Draft-II

OISD-STD-152
Second Edition
FOR RESTRICTED
CIRCULATION ONLY

SAFETY INSTRUMENTATION
FOR
PROCESS SYSTEM
IN
HYDROCARBON INDUSTRY

OISD - STANDARD - 152

Second Edition, December 2008

Oil Industry Safety Directorate

Government of India
Ministry of Petroleum & Natural Gas

1
 OISD-STANDARD-152
Second Edition

FOR RESTRICTED
CIRCULATION ONLY

SAFETY INSTRUMENTATION
FOR
PROCESS SYSTEM
IN
HYDROCARBON INDUSTRY

Prepared by:
COMMITTEE ON
PROCESS INSTRUMENTATION, MAINTENANCE & INSPECTION

OIL INDUSTRY SAFETY DIRECTORATE

NEW DELHI HOUSE, 7th FLOOR
27,BARAKHAMBA ROAD
NEW DELHI - 110 001.

2
 NOTES

OIL INDUSTRY SAFETY DIRECTORATE publications

are prepared for use in the Oil and gas industry under Ministry of
Petroleum and Natural Gas. These are the property of Ministry
of Petroleum and Natural Gas and shall not be reproduced or
copied and loaned or exhibited to others without written consent
from OISD.

Though every effort has been made to assure the

accuracy and reliability of data contained in these documents,
OISD hereby expressly disclaims any liability or responsibility for
loss or damage resulting from their use.

These documents are intended only to supplement and

not replace the existing statutory requirements.

3
 FOREWORD

# 1 The Oil Industry in India is nearly 100 years old.

Because of various collaboration agreements, a variety of
international codes, standards and practices have been in
vogue. Standardisation in design philosophies and operating
and maintenance practices at a national level was hardly in
existence. This, coupled with feed back from some serious
accidents that occurred in the recent past in India and abroad,
emphasized the need for the industry to review the existing state
of art in designing, operating and maintaining oil and gas
installations particularly using sophisticated instrumentation.

# 2 With this in view, the Ministry of Petroleum & Natural

Gas, in 1986, constituted a Safety Council assisted by Oil
Industry Safety Directorate (OISD), staffed from within the
industry, in formulating and implementing a series of self
regulatory measures aimed at removing obsolescence,
standardising and upgrading the existing standards to ensure
safe operations. Accordingly, OISD constituted a number of
Functional Committees of experts nominated from the industry
to draw up standards and guidelines on various subjects.

# 3 The present document on “Safety Instrumentation

For Process System in Hydrocarbon Industry’ is prepared by the
Functional Committee on “Instrumentation”. This document is
based on the accumulated knowledge and experience of
Industry members and the various national and international
codes and practices. It is hoped that provisions of this document
when adopted, may go a long way to improve the safety and
reduce accidents in oil and gas Industry. Users are cautioned
that no standard can be a substitute for a responsible, qualified
Instrumentation Engineer. Suggestions are invited from the
users after it is put into practice to improve the document further.

# 4 This standard in no way supercedes the statutory

regulations of CCE, Factory Inspectorate or any other statutory
body which must be followed as applicable.

Suggestions for amendments, if any, to this standard

should be addressed to:

The Co-ordinator,
Committee on
“Process Instrumentation, Maintenance & Inspection”
Oil Industry Safety Directorate,
NEW DELHI HOUSE, 7th FLOOR
27,BARAKHAMBA ROAD
NEW DELHI - 110 001.
.

4
 COMMITTEE
ON
PROCESS INSTRUMENTATION, MAINTENANCE AND INSPECTION

LIST OF MEMBERS

---------------------------------------------------------------------------------------------------------------------------------
------
Name Designation / Organisation Status
---------------------------------------------------------------------------------------------------------------------------------
------
S/Shri

S. Raghuraman Sr. Manager (Inst.), EIL Leader

K. G. Nair Ch. Inst. Manager, IOCL Member

V.K. Agarwal DGM (Tech.) BPCL Member

C. S. Osman Chief Manager (Inst.), MRL Member

R. D. Shira Sr. Maintenance Manager, BRPL Member

A. Majumdar DGM (Inst.), ONGC Member

S. Rammohan Sr. Manager (Inst.), GAIL Member

R. Murlidharan Manager (M & I), IOCL Member

G. R. Rana Joint Director, OISD Member

V. M. Ranalkar Dy. Director, OISD Member

Co-ordinator.
---------------------------------------------------------------------------------------------------------------------------------
------
In addition to the above several experts from industry contributed in the preparation, review and
finalisation of the document.

5
 COMMITTEE
ON
PROCESS SAFETY INSTRUMENTATION

LIST OF MEMBERS (2008)

Name Designation / Organisation Status

S/Shri
[Link] General Manager (POSD), EIL Leader

[Link] DGM (Proj.), GAIL Member

S.S. Maji General Manager, Essar Oil Limited Member

Y.B. Sonar DGM (Instrumentation), ONGC Member

U.K. Bhomick Chief Manager (S&EP), IOCL (R) Member

A. Chakravarty Chief Manager (Project), IOCL(R) Member

G.K. Dey Addititional Director (CHT) Member

[Link] kumar Chief Manager (Process), CPCL Member

Kaushalendra Kumar Chief Manager (T&I), IOCL (PL) Member

Girish Kumar Borah Sr. Manager (Instrumentation), NRL Member

Bimlesh Gupta Manager ( Operations), NRL Member
[Link] Mathews Sr. Manager (Process), Kochi – BPCL Member.
Ashok Simon Sr. Manager (Instru. Maint), Kochi – BPCL Member
S.V. Bagul Manager ( Instru. Maint.), HPCL Member
[Link] Manager ( Instrumentation) Member
[Link] Additional Director ( Process), OISD Coordinator

In addition to the above several experts from industry contributed in the preparation, review and
finalisation of the document.

6
 SAFETY INSTRUMENTATION FOR
PROCESS SYSTEM IN HYDROCARBON INDUSTRY

CONTENTS
------------------------------------------------------------------------------------------------------------------------
SECTION DESCRIPTION PAGE NO.
------------------------------------------------------------------------------------------------------------------------
1. INTRODUCTION
2. SCOPE
3. DEFINITIONS
4. SAFETY INSTRUMENTATION
FOR PROCESS EQUIPMENT & SYSTEMS
4.1 SEPARATORS
4.2 MAIN LINE PUMPS
4.3 GAS DEHYDRATOR
4.4 CROSS COUNTRY PIPE LINES
4.5 ELECTROSTATIC DESALTER
4.6 DISTILLATION COLUMN
4.7 PROCESS HEATERS
4.8 HDS REACTOR
4.9 PROCESS GAS COMPRESSOR
4.10 FCC REACTOR/REGENERATOR
4.11 FLARE GAS SYSTEM
4.12 ATMOSPHERIC STORAGE TANKS
4.13 AIR COMPRESSORS
4.14 TURBINES
4.15 LPG STORAGE AND BULK LOADING
4.16 COKE CHAMBERS

5.0 SIS IN PETROCHEMICALS

5.1 CRYOGENIC STORAGE
5.2 CENTRIFUGE
5.3 EXPANDER-COMPRESSOR
5.4 GAS CRACKER UNIT
6.0 RECOMMENDED PRACTICES
7.0 REFERENCES

ANNEXURE-1 Process Control and Safety Instrumented System – a Comparison

ANNEXURE-2 Details on LOPA (Layer of Protection Analysis)
ANNEXURE-3 SIL Determination- An overview
-----------------------------------------------------------------------------------------------------------------------

7
 LIST OF THE FIGURES ATTACHED
--------------------------------------------------------------------------------------------------
Figure No. Description Page No.
--------------------------------------------------------------------------------------------------
1 Relationship between HAZOP and LOPA Information
2 Instrumentation in a typical process plant
3 Safety Instrumentation for Separator
4 Safety Instrumentation for Separator (downstream processing)
5 Safety Instrumentation for Gas Dehydrator
6 Safety Instrumentation for Pipeline System
7 Safety Instrumentation for Scrubber
8 Safety Instrumentation for Filter Separator
9 Safety Instrumentation for Main Line Pumps
10 Safety Instrumentation for Crude Distillation Column
11 Safety Instrumentation for Process Heater
12 Safety Instrumentation for Combustion Air System
13 Safety Instrumentation for HDS Reactor
14 Safety Instrumentation for Hydrocracker
15 Safety Instrumentation for Dump Valve in Hydrocracker
16 Safety Instrumentation for Process Gas Compressor
17 Safety Instrumentation for Fluidized Catalytic Cracker
18 Safety Instrumentation for Flare Gas System
19 Safety Instrumentation for L.P.G Sphere
20 Safety Instrumentation for Coke Chamber
21 Safety Instrumentation for Sulphur Recovery unit
22 Safety Instrumentation for Cryogenic storage
23 Safety Instrumentation for Centrifuge
24 Safety Instrumentation for Expander - Compressor
25 Safety Instrumentation for Gas Cracker Furnace

----------------------------------------------------------------------------------------------

8
 SAFETY INSTRUMENTATION FOR PROCESS SYSTEM

IN HYDROCARBON INDUSTRY

1.0 INTRODUCTION typically in the widely used processing route

of various processes. The document covers
Newer technologies, process integration, areas including process operations in
major expansions, requirements to meet onshore production facilities, gas processing
improved quality products, yields & plant units, refineries, petrochemical process
capacity optimisation and stringent plants and pipeline installations.
environment considerations have made the
process operations very complex and However, onshore transportation facilities for
increasingly risk prone. Safety Instrumented gas & crude from oil fields/ the well head as
System (SIS) takes the process & operation well as the entire offshore facilities have
to safe state in case of operational upsets, been excluded from its scope.
process abnormality and emergency. This
standard lists the safety instrumentation as
minimum required for selected processes & 3.0 DEFINITIONS / BRIEF DESCRIPTION
operations for consideration of those
associated with design, operation and 3.1 Hazard: Potential Source of harm / accident
maintenance of refineries, gas processing & 3.2 HAZOPS: Hazard and Operability Study is a
petrochemical plants and associated systematic qualitative method to identify
pipeline installations. potential hazards and operability problems
due to deviations in system parameters from
Safety Instrumented System (SIS) is normal design intent. At project stage, the
required for the process & operations where appropriate time for HAZOP study is when
the mechanical integrity of the process P&IDs are frozen. However, for an existing
equipment, control system and other installation in operation, HAZOP study
protective devices are not adequate to should be done whenever changes from
mitigate the potential hazard. In this design case like procedural changes,
standard, reference has been taken from modification or higher throughput occurs.
International Standards like IEC 61508, Providing a better understanding of the
ANSI/ISA S 84.01 or equivalent to include plant, HAZOPS helps in predictive
the best engineering practices in SIS. evaluation of events that have never
occurred.
It is not intended that requirement of this 3.3 Risk: It is the combination of the likelihood
standard should be applied rigidly to existing of an accident with the severity of potential
premises where for a variety of reasons, it consequences. It is possible to make
may not be practicable to comply with. This quantitative risk assessment to judge
standard shall, however, create awareness whether the risk involved in a situation is
and help in selective implementation of the acceptable or not.
recommendations when major modifications 3.4 Tolerable risk: At some level, the risk is
are undertaken at existing installations acceptable, in a given context based on the
current values of society. Tolerability may be
2.0 SCOPE different for each risk posed by the
equipment and its control system, because it
The document provides guidelines for depends not only on the level of risk but also
minimum requirement of the Safety on the benefits to be gained by taking the
Instrumented System (SIS) for critical risk and the cost of reducing it.
process functions / equipment involved 3.5 Safety: freedom from unacceptable risk

9
 3.6 Residual Risk: Risk that remains after protects against the possibility of a process
protective measures have been taken. excursion developing into an incident and
3.7 ALARP: Risk reduced to a level that is “ As limits the excursion potential. Please refer
low as reasonably practicable”. Fig 2 and Annexure-1 for details.
3.8 BASIC PROCESS CONTROL SYSTEM
(BPCS):Basic process control system 3.12 SAFETY INTEGRITY LEVEL (SIL):
provides normal operation functions. It Safety Integrity Level (SIL) is a measure of
generally includes basic control and reliability / integrity of safety instrumented
monitoring of process operation through system when a process demand occurs.
operator supervision The level of reliability is defined in the scale
3.9 PROCESS HAZARD ANALYSIS (PHA): of 1 to 4 as SIL-1, SIL-2, SIL-3 & SIL-4; with
Process Hazard Analysis (PHA)) is a tool to SIL-4 designates highest reliability level of
systematically identify process hazards and safety instrumented system.
associated risks in making decisions for
improving safety and reducing the 3.13 FIRE, GAS & SMOKE DETECTION
consequences of unwanted or unplanned (FGSD) SYSTEM:
releases of hazardous chemicals by
minimising the likelihood of the occurrence A system that detects following at an early
and the consequences, in line with OISD stage:
206. - Presence of flammable and toxic
gases;
PHA is used to assess the adequacy of - Presence of a fire;
mitigation measures against potential - Presence of smoke from smouldering
hazards in the areas of mechanical integrity or incipient fires.
of the process equipment, control system FGSD system generates alarms, warnings
and other secondary protections like gas and / or initiates shutdown functions and / or
detection, fire protection etc. Subsequently, actuates fire fighting system. Also, based on
analysis is carried out on layers of protection pre-defined criticality on identified scenarios,
requirement. it may be configured to initiate evacuation
process, reports generation, historisation of
3.10 LAYERS OF PROTECTION: Layers of data & events at predetermined level of
protection are the systems or actions and concentrations. Associated electrical or
devices that are capable of preventing a electronics circuits connecting with the field
scenario from proceeding to undesired devices of detection system require high
consequences. Examples of protection availability and reliability in line with IEC
layers are i) inherently safe design features 61508 or equivalent international standards.
including basic control, ii) critical alarms &
manual intervention, iii) safety instrumented 3.14 HIGH LIQUID LEVEL: Liquid level in a
system (SIS), iv)physical protection such as process system above the permissible
relief devices, v) Post release physical operating level.
protection such as fire suppression system,
vi) plant and community emergency 3.15 HIGH TEMPERATURE: Temperature in a
response. Ideally such protection systems (i process system in excess of the set
to vi) are independent from one another. operating limit.
Each identified protection layer (safeguard)
is evaluated by layer of protection analysis 3.16 LEAK: The accidental release of liquid
(LOPA) for its effectiveness and and/or gaseous substances to
independent character. Refer Fig1. atmosphere from a process system.

3.11 SAFETY INSTRUMENTED SYSTEM (SIS) 3.17 LOW FLOW: Flow in a process system
Safety Instrumented System (SIS) is less than the minimum set operating flow
composed of software & hardware which rate.
takes the process to a safe state when
predetermined conditions, as set on control 3.18 LOW LIQUID LEVEL: Liquid level in a
parameters like pressure, temperature, process system below the lowest set
levels, flow etc, are violated, So, SIS operating level.

10
 5) Voting logic configuration for trip
3.19 LOW PRESSURE: Pressure in a process actuation on critical parameters to avert
system less than the minimum set spurious shutdowns
operating pressure.

3.20 SAFETY DEVICE: An instrument of 4.0 SAFETY INSTRUMENTATION FOR

control or mechanism used for the safety PROCESS EQUIPMENT & SYSTEMS
of the system.
4.1 General Philosophy
3.21 SENSOR : A device that measures the (i) In order to assess the adequacy of
process condition protection for a process function, PHA
(HAZOP study) is done first. HAZOP
3.22 MACHINE SAFETY FEATURES: These tables list out Deviations, Causes,
are in-built safety provisions or those Consequences, Safeguards and
additionally advised by the OEM ( Original Recommendations. The details so
Equipment Manufacturer)/vendor for compiled include estimates of
protection of the process equipment in frequency for each cause and severity
emergencies. It includes alarms and trip for each consequence. The HAZOP
signals required to be integrated with the information is utilised for development
trip logic system of the equipment and the of Layer of Protection Analysis (LOPA),
process system. For example an as shown in the Fig. 1. LOPA is a
automatically operated shutdown valve simplified semi-quantitative technique
(SDV) used for the protection of process of risk analysis. It helps to assess what
equipment is suitably configured for independent protection layers (IPL)
identified emergency scenarios. already exist or what are required for
process safety. Please refer Annexure-
3.23 EMERGENCY SHUTDOWN SYSTEM 2 for details on LOPA.
(ESD): A system (confirming to a certain
SIL level as per IEC 61508) of manual/ (ii) The LOPA team recommends use of
automatic interventions depending on an SIS only if other design changes for
process criticality, when activated brings inherent (built-in) safety, cannot reduce
the equipment / facility to a safe and non- the Mitigated event likelihood to less
operating mode without following the than the target
predefined sequence /procedures. An
Automatic Safety Shutdown (iii) Wherever level, temperature and flow
System(ASSS) is a prevention safety switches are mentioned, independent
layer, which takes automatic and transmitters (for level, temperature and
independent action following predefined flow as applicable) shall be used for
operating & safety logic to prevent a actuation of trip.
hazardous incidents from occurring and to
protect personnel, plant and equipment. (iv) 2/3 voting logic for ESD systems
An auto or manual trip system required should be implemented based on the
under SIS should cater minimum SIL study
requirement as under:
(v) Alarm Management system should be
1) PHA study based identification of in line with the best practices followed
critical parameters for system trip internationally, some of which are
2) Independent Sensing element of each mentioned at item 6.6
trip initiating parameter (preferably
direct mounted) 4.2 CRITICAL PROCESS EQUIPMENT &
3) Direct Type switch or Microprocessor
PROCESS FUNCTIONS: SIS
based SMART Transmitters for Trip
requirements for critical equipment and
actuation
process functions have been covered
4) Audio-visual alarms on trips
which includes Separators, Main line
pumps, Gas Hydrators, Distillation

11
Columns, Process Heaters, Reactors,
Process Gas Compressor, Storage Tanks, (i) High level alarm and High-High
Fluidised Catalytic Cracking, level interlock on separator (e.g.
hydrocracking, delayed coking etc., suction KOD of compressor etc.)
described as under: to cut-off the compressor for
preventing liquid ingress into it
4.2.1 SEPARATORS
Description: They serve to separate (ii) Low level alarms to be provided
gas, oil and water in refineries, Gas for hydrocarbon (HC) level &
Processing & Petrochemical plants. water interphase level. In cases,
Separators for upstream (onshore) where the downstream
and for downstream processing have equipment is not equipped to
been described separately as under: handle gas breakthrough
resulting from loss of liquid level,
[Link] Separator for upstream (onshore) provision of Shut off valve should
Following safety instrumentation be made on the HC liquid outlet
should be provided for Oil Hydrator. and water outlet and to be
(Refer Fig. 3) configured on Low-Low level.
(iii) In case of congealing fluid or
(i) High pressure transmitter shall be dirty service like sour water, two
provided to shut off inflow to the independent level tapings &
vessel. transmitters to be provided.

(ii) High-pressure alarm

4.2.2 GAS DEHYDRATORS
(iii) Low-Low pressure switch to shut Description
off inflow to the vessel Dehydrators using liquid desiccant are
considered here. The desiccant
(iv) High-High level trip to shut off considered may be suitable solvent
inflow to the vessel in case the like ethylene glycol.
down stream component receiving
the gas cannot handle liquid. Gas saturated with moisture but free
of entrained liquid particles is brought
(v) Low-Low level trip to shut off the into counter current contact with
liquid outflow from the separator if concentrated desiccant (solvent) in
the downstream system is not the contactor tower. After absorbing
designed to handle gas water vapour from moist gas, the
breakthrough. desiccant passes out from the
(vi) High-High Temperature trip on bottom of the contactor. After
separators like heater-treater to knocking off the entrained solvent, the
shut off the source of heat. dried gas exits from overhead and is
sent to the pipeline. The bottom
(vii) Automatic power supply cut-off to stream of wet solvent is sent for
the high voltage transformer used recovery of solvent and its reuse.
for electrostatic separation in case
abnormal conditions develop [Link] Following safety instrumentation
requiring feed cut off and low level shall be provided for gas
in the separator. dehydrators: - (see Fig. 5):

[Link] Separators for downstream i) High pressure sensor on the

critical services in Refineries/ glycol contactor to shut off inflow
Gas Processing & Petrochemical of gas.
Plants ii) Low pressure sensor on the glycol
contactor to shut off inflow of gas.
The following safety instrumentation
shall be provided. (see Fig.4)

12
 iii) High level sensor to trip the glycol alarm for level High, High-High and
pump and inflow of the gas to the Low.
contactor.
iv) Low level sensor to shut off the [Link] Liquid Hydrocarbon Pipeline
glycol outlet line. System
v) Instrumentation System shall be
installed for vessel depressurising Requirement for safety instrumentation
and releasing excess pressure to system for Liquid HC cross country
flare in case of emergency. pipelines shall be in line with OISD-STD-
vi) Shutdown valves on the Gas inlet 141 and OISD-STD-241. However,
and outlet line. general minimum requirements towards
safety instrumentation are covered as
4.2.3 CROSS COUNTRY PIPELINES under:
Description
For this standard the cross country 1) Mainline Pumps
pipelines considered are pipelines Description
which carry crude petroleum, #1 Main line pumps are the pumps
petroleum products and Natural Gas used for liquid hydrocarbon
from producers facilities such as tank transportation through cross
farms, Natural Gas Processing Plants, country pipelines. The pumps
Refineries, Pump Stations etc. to considered here are electrical
other delivery and processing plants. motor driven centrifugal pumps. It
Please refer Figures 6, 7, 8 for is also considered that the pumps
pipelines related process systems. are located in the field and all
parameters related to the pumps
The safety instrumentation required as are controlled from the control
minimum for cross country pipelines room. All the machine safety
are described under the two system: - features as provided by the OEM /
Liquid hydrocarbon pipelines system vendor should be integrated with
and natural gas pipelines system. the alarm system and pump trip
logic
At each station of cross country
pipeline, provision of Emergency Safety Instrumentation system
Shutdown (ESD) valves (quick shutoff for Mainline pumps: Refer Fig. 9
type) shall be considered on upstream
as well as downstream of the station. i. High pressure sensor in the
Requirement for isolation of specific pump discharge for alarm & to
segments as identified through PHA trip the pump.
study, shall also be met through ii. Low pressure sensor in the
additional shutdown valves. pump suction for alarm and to
trip the pump.
SIS requirement for Surge relief iii. Low discharge pressure trip for
should be identified through surge protection against pipe rupture,
analysis of the pipeline and if required
accordingly provision shall be made. iv. High casing temperature alarm
Use of reliable Fire and Gas detection v. High bearing temperature alarm
system should be considered for gas vi. Motor operated valves (MOVs)
pipelines at compressor stations and provided on upstream and down
other relevant locations where leak of stream of the pump which shall
flammable gases can cause hazard to be coupled to the start and
people, environment and plant in line operation of the pump logic.
with section 3.14 above Pump shall trip in case MOVs
at suction/ discharge get closed
Storage tanks and line balancing and vice versa.
tanks at each location shall have

13
 vii. In case of double seal pump, ii. Low pressure sensor on fuel
alarm to be provided in the supply.
event of primary seal failure. iii. High temperature transmitters
on gear box pinion bearing and
viii. Protections in line with wheel bearing, engine
manufacturer’s (OEM) bearing, engine jacket
recommendations, such as: cooling water.
a. Vibration trip at high-high iv. Oil Mist detector (OMD)
vibration v. CO2 purging system in case of
b. Temperature sensors (RTD/ high OMD detection for mist
Thermocouple type) for vi. High temperature sensor for
monitoring of bearing and lube oil
casing temperatures and
trip [Link] Gas Pipeline System
c. Motor bearing and winding
temperature indicators for Description
each phase, with It covers the pipeline with associated
alarms/trips facilities used for transportation of
gas. The pipeline system consists of
2) Storage at receiving/ delivery gas dispatch terminals, gas receiving
terminals – terminals, compressor station and
scrapper station.
i. High-High level alarm for the
storage receiving material The dispatch and receiving terminals
delivered by the pumps. The are provided with gas scrubbers, filter
audio visual alarm shall be separators drums, gas heaters, flow
provided at local panel and the metering and pressure regulating
pipeline control room. equipment and condensate handling
ii. Pipeline delivery MOV/ROVs systems (Refer Fig. 6).
shall close on actuation of High-
High level alarm. 1) Filter/ Separator / Scrubber

3) Hydrocarbon Leak The scrubber is used for removal of

Detection system: foreign particles and condensate
i. Gas detectors with alarm droplets.
system shall be installed at LPG
pumping station. Safety instrumentation provided
ii. Supervisory control and data shall be as under: (Refer Fig. 7, 8).
acquisition (SCADA) system
should be provided for efficient (a) Level indicator with low, low-low
operation and improved safety. and high alarms.

4) Engines: (b) Shut off valve on the

Apart from Electrical drives, condensate line to isolate the
Engines (using Crude Oil, Diesel system in case of low-low level.
or both as fuels) are also used to
drive Main Line Pumps. In
addition to manufacturer’s 2) Condensate handling system
recommendations on
instrumentation, Engines shall be Condensate handling system
provided with following safety consists of condensate flash drum,
instrumentation: underground sump, overhead
storage tank, loading station and
i. Low Pressure sensor for burn pits. The condensate flows by
instrument air. gravity to a sump tank. The transfer
pump is started and stopped by high

14
 and low level switches on the sump In all cases the resetting and
tank respectively. The liquid is sent opening of the valve shall be
either to the overhead tank or to the possible only locally and should be
burn pit. done after investigation of the cause
Following safety instruments shall of the trip.
be provided:
4.2.4 ELECTROSTATIC DESALTER
(a) Low level of condensate in the Description
sump tank shall trip the
condensate pump. In a Desalter, the crude is mixed with
water and led into a vessel operating
(b) High level alarm of the under pressure and having a
condensate in the sump tank. electrostatic field. The water
dissolves the undesirable soluble salts
(c) High level alarm in the overhead present in the crude and gets
tank. separated from the crude under the
influence of electrostatic field.
3) Gas heaters
The following Safety Instrumentation
The filtered gas is heated before shall be provided:
entering the metering system to
keep the gas temperature above its (i) High- High level interphase
dew point. The safety instruments alarm and actuation of interlock
are: (ii) Low–Low interphase level alarm
i. High-high gas outlet (iii) Transformer trip on high current
temperature alarm (iv) High and low pressure alarm
ii. Skin temperature high alarm for (v) Additional features to be
electrical heater incorporated as per OEM’s
recommendations
4) Pressure Reducing Installation.
4.2.5 DISTILLATION COLUMN
The clean filtered gas after pressure Description
reduction passes through metering Distillation column is used to
skid to the downstream installation. fractionate the hydrocarbon feed
The skid consists of filters, flow mixture into the desirable petroleum
meters, flow computers and fractions as per requirement for
associated temperature and primary crude distillation or in
pressure correcting instrument secondary units for fractionation in
systems. refineries, gas processing and
petrochemical plants. Typically, the
The safety instrumentation shall be crude distillation column is used to
quick shut off valve to isolate the fractionate the crude oil into various
downstream installation from the petroleum products. Hot crude oil
main pipe line in case of high from the furnace enters the flash zone
pressure. of the column. Flashed vapour rises
up and the liquid flows down. Various
5) Scrapper stations and products are withdrawn as side
Sectionalising valve stations streams. The overhead vapour is
condensed and partially refluxed back
Sectionalising valves shall be for temperature control for top product
provided to isolate the affected (Naphtha) cut point requirements.
sections of a pipeline in case of gas Column pressure is controlled utilising
leak or line rupture. These valves the split range controller based on
may be with remote operation pressure set point. Column bottom
facilities. level is controlled by level controller
(LIC).

15
 heated passes through the radiant
[Link] The following safety instrumentation section, before it enters the
shall be provided in a distillation fractionator. The burners are
column: (Refer Fig. 10) normally combination type suitable
for oil or/and gas firing. The
(i) Column bottom level shall be furnaces are either
monitored by two different smart natural/forced/balanced draft
level instruments with separate design. The balance draft furnaces
tappings. are provided with FD and ID fan
(ii) Separate independent transmitter alongwith air pre-heater (APH)
to be provided wherever tripping which will have stack dampers
is provided. closed during normal operation.
(iii) The column top temperature
shall be monitored through [Link] SIS for Process Heaters
minimum two temperature points Following safety instrumentation
-- one for control and another for shall be considered for safe
indication with alarms on high & operation of the heater in line with
low temperature OISD-STD-111. Please refer Fig-11
(iv) High temperature alarm for the & 12.
column bottom
(v) Pressure indications for 1) SIS for Feed Section in
fractionating column top and Process Heater
flash zone. Safety Instrumentation for
(vi) High and low level alarm for furnace shall be in line with
overhead reflux drum. OISD-STD-111.
(vii) Low reflux flow alarm as leading
indicator of an overhead upset (i) Low Feed flow alarms for
(viii) In the following cases, automatic each pass.
shut down valve should be (ii) High temperature alarm for
provided at the column bottom each pass and at the heater
outlet for column isolation at low- outlet.
low bottom level to avoid gas (iii) Skin temperature
passing to the downstream measurements at 3
systems: locations for each pass.

where column bottom High temperature alarm for
operating temp is above auto each tag of tube skin
ignition temp temperature

where column would need (iv) Alarm of High-High flue gas
immediate isolation in case of temperature should be
fire below the column provided

where downstream facility viz. (v) Low total feed flow interlock
a storage tank has not been to bring the heater to a safe
designed to handle gas minimum firing position by
released from the column keeping only the pilot
bottom burners on.
(vi) For heavy, congealing type
4.2.6 PROCESS HEATERS / of service fluid, independent
FURNACES tappings to be provided for
Description flow metering
Process heaters are required to (vii) Heater shall trip in following
raise the temperature of various cases:
process fluids to achieve partial  Low-low feed flow on a
vapourisation of fractionation pass coupled with High-
operation. The fluid enters the High outlet temperature
heater in convection section in more of the same pass.
than one passes and after getting

16
  Low pass flow in This is referred as crack
minimum two passes or open test.
low total flow for a multi
pass furnace. In the (vi) Positive protection for mal
case of catalytic process operation of ID fan shall be
furnaces like Reformer provided by motor contact
employing a liquid closure and pressure
hydrocarbon feed and switch.
recycle gas steam, the
furnace shutdown should (vii) Tripping/stopping of ID/FD
get actuated when fan shall have provision to
recycle gas failure automatically open the
occurs. stack damper.
 High combined outlet
temperature (viii) Heater trip due to high
 High-High coil outlet pressure shall be preceded
temperature on each by high pressure alarm.
pass. This very high pressure
 High furnace coil (PHH) trip shall be sensed
pressure preferably by three directly
mounted pressure switches
(viii) Automatic injections and voting logic of two out
of coil purging steam/ of three shall be used for
Nitrogen at the time of furnace tripping.
furnace trip should be
considered. (ix) In the event of fuel oil and fuel
gas cut off to the heater, the
2) Combustion Air Systems following sequential action is
needed:-
(i) Running of FD fan shall be (a) Stack Damper to Open.
verified in the circuit by (b) ID Fan to trip
Motor contactor closure (c) FD Fan to trip
and discharge pressure low- (x) Hydrocarbon Gas detector
low pressure switch. This should be provided at the FD
will ensure positive fan suction hood
protection against mal-
operation of guide vane. (xi) For variable speed or fixed
speed drives of FD fan, speed
(ii) Low air flow alarm and low of fan and motor contact
air flow combined with should be used for heater trip
motor contactor to warn interlock.
maloperation of FD fan.
(iii) Heater trip on low 3) SIS for Burner System
combustion air pressure as
well as its low flow with (i) Low pressure alarm and
AND gate. Low-Low pressure alarm for
(iv) Air storage tank to ensure pilot gas should be
opening of drop out door. In incorporated in the safety
case of air failure provision interlock system of the
for mechanically opening furnace.
shall be provided.
(v) Provision should be made (ii) A separate shut off valve
to check up operation of shall be provided on the
drop out door in running pilot gas header. It will close
condition, wherever dropout only in case of low-low fuel
door have been provided. gas header pressure in pilot

17
 gas line and will not close in Description
case of furnace trip due to Hydro de-sulphurisation of
other process interlocks. Petroleum products like naphtha,
kero, diesel etc is carried out in
(iii) Main FO/FG headers shall presence of catalyst in the HDS
be provided with shut off Reactor. The high sulphur
valves operated by low fuel petroleum feed alongwith hydrogen
pressure and other reasons is heated in a furnace to the
of furnace trip. required temp. Outlet stream from
furnace at controlled temperature is
(iv) Shut down valve operated fed to the reactor for
by manual push button to Desulphurisation reaction. The
trip the furnace by cutting- sulphur present in the Petroleum
off fuel supply to main products reacts with H2 to form
burners. H2S. The reaction products go to
the separator where the H2S rich
(v) Pressure transmitters shall gas is separated from the liquid
be directly mounted on the product.
FO/FG headers for safety.
[Link] HDS Reactor
(vi) For dual firing the safety
interlock should take care The following safety instrumentation
that no interruption in shall be provided for HDS unit.
furnace operation takes Please refer Fig: 13)
place during change over of
fuel. (i) Reactor thermocouple
assembly consisting of
(vii) Pilot flame detection should number of thermocouples of
be provided in the safety different lengths to measure
interlock wherever remote and record reactor bed
burner lighting system is temperature at different
existing so that main fuel heights. Hydrogen quench
cannot be admitted without should be provided in
establishment of pilot flame. between the beds for
controlling bed temperature.
(viii) There shall be two sets High temperature alarms for
push button emergency trip, the beds shall be provided.
one located in the control
room and another near the (ii) Reactor inlet and outlet
furnace. temperature high
temperature alarms using
(ix) Arrangement for positive separate sensors for
isolation of fuel gas supply recorders and alarms.
line to heater is necessary.
Block-&-Bleed to flare/ safe (iii) Reactor inlet temperature
venting should be provided. control to be incorporated in
the furnace outlet
(x) FO firing cut off interlock temperature control scheme.
shall be provided to actuate
at low-low differential (iv) Safety interlock shall be
pressure of atomising steam provided for low hydrogen
and fuel oil flow, low feed, high reactor
temperature.
4.2.7 HDS REACTOR (HYDRO (v) Feed pump and heater shall
DESULPHURISATION) trip on low recycle gas flow
to the reactor

18
 lengths to measure and record
4.2.8 HYDROCRACKER UNIT: reactor bed temperature at
Description: different heights. Hydrogen
Hydrocracking process is catalytic quench should be ensured in
operation performed at relatively between the beds for controlling
high hydrogen pressure and bed temperature. High
elevated temperature to convert a temperature alarms for the beds
heavy oil fraction into products of shall be provided.
lower molecular weight. It is a
flexible process to produce widely (iii) Reactor inlet and outlet
different fuels from same or different temperature high alarms should
feedstocks. Generally, be provided.
hydrocrackers use fixed beds of
catalyst with downflow of reactants. (iv) Reactor inlet temperature
During the process with severity control to be incorporated in the
increasing, the first reaction leads to furnace outlet temperature
saturation of any olefinic matter control scheme.
present in feedstock. Next follow the
treating steps involving reactions of (v) Safety interlock shall be provided
desulphurisation, de-nitrogenation for low hydrogen flow, low feed,
and de-oxygenation, wherein only high reactor temperature.
limited cracking takes place. Finally, (vi) Feed pump and heater shall trip
on further increase in severity, on low recycle gas flow to the
hydrocracking reaction is initiated, reactor
which proceeds at various rates,
with the formation of intermediate 4.2.9 PROCESS GAS
products (eg. saturation of COMPRESSORS
aromatics), which are subsequently Description
cracked into lighter products. In the Process gas compressors are used
Single-stage hydrocracking process in the petroleum processing and gas
the treating step combines with pipeline systems to increase the
cracking reaction to occur in one pressure of gas for specific use and
reactor. However, Two-Stage or handling & transportation. The
Series Flow hydrocrackers are safety interlocks shall be in line with
employed for high/ full conversion OEM’s recommendations and follow
by an additional reactor. Please minimum provisions as under:
refer Fig.14
[Link] The compressors should be
[Link] SIS in Hydrocracker unit shall be in provided with the following
line with the process licensor’s instrumentation. Please refer
design guidelines and taking into Fig.16. Additional instrumentation
consideration the following safety shall be provided as per
instrumentation: manufacturer’s recommendations.

(i) Automatic depressurization (i) Low–Low suction and High-High

through the dump valve should discharge pressure shall be
be actuated at high-high configured to trip the compressor.
temperature with any two of the (ii) Pressure safety valve on the
temperature indications provided discharge line and K.O drum of
on the top bed of the reactor. each stage.
Please refer Fig: 15
(iii) Gas detection and fire detection
(ii) Reactor thermocouple assembly devices shall be provided if the
consisting of number of compressor is located inside
thermocouples of different enclosed buildings totally covered
on all the sides. The protection

19
 shall also include turbine the reactor aids the transfer of spent
enclosures. catalyst from reactor to regenerator.
During normal operation spent
(iv) Devices to monitor and trip in case catalyst slide valve operation is
of excessive vibration, speed, low dependent on the level in the
lube oil pressure, seal oil low reactor through its level controller
differential pressure, high bearing (LRC). The reactor is maintained at
temperature and high discharge a temp around 490 Deg.C by the
temperature, low governor oil pr etc. transfer of hot regenerated catalyst
in line with manufacturers from regenerator. During normal
recommendations. operation regenerator catalyst slide
valve opening is controlled by
(v) High-High level on the suction reactor temperature controller
knockout drum shall trip the (TRC). Please refer Fig. 17.
compressor.
[Link] Following safety instrumentation
Note: Compressor trip shall mean shutting shall be provided in FCC
down the drive unit and closing of
suction & discharge shut-down (i) The spent catalyst slide valve
valves / motorised valves. (SCSV) shall be automatically shut
off in the event of low differential
4.2.10 FLUIDISED CATALYTIC pressure across the SCSV.
CRACKING (FCC) UNIT -
REACTOR/ REGENERATOR (ii) The regenerated catalyst slide
valve (RCSV) shall be automatically
Description shut off in the event of low
Lighter products are obtained from differential pressure across the
Vacuum Gas Oil (VGO) by Catalytic RCSV
cracking in FCCU. Zeolite catalyst is
heated to a temperature of about (iii) Reactor high temperature alarm
650 degree C and is then allowed to shall be provided.
flow with the feed in the riser pipe of
the reactor. Carbon particles are (iv) Emergency feed by pass provision
deposited on the catalyst when the to divert feed from the reactor. This
may be integrated with steam opening
feed cracks into lighter ends like to riser and closing of RCSV and SCSV
Fuel Gas, LPG, Naphtha, diesel and (v) Hand jack provision for all slide
heavy oil. The carbonized catalyst valves for manual operation. In
is called spent catalyst and is then addition, local electrical / hydraulic /
taken into the regenerator for pneumatic operation shall also be
regeneration. In the regenerator provided.
controlled air is blown through the
hot catalyst to convert the carbon (vi) Steam Low flow alarm and
into carbon monoxide, thereby emergency cut in for steam and
releasing equilibrium catalyst for use bypassing feed to reactor may be
in the next cycle. considered.
FCC Reactor contains hydrocarbon (vii) Low temperature alarm for reactor
vapour and regenerator contains hot outlet temperature should be
air. Air should not enter the reactor considered for preventing ingress of
and hydrocarbon vapour should not hydrocarbon into regenerator.
find entry into the regenerator.
Regenerator is kept at higher (viii) Regenerator dilute phase high
pressure (by 0.5 Kg/CM2) compared temperature alarm should be provided.
to the reactor. Additionally, static
head due to spent catalyst level in

20
 (ix) Plant shutdown shall be provided on The compressors considered here
low air flow to regenerator are reciprocating type.

4.2.11 FLARE GAS SYSTEM Following safety instrumentation

shall be provided for Air
Description Compressor - Reciprocating:
Gas to be flared is routed through a
knock out (K.O.) drum. From the (i) Cooling water low flow trip.
K.O. drum the liquid is pumped back (ii) Discharge temp high trip.
to Recovery System and the gas (iii) Frame oil low pressure trip.
goes to flare stack through a water (iv) Discharge pressure high trip.
seal drum. Flare flame failure alarm (v) Automatic loading/unloading
may be considered. T.V. monitoring system to be considered
of the flame may be considered. wherever possible.
H2S and HC detectors may be (vi) Additional instrumentation shall
provided as per requirement be provided as per
manufacturer’s
[Link] Following safety instrumentation recommendations .
shall be provided. Please refer Fig.
18. 4.2.14 TURBINES
(i) High and Low liquid level alarms for Description
auto start / stop of the pump.
(ii) Low water level in the seal pot alarm Turbines are steam/gas driven drive
(iii) Pilot FG header Pressure low alarm units used in hydrocarbon industry
(iv) Gas detector near the flare KOD for driving compressors, blowers
and alternators in the process units
4.2.12 STORAGE TANKS and captive thermal power station.
Following safety instrumentation
shall be provided in line with OISD- Following safety instrumentation
STD-108: shall be provided for Turbines - in
(i) Tanks shall be provided with at line with manufacturer’s
least two numbers of level recommendation:
instruments working on different
principles. One of the above shall (i) Lube Oil pressure low trip.
be used for High-High and Low (ii) Governor oil to pressure low
level alarms. trip.
(ii) Automatic isolation of tank (iii) Turbine exhaust pressure
receipt line based on High-High high trip.
Level sensing device should be (iv) Over speed trip.
considered for tanks receiving at (v) Axial displacement trip.
high flow rates (unloading from (vi) Vibration high trip.
ship/ pipeline receipt etc.). (vii) Emergency trip.
(iii) Low-low level switch from the (viii) Condensate level high alarm.
primary level instrument to stop (ix) Exhaust hood high
transfer pump (optional) temperature alarm.
(iv) High temperature alarm should (x) Operating temperature high
be provided wherever required Trip.
(xi) FG pressure low trip.
(xii) Exhaust temp.(average of 3
4.2.13 AIR COMPRESSORS thermocouples in exhaust)
Description high trip.
Air compressors are used in (xiii) Lube oil temp. high trip
hydrocarbon industry for supplying (xiv) K.O drum level high trip
air to pneumatic instruments and as
well as for process requirements. [Link] SIS Specific features for Gas
Turbines

21
 (i) Flame failure trip ii)Activation of tone generator in
(ii) Gas detectors paging or a siren in the particular
(iii) L.O. Pr low area.
(iv) Exhaust Pr high
(v) Exhaust temp high trip iii) Tripping of LPG pumps and
(vi) Oil tank level alarms. compressors.

4.2.15 LPG - PRESSURE STORAGE AND Emergency push buttons shall be

BULK LOADING provided in the control panel and at
a safe place in the field to initiate the
Description above actions manually.
LPG is received from the plant
through pipelines. It is stored under ROVS shall be provided with
pressure at atmospheric open/close indications on the control
temperatures in spheres or bullets panel.
or mounded storage. The LPG is
pumped to a loading gantry from (ii) Gas Detection Systems
where it is loaded through loading
arms into truck tankers or rail Gas detectors shall be provided at
tankers. all locations where possibility of
build up of LPG vapour exists, which
When LPG is received through road might lead to a fire.
or rail tankers, it is transferred by
unloading pumps into the bullets or Suggested locations are:
spheres.
- i) LPG Pump and compressor
Following safety instrumentation house.
shall be provided for LPG Sphere.
Please refer Fig. 19: - ii) LPG Truck and rail loading
gantries
(i) Fire detection and protection
system - iii) LPG Sampling Point.

In line with OISD-144 and OISD-150 - iv) Near ROVS.

as applicable, LPG storage, LPG
pumps, compressor house etc. shall Gas detectors shall have two levels
be protected through automatic fire of alarms. Suggested values are
detection and/or protection (Fixed) 20% LEL and 60% LEL.
system based on heat detection
through thermal fuses/ quartz bulbs/ (iii) Level gauging devices
EP detectors. Sensors shall be #1 LPG spheres shall be provided
installed at all critical locations e.g. with two independent indicators as a
near ROV. For early detection of minimum.
LPG leakage across large area, use
of point or open path flammable gas (iv) Level switches
detectors may be considered. A separate high level switch shall be
provided for alarm in the control
The activation of the pressure room.
switch shall initiate the following
action. A water seal pot shall be provided
on the low pressure side of the DP
i) Closure of remote operated valves type level transmitter if use, the seal
in the affected area. pot and the connecting pipe shall be
of the same rating as that of the
sphere. Alternatively, the low
pressure leg of the D. P. transmitter

22
 shall be heat traced. The D. P.
transmitter shall be provided with 2) Coke Drum Head Removal:
level elevation or suppression kit. Consider equipment upgrades by
automating both top and bottom
4.2.16 COKING CHAMBERS IN head removal operations for
DELAYED COKING keeping workers away from
these hazard prone areas during
Description head removal.
The Delayed Coking process for
upgrading the heavy ends, is a 3) Coke Cutting by Hydro-
semi-batch operation wherein a Blasting:
severe form of thermal cracking is (i) During coke cutting, when the
allowed to occur at high cutting/drilling tools need to
temperatures (about 500 Deg C) for be brought out for the tool
an extended period of time in the change etc., the coke cutting
coke chamber. The process module water pump discharge shall
contains a fired heater, two coking automatically get routed to
chambers ( Drums or reactors) and storage tank.
a fractionation tower. The coke gets (ii) Provide interlocks to shut-off
deposited on the chamber and and prevent restart of cutting
cracked vapour goes from the top to water pump whenever the
fractionation section. After a definite cutting head level is raised
cycle, the reactor is changed over, above a pre-determined point
deposited hot coke is steam within the coke drum. Further,
stripped and quenched with water, consider installing a
After water draining, bottom cover of redundant level transmitter (
the drum is opened (de-headed) in voting 1 of 2) as additional
preparation for decking. The coke protection layer against the
bed is fractured/cut into smaller hazard due to cutting head
pieces using high pressure water jet under pressure.
and dumped through the bottom
opening. The batch operation in 4) Other provisions in SIS of
coking presents typical hazards Delayed Coking Unit:
attributed to most of the serious
accidents. The operation activities (I) Level alarms at different
include drum switching, coke drum locations to avoid foam/coke
head removal and coke cutting by carry over etc.
hydro-blasting. (ii) High pressure alarm with
independent impulse line.
Following safety instrumentation (iii)Temperature indication and
shall be provided for Coking high temperature alarm at
Chambers. Please refer Fig: 20 vapour outlet (after HGO
quench). Skin thermo-couple
1) Coke Drum Switching: at top/middle/bottom of the
(i) Provide interlocks for chamber.
automated or remotely (iv) Coke cutting water pump trips
activated valve switching for following conditions:
systems.
(ii) Provide interlocks for valves (a) Low discharge pressure.
that are manually operated to (b) If isolation valve on water
avoid unanticipated valve line at other chamber is in
movement. open position.
(iii)Provide indicator lights at (c) If the cutting tool is out of
valve and valve control panel chamber and discharge
to help for intended operator does not get routed to
action. storage.

23
 consist of double walls and are
(v) During coke cutting, when the designed as per API 620. Please refer
cutting/drilling tools need to Fig 22.
be brought out for the tool
change etc., the coke cutting 5.1.1 Following safety instrumentation shall
water pump discharge shall be provided for Cryogenic Storage:
automatically get routed to
storage tank. Considering hazardous nature of the
fluid handled, the storage facility
4.2.17 SULPHUR RECOVERY UNIT requires provision of following safety
(SRU) : instrumentation as minimum:

The acid gas rich in H2S (>90%), i) Interlocking for Vacuum breaker
generated from the Hydrotreating isolation valves
units is processed in SRU to recover ii) Level transmitter for low-low level
the sulphur. One third of the acid trip of pump.
gas is converted to SO2 in the iii) Pressure transmitter for low-low
reaction furnace at a temperature of pressure trip of the pump.
1200 deg C. The SO2 formed will iv) Tripping of pump at Gas Cracker
react with the H2S to form sulphur. Unit at high-high level in tank
The reaction takes place in the v) Tripping of IOP pump at low-low
presence of catalyst. Please refer level in tank
Fig.21 vi) ESD to shut off all inlet valves in
feed line in case of high-high level
In view of the toxic nature of the gas and high- high pressure in the
being handled, the following safety tank. ESD to be located in Main
instrumentation shall be considered Control Room and at site (outside
for implementation with the process the periphery of tank)
licensor: vii) Any other protection for safe
operation of the system in line
a. The feed to the unit shall be cut with OEM
off and the furnaces shall trip in
following conditions: 5.2 CENTRIFUGE:
i) high pressure inside Centrifuge in petrochemicals is used
reaction furnace for separating the polymer powder
ii) low combustion air flow/ cake and the solvent. It runs much risk
pressure of explosion due to often present
iii) when the off-gas hydrocarbon Fuel, Oxygen and
incinerator trips Ignition source within the Centrifuge
b. Any other protection for safe itself. The possible ignition source
operation of the system in line may be very high levels of static
with the process licensor electricity generated from high
rotational speed of basket (bowl) or a
5.0 SAFETY INSTRUMENTED spark from metal to metal contact
SYSTEMS IN PETROCHEMICALS resulting from a mechanical failure
within the centrifuge or hot spot
5.1 CRYOGENIC STORAGE: developed from mechanical wear,
Liquefied Natural Gas (LNG) turns to friction or bearing failure etc. Typical
liquid state at (-161 ºC) under process cycle of a batch type
atmospheric pressure. As liquefaction Centrifuge operating with hazardous
reduces volume by 600 times, LNG is substances is -- Purging with inert gas
stored and transported in liquid form. (usually Nitrogen), Separation of
Ethylene produced from Cracker unit is solvent liquor from feed slurry,
stored at (-104 ºC) at atmospheric washing the residual solid product,
pressure. The cryogenic storage tanks final spinning and discharge of solid
product. Inerting is required to

24
 maintain minimum oxygen level for Centrifuge may be interlocked
combustion (MOC) for safety against with an analyser.
explosion. Refer Fig 23 v) Interlock to trip motor on High
Vibration
5.2.1 Following safety instrumentation shall be vi) Interlock to trip motor on High
provided for Centrifuge: Torque
i) An interlock to inhibit any purging vii) Centrifuge will shut down in a
until its lid or inspection hatch has controlled fashion if there is a
been closed. failing of the analyser, the
ii) An interlock to inhibit the compressed air supply, the
Centrifuge from rotating until the electrical power supply, the
oxygen level reaches below a pre- sensor or the nitrogen supply
set safe level. Minimum two viii) Any other protection for safe
sensors for oxygen and both operation of the system in line
should confirm for start permit. with OEM
iii) An interlock on the slurry feed,
which has a normally closed 5.3 EXPANDER – COMPRESSOR
automated valve and is permitted SYSTEM:
to open only for feeding the
Centrifuge. Following safety interlocks as minimum
iv) An interlock used to ensure safe with required instrumentation shall be
levels of oxygen within the incorporated for safe operation of the
Centrifuge for operator entry, i.e. system in line with OEM. Refer Fig. 24
at the end of the batch the

Table 1: Details on trip requirements for Expander-Compressor

TRIP PARAMETERS Initiating cause for Tripping Initiating cause for
of ( Driver side) Expander Tripping of ( Load
turbine side) Compressor
Bearing temperature High-High High-High
Bearing temperature Low-Low
Shaft Vibration High-High High-High
Shaft Speed High-High
Lube oil Del Pr Low-Low Low-Low
Seal gas Del Pr Low-Low Low-Low
Thrust Diff Pr High-High High-High
Inlet (Suction)Pr Low-Low Low-Low
Discharge Pressure High-High & Low-
Low
Discharge Temperature Low-Low High-High
Suction KOD level High-High High-High
Separator-I & II Level High-High
Expander SDV Causes expander to trip when
suction/discharge limit SDV closes
switch actuation
Discharge Flow Low-Low
Power-failure Power fail contact taken from
electrical sub station and given
to instrument system for
tripping expander-compressor

25
5.4 GAS CRACKER UNIT: Pyrolysis vi) Manual push button of partial
Furnace shutdown in Field as well as in
Pyrolysis or steam cracking is the Control room which will cut fuel gas
primary process utilized to to wall burners.
manufacture olefins. This gas-phase
reaction takes place in metal alloy 2) Following SIS provisions will facilitate
tubes within a fired furnace. An Complete Shutdown:
industrial Pyrolysis furnace is a i) Main dilution steam flow low Low
complicated piece of equipment that switch if activated will cut the main
functions as both a reactor and high- fuel gas supply through quick shut
pressure steam generator. The off.
Pyrolysis reactions proceeds in ii) Water quench tower overhead
tubular coils made of Cr/Ni alloys. temperature high high switch if
These coils are hung vertically in a activated shall cause shutdown of
firebox. Burners are arranged on the furnace.
walls and on the floor of the firebox for iii) Fuel gas flow in Low Low Pressure
indirect firing. This section is called shall activate Furnace draft control to
the radiant section because the close damper.
radiant heat is recovered. At the end iv) Furnace arch draft high pr. switch if
of the Pyrolysis, the reaction needs to activated will stop the ID fan.
be quenched rapidly to avoid further v) Manual push buttons of complete
decomposition of desired olefins. This shutdown of furnace shall be
is achieved by indirect cooling using a provided both in Field and in control
quench exchanger or direct cooling by room
injecting quench oil into the gas
effluent. The heat carried by the flue 6.0 RECOMMENDED PRACTICES &
gas is recovered at the convection INNOVATIONS FOR IMPROVEMENT
section of the furnace. This section Long industry experience on operating
consists of a series of “tube banks” complex processes, lesson learnt from
where the heat is recovered for major incidents in the past and proven
superheating steam, preheating the guidelines from process licensors and
hydrocarbon feed, boiler feed water OEMs, provide us with set of best
and dilution steam. practices to follow for enhanced safety.
A few of them are listed as under:
5.4.1 Following safety instrumentation shall 6.1 Application of diagnostic provisions for
be provided for Pyrolysis furnace ( Refer Predictive/Maintenance/ Failure Alerts e.g.
fig 25). to detect chokage in impulse line, use of
smart positioners for online checking of
1) Following SIS provisions will facilitate critical safety instrumentation and
partial shutdown with ID fan in line: interlocks wherein demand overrides the
i) Hydrocarbon Feed Flow Low Low Partial Stroke Test. For example for dump
interlock in each zone to cut off HC valve etc.
feed into each zone. 6.2 Frequent periodic testing to ensure
ii) Steam Drum water level low low availability of SIS and its components on
interlock to reset flow rates in Dilution demand
Steam Control valves to each zone. 6.3 Recommendations by the Process
iii) High pressure Superheated Steam Licensors and International standards as
Coil Outlet Temperature High High applicable shall be used as guidelines viz.
interlock to reset flow rates in Dilution IEC 61511 -1,2,3 which pertains to the
Steam Control valves to each zone. trips and alarms and emergency
iv) Floor Burner Fuel gas pressure Low shutdowns required for the protection of
Low interlock to reset flow control in the equipment and loss to assets .
De coke steam control valves. 6.4 Necessary SIL level should to be ensured
v) Bypass MOV to De-coke Drum if for SIS components in critical process
start to open will activate SD 2. . functions, in line with IEC 61508
guidelines.

26
6.5 To defend against common mode failure, it Operators must have SOP (standard
is appropriate to monitor dissimilar but operating practices) for each alarm
related alarm conditions in the same detailing a unique predefined follow up
equipment/ circuit. For example, monitor action – either from control room or in the
both, low cooling water flow high water field or both. It is preferable to configure
outlet temperature. alarms with the non-controlling loops or
open loops.
6.6 ALARM MANAGEMENT
Alarms are configured to alert the operator Instead of overloading the operator
whenever the process parameters unnecessarily, alarms should facilitate
undergo change beyond their permissible safe and efficient operation by bringing the
operating limits. Based on the extent of criticality to the fore where corrective
change in parameter and severity of actions are called for. Detailed periodic
related consequence, the alarms’ priority review of alarm summary should be
need be assigned to enable the operator undertaken to identify the redundant /
taking corrective actions. Too many nuisance alarms..
alarms overload the operator. Nuisance
alarms create distraction in handling For quick understanding by the operator
emergencies by the operator. about the priority level of an alarm, use of
different color codes and beeps may be
For efficient emergency handling, alarms considered to assign priority 1,2,3 and 4.
need to be rationalised. The principle
should be “no alarm for no action”.

Table 2: Typical Best Practices Bench Marks: **EEMUA 191

Plant Alarms #
Average number of Alarms (over 10 minutes) i.e. alarm rate 1
Alarms after plant upset (over 10 minutes) 10
Average number of standing alarms 10
Average number of shelved alarms 30

Configured Alarm Priority Breakup

Critical Alarms < 1%
High priority 5%
Medium Priority 15%
Low Priority 80%

**EEMUA (Engineering Equipment & Materials Users Association) is an established industry

Association with an international reputation in engineering, technology and the management of
capital assets, typically chemical process plants, refineries, power stations and upstream oil/gas
facilities. EEMUA Publication 191 - first published in 1999 and revised in 2007, is recognised
world over as a reference and guide to the design, management and procurement of alarm systems.

ii) IEC 61511: Standard by International

7.0 REFERENCES : Electro-technical Committee on “Safety
Instrumented system for process industry
i) IEC 61508: A generic standard by sector”. It is intended to provide
International Electro-technical Committee guidelines for determination of required
on “Functional Safety of safety integrity levels.
electrical/electronic/programmable-
electronic safety related systems”. It is iii) API- 14 C
intended to be a basic functional safety
standard applicable to all kinds of iv) EEMUA 191: Provides guidelines the
industry. design, management and procurement of
alarm systems

27
THIS PAGE IS INTENTIONALLY KEPT BLANK

28
 Annexure – 1
Process Control and Safety Instrumented System – a Comparison
Features Process Control Safety Control
Control type Active, complex, optimising Passive, simple, direct acting
Tasks Many variables, expanding, Limited, strictly defined
experimental
Modes of control Auto/manual, supervisory Automatic, no manual intervention,
no external command levels
Communications Open systems, Field bus etc Limited, specialised, difficult with
bus networks
Changes Easy to make, password Strictly controlled, password
protected, configurable, protected, verified and documented,
parameter changes parameter changes strictly controlled
Diagnostics Limited Intensive proof-testing
Redundancy Used for high availability for Used for high reliability
continuous use
Documentation For convenience Essential for validation of each
function
Testing Nominal loop testing Failure modes testing
Legal Not regulated Subject to regulation, audit and
certification

29
 Annexure – 2
Details on LOPA (Layer of Protection Analysis)
In order to assess the adequacy of protection for a process function, PHA (HAZOP study) is done first.
HAZOP tables list out Deviations, Causes, Consequences, Safeguards and Recommendations. The
details so compiled include estimates of frequency for each cause and severity for each consequence.
The HAZOP information is utilised for development of Layer of Protection Analysis (LOPA), as shown in
the Fig.1. LOPA is a simplified semi-quantitative technique of risk analysis. It helps to assess what
independent protection layers (IPL) already exist or what are required for process safety.

The LOPA team recommends use of an SIS only if other design changes for inherent (built-in) safety,
cannot reduce the Mitigated event likelihood to less than the target. While LOPA does not suggest which
safeguards to add or which design to choose, it does assist in deciding between alternatives.

1) First LOP is the primary protection catered by a safe and effective basic process control system
(BPCS), e.g. controllers, control valves and operator supervision. It is a preventive measure
protection.

2) Second LOP is also in-built in the Process control system in the form of alarms combined with
operator’s intervention to bring the process to safe state in case of upset. It is a preventive measure
applied for protection in all major installations. Where control system is not designated as safety
related, the protective system for a process has to be separate and independent from control system
as the third LOP.

3) Third LOP is the Safety Instrumented System (SIS) which is independent of the process control
system. Having separate sensors, valves and logic system, its only role is Safety. Based on available
experience and technological know-how with the process designer, SIS is configured to protect the
process & equipment against envisaged adverse process conditions. Adequacy of SIS is verified
through [Link] remains dormant or passive until demand arises.
4) Fourth LOP is the secondary protection configured to minimise consequence of a process upsets like
overpressure causing equipment rupture, loss of containment causing large uncontrolled spills or
release leading to explosion/fire/toxic environment. For example relief valves or rupture discs
designed to prevent overpressures can provide the secondary protection. Similarly, it may exist in the
form a dyke or other passive barriers to contain a fire or channel of energy of an explosion and
minimise the consequence or spread of damage. System for Pressure Relief & Disposal and system
for Oily Water Sewer (OWS) should be designed in line with OISD STD-106and OISD-STD-109
respectively and also in compliance to the layout stipulations of OISD-STD-118.
5) Fifth LOP, also the final layer, is the emergency response plan (ERP) for both onsite & offsite. It
generally includes evacuation plan, fire fighting, rescue operation etc. This LOP responds to minimise
consequence in terms of the ongoing damage, injury or loss of life. Accordingly, each
installation/group of installation handling hazardous material needs to have risk mitigation plan or
disaster management plan (DMP) in place.

Notes:
i) As Layers of Protections together mitigate the risk severity to ALARP (as low as reasonably
practical) limits, LOPA is an essential step to follow after PHA (HAZOP study). LOPA uses risk
-6
tolerance criterion of 1 x 10 per year for an event with consequence of 2-10 fatalities for the risk
that is broadly acceptable.
rd
ii) OISD-STD-152 mainly deals with SIS requirement (i.e. 3 LOP) and also covers safety related
nd
instrumentation of the 2 LOP.
iii) In order to assess the requirement of Safety Instrumented Functions for protection of the process
facility, it is recommended to perform Process Hazard Analysis (covering HAZOP, Risk Analysis
and SIL studies) for any proposed (new) facility or modifications/change in the existing process/
facility, so that SIS can be suitably designed / upgraded.

30
 ANNEXURE-3

SIL Determination – An Overview

There are several methods to determine SIL level for an SIF. These include ALARP, Risk Matrix,
Risk Graph, Layers of Protection Analysis (LOPA) etc. LOPA is not essential to a SIL study but is
very helpful to establish SIL targets.

1) SIL, also termed as SIL rating, it helps in defining the extent of process safety performance
expected from SIS to bring the process to safe state, when the specific process control
(BPCS) provided fails to cope with the upset conditions. Based on the SIL rating, each
specific process function is optimized for risk protection by selecting components rated
appropriately in line with IEC 61508. SIL is the discrete level (1 out of a possible 4) for
specifying safety integrity requirements of the safety functions to be allocated to the
electrical/ electronic/ programmable electronic safety related systems. SIL 4 stands for the
highest level of safety integrity and SIL 1 the lowest. SIL concept helps the safety system
designers and developers in making systems “acceptably safe” for their intended use in
the safety function with an understanding of the risks and defined safety requirements for
the risks needing reduction. Main objective of SIL is to provide a consistent, auditable result
of performance of SIS present in the process facilities. SIL should be assessed and
determined in terms of both hazards and consequences associated with specific installation.
Accordingly, it should be considered essential to assign and verify SIL level of various SIS
present.

2) SIL & related Measures for low demand mode operation

SIL Availability *PFD (avg) * MTBF = ( 1/PFD) =

equivalent *RRF
4 >99.99% 10-5 to <10-4 100000 to 10000
3 99.9% 10-4 to <10-3 10000 to 1000
2 99 – 99.9% 10-3 to <10-2 1000 to 100
1 90-99% 10-2 to <10-1 100 to 10
* MTBF = Mean Time between failures, RRF = Risk Reduction Factor
* PFD = Probability of Failure on Demand

3) Steps involved in Assignment of SIL Rating of a Safety Function:

 Step 1: A detailed Hazard & Risk Analysis of the process system shall be undertaken by
a multi-disciplinary team to enlist all foreseeable Hazards, their probability of occurrence
and impact on plant, manpower, society and environment (operational, corrosion related,
accidents and natural calamities). For non-availability of requisite data, subjective
probability shall be assigned based on collective experience of the members.

 Step 2: A comprehensive Layer of Protection Analysis (LOPA) shall be conducted to

specify the protection layers for reduction of above Hazards. LOPA helps to establish
whether the hazards involved need reduction by application of SIS as LOP.

 Step 3: Safety Integrity Functions (SIFs) shall be defined for each identified SIS LOP.

31
  Step 4: Then, for each SIF, the SIL rating shall be defined based on the desired level of
risk reduction. A sample exercise of SIF with SIL assignment is reproduced to
conceptualise the SIS architecture.

SIL Rating for SIF Listing – a sample matrix

SIF SIF Description Hazard Inputs Outputs SIL Reason Risk
ID Reduction
1 Main Pump high Potential P,T 2 Potential 1000
discharge for fatal times
Pressure rupture impact
demands of main
emergency line due
shutdown of the high
facility through pressure
activating ESD
Note: This simplified matrix is intended to illustrate in broad sense the methodology
for SIL assessment and does not provide a model solution. A case specific
assessment will be required for each process safety function.

 Step 5: The SIS conceptualised at step-4, shall then be Safety certified by TUV, FM or
equivalent.

 Step 6: During commissioning and thereafter once every five years, the SIS shall be
functionally validated. OISD-STD- 153 provides the minimum re-calibration intervals for
SIS instruments.

 Step 7: Whenever, any retrofitting to the plant is done, new processes are added,
major repairs are done, a major modification to the plant or in operation philosophy is
done, a detailed review should be done by following above procedure from steps from 1
to 7.

 Step 8: During design of SIS, useful design life of the system shall be evaluated. Due
consideration to be taken for de-rating the reliability due to ageing as well as availability
constraints of maintenance spares. The entire SIS shall be replaced upon completion of
the design life. During replacement, the above procedure shall be followed.

 Step 9: If is decided to extend the operation of the SIS beyond the design life, approval
shall be obtained from the head of the plant and documented. Upon completion of the
extension period, the replacement shall be ensured as per procedure step 9. (There has
to be rare instance where from Engineering Estimation, Maintenance Data and other
evidences, it is decided to extend the operation of the SIS)

Reference: IEC 61511 is an application specific adaptation of IEC 61508 for the Process
Industry sector. This standard is used in the petrochemical and hazardous chemical
industries.

32
FIGURES / DRAWINGS

33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55