December 2008

System Integration

Hot iron

Iron reduction technology keeps plant shutdown safe, trip free


  • Demand for iron feed drives global boom for iron reduction plants.
  • Mexican steel producer improves direct reduced iron process.
  • Lessons learned on safety instrumented systems, standards.
By Gerardo González López and Eduardo Noriega

The production of direct reduced iron (DRI) involves reducing iron ore in the form of pellets or lumps using a reducing gas consisting of hydrogen and carbon monoxide. Growing demand for quality iron feed for electric furnaces is driving a boom in the market for DRI plants all over the world. As with all processes that operate at high temperatures and pressures, you should consider safety issues very carefully in the design of a DRI plant to prevent human fatalities and injuries, environmental damage, and damage to the plant, as well as to maximize throughput.

A safety instrumented system (SIS) plays a critical role in DRI plants by detecting potentially dangerous conditions, taking the plant to a safe state, informing the operator about the plant status and the cause of the trip, and expediting a safe plant restart. The SIS should ideally be fully integrated with, but functionally independent of, the basic process control system (BPCS), and should provide redundant logic solvers to increase safety and plant availability while reducing spurious trips.

DRI technology

Tenova HYL originated as the former Hylsa steel company of Mexico, and it is now part of the Techint Group, specializing in steelmaking production from mines and pellet plant operations, to direct reduction, electric furnace steelmaking, rolling, and finishing. Tenova HYL licenses the HYL direct reduction process to iron and steel companies around the world, directly and through collaboration with partner Danieli & C., under the Energiron brand.

HYL built the first DRI plant in 1957 and has developed the HYL-I and HYL-II processes, which use a retort bed, and the HYL-III process, which uses a countercurrent shaft furnace to reduce pellets and lump ore. HYL has improved these key DRI processes:

  • Partial combustion concept improves plant productivity
  • Reformerless operation (ZR process)
  • Production of high-carbon DRI
  • Hot DRI charging to the electric arc furnace through pneumatic transport
  • High quality DRI processing 100% lump ore in an industrial plant

Generation of the reducing gases begins with self-reforming in the reduction furnace. Natural gas is fed as make-up to the reducing gas circuit, and oxygen is injected at the furnace inlet. The partial combustion of the natural gas generates the hydrogen and carbon monoxide reducing gases and also provides the additional energy required for natural gas reforming and carburization of the metallic iron. Because of the partial combustion, the reducing gas temperature at the furnace inlet is above 1000°C, but due to the endothermic behavior of the combined chemical reactions taking place inside the shaft furnace, the resulting temperature in the reduction zone stays below the point at which material clusters form.

Once the gas is in contact with the solid material inside the furnace, further reforming and cracking take place due to the catalytic effect of the metallic iron. Reformed gas, coal gas, and other gases can replace natural gas under the same basic process scheme. By eliminating the need for a reformer, the reformerless process reduces the total investment for a DRI plant by 10% to 15% and also reduces operating and maintenance costs. Eliminating the external gas reformer also reduces the plant footprint by nearly 40% compared to a conventional DRI plant of the same capacity. Overall energy efficiency can be optimized by integrating partial combustion, pre-reforming, and in-situ reforming inside the shaft furnace, as well as by reducing the thermal equipment in the plant. The result is high quality DRI (94% iron, 4% carbon, discharged at 700°C) produced with an energy consumption of only 2.25 to 2.3 Gcal/ton of natural gas and 60 to 80 kWh/ton of electricity. Another key advantage of this approach is wider flexibility in DRI carburization, which allows carbon levels up to 5.5% due to the improved carburizing potential of the gases inside the shaft furnace.

Potential process hazards

The DRI shaft furnace operates at pressures of nearly 6 bar absolute and temperatures of up to 1000°C, conditions more typical of chemical plants than steel mills, with the dangers this implies. One of the greatest potential hazards is a failure of the oxygen injection system, which could allow hydrogen to flow back into the oxygen injection system and cause an explosion in the piping. To prevent this, the HYL design uses three block valves between the oxygen injection system and the shaft furnace, with a vent between the first and second block valves and a nitrogen injection point between the second and third.

In the event of a problem such as a breakdown of the oxygen injection system, the SIS trips the plant and takes it to a safe state. The trip first opens the nitrogen injection valve and closes the first and second oxygen block valves; the third block valve remains open. Once feedback signals confirm that the first and second block valves are closed, the vent valve opens and releases the oxygen trapped between the first and second block valves to atmosphere. With the third block valve still open, the nitrogen flow purges the piping between the second and third block valves and pushes any oxygen trapped there into the shaft furnace, so that no explosive mixture can form inside the piping. Once the time allotted for the purge has elapsed, the third oxygen block valve closes.
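The sequence above written as a small step sequencer, as an added example that is not Tenova HYL or DeltaV SIS code. The valve tags, the purge time, the feedback timeout and the one-scan actuator model in the simulation are assumptions made for the example. The point it makes explicit is the ordering the interlock depends on: the vent never opens until limit-switch feedback confirms both block valves are closed, and if that feedback never arrives the sequence holds in a fault state with the vent shut and nitrogen on rather than continuing.

```python
"""Oxygen-injection trip sequence as an SIS step sequencer.

Added illustration, not Tenova HYL or DeltaV SIS code. The valve tags, the
purge time, the feedback timeout and the toy actuator model are assumptions
made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Step(Enum):
    RUNNING = "running"
    ISOLATING = "isolating"            # N2 on, block 1 and 2 commanded closed
    PURGING = "purging"                # vent open, N2 pushing O2 through block 3
    SAFE = "safe"                      # block 3 closed, sequence complete
    FEEDBACK_FAULT = "feedback_fault"  # block valve closure never confirmed


@dataclass
class Valve:
    tag: str
    commanded_open: bool
    feedback_open: bool   # limit-switch position as seen by the logic solver


@dataclass
class OxygenTripSequencer:
    block1: Valve
    block2: Valve
    block3: Valve
    vent: Valve
    nitrogen: Valve
    purge_time_s: float = 30.0        # assumed purge duration
    feedback_timeout_s: float = 10.0  # assumed time allowed for closure feedback
    step: Step = Step.RUNNING
    elapsed_s: float = 0.0
    events: list[str] = field(default_factory=list)

    def _goto(self, step: Step) -> None:
        self.events.append(f"{self.step.value} -> {step.value}")
        self.step = step
        self.elapsed_s = 0.0

    def trip(self) -> None:
        """Demand from the shutdown logic: start the isolation sequence."""
        if self.step is not Step.RUNNING:
            return
        self.nitrogen.commanded_open = True
        self.block1.commanded_open = False
        self.block2.commanded_open = False
        self.block3.commanded_open = True     # stays open for the purge
        self._goto(Step.ISOLATING)

    def tick(self, dt_s: float) -> None:
        """One logic-solver scan; dt_s is the scan interval."""
        self.elapsed_s += dt_s
        if self.step is Step.ISOLATING:
            if not self.block1.feedback_open and not self.block2.feedback_open:
                # vent only once feedback confirms both block valves are closed
                self.vent.commanded_open = True
                self._goto(Step.PURGING)
            elif self.elapsed_s >= self.feedback_timeout_s:
                # closure never confirmed: hold with vent shut and N2 on, alarm
                self._goto(Step.FEEDBACK_FAULT)
        elif self.step is Step.PURGING and self.elapsed_s >= self.purge_time_s:
            self.block3.commanded_open = False  # purge complete, isolate furnace
            self._goto(Step.SAFE)


def simulate_trip(block_valves_close: bool, scan_s: float = 1.0) -> OxygenTripSequencer:
    """Run a trip against a toy plant model. With block_valves_close=False the
    limit switches never confirm closure (a stuck block valve)."""
    seq = OxygenTripSequencer(
        block1=Valve("XV-O2-1", True, True),
        block2=Valve("XV-O2-2", True, True),
        block3=Valve("XV-O2-3", True, True),
        vent=Valve("XV-O2-VENT", False, False),
        nitrogen=Valve("XV-N2", False, False),
    )
    seq.trip()
    for _ in range(100):
        for v in (seq.block1, seq.block2):
            if block_valves_close and not v.commanded_open:
                v.feedback_open = False     # toy actuator: closes within one scan
        seq.tick(scan_s)
        if seq.step in (Step.SAFE, Step.FEEDBACK_FAULT):
            break
    return seq


if __name__ == "__main__":
    for stuck in (False, True):
        s = simulate_trip(block_valves_close=not stuck)
        print(f"stuck={stuck}: final step {s.step.value}, "
              f"vent open={s.vent.commanded_open}, block3 open={s.block3.commanded_open}")
```

Running the module prints the outcome for a healthy trip (ends in `safe` with the third block valve closed) and for a stuck block valve (ends in `feedback_fault` with the vent still closed). What to do after a feedback fault is a design decision for the plant; holding with nitrogen on and alarming is the assumed policy here.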


Another potential hazard is the exhaust system that takes CO2, CO, H2 and other gases out of the shaft furnace. Water is injected into the pipe to cool the hot gas. If the water injection fails, the gas temperature is likely to exceed the rating of the carbon steel piping. For this condition, you can implement a high-temperature trip that stops gas flow and heating, preventing damage to the equipment and a potential gas leak. The water is removed from the piping in quench towers, where the gas pressure pushes it back into the water system; the water itself forms a seal that keeps the gas from leaking out. Preventing leakage matters because CO is a danger to anyone near the cooling tower, so a low-level trip closes a shut-off valve in the water return line before the seal can be lost. In addition, there are trips for rotating equipment such as centrifugal compressors and pumps. Thermal equipment must also be protected against explosion, so a burner management system (BMS) is another safety function present in HYL plants.


SIS design considerations

Normally, you look for common causes in shared hardware: the same tapping points, or a single final element. But you rarely think about something like the environment. We learned a lesson about it in one of our plants. A steam drum level controller had three transmitters with separate tapping points, yet a single failure left the steam drum empty: the tapping lines froze when a common circuit breaker cut power to the heat tracing. Fortunately a separate 2oo3 level switch that needed no heat tracing tripped the plant. Another incident caused a plant trip when most of the natural gas control and shut-off valves froze as the natural gas temperature dropped far below 0°C. In this case, the double block and bleed valves protected the plant. This prompted us to consider the consequences of a wide range of weather conditions, such as flood, sand storm, freezing temperatures, and the like, as common causes in their own right.

Layered approach

The International Electrotechnical Commission's IEC 61508 standard and ANSI/ISA-84.00.01-2004 (the U.S. adoption of IEC 61511, the process-sector standard derived from IEC 61508) govern the design and implementation of SISs. The standards define the concept of a safety instrumented function (SIF), a single set of actions that protects against a specific hazard, and a safety integrity level (SIL), which defines the level of risk reduction required of a particular SIF. You perform a layer of protection analysis (LOPA) for each hazard. This involves first defining the severity of the unmitigated event, S(x). The next step is defining the frequency of the initiating event, then applying the reduction factors for existing automation, operator intervention, and safety relief devices and calculating the resulting event frequency, F(x). The event frequency times the severity is the risk, Risk(x).

From this point, we can determine whether we need a SIS and the risk reduction factor the SIS must provide to bring Risk(x) down to an acceptable level. The SIS that ensures safe operation of the process consists of four components. Primary elements, or sensors, monitor the process conditions. Final elements, or shut-off valves, perform the mitigating actions. The logic solver decides which actions need to be performed. The human machine interface (HMI) keeps the operators informed of the plant status and the cause of the trip.
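The LOPA arithmetic described above, carried through in code as an added example (not Tenova HYL's analysis or data). The SIL bands are the IEC 61508 low-demand-mode ranges, in which the required risk reduction factor (RRF) is 1/PFDavg; the scenario names follow the hazards discussed in this article, but every frequency, PFD credit, severity and tolerable-frequency target is a constructed number for illustration only.

```python
"""Layer-of-protection arithmetic: does this hazard need a SIF, and at what SIL?

Added example with constructed numbers, not data from the HYL plant. The SIL
bands are the IEC 61508 low-demand-mode ranges; everything else (scenario
names, frequencies, PFD credits, targets) is assumed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# (SIL, minimum RRF inclusive, maximum RRF exclusive); RRF = 1 / PFDavg
SIL_BANDS = [(1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000)]


@dataclass(frozen=True)
class Scenario:
    name: str
    initiating_frequency: float    # initiating events per year
    severity: float                # S(x), on whatever consequence scale the site uses
    ipls: dict[str, float]         # non-SIS protection layer -> PFD credited to it
    tolerable_frequency: float     # acceptable frequency of the event, per year


def mitigated_frequency(s: Scenario) -> float:
    """F(x): initiating frequency reduced by every layer that is already in place."""
    f = s.initiating_frequency
    for layer, pfd in s.ipls.items():
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"{s.name}: PFD credited to {layer} must be in (0, 1]")
        f *= pfd
    return f


def risk(s: Scenario) -> float:
    """Risk(x) = F(x) * S(x), the product the text defines."""
    return mitigated_frequency(s) * s.severity


def required_rrf(s: Scenario) -> float:
    """Risk reduction factor the SIS must add to bring F(x) down to the target."""
    return mitigated_frequency(s) / s.tolerable_frequency


def required_sil(rrf: float) -> int:
    """SIL band for a required RRF; 0 means below SIL 1, so the existing layers
    suffice or the gap is small enough that no SIL-rated SIF is needed."""
    if rrf < 10:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= rrf < hi:
            return sil
    raise ValueError(f"RRF {rrf:.0f} exceeds what a single SIF can claim; redesign the process")


def assess(scenarios: list[Scenario]) -> dict[str, tuple[float, float, int]]:
    """name -> (Risk(x), required RRF, required SIL)."""
    result = {}
    for s in scenarios:
        rrf = required_rrf(s)
        result[s.name] = (risk(s), rrf, required_sil(rrf))
    return result


# Constructed input; the hazards are the ones named in the text, the numbers are not.
CONSTRUCTED = [
    Scenario("hydrogen backflow into O2 injection piping", 0.5, 100.0,
             {"BPCS flow control": 0.1, "operator response to alarm": 0.1}, 1e-5),
    Scenario("quench water loss, exhaust overtemperature", 1.0, 10.0,
             {"relief device": 0.01, "operator response to alarm": 0.1}, 2e-5),
    Scenario("cooling tower water low, CO leak", 0.1, 1.0,
             {"BPCS level control": 0.1}, 5e-3),
]

if __name__ == "__main__":
    for name, (r, rrf, sil) in assess(CONSTRUCTED).items():
        print(f"{name}: Risk(x)={r:.4g}  required RRF={rrf:.3g}  -> SIL {sil}")
```

With the constructed numbers the first scenario needs an RRF of 500 (SIL 2), the second an RRF of 50 (SIL 1), and the third only about 2, which the existing layers cover without a SIL-rated SIF. A required RRF above the SIL 4 band raises an error on purpose: that is a signal to change the process, not to specify a bigger SIF.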

When we originally developed the DRI process, the SIS logic solver was based on relay logic. Later, in the 1980s, we implemented the SIS in redundant programmable logic controllers (PLCs). We configured a main power relay so that when power was lost and the relay de-energized, the plant would go to a safe state.

One weakness of this approach was that it required quite a few interfaces to the various sensors, valves, and other elements of the SIS. This put practical limits on the number of points we could monitor and control, and each of these interfaces was a possible point of failure. Many pages of ladder logic were required to program the operation of the SIS.

We also needed to test the entire safety loop manually on a regular basis, which required considerable labor and shutting down the plant. An incident in the early stages of DRI development highlighted the weaknesses of the traditional PLC approach: the SIS failed to detect a problem that ended up causing several million in damage.

BPCS and SIS: Integrated yet separate

The incident mentioned above, as well as the experience we have gained over the years, demonstrated the advantages of using a SIS based on the same proven digital technology as the BPCS while providing complete redundancy, so that a failure in one system cannot affect the other. The SIS is integrated with, yet separate from, the BPCS. Separate application-specific hardware is used for the BPCS and the SIS, yet the two systems share a common HMI, configuration procedures, programming languages, and maintenance procedures. This lets users achieve the operational benefits of integration while meeting the safety requirement of separation. The BPCS and SIS communicate transparently with each other, but each is protected from corruption by the other.

This latest approach uses the same workstations for operations, engineering, and maintenance, with rigorous user management so that only authorized people can access safety functions. The common software platform gives the operational benefits of high-level integration of control and safety.

Each SIS controller is a stand-alone, self-contained logic solver with its own pair of redundant CPUs, power supply, and I/O processor. You can install it on the same carrier as standard BPCS modules while remaining completely independent of power supplies, communications networks, hardware and operating systems.

The safety system delivers diagnostic information that gives technicians details about a malfunction in sensors, transmitters, and final elements, and enables them to conduct preventive maintenance as well. You can access safety system and control system data from a single operator interface in exactly the same way you would access data from a BPCS controller.

The logic solver has extensive diagnostics to ensure a safe plant trip, even with SIS element failure. The shutdown logic monitors the sensors, detects variables outside the safety values, and activates the final elements to perform the safety function when required. The reset logic receives operator commands to reset the final elements, detects safe process values to restart, monitors initial valves or status of equipment, and performs automatic start sequences if they are required. The first out logic detects the initial cause of a trip and locks it for operator information.

Simple, certain programming

A rich set of function blocks, certified by TÜV for SIL 3 applications, reduces what formerly took pages of ladder logic to a simple drag-and-drop configuration activity. A cause-and-effect matrix block greatly simplifies logic solver configuration. Voter blocks simplify the handling of device upsets and diagnostic conditions to avoid spurious trips while automating bypass management. Step sequencer blocks save hours compared to conventional ladder logic approaches. State transition diagram blocks provide simple fill-in of states, transition inputs, and desired outputs, saving hours of engineering.

When common SIS function blocks are used to create shutdown logic in a SIS module, the status on the output parameter of the input function blocks, LSAI and LSDI, is the status of the referenced input channel. The analog voter (LSAVTR) and discrete voter (LSDVTR) blocks propagate Bad status on their input parameters selectively.

If a single input of a 1oo2 or 2oo3 voter block has Bad status, OUT_D continues to have Good status because there are enough good inputs for a real process demand to cause a trip. However, if a single input of a 1oo1 or 2oo2 voter block has Bad status, its OUT_D has Bad status. If a Cause input of a cause effect matrix (LSCEM) block has Bad status, all Effect outputs associated with that input have Bad status.
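The status rules above in plain Python, as an added example that is not DeltaV SIS block code. It generalizes the four cases in the text to any MooN voter: the output status stays Good exactly when at least M Good inputs remain, which is the "enough good inputs for a real demand to trip" condition. The policy that a Bad input is ignored rather than counted as a trip vote, the tag names, and the constructed steam-drum scenario (the frozen tapping lines from the common-cause incident described earlier, alongside the 2oo3 level switches that saved the plant) are assumptions. The cause-and-effect matrix also latches the first cause that tripped each effect, which is the first-out function described in the logic solver section.

```python
"""MooN voting with Bad-status propagation, a cause-and-effect matrix and a
first-out latch, in plain Python.

Added example, not DeltaV SIS block code. The policy that a Bad input is
ignored rather than counted as a trip vote, the tag names and the constructed
steam-drum scenario are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    GOOD = "Good"
    BAD = "Bad"


@dataclass(frozen=True)
class Signal:
    trip: bool      # True = this input votes for a trip
    status: Status


def vote(inputs: list[Signal], m: int, n: int) -> Signal:
    """MooN discrete voter in the style of LSDVTR.

    Trips when at least m Good inputs vote trip. The output status stays Good
    while at least m Good inputs remain, since that is still enough for a real
    process demand to cause a trip; with fewer Good inputs the output is Bad.
    For 1oo2 and 2oo3 one Bad input leaves the output Good; for 1oo1 and 2oo2
    one Bad input makes it Bad, as the text above describes.
    """
    if len(inputs) != n or not 1 <= m <= n:
        raise ValueError("voter needs exactly n inputs with 1 <= m <= n")
    good = [s for s in inputs if s.status is Status.GOOD]
    trip = sum(s.trip for s in good) >= m
    status = Status.GOOD if len(good) >= m else Status.BAD
    return Signal(trip, status)


def analog_vote(values: list[tuple[float, Status]], limit: float, m: int, n: int,
                low_trip: bool = False) -> Signal:
    """LSAVTR-style: compare each analog input with the trip limit, then vote."""
    signals = [Signal(v <= limit if low_trip else v >= limit, st) for v, st in values]
    return vote(signals, m, n)


@dataclass
class CauseEffectMatrix:
    """Rows are causes, columns are effects; matrix[cause] holds the effects it trips."""
    matrix: dict[str, set[str]]
    first_out: dict[str, str] = field(default_factory=dict)   # effect -> first cause

    def evaluate(self, causes: dict[str, Signal]) -> dict[str, Signal]:
        effects: dict[str, Signal] = {}
        for effect in sorted({e for es in self.matrix.values() for e in es}):
            linked = [c for c, es in self.matrix.items() if effect in es]
            tripping = [c for c in linked if causes[c].trip]
            # a Bad cause makes every effect it is linked to Bad
            bad = any(causes[c].status is Status.BAD for c in linked)
            if tripping and effect not in self.first_out:
                self.first_out[effect] = tripping[0]   # latch until operator reset
            effects[effect] = Signal(bool(tripping), Status.BAD if bad else Status.GOOD)
        return effects

    def reset(self, effect: str) -> None:
        """Operator reset clears the first-out record for an effect."""
        self.first_out.pop(effect, None)


def steam_drum_scenario() -> tuple[Signal, Signal, dict[str, Signal], dict[str, str]]:
    """Constructed scenario: heat tracing on all three level-transmitter tapping
    lines is lost and the transmitters go Bad, while a separate 2oo3 set of
    level switches that needs no heat tracing sees low level."""
    transmitters = [(0.0, Status.BAD), (0.0, Status.BAD), (0.0, Status.BAD)]
    lt_vote = analog_vote(transmitters, limit=20.0, m=2, n=3, low_trip=True)
    switches = [Signal(True, Status.GOOD), Signal(True, Status.GOOD), Signal(False, Status.GOOD)]
    ls_vote = vote(switches, m=2, n=3)
    cem = CauseEffectMatrix({"LT-101 2oo3 low": {"boiler trip"},
                             "LS-102 2oo3 low": {"boiler trip"}})
    effects = cem.evaluate({"LT-101 2oo3 low": lt_vote, "LS-102 2oo3 low": ls_vote})
    return lt_vote, ls_vote, effects, dict(cem.first_out)


if __name__ == "__main__":
    lt, ls, effects, first_out = steam_drum_scenario()
    print("transmitter voter:", lt, "switch voter:", ls)
    print("effects:", effects, "first out:", first_out)
```

In the scenario the transmitter voter goes Bad (no Good inputs are left, so it could never see a real demand), the switch voter trips with Good status, and the effect "boiler trip" both trips and carries Bad status, because one of its linked causes is Bad. The first-out record shows the switches, not the transmitters, as the cause, which is exactly the information the operator needs to see after the trip.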

Primary, final elements

Sensors for pressure, temperature, and level play an important role in the DRI risk-reduction strategy. Discrete measurement switches have only a few failure modes, but most of them are dangerous and undetectable. They therefore require regular proof testing, but testing introduces risk of its own: it is manual, so it is subject to error and puts maintenance personnel in hazardous locations. Fortunately, smart digital devices provide continuous indication of their status, which greatly reduces the number of undetected failure modes. Advanced diagnostic capabilities assist in initial setup as well as ongoing maintenance, including predictive diagnostics and detection of in-scale errors that were previously undetectable.

The only way to ensure a safety system valve will function when it is needed is to periodically test it. Safety valve testing often involves the installation and removal of mechanical valve interlocks. If you do not remove the interlocks, you could compromise the performance of the SIS. Human errors cause a majority of plant incidents, so removing the need for manual proof tests can improve safety.


Gerardo González López is manager of instrumentation and control engineering at Tenova HYL in Monterrey, México.

Eduardo Noriega is DeltaV SIS manager at Emerson Process Management in México City, México.