You are on page 1of 5

Role of fired heater safety systems

A fully automated burner management system operating as a SIS for burner control
can meet minimum safety targets, improve system availability and lower costs

NIKKI BISHOP and DAVID SHEPPARD


Emerson Process Management

S
afety and risk mitigation have are to maintain the desired outlet taken to ensure safe operation. Fuel
always been, and always will temperature at the desired charge can accumulate when burners are
be, an important topic for any rate. Besides maintaining tempera- off but should be on and also from
operating company. Safety risks ture and charge rate, control and substoichiometric conditions. Fuel
can be lurking anywhere through- safety systems are designed to must not be allowed to accumulate
out a facility and the consequences maintain efficient combustion of in the firebox as subsequent intro-
of an event range from minor inci- fuel and safe operation throughout duction of an ignition source could
dents to catastrophic failures that the full range of conditions the be catastrophic. In addition to
lead to a loss of life. Protective heater experiences. Figure 1 shows combustion risks, fired heaters
systems are put in place to reduce a typical process fired heater. present risks associated with the
the likelihood of occurrence of Burners in the heater transfer process. Unlike boilers, where the
safety incidents and to take action energy into the process through the process stream is water, the process
in the event that unsafe conditions combustion of fuel. As with any stream for most fired heaters is
arise. While the safety and well combustion process, care must be highly flammable hydrocarbons.
being of personnel is of utmost
importance, the financial impact of
safety systems cannot be ignored.
With so many options available,
selection of a safety system can
prove challenging but can also be
Draught
rewarding. Stack PC
pressure
TI
Minimum safety goals must be temperature
Firebox
met, but a safety system can go Oxygen temperature
beyond meeting safety require- AC
Total charge FC CO TI TC TI
ments to improve overall flow AC
operations and profitability. This FC Pass 1
article will discuss common risks
associated with fired heaters, the FC TI TI Coil outlet
temperature
role of the safety system, applicable
TC
standards and practices, safety Pass 2
instrumented systems (SIS) and the FC TI TI
benefits of an automated burner
management system (BMS), includ- Pass 3
ing an example of cost savings.
FC TI TI

Fired heater operation and risk


Pass 4
Process fired heaters present signif-
icant safety risks. Common in
refineries and chemical facilities, Fuel PI
they are used for heating, vaporisa- gas
Fuel gas FI
tion and thermal cracking of
various process fluids.Heat energy, PI
Combustion
provided by the combustion of fuel, Pilot gas air flow
is transferred to a charge or feed in
a controlled manner. The primary
functions of a process fired heater Figure 1 Typical process fired heater

www.eptq.com PTQ Q3 2013 35


can be quite a daunting task to
assess risk factors, assemble the
Analysis
interlock and permissive conditions
Hazard and risk and then determine which safety
assessment system to implement that meets
both safety and financial targets.
Allocation of safety Fortunately, organisations such as
functions to protection
layers NFPA, ISA, IEC and API publish
documents that offer guidance for
Safety requirements protective systems, which inform a
Specifications for user how to avoid a situation
the SIS
where the fuel supply should be off
but is not, where the flame should
Implementation be on but is off, where the process
Management equipment is overheated, and
of functional Design and Design and
safety, and Safety engineering of development of
where the protective system itself is
functional lifecycle safety other means of risk Verification prevented from working as it
safety structure instrumenated reduction should. These standards also
assessment and planning system
and auditing describe possible actions that the
protective system can perform
Installation,
commissioning and when it detects any of these situa-
validation tions. Each document has been
developed based on experience and
Operation offers valuable information. The
fact that accidents and disasters are
Operation and as infrequent as they are is due to
maintenance
the long experience that has been
incorporated into the various stand-
Modification ards and recommended practices.
The National Fire Protection
Association (NFPA) publishes
Decommissioning NFPA 86 Standard for Ovens and
Furnaces, which covers protective
Source: IEC 61511-1 ed. 1.0 Copyright 2003 Geneva, Switzerland. www.iec.ch systems for process fired heaters. It
Figure 2 Safety lifecycle as per ISA 84.00.01 2004 applies to heated enclosures regard-
less of heat source. NFPA 86 is a
Overheating or overfiring can cause draft pressure, flame detection, prescriptive, conservative standard
process tubes to exceed metallurgi- process stream flow, combustion written like instructions with few
cal limits and rupture. In cases air flow, tube skin temperature, options. While NFPA develops the
where tube leaks occur, resulting stack temperature, per cent oxygen standards, it does not enforce
explosions can destroy process and combustibles all pose an opera- compliance to the standard.
equipment and pose a threat to tional threat if limits are exceeded. Insurers or local authorities may, in
human life. The release of the The safety system must continu- certain cases, enforce compliance.
process stream into the surround- ously monitor for unsafe conditions IEC 61508 Functional Safety of
ings can pose an environmental and take action when necessary, Electrical/Electronic/Programmable
threat. Even minor events can making it critical to understand all Electronic Safety-related Systems,
result in extended downtime for of the possible equipment failure developed by the International
repair, impacting production. modes and the potential impact to Electrotechnical Commission (IEC),
The purpose of the fired heater both the operating unit and provides the framework and core
safety system is to prevent disas- personnel. requirements for safety-related
trous combustion of accumulated system design of hardware and
fuel and to prevent overheating Safety system design and selection software, independent of industry
and the subsequent catastrophic Every fired heater must have some sector. IEC also released the
release of the process stream. It type of safety system in place. It document IEC 61511 Functional
sounds simple enough to inhibit may be as simple as a written Safety Safety Instrumented Systems
the admission of fuel when unsafe procedure for manual intervention for the Process Industry Sector, which
conditions exist, but the determina- or it may be a fully automated defines the functional safety
tion of a safe state requires careful emergency shutdown system. The requirements established by IEC
monitoring of many conditions. In design and selection of a safety 61508 for the process industry
particular, conditions such as fuel system starts with the evaluation of sector specifically. The International
gas pressure and flow, furnace risk factors and risk tolerance. It Society of Automation (ISA)

36 PTQ Q3 2013 www.eptq.com


design specification for the process
fired heater.
Logic solver The preceding list is not an
exhaustive list of standards and
practices. There are more available,
such as FM 7605, developed by
Factory Mutual, which requires that
any programmable logic controller
(PLC) listed for use in combustion
safeguard service meets the SIS
Sensor requirements contained in IEC
61508. A European standard, EN
50156-1, covers electrical equipment
Final control element
for furnaces and invokes SIS
requirements for BMS.
There is no regulation requiring
compliance to any specific standard
or practice so it is left up to the
Figure 3 Elements of a safety instrumented system user to sort through the standards
and recommended practices, adopt
released a document very similar to design and construction of heaters the methods best suited to their
IEC 61511, ANSI/ISA 84.00.01-2004, with little focus on instrumentation, needs, and then follow through
and the two documents were the scope of RP 556 includes with those practices. While it may
merged into one standard, IEC process measurement, process seem overwhelming, the freedom
61511 - Mod. This standard is a control and protective systems. RP to select a system best suited to a
performance-based, rather than 556 defines protective actions as specific users needs provides an
prescriptive, standard that applies basic process control action, opera- opportunity for innovation and
to SIS regardless of application, tor action and SIS action, and improvement beyond minimum
with no specific functions defined. includes input devices, logic solvers safety requirements.
S84-2004, as the merged standard is and output devices as components.
more commonly known, focuses on Compliance with IEC 61511-MOD Safety instrumented systems
the safety lifecycle. Steps include is recommended for SIF. Specific A common trend in all of the stand-
identifying risks, assessing the risks recommendations for safe states ards is the use of SIS for protective
and then reducing the risk by and startup and shutdown actions. By definition, a SIS is a set
means of a SIS. Figure 2 shows the of components such as sensors,
safety lifecycle as defined by logic solvers and final control
S84-2004. The standard clearly
The design and elements arranged for the purpose
defines the steps for designing the
SIS and requires that users have a
selection of a safety of taking the process to a safe state.
Figure 3 shows the components of
good understanding of their system starts with a SIS. These are separate from all
process hazards and risks. ISA also other control systems such that, in
published a technical report, the evaluation of the event of a failure of the control
TR84.00.05 Guidance on the system, the SIS is not prevented
Identification of Safety Instrumented risk factors and risk from performing the SIF. Certified
Functions (SIF) in Burner SIS systems follow a stringent certi-
Management Systems (BMS), which tolerance fication process and are designed,
offers specific guidance on SIS used maintained, inspected and tested
as BMS. This technical report offers sequences are described. This docu- per applicable standards and
recommendations for assessing SIF ment, meant to be a recommended recommended practices. Safety
within a BMS and provides some practice, is not a prescriptive stand- rated hardware is more robust and
example safety assessments. ard and allows the sophisticated experiences fewer device failures
The American Petroleum Institute user to determine the best practice than traditional hardware. SIS offer
(API) issued the second version of for their heater, leaving room for the benefits of improved safety,
recommended practice, RP 556 improvement and innovation. RP increased system availability and
Instrumentation, Control, and 556 was updated from an earlier compliance with standards and
Protective Systems for Gas Fired release in May 1997 to reflect practices. The benefits can be
Heaters, in April 2011. RP 556 advances in safety automation and extended to operational benefits by
applies only to gas-fired heaters design procedures and implemen- taking advantage of safety systems
and excludes boilers. In contrast to tation. The revised edition that go beyond meeting minimum
RP 560 Fired Heaters for General represents current cumulative best safety requirements and can actu-
Refinery Services, which applies to practices and provides a good ally improve operational efficiency.

38 PTQ Q3 2013 www.eptq.com


Pre-purge
Shutdown in progress Purge
and ready complete
S03
Shutdown, S02 S04
not ready Ignite
pilot
S01
S05

Start-up failure Pilot only


running
S06
Trips from states 5, 6, 7, 8, 9, 10, 12

Mixed firing.
Set low fire position
S12
S07

S13 Cold start.


Set low fire
Waste gas position
only
S08
S10 S09 Ignite main
Mixed gas with pilot
Main without pilot.
Not at temperature

Figure 4 Example of a burner management sequence

Going beyond minimum safety that a safe state is initiated when startup procedure may, therefore,
requirements unsafe conditions are detected. be a lengthy process to complete.
A BMS represents a great opportu- Example interlocks include loss of When the startup procedure is a
nity to go beyond the minimum flame, loss of combustion air, high manual operation, each permissive
requirements and can simultane- or low fuel pressure, and excess must be manually verified before
ously meet safety targets and process pressure or temperature. proceeding. Let us consider a fired
provide operational benefits. By Should an interlock condition be heater with multiple burners and
definition, a BMS is a system to detected, a fully automated BMS each with the associated gas valves.
monitor and control fuel burning will initiate a safe state and, if It could take a significant amount
equipment during all startup, shut- necessary, shut off the fuel supply. of time for an operator to manually
down, operating and transient Consistent with the standards check the valve positions based on
conditions. They can range from a and recommended practices, a BMS the location of the heater and the
simple procedure that requires can be treated as a SIS and the individual valves. This also
manual verification before proceed- safety lifecycle can be followed. assumes the operator can correctly
ing or a fully automated system Minimum safety requirements can locate each valve and is careful to
that automatically detects condi- be satisfied through permissive and check them all. This manual confir-
tions and takes action. interlock conditions in the sequence mation may take a significant
A fully automated BMS uses logic and the associated SIF can be amount of time and has the poten-
sequence logic designed with a set SIL rated. Figure 4 shows an exam- tial for human error. A BMS with
of states, transitions, outputs and ple of a BMS sequence. an automated sequence for light-off
trips. The sequence is only allowed The sequential framework of a can save valuable startup time by
to proceed to the next step and take fully automated BMS provides eliminating the need for operators
action if the permissive conditions additional value beyond meeting to manually verify valve position,
for the transition are met. minimum safety requirements. One detect a flame or manually time a
Permissive conditions are designed benefit is a significant reduction in purge.
such that a safe environment is startup time. Light-off events for The automated sequence ensures
confirmed before proceeding. fired heaters may only occur once that each step is properly executed
Examples of permissive conditions every two to three years, so the and eliminates human error associ-
include fuel block valve positions, startup procedure may be unfamil- ated with possibly verifying the
flame detection, minimum process iar to operators. Due to the inherent wrong valve or condition, as the
flow, purge flow and purge timer. danger associated with light-off, sequence will check for the correct
While in any state, interlock or each step in the process must be condition at the correct time. Even
trip conditions are designed so carefully executed. A manual further, a BMS with a graphical

www.eptq.com PTQ Q3 2013 39


user interface that is easy to under-
stand and clearly indicates status
eliminates the need for operators to
understand and sort through
complex logic diagrams. A clear
first out indication should be
provided to the operator to ensure
they know exactly what is prevent-
ing a startup or what caused a trip.
This saves many hours trouble-
shooting when compared to a
manual process or PLC-based solu-
tion, where inherently dangerous
trial and error procedures must be
used to determine what condition Figure 5 Graphical user interface for BMS
is preventing startup. Instead, the
specific trip condition can be specific unit. In cases where spuri- improvement. Implementing a fully
addressed quickly. Figure 5 shows ous trips are reduced through automated BMS as a SIS for burner
an example of a graphical user integration of device diagnostics in control and monitoring can simulta-
interface for an automated BMS. the BMS, the savings are even neously meet minimum safety
Diagnostic data can also play a greater. The savings associated targets, improve system availability
role in an automated BMS. The use with automating the light-off and lower costs.
of smart devices and HART sequence to reduce the startup time
communication for system hard- and integrating device diagnostics Nikki Bishop is a Senior Application
ware fault identification and field to reduce spurious trips are signifi- Consultant at Emerson Process Management.
device failure alerts provides cant and simultaneously ensure a With over 12 years in the process control
continuous monitoring of sensors, safer facility. industry, her experience includes automation
logic solvers and final elements so projects in industrial energy, pharmaceuticals,
that faults can be diagnosed early. Conclusion power generation, pulp and paper, and refining.
This diagnostic data can be inte- Safety systems are required to She holds a BSChE degree from Georgia Tech
grated with the BMS so that its protect personnel and environment, and is a registered professional engineer in the
overall integrity can be maintained, but can go beyond meeting the state of Georgia.
David Sheppard is Engineering Manager with
reducing spurious trips that signifi- minimum requirements and provide
the Midwest Engineering Center for Emerson
cantly reduce operations and financial benefits as well. The appli-
Process Management. He has served as Lead
maintenance cost. cable standards and recommended SIS Engineer for multiple burner management
Table 1 shows an example of a practices provide guidance for system and refinery safety systems projects,
cost savings calculation associated safety system design and selection including complex multi-burner, multi-fuel
with a two-hour reduction in criteria, and also provide an oppor- burners and has been a Certified Functional
startup time for a typical 200 000 tunity for innovation and Safety Expert (CFSE) since 2007.
b/d refinery with typical down-
stream processing capacities. The
savings calculated are for a single Sample cost savings for a fully automated BMS to reduce startup time
light-off event. For example, a
two-hour reduction in startup time Unit Heater Margin $/bbl Two-hour value Unit total
for a single heater in a hydroc- Crude distillation Crude heater $2 $33 334
racker unit equates to savings of Preflash heater $2 $33 334 $66 668
$100 000 and $300 000 if you Vacuum distillation Vacuum heater $1 $16 666 $16 666
FCC Feed heater $6 $100 000 $100 000
consider all three heaters in the Alkylation lsostripper reboiler
unit. In the case of the reforming Heater $4 $66 666 $66 668
unit, where margins are even Hydrotreating Reactor feed heater $1 $8334
higher, the savings equate to over Stripper reboiler heater $1 $8334 $16 668
Reforming Reactor feed heaters $8 $133 334
$250 000. A typical refinery may Stabiliser reboiler heater $8 $133 334 $266 668
have three or more hydrotreating Hydrogen plant PSA Reformer reactor furnace $8 $133 334 $133 334
units, and thus the $17 000 esti- Hydrocracking Feed heater $6 $100 000
mated savings would apply to each Fractionator heater $6 $100 000
Stabiliser reboiler heater $6 $100 000 $300 000
unit, such as hydrotreating units Coking/thermal cracking Feed heater $8 $133 334 $133 334
for naphtha, diesel, heavy oil and
possibly jet fuel. The total annual Example savings calculation associated with two-hour reduction in unit startup time for a 200 000 bpd refinery
savings will depend on the number with typical downstream processing capacities.

of light-off events for each heater


and the margin associated with the Table 1

www.eptq.com PTQ Q3 2013 41