Available online at www.sciencedirect.

com
Available online at www.sciencedirect.com
ScienceDirect
ScienceDirect
Energy
Available
Available Procedia
online
online 00 (2017) 000–000
atatwww.sciencedirect.com
www.sciencedirect.com
Energy Procedia 00 (2017) 000–000
www.elsevier.com/locate/procedia
ScienceDirect
ScienceDirect
www.elsevier.com/locate/procedia

EnergyProcedia
Energy Procedia00
120 (2017)
(2017) 2–19
000–000
www.elsevier.com/locate/procedia
INFUB - 11th European Conference on Industrial Furnaces and Boilers, INFUB-11
INFUB - 11th European Conference on Industrial Furnaces and Boilers, INFUB-11
Fired equipment safety in the oil & gas industry
Fired equipment safety in the oil & gas industry
The 15th International Symposium on District Heating and Cooling
A review of changes in practices over the last 50 years
A review of changes in practices over the last 50 years
Assessing the feasibility of using
Jacques Duguéthe*
heat demand-outdoor
Jacques Dugué *
temperature function for a long-term
TOTAL Refining & Chemicals,district
France
TOTAL Refining & Chemicals, France
heat demand forecast
I. Andrića,b,c*, A. Pinaa, P. Ferrãoa, J. Fournierb., B. Lacarrièrec, O. Le Correc
a
AbstractIN+ Center for Innovation, Technology and Policy Research - Instituto Superior Técnico, Av. Rovisco Pais 1, 1049-001 Lisbon, Portugal
b
Abstract Veolia Recherche & Innovation, 291 Avenue Dreyfous Daniel, 78520 Limay, France
c
Département Systèmes Énergétiques et Environnement - IMT Atlantique, 4 rue Alfred Kastler, 44300 Nantes, France
This paper reviews how the requirements of safety, availability, energy efficiency and environmental compliance have
This paper
influenced reviews
the design andhow the requirements
operation of fired equipment of safety,overavailability, energy
the last 50 years. efficiency
It presents theand environmental
various compliance
norms and standards have
relevant
influenced
to the classes the ofdesign
firedand operation
equipment usedof fired
in theequipment
Oil & Gasover the lastand
industry 50 highlights
years. It presents the various
the differences normsprescriptive
between and standards relevant
norms and
to the classesbased
performance
Abstract of fired equipment
standards. Theusedmaininhazards
the Oiland & Gas
common industry andofhighlights
causes accidentsthe of differences
process heaters,between prescriptive
petrochemical norms and
furnaces and
performance based standards.
boilers are described. Finally,The thismain
paperhazards
reviews andthecommon
evolution causes
of theof accidents of process
risk mitigations and heaters, petrochemical
design best furnaces
practices over the and
last
boilers
Districtare
decades. described.
Itheating
discusses inFinally,
networks are this
particular thepaper
commonly reviews
particular addressed the in
challenges evolution
the of the as
literature
of improving risk
the onemitigations
of the
safety mostandeffective
performance design best practices
solutions
of existing over the last
for decreasing
equipment. the
greenhouse
decades.
BeforeIt the gas
discusses emissions
first oil from
in particular
crisis the building
of 1973, particular
the price sector. Theseofsystems
challenges
of refinery improving
fuels wasrequire
the high
lowinvestments
safety
very and it waswhich
performance of are returned
existing
common through
equipment.
practice the heat
to run heaters
sales.
BeforeDuethe
inefficiently tofirst
with thehighchanged
oil crisis climate
excess air (e.g. conditions
of 1973, 5 the % O2and
to 8price building
ofinrefinery
the renovation
flue fuels
gas) washigh
and verypolicies,
lowtoand
draft heat demand
it was
reduce the common in thepractice
probability future could
to run decrease,
heaters
of sub-stoichiometric
prolonging
inefficiently the investment
withpositive
high excess return period.
air (e.g. 5 tocombustion
8 % O2 in the flue gas) and the
highsafety
draft to reducewastheprovided
probability
combustion and pressure in the chamber. Since margin byofoperating
sub-stoichiometric
with high
The main scope
combustion and of this paper
positive is to in
pressure assess the feasibility
the combustion of using Since
chamber. the heatthedemand
safety – outdoor
margin temperature
was provided function for heat
withdemand
excess air and high draft, control improvements were considered unnecessary. Fired equipment safety wasbyessentially
operating high
distributed
forecast. The district of Alvalade, located in Lisbon (Portugal), was used as a case study. The district is consisted of 665
excess
between airoperator
and highresponsedraft, control
to improvements
alarms (e.g. process were
upsetconsidered
conditions), unnecessary.
instrumented Fired equipment
protective safety was
functions essentiallyindistributed
programmed the safety
buildings that vary in both construction period and typology. Three weather scenarios (low, medium, high) and three district
between
instrumented operator
system response
and to alarms
solutions such(e.g.as process
explosion upset
doors conditions),
and snuffing instrumented
steam protective
to mitigate the functions
consequence programmed
of demand in the safety
explosions.
renovation scenarios were developed (shallow, intermediate, deep). To estimate the error, obtained heat values were
instrumented
In the last system
25 years,and solutions
the drive forsuch
safer as explosion
operation doors
with and
higher snuffing
energy steam to
efficiency,
compared with results from a dynamic heat demand model, previously developed and validated by the authors. mitigate
lower the
NOx consequence
emissions of
and explosions.
fewer nuisance trips
has In
ledthe last
operating 25 years, the
companies drive
to for
adapt safer
their operation
approach with
to higher
fired energy
equipment efficiency,
safety. The lower
modern
The results showed that when only weather change is considered, the margin of error could be acceptable for some applications NOx emissions
approach to and
fired fewer nuisance
equipment trips
safety is
has
to(thelederror
operating
distribute inthe companies
risk
annual across towas
adapt
demandindependent theirthan
lower approach
protection
20% forto fired
layers. equipment
These
all weather safety safety. Therely
barriers
scenarios modern
considered). approach
on aHowever, to
comprehensive fired
after equipment
control
introducing safety
system with
renovationis
to distributeand
scenarios,
constraints theerror
the arisk across
value
safety independent
increased
instrumented toprotection
upsystem, 59.5% layers.
but(depending
also on These safety
on the
operational barriers
weather and rely
excellence onwell-trained
renovation
with a comprehensive control
scenariosoperators,
combination
good system with
considered).
operating
constraints
The value and
procedures and areliability-centered
of slope safety instrumented
coefficient increased system,
maintenance butand
on averagealso on operational
within
risk-based rangeexcellence
theinspection. As anupwith
of 3.8% to 8%well-trained
important perbenefit,operators,
decade, good
that corresponds
constraint operating
controls to
withthe
decrease in
procedures
automated and
fuelthe numberhave of heating
reliability-centered
cutbacks hours
provenmaintenance
effective of 22-139h duringnuisance
and risk-based
at minimizing the inspection.
heating
tripsseason
by As (depending
an
keeping important
the heateronbenefit,
the combination
within constraint of
operational weatherwith
controls
limits. and
renovationfuel
automated scenarios
cutbacksconsidered).
have provenOn the other
effective hand, function
at minimizing intercept
nuisance tripsincreased
by keeping forthe7.8-12.7% per decade
heater within (depending
operational limits. on the
coupled scenarios). The values
© 2017 The Authors. Published by Elsevier Ltd. suggested could be used to modify the function parameters for the scenarios considered, and
©improve
2017 The theAuthors.
accuracy Published
of heat by Elsevier
demand Ltd.
estimations.
© 2017
Peer-reviewThe Authors. Published by Elsevier Ltd.
Peer-review under under responsibility
responsibility of of the
the organizing
organizing committee
committee of of INFUB-11.
INFUB-11
Peer-review under responsibility of the organizing committee of INFUB-11.
© 2017 The Authors. Published by Elsevier
Keywords: Fired equipment safety, risk analysis, HAZOP, LOPA Ltd.
Peer-review
Keywords: Firedunder
equipmentresponsibility
safety, riskofanalysis,
the Scientific
HAZOP,Committee
LOPA of The 15th International Symposium on District Heating and
Cooling.

Keywords: Heat demand; Forecast; Climate change

* E-mail address: jacques.dugue@total.com
* E-mail address: jacques.dugue@total.com
1876-6102 © 2017 The Authors. Published by Elsevier Ltd.
1876-6102 ©under
Peer-review 2017responsibility
The Authors. of
Published by Elsevier
the organizing Ltd. of INFUB-11.
committee
Peer-review
1876-6102 under responsibility
© 2017 The Authors.ofPublished
the organizing committee
by Elsevier Ltd. of INFUB-11.
Peer-review under responsibility of the Scientific Committee of The 15th International Symposium on District Heating and Cooling.
1876-6102 © 2017 The Authors. Published by Elsevier Ltd.
Peer-review under responsibility of the organizing committee of INFUB-11
10.1016/j.egypro.2017.07.151
 Jacques Dugué / Energy Procedia 120 (2017) 2–19 3
2 Jacques Dugué/ Energy Procedia 00 (2017) 000–000

1. Introduction

The spectacular accidents that accompanied the industrial revolution caused many governments and industry
representatives to take action to minimize loss of life and to protect the environment. Process Safety emerged as a
key engineering field with techniques to assess process hazards, initiating event frequencies, consequence severity
levels and safeguards to achieve an acceptable level of risk reduction. Since the turn of the 20th century, each decade
brought continuous improvements in terms of regulations and techniques as well as a reduction in the public
perception of acceptable risk. What-ifs, checklist, HAZOP, Fault- and Event-Tree analyses were some of the
essential techniques developed in the early 1960s [Lees, 2012]. Their use as safety systems and reliability techniques
quickly gained widespread interest and represent some of the commonly used process safety techniques used today.
The late 1990s saw the development of the layer of protection analysis (LOPA) method [Bridges, 2014]. The first
international standards were published soon after [EN 746-2, 1996; ISA S84.01, 1996; IEC 61508, 1998 and IEC
61511, 2003], setting new industry practices and standards for the design of safety instrumented systems (SIS) in the
process industries.
This paper reviews how the design and operation of fired equipment has evolved over the last 50 years to address
growing requirements on safety, availability, energy efficiency and environmental performance at a reasonable cost.
Process heaters, furnaces and boilers built in the 1950s and 1960s were considered modern designs and represented a
significant progress compared to inefficient designs seen before 1940. Many of the heaters, furnaces and boilers built
before the first oil crisis of 1973 are still in operation today. During the period from 1950 to 1975, the energy
consumption of fired equipment was mostly ignored because refinery fuel oil and fuel gas were a byproduct of
refining operations and had no commercial value. This period was characterized by manual mode operation, limited
automation and protective functions and a preference for operator initiated emergency shutdown (ESD). As operator
procedures were in their infancy, operator experience was the prime protection from the risk of explosion at startup.
The risk of sub-stoichiometric firing and subsequent explosion was mitigated by operating with high excess air and
high draft. In this period of limited instrumentation and controls, the frequency of combustion upsets and emergency
shutdowns was fairly high.
The codes, standards and safety requirements introduced since the late 1990s have brought greater emphasis on
safety and increased compliance with codes and practices on all new projects. These requirements, combined with
industry objectives to achieve not only a high level of safety but also a high level of availability, energy efficiency
and environmental performance have led to changes in fired equipment design and operation. A specific objective of
this paper is to address the specific challenge of achieving today’s safety and availability requirements on the fired
equipment built before 1975.
Based on the author’s experience, the fired equipment referred to in this paper includes mostly refinery process
heaters, petrochemical cracking furnaces, steam-methane reformers and industrial boilers. However, some analogy
may be inferred for other combustion equipment such as the furnaces, ovens and kilns used in the glass, mineral and
iron & steel industries. In the terminology of this paper, fired heaters refer to process heaters used to heat a
hydrocarbon feed in coils. Furnaces refer mostly to petrochemical cracking furnaces used for ethylene production
and steam methane reformer (SMR) furnaces used for syngas production.

Nomenclature
API American Petroleum Institute
DCS Distributed Control System
ESD Emergency Shutdown
HAZOP Hazard and Operability
LEL Lower Explosive Limit
LOPA Layer of Protection Analysis
SIL Safety Integrity Level
SIS Safety Instrumented Systems
SCR Selective Catalytic Reduction
SMR Steam Methane Reformer
 Jacques Dugué/ Energy Procedia 00 (2017) 000–000 3

4 Jacques Dugué / Energy Procedia 120 (2017) 2–19

2. Regulations, codes and standards

Codes, standards and norms on various types of fired equipment have been developed over the last decades by
several organizations, national and international bodies [refs 1-9, 10-13, 17]. These documents address all key
aspects of system design, construction, operation, maintenance and personnel training. Countries or jurisdictions
may require owner/operators to follow prescribed norms, codes or standards. In absence of jurisdictional
requirements for particular equipment, owner/operators apply the appropriate good engineering practices recognized
in the Industry and use a risk analysis to verify that the risks are mitigated to a safe level.

2.1. Prescriptive standards

Standards can be distinguished between prescriptive and performance based categories. Prescriptive standards
specify “what” interlocks or safeguards should be implemented based upon lessons learned from previous incidents
and near misses. However, they do not describe “how” to properly implement the prescriptive based interlocks. The
requirements from prescriptive standards are often general and not always applicable to the wide diversity of
refinery heaters, petrochemical furnaces and boilers. The main prescriptive standards pertaining to fired equipment
used in the Oil & Gas Industry are presented below.
NFPA 85 applies to gas, liquid and solid fuel fired boilers with a heat release exceeding 3.7 MW. This code
addresses combustion systems hazards, design, installation, operation and maintenance procedures and training. It
covers in particular combustion and draft control equipment, safety interlocks, alarms, trips and other related
controls that are essential to safe operation. Since its 2011 edition, NFPA 85 clarifies that its scope exclude process
heaters used in chemical and petroleum manufacture in which steam generation is incidental to the operation of a
processing system.
NFPA 86 applies to thermal oxidizers, incinerators and a number of applications such as (bakery) ovens, dryers
and specialty furnaces. It specifically states that it does not apply to process heaters used in the chemical and
petroleum industry and designed in accordance with API 560 and API 556.
NFPA 87 applies to thermal and process fluid Heaters. It also does not apply to process heaters used in the
chemical and petroleum industry and designed in accordance with API 560 and API 556.
EN 746-2 specifies the safety requirements for industrial furnaces and industrial heating equipment. It details the
hazards associated with the use of industrial thermal equipment and specifies the safety measures required for
compliance with essential requirements of relevant European Directives. EN 746-2 covers a broad range of fired
equipment from process industries such as cement, lime and ceramic, iron and steel, glass, waste incineration,
drying, refining, chemical and petrochemical. As EN 746-2 covers very different types of fired equipment, the
application of its generic requirements on some equipment types may be impossible, impractical or may not justify
the costs. As an example, the EN 746-2 standard ignores that many refinery heaters and petrochemical furnaces rely
on natural draft to draw air into burners and therefore do not measure the total combustion air flow.
ISO 13577-2 was published in 2014 and applies to fired equipment from the same process industries as EN 746-
2. As an ISO standard, it applies worldwide, although its annexes have distinct requirements for Europe, the USA
and Japan. ISO 13577-2 specifies requirements to ensure the safety of people and property during commissioning,
start-up, operation, shutdown, maintenance periods and dismantling, as well as in the event of possible malfunctions.
CSA B149.3 specifies requirements for fuel-related components and their assembly on appliances in Canada. It
applies to process ovens, bakery ovens, process furnaces and furnaces used for material processing.
AS 3814 is the code that provides minimum requirements for the safe operation of gas fired industrial and
commercial appliances in Australia. Of all codes and standards pertaining to industrial fired equipment, this standard
is considered the most onerous to comply with because of its complexity.
4 Jacques Dugué/ Energy Procedia 00 (2017) 000–000

Jacques Dugué / Energy Procedia 120 (2017) 2–19 5

2.2. Performance based standards

Performance based standards provide performance criteria for achieving design objectives, as opposed to
prescriptive standards which prescribe compliance criteria without stating the design objectives. Performance based
standards provide different options to mitigate a hazard. Performance based standards are usually specific to
categories for fired equipment.
Advocates of performance based standards point to multiple layers of protections that can be used to demonstrate
compliance with the design objectives. The layers of protection to mitigate a hazardous situation may include
operator response to alarm, provided that the operator has sufficient response time. The operator response time is
typically assumed to be at least 10 min for panel operators and 20 min for field operators. When the hazard
scenarios develop faster than the operator can respond, automatic constraint controls should be considered to keep
the fired equipment within operational limits. Operator response to alarms and automatic overrides in the control
system are frequently omitted in prescriptive standards which are primarily dedicated to defining trip conditions. As
was widely agreed in the IFRF TOTeM 43 conference on fired equipment safety [39], tripping a heater is neither the
only nor the preferred corrective action to keep fired equipment safe. This conference highlighted that constraint
controls are an important best practice to keep the heather within operational limits and help minimize nuisance
trips.
The main performance based standards pertaining to fired equipment used in the Oil & Gas Industry are
presented below.
API 556 addresses instrumentation, control and protective systems for gas fired heaters used in the refining
industry. As it is specific to refinery process heaters, it is widely used by the refining industry, although local
jurisdictions may also bring additional requirements. API 556 was written by specialists covering the fields of fired
equipment, instrumentation, control and protective functions. It integrates the operating experience and incident
history of major refiners to reduce the overall risk exposure to equipment and personnel. For each hazard scenario,
API 556 provides recommendations on design, control system constraints/overrides, operator response to alarms and
protective functions to ensure satisfactory mitigation of the process hazard. With the exception of a few prescriptive
“shalls”, the user may choose between solutions of different levels of sophistication and cost which all mitigate the
hazards but provide different availability levels. API 556 is a performance based standard that can be used by
competent practitioners to achieve a high safety level and the desired optimum between availability, reliability and
cost.
API 538 applies to industrial boilers in general refinery and petrochemical service. It was written by
manufacturers and users of industrial boilers to supplement rather than duplicate the requirements of NFPA 85.
API 538 specifies requirements and gives recommendations for design, operation, maintenance, and troubleshooting
of industrial boilers. It covers waterside control, combustion control, burner management systems (BMS), feedwater
preparation, steam purity, emissions, etc.
The CGA H-10 and H-11 publications from the Compressed Gas Association apply to steam reformers with
capacities of 10 000 Nm3/hr or more. The H-10 publication covers operation, maintenance, and certain design
aspects of steam reformers relative to the potential safety hazards of the combustion process inherent to these units.
Emphasis is placed on operational guidance and safeguards such as furnace control philosophies, safety interlocks
and inspection routines. The H-11 publication covers operational safety of steam reformer startup and shutdown.
Emphasis is placed on operational guidance and safeguards against the hazards associated with the transition and
infrequent nature of startups and shutdowns.

2.3. Pros and cons of prescriptive and performance based standards

Whatever the standard, code or norm required by the authority having jurisdiction, the diversity in the design or
operational modes of fired heaters and furnaces requires each equipment to be independently evaluated to ensure
that each hazard scenario is effectively mitigated. As stated in NFPA 85, designers of safety systems should be
6 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué/ Energy Procedia 00 (2017) 000–000 5

completely familiar with the features and weaknesses of the specific hardware and should possess a thorough
understanding of the safety code and its intent. Designers should carefully consider all the possible failure modes
and the effect that each might have on personnel safety and equipment integrity. Thus, codes and standards should
not be used as design handbooks and cannot replace sound engineering judgment and experience. Codes and
standards specifically do not discuss how to achieve even heat distribution, good flames, operating procedure and
how to avoid tube failures and nuisance trips.
There are on-going debates on the respective merits of prescriptive and performance based standards. Some
authorities argue that prescriptive checklists reduce risk exposure more effectively by reducing the potential for
inconsistent application by lesser experienced practitioners. However, incident history does not support this as a
definitive conclusion. In practice, the probability of success appears to be strongly dependent upon the skill set of
the practitioners.
The API standards pertaining to fired equipment usually assume permanent supervision from a control room and
continuous availability of outside operators of fired equipment on the fenced plant. On the other hand, NFPA, EN
and ISO standards have usually been written as to apply to unsupervised industrial or commercial fired equipment,
for example, remotely operated steam boilers and bakery furnaces. It is therefore logical that standards written for
unsupervised equipment require a higher level of instrumentation, controls and automatic safety functions. The
corollary is that there is little logic in imposing the same requirements on a fired equipment with controlled access
within a refinery or chemical plant as on a heating appliance in high occupancy spaces such as the basement of a
school or hospital.

3. Identification of fired equipment hazards

3.1. Fired equipment hazards

The main hazards associated to fired equipment operation involve principally explosions and tube ruptures.
Explosions occur mainly during the pilot and burner ignition sequence or as a result of flame blow off. Explosions
generally take place in the combustion chamber or convection section and can cause a collapse of the furnace floor,
firebox or convection section walls. Tube rupture is usually caused by loss of feed or overheating. Heaters may also
be a source of ignition for the flammable gases escaping from other parts of the plant.
There are two distinct limit behaviors for explosions in enclosures. If the chamber has a length/diameter aspect
ratio not too different from one, and if the inside of the firebox is not cluttered by partition walls or other equipment,
the explosion will generate a deflagration, i.e. an explosion characterized by a relatively slow pressure rise. While
these explosions can cause extensive damage, the blast wave that they produce is generally weak.
The other limit behavior occurs in enclosures which have a large length/diameter ratio or contain many internal
partitions. Such is the case for the convection section of tubular process heaters. Analysis of furnace explosions
shows that the presence of tube banks in the convection section may generate turbulence and recirculation behind
tubes, which results in a rapid increase in flame area and a faster pressure rise that may reach several bar. These
phenomena may lead to gas phase detonation and complete destruction of the convection section. There are ample
examples of detonation in heater convection sections in the oil & gas industry. These explosions usually produce
strong blast waves and high velocity fragments, and can cause more damage to the surroundings than overpressure
explosions.
Investigations on heater explosions have shown explosion induced overpressures up to 400 mbar. Investigations
have shown that most combustion chambers fail at pressure wave above 200 mbar. Fig. 1 shows a heater with a
collapsed floor. Fig. 2 shows a damaged convection section.
 Jacques Dugué / Energy Procedia 120 (2017) 2–19 7
6 Jacques Dugué/ Energy Procedia 00 (2017) 000–000

Fig.1 : Collapsed heater floor

Fig.2 : Burst convection section

8 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué/ Energy Procedia 00 (2017) 000–000 7

3.2. Feedback from industry accidents

The literature on fired equipment hazard and fired equipment accidents can be found in textbooks [Lees, 2012;
Baker, 2012], in open literature [Ostroot, 1972 and 1976; Sparrow, 1986; Davis, 1987; WHSCC, 1999] and in
restricted communications from the Center for Chemical Process Safety (CCPS) and from the API Operating
Symposium. A review of the available literature over the last five decades showed that fired equipment light-off
sequences account for about 70% of the explosions and about 90% of the casualties. The common causes of heater
and boiler explosions are summarized below:

• Inadequate purge during start-up sequence, mostly because of leaking, damaged or obstructed single safety
shutoff valves. A partial list of accident causes include the following:
o Insufficient purge flow rate
o Insufficient purge time

• Inadequate or improperly followed start-up procedure. A partial list of accident causes include the following:
o Repeated attempts to light pilot without intermediate purging
o Burner ignition attempt with excessive gas flow or for a too long trial-for-ignition period, allowing fuel to
reach the explosive limit
o Insufficient time between successive ignition attempts, allowing fuel to accumulate in the combustion
chamber and reach the explosion limit
o Safety shutoff valves bypassed

• Delayed ignition at start-up, with gas not ignited as soon as it enters the furnace but instead collected in an
unburned cloud before being ignition. A partial list of accident causes include the following:
o Improper use of hand torch
o Pilot too small, improperly positioned or unreliable
o Poor mechanical condition of the pilot or burner
o Improper fuel flow control at low load

• Improper fuel-air ratio, causing the burners to flame out. A partial list of accident causes include the following:
o Erroneous operation of air registers, leading to operate some burners with only part of the required
combustion air
o Failure of the control system allowing the overall air/fuel mixture to become sub-stoichiometric
o Excessive draft causing a high level of tramp air ingress and operation of burners with a sub-stoichiometric
air/fuel ratio
o Unstable fuel supply due to changes in the fuel gas composition

• Presence of liquid condensates or inerts in the fuel gas system, caused by flaws in the fuel gas network design.

• Tube failure, causing a large and sudden release of hydrocarbon in the combustion chamber. A partial list of
accident causes include the following:
o Overfiring the tubes above their metallurgical limit
o Operation with significant tramp air, leading to flame impingement on tubes and hot spots.
o Uneven distribution of heat release, leading to flame impingement on tubes and local hot spots

• Insufficient maintenance of the equipment, causing difficulties to ignite the pilots or burners. A partial list of
accident causes include the following:
o Fouling of the fuel gas supply to the pilots or burners
o Damage to the pilots, pilot igniters or burners
o Damage to the stack damper or fan dampers
 Jacques Dugué / Energy Procedia 120 (2017) 2–19 9
8 Jacques Dugué/ Energy Procedia 00 (2017) 000–000

The main learnings from this accident review are summarized below:

• Single safety shutoff valves, as seen in the past in gas lines, do not provide adequate protection against leakage
of gas into the furnace. Double block valves in gas lines reduce the chance of leakage to a very low probability.
Gas pilot or other electric igniters must be reliable. Their heat or energy release should not be too small
compared to the heat release and dimensions of the burners to be ignited. They need to be adequately
maintained.

• The fired equipment startup procedure should clearly define:

o the maximum time for introducing fuel through a pilot or burner without a confirmed stable flame
o the minimum time interval between ignition attempts of pilots and burners
o the air flow during the ignition sequence
o the prescribed (maximum) fuel flow during pilot and burner ignition attempts
o the maximum of pilot and burner ignition attempts before repeating a full purge

• The burners must be operated within their design operating range. Automatic safeguards must be provided as
defined by codes and standards and risk analysis. Sufficient excess air must be available at all times. On all
combustion system operating with a slight underpressure and potentially exposed to tramp air, means should be
provided to maintain draft within a range that cannot cause burners to become starved of air.

• The fuel supply system should be designed to provide adequate fuel control at turndown for the ignition of the
first burners. Typical solutions include using a control valve with high range or a small bypass around the main
regulator for handling low flow.

• The use of hand torches for lighting main burners is a practice from the past that should be eliminated as much
as possible. Where not feasible, as in process furnaces with a very large number of burners, a standard
procedure should be developed for each furnace.

• Adequate filtering should be installed upstream of all safety shutoff valves to prevent debris and particulates
from obstructing and fouling valve seats and burner orifices. The installation of coalescer filters on fuel gas
lines has proven successful to improve equipment reliability as it significantly reduces the rate of fouling of the
safety valves, control valves, flowmeter and burner fuel gas injectors.

• Specific issues pertaining to oil firing include the need to ensure good atomization. Inadequate atomization can
be caused by plugged burners, improper heating of heavy oil and excessive viscosity, insufficient atomizing
steam pressure, low oil pressure, poor burner design and excessive burner turndown. Depending on
circumstances, oil dripping from oil atomizers can vaporize and explode or can cause a fire inside the burner or
combustion air ducting.

• The fired equipment instrumentation and analyzers (oxygen, CO) must be carefully selected, installed and
maintained in order to provide useful alarms and safeguards. The minimum excess air target should take into
account the accuracy, reliability and response time of the oxygen and/or CO analyzers and the ability to
adequately control the excess air.

• The maintenance of the fired equipment (heater, furnace or boiler), burner, pilots, instrumentation and
analyzers is an essential requirement for safe operation. A formal, preventive maintenance program should be
defined and carried out on a regularly schedule.

• A risk analysis must be done to ensure that sufficient risk reduction is achieved on every fired equipment.

• Good operator training and comprehensive, written procedures are essential.

10 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué/ Energy Procedia 00 (2017) 000–000 9

4. Changes in risk mitigation methods in the last decades

4.1. Design and operation practices prior to 1975

A large fraction of the fired heaters, furnaces and boilers operated in the Oil & Gas industry today were built
before 1975 with different technical constraints, performance standards and operation methods. It is useful to point
the salient characteristics of older fired equipments as they bring specific challenges to the current objectives of high
level of safety, availability, energy efficiency and low NOx emissions.
Fired equipments designed before 1975 were characterized by simple, limited instrumentation, limited controls
and basic emergency shutdown (ESD). As written operator procedures were in their infancy, operator experience
was the prime protection from the risk of explosion at startup. The risk of sub-stoichiometric firing and subsequent
explosion was mitigated by operating with high excess air and high draft. In this period of limited instrumentation
and controls, the frequency of combustion upsets and emergency shutdowns was fairly high.
Heaters and furnaces designed before 1975 were in their vast majority equipped with conventional natural draft
burners. The conventional burners had the advantaged of wide stability limit and could maintain a stable flame from
a significant sub-stoichiometric range and up to operation with an air flow several times higher than required for
stoichiometric operation.

Fig. 3: Firebox purging with atomization steam [American, 1963]

Most of the heaters relied on natural draft to draw air into the burners. Draft was not controlled but checked
during operator rounds and adjusted by means of cables connected to the stack damper. As a result, variations in
draft and in excess air were significant. Purging of the combustion chamber was carried out either with the snuffing
steam line or with the atomization steam from the oil burners [American, 1963].
Boilers were often better equipped and featured online oxygen analyzers, air/fuel ratio control and flame
scanners, although the reliability of these devices was variable.
 Jacques Dugué / Energy Procedia 120 (2017) 2–19 11
10 Jacques Dugué/ Energy Procedia 00 (2017) 000–000

As a byproduct of refinery processes, residual fuel oil had a very high viscosity, a high sulfur content and
variable properties that made it unsuitable for sale. Because the liquid and gaseous fuels used in refineries and
petrochemical plants had essentially no commercial value, there was little incentive to optimize energy efficiency.
Residual fuel oil was used in combination with fuel gas on a majority of fired heaters and boilers. Because of the
regular needs to stop burners for oil atomizer cleaning, it was often difficult to keep a homogenous firing rate and
excess air on all burners.

4.1.1. Fired equipment instrumentation, controls and emergency shutdowns

Air/fuel control by air and fuel metering or oxygen trimming was essentially nonexistent, except on some boilers.
Online oxygen analyzers were rare on fired heaters and furnaces, and excess air was occasionally checked after
analyzing flue gas samples with the Orsat method. It was therefore common practice to run heaters with very high
excess air (e.g. 5 to 8 % O2 in the flue gas) to reduce the probability of sub-stoichiometric combustion. Since the
safety margin was provided by high excess air operation, control improvements were considered unnecessary. For
natural draft heaters, stack dampers were typically operated manually and flue gas analyzers were used for alarm
indication only. Uncompensated volume fuel flow measurements prevailed (e.g. orifice plates).
Most heaters were operated on temperature control from the outlet process temperature to a control valve in the
main gas line, with a single shut-off valve upstream on the control valve. This shut-off valve was either automatic
with the plant ESD or operated manually with an operator action, with each company having various additions to
this basic concept. Because of the more primitive and less reliable combustion controls and safeguards of the time,
the automatic and manual (operator triggered) shutdowns were fairly frequent.
The limited instrumentation and controls, and frequent lack of written procedures were compensated to some
extend by the strong presence of “fire men”, experienced field operators dedicated to heater and boiler operation.
Operator training at the time was based for a large part on peer companionship with senior operators.

4.1.2. Explosion doors

Explosion doors were built for the purpose of relieving the pressure wave induced by explosions. Evidence of hot
gases or flames exiting the explosion doors was also used to alert operators and get them to troubleshoot the heater.
Explosion doors were widely used on heaters and furnaces built before 1975.

4.1.3. Snuffing steam

Snuffing steam used to be widely implemented in the past and was used as a response to tube ruptures and to
purge natural draft heaters. Snuffing steam was sometimes used after shutting off the burners to dilute a potentially
flammable mixture forming from leaking fuel gas valves. As a side benefit, snuffing steam was used to purge natural
draft heaters.

4.2. Developments in design and operating practice in the last 30 years

The approach to fired heaters design, operation and safety has significantly evolved over the last three to four
decades under the influence of a number of factors presented below.

4.2.1. Environmental legislation on NOx and SOx emissions and energy efficiency
Environmental legislation on NOx and SOx emissions started to be implemented in the early 1980s. The high
sulfur content and a high fuel bound nitrogen content of residual fuel oils were responsible for high SOx and NOx
emissions. This caused fuel oil to be gradually ruled out from refineries and petrochemical plants, first in North
America and more recently in Europe.
Most of the original conventional burners of the 1960s and 1970s were eventually replaced by ultra low NOx
burners firing only fuel gas. The first generations of low NOx burners were much less stable than the early
conventional raw gas or premix burners that they replaced. Some of them were susceptible to flame out at startup or
in operation with a modest level of sub-stoichiometric firing. The development of more stringent NOx legislation
made flame instability an issue which further increased the focus on protective measures. In some regions such as
12 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué/ Energy Procedia 00 (2017) 000–000 11

California, the legislation requires NOx emissions so low that they cannot be met only with ultra low NOx burners,
thus imposing installation of Selective Catalytic Reduction (SCR) systems downstream of the combustion chamber.
The demise of fuel oil led the refineries and petrochemical sites to import natural gas and to begin efforts to
improve fuel efficiency in order to minimize the natural import costs. The new objective of improving energy
efficiency had major impacts on fired equipment operations. Instrumentation and controls were added or improved
in order to operate at low excess air. The implementation of low excess firing on old pre 1975 heaters proved to be
challenging. Owner/operators faced a long learning curve to develop effective instrumentation and controls that
would allow safe operation at low excess air.

4.2.2. Emergence of norms and standards

Norms and standards were developed in the mid 1990s as a response to the increased risks associated to operation
with low NOx burners at lower excess air. The first edition of the performance based API 556 standard was
published in 1997, offering the refining industry a detailed description of the various hazards related to process
heaters and steam generators. It also addressed instrumentation, control systems, alarm and shutdown systems to
mitigate risks while still avoiding emergency shutdowns when possible. In the same year, the prescriptive EN 746-2
norm was introduced in Europe and required designing fired equipment with more automatic safeguards and with a
highly automated burner management system (BMS). One of the main new requirements of EN 746-2 is the
automatic and permanent supervision of burner flames with flame scanners and an automatic shutdown of the burner
within 3 to 5 seconds following loss of flame detection. Prescriptive standards only focus on safety and leave it to
owner/operators to define the level of equipment availability that they wish to achieve. Thus, new refinery fired
heaters designed to achieve compliance with EN 746-2 and a high level of availability (e.g. a low frequency of
nuisance trips) need to have every burner equipped with a flame scanner and an automatic shutoff valve. It can be
emphasized that the successful implementation of prescriptive norms or performance based standards is strongly
dependent upon the skill set of the practitioners.
Important discussions took place in the early years that followed the introduction of API 556 standard and EN
746-2 norm regarding the potential safety benefit of using permanent pilots. An early claim was that a permanent
pilot could guarantee of main burner flame re-ignition in all operating conditions. Discussion with burner and pilot
manufacturers and between operating companies showed that pilots can only be expected to light burners in
controlled start-up conditions with prescribed draft and air flow. Thus, more recent versions of API standards have
clarified that main flame stability cannot be expected to be guaranteed by presence of a permanent pilot. The
corollary is that loss of pilot is not a justification to trip a heater as it is not a valid safety barrier in the first place.
Thus, when flame scanners are not available on burners, pilot flame rods should not be used to infer proof or
absence of main flame. Where installed, this erroneous protection philosophy has significantly contributed to
nuisance trips on gas fired heaters. With the updated clarifications in the third edition of API 535, many
owner/operators have removed this trip logic from their BMS systems.
As several other standards, EN 746-2 does not require permanent flame detection and automatic shutdown if the
temperature of all combustion chamber walls exceeds 750°C. This criterion is easily achieved in steam methane
reformer furnaces and petrochemical steam cracking furnaces. However, this is never achieved in refinery heaters
with floor mounted burners. These heaters tend to have a significant vertical temperature gradient with the top of
their radiant chamber is generally above 800°C at design firing conditions, but the floor generally colder than 500°C
and not hot enough to allow smooth and safe re-ignition after a flame out.

4.2.3. Explosion doors

Decades of experience have shown that explosion doors do not prevent heater destruction. When explosions
occur, explosion doors can be blown as projectiles that may create further damage on refinery process units and
personnel. The NFPA 68 code provides a method to calculate their size. The calculations show that while explosion
doors may partially relieve the energy of a small deflagration, it is impractical to increase their size to fully mitigate
the energy of an explosion.
Experience over the last decades has shown that explosion doors often cause a significant ingress of tramp air
which leads to falsely high bridgewall oxygen readings. The consequence is a risk of incomplete combustion at the
burners, flame extinction and explosion [CCPS, 2004]. If the bridgewall pressure is positive, these doors may lift
 Jacques Dugué / Energy Procedia 120 (2017) 2–19 13
12 Jacques Dugué/ Energy Procedia 00 (2017) 000–000

allowing hot flue gas to escape and damage the shell metal surface around the open area. A gradual shift is seen in
the Oil & Gas Industry to remove or weld shut explosion doors as they cause particular risks when operating at low
excess air and do not provide the level of protection originally expected.

Fig. 4 : Partly open explosion door

4.2.4. Control system

In the past, fired equipment safety was distributed between operator response to abnormal situations,
instrumented protective functions programmed in the safety instrumented system, and solutions such as explosion
doors and snuffing steam to mitigate the consequence of explosions. The drive for safer operation with higher
energy efficiency, lower NOx emissions and reduced number of nuisance trips has led operating companies to adapt
their approach to fired equipment safety. The modern approach to fired equipment safety is to distribute the risk
across independent protection layers. These safety barriers rely on DCS constraint control and SIS functions, but
also on operational excellence (operator training and procedures), preventive, reliability-centered maintenance and
risk based inspection.

4.2.5. Burner management system

The function of a burner management system is to manage the start-up, operation and shutdown of the fired
equipment. Provided it is properly designed, configured and commissioned, a BMS will guide the operator through a
safe and consistent operating sequence. Fig. 4 displays the operating philosophy found in all burner management
systems [Newnham, 2006].
14 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué/ Energy Procedia 00 (2017) 000–000 13

Fig. 5: Operating philosophy of a burner management system [Newnham, 2006]

Because it is up to operating companies to decide the level of availability and automation that they wish to
achieve, it is therefore common to find differences in BMS designs. Some will allow a fully automatic startup with
the operator behind a concrete wall at a safe location, whereas others will still require the operator to be on a
platform to open manual pilot and burner valves.

4.3. Current discussion points in fired equipment design and operating practice

The topics addressed in this section are examples of discussion points currently debated in the committees in
charge of writing norms and standards. More information is provided in the summary report of the IFRF TOTeM 43
conference on safe design and operation of fired equipment in the oil and gas industry [IFRF Doc. no G 22/y/01,
2016].

4.3.1. General approach to fired equipment safety

The discussions at the IFRF TOTeM 43 conference highlighted that safe furnace operation should not attempt to
mitigate risk exclusively in the safety instrumented system (e.g. a single SIL 3 function). It was broadly agreed that
safe operation should be based on distributing the risks across independent protection layers (e.g. good design
practices, operator training, operator procedures, DCS constraint control and SIS functions).
It was widely agreed that nuisance trips should be avoided as they cause production and economic losses. More
frequent startups increase the risk of incidents and induce thermal stresses that can damage the equipment.
Proper controls and constraints and trip logics are recommended to reduce the risk of nuisance trips. In some
scenarios, time delays can be recommended to prevent nuisance trips. It was noted that reducing the number of
nuisance trips also reduces the causal frequency. As an example, reducing the causal frequency from 10 to 1 reduces
the SIL requirement, e.g. from SIL 2 to SIL 1.

4.3.2. Constraint controls to keep the heater within operational limits, avoid nuisance trips
Automatic fuel cut-back systems have been frequently implemented for hazard scenarios involving a rapid
change from safe to unsafe operation. These automatic controls do act as a protection layer, because their response
time to safe state is shorter than the process safety time of the faster developing hazard scenarios. Automatic
controls also provide a much faster response time than operators, which generally are considered to respond to an
alarm in 10 min for a board operator and 20 min for a field operator.
 Jacques Dugué / Energy Procedia 120 (2017) 2–19 15
14 Jacques Dugué/ Energy Procedia 00 (2017) 000–000

A number of owner/operators have successfully reduced nuisance trips and improved heater performance after
implementing fuel cutback controllers with constraint controls. These overrides:
o avoid sub-stoichiometric combustion,
o limit the maximum fuel gas pressure to the main burner,
o limit the process outlet temperature,
o keep the air / fuel ratio in range,
o ensure that the excess oxygen is kept within range,
o limit the frequency of nuisance trips.

4.3.3. Oxygen analyzers

The application of oxygen analyzers on fired heaters and furnaces has brought particular challenges. When
zirconium-oxide-based oxygen analyzers were first introduced for online measurements several decades ago, they
were frequently installed after the convection section and were not equipped with flame arrestors. This location
generally implies that the zirconia cell resides inside the flue gas stream. Several drawbacks should be pointed with
this type of practice:
o The oxygen measurement may not be representative of the oxygen concentration in the combustion
chamber as tramp air ingress causes the oxygen concentration to increase across the convection section.
This measurement artifact can be dramatic if the fired equipment is operated at low excess air as it can lead
to sub-stoichiometric operation of the burners.
o The response time of the “in situ” zirconia analyzers is slow, typically one minute or more because it
depends on diffusion of the flue gas in the probe rather than on induced flow. A response time of 1 minute
is much longer than the process safety time of some hazard scenarios which have a time scale similar to the
average residence time of the combustion gases in the combustion chamber, about 10 to 15 sec for heaters,
furnaces and boilers at maximum load. The addition of a flame arrestor and fouling of the sensor
significantly increase the response time of “in situ” zirconia sensors.
o A heated Zirconium oxide sensor without flame arrestors can be an ignition source for an air/fuel mixture
during a purge sequence or during an upset.

The best practices for reliable oxygen measurements in heaters and furnaces with zirconia sensors are the
following:
o Use of a sampling probe at the top of the radiant section, preferably at the inlet of the convection section.
The sampling location should be deep enough into the flue gas stream in order to avoid a measurement bias
due to presence of tramp air close to the walls.
o Use of a system with a jet pump to guarantee a response time not longer than 15 sec, even on sensors
equipped with flame arrestors. This is most important if automatic fuel cutback is to be implemented to
correct upset in firing conditions before a hazardous situation is reached.

It should be noted that analyzers are more complex than transmitters and require considerably more knowledge
and attention to detail to ensure high analyzer availability. Low availability is frequently traceable to a lack of
proper maintenance and training, not to the analyzer.
Although zirconia sensors have been successfully used for a number of years, tunable diode lasers (TDLs) have
been introduced in the past few years and are emerging as alternative technologies. TDLs are currently more
expensive that zirconia-based analyzers, but require less maintenance. Other advantages of TDLs include a
measurement over a line-of-sight which provides a better spatial averaging across the stream of combustion products
and a response time of 5 sec or less.
16 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué/ Energy Procedia 00 (2017) 000–000 15

4.3.4. CO analyzers
Although CO analyzers have not been commonly used to detect sub-stoichiometric firing due to the lack of
reliable analyzers and slow response time, the situation is changing. Tunable diode lasers (TDLs) for CO and have
demonstrated several key advantages as their ability to measure the CO concentration over a line-of–sight up to
about 20 m allows detecting CO emissions from one poorly operating burner or firebox flooding. Tunable diode
lasers for CO measurements can be expected to be more widely used in the coming years as their cost reduces.

4.3.5. Improvements in fuel gas flow measurement

Considering the regular changes in refinery fuel gas composition, controlling the fuel gas mass flow rather than
volume flow is considered a good practice to reduce the dependence on flue gas analyzers to keep the heaters within
operational limits. Fuel gas mass flow is often measured with differential pressure systems compensated for
pressure, temperature and density. In recent years, Coriolis mass flow meters have shown to be more accurate and
provide a wider measurement range as they offer a direct measurement of mass flow with no need to pressure,
temperature or density compensation. The improved measurement accuracy allows operating more reliably with a
lower oxygen concentration setpoint.

4.3.6. Flame scanners

Flame scanners have been required by the NFPA 85 boiler code since its first edition in 1964. They are generally
required by the prescriptive standards applicable to new industrial heaters and furnaces. Flame scanners, however,
have not been commonly used in refinery heaters and petrochemical furnaces. Few operating companies use them
systematically; many do not unless the jurisdiction requires them to.
A common practice in the refining industry has been to consider that the burner is presumed to be firing after
initial light-off and subsequent operation provided that:
o the fuel gas is clean, without inerts or only a low and stable concentration of inerts,
o the fuel gas supply is kept within the pressure range per the burner manufacturer,
o the burners are operated with adequate excess air,
o the burner flame stability has been proved.

It can be noted that flame scanners are no panacea for fired equipment safety. They only indicate whether a flame
is present or not and they cannot detect fuel rich condition, which is one of the highest risks of heater operation.
Although a large majority of fired heaters are not equipped with flame scanners, statistics on fired heater do not
indicate a higher rate of accidents than on boilers which generally do have flame scanners.
When included in a burner management system and combined with an automatic shut off valve on every burner,
the main benefit of flame scanners is to allow the startup of fired equipment with the operator at a safe location. The
BMS can automatically close the burner manual valve if the flame is not detected after a prescribed time (typically 3
to 5 sec). Many in the Industry have argued that the benefit of introducing flames scanners, new automatic valves on
every burner and new burner management systems on existing heaters does not justify the huge cost and complexity.
One can further note that the justification to use or not to use flame scanners should be made on technical
grounds. Calculation of the time required to reach the Lower Explosive Limit (LEL) in case of a delayed burner
ignition shows that the explosion risk is strongly dependent on the fuel and air flows during the trial-for-ignition
period. Practically, assuming that the burners are ignited at a similar turndown condition, the time required to reach
the LEL is strongly dependent on the number of burners. If the number of burners is high, the low fuel gas rate
through one burner is diluted with a high air through all burners. This results in a time to reach LEL long enough to
be compatible with a manual operator procedure. This is consistent with the long-standing practice of manually
igniting fired heaters and furnaces which typically have many burners. The corollary is that during startup
conditions, the LEL can be reached more rapidly in fired equipments with a low number of high capacity burners.
This situation is encountered in boilers and some forced draft heaters with few high capacity burners. It can be
suggested that when the number of burners in a combustion chamber is between one and six, the benefit of a burner
management system with flame scanners and automatic shutoff valves on every burner is easier to demonstrate and
the extra cost and complexity are justified by the extra risk reduction.
 Jacques Dugué / Energy Procedia 120 (2017) 2–19 17
16 Jacques Dugué/ Energy Procedia 00 (2017) 000–000

4.3.7. Techniques for improving purge in cold firebox (e.g. stack eductors to keep firebox dry)
Experience has shown that purging a combustion chamber with snuffing steam can severely affect the reliability
of the flame scanners and pilots, particularly if they are fitted with ignition rods and ionization flame detection.
Purging with snuffing steam can also damage the refractory lining. A more modern solution implemented by a
growing number of owner/operators is to use a steam eductor above the stack damper to establish a purge flow into
natural draft heaters. Nowadays, the use of snuffing steam appears to be owner/operator dependent. Some will not fit
snuffing steam on new heaters and let a fire burn itself off in the firebox in the event of a tube rupture. Others
continue to equip their heaters with snuffing steam and will use snuffing steam at the final stage of an uncontrolled
heater fire essentially to purge and cool the firebox.

4.3.8. Control of the fuel gas flow at startup

It is largely agreed that controlling the fuel gas pressure at light-off is an important safety requirement. In the
past, the norm was to ignite burners manually. The operator procedure would specify to open the burner manual
valve slowly to ensure a smooth ignition. More recent burner ignition methods with the operator at a safe location
have shown that when the fuel gas control valve lacks the required turndown to light the first few burners, the first
burners will need to be ignited at a higher pressure to prevent tripping on low fuel gas pressure. A startup override to
defeat the high pressure trip is then required until enough burners can be ignited for the control valve to be within
control range.
Thus, the correct selection and sizing of the fuel gas control valve is a critical design issue. Unfortunately, the
process data on valve specification sheets is typically provided for all burners in service and rarely identify the
turndown requirements to light the first few burners of a multiple burner system. If a heater is equipped with six
burners and if burner ignition is to be performed at ¼ of the burner capacity, the required turndown of the control
valve should be a very minimum of 24. This widely exceeds the 1 to 10 turn-down of a globe valve.
A preferable, inherently safer practice is to properly size the control valve or install a startup regulator to assist
the operator, is lighting the burners at lower pressure. When the control valve lacks sufficient startup turndown to
light the first burner, the common best practices to maintain the desired light-off pressure are to install a small
bypass line with a startup regulator or to select a Vee-ball with improved startup turndown (estimated at 300:1 or
better). The benefit of a startup regulator is that it requires no action by the operator to hold light-off pressure. In
contrast, the controller output to the Vee-ball will have to be manually adjusted (from burner curve calculations)
until the valve is within control range for automatic pressure control.

5. Conclusions

The design and operation of fired equipment has seen in the last 50 years continuous improvements in safety,
efficiency and environmental performance. In the Oil & Gas industry, heaters and furnaces designed prior to 1975
were often of natural draft type with many low capacity burners. Their level of instrumentation and controls was
low, and the risk mitigation measures rested for a large part on operator procedures, operator skills, operator
response to upsets and alarms and other severity reduction means such as explosion doors and snuffing steam. The
risk of sub-stoichiometric firing was mitigated by operating with high excess air and high draft.
The drive for safer operation with higher availability, energy efficiency, lower NOx emissions and fewer
nuisance trips has led operating companies to modify their approach to fired equipment safety. The modern best
practice is to distribute the risks across independent protection layers. These safety barriers rely on control systems
with constraints and safety instrumented functions, but also on operational excellence (operator training and
procedures), preventive, reliability-centered maintenance and risk based inspection.
New fired equipment designs will involve better instrumentation, better controls and a more comprehensive
safety instrumented system. As specified by the current legislation, European process heaters will be equipped with
flame scanners and two safety shutoff valves per burner. These requirements will promote the use of forced draft
furnaces with a small number of high capacity burners. The use of high capacity burners will be made possible by
the use of higher pressure drop burners which help keep the flame length short. As the approach to fired equipment
safety shifts from mitigating consequences to mitigating the risk of explosions and fires, explosion doors and
snuffing steam may become obsolete. Operators will still have a key role in fired equipment operation. However, the
18 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué/ Energy Procedia 00 (2017) 000–000 17

fired equipment will be designed to keep the field operator at a safe location during the pilot and burner startup
sequence, thus reducing the operator’s exposure to startup hazard.
The modernization of old fired equipment will be more challenging and will require compromises. Detailed risk
analysis should demonstrate that better instrumentation, control safety and safety instrumented systems reduce the
risks to a tolerable level. The retrofit of flame scanners and automatic shutoff valves on burners of existing fired
equipment may be neither practical nor technically justified on heaters equipped with many low capacity burners.
The use of performance based standards defining best practices for different classes of fired equipment may be
recommended. On the positive side, experience has shown that implementation of controls with constraints and
automatic fuel cutbacks have demonstrated good results at operating safely and minimizing nuisance trips. Current
trends are to evaluate the change in air demand in response to change in fuel gas composition in order to reduce the
burden on flue gas analyzers to keep the heater within operational limits. Additional considerations should be given
to startup control turndown (e.g. startup regulator) to reduce the risk of creating a hazardous gas mixture at startup.

Acknowledgements

The author wishes to express his deepest gratitude to Doug Smith and Dave Wilson for sharing their extensive
experience on fired equipment safety through many hours of personal discussions. The author would also like to
acknowledge the numerous fruitful discussions with his colleagues at TOTAL Refining & Chemicals and TOTAL
HSE and his counterparts at API meetings.
 Jacques Dugué / Energy Procedia 120 (2017) 2–19 19
18 Jacques Dugué/ Energy Procedia 00 (2017) 000–000

References

Regulations, Codes, and Standards

[1] API RP 538; “Industrial fired boilers for general refinery and petrochemical service”, 1st ed.; 2015.
[2] API RP 556; “Instrumentation, control, and protective systems for gas fired heaters”, 1st ed.; 1997, 2nd ed.; 2011.
[3] AS 3814 Australian Standard , “Industrial and commercial gas-fired appliances”; 2009.
[4] CGA H-10, “Combustion safety for steam reformer operation”, Published by the Compressed Gas Association, 1st ed; 2012.
[5] CGA H-11, “Safe startup and shutdown practices for steam reformers”, 1st ed.; 2013.
[6] CSA B149.3; “Code for the field approval of fuel-related components on appliances and equipment”, 1st ed.; 1989; 5th ed.; 2015.
[7] EN 746-2; Industrial therm. equipment; Part 2: “Safety requirements for combustion and fuel handling systems”, 1st ed.; 1997, 2nd ed. 2010.
[8] ISO 13577, Industrial furnaces and associated processing equipment safety; Part 1: “General requirements”, 1st ed.; 2012.
[9] ISO 13577, Industrial furnaces and associated processing equipment safety; Part 2: “Combustion and fuel handling systems”, 1st ed.; 2014.
[10] NFPA 68; “explosion prevention by deflagration venting”; 2007.
[11] NFPA 85; “Boiler and Combustion Systems Hazards Code”; 2015.
[12] NFPA 86; Standard for Ovens and Furnaces; 2015.
[13] NFPA 87; “Recommended Practice for Fluid Heaters”; 2015.
[14] ISA TR84.00.02, Part 1; Safety instrum. functions (SIF) and safety integrity level (SIL) evaluation techniques, 1st ed. 2002, 2nd ed. 2015.
[15] IEC 61508-1; “Functional safety of programmable safety-related systems; Part 1: General requirements”, 1st ed.; 1998, 2nd ed.; 2010.
[16] IEC 61511-1; “Functional safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system,
hardware and application programming requirements”, 1st ed.; 2003; 2nd ed.; 2016.
[17] Arrêté du 26 août 2013 relatif aux installations de combustion d’une puissance supérieure ou égale à 20 MW soumises à autorisation au titre
de la rubrique 2910 et de la rubrique 2931 ; Titre VII : Prévention des risques d’incendie et d’explosion.

Textbooks
[18] “Safe furnace firing”, American Oil Company, American, revised 2nd ed.; 1963.
[19] “Safe furnace and boiler firing”, Process safety booklet three, BP, 4th ed.; 2003.
[20] W.E. Baker, P.A. Cox, J.J. Kulesz, R.A. Strehlow, P.S. Westine; “Explosion hazards and evaluation”; Elsevier; 2012.
[21] Lees' “Loss Prevention in the Process Industries, Hazard Identification, Assessment and Control” (3 volumes); Elsevier; 4th ed.,; 2012.
[22] Roger Newnham; Direct-fired heaters; Operator training manual; Kingsley Knowledge Publishing; 2013.

Literature
[23] G. Ostroot, Jr., “Explosions in Gas or oil-fired Furnaces : A look at the causes of over 200 furnace explosions and the primary lessons
derived from them; Monsanto Co.” ; St. Louis, Mo; Loss prevention, vol. 6; 1972.
[24] G. Ostroot, Jr., “Case history: A two burner boiler explosion” ; Monsanto Co., St. Louis, Hydrocarbon Processing, Dec. 1976.
[26] R.A. Hancock, P. Spittle and R.G. Ward; “Safety standards for large burners: new criteria for burner start-up”; British Gas Corporation,
Midlands Research Station, IFRF Doc F21/ca/25; 1977.
[27] W.S. Lee, D.L. Grosh, F.A. Tillman, C.H. Lie, “Fault tree analysis, methods, and applications-A review”, IEEE; Trans. on Reliability; 1985.
[28] R. E. Sparrow, “Firebox explosion furnace in a primary reformer , Analysis of the incident with some practical considerations for reducing
the risk”; Western Co-operative Fertilizers Ltd., Calgary, Canada ; Plant/Operations Progress (Vol. 5, No.2); April 1986.
[29] G.D. Davis, “Investigation and repair of an auxiliary boiler explosion”; Plant/Operations Progress (vol. 6, no.1); Jan 1987.
[30] T.A.Kletz, “Hazop-past and future”; Reliability Engineering; System Safety; 1997.
[31] P Fewtrell, “A review of high-cost chemical/petrochemical accidents since Flixborough 1974”; WS Atkins Consultants Ltd, Warrington,
Cheshire, UK, IchemE Loss Prevention Bulletin no 140 ; April 1998.
[32] “Modifications After a Primary Reformer Explosion at a Reforming Plant”; Ammonia Technical Manual; 1999.
[33] WHSCC, “Accident Investigation Report on the Explosion and Fire at the Irving Oil Refinery Saint John, New Brunswick”; June 1999.
[34] “Explosion at a styrene plant”, Center for Chemical Process Safety, AIChE; Jan. 2004.
[35] R. Newnham and P. Chau, “Safety controls and burner management systems (BMS) on direct-fired multiple burner heaters”; Born Heaters
Canada Ltd; 2006.
[36] A. Hawryluk, “Hazardous flue gas mixtures in furnaces due to fuel-rich combustion”; NOVA Chemicals Corp., Ethylene Producers Conf.,
April 2008.
[37] R. Limaye, “Operator response to alarms is an important protection layer”; Praxair, Houston, Texas; Hydrocarbon Processing; March 2013.
[38] William G. Bridges, “Lessons Learned from Application of LOPA throughout the Process Lifecycle”, 10th Global Congress on Process
Safety, New Orleans, LA, March 31-April 2; 2014.
[39] P. Fisher, “Monitor safety with improved risk performance indicators” ; ACM Facility Safety, Calgary, Alberta, Canada ; Hydrocarbon
Processing; Dec. 2014.
[40] L.D. Wilson, “Conclusions from TOTeM 43 on safe design and operation of fired equipment in the oil and gas industry”;
IFRF Doc. no G 22/y/01; 28 Sept. 2016.