
ISA-TR84.00.05-2009

Guidance on the Identification of Safety Instrumented Functions (SIF)
in Burner Management Systems (BMS)

Approved 10 December 2009


Copyright International Society of Automation


Provided by IHS under license with ISA Licensee=BP International/5928366101
No reproduction or networking permitted without license from IHS Not for Resale, 10/04/2012 08:02:58 MDT
ISA-TR84.00.05-2009, Guidance on the Identification of Safety Instrumented Functions (SIF) in Burner
Management Systems (BMS)

ISBN: 978-1-936007-41-7

Copyright © 2009 by ISA. All rights reserved. Printed in the United States of America. No part of this
publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the
Publisher.

ISA
67 Alexander Drive

P.O. Box 12277


Research Triangle Park, North Carolina 27709

-3- ISA-TR84.00.05-2009

Preface

This preface is included for information purposes and is not part of ISA-TR84.00.05-2009.

This technical report has been prepared as part of the service of ISA, the International Society of
Automation. To be of real value, this document should not be static but should be subject to
periodic review. Toward this end, the Society welcomes all comments and criticisms and asks
that they be addressed to the Secretary, Standards and Practices Board; ISA, 67 Alexander
Drive; P.O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax
(919) 549-8288; E-mail: standards@isa.org.

This ISA Standards and Practices Department is aware of the growing need for attention to the
metric system of units in general, and the International System of Units (SI) in particular, in the
preparation of instrumentation standards, recommended practices, and technical reports. The
Department is further aware of the benefits to users of ISA standards documents of incorporating
suitable references to the SI (and the metric system) in their business and professional dealings
with other countries. Toward this end, the Department will endeavor to introduce SI and
acceptable metric units in all new and revised standards documents to the greatest extent
possible. The Metric Practice Guide, which has been published by the Institute of Electrical and
Electronics Engineers (IEEE) as ANSI/IEEE Std. 268-1992, and future revisions, will be the
reference guide for definitions, symbols, abbreviations, and conversion factors.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals
and interests in the development of ISA standards. Participation in the ISA standards-making
process by an individual in no way constitutes endorsement by the employer of that individual, of
ISA, or of any of the standards, recommended practices, and technical reports that ISA
develops.

CAUTION — ISA DOES NOT TAKE ANY POSITION WITH RESPECT TO THE EXISTENCE OR
VALIDITY OF ANY PATENT RIGHTS ASSERTED IN CONNECTION WITH THIS DOCUMENT, AND
ISA DISCLAIMS LIABILITY FOR THE INFRINGEMENT OF ANY PATENT RESULTING FROM THE
USE OF THIS DOCUMENT. USERS ARE ADVISED THAT DETERMINATION OF THE VALIDITY OF
ANY PATENT RIGHTS, AND THE RISK OF INFRINGEMENT OF SUCH RIGHTS, IS ENTIRELY THEIR
OWN RESPONSIBILITY.

PURSUANT TO ISA’S PATENT POLICY, ONE OR MORE PATENT HOLDERS OR PATENT


APPLICANTS MAY HAVE DISCLOSED PATENTS THAT COULD BE INFRINGED BY USE OF THIS
DOCUMENT AND EXECUTED A LETTER OF ASSURANCE COMMITTING TO THE GRANTING OF A
LICENSE ON A WORLDWIDE, NON-DISCRIMINATORY BASIS, WITH A FAIR AND REASONABLE
ROYALTY RATE AND FAIR AND REASONABLE TERMS AND CONDITIONS. FOR MORE
INFORMATION ON SUCH DISCLOSURES AND LETTERS OF ASSURANCE, CONTACT ISA OR
VISIT WWW.ISA.ORG/STANDARDSPATENTS.

OTHER PATENTS OR PATENT CLAIMS MAY EXIST FOR WHICH A DISCLOSURE OR LETTER OF
ASSURANCE HAS NOT BEEN RECEIVED. ISA IS NOT RESPONSIBLE FOR IDENTIFYING PATENTS
OR PATENT APPLICATIONS FOR WHICH A LICENSE MAY BE REQUIRED, FOR CONDUCTING
INQUIRIES INTO THE LEGAL VALIDITY OR SCOPE OF PATENTS, OR DETERMINING WHETHER
ANY LICENSING TERMS OR CONDITIONS PROVIDED IN CONNECTION WITH SUBMISSION OF A
LETTER OF ASSURANCE, IF ANY, OR IN ANY LICENSING AGREEMENTS ARE REASONABLE OR
NON-DISCRIMINATORY.

ISA REQUESTS THAT ANYONE REVIEWING THIS DOCUMENT WHO IS AWARE OF ANY PATENTS
THAT MAY IMPACT IMPLEMENTATION OF THE DOCUMENT NOTIFY THE ISA STANDARDS AND
PRACTICES DEPARTMENT OF THE PATENT AND ITS OWNER.


ADDITIONALLY, THE USE OF THIS DOCUMENT MAY INVOLVE HAZARDOUS MATERIALS,


OPERATIONS OR EQUIPMENT. THE DOCUMENT CANNOT ANTICIPATE ALL POSSIBLE
APPLICATIONS OR ADDRESS ALL POSSIBLE SAFETY ISSUES ASSOCIATED WITH USE IN
HAZARDOUS CONDITIONS. THE USER OF THIS DOCUMENT MUST EXERCISE SOUND
PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY UNDER THE USER’S
PARTICULAR CIRCUMSTANCES. THE USER MUST ALSO CONSIDER THE APPLICABILITY OF
ANY GOVERNMENTAL REGULATORY LIMITATIONS AND ESTABLISHED SAFETY AND HEALTH
PRACTICES BEFORE IMPLEMENTING THIS DOCUMENT.

THE USER OF THIS DOCUMENT SHOULD BE AWARE THAT THIS DOCUMENT MAY BE IMPACTED
BY ELECTRONIC SECURITY ISSUES. THE COMMITTEE HAS NOT YET ADDRESSED THE
POTENTIAL ISSUES IN THIS VERSION.

The following served as voting members of ISA84 and approved this technical report:

NAME COMPANY
W. Johnson, Chair E I du Pont
V. Maggioli, Managing Director Feltronics Corp
R. Adamski RA Safety Consulting LLC
T. Ando Yokogawa Electric Co
R. Avali Westinghouse Electric Corp
L. Beckman Safeplex Systems Inc
J. Campbell ConocoPhillips
I. Chen Aramco
M. Coppler Ametek Inc
M. Corbo ExxonMobil
K. Dejmek Baker Engineering & Risk Consultants
P. Early Langdon Coffman Services
K. Gandhi KBR
J. Gilman JFG Technology Transfer LLC
W. Goble Exida
P. Gruhn ICS Triplex
B. Hampshire BP
J. Harris UOP A Honeywell Company
J. Jamison EnCana Corporation Ltd
R. Johnson Dow Process Automation
K. Klein Celanese Corp
T. Layer Emerson Process Management
E. Marszal Kenexis Consulting Corp
N. McLeod ARKEMA
R. Peterson Lyondell Chemical Company
G. Ramachandran Shell Global Solutions US
M. Scott AE Solutions
D. Sniezek Lockheed Martin Federal Services
C. Sossman CLS Tech-Reg Consultants
R. Strube Strube Industries
A. Summers SIS-TECH Solutions LP
L. Suttinger Savannah River Nuclear Solutions
R. Taubert Consultant
H. Thomas Air Products & Chemicals Inc
T. Walczak Conversions Inc
M. Weber System Safety Inc
A. Woltman Shell Global Solutions
P. Wright BHP Engineering & Construction Inc
D. Zetterberg Chevron Energy Technology Company


The following served as members of the ISA Standards and Practices board and approved this technical
report:

NAME COMPANY
J. Tatera, VP Tatera & Associates Inc.
D. Dunn, VP Elect Aramco Services Co
P. Brett Honeywell, Inc
M. Coppler Ametek, Inc
E. Cosman The Dow Chemical Co
B. Dumortier Schneider Electric
R. Dunn DuPont Engineering
J. Gilsinn NIST/MEL
E. Icayan ACES Inc
J. Jamison EnCana Corporation Ltd
D. Kaufman Honeywell International Inc
K. Lindner Endress+Hauser Process Solutions AG
V. Maggioli Feltronics Corp
T. McAvinew Jacobs Engineering
A. McCauley Chagrin Valley Controls Inc.
G. McFarland Emerson Process Mgmt Power & Water Sol
R. Reimer Rockwell Automation
N. Sands DuPont
H. Sasajima Yamatake Corp
T. Schnaare Rosemount Inc
I. Verhappen Industrial Automation Networks Inc.
R. Webb ICS Secure LLC
W. Weidman Consultant
J. Weiss Applied Control Solutions LLC
M. Widmeyer Kahler Engineering Inc.
M. Wilkins Yokogawa IA Global Marketing (USMK)
M. Zielinski Emerson Process Management

CONTENTS

1 Foreword .............................................................................................................................................. 9

2 Introduction......................................................................................................................................... 10

3 Scope ................................................................................................................................................. 10

4 References ......................................................................................................................................... 11

5 Abbreviations and Acronyms.............................................................................................................. 12

6 Safety Lifecycle and Protection Concepts.......................................................................................... 13

7 Example of a Hazard and Risk Analysis Applied to a Single Burner Boiler ....................................... 32

8 Example of a Hazard and Risk Analysis Applied to a Multi-Burner Process Heater ......................... 37

9 Example of a Hazard and Risk Analysis Applied to a Thermal Oxidizer............................................ 43

10 Example of a Hazard and Risk Analysis Applied to an Oil Heater Treater ........................................ 47

11 Example of a Hazard and Risk Analysis Applied to a Glycol Reboiler............................................... 53

12 Example Hazard and Risk Analysis and Verification ......................................................................... 59


1 Foreword
As a technical report, ISA-TR84.00.05 is provided for information purposes only and is not part of
ANSI/ISA-84.00.01-2004 (ref. 4.1).

ISA-TR84.00.05 is intended for reference in applications where it has been determined that ANSI/ISA-
84.00.01-2004 applies.

NOTE Throughout this technical report, the term “ANSI/ISA-84.00.01-2004” is used to refer to ANSI/ISA-84.00.01-
2004 Parts 1-3 (IEC 61511 Modified).

ANSI/ISA-84.00.01-2004 provides minimum requirements for designing and managing safety
instrumented systems (SISs) based on functional and integrity requirements established during a hazard
and risk analysis. The specific methods used to conduct the hazard and risk analysis are outside the
scope of this technical report. Additional guidance is provided in ANSI/ISA-84.00.01-2004 Part 3 (ref. 4.1)
and in Guidelines for Hazard Evaluation Procedures (ref. 4.2).

The ISA84 committee determined that it was appropriate to provide supplemental information on the
application of hazard and risk analysis to Burner Management Systems (BMS). The purpose of ISA-
TR84.00.05 is to provide users of ANSI/ISA-84.00.01-2004 with guidance on how to identify safety
functions within the BMS. Safety functions classified as Safety Instrumented Functions (SIFs) should be
designed and managed according to ANSI/ISA-84.00.01-2004, as well as other applicable practices. The
presented work processes and illustrations are not intended to replace, but instead to supplement, the
requirements of good engineering practices applicable to BMS, such as NFPA 85, NFPA 86, API 556,
ASME CSD-1, and API RP 14C (see Clause 4).

In jurisdictions where the governing authorities (e.g., national, federal, state, province, county, city) have
established process safety design, process safety management, or other requirements, these take
precedence over the guidance provided in this technical report.

NOTE The example BMS architectures represent possible system configurations and should not be
interpreted as recommendations. The configurations used in actual applications are specific to the
operating environment and process conditions where they are used. As such, no general
recommendations can be provided that are applicable in all situations. The user of this technical report
is cautioned to clearly understand the assumptions and data associated with the methodologies in this
document before attempting to utilize the methods presented herein.

The users of ISA-TR84.00.05 will include:

• Manufacturers of BMSs who are applying the requirements of ANSI/ISA-84.00.01-2004, in
addition to other applicable good engineering practices.

• Hazard and Risk Analysis teams identifying and classifying the SIFs within a BMS.

• SIS designers who want an understanding of the safety requirements of BMS.


2 Introduction
In the process industries, many types of instrumented systems are used to maintain a process within
normal operating limits. When a process exceeds these limits, protective functions are used to reduce the
risk of identified hazardous events associated with safety, environmental, and business consequences.
Protective functions are often allocated to instrumented systems, which are designed and managed to
achieve or maintain a safe state when a process reaches a prescribed condition.

ANSI/ISA-84.00.01-2004 applies to safety instrumented systems (SISs), which are instrumented systems
implemented to prevent an event that results in major consequences and unacceptable lasting effects,
usually involving significant harm to humans, substantial damage to the environment, and/or loss of
community trust with possible loss of franchise to operate. As companies apply ANSI/ISA-84.00.01-2004
to the design of their process equipment, many want to consistently apply an identification and
classification process across a facility.

Fired equipment is found throughout the process industries in many applications, including various types
of heaters and boilers. The hazards associated with burner operation are managed by an instrumented
system commonly referred to as the burner management system (BMS). The BMS provides interlocks
and permissives to prevent misoperation of equipment and to safely handle faults caused by equipment
failure. These events potentially result in uncontrolled fires, explosions, or implosions and in the
unintended release of the materials being heated. This technical report refers to these functions as BMS
functions.

This technical report shows examples of BMS functions required by good engineering practices
applicable to BMS, such as NFPA 85 (ref. 4.4), NFPA 86 (ref. 4.5), API 556 (ref. 4.6), ASME CSD-1 (ref.
4.7), and API RP 14C (ref. 4.8). This technical report demonstrates how the work processes of Clauses 8
and 9 of ANSI/ISA-84.00.01-2004 can be applied to establish the functional and integrity requirements of
the functions within the BMS. BMS functions should be implemented according to applicable good
engineering practices, such as those previously referenced. ISA-TR84.00.05 illustrates how an
identification and classification work process can be used to identify SIFs within the BMS.

3 Scope
3.1 ISA-TR84.00.05 is strictly informative and does not contain any mandatory requirements.

3.2 ISA-TR84.00.05 is intended to be used by those with an understanding of the basic requirements
of ANSI/ISA-84.00.01-2004 and other good engineering practices applicable to BMS (references
4.4 to 4.8).

3.3 ISA-TR84.00.05 is intended to be used in conjunction with other good engineering practices. This
technical report is not intended to stand alone or be a replacement for BMS-specific practices.

3.4 This technical report is intended to:

a) Identify and classify SIFs within typical BMSs for typical operating modes of fired equipment (e.g.,
pre-firing, light-off, shutdown, and normal operation);

b) Provide examples of typical safety assessments for the following equipment with BMSs: boilers
(single burner), fired process heaters (multi-burner), thermal oxidizers, oil heater treaters and
glycol reboilers.


4 References
4.1 ANSI/ISA-84.00.01-2004 (IEC 61511 Mod), Functional Safety: Safety Instrumented Systems for the
Process Industry Sector, Parts 1, 2 & 3, ISA, 2004. www.isa.org/standards.

4.2 CCPS/AICHE, Guidelines for Hazard Evaluation Procedures, Second Edition with Worked
Examples, 1992.

4.3 ISA-TR84.00.02-2002, Safety Instrumented Systems (SIS) – Safety Integrity Level (SIL) Evaluation
Techniques, ISA, www.isa.org/standards.

4.4 NFPA 85, Boiler and Combustion Systems Hazards Code, National Fire Protection Association,
2003.

4.5 NFPA 86, Standards for Ovens and Furnaces, National Fire Protection Association, 2004.

4.6 API RP 556, Instrumentation, Control and Protective Systems for Fired Heaters and Steam
Generators, 1997.

4.7 ASME CSD-1, Controls and Safety Devices for Automatically Fired Boilers, American Society of
Mechanical Engineers, 2006.

4.8 API RP 14C. Recommended Practice for Analysis, Design, Installation, and Testing of Basic
Surface Safety Systems for Offshore Production Platforms, 2001.


5 Abbreviations and Acronyms


1oo2 – One out of Two Voting
2oo2 – Two out of Two Voting
2oo3 – Two out of Three Voting
AIChE – American Institute of Chemical Engineers
ANSI – American National Standards Institute
API – American Petroleum Institute
API RP – American Petroleum Institute Recommended Practice
BMS – Burner Management System
BPCS – Basic Process Control System
CCPS – Center for Chemical Process Safety
E/E/PE – Electrical/Electronic/Programmable Electronic
HAZOP – Hazards and Operability Study
IEC – International Electrotechnical Commission
IPF – Instrumented Protective Function
IPL – Independent Protection Layer
ISA – International Society of Automation
LEL – Lower Explosion Limit
LOPA – Layers of Protection Analysis
MTTF – Mean Time to Failure
MTTFD – Mean Time to Failure Dangerous
MTTFS – Mean Time To Fail Safe
MTTR – Mean Time to Repair or Restore
NFPA – National Fire Protection Association
OSHA – U.S. Occupational Safety and Health Agency
P&ID – Piping and Instrumentation Diagram
PE – Programmable Electronic
PES – Programmable Electronic System
PFDavg – Probability of Failure on Demand Average
PHA – Process Hazards Analysis
PLC – Programmable Logic Controller
SIF – Safety Instrumented Functions
SIL – Safety Integrity Level
SIS – Safety Instrumented Systems

6 Safety Lifecycle and Protection Concepts


6.1 The Safety Lifecycle

6.1.1 Overview

Safety consequences can result from the misoperation of fired equipment during start-up, normal
operation, maintenance, and shutdown. A BMS is implemented to prevent misoperation and to safely
handle faults caused by equipment failure. Misoperation can be caused by equipment failure or improper
firing and can potentially result in uncontrolled fires, explosions, or implosions and in the unintended
release of the materials being heated. Consequently, the hazard and risk analysis for the fired equipment
often focuses on events that lead to hydrocarbon fuels being introduced into the equipment under
abnormal operating conditions.

The ANSI/ISA-84.00.01-2004 Safety Lifecycle addresses SISs used to prevent unacceptable hazardous
events, generally involving harm to people and/or damage to the environment. The lifecycle is supported
by a management system that focuses on reducing the potential for SIS failure through effective SIS
design and management. The Safety Lifecycle includes steps for:

• Identifying the hazardous events resulting in unacceptable consequences

• Identifying the safety functions that prevent hazardous events

• Establishing the performance criteria (e.g., the risk reduction) for these safety functions

• Allocating safety functions to systems designed and managed to achieve the performance criteria

• Documenting the functional and integrity requirements in a design specification

• Verifying that the design and management practices are sufficient to meet the performance
requirements

• Documenting and implementing operation and maintenance procedures to support performance
requirements

• Managing changes to the process equipment and its safety systems to ensure safe operation

Many types of fired equipment are subject to application-specific good engineering practices. The hazard
and risk analysis described in ANSI/ISA-84.00.01-2004 can be used to classify these already identified
BMS functions. The BMS design should meet the intent of any applicable good engineering practice,
regardless of the perceived risk. This technical report demonstrates how ANSI/ISA-84.00.01-2004
complements other good engineering practices, allowing the owner/operator to define the requirements
for each instrumented system consistent with methods used for other process equipment. ANSI/ISA-
84.00.01-2004 work processes can also be used to determine whether planned BMS design and
management practices are sufficient to provide the required risk reduction for identified hazardous events.

This technical report addresses various aspects of the Safety Lifecycle and its application to BMS. While
this technical report provides examples of hazardous events, it does not illustrate all of the hazardous
events possible with the referenced equipment. Hazardous event identification can be accomplished
through a variety of methods ranging from checklists based on prior design and experience to formal,
structured techniques, such as Hazard and Operability Studies (HAZOP) and What If?/checklists. The
choice of method is not specific to BMS. More information on the hazard identification can be found in
Guidelines for Hazard Evaluation Procedures (Reference 4.2).


6.1.2 Safety Instrumented Functions

An SIS may implement one or more SIFs to address unacceptable hazardous events associated with
process equipment operation. The starting point for this technical report is a description of the
measurements and actions taken by various BMS functions required by applicable practices. The reader
is cautioned that identification of an individual SIF within an SIS may seem simple, but many errors are
common, such as:

• Not including all of the process measurements that can detect the hazardous condition

• Including actions that are not required to achieve or maintain a safe state

• Including measurements that do not detect the hazardous condition

The risk analysis is further complicated when multiple initiating causes can result in a hazardous event,
but not all initiating causes are detected by the same process measurement. In this case, multiple SIFs
may be defined, each of which provides risk reduction against a set or subset of the initiating events that
can cause the hazard. When selecting the risk reduction and the associated SIL for these SIFs, the
aggregation effect of the multiple SIFs protecting against the same hazardous event should be
considered. In many cases, the lack of independence between the SIFs necessitates the consideration of
the functions as a single function with diverse process measurements.

6.1.3 Safety Integrity Level

When a BMS function is classified as an SIS, the risk reduction allocated to the BMS function is related to
its SIL. The required risk reduction can be defined using qualitative, semi-quantitative or quantitative risk
analysis techniques. All techniques rely on process hazards analysis to identify hazardous events. The
primary difference between the techniques is the different degrees of rigor employed to estimate the
event likelihood (or frequency) and consequence severity.

Various hazard and risk analysis techniques are discussed in Guidelines for Hazard Evaluation
Procedures (ref. 4.2). While all techniques follow the same general steps, there is much variability in the
detail and degree of resolution between different owner/operators that apply ANSI/ISA-84.00.01-2004.
This report does not endorse a specific methodology for performing risk analysis. The CCPS concept
book Layers of Protection Analysis: A Simplified Risk Assessment discusses a semi-quantitative risk
analysis technique, which uses order-of-magnitude bands to assess the event likelihood.

The risk analysis process can be summarized as:

1) Identify the hazardous event (e.g., the event that the SIF under consideration is preventing).

2) Estimate consequence severity of the hazardous event.

3) Estimate likelihood (or frequency) of the hazardous event, considering all credible initiating
causes.

4) Assess the process risk of the hazardous event as a function of its consequence severity and
likelihood (or frequency).

5) Compare process risk to the risk criteria to determine the risk reduction requirements.

6) Identify safety functions required to achieve the risk reduction requirements.

7) Assign an SIL to the SIF that meets the risk reduction requirements.


ANSI/ISA-84.00.01-2004 defines four discrete levels of SIL. Each SIL is an order of magnitude range of
values associated with the probability that the SIS will perform its required function under all stated
conditions within a specified time period. The risk reduction factor is defined in Table 6.1 as 1/PFDavg.

Table 6.1 – SIL Categories

Safety Integrity Level (SIL)   Average Probability of Failure on Demand (PFDavg)   Risk Reduction Factor
4                              10^-4 to 10^-5                                      10,000 to 100,000
3                              10^-3 to 10^-4                                      1,000 to 10,000
2                              10^-2 to 10^-3                                      100 to 1,000
1                              10^-1 to 10^-2                                      10 to 100

Step 1. Identify Hazardous Event

Identifying the hazardous event is a critical step in the risk analysis process. Errors in this step may result
in an SIF design basis that does not adequately address the process risk. Hazardous events should be
identified using a process hazards analysis as discussed previously. This technical report provides
examples of the application of the risk analysis process to identified hazardous events. The reader is
cautioned that these examples are not comprehensive and should not be considered a substitute for
performing an analysis on similar fired equipment.

Step 2. Estimate Consequence Severity

The consequence severity is typically estimated qualitatively. While consequence models employing
explosion, fire, and population density calculations are possible, they are rarely used for BMS
assessments. While risk analysis techniques are often focused on an evaluation of safety impacts, many
owner/operators consider environmental and business impacts.

Step 3. Estimate Likelihood (or frequency)

Likelihood (or frequency) is estimated qualitatively, semi-quantitatively, or quantitatively. Many
owner/operators use order-of-magnitude estimates for the event likelihood, e.g., once per year, once in
10 years, etc. The likelihood should be assessed without considering the presence of any protection
layers, e.g., instrumented systems and pressure relief devices. This yields the unmitigated likelihood of
the hazardous event.

Step 4. Assess Process Risk

The process risk is a function of the estimated consequence severity (step 2) and unmitigated likelihood
(Step 3) of the identified hazardous event.

Step 5. Compare Process Risk Against Risk Criteria

Many owner/operators represent their risk criteria as a risk matrix where event likelihood and
consequence severity are the two axes. The required risk reduction is provided as a function of the event
likelihood and consequence severity. The process risk is used to determine the required risk reduction for
the specific consequence-likelihood pair.

Some owner/operators use quantitative risk metrics, such as the individual risk of fatality or the risk to the
maximum-exposed individual (or societal risk criteria). In these cases, a numerical estimation of the
frequency of the hazardous event is compared to the risk criteria relevant for the specified consequence
severity.


When the process risk exceeds the risk criteria, safety functions are identified that reduce the process risk
to the risk criteria.

Step 6. Identify safety functions required to achieve the risk reduction requirements.

Safety functions are implemented to achieve or maintain a safe state in response to a specified
hazardous event. The safety functions are allocated risk reduction as required to reduce the residual risk
below the risk criteria. Finally, the safety functions are allocated to protection layers that are designed and
managed to achieve the required functionality and risk reduction.

Step 7. Assign an SIL to the SIF that achieves the risk reduction requirements.

Those safety functions allocated to the SIS layer are SIFs. The risk reduction allocated to an SIF is
related to its SIL as shown in Table 6.1.

6.2 Safety Integrity Level Verification

The Safety Lifecycle, as defined in ANSI/ISA-84.00.01-2004, requires the verification of the SIL of each
SIF using quantitative analysis of the average probability of failure on demand (PFDavg). This calculation
should consider the failure characteristics of each SIF device, the SIF architecture, and the SIF proof test
interval. These calculations can be performed using the techniques described in ISA-TR84.00.02, Safety
Instrumented Systems (SIS) Safety Integrity Level (SIL) Evaluation Techniques. Examples of the
evaluation of a BMS function are presented in clause 12 of this technical report.
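As an added illustration of the verification step, not taken from ISA-TR84.00.05 or ISA-TR84.00.02, the following Python example applies the simplified low-demand PFDavg equations (λDU·TI/2 for 1oo1; (λDU·TI)²/3 + β·λDU·TI/2 for 1oo2) to a constructed "main flame not proven" trip made up of flame scanners, a logic solver and one fuel gas shutoff valve, then maps the result onto the SIL bands. The failure rates, the common-cause factor β = 0.1 and the one-year proof test interval are assumptions chosen for illustration, and the equations ignore repair time, proof test coverage and mission time.

```python
"""SIL verification of a BMS trip using simplified PFDavg equations.

Added example, not part of ISA-TR84.00.05 or ISA-TR84.00.02. It applies the
simplified low-demand equations PFDavg = lambda_DU * TI / 2 for 1oo1 and
PFDavg = (lambda_DU * TI)^2 / 3 + beta * lambda_DU * TI / 2 for 1oo2 (common
cause included via beta). Repair time, proof test coverage and mission time
are ignored. All failure rates below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands (ANSI/ISA-84.00.01 / IEC 61511): SIL -> [lower, upper) PFDavg
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_du_per_hour: float   # dangerous undetected failure rate (assumed)
    voting: str                 # "1oo1" or "1oo2"
    proof_test_years: float     # proof test interval TI
    beta: float = 0.1           # common-cause fraction for redundant channels

    def pfd_avg(self) -> float:
        x = self.lambda_du_per_hour * self.proof_test_years * HOURS_PER_YEAR
        if self.voting == "1oo1":
            return x / 2.0
        if self.voting == "1oo2":
            # independent-failure term plus common-cause term
            return x ** 2 / 3.0 + self.beta * x / 2.0
        raise ValueError(f"unsupported voting {self.voting!r}")


def sif_pfd_avg(subsystems: Iterable[Subsystem]) -> float:
    """Sensor, logic solver and final element PFDs add (series reliability)."""
    return sum(s.pfd_avg() for s in subsystems)


def achieved_sil(pfd: float) -> int:
    """Map a PFDavg to the SIL band it falls in; 0 means no SIL credit."""
    for sil, (lower, upper) in SIL_BANDS.items():
        if lower <= pfd < upper:
            return sil
    return 0


def main_flame_trip(sensor_voting: str = "1oo2",
                    valve_ti_years: float = 1.0) -> Tuple[float, int]:
    """Constructed 'main flame not proven' trip: flame scanners, logic solver,
    one fuel gas shutoff valve. Returns (PFDavg, achieved SIL)."""
    sif = [
        Subsystem("flame scanners", 1.0e-6, sensor_voting, 1.0),
        Subsystem("safety logic solver", 5.0e-8, "1oo1", 1.0),
        Subsystem("fuel gas shutoff valve", 2.0e-6, "1oo1", valve_ti_years),
    ]
    pfd = sif_pfd_avg(sif)
    return pfd, achieved_sil(pfd)


if __name__ == "__main__":
    for voting in ("1oo1", "1oo2"):
        pfd, sil = main_flame_trip(sensor_voting=voting)
        print(f"flame scanners {voting}: PFDavg={pfd:.2e} -> SIL {sil}")
    # Halving the valve proof test interval attacks the dominant term.
    pfd, sil = main_flame_trip(valve_ti_years=0.5)
    print(f"valve TI 6 months: PFDavg={pfd:.2e} -> SIL {sil}")
```

Run stand-alone it prints the three cases. The point it makes is the one the clause is about: the single shutoff valve dominates the PFDavg, so voting the scanners 1oo2 instead of 1oo1 moves the constructed function from SIL 1 to SIL 2, and the valve's proof test interval is the next lever worth pulling rather than further sensor redundancy.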

6.3 Operating Modes, Undesirable Events and SIF

The various operating modes of the fired equipment should be considered during the analysis. Each
operating mode may require specific protective layers. The operating modes, undesirable events and
safety functions discussed in this section are based on a review of the existing BMS good engineering
practices. Again, the reader is cautioned that these examples should not be considered a substitute for an
analysis of a specific piece of fired equipment. There may be situations or complexities that pose process
hazards with unacceptable consequences that are not discussed in this technical report, e.g., fuel rich
conditions due to use of staged low-NOx burners or flue gas recirculation. It is the responsibility of the
owner/operator to identify hazardous events pertaining to fired equipment operation.

NOTE This section covers a variety of fired equipment including boilers, process heaters, thermal oxidizers, and ovens. The
undesirable events and SIFs covered below may not be applicable to all types of fired equipment. End users need to
identify which are applicable to their specific applications and corporate/local requirements.

6.3.1 Pre-firing cycle

The pre-firing cycle prepares the fired equipment for the introduction of fuel and light-off of the burners.
The pre-firing cycle includes prevention of fuel entering the firing chamber and purging of the chamber to
remove any residual hydrocarbon that may be present.

6.3.1.1 Excess Combustibles in the Firing Chamber

Misoperation of the fired equipment can result in an excessive amount of unburned fuel being introduced
to the firing chamber. If this fuel mixes with air in a flammable proportion and finds a source of ignition, it
may ignite. Ignition of a flammable mixture in the firing chamber may result in a fire that may propagate
into an explosion (deflagration) that could damage equipment and injure personnel in the area of the
explosion.

6.3.1.1.1 Fuel Valves Improperly Aligned (Permissive)

To ensure a sufficiently fuel-free environment in the firing chamber, it is necessary to verify that the valves
are lined up such that fuel is not being introduced to the firing chamber. If the fuel valves were improperly
aligned, fuel could be introduced into the firing chamber during the purge period, making the purge
ineffective. A successful purge requires that the valves remain in the closed position during the purge and
an adequate purge rate be sustained for a specified period of time.

The hazardous condition is detected by monitoring position switches on the fuel valves. If the valves are
determined to be in the wrong position, the startup sequence is stopped and fuel introduction is
prevented. While this functionality is considered good engineering practice, it is rarely considered an SIF.
Failure of the fuel valves to reach the closed position when required should be detected and annunciated,
because a valve failure could allow a hazardous condition to continue to exist after shutdown or during
later re-start activities.

6.3.1.1.2 Accumulation of Flammable Materials and Failure to Purge (Permissive)

Prior to ignition, any accumulation of unburned hydrocarbons needs to be removed to ensure that
introduction of an ignition source(s) will not cause an undesired fire or explosion of the accumulated fuel.
To prevent this consequence, the heater firebox is purged by operating the air fans for a pre-determined
period of time.

The air flow measurement device varies from application to application, but is typically some combination
of one or more of the following: (1) differential pressure measurement across the fan, (2) pressure
measurement at the outlet of the fan, (3) flow measurement device (such as a pitot tube), or (4) fan motor
running indication using motor contacts / speed probes and pressure indication. Each of these
measurement types has benefits and limitations, and decisions regarding the measurement type should
consider the specific application under consideration. In general, more direct measurement, such as
actual flow rate, is superior to indirect means of measurement, such as motor running contacts, as there
are a number of failure modes that may result in the indirect measurement giving a false positive
indication of flow. For instance, if a fan shaft decoupled from its motor, the motor running contact
indicates that the motor is running, but air is not actually flowing. Alternatively, motor amps could be used
to indicate that the fan motor is running and has a load. The benefits and limitations of the various
measurement devices are considered during the SIL verification, where the probability of failure on
demand is calculated. Inferior measurements will result in higher probabilities of failure on demand and
thus lower achieved SIL levels.

The timer functionality will either be supplied by a time delay relay or in the programming of a
programmable electronic system. The appropriate timer settings for purging are established in the BMS
practices (refer to clause 4 for a listing).

Measuring a proper purge is straightforward in a forced, induced, or balanced draft heater. Ensuring a
proper purge in a natural draft heater is less direct, but still important. There are a number of methods
that are commonly used in the process industries.

1) Use an external purge medium, such as steam, plant air, or instrument air, for a predefined period
of time. If this method is chosen, either the flow of the medium is measured and used as an input
to the permissive function, or the medium is confirmed to be flowing by inspection (audible and/or
visual evidence) and only the timer is used in the automatic function.

2) Allow the natural draft occurring through the heater to purge the firebox. If this method is chosen,
some feedback, via limit switches, can be used to confirm the existence of flow in combination with
the purge timer.

NOTE If no positive automatic means is used to ensure the firebox has been purged prior to light-off, manual
testing of the concentration of combustibles in the firebox, via combustible gas detectors, should be
considered.

The risk posed by failure to purge a heater firebox is significant and has resulted in a number of fired
equipment accidents. While not always classified as an SIF, depending on hazards associated with
burner light-off, this functionality is often considered safety-related and is reviewed for risk reduction
requirements.
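The following Python example, added here and not part of the technical report, shows the purge permissive logic that the two preceding clauses describe: credit toward the purge time is accrued only while the fuel valves are proven closed and air flow is proven, and any interruption restarts the timer. It sits beside a deliberately weak variant that merely sums the "good" scan time, to show why the restart matters. The 300 s purge time, 1 s scan period and sensor traces are constructed; real values come from the applicable BMS practice (clause 4) and the specific heater.

```python
"""Purge permissive for the pre-firing cycle.

Added example, not taken from ISA-TR84.00.05 or any BMS product. It models the
two conditions the text requires for a successful purge (fuel valves proven
closed and air flow proven) and the timer that must run uninterrupted. The
required purge time, scan period and sensor traces are constructed
placeholders; real values come from the applicable BMS practice and heater.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class PurgePermissive:
    required_purge_s: float
    elapsed_s: float = 0.0
    restarts: int = 0

    def step(self, fuel_valves_proven_closed: bool, air_flow_proven: bool,
             dt_s: float) -> bool:
        """Advance one scan. Credit is only given while BOTH conditions hold;
        any interruption discards the accumulated time (timer restart)."""
        if not (fuel_valves_proven_closed and air_flow_proven):
            if self.elapsed_s > 0.0:
                self.restarts += 1
            self.elapsed_s = 0.0
            return False
        self.elapsed_s += dt_s
        return self.elapsed_s >= self.required_purge_s


def naive_accumulated_purge(samples: Iterable[Tuple[bool, bool]],
                            required_purge_s: float, dt_s: float) -> bool:
    """Deliberately weak variant for comparison: sums every 'good' scan
    regardless of interruptions, so an interrupted purge can be credited."""
    good = sum(dt_s for closed, flow in samples if closed and flow)
    return good >= required_purge_s


def run_purge(samples: Iterable[Tuple[bool, bool]], required_purge_s: float,
              dt_s: float) -> Tuple[bool, int, float]:
    """Replay (valves_closed, air_flow_ok) scans; return
    (permissive satisfied, timer restarts, elapsed credited seconds)."""
    p = PurgePermissive(required_purge_s)
    permitted = False
    for closed, flow in samples:
        permitted = p.step(closed, flow, dt_s)
    return permitted, p.restarts, p.elapsed_s


def constructed_trace() -> List[Tuple[bool, bool]]:
    """Constructed 1 s scans: 200 s good, 5 s loss of air flow proof, 200 s good."""
    return [(True, True)] * 200 + [(True, False)] * 5 + [(True, True)] * 200


if __name__ == "__main__":
    trace = constructed_trace()
    permitted, restarts, elapsed = run_purge(trace, required_purge_s=300.0, dt_s=1.0)
    print(f"restarting timer: permitted={permitted}, restarts={restarts}, elapsed={elapsed:.0f}s")
    print(f"naive accumulating timer: permitted={naive_accumulated_purge(trace, 300.0, 1.0)}")
    # Sustain flow for another 100 s after the interruption and the purge completes.
    permitted, restarts, elapsed = run_purge(trace + [(True, True)] * 100, 300.0, 1.0)
    print(f"after 300 s uninterrupted: permitted={permitted}, elapsed={elapsed:.0f}s")
```

The same restart applies if a fuel valve loses its closed proof mid-purge, which is the point of 6.3.1.1.1: the valve position check is not a one-time gate at the start of the purge but a condition that must hold for the whole purge period.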

6.3.1.2 Proceeding to the Light-Off cycle when the permissives are not satisfied

6.3.1.2.1 Flame Detector Indicating Premature Presence of Flame (Permissive)

To ensure a fuel-free firing chamber prior to introduction of fuel gas and ignition, all sources of fuel must
be stopped. If a flame were present at the burner prior to a planned light-off sequence, it would indicate
that fuel is being introduced to the heater and is being burned at the burner tip. While this scenario is not
likely to occur, if it did, it would result in an ineffective purge that might result in accumulated unburned
fuel in the firing chamber prior to light-off. This fuel might then be ignited, causing a fire or explosion.

In this case, the flame detectors at the burners detect the hazardous condition. If a flame is detected, the
startup sequence is stopped and introduction of fuel and ignition is prevented.

While this functionality is considered good engineering practice, it is rarely classified as an SIF as it is
considered sufficiently unlikely. Premature presence of a flame either indicates failure of the flame
detector in a dangerous state or that fuel is being introduced to the heater and combustion is occurring
without the knowledge or direction of operations staff. This could also indicate the presence of an oil pool
fire or leaking fuel valves that fail to fully extinguish the burner flames. It is very unlikely that, after a
successful shutdown, fuel could be re-introduced to the heater and ignite at the burner without the
direct involvement of operations staff. As a result, this functionality is typically treated as a diagnostic of
the proper operation of the flame detectors rather than an indication that a hazardous condition exists.

6.3.1.2.2 Low Fuel Gas Pressure (Permissive)

After purging, but before light-off, a heater’s fuel system, typically at the header upstream of the control
valve, is checked to ensure that it is prepared for introduction of fuel into the purged heater. This
preparation includes verification that the fuel gas pressure is sufficiently high to support combustion. If
fuel gas pressure were not high enough to support combustion it is possible that fuel gas could be
introduced to the firebox that would not be ignited at the burner. This fuel gas could then subsequently
accumulate in the firebox, find a source of ignition and cause an undesired fire or explosion.

Measuring the pressure of fuel gas in the main header detects the hazardous condition. If a hazardous
condition is detected, the startup sequence is stopped and introduction of more fuel and ignition is
prevented.

While this functionality is considered good engineering practice, it is rarely classified as an SIF. While
there are safety consequences that might result from low pressure conditions in the fuel gas header prior
to light-off, the hazards posed by this scenario are more directly detected by the “Igniter Flame Not
Proven” and “Main Flame Not Proven” trips described in clauses 6.3.2.1.1 and 6.3.2.1.2. As a result,
these pre-light-off functions are typically considered more of an operational convenience than an SIF.

6.3.1.2.3 High Fuel Gas Pressure (Permissive)

After purging, but before light-off, a heater’s fuel systems are typically checked to ensure that they are
prepared for introduction of fuel into the purged heater. This preparation includes verification that the fuel
gas pressure is sufficiently low so that the velocity of the fuel gas leaving the burner tips is not so high
that it will prevent ignition from occurring. If fuel gas pressure were too high to allow combustion it is
possible that fuel gas could be introduced to the firebox that would not be ignited at the burner. This fuel
gas could then subsequently accumulate in the firebox, find a source of ignition and cause an undesired
fire or explosion.

Measuring the pressure of fuel gas in the main header detects the hazardous condition. If a hazardous
condition is detected, the startup sequence is stopped and introduction of more fuel and ignition is
prevented.

While this functionality is considered good engineering practice, it is rarely classified as an SIF. While
there are safety consequences that might result from high pressure conditions in the fuel gas header prior
to light-off, the hazards posed by this scenario are more directly detected by the “Igniter Flame Not
Proven” and “Main Flame Not Proven” trips described in clauses 6.3.2.1.1 and 6.3.2.1.2. As a result,
these functions are typically considered to be more of an operational convenience than an SIF.
However, each situation must be analyzed individually. For example, there could be a situation where
light-off is a manual operation. In this situation, the operator may be exposed to a flash fire.

6.3.1.2.4 Valves Not in Minimum Firing Position (Permissive)

To successfully light the heater, the fuel and air valves should be in their proper firing positions
(sometimes referred to as minimum firing positions). If the valves are not in a position where they will
generate a fuel/air mixture appropriate for combustion, ignition might not occur upon introduction of fuel.
The un-ignited fuel gas could then subsequently accumulate in the firebox, find a source of ignition and
cause an undesired fire or explosion.

In this case, the limit switches at the valves detect the hazardous condition. In some heater
configurations, special-purpose valves are used that have specified positions with associated limit
switches for minimum firing. In other applications minimum firing is set by use of a pressure regulator that
bypasses the fuel control valve. In this case, the minimum firing is proven by ensuring the fuel control
valve is confirmed closed and all fuel is entering the system through the bypass regulator. If the valves
are not proven to be in the correct position, the startup sequence is stopped and introduction of fuel and
ignition is prevented.

While this functionality is considered good engineering practice, it is rarely classified as an SIF. While
there are safety consequences that might result from valve misalignment in the fuel/air system prior to
light-off, the hazards posed by this scenario are more directly detected by the “Igniter Flame Not Proven”
and “Main Flame Not Proven” trips described in clauses 6.3.2.1.1 and 6.3.2.1.2. As a result, these
functions are typically considered to be more of an operational convenience than an SIF.

6.3.1.2.5 Burner Header Fuel Gas Does Not Hold Pressure (Permissive)

Prior to lighting a multiple burner fired heater, all of the block valves for the main gas at the individual
burners must be closed. If one or more of the individual block valves are left in the open position, then
when fuel gas is allowed into the main gas header, gas will be allowed to flow out into one or more
burners whose pilots are not lit. The un-ignited fuel gas could then subsequently accumulate in the
firebox, find a source of ignition and cause an undesired fire or explosion.

In this case, a hazardous condition is detected by a pressure measurement in the main gas header after
the pressure control valve but before the split to the individual burners. Prior to lighting, the main fuel gas
header will have its pressure increased to a normal operational level either by temporarily opening the
main fuel gas block valves or by introducing nitrogen from a separate source. If all of the individual block
valves are closed then the pressure in the header will increase above the permissive point and the start-
up process is allowed to proceed. If the pressure set point is not achieved after a suitable period of time,
the startup sequence is stopped and the valves introducing gas into the header (i.e., either the main fuel
gas shutoff valves or the nitrogen addition valve) are closed. It is important to note that if this permissive
is satisfied using nitrogen to pressure the header, then time should be allowed during the lighting process
for the nitrogen contained in the header to be purged out, allowing the fuel gas to arrive at the burner.

This functionality is considered good engineering practice and is especially beneficial in multiple burner
fired equipment. This permissive will reveal failures that could result in a significant safety consequence.
As a result, this function is typically analyzed for risk reduction requirements.

6.3.1.2.6 Steam Drum Level Not Established or Failure of Drum Level Measurement (permissive)

To ensure safe operation of the steam drum after the boiler is fired, the steam drum level should be
measured and the water level established within the desired range before light-off of the burners. High
level may result in water carryover to downstream equipment, such as a steam turbine, possibly causing
damage. Low level may result in dry boiler tubes that exceed their design temperature limit, leading to
tube rupture and injury of personnel.

To proceed with burner light-off, an appropriate steam drum level should be proven.

6.3.2 Light-off Cycle

The objective of the light-off cycle is to safely introduce fuel to the burner and ignite it. After ignition is
attempted, existence of a stable flame is proven prior to moving to the normal operation mode. If a proven
stable flame is not achieved in this phase, the light-off sequence will be stopped and the fired equipment
will return to the pre-firing sequence.

6.3.2.1 Excess Combustibles in the Firing Chamber

Misoperation of the fired equipment can result in an excessive amount of unburned fuel being introduced
to the firing chamber. If this fuel mixes with air in a flammable proportion and finds a source of ignition it
may ignite. Ignition of a flammable mixture in the firing chamber will result in a fire that may propagate into
an explosion (deflagration) that could damage equipment and injure personnel in the area of the
explosion.

6.3.2.1.1 Igniter Flame Not Proven Within a Specified Time (Trip)

If igniter flame ignition does not occur, continued introduction of fuel gas into the firing chamber could
result in accumulation of a flammable mixture. Failure to ignite could occur for a number of reasons,
including: ignition transformer failure, ignition valve failure, plugged pilot nozzle, pilot gas contamination,
improper fuel air ratio, etc. The accumulated mixture can result in a fire or explosion if a source of ignition
in the firing chamber or vent stack is encountered.

In this case, detection of igniter flame is performed using a flame detector at the burner in combination
with a time delay device. The timer functionality will either be supplied by a time delay relay or in the
programming of a programmable electronic system. If no flame is detected within a set time period, the
valve supplying fuel gas to the igniter is closed.

If the fuel fails to ignite and this trip also fails (e.g., failure of the time delay device), the risk could be
significant. While not always identified as an SIF, this functionality is typically deemed safety-related and
should be reviewed for risk reduction requirements.

6.3.2.1.2 Main Flame Not Proven Within a Specified Time (Trip)

If main flame ignition does not occur then continued introduction of fuel gas into the firing chamber could
result in accumulation of a flammable mixture, since the fuel is not being consumed. This accumulated
mixture can result in a fire or explosion if a source of ignition in the firing chamber or vent stack is
encountered.

In this case, detection of main flame is performed using a flame detector at the burner in combination with
a time delay device. The timer functionality will either be supplied by a time delay relay or in the
programming of a programmable electronic system. If no flame is detected within a set time period, the
valve supplying fuel gas to the main burner is closed.

If the fuel fails to ignite and this trip also fails (e.g., failure of the time delay device), the risk could be
significant. While not always identified as an SIF, this functionality is typically deemed safety-related and
should be reviewed for risk reduction requirements.
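As an added example (not from the technical report or any BMS vendor), the following Python sequencer implements the two trial-for-ignition trips above: the igniter fuel valve is closed if igniter flame is not proven within its time limit, the main fuel valve is closed if main flame is not proven within its limit, and either failure returns the burner to the pre-firing cycle so a new purge is required before another attempt. Once firing, it also closes the fuel valves on loss of main flame, the master fuel trip described under normal operation. The 10 s and 5 s limits and the flame scanner traces are constructed placeholders; real limits come from the applicable BMS practice.

```python
"""Trial-for-ignition timers for the light-off cycle.

Added example, not part of ISA-TR84.00.05. Models the 'Igniter Flame Not
Proven' and 'Main Flame Not Proven' trips and the return to the pre-firing
cycle on failure. Time limits and scanner traces are constructed.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Iterable, Tuple


class State(Enum):
    PREFIRE_REQUIRED = auto()   # fuel valves closed; a new purge is required
    IGNITER_TRIAL = auto()      # igniter valve open, waiting for igniter flame
    MAIN_TRIAL = auto()         # main valve open, waiting for main flame
    FIRING = auto()             # stable proven flame; normal operation


@dataclass
class LightOffSequencer:
    igniter_limit_s: float
    main_limit_s: float
    state: State = State.IGNITER_TRIAL
    igniter_valve_open: bool = True      # opened when the igniter trial starts
    main_valve_open: bool = False
    trial_elapsed_s: float = 0.0
    trip_reason: str = ""

    def _trip(self, reason: str) -> None:
        """Close every fuel valve and force a return to the pre-firing cycle."""
        self.igniter_valve_open = False
        self.main_valve_open = False
        self.trip_reason = reason
        self.state = State.PREFIRE_REQUIRED

    def step(self, igniter_flame: bool, main_flame: bool, dt_s: float) -> State:
        """Advance one scan with the current flame detector states."""
        if self.state is State.IGNITER_TRIAL:
            self.trial_elapsed_s += dt_s
            if igniter_flame:
                # Igniter proven: admit main fuel and start the main-flame timer.
                self.main_valve_open = True
                self.trial_elapsed_s = 0.0
                self.state = State.MAIN_TRIAL
            elif self.trial_elapsed_s >= self.igniter_limit_s:
                self._trip("igniter flame not proven within time limit")
        elif self.state is State.MAIN_TRIAL:
            self.trial_elapsed_s += dt_s
            if main_flame:
                self.state = State.FIRING
            elif self.trial_elapsed_s >= self.main_limit_s:
                self._trip("main flame not proven within time limit")
        elif self.state is State.FIRING:
            if not main_flame:
                self._trip("loss of main flame")
        return self.state


def run_lightoff(scans: Iterable[Tuple[bool, bool]], igniter_limit_s: float,
                 main_limit_s: float, dt_s: float) -> LightOffSequencer:
    """Replay (igniter_flame, main_flame) scans until a trip or the scans end."""
    seq = LightOffSequencer(igniter_limit_s, main_limit_s)
    for igniter_flame, main_flame in scans:
        seq.step(igniter_flame, main_flame, dt_s)
        if seq.state is State.PREFIRE_REQUIRED:
            break
    return seq


if __name__ == "__main__":
    # Constructed traces, 1 s scans, 10 s igniter limit, 5 s main limit.
    cases = {
        "igniter proves at 5 s, main never proves": [(False, False)] * 4 + [(True, False)] * 20,
        "igniter never proves": [(False, False)] * 20,
        "igniter at 3 s, main at 6 s": [(False, False)] * 2 + [(True, False)] * 3 + [(True, True)] * 5,
    }
    for name, scans in cases.items():
        seq = run_lightoff(scans, 10.0, 5.0, 1.0)
        print(f"{name}: state={seq.state.name}, igniter_open={seq.igniter_valve_open}, "
              f"main_open={seq.main_valve_open}, trip={seq.trip_reason or 'none'}")
```

Two design points worth noticing: the main-flame timer starts only when the igniter is proven, not when the light-off command is given, and a trip closes all fuel valves rather than only the one whose trial failed, because un-ignited fuel has already entered the firebox and the sequence must not be re-attempted without a purge.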

6.3.3 Normal Operation

The normal operation phase of fired equipment occurs when a stable, proven flame is used for process
heating purposes. In this phase, the conditions that ensure stable operation of the flame are monitored to
detect any deviations that might compromise the flame. If such deviations are detected, various degrees
of action may be taken to bring the process to a safe state.

6.3.3.1 Excess Combustibles in the Firing Chamber

Misoperation of the fired equipment can result in an excessive amount of unburned fuel being introduced
to the firing chamber. If this fuel mixes with air in a flammable proportion and finds a source of ignition it
may ignite. Ignition of a flammable mixture in the firing chamber will result in a fire that may propagate into
an explosion (deflagration) that could damage equipment and injure any personnel in the area of the
explosion.

6.3.3.1.1 High Fuel Gas Pressure (Trip)

High fuel gas pressure can result in loss of flame and introduction of fuel gas into the firing chamber
without a flame available to ensure that ignition will occur at the burner. High fuel gas pressure typically
occurs as the result of failure of pressure control. This failure results in an uncontrolled high pressure at
the burner. If the pressure is sufficiently high, the rate of flow through the burner will be so great that the
flame will be lifted off the burner and extinguished. After the flame is extinguished, a high rate of
unburned fuel gas will continue into the firebox unless the fuel gas flow is stopped.

In this case, the hazardous condition can be detected either by the high fuel gas pressure that precedes
the actual loss of flame or by the flame detector detecting that the flame has been extinguished. If both of
these measurements are available to detect the hazardous condition, the measurements can be voted
1oo2, since either sensor can detect the hazardous condition. Detection of this condition will result in a
Master Fuel Trip or Individual Burner Valve Trip depending upon system configuration.

The risk posed by high fuel gas pressure leading to complete loss of flame and/or incomplete combustion
leading to secondary ignition can be significant. Continuous pilots may not be considered a layer of
protection in all applications. It is possible that there could be a fuel rich (or air starved) condition that
would not permit complete combustion resulting in a hazard, if air is re-introduced or the fuel rich mixture
reaches an oxygen source (near top of stack).

6.3.3.1.2 Low Fuel Gas Pressure (Trip)

Low fuel gas pressure can result in loss of flame and subsequent re-introduction of fuel gas into the firing
chamber without a flame available to ensure that ignition will occur at the burner. Low fuel gas pressure
typically occurs as the result of loss of fuel gas supply from the external source of fuel or failure of the fuel
gas control system. This failure will result in a fuel pressure at the burner tip that is not sufficient to
support combustion. This may result in loss of flame with continued addition of fuel gas.

In this case, the hazardous condition can be detected either by the low fuel gas pressure that precedes
the actual loss of flame, or by a flame detector detecting that the flame has been extinguished. If both of
these measurements are available to detect the hazardous condition, the measurements can be voted
1oo2, since either sensor alone can detect the hazardous condition. Detection of this condition will result
in a Master Fuel Trip or Individual Burner Valve Trip depending upon system configuration.

The risk posed by loss of flame resulting from low fuel gas pressure can be significant depending on the
fuel gas system design. This function is typically reviewed to determine risk reduction requirements,
where the design of the fuel gas system is such that loss of flame resulting from low fuel gas pressure is a
credible scenario. During the hazard and risk analysis, credit may be taken for use of a continuously
operating pilot burner system sourced from a fuel supply, which is independent of the main burner
system. Care should be taken when using continuous pilots to prevent the main flame detector from
"seeing" the continuous pilots rather than the main flame resulting in failure to identify the hazardous
scenario of the loss of main flame with fuel still entering the furnace.

6.3.3.1.3 Low Fuel Oil Pressure (Trip)

Low fuel oil pressure can result in unstable burner operation and loss of flame in fuel oil burners as the
flow of oil becomes too low to support combustion. Low fuel oil pressure typically occurs as the result of
mechanical failures of the fuel oil supply system or depletion of the fuel oil system’s inventory. The fuel oil
supply system failures include, but are not limited to, a plugged strainer, failure of supply pumps and
failures of control system components regulating fuel oil flow such that flow is significantly decreased or
stopped. Fuel oil system low pressure and loss of flame may result in continued addition of fuel to the
burner which will not be burned and instead accumulate in the firebox and surrounding areas potentially
resulting in an uncontrolled fire of the fuel oil pool.

In this case, the hazardous condition can be detected either by the low fuel oil pressure that precedes the
actual loss of flame, or by a flame detector, detecting that the flame has been extinguished. If both of
these measurements are available to detect the hazardous condition, they form a 1oo2 vote, as either
sensor alone can detect the hazardous condition. Detection of this condition will result in a master fuel
trip.

The risk posed by loss of flame resulting from low fuel oil pressure can be significant, but is usually less
severe than a fuel gas explosion in terms of consequence severity. This function is typically reviewed to
determine SIL requirements on virtually all fuel oil fired equipment as it is almost always a credible
scenario. During the hazard and risk analysis, credit may be taken for use of a continuously operating
pilot burner system that is sourced from a fuel supply that is independent of the main burner system. Care
should be taken when using continuous pilots to prevent the main flame detector from "seeing" the
continuous pilots rather than the main flame resulting in failure to identify the hazardous scenario of the
loss of main flame with fuel still entering the furnace.

6.3.3.1.4 Low Atomizing Steam or Air / Fuel Oil Differential Pressure (Trip)

Low differential pressure between the fuel oil and atomizing steam or air can result in unstable burner
operation and loss of flame in fuel oil burners. As the differential pressure drops the oil fails to be
dispersed into finely divided droplets and the efficiency of the combustion decreases. As the combustion
efficiency drops not all of the fuel oil is combusted resulting in unburned oil dropping to the floor of the
firebox and the surrounding area. This incompletely combusted oil may be ignited resulting in an
uncontrolled fire in or near the heater. Low differential pressure between the fuel oil and atomizing steam
or air typically occurs as the result of failure of the steam supply or air supply system to provide the
atomizing media at an adequate pressure. This can be either the result of the loss of the overall atomizing
utility or failure of the differential pressure controller that sets the atomizing media pressure at the burner
tip.

In this case, the hazardous condition can be detected by the low differential pressure measurement
detecting that atomization is not sufficient. It should be noted that oil pooling and fire can occur without
completely extinguishing the flame at the burner. As a result, loss of flame does not accurately predict
whether or not the consequence is about to occur and should not be considered as a means of detection
of this hazard. Detection of this condition will result in a Master Fuel Trip or Individual Burner Valve Trip
depending upon system configuration.

The risk posed by low differential pressure between fuel oil and atomizing media can be significant, but is
usually less severe than a fuel gas explosion in terms of consequence severity. This function should be
reviewed to determine SIL requirements.

6.3.3.1.5 Loss of Air Flow (Trip)

Low combustion air flow (i.e., less than the minimum air flow required to sustain flame) can result in
unstable burner operation and loss of flame. Loss of flame resulting from low combustion air flow can
occur in both fuel gas and fuel oil fired burners. As the flow of combustion air decreases, insufficient
oxygen is available to combust all of the fuel, resulting in unburned fuel entering and accumulating in the
firebox. Ignition of this fuel may result in an explosion. Low combustion air flow typically occurs as the
result of failure of the blower supplying air to the fired equipment or failure of the control loop regulating
air flow.

In this case, the hazardous condition can be detected either by the low air flow (or air pressure)
measurement that precedes the actual loss of flame, or by a flame detector detecting that the flame has
been extinguished. If both of these measurements are available to detect the hazardous condition, they
form a 1oo2 vote, as either sensor alone can detect the hazardous condition. Detection of this condition
will result in a master fuel trip.

The risk posed by loss of flame resulting from low combustion air flow can be significant. This function is
typically reviewed to determine SIL requirements on virtually all fired equipment that is not natural draft
(i.e., forced, induced or balanced draft). It is important to note that continuous pilots typically may not be
considered a layer of protection, as there could be a fuel rich (or air starved) condition that will not allow
complete combustion, resulting in a hazard if air is re-introduced or the fuel rich mixture reaches a source
of oxygen (near top of stack).

6.3.3.1.6 Loss of Flame (Unrelated to fuel gas pressure or air flow) (Trip)

Loss of flame that is not associated with fuel gas or combustion air supply problems can occur in fired
equipment. This loss of flame is typically associated with contamination of the fuel with inert materials
such as nitrogen or carbon dioxide for gas or water for oil. As the non-combustible material passes
through the burner the flame will be extinguished. After the inert material passes through and flammable
material is re-introduced, it does not combust at the burner and accumulates in the firebox and
surrounding area, resulting in a fire or explosion upon ignition.

The risk posed by loss of flame due to contaminants in the fuel can be significant. In this case, the only
means of detecting the hazardous condition is by a flame detector detecting that the flame has been
extinguished. Detection of a loss of flame will result in a master fuel trip. However, the likelihood of this
initiating cause for multi-burner process heaters needs to be carefully evaluated to determine the risk and
thereby the need for flame detectors. During the hazard and risk analysis credit may be taken for use of a
continuously operating pilot burner system that is sourced from a fuel supply that is independent of the
main burner system. Care should be taken when using continuous pilots to prevent the main flame
detector from "seeing" the continuous pilots rather than the main flame resulting in failure to identify the
hazardous scenario of the loss of main flame with fuel still entering the furnace.

6.3.3.1.7 Loss of Instrument Air or Primary Power (Trip)

The loss of instrument air or the primary power supply has the potential to cause loss of firing control and
the subsequent loss of burner flame while continuing to supply gas to the firebox. The loss of instrument
air can cause the temporary loss of fuel gas supply by closing the fuel gas control valve. Since the
process control device responses can be unpredictable when insufficient air pressure is available, an
orderly shutdown of the fired equipment is required.


In this case, the hazardous condition can be detected either by the low instrument air pressure (or loss of
power) that precedes the actual loss of flame, or by the flame detector detecting that the flame has been
extinguished. If both of these measurements are available to detect the hazardous condition, they form a
1oo2 vote, as either sensor alone can detect the hazardous condition. Detection of this condition will
result in a master fuel trip.

The risk posed by the loss of flame resulting from loss of instrument air or power can be significant. While
not always identified as an SIF, this functionality is typically deemed safety-related and should be
reviewed for risk reduction requirements.

6.3.3.1.8 High Pilot Gas Pressure (Trip)

High pilot fuel gas pressure typically occurs as a result of failure of pressure control. This failure results in
an uncontrolled high pressure at the pilot burner. If the pressure is sufficiently high, the rate of flow
through the burner will be so great that the flame will be lifted off the burner and extinguished. After the
pilot flame is extinguished, a protection layer for the loss of main burner flame has been lost and, if the
pilot gas is not isolated, may potentially lead to the development of an explosive mixture in the firebox.

In this case, a pilot fuel gas pressure sensor can detect the hazardous condition. Detection of this
condition will result in a pilot fuel trip.

The risk posed by the loss of pilot flame resulting from high pilot fuel gas pressure can be significant
depending on the fuel gas supply system design. While not always classified as an SIF, this functionality
is typically deemed safety-related and should be reviewed for risk reduction requirements. During the
hazard and risk analysis, credit may be taken for the main flame. If IPL (Independent Protection Layer)
credit is taken for the continuous pilot, an alarm should be implemented to alert operations to take
appropriate action to re-establish the pilot. Care should be taken when using continuous pilots to prevent
the main flame detector from "seeing" the continuous pilots rather than the main flame resulting in failure
to identify the hazardous scenario of the loss of main flame with fuel still entering the furnace.

6.3.3.1.9 Low Pilot Gas Pressure (Trip)

Low pilot fuel gas pressure can result in loss of pilot flame and, if the main burner flame were lost, the
subsequent introduction of fuel gas into the firing chamber without a flame available. Low pilot gas
pressure typically occurs as the result of loss of pilot fuel gas supply from the external source of fuel or
failure of the pilot gas control system. This failure will result in a fuel pressure at the burner tip that is not
sufficient to support combustion. After the pilot flame is extinguished, a protection layer for the loss of
main burner flame has been lost and, if the pilot gas is not isolated, may potentially lead to the
development of an explosive mixture in the firebox.

In this case, a pilot fuel gas pressure sensor can detect the hazardous condition. Detection of this
condition will result in a pilot fuel trip.

The risk posed by the loss of pilot flame resulting from low pilot gas pressure can be significant
depending on the fuel gas supply system design. While not always classified as an SIF, this functionality
is typically deemed safety-related and should be reviewed for risk reduction requirements. During the
hazard and risk analysis, credit may be taken for the main flame. If IPL credit was taken for the
continuous pilot, an alarm should be implemented to alert operations to take appropriate action to re-
establish the pilot.

6.3.3.2 Loss of Water in Boiler Steam Drum (Trip)

Misoperation of a boiler can result in loss of water in the boiler steam drum. Loss of water in the boiler
tubes can result in mechanical damage and failure of the tubes if firing continues without sufficient water
flow. In addition, personnel in the area could potentially be impacted by the release of high-pressure
steam through the ruptured tubing.

6.3.3.2.1 Low Steam Drum Level (Trip)

Low steam drum level can result in rupture of boiler tubing if firing is continued without sufficient flow of
water. Low steam drum level can typically occur under three scenarios: (1) loss of the boiler feed water
system, (2) failure of the steam system (i.e., leaking), and (3) failure of drum level instrumentation /
basic process control.

For this function, the hazardous condition is typically detected by level measurement on the steam drum.
If the level measurement indicates a low level in the steam drum, fuel supply is stopped to the main
burners by closing the main fuel gas supply valve (or valves).

The risk posed by rupture of the boiler piping may pose a significant hazard, depending on the design of
the system. This function is typically reviewed to determine the risk reduction requirements.

6.3.3.2.2 Excessive Pressure in Steam Drum (Trip)

Misoperation of a boiler can result in excessive pressure being generated in the steam drum and
associated piping. If allowed to continue rising, unchecked, the pressure in the steam drum could exceed
the design limitations of the drum, resulting in overpressure, rupture, and explosion.

Pressure sensors connected to the steam drum detect this condition. If a high-pressure condition is
indicated in the steam drum, fuel supply is stopped to the main burner by closing the main fuel gas supply
valve (or valves).

When assessing the risks prevented for this particular SIF, many owner/operators consider the steam
drum relief valve(s) as an independent layer of protection. Depending upon the risk reduction
requirements for this SIF associated with the specific installation of the fired equipment under
consideration, it may be possible to eliminate the need for an SIF associated with excessive pressure in
the steam drum. This should be addressed on a case by case basis. While not always classified as an
SIF, this functionality is typically deemed safety-related and should be reviewed for risk reduction
requirements. The overpressure and explosion of the steam drum presents a significant hazard to those
in the vicinity. The potential for injury exists due to exposures to high temperature water and/or steam,
high-pressure energy release, and flying debris.

6.3.3.3 Low Pass Flow (Trip)

Loss of flow in the process tubes in a fired heater with continued firing can lead to increased tube
temperature and, subsequently, to heater tube damage. The increased stress on the heater tube could
lead to a tube rupture, which could lead to an uncontrolled heater fire, depending upon the flammability
characteristics of the process fluid.

Flow sensors in each pass of the process flow, on either the inlet or the discharge of the heater, detect this
condition. Upon detection of a low or no-flow condition in a heater pass, the master fuel trip is activated,
stopping the flow of fuel to the main burners and the pilots. Alternatively, an independent source of pilot
gas does not necessarily need to be shut off immediately on loss of pass flow; the heater can instead be
put into minimum firing mode. There are a few issues that must be considered when selecting the placement
of the flow sensor on the inlet or discharge side of the heater. A flow sensor on the discharge side can
detect loss of flow upstream of the heater and can also detect tube ruptures within the heater. However,
the higher temperature of the process fluid at the heater discharge can make the specification and
maintenance of a flow sensor at this location difficult. Placing the sensor at the heater inlet allows
detection of the loss of flow to the heater, but will not provide indication of a tube rupture. The problems
and benefits associated with each location should be considered when designing this SIF.


A ruptured tube inside a fired heater can lead to an uncontrollable fire within the firebox. Depending upon
the design of the heater, there is the potential for the flames to leave the confines of the heater and
potentially expose personnel in the vicinity to a fire hazard. This function is typically reviewed to
determine SIL requirements on fired heaters.

6.3.3.4 High Firebox or Stack Temperature (Trip)

A high temperature in the firebox or stack can be caused by a firing control failure resulting in the
temperature exceeding the desired control set point. If the temperature rises beyond the manufacturer
specified limit, there is the potential to damage the combustion chamber resulting in the loss of
containment of firebox contents. Excess temperature may also present the potential to exceed the auto-
ignition temperature of materials being processed in an oven, heater, or dryer.

A temperature sensor should be provided to detect high temperature conditions. Upon detection of a high
temperature condition, a main fuel trip or minimum firing trip is activated. Such devices are necessary
only when the maximum temperature specification provided by the manufacturer can be exceeded. While
not always classified as an SIF, this functionality is typically deemed safety-related and should be
reviewed for risk reduction requirements.

6.3.3.5 High Heater Pressure (Trip)

There are two conditions that are indicated by high heater pressure: tube rupture and loss of draft. The
rupture of a heater tube could lead to an uncontrolled heater fire, depending upon the flammability
characteristics of the process fluid. The loss of draft can also be detected by an increase in the heater
pressure. As the flow of combustion air decreases, insufficient oxygen is available to combust all of the
fuel, resulting in unburned gas entering and accumulating in the firebox. Ignition of this fuel may result in
an explosion. High heater pressure due to the loss of draft typically occurs as the result of failure of the
dampers to a closed position.

A master fuel trip, isolating fuel to the main burners and pilots, should be initiated upon the detection of a
high heater pressure condition. A pressure sensor located inside the firebox can detect this condition.

A ruptured tube inside a fired heater can lead to an uncontrollable fire within the firebox. Depending upon
the design of the heater, there is the potential for the flames to leave the confines of the heater and
potentially expose personnel in the vicinity to a fire hazard. The risk posed by loss of flame resulting from
loss of draft can be significant. In the case of boilers, the rupture of water or superheated steam tube
could release extensive amount of steam. The high firebox pressure function is typically reviewed to
determine risk reduction requirements on all fired heaters and on fired equipment where the combustion
air can be stopped or isolated. There are other instrumented functions that may be used in place of this
high firebox pressure to detect conditions of tube rupture or loss of draft. These functions can be
considered during the hazard and risk analysis and later verification/assessment activities.

Two scenarios are covered here. For scenario 1, tube rupture, low flow at the heater exit is an additional
measurement that can be used. For scenario 2, loss of draft, there is no definite additional measurement.

6.3.3.6 Loss of Level in Heater Treater or Glycol Reboiler Drum (Trip)



Misoperation of fired drum heaters can result in loss of level in the drum. Loss of level can leave the firing
tubes exposed, resulting in mechanical damage and failure of the tubes if firing continues. The exposure
of the process fluids to the fire poses a significant potential for event escalation. In addition, personnel in
the area could potentially be impacted by the release event if high-pressure, high-temperature process
materials were released from the damaged vessel.


Low drum level can result in rupture of firing tubes, if firing is continued without a sufficient liquid heat
sink. Low drum level can typically occur under three scenarios: (1) loss of flow into the vessel, (2) leakage
from the vessel, and (3) failure of drum level instrumentation / basic process control.

For this function, the hazardous condition is typically detected by level measurement on the drum. If the
level measurement indicates a low level in the drum, then fuel supply is stopped to the main burners by
closing the main fuel gas supply valve (or valves).

The exposure of the process fluids to the fire poses a significant potential for event escalation. In addition,
personnel in the area could potentially be impacted by the release event if high-pressure, high-
temperature process materials were released from the damaged vessel. This function is typically
reviewed to determine SIL requirements.

6.3.3.7 High Temperature in Heater Treater or Glycol Reboiler Drum (Trip)

High temperature can result in rupture of firing tubes and the drum, if firing is continued beyond the
mechanical limitations of the equipment. High temperature can typically occur due to (1) low level (as
described above), (2) temperature control failure, or (3) the ignition of process fluids leaking into the firing
chamber.

For this function, the hazardous condition is typically detected by temperature measurement on the drum.
If the measurement indicates a high temperature in the drum, then fuel supply is stopped to the main
burners by a Minimum Fire Trip or a Master Fuel Trip.

The risk posed by rupture of the drum may pose a significant hazard, depending on the design of the
system and occupancy of the area. This function is typically reviewed to determine SIL requirements.

6.3.3.8 Excessive Pressure in Oil Heater Treater (Trip)

Misoperation of an oil heater treater can result in excessive pressure being generated in the drum and
associated piping. If allowed to continue rising unchecked, the pressure in the drum could exceed the
design limitations of the drum, resulting in overpressure, rupture, and explosion. This event can be
caused by a failure of the drum pressure control system or by over-firing caused by a failure of the burner
basic process control system.

Pressure sensors located on the drum detect this condition. If a high-pressure condition is indicated in the
drum, fuel supply is stopped to the main burner by closing the main fuel gas supply valve (or valves).

The overpressure and explosion of the drum presents a significant hazard to those in the vicinity. The
potential for injury exists due to exposures to high temperatures, high-pressure energy release, and flying
debris. This function is typically reviewed to determine SIL requirements.

6.4 Fuel Valve Trips



While assessing shutdown of the heater, the actions taken to move the fired equipment to a safe state are
common among many of the trips and permissives described in the clauses above. As such, the actions
taken are described here and referred to in the previous clauses. There are several types of heater trips
that are utilized in industry. These trips are applied at different times depending on the hazardous
condition that required the heater firing to be stopped. These shutdowns include: (1) Master Fuel Trip, (2)
Main Fuel Trip, (3) Minimum Firing Trip, (4) Individual Burner Main Fuel Trip, (5) Individual Burner Main
and Pilot Fuel Trip, and (6) Pilot Fuel Trip.


6.4.1 Master Fuel Trip

The master fuel trip is the most comprehensive of the heater trips. The master fuel trip isolates all fuel
sources to the greatest degree possible. This trip includes stopping both the main fuel source and pilot
fuel source, and may also include closure of purge valves. A master fuel trip is usually called for when a
firing anomaly has occurred, resulting in potential uncombusted flammable material in the firebox. As a
result, all sources of fuel are closed and the heater is required to go through its startup sequence before
relighting can occur.

When a master fuel trip is called for, both the main fuel source and pilot fuel source are required to be
stopped for the heater to be moved to a safe state. Since both fuel sources must be successfully isolated
to move to a safe state, the arrangement can be considered a two-out-of-two (2oo2) vote. In some cases,
such as thermal oxidizers, more fuel sources, such as a waste gas stream, may be available. All fuel
sources must be isolated to move the process to a safe state (i.e., NooN voting).

For each fuel, the number of shutoff valves required depends on the heater type and the application
specific standard that governs the design. In many heaters, each fuel source is isolated from the heater
using a double-block-and-bleed valve arrangement. A double-block-and-bleed arrangement consists of
two block valves along with a bleed valve that is used to vent the cavity between the two block valves to a
safe location. There are two advantages to the double-block-and-bleed arrangement. First, since two
valves must fail in order to prevent the safety function from taking its proper action the probability that the
overall system will fail to perform its safety function is much lower than if only a single valve were used.
Second, the double-block-and-bleed arrangement provides a more positive isolation between the fuel and
the firebox. Leakage into the firebox would require leakage through both valves, and failure of the bleed
valve (or vent system) to allow any gas that has leaked through the upstream valve to vent to a safe
location instead of migrating through the second closed valve into the firebox.

While the double-block-and-bleed arrangement has strong and apparent advantages, it also has
limitations. Increased equipment requirements over single valve installations lead to higher costs, both in
terms of initial capital and on-going maintenance. In addition, multiple valve installations lead to increased
complexity and operator training. There is also a possibility that leaking bleed valves can result in
additional unnecessary fuel consumption. While all options have strengths and limitations, it is important
to consult application specific practices to assist in determining the proper valve configuration for your
application.

If a double-block-and-bleed arrangement is used, the valves are considered to be a one-out-of-two (1oo2)
vote to bring the process to a safe state since closure of either one of the two valves can successfully
isolate fuel from the firebox. It is important to note that failure of the bleed valve to successfully open is
not considered to be part of the core Safety Instrumented Function that required the master fuel trip. If the
bleed valve failed to open, it would not prevent the immediate isolation required to bring the process to a
safe state from occurring. Instead, failure of the bleed valve to open is part of a secondary safety function
that prevents a separate hazard. If the bleed valve does not open, then leakage through the primary and
secondary valve may lead to an unsafe condition in the firebox (i.e., accumulation of a flammable mixture
at a time significantly subsequent to the heater shutdown).
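The voting argument above (a single block valve is 1oo1, a double block is 1oo2, and a master fuel trip needs both the main and the pilot train, i.e. 2oo2 across trains) can be put into numbers. The following is an added example, not part of this technical report; it uses the simplified low-demand PFDavg approximations of the kind found in ISA-TR84.00.02 (assumed here; check the edition you work to for the exact expressions and their restrictions), and every failure rate, test interval and beta factor in it is a constructed illustration value rather than vendor data.

```python
"""PFDavg of fuel-isolation arrangements for the trips in 6.4.

Added example; not part of ISA-TR84.00.05. The closed forms are the
simplified low-demand approximations of the kind given in
ISA-TR84.00.02 (assumed here; check the edition you work to for the
exact expressions and their restrictions). All failure rates, intervals
and the beta factor are constructed illustration values, not vendor data.
"""

HOURS_PER_YEAR = 8760.0


def pfd_1oo1(lam_du, ti_hours):
    """Single shutoff valve must close: PFDavg ~ lambda_DU * TI / 2."""
    return lam_du * ti_hours / 2.0


def pfd_1oo2(lam_du, ti_hours, beta):
    """Double block (either valve closing isolates the fuel).

    Independent term (lambda_DU * TI)^2 / 3 plus a common-cause term
    beta * lambda_DU * TI / 2 for failures that defeat both valves
    (shared fuel contamination, shared actuator supply, and so on).
    """
    x = lam_du * ti_hours
    return x * x / 3.0 + beta * x / 2.0


def pfd_2oo2(*train_pfds):
    """All trains must isolate (master fuel trip: main AND pilot), so a
    dangerous failure of any one train defeats the function; PFDs add."""
    return sum(train_pfds)


def sil_band(pfd):
    """Low-demand SIL band for a PFDavg (ANSI/ISA-84.00.01 / IEC 61511)."""
    if pfd >= 1e-1:
        return 0          # less risk reduction than SIL 1
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    if pfd >= 1e-5:
        return 4
    raise ValueError("PFDavg below the SIL 4 range; outside the table")


def compare_isolation(lam_du=2e-6, ti_hours=HOURS_PER_YEAR, beta=0.1):
    """Final-element PFDavg for a single valve, a double block, and a
    master fuel trip that needs both a main and a pilot double block."""
    single = pfd_1oo1(lam_du, ti_hours)
    double = pfd_1oo2(lam_du, ti_hours, beta)
    mft = pfd_2oo2(double, double)   # main train AND pilot train
    return {
        "single_valve": (single, sil_band(single)),
        "double_block": (double, sil_band(double)),
        "master_fuel_trip_2oo2_trains": (mft, sil_band(mft)),
    }


if __name__ == "__main__":
    for name, (pfd, sil) in compare_isolation().items():
        print(f"{name:30s} PFDavg={pfd:.2e}  SIL band {sil}")
    # The common-cause term, not the independent term, sets the double-block
    # figure: with beta = 0.1 it is roughly nine times the independent term.
    x = 2e-6 * HOURS_PER_YEAR
    print(f"independent {x * x / 3:.2e} vs common-cause {0.1 * x / 2:.2e}")
```

With the constructed values (lambda_DU = 2e-6 per hour, one-year proof test, beta = 0.1) the single valve lands in the SIL 2 band and the double block in the SIL 3 band, but requiring both the main and pilot double blocks to isolate puts the master fuel trip final elements back in SIL 2. Note that the common-cause term dominates the double-block result, which is why the "much lower" claim for two valves in series holds only to the extent that shared failure causes (same fuel stream, same actuator air supply, same maintenance) are actually controlled.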

If a single block valve is used as the final element for each fuel train, then obviously, that valve must close
to bring the heater to a safe state, which is one-out-of-one (1oo1) voting. In some cases, the fuel control
valve is commanded closed during a master fuel trip. Great care should be taken when considering the
closure of the fuel control valve to be part of the SIF. Several factors can compromise the integrity of the
fuel source control valve when considering it for safety application. First and foremost, many fuel source
control valves have appliances such as mechanical stops, minimum stop hand wheel settings, bypass
valves, or bypass regulators that allow fuel source to continue to flow to the burners even though the
valve is fully closed. This type of design is typically performed to ensure that valve closure will not result in
a loss of flame, but only a return to the minimum firing settings. If one of these conditions exists, the fuel
control valve cannot be considered to be part of the SIF as it is incapable of isolating the fuel and bringing
the process to a safe state.


Other conditions affecting a control valve’s ability to bring the process to a safe state include: (1) control
valves typically cannot provide the tight-shutoff required for isolation and (2) control valves are
necessarily connected to the basic process control systems, and as such may fail as the result of
problems in the basic process control system. While most of the failure modes associated with these
conditions can be accounted for in the design, use of control valves as SIS final elements should be
undertaken with extreme caution and additional risk analysis. Typically, the closure of the fuel control
valve is considered an “additional action” that is not part of the core safety function, and as such, no credit
is typically taken for the fuel control valve closure’s ability to take the process to a safe state.

6.4.2 Main Fuel Trip (Minimum Firing Trip)

In some cases a comprehensive fuel trip is not required. When the hazardous condition being acted upon
by the heater safety system is an excessively high temperature or another hazard that can compromise
heater safety but is not related to the release of unburned fuel, a main fuel trip or a minimum firing trip
may be used. The advantage of the main fuel trip and the minimum firing trip over a master fuel trip in
these circumstances is that the heater is moved to a safe state from which recovery is easier, and the
down-time and start-up effort are minimized. This is possible because during a main fuel trip or minimum
firing trip the burners stay lit, at least at the pilots, so a purge and re-light of the pilots is not
required.

The key difference between a main fuel trip and a minimum firing trip is whether or not the main flame is
extinguished. In a main fuel trip, the block valve(s) used to isolate main fuel source are closed, causing
the main flame to be extinguished. Since the pilot valves are not closed, the pilot flames stay ignited. In a
minimum firing trip, the main fuel source block valve(s) are not closed. Instead the fuel control valve is
sent to its minimum firing position. This is typically accomplished by de-energizing a solenoid valve on the
control valve’s pneumatic signal, causing the valve to go to its closed position. The fuel control valve is
equipped with a bypass valve, bypass regulator, or some form of mechanical stop in order to allow a
minimum amount of fuel to continue to the burners. This will decrease the main flame to a minimum size,
but allow the flame to continue burning. This allows a rapid return to normal operations, as all of the
burners are still lit, and normal operation can be re-established by resetting the safety function and
returning to automatic control after the situation that caused the trip to occur has been addressed.

For a main fuel trip or a minimum firing trip, only the main fuel train (not the pilot fuel train) needs to be
stopped, resulting in a 1oo1 vote for the fuel train. As described in 6.4.1 above, if a double-block-and-
bleed or double-block assembly is used to isolate the fuel source (for a main fuel trip), the two block
valves in either configuration form a 1oo2 vote. If only a single shutoff valve is used for a main fuel trip,
it is a 1oo1 arrangement. If a minimum firing trip is used, it is a 1oo1 vote using the fuel control valve.
As noted in 6.4.1 above, caution should always be exercised when using a BPCS valve for safety
purposes. It is important to ensure that no failure in the BPCS can result in a dangerous failure of the SIS
functionality. In practice this means that the solenoid valve, which is electrically connected to the SIS but
acts on the BPCS pneumatic signal, should be positioned so that it vents the actuator of the fuel control
valve regardless of the control action taken by the BPCS. The control valve is part of the BPCS and could
itself be the initiating cause of the need to trip. Achievement of minimum firing should be verified (for
example by valve position feedback or fuel flow), and if it is not confirmed a Master Fuel Trip should be
initiated.

6.4.3 Individual Burner Valve Trips

In some cases, it is desirable to isolate fuel to an individual burner. This type of trip is performed when
loss of flame occurs at an individual burner while the remaining burners remain operational. The
advantage of this type of trip is that a firing anomaly at an individual burner, or a nuisance failure of an
individual burner flame detector, will not result in a complete shutdown of a multiple burner heater.
Instead, only the affected burner is shutdown. This allows continued operation of the remaining burners of
the heater while the affected burner is repaired, and relatively easy restart of only the affected burner,
which does not require a complete purge cycle for the entire heater.


When loss of flame at an individual burner is detected, the fuel supply to that burner is isolated. This is
done by closure of the individual fuel supply block valve to that burner. Depending on the extent of the
situation that causes this trip to occur, either the main fuel source block valve alone will be closed, or the
main fuel source block valve and the pilot gas block valve will be closed. The valves which close will be
determined by which flame detectors cause the trip to occur. If only a main fuel source shutoff is required,
then only the main fuel source block valve is closed. This is typically a single valve, resulting in a 1oo1
vote. If both main and pilot fuels need to be isolated, then both fuel trains are required to move the
process to a safe state, resulting in a 2oo2 vote for both trains. Since each fuel typically has a single
valve for isolation, each train’s fuel block valve operates in a 1oo1 configuration.

6.4.4 Pilot Fuel Trip

In some cases, only the pilot valves are required to be closed. This situation typically only occurs during a
failed attempt to light the pilots. From a functional perspective, this trip is often considered a master fuel
trip, because functionally the BMS will take the same action as a master fuel trip. The difference between
a pilot fuel trip and a master fuel trip is subtle but important in terms of what equipment needs to be
considered when determining if the target SIL has been achieved.

The difference between a master fuel trip and a pilot fuel trip is that when a pilot fuel trip is called for, the
main fuel valves have never been opened. As such, the probability of the fuel valves failing to close does
not need to be considered (because the valves are already closed). In order to perform a pilot fuel trip
only the pilot fuel source needs to be isolated. This results in a 1oo1 vote for the fuel source. The pilot
fuel source will typically be isolated by either a double-block-and-bleed assembly or a single block valve.
The strengths and limitations of each approach are discussed in clause 6.4.1. If a double-block-and-bleed
assembly is used, either of the two block valves can be used to bring the process to a safe state, resulting
in a 1oo2 vote. If a single valve is used, that valve must be able to bring the process to a safe state,
resulting in a 1oo1 vote. Unlike the main fuel source trip, basic process control system valves are typically
not used for pilot shutoff, because control of pilot fuel pressure is typically performed by a self-contained
regulator instead of an external control system.
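
The voting arrangements derived in 6.4.3 and 6.4.4 translate directly into the final-element terms of the
PFDavg that SIL verification must include. The following Python is an added worked example and is not part
of this technical report or of ANSI/ISA-84.00.01; it applies the simplified low-demand equations for 1oo1,
1oo2 and 2oo2 architectures (dangerous undetected failures only, with repair time and diagnostics ignored)
to the final-element subsystem alone. The failure rate, proof-test interval and beta factor are assumed
values chosen for illustration, and the function names are the example's own.

```python
"""Added example (not ISA-TR84.00.05 text): final-element PFDavg for the trip variants of
6.4.3 and 6.4.4 using the simplified low-demand equations (dangerous undetected failures
only; repair time and diagnostics ignored).  Failure rate, test interval and beta factor
are assumed values for illustration, not data from the technical report."""


def pfd_1oo1(lambda_du, ti):
    """Single block valve that must close: PFDavg ~ lambda_DU * TI / 2."""
    return lambda_du * ti / 2.0


def pfd_1oo2(lambda_du, ti, beta=0.0):
    """Double-block-and-bleed: either valve isolates.  Independent term plus a
    common-cause term weighted by the (assumed) beta factor."""
    return ((1.0 - beta) * lambda_du * ti) ** 2 / 3.0 + beta * lambda_du * ti / 2.0


def pfd_2oo2(*subsystem_pfds):
    """All listed subsystems must act (main train AND pilot train): PFDs add."""
    return sum(subsystem_pfds)


def sil_band(pfd):
    """SIL band for a low-demand PFDavg (IEC 61508 / ANSI/ISA-84.00.01 table)."""
    for sil, lo, hi in ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)):
        if lo <= pfd < hi:
            return sil
    return 0        # PFDavg >= 0.1 (or < 1e-5): outside the SIL 1-4 bands


def final_element_pfd(trip, lambda_du, ti, beta=0.1):
    """PFDavg of the fuel-isolation final elements only (sensors and logic solver
    excluded), for the architectures the text derives:
      main      - main block valve alone, 1oo1 (6.4.3)
      master    - main valve AND pilot valve, 2oo2 of two 1oo1 trains (6.4.3)
      pilot     - pilot single block valve, 1oo1; the main valve was never opened,
                  so it contributes nothing (6.4.4)
      pilot_dbb - pilot double-block-and-bleed, 1oo2 (6.4.4)"""
    single = pfd_1oo1(lambda_du, ti)
    return {"main": single,
            "master": pfd_2oo2(single, single),
            "pilot": single,
            "pilot_dbb": pfd_1oo2(lambda_du, ti, beta)}[trip]


if __name__ == "__main__":
    LAMBDA_DU = 1.0e-6   # assumed dangerous undetected failure rate, per hour
    TI = 8760.0          # assumed proof-test interval: one year, in hours
    for trip in ("main", "master", "pilot", "pilot_dbb"):
        p = final_element_pfd(trip, LAMBDA_DU, TI)
        print(f"{trip:10s} PFDavg = {p:.2e}  final-element SIL band {sil_band(p)}")
```

With the assumed values (lambda_DU = 1e-6 per hour, one-year test interval) a single block valve contributes
about 4.4e-3 (SIL 2 band), closing both trains about 8.8e-3 (still SIL 2 but close to the band limit), and a
pilot double-block-and-bleed with beta = 0.1 about 4.6e-4 (SIL 3 band), where the common-cause term is an order
of magnitude larger than the independent term. This is the numerical reason the text distinguishes the pilot
fuel trip from the master fuel trip: counting the already-closed main valve would overstate the PFDavg.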

6.5 Other Safety Instrumented System Design Considerations

ANSI/ISA-84.00.01-2004 provides specific design and management requirements for implementation of
an SIS based on its SIL. These requirements are in addition to verifying the PFDavg using quantitative
calculations. Some additional considerations are listed in the following clauses.

6.5.1 Reset

ANSI/ISA-84.00.01-2004 requires that once an SIF has placed a process into a safe state, it shall remain
in the safe state until reset. The reset functionality is generally performed manually, but the actual
equipment used to perform the reset can vary. The essential difference is the location of the reset.
Resetting is typically performed in one of two methods, either through a device that holds the final
element in its safe state until it is manually reset, or through the logic solver which maintains its outputs in
the safe condition until an operator reset has been initiated. Both options are acceptable and each option
has its strengths and limitations. Owner/operators are encouraged to review other applicable practices to
determine what type of reset functionality is required.

6.5.2 Manual Trip Requirements

ANSI/ISA-84.00.01-2004 suggests that manual means of bringing a process to a safe state, independent
of the logic solver, be provided. An independent manual master fuel trip is also a requirement of the
referenced NFPA practices. Where required or deemed appropriate, manual trip facilities for fired
equipment should be provided and tested.


6.6 Hazard analysis tables

Hazard analysis tables for various types of fired equipment are provided in clauses 7 – 11 of this technical
report. Hazard and risk analysis is applicable to fired equipment regardless of its position in the process
flow. The boundaries of each process component include the inlet piping, control devices and the outlet
piping to another component. Every outlet pipe and pipe branch should be included up to the point where
safety devices on the next component provide protection.

The safety analysis of fired equipment highlights undesirable events (effects of equipment failures,
process upsets, etc.) from which protection should be provided, along with detectable abnormal
conditions that can be monitored for input into an SIF and the safety actions that should be taken upon
detection. These detectable conditions are used to initiate action through the SIS to prevent or minimize
the effect of undesirable events. The tables present the logical sequence of safety system development,
including, causes, consequences, detectable abnormal conditions, and safety actions that should be
taken. Note: Safety actions are defined as shutoff of fuel supply to main burner and pilot. Actions such as
de-energizing the igniter or performing a 15-second post purge are important additional functions, but do
not prevent the hazard in question and are not listed in the table. As such, these functions are classified
as secondary actions performed by the BMS and are not included as part of any identified SIF.

The generic causes of each undesirable event are listed. The primary causes are equipment failures,
process upsets, and misoperation, but all primary causes in a category will create the same undesirable
event. The undesirable events should be determined from a detailed evaluation of the failure modes of
the component and its ancillary equipment. These failure modes are grouped under causes, according to
the manner in which they may generate the undesirable event.

The hazard analysis table identifies the following operating phases:

a) Pre-firing cycle

b) Light-off cycle

c) Normal operation

7 Example of a Hazard and Risk Analysis Applied to a Single Burner Boiler


The following is an example of a hazard and risk analysis for a single burner boiler firing natural gas using
a Class 1 continuous fired pilot. The purpose of this example is to illustrate a methodology for identifying
and classifying the SIF within the BMS. The identified hazards are common to most boilers, and the
illustrated functions are listed in NFPA 85 – Boiler and Combustion Systems Hazards Code. The
schematic in Figure 7.1 provides a simplified single burner boiler design used for this example.

7.1 Assumptions and Clarifications

To assist one in interpreting the hazard analysis table and the associated single burner boiler P&ID
sketch, the following assumptions and clarifications have been made regarding this design:

Assumptions

1) Many different approaches and designs are utilized in industry with respect to BMS functions
associated with the single burner boiler operations. This example is not recommending any
specific “best” and / or mandatory design approach. The intent of this example is to assess typical
NFPA 85 installations and minimum design requirements. It is recognized that many designs
currently exist in industry. The system designer or owner/operator may apply the illustrated
concepts to their designs to better understand the application of ANSI/ISA-84.00.01-2004.

2) The boiler is assumed to be designed to operate in a de-energize to trip capacity.

3) The P&ID sketch depicts the use of switches instead of transmitters for measurement of various
process conditions. The system designer, when performing design / SIL verification activities,
may need to evaluate switches versus transmitters based upon the desired proof test interval and
selected SIL target. Switches were depicted on the P&ID sketch due to the large installed base
that currently exists in industry utilizing this architecture. Note: transmitters are typically used
in new SIS applications because of the potential reduction in proof testing requirements and the
additional diagnostic benefits associated with transmitters.

4) Basic Process Control System (BPCS) instrumentation has not been completely depicted to
simplify the P&ID and keep the focus on BMS related sensors and final elements.

5) For the purposes of this example, a high drum level trip was considered to be a BPCS function
associated with protection of the downstream steam system. BPCS controls are outside the
scope of this document and as such are not included in this example. Each owner/operator
should review this decision for their particular situation to determine if they need to evaluate this
as a potential SIF.

6) Note: not all items contained in the hazard analysis table will result in assignment of an SIL.
Qualitative or quantitative techniques should be used to determine whether specific functions
should be assigned an SIL based on an owner/operator's risk criteria. As a result of this process
some permissives and / or trips will be assigned an SIL and others will not.

Design Considerations

There are several events that can lead to loss of flame, which are listed below with some non-interlock
means of protection against the hazard to consider.

1) Low Fuel Gas Pressure – Typical causes of low fuel gas pressure are failure of the fuel gas
regulator or loss of supply. A non-interlock layer of protection to consider is a minimum fire
bypass around the control valve to maintain fuel gas pressure above the point of loss of flame in
the event that the controller closes the fuel gas control valve completely. Note: one should
carefully review the location of the low pressure sensor and its ability to detect a control valve
failure. Many different designs exist in industry. One option is to move the control valve upstream
of the low pressure sensor. Another option is to move the low pressure sensor downstream of the
control valve and add a second low pressure sensor on the gas header for the light-off permissive;
once flame is established, the low pressure sensor downstream of the control valve is used to trip
the boiler. The main consideration is what the hazard is and how it is detected. Careful
consideration of the piping arrangement and low pressure sensor location is necessary to detect low
pressure due to control valve failure.

2) Loss of control system actuating energy and / or power failure – The boiler is assumed to be
designed to operate in a de-energize to trip capacity. However, it is recognized that some BMS
are designed as energize to trip. Utilization of an energize to trip design poses some unique
challenges for the owner/operator with respect to SIS design and the ability of the system to
achieve the allocated risk reduction. Design verification should be carefully reviewed, as many
simplified calculation methods assume the application is de-energize to trip scenarios.

Sequence Considerations

There are several permissives and sequence steps listed in section 7.2 that should be considered for safe
start-up and operation of a boiler. This list is not all-inclusive, but should provide a starting point for
discussion on sequencing requirements for a safe boiler start-up and operation.


Figure 7.1 – Single Burner Boiler Process Schematic


7.2 Example Hazard Analysis Table for a Single Burner Boiler

Columns of the table: Phase; Undesirable Event; Consequence Description; Function # (Permissive (P) or
Trip (T)); Cause(s); Detectable Abnormal Condition; Actions Taken. The rows are reproduced below grouped
by phase and undesirable event.

Phase: Prefiring Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Combustibles in the firing chamber may result in development of a flammable or
explosive mixture, which may then be exposed to a source of ignition, causing undesired combustion, and
potentially an explosion, which may result in mechanical damage to the boiler and may also result in
personnel impacts to persons near the equipment.

  Function 1 (P)
    Cause(s): Fuel supply valves improperly aligned (i.e. block valves not closed and / or vent valve
      not open) prior to light-off. See Clause 6.3.1.1.1
    Detectable Abnormal Condition: Valve fully closed limit switch(es) not proven
    Actions Taken: Inhibit subsequent start-up steps.

  Function 2 (P)
    Cause(s): Failure to purge firebox. See Clause 6.3.1.1.2
    Detectable Abnormal Condition: Air flow does not exist for specified time period at sufficient
      flow rate
    Actions Taken: Inhibit subsequent start-up steps.

Phase: Prefiring Cycle
Undesirable Event: Proceeding to the Light-Off cycle when the permissives are not satisfied
Consequence Description: Mechanical damage to the equipment and personnel exposure/harm may occur if the
identified permissives are not met prior to proceeding with the sequence.

  Function 3 (P)
    Cause(s): Light-off of the burner when the fuel gas valve position and / or air damper position is
      such that an excessively fuel rich mixture is entering the combustion chamber.
      See Clause 6.3.1.2.4
    Detectable Abnormal Condition: Fuel control valve and air damper not at minimum fire positions
      during attempted light-off
    Actions Taken: Inhibit subsequent start-up steps.

  Function 4 (P)
    Cause(s): Steam drum level not established or failure of drum level instrumentation.
      See Clause 6.3.1.2.6
    Detectable Abnormal Condition: Low steam drum level
    Actions Taken: Inhibit subsequent start-up steps.

Phase: Light-Off Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: (same as for the Prefiring Cycle)

  Function 5 (T)
    Cause(s): Failure to ignite pilot due to:
      • Ignition transformer failure
      • Ignition valve failure
      • Plugged burner nozzle
      • Pilot gas contamination with non-flammable material results in unstable mixture that cannot
        support combustion
      • Improper fuel / air ratio
      See Clause 6.3.2.1.1
    Detectable Abnormal Condition: Igniter flame not proven within specified time
    Actions Taken: Shutoff fuel supply to pilot

  Function 6 (T)
    Cause(s): Failure to ignite main flame due to:
      • Plugged burner nozzle
      • Fuel gas contamination with non-flammable material results in unstable mixture that cannot
        support combustion
      See Clause 6.3.2.1.2
    Detectable Abnormal Condition: Main flame not proven within specified time
    Actions Taken: Shutoff fuel supply to main burner

Phase: Normal Operation
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: (same as for the Prefiring Cycle)

  Function 7 (T)
    Cause(s): High fuel gas pressure causes unstable flame operation and loss of flame with subsequent
      introduction of unburned fuel gas due to fuel gas regulator failure. See Clause 6.3.3.1.1
    Detectable Abnormal Condition: High fuel gas pressure or loss of flame
    Actions Taken: Shutoff fuel supply to main burner and pilot

  Function 8 (T)
    Cause(s): Low fuel gas pressure causes unstable flame operation and loss of flame with subsequent
      introduction of unburned fuel gas due to loss of fuel gas supply or fuel gas control valve
      failure. See Clause 6.3.3.1.2
    Detectable Abnormal Condition: Low fuel gas pressure or loss of flame
    Actions Taken: Shutoff fuel supply to main burner and pilot

  Function 9 (T)
    Cause(s): Combustion air fan or damper failure while firing. See Clause 6.3.3.1.5
    Detectable Abnormal Condition: Loss of combustion air supply (i.e. air flow falls below minimum
      firing rate) or loss of flame
    Actions Taken: Shutoff fuel supply to main burner and pilot

  Function 10 (T)
    Cause(s): Fuel gas contamination with non-flammable material causes loss of flame and subsequent
      introduction of unburned fuel gas. See Clause 6.3.3.1.6
    Detectable Abnormal Condition: Loss of flame
    Actions Taken: Shutoff fuel supply to main burner and pilot

  Function 11 (T)
    Cause(s): Loss of control system actuating energy and / or power failure. See Clause 6.3.3.1.7
    Detectable Abnormal Condition: Low instrument air pressure or loss of primary power
    Actions Taken: Shutoff fuel supply to main burner and pilot.

Phase: Normal Operation
Undesirable Event: Loss of Water in Boiler Steam Drum
Consequence Description: Possible mechanical damage to water tubes if boiler firing is continued without
sufficient water present to remove heat. Mechanical damage to the boiler may also result in personnel
impacts to persons near the equipment.

  Function 12 (T)
    Cause(s): Low steam drum level due to loss of boiler feed water system; failure of steam system
      (i.e. leak); or failure of drum level instrumentation / basic process control system with
      continued firing of the boiler results in loss of water in the steam drum. See Clause 6.3.3.2
    Detectable Abnormal Condition: Low drum level
    Actions Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: Excessive Pressure in Steam Drum
Consequence Description: Possible steam drum rupture or explosion. This event may result in personnel
impacts to persons near the equipment.

  Function 13 (T)
    Cause(s): High steam drum pressure due to blocked outlet of the steam drum caused by
      instrumentation / basic process control system failures or operator error, or overfiring caused
      by instrumentation / basic process control system failures or operator error.
      See Clause 6.3.3.2.2
    Detectable Abnormal Condition: High steam drum pressure
    Actions Taken: Shutoff fuel supply to main burner and pilot. Note: Clause 6.3.3.2.2 provides
      discussion of protection layers.
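
The permissives (functions 1 to 4) and trips (functions 5 to 13) of table 7.2, together with the latching
reset of 6.5.1 and the independent manual trip of 6.5.2, describe one sequencer. The following Python is an
added example and not part of this technical report, NFPA 85 or any vendor's BMS: it models that sequencer
as a state machine with de-energize-to-trip outputs. The purge and trial-for-ignition times, the input names
and the scenario inputs are all constructed for the example, and every trip is treated as a master fuel trip
(both trains de-energized), which is conservative relative to the minimum actions the table lists for
functions 5 and 6.

```python
"""Added example (not ISA-TR84.00.05 text): minimal BMS sequencer and trip latch for the single
burner boiler of clause 7 (permissives 1-4, trips 5-13 of table 7.2); de-energize-to-trip outputs."""
from dataclasses import dataclass

PURGE_TIME, PILOT_TFI, MAIN_TFI = 60.0, 10.0, 10.0  # assumed seconds, not NFPA 85 values
TRIPS = {"fuel_pressure_ok": "fn 7/8 fuel gas pressure", "air_flow_ok": "fn 9 loss of combustion air",
         "actuating_energy_ok": "fn 11 loss of actuating energy/power",
         "drum_level_ok": "fn 12 low drum level", "drum_pressure_ok": "fn 13 high steam drum pressure"}

@dataclass
class Inputs:                           # constructed sensor states; fn = table 7.2 function
    valves_proven_closed: bool = False  # fn 1: closed limit switches proven
    air_flow_ok: bool = False           # fn 2 (purge air) and fn 9 (loss of air while firing)
    low_fire_position: bool = False     # fn 3: fuel valve and damper at minimum fire
    drum_level_ok: bool = False         # fn 4 (permissive) and fn 12 (trip)
    fuel_pressure_ok: bool = True       # fn 7 / fn 8: high / low fuel gas pressure
    pilot_flame: bool = False           # fn 5: pilot flame proven
    main_flame: bool = False            # fn 6 (light-off) and fn 10 (loss of flame)
    actuating_energy_ok: bool = True    # fn 11: instrument air / primary power
    drum_pressure_ok: bool = True       # fn 13: steam drum pressure
    manual_trip: bool = False           # independent manual trip (6.5.2)

@dataclass
class BMS:
    state: str = "PREFIRE"
    timer: float = 0.0
    pilot_valve: bool = False           # True = energized = open (de-energize to trip)
    main_valve: bool = False
    trip_reason: str = ""

    def _trip(self, reason):
        # Example simplification: every trip de-energizes both trains (a master fuel trip);
        # table 7.2 lists the minimum action (pilot only for fn 5, main burner only for fn 6).
        self.state, self.trip_reason = "TRIPPED", reason
        self.pilot_valve = self.main_valve = False

    def active_trips(self, i):
        """Trip conditions (manual trip and fn 7-13) present in the current inputs."""
        manual = ["manual trip"] if i.manual_trip else []
        return manual + [why for attr, why in TRIPS.items() if not getattr(i, attr)]

    def step(self, i, dt=1.0):
        if self.state == "TRIPPED":
            return self.state                  # latched: only reset() leaves this state
        bad = self.active_trips(i)
        if self.state == "RUN" and not i.main_flame:
            bad.append("fn 10 loss of flame")
        if bad and (self.state in ("PILOT_TFI", "MAIN_TFI", "RUN") or i.manual_trip):
            self._trip(bad[0])                 # fn 7-13 act only once fuel is admitted
            return self.state
        if self.state == "PREFIRE":            # fn 1 and fn 4 before the purge may start
            if i.valves_proven_closed and i.drum_level_ok and i.air_flow_ok:
                self.state, self.timer = "PURGE", 0.0
        elif self.state == "PURGE":            # fn 2: continuous air flow for PURGE_TIME
            self.timer = self.timer + dt if i.air_flow_ok else 0.0
            if self.timer >= PURGE_TIME:
                self.state = "LIGHTOFF_READY"
        elif self.state == "LIGHTOFF_READY":   # fn 3 proven before any fuel is admitted
            if i.low_fire_position and i.drum_level_ok and i.valves_proven_closed:
                self.state, self.timer, self.pilot_valve = "PILOT_TFI", 0.0, True
        elif self.state == "PILOT_TFI":
            self.timer += dt
            if i.pilot_flame:
                self.state, self.timer, self.main_valve = "MAIN_TFI", 0.0, True
            elif self.timer >= PILOT_TFI:      # pilot fuel trip of 6.4.4
                self._trip("fn 5 pilot flame not proven")
        elif self.state == "MAIN_TFI":
            self.timer += dt
            if i.main_flame:
                self.state = "RUN"
            elif self.timer >= MAIN_TFI:
                self._trip("fn 6 main flame not proven")
        return self.state

    def reset(self, i):  # 6.5.1: latched until an operator reset, honoured only once clear
        if self.state != "TRIPPED" or self.active_trips(i):
            return False
        self.state, self.timer, self.trip_reason = "PREFIRE", 0.0, ""
        return True

def demo():
    """Constructed scenarios: (a) start-up, low fuel gas pressure trip, reset refused while
    the condition persists and accepted once cleared; (b) pilot never proves (6.4.4)."""
    bms, i = BMS(), Inputs(True, True, True, True)   # fn 1-4 permissives satisfied
    def go(**changes):                     # apply input changes, then run one scan
        for name, value in changes.items():
            setattr(i, name, value)
        return bms.step(i)
    log = {"after_purge": [go() for _ in range(62)][-1]}   # 1 + 60 s purge + 1 scan
    log["pilot_proven"] = go(pilot_flame=True)
    log["main_proven"] = go(main_flame=True)
    log["tripped"] = (go(fuel_pressure_ok=False), bms.trip_reason, bms.main_valve)
    log["reset_while_active"] = bms.reset(i)
    go(fuel_pressure_ok=True, pilot_flame=False, main_flame=False)   # still latched
    log["reset_after_clear"] = (bms.reset(i), bms.state)
    b2, i2 = BMS(), Inputs(True, True, True, True)
    opened = any(b2.step(i2) and b2.main_valve for _ in range(62 + int(PILOT_TFI)))
    log["pilot_fail"] = (b2.state, b2.trip_reason, opened)
    return log
```

Calling demo() walks the boiler through purge, pilot and main trial for ignition into normal operation,
trips it on low fuel gas pressure, shows that reset() is refused while the pressure condition persists and
accepted only after it clears (and then restarts from the pre-firing cycle, so a full repurge is required),
and in the second scenario shows a pilot fuel trip in which the main valve was never energized, which is the
condition 6.4.4 relies on when it excludes the main fuel valves from that trip's PFDavg.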


8 Example of a Hazard and Risk Analysis Applied to a Multi-Burner Process Heater

The following is an example of hazard and risk analysis for a natural draft multi-burner process heater
firing fuel gas and/or fuel oil. The purpose of this example is to illustrate a methodology for identifying and
classifying the SIF within the BMS. The identified hazards are common to most fired heaters, and the
associated interlocks are typical of those listed in API RP 556 – Instrumentation and Controls for Fired
Heaters and Steam Generators. The schematic in Figure 8.1 provides a simplified multiple burner process
heater design that should be used when reviewing this example.

The primary hazards associated with fuel gas and fuel oil-fired heaters are accumulation of uncombusted
fuel in the firing chamber and re-ignition due to loss of flame, fire (due to release of unburned fuel oil in
the firebox), process tube rupture, and steam coil rupture. The hazards associated with the permissives
and interlocks are discussed in clause 6 of this Technical Report and more specifically in the hazard
analysis table of this example. For reference, some recommendations are given for sequencing, which
should not be considered as all-inclusive. These should only be treated as a starting point for review of
the required sequencing for a particular heater application.

8.1 Assumptions and Clarifications

To assist one in interpreting the hazard analysis table and the associated multi-burner heater P&ID
sketch, the following assumptions and clarifications have been made regarding this design.

Assumptions

1) The fired heater is assumed to be designed to operate in a de-energize to trip capacity. Note: de-
energize to trip is considered to be the fail safe mode.

2) The heater P&ID is for illustrative purposes only and provides a basis for the analysis
summarized in the hazard analysis table. This example is designed to illustrate the typical
permissives and trips associated with multi-burner fired heaters. The design depicted is only one
of many ways by which the functions may be designed for a multi-burner process heater.

3) This example, in general, does not show BPCS equipment or miscellaneous piping components
(e.g., strainers) associated with the fired heater, but rather is intended to highlight the BMS
equipment. Evaluation of necessary BPCS equipment should also be conducted.

Design Considerations

4) This heater is assumed to have continuous pilots sourced from a supply that is separate from the
main burner fuel gas supply.

5) The heater is natural draft and uses the position of the damper to protect against high firebox
pressure. This example does not take into consideration the need for a high firebox pressure trip
due to loss of containment in a process tube. That SIF should be evaluated according to the
specific process fluid being heated by the heater.

6) The method utilized in this example to verify that all individual burner and pilot valves are closed
prior to light-off is pressurization of the system with nitrogen. Use of nitrogen (or other non-
combustibles) to perform this activity may be unsafe if the following considerations are not
accounted for within operating procedures:

• Allowance of a purge of the nitrogen from the system prior to light-off to ensure that the
nitrogen does not interfere with flame stability.


• Measures to ensure that nitrogen is not able to enter the system during normal operation.

Sequence Considerations

There are several permissives and sequence steps listed in section 8.2 that should be considered for safe
start-up of a fired heater. This list is not all-inclusive, but should provide a starting point for discussion on
sequencing requirements for a safe heater start-up. The following considerations are listed as specific for
this type of equipment as they are not implemented automatically as SIFs.

1) Confirm draft doors (or other facilities) are open to enable natural draft in the heater before
attempting to start the purge.

2) The operator shall accomplish, via documented operating procedure, the confirmation of a
successful purge of the firebox for the natural draft fired heater because no means of detecting air
flow is provided.


Figure 8.1 – Multiple Burner Process Heater Process Schematic


8.2 Example Hazard Analysis Table for a Multiple Burner Process Heater

Columns of the table: Phase; Undesirable Event; Consequence Description; Function # (Permissive (P) or
Trip (T)); Cause(s); Detectable Abnormal Condition; Action Taken. The rows are reproduced below grouped by
phase and undesirable event.

Phase: Prefiring
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Accumulation of uncombusted fuel in the heater firebox may lead to a flammable or
explosive mixture. If a source of ignition is available, ignition of the flammable mixture may lead to an
uncontrolled fire/explosion, potentially causing injury to personnel or mechanical damage to the heater and
surrounding equipment.

  Function 1 (P)
    Cause(s): Fuel gas and pilot gas valves (block valves and vent) improperly aligned prior to
      light-off. See Clause 6.3.1.1.1
    Detectable Abnormal Condition: Valve limit switches not proven
    Action Taken: Inhibit subsequent startup steps.

  Function 2 (P)
    Cause(s): Improper purge prior to attempted ignition. See Clause 6.3.1.1.2
    Detectable Abnormal Condition: Air flow with damper and air doors in the correct position does not
      exist for specified time period
    Action Taken: Inhibit subsequent startup steps.

  Function 3 (P)
    Cause(s): Block valves at burners or pilots left open. See Clause 6.3.1.2.5
    Detectable Abnormal Condition: Two options:
      1. Individual valve limit switches not proven
      2. Fuel gas line downstream of control valve fails to pressurize within set time period
         (Low Fuel Gas Pressure (Burner))
    Action Taken: Inhibit subsequent startup steps.

Phase: Prefiring
Undesirable Event: Proceeding to the Light-Off cycle when the permissives are not satisfied
Consequence Description: Mechanical damage to the equipment and personnel exposure/harm may occur if the
identified permissives are not met prior to proceeding with the sequence.

  Function 4 (P)
    Cause(s): Light-off of the burner when fuel gas valve position is not at min fire position and/or
      air damper is closed such that a fuel rich mixture is entering the combustion chamber.
      See Clause 6.3.1.2.4
    Detectable Abnormal Condition: Fuel gas control valve at position greater than min fire position;
      damper closed beyond light-off position (e.g., minimum stop)
    Action Taken: Inhibit subsequent startup steps.

Phase: Light-Off Cycle
Undesirable Event: Accumulation of uncombusted fuel in heater firebox and re-ignition
Consequence Description: Accumulation of uncombusted fuel in the heater firebox may lead to a flammable
mixture. If a source of ignition is available, ignition of the flammable mixture may lead to an
uncontrolled fire/explosion, potentially causing injury to personnel or mechanical damage to the heater and
surrounding equipment.

  Function 5 (T)
    Cause(s): Failure to ignite pilot due to:
      • Ignition transformer failure
      • Ignition valve failure
      • Plugged burner nozzle
      • Pilot gas contamination with non-flammable material results in unstable mixture that cannot
        support combustion
      • Improper fuel / air ratio
      See Clause 6.3.2.1.1
    Detectable Abnormal Condition: Pilot flame not proven within specified time
    Action Taken: Shutoff fuel supply to pilot.

  Function 6 (T)
    Cause(s): Failure to ignite main flame due to:
      • Plugged burner nozzle
      • Fuel gas contamination with non-flammable material results in unstable mixture that cannot
        support combustion
      See Clause 6.3.2.1.2
    Detectable Abnormal Condition: Main flame not proven (this example does not provide detectors on
      the main flame to detect this condition); low/high fuel gas pressure at burner; double block
      and bleed limit switches not proven; fuel gas control valve closed
    Action Taken: Shutoff fuel supply to main burners

Phase: Normal Operation
Undesirable Event: Accumulation of uncombusted fuel in heater firebox and re-ignition
Consequence Description: (same as for the Light-Off Cycle)

  Function 7 (T)
    Cause(s): High fuel gas pressure in the main header causes flame to blow off the burner tip, with
      potential for loss of flame. Flow of fuel gas through the burner can exceed the ratio of
      available combustion air and lead to a fuel rich environment in the heater firebox.
      See Clause 6.3.3.1
    Detectable Abnormal Condition: High Fuel Gas Pressure (Burner)
    Action Taken: Close Master Fuel Gas Valves

  Function 8 (T)
    Cause(s): Low fuel gas pressure at the burner causes unstable flame operation and loss of flame.
      Continued flow or reintroduction of fuel gas leads to unburned fuel in the firebox.
      See Clause 6.3.3.1.2
    Detectable Abnormal Condition: Low Fuel Gas Pressure
    Action Taken: Close Master Fuel Gas Valves

  Function 9 (T)
    Cause(s): Loss of draft in the heater can lead to unstable flame, with potential for loss of flame.
      Flow of fuel gas through the burner can exceed stoichiometric rates for available combustion
      air and lead to a fuel rich environment in the heater firebox. See Clause 6.3.3.5
    Detectable Abnormal Condition: High Firebox Pressure
    Action Taken: Close Master Fuel Gas Valves

  Function 10 (T)
    Cause(s): Fuel gas contamination with non-flammable material causes loss of flame and subsequent
      introduction of unburned fuel gas. See Clause 6.3.3.1.6
    Detectable Abnormal Condition: Loss of Burner Flame
    Action Taken: Close Master Fuel Gas Valves

  Function 11 (T)
    Cause(s): Low fuel oil pressure in the main header causes unstable flame operation and loss of
      flame. Continued flow or reintroduction of fuel oil leads to unburned fuel in the firebox.
      See Clause 6.3.3.1.3
    Detectable Abnormal Condition: Low Fuel Oil Pressure
    Action Taken: Close Master Fuel Oil Valves

  Function 12 (T)
    Cause(s): Loss of control system actuating energy and / or power failure. See Clause 6.3.3.1.7
    Detectable Abnormal Condition: Low instrument air pressure or loss of primary power
    Action Taken: Close Master Fuel Gas, Fuel Oil and Pilot Gas Valves

  Function 13 (T)
    Cause(s): Low pilot gas pressure causes unstable pilot operation and loss of flame. Continued flow
      or reintroduction of gas leads to uncombusted fuel in the firebox. This potential hazard only
      exists during pilots-only operation of the heater. See Clause 6.3.3.1.9
    Detectable Abnormal Condition: Low Pilot Gas Pressure
    Action Taken: Close Pilot Gas Valves

  Function 14 (T)
    Cause(s): High pilot gas pressure causes liftoff of pilot flame and loss of flame. Continued flow
      or reintroduction of gas leads to uncombusted fuel in the firebox. This potential hazard only
      exists during pilots-only operation of the heater. See Clause 6.3.3.1.8
    Detectable Abnormal Condition: High Pilot Gas Pressure
    Action Taken: Close Pilot Gas Valves

Phase: Normal Operation
Undesirable Event: Unburned Fuel Oil Directed into the Heater Firebox
Consequence Description: Accumulation of uncombusted liquid oil in the firebox may lead to a large fire in
the firebox or a fire on the ground outside of the heater.

  Function 15 (T)
    Cause(s): Loss of atomizing steam to the heater will cause loss of atomization of the fuel oil and
      its accumulation on the walls and at the bottom of the heater firebox. See Clause 6.3.3.1.4
    Detectable Abnormal Condition: Low Atomizing Steam Flow / Low Fuel Oil-to-Atomizing Steam delta P
    Action Taken: Close Master Fuel Oil Valves

Phase: Normal Operation
Undesirable Event: Loss of Flow Through Heater Passes
Consequence Description: Increased tube temperature can lead to excessive stress and tube rupture. Extent
of consequence will be determined by the process fluid in the heater tubes.

  Function 16 (T)
    Cause(s): Loss of flow to one or more heater process tubes. See Clause 6.3.3.3
    Detectable Abnormal Condition: Low Pass Flow / No Pass Flow
    Action Taken: Close Master Fuel Valves


9 Example of a Hazard and Risk Analysis Applied to a Thermal Oxidizer


The following example shows how to perform a hazard and risk analysis for a thermal oxidizer. The
hazards listed in this example are common to most thermal oxidizers and the associated interlocks are
typical of those required per NFPA 86 – Standard for Ovens and Furnaces. The schematic in Figure 9.1
provides a simplified thermal oxidizer design used for this example.

9.1 Assumptions and Considerations

To assist one in interpreting the hazard analysis table and the associated thermal oxidizer P&ID sketch,
the following assumptions and clarifications have been made regarding this design.

Assumptions

The following assumptions are made in regard to this example:

1) The waste feed stream is not in and of itself flammable, i.e., it will not continue to burn in the
absence of natural gas flow.

2) A continuous pilot is used.

3) All requirements for Class A ovens in NFPA 86 apply to thermal oxidizers, except for the
requirements for explosion relief.

Design Considerations

1) All design considerations listed for the single burner boiler example apply.

2) The need for a double block and bleed on the waste feed stream should be evaluated on a case-by-case
basis. For cases where the waste feed stream is toxic or flammable, analysis should be used to
determine when or if a double block and bleed assembly is required to meet the SIL requirement.

3) Environmental considerations may dictate that a minimum temperature be achieved to effectively
burn the waste feed. This is not considered in our analysis because this is not a BMS trip, but
would require a risk analysis to determine the required SIL.

Sequence Considerations

There are several permissives and sequence steps listed in section 9.2 that should be considered for safe
start-up of a thermal oxidizer. This list is not all-inclusive, but should provide a starting point for discussion
on sequencing requirements for a safe thermal oxidizer start-up.



Figure 9.1 – Thermal Oxidizer Process Schematic


9.2 Example Hazard Analysis Table for a Typical Thermal Oxidizer


Columns: Phase | Undesirable Event | Consequence Description | Function # (Permissive (P) or Trip (T)) | Cause(s) | Detectable Abnormal Condition | Action Taken

Phase: Prefiring Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Combustibles in the firing chamber may result in development of a flammable or explosive mixture, which may then be exposed to a source of ignition, causing undesired combustion, and potentially an explosion, which may result in mechanical damage to the oxidizer and may also result in personnel impacts to persons near the equipment.

  Function 1 (P)
  Cause(s): Fuel supply valves improperly aligned (i.e. block valves not closed and / or vent valve not open) prior to Light-off. See Clause 6.3.1.1.1
  Detectable Abnormal Condition: Valve fully closed limit switch(es) not proven
  Action Taken: Inhibit subsequent start-up steps.

  Function 2 (P)
  Cause(s): Failure to purge firebox. See Clause 6.3.1.1.2
  Detectable Abnormal Condition: Air flow does not exist for specified time period at sufficient flow rate
  Action Taken: Inhibit subsequent start-up steps.

Undesirable Event: Proceeding to the Light-Off cycle when the permissives are not satisfied
Consequence Description: Mechanical damage to the equipment and personnel exposure/harm may occur if the identified permissives are not met prior to proceeding with the sequence

  Function 3 (P)
  Cause(s): Light-off of the burner when the fuel gas valve position and / or combustion air damper position is such that an excessive fuel rich mixture is entering the combustion chamber. See Clause 6.3.1.2.4
  Detectable Abnormal Condition: Fuel control valve and air damper not at minimum fire positions during attempted light-off
  Action Taken: Inhibit subsequent start-up steps.

Phase: Light-Off Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Combustibles in the firing chamber may result in development of a flammable or explosive mixture, which may then be exposed to a source of ignition, causing undesired combustion, and potentially an explosion, which may result in mechanical damage to the boiler and may also result in personnel impacts to persons near the equipment.

  Function 4 (T)
  Cause(s): Failure to ignite pilot due to:
    • Ignition transformer failure
    • Ignition valve failure
    • Plugged burner nozzle
    • Pilot gas contamination with non-flammable material results in unstable mixture that cannot support combustion
    • Improper fuel / air ratio
    See Clause 6.3.2.1.1
  Detectable Abnormal Condition: Igniter flame not proven within specified time
  Action Taken: Shutoff fuel supply to pilot

  Function 5 (T)
  Cause(s): Failure to ignite main flame due to:
    • Plugged burner nozzle
    • Fuel gas contamination with non-flammable material results in unstable mixture that cannot support combustion
    See Clause 6.3.2.1.2
  Detectable Abnormal Condition: Main flame not proven within specified time
  Action Taken: Shutoff fuel supply to main burner

Phase: Normal Operation
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Combustibles in the firing chamber may result in development of a flammable or explosive mixture, which may then be exposed to a source of ignition, causing undesired combustion, and potentially an explosion, which may result in mechanical damage to the boiler and may also result in personnel impacts to persons near the equipment.

  Function 6 (T)
  Cause(s): High fuel gas pressure causes unstable flame operation and loss of flame with subsequent introduction of unburned fuel gas:
    • Fuel gas regulator failure
    See Clause 6.3.3.1.1
  Detectable Abnormal Condition: High fuel gas pressure or loss of flame
  Action Taken: Shutoff fuel supply to main burner and pilot

  Function 7 (T)
  Cause(s): Low fuel gas pressure causes unstable flame operation and loss of flame with subsequent introduction of unburned fuel gas:
    • Loss of fuel gas supply
    • Fuel gas control valve failure
    See Clause 6.3.3.1.2
  Detectable Abnormal Condition: Low fuel gas pressure or loss of flame
  Action Taken: Shutoff fuel supply to main burner and pilot

  Function 8 (T)
  Cause(s): Combustion Air Fan or Damper Failure while firing. See Clause 6.3.3.1.5
  Detectable Abnormal Condition: Loss of combustion air supply (i.e. air flow falls below minimum firing rate) or loss of flame
  Action Taken: Shutoff fuel supply to main burner and pilot

  Function 9 (T)
  Cause(s): Fuel gas contamination with non-flammable material causes loss of flame and subsequent introduction of unburned fuel gas. See Clause 6.3.3.1.6
  Detectable Abnormal Condition: Loss of flame
  Action Taken: Shutoff fuel supply to main burner and pilot

  Function 10 (T)
  Cause(s): Loss of control system actuating energy and/or power failure. See Clause 6.3.3.1.7
  Detectable Abnormal Condition: Low instrument air pressure or loss of primary power
  Action Taken: Shutoff fuel supply to main burner and pilot

Undesirable Event: Uncontrolled temperature rise in the fume incinerator
Consequence Description: If the maximum temperature limit specified by the heater manufacturer is exceeded, the combustion chamber could be mechanically damaged and could pose a risk of injury to personnel located in the vicinity of the equipment

  Function 11 (T)
  Cause(s): High combustion chamber temperature caused by:
    • Fuel gas control valve failure
    • Waste Feed control valve failure
    See Clause 6.3.3.4
  Detectable Abnormal Condition: High combustion chamber temperature
  Action Taken: Shutoff fuel supply to main burner and pilot if deemed necessary
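The permissive and trip logic of the thermal oxidizer table above, modelled as an added example in Python (this is not code from ISA-TR84.00.05, NFPA 86 or any BMS vendor). The purge duration, the trial-for-ignition time, the input names and the choice to treat the function 11 high-temperature trip as an unconditional fuel shutoff are assumptions made for the example; the report leaves the last of these to the risk analysis.

```python
from dataclasses import dataclass, field

# Assumed timing values: the report only says "specified time period".
PURGE_SECONDS = 60.0
FLAME_PROVE_SECONDS = 10.0


@dataclass
class Inputs:
    phase: str  # "prefiring", "light_off" or "normal"
    # Function 1: fuel supply valve line-up proven by limit switches
    block_valves_closed_proven: bool = True
    vent_valve_open_proven: bool = True
    # Function 2: seconds of air flow at or above the purge flow rate
    purge_airflow_seconds: float = 0.0
    # Function 3: fuel control valve and air damper at minimum fire positions
    fuel_valve_at_min_fire: bool = True
    air_damper_at_min_fire: bool = True
    # Functions 4 and 5: flame proving and trial-for-ignition timers
    pilot_flame_proven: bool = False
    pilot_trial_seconds: float = 0.0
    main_flame_proven: bool = False
    main_trial_seconds: float = 0.0
    # Functions 6 to 11: normal-operation trip conditions
    fuel_gas_pressure_high: bool = False
    fuel_gas_pressure_low: bool = False
    combustion_air_lost: bool = False
    instrument_air_low: bool = False
    primary_power_lost: bool = False
    chamber_temperature_high: bool = False


@dataclass
class Outputs:
    startup_permitted: bool      # False only while a pre-firing permissive is unmet
    pilot_fuel_energized: bool   # de-energize to trip: False = pilot gas valves closed
    main_fuel_energized: bool    # False = main burner fuel valves closed
    reasons: list = field(default_factory=list)  # functions that inhibited or tripped


def evaluate(inp: Inputs) -> Outputs:
    """One scan of the BMS logic for the phase given in inp."""
    # Function 10: with no actuating energy or power nothing can be held open,
    # so the de-energize-to-trip outputs drop before any other logic runs.
    if inp.primary_power_lost or inp.instrument_air_low:
        return Outputs(False, False, False, ["fn 10: loss of actuating energy / power"])

    reasons = []
    if inp.phase == "prefiring":
        if not (inp.block_valves_closed_proven and inp.vent_valve_open_proven):
            reasons.append("fn 1: fuel valve line-up not proven")
        if inp.purge_airflow_seconds < PURGE_SECONDS:
            reasons.append("fn 2: purge not complete")
        if not (inp.fuel_valve_at_min_fire and inp.air_damper_at_min_fire):
            reasons.append("fn 3: fuel valve / air damper not at minimum fire")
        # No fuel is admitted during the pre-firing cycle.
        return Outputs(not reasons, False, False, reasons)

    if inp.phase == "light_off":
        pilot_ok = True
        if not inp.pilot_flame_proven and inp.pilot_trial_seconds >= FLAME_PROVE_SECONDS:
            pilot_ok = False
            reasons.append("fn 4: pilot flame not proven within trial time")
        main_ok = inp.pilot_flame_proven  # the main trial starts only on a proven pilot
        if main_ok and not inp.main_flame_proven and inp.main_trial_seconds >= FLAME_PROVE_SECONDS:
            main_ok = False
            reasons.append("fn 5: main flame not proven within trial time")
        return Outputs(True, pilot_ok, main_ok, reasons)

    if inp.phase == "normal":
        # Loss of flame is the detectable condition shared by functions 6 to 9.
        flame_lost = not (inp.pilot_flame_proven and inp.main_flame_proven)
        if inp.fuel_gas_pressure_high:
            reasons.append("fn 6: high fuel gas pressure")
        if inp.fuel_gas_pressure_low:
            reasons.append("fn 7: low fuel gas pressure")
        if inp.combustion_air_lost:
            reasons.append("fn 8: loss of combustion air")
        if flame_lost:
            reasons.append("fn 6/7/8/9: loss of flame")
        if inp.chamber_temperature_high:
            reasons.append("fn 11: high combustion chamber temperature")
        tripped = bool(reasons)
        # Every normal-operation trip closes both main burner and pilot fuel.
        return Outputs(True, not tripped, not tripped, reasons)

    raise ValueError(f"unknown phase: {inp.phase}")
```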


10 Example of a Hazard and Risk Analysis Applied to an Oil Heater Treater


The following example shows how to perform a hazard and risk analysis for an oil heater treater. The
hazards listed in this example are common to most oil heater treaters and the associated interlocks are
typical of those required per API RP 14C – Recommended Practice for Analysis, Design, Installation, and
Testing of Basic Surface Safety Systems for Offshore Production Platforms, Fired and Exhaust Heated
Components. The schematic in Figure 10.1 provides a typical Oil Heater Treater that should be used
when reviewing this example.

10.1 Assumptions and Considerations

To assist one in interpreting the hazard analysis table and the associated Oil Heater Treater P&ID sketch,
the following assumptions and clarifications have been made regarding this design.

Assumptions

The following assumptions are made in regard to this example:

1) The Oil Heater Treater is a natural draft fired vessel.

2) A continuous pilot is provided on the oil heater treater that is supplied with fuel gas that is shared
with the main burner.

3) The oil heater treater is assumed to be designed to operate in a de-energize to trip capacity.

4) The P&ID sketch provided in Figure 10.1 depicts the use of transmitters for measurement of
various process conditions. Transmitters are typically used in new SIS applications because of
the potential reduction in proof testing requirements and the additional diagnostic benefits
associated with transmitters.

5) The symbols used in Figure 10.1 are based on ANSI/ISA–5.1 and have been modified from the
simplified sketches presented in API RP 14C.

6) Basic Process Control System (BPCS) instrumentation has not been completely depicted to
simplify the P&ID and keep the focus on BMS related sensors and final elements.

7) High oil/water treater level and low oil level were not addressed because they are associated with
equipment either upstream or downstream of the fired component.

8) The fusible plug loop fire detection system was deemed beyond the scope of this evaluation
because the system involves the entire platform.

9) The purpose and use of stand-alone safety devices, such as relief valves and stack flame
arresters, are shown on the P&ID drawing; however, their functionality was not considered in the
hazard analysis table. The risk reduction provided by these devices should be considered in the
risk analysis for equipment of this type.


Design Considerations

The following design considerations are applicable to the Oil Heater Treater:

1) The low fuel gas pressure design consideration presented for the single burner boiler is also
applicable to the oil heater treater.

2) The design considerations for the loss of control system actuating energy presented for the single
burner boiler are also applicable to the oil heater treater.

3) Double actuated block valves are provided to isolate the fuel gas supply to the main burner.

4) The fuel gas isolation block valves have been equipped with a closed position switch to allow for
proper line-up in the pre-firing sequence. This position switch is in addition to the equipment
presented in API RP 14C.

5) A pressure transmitter has been added to the API RP 14C oil heater treater design located
upstream of the pilot and main burner fuel gas isolation valves to provide detection of adequate
fuel gas supply.

Sequence Considerations

There are several permissives and sequence steps listed in clause 10.2 that should be considered for
safe start-up of an oil heater treater. This list is not all-inclusive, but should provide a starting point for
discussion on sequencing requirements for a safe oil heater treater start-up. The following consideration
is listed as specific for this type of equipment as it is not implemented automatically as a SIF.

1) The operator shall accomplish, via documented operating procedure, the confirmation of a
successful purge of the firebox for the natural draft oil heater treater because no means of
detecting air flow is provided.


Figure 10.1 – Example Oil Heater Treater Process Schematic


10.2 Example Hazard Analysis Table for Typical Oil Heater Treater (API RP14C Fired Vessel - Natural Draft)

Columns: Phase | Undesirable Event | Consequence Description | Function # (Permissive (P) or Trip (T)) | Cause(s) | Detectable Abnormal Condition | Action Taken

Phase: Prefiring Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Combustibles in the firing chamber may result in development of a flammable or explosive mixture, which may then be exposed to a source of ignition, causing undesired combustion, and potentially an explosion, which may result in mechanical damage to the vessel and may also result in personnel impacts to persons near the equipment.

  Function 1 (P)
  Cause(s): Fuel supply valves improperly aligned (i.e. block valves not closed and / or vent valve not open) prior to Light-off. See Clause 6.3.1.1.1
  Detectable Abnormal Condition: Valve fully closed limit switch not proven (sensor not required by API 14C)
  Action Taken: Inhibit subsequent start-up steps.

  Function 2 (P)
  Cause(s): Failure to purge firebox. See Clause 6.3.1.1.2
  Detectable Abnormal Condition: Air flow does not exist for specified time period.
  Action Taken: Inhibit subsequent start-up steps.

Undesirable Event: Proceeding to the Light-Off cycle when the permissives are not satisfied
Consequence Description: Mechanical damage to the equipment and personnel exposure/harm may occur if the identified permissives are not met prior to proceeding with the sequence

  Function 3 (P)
  Cause(s): Light-off of the burner when the fuel gas valve position is such that an excessive fuel rich mixture is entering the combustion chamber. See Clause 6.3.1.2.4
  Detectable Abnormal Condition: Fuel gas control valve at position greater than min fire position.
  Action Taken: Inhibit subsequent startup steps

Phase: Light-Off Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Accumulation of combustibles in the firing chamber may result in development of a flammable mixture, which may then be exposed to a source of ignition, causing combustion, and potentially an explosion, which may result in mechanical damage to the vessel and may also result in personnel impacts to persons near the equipment.

  Function 4 (T)
  Cause(s): Failure to ignite pilot due to:
    • Ignition transformer failure
    • Ignition valve failure
    • Plugged pilot burner nozzle
    • Pilot gas contamination with non-flammable material results in unstable mixture that cannot support combustion
    • Improper fuel / air ratio
    See Clause 6.3.2.1.1
  Detectable Abnormal Condition: Igniter flame not proven within specified time
  Action Taken: Shutoff fuel supply to main burner and pilot

  Function 5 (T)
  Cause(s): Failure to ignite main flame due to:
    • Plugged burner nozzle
    • Fuel gas contamination with non-flammable material results in unstable mixture that cannot support combustion
    • Improper fuel / air ratio
    See Clause 6.3.2.1.2
  Detectable Abnormal Condition: Main flame not proven within specified time
  Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Accumulation of combustibles in the firing chamber may result in development of a flammable mixture, which may then be exposed to a source of ignition, causing combustion, and potentially an explosion which may result in mechanical damage to the vessel and may also result in personnel impacts to persons near the equipment.

  Function 6 (T)
  Cause(s): High fuel gas pressure in the main burner fuel gas causes unstable flame operation and loss of flame with subsequent introduction of unburned fuel gas:
    • Fuel gas regulator failure
    See Clause 6.3.3.1.1
  Detectable Abnormal Condition: High fuel gas pressure or loss of flame
  Action Taken: Shutoff fuel supply to main burner and pilot

  Function 7 (T)
  Cause(s): Low fuel gas pressure in the main burner fuel gas causes unstable flame operation and loss of flame with subsequent introduction of unburned fuel gas:
    • Loss of fuel gas supply
    • Fuel control system failure
    See Clause 6.3.3.1.2
  Detectable Abnormal Condition: Low fuel gas pressure (pressure sensor not required by API RP14C) or loss of flame
  Action Taken: Shutoff fuel supply to main burner and pilot

  Function 8 (T)
  Cause(s): Fuel gas contamination with non-flammable material causes loss of flame and subsequent introduction of unburned fuel gas. See Clause 6.3.3.1.6
  Detectable Abnormal Condition: Loss of burner flame
  Action Taken: Shutoff fuel supply to main burner and pilot

  Function 9 (T)
  Cause(s): Loss of control system actuating energy and / or power failure. See Clause 6.3.3.1.7
  Detectable Abnormal Condition: Low instrument air pressure or loss of primary power (sensor not required by API 14C)
  Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: Low level in front section of Heater Treater
Consequence Description: Possible mechanical damage to vessel or heating tubes, if firing is continued without sufficient heat sink. Mechanical damage and/or explosion of the vessel may also result in personnel impacts to persons near the equipment.

  Function 10 (T)
  Cause(s): Low vessel level due to:
    • Loss or reduced inlet flow into vessel
    • Failure of drum level instrumentation / basic process control system
    • Leakage from vessel
    • Water vaporization
    See Clause 6.3.3.6
  Detectable Abnormal Condition: Low Level in Heater Treater front section
  Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: High temperature in Heater Treater
Consequence Description: Possible mechanical damage to vessel or heating tubes, if firing is continued without sufficient liquid present to remove heat. Mechanical damage and/or explosion of the vessel may also result in personnel impacts to persons near the equipment.

  Function 11 (T)
  Cause(s): High vessel temperature due to:
    • Temperature control failure
    • Inadequate inlet flow into vessel
    • Ignition of medium leak into fired chamber
    • Plus low level causes identified in item 11, above.
    See Clause 6.3.3.7
  Detectable Abnormal Condition: High temperature in Heater Treater front section
  Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: Excessive Pressure in Heater Treater Vessel
Consequence Description: Possible vessel rupture or explosion. This event may result in personnel impacts to persons near the equipment.

  Function 12 (T)
  Cause(s): High vessel pressure due to:
    • Regulator failure or valve closed in gas outlet
    • Overfiring caused by instrumentation / basic process control system failures or operator error
    See Clause 6.3.3.8
  Detectable Abnormal Condition: High Vessel Pressure
  Action Taken: Shutoff fuel supply to main burner and pilot

Undesirable Event: High Stack Temperature
Consequence Description: Potential to damage the burner tubes leading to hot process fluid leakage out of the vessel and possible fire.

  Function 13 (T)
  Cause(s): High stack temperature due to:
    • Overfiring caused by instrumentation / basic process control system failures or operator error
    See Clause 6.3.3.4
  Detectable Abnormal Condition: High Stack Temperature
  Action Taken: Shutoff fuel supply to main burner and pilot

11 Example of a Hazard and Risk Analysis Applied to a Glycol Reboiler


The following example shows how to perform a hazard and risk analysis for a glycol reboiler. The hazards
listed in this example are common to most fired reboilers, and the associated interlocks are typical of
those required per API RP 14C – Recommended Practice for Analysis, Design, Installation, and Testing
of Basic Surface Safety Systems for Offshore Production Platforms, Fired and Exhaust Heated
Components. The schematic in Figure 11.1 provides a typical Glycol Reboiler that should be used when
reviewing this example.

11.1 Assumptions and Considerations

To assist one in interpreting the hazard analysis table and the associated glycol reboiler P&ID sketch, the
following assumptions and clarifications have been made regarding this design.

Assumptions

The following assumptions are made in regard to this example:

1) The Glycol Reboiler is a forced draft fired vessel.

2) A continuous pilot is provided on the glycol reboiler that is supplied with fuel gas that is shared
with the main burner.

3) The glycol reboiler is assumed to be designed to operate in a de-energize to trip capacity.

4) The P&ID sketch provided in Figure 11.1 depicts the use of transmitters for measurement of
various process conditions. Transmitters are typically used in new SIS applications because of
the potential reduction in proof testing requirements and the additional diagnostic benefits
associated with transmitters.

5) The symbols used in Figure 11.1 are based on ANSI/ISA–5.1 and have been modified from the
simplified sketches presented in API RP 14C.

6) Basic Process Control System (BPCS) instrumentation has not been completely depicted to
simplify the P&ID and keep the focus on BMS related sensors and final elements.

7) High reboiler level and low glycol level in the overflow were not addressed because they are
associated with equipment either upstream or downstream of the fired component.

8) The fusible plug loop fire detection system was deemed beyond the scope of this evaluation
because the system involves the entire platform.

9) The purpose and use of stand-alone safety devices, such as the relief valve and stack flame arrester,
are shown on the P&ID drawing; however, their functionality was not considered in the hazard
analysis table. The risk reduction provided by these devices should be considered in the risk
analysis for equipment of this type.


Design Considerations

The following design considerations are applicable to the Glycol Reboiler:

1) The low fuel gas pressure design consideration presented for the single burner boiler is also
applicable to the glycol reboiler.

2) The design considerations for the loss of control system actuating energy presented for the single
burner boiler are also applicable to the glycol reboiler.

3) A single actuated block valve is provided to isolate the fuel gas supply to the main burner.

4) The fuel gas isolation block valve has been equipped with a closed position switch to allow for
proper line-up in the pre-firing sequence. This position switch is in addition to the equipment
presented in API RP 14C.

5) A pressure transmitter has been added to the API RP 14C glycol reboiler design located
upstream of the pilot and main burner fuel gas isolation valves to provide detection of adequate
fuel gas supply.

Sequence Considerations

There are several permissives and sequence steps listed in clause 11.2 that should be considered for
safe start-up of a glycol reboiler. This list is not all-inclusive, but should provide a starting point for
discussion on sequencing requirements for a safe glycol reboiler start-up.

Figure 11.1 – Typical Glycol Reboiler Process Schematic


11.2 Example Hazard Analysis Table for Typical Glycol Reboiler (API RP14C Fired Vessel (Forced Draft))

Columns: Phase | Undesirable Event | Consequence Description | Function # (Permissive (P) or Trip (T)) | Cause(s) | Detectable Abnormal Condition | Action Taken

Phase: Prefiring Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Combustibles in the firing chamber may result in development of a flammable or explosive mixture, which may then be exposed to a source of ignition, causing undesired combustion, and potentially an explosion, which may result in mechanical damage to the vessel and may also result in personnel impacts to persons near the equipment.

  Function 1 (P)
  Cause(s): Fuel supply valve not fully closed prior to light-off. See Clause 6.3.1.1.1
  Detectable Abnormal Condition: Valve fully closed limit switch not proven (sensor not required by API 14C)
  Action Taken: Inhibit subsequent start-up steps.

  Function 2 (P)
  Cause(s): Failure to purge firebox. See Clause 6.3.1.1.2
  Detectable Abnormal Condition: Combustion air pressure not sufficient for specified time period
  Action Taken: Inhibit subsequent start-up steps.

Undesirable Event: Proceeding to the Light-Off cycle when the permissives are not satisfied
Consequence Description: Mechanical damage to the equipment and personnel exposure/harm may occur if the identified permissives are not met prior to proceeding with the sequence

  Function 3 (P)
  Cause(s): Light-off of the burner when the fuel gas valve position and / or air damper position is such that an excessive fuel rich mixture is entering the combustion chamber. See Clause 6.3.1.2.4
  Detectable Abnormal Condition: Fuel control valve and air damper not at minimum fire positions during attempted light-off (Function not required by API 14C)
  Action Taken: Inhibit subsequent start-up steps.

Phase: Light-Off Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Accumulation of combustibles in the firing chamber may result in development of a flammable mixture, which may then be exposed to a source of ignition, causing combustion, and potentially an explosion, which may result in mechanical damage to the vessel and may also result in personnel impacts to persons near the equipment.

  Function 4 (T)
  Cause(s): Failure to ignite pilot due to:
    • Ignition transformer failure
    • Ignition valve failure
    • Plugged pilot burner nozzle
    • Pilot gas contamination with non-flammable material results in unstable mixture that cannot support combustion
    • Improper fuel / air ratio (linkage failure, control failure)
    See Clause 6.3.2.1.1
  Detectable Abnormal Condition: Igniter flame not proven within specified time
  Action Taken: Shutoff fuel supply to pilot

  Function 5 (T)
  Cause(s): Failure to ignite main flame due to:
    • Plugged burner nozzle
    • Fuel gas contamination with non-flammable material results in unstable mixture that cannot support combustion
    • Improper fuel / air ratio
    See Clause 6.3.2.1.2
  Detectable Abnormal Condition: Main flame not proven within specified time
  Action Taken: Shutoff fuel supply to main burner

Phase: Normal Operation
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Accumulation of combustibles in the firing chamber may result in development of a flammable mixture, which may then be exposed to a source of ignition, causing combustion, and potentially an explosion which may result in mechanical damage to the vessel and may also result in personnel impacts to persons near the equipment.

  Function 6 (T)
  Cause(s): High fuel gas pressure in the main burner fuel gas causes unstable flame operation and loss of flame with subsequent introduction of unburned fuel gas:
    • Fuel gas regulator failure
    See Clause 6.3.3.1.1
  Detectable Abnormal Condition: High fuel gas pressure or loss of flame
  Action Taken: Shutoff fuel supply to main burner and pilot

  Function 7 (T)
  Cause(s): Low fuel gas pressure in the main burner fuel gas causes unstable flame operation and loss of flame with subsequent introduction of unburned fuel gas:
    • Loss of fuel gas supply
    • Fuel control system failure
    See Clause 6.3.3.1.2
  Detectable Abnormal Condition: Low fuel gas pressure or loss of flame
  Action Taken: Shutoff fuel supply to main burner and pilot

  Function 8 (T)
  Cause(s): Low combustion air:
    • Combustion Air Fan failure while firing
    • Blocked air inlet
    See Clause 6.3.3.1.5
  Detectable Abnormal Condition: Low combustion air pressure, motor run contact lost on combustion air blower, or loss of flame
  Action Taken: Shutoff fuel supply to main burner and pilot

  Function 9 (T)
  Cause(s): Fuel gas contamination with non-flammable material causes loss of flame and subsequent introduction of unburned fuel gas. See Clause 6.3.3.1.6
  Detectable Abnormal Condition: Loss of burner flame
  Action Taken: Shutoff fuel supply to main burner and pilot

  Function 10 (T)
  Cause(s): Loss of control system actuating energy and / or power failure. See Clause 6.3.3.1.7
  Detectable Abnormal Condition: Low instrument air pressure or loss of primary power (Sensor not required by API 14C)
  Action Taken: Shutoff fuel supply to main burner and pilot

Undesirable Event: Low level Glycol Reboiler
Consequence Description: Possible mechanical damage to vessel or heating tubes, if firing is continued without sufficient liquid present to remove heat. Mechanical damage of the vessel may also result in a heater fire with the potential for personnel impacts to persons near the equipment.

  Function 11 (T)
  Cause(s): Low vessel level due to:
    • Loss or reduced inlet flow into vessel
    • Failure of drum level instrumentation / basic process control system
    • Leakage from vessel
    See Clause 6.3.3.6
  Detectable Abnormal Condition: Low level in reboiler
  Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: High temperature in Glycol Reboiler
Consequence Description: Possible mechanical damage to vessel, heating tubes or column, if firing is continued without sufficient heat removal. Mechanical damage of the vessel and tubes may also result in a fire with the potential for personnel impacts to persons near the equipment.

  Function 12 (T)
  Cause(s): High vessel temperature due to:
    • Temperature control failure
    • Inadequate inlet flow into vessel
    • Ignition of medium leak into fired chamber
    • Plus low level causes identified in item 11, above.
    See Clause 6.3.3.7
  Detectable Abnormal Condition: High temperature in Glycol Reboiler
  Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: High Stack Temperature
Consequence Description: Potential to damage the burner tubes leading to hot process fluid leakage out of the vessel and possible fire.

  Function 13 (T)
  Cause(s): High stack temperature due to:
    • Overfiring caused by instrumentation / basic process control system failures or operator error
    See Clause 6.3.3.4
  Detectable Abnormal Condition: High Stack Temperature
  Action Taken: Shutoff fuel supply to main burner and pilot

12 Example Hazard and Risk Analysis and Verification


The following examples are provided to help clarify how the overall concepts of the Safety Lifecycle can
be applied to fired equipment. The examples contained herein are generic in nature and do not represent
an intention to endorse any specific risk criteria and/or design architectures.

12.1 Hazard and Risk Analysis

This report does not endorse a specific methodology for performing risk assessment. Refer to ANSI/ISA-
84.00.01-2004 Part 3 and Guidelines for Hazard Evaluation Procedures (CCPS/AICHE) for information on
methods for risk assessment. The hazard and risk analysis results presented in this Clause are based
upon the Safety Layer Matrix presented in ANSI/ISA-84.00.01-2004 Part 3, Figure C.2. Four different
scenarios were evaluated and are shown in Table 12.1. The scenarios were selected to highlight the
design process and decisions an SIS designer should consider when selecting an architecture for a given
SIF / SIS.

12.1.1 Item Number 1

The first scenario analyzes the process hazards associated with low fuel gas pressure, which could result
in loss of flame. The continued addition of fuel gas without flame allows accumulation of unburned fuel
gas which, if ignited, results in an uncontrolled fire or explosion. This consequence is determined to be a
“serious” event. Two different initiating events were identified for this hazard. A likelihood of
“medium” was estimated for the failure of the fuel gas pressure control loop. A likelihood of “high” was
estimated for the failure of the fuel gas supply. A continuously operated, separately sourced pilot provides
protection against both initiating events. Based upon the risk analysis, the function is an SIF and needs to
meet SIL 2.

12.1.2 Item Number 2

The second scenario also analyzes the process hazards associated with low fuel gas pressure, but in this
case the likelihood of the event is judged to be lower than that of the event assessed in item number 1. The
consequence is determined to be a “serious” event and the same two initiating events were
identified. A likelihood of “medium” was estimated for both the failure of the fuel gas pressure control loop
and the failure of the fuel gas supply. Once again, for both initiating events, a single Independent Protection
Layer was identified consisting of a continuously operated, separately sourced pilot burner. Based upon
the risk analysis, the BMS function is an SIF and needs to meet SIL 1.

12.1.3 Item Number 3

The third scenario analyzes the process hazards associated with inadequate purge due to poor air flow at
the purge rate for the purge duration. Inadequate purge could allow previously introduced fuels to remain
in the heater, which could result in a fire or explosion upon light-off. This consequence was deemed to be
a “serious” event. Two different initiating events for this specific hazard were identified. A likelihood of
“medium” was estimated for the blocked air inlet. A likelihood of “low” was estimated for the blower failure.
For both initiating events a single Independent Protection Layer was identified, which relies on an
operator following a procedure requiring a manual check of the combustible concentration prior to light-
off.


Table 12.1 – Example Hazard and Risk Analysis Summary

Columns: Item No.; Process Hazard; Hazardous Event; Consequence (Risk Matrix); Consequence
Severity (S); Initiating Event; Likelihood Category (L); RR; Independent Protection Layers; IPL Credit;
Required SIL for SIF (All Causes)

Item 1 – Low Fuel Gas Pressure Resulting in Loss of Flame (Case 1)
  Hazardous Event: Loss of flame with continued addition of fuel gas can result in accumulation of
  unburned fuel gas which if ignited could result in an uncontrolled fire or explosion.
  Consequence (Risk Matrix): The team felt that the consequence of this event could be serious based on
  the magnitude of the potential explosion and equipment location in a frequently occupied area.
  S = Serious
  Initiating Event 1: Failure of fuel gas pressure control. L = Medium, RR = 2
    IPL 1: Continuously-operated separately sourced pilot burners (IPL Credit 1)
    IPL 2: Low Fuel Gas Pressure Causes Fuel Gas Shutoff (SIL 1)
  Initiating Event 2: Loss of fuel gas supply - various reasons including loss of utility supply and
  miscellaneous misoperation. L = High, RR = 3
    IPL 1: Continuously-operated separately sourced pilot burners (IPL Credit 1)
    IPL 2: Low Fuel Gas Pressure Causes Fuel Gas Shutoff (SIL 2)
  Required SIL for SIF (All Causes): SIL 2

Item 2 – Low Fuel Gas Pressure Resulting in Loss of Flame (Case 2)
  Hazardous Event: Loss of flame with continued addition of fuel gas can result in accumulation of
  unburned fuel gas which if ignited could result in an uncontrolled fire or explosion.
  Consequence (Risk Matrix): The team felt that the consequence of this event could be serious based on
  the magnitude of the potential explosion and equipment location in a frequently occupied area.
  S = Serious
  Initiating Event 1: Failure of fuel gas pressure control. L = Medium, RR = 2
    IPL 1: Continuously-operated separately sourced pilot burners (IPL Credit 1)
    IPL 2: Low Fuel Gas Pressure Causes Fuel Gas Shutoff (SIL 1)
  Initiating Event 2: Loss of fuel gas supply - various reasons including loss of utility supply and misc.
  misoperation - For this case the fuel gas supply was considered more reliable than the first case.
  L = Medium, RR = 2
    IPL 1: Continuously-operated separately sourced pilot burners (IPL Credit 1)
    IPL 2: Low Fuel Gas Pressure Causes Fuel Gas Shutoff (SIL 1)
  Required SIL for SIF (All Causes): SIL 1

Item 3 – Failure to Provide Airflow (Detected by Low Pressure) at Purge Rate for the Purge Duration
  Hazardous Event: Failure to purge the firebox prior to addition of fuel and light-off (an ignition source)
  could result in a fire or explosion if flammable materials were present.
  Consequence (Risk Matrix): The team felt that based on the location and occupancy of the area around
  the heater the consequence of this event would be serious. S = Serious
  Initiating Event 1: Blocked air inlet. L = Medium, RR = 2
    IPL 1: Operator intervention based on manual combustible concentration analysis prior to light-off
    (IPL Credit 1)
    IPL 2: Low Air Flow (to be detected by Low Air Pressure) to inhibit subsequent start-up step (SIL 1)
  Initiating Event 2: Blower failure. L = Low, RR = 1
    IPL 1: Operator intervention based on manual combustible concentration analysis prior to light-off
    (IPL Credit 1)
  Required SIL for SIF (All Causes): SIL 1

Item 4 – Flame Detection Prior to Purge
  Hazardous Event: Prior to light-off, pool fire of flammable liquids exists in the firebox due to
  misoperation.
  Consequence (Risk Matrix): The team felt that based on the existing equipment location and occupancy
  of the area around the heater the consequence of this event would be serious. S = Serious
  Initiating Event 1: Oil pool fire existing prior to startup. L = Low, RR = 1
    IPL 1: Operator intervention based on walkthrough inspection prior to startup (IPL Credit 1)
  Required SIL for SIF (All Causes): Not Applicable


12.1.4 Item Number 4

The fourth scenario analyzes the process hazards associated with starting up the fired equipment under
emergency conditions. It is included to highlight the various types of functions that might be evaluated
using risk analysis. The hazards are caused by the presence of uncontrolled pool fires within the firebox
due to equipment misoperation. If the operator attempts to start up the equipment in this condition, a
more serious event could result. The consequence severity was deemed to be “serious.” One initiating
event was identified with a likelihood of “low.” A single Independent Protection Layer was identified, which
relied on an operator following a procedure to inspect the combustion chamber prior to startup.

NOTE RR in the above table represents the amount of required risk reduction prior to consideration of independent protection
layers.
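The accounting behind Table 12.1 can be written out as a short screening routine: look up the required risk reduction (RR) from severity and likelihood, subtract the credit of the non-SIF layers (pilot burners or an operator procedure), and take the worst residual over all initiating events as the SIL the BMS function must provide. The script below is an added example, not part of the report; it encodes only the "Serious" row of the matrix with the RR values Table 12.1 shows (Low = 1, Medium = 2, High = 3), and the one-order-of-magnitude credits are the ones the table assigns to the pilot and to the operator procedure.

```python
"""Required-SIL screening in the style of Table 12.1 (added example, not the report's).

Only the "Serious" row of the risk matrix is encoded, with the RR values Table 12.1
shows (Low -> 1, Medium -> 2, High -> 3); the full Safety Layer Matrix of
ANSI/ISA-84.00.01-2004 Part 3, Figure C.2 is not reproduced here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# (consequence severity, likelihood category) -> required risk reduction, RR
RISK_REDUCTION: Dict[tuple, int] = {
    ("Serious", "Low"): 1,
    ("Serious", "Medium"): 2,
    ("Serious", "High"): 3,
}


@dataclass(frozen=True)
class InitiatingEvent:
    description: str
    likelihood: str
    non_sif_ipl_credits: int = 0   # orders of magnitude credited to IPLs other than the BMS function


@dataclass(frozen=True)
class Scenario:
    item: int
    hazard: str
    severity: str
    causes: List[InitiatingEvent]


def sif_sil_per_cause(scenario: Scenario) -> Dict[str, int]:
    """Residual risk reduction the BMS function must supply for each initiating event."""
    result = {}
    for cause in scenario.causes:
        rr = RISK_REDUCTION[(scenario.severity, cause.likelihood)]
        result[cause.description] = max(rr - cause.non_sif_ipl_credits, 0)
    return result


def required_sil(scenario: Scenario) -> Optional[int]:
    """SIL required of the SIF over all causes; None when no SIF is needed (as for Item 4)."""
    worst = max(sif_sil_per_cause(scenario).values())
    return worst if worst > 0 else None


# The four scenarios of Table 12.1 with the IPL credits the table assigns.
PILOT = 1       # continuously operated, separately sourced pilot burners
PROCEDURE = 1   # operator procedure (manual combustible check or walkthrough inspection)

SCENARIOS = [
    Scenario(1, "Low fuel gas pressure resulting in loss of flame (Case 1)", "Serious", [
        InitiatingEvent("Failure of fuel gas pressure control", "Medium", PILOT),
        InitiatingEvent("Loss of fuel gas supply", "High", PILOT)]),
    Scenario(2, "Low fuel gas pressure resulting in loss of flame (Case 2)", "Serious", [
        InitiatingEvent("Failure of fuel gas pressure control", "Medium", PILOT),
        InitiatingEvent("Loss of fuel gas supply (more reliable supply)", "Medium", PILOT)]),
    Scenario(3, "Failure to provide airflow at purge rate for the purge duration", "Serious", [
        InitiatingEvent("Blocked air inlet", "Medium", PROCEDURE),
        InitiatingEvent("Blower failure", "Low", PROCEDURE)]),
    Scenario(4, "Flame detection prior to purge", "Serious", [
        InitiatingEvent("Oil pool fire existing prior to startup", "Low", PROCEDURE)]),
]


def summary() -> Dict[int, Optional[int]]:
    """Item number -> required SIL for the SIF (None = not an SIF)."""
    return {s.item: required_sil(s) for s in SCENARIOS}


if __name__ == "__main__":
    for item, sil in summary().items():
        print(f"Item {item}: required SIL = {sil if sil else 'Not Applicable'}")
```

Running it reproduces the right-hand column of Table 12.1 (SIL 2, SIL 1, SIL 1, Not Applicable); the per-cause breakdown for Item 3 shows why only the blocked-air-inlet cause needs the low-air-flow permissive, since the operator procedure alone covers the RR of 1 for blower failure.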

12.2 SIL Verification

The process of selecting an acceptable design for a given SIS / SIF in practice tends to be iterative. The
SIS designer adjusts key parameters and performs the SIL Verification calculations to determine their
impact on the overall results. Some or all of the following are key parameters typically considered during
the evaluation:

• Sensor type (i.e., transmitter versus switch, etc.) and architecture (redundancy / voting with
common cause failure consideration)

• Logic Solver type (i.e., E/E/PE) and architecture (redundancy / voting with common cause failure
consideration)

• Final Element type (on/off valve versus on/off valve with partial stroke testing, etc.) and
architecture (redundancy / voting with common cause failure consideration)

• Proof Test Interval for Sensor, Logic Solver and Final Elements

The design process typically uses a five (5) step procedure to verify the safety integrity level (see Figure
12.1):

1) Step 1 – Select an architecture for evaluation (sensors, logic solver and final elements). For SISs,
ensure that the architecture meets the fault tolerance requirements of ANSI/ISA-84.00.01-2004.

2) Step 2 – Determine the theoretical Probability of Failure on Demand Average (PFDavg).

3) Step 3 – Determine the theoretical Nuisance Trip Rate or Mean Time To Fail Safe (MTTFS).

4) Step 4 – Compare the theoretical results to the expected performance.

5) Step 5 – Repeat the above steps for each possible SIS architecture being considered for the project.

Evaluation of cost of ownership can be as simple as selecting an architecture that achieves a minimum
nuisance trip (i.e., MTTFS > 10 years) or as detailed as performing Lifecycle Cost Analysis to evaluate
order of magnitude cost of ownership, including initial capital expenditures and operating costs, over the
lifetime of the SIS.

[Figure 12.1 flowchart: Start → SIS Design Architecture Options → Perform SIL or PFDAVG → Perform
Nuisance Trip Rate or MTTFS → decision “Meet SIL?” (No / Yes) → Evaluate Cost of Ownership →
decision “Lowest Cost?” (No / Yes)]

Figure 12.1. Work Process Used for This Example

12.2.1 Assumptions and Clarifications

This technical report does not include the specific reliability calculations. Instead, refer to
ISA–TR84.00.02–2002 for information on performing these calculations.

1) Failure Rate Data for field devices for the examples in this document were obtained from ISA–
TR84.00.02–2002 Part 1, Table 5.1, Company B. Failure Rate Data for logic solvers for these
examples were obtained from SINTEF and the Safety Equipment Reliability Handbook, ISBN 0-
9727234-0-4.

2) The Generic Safety PES in Table 12.2 represents a logic solver designed per IEC 61508 and
suitable for use in a SIL 2 application.

3) The generic PES contained in Table 12.2 represents a general purpose, industrial grade PE logic
solver.

4) The generic Safety PES architecture / voting scheme in Table 12.2 has been depicted as
“complex” to avoid the appearance of endorsing any specific platform or product. Each
owner/operator should evaluate the architecture (1oo1, 1oo2, 1oo2D, 2oo3, 2oo4, etc.) for their
given application.

Prior to selecting an architecture for a given SIF, one must consult the specific code / standard that
governs the fired equipment under consideration. For example, NFPA 85 Clause 4 places additional
requirements on the logic system where “no single component failure within the logic system shall prevent
a mandatory master fuel trip”. For SIFs with a requirement of SIL 1 or higher, refer to ANSI/ISA-84.00.01-
2004 for additional information regarding PES requirements.

12.2.2 Design Results

Examples of the functions identified in Table 12.1 were assessed to determine if these functions could
meet the risk reduction requirements defined by the hazard and risk analysis. Details of the assessment
are discussed below and summarized in Table 12.2.

12.2.2.1 Item Number 1 – Case 1

This design option included the use of redundant / diverse sensors in a 1oo2 voting scheme to detect low
fuel gas pressure. A general purpose industrial grade logic solver was considered for use as the logic
solver. Redundant block valves in a 1oo2 voting scheme were modeled as final elements. The sensor,
logic solver and final element subsystems were assumed to be proof tested every 12 months. As
modeled, this design does not meet the risk reduction requirements. Thus, design modifications must be
considered.

12.2.2.2 Item Number 1 – Case 2

This design option included the use of redundant / diverse sensors in a 1oo2 voting scheme to detect low
fuel gas pressure. The general purpose industrial grade logic solver was replaced with a Safety PES
designed per IEC 61508 and suitable for use in SIL 2 applications. Redundant block valves in a 1oo2
voting scheme were modeled as final elements. The sensor, logic solver and final element subsystems
were assumed to be proof tested every 12 months. The upgraded logic solver made a significant
difference in the theoretical performance. The design meets the required SIL. If desired, an
owner/operator could now consider cost of ownership issues and evaluate alternative designs.


12.2.2.3 Item Number 2 – Case 3

This potential design option under consideration included the use of a single transmitter to detect the low
fuel gas pressure initiating event (loss of flame). A general purpose industrial grade logic solver was
considered for use as the logic solver. A simplex block valve was modeled for the final element. The
sensor, logic solver and final elements were subjected to an assumed proof test interval of 48 months. As
modeled, this design cannot meet SIL 1. Thus, design modifications must be considered.

12.2.2.4 Item Number 2 – Case 4

This design option included the use of a single transmitter to detect low fuel gas pressure. The general
purpose industrial grade logic solver was replaced with a Safety PES designed per IEC 61508 and
suitable for use in SIL 2 applications. The simplex block valve scheme was replaced with redundant block
valves used in a 1oo2 voting scheme. The sensor, logic solver and final element subsystems were
assumed to be proof tested every 48 months. By upgrading the final element voting architecture and logic
solver, this design meets the PFDavg required for SIL 1. If desired, an owner/operator could now consider
cost of ownership issues and potentially evaluate additional designs for this SIF.

12.2.2.5 Item Number 3 – Case 5

This potential design option under consideration included the use of a single transmitter to detect loss of
combustion air flow as the initiating event. A Safety PES designed per IEC 61508 and suitable for use in
SIL 2 applications is modeled as the logic solver for this SIF. Because this is a permissive SIF that
prevents subsequent light-off steps, final elements are not required in the design; the sensor and logic
solver subsystems are assumed to be proof tested every 12 months.

As modeled, this design meets the PFDavg required for SIL 1. If desired, an owner/operator could now
consider cost of ownership issues and potentially evaluate additional designs for this SIF.

12.2.2.6 Item Number 4 – Case 6

No design options were evaluated for this case as the hazard and risk analysis did not identify this
function as an SIF.
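The iterative procedure of Clause 12.2 (select an architecture, compute PFDavg and MTTFS, compare with the target, repeat) and the five design cases of Clause 12.2.2 can be walked through with the simplified IEC 61508-6 equations for 1oo1 and 1oo2 voting. The script below is an added example and not the report's own calculation: the failure rates, the beta factor and the 10-year nuisance-trip target are assumed values chosen for illustration, not the ISA-TR84.00.02-2002 Part 1 data the report used, and the diverse flame relay of cases 1 and 2 is modelled with the transmitter's rate for simplicity. With these assumptions the cases come out in the same SIL bands as Table 12.2, but the numbers themselves are illustrative only.

```python
"""Simplified SIL verification of the Table 12.2 design cases (added example).

PFDavg uses the IEC 61508-6 simplified equations for 1oo1 and 1oo2 voting
(repair time neglected, common cause handled with a beta factor). All failure
rates below are CONSTRUCTED for illustration; the report took its rates from
ISA-TR84.00.02-2002 Part 1, which is not reproduced here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

HOURS_PER_YEAR = 8760.0
NUISANCE_TRIP_TARGET_YEARS = 10.0   # "MTTFS > 10 years", the threshold quoted in 12.2

# (lambda_DU, lambda_S) in failures per hour: assumed values, not report data.
DEVICE_RATES: Dict[str, tuple] = {
    "pressure_transmitter": (3.0e-6, 2.0e-6),
    "pes":                  (2.0e-6, 1.0e-5),   # general purpose industrial PES (Note 1)
    "safety_pes":           (5.0e-8, 2.0e-6),   # IEC 61508 logic solver, SIL 2 capable (Note 2)
    "block_valve":          (3.0e-6, 2.0e-6),   # block valve with its dedicated solenoid (Note 3)
}


@dataclass(frozen=True)
class Subsystem:
    device: Optional[str]     # None when the SIF has no final element (case 5)
    voting: str               # "1oo1", "1oo2" or "none"
    beta: float = 0.10        # common-cause fraction for redundant channels (assumed)

    def pfd_avg(self, proof_test_months: float) -> float:
        """Average probability of failure on demand over the proof test interval."""
        if self.voting == "none":
            return 0.0
        lam_du = DEVICE_RATES[self.device][0]
        ti = proof_test_months / 12.0 * HOURS_PER_YEAR      # interval in hours
        if self.voting == "1oo1":
            return lam_du * ti / 2.0
        if self.voting == "1oo2":
            independent = (1.0 - self.beta) * lam_du
            common_cause = self.beta * lam_du
            return (independent * ti) ** 2 / 3.0 + common_cause * ti / 2.0
        raise ValueError(f"unsupported voting scheme: {self.voting}")

    def spurious_trip_rate(self) -> float:
        """Safe failures per hour; a 1oo2 trip path trips when either channel fails safe."""
        if self.voting == "none":
            return 0.0
        channels = {"1oo1": 1, "1oo2": 2}[self.voting]
        return channels * DEVICE_RATES[self.device][1]


@dataclass(frozen=True)
class Design:
    case: int
    sil_required: int
    sensor: Subsystem
    logic_solver: Subsystem
    final_element: Subsystem
    proof_test_months: float


def sil_from_pfd(pfd: float) -> int:
    """Map PFDavg to the SIL band of ANSI/ISA-84.00.01-2004 (0 = below SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def verify(design: Design) -> dict:
    """Steps 2 to 4 of the 12.2 procedure for one candidate architecture."""
    parts = (design.sensor, design.logic_solver, design.final_element)
    pfd = sum(p.pfd_avg(design.proof_test_months) for p in parts)
    trip_rate = sum(p.spurious_trip_rate() for p in parts)
    mttfs_years = float("inf") if trip_rate == 0 else 1.0 / (trip_rate * HOURS_PER_YEAR)
    achieved = sil_from_pfd(pfd)
    return {"case": design.case, "pfd_avg": pfd, "sil_achieved": achieved,
            "meets_sil": achieved >= design.sil_required, "mttfs_years": mttfs_years,
            "nuisance_ok": mttfs_years >= NUISANCE_TRIP_TARGET_YEARS}


# Architectures as described in 12.2.2 (diverse flame relay modelled with the transmitter rate).
TX_1OO1 = Subsystem("pressure_transmitter", "1oo1")
TX_1OO2 = Subsystem("pressure_transmitter", "1oo2")
PES = Subsystem("pes", "1oo1")
SAFETY_PES = Subsystem("safety_pes", "1oo1")
VALVE_1OO1 = Subsystem("block_valve", "1oo1")
VALVE_1OO2 = Subsystem("block_valve", "1oo2")
NO_FINAL_ELEMENT = Subsystem(None, "none")

CASES: List[Design] = [
    Design(1, 2, TX_1OO2, PES, VALVE_1OO2, 12),
    Design(2, 2, TX_1OO2, SAFETY_PES, VALVE_1OO2, 12),
    Design(3, 1, TX_1OO1, PES, VALVE_1OO1, 48),
    Design(4, 1, TX_1OO1, SAFETY_PES, VALVE_1OO2, 48),
    Design(5, 1, TX_1OO1, SAFETY_PES, NO_FINAL_ELEMENT, 12),
]


def run_all() -> Dict[int, dict]:
    """Step 5: repeat the evaluation for every candidate architecture."""
    return {d.case: verify(d) for d in CASES}


if __name__ == "__main__":
    for r in run_all().values():
        print(f"case {r['case']}: PFDavg={r['pfd_avg']:.2e} SIL {r['sil_achieved']} "
              f"meets={r['meets_sil']} MTTFS={r['mttfs_years']:.1f} y nuisance_ok={r['nuisance_ok']}")
```

Two things the run makes visible that the prose only states: the general purpose PES dominates the PFDavg budget of case 1, so swapping the logic solver (case 2) moves the whole loop into the SIL 2 band, and stretching the proof test interval to 48 months (case 3) pushes a simplex loop out of SIL 1 altogether. The MTTFS column is the nuisance-trip side of the trade: redundant 1oo2 trip paths lower PFDavg but double the spurious-trip contribution of that subsystem, which is why cost of ownership is evaluated only after the SIL target is met.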


Table 12.2 – Example SIL Verification Summary

Columns: Item; Case#; Sensor Subsystem; Sensor Subsystem Voting; Logic Solver; Final Element; Final
Element Voting (Note 3); Proof Test Interval; SIL Required; SIL Achieved; SIL PFD Requirements Met;
SIL Minimum Fault Tolerance Met

Item 1, Case 1: Sensor subsystem: Pressure Transmitter and Flame Relay, 1oo2 voting. Logic solver:
PES (Note 1). Final element: Block Valve and Block Valve, 1oo2 voting. Proof test interval: 12 Months.
SIL required: 2. SIL achieved: 1. SIL PFD requirements met: NO. SIL minimum fault tolerance met: NO.

Item 1, Case 2: Sensor subsystem: Pressure Transmitter and Flame Relay, 1oo2 voting. Logic solver:
Safety PES (Note 2). Final element: Block Valve and Block Valve, 1oo2 voting. Proof test interval: 12
Months. SIL required: 2. SIL achieved: 2. SIL PFD requirements met: YES. SIL minimum fault tolerance
met: YES.

Item 2, Case 3: Sensor subsystem: Pressure Transmitter, 1oo1 voting. Logic solver: PES (Note 1). Final
element: Block Valve, 1oo1 voting. Proof test interval: 48 Months. SIL required: 1. SIL achieved: 0. SIL
PFD requirements met: NO. SIL minimum fault tolerance met: YES.

Item 2, Case 4: Sensor subsystem: Pressure Transmitter, 1oo1 voting. Logic solver: Safety PES (Note 2).
Final element: Block Valve and Block Valve, 1oo2 voting. Proof test interval: 48 Months. SIL required: 1.
SIL achieved: 1. SIL PFD requirements met: YES. SIL minimum fault tolerance met: YES.

Item 3, Case 5: Sensor subsystem: Pressure Transmitter, 1oo1 voting. Logic solver: Safety PES (Note 2).
Final element: None, voting N/A. Proof test interval: 12 Months. SIL required: 1. SIL achieved: 1. SIL
PFD requirements met: YES. SIL minimum fault tolerance met: YES.

Item 4, Case 6: No SIL Verification required for this scenario based upon hazard analysis summarized in
Table 12.1.

Notes:

1) PES represents a general purpose industrial grade PE logic solver.

2) Safety PES represents a logic solver designed per IEC 61508 and suitable for use in an SIL 2 application.

3) Each block valve has a dedicated solenoid.

Developing and promulgating sound consensus standards, recommended practices, and technical
reports is one of ISA’s primary goals. To achieve this goal the Standards and Practices Department
relies on the technical expertise and efforts of volunteer committee members, chairmen and reviewers.

ISA is an American National Standards Institute (ANSI) accredited organization. ISA administers United
States Technical Advisory Groups (USTAGs) and provides secretariat support for International
Electrotechnical Commission (IEC) committees that develop process measurement and control
standards. To obtain additional information on the Society’s standards program, please write:

ISA
Attn: Standards Department
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709

ISBN: 978-1-936007-41-7