Paper 295177

AIChE Paper Number: 136b

ETHYLENE CRACKING FURNACE BURNER MANAGEMENT PRACTICES WITHIN U.S. PRODUCERS

Frank E. Irving

Manufacturing Technical Principal Engineer

DuPont Packaging & Industrial Polymers

Prepared for Presentation at the 2013 Spring National Meeting

San Antonio, Texas, April 28 – May 2, 2013

AIChE and EPC shall not be responsible for statements or opinions contained in papers or printed in its publications

AIChE Paper Number: 136b

ETHYLENE CRACKING FURNACE BURNER MANAGEMENT PRACTICES WITHIN U.S. PRODUCERS

Frank E. Irving

Manufacturing Principal Technical Engineer

DuPont Packaging & Industrial Polymers A summary of the current working practices and approaches to hazardous event management of the cracking heaters of several US based ethylene producers will be presented. The practices and approaches will be discussed in the context of a safety requirement specification document as it is defined by the standard ANSI/ISA 84.00.01 (IEC61511 mod.). The ISA standard has been recognized by OSHA as RAGAGEP in the U.S. for safety instrumented function life cycle management. The safety requirement specification format frames the engineering controls of the hazards relative to the applicable Codes, individual company standards and practices, and RAGAGEP.

Practices and approaches to allocating the layers of protection and establishing Safety Integrity Level (SIL) of safety instrumented function applications will also be detailed. Other elements of the safety instrumented system life cycle covering maintenance and safety instrumented function testing considerations of the burner management systems will also be addressed.

Ethylene furnace burner safety management practices vary among U.S. ethylene producers. Different hazardous events and event consequences are generated by the variations in ethylene cracking furnace process designs. Most ethylene cracking furnaces have large numbers of burners with different orientations and special process heater considerations that require unique burner management safety systems. Subtle design and maintenance considerations can have enormous impact on the heater safety, recovery from upsets, and overall performance.

Contributors

This paper has been made possible by the sharing of burner management safety practices and approaches of six contributing multi-national ethylene producers in the United States (U.S.). Several of the contributing companies requested to not be specifically identified, so all contributors will remain anonymous.

Summary of Findings Process hazard safety studies often lead ethylene producers to pursue burner management system safety instrumented function for the process heaters. Six different heater configurations covering heater installations that are newly constructed to installations that are over 40 years old are described. The safety instrumented function approaches and practices to implement the hazards analysis required protection applications for each configuration are detailed in the six appendixes of this paper. In the U.S. the NFPA® 86 2011 (1) and API RP 556 1997 (2) standards provide a framework for hazardous event protection for the ethylene heaters. The process hazards analysis process allocates layers of protection to prevent and mitigate hazardous events. At a high level, the heater flame supervision SIF and operation practice configurations generally fall into 3 groups:

1. “Older” heater installations built with only wall fired burners utilize fully attended burner systems with qualified operators present at all times to provide manual burner system monitoring and combustion chamber high LEL SIF trips to satisfy flame proven monitoring requirements during the operating window where the combustion chamber temperature is < 1400° F.

2. “Newer” heater systems with floor fire burners that can elevate the combustion chamber to > 1400° F utilize flame scanner systems to satisfy flame proven monitoring requirements and have remotely supervised burner systems.

3. Heater systems that utilize secondary staged fuel or wall burners with the primary flame scanner monitored floor burners utilize combustion chamber temperature > 1400° F to satisfy flame monitoring requirements for secondary burner permissives.

The list below captures examples of some of the most robust and interesting safety instrumented function approach examples from the six appendix listings: 1. Safe to start checks (isolation of fuels, purge, combustion system)

Pre-start permissives that verify ID fan status, ID fan speed, ID fan current, damper position, ID fan d/p, fire box d/p, fuel isolation proven, process feed isolation proven, steam drum level, no safety

instrumented function bypasses engaged, all process variables good quality

Automated fuel system pressure test for primary and secondary burner systems – fuel system pressurized with fuel using small fuel control valve, pressure maintained with time

Automated steam educator system for purging of natural draft fire box Purge time completed for 5 or more minimum air exchanges Fire box high LEL 1o2 trip function enabled at end of purge cycle Proof of no flame in fire box & flame scanners OK

2. Ignition trial period (supervised or remote ignition, proof of flame) Supervised local pilot ignition of maintained pilots with automated 15

second trial time Flame supervision by flame scanners Automated remote ignition of main burners Automated remote ignition of staged burners

3. Combustion safeguards (master fuel trip, staged trip) Master fuel trip integrated into safety system No combustibles in fire box when temperature < 1400° F Loss of combustion air (motor current, blower wheel speed, blower

d/p, fire box d/p) Fuel pressure not high or low (applies to all fuel headers) Staged trip where 1st level of trip sets system to low fire Staged trip where 2nd level of trip is a total fuel trip Staged trip where wall burners remain active in many cases as long as

fire box temperature is > 1400° F (SIF not linked solely to floor burner states)

Staged trip of main burners where pilots remain lit in many cases 4. Flame supervision bypass above 1400° F (re-ignition after miss-fire)

Temperature > 1400° F automated bypass of combustion chamber LEL 1o2 trip

Temperature > 1400° F automated bypass of flame scanners Temperature > 1400° F permits secondary burners (burner without

flame scanners) 5. Process Specific protection (unique to ethylene heaters)

High tube pressure protection trip High tube temperature trip Low process flow trip Low steam flow trip

6. De-coke mode (permissive & protection) Double block effluent valves with proof of position Effluent block valve inter-chamber pressure proven permissive Feed valve isolation proof of position Air valve position proven

7. Steam generation specific (steam drum levels, pressure, super heat temp)

2 of 3 level transmitters for low level SIF Low and Low-Low SIF actions that implement staged trip of heater

where first SIF is to low fire position for main burners and second action implements a master fuel trip.

High super heat tube temperature SIF High quench system temperature SIF

8. Manual emergency shutdown & isolation system requirements Emergency shutdown system with “hardwired” trip action in master

fuel trip circuits Emergency shutdown systems integrated with SIS system functions Multiple levels of emergency shutdown system actions

1. Emergency trip action isolates all fuels from burners and pilots and feeds

2. Emergency trip action that isolates burner fuel and feeds, but pilots are maintained

9. Special Requirements Standard SIL 3 capable SIS (in general SIFs are SIL 1 or 2) High reliability (minimal SIFs with single vote to trip) In line fuel isolation valve leak testing annually Valve proof of position switches Certification of PHA Leaders, LOPA Leaders, Safety Engineers End to end testing of SIF actions annually Ability to fully test & repair sensors while Unit in operation Investigation of every actual SIF trip to confirm validation of function

Process Hazards Assessment

Process hazards analysis (PHA) studies commonly identify hazardous events associated with ethylene cracking furnaces. The application of CFR 1910.119 – Process safety management of highly hazardous chemicals (3) directs all highly hazardous facility operators such as ethylene producers to define and manage process hazards. PHA studies are conducted to define the hazardous events and complete the risk assessment of the process using each company’s internal risk management criteria. The PHA will then allocate risk management to safety function protection layers such as relief systems and safety instrumented functions (SIF). The results of the safety management process will often lead ethylene producers to pursue burner management system SIFs for the ethylene process heaters.

U.S. Applicable Codes / Standards / RAGAGEP

The governing standard and code for SIFs in the U.S. is the ANSI/ISA 84.00.01 (IEC61511 mod.) (4) which was recognized by OSHA as generally accepted good engineering practice (RAGAGEP) in 2004. Most countries in the world have adopted IEC 61511 a national standard. Many multi-national companies have

incorporated the IEC 61511 standard into their internal compliance standards and practices. This standard is a broad document that covers the entire life cycle of SIFs, from conception in the PHA process to the final retirement of the application. The standard is complex and requires significant interpretation.

This standard details the requirements to demonstrate and maintain the safety performance of instrumented function applications. The performance level and architecture for an application to be credibly classified as a SIF is specifically addressed. The performance levels are further broken into 3 Safety Integrity Level (SIL) groups. The higher the SIL value the more reliable the application. In Table 1 (below) shows the SIL value with the range of probability of failure on demand (PFD) for SIFs in that level and the risk reduction factor (RRF) (1/PFD) that is provided.

Table 1 ANSI/ISA 84.00.01 (IEC61511 mod.) SIL Summary

SIL Safety Availability PFD RRF

3 >99.9 - 99.99% <.001 - .0001 >1,000 - 10,000

2 >99 - 99.9% <.01 - .001 >100 - 1,000

1 >90 – 99% <.1 - .01 >10 – 100

As the PHA function allocates the risk mitigation across the layers of protection, the risk reduction performance of the SIF can be translated into the SIL requirement. This target SIL is used to design and maintain the SIF.

Guidance from United States National Codes and Standards A number of codes and recommended practices have been written to cover the ethylene cracking furnaces, but no single standard appears to be recognized across the US ethylene industry as being required or governing or as defining recognized RAGAGEP. This is best demonstrated by the very selective company participation in the national standard committees. A well-known and broadly followed burner management standard in the US is the NFPA® 85 Boiler and Combustion Systems Hazard Code – 2011 (5). This prescriptive standard provides extensive design and performance requirements for BMS systems and also covers maintenance practices. The standard has

broad industry participation on the committee but in section 1.1.3 this standard specifically excludes process heaters used in chemical and petrochemical manufacture. Combustion systems for ethylene cracking furnaces are covered by the NFPA® 86 Standard for Ovens and Furnaces 2011. This standard has limited industry participation on the committee but some companies have adopted this standard as a requirement. It provides extensive details and prescriptive controls for the unique needs of the cracking furnaces. The administrative section 1.1.7 of the standard provides exclusion for compliance that states the NFPA® 86 standard shall not apply to fired heaters in petrochemical facilities that are designed and installed in accordance with: • API STD 560 Fired Heaters for General Refinery Service 2007 (6) • API RP 556 Instrumentation and Control Systems for Fired Heaters and

Steam Generators 1997 • API RP 2001 Fire Protection in Refineries May 2005. (7) The three referenced API standards in total follow closely with NFPA® 86. STD 560 is a general standard that covers a broad range of process heaters used in petrochemical facilities. The API RP 556 1997 covers instrumentation, controls, alarms, and protective systems as they apply to fired heater systems such as ethylene cracking furnaces. The API RP 2001 Fire Protection in Refineries details practices for fired equipment such as BMS (specifically refers back to NFPA® 85) and covers emergency isolation systems. The API RP 556 1997 version standard provides a list of prescriptive “shall” and “should” BMS practices and relates the practices to the hazardous events. Emphasis is given to protections for the purge cycle, flame stability, and loss of flame. The API RP 556 1997 also refers the user back to the referenced industry standards (NFPA) for more information. Specific guidance is provided for the features and performance requirements of pilot and fuel safety shut off valves. Table 2 below summarizes the 1997 guidance for a gas fired heater system.

Table 2 API RP 556 1997 Summary

EVENT PILOT SHUTDOWN

FUEL SAFETY VALVE SHUTDOWN

API RP 556 SECTION

Manual Trip Yes Yes 3.9.2 Low Pilot Fuel Press

Yes 3.9.5

Low Burner Fuel Press

Yes 3.9.3

High Burner Fuel Press

Yes 3.9.4

Loss of Flame

Yes Yes 3.9.8

Partial Loss of Flame

Polling Logic allows continued conditional

operation

Polling Logic allows continued conditional operation 3.9.8

High box Press

Yes Yes 3.9.12

Low Feed Flow

Yes 3.9.15

Loss of ID Fan

Yes Yes 3.9.18

Low Air Flow Yes Yes 3.9.19

The API RP 556 standard was extensively revised in 2011 (8) and now states in section 1.1.3 that the API RP 556 2011 does not cover pyrolysis furnaces such as ethylene reformers. With this change in the API RP 556 2011 standard, practitioners are brought full circle back to NFPA® 86 2011 as the guiding document. The design and implementation of a BMS system for an ethylene cracking furnace is a significant engineering and capital commitment. To insure a complete design is produced the following codes and standards can be referenced for additional prescriptive guidance and recommended practices: FM 7605 is working Standard for programmable logic controls of BMS (9) ISA-TR84.00.05-2009 Guidance for the Identification of Safety Instrumented

Functions (SIF) in Burner Management Systems (BMS), Approved 10 December 2009 (10)

Translating the PHAs & Standards & Codes into Action

The life cycle model of the ANSI/ISA 84.00.01 (IEC61511 mod.) standard Table 3 (below) defines the steps that are implemented in the SIS Safety Life Cycle.

Table 3 SIS Safety Life-Cycle - ANSI/ISA 84.00.01 2004 Part 1 (IEC61511 Mod)

Once a SIF action has been assigned by a hazards assessment and a target SIL level established in the allocation of safety functions, the next step is detailed in clause 10.3 of the ANSI/ISA 84.00.01 (IEC61511 mod.). The SIF life cycle directs that a safety requirements specification (SRS) for the safety instrumented functions be developed. Some companies document the SRS in multiple documents such as drawings, standards, and procedures. Other companies compile and issue a single SRS document. In either format, the SRS serves as the primary design basis and performance document for the SIFs in the safety instrumented system (SIS). It becomes a “one-stop-shop” for all SIS design

Design and development of other

means of risk reduction

Hazard and risk assessment

Management of functional safety and functional

safety assessment and auditing

Safety life-cycle structure

and planning

Design and engineering of safety instrumented

system 4

Installation, commissioning, and

validation 5

Operation and maintenance 6

Modification 7

Verification

Decommissioning 8

Safety requirements specification for the safety instrumented

system

Allocation of safety functions to protection layers

2

10 9 11

1

3

4a

details, for testing procedure development, and for the operating and recovery procedures. It is very challenging for PHAs to fully develop all of the hazardous event cases and routes that can lead to the particular catastrophic events that are required to be addressed by each companies risk management criteria. PHAs will also differ in the methodology to allocate protection across the protection layers including the SIFs. So this means each company has different reference PHA for the ethylene cracking heaters that are structured in accordance with specific standards and practices required by the respective corporation. To compare practices across a more universal bench mark, the NFPA® 86 standard has been used in this report. This standard provides a broad summary of the concepts and elements needed in a BMS for the ethylene cracking furnaces. It is a prescriptive standard, similar in organization and requirements to the familiar NFPA® 85. Section 8 of the NFPA® 86 document makes references to “safety interlocks” but this terminology does not conform completely with the SIF definitions and structures that are detailed in the ANSI/ISA 84.00.01 (IEC61511 mod) standard and supporting documents. The hazard framework considerations detailed in chapter 8 of the NFPA® 86 standard cover:

1. Safe to start checks a. Isolation of Fuels (including secondary fuels) & Pre-light permissive b. Purge & Proof of Purge of radiant box and convection section c. Combustion air flow adequacy / loss if ID fan / high fire box

pressure / damper position d. Fuel and / or pilot fuel pressure not high or low e. Instrument air pressure f. Valve proving systems (isolation position indication, low fire

position) 2. Ignition trial period

a. Low fire position for main burner b. Igniter / Pilot trail (safe) c. Flame supervision (proof of flame) d. Ignition sequencing of burners (floor and/or wall)

3. Combustion safeguards a. Master fuel trip considerations b. ID fan status and/or combustion air flow c. Assurance of stable flame (fuel high or low pressure) d. Prevent re-ignition after miss fire e. Fuel rich (burner fuel/air ratio or heater tube process leak) f. Staged trip (concept)

4. Flame supervision bypass above 1400° F (760° C)

a. Re-ignition after miss-fire with chamber & surfaces less than auto ignition temperature

b. Re-ignition after miss-fire with chamber & surfaces above the auto ignition temperature

5. Process Specific protection a. Excess temperature protection such as high tube temperature or

low flow b. Heater tube steam flow c. Heater tube over pressure

6. De-coke mode a. Permissive & protection

7. Steam generation specific a. Steam drum level &/or fired tube steam generators b. Steam drum pressure not high c. Steam super heat high temperature d. Quench system high temperature

8. Manual emergency shutdown & isolation system requirements a. Emergency and remote shutdown configured in SIS b. Emergency and remote shutdown configured in hardwired master

fuel trip system 9. Special requirements for hardwired SIFs

a. Dual final devices b. Master fuel trip logic string

10. Special requirements for safety PLCs (SIL 2 minimum SIS & certain transmitters)

11. Safety shut off valve requirements a. Double block and bleed b. External position indication c. Leakage testing and valve cycle rate accounting

ANSI/ISA 84.00.01 Elements of a Safety Requirements Specification The elements of the SRS are broken down in a 27 item list in the ANSI/ISA standard section 10.3.1. To give a presentation of considerations that is generally applicable across ethylene producers, some of the SRS elements have been omitted and others have been combined into the following 12 point summary: 1) Describe SIFs necessary to achieve target risk criteria including target SIL and

requirements for proof interval testing 2) Define safe state for each SIF 3) Define “safe” process states and states that if concurrent can lead to a

separate hazard 4) Assumed sources of trip & rate on SIFs (demand or continuous) 5) SIF process measurements and trip values

6) SIF actions and criteria (e.g. shut off class, speed) such as response time requirement to bring process to a safe state

7) Manual SD requirement 8) Energize to trip or fail safe? Energize to trip or de-energize to trip

requirements 9) Reset considerations including requirements for startup and restart of SIS 10) Define modes of Operation for Plant & SIFs for each mode and requirements

for overrides, inhibits, bypasses 11) Identify & define special Unit mode of operation SIF such as for startup,

standby, shut down 12) Identify & define special functions or performance in event of a major event

Qualification of Engineers / Operators / Maintenance Another area that is important to the Unit safe operation is that of personnel training and qualification. This topic is covered extensively in the ISA and NFPA standards:

1. PHA process or other methodology to establish target SIL 2. Operator training (emergency response, safe operation, recovery from SIF

action) 3. Engineering training or certification requirements (e.g. internal company

training, ISA84 Certificate or CFSE certified, LOPA, PHA, etc.) 4. Maintenance training or certification requirements (e.g. internal company,

2 year IT program, ISA certificate, etc.)

Considerations for Long Testing Intervals

Some producers have special considerations for long testing intervals of the BMS application. These may include:

1. Using actual process trips as proof of function 2. How is testing done & managed in the organization 3. How to manage test records of actual, partial and segment tests, and full

tests 4. Design considerations for high reliability and long testing intervals (such

as no single vote to trip, high reliability instrumentation, partial stroke testing)

5. Design considerations for long testing intervals (support of online testing, segmented testing)

6. Considerations for energize to trip devices (MOVs)

Contributing Company Practices The practices and approaches of the contributing companies are summarized in attached Appendixes 1 thru 6. The appendixes do not associate practices to any specific company. The 12 point SRS summary format is used and the SIFs are organized in the hazard framework used in NFPA® 86. Additional information that summarizes the practices and approaches of the contributing companies

with respect to training and qualification of personnel and in the other considerations is provided at the end of each appendix.

Attachments -

Appendix 1 - Practices and Approaches – Company A - Ethylene induced draft cracking furnace system consisting of main floor burners & wall burners

Appendix 2 - Practices and Approaches – Company B - Ethylene natural draft cracking furnace system with floor burners

Appendix 3 - Practices and Approaches – Company C - Ethylene induced draft cracking furnace system consisting of multiple piloted main floor burners & staged fuel floor burners & wall burners

Appendix 4 - Practices and Approaches – Company D - Ethylene induced draft cracking furnace system consisting of 156 wall burners

Appendix 5 - Practices and Approaches – Company E - Ethylene induced draft cracking furnace system consisting of fully automated multiple piloted main staged fuel floor burners and manually lit wall burners

Appendix 6 - Practices and Approaches – Company F - Ethylene furnace with multiple bottom burners and multiple upper level burners, ID fan for draft

References: 1) NFPA® 86 Standard for Ovens and Furnaces 2011 2) API RP 556 Instrumentation and Control Systems for Fired Heaters and

Steam Generators 1997 3) CFR 1910.119 – Process Safety Management of Highly Hazardous

Chemicals 4) ANSI/ISA 84.00.01 (IEC61511 mod.) 5) NFPA® 85 Boiler and Combustion Systems Hazard Code – 2011 6) API STD 560 Fired Heaters for General Refinery Service, 2007 7) API RP 2001 Fire Protection in Refineries May 2005 8) API RP 556 Instrumentation, Control, and Protective Systems for Gas

Fired Heaters, Second Edition, April 2011 9) FM 7605 is working Standard for programmable logic controls of BMS 10) ISA-TR84.00.05-2009 Guidance for the Identification of Safety

Instrumented Functions (SIF) in Burner Management Systems (BMS), Approved 10 December 2009

Appendix 1 - Practices and Approaches – Company A - Ethylene induced draft cracking furnace system consisting of main floor burners & wall burners 1. Safe to start checks - cold fire box

start up a. Isolation of Fuels (including feed & secondary fuels) & Pre-light permissive – permissive for start of purge

1) SIFs necessary to achieve target risk criteria including target SIL and requirements for proof interval testing

Permissive where all process feeds & fuels isolated from the fire box & start-up is in progress - SIL 1 - 12 month test frequency

2) Define safe state for each SI all valves at SIF action positions

3) Define “safe” process states & states that if concurrent can lead to a separate hazard

all process feeds & fuels isolated from the fire box & start-up is in progress

4) Assumed sources of trip & rate on SIFs (demand or continuous)

demand - caused by the system being taken down on purpose

5) SIF process measurements and trip values List of permissive states that are checked - closed position switches on fuel safety shutoff valves (main fuel header isolation valve, main fuel header fuel vent valve, each automated burner fuel header isolation valve) low fire position switches on fuel flow valves closed position switches on feed valves no flame indicated by scanners temperature transmitters (box) where proof of furnace temp < 1400° F (760° C), 2o3 voting pressure transmitter (instrument air & fuel & pilot & box pressure) main burner fuel pressure not low, switch downstream of 1st safety shut off valve, SIF enabled after safety valves are open with delay pilot fuel pressure not low, pressure switch located before pilot safety shut off solenoid valves main burner fuel pressure not high, pressure switch downstream of safety valves and before the flow valve pilot pressure not high, pressure switch located after pilot shut off valves & regulator relay contact – logic status pressure switches (pilot fuel gas not high or low pressure)


fuel isolation valves are closed - Class IV shutoff - position switches / contacts provided with the valve open on all fuel vent valves - position switches / contacts provided with the valve floor fuel valves at low fire position - position switch on the valve proof of closure of all feed valves - position switch on the valve proof of no flame from flame scanners proof of furnace temp < 1400° F (760° C), 2o3 voting from 3 transmitters power to igniters shut off

7) Manual SD requirement N/A

8) Energize to trip or fail safe? Energize to trip or de-energize to trip requirements

fail safe

9) Reset considerations including requirements for startup and restart of SIS

proof of position feedback from feed & fuel isolation valves

10)Define modes of Operation for Plant & SIFs for each mode and requirements for overrides, inhibits, bypasses

normal mode for this state is no flames in fire box, temp < 1400° F (760° C), Operations is making preparations to ignite a burner system

11)Identify & define special Unit mode of operation SIF such as for startup, standby, shut down

this is the 1st action in the start-up sequence

12)Identify & define special functions or performance in event of a major event

this is the system safe state position

1. Safe to start checks when fire box is < 1400° F (760° C)

b. Purge & Proof of Purge of radiant box and convection section - permissive for start of ignition steps


Permissive where Operator starts purge cycle. Purge conditions maintained for 10 minutes & permissive for start of purge are maintained for entire purge cycle & up to time of 1st pilot ignition - SIL 1 - 12 month test frequency

2) Define safe state for each SI all valves at SIF master fuel trip action positions -

ID fan running

VFD ID fan speed at minimum

dampers confirmed open

air flow adequate in fire box

purge time satisfied - time for 5 volumes of air turnover in fire box




demand - caused by Operator request

5) SIF process measurements and trip values all valve positions for fuel & feed at step 1a position for entire purge cycle

relay contact – logic status

starter contact & VFD speed

2o3 pressure transmitters

flow transmitter

logic timer – started by operator request for purge


purge requested by Operator

permissive for start of purge are maintained

ID fan running minimum speed

fire box pressure not high

air flow not low

purge time satisfied 7) Manual SD requirement N/A


fail safe


proof of position feedback from feed & fuel isolation valves & Operator request to purge


Operator starts purge cycle, if any condition is not achieved purge is stopped.


this is the 2nd action in the start-up sequence


system is in safe state position with ID fan running

2. Ignition trial period – ignition of pilots when fire box temperature is < 1400° F (760° C)

a. remote unattended ignition trial with no flame proven requires purge to perform ignition trial - 1st pilot & burner can be lit following:

1. operator requests pilot ignition

2. pilot ignition with maintained flame is proven

3. operator then requests associated main burner to be lit

4. floor burner ignition with pilot maintained is proven


Operator initiated step after purge, ID fan at minimum speed. All purge cycle permissive must be maintained and flame must be proven in allowed time or re-purge is required - SIL 1 - 12 month test frequency

2) Define safe state for each SI if ignition of the 1st burner is not proven in trial period then the furnace must be run thru the purge cycle again


all process feeds & fuels isolated from the fire box


igniter problems – demand

5) SIF process measurements and trip values loss of purge complete or no flame proven in ignition trial period

logic condition

logic condition & relay contact

position switches

logic timer

flame scanners


ignition of pilot is requested by Operator

purge complete


low fire position switches for main floor burners

ignition of pilot requested (10 second time for flame proven)

ignition of floor burner follows after pilot proven by Operator request for ignition

7) Manual SD requirement yes - manual SD will shut down all burners & pilots


fail safe


proof of purge maintained & Operator request to ignite


Operator starts ignition cycle, if condition is not achieved system restart is required


this is the 3rd action in the start-up sequence


this burner returns to not purged status

2. Ignition trial period – ignition of

main floor burners when fire box temperature is < 1400° F (760° C)

b. remote unattended ignition of next floor burners - 2nd and subsequent floor pilot & burner ignition

1. operator requests pilot ignition

2. pilot ignition with maintained flame is proven

3. operator then requests associated main burner to be lit

4. floor burner ignition with pilot maintained is proven


Operator initiated step after purge, ID fan typically minimum speed. Flame must be proven in allowed time or restart this burner is required - SIL 1 - 12 month test frequency

2) Define safe state for each SI if ignition of the next burner is not proven in trial period then the next ignition is delayed by 1 minute to allow a partial furnace purge


fuel for this burner proven isolated



5) SIF process measurements and trip values no flame proven in ignition trial period

flame scanners & logic condition

position switches

flam scanner

no flame proven in ignition trial period


remote unattended ignition of pilot is requested by Operator

at least 1 floor burner flame proven (proven flame permits 1 minute partial furnace purge timer for subsequent burner misfires events)

low fire position switch for main floor burner





fail safe


proof of purge maintained & Operator request to ignite after 1 minute wait period




this is the 4th action in the start-up sequence



3. Combustion safeguards a. General safe guards


master total fuel trip is triggered by -

SIL 1 - 12 month test frequency

Emergency shut down

low ID fan current / fan not running

low ID fan flow – characterized flow

high combustion chamber pressure

polling logic for loss of flame in 2 or more adjacent burners with temp <1400° F (760° C)

low instrument air pressure

2) Define safe state for each SI all process feeds isolated from the fire box & fuel isolated from floor & wall burners


master fuel trip - where main floor burner fuel valves (main header shut off valve & individual burner shut off valves) - closed - Class IV shut off main floor burner fuel vent valves - open floor pilot fuel valves - closed main wall burner fuel isolation valves - closed - Class IV shut off main wall burner fuel vent valves - open coil feed inlet valves - closed coil steam flow valves - at set point fire box air ID fan - minimum speed


power or utility upset – demand

5) SIF process measurements and trip values air flow characterization from blower speed

ID fan starter contacts

ID fan current

2o3 chamber pressure transmitters

flame scanners

2o3 for temperature meters

instrument air pressure transmitter





fail safe


restore stable flame system conditions - fan &/or temperatures &/or fire box pressure &/or fuel system supply pressure - activate reset


master fuel trip conditions


shutdown mode


ID fan will continue to run to remove latent heat in fire box

3. Combustion safeguards b. Assurance of stable flame (fuel high or low pressure)




low main burner fuel pressure

high main burner fuel pressure

low floor burner pilot gas pressure

high floor burner pilot fuel pressure

low wall burner fuel gas pressure

high wall burner fuel gas pressure





fuel utility upset – demand

5) SIF process measurements and trip values main burner fuel pressure not low, switch downstream of 1st safety shut off valve, SIF enabled after safety valves are open with delay

pilot fuel pressure not low, pressure switch located before pilot safety shut off solenoid valves

main burner fuel pressure not high, pressure switch downstream of safety valves and before the flow valve

pilot pressure not high, pressure switch located after pilot shut off valves & regulator





fail safe


restore fuel supply - activate reset


master fuel trip


shutdown mode



4. Flame supervision bypass above

1400° F (760° C) & wall burner enable

a. flame supervision bypass above 1400° F (760° C) – wall burner enable


SIF action will bypass only the flame supervision system for all burners when combustion chamber temperature is at or above 1400° F (760° C)


2) Define safe state for each SI N/A


N/A


N/A

5) SIF process measurements and trip values 2o3 temperature transmitters


transmitters have upscale burn out



fail safe


SIF action will automatically restore flame supervision when temperature is below 1400° F (760° C)


flame scanners will continue to indicate and will become part of master fuel trip below 1400° F (760° C)


start-up mode




1400° F (760° C) b. Wall burner permit above 1400° F (760° C)


wall burner fuel isolation valves when requested by Operator

floor burner flame scanner bypass / seal in


2) Define safe state for each SI all process feeds isolated from the fire box & fuel isolated from wall burners


Master fuel trip position for wall burner fuel system will fail off during a control power upset


N/A

5) SIF process measurements and trip values List of permissives for reset of the wall burner isolation valves – Main floor burners not tripped temperature transmitters (box) where proof of furnace temp > 1400° F (760° C), 2o3 voting with transmitter down scale burn out


reset of the wall burner fuel isolation valves is requested by Operator



fail safe


SIF action will permit Operator to request wall burner fuel gas when combustion chamber temperature is 1400° F (760° C)


wall burner fuel must be requested by the Operator during the heater system start-up


start-up mode


during a major upset that caused the fire box temperature to drop, the wall burner system would be automatically removed from operation by isolating the fuel system

5. Process specific protection Steam standby trip


low hydrocarbon feed flow

high fire box pressure


2) Define safe state for each SI all process feeds isolated from the fire box & fuel isolated from wall burners & floor burners at low fire position


main wall burner fuel isolation valves – closed

main wall burner fuel vent valves - open

coil feed inlet valves - closed

coil steam flow valves - at set point

fire box air ID fan - minimum speed

floor burners to min fire position


major Unit upset or extremely high wind event - demand

5) SIF process measurements and trip values feed flow meter

2o3 pressure transmitters (fire box pressure)










fail safe


restore feed & pressure - activate reset


Feed & pressure upsets are only allowed with all fuels tripped


standby mode


low fire with ID fan running to allow for system restoration or cooling down

6. Decoke Mode - permissive Steam standby trip


permissive to start decoke mode are defined, low process feed flow SIF is bypassed during decoke mode, all other BMS SIFs are in service


2) Define safe state for each SI process feed proven isolated from the fire box & heater effluent valve proven isolated from quench system


Steam standby mode for heater -








decoke demand - 6 times per year - this is a permissive so demand rate is N/A if procedures are followed for establishing decoke mode

5) SIF process measurements and trip values decoke selector switch in decoke mode position

process feed valve closed position switch

effluent valve closed position switch











if decoke procedure and permissive are not established, low process flow SIF will activate, de-energize to trip - fail safe


establish permissive - follow decoke procedure


standby mode will put the Unit in a safe mode to move to decoke


decoke mode



7. Steam generation specific

(concerning steam drum levels &/or fired tube steam generators)

a. low steam drum level (2o3) or high superheat steam temperature (2o3) or high steam drum pressure (2o3)


Steam standby trip












major upset of steam header or upset in BFW - demand

5) SIF process measurements and trip values 3 independent level meters (steam drum level)

3 independent pressure meters (steam drum pressure)

3 independent temperature meters (superheated steam)











de-energize to trip - fail safe


restore level & temperature & pressure control of the system - activate reset


level and pressure upsets are only allowed with all fuels tripped


standby mode





b. low low steam drum level (2o3)


master fuel trip




master fuel trip - where main floor burner fuel valves (main header shut off valve & individual burner shut off valves) - closed - Class IV shut off main floor burner fuel vent valves - open floor pilot fuel valves - closed main wall burner fuel isolation valves - closed - Class IV shut off main wall burner fuel vent valves - open coil feed inlet valves - closed coil steam flow valves - at set point fire box air ID fan - minimum speed de-energized - device will be in the interlock position - dual safety rated relays, master fuel trip circuit



5) SIF process measurements and trip values 3 independent level meters – 2o3 voting


master fuel trip - where main floor burner fuel valves (main header shut off valve & individual burner shut off valves) - closed - Class IV shut off main floor burner fuel vent valves - open floor pilot fuel valves - closed main wall burner fuel isolation valves - closed - Class IV shut off main wall burner fuel vent valves - open coil feed inlet valves - closed coil steam flow valves - at set point fire box air ID fan - minimum speed de-energized - device will be in the interlock position - dual safety rated relays, master fuel trip circuit





restore level & boiler feed water supply - activate reset


level upsets are only allowed with all fuels tripped


shutdown mode



8. Manual emergency shutdown &

isolation system requirement NFPA® 86 8.4.5 can be interpreted to require the emergency trip and isolation logic to be hardwired in the "master fuel trip" logic string, separate from the SIL rated logic solver


master fuel trip

SIL N/A - 12 month test frequency



master fuel trip - where

main floor burner fuel valves - closed - Class IV shutoff

main floor burner fuel vent valves - open

floor pilot fuel valves - closed

main wall burner fuel isolation valves - closed - Class IV shutoff




fire box air ID fan - 25% speed

de-energized - device will be in the interlock position - dual safety rated relays, master fuel trip circuit


manual activation by Operator - demand

5) SIF process measurements and trip values manual activation of the master fuel trip - 1 local activation switch & 1 CCR activation switch


manual activation of the master fuel trip - 1 local activation switch & 1 CCR activation switch - master fuel trip - where




main wall burner fuel isolation valves - closed - Class IV shutoff










manual reset by Operator


manual activation by Operator


this is an emergency response application - places heater in shutdown mode


this is an emergency response application

9. Special requirements for hardwired

SIFs Master fuel trip application per NFPA 85 & NFPA 86


Master fuel trip application per NFPA 85 & NFPA 86 - master fuel trip



de-energized - device will be in the interlock position


N/A

5) SIF process measurements and trip values N/A







N/A


N/A


N/A


N/A

10. Safety PLCs Prescriptive requirements in NFPA 86


SIS - SIL 2 minimum per NFPA 86





N/A








N/A


N/A


N/A


N/A

11. Safety shut off valve requirements rated fuel shut off valves - per NFPA 86 & NFAP 85



2) Define safe state for each SIF N/A




N/A



double block and bleed rated valves for floor burner system - Class IV shut off, 1st block master shut off valve on fuel header, common vent valve, 2nd burner shut off valve at each burner system

double block and bleed rated valves for wall burner system - Class IV shut off, 1st block master shut off valve on fuel header, common vent valve, 2nd master fuel shut off valve. Manual isolation valve at each of 27 burners.

external position indication & position switches on all fuel isolation and vent valves

all valves with provisions for annual Class IV leakage testing per NFPA 85





N/A


N/A


N/A


N/A

Company A - Personnel Training and Qualifications 1. PHA process or other methodology to establish target SIL

SIL is set in the PHA process using LOPA. LOPA follows internal corporate rule structure using trained & certified LOPA leaders.

2. Operator training (emergency response, safe operation, recovery from SIF action)

Operator training and response documented in procedures and training

3. Engineering training or certification requirements (e.g. internal company training, ISA84 Certificate or CFSE certified, LOPA, PHA, etc.)

Internal corporate training for SIF design and maintenance required following corporate standards. ISA84 or CFSE supported and paid for by company. Internal LOPA training and certification process. Internal PHA training and certification process

4. Maintenance training or certification requirements (e.g. internal company, 2 year IT program, ISA certificate, etc.)

New hires require 2 year control technician degree, annual Site instrument technician training and testing for SIF testing and maintenance

Company A - Considerations for Long Testing Intervals

1. Using actual process trips as proof of function

Not done, systems do not support transmitter signal analysis and maintenance to verify trip points are appropriate except during controlled off line testing procedure

2. How is testing done & managed in the organization

Operations schedules and oversees testing, instrument technicians perform most testing functions per written procedures

3. How to manage test records of actual, partial and segment tests, and full tests

full testing is normally done, covering meter sensor thru logic solver and final element

4. Design considerations for high reliability and long testing intervals (such as no single vote to trip, high reliability instrumentation, partial stroke testing)

SIFs are set at 12 month testing frequency due to corporate BMS standards and process fouling


High reliability considerations are used (no single vote to trip, 2o3 meter voting, in line valve leakage testing). Segmenting testing is allowed but not needed. No partial stroke applications


no MOVs are used in SIF required actions. MOVs are used in isolation system, but this is a manual trip, not a SIF action

Appendix 2 - Practices and Approaches – Company B - Ethylene natural draft cracking furnace system with floor burners 1. Safe to start checks – cold fire box start up

a. Isolation of Fuels (including feed & secondary fuels) & Pre-light permissive – permissive for start of purge


Permissive where all process feeds & fuels isolated from the fire box & start-up is in progress - SIL 1 - 24 month test frequency






5) SIF process measurements and trip values List of permissive states that are checked - closed position switches on fuel safety shutoff valves (main fuel header isolation valve, main fuel header fuel vent valve, each automated burner fuel header isolation valve) low fire position switches on fuel flow valves closed position switches on feed valves no flame indicated by scanners temperature transmitters (box) where proof of furnace temp < 1400° F (760° C), 2o3 voting pressure transmitter (instrument air & fuel & pilot & box pressure) main burner fuel pressure not low, switch downstream of 1st safety shut off valve, SIF enabled after safety valves are open with delay pilot fuel pressure not low, pressure switch located before pilot safety shut off solenoid valves main burner fuel pressure not high, pressure switch downstream of safety valves and before the flow valve pilot pressure not high, pressure switch located after pilot shut off valves & regulator relay contact – logic status pressure switches (pilot fuel gas not high or low pressure) QDLS diode laser analyzer (CO, combustibles, temperature, O2)


proof of closure on all fuel isolation valve position switches - Class IV shutoff proof of floor fuel valves at low fire position, position switch on the valve proof of closure of all feed valves, position switch on the valve proof of no flame from flame scanner proof of furnace temp < 1400° F (760° C) using QDLS analyzer secondary burner header maintains pressure test (assures burner valves are closed)



fail safe




normal mode for this state is no flames in fire box, temp< 1400° F (760° C), Operations is making preparations to ignite a burner system


this is the 1st action in the start-up sequence






Permissive where Operator starts purge cycle. Purge conditions maintained for required minutes & permissive for start of purge are maintained for entire purge cycle & up to time of 1st pilot ignition - SIL 1 - 24 month test frequency


steam educator purge activated

dampers confirmed open

purge time satisfied





5) SIF process measurements and trip values position switches on fuel & feed valves


educator flow





educator flow



fail safe






this is the 2nd action in the start-up sequence


system is in safe state position with educator steam flow

2. Ignition trial period a. ignition trial with no flame proven requires purge to perform ignition

trial – remote burner request for Operator safety - 1st burner can be lit following:

1. Operator remotely requests pilot ignition 2. secondary burner header maintains pressure test (assures burner

valves are closed) 3. pilot ignition with maintained flame proven 4. operator remotely then requests main burner to be lit 5. floor burner ignition with pilot maintained


Operator initiated step after purge. All purge cycle permissive must be maintained and flame must be proven in allowed time or re-purge is required - SIL 1 - 24 month test frequency

2) Define safe state for each SI if ignition of the 1st burner is not proven in trial period then the furnace must be run thru the purge cycle again





5) SIF process measurements and trip values loss of purge complete or no flame proven in ignition trial period

logic condition

logic condition & relay contact

position switches

logic timer

flame scanners



purge complete


low fire position switches for main floor burners


ignition of floor burner follows after pilot proven by Operator request for ignition



fail safe


proof of purge maintained & Operator request to ignite







2. Ignition trial period b. ignition of next burners - 2nd and subsequent burner ignition is a

manual step by Operator, permit to open double block for secondary burner fuel is sealed in by the pilot burner flame scanner and QDLS analyzers


Operator initiated step after pilot burner is lit. Flame must be proven in the main pilot burner. Next burners are manually lit and supervised by the operator - SIL 1 - 24 month test frequency

2) Define safe state for each SI ignition of the next burner is proven by the field Operator. If ignition fails a 1 minute trial period is procedurally followed by the Operator to allow a partial furnace purge


closed double block isolation valves for the 2nd and subsequent burner fuel supply


fuel pressure upset – demand

5) SIF process measurements and trip values no flame proven in pilot burner with temperature < 1400° F (760° C)

flame scanners & logic condition

position switches

QDLS analyzer

no flame proven in ignition trial period


ignition of next burner is requested by Operator

floor pilot burner flame proven with temperature < 1400° F (760° C)

or temperature > 1400° F (760° C)



fail safe


proof of flame in pilot burner when temperature < 1400° F (760° C) or when temperature > 1400° F (760° C)

Operator action to ignite after 1 minute wait period






major event will activate master fuel trip to isolate all fuels and feed streams to heater





Emergency shut down

loss of flame in pilot burner with temp < 1400° F (760° C)

low instrument air pressure



master fuel trip – where main floor burner fuel valves (main header double block & bleed shut off valves) - closed - Class IV shut off main floor burner fuel vent valves - open floor pilot fuel valves - closed coil feed inlet valves - closed coil steam flow valves - at set point



5) SIF process measurements and trip values fuel pressure transmitter

flame scanners

1o2 QDLS analyzer reading on low temperature with no flame

1o2 QDLS analyzer reading high combustibles

instrument air pressure transmitter


master fuel trip – where main floor burner fuel valves (main header double block & bleed shut off valves) - closed - Class IV shut off main floor burner fuel vent valves - open floor pilot fuel valves - closed coil feed inlet valves - closed coil steam flow valves - at set point



fail safe


restore stable flame system conditions - temperatures &/or fire box pressure &/or fuel system supply pressure - activate reset


master fuel trip


shutdown mode









low floor burner pilot gas pressure

high floor burner pilot fuel pressure



master fuel trip - where floor burner fuel valves - closed floor pilot fuel valves - closed secondary burner fuel isolation valves - closed coil feed inlet valves - closed coil steam flow valves - at set point


fuel utility upset – demand

5) SIF process measurements and trip values Pilot burner fuel pressure not low, switch downstream of 1st safety shut off valve, SIF enabled after safety valves are open with delay

pilot fuel pressure not low, pressure switch located before pilot safety shut off solenoid valves

main burner fuel pressure not high, pressure switch downstream of safety valves and before the flow valve

pilot pressure not high, pressure switch located after pilot shut off valves & regulator


master fuel trip - where floor pilot burner fuel valves - closed - Class IV shut off floor pilot fuel valves – closed secondary burner fuel isolation valves - closed - Class IV shut off coil feed inlet valves - closed coil steam flow valves - at set point



fail safe




master fuel trip


shutdown mode




1400° F (760° C) flame supervision bypass above 1400° F (760° C)


SIF action will bypass only the flame supervision system for all burners when combustion chamber temperature is at or above 1400° F (760° C)




N/A


N/A

5) SIF process measurements and trip values 2o2 QDLS analyzer temperature readings


transmitters have down scale burn out



fail safe


SIF action will automatically restore flame supervision when temperature is below 1400° F (760° C)




start-up mode



5. Process specific protection - Excess

temperature protection Steam standby trip


low hydrocarbon feed flow




main wall burner fuel isolation valves - closed



floor burners to min fire


major Unit upset - demand

5) SIF process measurements and trip values feed flow meter








fail safe


restore flow - activate reset


feed upsets are only allowed with all fuels tripped or in steam standby mode


standby mode


low fire to allow for system restoration or cooling down

6. Decoke Mode - permissive Steam standby trip


permissive to start decoke mode are defined, low process feed flow SIF is bypassed during decoke mode, all other BMS SIFs are in service





secondary burner fuel isolation valves - closed







process feed valve closed position switch




secondary burner fuel isolation valves - closed













decoke mode


low fire to allow for system restoration or cooling down



N/A – no steam generation hazards exist



2) Define safe state for each SI N/A – no steam generation hazards exist





5) SIF process measurements and trip values N/A – no steam generation hazards exist



7) Manual SD requirement N/A – no steam generation hazards exist












isolation system requirement NFPA has be interpreted to require the emergency trip and isolation logic to be hardwired in the "master fuel trip" logic string, separate from the SIS.


master fuel trip

SIL N/A - 24 month test frequency



master fuel trip – where







manual activation by Operator – demand



manual activation of the master fuel trip - 1 local activation switch & 1 CCR activation switch - master fuel trip - where



coil feed inlet valves – closed















SIFs Master fuel trip application per API RP 556 & NFPA ®85


Master fuel trip application per API RP 556 - master fuel trip





N/A








N/A


N/A


N/A


N/A

10. Safety PLCs Prescriptive requirements in API RP 556


SIS - SIL 3 capable logic solver





N/A



SIS – SIL 3 capable logic solver





N/A


N/A


N/A


N/A

11. Safety shut off valve requirements rated fuel shut off valves - per NFPA 86 & NFAP 85


SIS - SIL 3 capable logic solver





N/A



double block and bleed rated valves for floor burner system - Class IV shut off, 1st block master shut off valve on fuel header, no vent valve, 2nd burner shut off valve at each burner system


all valves with provisions for annual Class IV leakage testing per NFPA 85





N/A


N/A


N/A


N/A

Company B - Personnel Training and Qualifications

1. PHA process or other methodology to establish target SIL

SIL is set in the PHA process using LOPA.




SIF design and maintenance required follow Site standards. LOPA practitioners are trained and internally certified. Internal PHA training and certification process. Safety engineers are ISA84 certified experts.


New hires require 2 year control technician degree or significant experience.

Company B - Considerations for Long Testing Intervals


Not done, systems do not support transmitter signal analysis and maintenance to verify trip points are appropriate except during controlled off line testing procedure?


Operations schedules and oversees testing, instrument technicians perform most testing functions per written procedures.


full testing is normally done, covering meter sensor thru logic solver and final element. Segmented testing is done sometimes for involved logic applications.


SIFs are set at 24 month testing frequency


High reliability considerations are used, but some BMS applications have single vote to trip. Segmenting testing is allowed but normally not done for BMS. No partial stroke applications in BMS.


no MOVs are used in SIF required actions.

Appendix 3 - Practices and Approaches – Company C - Ethylene induced draft cracking furnace system consisting of multiple piloted main floor burners & staged fuel floor burners & wall burners 1. Safe to start checks - cold fire box

start up a. check for isolation of fuels (pilot fuel & burner fuel & feed & secondary fuels) & Pre-light permissive – permissive for start of purge


Permissive where all process feeds & fuels isolated from the fire box & start-up is in progress - SIL 1 - 12 month test frequency or at every maintenance turnaround that disturbs the system

2) Define safe state for each SIF all valves at SIF master fuel trip action positions


all process feeds & fuels isolated from the fire box & start-up is in progress, fuel header pressure test logic



5) SIF process measurements and trip values List of permissive states that are checked - closed position switches on main burner fuel valves open position switch on fuel vent valve automated fuel header pressure check (fuel cock valve closure & leakage test for manually activated fuel isolation valves at multiple burners) main floor staged burner fuel valve closed (valve is opened during automated fuel header pressure check) closed position switches on wall burner fuel valves open position switch on wall burner fuel vent valve minimum stop position on burner air registers VFD on ID fan on pressure control & acceptable current load (ID fan may optionally run at fixed speed, subject to physical limitations) position switches on feed isolation valves temperature transmitters (box) where proof of furnace temp < 1400° F (760° C), 2o3 voting pressure transmitters (fuel & pilot & box pressure) with trip limits active relay contact – logic status visual proof of no flame

6) SIF actions and / or criteria (e.g. shut off class, speed) such as response time requirement to bring process to a safe state

fuel isolation valves for pilot gas are closed fuel vent valve for pilot gas is open all fuel other valves maintained in master fuel tip position - closure on all fuel isolation valves - Class V shutoff open on all fuel vent valves closure of all feed valves minimum speed stop on ID fan VFD physical minimum stop on burner registers



fail safe




normal mode for this state is no flames in fire box, temp < 1400° F (760° C) requiring a box purge before burner ignition is allowed, Operations is making preparations to ignite a burner system


this is the 1st action in the start-up sequence – satisfying the conditions will allow the purge step to be done when requested






Permissive where Operator starts purge cycle. Purge conditions maintained for required time & permissive for start of purge are maintained for entire purge cycle & up to time of 1st pilot ignition - SIL 1 - 12 month test frequency or at every maintenance turnaround that disturbs the system


VFD on ID fan at draft pressure control & acceptable current load

minimum stop position on burner air registers


logic condition – time for a minimum of 5 volumes of air turnover in fire box












valid purge time satisfied 7) Manual SD requirement N/A


fail safe






this is the 2nd action in the start-up sequence – at the end of the purge cycle the pilot gas is permitted to each pilot burner




pilots when fire box temperature is < 1400° F (760° C)

a. ignition trial with no flame in fire box as monitored by the field operator after the box has been purged - 1st pilot burner can be lit following:

1. Operator verifies all pilot fuel isolation valve are closed and executes the automatic all-burners closed test

2. Operator inspects the pilot for no flame 3. Operator inserts the portable electric igniter into the pilot 4. Operator resets pilot fuel trip, then opens pilot gas valve and

confirms ignition within 15 seconds 5. Operator moves on to next pilot and repeats steps for all other pilots


Operator initiated step after purge & with ID fan on draft pressure control. All purge cycle permissive must be maintained and pilot fuel gas pressure must not be high or low - SIL 1 - 12 month test frequency

2) Define safe state for each SI if ignition of the pilot is not visually proven in trial period then the operator checks the fuel system, re-purges fire box, and attempts ignition again or tags the burner for maintenance


all process feeds & floor burner fuels isolated from the fire box



5) SIF process measurements and trip values all valve positions for fuel & feed at step 1a position until main fuel is reset by operator after pilots are lit

pilot fuel gas high or low pressure trip value with fire box temp < 1400° F (760° C) will trip system to not purged status



ignition of pilot is by Operator manual field action

pilot fuel gas high or low trip value with fire box temp < 1400° F (760° C) will trip system to not purged status

all valves will go to master fuel trip positions

pilot fuel isolation and vent valves will be at trip position



fail safe


proof of purge maintained & Operator request to reset pilot fuel gas


Operator started & managed ignition cycle, if a pilot cannot be lit the operator will tag it for maintenance & move on to next burner




pilot fuel gas high or low pressure trip value with fire box temp < 1400° F (760° C) will trip system to not purged status


main floor burners when fire box temperature is < 1400° F (760° C)

b. ignition of main floor burners


Operator initiated step after all pilots are manually lit, ID fan on pressure control with fire box temp < 1400° F (760° C) - SIL 1 - 12 month test frequency of floor burner fuel trip reset

2) Define safe state for each SIF ignition of the floor burners is done by manual operation of the individual burner manual isolation valve by the operator. Operator verifies burner is ignited by the pilot and maintains supervision of flame stability until fire box temperature exceeds 1400° F (760° C). If burner does not lite, operator re-tries and if not successful will tag off for maintenance.


master fuel trip position for all floor burner isolation valves if not reset


fuel supply problems – demand

5) SIF process measurements and trip values List of permissives for reset of master floor burner isolation valves – closed position switches on main burner fuel valves open position switch on fuel vent valve position switches on staged fuel valve (must be open before automated pressure check, must be closed before main burner ignition) automated fuel header pressure check (fuel cock valve closure & leakage test for manually activated fuel isolation valves at multiple burners) main floor staged burner fuel valve closed (valve is opened during automated fuel header pressure check) closed position switches on wall burner fuel valves open position switch on wall burner fuel vent valve fuel flow valve set to fuel gas pressure control minimum stop position on burner air registers VFD on ID fan set at draft pressure control & acceptable current load (ID fan may optionally be run at fixed speed, subject to physical limitations) position switches on feed isolation valves temperature transmitters (box) where proof of furnace temp < 1400° F (760° C), 2o3 voting prevents staged fuel firing pressure transmitters (fuel & pilot & box pressure) with active trip points relay contact – logic status purge sequence complete pilot fuel reset complete operator request of main floor burner fuel isolation valves reset


reset of floor burner fuel isolation valves is requested by Operator

pilots isolation valves are reset & all requirements for pilot ignition is satisfied

7) Manual SD requirement yes - manual SD will shut down all burners


fail safe


proof of purge maintained & Operator request to reset floor burner fuel isolation valves


Operator starts & completes floor burner ignition




pilot fuel gas high or low trip value with fire box temp < 1400° F (760° C) will trip system to not purged status

manual emergency trip will isolate fuel system



master total fuel trip is triggered by-


Emergency shut down

low ID fan current


2) Define safe state for each SI all process feeds isolated from the fire box & fuel isolated from floor & wall burners (pilots remain in operation)



main floor burner fuel valves - closed - Class V shutoff main floor burner fuel vent valves – open main wall burner fuel isolation valves - closed - Class V shutoff main wall burner fuel vent valves - open closure of all feed valves minimum speed stop on ID fan VFD physical minimum stop on burner registers coil feed inlet valves – open and steam purging coil steam flow valves - at set point



5) SIF process measurements and trip values ID fan starter contacts

ID fan current switch



master fuel trip - where main floor burner fuel valves - closed - Class V shutoff main floor burner fuel vent valves - open floor pilot fuel valves – closed main wall burner fuel isolation valves - closed - Class V shutoff main wall burner fuel vent valves - open floor and wall fuel control valves - closed coil feed inlet valves - closed coil steam flow valves - at set point fire box air ID fan remains in last mode (draft pressure control or speed control) de-energized - device will be in the interlock position



fail safe


Establish re-start permissives by either 1) prepare to re-purge fire box (1a), or 2) restart main burners (2b) depending on fire box temperature


1) master fuel trip on < 1400° F (760° C) fire box or manual trip or

2) master fuel trip on > 1400° F (760° C) fire box


shutdown mode



3. Combustion safeguards b. Assurance of main burner within pressure boundaries (high or low floor burner fuel pressure for flame stability)


master total fuel trip







main floor burner fuel valves - closed - Class V shutoff main floor burner fuel vent valves – open main wall burner fuel isolation valves - closed - Class V shutoff main wall burner fuel vent valves - open closure of all feed valves fire box air ID fan remains in last mode (draft pressure control or speed control) physical minimum stop on burner registers coil feed inlet valves – open and steam purging coil steam flow valves - at set point


utility upset – demand

fuel controller failure - continuous

5) SIF process measurements and trip values main burner fuel pressure not low, pressure transmitter downstream of 2nd shut off valve, SIF enabled after fuel gas pressure reset

main burner fuel pressure not high, pressure transmitter downstream of shut-off valves and flow valve


master fuel trip – where main floor burner fuel valves - closed - Class V shutoff main floor burner fuel vent valves - open main wall burner fuel isolation valves - closed - Class V shutoff main wall burner fuel vent valves - open floor and wall fuel control valves - closed coil feed inlet valves - closed coil steam flow valves - at set point fire box air ID fan remains in last mode (draft pressure control or speed control) de-energized - device will be in the interlock position

fuel isolation valves for pilot gas are not tripped – pilots stay in service 7) Manual SD requirement yes - manual SD will shut down all burners


fail safe


Establish re-start permissives by either 1) prepare to re-purge fire box (1a), or 2) restart main burners (2b) depending on fire box temperature


master fuel trip


shutdown mode



3. Combustion safeguards c. Assurance of pilot fuel within pressure boundaries (high or low pilot

fuel pressure for flame stability) – action is temperature dependent –

1. when fire box temp < 1400° F (760° C) pilots & master fuel trip is activated

2. when fire box temp > 1400° F (760° C) only pilot trip is activated 1) SIFs necessary to achieve target risk criteria including target SIL and requirements for proof interval testing

Pilot trip


low pilot burner fuel pressure

high pilot burner fuel pressure

2) Define safe state for each SI 1. when fire box temp < 1400° F (760° C) pilots & master fuel trip is activated

2. when fire box temp > 1400° F (760° C) only pilot trip is activated (floor & wall burners remain in operation)


when fire box temp < 1400° F (760° C) pilot trip is activated & master fuel trip is activated pilot isolation valves are closed pilot vent valve is open master fuel trip - where main floor burner fuel valves - closed - Class V shutoff main floor burner fuel vent valves – open main wall burner fuel isolation valves - closed - Class V shutoff main wall burner fuel vent valves - open closure of all feed valves minimum speed stop on ID fan VFD physical minimum stop on burner registers coil feed inlet valves – open and steam purging coil steam flow valves - at set point when fire box temp > 1400° F (760° C) only pilot trip is activated (floor & wall burners remain in operation) pilot isolation valves are closed pilot vent valve is open



5) SIF process measurements and trip values pilot fuel pressure not low or high, pressure transmitter located before pilot header valves


floor pilot fuel valves – temperature dependent as described above pilot trip - where pilot isolation valves are closed pilot vent valve is open master fuel trip - where main floor burner fuel valves - closed - Class V shutoff main floor burner fuel vent valves - open main wall burner fuel isolation valves - closed - Class V shutoff main wall burner fuel vent valves - open coil feed inlet valves – open and steam purging coil steam flow valves - at set point fire box air ID fan remains in last mode (draft pressure control or speed control) de-energized - device will be in the interlock position

7) Manual SD requirement yes - manual SD will shut down all pilots (master fuel trip is temperature dependent)


fail safe


restore fuel supply - activate reset – restore pilots & burners to operation


Pilot trip & / or master fuel trip


shutdown mode




1400° F (760° C) – staged floor burners & wall burners – fire box temperature is > 1400° F (760° C)

a. flame supervision bypass above 1400° F (760° C) - ignition of staged floor burners & wall burners


Operator initiated step to reset the isolation valves for these burners after all floor burners are manually lit, ID fan on pressure control with fire box temp > 1400° F (760° C) - SIL1 - 12 month - ignition of the staged floor burners is done by manual operation of the individual burner manual isolation valve by the operator after the main staged floor burner isolation valves has been reset. Operator verifies burner is ignited by the fire box. Ignition of the wall burners is done by manual operation of the individual wall burner manual isolation valves by the operator after the main wall burner isolation valve has been reset. Operator uses a portable ignition torch to light wall burners. If burner does not lite, operator re-tries and if not successful will tag off for maintenance.

2) Define safe state for each SI Staged floor burner and wall burner isolation valves are in interlock position


master fuel trip position for all staged floor burner isolation valves and wall burner isolation valves if not reset


Upset heater with low temperature – demand

5) SIF process measurements and trip values List of permissives for reset of the stage floor burner isolation valves & wall burner isolation valves – Main floor burners not tripped temperature transmitters (box) where proof of furnace temp > 1400° F (760° C), 2o3 voting with transmitter down scale burn out


reset of staged floor burner fuel isolation valves is requested by Operator & reset of the wall burner fuel isolation valves is requested by Operator

7) Manual SD requirement yes - manual SD will shut down all wall and staged burners


fail safe


when fire box temp > 1400° F (760° C) & Operator request to reset staged floor burner fuel isolation valves & wall burner isolation valves




start-up mode


during a major upset that caused the fire box temperature to drop, the staged floor burners & wall burner systems would be automatically removed from operation by isolating the fuel systems for each

5. Process specific protection a. Steam standby trip


low hydrocarbon feed pressure

high fire box pressure

low dilution steam flow


2) Define safe state for each SI all process feeds isolated from the fire box & fuel isolated from wall burners & staged floor burners & floor burners at low fire position & sweep steam on heater tubes


partial fuel trip - where

main floor staged burner fuel valve – closed main wall burner fuel isolation valves - closed - Class V shutoff main wall burner fuel vent valves - open floor fuel valves at low fire position closure of all feed valves minimum speed stop on ID fan VFD physical minimum stop on burner registers coil feed inlet valves – open and steam purging coil steam flow valves - at set point


major Unit upset or extremely high wind event - demand

5) SIF process measurements and trip values 2o3 feed pressure transmitters


2o3 steam flow transmitters


partial fuel trip - where main floor staged burner fuel valve - closed main wall burner fuel isolation valves - closed - Class V shutoff main wall burner fuel vent valves - open coil feed inlet valves – open and steaming coil steam flow valves - at set point fire box air ID fan remains in last mode (draft pressure control or speed control) de-energized - device will be in the interlock position

fuel isolation valves for pilot gas are not tripped – pilots stay in service

7) Manual SD requirement yes - manual SD will initiate partial trip


fail safe


restore feed pressure or fire box control - activate reset - when fire box temp > 1400° F (760° C) the floor burners & staged floor burner & wall burners fuel flow can be re-established by the operator


Partial firing trip, i.e. hot steam standby


shutdown mode



5. Process specific protection b. Decoke transition trip


high tube pressure


2) Define safe state for each SI all process feeds isolated from the fire box & fuel isolated from wall burners & staged floor burners. Floor burners at low fire position & sweep steam on heater tubes. Open path to either the decoking facility or fractionation train


partial fuel trip - where floor fuel valves at reduced fire position (may prevent operation of staged fuel and wall burners, depending on fire box temperature) closure of all feed valves minimum speed stop on ID fan VFD physical minimum stop on burner registers coil feed inlet valves - closed coil steam flow valves - at set point

At least one open path to either fractionator train or decoking facilities, but hydraulics do not allow revers hydrocarbon flow to decoking facilities


major Unit upset or failure in steam pressure control system - demand

5) SIF process measurements and trip values 2o3 effluent pressure transmitters


partial fuel trip - where floor fuel valves at reduced fire position (may prevent operation of staged fuel and wall burners, depending on fire box temperature) closure of all feed valves minimum speed stop on ID fan FVD physical minimum stop on burner registers coil feed inlet valves - closed coil steam flow valves - at set point

coil feed inlet valves – open and steam purging

fire box air ID fan remains in last mode (draft pressure control or speed control) de-energized - device will be in the interlock position


At least one open path to either fractionator train or decoking facilities, but hydraulics do not allow revers hydrocarbon flow to decoking facilities

7) Manual SD requirement yes - manual SD will interrupt and reverse transition


fail safe


restore outlet path and proceed with transition automatically


Trip is only active during transitions to and from fractionation train (for decoking)


Interrupt transition to prevent furnace overpressure


None

6. Decoke Mode - permissive a. Air decoke permissive


permissive to start decoke mode are defined, all BMS SIFs are in service




partial fuel trip - where floor fuel valves at reduced fire position (may prevent operation of staged fuel and wall burners, depending on fire box temperature) closure of all feed valves minimum speed stop on ID fan VFD physical minimum stop on burner registers coil feed inlet valves - closed coil steam flow valves - at set point

At least one open path to either fractionator train or decoking facilities, but hydraulics do not allow revers hydrocarbon flow to decoking facilities. Prior to decoke air introduction, proven isolation from fractionation train is required.




feed valve closed position switch

ONIS line blinds on process feed line & air feed line are mechanically linked – procedurally controlled


effluent valve cavity pressure low pressure switch


Allow introduction of decoking air on operator request

7) Manual SD requirement yes - manual SD will shut down will stop decoking air








decoke mode



6. Decoke Mode – process specific b. Steam standby trip


Low dilution steam flow


2) Define safe state for each SI process feed proven isolated from the fire box & heater effluent valve proven isolated from quench system – master fuel trip





Upset of steam utility during decoke cycle - demand

5) SIF process measurements and trip values steam flow meter


trips decoke air off master fuel trip - where main floor burner fuel valves - closed - Class V shutoff main floor burner fuel vent valves - open main wall burner fuel isolation valves - closed - Class V shutoff main wall burner fuel vent valves - open coil feed inlet valves – open and steam purging coil steam flow valves - at set point fire box air ID fan remains in last mode (draft pressure control or speed control) de-energized - device will be in the interlock position










decoke mode





low low steam drum level (2o3)

high superheat temperature

high quench system temperature


master fuel trip






fire box air ID fan remains in last mode (draft pressure control or speed control) de-energized - device will be in the interlock position



major upset of steam header or upset in BFW or low feed flow- demand


3 independent temperature transmitters in superheat & quench systems



all fuel valves maintained in master fuel tip position - closure on all fuel isolation valves - Class V shutoff open on all fuel vent valves closure of all feed valves fire box air ID fan remains in last mode (draft pressure control or speed control) de-energized - device will be in the interlock position

fuel isolation valves for pilot gas are not tripped – pilots stay in service 7) Manual SD requirement yes - manual SD will shut down all burners




restore level & temperature - activate reset




shutdown mode


Pilots on with ID fan running to allow for system restoration or cooling down


isolation system requirement all logic is integrated into the SIL logic solver – Manual and master fuel trip application is integrated within SIL logic solver


Manual shut down will activate the fuel trip application SIL N/A - 12 month test frequency

2) Define safe state for each SI all process feeds isolated from the fire box & fuel isolated from floor & wall burners – pilot fuel may continue if fire box temp > 1400° F (760° C)


Operator input dependent





manual activation of the master fuel trip - 1 local activation switch & 1 CCR activation switch












9. Special requirements for hardwired SIFs

N/A


N/A



N/A


N/A



N/A



N/A


N/A


N/A


N/A


N/A

10. Safety PLCs Company standard SIL 3 capable logic solver is used


SIS - SIL 3 capable





N/A



SIS - SIL 3 capable





N/A


N/A


N/A


N/A

11. Safety shut off valve requirements rated fuel shut off valves – Class V for forward flow


SIS - SIL 3 capable system





N/A



fuel manifold pressure test to test for closure of individual burner cock valves

double block and bleed rated valves for floor burner system - Class V shut off, 1st block master shut off valve on fuel header, common vent valve, 2nd burner shut off valve on common fuel header, Manual isolation valve at each burner

single Class V shut off valve downstream of main floor burner fuel isolation valve set for the staged burner system

double block and bleed rated valves for wall burner system - Class V shut off, 1st block master shut off valve on fuel header, common vent valve, 2nd master fuel shut off valve. Manual isolation valve at each burner


all valves with provisions for Class V leakage testing per company maintenance practices





N/A


N/A


N/A


N/A

Company C - Personnel Training and Qualifications 1. PHA process or other methodology to establish target SIL

SIL is set in the PHA process using LOPA. LOPA follows internal corporate rule structure using trained & certified LOPA leaders.




Internal corporate training for SIF design and maintenance required following corporate standards. Internal LOPA training and certification process. Internal PHA training and certification process


Practices not known by contributor representative.

Company C - Considerations for Long Testing Intervals


Not done. All trips are documented and investigated.


Instrument group schedules and oversees testing; instrument technicians perform most testing functions per written procedures with Operations assistance.




SIFs are set at 12 month testing frequency and / or a test at after major maintenance work due to corporate BMS standards and process fouling


High reliability considerations are used (minimal single vote to trip, 2o3 meter voting, in line valve leakage testing). Segmenting testing is allowed but not needed. No partial stroke applications with the BMS applications.



Appendix 4 - Practices and Approaches – Company D - Ethylene induced draft cracking furnace system consisting of 156 wall burners 1. Safe to start checks - cold fire box

start up a. check for isolation of fuels (wall burner fuels) & Pre-light permissive – permissive for start of purge








5) SIF process measurements and trip values List of permissive states that are checked - closed position switches on wall burner fuel isolation valves open position switch on wall burner fuel vent valve fuel gas header at burners at 0.0 psig low fire position switches on fuel flow valve minimum stop position on ID fan air damper minimum stop position on wall burners Steam driven ID fan status via measurement of speed ID fan d/p adequate Fire box d/p adequate position switches on feed isolation valves temperature transmitters (box) where proof of furnace temp < 1400° F (760° C), 2o3 voting (fire box LEL SIF bypassed > 1400° F (760° C)) logic status no bad process variables indicated no SIFs in bypass state visual proof of no flame by Operator


all fuel other valves maintained in master fuel tip position - closure on all fuel isolation valves - Class V shutoff open on all fuel vent valves fuel valve at low fire position closure of all feed valves minimum speed stop on ID fan minimum governor speed physical minimum stop on burner registers



fail safe




normal mode for this state is no flames in fire box, temp < 1400° F (760° C), Operations is making preparations to ignite a burner system








Permissive where Operator starts purge cycle. Purge conditions maintained for required time & permissive for start of purge are maintained for entire purge cycle & up to time of 1st burner ignition - SIL 1 - 12 month test frequency or at every maintenance turnaround that disturbs the system

2) Define safe state for each SI all valves at SIF master fuel trip action positions while purge cycle is executed





5) SIF process measurements and trip values all valves at SIF master fuel trip action positions in step 1a while purge cycle is executed

governor on ID fan at minimum speed

fan speed satisfied

fan d/p satisfied

fire box d/p satisfied



logic condition – time for 5 volumes of air turnover in fire box logic timer – started by operator request for purge

at end of purge cycle 2 other permissives are enabled –

1. Automated pressure test of the fuel header to verify individual burner fuel manual isolation valves are closed.

2. Fire box LEL SIF is enabled – 1o2 LEL meter SIF will initiate a master fuel trip on high LEL in the fire box when temperature is < 1400° F (760° C)


purge requested by Operator – if purge conditions are not satisfied logic status of purge complete is not attained

all fuel other valves maintained in master fuel tip position - closure on all fuel isolation valves - Class V shutoff open on all fuel vent valves fuel valve at low fire position closure of all feed valves minimum speed stop on ID fan minimum governor speed physical minimum stop on burner registers



fail safe






this is the 2nd action in the start-up sequence – at the end of the purge cycle the burner gas is permitted to be reset by the Operator



2. Ignition trial period – ignition of 1st

group of wall burners when fire box temperature is < 1400° F (760° C)

a. ignition trial with no flame in fire box as monitored by the field operator after the box has been purged - 1st wall burner can be lit following:

1. Operator verifies wall burner fuel isolation valve is closed, fuel system double block & bleed isolation is reset by Operator

2. Operator inspects the burner for no flame 3. Operator inserts the portable electric igniter into the burner 4. Operator opens wall burner gas valve and confirms ignition within

15 seconds 5. Operator moves on to next burner and repeats steps for all burners

in 1st group 1) SIFs necessary to achieve target risk criteria including target SIL and requirements for proof interval testing

Operator initiated step after purge & with ID fan speed control. All purge cycle permissive must be maintained and fuel gas pressure must not be high or low - SIL 1 - 12 month test frequency

2) Define safe state for each SI if ignition of the burner is not visually proven in trial period then the operator checks the fuel system and attempts ignition again or tags the burner for maintenance





5) SIF process measurements and trip values All valves will move to master fuel trip (step 1a) positions when -

fuel gas high or low trip

governor on ID fan tripped

fan speed not satisfied

fan d/p not satisfied

fire box d/p not satisfied

Fire box LEL SIF is enabled – 1o2 high LEL meter SIF will initiate a master fuel trip on high LEL in the fire box when temperature is < 1400° F (760° C)

Low steam drum level



ignition of burner is supervised by Operators - manual field action

all valves will go to master fuel trip positions listed in 1a

system will change to not purged logic status



fail safe


proof of purge maintained & Operator request to reset fuel gas


Operator started & managed ignition cycle, if a pilot cannot be lit the operator will tag it for maintenance & move on to next burner




Flame supervision is maintained by Operator until fire box temperature >1400° F (760° C)

2. Ignition trial period – ignition of next group of wall burners when fire box temperature is < 1400° F (760° C)

b. ignition of next group of wall burners

1. Operator inspects the burner for no flame 2. Operator inserts the portable electric igniter into the burner 3. Operator opens wall burner gas valve and confirms ignition within

15 seconds 4. Operator moves on to next burner and repeats steps for all burners

in this group 1) SIFs necessary to achieve target risk criteria including target SIL and requirements for proof interval testing

Operator initiated step after 1st group of wall burners are manually lit, ID fan on speed control with fire box temp < 1400° F (760° C) - SIL 1 - 12 month test frequency of wall burner fuel trip reset

2) Define safe state for each SIF ignition of the wall burners is done by manual operation of the individual burner manual isolation valve by the operator. Operator verifies burner is ignited by the igniter and maintains supervision of flame stability until fire box temperature exceeds 1400° F (760° C). If burner does not lite, operator re-tries and if not successful will tag off for maintenance.


master fuel trip position for all wall burner isolation valves if not reset






fan speed satisfied

fan d/p satisfied

fire box d/p satisfied


Fire box LEL SIF is enabled – 1o2 LEL meter SIF will initiate a master fuel trip on high LEL in the fire box when temperature is < 1400° F (760° C)

Low steam drum level

relay contact – logic status 6) SIF actions and criteria (e.g. shut off class, speed) such as response time requirement to bring process to a safe state

ignition of burner is supervised by Operators - manual field action

all valves will go to master fuel trip positions listed in 1a

system will change to not purged logic status



fail safe


proof of purge maintained & Operator request to reset wall burner fuel isolation valves


Operator starts & completes wall burner ignition




Flame supervision is maintained by Operator until fire box temperature >1400° F (760° C)

3. Combustion safeguards General safe guards – assurance of stable flame




Emergency shut down



fan speed not satisfied

fan d/p not satisfied

fire box d/p not satisfied

Fire box LEL SIF is enabled – 1o2 LEL meter SIF will initiate a master fuel trip on high LEL in the fire box when temperature is < 1400° F (760° C)




main wall burner fuel isolation valves - closed - Class V shutoff main wall burner fuel vent valves – open fuel valves at low fire position closure of all feed valves minimum speed stop on ID fan governor physical minimum stop on burner registers coil feed inlet valves - closed coil steam flow valves - at set point



5) SIF process measurements and trip values fuel gas high or low trip governor on ID fan tripped fan speed not satisfied fan d/p not satisfied fire box d/p not satisfied Fire box LEL SIF is enabled – 1o2 LEL meter SIF will initiate a master fuel trip on high LEL in the fire box when temperature is < 1400° F (760° C) relay contact – logic status






fail safe


restore stable flame conditions - fan & fire box pressures - activate reset


master fuel trip


shutdown mode




1400° F (760° C) – staged floor burners & wall burners – fire box temperature is > 1400° F (760° C)

flame supervision bypass above 1400° F (760° C) – bypass of 1o2 fire box LEL meter SIF


Automatic action - with fire box temp > 1400° F (760° C) - SIL 1 - 12 month

2) Define safe state for each SI Wall burner isolation valves are in interlock position – master fuel trip


master fuel trip position for all wall burner isolation valves if not reset




Fire box LEL SIF is enabled – 1o2 high LEL meter SIF will initiate a master fuel trip on high LEL in the fire box when temperature is < 1400° F (760° C)


reset of the wall burner fuel isolation valves is requested by Operator

7) Manual SD requirement yes - manual SD will shut down all burners & when fire box temp < 1400° F (760° C) & LEL is high


fail safe


SIF will reset automatically when fire box temperature < 1400° F (760° C)




start-up mode


during a major upset that caused the fire box temperature to drop, the SIF will be engaged

5. Process specific protection No process specific SIFs are implemented with this heater system


N/A



N/A


N/A



N/A



N/A


N/A


N/A


N/A


N/A

6. Decoke Mode - permissive problems with decoke valve setup will initiate a master fuel trip


permissive to start decoke mode are defined, all other BMS SIFs are in service










air feed valve closed / open position switches

Double block effluent valve closed position switches

effluent valve cavity pressure low pressure switch


Air valves will be closed if decoke permissive states are tripped

and









Master fuel will put the Unit in a safe mode


decoke mode


Master fuel trip with ID fan running to allow for system restoration or cooling down



low steam drum level (2o3)


master fuel trip







major upset of steam header or upset in BFW or low feed flow- demand









restore level - activate reset




shutdown mode


ID fan running to allow for system restoration or cooling down


isolation system requirement all logic is integrated into the SIL logic solver – Manual and master fuel trip application is integrated within SIL logic solver


Manual shut down will activate the master fuel trip application SIL N/A - 12 month test frequency























all logic is integrated into the SIL logic solver – Manual and master fuel trip application is integrated within SIL logic solver


Manual shut down will activate the master fuel trip application SIL N/A - 12 month test frequency





N/A



de-energized - device will be in the interlock position – independent SVs on all SIF valves





N/A


N/A


N/A


N/A



SIS - SIL 3 capable





N/A



SIS - SIL 3 capable





N/A


N/A


N/A


N/A

11. Safety shut off valve requirements rated fuel shut off valves – Class V







N/A



fuel manifold pressure test to test for closure of individual burner cock valves

double block and bleed rated valves for wall burner system - Class V shut off, 1st block master shut off valve on fuel header, common vent valve, 2nd burner shut off valve on common fuel header

single Class V shut off valve used in fuel manifold automated pressure test


all valves with provisions for Class V leakage testing per company maintenance practices





N/A


N/A


N/A


N/A

Company D - Personnel Training and Qualifications 1. PHA process or other methodology to establish target SIL

SIL is set in the PHA process using risk matrix. External certified LOPA leaders. PHAs follow internal corporate rule structure using trained & certified leaders.




Internal corporate training for SIF design and maintenance required following corporate standards. External LOPA training and certification process. Internal PHA training and certification process.


2 year degree IT program or experienced technicians. SIS maintenance group is dedicated and all SIF components are marked.

Company D - Considerations for Long Testing Intervals


Not done. All trips are documented and investigated.


Instrument group schedules and oversees testing; instrument technicians perform most testing functions per written procedures with Operations assistance.




SIFs are set at 12 month testing frequency and / or a test at after major maintenance work due to corporate BMS standards and process fouling


High reliability considerations are used (no single vote to trip, 2o3 meter voting, in line valve leakage testing). No partial stroke applications with the BMS applications.



Appendix 5 - Practices and Approaches – Company E - Ethylene induced draft cracking furnace system consisting of multiple piloted automated main floor burners & manually lit wall burners 1. Safe to start checks - cold fire box start up

a. check for isolation of fuels (pilot fuel & burner fuel & feed) & Pre-light permissive – permissive for start of purge








5) SIF process measurements and trip values List of permissive states that are checked - closed position switches on main burner fuel valves open position switch on fuel vent valve closed position switches on staged fuel valve main floor staged burner fuel valve closed (valve is opened during automated fuel header pressure check) closed position switches on wall burner fuel valves open position switch on wall burner fuel vent valve low fire position switches on fuel flow valve minimum stop position on burner air registers ID fan and dampers at pressure control & acceptable current load position switches on feed isolation valves temperature transmitters (box) where proof of furnace temp < 1300° F, 2o3 voting pressure transmitters (fuel & pilot fuel system pressure) pressure transmitters (fire box pressure pressure) SIS contact – logic status visual proof of no flame


fuel isolation valves for pilot gas are closed fuel vent valve for pilot gas is open all fuel other valves maintained in master fuel tip position - closure on all fuel isolation valves - Class V or better shutoff open on all fuel vent valves floor fuel valves closed with fuel minimum flow bypass regulator closure of all feed valves ID fan dampers at minimum position (pressure control) physical minimum stop on burner registers



fail safe




normal mode for this state is no flames in fire box, temp < 1300° F, Operations is making preparations to ignite a burner system





1. Safe to start checks when fire box is < 1300° F



Permissive where Operator starts purge cycle. Purge conditions maintained for required time & permissive for start of purge are maintained for entire purge cycle & up to time of 1st pilot ignition - SIL 2 - 12 month test frequency or at every maintenance turnaround that disturbs the system


ID fan dampers on pressure control & acceptable current load


fan d/p adequate

fire box d/p adequate


logic condition – time for 5 volumes of air turnover in fire box






SIS contact – logic status






fan d/p adequate

pressure control of ID fan dampers



fail safe






this is the 2nd action in the start-up sequence – at the end of the purge cycle the pilot gas is permitted to each pilot burner




pilots when fire box temperature is < 1300° F

All pilots are lit before any burners

a. ignition trial with no flame in fire box as monitored by the field operator after the box has been purged - 1st pilot burner and all following floor pilot burners can be lit following:

1. Operator verifies no flame in system 2. Operator inspects the pilot for no flame 3. Operator inserts the portable torch igniter into the pilot 4. Operator requests start of pilot and SIS confirms ignition within 15

seconds 5. Operator moves on to next pilot and repeats steps for all pilots


Operator initiated step after purge & with ID fan pressure control speed. All purge cycle permissive must be maintained and pilot fuel gas pressure must not be high or low - SIL 2 - 12 month test frequency

2) Define safe state for each SI if ignition of the pilot is not proven in trial period t by flame scanner, then SIS action isolates pilot fuel and requires 1 minute pause for partial system purge.





5) SIF process measurements and trip values all valve positions for fuel & feed at step 1a position until main fuel is reset by operator after pilots are lit

pilot fuel gas high or low trip value will trip all pilots and SIS will set system to not purged status

SIS contact – logic status


ignition of pilot is by Operator manual field action


all valves will go to master fuel trip positions

pilot fuel isolation and vent valves will be at trip position

7) Manual SD requirement yes – “Global” shutdown will shut down all burners & pilots


fail safe


proof of purge maintained & Operator request to reset pilot fuel gas


Operator started ignition cycle, if a pilot cannot be lit the operator will tag it for maintenance & move on to next burner






main floor burners when fire box temperature is < 1300° F

b. ignition of all main floor burners


Operator initiated step after all pilots are lit, ID fan on pressure control with fire box temp < 1300° F - SIL 2 - 12 month test frequency of floor burner fuel trip reset

2) Define safe state for each SIF ignition of the floor burners is done by remote operation of the individual burner resets by the operator. Flame scanners verify burner is ignited by the pilot and maintains supervision of flame stability until fire box temperature exceeds 1300° F. If burner does not lite, operator re-tries. Excess attempts to lit, if not successful will trigger the SIS to require a re-purge.


master fuel trip position for all floor burner isolation valves if not reset



5) SIF process measurements and trip values List of permissives for reset of master floor burner isolation valves – closed position switches on main burner fuel valves open position switch on fuel vent valve closed position switches on staged fuel valve main floor staged burner fuel valve closed (valve is opened during automated fuel header pressure check) closed position switches on wall burner fuel valves open position switch on wall burner fuel vent valve closed position switches on fuel flow valve minimum position on burner air registers ID fan on pressure control & acceptable current load Fire box d/p satisfied Fan d/p satisfied position switches on feed isolation valves temperature transmitters (box) where proof of furnace temp < 1300° F, 2o3 voting pressure transmitters (fuel & box pressure) pressure switches (pilot fuel gas not high or low pressure) relay contact – logic status purge sequence complete pilot fuel reset complete operator request of main floor burner fuel isolation valves reset


reset of floor burner fuel isolation valves is requested by Operator

pilots isolation valves are reset & all requirements for pilot ignition is satisfied

7) Manual SD requirement yes - manual SD will shut down all floor burners when fire box temp < 1300° F (pilots remain lit)


fail safe


proof of purge maintained & Operator request to reset floor burner fuel isolation valves


Operator starts & completes floor burner ignition




Burner fuel gas high or low trip value with fire box temp < 1300° F will trip system to not purged status

manual emergency trip will isolate main burner fuel system





Emergency shut down

low ID fan current

high combustion chamber pressure (process trip)




main floor burner fuel valves - closed - Class V or better shutoff main floor burner fuel vent valves – open main floor staged burner fuel valve – closed main wall burner fuel isolation valves - closed - Class V or better shutoff main wall burner fuel vent valves - open floor fuel valves at closed position closure of all feed valves minimum position on ID fan registers burner registers at minimum position coil feed inlet valves - closed coil steam flow valves - at set point



5) SIF process measurements and trip values ID fan starter contacts

ID fan current switch


2o3 fan d/p pressure transmitters


master fuel trip – where main floor burner fuel valves - closed - Class V or better shutoff main floor burner fuel vent valves - open main wall burner fuel isolation valves - closed - Class V or better shutoff main wall burner fuel vent valves - open coil feed inlet valves - closed coil steam flow valves - at set point fire box air ID fan on pressure control de-energized - device will be in the interlock position

(fuel isolation valves for pilot gas are not tripped – pilots stay in service)

7) Manual SD requirement yes - manual SD will shut down all burners, pilots remain in operation


fail safe


restore combustion air & fire box pressures - activate reset


master fuel trip


shutdown mode


ID fan will continue to run to remove latent heat in fire box, pilots remain lit

3. Combustion safeguards b. Assurance of stable flame (high or low floor burner fuel pressure)


master total fuel trip







main floor burner fuel valves - closed - Class V or better shutoff main floor burner fuel vent valves – open main floor staged burner fuel valve – closed main wall burner fuel isolation valves - closed - Class V or better shutoff main wall burner fuel vent valves - open floor fuel valves at closed position closure of all feed valves pressure control of ID fan registers minimum position on burner registers coil feed inlet valves - closed coil steam flow valves - at set point



5) SIF process measurements and trip values 2o3 main burner fuel pressure not low, switch downstream of 1st safety shut off valve, SIF enabled after safety valves are open with delay

2o3 main burner fuel pressure not high, pressure switch downstream of safety valves and before the flow valve


master fuel trip - where main floor burner fuel valves - closed - Class V or better shutoff main floor burner fuel vent valves - open main wall burner fuel isolation valves - closed - Class V or better shutoff main wall burner fuel vent valves - open coil feed inlet valves - closed coil steam flow valves - at set point fire box air ID fan registers at minimum position de-energized - device will be in the interlock position

(fuel isolation valves for pilot gas are not tripped – pilots stay in service) 7) Manual SD requirement yes - manual SD will shut down all burners


fail safe




master fuel trip


shutdown mode


ID fan will continue to run to remove latent heat in fire box, pilots remain lit

3. Combustion safeguards c. Assurance of stable flame (high or low pilot fuel pressure) – action is

temperature dependent –

1. when fire box temp < 1300° F pilots & master fuel trip is activated 2. when fire box temp > 1300° F only pilot trip is activated


Pilot trip


low pilot burner fuel pressure

high pilot burner fuel pressure

2) Define safe state for each SI 1. when fire box temp < 1300° F pilots & master fuel trip is activated 2. when fire box temp > 1300° F only pilot trip is activated (floor &

wall burners remain in operation)


when fire box temp < 1300° F pilot trip is activated & master fuel trip is activated pilot isolation valves are closed pilot vent valve is open master fuel trip - where main floor burner fuel valves - closed - Class V or better shutoff main floor burner fuel vent valves – open main floor staged burner fuel valve – closed main wall burner fuel isolation valves - closed - Class V better shutoff main wall burner fuel vent valves - open floor fuel valves at closed position closure of all feed valves pressure control on ID fan registers minimum position on burner registers coil feed inlet valves - closed coil steam flow valves - at set point when fire box temp > 1300° F only pilot trip is activated (floor & wall burners remain in operation) pilot isolation valves are closed pilot vent valve is open



5) SIF process measurements and trip values pilot fuel pressure not low, pressure transmitters located before pilot safety shut off solenoid valves

pilot pressure not high, pressure transmitter located after pilot shut off valves & regulator


floor pilot fuel valves – temperature dependent as described above pilot trip - where pilot isolation valves are closed pilot vent valve is open master fuel trip - where main floor burner fuel valves - closed - Class V or better shutoff main floor burner fuel vent valves - open main wall burner fuel isolation valves - closed - Class V or better shutoff main wall burner fuel vent valves - open coil feed inlet valves - closed coil steam flow valves - at set point fire box air ID fan on pressure control de-energized - device will be in the interlock position

7) Manual SD requirement yes - manual SD will shut down all burners – pilots are not tripped by manual shut down system


fail safe

9) Reset considerations including restore fuel supply - activate reset – restore pilots & burners to operation

requirements for startup and restart of SIS


Pilot trip & / or master fuel trip


shutdown mode




1300° F – staged floor burners & wall burners – fire box temperature is > 1300° F

a. flame supervision bypass above 1300° F - ignition of staged fuel floor burners & wall burners


Operator initiated step to reset the isolation valves for these burners after all floor burners are manually lit, ID fan on pressure control with fire box temp > 1300° F - SIL 2 - 12 month - ignition of the staged floor burners is done by manual operation of the individual burner manual isolation valve by the operator after the main staged floor burner isolation valves has been reset. Ignition of the wall burners is done by permitted operation by fire box temperature > 1300° F and Operator reset of the wall burner automatic isolation valves. Individual wall burners are manually valved in by field Operator.

2) Define safe state for each SI Staged floor burner and wall burner isolation valves are in interlock position


master fuel trip position for all staged floor burner isolation valves and wall burner isolation valves if not reset



5) SIF process measurements and trip values List of permissives for reset of the stage floor burner isolation valves & wall burner isolation valves – Main floor burners not tripped temperature transmitters (box) where proof of furnace temp > 1300° F, 2o3 voting with transmitter down scale burn out


reset of staged floor burner fuel isolation valves is requested by Operator & reset of the wall burner fuel isolation valves is requested by Operator

7) Manual SD requirement yes - manual SD will shut down all burners & when fire box temp < 1300° F


fail safe


when fire box temp > 1300° F & Operator request to reset staged floor burner fuel isolation valves & wall burner isolation valves




start-up mode


during a major upset that caused the fire box temperature to drop, the staged floor burners & wall burner systems would be automatically removed from operation by isolating the fuel systems for each

5. Process specific protection a. master fuel trip


low hydrocarbon feed pressure


2) Define safe state for each SI all process feeds isolated from the fire box & fuel isolated from wall burners & staged floor burners & floor burners at low fire position & sweep steam on heater tubes



main floor burner fuel valves - closed - Class V or better shutoff main floor burner fuel vent valves – open main floor staged burner fuel valve – closed main wall burner fuel isolation valves - closed - Class V or better shutoff main wall burner fuel vent valves - open floor fuel valves at closed position closure of all feed valves ID fan register at minimum position on pressure control physical minimum stop on burner registers coil feed inlet valves - closed coil steam flow valves - at set point


major Unit upset event – demand

5) SIF process measurements and trip values 2o3 steam pressure transmitters


master fuel trip – where main floor burner fuel valves - closed - Class V or better shutoff main floor burner fuel vent valves - open floor pilot fuel valves – temperature dependent main wall burner fuel isolation valves - closed - Class V or better shutoff main wall burner fuel vent valves - open coil feed inlet valves - closed coil steam flow valves - at set point fire box air ID fan on pressure control de-energized - device will be in the interlock position




fail safe


restore feed pressure or fire box control - activate reset - when fire box temp > 1300° F the floor burners & staged floor burner & wall burners fuel flow can be re-established by the operator


pressure upsets are only allowed with all fuels tripped


shutdown mode



6. Decoke Mode - permissive a. master fuel trip


permissive to start decoke mode are defined - all other BMS SIFs are in service





main floor burner fuel valves - closed - Class V or better shutoff main floor burner fuel vent valves – open main floor staged burner fuel valve – closed main wall burner fuel isolation valves - closed - Class V or better shutoff main wall burner fuel vent valves - open floor fuel valves at closed position closure of all feed valves ID fan registers at minimum position on pressure control physical minimum stop on burner registers coil feed inlet valves - closed coil steam flow valves - at set point





ONIS line blinds on process feed line & air feed line are mechanically linked – procedurally controlled

Double block effluent valve closed position switches

effluent valve cavity pressure low pressure 2o3 transmitters


master fuel trip – where main floor burner fuel valves - closed - Class V or better shutoff main floor burner fuel vent valves - open floor pilot fuel valves – temperature dependent main wall burner fuel isolation valves - closed - Class V or better shutoff main wall burner fuel vent valves - open coil feed inlet valves - closed coil steam flow valves - at set point fire box air ID fan registers on pressure control at minimum position de-energized - device will be in the interlock position




if decoke procedure and permissive are not established, SIS will activate master fuel trip, de-energize to trip - fail safe






decoke mode





low low steam drum level (2o3)

high super heat temperature


master fuel trip





main floor burner fuel valves - closed - Class V or better shutoff main floor burner fuel vent valves – open main floor staged burner fuel valve – closed main wall burner fuel isolation valves - closed - Class V or better shutoff main wall burner fuel vent valves - open floor fuel valves at closed position closure of all feed valves ID fan registers on pressure control minimum position on burner registers coil feed inlet valves - closed coil steam flow valves - at set point




3 independent temperature transmitters in superheat system


master fuel trip – where main floor burner fuel valves - closed - Class V or better shutoff main floor burner fuel vent valves - open main wall burner fuel isolation valves - closed - Class V or better shutoff main wall burner fuel vent valves - open coil feed inlet valves - closed coil steam flow valves - at set point fire box air ID fan registers at minimum position de-energized - device will be in the interlock position










shutdown mode


Pilots on with ID fan running to allow for system restoration or cooling down


isolation system requirement all logic is integrated into the SIL logic solver – manual emergency and master fuel trip application is integrated within SIL logic solver

3rd level of “global” plant trip will shut down pilots also


Manual shut down will activate the fuel trip application which is dependent on fire box temperature SIL N/A - 12 month test frequency

2) Define safe state for each SI all process feeds isolated from the fire box & fuel isolated from floor & wall burners – pilot fuel may continue if fire box temp > 1300° F






5) SIF process measurements and trip values Manual emergency activation of the master fuel trip - local activation switch & CCR activation switches


manual activation of the master fuel trip - local activation switch & CCR activation switches master fuel trip – where














all logic is integrated into the SIL logic solver – Manual and master fuel trip application is integrated within SIL logic solver


Master fuel trip application is custom dependent on fire box temperature – fire box temp < 1300° F will give a master fuel trip to 1a valve conditions & will trip pilot fuel & will set system to not purged – fire box temp > 1300° F will give a master fuel trip to 1a valve conditions but will not trip pilot fuel & will not require a purge





N/A



de-energized - device will be in the interlock position – independent SVs on all SIF valves





N/A


N/A


N/A


N/A



SIS - SIL 3 capable





N/A



SIS - SIL 3 capable





N/A


N/A


N/A


N/A

11. Safety shut off valve requirements rated fuel shut off valves – Class V or better







N/A



double block and bleed rated valves for floor burner system - Class V or better shut off, 1st block master shut off valve on fuel header, common vent valve, 2nd burner shut off valve on common fuel header

single Class V or better shut off valve downstream of main floor burner fuel isolation valve set for the staged burner system

double block and bleed rated valves for wall burner system - Class V or better shut off, 1st block master shut off valve on fuel header, common vent valve, 2nd master fuel shut off valve. Manual isolation valve at each burner


all valves with provisions for Class V or better leakage testing per company maintenance practices





N/A


N/A


N/A


N/A

Company E - Personnel Training and Qualifications 1. PHA process or other methodology to establish target SIL

SIL is set in the PHA process using risk ranking matrix to establish SIL. External trained and certified PHA leaders. PHAs follow corporate rule structure using trained & certified leaders.




Internal corporate training for SIF design and maintenance required following corporate standards. Internal SIS training for personnel that design and maintain the SIS. ISA84 Expert Certificate is supported.


Only experienced technicians with 2 to 5 years are hired. SIS maintenance group is dedicated and all SIF components are marked.

Company E - Considerations for Long Testing Intervals


All trips are reviewed for proper action and used to validate SIF action. Test interval timing is reset.


Instrument group schedules and oversees testing; instrument technicians perform most testing functions per written procedures with Operations assistance. Tests cover SIS thru final element, all sensors maintenance and testing is done on line.


full testing is done for 1st test, all other tests are segmented - covering logic solver and final element


SIFs for fire box SIFs are set at 12 month testing frequency


High reliability considerations are used (no single vote to trip, 2o3 meter voting, in line valve leakage testing). Partial stroke applications are used with the BMS applications.


no MOVs are used in SIF required actions. MOVs have been removed from the process in favor of fail-safe devices

Appendix 6 - Practices and Approaches – Company F - Ethylene furnace with multiple bottom burners and multiple upper level burners, ID fan for draft 1. Safe to start checks a. Isolation of Fuels (including feed & secondary fuels) & Pre-light

permissive


Permissive where all process feeds & fuels are isolated from the fire box & start-up is in ready to begin

2) Define safe state for each SIF all elements at SIF action positions



Purge requirement met; air flow adequate in the box

firebox draft at set-point

main feed valves are closed

bottom burner and upper burner fuel gas valves are closed

fuel gas vent valve(s) open

no flame detected (or flame scanner problems)

MOVs closed to cracked gas header and open to decoke position

No combustibles in the firebox

No pressure between 2 MOVs to cracked gas header


demand - caused by the system being taken down on purpose or by automatic trip of furnace

5) SIF process measurements and trip values All permissives must be met Air flow in box - (SIS) firebox pressure transmitters (SIS) steam drum level (SIS) fuel gas position switches (SIS) flame scanners (SIS) feed valve position switches (BPCS) Combustible analyzer input (BPCS) Position switches on cracked gas and decoke MOVs (BPCS) pressure transmitter between 2 cracked gas valves (BPCS)


All permissives must be met Proof the individual burners have had adequate purge before attempting to light (SIS) Total purge time satisfied (SIS) Proof of adequate air flow in box (SIS) fire box pressure not high (SIS) Proof of steam drum level (SIS) proof of closure on all fuel isolation valve position switches - valves shall be "tight shutoff" (SIS) proof of no flame in firebox (SIS) proof of closure of the feed valves (BPCS) Proof of no combustibles in firebox (BPCS) No MOV alarms (cracked gas valves and decoke valve) (all limit switches show in correct position) (BPCS) No pressure between 2 cracked gas valves (BPCS)



fail safe




normal mode for this state is no flames in fire box, temp < AIT (Auto-Ignition Temperature), Operations is making preparations to ignite a burner system


Start-up sequence



1. Safe to start checks b. Purge & Proof of Purge of radiant box and convection section


Permissive where Operator starts purge cycle. Permissives for start of purge are maintained for entire purge cycle & up to time of 1st burner ignition attempt



all process feeds & fuels isolated from the fire box & start-up is in progress permissives for start of ignition steps at least one burner ready for light-off


Purge requirement met; air flow adequate in the box

firebox draft at set-point

main feed valves are closed

bottom burner and upper burner fuel gas valves are closed

fuel gas vent valve(s) open

no flame detected (or flame scanner problems)

MOVs closed to cracked gas header and open to decoke position

No combustibles in the firebox

No pressure between 2 MOVs to cracked gas header



5) SIF process measurements and trip values All permissives must be met

logic condition (SIS)

logic timer (SIS)

Air flow in box- (SIS)

firebox pressure transmitters (SIS)

steam drum level (SIS)

fuel gas position switches (SIS)

flame scanners (SIS)

feed valve position switches (BPCS)

Combustible analyzer input (BPCS)

Position switches on cracked gas and decoke MOVs (BPCS)

pressure transmitter between 2 cracked gas valves (BPCS)

Fuel gas pressure (BPCS)



Proof the individual burners have had adequate purge before attempting to light (SIS)

Total purge time satisfied (SIS)

Proof of adequate air flow in box (SIS)

fire box pressure not high (SIS)

Proof of steam drum level (SIS)

proof of closure on all fuel isolation valve position switches - valves shall be "tight shutoff" (SIS)

proof of no flame in firebox (SIS)

proof of closure of the feed valves (BPCS)

Proof of no combustibles in firebox (BPCS)

No MOV alarms (cracked gas valves and decoke valve) (all limit switches show in correct position) (BPCS)

No pressure between 2 cracked gas valves (BPCS)

Proof of no fuel gas in fuel gas piping system (BPCS) 7) Manual SD requirement N/A


fail safe


All permissives for starting the purge must be maintained throughout the purge or the sequence will step back to previous start-up step


Operator starts purge cycle. The first step is to pressure test the fuel gas piping system to ensure all burner valves are closed, followed automatically by the purge. If any condition is not achieved purge counter is automatically stopped and the system goes back to pre-purge step.


Start-up sequence



2. Ignition trial period

a. ignition trial with no flame proven

- This step requires at least one flame in furnace to be established to be successful.


Operator initiated step after purge, ID fan at purge speed. All purge cycle permissives must be maintained and flame must be proven in allowed time or re-purge is required

2) Define safe state for each SI If ignition of the 1st burner (in each furnace section) is not proven in trial period then the furnace goes through "total trip" step and must be run thru the purge cycle again




igniter or flame scanner problems - demand

5) SIF process measurements and trip values logic condition (SIS)

logic timer (SIS)


firebox temperature transmitters (SIS)

logic condition (BPCS)


purge complete (SIS)

ignition requested (time limit for flame proven) (SIS)

proof of flame or no flame in firebox (SIS)

proof of furnace temp > AIT (SIS)

permissives for start of purge are maintained (BPCS)



fail safe


proof of purge maintained & Operator request to ignite following successful purge; re-purge required after unsuccessful light-off


Operator starts ignition cycle, if condition is not achieved a system restart is required (re-purge of the furnace)


Start-up sequence


furnace goes to "total trip"

2. Ignition trial period b. ignition of next floor burners - 2nd and subsequent floor burner

ignition


Operator manually lights remaining burners after completion of 1st burner light-offs; 1x purge required after each unsuccessful light-off

2) Define safe state for each SIF if ignition of the next burner is not proven in trial period then the next ignition is delayed to allow a 1x volume furnace purge


fuel for this burner proven isolated


burner problems - demand

5) SIF process measurements and trip values no flame proven in ignition trial period (manual operation)




light-off manually performed by Operator


at least 1 floor burner flame proven (SIS)



fail safe


Operator requests light-off after successful purge; re-purge required after each unsuccessful light-off


Operator manually lights off upper level burners


Run step (in burner management system); warm-up step for furnace




Emergency shut down

loss of ID fan


Loss of flame indication in an individual firebox section (below AIT)


Master total fuel trip



master fuel trip

main floor burner fuel valves - closed






Adequate air flow in the box


process upset or demand

5) SIF process measurements and trip values chamber pressure transmitters (SIS)

Loss of ID fan (SIS)




master fuel trip

main floor burner fuel valves - closed - Valves shall be "tight shutoff"

main wall burner fuel isolation valves - closed - Valves shall be "tight shutoff"



fire box air ID fan -adequate air flow



fail safe


restore fan & temperatures & pressures - activate reset


master fuel trip


shutdown mode








master fuel trip









fuel utility upset - demand - instrument failure

5) SIF process measurements and trip values Fuel pressure transmitters - (SIS)

Fuel pressure transmitters (SIS)


master fuel trip








fail safe




master fuel trip


shutdown mode




1400° F (760° C) a. flame supervision above 1400° F (760° C)


SIF action will bypass the flame supervision system for all burners when combustion chamber temperature is at or above the pre-determined safe auto-ignition temperature (AIT)



N/A


N/A

5) SIF process measurements and trip values firebox temperature transmitters (SIS)





fail safe


SIF action will automatically restore active flame supervision when arch temperature is below AIT


flame scanners will become part of master fuel trip below AIT


shutdown mode


flame scanners will become part of master fuel trip below AIT


1400° F (760° C) b. Wall burner permit above 1400° F (760° C)


Allow light off only above AIT; wall (upper) level burners are manually lit by operator






N/A

5) SIF process measurements and trip values firebox temperature transmitters (SIS)

side wall block valves (SIS)



main wall burner fuel isolation valves - closed below auto-ignition - Valves shall be "tight shutoff" (SIS)


wall burner double block and bleed valve system reset to run position when requested by Operator and when furnace temp > AIT


fail safe


SIF action will permit Operator to request wall burner fuel gas when combustion chamber temperature is above auto-ignition temperature


wall burner fuel must be requested by the Operator during the heater system start-up


shutdown mode


during a major upset that caused the fire box temperature to drop below AIT, the wall burner system would be automatically removed from operation by isolating the fuel system

5. Process specific protection High Transfer Line Exchanger outlet temperature

High Coil Outlet Temperature





master fuel trip









Unit upset, instrument failure, demand

5) SIF process measurements and trip values Cracked gas header temperature (SIS)

Total coil flow (SIS)

Quench oil pump run relay (BPCS)

Coil outlet temperature measurements (BPCS)


master fuel trip










restore level & temperature & pressure - activate reset


master fuel trip


shutdown mode



6. Decoke Mode


N/A

2) Define safe state for each SI The burner management system is identical for "furnace run" and "furnace de-coke" modes


Cracked gas header MOVs closed

Feed valves closed & blinded

De-coke steam source evaluated for safe operation


5) SIF process measurements and trip values


7) Manual SD requirement








low steam drum level

high superheat steam temperature





master fuel trip










5) SIF process measurements and trip values High pressure steam temperature (SIS)

steam drum level (SIS)

BFW pump run indication (BPCS)


master fuel trip










restore level & temperature & pressure - activate reset


level and pressure upsets are only allowed with all fuels tripped


shutdown mode




isolation system requirement Prefer not to make interpretations of standards for this exercise since interpretations may be different from one company to another.



2) Define safe state for each SI all valves at SIF action positions for master fuel trip


master fuel trip









manual activation by Operator - demand

5) SIF process measurements and trip values manual activation of the master fuel trip - 1 local activation switch & 1 control room activation switch


manual activation of the master fuel trip - 1 local activation switch & 1 control room activation switch

master fuel trip






7) Manual SD requirement manual activation by Operator












SIFs N/A


N/A



N/A


N/A



N/A



N/A


N/A


N/A


N/A


N/A

10. Safety PLCs N/A


N/A



de-energized - outputs will be in the interlock position


N/A



Meets SIS requirements



fail safe


N/A


N/A


N/A


N/A

11. Safety shut off valve requirements


tight shutoff rated fuel shut off valves





N/A



double block and bleed rated valves for floor burner system - valves shall be "tight shutoff"

double block and bleed rated valves for wall burner system - Valves shall be "tight shutoff"


all valves with provisions for online leakage proof testing (acceptable leakage rates defined based on valve sizes)



fail safe


N/A


N/A


N/A


N/A

Company F - Personnel Training and Qualifications 1. PHA process or other methodology to establish target SIL

A variety of scenario identification methods may be used. LOPA can be used to evaluate the risks further, develop protection strategies, and allocate mitigation functions across IPL types and integrity levels. LOPA follows internal corporate rule structure using trained LOPA leaders and independent SIS functional safety assessors.


Operator training required (initially and at least every 3 years); training to be documented; operator response to SIS alarms, etc. is documented in procedures and training


Internal corporate training for SIF design and maintenance required following corporate standards. Internal LOPA training and certification process. Internal PHA training.


Internal corporate training.

Company F - Considerations for Long Testing Intervals


Yes, if properly documented; process trip (if based on the function in question) may qualify as a functional check


Scheduling and testing is done via instrument group with input from operations on timing and feasibility; testing must follow written procedures and be performed by qualified personnel


Full end-to-end loop validation is normally required on installation or modification. Documented procedures require, must be completed by qualified personnel, and must verify response times.


There is no single vote to trip

5. Design considerations for long testing Additional instruments are sometimes

intervals (support of online testing, segmented testing)

included in design to allow longer testing intervals (when system must be taken off-line for testing)


No SIF final elements are energized to trip. MOVs are used only as BPCS functions and manual isolation system, but this is a manual trip, not a SIF action. In some cases we may de-energize a MOV except when needed to assure no inadvertent closing which might cause an unsafe condition.

Paper 295177

Documents

Transcript of Paper 295177