Fired equipment safety in the oil & gas industry A review of changes in practices over the last 50 years
Abstract and Figures
This paper reviews how the requirements of safety, availability, energy efficiency and environmental compliance have influenced the design and operation of fired equipment over the last 50 years. It presents the various norms and standards relevant to the classes of fired equipment used in the Oil & Gas industry and highlights the differences between prescriptive norms and performance based standards. The main hazards and common causes of accidents of process heaters, petrochemical furnaces and boilers are described. Finally, this paper reviews the evolution of the risk mitigations and design best practices over the last decades. It discusses in particular the particular challenges of improving the safety performance of existing equipment. Before the first oil crisis of 1973, the price of refinery fuels was very low and it was common practice to run heaters inefficiently with high excess air (e.g. 5 to 8 % O2 in the flue gas) and high draft to reduce the probability of sub-stoichiometric combustion and positive pressure in the combustion chamber. Since the safety margin was provided by operating with high excess air and high draft, control improvements were considered unnecessary. Fired equipment safety was essentially distributed between operator response to alarms (e.g. process upset conditions), instrumented protective functions programmed in the safety instrumented system and solutions such as explosion doors and snuffing steam to mitigate the consequence of explosions. In the last 25 years, the drive for safer operation with higher energy efficiency, lower NOx emissions and fewer nuisance trips has led operating companies to adapt their approach to fired equipment safety. The modern approach to fired equipment safety is to distribute the risk across independent protection layers. These safety barriers rely on a comprehensive control system with constraints and a safety instrumented system, but also on operational excellence with well-trained operators, good operating procedures and reliability-centered maintenance and risk-based inspection. As an important benefit, constraint controls with automated fuel cutbacks have proven effective at minimizing nuisance trips by keeping the heater within operational limits.
![Firebox purging with atomization steam [American, 1963]](https://www.researchgate.net/publication/319916714/figure/fig1/AS:864800863162374@1583196001716/Firebox-purging-with-atomization-steam-American-1963_Q320.jpg)
Content may be subject to copyright.
Discover the world's research
- 20+ million members
- 135+ million publications
- 700k+ research projects
Join for free
Content may be subject to copyright.
ScienceDirect
Available online at www.sciencedirect.com
Available online at www.sciencedirect.com
ScienceDirect
Energy Procedia 00 (20 17) 000–000
www.elsevier.com/locate/procedia
1876- 6102 © 2017 The Authors. Published by Elsevier Ltd.
Peer-review under responsibility of the Scientific Committee of The 15th International Symposium on District Heating and Cooling.
The 15th International Symposium on District Heating and Cooling
Assessing the feasibility of using the heat demand-outdoor
temperature function for a long-term district heat demand forecast
I. Andrića,b,c *, A. Pinaa, P. Ferrãoa , J. Fournierb ., B. Lacarrièrec, O. Le Correc
aIN+ Center for Innovation, Technology and Policy Research -Instituto Superior Técnico,Av. Rovisco Pais 1, 1049 - 001 Lisbon, Portugal
bVeolia Recherche & Innovation, 291 Avenue Dreyfous Daniel, 78520 Limay, France
cDépartement Systèmes Énergétiques et Environnement -IMT Atlantique, 4 rue Alfred Kastler, 44300 Nantes, France
Abstract
District heating networks are commonly addressed in the literature as one of the most effective solutions for decreasing the
greenhouse gas emissions from the building sector. These systems require high investments which are returned through the heat
sales. Due to the changed climate conditions and building renovation policies, heat demand in the future could decrease,
prolonging the investment return period.
The main scope of this paper is to assess the feasibility of using the heat demand –outdoor temperature function for heat demand
forecast. The district of Alvalade, located in Lisbon (Portugal), was used as a case study. The district is consisted of 665
buildings that vary in both construction period and typology. Three weather scenarios (low, medium, high) and three district
renovation scenarios were developed (shallow, intermediate, deep). To estimate the error, obtained heat demand values were
compared with results from a dynamic heat demand model, previously developed and validated by the authors.
The results showed that when only weather change is considered, the margin of error could be acceptable for some applications
(the error in annual demand was lower than 20% for all weather scenarios considered). However, after introducing renovation
scenarios, the error value increased up to 59.5% (depending on the weather and renovation scenarios combination considered).
The value of slope coefficient increased on average within the range of 3.8% up to 8% per decade, that corresponds to the
decrease in the number of heating hours of 22-139h during the heating season (depending on the combination of weather and
renovation scenarios considered). On the other hand, function intercept increased for 7.8-12.7% per decade (depending on the
coupled scenarios). The values suggested could be used to modify the function parameters for the scenarios considered, and
improve the accuracy of heat demand estimations.
© 2017 The Authors. Published by Elsevier Ltd.
Peer-review under responsibility of the Scientific Committee of The 15th International Symposium on District Heating and
Cooling.
Keywords: Heat demand; Forecast; Climate change
Energy Procedia 120 (2017) 2–19
1876-6102 © 2017 The Authors. Published by Elsevier Ltd.
Peer-review under responsibility of the organizing committee of INFUB-11
10.1016/j.egypro.2017.07.151
10.1016/j.egypro.2017.07.151
© 2017 The Authors. Published by Elsevier Ltd.
Peer-review under responsibility of the organizing committee of INFUB-11
1876-6102
Available online at www.sciencedirect.com
ScienceDirect
Energy Procedia 00 (20 17) 000–000
www.elsevier.com/locate/procedia
* E-mail address: jacques.dugue@total.com
1876- 6102 © 2017 The Authors. Published by Elsevier Ltd.
Peer-review under responsibility of the organizing committee of INFUB-11.
INFUB - 11th European Conference on Industrial Furnaces and Boilers, INFUB-11
Fired equipment safety in the oil & gas industry
A review of changes in practices over the last 50 years
Jacques Dugué *
TOTAL Refining & Chemicals, France
Abstract
This paper reviews how the requirements of safety, availability, energy efficiency and environmental compliance have
influenced the design and operation of fired equipment over the last 50 years. It presents the various norms and standards relevant
to the classes of fired equipment used in the Oil & Gas industry and highlights the differences between prescriptive norms and
performance based standards. The main hazards and common causes of accidents of process heaters, petrochemical furnaces and
boilers are described. Finally, this paper reviews the evolution of the risk mitigations and design best practices over the last
decades. It discusses in particular the particular challenges of improving the safety performance of existing equipment.
Before the first oil crisis of 1973 , the price of refinery fuels was very low and it was common practice to run heaters
inefficiently with high excess air (e.g. 5 to 8 % O2 in the flue gas) and high draft to reduce the probability of sub-stoichiometric
combustion and positive pressure in the combustion chamber. Since the safety margin was provided by operating with high
excess air and high draft, control improvements were considered unnecessary. Fired equipment safety was essentially distributed
between operator response to alarms (e.g. process upset conditions), instrumented protective functions programmed in the safety
instrumented system and solutions such as explosion doors and snuffing steam to mitigate the consequence of explosions.
In the last 25 years, the drive for safer operation with higher energy efficiency, lower NOx emissions and fewer nuisance trips
has led operating companies to adapt their approach to fired equipment safety. The modern approach to fired equipment safety is
to distribute the risk across independent protection layers. These safety barriers rely on a comprehensive control system with
constraints and a safety instrumented system, but also on operational excellence with well-trained operators, good operating
procedures and reliability-centered maintenance and risk -based inspection. As an important benefit, constraint controls with
automated fuel cutbacks have proven effective at minimizing nuisance trips by keeping the heater within operational limits.
© 2017 The Authors. Published by Elsevier Ltd .
Peer-review under responsibility of the organizing committee of INFUB -11.
Keywords: Fired equipment safety, risk analysis, HAZOP, LOPA
Available online at www.sciencedirect.com
ScienceDirect
Energy Procedia 00 (20 17) 000–000
www.elsevier.com/locate/procedia
* E-mail address: jacques.dugue@total.com
1876- 6102 © 2017 The Authors. Published by Elsevier Ltd.
Peer-review under responsibility of the organizing committee of INFUB-11.
INFUB - 11th European Conference on Industrial Furnaces and Boilers, INFUB-11
Fired equipment safety in the oil & gas industry
A review of changes in practices over the last 50 years
Jacques Dugué *
TOTAL Refining & Chemicals, France
Abstract
This paper reviews how the requirements of safety, availability, energy efficiency and environmental compliance have
influenced the design and operation of fired equipment over the last 50 years. It presents the various norms and standards relevant
to the classes of fired equipment used in the Oil & Gas industry and highlights the differences between prescriptive norms and
performance based standards. The main hazards and common causes of accidents of process heaters, petrochemical furnaces and
boilers are described. Finally, this paper reviews the evolution of the risk mitigations and design best practices over the last
decades. It discusses in particular the particular challenges of improving the safety performance of existing equipment.
Before the first oil crisis of 1973 , the price of refinery fuels was very low and it was common practice to run heaters
inefficiently with high excess air (e.g. 5 to 8 % O2 in the flue gas) and high draft to reduce the probability of sub-stoichiometric
combustion and positive pressure in the combustion chamber. Since the safety margin was provided by operating with high
excess air and high draft, control improvements were considered unnecessary. Fired equipment safety was essentially distributed
between operator response to alarms (e.g. process upset conditions), instrumented protective functions programmed in the safety
instrumented system and solutions such as explosion doors and snuffing steam to mitigate the consequence of explosions.
In the last 25 years, the drive for safer operation with higher energy efficiency, lower NOx emissions and fewer nuisance trips
has led operating companies to adapt their approach to fired equipment safety. The modern approach to fired equipment safety is
to distribute the risk across independent protection layers. These safety barriers rely on a comprehensive control system with
constraints and a safety instrumented system, but also on operational excellence with well-trained operators, good operating
procedures and reliability-centered maintenance and risk -based inspection. As an important benefit, constraint controls with
automated fuel cutbacks have proven effective at minimizing nuisance trips by keeping the heater within operational limits.
© 2017 The Authors. Published by Elsevier Ltd .
Peer-review under responsibility of the organizing committee of INFUB -11.
Keywords: Fired equipment safety, risk analysis, HAZOP, LOPA
2 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
1. Introduction
The spectacular accidents that accompanied the industrial revolution caused many governments and industry
representatives to take action to minimize loss of life and to protect the environment. Process Safety emerged as a
key engineering field with techniques to assess process hazards, initiating event frequencies, consequence severity
levels and safeguards to achieve an acceptable level of risk reduction. S ince the turn of the 20th century, each decade
brought continuous improvements in terms of regulations and techniques as well as a reduction in the public
perception of acceptable risk. What- ifs, checklist, HAZOP, Fault- and Event- Tree analyses were some of the
essential techniques developed in the early 1960s [Lees, 2012]. Their use as safety systems and reliability techniques
quickly gained widespread interest and represent some of the commonly used process safety techniques used today.
The late 1990s saw the development of the layer of protection analysis (LOPA) method [Bridges, 2014]. The first
international standards were published soon after [EN 746-2, 1996; ISA S84.01, 1996; IEC 61508, 1998 and IEC
61511, 2003], setting new industry practices and standards for the design of safety instrumented systems (SIS) in the
process industries.
This paper review s how the design and operation of fired equipment has evolved over the last 50 years to address
growing requirements on safety, availability, energy efficiency and environmental performance at a reasonable cost.
Process heaters, furnaces and boilers built in the 1950s and 1960s were considered modern designs and represented a
significant progress compared to inefficient designs seen before 1940. Many of the heaters, furnaces and boilers built
before the first oil crisis of 1973 are still in operation today. During the period from 1950 to 1975, the energy
consumption of fired equipment was mostly ignored because refinery fuel oil and fuel gas were a byproduct of
refining operations and had no commercial value. This period was characterized by manual mode operation, limited
automation and protective functions and a preference for operator initiated emergency shutdown (ESD). As operator
procedures were in their infancy, operator experience was the prime protection from the risk of explosion at startup.
The risk of sub-stoichiometric firing and subsequent explosion was mitigated by operating with high excess air and
high draft. In this period of limited instrumentation and controls, the frequency of combustion upsets and emergency
shutdowns was fairly high.
The codes, standards and safety requirements introduced since the late 1990s have brought greater emphasis on
safety and increased compliance with codes and practices on all new projects. These requirements, combined with
industry objectives to achieve not only a high level of safety but also a high level of availability, energy efficiency
and environmental performance have led to changes in fired equipment design and operation. A specific objective of
this paper is to address the sp ecific challenge of achieving today's safety and availability requirements on the fired
equipment built before 1975.
Based on the author's experience, the fired equipment referred to in this paper includes mostly refinery process
heaters, petrochemical cracking furnaces, steam-methane reformers and industrial boilers. However, some analogy
may be inferred for other combustion equipment such as the furnaces, ovens and kilns used in the glass, mineral and
iron & steel industries. In the terminology of this paper, fired heaters refer to process heaters used to heat a
hydrocarbon feed in coils. Furnaces refer mostly to petrochemical cracking furnaces used for ethylene production
and steam methane reformer (SMR) furnaces used for syngas production.
Nomenclature
API American Petroleum Institute
DCS Distributed Control System
ESD Emergency Shut down
HAZOP Hazard and Operability
LEL Lower Explosive Limit
LOPA Layer of Protection Analysis
SIL Safety Integrity Level
SIS Safety Instrumented Systems
SCR Selective Catalytic Reduction
SMR Steam Methane Reformer
Jacques Dugué / Energy Procedia 120 (2017) 2–19 3
Available online at www.sciencedirect.com
ScienceDirect
Energy Procedia 00 (20 17) 000–000
www.elsevier.com/locate/procedia
* E-mail address: jacques.dugue@total.com
1876- 6102 © 2017 The Authors. Published by Elsevier Ltd.
Peer-review under responsibility of the organizing committee of INFUB-11.
INFUB - 11th European Conference on Industrial Furnaces and Boilers, INFUB-11
Fired equipment safety in the oil & gas industry
A review of changes in practices over the last 50 years
Jacques Dugué *
TOTAL Refining & Chemicals, France
Abstract
This paper reviews how the requirements of safety, availability, energy efficiency and environmental compliance have
influenced the design and operation of fired equipment over the last 50 years. It presents the various norms and standards relevant
to the classes of fired equipment used in the Oil & Gas industry and highlights the differences between prescriptive norms and
performance based standards. The main hazards and common causes of accidents of process heaters, petrochemical furnaces and
boilers are described. Finally, this paper reviews the evolution of the risk mitigations and design best practices over the last
decades. It discusses in particular the particular challenges of improving the safety performance of existing equipment.
Before the first oil crisis of 1973 , the price of refinery fuels was very low and it was common practice to run heaters
inefficiently with high excess air (e.g. 5 to 8 % O2 in the flue gas) and high draft to reduce the probability of sub-stoichiometric
combustion and positive pressure in the combustion chamber. Since the safety margin was provided by operating with high
excess air and high draft, control improvements were considered unnecessary. Fired equipment safety was essentially distributed
between operator response to alarms (e.g. process upset conditions), instrumented protective functions programmed in the safety
instrumented system and solutions such as explosion doors and snuffing steam to mitigate the consequence of explosions.
In the last 25 years, the drive for safer operation with higher energy efficiency, lower NOx emissions and fewer nuisance trips
has led operating companies to adapt their approach to fired equipment safety. The modern approach to fired equipment safety is
to distribute the risk across independent protection layers. These safety barriers rely on a comprehensive control system with
constraints and a safety instrumented system, but also on operational excellence with well-trained operators, good operating
procedures and reliability-centered maintenance and risk -based inspection. As an important benefit, constraint controls with
automated fuel cutbacks have proven effective at minimizing nuisance trips by keeping the heater within operational limits.
© 2017 The Authors. Published by Elsevier Ltd .
Peer-review under responsibility of the organizing committee of INFUB -11.
Keywords: Fired equipment safety, risk analysis, HAZOP, LOPA
Available online at www.sciencedirect.com
ScienceDirect
Energy Procedia 00 (20 17) 000–000
www.elsevier.com/locate/procedia
* E-mail address: jacques.dugue@total.com
1876- 6102 © 2017 The Authors. Published by Elsevier Ltd.
Peer-review under responsibility of the organizing committee of INFUB-11.
INFUB - 11th European Conference on Industrial Furnaces and Boilers, INFUB-11
Fired equipment safety in the oil & gas industry
A review of changes in practices over the last 50 years
Jacques Dugué *
TOTAL Refining & Chemicals, France
Abstract
This paper reviews how the requirements of safety, availability, energy efficiency and environmental compliance have
influenced the design and operation of fired equipment over the last 50 years. It presents the various norms and standards relevant
to the classes of fired equipment used in the Oil & Gas industry and highlights the differences between prescriptive norms and
performance based standards. The main hazards and common causes of accidents of process heaters, petrochemical furnaces and
boilers are described. Finally, this paper reviews the evolution of the risk mitigations and design best practices over the last
decades. It discusses in particular the particular challenges of improving the safety performance of existing equipment.
Before the first oil crisis of 1973 , the price of refinery fuels was very low and it was common practice to run heaters
inefficiently with high excess air (e.g. 5 to 8 % O2 in the flue gas) and high draft to reduce the probability of sub-stoichiometric
combustion and positive pressure in the combustion chamber. Since the safety margin was provided by operating with high
excess air and high draft, control improvements were considered unnecessary. Fired equipment safety was essentially distributed
between operator response to alarms (e.g. process upset conditions), instrumented protective functions programmed in the safety
instrumented system and solutions such as explosion doors and snuffing steam to mitigate the consequence of explosions.
In the last 25 years, the drive for safer operation with higher energy efficiency, lower NOx emissions and fewer nuisance trips
has led operating companies to adapt their approach to fired equipment safety. The modern approach to fired equipment safety is
to distribute the risk across independent protection layers. These safety barriers rely on a comprehensive control system with
constraints and a safety instrumented system, but also on operational excellence with well-trained operators, good operating
procedures and reliability-centered maintenance and risk -based inspection. As an important benefit, constraint controls with
automated fuel cutbacks have proven effective at minimizing nuisance trips by keeping the heater within operational limits.
© 2017 The Authors. Published by Elsevier Ltd .
Peer-review under responsibility of the organizing committee of INFUB -11.
Keywords: Fired equipment safety, risk analysis, HAZOP, LOPA
2 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
1. Introduction
The spectacular accidents that accompanied the industrial revolution caused many governments and industry
representatives to take action to minimize loss of life and to protect the environment. Process Safety emerged as a
key engineering field with techniques to assess process hazards, initiating event frequencies, consequence severity
levels and safeguards to achieve an acceptable level of risk reduction. S ince the turn of the 20th century, each decade
brought continuous improvements in terms of regulations and techniques as well as a reduction in the public
perception of acceptable risk. What- ifs, checklist, HAZOP, Fault- and Event- Tree analyses were some of the
essential techniques developed in the early 1960s [Lees, 2012]. Their use as safety systems and reliability techniques
quickly gained widespread interest and represent some of the commonly used process safety techniques used today.
The late 1990s saw the development of the layer of protection analysis (LOPA) method [Bridges, 2014]. The first
international standards were published soon after [EN 746-2, 1996; ISA S84.01, 1996; IEC 61508, 1998 and IEC
61511, 2003], setting new industry practices and standards for the design of safety instrumented systems (SIS) in the
process industries.
This paper review s how the design and operation of fired equipment has evolved over the last 50 years to address
growing requirements on safety, availability, energy efficiency and environmental performance at a reasonable cost.
Process heaters, furnaces and boilers built in the 1950s and 1960s were considered modern designs and represented a
significant progress compared to inefficient designs seen before 1940. Many of the heaters, furnaces and boilers built
before the first oil crisis of 1973 are still in operation today. During the period from 1950 to 1975, the energy
consumption of fired equipment was mostly ignored because refinery fuel oil and fuel gas were a byproduct of
refining operations and had no commercial value. This period was characterized by manual mode operation, limited
automation and protective functions and a preference for operator initiated emergency shutdown (ESD). As operator
procedures were in their infancy, operator experience was the prime protection from the risk of explosion at startup.
The risk of sub-stoichiometric firing and subsequent explosion was mitigated by operating with high excess air and
high draft. In this period of limited instrumentation and controls, the frequency of combustion upsets and emergency
shutdowns was fairly high.
The codes, standards and safety requirements introduced since the late 1990s have brought greater emphasis on
safety and increased compliance with codes and practices on all new projects. These requirements, combined with
industry objectives to achieve not only a high level of safety but also a high level of availability, energy efficiency
and environmental performance have led to changes in fired equipment design and operation. A specific objective of
this paper is to address the sp ecific challenge of achieving today's safety and availability requirements on the fired
equipment built before 1975.
Based on the author's experience, the fired equipment referred to in this paper includes mostly refinery process
heaters, petrochemical cracking furnaces, steam-methane reformers and industrial boilers. However, some analogy
may be inferred for other combustion equipment such as the furnaces, ovens and kilns used in the glass, mineral and
iron & steel industries. In the terminology of this paper, fired heaters refer to process heaters used to heat a
hydrocarbon feed in coils. Furnaces refer mostly to petrochemical cracking furnaces used for ethylene production
and steam methane reformer (SMR) furnaces used for syngas production.
Nomenclature
API American Petroleum Institute
DCS Distributed Control System
ESD Emergency Shut down
HAZOP Hazard and Operability
LEL Lower Explosive Limit
LOPA Layer of Protection Analysis
SIL Safety Integrity Level
SIS Safety Instrumented Systems
SCR Selective Catalytic Reduction
SMR Steam Methane Reformer
4 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 3
2. Regulations, codes and standards
Codes, standards and norms on various types of fired equipment have been developed over the last decades by
several organizations, national and international bodies [refs 1 -9, 10-13, 17]. These documents address all key
aspects of system design, construction, operation, maintenance and personnel training. Countries or jurisdictions
may require owner/operators to follow prescribed norms, codes or standards. In absence of jurisdictional
requirements for particular equipment, owner/operators apply the appropriate good engineering practices recognized
in the Industry and use a risk analysis to verify that the risks are mitigated to a safe level.
2.1. Prescriptive standards
Standards can be distinguished between prescriptive and performance based categories. Prescriptive standards
specify "what" interlocks or safeguards should be implemented based upon lessons learned from previous incidents
and near misses. However, they do not describe "how" to properly implement the prescriptive based interlocks. The
requirements from prescriptive standards are often general and not always applicable to the wide diversity of
refinery heaters, petrochemical furnaces and boilers. The main prescriptive standards pertaining to fired equipment
used in the Oil & Gas Industry are presented below.
NFPA 85 applies to gas, liquid and solid fuel fired boilers with a heat release exceeding 3.7 MW. This code
addresses combustion systems hazards, design, installation, operation and maintenance procedures and training. It
covers in particular combustion and draft control equipment, safety interlocks, alarms, trips and other related
controls that are essential to safe operation. Since its 2011 edition, NFPA 85 clarifies that its scope exclude process
heaters used in chemical and petroleum manufacture in which steam generation is incidental to the operation of a
processing system.
NFPA 86 applies to thermal oxidizers, incinerators and a number of applications such as (bakery) ovens, dryers
and specialty furnaces. It specifically states that it does not apply to process heaters used in the chemical and
petroleum industry and designed in accordance with API 560 and API 556.
NFPA 87 applies to thermal and process fluid Heaters. It also does not apply to process heaters used in the
chemical and petroleum industry and designed in accordance with API 560 and API 556.
EN 746- 2 specifies the safety requirements for industrial furnaces and industrial heating equipment. It details the
hazards associated with the use of industrial thermal equipment and specifies the safety measures required for
compliance with essential requirements of relevant European Directives. EN 746- 2 covers a broad range of fired
equipment from process industries such as cement, lime and ceramic, iron and steel, glass, waste incineration,
drying, refining, chemical and petrochemical. As EN 746-2 covers very different types of fired equipment, the
application of its generic requirements on some equipment types may be impossible, impractical or may not justify
the costs. As an example, the EN 746- 2 standard ignores that many refinery heaters and petrochemical furnaces rely
on natural draft to draw air into burners and therefore do not measure the total combustion air flow.
ISO 13577-2 was published in 2014 and applies to fired equipment from the same process industries as EN 746-
2. As an ISO standard, it applies worldwide, although it s annexes have distinct requirements for Europe, the USA
and Japan. ISO 13577-2 specifies requirements to ensure the safety of people and property during commissioni ng,
start- up, operation, shutdown, maintenance periods and dismantling, as well as in the event of possible malfunctions.
CSA B149.3 specifies requirements for fuel-related components and their assembly on appliances in Canada. It
applies to process ovens, bakery ovens, process furnaces and furnaces used for material processing.
AS 3814 is the code that provides minimum requirements for the safe operation of gas fired industrial and
commercial appliances in Australia. Of all codes and standards pertaining to industrial fired equipment, this standard
is considered the most onerous to comply with because of its complexity.
4 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
2.2. Performance based standards
Performance based standards provide performance criteria for achieving design objectives, as opposed to
prescriptive standards which prescribe compliance criteria without stating the design objectives. Performance based
standards provide different options to mitigate a hazard. Performance based standards are usually specific to
categories for fired equipment.
Advocates of performance based standards point to multiple layers of protections that can be used to demonstrate
compliance with the design objectives. The layers of protection to mitigate a hazardous situation may include
operator response to alarm, provided that the operator has sufficient response time. The operator response time is
typically assumed to be at least 10 min for panel operators and 20 min for field operators. When the hazard
scenarios develop faster than the operator can respond, automatic constraint controls should be considered to keep
the fired equipment within operational limits. Operator response to alarms and automatic overrides in the control
system are frequently omitted in prescriptive standards which are primarily dedicated to defining trip conditions. As
was widely agreed in the IFRF TOTeM 43 conference on fired equipment safety [39], tripping a heater is neither the
only nor the preferred corrective action to keep fired equipment safe. This conference highlighted that constraint
controls are an important best practice to keep the heather within operational limits and help minimize nuisance
trips.
The main performance based standards pertaining to fired equipment used in the Oil & Gas Industry are
presented below.
API 556 addresses instrumentation, control and protective systems for gas fired heaters used in the refining
industry. As it is specific to refinery process heaters, it is widely used by the refining industry, although local
jurisdictions may also bring additional requirements. API 556 was written by specialists covering the fields of fired
equipment, instrumentation, control and protective functions. It integrates the operating experience and incident
history of major refiners to reduce the overall risk exposure to equipment and personnel. For each hazard scenario,
API 556 provides recommendations on design, control system constraints/overrides, operator response to alarms and
protective functions to ensure satisfactory mitigation of the process hazard. With the exception of a few prescriptive
"shalls", the user may choose between solutions of different levels of sophistication and cost which all mitigate the
hazards but provide different availability levels. API 556 is a performance based standard that can be used by
competent practitioners to achieve a high safety level and the desired optimum between availability, reliability and
cost.
API 538 applies to industrial boilers in general refinery and petrochemical service. It was written by
manufacturers and users of industrial boilers to supplement rather than duplicate t he requirements of NFPA 85.
API 538 specifies requirements and gives recommendations for design, operation, maintenance, and troubleshooting
of industrial boilers. It covers waterside control, combustion control, burner management systems (BMS ), feedwater
preparation, steam purity, emissions, etc.
The CGA H-10 and H-11 publications from the Compressed Gas Association apply to steam reformers with
capacities of 10 000 Nm3/hr or more. The H-10 publication covers operation, maintenance, and certain design
aspects of steam reformers relative to the potential safety hazards of the combustion process inherent to these units.
Emphasis is placed on operational guidance and safeguards such as furnace control philosophies, safety interlocks
and inspection routines. The H-11 publication covers operational safety of steam reformer startup and shutdown.
Emphasis is placed on operational guidance and safeguards against the hazards associated with the transition and
infrequent nature of startups and shutdowns.
2.3. Pros and cons of prescriptive and performance based standards
Whatever the standard, code or norm required by the authority having jurisdiction, the diversity in the design or
operational modes of fired heaters and furnaces requires each equipment to be independently evaluated to ensure
that each hazard scenario is effectively mitigated. As stated in NFPA 85, designers of safety systems should be
Jacques Dugué / Energy Procedia 120 (2017) 2–19 5
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 3
2. Regulations, codes and standards
Codes, standards and norms on various types of fired equipment have been developed over the last decades by
several organizations, national and international bodies [refs 1 -9, 10-13, 17]. These documents address all key
aspects of system design, construction, operation, maintenance and personnel training. Countries or jurisdictions
may require owner/operators to follow prescribed norms, codes or standards. In absence of jurisdictional
requirements for particular equipment, owner/operators apply the appropriate good engineering practices recognized
in the Industry and use a risk analysis to verify that the risks are mitigated to a safe level.
2.1. Prescriptive standards
Standards can be distinguished between prescriptive and performance based categories. Prescriptive standards
specify "what" interlocks or safeguards should be implemented based upon lessons learned from previous incidents
and near misses. However, they do not describe "how" to properly implement the prescriptive based interlocks. The
requirements from prescriptive standards are often general and not always applicable to the wide diversity of
refinery heaters, petrochemical furnaces and boilers. The main prescriptive standards pertaining to fired equipment
used in the Oil & Gas Industry are presented below.
NFPA 85 applies to gas, liquid and solid fuel fired boilers with a heat release exceeding 3.7 MW. This code
addresses combustion systems hazards, design, installation, operation and maintenance procedures and training. It
covers in particular combustion and draft control equipment, safety interlocks, alarms, trips and other related
controls that are essential to safe operation. Since its 2011 edition, NFPA 85 clarifies that its scope exclude process
heaters used in chemical and petroleum manufacture in which steam generation is incidental to the operation of a
processing system.
NFPA 86 applies to thermal oxidizers, incinerators and a number of applications such as (bakery) ovens, dryers
and specialty furnaces. It specifically states that it does not apply to process heaters used in the chemical and
petroleum industry and designed in accordance with API 560 and API 556.
NFPA 87 applies to thermal and process fluid Heaters. It also does not apply to process heaters used in the
chemical and petroleum industry and designed in accordance with API 560 and API 556.
EN 746- 2 specifies the safety requirements for industrial furnaces and industrial heating equipment. It details the
hazards associated with the use of industrial thermal equipment and specifies the safety measures required for
compliance with essential requirements of relevant European Directives. EN 746- 2 covers a broad range of fired
equipment from process industries such as cement, lime and ceramic, iron and steel, glass, waste incineration,
drying, refining, chemical and petrochemical. As EN 746-2 covers very different types of fired equipment, the
application of its generic requirements on some equipment types may be impossible, impractical or may not justify
the costs. As an example, the EN 746- 2 standard ignores that many refinery heaters and petrochemical furnaces rely
on natural draft to draw air into burners and therefore do not measure the total combustion air flow.
ISO 13577-2 was published in 2014 and applies to fired equipment from the same process industries as EN 746-
2. As an ISO standard, it applies worldwide, although it s annexes have distinct requirements for Europe, the USA
and Japan. ISO 13577-2 specifies requirements to ensure the safety of people and property during commissioni ng,
start- up, operation, shutdown, maintenance periods and dismantling, as well as in the event of possible malfunctions.
CSA B149.3 specifies requirements for fuel-related components and their assembly on appliances in Canada. It
applies to process ovens, bakery ovens, process furnaces and furnaces used for material processing.
AS 3814 is the code that provides minimum requirements for the safe operation of gas fired industrial and
commercial appliances in Australia. Of all codes and standards pertaining to industrial fired equipment, this standard
is considered the most onerous to comply with because of its complexity.
4 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
2.2. Performance based standards
Performance based standards provide performance criteria for achieving design objectives, as opposed to
prescriptive standards which prescribe compliance criteria without stating the design objectives. Performance based
standards provide different options to mitigate a hazard. Performance based standards are usually specific to
categories for fired equipment.
Advocates of performance based standards point to multiple layers of protections that can be used to demonstrate
compliance with the design objectives. The layers of protection to mitigate a hazardous situation may include
operator response to alarm, provided that the operator has sufficient response time. The operator response time is
typically assumed to be at least 10 min for panel operators and 20 min for field operators. When the hazard
scenarios develop faster than the operator can respond, automatic constraint controls should be considered to keep
the fired equipment within operational limits. Operator response to alarms and automatic overrides in the control
system are frequently omitted in prescriptive standards which are primarily dedicated to defining trip conditions. As
was widely agreed in the IFRF TOTeM 43 conference on fired equipment safety [39], tripping a heater is neither the
only nor the preferred corrective action to keep fired equipment safe. This conference highlighted that constraint
controls are an important best practice to keep the heather within operational limits and help minimize nuisance
trips.
The main performance based standards pertaining to fired equipment used in the Oil & Gas Industry are
presented below.
API 556 addresses instrumentation, control and protective systems for gas fired heaters used in the refining
industry. As it is specific to refinery process heaters, it is widely used by the refining industry, although local
jurisdictions may also bring additional requirements. API 556 was written by specialists covering the fields of fired
equipment, instrumentation, control and protective functions. It integrates the operating experience and incident
history of major refiners to reduce the overall risk exposure to equipment and personnel. For each hazard scenario,
API 556 provides recommendations on design, control system constraints/overrides, operator response to alarms and
protective functions to ensure satisfactory mitigation of the process hazard. With the exception of a few prescriptive
"shalls", the user may choose between solutions of different levels of sophistication and cost which all mitigate the
hazards but provide different availability levels. API 556 is a performance based standard that can be used by
competent practitioners to achieve a high safety level and the desired optimum between availability, reliability and
cost.
API 538 applies to industrial boilers in general refinery and petrochemical service. It was written by
manufacturers and users of industrial boilers to supplement rather than duplicate t he requirements of NFPA 85.
API 538 specifies requirements and gives recommendations for design, operation, maintenance, and troubleshooting
of industrial boilers. It covers waterside control, combustion control, burner management systems (BMS ), feedwater
preparation, steam purity, emissions, etc.
The CGA H-10 and H-11 publications from the Compressed Gas Association apply to steam reformers with
capacities of 10 000 Nm3/hr or more. The H-10 publication covers operation, maintenance, and certain design
aspects of steam reformers relative to the potential safety hazards of the combustion process inherent to these units.
Emphasis is placed on operational guidance and safeguards such as furnace control philosophies, safety interlocks
and inspection routines. The H-11 publication covers operational safety of steam reformer startup and shutdown.
Emphasis is placed on operational guidance and safeguards against the hazards associated with the transition and
infrequent nature of startups and shutdowns.
2.3. Pros and cons of prescriptive and performance based standards
Whatever the standard, code or norm required by the authority having jurisdiction, the diversity in the design or
operational modes of fired heaters and furnaces requires each equipment to be independently evaluated to ensure
that each hazard scenario is effectively mitigated. As stated in NFPA 85, designers of safety systems should be
6 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 5
completely familiar with the features and weaknesses of the specific hardware and should possess a thorough
understanding of the safety code and its intent. Designers should carefully consider all the possible failure modes
and the effect that each might have on personnel safety and equipment integrity. Thus, codes and standards should
not be used as design handbooks and cannot replace sound engineering judgment and experience. Codes and
standards specifically do not discuss how to achieve even heat distribution, good flames, operating procedure and
how to avoid tube failures and nuisance trips.
There are on-going debates on the respective merits of prescriptive and performance based standards. Some
authorities argue that prescriptive checklists reduce risk exposure more effectively by reducing the potential for
inconsistent application by lesser experienced practitioners. However, incident history does not support this as a
definitive conclusion. In practice, the probability of success appears to be strongly dependent upon the skill set of
the practitioners.
The API standards pertaining to fired equipment usually assume permanent supervision from a control room and
continuous availability of outside operators of fired equipment on the fenced plant. On the other hand, NFPA, EN
and ISO standards have usually been written as to apply to unsupervised industrial or commercial fired equipment,
for example, remotely operated steam boilers and bakery furnaces. It is therefore logical that standards written for
unsupervised equipment require a higher level of instrumentation, controls and automatic safety functions. The
corollary is that there is little logic in imposing the same requirements on a fired equipment with controlled access
within a refinery or chemical plant as on a heating appliance in high occupancy spaces such as the basement of a
school or hospital.
3. Identification of fired equipment hazards
3.1. Fired equipment hazards
The main hazards associated to fired equipment operation involve principally explosions and tube rupture s.
Explosions occur mainly during the pilot and burner ignition sequence or as a result of flame blow off. Explosions
generally take place in the combustion chamber or convection section and can cause a collapse of the furnace floor,
firebox or convection section walls. Tube rupture is usually caused by loss of feed or overheating. Heaters may also
be a source of ignition for the flammable gases escaping from other parts of the plant.
There are two distinct limit behaviors for explosions in enclosures. If the chamber has a length/diameter aspect
ratio not too different from one, and if the inside of the firebox is not cluttered by partition walls or other equipment,
the explosion will generate a deflagration, i.e. an explosion characterized by a relatively slow pressure rise. While
these explosions can cause extensive damage, the blast wave that they produce is generally weak.
The other limit behavior occurs in enclosures which have a large length/diameter ratio or contain many internal
partitions. Such is the case for the convection section of tubular process heaters. Analysis of furnace explosions
shows that the presence of tube banks in the convection section may generate turbulence and recirculation behind
tubes, which results in a rapid increase in flame area and a faster pressure rise that may reach several bar. These
phenomena may lead to gas phase detonation and complete destruction of the convection section. There are ample
examples of detonation in heater convection sections in the oil & gas industry. These explosions usually produce
strong blast waves and high velocity fragments, and can cause more damage to the surroundings than overpressure
explosions.
Investigations on heater explosions have shown explosion induced overpressures up to 400 mbar. Investigations
have shown that most com bustion chamber s fail at pressure wave above 200 mbar. Fig. 1 shows a heater with a
collapsed floor. Fig. 2 shows a damaged convection section.
Jacques Dugué / Energy Procedia 120 (2017) 2–19 7
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 5
completely familiar with the features and weaknesses of the specific hardware and should possess a thorough
understanding of the safety code and its intent. Designers should carefully consider all the possible failure modes
and the effect that each might have on personnel safety and equipment integrity. Thus, codes and standards should
not be used as design handbooks and cannot replace sound engineering judgment and experience. Codes and
standards specifically do not discuss how to achieve even heat distribution, good flames, operating procedure and
how to avoid tube failures and nuisance trips.
There are on-going debates on the respective merits of prescriptive and performance based standards. Some
authorities argue that prescriptive checklists reduce risk exposure more effectively by reducing the potential for
inconsistent application by lesser experienced practitioners. However, incident history does not support this as a
definitive conclusion. In practice, the probability of success appears to be strongly dependent upon the skill set of
the practitioners.
The API standards pertaining to fired equipment usually assume permanent supervision from a control room and
continuous availability of outside operators of fired equipment on the fenced plant. On the other hand, NFPA, EN
and ISO standards have usually been written as to apply to unsupervised industrial or commercial fired equipment,
for example, remotely operated steam boilers and bakery furnaces. It is therefore logical that standards written for
unsupervised equipment require a higher level of instrumentation, controls and automatic safety functions. The
corollary is that there is little logic in imposing the same requirements on a fired equipment with controlled access
within a refinery or chemical plant as on a heating appliance in high occupancy spaces such as the basement of a
school or hospital.
3. Identification of fired equipment hazards
3.1. Fired equipment hazards
The main hazards associated to fired equipment operation involve principally explosions and tube rupture s.
Explosions occur mainly during the pilot and burner ignition sequence or as a result of flame blow off. Explosions
generally take place in the combustion chamber or convection section and can cause a collapse of the furnace floor,
firebox or convection section walls. Tube rupture is usually caused by loss of feed or overheating. Heaters may also
be a source of ignition for the flammable gases escaping from other parts of the plant.
There are two distinct limit behaviors for explosions in enclosures. If the chamber has a length/diameter aspect
ratio not too different from one, and if the inside of the firebox is not cluttered by partition walls or other equipment,
the explosion will generate a deflagration, i.e. an explosion characterized by a relatively slow pressure rise. While
these explosions can cause extensive damage, the blast wave that they produce is generally weak.
The other limit behavior occurs in enclosures which have a large length/diameter ratio or contain many internal
partitions. Such is the case for the convection section of tubular process heaters. Analysis of furnace explosions
shows that the presence of tube banks in the convection section may generate turbulence and recirculation behind
tubes, which results in a rapid increase in flame area and a faster pressure rise that may reach several bar. These
phenomena may lead to gas phase detonation and complete destruction of the convection section. There are ample
examples of detonation in heater convection sections in the oil & gas industry. These explosions usually produce
strong blast waves and high velocity fragments, and can cause more damage to the surroundings than overpressure
explosions.
Investigations on heater explosions have shown explosion induced overpressures up to 400 mbar. Investigations
have shown that most com bustion chamber s fail at pressure wave above 200 mbar. Fig. 1 shows a heater with a
collapsed floor. Fig. 2 shows a damaged convection section.
6 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
Fig.1 : Collapsed heater floor
Fig.2 : Burst convection section
8 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 7
3.2. Feedback from industry accidents
The literature on fired equipment hazard and fired equipment accidents can be found in textbooks [Lees, 2012;
Baker, 2012], in open literature [Ostroot, 1972 and 1976; Sparrow, 1986; Davis, 1987; WHSCC, 1999] and in
restricted communications from the Center for Chemical Process Safety (CCPS) and from the API Operating
Symposium. A review of the available literature over the last five decades showed that fired equipment light-off
sequences account for about 70% of the explosions and about 90% of the casualties. The common causes of heater
and boiler explosions are summarized below:
• Inadequate purge during start- up sequence, mostly because of leaking, damaged or obstructed single safety
shutoff valves. A partial list of accident causes include the following:
o Insufficient purge flow rate
o Insufficient purge time
• Inadequate or improperly followed start-up procedure. A partial list of accident causes include the following:
o Repeated attempts to light pilot without intermediate purging
o Burner ignition attempt with excessive gas flow or for a too long trial-for- ignition period, allowing fuel to
reach the explosive limit
o Insufficient time between successive ignition attempts, allowing fuel to accumulate in the combustion
chamber and reach the explosion limit
o Safety shutoff valves bypassed
• Delayed ignition at start- up, with gas n ot ignited as soon as it enters the furnace but instead collected in an
unburned cloud before being ignition. A partial list of accident causes include the following:
o Improper use of hand torch
o Pilot too small, improperly positioned or unreliable
o Poor mechanical condition of the pilot or burner
o Improper fuel flow control at low load
• Improper fuel-air ratio, causing the burners to flame out. A partial list of accident causes include the following:
o Erroneous operation of air registers, leading to operate some burners with only part of the required
combustion air
o Failure of the control system allowing the overall air/fuel mixture to become sub - stoichiometric
o Excessive draft causing a high level of tramp air ingress and operation of burners with a sub- stoichiometric
air/fuel ratio
o Unstable fuel supply due to changes in the fuel gas composition
• Presence of liquid condensates or inerts in the fuel gas system, caused by flaws in the fuel gas netw ork design.
• Tube failure, causing a large and sudden release of hydrocarbon in the combustion chamber. A partial list of
accident causes include the following:
o Overfiring the tubes above their metallurgical limit
o Operation with significant tramp air, leading to flame impingement on tubes and hot spots.
o Uneven distribution of heat release, leading to flame impingement on tubes and local hot spots
• Insufficient maintenance of the equipment, causing difficulties to ignite the pilots or burners. A partial list of
accident causes include the following:
o Fouling of the fuel gas supply to the pilots or burners
o Damage to the pilots, pilot igniters or burners
o Damage to the stack damper or fan dampers
8 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
The main learnings from this accident review are summarized below:
• Single safety shutoff valves, as seen in the past in gas lines, do not provide adequate protection against leakage
of gas into the furnace. Double block valves in gas lines reduce the chance of leakage to a very low probability.
Gas pilot or other electric igniters must be reliable. Their heat or energy release should not be too small
compared to the heat release and dimensions of the burners to be ignited. They need to be adequately
maintained.
• The fired equipment startup procedure should clearly define:
o the maximum time for introducing fuel through a pilot or burner without a confirmed stable flame
o the minimum time interval between ignition attempts of pilots and burners
o the air flow during the ignition sequence
o the prescribed (maximum) fuel flow during pilot and burner ignition attempts
o the maximum of pilot and burner ignition attempts before repeating a full purge
• The burners must be operated within their design operating range. Automatic safeguards must be provided as
defined by codes and standards and risk analysis. Sufficient excess air must be available at all times. On all
combustion system operating with a slight underpressure and potentially exposed to tramp air, means should be
provided to maintain draft within a range that cannot cause burners to become starved of air.
• The fuel supply system should be designed to provide adequate fuel control at turndown for the ignition of the
first burners. Typical solutions include using a control valve with high range or a small bypass around the ma in
regulator for handling low flow.
• The use of hand torches for lighting main burners is a practice from the past that should be eliminated as much
as possible. Where not feasible, as in process furnaces with a very large number of burners, a standard
procedure should be developed for each furnace.
• Adequate filtering should be installed upstream of all safety shutoff valves to prevent debris and particulates
from obstructing and fouling valve seats and burner orifices. The installation of coalescer filters on fuel gas
lines has proven successful to improve equipment reliability as it significantly reduces the rate of fouling of the
safety valves, control valves , flowmeter and burner fuel gas injectors.
• Specific issues pertaining to oil firing include the need to ensure good atomization. Inadequate atomization can
be caused by plugged burners, improper heating of heavy oil and excessive viscosity, insufficient atomizing
steam pressure, low oil pressure, poor burner design and excessive burner turndown. Depending on
circumstances, oil dripping from oil atomizers can vaporize and explode or can cause a fire inside the burner or
combustion air ducting.
• The fired equipment instrumentation and analyzers (oxygen, CO) must be carefully selected, installed and
maintained in order to provide useful alarms and safeguards. The minimum excess air target should take into
account the accuracy, reliability and response time of the oxygen and/or CO analyzers and the ability to
adequately control the excess air.
• The maintenance of the fired equipment (heater, furnace or boiler), burner, pilots, instrumentation and
analyzers is an essential requirement for safe operation. A formal, preventive maintenance program should be
defined and carried out on a regularly schedule.
• A risk analysis must be done to ensure that sufficient risk reduction is achieved on every fired equipment.
• Good operator training and comprehensive, written procedures are essential.
Jacques Dugué / Energy Procedia 120 (2017) 2–19 9
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 7
3.2. Feedback from industry accidents
The literature on fired equipment hazard and fired equipment accidents can be found in textbooks [Lees, 2012;
Baker, 2012], in open literature [Ostroot, 1972 and 1976; Sparrow, 1986; Davis, 1987; WHSCC, 1999] and in
restricted communications from the Center for Chemical Process Safety (CCPS) and from the API Operating
Symposium. A review of the available literature over the last five decades showed that fired equipment light-off
sequences account for about 70% of the explosions and about 90% of the casualties. The common causes of heater
and boiler explosions are summarized below:
• Inadequate purge during start- up sequence, mostly because of leaking, damaged or obstructed single safety
shutoff valves. A partial list of accident causes include the following:
o Insufficient purge flow rate
o Insufficient purge time
• Inadequate or improperly followed start-up procedure. A partial list of accident causes include the following:
o Repeated attempts to light pilot without intermediate purging
o Burner ignition attempt with excessive gas flow or for a too long trial-for- ignition period, allowing fuel to
reach the explosive limit
o Insufficient time between successive ignition attempts, allowing fuel to accumulate in the combustion
chamber and reach the explosion limit
o Safety shutoff valves bypassed
• Delayed ignition at start- up, with gas n ot ignited as soon as it enters the furnace but instead collected in an
unburned cloud before being ignition. A partial list of accident causes include the following:
o Improper use of hand torch
o Pilot too small, improperly positioned or unreliable
o Poor mechanical condition of the pilot or burner
o Improper fuel flow control at low load
• Improper fuel-air ratio, causing the burners to flame out. A partial list of accident causes include the following:
o Erroneous operation of air registers, leading to operate some burners with only part of the required
combustion air
o Failure of the control system allowing the overall air/fuel mixture to become sub - stoichiometric
o Excessive draft causing a high level of tramp air ingress and operation of burners with a sub- stoichiometric
air/fuel ratio
o Unstable fuel supply due to changes in the fuel gas composition
• Presence of liquid condensates or inerts in the fuel gas system, caused by flaws in the fuel gas netw ork design.
• Tube failure, causing a large and sudden release of hydrocarbon in the combustion chamber. A partial list of
accident causes include the following:
o Overfiring the tubes above their metallurgical limit
o Operation with significant tramp air, leading to flame impingement on tubes and hot spots.
o Uneven distribution of heat release, leading to flame impingement on tubes and local hot spots
• Insufficient maintenance of the equipment, causing difficulties to ignite the pilots or burners. A partial list of
accident causes include the following:
o Fouling of the fuel gas supply to the pilots or burners
o Damage to the pilots, pilot igniters or burners
o Damage to the stack damper or fan dampers
8 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
The main learnings from this accident review are summarized below:
• Single safety shutoff valves, as seen in the past in gas lines, do not provide adequate protection against leakage
of gas into the furnace. Double block valves in gas lines reduce the chance of leakage to a very low probability.
Gas pilot or other electric igniters must be reliable. Their heat or energy release should not be too small
compared to the heat release and dimensions of the burners to be ignited. They need to be adequately
maintained.
• The fired equipment startup procedure should clearly define:
o the maximum time for introducing fuel through a pilot or burner without a confirmed stable flame
o the minimum time interval between ignition attempts of pilots and burners
o the air flow during the ignition sequence
o the prescribed (maximum) fuel flow during pilot and burner ignition attempts
o the maximum of pilot and burner ignition attempts before repeating a full purge
• The burners must be operated within their design operating range. Automatic safeguards must be provided as
defined by codes and standards and risk analysis. Sufficient excess air must be available at all times. On all
combustion system operating with a slight underpressure and potentially exposed to tramp air, means should be
provided to maintain draft within a range that cannot cause burners to become starved of air.
• The fuel supply system should be designed to provide adequate fuel control at turndown for the ignition of the
first burners. Typical solutions include using a control valve with high range or a small bypass around the ma in
regulator for handling low flow.
• The use of hand torches for lighting main burners is a practice from the past that should be eliminated as much
as possible. Where not feasible, as in process furnaces with a very large number of burners, a standard
procedure should be developed for each furnace.
• Adequate filtering should be installed upstream of all safety shutoff valves to prevent debris and particulates
from obstructing and fouling valve seats and burner orifices. The installation of coalescer filters on fuel gas
lines has proven successful to improve equipment reliability as it significantly reduces the rate of fouling of the
safety valves, control valves , flowmeter and burner fuel gas injectors.
• Specific issues pertaining to oil firing include the need to ensure good atomization. Inadequate atomization can
be caused by plugged burners, improper heating of heavy oil and excessive viscosity, insufficient atomizing
steam pressure, low oil pressure, poor burner design and excessive burner turndown. Depending on
circumstances, oil dripping from oil atomizers can vaporize and explode or can cause a fire inside the burner or
combustion air ducting.
• The fired equipment instrumentation and analyzers (oxygen, CO) must be carefully selected, installed and
maintained in order to provide useful alarms and safeguards. The minimum excess air target should take into
account the accuracy, reliability and response time of the oxygen and/or CO analyzers and the ability to
adequately control the excess air.
• The maintenance of the fired equipment (heater, furnace or boiler), burner, pilots, instrumentation and
analyzers is an essential requirement for safe operation. A formal, preventive maintenance program should be
defined and carried out on a regularly schedule.
• A risk analysis must be done to ensure that sufficient risk reduction is achieved on every fired equipment.
• Good operator training and comprehensive, written procedures are essential.
10 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 9
4. Changes in risk mitigation methods in the last decades
4.1. Design and operation practices prior to 1975
A large fraction of the fired heaters, furnaces and boilers operated in the Oil & Gas industry today were built
before 1975 with different technical constraints, performance standards and operation methods. It is useful to point
the salient characteristics of older fired equipments as they bring specific challenges to the current objectives of high
level of safety, availability, energy efficiency and low NOx emissions.
Fired equipment s designed before 1975 w ere characterized by simple, limited instrumentation, limited controls
and basic emergency shutdown (ESD). As written operator procedures were in their infancy, operator experience
was the prime protection from the risk of explosion at startup. The risk of sub-stoichiometric firing and subsequent
explosion was mitigated by operating with high excess air and high draft. In this period of limited instrumentation
and controls, the frequency of combustion upsets and emergency shutdowns was fairly high.
Heaters and furnaces designed before 1975 were in their vast majority equipped with conventional natural draft
burners. The conventional burners had the advantaged of wide stability limit and could maintain a stable flame from
a significant sub-stoichiometric range and up to operation with an air flow several times higher than required for
stoichiometric operation.
Fig. 3: Firebox purging with atomization steam [American, 1963]
Most of the heaters relied on natural draft to draw air into the burners. Draft was not controlled but checked
during operator rounds and adjusted by means of cables connected to the stack damper. As a result, vari ations in
draft and in excess air were significant. Purging of the combustion chamber was carried out either with the snuffing
steam line or with the atomization steam from the oil burners [American, 1963].
Boilers were often better equipped and featured o nline oxygen analyzers, air/fuel ratio control and flame
scanners, although the reliability of these devices was variable.
10 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
As a byproduct of refinery processes, residual fuel oil had a very high viscosity, a high sulfur content and
variable properties that made it unsuitable for sale. Because the liquid and gaseous fuels used in refineries and
petrochemical plants had essentially no commercial value, there was little incentive to optimize energy efficiency.
Residual fuel oil was used in combination with fuel gas on a majority of fired heaters and boilers. Because of the
regular needs to stop burners for oil atomizer cleaning, it was often difficult to keep a homogenous firing rate and
excess air on all burners.
4.1.1. Fired equipment instrumentation, controls an d emergency shutdowns
Air/fuel control by air and fuel metering or oxygen trimming was essentially nonexistent, except on some boilers.
Online oxygen analyzers were rare on fired heaters and furnaces, and excess air was occasionally checked after
analyzing flue gas samples with the Orsat method. It was therefore common practice to run heaters with very high
excess air (e.g. 5 to 8 % O2 in the flue gas) to reduce the probability of sub-stoichiometric combustion. Since the
safety margin was provided by high excess air operation, control improvements were considered unnecessary. For
natural draft heaters, stack dampers were typically operated manually and flue gas analyzers were used for alarm
indication only. Uncompensated volume fuel flow measurements prevailed (e.g. orifice plates).
Most heaters were operated on temperature control from the outlet process temperature to a control valve in the
main gas line, with a single shut-off valve upstream on the control valve. This shut-off valve was either automatic
with the plant ESD or operated manually with an operator action, with each company having various additions to
this basic concept. Because of the more primitive and less reliable combustion controls and safeguards of the time,
the automatic and manual (operator triggered) shutdowns were fairly frequent.
The limited instrumentation and controls, and frequent lack of written procedures were compensated to some
extend by the strong presence of "fire men", experienced field operators dedicated to heater and boiler operation.
Operator training at the time was based for a large part on peer companionship with senior operators.
4.1.2. Explosion doors
Explosion doors were built for the purpose of relieving the pressure wave induced by explosions. Evidence of hot
gases or flames exiting the explosion doors was also used to alert operators and get them to troubleshoot the heater.
Explosion doors were widely used on heaters and furnaces built before 1975.
4.1.3. Snuffing steam
Snuffing steam used to be widely implemented in the past and was used as a response to tube ruptures and to
purge natural draft heaters. Snuffing steam was sometimes used after shutting off the burners to dilute a potentially
flammable mixture forming from leaking fuel gas valves. As a side benefit, snuffing steam was used to purge natural
draft heaters.
4.2. Developments in design and operating practice in the last 3 0 years
The approach to fired heaters design, operation and safety has significantly evolved over the last three to four
decades under the influence of a number of factors presented below.
4.2.1. Environmental legislation on NOx and SOx emissions and energy efficiency
Environmental legislation on NOx and SOx emissions started to be implemented in the early 1980s. The high
sulfur content and a high fuel bound nitrogen content of residual fuel oils were responsible for high SOx and NOx
emissions. This caused fuel oil to be gradually ruled out from refineries and petrochemical plants, first in North
America and more recently in Europe.
Most of the original conventional burners of the 1960s and 1970s were eventually replaced by ultra low NOx
burners firing only fuel gas. The first generations of low NOx burners were much less stable than the early
conventional raw gas or premix burners that they replaced. Some of them were susceptible to flame out at startup or
in operation with a modest level of sub-stoichiometric firing. The development of more stringent NOx legislation
made flame instability an issue which further increased the focus on protective measures. In some regions such as
Jacques Dugué / Energy Procedia 120 (2017) 2–19 11
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 9
4. Changes in risk mitigation methods in the last decades
4.1. Design and operation practices prior to 1975
A large fraction of the fired heaters, furnaces and boilers operated in the Oil & Gas industry today were built
before 1975 with different technical constraints, performance standards and operation methods. It is useful to point
the salient characteristics of older fired equipments as they bring specific challenges to the current objectives of high
level of safety, availability, energy efficiency and low NOx emissions.
Fired equipment s designed before 1975 w ere characterized by simple, limited instrumentation, limited controls
and basic emergency shutdown (ESD). As written operator procedures were in their infancy, operator experience
was the prime protection from the risk of explosion at startup. The risk of sub-stoichiometric firing and subsequent
explosion was mitigated by operating with high excess air and high draft. In this period of limited instrumentation
and controls, the frequency of combustion upsets and emergency shutdowns was fairly high.
Heaters and furnaces designed before 1975 were in their vast majority equipped with conventional natural draft
burners. The conventional burners had the advantaged of wide stability limit and could maintain a stable flame from
a significant sub-stoichiometric range and up to operation with an air flow several times higher than required for
stoichiometric operation.
Fig. 3: Firebox purging with atomization steam [American, 1963]
Most of the heaters relied on natural draft to draw air into the burners. Draft was not controlled but checked
during operator rounds and adjusted by means of cables connected to the stack damper. As a result, vari ations in
draft and in excess air were significant. Purging of the combustion chamber was carried out either with the snuffing
steam line or with the atomization steam from the oil burners [American, 1963].
Boilers were often better equipped and featured o nline oxygen analyzers, air/fuel ratio control and flame
scanners, although the reliability of these devices was variable.
10 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
As a byproduct of refinery processes, residual fuel oil had a very high viscosity, a high sulfur content and
variable properties that made it unsuitable for sale. Because the liquid and gaseous fuels used in refineries and
petrochemical plants had essentially no commercial value, there was little incentive to optimize energy efficiency.
Residual fuel oil was used in combination with fuel gas on a majority of fired heaters and boilers. Because of the
regular needs to stop burners for oil atomizer cleaning, it was often difficult to keep a homogenous firing rate and
excess air on all burners.
4.1.1. Fired equipment instrumentation, controls an d emergency shutdowns
Air/fuel control by air and fuel metering or oxygen trimming was essentially nonexistent, except on some boilers.
Online oxygen analyzers were rare on fired heaters and furnaces, and excess air was occasionally checked after
analyzing flue gas samples with the Orsat method. It was therefore common practice to run heaters with very high
excess air (e.g. 5 to 8 % O2 in the flue gas) to reduce the probability of sub-stoichiometric combustion. Since the
safety margin was provided by high excess air operation, control improvements were considered unnecessary. For
natural draft heaters, stack dampers were typically operated manually and flue gas analyzers were used for alarm
indication only. Uncompensated volume fuel flow measurements prevailed (e.g. orifice plates).
Most heaters were operated on temperature control from the outlet process temperature to a control valve in the
main gas line, with a single shut-off valve upstream on the control valve. This shut-off valve was either automatic
with the plant ESD or operated manually with an operator action, with each company having various additions to
this basic concept. Because of the more primitive and less reliable combustion controls and safeguards of the time,
the automatic and manual (operator triggered) shutdowns were fairly frequent.
The limited instrumentation and controls, and frequent lack of written procedures were compensated to some
extend by the strong presence of "fire men", experienced field operators dedicated to heater and boiler operation.
Operator training at the time was based for a large part on peer companionship with senior operators.
4.1.2. Explosion doors
Explosion doors were built for the purpose of relieving the pressure wave induced by explosions. Evidence of hot
gases or flames exiting the explosion doors was also used to alert operators and get them to troubleshoot the heater.
Explosion doors were widely used on heaters and furnaces built before 1975.
4.1.3. Snuffing steam
Snuffing steam used to be widely implemented in the past and was used as a response to tube ruptures and to
purge natural draft heaters. Snuffing steam was sometimes used after shutting off the burners to dilute a potentially
flammable mixture forming from leaking fuel gas valves. As a side benefit, snuffing steam was used to purge natural
draft heaters.
4.2. Developments in design and operating practice in the last 3 0 years
The approach to fired heaters design, operation and safety has significantly evolved over the last three to four
decades under the influence of a number of factors presented below.
4.2.1. Environmental legislation on NOx and SOx emissions and energy efficiency
Environmental legislation on NOx and SOx emissions started to be implemented in the early 1980s. The high
sulfur content and a high fuel bound nitrogen content of residual fuel oils were responsible for high SOx and NOx
emissions. This caused fuel oil to be gradually ruled out from refineries and petrochemical plants, first in North
America and more recently in Europe.
Most of the original conventional burners of the 1960s and 1970s were eventually replaced by ultra low NOx
burners firing only fuel gas. The first generations of low NOx burners were much less stable than the early
conventional raw gas or premix burners that they replaced. Some of them were susceptible to flame out at startup or
in operation with a modest level of sub-stoichiometric firing. The development of more stringent NOx legislation
made flame instability an issue which further increased the focus on protective measures. In some regions such as
12 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 11
California, the legislation requires NOx emissions so low that they cannot be met only with ultra low NOx burners,
thus imposing installation of Selective Catalytic Reduction (SCR) systems downstream of the combustion chamber.
The demise of fuel oil led the refineries and petrochemical sites to import natural gas and to begin efforts to
improve fuel efficiency in order to minimize the natural import costs. The new objective of improving energy
efficiency had major impacts on fired equipment operations. Instrumentation and controls were added or improved
in order to operate at low excess air. The implementation of low excess firing on old pre 1975 heaters proved to be
challenging. Owner/operators faced a long learning curve to develop effective instrumentation and controls that
would allow safe operation at low excess air.
4.2.2. Emergence of norms and standards
Norms and standards were developed in the mid 1990s as a response to the increased risks associated to operation
with low NOx burners at lower excess air. The first edition of the performance based API 556 standard was
published in 1997, offering the refining industry a detailed description of the various hazards related to process
heaters and steam generators. It also addressed instrumentation, control systems, alarm and shutdown systems to
mitigate risks while still avoiding emergency shutdowns when possible. In the same year, the prescriptive EN 746- 2
norm was introduced in Europe and required designing fired equipment with more automatic safeguards and with a
highly automated burner management system (BMS). One of the main new requirements of EN 746-2 is the
automatic and permanent supervision of burner flames with flame scanners and an automatic shutdown of the burner
within 3 to 5 seconds following loss of flame detection. Prescriptive standards only focus on safety and leave it to
owner/operators to define the level of equipment availability that they wish to achieve. Thus, new refinery fired
heaters designed to achieve compliance with EN 746-2 and a high level of availability (e.g. a low frequency of
nuisance trips) need to have every burner equipped with a flame scanner and an automatic shutoff valve. It can be
emphasized that the successful implementation of prescriptive norms or performance based standards is strongly
dependent upon the skill set of the practitioners.
Important discussions took place in the early years that followed the introduction of API 556 standard and EN
746- 2 norm regarding the potential safety benefit of using permanent pilots. An early claim was that a permanent
pilot could guarantee of main burner flame re- ignition in all operating conditions. Discussion with burner and pilot
manufacturers and between operating companies showed that pilots can only be expected to light burners in
controlled start-up conditions with prescribed draft a nd air flow. Thus, more recent versions of API standards have
clarified that main flame stability cannot be expected to be guaranteed by presence of a permanent pilot. The
corollary is that loss of pilot is not a justification to trip a heater as it is not a valid safety barrier in the first place.
Thus, when flame scanners are not available on burners, pilot flame rods should not be used to infer proof or
absence of main flame. Where installed, this erroneous protection philosophy has significantly contributed to
nuisance trips on gas fired heaters. With the updated clarifications in the third edition of API 535, many
owner/operators have removed this trip logic from their BMS systems.
As several other standards, EN 746 -2 does not require permanent flame d etection and automatic shutdown if the
temperature of all combustion chamber walls exceeds 750°C. This criterion is easily achieved in steam methane
reformer furnaces and petrochemical steam cracking furnaces. However, this is never achieved in refinery he aters
with floor mounted burners. These heaters tend to have a significant vertical temperature gradient with the top of
their radiant chamber is generally above 800°C at design firing conditions, but the floor generally colder than 500°C
and not hot enough to allow smooth and safe re-ignition after a flame out.
4.2.3. Explosion doors
Decades of experience have shown that explosion doors do not prevent heater destruction. When explosions
occur, explosion doors can be blown as projectiles that may create further damage on refinery process units and
personnel. The NFPA 68 code provides a method to calculate their size. The calculations show that while explosion
doors may partially relieve the energy of a small deflagration, it is impractical to increase their size to fully mitigate
the energy of an explosion.
Experience over the last decades has shown that explosion doors often cause a significant ingress of tramp air
which leads to falsely high bridgewall oxygen readings. The consequence is a risk of incomplete combustion at the
burners, flame extinction and explosion [CCPS, 2004]. If the bridgewall pressure is positive, these doors may lift
12 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
allowing hot flue gas to escape and damage the shell metal surface around the open area. A gradual shift is seen in
the Oil & Gas Industry to remove or weld shut explosion doors as they cause particular risks w hen operating at low
excess air and do not provide the level of protection originally expected.
Fig. 4 : Partly open explosion door
4.2.4. Control system
In the past, fired equipment safety was distributed between operator response to abnormal situations,
instrumented protective functions programmed in the safety instrumented system, and solutions such as explosion
doors and snuffing steam to mitigate the consequence of explosions. The drive for safer operation with higher
energy efficiency, lower NOx emissions and reduced number of nuisance trips has led operating companies to adapt
their approach to fired equipment safety. The modern approach to fired equipment safety is to distribute the risk
across independent protection layers. These safety barriers rely on DCS constraint control and SIS functions, but
also on operational excellence (operator training and procedures), preventive, reliability -centered maintenance and
risk based inspection.
4.2.5. Burner management system
The function of a burner management system is to manage the start-up, operation and shutdown of the fired
equipment. Provided it is properly designed, configured and commissioned, a BMS will gui de the operator through a
safe and consistent operating sequence. Fig. 4 displays the operating philosophy found in all burner management
systems [Newnham, 2006].
Jacques Dugué / Energy Procedia 120 (2017) 2–19 13
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 11
California, the legislation requires NOx emissions so low that they cannot be met only with ultra low NOx burners,
thus imposing installation of Selective Catalytic Reduction (SCR) systems downstream of the combustion chamber.
The demise of fuel oil led the refineries and petrochemical sites to import natural gas and to begin efforts to
improve fuel efficiency in order to minimize the natural import costs. The new objective of improving energy
efficiency had major impacts on fired equipment operations. Instrumentation and controls were added or improved
in order to operate at low excess air. The implementation of low excess firing on old pre 1975 heaters proved to be
challenging. Owner/operators faced a long learning curve to develop effective instrumentation and controls that
would allow safe operation at low excess air.
4.2.2. Emergence of norms and standards
Norms and standards were developed in the mid 1990s as a response to the increased risks associated to operation
with low NOx burners at lower excess air. The first edition of the performance based API 556 standard was
published in 1997, offering the refining industry a detailed description of the various hazards related to process
heaters and steam generators. It also addressed instrumentation, control systems, alarm and shutdown systems to
mitigate risks while still avoiding emergency shutdowns when possible. In the same year, the prescriptive EN 746- 2
norm was introduced in Europe and required designing fired equipment with more automatic safeguards and with a
highly automated burner management system (BMS). One of the main new requirements of EN 746-2 is the
automatic and permanent supervision of burner flames with flame scanners and an automatic shutdown of the burner
within 3 to 5 seconds following loss of flame detection. Prescriptive standards only focus on safety and leave it to
owner/operators to define the level of equipment availability that they wish to achieve. Thus, new refinery fired
heaters designed to achieve compliance with EN 746-2 and a high level of availability (e.g. a low frequency of
nuisance trips) need to have every burner equipped with a flame scanner and an automatic shutoff valve. It can be
emphasized that the successful implementation of prescriptive norms or performance based standards is strongly
dependent upon the skill set of the practitioners.
Important discussions took place in the early years that followed the introduction of API 556 standard and EN
746- 2 norm regarding the potential safety benefit of using permanent pilots. An early claim was that a permanent
pilot could guarantee of main burner flame re- ignition in all operating conditions. Discussion with burner and pilot
manufacturers and between operating companies showed that pilots can only be expected to light burners in
controlled start-up conditions with prescribed draft a nd air flow. Thus, more recent versions of API standards have
clarified that main flame stability cannot be expected to be guaranteed by presence of a permanent pilot. The
corollary is that loss of pilot is not a justification to trip a heater as it is not a valid safety barrier in the first place.
Thus, when flame scanners are not available on burners, pilot flame rods should not be used to infer proof or
absence of main flame. Where installed, this erroneous protection philosophy has significantly contributed to
nuisance trips on gas fired heaters. With the updated clarifications in the third edition of API 535, many
owner/operators have removed this trip logic from their BMS systems.
As several other standards, EN 746 -2 does not require permanent flame d etection and automatic shutdown if the
temperature of all combustion chamber walls exceeds 750°C. This criterion is easily achieved in steam methane
reformer furnaces and petrochemical steam cracking furnaces. However, this is never achieved in refinery he aters
with floor mounted burners. These heaters tend to have a significant vertical temperature gradient with the top of
their radiant chamber is generally above 800°C at design firing conditions, but the floor generally colder than 500°C
and not hot enough to allow smooth and safe re-ignition after a flame out.
4.2.3. Explosion doors
Decades of experience have shown that explosion doors do not prevent heater destruction. When explosions
occur, explosion doors can be blown as projectiles that may create further damage on refinery process units and
personnel. The NFPA 68 code provides a method to calculate their size. The calculations show that while explosion
doors may partially relieve the energy of a small deflagration, it is impractical to increase their size to fully mitigate
the energy of an explosion.
Experience over the last decades has shown that explosion doors often cause a significant ingress of tramp air
which leads to falsely high bridgewall oxygen readings. The consequence is a risk of incomplete combustion at the
burners, flame extinction and explosion [CCPS, 2004]. If the bridgewall pressure is positive, these doors may lift
12 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
allowing hot flue gas to escape and damage the shell metal surface around the open area. A gradual shift is seen in
the Oil & Gas Industry to remove or weld shut explosion doors as they cause particular risks w hen operating at low
excess air and do not provide the level of protection originally expected.
Fig. 4 : Partly open explosion door
4.2.4. Control system
In the past, fired equipment safety was distributed between operator response to abnormal situations,
instrumented protective functions programmed in the safety instrumented system, and solutions such as explosion
doors and snuffing steam to mitigate the consequence of explosions. The drive for safer operation with higher
energy efficiency, lower NOx emissions and reduced number of nuisance trips has led operating companies to adapt
their approach to fired equipment safety. The modern approach to fired equipment safety is to distribute the risk
across independent protection layers. These safety barriers rely on DCS constraint control and SIS functions, but
also on operational excellence (operator training and procedures), preventive, reliability -centered maintenance and
risk based inspection.
4.2.5. Burner management system
The function of a burner management system is to manage the start-up, operation and shutdown of the fired
equipment. Provided it is properly designed, configured and commissioned, a BMS will gui de the operator through a
safe and consistent operating sequence. Fig. 4 displays the operating philosophy found in all burner management
systems [Newnham, 2006].
14 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 13
Fig. 5: Operating philosophy of a burner management system [Newnham, 2006]
Because it is up to operating companies to decide the level of availability and automation that they wish to
achieve, it is therefore common to find differences in BMS designs. Some will allow a fully automatic startup with
the operator behind a concrete wall at a safe location, whereas others will still require the operator to be on a
platform to open manual pilot and burner valves.
4.3. Current discussion points in fired equipment design and operating practice
The topics addressed in this section are examples of discussion points currently debated in the committees in
charge of writing norms and standards. More information is provided in the summary report of the IFRF TOTeM 43
conference on s afe design and operation of fired equipment in the oil and gas industry [IFRF Doc. no G 22/y/01,
2016].
4.3.1. General approach to fired equipment safety
The discussions at the IFRF TOTeM 43 conference highlighted that safe furnace operation should not attempt to
mitigate risk exclusively in the safety instrumented system (e.g. a single SIL 3 function). It was broadly agreed that
safe operation should be based on distributing the risks across independent protection layers (e.g. good design
practices, operator training, operator procedures, DCS constraint control and SIS functions).
It was widely agreed that nuisance trips should be avoided as they cause production and economic losses. More
frequent startups increase the risk of incidents and induce thermal stresses that can damage the equipment.
Proper controls and constraints and trip logics are recommended to reduce the risk of nuisance trips. In some
scenarios, time delays can be recommended to prevent nuisance trips. It was noted that reducing the number of
nuisance trips also reduces the causal frequency. As an example, reducing the causal frequency from 10 to 1 reduces
the SIL requirement, e.g. from SIL 2 to SIL 1.
4.3.2. Constraint controls to keep the heater within operational limits, avoid nuisance trips
Automatic fuel cut - back systems have been frequently implemented for hazard scenarios involvi ng a rapid
change from safe to unsafe operation. These automatic controls do act as a protection layer, because their response
time to safe state is shorter than the process safety time of the faster developing hazard scenarios. Automatic
controls also provide a much faster response time than operators, which generally are considered to respond to an
alarm in 10 min for a board operator and 20 min for a field operator.
14 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
A number of owner/operators have successfully reduced nuisance trips and improved heater performance after
implementing fuel cutback controllers with constraint controls. These overrides:
o avoid sub- stoichiometric combustion,
o limit the maximum fuel gas pressure to the main burner,
o limit the process outlet temperature ,
o keep the a ir / f uel ratio in range ,
o ensure that the excess oxygen is kept within range,
o limit the frequency of nuisance trips .
4.3.3. Oxygen analyzers
The application of oxygen analyzers on fired heaters and furnaces has brought particular challenges. When
zirconium-oxide- based oxygen analyzers were first introduced for online measurements several decades ago, they
were frequently installed after the convection section and were not equipped with flame arrestors. This location
generally implies that the zirconia cell resides inside the flue gas stream. Several drawbacks should be pointed with
this type of practice:
o The oxygen measurement may not be representative of the oxygen concentration in the combustion
chamber as tramp air ingress causes the oxygen concentration to increase across the convection section.
This measurement artifact can be dramatic if the fired equipment is operated at low excess air as it can lead
to sub-stoichiometric operation of the burners.
o The response time of the "in situ" zirconia analyzers is slow, typically one minute or more because it
depends on diffusion of the flue gas in the probe rather than on induced flow. A response time of 1 minute
is much longer than the process safety time of some hazard scenarios which have a time scale similar to the
average residence time of the combustion gases in the combustion chamber, about 10 to 15 sec for heaters,
furnaces and boilers at maximum load. The addition of a flame arrestor and fouling of the sensor
significantly increase the response time of "in situ" zirconia sensors.
o A heated Zirconium oxide sensor without flame arrestors can be an ignition source for an air/fuel mixture
during a purge sequence or during an upset.
The best practices for reliable oxygen measurements in heaters and furnaces with zirconia sensors are the
following:
o Use of a sampling probe at the top of the radiant section, preferably at the inlet of the convection section.
The sampling location should be deep enough into the flue gas stream in order to avoid a measurement bias
due to presence of tramp air close to the walls.
o Use of a system with a jet pump to guarantee a response time not longer than 15 sec, even on sensors
equipped with flame arrestors. This is most important if automatic fuel cutback is to be implemented to
correct upset in firing conditions before a hazardous situation is reached.
It should be noted that analyzers are more complex than transmitters and require considerably more knowledge
and attention to detail to ensure high analyzer availability. Low availability is frequently traceable to a lack of
proper maintenance and training, not to the analyzer.
Although zirconia sensors have been successfully used for a number of years, tunable diode lasers (TDLs) have
been introduced in the past few years and are emerging as alternative technologies. TDLs are currently more
expensive that zirconia-based analyzer s, but require less maintenance. Other advantages of TDLs include a
measurement over a line-of-sight which provides a better spatial averaging across the stream of combustion products
and a response time of 5 sec or less.
Jacques Dugué / Energy Procedia 120 (2017) 2–19 15
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 13
Fig. 5: Operating philosophy of a burner management system [Newnham, 2006]
Because it is up to operating companies to decide the level of availability and automation that they wish to
achieve, it is therefore common to find differences in BMS designs. Some will allow a fully automatic startup with
the operator behind a concrete wall at a safe location, whereas others will still require the operator to be on a
platform to open manual pilot and burner valves.
4.3. Current discussion points in fired equipment design and operating practice
The topics addressed in this section are examples of discussion points currently debated in the committees in
charge of writing norms and standards. More information is provided in the summary report of the IFRF TOTeM 43
conference on s afe design and operation of fired equipment in the oil and gas industry [IFRF Doc. no G 22/y/01,
2016].
4.3.1. General approach to fired equipment safety
The discussions at the IFRF TOTeM 43 conference highlighted that safe furnace operation should not attempt to
mitigate risk exclusively in the safety instrumented system (e.g. a single SIL 3 function). It was broadly agreed that
safe operation should be based on distributing the risks across independent protection layers (e.g. good design
practices, operator training, operator procedures, DCS constraint control and SIS functions).
It was widely agreed that nuisance trips should be avoided as they cause production and economic losses. More
frequent startups increase the risk of incidents and induce thermal stresses that can damage the equipment.
Proper controls and constraints and trip logics are recommended to reduce the risk of nuisance trips. In some
scenarios, time delays can be recommended to prevent nuisance trips. It was noted that reducing the number of
nuisance trips also reduces the causal frequency. As an example, reducing the causal frequency from 10 to 1 reduces
the SIL requirement, e.g. from SIL 2 to SIL 1.
4.3.2. Constraint controls to keep the heater within operational limits, avoid nuisance trips
Automatic fuel cut - back systems have been frequently implemented for hazard scenarios involvi ng a rapid
change from safe to unsafe operation. These automatic controls do act as a protection layer, because their response
time to safe state is shorter than the process safety time of the faster developing hazard scenarios. Automatic
controls also provide a much faster response time than operators, which generally are considered to respond to an
alarm in 10 min for a board operator and 20 min for a field operator.
14 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
A number of owner/operators have successfully reduced nuisance trips and improved heater performance after
implementing fuel cutback controllers with constraint controls. These overrides:
o avoid sub- stoichiometric combustion,
o limit the maximum fuel gas pressure to the main burner,
o limit the process outlet temperature ,
o keep the a ir / f uel ratio in range ,
o ensure that the excess oxygen is kept within range,
o limit the frequency of nuisance trips .
4.3.3. Oxygen analyzers
The application of oxygen analyzers on fired heaters and furnaces has brought particular challenges. When
zirconium-oxide- based oxygen analyzers were first introduced for online measurements several decades ago, they
were frequently installed after the convection section and were not equipped with flame arrestors. This location
generally implies that the zirconia cell resides inside the flue gas stream. Several drawbacks should be pointed with
this type of practice:
o The oxygen measurement may not be representative of the oxygen concentration in the combustion
chamber as tramp air ingress causes the oxygen concentration to increase across the convection section.
This measurement artifact can be dramatic if the fired equipment is operated at low excess air as it can lead
to sub-stoichiometric operation of the burners.
o The response time of the "in situ" zirconia analyzers is slow, typically one minute or more because it
depends on diffusion of the flue gas in the probe rather than on induced flow. A response time of 1 minute
is much longer than the process safety time of some hazard scenarios which have a time scale similar to the
average residence time of the combustion gases in the combustion chamber, about 10 to 15 sec for heaters,
furnaces and boilers at maximum load. The addition of a flame arrestor and fouling of the sensor
significantly increase the response time of "in situ" zirconia sensors.
o A heated Zirconium oxide sensor without flame arrestors can be an ignition source for an air/fuel mixture
during a purge sequence or during an upset.
The best practices for reliable oxygen measurements in heaters and furnaces with zirconia sensors are the
following:
o Use of a sampling probe at the top of the radiant section, preferably at the inlet of the convection section.
The sampling location should be deep enough into the flue gas stream in order to avoid a measurement bias
due to presence of tramp air close to the walls.
o Use of a system with a jet pump to guarantee a response time not longer than 15 sec, even on sensors
equipped with flame arrestors. This is most important if automatic fuel cutback is to be implemented to
correct upset in firing conditions before a hazardous situation is reached.
It should be noted that analyzers are more complex than transmitters and require considerably more knowledge
and attention to detail to ensure high analyzer availability. Low availability is frequently traceable to a lack of
proper maintenance and training, not to the analyzer.
Although zirconia sensors have been successfully used for a number of years, tunable diode lasers (TDLs) have
been introduced in the past few years and are emerging as alternative technologies. TDLs are currently more
expensive that zirconia-based analyzer s, but require less maintenance. Other advantages of TDLs include a
measurement over a line-of-sight which provides a better spatial averaging across the stream of combustion products
and a response time of 5 sec or less.
16 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 15
4.3.4. CO analyzers
Although CO analyzers have not been commonly used to detect sub-stoichiometric firing due to the lack of
reliable analyzers and slow response time, the situation is changing. Tunable diode lasers (TDLs) for CO and have
demonstrated several key advantages as their ability to measure the CO concentration over a line-of–sight up to
about 20 m allow s detect ing CO emissions from one poorly operating burner or firebox flooding. Tunable diode
lasers for CO measurements can be expected to be more widely used in the coming years as their cost reduces.
4.3.5. Improvements in fuel gas flow measurement
Considering the regular changes in refinery fuel gas composition, controlling the fuel gas mass flow rather than
volume flow is considered a good practice to reduce the dependence on flue gas analyzers to keep the heaters within
operational limits. Fuel gas m ass flow is often measured with differential pressure systems compensated for
pressure, temperature and density. In recent years, Coriolis mass flow meters have shown to be more accurate and
provide a wider measurement range as they offer a direct measurement of mass flow with no need to pressure,
temperature or density compensation. The improved measurement accuracy allows operating more reliably with a
lower oxygen concentration setpoint.
4.3.6. Flame scanners
Flame scanners have been required by the NFPA 85 boiler code since its first edition in 1964. They are generally
required by the prescriptive standards applicable to new industrial heaters and furnaces. Flame scanners, however,
have not been commonly used in refinery heaters and petrochemical furnaces. Few operating companies use them
systematically; many do not unless the jurisdiction requires them to.
A common practice in the refining industry has been to consider that the burner is presumed to be firing after
initial light-off and subsequent operation provided that:
o the fuel gas is clean, without inerts or only a low and stable concentration of inerts,
o the fuel gas supply is kept within the pressure range per the burner manufacturer,
o the burners are operated with adequate excess air ,
o the burner flame stability has been proved.
It can be noted that flame scanners are no panacea for fired equipment safety. They only indicate whether a flame
is present or not and they cannot detect fuel rich condition, which is one of the highest risks of heater operation.
Although a large majority of fired heaters are not equipped with flame scanners, statistics on fired heater do not
indicate a higher rate of accidents than on boilers which generally do have flame scanners.
When included in a burner management system and combined with an automatic shut off valve on every burner,
the main benefit of flame scanners is to allow the startup of fired equipment with the operator at a safe location. The
BMS can automatically close the burner manual valve if the flame is not detected after a prescribed time (typically 3
to 5 sec). Many in the Industry have argued that the benefit of introducing flames scanners, new automatic valves on
every burner and new burner management systems on existing heaters does not justify the huge cost and complexity.
One can further note that the justification to use or not to use flame scanners should be made on technical
grounds. Calculation of the time required to reach the Lower Explosive Limit (LEL) in case of a delayed burner
ignition shows that the explosion risk is strongly dependent on the fuel and air flows during the trial- for- ignition
period. Practically, assuming that the burners are ignited at a similar turndown condition, the time required to reach
the LEL is strongly dependent on the number of burners. If the number of burners is high, the low fuel gas rate
through one burner is diluted with a high air through all burners. This results in a time to reach LEL long enough to
be compatible with a manual operator procedure. This is consistent with the long-standing practice of manual ly
igniting fired heaters and furnaces which typically have many burners. The corollary is that during startup
conditions, the LEL can be reached more rapidly in fired equipments with a low number of high capacity burners.
This situation is encountered in boilers and some forced draft heaters with few high capacity burners. It can be
suggested that when the number of burners in a combustion chamber is between one and six, the benefit of a burner
management system with flame scanners and automatic shutoff valves on every burner is easier to demonstrate and
the extra cost and complexity are justified by the extra risk reduction.
16 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
4.3.7. Techniques for improving purge in cold firebox (e.g. stack eductors to keep firebox dry)
Experience has shown that purging a combustion chamber with snuffing steam can severely affect the reliability
of the flame scanners and pilots, particularly if they are fitted with ignition rods and ionization flame detection.
Purging with snuffing steam can also damage the refractory lining. A more modern solution implemented by a
growing number of owner/operators is to use a steam eductor above the stack damper to establish a purge flow into
natural draft heaters. Nowadays, the use of snuffing steam appears to be owner/operator dependent. Some will not fit
snuffing steam on new heaters and let a fire burn itself off in the firebox in the event of a tube rupture. Others
continue to equip their heaters with snuffing steam and will use snuffing steam at the final stage of an uncontrolled
heater fire essentially to purge and cool the firebox.
4.3.8. C ontrol of the fuel gas flow at startup
It is largely agreed that controlling the fuel gas pressure at light-off is an important safety requirement. In the
past, the norm was to ignite burners manually. The operator procedure would specify to open the burner manual
valve slowly to ensure a smooth ignition. More recent burner ignition methods with the operator at a safe location
have shown that when the fuel gas control valve lacks the required turndown to light the first few burners, the first
burners will need to be ignited at a higher pressure to prevent tripping on low fuel gas pressure. A startup override to
defeat the high pressure trip is then required until enough burners can be ignited for the control valve to be within
control range.
Thus, the correct selection and sizing of the fuel gas control valve is a critical design issue. Unfortunately, the
process data on valve specification sheets is typically provided for all burners in service and rarely identify the
turndown requirements to light the first few burners of a multiple burner system. If a heater is equipped with six
burners and if burner ignition is to be performed at ¼ of the burner capacity, the required turndown of the control
valve should be a very minimum of 24. This widely exceeds the 1 to 10 turn- down of a globe valve.
A preferable, inherently safer practice is to p roperly size the control valve or install a startup regulator to assist
the operator, is lighting the burners at lower pre ssure. When the control valve lacks sufficient startup turndown to
light the first burner, the common best practices to maintain the desired light -off pressure are to install a small
bypass line with a startup regulator or to select a Vee-ball with improved startup turndown (estimated at 300:1 or
better). The benefit of a startup regulator is that it requires no action by the operator to hold light-off pressure. In
contrast, the controller output to the Vee-ball will have to be manually adjusted (from burner curve calculations)
until the valve is within control range for automatic pressure control.
5. Conclusions
The design and operation of fired equipment has seen in the last 50 years continuous improvements in safety,
efficiency and environmental performance. In the Oil & Gas industry, heaters and furnaces designed prior to 1975
were often of natural draft type with many low capacity burners. Their level of instrumentation and controls was
low, and the risk mitigation measures rested for a large part on operator procedures, operator skills, operator
response to upsets and alarms and other severity reduction means such as explosion doors and snuffing steam. The
risk of sub- stoichiometric firing was mitigated by operating with high excess air and high draft.
The drive for safer operation with higher availability, energy efficiency, lower NOx emissions and fewer
nuisance trips has led operating companies to modify their approach to fired equipment safety. The modern best
practice is to distribute the risks across independent protection layers. These safety barriers rely on control systems
with constraints and safety instrumented functions, but also on operational excellence (operator training and
procedures), preventive, reliability -centered maintenance and risk based inspection.
New fired equipment designs will involve better instrumentation, better controls and a more comprehensive
safety instrumented system. As specified by the current legislation, European process heaters will be equipped with
flame scanners and two safety shutoff valves per burner. Th ese requirement s will promote the use of forced draft
furnaces with a small number of high capacity burners. The use of high capacity burners will be made possible by
the use of higher pressure drop burners which help keep the flame length short. As the approach to fired equipment
safety shifts from mitigating consequences to mitigating the risk of explosions and fires, explosion doors and
snuffing steam may become obsolete. Operators will still have a key ro le in fired equipment operation. However, the
Jacques Dugué / Energy Procedia 120 (2017) 2–19 17
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 15
4.3.4. CO analyzers
Although CO analyzers have not been commonly used to detect sub-stoichiometric firing due to the lack of
reliable analyzers and slow response time, the situation is changing. Tunable diode lasers (TDLs) for CO and have
demonstrated several key advantages as their ability to measure the CO concentration over a line-of–sight up to
about 20 m allow s detect ing CO emissions from one poorly operating burner or firebox flooding. Tunable diode
lasers for CO measurements can be expected to be more widely used in the coming years as their cost reduces.
4.3.5. Improvements in fuel gas flow measurement
Considering the regular changes in refinery fuel gas composition, controlling the fuel gas mass flow rather than
volume flow is considered a good practice to reduce the dependence on flue gas analyzers to keep the heaters within
operational limits. Fuel gas m ass flow is often measured with differential pressure systems compensated for
pressure, temperature and density. In recent years, Coriolis mass flow meters have shown to be more accurate and
provide a wider measurement range as they offer a direct measurement of mass flow with no need to pressure,
temperature or density compensation. The improved measurement accuracy allows operating more reliably with a
lower oxygen concentration setpoint.
4.3.6. Flame scanners
Flame scanners have been required by the NFPA 85 boiler code since its first edition in 1964. They are generally
required by the prescriptive standards applicable to new industrial heaters and furnaces. Flame scanners, however,
have not been commonly used in refinery heaters and petrochemical furnaces. Few operating companies use them
systematically; many do not unless the jurisdiction requires them to.
A common practice in the refining industry has been to consider that the burner is presumed to be firing after
initial light-off and subsequent operation provided that:
o the fuel gas is clean, without inerts or only a low and stable concentration of inerts,
o the fuel gas supply is kept within the pressure range per the burner manufacturer,
o the burners are operated with adequate excess air ,
o the burner flame stability has been proved.
It can be noted that flame scanners are no panacea for fired equipment safety. They only indicate whether a flame
is present or not and they cannot detect fuel rich condition, which is one of the highest risks of heater operation.
Although a large majority of fired heaters are not equipped with flame scanners, statistics on fired heater do not
indicate a higher rate of accidents than on boilers which generally do have flame scanners.
When included in a burner management system and combined with an automatic shut off valve on every burner,
the main benefit of flame scanners is to allow the startup of fired equipment with the operator at a safe location. The
BMS can automatically close the burner manual valve if the flame is not detected after a prescribed time (typically 3
to 5 sec). Many in the Industry have argued that the benefit of introducing flames scanners, new automatic valves on
every burner and new burner management systems on existing heaters does not justify the huge cost and complexity.
One can further note that the justification to use or not to use flame scanners should be made on technical
grounds. Calculation of the time required to reach the Lower Explosive Limit (LEL) in case of a delayed burner
ignition shows that the explosion risk is strongly dependent on the fuel and air flows during the trial- for- ignition
period. Practically, assuming that the burners are ignited at a similar turndown condition, the time required to reach
the LEL is strongly dependent on the number of burners. If the number of burners is high, the low fuel gas rate
through one burner is diluted with a high air through all burners. This results in a time to reach LEL long enough to
be compatible with a manual operator procedure. This is consistent with the long-standing practice of manual ly
igniting fired heaters and furnaces which typically have many burners. The corollary is that during startup
conditions, the LEL can be reached more rapidly in fired equipments with a low number of high capacity burners.
This situation is encountered in boilers and some forced draft heaters with few high capacity burners. It can be
suggested that when the number of burners in a combustion chamber is between one and six, the benefit of a burner
management system with flame scanners and automatic shutoff valves on every burner is easier to demonstrate and
the extra cost and complexity are justified by the extra risk reduction.
16 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
4.3.7. Techniques for improving purge in cold firebox (e.g. stack eductors to keep firebox dry)
Experience has shown that purging a combustion chamber with snuffing steam can severely affect the reliability
of the flame scanners and pilots, particularly if they are fitted with ignition rods and ionization flame detection.
Purging with snuffing steam can also damage the refractory lining. A more modern solution implemented by a
growing number of owner/operators is to use a steam eductor above the stack damper to establish a purge flow into
natural draft heaters. Nowadays, the use of snuffing steam appears to be owner/operator dependent. Some will not fit
snuffing steam on new heaters and let a fire burn itself off in the firebox in the event of a tube rupture. Others
continue to equip their heaters with snuffing steam and will use snuffing steam at the final stage of an uncontrolled
heater fire essentially to purge and cool the firebox.
4.3.8. C ontrol of the fuel gas flow at startup
It is largely agreed that controlling the fuel gas pressure at light-off is an important safety requirement. In the
past, the norm was to ignite burners manually. The operator procedure would specify to open the burner manual
valve slowly to ensure a smooth ignition. More recent burner ignition methods with the operator at a safe location
have shown that when the fuel gas control valve lacks the required turndown to light the first few burners, the first
burners will need to be ignited at a higher pressure to prevent tripping on low fuel gas pressure. A startup override to
defeat the high pressure trip is then required until enough burners can be ignited for the control valve to be within
control range.
Thus, the correct selection and sizing of the fuel gas control valve is a critical design issue. Unfortunately, the
process data on valve specification sheets is typically provided for all burners in service and rarely identify the
turndown requirements to light the first few burners of a multiple burner system. If a heater is equipped with six
burners and if burner ignition is to be performed at ¼ of the burner capacity, the required turndown of the control
valve should be a very minimum of 24. This widely exceeds the 1 to 10 turn- down of a globe valve.
A preferable, inherently safer practice is to p roperly size the control valve or install a startup regulator to assist
the operator, is lighting the burners at lower pre ssure. When the control valve lacks sufficient startup turndown to
light the first burner, the common best practices to maintain the desired light -off pressure are to install a small
bypass line with a startup regulator or to select a Vee-ball with improved startup turndown (estimated at 300:1 or
better). The benefit of a startup regulator is that it requires no action by the operator to hold light-off pressure. In
contrast, the controller output to the Vee-ball will have to be manually adjusted (from burner curve calculations)
until the valve is within control range for automatic pressure control.
5. Conclusions
The design and operation of fired equipment has seen in the last 50 years continuous improvements in safety,
efficiency and environmental performance. In the Oil & Gas industry, heaters and furnaces designed prior to 1975
were often of natural draft type with many low capacity burners. Their level of instrumentation and controls was
low, and the risk mitigation measures rested for a large part on operator procedures, operator skills, operator
response to upsets and alarms and other severity reduction means such as explosion doors and snuffing steam. The
risk of sub- stoichiometric firing was mitigated by operating with high excess air and high draft.
The drive for safer operation with higher availability, energy efficiency, lower NOx emissions and fewer
nuisance trips has led operating companies to modify their approach to fired equipment safety. The modern best
practice is to distribute the risks across independent protection layers. These safety barriers rely on control systems
with constraints and safety instrumented functions, but also on operational excellence (operator training and
procedures), preventive, reliability -centered maintenance and risk based inspection.
New fired equipment designs will involve better instrumentation, better controls and a more comprehensive
safety instrumented system. As specified by the current legislation, European process heaters will be equipped with
flame scanners and two safety shutoff valves per burner. Th ese requirement s will promote the use of forced draft
furnaces with a small number of high capacity burners. The use of high capacity burners will be made possible by
the use of higher pressure drop burners which help keep the flame length short. As the approach to fired equipment
safety shifts from mitigating consequences to mitigating the risk of explosions and fires, explosion doors and
snuffing steam may become obsolete. Operators will still have a key ro le in fired equipment operation. However, the
18 Jacques Dugué / Energy Procedia 120 (2017) 2–19
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 17
fired equipment will be designed to keep the field operator at a safe location during the pilot and burner startup
sequence, thus reducing the operator's exposure to startup hazard .
The modernization of old fired equipment will be more challenging and will require compromises. Detailed risk
analysis should demonstrate that better instrumentation, control safety and safety instrumented systems reduce the
risks to a tolerable level. The retrofit of flame scanners and automatic shutoff valves on burners of existing fired
equipment may be neither practical nor technically justified on heaters equipped with many low capacity burners.
The use of performance based standards defining best practices for different classes of fired equipment may be
recommended. On the positive side, experience h as shown that implementation of controls with constraints and
automatic fuel cutbacks have demonstrated good results at operating safely and minimizing nuisance trips. Current
trends are to evaluate the change in air demand in response to change in fuel gas composition in order to reduce the
burden on flue gas analyzers to keep the heater within operational limits. Additional considerations should be given
to startup control turndown (e.g. startup regulator) to reduce the risk of creating a hazardous gas mixture at startup.
Acknowledgements
The author wishes to express his deepest gratitude to Doug Smith and Dave Wilson for sharing their extensive
experience on fired equipment safety through many hours of personal discussions. The author would also like to
acknowledge the numerous fruitful discussions with his colleagues at TOTAL Refining & Chemicals and TOTAL
HSE and his counterparts at API meetings.
18 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
References
Regulations, Codes, and Standards
[1] API RP 538; "Industrial fired boilers for general refinery and petrochemical service", 1st ed.; 2015.
[2] API RP 556; "Instrumentation, control, and protective systems for gas fired heaters", 1st ed.; 1997, 2nd ed.; 2011.
[3] AS 3814 Australian Standard , "Industrial and commercial gas-fired appliances"; 2009.
[4] CGA H- 10, "Combustion safety for steam reformer operation", Published by the Compressed Gas Association, 1st ed; 2012.
[5] CGA H- 11, "Safe startup and shutdown practices for steam reformers", 1st ed.; 2013.
[6] CSA B149.3; "Code for the field approval of fuel-related components on appliances and equipment", 1st ed.; 1989; 5th ed.; 2015.
[7] EN 746-2; Industrial therm. equipment; Part 2: "Safety requirements for com bustion and fuel handling systems", 1st ed.; 1997, 2nd ed. 2010.
[8] ISO 13577, Industrial furnaces and associated processing equipment safety; Part 1: "General requirements", 1st ed.; 2012.
[9] ISO 13577, Industrial furnaces and associated processing equipment safety; Part 2: "Combustion and fuel handling systems", 1st ed.; 2014.
[10] NFPA 68; "explosion prevention by deflagration venting"; 2007.
[11] NFPA 85; "Boiler and Combustion Systems Hazards Code"; 2015.
[12] NFPA 86; Standard for Ovens and Furnaces; 2015.
[13] NFPA 87; "Recommended Practice for Fluid Heaters"; 2015.
[14] ISA TR84.00.02, Part 1; Safety instrum . functions (SIF) and safety integrity level (SIL) evaluation techniques, 1st ed. 2002, 2nd ed. 2015.
[15] IEC 61508- 1; "Functional safety of programmable safety-related systems; Part 1: General requirements", 1st ed.; 1998, 2nd ed.; 2010.
[16] IEC 61511-1; "Functional safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system,
hardware and application programming requirements", 1st ed.; 2003; 2nd ed.; 2016.
[17] Arrêté du 26 août 2013 relatif aux installations de combustion d'une puissance supérieure ou égale à 20 MW soumises à autorisation au titre
de la rubrique 2910 et de la rubrique 2931 ; Titre VII : Prévention des risques d'incendie et d'explosion.
Textbooks
[18] "Safe furnace firing", American Oil Company, American, revised 2nd ed.; 1963.
[19] "Safe furnace and boiler firing", Process safety booklet three, BP, 4th ed.; 2003.
[20] W.E. Baker, P.A. Cox, J.J. Kulesz, R.A. Strehlow, P.S. Westine; "Explosion hazards and evaluation"; Elsevier; 2012.
[21] Lees' "Loss Prevention in the Process Industries, Hazard Identification, Assessment and Control" (3 volumes); Elsevier; 4th ed.,; 2012.
[22] Roger Newnham; Direct-fired heaters; Operator training manual; Kingsley Knowledge Publishing; 2013.
Literature
[23] G. Ostroot, Jr., "Explosions in Gas or oil-fired Furnaces : A look at the causes of over 200 furnace explosions and the primary lessons
derived from them; Monsanto Co." ; St. Louis, Mo; Loss prevention, vol. 6; 1972.
[24] G. Ostroot, Jr., "Case history: A two burner boiler explosion" ; Monsanto Co., St. Louis, Hydrocarbon Processing, Dec. 1976.
[26] R.A. Hancock, P. Spittle and R.G. Ward; "Safety standards for large burners: new criteria for burner start-up"; British Gas Corporation,
Midlands Research Station, IFRF Doc F21/ca/25; 1977.
[27] W.S. Lee, D.L. Grosh, F.A. Tillman, C.H. Lie, "Fault tree analysis, methods, and applications-A r eview", IEEE; Trans . on Reliability; 1985.
[28] R. E. Sparrow, "Firebox e xplosion furnace in a primary reformer , Analysis of the incident with some practical considerations for reducing
the risk"; Western Co-operative Fertilizers Ltd., Calgary, Canada ; Plant/Operations Progress (Vol. 5, No.2); April 1986.
[29] G.D. Davis, "Investigation and repair of an auxiliary boiler explosion"; Plant/Ope rations Progress (vol. 6, no.1); Jan 1987.
[30] T.A.Kletz, "Hazop-past and future"; Reliability Engineering; System Safety; 1997.
[31] P Fewtrell, "A review of high-cost chemical/petrochemical accidents since Flixborough 1974"; WS Atkins Consultants Ltd, Warrington,
Cheshire, UK, IchemE Loss Prevention Bulletin no 140 ; April 1998.
[32] "Modifications After a Primary Reformer Explosion at a Reforming Plant"; Ammonia Technical Manual ; 1999.
[33] WHSCC, "Accident Investigation Report on the Explosion and Fire at the Irving Oil Refinery Saint John, New Brunswick"; June 1999.
[34] "Explosion at a styrene plant", Center for Chemical Process Safety, AIChE; Jan. 2004.
[35] R. Newnham and P. Chau, "Safety c ontrols and burner management systems (BMS) on direct-fired multiple burner heaters"; Born Heaters
Canada Ltd; 2006.
[36] A. Hawryluk, "Hazardous flue gas mixtures in furnaces due to fuel-rich combustion"; NOVA Chemicals Corp., Ethylene Producers Conf.,
April 2008.
[37] R. Limaye, "Operator response to alarms is an important protection layer"; Praxair, Houston, Texas; Hydrocarbon Processing; M arch 2013.
[38] William G. Bridges, "Lessons Learned from Application of LOPA throughout the Process Lifecycle", 10th Global Congress on Process
Safety, New Orleans, LA, March 31- April 2; 2014.
[39] P. Fisher, "Monitor safety with improved risk performance indicators" ; ACM Facility Safety, Calgary, Alberta, Canada ; Hydrocarbon
Processing; Dec. 2014.
[40] L.D. Wilson, "Conclusions from TOTeM 43 on safe design and operation of fired equipment in the oil and gas industry";
IFRF Doc. no G 22/y/01; 28 Sept. 2016.
Jacques Dugué / Energy Procedia 120 (2017) 2–19 19
Jacques Dugué / Energy Procedia 00 (20 17) 000–000 17
fired equipment will be designed to keep the field operator at a safe location during the pilot and burner startup
sequence, thus reducing the operator's exposure to startup hazard .
The modernization of old fired equipment will be more challenging and will require compromises. Detailed risk
analysis should demonstrate that better instrumentation, control safety and safety instrumented systems reduce the
risks to a tolerable level. The retrofit of flame scanners and automatic shutoff valves on burners of existing fired
equipment may be neither practical nor technically justified on heaters equipped with many low capacity burners.
The use of performance based standards defining best practices for different classes of fired equipment may be
recommended. On the positive side, experience h as shown that implementation of controls with constraints and
automatic fuel cutbacks have demonstrated good results at operating safely and minimizing nuisance trips. Current
trends are to evaluate the change in air demand in response to change in fuel gas composition in order to reduce the
burden on flue gas analyzers to keep the heater within operational limits. Additional considerations should be given
to startup control turndown (e.g. startup regulator) to reduce the risk of creating a hazardous gas mixture at startup.
Acknowledgements
The author wishes to express his deepest gratitude to Doug Smith and Dave Wilson for sharing their extensive
experience on fired equipment safety through many hours of personal discussions. The author would also like to
acknowledge the numerous fruitful discussions with his colleagues at TOTAL Refining & Chemicals and TOTAL
HSE and his counterparts at API meetings.
18 Jacques Dug u̩/ Energy Procedia 00 (2017 ) 000 Р000
References
Regulations, Codes, and Standards
[1] API RP 538; "Industrial fired boilers for general refinery and petrochemical service", 1st ed.; 2015.
[2] API RP 556; "Instrumentation, control, and protective systems for gas fired heaters", 1st ed.; 1997, 2nd ed.; 2011.
[3] AS 3814 Australian Standard , "Industrial and commercial gas-fired appliances"; 2009.
[4] CGA H- 10, "Combustion safety for steam reformer operation", Published by the Compressed Gas Association, 1st ed; 2012.
[5] CGA H- 11, "Safe startup and shutdown practices for steam reformers", 1st ed.; 2013.
[6] CSA B149.3; "Code for the field approval of fuel-related components on appliances and equipment", 1st ed.; 1989; 5th ed.; 2015.
[7] EN 746-2; Industrial therm. equipment; Part 2: "Safety requirements for com bustion and fuel handling systems", 1st ed.; 1997, 2nd ed. 2010.
[8] ISO 13577, Industrial furnaces and associated processing equipment safety; Part 1: "General requirements", 1st ed.; 2012.
[9] ISO 13577, Industrial furnaces and associated processing equipment safety; Part 2: "Combustion and fuel handling systems", 1st ed.; 2014.
[10] NFPA 68; "explosion prevention by deflagration venting"; 2007.
[11] NFPA 85; "Boiler and Combustion Systems Hazards Code"; 2015.
[12] NFPA 86; Standard for Ovens and Furnaces; 2015.
[13] NFPA 87; "Recommended Practice for Fluid Heaters"; 2015.
[14] ISA TR84.00.02, Part 1; Safety instrum . functions (SIF) and safety integrity level (SIL) evaluation techniques, 1st ed. 2002, 2nd ed. 2015.
[15] IEC 61508- 1; "Functional safety of programmable safety-related systems; Part 1: General requirements", 1st ed.; 1998, 2nd ed.; 2010.
[16] IEC 61511-1; "Functional safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system,
hardware and application programming requirements", 1st ed.; 2003; 2nd ed.; 2016.
[17] Arrêté du 26 août 2013 relatif aux installations de combustion d'une puissance supérieure ou égale à 20 MW soumises à autorisation au titre
de la rubrique 2910 et de la rubrique 2931 ; Titre VII : Prévention des risques d'incendie et d'explosion.
Textbooks
[18] "Safe furnace firing", American Oil Company, American, revised 2nd ed.; 1963.
[19] "Safe furnace and boiler firing", Process safety booklet three, BP, 4th ed.; 2003.
[20] W.E. Baker, P.A. Cox, J.J. Kulesz, R.A. Strehlow, P.S. Westine; "Explosion hazards and evaluation"; Elsevier; 2012.
[21] Lees' "Loss Prevention in the Process Industries, Hazard Identification, Assessment and Control" (3 volumes); Elsevier; 4th ed.,; 2012.
[22] Roger Newnham; Direct-fired heaters; Operator training manual; Kingsley Knowledge Publishing; 2013.
Literature
[23] G. Ostroot, Jr., "Explosions in Gas or oil-fired Furnaces : A look at the causes of over 200 furnace explosions and the primary lessons
derived from them; Monsanto Co." ; St. Louis, Mo; Loss prevention, vol. 6; 1972.
[24] G. Ostroot, Jr., "Case history: A two burner boiler explosion" ; Monsanto Co., St. Louis, Hydrocarbon Processing, Dec. 1976.
[26] R.A. Hancock, P. Spittle and R.G. Ward; "Safety standards for large burners: new criteria for burner start-up"; British Gas Corporation,
Midlands Research Station, IFRF Doc F21/ca/25; 1977.
[27] W.S. Lee, D.L. Grosh, F.A. Tillman, C.H. Lie, "Fault tree analysis, methods, and applications-A r eview", IEEE; Trans . on Reliability; 1985.
[28] R. E. Sparrow, "Firebox e xplosion furnace in a primary reformer , Analysis of the incident with some practical considerations for reducing
the risk"; Western Co-operative Fertilizers Ltd., Calgary, Canada ; Plant/Operations Progress (Vol. 5, No.2); April 1986.
[29] G.D. Davis, "Investigation and repair of an auxiliary boiler explosion"; Plant/Ope rations Progress (vol. 6, no.1); Jan 1987.
[30] T.A.Kletz, "Hazop- past and future"; Reliability Engineering; System Safety; 1997.
[31] P Fewtrell, "A review of high-cost chemical/petrochemical accidents since Flixborough 1974"; WS Atkins Consultants Ltd, Warrington,
Cheshire, UK, IchemE Loss Prevention Bulletin no 140 ; April 1998.
[32] "Modifications After a Primary Reformer Explosion at a Reforming Plant"; Ammonia Technical Manual ; 1999.
[33] WHSCC, "Accident Investigation Report on the Explosion and Fire at the Irving Oil Refinery Saint John, New Brunswick"; June 1999.
[34] "Explosion at a styrene plant", Center for Chemical Process Safety, AIChE; Jan. 2004.
[35] R. Newnham and P. Chau, "Safety c ontrols and burner management systems (BMS) on direct-fired multiple burner heaters"; Born Heaters
Canada Ltd; 2006.
[36] A. Hawryluk, "Hazardous flue gas mixtures in furnaces due to fuel-rich combustion"; NOVA Chemicals Corp., Ethylene Producers Conf.,
April 2008.
[37] R. Limaye, "Operator response to alarms is an important protection layer"; Praxair, Houston, Texas; Hydrocarbon Processing; M arch 2013.
[38] William G. Bridges, "Lessons Learned from Application of LOPA throughout the Process Lifecycle", 10th Global Congress on Process
Safety, New Orleans, LA, March 31- April 2; 2014.
[39] P. Fisher, "Monitor safety with improved risk performance indicators" ; ACM Facility Safety, Calgary, Alberta, Canada ; Hydrocarbon
Processing; Dec. 2014.
[40] L.D. Wilson, "Conclusions from TOTeM 43 on safe design and operation of fired equipment in the oil and gas industry";
IFRF Doc. no G 22/y/01; 28 Sept. 2016.
... Decision making: According to the risk reduction control measures and principles, consider the cost-effectiveness to formulate improvement strategies, and regularly implement supervision and assessment to determine the risk reduction performance [11][12][13][14]. ...
... • Risk control: According to the risk assessment results compare with the critical risk value, then take control measures for risk reduction. • Decision making: According to the risk reduction control measures and principles, consider the cost-effectiveness to formulate improvement strategies, and regularly implement supervision and assessment to determine the risk reduction performance [11][12][13][14]. ...
... T' = (X4+X5+X6+X7)' + X2' + (X10+X11+X12)' (13) T' = X4'·X5'·X6'·X7' + X2' + X10'·X11'·X12' ...
To prevent and mitigate chemical risks in the petrochemical industry, such as fires and spillage, process safety management (PSM), is essential, especially where flammable, corrosive, explosive, toxic, or otherwise dangerous chemicals are used. We investigated process safety (PS) between man–machine (material equipment) and environmental interfaces by using process hazard analysis (PHA) and fault tree analysis (FTA). By analyzing the data obtained through machinery and mechanical integrity (MI), pre-startup safety review (PSSR), current operating modes, and areal locations of hazardous atmospheres (ALOHA) simulations of the disaster's aftermath, the cause of the styrene plant accident was found to be the fuel furnace (F101) switching process. Although the furnace had been extinguished, fuel continued to enter the furnace, and it was exposed to a high-temperature surface, resulting in the flashing ignition of the C4 fuel. The plan-do-check-act (PDCA) management model can be used to forestall the system from accident, and it is used to improve the proposal and develop countermeasures that would increase PSM performance and substantially lessen the impact of the thermal hazard. Disasters are often attributable to the unsafe state of machinery, equipment, or the environment, dangerous behaviors of the operator, and the lack of a thorough management system. It is anticipated that the investigation and analysis of the accident would not only find the real cause of the disaster but also lead to the establishment of better effective solutions for common safety problems.
... However, no data analysis was conducted for this study. Additional research papers [ see (Dugué 2017), (Pan and Dias 2017), (Ye et al. 2019), (Attwood, Khan, and Veitch 2006), (Jocelyn, Ouali, and Chinniah 2018),] also involved only data analysis for machinery safety research. Hence, no model formation for machinery safety improvements was done for most research papers involving data analysis. ...
... In case of restarting the boiler firebox, if the operators feed in fresh air very quickly, oxygen will rapidly combust with already present unburnt hydrocarbons, leading to uncontrolled risk. Various investigations have suggested these conditions as a precursor to firebox explosions (Dugué, 2017). Second, if air is stoichiometrically increased for hydrogen, the boiler's radiation zone duty will shoot up aggressively (base case boiler duty was 25 Million kJ/hr compared to 63 Million kJ/hr of duty with pure H 2 at stoichiometric AFR). ...
Flare gas integration with a cogeneration plant benefits from utilizing waste gases containing high heating value hydrocarbons as a supplemental fuel to the boilers. A key challenge in integrating flare gas with a cogeneration system is the need to ensure operational safety and satisfactory performance. Conventional hazard identification techniques require collective team knowledge, experience, and information about the process. Because of the limited information on a new flare gas integrated cogeneration plant, unawareness of warning signals, inability to predicts specific atypical scenarios, or general limitations in organizational systems, it is possible for the evaluation team to miss potential risks associated with the process. To overcome these limitations, this paper proposes a model to identify process hazards through process simulation, sensitivity analysis, and data evaluation during the initial stages of process design. The model uses commercial software Aspen HYSYS for process simulation. In sensitivity analysis, manipulated variables are systematically selected based on scenario predictive methods, and the variations in the processes are analyzed using linear regression models to develop quantitative insights without information loss. The model investigated the effect of variable flare gas conditions and their quality on the existing fired gas boiler. Results showed that the flare gas temperature has a nominal effect on the process. However, changes in flare gas composition - high hydrogen carryover (above 70 mol% with CH4 or above 40 mol% with C2H4) can affect the boilers radiation zone temperature and combustion profile inside the firebox. If not prevented, these events can further amplify to loss-control events such as flame impingement, firebox instability, steam explosion, and tube rupture.
... [12][13][14][15] Many mathematical-based equations and models have been introduced over the years to facilitate the determination of such temperature. [16][17][18] Dugue 19 has reviewed how the operation and design of fired equipment had been developed over the previous 50 years to address growing requirements on energy efficiency, safety, environmental performance, and availability at an agreeable cost. ...
Energy costs represent about 65% of the running cost of a chemical, petrochemical, or refining plant. Furnace fuel represents the largest percent of this cost as it consumes large amounts of fuel to produce the necessary heat duty. Therefore, it is important for fired heaters to have an efficient system for monitoring operational parameters to reach the optimum performance and minimum stack emissions with an acceptable safety levels. One of the most critical operational parameters to be measured is the tube metal temperature (TMT) inside the radiation section. Excessive TMT can accelerate tube creep, hydrogen attack, and external and internal corrosion of the tube wall. The objective of this work is to develop a program capable of calculating precisely and continuously TMT instead of using external pyrometers that measure it only at certain times for heaters not equipped with thermocouples. The program can also be a predictive tool for estimating the changes of TMT at various temporarily conditions such as raising the fired heater capacity. Four case studies were investigated; the results showed a good agreement between the actual results and the proposed program results with a maximum deviation lower than 6%, which indicates the validity of the introduced program.
... New boiler management systems are equipped with many interlocks to keep the furnace in purged conditions under any unsteady state. Tube side failures are mostly attributed to corrosion or brittleness caused by operational mishandling or manufacturing [14][15][16][17][18]. Disturbed water chemistry has also been reported to trigger such incidents because of scaling which causes localized overheating [19][20][21][22][23]. Localized overheating can also be caused by the outer layer deposits [24] and dry running of the tubes [25]. ...
Industrial boilers simulation can serve number of purposes like training, optimization, HAZOP studies, and incident investigation. Simulation including trip logics, interlockings, safety devices, start-up and shutdown procedure is presented in this work. Simulation is directly accomplished in dynamic mode to benefit from the holdup approach to avoid anomalies because of recycling. The industrial DCS/PLC diagrams are replicated to imitate the boiler-integrated behavior. Trip logics, start-up and shutdown procedures are programmed using event scheduler. The inbuilt pressure relief module validates the simulated PSVs and rupture disc capacities. The model is then verified at three stages including 'steady state' achievement in dynamic mode, controller validation by start-up and shut down procedures and finally by direct industrial data under deviant conditions. Where an unfortunate event is a concern, it also provides an opportunity to ponder and to evolve at various levels. Operational simulation of any such incident may help in getting a deep insight and thus to take accurate countermeasures. One such attempt is done in this work. A boiler accident has been reported. The complete response of the controllers and interlockings/trip system is imitated. The obtained results were compared with the chain of events that took place. © 2019 American Institute of Chemical Engineers Process Saf Prog, 2019
A historical analysis was carried out on 189 accidents that occurred in gas and oil fuel fired equipment. The variation of frequency as a function of time, the main causes leading to a fire or an explosion, as well as the consequences of the accidents were studied. Explosion was the most frequent accident, followed by fire; in a few cases the final outcome was a release. Accidents in gas fired combustion equipment were significantly more frequent than those in the liquid fired ones. The main causes were tube rupture and/or error in ignition/reignition sequences, followed by loss of flame in the combustion chamber and, with a minor frequency, entrance of non-expected fuel and presence of non-combusted materials. The consequences on people were much more important in case of explosions than in case of fires. Even though the equipment involving combustion chambers can be considered essentially safe, this historical analysis has shown that accidents continue to occur with certain frequency because the number of existing units is quite high and the possibility of human error during its operation and maintenance is still significant.
- Mostafa Mirzaei Aliabadi
To address human error in system reliability, Human Reliability Analysis (HRA) is an essential issue. Human Error Assessment and Reduction Technique (HEART) as a rather straightforward technique for HRA has successfully been used in many areas to predict human error probability (HEP). However, knowledge acquisition of experts during assessed proportion of affect (APOA) calculation is subjected to vagueness and ambiguity. To overcome this challenge, in this paper Intuitionistic Fuzzy (IF) set due to their advantage to represent more fuzzy information than a classical fuzzy set adopted through APOA calculation. To demonstrate this hybrid approach short for, IF-HEART, the furnace start-up operation is handled, since analysis shows that most of explosions and losses occur during furnace start-ups operation. Further, a sensitivity analysis is carried out to approve the proposed integrated approach. In addition to its academic contribution, the results of the paper enable to improve the overall safety level of a furnace by taking into account potential human error.
- Alexander V. Golikov
- Dmitry I. Subbotin
Relevance. Due to the widespread use in practice, tubular furnaces were chosen as the object of study of this work. The article provides an analysis of damage to the supporting structures of oil refining tubular furnaces. The causes of damage and the physical nature of the development of damage are established. According to the results of field surveys, it was found that about 10% of the furnaces are operated with damage in the form of significant curvature of the supporting structures that developed as a result of the explosion of the gas-air mixture and the technological product inside the furnace space. The aim of the work is to analyze the damage and assess the impact of damage on the operation of the supporting structures of furnaces. Methods. The main research results were obtained by static numerical analysis of spatial models of furnace frameworks in the LIRA-SAPR software package. This complex belongs to the class of software products that implement the finite element method. Results. According to the results of calculating a series of models of structures, the effect of damage on the operation of the supporting structures of the furnace is determined. Based on the analysis of calculation data for models of tube furnaces with damage and comparison of calculation results for furnace models with structural damage identified during the survey, ways to optimize the design decisions of an industrial furnace are determined. Studies have shown the need to improve the design of tube furnaces in the direction of improving technology and improving the structural form of the supporting frame of the furnace.
-
![Rupali J Limaye]()
Operator response to alarms is important layers of protection (LOP). When implemented with good design, engineering and maintenance practices, an alarm can help reduce the safety integrity level (SIL) of a safety instrumented function (SIF).
- Andrew Hawryluk
Although most furnace incidents occur at light-off, it is also possible to create hazardous gas mixtures in an operating furnace. Fuel-rich combustion produces hot flue gases with residual combustibles that can burn or explode if mixed with fresh air too quickly. This is most likely to occur when a furnace transitions suddenly from rich combustion to lean combustion. This paper describes the composition and behaviour of fuel-rich flue gases, as predicted by chemical equilibrium calculations. For furnaces that burn methane and hydrogen, it was found that above 700C all unburned methane will be reduced to hydrogen and carbon monoxide. The relative hazard of the flue gases was estimated based on the amount of chemical energy that they can release as mechanical energy. Finally, a methodology was found to determine a safe rate of transition from rich combustion to lean combustion.
-
![William Garlen Bridges]()
LOPA has been implemented throughout major capital projects, on existing facility PHAs, and in PHA revalidations and management of change risk reviews. This paper discusses lessons learned for implementing LOPA in each phase of a process lifecycle and outlines some of the ways to optimize the use of LOPA. The paper describes how implementation of standards for IPLs and initiating event maintenance is necessary in each company. The paper also covers consolidation of SIL evaluation into the related PHA and LOPA at each life cycle phase. Special emphasis is given to optimizing the application of LOPA and SIL evaluation through the various phases of a major capital project.
- Gerald D. Davis
On August 1, 1985, an accident occurred at Triad Chemical damaging portions of the primary reformer. The accident was caused by ignition of natural gas pockets which entered the system during attempts to light an auxiliary boiler burner. The article reviews the cause of the accident, the resulting damage, the required repair, and the modifications made to prevent a recurrence.
- W. S. Lee
- Doris Lloyd Grosh
- Frank A. Tillman
- Chang Hoon Lie
This paper reviews and classifies fault-tree analysis methods developed since 1960 for system safety and reliability. Fault-tree analysis is a useful analytic tool for the reliability and safety of complex systems. The literature on fault-tree analysis is, for the most part, scattered through conference proceedings and company reports. We have classified the literature according to system definition, fault-tree construction, qualitative evaluation, quantitative evaluation, and available computer codes for fault-tree analysis.
Recommended Practice for Fluid Heaters
NFPA 87; "Recommended Practice for Fluid Heaters"; 2015.
Functional safety of programmable safety-related systems
IEC 61508-1; "Functional safety of programmable safety-related systems; Part 1: General requirements", 1st ed.; 1998, 2nd ed.; 2010.
Functional safety -Safety instrumented systems for the process industry sector -Part 1: Framework, definitions, system, hardware and application programming requirements
IEC 61511-1; "Functional safety -Safety instrumented systems for the process industry sector -Part 1: Framework, definitions, system, hardware and application programming requirements", 1st ed.; 2003; 2nd ed.; 2016.
Explosion hazards and evaluation
- W E Baker
- P A Cox
- J J Kulesz
- R A Strehlow
- P S Westine
W.E. Baker, P.A. Cox, J.J. Kulesz, R.A. Strehlow, P.S. Westine; "Explosion hazards and evaluation"; Elsevier; 2012.
Posted by: estebanestebangroenendyke0272185.blogspot.com
Source: https://www.researchgate.net/publication/319916714_Fired_equipment_safety_in_the_oil_gas_industry_A_review_of_changes_in_practices_over_the_last_50_years
