Paper 295177

AIChE Paper Number: 136b
ETHYLENE CRACKING FURNACE BURNER MANAGEMENT

PRACTICES WITHIN U.S. PRODUCERS

Frank E. Irving
Manufacturing Technical Principal Engineer
DuPont Packaging & Industrial Polymers

Prepared for Presentation at the 2013 Spring National Meeting
San Antonio, Texas, April 28 May 2, 2013

AIChE and EPC shall not be responsible for statements or opinions contained in
papers or printed in its publications

AIChE Paper Number: 136b

ETHYLENE CRACKING FURNACE BURNER MANAGEMENT
PRACTICES WITHIN U.S. PRODUCERS
Frank E. Irving
Manufacturing Principal Technical Engineer
DuPont Packaging & Industrial Polymers

A summary of the current working practices and approaches to hazardous event
management of the cracking heaters of several US based ethylene producers will
be presented. The practices and approaches will be discussed in the context of a
safety requirement specification document as it is defined by the standard
ANSI/ISA 84.00.01 (IEC61511 mod.). The ISA standard has been recognized by
OSHA as RAGAGEP in the U.S. for safety instrumented function life cycle
management. The safety requirement specification format frames the
engineering controls of the hazards relative to the applicable Codes, individual
company standards and practices, and RAGAGEP.

Practices and approaches to allocating the layers of protection and establishing
Safety Integrity Level (SIL) of safety instrumented function applications will also
be detailed. Other elements of the safety instrumented system life cycle
covering maintenance and safety instrumented function testing considerations of
the burner management systems will also be addressed.

Ethylene furnace burner safety management practices vary among U.S. ethylene
producers. Different hazardous events and event consequences are generated
by the variations in ethylene cracking furnace process designs. Most ethylene
cracking furnaces have large numbers of burners with different orientations and
special process heater considerations that require unique burner management
safety systems. Subtle design and maintenance considerations can have
enormous impact on the heater safety, recovery from upsets, and overall
performance.

Contributors
This paper has been made possible by the sharing of burner management safety
practices and approaches of six contributing multi-national ethylene producers in
the United States (U.S.). Several of the contributing companies requested to not
be specifically identified, so all contributors will remain anonymous.
Summary of Findings
Process hazard safety studies often lead ethylene producers to pursue burner
management system safety instrumented function for the process heaters. Six
different heater configurations covering heater installations that are newly
constructed to installations that are over 40 years old are described. The safety
instrumented function approaches and practices to implement the hazards
analysis required protection applications for each configuration are detailed in
the six appendixes of this paper. In the U.S. the NFPA 86 2011 (1) and API RP
556 1997 (2) standards provide a framework for hazardous event protection for
the ethylene heaters.

The process hazards analysis process allocates layers of protection to prevent
and mitigate hazardous events. At a high level, the heater flame supervision SIF
and operation practice configurations generally fall into 3 groups:
1. Older heater installations built with only wall fired burners utilize fully
attended burner systems with qualified operators present at all times
to provide manual burner system monitoring and combustion chamber
high LEL SIF trips to satisfy flame proven monitoring requirements
during the operating window where the combustion chamber
temperature is < 1400 F.
2. Newer heater systems with floor fire burners that can elevate the
combustion chamber to > 1400 F utilize flame scanner systems to
satisfy flame proven monitoring requirements and have remotely
supervised burner systems.
3. Heater systems that utilize secondary staged fuel or wall burners with
the primary flame scanner monitored floor burners utilize combustion
chamber temperature > 1400 F to satisfy flame monitoring
requirements for secondary burner permissives.

The list below captures examples of some of the most robust and interesting
safety instrumented function approach examples from the six appendix listings:

1. Safe to start checks (isolation of fuels, purge, combustion system)
Pre-start permissives that verify ID fan status, ID fan speed, ID fan
current, damper position, ID fan d/p, fire box d/p, fuel isolation
proven, process feed isolation proven, steam drum level, no safety

instrumented function bypasses engaged, all process variables good
quality
Automated fuel system pressure test for primary and secondary burner
systems fuel system pressurized with fuel using small fuel control
valve, pressure maintained with time
Automated steam educator system for purging of natural draft fire box
Purge time completed for 5 or more minimum air exchanges
Fire box high LEL 1o2 trip function enabled at end of purge cycle
Proof of no flame in fire box & flame scanners OK
2. Ignition trial period (supervised or remote ignition, proof of flame)
Supervised local pilot ignition of maintained pilots with automated 15
second trial time
Flame supervision by flame scanners
Automated remote ignition of main burners
Automated remote ignition of staged burners
3. Combustion safeguards (master fuel trip, staged trip)
Master fuel trip integrated into safety system
No combustibles in fire box when temperature < 1400 F
Loss of combustion air (motor current, blower wheel speed, blower
d/p, fire box d/p)
Fuel pressure not high or low (applies to all fuel headers)
Staged trip where 1
st
level of trip sets system to low fire
Staged trip where 2
nd
level of trip is a total fuel trip
Staged trip where wall burners remain active in many cases as long as
fire box temperature is > 1400 F (SIF not linked solely to floor burner
states)
Staged trip of main burners where pilots remain lit in many cases
4. Flame supervision bypass above 1400 F (re-ignition after miss-fire)
Temperature > 1400 F automated bypass of combustion chamber LEL
1o2 trip
Temperature > 1400 F automated bypass of flame scanners
Temperature > 1400 F permits secondary burners (burner without
flame scanners)
5. Process Specific protection (unique to ethylene heaters)
High tube pressure protection trip
High tube temperature trip
Low process flow trip
Low steam flow trip
6. De-coke mode (permissive & protection)
Double block effluent valves with proof of position
Effluent block valve inter-chamber pressure proven permissive
Feed valve isolation proof of position
Air valve position proven
7. Steam generation specific (steam drum levels, pressure, super heat temp)

2 of 3 level transmitters for low level SIF
Low and Low-Low SIF actions that implement staged trip of heater
where first SIF is to low fire position for main burners and second
action implements a master fuel trip.
High super heat tube temperature SIF
High quench system temperature SIF
8. Manual emergency shutdown & isolation system requirements
Emergency shutdown system with hardwired trip action in master
fuel trip circuits
Emergency shutdown systems integrated with SIS system functions
Multiple levels of emergency shutdown system actions
1. Emergency trip action isolates all fuels from burners and pilots and
feeds
2. Emergency trip action that isolates burner fuel and feeds, but pilots
are maintained
9. Special Requirements
Standard SIL 3 capable SIS (in general SIFs are SIL 1 or 2)
High reliability (minimal SIFs with single vote to trip)
In line fuel isolation valve leak testing annually
Valve proof of position switches
Certification of PHA Leaders, LOPA Leaders, Safety Engineers
End to end testing of SIF actions annually
Ability to fully test & repair sensors while Unit in operation
Investigation of every actual SIF trip to confirm validation of function

Process Hazards Assessment
Process hazards analysis (PHA) studies commonly identify hazardous events
associated with ethylene cracking furnaces. The application of CFR 1910.119
Process safety management of highly hazardous chemicals (3) directs all highly
hazardous facility operators such as ethylene producers to define and manage
process hazards. PHA studies are conducted to define the hazardous events and
complete the risk assessment of the process using each companys internal risk
management criteria. The PHA will then allocate risk management to safety
function protection layers such as relief systems and safety instrumented
functions (SIF). The results of the safety management process will often lead
ethylene producers to pursue burner management system SIFs for the ethylene
process heaters.
U.S. Applicable Codes / Standards / RAGAGEP
The governing standard and code for SIFs in the U.S. is the ANSI/ISA 84.00.01
(IEC61511 mod.) (4) which was recognized by OSHA as generally accepted good
engineering practice (RAGAGEP) in 2004. Most countries in the world have
adopted IEC 61511 a national standard. Many multi-national companies have

incorporated the IEC 61511 standard into their internal compliance standards
and practices. This standard is a broad document that covers the entire life
cycle of SIFs, from conception in the PHA process to the final retirement of the
application. The standard is complex and requires significant interpretation.
This standard details the requirements to demonstrate and maintain the safety
performance of instrumented function applications. The performance level and
architecture for an application to be credibly classified as a SIF is specifically
addressed. The performance levels are further broken into 3 Safety Integrity
Level (SIL) groups. The higher the SIL value the more reliable the application.
In Table 1 (below) shows the SIL value with the range of probability of failure on
demand (PFD) for SIFs in that level and the risk reduction factor (RRF) (1/PFD)
that is provided.

Table 1 ANSI/ISA 84.00.01 (IEC61511 mod.) SIL Summary
SIL Safety Availability PFD RRF
3 >99.9 - 99.99% <.001 - .0001 >1,000 - 10,000
2 >99 - 99.9% <.01 - .001 >100 - 1,000
1 >90 99% <.1 - .01 >10 100

As the PHA function allocates the risk mitigation across the layers of protection,
the risk reduction performance of the SIF can be translated into the SIL
requirement. This target SIL is used to design and maintain the SIF.
Guidance from United States National Codes and Standards
A number of codes and recommended practices have been written to cover the
ethylene cracking furnaces, but no single standard appears to be recognized
across the US ethylene industry as being required or governing or as defining
recognized RAGAGEP. This is best demonstrated by the very selective company
participation in the national standard committees.

A well-known and broadly followed burner management standard in the US is the
NFPA 85 Boiler and Combustion Systems Hazard Code 2011 (5). This
prescriptive standard provides extensive design and performance requirements
for BMS systems and also covers maintenance practices. The standard has

broad industry participation on the committee but in section 1.1.3 this standard
specifically excludes process heaters used in chemical and petrochemical
manufacture.

Combustion systems for ethylene cracking furnaces are covered by the NFPA
86 Standard for Ovens and Furnaces 2011. This standard has limited industry
participation on the committee but some companies have adopted this standard
as a requirement. It provides extensive details and prescriptive controls for the
unique needs of the cracking furnaces. The administrative section 1.1.7 of the
standard provides exclusion for compliance that states the NFPA 86 standard
shall not apply to fired heaters in petrochemical facilities that are designed and
installed in accordance with:
API STD 560 Fired Heaters for General Refinery Service 2007 (6)
API RP 556 Instrumentation and Control Systems for Fired Heaters and
Steam Generators 1997
API RP 2001 Fire Protection in Refineries May 2005. (7)

The three referenced API standards in total follow closely with NFPA 86. STD
560 is a general standard that covers a broad range of process heaters used in
petrochemical facilities. The API RP 556 1997 covers instrumentation, controls,
alarms, and protective systems as they apply to fired heater systems such as
ethylene cracking furnaces. The API RP 2001 Fire Protection in Refineries details
practices for fired equipment such as BMS (specifically refers back to NFPA 85)
and covers emergency isolation systems.

The API RP 556 1997 version standard provides a list of prescriptive shall and
should BMS practices and relates the practices to the hazardous events.
Emphasis is given to protections for the purge cycle, flame stability, and loss of
flame. The API RP 556 1997 also refers the user back to the referenced industry
standards (NFPA) for more information. Specific guidance is provided for the
features and performance requirements of pilot and fuel safety shut off valves.
Table 2 below summarizes the 1997 guidance for a gas fired heater system.

Table 2 API RP 556 1997 Summary
EVENT PILOT
SHUTDOWN
FUEL SAFETY VALVE
SHUTDOWN
API RP 556
SECTION
Manual Trip Yes Yes 3.9.2
Low Pilot
Fuel Press
Yes 3.9.5
Low Burner
Fuel Press
Yes 3.9.3
High Burner
Fuel Press
Yes 3.9.4
Loss of
Flame
Yes Yes 3.9.8
Partial Loss
of Flame
Polling Logic allows
continued conditional
operation
Polling Logic allows continued
conditional operation
3.9.8
High box
Press
Yes Yes 3.9.12
Low Feed
Flow
Yes 3.9.15
Loss of ID
Fan
Yes Yes 3.9.18
Low Air Flow Yes Yes 3.9.19

The API RP 556 standard was extensively revised in 2011 (8) and now states in
section 1.1.3 that the API RP 556 2011 does not cover pyrolysis furnaces such as
ethylene reformers. With this change in the API RP 556 2011 standard,
practitioners are brought full circle back to NFPA 86 2011 as the guiding
document.

The design and implementation of a BMS system for an ethylene cracking
furnace is a significant engineering and capital commitment. To insure a
complete design is produced the following codes and standards can be
referenced for additional prescriptive guidance and recommended practices:
FM 7605 is working Standard for programmable logic controls of BMS (9)
ISA-TR84.00.05-2009 Guidance for the Identification of Safety Instrumented
Functions (SIF) in Burner Management Systems (BMS), Approved 10
December 2009 (10)

Translating the PHAs & Standards & Codes into Action
The life cycle model of the ANSI/ISA 84.00.01 (IEC61511 mod.) standard Table 3
(below) defines the steps that are implemented in the SIS Safety Life Cycle.

Table 3
SIS Safety Life-Cycle - ANSI/ISA 84.00.01 2004 Part 1 (IEC61511 Mod)

Once a SIF action has been assigned by a hazards assessment and a target SIL
level established in the allocation of safety functions, the next step is detailed in
clause 10.3 of the ANSI/ISA 84.00.01 (IEC61511 mod.). The SIF life cycle
directs that a safety requirements specification (SRS) for the safety instrumented
functions be developed. Some companies document the SRS in multiple
documents such as drawings, standards, and procedures. Other companies
compile and issue a single SRS document. In either format, the SRS serves as
the primary design basis and performance document for the SIFs in the safety
instrumented system (SIS). It becomes a one-stop-shop for all SIS design

Design and
development of other
means of risk
reduction
Hazard and risk
assessment
Management
of functional
safety and
functional
safety
assessment
and auditing
Safety
life-cycle
structure
and
planning
Design and engineering of
safety instrumented
system
4
Installation,
commissioning, and
validation
5
Operation and
maintenance 6
Modification
7
Verification
Decommissioning
8
Safety requirements
specification for the
safety instrumented
system
Allocation of
safety functions to
protection layers
2
10
9
11
1
3
4a

details, for testing procedure development, and for the operating and recovery
procedures.

It is very challenging for PHAs to fully develop all of the hazardous event cases
and routes that can lead to the particular catastrophic events that are required to
be addressed by each companies risk management criteria. PHAs will also differ
in the methodology to allocate protection across the protection layers including
the SIFs. So this means each company has different reference PHA for the
ethylene cracking heaters that are structured in accordance with specific
standards and practices required by the respective corporation.

To compare practices across a more universal bench mark, the NFPA 86
standard has been used in this report. This standard provides a broad summary
of the concepts and elements needed in a BMS for the ethylene cracking
furnaces. It is a prescriptive standard, similar in organization and requirements
to the familiar NFPA 85. Section 8 of the NFPA 86 document makes
references to safety interlocks but this terminology does not conform
completely with the SIF definitions and structures that are detailed in the
ANSI/ISA 84.00.01 (IEC61511 mod) standard and supporting documents. The
hazard framework considerations detailed in chapter 8 of the NFPA 86
standard cover:
1. Safe to start checks
a. Isolation of Fuels (including secondary fuels) & Pre-light permissive
b. Purge & Proof of Purge of radiant box and convection section
c. Combustion air flow adequacy / loss if ID fan / high fire box
pressure / damper position
d. Fuel and / or pilot fuel pressure not high or low
e. Instrument air pressure
f. Valve proving systems (isolation position indication, low fire
position)
2. Ignition trial period
a. Low fire position for main burner
b. Igniter / Pilot trail (safe)
c. Flame supervision (proof of flame)
d. Ignition sequencing of burners (floor and/or wall)
3. Combustion safeguards
a. Master fuel trip considerations
b. ID fan status and/or combustion air flow
c. Assurance of stable flame (fuel high or low pressure)
d. Prevent re-ignition after miss fire
e. Fuel rich (burner fuel/air ratio or heater tube process leak)
f. Staged trip (concept)
4. Flame supervision bypass above 1400 F (760 C)

a. Re-ignition after miss-fire with chamber & surfaces less than auto
ignition temperature
b. Re-ignition after miss-fire with chamber & surfaces above the auto
ignition temperature
5. Process Specific protection
a. Excess temperature protection such as high tube temperature or
low flow
b. Heater tube steam flow
c. Heater tube over pressure
6. De-coke mode
a. Permissive & protection
7. Steam generation specific
a. Steam drum level &/or fired tube steam generators
b. Steam drum pressure not high
c. Steam super heat high temperature
d. Quench system high temperature
8. Manual emergency shutdown & isolation system requirements
a. Emergency and remote shutdown configured in SIS
b. Emergency and remote shutdown configured in hardwired master
fuel trip system
9. Special requirements for hardwired SIFs
a. Dual final devices
b. Master fuel trip logic string
10. Special requirements for safety PLCs (SIL 2 minimum SIS & certain
transmitters)
11. Safety shut off valve requirements
a. Double block and bleed
b. External position indication
c. Leakage testing and valve cycle rate accounting
ANSI/ISA 84.00.01 Elements of a Safety Requirements Specification
The elements of the SRS are broken down in a 27 item list in the ANSI/ISA
standard section 10.3.1. To give a presentation of considerations that is
generally applicable across ethylene producers, some of the SRS elements have
been omitted and others have been combined into the following 12 point
summary:
1) Describe SIFs necessary to achieve target risk criteria including target SIL and
requirements for proof interval testing
2) Define safe state for each SIF
3) Define safe process states and states that if concurrent can lead to a
separate hazard
4) Assumed sources of trip & rate on SIFs (demand or continuous)
5) SIF process measurements and trip values

6) SIF actions and criteria (e.g. shut off class, speed) such as response time
requirement to bring process to a safe state
7) Manual SD requirement
8) Energize to trip or fail safe? Energize to trip or de-energize to trip
requirements
9) Reset considerations including requirements for startup and restart of SIS
10) Define modes of Operation for Plant & SIFs for each mode and requirements
for overrides, inhibits, bypasses
11) Identify & define special Unit mode of operation SIF such as for startup,
standby, shut down
12) Identify & define special functions or performance in event of a major event
Qualification of Engineers / Operators / Maintenance
Another area that is important to the Unit safe operation is that of personnel
training and qualification. This topic is covered extensively in the ISA and NFPA
standards:
1. PHA process or other methodology to establish target SIL
2. Operator training (emergency response, safe operation, recovery from SIF
action)
3. Engineering training or certification requirements (e.g. internal company
training, ISA84 Certificate or CFSE certified, LOPA, PHA, etc.)
4. Maintenance training or certification requirements (e.g. internal company,
2 year IT program, ISA certificate, etc.)
Considerations for Long Testing Intervals
Some producers have special considerations for long testing intervals of the BMS
application. These may include:
1. Using actual process trips as proof of function
2. How is testing done & managed in the organization
3. How to manage test records of actual, partial and segment tests, and full
tests
4. Design considerations for high reliability and long testing intervals (such
as no single vote to trip, high reliability instrumentation, partial stroke
testing)
5. Design considerations for long testing intervals (support of online testing,
segmented testing)
6. Considerations for energize to trip devices (MOVs)

Contributing Company Practices
The practices and approaches of the contributing companies are summarized in
attached Appendixes 1 thru 6. The appendixes do not associate practices to any
specific company. The 12 point SRS summary format is used and the SIFs are
organized in the hazard framework used in NFPA 86. Additional information
that summarizes the practices and approaches of the contributing companies

with respect to training and qualification of personnel and in the other
considerations is provided at the end of each appendix.

Attachments -
Appendix 1 - Practices and Approaches Company A - Ethylene induced draft
cracking furnace system consisting of main floor burners & wall burners
Appendix 2 - Practices and Approaches Company B - Ethylene natural draft
cracking furnace system with floor burners
Appendix 3 - Practices and Approaches Company C - Ethylene induced draft
cracking furnace system consisting of multiple piloted main floor burners &
staged fuel floor burners & wall burners
Appendix 4 - Practices and Approaches Company D - Ethylene induced draft
cracking furnace system consisting of 156 wall burners
Appendix 5 - Practices and Approaches Company E - Ethylene induced draft
cracking furnace system consisting of fully automated multiple piloted main
staged fuel floor burners and manually lit wall burners
Appendix 6 - Practices and Approaches Company F - Ethylene furnace with
multiple bottom burners and multiple upper level burners, ID fan for draft

References:

1) NFPA 86 Standard for Ovens and Furnaces 2011
2) API RP 556 Instrumentation and Control Systems for Fired Heaters and
Steam Generators 1997
3) CFR 1910.119 Process Safety Management of Highly Hazardous
Chemicals
4) ANSI/ISA 84.00.01 (IEC61511 mod.)
5) NFPA 85 Boiler and Combustion Systems Hazard Code 2011
6) API STD 560 Fired Heaters for General Refinery Service, 2007
7) API RP 2001 Fire Protection in Refineries May 2005
8) API RP 556 Instrumentation, Control, and Protective Systems for Gas
Fired Heaters, Second Edition, April 2011
9) FM 7605 is working Standard for programmable logic controls of BMS
10) ISA-TR84.00.05-2009 Guidance for the Identification of Safety
Instrumented Functions (SIF) in Burner Management Systems (BMS),
Approved 10 December 2009

Appendix 1 - Practices and Approaches Company A - Ethylene
induced draft cracking furnace system consisting of main floor burners
& wall burners
1. Safe to start checks - cold fire box
start up
a. Isolation of Fuels (including feed & secondary fuels) & Pre-light
permissive permissive for start of purge
1) SIFs necessary to achieve target risk
criteria including target SIL and requirements
for proof interval testing
Permissive where all process feeds & fuels isolated from the fire box &
start-up is in progress - SIL 1 - 12 month test frequency
2) Define safe state for each SI all valves at SIF action positions
3) Define safe process states & states that
if concurrent can lead to a separate hazard
all process feeds & fuels isolated from the fire box & start-up is in
progress
4) Assumed sources of trip & rate on SIFs
(demand or continuous)
demand - caused by the system being taken down on purpose
5) SIF process measurements and trip values List of permissive states that are checked -
closed position switches on fuel safety shutoff valves (main fuel header
isolation valve, main fuel header fuel vent valve, each automated burner
fuel header isolation valve)
low fire position switches on fuel flow valves
closed position switches on feed valves
no flame indicated by scanners
temperature transmitters (box) where proof of furnace temp < 1400 F
(760 C), 2o3 voting
pressure transmitter (instrument air & fuel & pilot & box pressure)
main burner fuel pressure not low, switch downstream of 1st safety shut
off valve, SIF enabled after safety valves are open with delay
pilot fuel pressure not low, pressure switch located before pilot safety
shut off solenoid valves
main burner fuel pressure not high, pressure switch downstream of
safety valves and before the flow valve
pilot pressure not high, pressure switch located after pilot shut off valves
& regulator
relay contact logic status
pressure switches (pilot fuel gas not high or low pressure)
6) SIF actions and criteria (e.g. shut off
class, speed) such as response time
fuel isolation valves are closed - Class IV shutoff - position switches /
contacts provided with the valve
open on all fuel vent valves - position switches / contacts provided with
the valve
floor fuel valves at low fire position - position switch on the valve
proof of closure of all feed valves - position switch on the valve
proof of no flame from flame scanners
proof of furnace temp < 1400 F (760 C), 2o3 voting from 3
transmitters
power to igniters shut off
7) Manual SD requirement N/A
8) Energize to trip or fail safe? Energize to
trip or de-energize to trip requirements
fail safe
9) Reset considerations including
requirements for startup and restart of SIS
proof of position feedback from feed & fuel isolation valves
10)Define modes of Operation for Plant &
SIFs for each mode and requirements for
overrides, inhibits, bypasses
normal mode for this state is no flames in fire box, temp < 1400 F
(760 C), Operations is making preparations to ignite a burner system
11)Identify & define special Unit mode of
operation SIF such as for startup, standby,
shut down
this is the 1st action in the start-up sequence
12)Identify & define special functions or
performance in event of a major event
this is the system safe state position

1. Safe to start checks when fire box is
< 1400 F (760 C)
b. Purge & Proof of Purge of radiant box and convection section -
permissive for start of ignition steps
Permissive where Operator starts purge cycle. Purge conditions
maintained for 10 minutes & permissive for start of purge are
maintained for entire purge cycle & up to time of 1st pilot ignition - SIL 1
- 12 month test frequency
2) Define safe state for each SI all valves at SIF master fuel trip action positions -
ID fan running
VFD ID fan speed at minimum
dampers confirmed open
air flow adequate in fire box
purge time satisfied - time for 5 volumes of air turnover in fire box
progress
demand - caused by Operator request
5) SIF process measurements and trip values all valve positions for fuel & feed at step 1a position for entire purge
cycle
starter contact & VFD speed
2o3 pressure transmitters
flow transmitter
logic timer started by operator request for purge
purge requested by Operator
permissive for start of purge are maintained
ID fan running minimum speed
fire box pressure not high
air flow not low
purge time satisfied
fail safe
proof of position feedback from feed & fuel isolation valves & Operator
request to purge
Operator starts purge cycle, if any condition is not achieved purge is
stopped.
shut down
this is the 2nd action in the start-up sequence
system is in safe state position with ID fan running

2. Ignition trial period ignition of
pilots when fire box temperature is
< 1400 F (760 C)
a. remote unattended ignition trial with no flame proven requires purge
to perform ignition trial - 1st pilot & burner can be lit following:
1. operator requests pilot ignition
2. pilot ignition with maintained flame is proven
3. operator then requests associated main burner to be lit
4. floor burner ignition with pilot maintained is proven
Operator initiated step after purge, ID fan at minimum speed. All purge
cycle permissive must be maintained and flame must be proven in
allowed time or re-purge is required - SIL 1 - 12 month test frequency
2) Define safe state for each SI if ignition of the 1st burner is not proven in trial period then the furnace
must be run thru the purge cycle again
all process feeds & fuels isolated from the fire box
igniter problems demand
5) SIF process measurements and trip values loss of purge complete or no flame proven in ignition trial period
logic condition
logic condition & relay contact
position switches
logic timer
flame scanners
ignition of pilot is requested by Operator
purge complete
low fire position switches for main floor burners
ignition of pilot requested (10 second time for flame proven)
ignition of floor burner follows after pilot proven by Operator request for
ignition
7) Manual SD requirement yes - manual SD will shut down all burners & pilots
fail safe
proof of purge maintained & Operator request to ignite
Operator starts ignition cycle, if condition is not achieved system restart
is required
shut down
this is the 3rd action in the start-up sequence
this burner returns to not purged status

main floor burners when fire box
temperature is < 1400 F (760 C)
b. remote unattended ignition of next floor burners - 2nd and
subsequent floor pilot & burner ignition
1. operator requests pilot ignition
2. pilot ignition with maintained flame is proven
3. operator then requests associated main burner to be lit
4. floor burner ignition with pilot maintained is proven
Operator initiated step after purge, ID fan typically minimum speed.
Flame must be proven in allowed time or restart this burner is required -
SIL 1 - 12 month test frequency
2) Define safe state for each SI if ignition of the next burner is not proven in trial period then the next
ignition is delayed by 1 minute to allow a partial furnace purge
fuel for this burner proven isolated
5) SIF process measurements and trip values no flame proven in ignition trial period
flame scanners & logic condition
position switches
flam scanner
no flame proven in ignition trial period
remote unattended ignition of pilot is requested by Operator
at least 1 floor burner flame proven (proven flame permits 1 minute
partial furnace purge timer for subsequent burner misfires events)
low fire position switch for main floor burner
fail safe
proof of purge maintained & Operator request to ignite after 1 minute
wait period
is required
shut down
this is the 4th action in the start-up sequence

3. Combustion safeguards a. General safe guards
master total fuel trip is triggered by -
Emergency shut down
low ID fan current / fan not running
low ID fan flow characterized flow
high combustion chamber pressure
polling logic for loss of flame in 2 or more adjacent burners with temp
<1400 F (760 C)
low instrument air pressure
2) Define safe state for each SI all process feeds isolated from the fire box & fuel isolated from floor &
wall burners
master fuel trip - where
main floor burner fuel valves (main header shut off valve & individual
burner shut off valves) - closed - Class IV shut off
main floor burner fuel vent valves - open
floor pilot fuel valves - closed
main wall burner fuel isolation valves - closed - Class IV shut off
main wall burner fuel vent valves - open
coil feed inlet valves - closed
coil steam flow valves - at set point
fire box air ID fan - minimum speed
power or utility upset demand
5) SIF process measurements and trip values air flow characterization from blower speed
ID fan starter contacts
ID fan current
2o3 chamber pressure transmitters
flame scanners
2o3 for temperature meters
instrument air pressure transmitter
fail safe
restore stable flame system conditions - fan &/or temperatures &/or fire
box pressure &/or fuel system supply pressure - activate reset
master fuel trip conditions
shut down
shutdown mode
ID fan will continue to run to remove latent heat in fire box

3. Combustion safeguards b. Assurance of stable flame (fuel high or low pressure)
low main burner fuel pressure
high main burner fuel pressure
low floor burner pilot gas pressure
high floor burner pilot fuel pressure
low wall burner fuel gas pressure
high wall burner fuel gas pressure
wall burners
fuel utility upset demand
5) SIF process measurements and trip values main burner fuel pressure not low, switch downstream of 1st safety shut
& regulator
fail safe
restore fuel supply - activate reset
master fuel trip
shut down
shutdown mode

4. Flame supervision bypass above
1400 F (760 C) & wall burner
enable
a. flame supervision bypass above 1400 F (760 C) wall burner enable
SIF action will bypass only the flame supervision system for all burners
when combustion chamber temperature is at or above 1400 F (760 C)
2) Define safe state for each SI N/A
N/A
N/A
5) SIF process measurements and trip values 2o3 temperature transmitters
transmitters have upscale burn out
fail safe
SIF action will automatically restore flame supervision when temperature
is below 1400 F (760 C)
flame scanners will continue to indicate and will become part of master
fuel trip below 1400 F (760 C)
shut down
start-up mode

1400 F (760 C)
b. Wall burner permit above 1400 F (760 C)
wall burner fuel isolation valves when requested by Operator
floor burner flame scanner bypass / seal in
2) Define safe state for each SI all process feeds isolated from the fire box & fuel isolated from wall
burners
Master fuel trip position for wall burner fuel system will fail off during a
control power upset
N/A
5) SIF process measurements and trip values List of permissives for reset of the wall burner isolation valves
Main floor burners not tripped
temperature transmitters (box) where proof of furnace temp > 1400 F
(760 C), 2o3 voting with transmitter down scale burn out
reset of the wall burner fuel isolation valves is requested by Operator
fail safe
SIF action will permit Operator to request wall burner fuel gas when
combustion chamber temperature is 1400 F (760 C)
wall burner fuel must be requested by the Operator during the heater
system start-up
shut down
start-up mode
during a major upset that caused the fire box temperature to drop, the
wall burner system would be automatically removed from operation by
isolating the fuel system

5. Process specific protection Steam standby trip
low hydrocarbon feed flow
high fire box pressure
burners & floor burners at low fire position
main wall burner fuel isolation valves closed
floor burners to min fire position
major Unit upset or extremely high wind event - demand
5) SIF process measurements and trip values feed flow meter
2o3 pressure transmitters (fire box pressure)
fail safe
restore feed & pressure - activate reset
Feed & pressure upsets are only allowed with all fuels tripped
shut down
standby mode
low fire with ID fan running to allow for system restoration or cooling
down

6. Decoke Mode - permissive Steam standby trip
permissive to start decoke mode are defined, low process feed flow SIF
is bypassed during decoke mode, all other BMS SIFs are in service
2) Define safe state for each SI process feed proven isolated from the fire box & heater effluent valve
proven isolated from quench system
Steam standby mode for heater -
decoke demand - 6 times per year - this is a permissive so demand rate
is N/A if procedures are followed for establishing decoke mode
5) SIF process measurements and trip values decoke selector switch in decoke mode position
process feed valve closed position switch
effluent valve closed position switch
if decoke procedure and permissive are not established, low process flow
SIF will activate, de-energize to trip - fail safe
establish permissive - follow decoke procedure
standby mode will put the Unit in a safe mode to move to decoke
shut down
decoke mode
down

(concerning steam drum levels &/or
fired tube steam generators)
a. low steam drum level (2o3) or high superheat steam temperature
(2o3) or high steam drum pressure (2o3)
Steam standby trip
major upset of steam header or upset in BFW - demand
5) SIF process measurements and trip values 3 independent level meters (steam drum level)
3 independent pressure meters (steam drum pressure)
3 independent temperature meters (superheated steam)
de-energize to trip - fail safe
restore level & temperature & pressure control of the system - activate
reset
level and pressure upsets are only allowed with all fuels tripped
shut down
standby mode
down

b. low low steam drum level (2o3)
master fuel trip
wall burners
de-energized - device will be in the interlock position - dual safety rated
relays, master fuel trip circuit
5) SIF process measurements and trip values 3 independent level meters 2o3 voting
restore level & boiler feed water supply - activate reset
level upsets are only allowed with all fuels tripped
shut down
shutdown mode
down

8. Manual emergency shutdown &
isolation system requirement
NFPA 86 8.4.5 can be interpreted to require the emergency trip and
isolation logic to be hardwired in the "master fuel trip" logic string,
separate from the SIL rated logic solver
master fuel trip
SIL N/A - 12 month test frequency
wall burners
main floor burner fuel valves - closed - Class IV shutoff
main wall burner fuel isolation valves - closed - Class IV shutoff
fire box air ID fan - 25% speed
manual activation by Operator - demand
5) SIF process measurements and trip values manual activation of the master fuel trip - 1 local activation switch & 1
CCR activation switch
manual activation of the master fuel trip - 1 local activation switch & 1
CCR activation switch - master fuel trip - where
main wall burner fuel isolation valves - closed - Class IV shutoff
manual reset by Operator
manual activation by Operator
shut down
this is an emergency response application - places heater in shutdown
mode
this is an emergency response application

9. Special requirements for hardwired
SIFs
Master fuel trip application per NFPA 85 & NFPA 86
Master fuel trip application per NFPA 85 & NFPA 86 - master fuel trip
de-energized - device will be in the interlock position
N/A
5) SIF process measurements and trip values N/A
N/A
N/A
shut down
N/A
N/A

10. Safety PLCs Prescriptive requirements in NFPA 86
SIS - SIL 2 minimum per NFPA 86
N/A
N/A
N/A
shut down
N/A
N/A

11. Safety shut off valve requirements rated fuel shut off valves - per NFPA 86 & NFAP 85
2) Define safe state for each SIF N/A
N/A
double block and bleed rated valves for floor burner system - Class IV
shut off, 1st block master shut off valve on fuel header, common vent
valve, 2nd burner shut off valve at each burner system
double block and bleed rated valves for wall burner system - Class IV
valve, 2nd master fuel shut off valve. Manual isolation valve at each of
27 burners.
external position indication & position switches on all fuel isolation and
vent valves
all valves with provisions for annual Class IV leakage testing per NFPA 85
N/A
N/A
shut down
N/A
N/A

Company A - Personnel Training and Qualifications
1. PHA process or other methodology to
establish target SIL
SIL is set in the PHA process using LOPA.
LOPA follows internal corporate rule
structure using trained & certified LOPA
leaders.
2. Operator training (emergency response,
safe operation, recovery from SIF action)
Operator training and response
documented in procedures and training
3. Engineering training or certification
requirements (e.g. internal company
training, ISA84 Certificate or CFSE
certified, LOPA, PHA, etc.)
Internal corporate training for SIF design
and maintenance required following
corporate standards. ISA84 or CFSE
supported and paid for by company.
Internal LOPA training and certification
process. Internal PHA training and
certification process
4. Maintenance training or certification
requirements (e.g. internal company, 2
year IT program, ISA certificate, etc.)
New hires require 2 year control technician
degree, annual Site instrument technician
training and testing for SIF testing and
maintenance

Company A - Considerations for Long Testing Intervals
1. Using actual process trips as proof of
function
Not done, systems do not support
transmitter signal analysis and
maintenance to verify trip points are
appropriate except during controlled off
line testing procedure
2. How is testing done & managed in the
organization
Operations schedules and oversees testing,
instrument technicians perform most
testing functions per written procedures
3. How to manage test records of actual,
partial and segment tests, and full tests
full testing is normally done, covering
meter sensor thru logic solver and final
element
4. Design considerations for high reliability
and long testing intervals (such as no
single vote to trip, high reliability
instrumentation, partial stroke testing)
SIFs are set at 12 month testing frequency
due to corporate BMS standards and
process fouling
5. Design considerations for long testing
intervals (support of online testing,
segmented testing)
High reliability considerations are used (no
single vote to trip, 2o3 meter voting, in
line valve leakage testing). Segmenting
testing is allowed but not needed. No
partial stroke applications
6. Considerations for energize to trip
devices (MOVs)
no MOVs are used in SIF required actions.
MOVs are used in isolation system, but this
is a manual trip, not a SIF action

Appendix 2 - Practices and Approaches Company B - Ethylene natural
draft cracking furnace system with floor burners
1. Safe to start checks cold fire box
start up
a. Isolation of Fuels (including feed & secondary fuels) & Pre-light
start-up is in progress - SIL 1 - 24 month test frequency
progress
closed position switches on fuel safety shutoff valves (main fuel header
isolation valve, main fuel header fuel vent valve, each automated burner
fuel header isolation valve)
low fire position switches on fuel flow valves
closed position switches on feed valves
no flame indicated by scanners
(760 C), 2o3 voting
pressure transmitter (instrument air & fuel & pilot & box pressure)
main burner fuel pressure not low, switch downstream of 1st safety shut
& regulator
QDLS diode laser analyzer (CO, combustibles, temperature, O2)
proof of closure on all fuel isolation valve position switches - Class IV
shutoff
proof of floor fuel valves at low fire position, position switch on the valve
proof of closure of all feed valves, position switch on the valve
proof of no flame from flame scanner
proof of furnace temp < 1400 F (760 C) using QDLS analyzer
secondary burner header maintains pressure test (assures burner valves
are closed)
fail safe
normal mode for this state is no flames in fire box, temp< 1400 F (760
C), Operations is making preparations to ignite a burner system
shut down
this is the 1st action in the start-up sequence

< 1400 F (760 C)
maintained for required minutes & permissive for start of purge are
- 24 month test frequency
steam educator purge activated
dampers confirmed open
progress
5) SIF process measurements and trip values position switches on fuel & feed valves
educator flow
educator flow
fail safe
request to purge
stopped.
shut down
this is the 2nd action in the start-up sequence
system is in safe state position with educator steam flow

2. Ignition trial period a. ignition trial with no flame proven requires purge to perform ignition
trial remote burner request for Operator safety - 1st burner can be lit
following:
1. Operator remotely requests pilot ignition
2. secondary burner header maintains pressure test (assures burner
valves are closed)
3. pilot ignition with maintained flame proven
4. operator remotely then requests main burner to be lit
5. floor burner ignition with pilot maintained
Operator initiated step after purge. All purge cycle permissive must be
maintained and flame must be proven in allowed time or re-purge is
required - SIL 1 - 24 month test frequency
2) Define safe state for each SI if ignition of the 1st burner is not proven in trial period then the furnace
must be run thru the purge cycle again
5) SIF process measurements and trip values loss of purge complete or no flame proven in ignition trial period
logic condition
logic condition & relay contact
position switches
logic timer
flame scanners
purge complete
low fire position switches for main floor burners
ignition of floor burner follows after pilot proven by Operator request for
ignition
fail safe
proof of purge maintained & Operator request to ignite
is required
shut down

2. Ignition trial period b. ignition of next burners - 2nd and subsequent burner ignition is a
manual step by Operator, permit to open double block for secondary
burner fuel is sealed in by the pilot burner flame scanner and QDLS
analyzers

Operator initiated step after pilot burner is lit. Flame must be proven in
the main pilot burner. Next burners are manually lit and supervised by
the operator - SIL 1 - 24 month test frequency
2) Define safe state for each SI ignition of the next burner is proven by the field Operator. If ignition
fails a 1 minute trial period is procedurally followed by the Operator to
allow a partial furnace purge
closed double block isolation valves for the 2
nd
and subsequent burner
fuel supply
fuel pressure upset demand
5) SIF process measurements and trip values no flame proven in pilot burner with temperature < 1400 F (760 C)
flame scanners & logic condition
position switches
QDLS analyzer
no flame proven in ignition trial period
ignition of next burner is requested by Operator
floor pilot burner flame proven with temperature < 1400 F (760 C)
or temperature > 1400 F (760 C)
fail safe
proof of flame in pilot burner when temperature < 1400 F (760 C) or
when temperature > 1400 F (760 C)
Operator action to ignite after 1 minute wait period
is required
shut down
major event will activate master fuel trip to isolate all fuels and feed
streams to heater

Emergency shut down
loss of flame in pilot burner with temp < 1400 F (760 C)
low instrument air pressure
wall burners
master fuel trip where
main floor burner fuel valves (main header double block & bleed shut off
valves) - closed - Class IV shut off
5) SIF process measurements and trip values fuel pressure transmitter
flame scanners
1o2 QDLS analyzer reading on low temperature with no flame
1o2 QDLS analyzer reading high combustibles
instrument air pressure transmitter
main floor burner fuel valves (main header double block & bleed shut off
valves) - closed - Class IV shut off
fail safe
restore stable flame system conditions - temperatures &/or fire box
pressure &/or fuel system supply pressure - activate reset
master fuel trip
shut down
shutdown mode
streams to heater

low floor burner pilot gas pressure
high floor burner pilot fuel pressure
wall burners
floor burner fuel valves - closed
secondary burner fuel isolation valves - closed
fuel utility upset demand
5) SIF process measurements and trip values Pilot burner fuel pressure not low, switch downstream of 1st safety shut
& regulator
floor pilot burner fuel valves - closed - Class IV shut off
floor pilot fuel valves closed
secondary burner fuel isolation valves - closed - Class IV shut off
fail safe
master fuel trip
shut down
shutdown mode
streams to heater

1400 F (760 C)
flame supervision bypass above 1400 F (760 C)
SIF action will bypass only the flame supervision system for all burners
when combustion chamber temperature is at or above 1400 F (760 C)
N/A
N/A
5) SIF process measurements and trip values 2o2 QDLS analyzer temperature readings
transmitters have down scale burn out
fail safe
SIF action will automatically restore flame supervision when temperature
is below 1400 F (760 C)
shut down
start-up mode

5. Process specific protection - Excess
temperature protection
Steam standby trip
low hydrocarbon feed flow
main wall burner fuel isolation valves - closed
floor burners to min fire
major Unit upset - demand
5) SIF process measurements and trip values feed flow meter
fail safe
restore flow - activate reset
feed upsets are only allowed with all fuels tripped or in steam standby
mode
shut down
standby mode
low fire to allow for system restoration or cooling down

6. Decoke Mode - permissive Steam standby trip
permissive to start decoke mode are defined, low process feed flow SIF
is bypassed during decoke mode, all other BMS SIFs are in service
process feed valve closed position switch
shut down
decoke mode
low fire to allow for system restoration or cooling down

N/A no steam generation hazards exist
2) Define safe state for each SI N/A no steam generation hazards exist
5) SIF process measurements and trip values N/A no steam generation hazards exist
7) Manual SD requirement N/A no steam generation hazards exist
shut down

NFPA has be interpreted to require the emergency trip and isolation logic
to be hardwired in the "master fuel trip" logic string, separate from the
SIS.
master fuel trip
wall burners
manual activation by Operator demand
CCR activation switch - master fuel trip - where
coil feed inlet valves closed
shut down
mode

SIFs
Master fuel trip application per API RP 556 & NFPA 85
Master fuel trip application per API RP 556 - master fuel trip
N/A
N/A
N/A
shut down
N/A
N/A

10. Safety PLCs Prescriptive requirements in API RP 556
SIS - SIL 3 capable logic solver
N/A
SIS SIL 3 capable logic solver
N/A
N/A
shut down
N/A
N/A

11. Safety shut off valve requirements rated fuel shut off valves - per NFPA 86 & NFAP 85
SIS - SIL 3 capable logic solver
N/A
double block and bleed rated valves for floor burner system - Class IV
shut off, 1st block master shut off valve on fuel header, no vent valve,
2nd burner shut off valve at each burner system
vent valves
all valves with provisions for annual Class IV leakage testing per NFPA 85
N/A
N/A
shut down
N/A
N/A

Company B - Personnel Training and Qualifications

SIF design and maintenance required
follow Site standards. LOPA practitioners
are trained and internally certified.
Internal PHA training and certification
process. Safety engineers are ISA84
certified experts.
New hires require 2 year control technician
degree or significant experience.

Company B - Considerations for Long Testing Intervals
function
Not done, systems do not support
transmitter signal analysis and
maintenance to verify trip points are
appropriate except during controlled off
line testing procedure?
organization
Operations schedules and oversees testing,
instrument technicians perform most
testing functions per written procedures.
element. Segmented testing is done
sometimes for involved logic applications.
segmented testing)
High reliability considerations are used, but
some BMS applications have single vote to
trip. Segmenting testing is allowed but
normally not done for BMS. No partial
stroke applications in BMS.
devices (MOVs)

Appendix 3 - Practices and Approaches Company C - Ethylene
induced draft cracking furnace system consisting of multiple piloted
main floor burners & staged fuel floor burners & wall burners
start up
a. check for isolation of fuels (pilot fuel & burner fuel & feed & secondary
fuels) & Pre-light permissive permissive for start of purge
start-up is in progress - SIL 1 - 12 month test frequency or at every
maintenance turnaround that disturbs the system
2) Define safe state for each SIF all valves at SIF master fuel trip action positions
progress, fuel header pressure test logic
closed position switches on main burner fuel valves
open position switch on fuel vent valve
automated fuel header pressure check (fuel cock valve closure & leakage
test for manually activated fuel isolation valves at multiple burners)
main floor staged burner fuel valve closed (valve is opened during
automated fuel header pressure check)
closed position switches on wall burner fuel valves
open position switch on wall burner fuel vent valve
minimum stop position on burner air registers
VFD on ID fan on pressure control & acceptable current load (ID fan may
optionally run at fixed speed, subject to physical limitations)
position switches on feed isolation valves
(760 C), 2o3 voting
pressure transmitters (fuel & pilot & box pressure) with trip limits active
visual proof of no flame
6) SIF actions and / or criteria (e.g. shut off
fuel isolation valves for pilot gas are closed
fuel vent valve for pilot gas is open
all fuel other valves maintained in master fuel tip position -
closure on all fuel isolation valves - Class V shutoff
open on all fuel vent valves
closure of all feed valves
minimum speed stop on ID fan VFD
physical minimum stop on burner registers
fail safe
(760 C) requiring a box purge before burner ignition is allowed,
Operations is making preparations to ignite a burner system
shut down
this is the 1st action in the start-up sequence satisfying the conditions
will allow the purge step to be done when requested

< 1400 F (760 C)
maintained for required time & permissive for start of purge are
- 12 month test frequency or at every maintenance turnaround that
disturbs the system
VFD on ID fan at draft pressure control & acceptable current load
logic condition time for a minimum of 5 volumes of air turnover in fire
box
progress
cycle
valid purge time satisfied
fail safe
request to purge
stopped.
shut down
this is the 2nd action in the start-up sequence at the end of the purge
cycle the pilot gas is permitted to each pilot burner

< 1400 F (760 C)
a. ignition trial with no flame in fire box as monitored by the field
operator after the box has been purged - 1st pilot burner can be lit
following:
1. Operator verifies all pilot fuel isolation valve are closed and executes
the automatic all-burners closed test
2. Operator inspects the pilot for no flame
3. Operator inserts the portable electric igniter into the pilot
4. Operator resets pilot fuel trip, then opens pilot gas valve and
confirms ignition within 15 seconds
5. Operator moves on to next pilot and repeats steps for all other pilots
Operator initiated step after purge & with ID fan on draft pressure
control. All purge cycle permissive must be maintained and pilot fuel gas
pressure must not be high or low - SIL 1 - 12 month test frequency
2) Define safe state for each SI if ignition of the pilot is not visually proven in trial period then the
operator checks the fuel system, re-purges fire box, and attempts
ignition again or tags the burner for maintenance
all process feeds & floor burner fuels isolated from the fire box
5) SIF process measurements and trip values all valve positions for fuel & feed at step 1a position until main fuel is
reset by operator after pilots are lit
pilot fuel gas high or low pressure trip value with fire box temp < 1400
F (760 C) will trip system to not purged status
ignition of pilot is by Operator manual field action
pilot fuel gas high or low trip value with fire box temp < 1400 F (760
C) will trip system to not purged status
all valves will go to master fuel trip positions
pilot fuel isolation and vent valves will be at trip position
fail safe
proof of purge maintained & Operator request to reset pilot fuel gas
Operator started & managed ignition cycle, if a pilot cannot be lit the
operator will tag it for maintenance & move on to next burner
shut down
pilot fuel gas high or low pressure trip value with fire box temp < 1400
F (760 C) will trip system to not purged status

b. ignition of main floor burners
Operator initiated step after all pilots are manually lit, ID fan on pressure
control with fire box temp < 1400 F (760 C) - SIL 1 - 12 month test
frequency of floor burner fuel trip reset
2) Define safe state for each SIF ignition of the floor burners is done by manual operation of the individual
burner manual isolation valve by the operator. Operator verifies burner
is ignited by the pilot and maintains supervision of flame stability until
fire box temperature exceeds 1400 F (760 C). If burner does not lite,
operator re-tries and if not successful will tag off for maintenance.
master fuel trip position for all floor burner isolation valves if not reset
fuel supply problems demand
5) SIF process measurements and trip values List of permissives for reset of master floor burner isolation valves
position switches on staged fuel valve (must be open before automated
pressure check, must be closed before main burner ignition)
automated fuel header pressure check (fuel cock valve closure & leakage
test for manually activated fuel isolation valves at multiple burners)
fuel flow valve set to fuel gas pressure control
VFD on ID fan set at draft pressure control & acceptable current load (ID
fan may optionally be run at fixed speed, subject to physical limitations)
(760 C), 2o3 voting prevents staged fuel firing
pressure transmitters (fuel & pilot & box pressure) with active trip points
purge sequence complete
pilot fuel reset complete
operator request of main floor burner fuel isolation valves reset
reset of floor burner fuel isolation valves is requested by Operator
pilots isolation valves are reset & all requirements for pilot ignition is
satisfied
7) Manual SD requirement yes - manual SD will shut down all burners
fail safe
proof of purge maintained & Operator request to reset floor burner fuel
isolation valves
Operator starts & completes floor burner ignition
shut down
pilot fuel gas high or low trip value with fire box temp < 1400 F (760
C) will trip system to not purged status
manual emergency trip will isolate fuel system

master total fuel trip is triggered by-
Emergency shut down
low ID fan current
wall burners (pilots remain in operation)
main floor burner fuel valves - closed - Class V shutoff
main floor burner fuel vent valves open
main wall burner fuel isolation valves - closed - Class V shutoff
coil feed inlet valves open and steam purging
5) SIF process measurements and trip values ID fan starter contacts
ID fan current switch
floor pilot fuel valves closed
floor and wall fuel control valves - closed
fire box air ID fan remains in last mode (draft pressure control or speed
control)
fail safe
Establish re-start permissives by either 1) prepare to re-purge fire box
(1a), or 2) restart main burners (2b) depending on fire box temperature
1) master fuel trip on < 1400 F (760 C) fire box or manual trip or
2) master fuel trip on > 1400 F (760 C) fire box
shut down
shutdown mode

3. Combustion safeguards b. Assurance of main burner within pressure boundaries (high or low
floor burner fuel pressure for flame stability)
master total fuel trip
control)
utility upset demand
fuel controller failure - continuous
5) SIF process measurements and trip values main burner fuel pressure not low, pressure transmitter downstream of
2nd shut off valve, SIF enabled after fuel gas pressure reset
main burner fuel pressure not high, pressure transmitter downstream of
shut-off valves and flow valve
floor and wall fuel control valves - closed
control)
fuel isolation valves for pilot gas are not tripped pilots stay in service
fail safe
Establish re-start permissives by either 1) prepare to re-purge fire box
(1a), or 2) restart main burners (2b) depending on fire box temperature
master fuel trip
shut down
shutdown mode

3. Combustion safeguards c. Assurance of pilot fuel within pressure boundaries (high or low pilot
fuel pressure for flame stability) action is temperature dependent
1. when fire box temp < 1400 F (760 C) pilots & master fuel trip is
activated
2. when fire box temp > 1400 F (760 C) only pilot trip is activated
Pilot trip
low pilot burner fuel pressure
high pilot burner fuel pressure
2) Define safe state for each SI 1. when fire box temp < 1400 F (760 C) pilots & master fuel trip is
activated
2. when fire box temp > 1400 F (760 C) only pilot trip is activated
(floor & wall burners remain in operation)
when fire box temp < 1400 F (760 C) pilot trip is activated & master
fuel trip is activated
pilot isolation valves are closed
pilot vent valve is open

when fire box temp > 1400 F (760 C) only pilot trip is activated
(floor & wall burners remain in operation)
5) SIF process measurements and trip values pilot fuel pressure not low or high, pressure transmitter located before
pilot header valves
floor pilot fuel valves temperature dependent as described above
pilot trip - where

control)
7) Manual SD requirement yes - manual SD will shut down all pilots (master fuel trip is temperature
dependent)
fail safe
restore fuel supply - activate reset restore pilots & burners to operation

Pilot trip & / or master fuel trip
shut down
shutdown mode

1400 F (760 C) staged floor
burners & wall burners fire box
temperature is > 1400 F (760 C)
a. flame supervision bypass above 1400 F (760 C) - ignition of staged
floor burners & wall burners
Operator initiated step to reset the isolation valves for these burners
after all floor burners are manually lit, ID fan on pressure control with
fire box temp > 1400 F (760 C) - SIL1 - 12 month - ignition of the
staged floor burners is done by manual operation of the individual burner
manual isolation valve by the operator after the main staged floor burner
isolation valves has been reset. Operator verifies burner is ignited by the
fire box. Ignition of the wall burners is done by manual operation of the
individual wall burner manual isolation valves by the operator after the
main wall burner isolation valve has been reset. Operator uses a
portable ignition torch to light wall burners. If burner does not lite,
2) Define safe state for each SI Staged floor burner and wall burner isolation valves are in interlock
position
master fuel trip position for all staged floor burner isolation valves and
wall burner isolation valves if not reset
Upset heater with low temperature demand
5) SIF process measurements and trip values List of permissives for reset of the stage floor burner isolation valves &
wall burner isolation valves
temperature transmitters (box) where proof of furnace temp > 1400 F
(760 C), 2o3 voting with transmitter down scale burn out
reset of staged floor burner fuel isolation valves is requested by Operator
& reset of the wall burner fuel isolation valves is requested by Operator
7) Manual SD requirement yes - manual SD will shut down all wall and staged burners
fail safe
when fire box temp > 1400 F (760 C) & Operator request to reset
staged floor burner fuel isolation valves & wall burner isolation valves
shut down
start-up mode
staged floor burners & wall burner systems would be automatically
removed from operation by isolating the fuel systems for each

5. Process specific protection a. Steam standby trip
low hydrocarbon feed pressure
high fire box pressure
low dilution steam flow
burners & staged floor burners & floor burners at low fire position &
sweep steam on heater tubes
partial fuel trip - where
main floor staged burner fuel valve closed
floor fuel valves at low fire position
major Unit upset or extremely high wind event - demand
5) SIF process measurements and trip values 2o3 feed pressure transmitters
2o3 steam flow transmitters
main floor staged burner fuel valve - closed
coil feed inlet valves open and steaming
control)
7) Manual SD requirement yes - manual SD will initiate partial trip
fail safe
restore feed pressure or fire box control - activate reset - when fire box
temp > 1400 F (760 C) the floor burners & staged floor burner & wall
burners fuel flow can be re-established by the operator
Partial firing trip, i.e. hot steam standby
shut down
shutdown mode

5. Process specific protection b. Decoke transition trip
high tube pressure
burners & staged floor burners. Floor burners at low fire position &
sweep steam on heater tubes. Open path to either the decoking facility
or fractionation train
floor fuel valves at reduced fire position (may prevent operation of
staged fuel and wall burners, depending on fire box temperature)

At least one open path to either fractionator train or decoking facilities,
but hydraulics do not allow revers hydrocarbon flow to decoking facilities
major Unit upset or failure in steam pressure control system - demand
5) SIF process measurements and trip values 2o3 effluent pressure transmitters
minimum speed stop on ID fan FVD
control)
but hydraulics do not allow revers hydrocarbon flow to decoking facilities
7) Manual SD requirement yes - manual SD will interrupt and reverse transition
fail safe
restore outlet path and proceed with transition automatically
Trip is only active during transitions to and from fractionation train (for
decoking)
shut down
Interrupt transition to prevent furnace overpressure
None

6. Decoke Mode - permissive a. Air decoke permissive
permissive to start decoke mode are defined, all BMS SIFs are in service

but hydraulics do not allow revers hydrocarbon flow to decoking facilities.
Prior to decoke air introduction, proven isolation from fractionation train
is required.
feed valve closed position switch
ONIS line blinds on process feed line & air feed line are mechanically
linked procedurally controlled
effluent valve cavity pressure low pressure switch
Allow introduction of decoking air on operator request
7) Manual SD requirement yes - manual SD will shut down will stop decoking air
shut down
decoke mode
down

6. Decoke Mode process specific b. Steam standby trip
Low dilution steam flow
proven isolated from quench system master fuel trip
Upset of steam utility during decoke cycle - demand
5) SIF process measurements and trip values steam flow meter
trips decoke air off
control)
shut down
decoke mode
down

low low steam drum level (2o3)
high superheat temperature
high quench system temperature
master fuel trip
control)
major upset of steam header or upset in BFW or low feed flow- demand
3 independent temperature transmitters in superheat & quench systems
all fuel valves maintained in master fuel tip position -
control)
restore level & temperature - activate reset
shut down
shutdown mode
Pilots on with ID fan running to allow for system restoration or cooling
down

all logic is integrated into the SIL logic solver Manual and master fuel
trip application is integrated within SIL logic solver
Manual shut down will activate the fuel trip application
wall burners pilot fuel may continue if fire box temp > 1400 F (760
C)
Operator input dependent

shut down
mode

SIFs
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
shut down
N/A
N/A

10. Safety PLCs Company standard SIL 3 capable logic solver is used
SIS - SIL 3 capable
N/A
SIS - SIL 3 capable
N/A
N/A
shut down
N/A
N/A

11. Safety shut off valve requirements rated fuel shut off valves Class V for forward flow
SIS - SIL 3 capable system
N/A
fuel manifold pressure test to test for closure of individual burner cock
valves
double block and bleed rated valves for floor burner system - Class V
valve, 2nd burner shut off valve on common fuel header, Manual
isolation valve at each burner
single Class V shut off valve downstream of main floor burner fuel
isolation valve set for the staged burner system
double block and bleed rated valves for wall burner system - Class V shut
off, 1st block master shut off valve on fuel header, common vent valve,
2nd master fuel shut off valve. Manual isolation valve at each burner
vent valves
all valves with provisions for Class V leakage testing per company
maintenance practices
N/A
N/A
shut down
N/A
N/A

Company C - Personnel Training and Qualifications
LOPA follows internal corporate rule
structure using trained & certified LOPA
leaders.
corporate standards. Internal LOPA
training and certification process. Internal
PHA training and certification process
Practices not known by contributor
representative.

Company C - Considerations for Long Testing Intervals
function
Not done. All trips are documented and
investigated.
organization
Instrument group schedules and oversees
testing; instrument technicians perform
most testing functions per written
procedures with Operations assistance.
element
and / or a test at after major maintenance
work due to corporate BMS standards and
process fouling
segmented testing)
High reliability considerations are used
(minimal single vote to trip, 2o3 meter
voting, in line valve leakage testing).
Segmenting testing is allowed but not
needed. No partial stroke applications with
the BMS applications.
devices (MOVs)

Appendix 4 - Practices and Approaches Company D - Ethylene
induced draft cracking furnace system consisting of 156 wall burners
start up
a. check for isolation of fuels (wall burner fuels) & Pre-light permissive
permissive for start of purge
closed position switches on wall burner fuel isolation valves
fuel gas header at burners at 0.0 psig
low fire position switches on fuel flow valve
minimum stop position on ID fan air damper
minimum stop position on wall burners
Steam driven ID fan status via measurement of speed
ID fan d/p adequate
Fire box d/p adequate
(760 C), 2o3 voting (fire box LEL SIF bypassed > 1400 F (760 C))
logic status
no bad process variables indicated
no SIFs in bypass state
visual proof of no flame by Operator
fuel valve at low fire position
minimum speed stop on ID fan minimum governor speed
fail safe
(760 C), Operations is making preparations to ignite a burner system
shut down

< 1400 F (760 C)
maintained for entire purge cycle & up to time of 1st burner ignition - SIL
1 - 12 month test frequency or at every maintenance turnaround that
disturbs the system
2) Define safe state for each SI all valves at SIF master fuel trip action positions while purge cycle is
executed
progress
5) SIF process measurements and trip values all valves at SIF master fuel trip action positions in step 1a while purge
cycle is executed
governor on ID fan at minimum speed
fan speed satisfied
fan d/p satisfied
fire box d/p satisfied
logic condition time for 5 volumes of air turnover in fire box logic timer
started by operator request for purge
at end of purge cycle 2 other permissives are enabled
1. Automated pressure test of the fuel header to verify individual
burner fuel manual isolation valves are closed.
2. Fire box LEL SIF is enabled 1o2 LEL meter SIF will initiate a
master fuel trip on high LEL in the fire box when temperature is <
1400 F (760 C)
purge requested by Operator if purge conditions are not satisfied logic
status of purge complete is not attained
fuel valve at low fire position
minimum speed stop on ID fan minimum governor speed
fail safe
request to purge
stopped.
shut down
cycle the burner gas is permitted to be reset by the Operator

2. Ignition trial period ignition of 1
st

group of wall burners when fire box
operator after the box has been purged - 1st wall burner can be lit
following:
1. Operator verifies wall burner fuel isolation valve is closed, fuel
system double block & bleed isolation is reset by Operator
2. Operator inspects the burner for no flame
3. Operator inserts the portable electric igniter into the burner
4. Operator opens wall burner gas valve and confirms ignition within
15 seconds
5. Operator moves on to next burner and repeats steps for all burners
in 1
st
group
Operator initiated step after purge & with ID fan speed control. All purge
cycle permissive must be maintained and fuel gas pressure must not be
high or low - SIL 1 - 12 month test frequency
2) Define safe state for each SI if ignition of the burner is not visually proven in trial period then the
operator checks the fuel system and attempts ignition again or tags the
burner for maintenance
5) SIF process measurements and trip values All valves will move to master fuel trip (step 1a) positions when -
fuel gas high or low trip
governor on ID fan tripped
fan speed not satisfied
fan d/p not satisfied
fire box d/p not satisfied
Fire box LEL SIF is enabled 1o2 high LEL meter SIF will initiate a
master fuel trip on high LEL in the fire box when temperature is < 1400
F (760 C)
Low steam drum level
ignition of burner is supervised by Operators - manual field action
all valves will go to master fuel trip positions listed in 1a
system will change to not purged logic status
fail safe
proof of purge maintained & Operator request to reset fuel gas
Operator started & managed ignition cycle, if a pilot cannot be lit the
operator will tag it for maintenance & move on to next burner
shut down
Flame supervision is maintained by Operator until fire box temperature
>1400 F (760 C)

2. Ignition trial period ignition of next
group of wall burners when fire box
b. ignition of next group of wall burners
1. Operator inspects the burner for no flame
2. Operator inserts the portable electric igniter into the burner
3. Operator opens wall burner gas valve and confirms ignition within
15 seconds
4. Operator moves on to next burner and repeats steps for all burners
in this group
Operator initiated step after 1
st
group of wall burners are manually lit, ID
fan on speed control with fire box temp < 1400 F (760 C) - SIL 1 - 12
month test frequency of wall burner fuel trip reset
2) Define safe state for each SIF ignition of the wall burners is done by manual operation of the individual
burner manual isolation valve by the operator. Operator verifies burner
is ignited by the igniter and maintains supervision of flame stability until
fire box temperature exceeds 1400 F (760 C). If burner does not lite,
master fuel trip position for all wall burner isolation valves if not reset
fan speed satisfied
fan d/p satisfied
fire box d/p satisfied
Fire box LEL SIF is enabled 1o2 LEL meter SIF will initiate a master fuel
trip on high LEL in the fire box when temperature is < 1400 F (760 C)
Low steam drum level
ignition of burner is supervised by Operators - manual field action
all valves will go to master fuel trip positions listed in 1a
system will change to not purged logic status
fail safe
proof of purge maintained & Operator request to reset wall burner fuel
isolation valves
Operator starts & completes wall burner ignition
shut down
Flame supervision is maintained by Operator until fire box temperature
>1400 F (760 C)

3. Combustion safeguards General safe guards assurance of stable flame
Emergency shut down
burners
main wall burner fuel vent valves open
fuel valves at low fire position
minimum speed stop on ID fan governor
5) SIF process measurements and trip values fuel gas high or low trip
fail safe
restore stable flame conditions - fan & fire box pressures - activate reset
master fuel trip
shut down
shutdown mode

1400 F (760 C) staged floor
burners & wall burners fire box
temperature is > 1400 F (760 C)
flame supervision bypass above 1400 F (760 C) bypass of 1o2 fire
box LEL meter SIF
Automatic action - with fire box temp > 1400 F (760 C) - SIL 1 - 12
month
2) Define safe state for each SI Wall burner isolation valves are in interlock position master fuel trip
master fuel trip position for all wall burner isolation valves if not reset
Fire box LEL SIF is enabled 1o2 high LEL meter SIF will initiate a
master fuel trip on high LEL in the fire box when temperature is < 1400
F (760 C)
reset of the wall burner fuel isolation valves is requested by Operator
7) Manual SD requirement yes - manual SD will shut down all burners & when fire box temp <
1400 F (760 C) & LEL is high
fail safe
SIF will reset automatically when fire box temperature < 1400 F (760
C)
shut down
start-up mode
SIF will be engaged

5. Process specific protection No process specific SIFs are implemented with this heater system
N/A
N/A
N/A
N/A
N/A
N/A
N/A
shut down
N/A
N/A

6. Decoke Mode - permissive problems with decoke valve setup will initiate a master fuel trip
permissive to start decoke mode are defined, all other BMS SIFs are in
service
air feed valve closed / open position switches
Double block effluent valve closed position switches
effluent valve cavity pressure low pressure switch
Air valves will be closed if decoke permissive states are tripped
and
Master fuel will put the Unit in a safe mode
shut down
decoke mode
Master fuel trip with ID fan running to allow for system restoration or
cooling down

low steam drum level (2o3)
master fuel trip
burners
major upset of steam header or upset in BFW or low feed flow- demand
restore level - activate reset
shut down
shutdown mode
ID fan running to allow for system restoration or cooling down

Manual shut down will activate the master fuel trip application
burners
shut down
mode

SIFs
Manual shut down will activate the master fuel trip application
N/A
de-energized - device will be in the interlock position independent SVs
on all SIF valves
N/A
N/A
shut down
N/A
N/A

SIS - SIL 3 capable
N/A
SIS - SIL 3 capable
N/A
N/A
shut down
N/A
N/A

11. Safety shut off valve requirements rated fuel shut off valves Class V
N/A
fuel manifold pressure test to test for closure of individual burner cock
valves
double block and bleed rated valves for wall burner system - Class V shut
off, 1st block master shut off valve on fuel header, common vent valve,
2nd burner shut off valve on common fuel header
single Class V shut off valve used in fuel manifold automated pressure
test
vent valves
all valves with provisions for Class V leakage testing per company
maintenance practices
N/A
N/A
shut down
N/A
N/A

Company D - Personnel Training and Qualifications
SIL is set in the PHA process using risk
matrix. External certified LOPA leaders.
PHAs follow internal corporate rule
structure using trained & certified leaders.
corporate standards. External LOPA
PHA training and certification process.
2 year degree IT program or experienced
technicians. SIS maintenance group is
dedicated and all SIF components are
marked.

Company D - Considerations for Long Testing Intervals
function
Not done. All trips are documented and
investigated.
organization
element
and / or a test at after major maintenance
work due to corporate BMS standards and
process fouling
segmented testing)
line valve leakage testing). No partial
stroke applications with the BMS
applications.
devices (MOVs)

Appendix 5 - Practices and Approaches Company E - Ethylene
induced draft cracking furnace system consisting of multiple piloted
automated main floor burners & manually lit wall burners
start up
a. check for isolation of fuels (pilot fuel & burner fuel & feed) & Pre-light
closed position switches on staged fuel valve
low fire position switches on fuel flow valve
ID fan and dampers at pressure control & acceptable current load
temperature transmitters (box) where proof of furnace temp < 1300 F,
2o3 voting
pressure transmitters (fuel & pilot fuel system pressure)
pressure transmitters (fire box pressure pressure)
SIS contact logic status
visual proof of no flame
fuel isolation valves for pilot gas are closed
fuel vent valve for pilot gas is open
closure on all fuel isolation valves - Class V or better shutoff
floor fuel valves closed with fuel minimum flow bypass regulator
ID fan dampers at minimum position (pressure control)
fail safe
normal mode for this state is no flames in fire box, temp < 1300 F,
Operations is making preparations to ignite a burner system
shut down

< 1300 F
- 12 month test frequency or at every maintenance turnaround that
disturbs the system
ID fan dampers on pressure control & acceptable current load
fan d/p adequate
fire box d/p adequate
logic condition time for 5 volumes of air turnover in fire box
progress
cycle
fan d/p adequate
pressure control of ID fan dampers
fail safe
request to purge
stopped.
shut down
cycle the pilot gas is permitted to each pilot burner

< 1300 F
All pilots are lit before any burners
operator after the box has been purged - 1st pilot burner and all
following floor pilot burners can be lit following:
1. Operator verifies no flame in system
2. Operator inspects the pilot for no flame
3. Operator inserts the portable torch igniter into the pilot
4. Operator requests start of pilot and SIS confirms ignition within 15
seconds
5. Operator moves on to next pilot and repeats steps for all pilots
Operator initiated step after purge & with ID fan pressure control speed.
All purge cycle permissive must be maintained and pilot fuel gas pressure
must not be high or low - SIL 2 - 12 month test frequency
2) Define safe state for each SI if ignition of the pilot is not proven in trial period t by flame scanner,
then SIS action isolates pilot fuel and requires 1 minute pause for partial
system purge.
5) SIF process measurements and trip values all valve positions for fuel & feed at step 1a position until main fuel is
reset by operator after pilots are lit
pilot fuel gas high or low trip value will trip all pilots and SIS will set
system to not purged status
ignition of pilot is by Operator manual field action
all valves will go to master fuel trip positions
pilot fuel isolation and vent valves will be at trip position
7) Manual SD requirement yes Global shutdown will shut down all burners & pilots
fail safe
proof of purge maintained & Operator request to reset pilot fuel gas
Operator started ignition cycle, if a pilot cannot be lit the operator will
tag it for maintenance & move on to next burner
shut down

temperature is < 1300 F
b. ignition of all main floor burners
Operator initiated step after all pilots are lit, ID fan on pressure control
with fire box temp < 1300 F - SIL 2 - 12 month test frequency of floor
burner fuel trip reset
2) Define safe state for each SIF ignition of the floor burners is done by remote operation of the individual
burner resets by the operator. Flame scanners verify burner is ignited by
the pilot and maintains supervision of flame stability until fire box
temperature exceeds 1300 F. If burner does not lite, operator re-tries.
Excess attempts to lit, if not successful will trigger the SIS to require a
re-purge.
master fuel trip position for all floor burner isolation valves if not reset
5) SIF process measurements and trip values List of permissives for reset of master floor burner isolation valves
closed position switches on staged fuel valve
closed position switches on fuel flow valve
minimum position on burner air registers
ID fan on pressure control & acceptable current load
Fire box d/p satisfied
Fan d/p satisfied
temperature transmitters (box) where proof of furnace temp < 1300 F,
2o3 voting
pressure transmitters (fuel & box pressure)
purge sequence complete
pilot fuel reset complete
operator request of main floor burner fuel isolation valves reset
reset of floor burner fuel isolation valves is requested by Operator
pilots isolation valves are reset & all requirements for pilot ignition is
satisfied
7) Manual SD requirement yes - manual SD will shut down all floor burners when fire box temp <
1300 F (pilots remain lit)
fail safe
proof of purge maintained & Operator request to reset floor burner fuel
isolation valves
Operator starts & completes floor burner ignition
shut down
Burner fuel gas high or low trip value with fire box temp < 1300 F will
trip system to not purged status
manual emergency trip will isolate main burner fuel system

Emergency shut down
low ID fan current
high combustion chamber pressure (process trip)
main floor burner fuel valves - closed - Class V or better shutoff
main wall burner fuel isolation valves - closed - Class V or better shutoff
floor fuel valves at closed position
minimum position on ID fan registers
burner registers at minimum position
5) SIF process measurements and trip values ID fan starter contacts
ID fan current switch
2o3 fan d/p pressure transmitters
fire box air ID fan on pressure control
(fuel isolation valves for pilot gas are not tripped pilots stay in service)
7) Manual SD requirement yes - manual SD will shut down all burners, pilots remain in operation
fail safe
restore combustion air & fire box pressures - activate reset
master fuel trip
shut down
shutdown mode
ID fan will continue to run to remove latent heat in fire box, pilots remain
lit

3. Combustion safeguards b. Assurance of stable flame (high or low floor burner fuel pressure)
master total fuel trip
pressure control of ID fan registers
minimum position on burner registers
5) SIF process measurements and trip values 2o3 main burner fuel pressure not low, switch downstream of 1st safety
shut off valve, SIF enabled after safety valves are open with delay
2o3 main burner fuel pressure not high, pressure switch downstream of
fire box air ID fan registers at minimum position
(fuel isolation valves for pilot gas are not tripped pilots stay in service)
fail safe
master fuel trip
shut down
shutdown mode
ID fan will continue to run to remove latent heat in fire box, pilots remain
lit

3. Combustion safeguards c. Assurance of stable flame (high or low pilot fuel pressure) action is
temperature dependent
1. when fire box temp < 1300 F pilots & master fuel trip is activated
2. when fire box temp > 1300 F only pilot trip is activated
Pilot trip
low pilot burner fuel pressure
high pilot burner fuel pressure
2) Define safe state for each SI 1. when fire box temp < 1300 F pilots & master fuel trip is activated
2. when fire box temp > 1300 F only pilot trip is activated (floor &
wall burners remain in operation)
when fire box temp < 1300 F pilot trip is activated & master fuel trip
is activated
main wall burner fuel isolation valves - closed - Class V better shutoff
pressure control on ID fan registers

when fire box temp > 1300 F only pilot trip is activated (floor & wall
burners remain in operation)
5) SIF process measurements and trip values pilot fuel pressure not low, pressure transmitters located before pilot
safety shut off solenoid valves
pilot pressure not high, pressure transmitter located after pilot shut off
valves & regulator
floor pilot fuel valves temperature dependent as described above
pilot trip - where

7) Manual SD requirement yes - manual SD will shut down all burners pilots are not tripped by
manual shut down system
fail safe
9) Reset considerations including restore fuel supply - activate reset restore pilots & burners to operation

Pilot trip & / or master fuel trip
shut down
shutdown mode

1300 F staged floor burners &
wall burners fire box temperature
is > 1300 F
a. flame supervision bypass above 1300 F - ignition of staged fuel floor
burners & wall burners
Operator initiated step to reset the isolation valves for these burners
after all floor burners are manually lit, ID fan on pressure control with
fire box temp > 1300 F - SIL 2 - 12 month - ignition of the staged floor
burners is done by manual operation of the individual burner manual
isolation valve by the operator after the main staged floor burner
isolation valves has been reset. Ignition of the wall burners is done by
permitted operation by fire box temperature > 1300 F and Operator
reset of the wall burner automatic isolation valves. Individual wall
burners are manually valved in by field Operator.
2) Define safe state for each SI Staged floor burner and wall burner isolation valves are in interlock
position
master fuel trip position for all staged floor burner isolation valves and
wall burner isolation valves if not reset
5) SIF process measurements and trip values List of permissives for reset of the stage floor burner isolation valves &
wall burner isolation valves
temperature transmitters (box) where proof of furnace temp > 1300 F,
2o3 voting with transmitter down scale burn out
reset of staged floor burner fuel isolation valves is requested by Operator
& reset of the wall burner fuel isolation valves is requested by Operator
7) Manual SD requirement yes - manual SD will shut down all burners & when fire box temp <
1300 F
fail safe
when fire box temp > 1300 F & Operator request to reset staged floor
burner fuel isolation valves & wall burner isolation valves
shut down
start-up mode
staged floor burners & wall burner systems would be automatically
removed from operation by isolating the fuel systems for each

5. Process specific protection a. master fuel trip
low hydrocarbon feed pressure
burners & staged floor burners & floor burners at low fire position &
sweep steam on heater tubes
ID fan register at minimum position on pressure control
major Unit upset event demand
5) SIF process measurements and trip values 2o3 steam pressure transmitters
floor pilot fuel valves temperature dependent
fail safe
restore feed pressure or fire box control - activate reset - when fire box
temp > 1300 F the floor burners & staged floor burner & wall burners
fuel flow can be re-established by the operator
pressure upsets are only allowed with all fuels tripped
shut down
shutdown mode

6. Decoke Mode - permissive a. master fuel trip
permissive to start decoke mode are defined - all other BMS SIFs are in
service
ID fan registers at minimum position on pressure control
ONIS line blinds on process feed line & air feed line are mechanically
linked procedurally controlled
Double block effluent valve closed position switches
effluent valve cavity pressure low pressure 2o3 transmitters
floor pilot fuel valves temperature dependent
fire box air ID fan registers on pressure control at minimum position
if decoke procedure and permissive are not established, SIS will activate
master fuel trip, de-energize to trip - fail safe
shut down
decoke mode
down

low low steam drum level (2o3)
high super heat temperature
master fuel trip
ID fan registers on pressure control
3 independent temperature transmitters in superheat system
fire box air ID fan registers at minimum position
shut down
shutdown mode
Pilots on with ID fan running to allow for system restoration or cooling
down

all logic is integrated into the SIL logic solver manual emergency and
master fuel trip application is integrated within SIL logic solver
3
rd
level of global plant trip will shut down pilots also
Manual shut down will activate the fuel trip application which is
dependent on fire box temperature
wall burners pilot fuel may continue if fire box temp > 1300 F
5) SIF process measurements and trip values Manual emergency activation of the master fuel trip - local activation
switch & CCR activation switches
manual activation of the master fuel trip - local activation switch & CCR
activation switches
shut down
mode

SIFs
Master fuel trip application is custom dependent on fire box temperature
fire box temp < 1300 F will give a master fuel trip to 1a valve
conditions & will trip pilot fuel & will set system to not purged
fire box temp > 1300 F will give a master fuel trip to 1a valve
conditions but will not trip pilot fuel & will not require a purge
N/A
de-energized - device will be in the interlock position independent SVs
on all SIF valves
N/A
N/A
shut down
N/A
N/A

SIS - SIL 3 capable
N/A
SIS - SIL 3 capable
N/A
N/A
shut down
N/A
N/A

11. Safety shut off valve requirements rated fuel shut off valves Class V or better
N/A
double block and bleed rated valves for floor burner system - Class V or
better shut off, 1st block master shut off valve on fuel header, common
vent valve, 2nd burner shut off valve on common fuel header
single Class V or better shut off valve downstream of main floor burner
fuel isolation valve set for the staged burner system
double block and bleed rated valves for wall burner system - Class V or
better shut off, 1st block master shut off valve on fuel header, common
vent valve, 2nd master fuel shut off valve. Manual isolation valve at
each burner
vent valves
all valves with provisions for Class V or better leakage testing per
company maintenance practices
N/A
N/A
shut down
N/A
N/A

Company E - Personnel Training and Qualifications
SIL is set in the PHA process using risk
ranking matrix to establish SIL. External
trained and certified PHA leaders. PHAs
follow corporate rule structure using
trained & certified leaders.
corporate standards. Internal SIS training
for personnel that design and maintain the
SIS. ISA84 Expert Certificate is supported.
Only experienced technicians with 2 to 5
years are hired. SIS maintenance group is
dedicated and all SIF components are
marked.
Company E - Considerations for Long Testing Intervals
function
All trips are reviewed for proper action and
used to validate SIF action. Test interval
timing is reset.
organization
Tests cover SIS thru final element, all
sensors maintenance and testing is done
on line.
full testing is done for 1
st
test, all other
tests are segmented - covering logic solver
and final element
SIFs for fire box SIFs are set at 12 month
testing frequency
segmented testing)
line valve leakage testing). Partial stroke
applications are used with the BMS
applications.
devices (MOVs)
MOVs have been removed from the
process in favor of fail-safe devices

Appendix 6 - Practices and Approaches Company F - Ethylene furnace
with multiple bottom burners and multiple upper level burners, ID fan
for draft
1. Safe to start checks a. Isolation of Fuels (including feed & secondary fuels) & Pre-light
permissive
Permissive where all process feeds & fuels are isolated from the fire box
& start-up is in ready to begin
2) Define safe state for each SIF all elements at SIF action positions
progress
Purge requirement met; air flow adequate in the box
firebox draft at set-point
main feed valves are closed
bottom burner and upper burner fuel gas valves are closed
fuel gas vent valve(s) open
no flame detected (or flame scanner problems)
MOVs closed to cracked gas header and open to decoke position
No combustibles in the firebox
No pressure between 2 MOVs to cracked gas header
demand - caused by the system being taken down on purpose or by
automatic trip of furnace
5) SIF process measurements and trip values All permissives must be met

Air flow in box - (SIS)
firebox pressure transmitters (SIS)
steam drum level (SIS)
fuel gas position switches (SIS)
flame scanners (SIS)
feed valve position switches (BPCS)
Combustible analyzer input (BPCS)
Position switches on cracked gas and decoke MOVs (BPCS)
pressure transmitter between 2 cracked gas valves (BPCS)
All permissives must be met
Proof the individual burners have had adequate purge before attempting
to light (SIS)
Total purge time satisfied (SIS)
Proof of adequate air flow in box (SIS)
fire box pressure not high (SIS)
Proof of steam drum level (SIS)
proof of closure on all fuel isolation valve position switches - valves shall
be "tight shutoff" (SIS)
proof of no flame in firebox (SIS)
proof of closure of the feed valves (BPCS)
Proof of no combustibles in firebox (BPCS)
No MOV alarms (cracked gas valves and decoke valve) (all limit switches
show in correct position) (BPCS)
No pressure between 2 cracked gas valves (BPCS)
fail safe

normal mode for this state is no flames in fire box, temp < AIT (Auto-
Ignition Temperature), Operations is making preparations to ignite a
burner system
shut down
Start-up sequence

1. Safe to start checks b. Purge & Proof of Purge of radiant box and convection section
Permissive where Operator starts purge cycle. Permissives for start of
purge are maintained for entire purge cycle & up to time of 1st burner
ignition attempt
progress

permissives for start of ignition steps
at least one burner ready for light-off
Purge requirement met; air flow adequate in the box
firebox draft at set-point
main feed valves are closed
bottom burner and upper burner fuel gas valves are closed
fuel gas vent valve(s) open
no flame detected (or flame scanner problems)
MOVs closed to cracked gas header and open to decoke position
No combustibles in the firebox
No pressure between 2 MOVs to cracked gas header
5) SIF process measurements and trip values All permissives must be met
logic condition (SIS)
logic timer (SIS)
Air flow in box- (SIS)
firebox pressure transmitters (SIS)
fuel gas position switches (SIS)
feed valve position switches (BPCS)
Combustible analyzer input (BPCS)
Position switches on cracked gas and decoke MOVs (BPCS)
pressure transmitter between 2 cracked gas valves (BPCS)
Fuel gas pressure (BPCS)
Proof the individual burners have had adequate purge before attempting
to light (SIS)
Total purge time satisfied (SIS)
Proof of adequate air flow in box (SIS)
fire box pressure not high (SIS)
Proof of steam drum level (SIS)
proof of closure on all fuel isolation valve position switches - valves shall
be "tight shutoff" (SIS)
proof of no flame in firebox (SIS)
proof of closure of the feed valves (BPCS)
Proof of no combustibles in firebox (BPCS)
No MOV alarms (cracked gas valves and decoke valve) (all limit switches
show in correct position) (BPCS)
No pressure between 2 cracked gas valves (BPCS)

Proof of no fuel gas in fuel gas piping system (BPCS)
fail safe
All permissives for starting the purge must be maintained throughout the
purge or the sequence will step back to previous start-up step
Operator starts purge cycle. The first step is to pressure test the fuel gas
piping system to ensure all burner valves are closed, followed
automatically by the purge. If any condition is not achieved purge
counter is automatically stopped and the system goes back to pre-purge
step.
shut down
Start-up sequence

2. Ignition trial period

a. ignition trial with no flame proven
- This step requires at least one flame in furnace to be established to be
successful.
Operator initiated step after purge, ID fan at purge speed. All purge cycle
permissives must be maintained and flame must be proven in allowed
time or re-purge is required
2) Define safe state for each SI If ignition of the 1st burner (in each furnace section) is not proven in trial
period then the furnace goes through "total trip" step and must be run
thru the purge cycle again
igniter or flame scanner problems - demand
5) SIF process measurements and trip values logic condition (SIS)
logic timer (SIS)
firebox temperature transmitters (SIS)
logic condition (BPCS)
purge complete (SIS)
ignition requested (time limit for flame proven) (SIS)
proof of flame or no flame in firebox (SIS)
proof of furnace temp > AIT (SIS)
permissives for start of purge are maintained (BPCS)
fail safe
proof of purge maintained & Operator request to ignite following
successful purge; re-purge required after unsuccessful light-off
Operator starts ignition cycle, if condition is not achieved a system
restart is required (re-purge of the furnace)
shut down
Start-up sequence
furnace goes to "total trip"

2. Ignition trial period b. ignition of next floor burners - 2nd and subsequent floor burner
ignition
Operator manually lights remaining burners after completion of 1st
burner light-offs; 1x purge required after each unsuccessful light-off
2) Define safe state for each SIF if ignition of the next burner is not proven in trial period then the next
ignition is delayed to allow a 1x volume furnace purge
fuel for this burner proven isolated
burner problems - demand
5) SIF process measurements and trip values no flame proven in ignition trial period (manual operation)
light-off manually performed by Operator
at least 1 floor burner flame proven (SIS)
fail safe
Operator requests light-off after successful purge; re-purge required
after each unsuccessful light-off
Operator manually lights off upper level burners
shut down
Run step (in burner management system); warm-up step for furnace

Emergency shut down
loss of ID fan
Loss of flame indication in an individual firebox section (below AIT)
Master total fuel trip
wall burners
master fuel trip
main floor burner fuel valves - closed
Adequate air flow in the box
process upset or demand
5) SIF process measurements and trip values chamber pressure transmitters (SIS)
Loss of ID fan (SIS)
master fuel trip
main floor burner fuel valves - closed - Valves shall be "tight shutoff"
main wall burner fuel isolation valves - closed - Valves shall be "tight
shutoff"
fire box air ID fan -adequate air flow
fail safe
restore fan & temperatures & pressures - activate reset
master fuel trip
shut down
shutdown mode

wall burners
master fuel trip
fuel utility upset - demand - instrument failure
5) SIF process measurements and trip values Fuel pressure transmitters - (SIS)
Fuel pressure transmitters (SIS)
master fuel trip
shutoff"
fail safe
master fuel trip
shut down
shutdown mode

1400 F (760 C)
a. flame supervision above 1400 F (760 C)
SIF action will bypass the flame supervision system for all burners when
combustion chamber temperature is at or above the pre-determined safe
auto-ignition temperature (AIT)
burners
N/A
N/A
5) SIF process measurements and trip values firebox temperature transmitters (SIS)
fail safe
SIF action will automatically restore active flame supervision when arch
temperature is below AIT
flame scanners will become part of master fuel trip below AIT
shut down
shutdown mode
flame scanners will become part of master fuel trip below AIT

1400 F (760 C)
b. Wall burner permit above 1400 F (760 C)
Allow light off only above AIT; wall (upper) level burners are manually lit
by operator
burners
N/A
5) SIF process measurements and trip values firebox temperature transmitters (SIS)
side wall block valves (SIS)
main wall burner fuel isolation valves - closed below auto-ignition -
Valves shall be "tight shutoff" (SIS)
wall burner double block and bleed valve system reset to run position
when requested by Operator and when furnace temp > AIT
fail safe
SIF action will permit Operator to request wall burner fuel gas when
combustion chamber temperature is above auto-ignition temperature
wall burner fuel must be requested by the Operator during the heater
system start-up
shut down
shutdown mode
during a major upset that caused the fire box temperature to drop below
AIT, the wall burner system would be automatically removed from
operation by isolating the fuel system

5. Process specific protection High Transfer Line Exchanger outlet temperature
High Coil Outlet Temperature
burners
master fuel trip
Unit upset, instrument failure, demand
5) SIF process measurements and trip values Cracked gas header temperature (SIS)
Total coil flow (SIS)
Quench oil pump run relay (BPCS)
Coil outlet temperature measurements (BPCS)
master fuel trip
shutoff"
restore level & temperature & pressure - activate reset
master fuel trip
shut down
shutdown mode

6. Decoke Mode
N/A
2) Define safe state for each SI The burner management system is identical for "furnace run" and
"furnace de-coke" modes
Cracked gas header MOVs closed
Feed valves closed & blinded
De-coke steam source evaluated for safe operation

5) SIF process measurements and trip values

7) Manual SD requirement



shut down


low steam drum level
high superheat steam temperature
burners
master fuel trip
5) SIF process measurements and trip values High pressure steam temperature (SIS)
BFW pump run indication (BPCS)
master fuel trip
shutoff"
restore level & temperature & pressure - activate reset
level and pressure upsets are only allowed with all fuels tripped
shut down
shutdown mode

Prefer not to make interpretations of standards for this exercise since
interpretations may be different from one company to another.
2) Define safe state for each SI all valves at SIF action positions for master fuel trip
master fuel trip
manual activation by Operator - demand
control room activation switch
control room activation switch
master fuel trip
shutoff"
7) Manual SD requirement manual activation by Operator
shut down
mode

SIFs
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
shut down
N/A
N/A

10. Safety PLCs N/A
N/A
de-energized - outputs will be in the interlock position
N/A
Meets SIS requirements
fail safe
N/A
N/A
shut down
N/A
N/A

11. Safety shut off valve requirements
tight shutoff rated fuel shut off valves
N/A
double block and bleed rated valves for floor burner system - valves shall
be "tight shutoff"
double block and bleed rated valves for wall burner system - Valves shall
be "tight shutoff"
vent valves
all valves with provisions for online leakage proof testing (acceptable
leakage rates defined based on valve sizes)
fail safe
N/A
N/A
shut down
N/A
N/A

Company F - Personnel Training and Qualifications
A variety of scenario identification methods
may be used. LOPA can be used to
evaluate the risks further, develop
protection strategies, and allocate
mitigation functions across IPL types and
integrity levels. LOPA follows internal
corporate rule structure using trained
LOPA leaders and independent SIS
functional safety assessors.
Operator training required (initially and at
least every 3 years); training to be
documented; operator response to SIS
alarms, etc. is documented in procedures
and training
corporate standards. Internal LOPA
PHA training.
Internal corporate training.

Company F - Considerations for Long Testing Intervals
function
Yes, if properly documented; process trip
(if based on the function in question) may
qualify as a functional check
organization
Scheduling and testing is done via
instrument group with input from
operations on timing and feasibility; testing
must follow written procedures and be
performed by qualified personnel
Full end-to-end loop validation is normally
required on installation or modification.
Documented procedures require, must be
completed by qualified personnel, and
must verify response times.
There is no single vote to trip
5. Design considerations for long testing Additional instruments are sometimes

segmented testing)
included in design to allow longer testing
intervals (when system must be taken off-
line for testing)
devices (MOVs)
No SIF final elements are energized to trip.
MOVs are used only as BPCS functions and
manual isolation system, but this is a
manual trip, not a SIF action. In some
cases we may de-energize a MOV except
when needed to assure no inadvertent
closing which might cause an unsafe
condition.

Paper 295177

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Paper 295177

Uploaded by

Copyright:

Available Formats

AIChE Paper Number: 136b

ETHYLENE CRACKING FURNACE BURNER MANAGEMENT

You might also like