ISA-TR84.00.05-2009
Guidance on the Identification of Safety Instrumented Functions (SIF) in Burner Management Systems (BMS)
Approved 10 December 2009


Copyright International Society of Automation


Provided by IHS under license with ISA
No reproduction or networking permitted without license from IHS

Licensee=BP International/5928366101
Not for Resale, 10/04/2012 08:02:58 MDT

ISA-TR84.00.05-2009, Guidance on the Identification of Safety Instrumented Functions (SIF) in Burner Management Systems (BMS)
ISBN: 978-1-936007-41-7
Copyright 2009 by ISA. All rights reserved. Printed in the United States of America. No part of this
publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the
Publisher.


ISA
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, North Carolina 27709


-3-

ISA-TR84.00.05-2009

Preface
This preface is included for information purposes and is not part of ISA-TR84.00.05-2009.
This technical report has been prepared as part of the service of ISA, the International Society of
Automation. To be of real value, this document should not be static but should be subject to
periodic review. Toward this end, the Society welcomes all comments and criticisms and asks
that they be addressed to the Secretary, Standards and Practices Board; ISA, 67 Alexander
Drive; P.O. Box 12277; Research Triangle Park, NC 277099; Telephone (919) 549-8411; Fax
(919) 549-8288; E-mail: standards@isa.org.
The ISA Standards and Practices Department is aware of the growing need for attention to the
metric system of units in general, and the International System of Units (SI) in particular, in the
preparation of instrumentation standards, recommended practices, and technical reports. The
Department is further aware of the benefits to users of ISA standards documents of incorporating
suitable references to the SI (and the metric system) in their business and professional dealings
with other countries. Toward this end, the Department will endeavor to introduce SI and
acceptable metric units in all new and revised standards documents to the greatest extent
possible. The Metric Practice Guide, which has been published by the Institute of Electrical and
Electronics Engineers (IEEE) as ANSI/IEEE Std. 268-1992, and future revisions, will be the
reference guide for definitions, symbols, abbreviations, and conversion factors.
It is the policy of ISA to encourage and welcome the participation of all concerned individuals
and interests in the development of ISA standards. Participation in the ISA standards-making
process by an individual in no way constitutes endorsement by the employer of that individual, of
ISA, or of any of the standards, recommended practices, and technical reports that ISA
develops.
CAUTION: ISA DOES NOT TAKE ANY POSITION WITH RESPECT TO THE EXISTENCE OR
VALIDITY OF ANY PATENT RIGHTS ASSERTED IN CONNECTION WITH THIS DOCUMENT, AND
ISA DISCLAIMS LIABILITY FOR THE INFRINGEMENT OF ANY PATENT RESULTING FROM THE
USE OF THIS DOCUMENT. USERS ARE ADVISED THAT DETERMINATION OF THE VALIDITY OF
ANY PATENT RIGHTS, AND THE RISK OF INFRINGEMENT OF SUCH RIGHTS, IS ENTIRELY THEIR
OWN RESPONSIBILITY.
PURSUANT TO ISA'S PATENT POLICY, ONE OR MORE PATENT HOLDERS OR PATENT
APPLICANTS MAY HAVE DISCLOSED PATENTS THAT COULD BE INFRINGED BY USE OF THIS
DOCUMENT AND EXECUTED A LETTER OF ASSURANCE COMMITTING TO THE GRANTING OF A
LICENSE ON A WORLDWIDE, NON-DISCRIMINATORY BASIS, WITH A FAIR AND REASONABLE
ROYALTY RATE AND FAIR AND REASONABLE TERMS AND CONDITIONS. FOR MORE
INFORMATION ON SUCH DISCLOSURES AND LETTERS OF ASSURANCE, CONTACT ISA OR
VISIT WWW.ISA.ORG/STANDARDSPATENTS.
OTHER PATENTS OR PATENT CLAIMS MAY EXIST FOR WHICH A DISCLOSURE OR LETTER OF
ASSURANCE HAS NOT BEEN RECEIVED. ISA IS NOT RESPONSIBLE FOR IDENTIFYING PATENTS
OR PATENT APPLICATIONS FOR WHICH A LICENSE MAY BE REQUIRED, FOR CONDUCTING
INQUIRIES INTO THE LEGAL VALIDITY OR SCOPE OF PATENTS, OR DETERMINING WHETHER
ANY LICENSING TERMS OR CONDITIONS PROVIDED IN CONNECTION WITH SUBMISSION OF A
LETTER OF ASSURANCE, IF ANY, OR IN ANY LICENSING AGREEMENTS ARE REASONABLE OR
NON-DISCRIMINATORY.
ISA REQUESTS THAT ANYONE REVIEWING THIS DOCUMENT WHO IS AWARE OF ANY PATENTS
THAT MAY IMPACT IMPLEMENTATION OF THE DOCUMENT NOTIFY THE ISA STANDARDS AND
PRACTICES DEPARTMENT OF THE PATENT AND ITS OWNER.


ADDITIONALLY, THE USE OF THIS DOCUMENT MAY INVOLVE HAZARDOUS MATERIALS,
OPERATIONS OR EQUIPMENT. THE DOCUMENT CANNOT ANTICIPATE ALL POSSIBLE
APPLICATIONS OR ADDRESS ALL POSSIBLE SAFETY ISSUES ASSOCIATED WITH USE IN
HAZARDOUS CONDITIONS. THE USER OF THIS DOCUMENT MUST EXERCISE SOUND
PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY UNDER THE USER'S
PARTICULAR CIRCUMSTANCES. THE USER MUST ALSO CONSIDER THE APPLICABILITY OF
ANY GOVERNMENTAL REGULATORY LIMITATIONS AND ESTABLISHED SAFETY AND HEALTH
PRACTICES BEFORE IMPLEMENTING THIS DOCUMENT.
THE USER OF THIS DOCUMENT SHOULD BE AWARE THAT THIS DOCUMENT MAY BE IMPACTED
BY ELECTRONIC SECURITY ISSUES. THE COMMITTEE HAS NOT YET ADDRESSED THE
POTENTIAL ISSUES IN THIS VERSION.
The following served as voting members of ISA84 and approved this technical report:
NAME                              COMPANY
W. Johnson, Chair                 E I du Pont
V. Maggioli, Managing Director    Feltronics Corp
R. Adamski                        RA Safety Consulting LLC
T. Ando                           Yokogawa Electric Co
R. Avali                          Westinghouse Electric Corp
L. Beckman                        Safeplex Systems Inc
J. Campbell                       ConocoPhillips
I. Chen                           Aramco
M. Coppler                        Ametek Inc
M. Corbo                          ExxonMobil
K. Dejmek                         Baker Engineering & Risk Consultants
P. Early                          Langdon Coffman Services
K. Gandhi                         KBR
J. Gilman                         JFG Technology Transfer LLC
W. Goble                          Exida
P. Gruhn                          ICS Triplex
B. Hampshire                      BP
J. Harris                         UOP A Honeywell Company
J. Jamison                        EnCana Corporation Ltd
R. Johnson                        Dow Process Automation
K. Klein                          Celanese Corp
T. Layer                          Emerson Process Management
E. Marszal                        Kenexis Consulting Corp
N. McLeod                         ARKEMA
R. Peterson                       Lyondell Chemical Company
G. Ramachandran                   Shell Global Solutions US
M. Scott                          AE Solutions
D. Sniezek                        Lockheed Martin Federal Services
C. Sossman                        CLS Tech-Reg Consultants
R. Strube                         Strube Industries
A. Summers                        SIS-TECH Solutions LP
L. Suttinger                      Savannah River Nuclear Solutions
R. Taubert                        Consultant
H. Thomas                         Air Products & Chemicals Inc
T. Walczak                        Conversions Inc
M. Weber                          System Safety Inc
A. Woltman                        Shell Global Solutions
P. Wright                         BHP Engineering & Construction Inc
D. Zetterberg                     Chevron Energy Technology Company


The following served as members of the ISA Standards and Practices board and approved this technical
report:
NAME                              COMPANY
J. Tatera, VP                     Tatera & Associates Inc.
D. Dunn, VP Elect                 Aramco Services Co
P. Brett                          Honeywell, Inc
M. Coppler                        Ametek, Inc
E. Cosman                         The Dow Chemical Co
B. Dumortier                      Schneider Electric
R. Dunn                           DuPont Engineering
J. Gilsinn                        NIST/MEL
E. Icayan                         ACES Inc
J. Jamison                        EnCana Corporation Ltd
D. Kaufman                        Honeywell International Inc
K. Lindner                        Endress+Hauser Process Solutions AG
V. Maggioli                       Feltronics Corp
T. McAvinew                       Jacobs Engineering
A. McCauley                       Chagrin Valley Controls Inc.
G. McFarland                      Emerson Process Mgmt Power & Water Sol
R. Reimer                         Rockwell Automation
N. Sands                          DuPont
H. Sasajima                       Yamatake Corp
T. Schnaare                       Rosemount Inc
I. Verhappen                      Industrial Automation Networks Inc.
R. Webb                           ICS Secure LLC
W. Weidman                        Consultant
J. Weiss                          Applied Control Solutions LLC
M. Widmeyer                       Kahler Engineering Inc.
M. Wilkins                        Yokogawa IA Global Marketing (USMK)
M. Zielinski                      Emerson Process Management


CONTENTS

1  Foreword ............................................................................................... 9
2  Introduction ........................................................................................... 10
3  Scope .................................................................................................. 10
4  References ............................................................................................. 11
5  Abbreviations and Acronyms ............................................................................. 12
6  Safety Lifecycle and Protection Concepts ............................................................... 13
7  Example of a Hazard and Risk Analysis Applied to a Single Burner Boiler ............................... 32
8  Example of a Hazard and Risk Analysis Applied to a Multi-Burner Process Heater ........................ 37
9  Example of a Hazard and Risk Analysis Applied to a Thermal Oxidizer ................................... 43
10 Example of a Hazard and Risk Analysis Applied to an Oil Heater Treater ................................ 47
11 Example of a Hazard and Risk Analysis Applied to a Glycol Reboiler .................................... 53
12 Example Hazard and Risk Analysis and Verification ..................................................... 59


1 Foreword

As a technical report, ISA-TR84.00.05 is provided for information purposes only and is not part of
ANSI/ISA-84.00.01-2004 (ref. 4.1).
ISA-TR84.00.05 is intended for reference in applications where it has been determined that ANSI/ISA-84.00.01-2004 applies.
Throughout this technical report, the term ANSI/ISA-84.00.01-2004 is used to refer to ANSI/ISA-84.00.01-2004 Parts 1-3 (IEC 61511 Modified).

ANSI/ISA-84.00.01-2004 provides minimum requirements for designing and managing safety
instrumented systems (SISs) based on functional and integrity requirements established during a hazard
and risk analysis. The specific methods used to conduct the hazard and risk analysis are outside the
scope of this technical report. Additional guidance is provided in ANSI/ISA-84.00.01-2004 Part 3 (ref. 4.1)
and in Guidelines for Hazard Evaluation Procedures (ref. 4.2).
The ISA84 committee determined that it was appropriate to provide supplemental information on the
application of hazard and risk analysis to Burner Management Systems (BMS). The purpose of ISA-TR84.00.05 is to provide users of ANSI/ISA-84.00.01-2004 with guidance on how to identify safety
functions within the BMS. Safety functions classified as Safety Instrumented Functions (SIFs) should be
designed and managed according to ANSI/ISA-84.00.01-2004, as well as other applicable practices. The
presented work processes and illustrations are not intended to replace, but instead to supplement, the
requirements of good engineering practices applicable to BMS, such as NFPA 85, NFPA 86, API 556,
ASME CSD-1, and API RP 14C (see Clause 4).
In jurisdictions where the governing authorities (e.g., national, federal, state, province, county, city) have
established process safety design, process safety management, or other requirements, these take
precedence over the guidance provided in this technical report.
NOTE The example BMS architectures represent possible system configurations and should not be
interpreted as recommendations. The configurations used in actual applications are specific to the
operating environment and process conditions where they are used. As such, no general
recommendations can be provided that are applicable in all situations. The user of this technical report
is cautioned to clearly understand the assumptions and data associated with the methodologies in this
document before attempting to utilize the methods presented herein.

The users of ISA-TR84.00.05 will include:

- Manufacturers of BMSs who are applying the requirements of ANSI/ISA-84.00.01-2004, in
  addition to other applicable good engineering practices.
- Hazard and Risk Analysis teams identifying and classifying the SIFs within a BMS.
- SIS designers who want an understanding of the safety requirements of BMS.

2 Introduction

In the process industries, many types of instrumented systems are used to maintain a process within
normal operating limits. When a process exceeds these limits, protective functions are used to reduce the
risk of identified hazardous events associated with safety, environmental, and business consequences.
Protective functions are often allocated to instrumented systems, which are designed and managed to
achieve or maintain a safe state when a process reaches a prescribed condition.
ANSI/ISA-84.00.01-2004 applies to safety instrumented systems (SISs), which are instrumented systems
implemented to prevent an event that results in major consequences and unacceptable lasting effects,
usually involving significant harm to humans, substantial damage to the environment, and/or loss of
community trust with possible loss of franchise to operate. As companies apply ANSI/ISA-84.00.01-2004
to the design of their process equipment, many want to consistently apply an identification and
classification process across a facility.


Fired equipment is found throughout the process industries in many applications, including various types
of heaters and boilers. The hazards associated with burner operation are managed by an instrumented
system commonly referred to as the burner management system (BMS). The BMS provides interlocks
and permissives to prevent misoperation of equipment and to safely handle faults caused by equipment
failure. These events potentially result in uncontrolled fires, explosions, or implosions and in the
unintended release of the materials being heated. This technical report refers to these functions as BMS
functions.
This technical report shows examples of BMS functions required by good engineering practices
applicable to BMS, such as NFPA 85 (ref. 4.4), NFPA 86 (ref. 4.5), API 556 (ref. 4.6), ASME CSD-1 (ref.
4.7), and API RP 14C (ref. 4.8). This technical report demonstrates how the work processes of Clauses 8
and 9 of ANSI/ISA-84.00.01-2004 can be applied to establish the functional and integrity requirements of
the functions within the BMS. BMS functions should be implemented according to applicable good
engineering practices, such as those previously referenced. ISA-TR84.00.05 illustrates how an
identification and classification work process can be used to identify SIFs within the BMS.

3 Scope

3.1 ISA-TR84.00.05 is strictly informative and does not contain any mandatory requirements.

3.2 ISA-TR84.00.05 is intended to be used by those with an understanding of the basic requirements
of ANSI/ISA-84.00.01-2004 and other good engineering practices applicable to BMS (references
4.4 to 4.8).

3.3 ISA-TR84.00.05 is intended to be used in conjunction with other good engineering practices. This
technical report is not intended to stand alone or be a replacement for BMS-specific practices.

3.4 This technical report is intended to:
a) Identify and classify SIFs within typical BMSs for typical operating modes of fired equipment (e.g.,
pre-firing, light-off, shutdown, and normal operation);
b) Provide examples of typical safety assessments for the following equipment with BMSs: boilers
(single burner), fired process heaters (multi-burner), thermal oxidizers, oil heater treaters and
glycol reboilers.


4 References

4.1 ANSI/ISA-84.00.01-2004 (IEC 61511 Mod), Functional Safety: Safety Instrumented Systems for the
Process Industry Sector, Parts 1, 2 & 3, ISA, 2004. www.isa.org/standards.

4.2 CCPS/AIChE, Guidelines for Hazard Evaluation Procedures, Second Edition with Worked
Examples, 1992.

4.3 ISA-TR84.00.02-2002, Safety Instrumented Systems (SIS) Safety Integrity Level (SIL) Evaluation
Techniques, ISA, www.isa.org/standards.

4.4 NFPA 85, Boiler and Combustion Systems Hazards Code, National Fire Protection Association,
2003.

4.5 NFPA 86, Standards for Ovens and Furnaces, National Fire Protection Association, 2004.

4.6 API RP 556, Instrumentation, Control and Protective Systems for Fired Heaters and Steam
Generators, 1997.

4.7 ASME CSD-1, Controls and Safety Devices for Automatically Fired Boilers, American Society of
Mechanical Engineers, 2006.

4.8 API RP 14C, Recommended Practice for Analysis, Design, Installation, and Testing of Basic
Surface Safety Systems for Offshore Production Platforms, 2001.


5 Abbreviations and Acronyms

1oo2 - One out of Two Voting
2oo2 - Two out of Two Voting
2oo3 - Two out of Three Voting
AIChE - American Institute of Chemical Engineers
ANSI - American National Standards Institute
API - American Petroleum Institute
API RP - American Petroleum Institute Recommended Practice
BMS - Burner Management System
BPCS - Basic Process Control System
CCPS - Center for Chemical Process Safety
E/E/PE - Electrical/Electronic/Programmable Electronic
HAZOP - Hazards and Operability Study
IEC - International Electrotechnical Commission
IPF - Instrumented Protective Function
IPL - Independent Protection Layer
ISA - International Society of Automation
LEL - Lower Explosion Limit
LOPA - Layers of Protection Analysis
MTTF - Mean Time to Failure
MTTFD - Mean Time to Failure Dangerous
MTTFS - Mean Time To Fail Safe
MTTR - Mean Time to Repair or Restore
NFPA - National Fire Protection Association
OSHA - U.S. Occupational Safety and Health Agency
P&ID - Piping and Instrumentation Diagram
PE - Programmable Electronic
PES - Programmable Electronic System
PFDavg - Probability of Failure on Demand Average
PHA - Process Hazards Analysis
PLC - Programmable Logic Controller
SIF - Safety Instrumented Functions
SIL - Safety Integrity Level
SIS - Safety Instrumented Systems


6 Safety Lifecycle and Protection Concepts

6.1 The Safety Lifecycle

6.1.1 Overview

Safety consequences can result from the misoperation of fired equipment during start-up, normal
operation, maintenance, and shutdown. A BMS is implemented to prevent misoperation and to safely
handle faults caused by equipment failure. Misoperation can be caused by equipment failure or improper
firing and can potentially result in uncontrolled fires, explosions, or implosions and in the unintended
release of the materials being heated. Consequently, the hazard and risk analysis for the fired equipment
often focuses on events that lead to hydrocarbon fuels being introduced into the equipment under
abnormal operating conditions.
The ANSI/ISA-84.00.01-2004 Safety Lifecycle addresses SISs used to prevent unacceptable hazardous
events, generally involving harm to people and/or damage to the environment. The lifecycle is supported
by a management system that focuses on reducing the potential for SIS failure through effective SIS
design and management. The Safety Lifecycle includes steps for:

- Identifying the hazardous events resulting in unacceptable consequences
- Identifying the safety functions that prevent hazardous events
- Establishing the performance criteria (e.g., the risk reduction) for these safety functions
- Allocating safety functions to systems designed and managed to achieve the performance criteria
- Documenting the functional and integrity requirements in a design specification
- Verifying that the design and management practices are sufficient to meet the performance
  requirements
- Documenting and implementing operation and maintenance procedures to support performance
  requirements
- Managing changes to the process equipment and its safety systems to ensure safe operation

Many types of fired equipment are subject to application-specific good engineering practices. The hazard
and risk analysis described in ANSI/ISA-84.00.01-2004 can be used to classify these already identified
BMS functions. The BMS design should meet the intent of any applicable good engineering practice,
regardless of the perceived risk. This technical report demonstrates how ANSI/ISA-84.00.01-2004
complements other good engineering practices, allowing the owner/operator to define the requirements
for each instrumented system consistent with methods used for other process equipment. ANSI/ISA-84.00.01-2004 work processes can also be used to determine whether planned BMS design and
management practices are sufficient to provide the required risk reduction for identified hazardous events.
This technical report addresses various aspects of the Safety Lifecycle and its application to BMS. While
this technical report provides examples of hazardous events, it does not illustrate all of the hazardous
events possible with the referenced equipment. Hazardous event identification can be accomplished
through a variety of methods ranging from checklists based on prior design and experience to formal,
structured techniques, such as Hazard and Operability Studies (HAZOP) and What If?/checklists. The
choice of method is not specific to BMS. More information on the hazard identification can be found in
Guidelines for Hazard Evaluation Procedures (Reference 4.2).

6.1.2 Safety Instrumented Functions

An SIS may implement one or more SIFs to address unacceptable hazardous events associated with
process equipment operation. The starting point for this technical report is a description of the
measurements and actions taken by various BMS functions required by applicable practices. The reader
is cautioned that identification of an individual SIF within an SIS may seem simple, but many errors are
common, such as:

- Not including all of the process measurements that can detect the hazardous condition
- Including actions that are not required to achieve or maintain a safe state
- Including measurements that do not detect the hazardous condition

The risk analysis is further complicated when multiple initiating causes can result in a hazardous event,
but not all initiating causes are detected by the same process measurement. In this case, multiple SIFs
may be defined, each of which provides risk reduction against a set or subset of the initiating events that
can cause the hazard. When selecting the risk reduction and the associated SIL for these SIFs, the
aggregation effect of the multiple SIFs protecting against the same hazardous event should be
considered. In many cases, the lack of independence between the SIFs necessitates the consideration of
the functions as a single function with diverse process measurements.
6.1.3 Safety Integrity Level

Various hazard and risk analysis techniques are discussed in Guidelines for Hazard Evaluation
Procedures (ref. 4.2). While all techniques follow the same general steps, there is much variability in the
detail and degree of resolution between different owner/operators that apply ANSI/ISA-84.00.01-2004.
This report does not endorse a specific methodology for performing risk analysis. The CCPS concept
book Layers of Protection Analysis: A Simplified Risk Assessment discusses a semi-quantitative risk
analysis technique, which uses order-of-magnitude bands to assess the event likelihood.
The risk analysis process can be summarized as:
1) Identify the hazardous event (e.g., the event that the SIF under consideration is preventing).
2) Estimate consequence severity of the hazardous event.
3) Estimate likelihood (or frequency) of the hazardous event, considering all credible initiating
causes.
4) Assess the process risk of the hazardous event as a function of its consequence severity and
likelihood (or frequency).
5) Compare process risk to the risk criteria to determine the risk reduction requirements.
6) Identify safety functions required to achieve the risk reduction requirements.
7) Assign an SIL to the SIF that meets the risk reduction requirements.


When a BMS function is classified as an SIS, the risk reduction allocated to the BMS function is related to
its SIL. The required risk reduction can be defined using qualitative, semi-quantitative or quantitative risk
analysis techniques. All techniques rely on process hazards analysis to identify hazardous events. The
primary difference between the techniques is the different degrees of rigor employed to estimate the
event likelihood (or frequency) and consequence severity.


ANSI/ISA-84.00.01-2004 defines four discrete levels of SIL. Each SIL is an order of magnitude range of
values associated with the probability that the SIS will perform its required function under all stated
conditions within a specified time period. The risk reduction factor is defined in Table 6.1 as 1/PFDavg.

Table 6.1 SIL Categories

Safety Integrity Level (SIL)   Average Probability of Failure on Demand (PFDavg)   Risk Reduction Factor
4                              10^-4 to 10^-5                                      10,000 to 100,000
3                              10^-3 to 10^-4                                      1,000 to 10,000
2                              10^-2 to 10^-3                                      100 to 1,000
1                              10^-1 to 10^-2                                      10 to 100

Step 1. Identify Hazardous Event
Identifying the hazardous event is a critical step in the risk analysis process. Errors in this step may result
in an SIF design basis that does not adequately address the process risk. Hazardous events should be
identified using a process hazards analysis as discussed previously. This technical report provides
examples of the application of the risk analysis process to identified hazardous events. The reader is
cautioned that these examples are not comprehensive and should not be considered a substitute for
performing an analysis on similar fired equipment.
Step 2. Estimate Consequence Severity
The consequence severity is typically estimated qualitatively. While consequence models employing
explosion, fire, and population density calculations are possible, they are rarely used for BMS
assessments. While risk analysis techniques are often focused on an evaluation of safety impacts, many
owner/operators consider environmental and business impacts.
Step 3. Estimate Likelihood (or frequency)
Likelihood (or frequency) is estimated qualitatively, semi-quantitatively, or quantitatively. Many
owner/operators use order-of-magnitude estimates for the event likelihood, e.g., once per year, once in
10 years, etc. The likelihood should be assessed without considering the presence of any protection
layers, e.g., instrumented systems and pressure relief devices. This yields the unmitigated likelihood of
the hazardous event.
Step 4. Assess Process Risk
The process risk is a function of the estimated consequence severity (step 2) and unmitigated likelihood
(Step 3) of the identified hazardous event.

Many owner/operators represent their risk criteria as a risk matrix where event likelihood and
consequence severity are the two axes. The required risk reduction is provided as a function of the event
likelihood and consequence severity. The process risk is used to determine the required risk reduction for
the specific consequence-likelihood pair.
Some owner/operators use quantitative risk metrics, such as the individual risk of fatality or the risk to the
maximum-exposed individual (or societal risk criteria). In these cases, a numerical estimation of the
frequency of the hazardous event is compared to the risk criteria relevant for the specified consequence
severity.

Step 5. Compare Process Risk Against Risk Criteria
When the process risk exceeds the risk criteria, safety functions are identified that reduce the process risk
to the risk criteria.
Step 6. Identify safety functions required to achieve the risk reduction requirements.
Safety functions are implemented to achieve or maintain a safe state in response to a specified
hazardous event. The safety functions are allocated risk reduction as required to reduce the residual risk
below the risk criteria. Finally, the safety functions are allocated to protection layers that are designed and
managed to achieve the required functionality and risk reduction.
Step 7. Assign an SIL to the SIF that achieves the risk reduction requirements.
Those safety functions allocated to the SIS layer are SIFs. The risk reduction allocated to an SIF is
related to its SIL as shown in Table 6.1.
6.2 Safety Integrity Level Verification
The Safety Lifecycle, as defined in ANSI/ISA-84.00.01-2004, requires the verification of the SIL of each
SIF using quantitative analysis of the average probability of failure on demand. This calculation should
consider the failure characteristics of each SIF device, the SIF architecture, and the SIF proof test
interval. These calculations can be performed using the techniques described in ISA-TR84.00.02, Safety
Instrumented Systems (SIS) Safety Integrity Level (SIL) Evaluation Techniques. Examples of the
evaluation of a BMS function are presented in clause 12 of this technical report.
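The risk analysis steps above and the SIL verification of this clause, carried through in code as an added example (this is not part of the technical report and does not reproduce its Table 6.1): the risk matrix, its required risk reduction values, the device failure rates and the proof test intervals are constructed sample values; the SIL bands are the low-demand PFDavg bands of ANSI/ISA-84.00.01, and the PFDavg equations are the simplified 1oo1 and 1oo2 forms rather than the full ISA-TR84.00.02 treatment.

```python
"""
Added example, not from ISA-TR84.00.05: carries one hazardous event through
Steps 4-7 (risk matrix -> required risk reduction -> target SIL) and then the
SIL verification of clause 6.2 for two candidate SIF designs.

Everything numeric here is constructed for illustration:
  * the risk matrix and its required risk reduction factors (RRF) are sample
    values, not the report's Table 6.1 and not any owner/operator's criteria;
  * the SIL bands are the low-demand PFDavg bands of ANSI/ISA-84.00.01 / IEC
    61508 (SIL 1: 1E-2 <= PFDavg < 1E-1, SIL 2: 1E-3 .. 1E-2, SIL 3: 1E-4 .. 1E-3);
  * PFDavg uses the simplified equations for 1oo1 (lambda_DU * TI / 2) and
    1oo2 ((lambda_DU * TI)^2 / 3) architectures, ignoring common cause,
    diagnostics and repair time; ISA-TR84.00.02 covers the full treatment.
"""
from dataclasses import dataclass

# Required risk reduction factor, indexed [unmitigated likelihood][severity].
# A value of 1 means the unmitigated risk already meets the criteria.
RISK_MATRIX = {
    "1 per 1000 y": {"minor": 1,   "serious": 1,    "severe": 10,    "catastrophic": 100},
    "1 per 100 y":  {"minor": 1,   "serious": 10,   "severe": 100,   "catastrophic": 1000},
    "1 per 10 y":   {"minor": 10,  "serious": 100,  "severe": 1000,  "catastrophic": 10000},
    "1 per 1 y":    {"minor": 100, "serious": 1000, "severe": 10000, "catastrophic": 100000},
}


def required_rrf(likelihood: str, severity: str) -> int:
    """Steps 4-5: the risk reduction the matrix demands for this consequence-likelihood pair."""
    return RISK_MATRIX[likelihood][severity]


def sil_for_pfd(pfd: float) -> int:
    """Map a PFDavg to its SIL band; 0 means below SIL 1, 4 means beyond SIL 3."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def target_sil(rrf: float) -> int:
    """Step 7: the SIL whose band contains the allocated risk reduction (PFDavg = 1/RRF)."""
    return sil_for_pfd(1.0 / rrf) if rrf > 1 else 0


@dataclass(frozen=True)
class Device:
    name: str
    lambda_du: float      # dangerous undetected failure rate, per hour (constructed)
    ti_hours: float       # proof test interval, hours
    arch: str = "1oo1"    # "1oo1" or "1oo2"


def device_pfd(d: Device) -> float:
    """Simplified PFDavg of one SIF element."""
    x = d.lambda_du * d.ti_hours
    if d.arch == "1oo1":
        return x / 2
    if d.arch == "1oo2":
        return x * x / 3
    raise ValueError(f"unsupported architecture {d.arch}")


def sif_pfd(devices) -> float:
    """PFDavg of the whole SIF: sensor, logic solver and final element in series."""
    return sum(device_pfd(d) for d in devices)


def verify(devices, rrf: float) -> dict:
    """Clause 6.2 check: the design must reach the target SIL band AND the allocated RRF."""
    pfd = sif_pfd(devices)
    achieved = sil_for_pfd(pfd)
    return {
        "pfd": pfd,
        "achieved_rrf": 1.0 / pfd,
        "achieved_sil": achieved,
        "target_sil": target_sil(rrf),
        "meets": achieved >= target_sil(rrf) and pfd <= 1.0 / rrf,
    }


# Constructed SIF: purge air flow proven -> logic solver -> fuel gas shutoff valve.
DESIGN_A = (
    Device("purge air flow switch", 2e-6, 8760),
    Device("logic solver", 1e-7, 8760),
    Device("fuel gas shutoff valve", 5e-6, 8760),
)
# Same SIF with redundant flow sensing and a quarterly proof test of the valve.
DESIGN_B = (
    Device("purge air flow switches", 2e-6, 8760, "1oo2"),
    Device("logic solver", 1e-7, 8760),
    Device("fuel gas shutoff valve", 5e-6, 2190),
)

if __name__ == "__main__":
    rrf = required_rrf("1 per 100 y", "severe")
    for label, design in (("A", DESIGN_A), ("B", DESIGN_B)):
        r = verify(design, rrf)
        print(f"design {label}: PFDavg={r['pfd']:.4f} RRF={r['achieved_rrf']:.0f} "
              f"SIL {r['achieved_sil']} (target SIL {r['target_sil']}, RRF {rrf}) -> "
              f"{'meets' if r['meets'] else 'does not meet'}")
```

Design A lands in the SIL 1 band, which is the target SIL for an allocated RRF of 100, yet it does not meet the requirement because its PFDavg only gives an RRF of about 32; the verification has to check the allocated risk reduction, not just the SIL band. Design B shows where the gain comes from: the 1oo1 valve dominated the PFDavg, so shortening its proof test interval helps more than adding a second sensor.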
6.3 Operating Modes, Undesirable Events and SIF
The various operating modes of the fired equipment should be considered during the analysis. Each
operating mode may require specific protective layers. The operating modes, undesirable events and
safety functions discussed in this section are based on a review of the existing BMS good engineering
practices. Again, the reader is cautioned that these examples should not be considered a substitute for an
analysis of a specific piece of fired equipment. There may be situations or complexities that pose process
hazards with unacceptable consequences that are not discussed in this technical report, e.g., fuel-rich
conditions due to the use of staged low-NOx burners or flue gas recirculation. It is the responsibility of the
owner/operator to identify hazardous events pertaining to fired equipment operation.
NOTE: This section covers a variety of fired equipment including boilers, process heaters, thermal oxidizers, and ovens. The
undesirable events and SIFs covered below may not be applicable to all types of fired equipment. End users need to
identify which are applicable to their specific applications and corporate/local requirements.

6.3.1 Pre-firing cycle
The pre-firing cycle prepares the fired equipment for the introduction of fuel and light-off of the burners.
The pre-firing cycle includes prevention of fuel entering the firing chamber and purging of the chamber to
remove any residual hydrocarbon that may be present.
6.3.1.1 Excess Combustibles in the Firing Chamber
Misoperation of the fired equipment can result in an excessive amount of unburned fuel being introduced
to the firing chamber. If this fuel mixes with air in a flammable proportion and finds a source of ignition, it
may ignite. Ignition of a flammable mixture in the firing chamber may result in a fire that may propagate
into an explosion (deflagration) that could damage equipment and injure personnel in the area of the
explosion.

6.3.1.1.1 Fuel Valves Improperly Aligned (Permissive)
To ensure a sufficiently fuel-free environment in the firing chamber, it is necessary to verify that the valves
are lined up such that fuel is not being introduced to the firing chamber. If the fuel valves were improperly
aligned, fuel is introduced into the firing chamber during the purge period, making the purge ineffective. A
successful purge requires that the valves remain in the closed position during the purge and an adequate
purge rate be sustained for a specified period of time.
The hazardous condition is detected by monitoring position switches on the fuel valves. If the valves are
determined to be in the wrong position, the startup sequence is stopped and fuel introduction is
prevented. While this functionality is considered good engineering practice, it is rarely considered an SIF.
Failure of the fuel valves to reach the closed position when required should be detected and annunciated,
because a valve failure could allow a hazardous condition to continue to exist after shutdown or during
later re-start activities.
6.3.1.1.2 Accumulation of Flammable Materials and Failure to Purge (Permissive)
Prior to ignition, any accumulation of unburned hydrocarbons needs to be removed to ensure that
introduction of an ignition source(s) will not cause an undesired fire or explosion of the accumulated fuel.
To prevent this consequence, the heater firebox is purged by operating the air fans for a pre-determined
period of time.
The air flow measurement device varies from application to application, but is typically some combination
of one or more of the following: (1) differential pressure measurement across the fan, (2) pressure
measurement at the outlet of the fan, (3) flow measurement device (such as a pitot tube), or (4) fan motor
running indication using motor contacts / speed probes and pressure indication. Each of these
measurement types has benefits and limitations, and decisions regarding the measurement type should
consider the specific application under consideration. In general, more direct measurement, such as
actual flow rate, is superior to indirect means of measurement, such as motor running contacts, as there
are a number of failure modes that may result in the indirect measurement giving a false positive
indication of flow. For instance, if a fan shaft decoupled from its motor, the motor running contact
indicates that the motor is running, but air is not actually flowing. Alternatively, motor amps could be used
to indicate that the fan motor is running and has a load. The benefits and limitations of the various
measurement devices are considered during the SIL verification, where the probability of failure on
demand is calculated. Inferior measurements will result in higher probabilities of failure on demand and
thus lower achieved SIL levels.
The timer functionality will either be supplied by a time delay relay or in the programming of a
programmable electronic system. The appropriate timer settings for purging are established in the BMS
practices (refer to clause 4 for a listing).
Measuring a proper purge is straightforward in a forced, induced, or balanced draft heater. Ensuring a
proper purge in a natural draft heater is less direct, but still important. There are a number of methods
that are commonly used in the process industries.
1) Use an external purge medium, such as steam, plant air, or instrument air, for a predefined period
of time. If this method is chosen, either the flow of the medium is measured and used as an input
to the permissive function, or the medium is confirmed to be flowing by inspection (audible and/or
visual evidence) and only the timer is used in the automatic function.
2) Allow the natural draft occurring through the heater to purge the firebox. If this method is
chosen, some feedback, via limit switches, can be used to confirm the existence of flow in
combination with the purge timer.

NOTE: If no positive automatic means is used to ensure the firebox has been purged prior to light-off, manual testing
of the concentration of combustibles in the firebox, via combustible gas detectors, should be considered.

The risk posed by failure to purge a heater firebox is significant and has resulted in a number of fired
equipment accidents. While not always classified as an SIF, depending on hazards associated with
burner light-off, this functionality is often considered safety-related and is reviewed for risk reduction
requirements.
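The purge permissive described in 6.3.1.1.1 and 6.3.1.1.2, as an added example that is not part of this technical report: the fuel valves must be proven closed by their position switches for the whole purge, and the purge air flow must be sustained above the minimum rate for the full purge time. The 5 s scan, 300 s purge time, 70 % minimum flow, the scan traces and the choice to restart the timer from zero after any interruption are all constructed assumptions; real settings come from the BMS practices listed in clause 4.

```python
"""
Added example, not from ISA-TR84.00.05: a purge permissive for a forced-draft
heater evaluated over scan samples. Both conditions (fuel valves proven closed,
purge air flow above minimum) must hold continuously for the purge time; a loss
of either resets the timer (assumption: restart from zero rather than pause).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Sample:
    t: float                 # seconds since purge was requested
    valves_closed: tuple     # one position-switch state per fuel valve, True = proven closed
    air_flow_pct: float      # purge air flow, percent of the design purge rate


@dataclass
class PurgePermissive:
    required_seconds: float
    min_flow_pct: float
    elapsed: float = 0.0
    counting: bool = False               # True while both conditions held at the previous sample
    last_t: Optional[float] = None
    satisfied_at: Optional[float] = None
    events: list = field(default_factory=list)

    def update(self, s: Sample) -> bool:
        """Feed one scan; returns True once the purge has been proven."""
        if self.satisfied_at is not None:    # latched for this start attempt (assumption)
            return True
        dt = 0.0 if self.last_t is None else s.t - self.last_t
        self.last_t = s.t
        fault = None
        if not all(s.valves_closed):
            fault = "fuel valve not proven closed"
        elif s.air_flow_pct < self.min_flow_pct:
            fault = f"air flow {s.air_flow_pct:.0f}% below {self.min_flow_pct:.0f}% minimum"
        if fault:
            if self.counting:                # log once per interruption, not every scan
                self.events.append((s.t, f"purge timer reset: {fault}"))
            self.elapsed, self.counting = 0.0, False
            return False
        if self.counting:                    # only time between two good scans counts
            self.elapsed += dt
        self.counting = True
        if self.elapsed >= self.required_seconds:
            self.satisfied_at = s.t
            self.events.append((s.t, "purge complete: light-off permitted"))
            return True
        return False


def run_purge(samples, required_seconds=300.0, min_flow_pct=70.0):
    """Feed samples in order; returns (time the purge was proven or None, event log)."""
    p = PurgePermissive(required_seconds, min_flow_pct)
    for s in samples:
        if p.update(s):
            break
    return p.satisfied_at, p.events


def constructed_samples(flow_dip=None, valve_open_at=None, n_valves=2, scan=5.0, end=500.0):
    """Constructed scan trace: flow 80 % except 50 % during flow_dip=(start, stop);
    one valve's position switch reads 'not closed' at valve_open_at."""
    out, t = [], 0.0
    while t < end:
        flow = 50.0 if flow_dip and flow_dip[0] <= t < flow_dip[1] else 80.0
        valves = [True] * n_valves
        if valve_open_at is not None and t == valve_open_at:
            valves[0] = False
        out.append(Sample(t, tuple(valves), flow))
        t += scan
    return out


if __name__ == "__main__":
    for label, samples in (("clean purge", constructed_samples()),
                           ("fan dip at 100 s", constructed_samples(flow_dip=(100, 110))),
                           ("valve switch opens at 200 s", constructed_samples(valve_open_at=200))):
        proven_at, events = run_purge(samples)
        print(label, "-> proven at", proven_at, events)
```

The second trace shows why the timer has to be tied to sustained flow rather than to elapsed time alone: a ten-second fan dip at 100 s pushes the proof of purge out to 410 s, and a position switch that reports a fuel valve open at 200 s leaves the purge unproven within the 500 s window, so light-off is never permitted.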
6.3.1.2 Proceeding to the Light-Off cycle when the permissives are not satisfied
6.3.1.2.1 Flame Detector Indicating Premature Presence of Flame (Permissive)
To ensure a fuel-free firing chamber prior to introduction of fuel gas and ignition, all sources of fuel must
be stopped. If a flame were present at the burner prior to a planned light-off sequence, it would indicate
that fuel is being introduced to the heater and is being burned at the burner tip. While this scenario is not
likely to occur, if it did, it would result in an ineffective purge that might result in accumulated unburned
fuel in the firing chamber prior to light-off. This fuel might then be ignited, causing a fire or explosion.
In this case, the flame detectors at the burners detect the hazardous condition. If a flame is detected, the
startup sequence is stopped and introduction of fuel and ignition is prevented.
While this functionality is considered good engineering practice, it is rarely classified as an SIF as it is
considered sufficiently unlikely. Premature presence of a flame either indicates failure of the flame
detector in a dangerous state or that fuel is being introduced to the heater and combustion is occurring
without the knowledge or direction of operations staff. This could also indicate the presence of an oil pool
fire or leaking fuel valves that fail to fully extinguish the burner flames. It is very unlikely that, after a
successful shutdown, fuel could be re-introduced to the heater and ignite at the burner without the
direct involvement of operations staff. As a result, this functionality is typically treated as a diagnostic of
the proper operation of the flame detectors rather than an indication that a hazardous condition exists.
6.3.1.2.2 Low Fuel Gas Pressure (Permissive)
After purging, but before light-off, a heater's fuel systems (typically at the header upstream of the control
valve) are checked to ensure that they are prepared for introduction of fuel into the purged heater. This
preparation includes verification that the fuel gas pressure is sufficiently high to support combustion. If
fuel gas pressure were not high enough to support combustion it is possible that fuel gas could be
introduced to the firebox that would not be ignited at the burner. This fuel gas could then subsequently
accumulate in the firebox, find a source of ignition and cause an undesired fire or explosion.
Measuring the pressure of fuel gas in the main header detects the hazardous condition. If a hazardous
condition is detected, the startup sequence is stopped and introduction of more fuel and ignition is
prevented.
While this functionality is considered good engineering practice, it is rarely classified as an SIF. While
there are safety consequences that might result from low pressure conditions in the fuel gas header prior
to light-off, the hazards posed by this scenario are more directly detected by the Igniter Flame Not Proven
and Main Flame Not Proven functions described in clauses 6.3.2.1.1 and 6.3.2.1.2. As a result, these
pre-light-off functions are typically considered more of an operational convenience than an SIF.
6.3.1.2.3 High Fuel Gas Pressure (Permissive)
After purging, but before light-off, a heater's fuel systems are typically checked to ensure that they are
prepared for introduction of fuel into the purged heater. This preparation includes verification that the fuel
gas pressure is sufficiently low so that the velocity of the fuel gas leaving the burner tips is not so high
that it will prevent ignition from occurring. If fuel gas pressure were too high to allow combustion, it is
possible that fuel gas could be introduced to the firebox that would not be ignited at the burner. This fuel
gas could then subsequently accumulate in the firebox, find a source of ignition and cause an undesired
fire or explosion.
Measuring the pressure of fuel gas in the main header detects the hazardous condition. If a hazardous
condition is detected, the startup sequence is stopped and introduction of more fuel and ignition is
prevented.
While this functionality is considered good engineering practice, it is rarely classified as an SIF. While
there are safety consequences that might result from high pressure conditions in the fuel gas header prior
to light-off, the hazards posed by this scenario are more directly detected by the Igniter Flame Not Proven
and Main Flame Not Proven functions described in clauses 6.3.2.1.1 and 6.3.2.1.2. As a result, these
functions are typically considered to be more of an operational convenience than an SIF.
However, each situation must be analyzed individually. For example, there could be a situation where
light-off is a manual operation. In this situation, the operator may be exposed to a flash fire.
6.3.1.2.4 Valves Not in Minimum Firing Position (Permissive)
To successfully light the heater, the fuel and air valves should be in their proper firing positions
(sometimes referred to as minimum firing positions). If the valves are not in a position where they will
generate a fuel/air mixture appropriate for combustion, ignition might not occur upon introduction of fuel.
The un-ignited fuel gas could then subsequently accumulate in the firebox, find a source of ignition and
cause an undesired fire or explosion.
In this case, the limit switches at the valves detect the hazardous condition. In some heater
configurations, special-purpose valves are used that have specified positions with associated limit
switches for minimum firing. In other applications minimum firing is set by use of a pressure regulator that
bypasses the fuel control valve. In this case, the minimum firing is proven by ensuring the fuel control
valve is confirmed closed and all fuel is entering the system through the bypass regulator. If the valves
are not proven to be in the correct position, the startup sequence is stopped and introduction of fuel and
ignition is prevented.
While this functionality is considered good engineering practice, it is rarely classified as an SIF. While
there are safety consequences that might result from valve misalignment in the fuel/air system prior to
light-off, the hazards posed by this scenario are more directly detected by the Igniter Flame Not Proven
and Main Flame Not Proven functions described in clauses 6.3.2.1.1 and 6.3.2.1.2. As a result, these
functions are typically considered to be more of an operational convenience than an SIF.
6.3.1.2.5 Burner Header Fuel Gas Does Not Hold Pressure (Permissive)
Prior to lighting a multiple burner fired heater, all of the block valves for the main gas at the individual
burners must be closed. If one or more of the individual block valves are left in the open position, then
when fuel gas is allowed into the main gas header, gas will be allowed to flow out into one or more
burners whose pilots are not lit. The un-ignited fuel gas could then subsequently accumulate in the
firebox, find a source of ignition and cause an undesired fire or explosion.
In this case, a hazardous condition is detected by a pressure measurement in the main gas header after
the pressure control valve but before the split to the individual burners. Prior to lighting, the main fuel gas
header will have its pressure increased to a normal operational level either by temporarily opening the
main fuel gas block valves or by introducing nitrogen from a separate source. If all of the individual block
valves are closed, then the pressure in the header will increase above the permissive point and the startup
process is allowed to proceed. If the pressure set point is not achieved after a suitable period of time,
the startup sequence is stopped and the valves introducing gas into the header (i.e., either the main fuel
gas shutoff valves or the nitrogen addition valve) are closed. It is important to note that if this permissive
is satisfied when nitrogen is used to pressurize the header, then time should be allowed during the
lighting process to allow the nitrogen that is contained in the header to be purged out, allowing the fuel
gas to arrive at the burner.
This functionality is considered good engineering practice and is especially beneficial in multiple burner
fired equipment. This permissive will reveal failures that could result in a significant safety consequence.
As a result, this function is typically analyzed for risk reduction requirements.
6.3.1.2.6 Steam Drum Level Not Established or Failure of Drum Level Measurement (Permissive)
To ensure safe operation of the steam drum after the boiler is fired, the level of the steam drum shall be
measured and the level of water in the steam drum should be established at the desired range before
light-off of the burners. A high level may result in water carryover to downstream equipment, such as a
steam turbine, possibly causing damage. A low level may result in dry boiler tubes that reach their
design temperature limit, leading to tube rupture and injury of personnel.
To proceed with burner light-off, appropriate steam drum level should be proven.
6.3.2 Light-off Cycle
The objective of the light-off cycle is to safely introduce fuel to the burner and ignite it. After ignition is
attempted, existence of a stable flame is proven prior to moving to the normal operation mode. If a proven
stable flame is not achieved in this phase, the light-off sequence will be stopped and the fired equipment
will return to the pre-firing sequence.
6.3.2.1 Excess Combustibles in the Firing Chamber
Misoperation of the fired equipment can result in an excessive amount of unburned fuel being introduced
to the firing chamber. If this fuel mixes with air in a flammable proportion and finds a source of ignition it
may ignite. Ignition of a flammable mixture in the firing chamber will result in a fire that may propagate into
an explosion (deflagration) that could damage equipment and injure personnel in the area of the
explosion.
6.3.2.1.1 Igniter Flame Not Proven Within a Specified Time (Trip)
If igniter flame ignition does not occur, continued introduction of fuel gas into the firing chamber could
result in accumulation of a flammable mixture. Failure to ignite could occur for a number of reasons,
including: ignition transformer failure, ignition valve failure, plugged pilot nozzle, pilot gas contamination,
improper fuel air ratio, etc. The accumulated mixture can result in a fire or explosion if a source of ignition
in the firing chamber or vent stack is encountered.
In this case, detection of igniter flame is performed using a flame detector at the burner in combination
with a time delay device. The timer functionality will either be supplied by a time delay relay or in the
programming of a programmable electronic system. If no flame is detected within a set time period, the
valve supplying fuel gas to the igniter is closed.
The risk posed by failure of the time delay device could be significant if the fuel fails to ignite.
While not always identified as an SIF, this functionality is typically deemed safety-related and should be
reviewed for risk reduction requirements.
6.3.2.1.2 Main Flame Not Proven Within a Specified Time (Trip)
If main flame ignition does not occur then continued introduction of fuel gas into the firing chamber could
result in accumulation of a flammable mixture, since the fuel is not being consumed. This accumulated
mixture can result in a fire or explosion if a source of ignition in the firing chamber or vent stack is
encountered.

In this case, detection of main flame is performed using a flame detector at the burner in combination with
a time delay device. The timer functionality will either be supplied by a time delay relay or in the
programming of a programmable electronic system. If no flame is detected within a set time period, the
valve supplying fuel gas to the main burner is closed.
The risk posed by failure of the time delay device could be significant if the fuel fails to ignite.
While not always identified as an SIF, this functionality is typically deemed safety-related and should be
reviewed for risk reduction requirements.
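The trial-for-ignition logic behind the igniter and main flame trips of 6.3.2.1.1 and 6.3.2.1.2, as an added example that is not part of this technical report: the fuel valve opens when the trial starts, and if the flame detector has not proven flame before the timer expires the valve is closed and the sequence returns to pre-firing. The 1 s scan, the 10 s and 15 s trial times, the rule that flame counts as proven after three consecutive detector scans (a debounce the report does not specify) and the detector traces are constructed assumptions; real trial times come from the BMS practices in clause 4.

```python
"""
Added example, not from ISA-TR84.00.05: trial-for-ignition timers for the
igniter and main flame, then the light-off cycle that runs them in order.
All timing values and detector traces below are constructed.
"""
from enum import Enum


class Outcome(Enum):
    PROVEN = "flame proven"
    TRIP = "flame not proven in time: fuel valve closed"


def prove_flame(detector_trace, trial_seconds, scan_seconds=1.0, proving_scans=3):
    """detector_trace: one bool per scan, starting when the fuel valve opens.
    Returns (Outcome, seconds the fuel valve stayed open)."""
    consecutive = 0
    for i, flame in enumerate(detector_trace):
        t = (i + 1) * scan_seconds
        if t > trial_seconds:            # timer expired without proof: close the valve
            return Outcome.TRIP, trial_seconds
        consecutive = consecutive + 1 if flame else 0
        if consecutive >= proving_scans:
            return Outcome.PROVEN, t
    # Trace ended before proof: treat as no flame, valve closes when the timer expires.
    return Outcome.TRIP, trial_seconds


def light_off(igniter_trace, main_trace, igniter_trial=10.0, main_trial=15.0):
    """Run the light-off cycle: prove the igniter first, then the main flame.
    Returns (next operating mode, per-stage log)."""
    log = []
    outcome, open_s = prove_flame(igniter_trace, igniter_trial)
    log.append(("igniter", outcome, open_s))
    if outcome is Outcome.TRIP:
        return "pre-firing (re-purge before retry)", log
    outcome, open_s = prove_flame(main_trace, main_trial)
    log.append(("main", outcome, open_s))
    if outcome is Outcome.TRIP:
        return "pre-firing (re-purge before retry)", log
    return "normal operation", log


# Constructed detector traces (True = flame seen on that scan).
IGNITER_OK = [False] * 4 + [True] * 10          # stable flame from the 5th scan
MAIN_OK = [False] * 2 + [True] * 15
IGNITER_FLICKER = [True, True, False] * 5       # never 3 consecutive scans: not proven
NO_FLAME = [False] * 20                         # e.g. plugged pilot nozzle

if __name__ == "__main__":
    for label, ign, main in (("good light-off", IGNITER_OK, MAIN_OK),
                             ("flickering igniter", IGNITER_FLICKER, MAIN_OK),
                             ("main burner fails", IGNITER_OK, NO_FLAME)):
        mode, log = light_off(ign, main)
        print(f"{label}: -> {mode}; {log}")
```

The flickering trace illustrates the failure mode the timer protects against: the detector sees flame intermittently, so the fuel valve stays open for the full trial and is then closed rather than allowing fuel to keep entering the firebox. The main-burner case shows that a failed main trial sends the sequence back to pre-firing (and a repurge) instead of retrying with the chamber already charged with fuel.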
6.3.3 Normal Operation
The normal operation phase of fired equipment occurs when a stable, proven flame is used for process
heating purposes. In this phase, the conditions that ensure stable operation of the flame are monitored to
detect any deviations that might compromise the flame. If such deviations are detected, various degrees
of action may be taken to bring the process to a safe state.
6.3.3.1 Excess Combustibles in the Firing Chamber
Misoperation of the fired equipment can result in an excessive amount of unburned fuel being introduced
to the firing chamber. If this fuel mixes with air in a flammable proportion and finds a source of ignition it
may ignite. Ignition of a flammable mixture in the firing chamber will result in a fire that may propagate into
an explosion (deflagration) that could damage equipment and injure any personnel in the area of the
explosion.
6.3.3.1.1 High Fuel Gas Pressure (Trip)
High fuel gas pressure can result in loss of flame and introduction of fuel gas into the firing chamber
without a flame available to ensure that ignition will occur at the burner. High fuel gas pressure typically
occurs as the result of failure of pressure control. This failure results in an uncontrolled high pressure at
the burner. If the pressure is sufficiently high, the rate of flow through the burner will be so great that the
flame will be lifted off the burner and extinguished. After the flame is extinguished, a high rate of
unburned fuel gas will continue into the firebox unless the fuel gas flow is stopped.
In this case, the hazardous condition can be detected either by the high fuel gas pressure that precedes
the actual loss of flame or by the flame detector detecting that the flame has been extinguished. If both of
these measurements are available to detect the hazardous condition, the measurements can be voted
1oo2, since either sensor can detect the hazardous condition. Detection of this condition will result in a
Master Fuel Trip or Individual Burner Valve Trip depending upon system configuration.
The risk posed by high fuel gas pressure leading to complete loss of flame and/or incomplete combustion
leading to secondary ignition can be significant. Continuous pilots may not be considered a layer of
protection in all applications. It is possible that there could be a fuel rich (or air starved) condition that
would not permit complete combustion resulting in a hazard, if air is re-introduced or the fuel rich mixture
reaches an oxygen source (near top of stack).
6.3.3.1.2 Low Fuel Gas Pressure (Trip)
Low fuel gas pressure can result in loss of flame and subsequent re-introduction of fuel gas into the firing
chamber without a flame available to ensure that ignition will occur at the burner. Low fuel gas pressure
typically occurs as the result of loss of fuel gas supply from the external source of fuel or failure of the fuel
gas control system. This failure will result in a fuel pressure at the burner tip that is not sufficient to
support combustion. This may result in loss of flame with continued addition of fuel gas.
In this case, the hazardous condition can be detected either by the low fuel gas pressure that precedes
the actual loss of flame, or by a flame detector detecting that the flame has been extinguished. If both of
these measurements are available to detect the hazardous condition, the measurements can be voted
1oo2, since either sensor alone can detect the hazardous condition. Detection of this condition will result
in a Master Fuel Trip or Individual Burner Valve Trip depending upon system configuration.
The risk posed by loss of flame resulting from low fuel gas pressure can be significant depending on the
fuel gas system design. This function is typically reviewed to determine risk reduction requirements,
where the design of the fuel gas system is such that loss of flame resulting from low fuel gas pressure is a
credible scenario. During the hazard and risk analysis, credit may be taken for use of a continuously
operating pilot burner system sourced from a fuel supply, which is independent of the main burner
system. Care should be taken when using continuous pilots to prevent the main flame detector from
"seeing" the continuous pilots rather than the main flame resulting in failure to identify the hazardous
scenario of the loss of main flame with fuel still entering the furnace.
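The 1oo2 voting described for the high and low fuel gas pressure trips, as an added example that is not part of this technical report: the pressure measurement and the flame detector each cast a vote, and either vote alone calls the trip. The trip set points, the engineering units and the scan traces are constructed; a real system takes them from the hazard analysis and the BMS practices. The third scenario goes a little beyond the two trips above and shows a fuel contamination loss of flame, which only the flame detector can catch.

```python
"""
Added example, not from ISA-TR84.00.05: evaluation of the normal-operation
fuel gas pressure trips with the pressure sensor and flame detector voted 1oo2.
Set points, units and scan data are constructed.
"""
from dataclasses import dataclass
from typing import Optional

HIGH_TRIP_KPA = 250.0     # constructed set point
LOW_TRIP_KPA = 80.0       # constructed set point


@dataclass(frozen=True)
class Scan:
    t: float
    fuel_gas_kpa: float   # main fuel gas header pressure
    flame: bool           # main flame detector, True = flame proven


def sensor_votes(s: Scan) -> dict:
    """One vote per sensor; a 1oo2 trip fires when any vote is True."""
    return {
        "high fuel gas pressure": s.fuel_gas_kpa >= HIGH_TRIP_KPA,
        "low fuel gas pressure": s.fuel_gas_kpa <= LOW_TRIP_KPA,
        "loss of flame": not s.flame,
    }


def master_fuel_trip(scans) -> dict:
    """Scan in order; returns when the trip fired, on which vote(s), and the first
    time each sensor on its own would have detected the condition.
    The trip latches on the first scan that votes (assumption: reset is manual)."""
    tripped_at: Optional[float] = None
    causes = []
    first_seen = {}
    for s in scans:
        votes = sensor_votes(s)
        for name, v in votes.items():
            if v and name not in first_seen:
                first_seen[name] = s.t
        if tripped_at is None and any(votes.values()):
            tripped_at = s.t
            causes = [n for n, v in votes.items() if v]
    return {"tripped_at": tripped_at, "causes": causes, "first_detection": first_seen}


# Constructed scenarios, one scan per second.
def pressure_control_failure():
    """Regulator fails open: pressure ramps up, flame lifts off two scans later."""
    pressures = [200, 210, 230, 245, 255, 270, 285, 290]
    return [Scan(t, p, flame=(t < 6)) for t, p in enumerate(pressures)]


def supply_loss():
    """Fuel gas supply falls away: pressure decays, flame is lost one scan later."""
    pressures = [150, 120, 100, 85, 75, 70]
    return [Scan(t, p, flame=(t < 5)) for t, p in enumerate(pressures)]


def fuel_contamination():
    """Inert slug in the fuel: pressure stays normal, flame drops out for two scans."""
    return [Scan(t, 150, flame=(t not in (3, 4))) for t in range(6)]


if __name__ == "__main__":
    for name, scans in (("pressure control failure", pressure_control_failure()),
                        ("supply loss", supply_loss()),
                        ("fuel contamination", fuel_contamination())):
        print(name, "->", master_fuel_trip(scans))
```

In the first two scenarios the pressure vote fires one or two scans before the flame detector would, which is the point the text makes: the pressure deviation precedes the loss of flame, so voting the two 1oo2 trips earlier than the flame detector alone, while the flame detector still covers causes the pressure sensor cannot see.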
6.3.3.1.3 Low Fuel Oil Pressure (Trip)
Low fuel oil pressure can result in unstable burner operation and loss of flame in fuel oil burners as the
flow of oil becomes too low to support combustion. Low fuel oil pressure typically occurs as the result of
mechanical failures of the fuel oil supply system or depletion of the fuel oil system's inventory. The fuel oil
supply system failures include, but are not limited to, a plugged strainer, failure of supply pumps and
failures of control system components regulating fuel oil flow such that flow is significantly decreased or
stopped. Fuel oil system low pressure and loss of flame may result in continued addition of fuel to the
burner which will not be burned and instead accumulate in the firebox and surrounding areas potentially
resulting in an uncontrolled fire of the fuel oil pool.
In this case, the hazardous condition can be detected either by the low fuel oil pressure that precedes the
actual loss of flame, or by a flame detector, detecting that the flame has been extinguished. If both of
these measurements are available to detect the hazardous condition, they form a 1oo2 vote, as either
sensor alone can detect the hazardous condition. Detection of this condition will result in a master fuel
trip.
The risk posed by loss of flame resulting from low fuel oil pressure can be significant, but is usually less
severe than a fuel gas explosion in terms of consequence severity. This function is typically reviewed to
determine SIL requirements on virtually all fuel oil fired equipment as it is almost always a credible
scenario. During the hazard and risk analysis, credit may be taken for use of a continuously operating
pilot burner system that is sourced from a fuel supply that is independent of the main burner system. Care
should be taken when using continuous pilots to prevent the main flame detector from "seeing" the
continuous pilots rather than the main flame resulting in failure to identify the hazardous scenario of the
loss of main flame with fuel still entering the furnace.
6.3.3.1.4 Low Atomizing Steam or Air / Fuel Oil Differential Pressure (Trip)
Low differential pressure between the fuel oil and atomizing steam or air can result in unstable burner
operation and loss of flame in fuel oil burners. As the differential pressure drops the oil fails to be
dispersed into finely divided droplets and the efficiency of the combustion decreases. As the combustion
efficiency drops not all of the fuel oil is combusted resulting in unburned oil dropping to the floor of the
firebox and the surrounding area. This incompletely combusted oil may be ignited resulting in an
uncontrolled fire in or near the heater. Low differential pressure between the fuel oil and atomizing steam
or air typically occurs as the result of failure of the steam supply or air supply system to provide the
atomizing media at an adequate pressure. This can be either the result of the loss of the overall atomizing
utility or failure of the differential pressure controller that sets the atomizing media pressure at the burner
tip.
In this case, the hazardous condition can be detected by the low differential pressure measurement
detecting that atomization is not sufficient. It should be noted that oil pooling and fire can occur without
completely extinguishing the flame at the burner. As a result, loss of flame does not accurately predict
whether or not the consequence is about to occur and should not be considered as a means of detection
of this hazard. Detection of this condition will result in a Master Fuel Trip or Individual Burner Valve Trip
depending upon system configuration.
The risk posed by low differential pressure between fuel oil and atomizing media can be significant, but is
usually less severe than a fuel gas explosion in terms of consequence severity. This function should be
reviewed to determine SIL requirements.
6.3.3.1.5 Loss of Air Flow (Trip)
Low combustion air flow (i.e., minimum air flow required to sustain flame) can result in unstable burner
operation and loss of flame. Loss of flame resulting from low combustion air flow can occur in both fuel
gas and fuel oil fired burners. As the flow of combustion air decreases, insufficient oxygen is available to
combust all of the fuel, resulting in unburned fuel entering and accumulating in the firebox. Ignition of this
fuel may result in an explosion. Low combustion air flow typically occurs as the result of failure of the
blower supplying air to the fired equipment or failure of the control loop regulating air flow.
In this case, the hazardous condition can be detected either by the low air flow pressure that precedes
the actual loss of flame, or by a flame detector detecting that the flame has been extinguished. If both of
these measurements are available to detect the hazardous condition, they form a 1oo2 vote, as either
sensor alone can detect the hazardous condition. Detection of this condition will result in a master fuel
trip.
The risk posed by loss of flame resulting from low combustion air flow pressure can be significant. This
function is typically reviewed to determine SIL requirements on virtually all fired equipment that is not
natural draft (i.e., forced, induced or balanced draft). It is important to note that continuous pilots typically
may not be considered a layer of protection as there could be a situation where there is a fuel rich (or air
starved) condition that will not allow complete combustion resulting in a hazard if air is re-introduced or
the fuel rich mixture reaches a source of oxygen (near top of stack).
6.3.3.1.6 Loss of Flame (Unrelated to fuel gas pressure or air flow) (Trip)

Loss of flame that is not associated with fuel gas or combustion air supply problems can occur in fired
equipment. This loss of flame is typically associated with contamination of the fuel with inert materials
such as nitrogen or carbon dioxide for gas or water for oil. As the non-combustible material passes
through the burner the flame will be extinguished. After the inert material passes through and flammable
material is re-introduced, it does not combust at the burner and accumulates in the firebox and
surrounding area, resulting in a fire or explosion upon ignition.
The risk posed by loss of flame due to contaminants in the fuel can be significant. In this case, the only
means of detecting the hazardous condition is by a flame detector detecting that the flame has been
extinguished. Detection of a loss of flame will result in a master fuel trip. However, the likelihood of this
initiating cause for multi-burner process heaters needs to be carefully evaluated to determine the risk and
thereby the need for flame detectors. During the hazard and risk analysis credit may be taken for use of a
continuously operating pilot burner system that is sourced from a fuel supply that is independent of the
main burner system. Care should be taken when using continuous pilots to prevent the main flame
detector from "seeing" the continuous pilots rather than the main flame resulting in failure to identify the
hazardous scenario of the loss of main flame with fuel still entering the furnace.
6.3.3.1.7 Loss of Instrument Air or Primary Power (Trip)

The loss of instrument air or the primary power supply has the potential to cause loss of firing control and
the subsequent loss of burner flame while continuing to supply gas to the firebox. The loss of instrument
air can cause the temporary loss of fuel gas supply by closing the fuel gas control valve. Since the
process control device responses can be unpredictable when insufficient air pressure is available, an
orderly shutdown of the fired equipment is required.

In this case, the hazardous condition can be detected either by the low instrument air pressure (or loss of
power) that precedes the actual loss of flame, or by the flame detector detecting that the flame has been
extinguished. If both of these measurements are available to detect the hazardous condition, they form a
1oo2 vote, as either sensor alone can detect the hazardous condition. Detection of this condition will
result in a master fuel trip.
The risk posed by the loss of flame resulting from loss of instrument air or power can be significant. While
not always identified as an SIF, this functionality is typically deemed safety-related and should be
reviewed for risk reduction requirements.
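The 1oo2 sensor vote described for loss of air flow (6.3.3.1.5) and for loss of instrument air or power (6.3.3.1.7) is shown below as an added illustration in Python; it is not code from ISA-TR84.00.05 or from any BMS product. The set points, the tag-like field names and the sample readings are constructed for the example. The point it demonstrates is the one the text makes: because either the pressure leg or the flame-detector leg alone is sufficient, a single sensor that fails in the dangerous direction (here a scanner that keeps reporting flame) does not defeat detection.

```python
"""Sensor-side 1oo2 detection for the loss-of-air-flow (6.3.3.1.5) and
loss-of-instrument-air (6.3.3.1.7) functions.

Added illustration, not code from ISA-TR84.00.05. Trip set points, field
names and sample readings are constructed.
"""
from dataclasses import dataclass


def vote_koon(k: int, demands: list) -> bool:
    """k-out-of-n voting: True when at least k of the n inputs demand a trip.
    1oo2 trips on either input; 2oo2 needs both."""
    n = len(demands)
    if not 1 <= k <= n:
        raise ValueError(f"k={k} is not in 1..{n}")
    return sum(1 for d in demands if d) >= k


@dataclass(frozen=True)
class Readings:
    combustion_air_pressure: float   # constructed units: kPa(g) at the windbox
    instrument_air_pressure: float   # constructed units: kPa(g) at the header
    flame_detected: bool             # main flame scanner status


LOW_COMBUSTION_AIR_TRIP = 0.5      # constructed set point
LOW_INSTRUMENT_AIR_TRIP = 400.0    # constructed set point


def loss_of_air_flow_demand(r: Readings) -> bool:
    """Low air pressure precedes the flame loss it causes; the flame detector
    sees the loss itself. Either alone is sufficient, so they vote 1oo2."""
    return vote_koon(1, [r.combustion_air_pressure < LOW_COMBUSTION_AIR_TRIP,
                         not r.flame_detected])


def loss_of_instrument_air_demand(r: Readings) -> bool:
    """Same 1oo2 pattern using the instrument air header pressure."""
    return vote_koon(1, [r.instrument_air_pressure < LOW_INSTRUMENT_AIR_TRIP,
                         not r.flame_detected])


def evaluate(r: Readings) -> dict:
    """Map each detected hazardous condition to the action the report names
    for it (a master fuel trip in both of these cases)."""
    actions = {}
    if loss_of_air_flow_demand(r):
        actions["loss of air flow"] = "master fuel trip"
    if loss_of_instrument_air_demand(r):
        actions["loss of instrument air or power"] = "master fuel trip"
    return actions


# Constructed scenario: the blower has failed and windbox pressure has
# collapsed, but the flame scanner is still (wrongly) reporting flame.
# The pressure leg of the 1oo2 vote still raises the trip demand.
SCENARIO_BLOWER_FAILED = Readings(combustion_air_pressure=0.1,
                                  instrument_air_pressure=550.0,
                                  flame_detected=True)
```

A real logic solver would also apply time delays and transmitter health (out-of-range) handling before acting; those are left out here so that the voting itself stays visible.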
6.3.3.1.8 High Pilot Gas Pressure (Trip)

High pilot fuel gas pressure typically occurs as a result of failure of pressure control. This failure results in
an uncontrolled high pressure at the pilot burner. If the pressure is sufficiently high, the rate of flow
through the burner will be so great that the flame will be lifted off the burner and extinguished. After the
pilot flame is extinguished, a protection layer for the loss of main burner flame has been lost and, if the
pilot gas is not isolated, may potentially lead to the development of an explosive mixture in the firebox.
In this case, a pilot fuel gas pressure sensor can detect the hazardous condition. Detection of this
condition will result in a pilot fuel trip.
The risk posed by the loss of pilot flame resulting from high pilot fuel gas pressure can be significant
depending on the fuel gas supply system design. While not always classified as an SIF, this functionality
is typically deemed safety-related and should be reviewed for risk reduction requirements. During the
hazard and risk analysis, credit may be taken for the main flame. If IPL (Independent Protection Layer)
credit is taken for the continuous pilot, an alarm should be implemented to alert operations to take
appropriate action to re-establish the pilot. Care should be taken when using continuous pilots to prevent
the main flame detector from "seeing" the continuous pilots rather than the main flame resulting in failure
to identify the hazardous scenario of the loss of main flame with fuel still entering the furnace.
6.3.3.1.9 Low Pilot Gas Pressure (Trip)

Low pilot fuel gas pressure can result in loss of pilot flame and, if the main burner flame were lost, the
subsequent introduction of fuel gas into the firing chamber without a flame available. Low pilot gas
pressure typically occurs as the result of loss of pilot fuel gas supply from the external source of fuel or
failure of the pilot gas control system. This failure will result in a fuel pressure at the burner tip that is not
sufficient to support combustion. After the pilot flame is extinguished, a protection layer for the loss of
main burner flame has been lost and, if the pilot gas is not isolated, may potentially lead to the
development of an explosive mixture in the firebox.
In this case, a pilot fuel gas pressure sensor can detect the hazardous condition. Detection of this
condition will result in a pilot fuel trip.
The risk posed by the loss of pilot flame resulting from low pilot gas pressure can be significant
depending on the fuel gas supply system design. While not always classified as an SIF, this functionality
is typically deemed safety-related and should be reviewed for risk reduction requirements. During the
hazard and risk analysis, credit may be taken for the main flame. If IPL credit was taken for the
continuous pilot, an alarm should be implemented to alert operations to take appropriate action to
re-establish the pilot.
6.3.3.2 Loss of Water in Boiler Steam Drum (Trip)

Misoperation of a boiler can result in loss of water in the boiler steam drum. Loss of water in the boiler
tubes can result in mechanical damage and failure of the tubes if firing continues without sufficient water
flow. In addition, personnel in the area could potentially be impacted by the release of high-pressure
steam through the ruptured tubing.
6.3.3.2.1 Low Steam Drum Level (Trip)

Low steam drum level can result in rupture of boiler tubing if firing is continued without sufficient flow of
water. Low steam drum level can typically occur under three scenarios: (1) loss of boiler feed water
system (2) failure of steam system (i.e., leaking), and (3) failure of drum level instrumentation / basic
process control.
For this function, the hazardous condition is typically detected by level measurement on the steam drum.
If the level measurement indicates a low level in the steam drum, fuel supply is stopped to the main
burners by closing the main fuel gas supply valve (or valves).
The risk posed by rupture of the boiler piping may pose a significant hazard, depending on the design of
the system. This function is typically reviewed to determine the risk reduction requirements.
6.3.3.2.2 Excessive Pressure in Steam Drum (Trip)

Misoperation of a boiler can result in excessive pressure being generated in the steam drum and
associated piping. If allowed to continue rising, unchecked, the pressure in the steam drum could exceed
the design limitations of the drum, resulting in overpressure, rupture, and explosion.
Pressure sensors connected to the steam drum detect this condition. If a high-pressure condition is
indicated in the steam drum, fuel supply is stopped to the main burner by closing the main fuel gas supply
valve (or valves).
When assessing the risks prevented for this particular SIF, many owner/operators consider the steam
drum relief valve(s) as an independent layer of protection. Depending upon the risk reduction
requirements for this SIF associated with the specific installation of the fired equipment under
consideration, it may be possible to eliminate the need for an SIF associated with excessive pressure in
the steam drum. This should be addressed on a case by case basis. While not always classified as an
SIF, this functionality is typically deemed safety-related and should be reviewed for risk reduction
requirements. The overpressure and explosion of the steam drum presents a significant hazard to those
in the vicinity. The potential for injury exists due to exposures to high temperature water and/or steam,
high-pressure energy release, and flying debris.
6.3.3.3 Low Pass Flow (Trip)

Loss of flow in the process tubes in a fired heater with continued firing can lead to increased tube
temperature and, subsequently, to heater tube damage. The increased stress on the heater tube could
lead to a tube rupture, which could lead to an uncontrolled heater fire, depending upon the flammability
characteristics of the process fluid.
Flow sensors in each pass of the process flow either on the inlet or discharge of the heater detect this
condition. Upon detection of a low or no-flow condition in a heater tube, the master fuel trip is activated,
stopping the flow of fuel to the main burner and the pilots. Alternatively, an independent source of pilot
gas does not necessarily need to be immediately shut off on loss of flow in the heater passes; the furnace
can instead be put into minimum fire mode. There are a few issues that must be considered when selecting the placement of
the flow sensor either on the inlet or discharge side of the heater. A flow sensor on the discharge side can
detect loss of flow upstream of the heater and can also detect tube ruptures within the heaters. However,
the higher temperature of the process fluid at the heater discharge can make the specification and
maintenance of a flow sensor at this location difficult. Placing the sensor at the heater inlet allows for the
detection of the loss of flow to the heater, but will not provide indication of a tube rupture. The problems
and benefits associated with each location should be considered when designing this SIF.

A ruptured tube inside a fired heater can lead to an uncontrollable fire within the firebox. Depending upon
the design of the heater, there is the potential for the flames to leave the confines of the heater and
potentially expose personnel in the vicinity to a fire hazard. This function is typically reviewed to
determine SIL requirements on fired heaters.
6.3.3.4 High Firebox or Stack Temperature (Trip)

A high temperature in the firebox or stack can be caused by a firing control failure resulting in the
temperature exceeding the desired control set point. If the temperature rises beyond the manufacturer
specified limit, there is the potential to damage the combustion chamber resulting in the loss of
containment of firebox contents. Excess temperature may also present the potential to exceed the
auto-ignition temperature of materials being processed in an oven, heater, or dryer.
A temperature sensor should be provided to detect high temperature conditions. Upon detection of a high
temperature condition, a main fuel trip or minimum firing trip is activated. Such devices are necessary
only when the maximum temperature specification provided by the manufacturer can be exceeded. While
not always classified as an SIF, this functionality is typically deemed safety-related and should be
reviewed for risk reduction requirements.
6.3.3.5 High Heater Pressure (Trip)

There are two conditions that are indicated by high heater pressure: tube rupture and loss of draft. The
rupture of a heater tube could lead to an uncontrolled heater fire, depending upon the flammability
characteristics of the process fluid. The loss of draft can also be detected by an increase in the heater
pressure. As the flow of combustion air decreases, insufficient oxygen is available to combust all of the
fuel, resulting in unburned gas entering and accumulating in the firebox. Ignition of this fuel may result in
an explosion. High heater pressure due to the loss of draft typically occurs as the result of failure of the
dampers to a closed position.
A master fuel trip, isolating fuel to the main burners and pilots, should be initiated upon the detection of a
high heater pressure condition. A pressure sensor located inside the firebox can detect this condition.
A ruptured tube inside a fired heater can lead to an uncontrollable fire within the firebox. Depending upon
the design of the heater, there is the potential for the flames to leave the confines of the heater and
potentially expose personnel in the vicinity to a fire hazard. The risk posed by loss of flame resulting from
loss of draft can be significant. In the case of boilers, the rupture of a water or superheated steam tube
could release an extensive amount of steam. The high firebox pressure function is typically reviewed to
determine risk reduction requirements on all fired heaters and on fired equipment where the combustion
air can be stopped or isolated. There are other instrumented functions that may be used in place of this
high firebox pressure to detect conditions of tube rupture or loss of draft. These functions can be
considered during the hazard and risk analysis and later verification/assessment activities.
There are two scenarios here. For scenario 1, tube rupture, low flow at heater exit is an additional
measurement. For scenario 2, loss of draft, there is no definite additional measurement.
6.3.3.6 Loss of Level in Heater Treater or Glycol Reboiler Drum (Trip)

Misoperation of fired drum heaters can result in loss of level in the drum. Loss of level can leave the firing
tubes exposed, resulting in mechanical damage and failure of the tubes if firing continues. The exposure
of the process fluids to the fire poses a significant potential for event escalation. In addition, personnel in
the area could potentially be impacted by the release event if high-pressure, high-temperature process
materials were released from the damaged vessel.

Low drum level can result in rupture of firing tubes, if firing is continued without a sufficient liquid heat
sink. Low drum level can typically occur under three scenarios: (1) loss of flow into the vessel, (2) leakage
from the vessel, and (3) failure of drum level instrumentation / basic process control.
For this function, the hazardous condition is typically detected by level measurement on the drum. If the
level measurement indicates a low level in the drum, then fuel supply is stopped to the main burners by
closing the main fuel gas supply valve (or valves).
The exposure of the process fluids to the fire poses a significant potential for event escalation. In addition,
personnel in the area could potentially be impacted by the release event if high-pressure,
high-temperature process materials were released from the damaged vessel. This function is typically
reviewed to determine SIL requirements.
6.3.3.7 High Temperature in Heater Treater or Glycol Reboiler Drum (Trip)

High temperature can result in rupture of firing tubes and the drum, if firing is continued beyond the
mechanical limitations of the equipment. High temperature can typically occur due to (1) low level (as
described above), (2) temperature control failure, or (3) the ignition of process fluids leaking into the firing
chamber.
For this function, the hazardous condition is typically detected by temperature measurement on the drum.
If the measurement indicates a high temperature in the drum, then fuel supply is stopped to the main
burners by a Minimum Fire Trip or a Master Fuel Trip.
The risk posed by rupture of the drum may pose a significant hazard, depending on the design of the
system and occupancy of the area. This function is typically reviewed to determine SIL requirements.
6.3.3.8 Excessive Pressure in Oil Heater Treater (Trip)

Misoperation of an oil heater treater can result in excessive pressure being generated in the drum and
associated piping. If allowed to continue rising unchecked, the pressure in the drum could exceed the
design limitations of the drum, resulting in overpressure, rupture, and explosion. This event can be
caused by a failure of the drum pressure control system or by over-firing caused by a failure of the burner
basic process control system.
Pressure sensors located on the drum detect this condition. If a high-pressure condition is indicated in the
drum, fuel supply is stopped to the main burner by closing the main fuel gas supply valve (or valves).
The overpressure and explosion of the drum presents a significant hazard to those in the vicinity. The
potential for injury exists due to exposures to high temperatures, high-pressure energy release, and flying
debris. This function is typically reviewed to determine SIL requirements.
6.4 Fuel Valve Trips

While assessing shutdown of the heater, the actions taken to move the fired equipment to a safe state are
common among many of the trips and permissives described in the clauses above. As such, the actions
taken are described here and referred to in the previous clauses. There are several types of heater trips
that are utilized in industry. These trips are applied at different times depending on the hazardous
condition that required the heater firing to be stopped. These shutdowns include: (1) Master Fuel Trip, (2)
Main Fuel Trip, (3) Minimum Firing Trip, (4) Individual Burner Main Fuel Trip, (5) Individual Burner Main
and Pilot Fuel Trip, and (6) Pilot Fuel Trip.

6.4.1 Master Fuel Trip

The master fuel trip is the most comprehensive of the heater trips. The master fuel trip isolates all fuel
sources to the greatest degree possible. This trip includes stopping both the main fuel source and pilot
fuel source, and may also include closure of purge valves. A master fuel trip is usually called for when a
firing anomaly has occurred, resulting in potential uncombusted flammable material in the firebox. As a
result, all sources of fuel are closed and the heater is required to go through its startup sequence before
relighting can occur.
When a master fuel trip is called for, both the main fuel source and pilot fuel source are required to be
stopped for the heater to be moved to a safe state. Since both fuel sources must be successfully isolated
to move to a safe state, the arrangement can be considered a two-out-of-two (2oo2) vote. In some cases,
such as thermal oxidizers, more fuel sources, such as a waste gas stream, may be available. All fuel
sources must be isolated to move the process to a safe state (i.e., NooN voting).
For each fuel, the number of shutoff valves required depends on the heater type and the application
specific standard that governs the design. In many heaters, each fuel source is isolated from the heater
using a double-block-and-bleed valve arrangement. A double-block-and-bleed arrangement consists of
two block valves along with a bleed valve that is used to vent the cavity between to the block valves to a
safe location. There are two advantages to the double-block-and-bleed arrangement. First, since two
valves must fail in order to prevent the safety function from taking its proper action the probability that the
overall system will fail to perform its safety function is much lower than if only a single valve were used.
Second, the double-block-and-bleed arrangement provides a more positive isolation between the fuel and
the firebox. Leakage into the firebox would require leakage through both valves, and failure of the bleed
valve (or vent system) to allow any gas that has leaked through the upstream valve to vent to a safe
location instead of migrating through the second closed valve into the firebox.
While the double-block-and-bleed arrangement has strong and apparent advantages, it also has
limitations. Increased equipment requirements over single valve installations lead to higher costs, both in
terms of initial capital and on-going maintenance. In addition, multiple valve installations lead to increased
complexity and operator training. There is also a possibility that leaking bleed valves can result in
additional unnecessary fuel consumption. While all options have strengths and limitations, it is important
to consult application specific practices to assist in determining the proper valve configuration for your
application.

If a single block valve is used as the final element for each fuel train, then obviously, that valve must close
to bring the heater to a safe state, which is one-out-of-one (1oo1) voting. In some cases, the fuel control
valve is commanded closed during a master fuel trip. Great care should be taken when considering the
closure of the fuel control valve to be part of the SIF. Several factors can compromise the integrity of the
fuel source control valve when considering it for safety application. First and foremost, many fuel source
control valves have appliances such as mechanical stops, minimum stop hand wheel settings, bypass
valves, or bypass regulators that allow fuel source to continue to flow to the burners even though the
valve is fully closed. This type of design is typically performed to ensure that valve closure will not result in
a loss of flame, but only a return to the minimum firing settings. If one of these conditions exists, the fuel
control valve cannot be considered to be part of the SIF as it is incapable of isolating the fuel and bringing
the process to a safe state.

If a double-block-and-bleed arrangement is used, the valves are considered to be a one-out-of-two (1oo2)
vote to bring the process to a safe state since closure of either one of the two valves can successfully
isolate fuel from the firebox. It is important to note that failure of the bleed valve to successfully open is
not considered to be part of the core Safety Instrumented Function that required the master fuel trip. If the
bleed valve failed to open, it would not prevent the immediate isolation required to bring the process to a
safe state from occurring. Instead, failure of the bleed valve to open is part of a secondary safety function
that prevents a separate hazard. If the bleed valve does not open, then leakage through the primary and
secondary valve may lead to an unsafe condition in the firebox (i.e., accumulation of a flammable mixture
at a time significantly subsequent to the heater shutdown).

Other conditions affecting a control valve's ability to bring the process to a safe state include: (1) control
valves typically cannot provide the tight-shutoff required for isolation and (2) control valves are
necessarily connected to the basic process control systems, and as such may fail as the result of
problems in the basic process control system. While most of the failure modes associated with these
conditions can be accounted for in the design, use of control valves as SIS final elements should be
undertaken with extreme caution and additional risk analysis. Typically, the closure of the fuel control
valve is considered an additional action that is not part of the core safety function, and as such, no credit
is typically taken for the fuel control valve closure's ability to take the process to a safe state.
6.4.2 Main Fuel Trip (Minimum Firing Trip)

In some cases a comprehensive fuel trip is not required. When the hazardous condition that is being
acted upon by the heater safety system is an excessively high temperature or other hazard that can
compromise heater safety, but is not related to the release of unburned fuel, a main fuel trip or a minimum
fuel trip may occur. The advantage of the main fuel trip and minimum firing trip over a master fuel trip in
these circumstances is that the heater is moved to a safe state from which recovery is easier, and the
down-time and start-up effort is minimized. This is possible because during a main fuel trip or minimum
firing trip, the burners will stay lit, at least at the pilot burners. This will prevent a requirement for purging
and re-light of the pilots.
The key difference between a main fuel trip and a minimum firing trip is whether or not the main flame is
extinguished. In a main fuel trip, the block valve(s) used to isolate main fuel source are closed, causing
the main flame to be extinguished. Since the pilot valves are not closed, the pilot flames stay ignited. In a
minimum firing trip, the main fuel source block valve(s) are not closed. Instead the fuel control valve is
sent to its minimum firing position. This is typically accomplished by de-energizing a solenoid valve on the
control valve's pneumatic signal, causing the valve to go to its closed position. The fuel control valve is
equipped with a bypass valve, bypass regulator, or some form of mechanical stop in order to allow a
minimum amount of fuel to continue to the burners. This will decrease the main flame to a minimum size,
but allow the flame to continue burning. This allows a rapid return to normal operations, as all of the
burners are still lit, and normal operation can be re-established by resetting the safety function and
returning to automatic control after the situation that caused the trip to occur has been addressed.
For a main fuel trip or a minimum firing trip, only the main fuel train (not the pilot fuel train) needs to be
stopped, resulting in a 1oo1 vote for the fuel train. As described in 6.4.1 above, if a double-block and
bleed, or double-block assembly, is used to isolate fuel source flow (for a main fuel trip) voting in either of
these two configurations is 1oo2 voting of the two block valves. If only a single shutoff valve is used for a
main fuel trip, then it is a 1oo1 arrangement. If a minimum firing trip is used, it is a 1oo1 vote using the
fuel control valve. As noted in 6.4.1 above, caution should always be exercised when using a BPCS valve
for safety purposes. It is important to ensure that no failure in the BPCS can result in the dangerous
failure of the SIS functionality. In practice this means that the solenoid valve, which is electrically
connected to the SIS but acts on the BPCS pneumatic signal, should be positioned so that it will vent the
actuator of the fuel control valve regardless of the control action taken by the BPCS. The control valve is
part of the BPCS and could be the initiating cause for the need to trip. Achieving minimum firing should be
verified and if it is not successful then a Master Fuel Trip should be initiated.
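The final-element voting rules of 6.4.1 and 6.4.2 (and, by the same model, the pilot fuel trip of 6.4.4) are worked below as an added Python illustration; it is not code from ISA-TR84.00.05 or from any BMS vendor. It encodes the points the text makes: a master fuel trip is NooN across fuel trains (2oo2 for main plus pilot), a double-block arrangement is 1oo2 within a train while a single block valve is 1oo1, the bleed valve is a secondary function outside the core SIF, a BPCS control valve with a minimum stop or bypass gets no isolation credit, and a minimum firing trip must be verified and escalated to a master fuel trip if minimum firing is not achieved. The valve tags, closed/open states and per-valve probabilities of failure on demand are constructed sample values; the PFD arithmetic assumes independent valve failures and ignores common-cause failure, which a real SIL verification must not.

```python
"""Final-element voting for the fuel valve trips of clause 6.4.

Added illustration, not code from ISA-TR84.00.05 or any BMS product. Valve
tags, states and per-valve PFD values are constructed; independent failures
are assumed (no common-cause term).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Valve:
    tag: str
    closed: bool                 # state observed after the trip command
    pfd: float = 0.0             # constructed: chance it fails to close on demand
    control_valve: bool = False  # BPCS control valve: no SIF credit (6.4.1)


@dataclass
class FuelTrain:
    name: str
    block_valves: list                    # one valve = 1oo1, double block = 1oo2
    bleed_valve: Optional[Valve] = None   # secondary function, not core SIF (6.4.1)

    def credited(self) -> list:
        """Only block valves count; a fuel control valve with a minimum stop,
        bypass or hand wheel cannot isolate and is excluded from the SIF."""
        return [v for v in self.block_valves if not v.control_valve]

    def isolated(self) -> bool:
        """1ooN over the credited block valves: any closed valve isolates."""
        return any(v.closed for v in self.credited())

    def pfd(self) -> float:
        """All credited valves must fail for the train to stay open; with
        independent failures that probability is the product of the PFDs."""
        valves = self.credited()
        if not valves:
            return 1.0           # nothing creditable: isolation cannot be claimed
        p = 1.0
        for v in valves:
            p *= v.pfd
        return p


# Which trains each trip must isolate (6.4.1, 6.4.2, 6.4.4).
TRIP_TRAINS = {
    "master fuel trip": ("main", "pilot"),
    "main fuel trip": ("main",),
    "pilot fuel trip": ("pilot",),
}


def safe_state_reached(trip: str, trains: dict) -> bool:
    """NooN across the required trains: every one must be isolated
    (2oo2 for main plus pilot on a master fuel trip)."""
    return all(trains[name].isolated() for name in TRIP_TRAINS[trip])


def trip_pfd(trip: str, trains: dict) -> float:
    """Probability that at least one required train fails to isolate."""
    p_all_ok = 1.0
    for name in TRIP_TRAINS[trip]:
        p_all_ok *= 1.0 - trains[name].pfd()
    return 1.0 - p_all_ok


def minimum_firing_trip(control_valve_at_minimum: bool) -> str:
    """6.4.2: minimum firing is a 1oo1 action on the fuel control valve and
    must be verified; if it is not achieved, escalate to a master fuel trip."""
    return "minimum firing" if control_valve_at_minimum else "master fuel trip"


def sample_trains() -> dict:
    """Constructed example: main fuel through double block and bleed, pilot
    through a single block valve, plus a control valve commanded closed."""
    main = FuelTrain("main", [
        Valve("XV-101A", closed=True, pfd=0.01),
        Valve("XV-101B", closed=False, pfd=0.01),   # stuck open; 1oo2 still isolates
        Valve("FV-100", closed=True, control_valve=True),  # no credit
    ], bleed_valve=Valve("XV-101C", closed=False))
    pilot = FuelTrain("pilot", [Valve("XV-201", closed=True, pfd=0.02)])
    return {"main": main, "pilot": pilot}
```

In the constructed sample the main train reaches its safe state through XV-101A alone even though XV-101B is stuck open, and the control valve FV-100 contributes nothing to the result; the bleed valve XV-101C being shut would be flagged by a separate function, as 6.4.1 describes.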
6.4.3 Individual Burner Valve Trips

In some cases, it is desirable to isolate fuel to an individual burner. This type of trip is performed when
loss of flame occurs at an individual burner while the remaining burners remain operational. The
advantage of this type of trip is that a firing anomaly at an individual burner, or a nuisance failure of an
individual burner flame detector, will not result in a complete shutdown of a multiple burner heater.
Instead, only the affected burner is shutdown. This allows continued operation of the remaining burners of
the heater while the affected burner is repaired, and relatively easy restart of only the affected burner,
which does not require a complete purge cycle for the entire heater.

When loss of flame at an individual burner is detected, the fuel supply to that burner is isolated. This is
done by closure of the individual fuel supply block valve to that burner. Depending on the extent of the
situation that causes this trip to occur, either the main fuel source block valve alone will be closed, or the
main fuel source block valve and the pilot gas block valve will be closed. The valves which close will be
determined by which flame detectors cause the trip to occur. If only a main fuel source shutoff is required,
then only the main fuel source block valve is closed. This is typically a single valve, resulting in a 1oo1
vote. If both main and pilot fuels need to be isolated, then both fuel trains are required to move the
process to a safe state, resulting in a 2oo2 vote for both trains. Since each fuel typically has a single
valve for isolation, each train's fuel block valve operates in a 1oo1 configuration.
6.4.4 Pilot Fuel Trip

In some cases, only the pilot valves are required to be closed. This situation typically only occurs during a
failed attempt to light the pilots. From a functional perspective, this trip is often considered a master fuel
trip, because functionally the BMS will take the same action as a master fuel trip. The difference between
a pilot fuel trip and a master fuel trip is subtle but important in terms of what equipment needs to be
considered when determining if the target SIL has been achieved.
The difference between a master fuel trip and a pilot fuel trip is that when a pilot fuel trip is called for, the
main fuel valves have never been opened. As such, the probability of the fuel valves failing to close does
not need to be considered (because the valves are already closed). In order to perform a pilot fuel trip
only the pilot fuel source needs to be isolated. This results in a 1oo1 vote for the fuel source. The pilot
fuel source will typically be isolated by either a double-block-and-bleed assembly or a single block valve.
The strengths and limitation of each approach are discussed in clause 4.4.1. If a double-block-and-bleed
assembly is used, either of the two block valves can be used to bring the process to a safe state, resulting
in a 1oo2 vote. If a single valve is used, that valve must be able to bring the process to a safe state,
resulting in a 1oo1 vote. Unlike the main fuel source trip, basic process control system valves are typically
not used for pilot shutoff, because control of pilot fuel pressure is typically performed by a self-contained
regulator instead of an external control system.
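The voting arithmetic behind the pilot fuel trip and master fuel trip comparison above, as an added illustration rather than text from this technical report. It applies the commonly used simplified low-demand equations (1oo1: λDU·TI/2; 1oo2: (λDU·TI)²/3; 2oo2 of dissimilar trains that must all act: the sum of the 1oo1 terms, common-cause failure neglected) and the ANSI/ISA-84.00.01-2004 low-demand SIL bands; those equations are assumptions of the example, not given in this clause. The failure rate and proof-test interval in main() are constructed sample values.

```python
"""Simplified PFDavg for the fuel-isolation voting groups discussed in 6.4.

Added illustration, not code from ISA-TR84.00.05. It assumes the widely
used simplified low-demand equations (lambda_du = dangerous undetected
failure rate in failures/hour, ti = proof-test interval in hours,
common-cause failure neglected):
    1oo1: lambda_du * ti / 2
    1oo2: (lambda_du * ti) ** 2 / 3
    2oo2 of dissimilar trains that must all act: sum of the 1oo1 terms
The failure rate and test interval in main() are constructed sample values.
"""


def pfd_1oo1(lambda_du, ti):
    """Single block valve: the one element must operate on demand."""
    return lambda_du * ti / 2.0


def pfd_1oo2(lambda_du, ti):
    """Double-block-and-bleed pilot isolation: either block valve closing
    reaches the safe state, so both must have failed dangerously."""
    return (lambda_du * ti) ** 2 / 3.0


def pfd_2oo2(lambda_dus, ti):
    """Independent fuel trains that must ALL close: a dangerous failure of
    any one train defeats the function, so the 1oo1 PFDavg values add.
    With identical rates this reduces to lambda_du * ti."""
    return sum(pfd_1oo1(lam, ti) for lam in lambda_dus)


def sil_from_pfd(pfd):
    """Low-demand SIL band of ANSI/ISA-84.00.01-2004 (0 = below SIL 1)."""
    for sil, upper in ((4, 1e-5), (3, 1e-4), (2, 1e-3), (1, 1e-2)):
        if pfd < upper:
            return sil
    return 0


def pilot_fuel_trip_pfd(lambda_du, ti, double_block_and_bleed):
    """6.4.4: only the pilot source is isolated; the main fuel valves were
    never opened and therefore do not enter the calculation."""
    return pfd_1oo2(lambda_du, ti) if double_block_and_bleed else pfd_1oo1(lambda_du, ti)


def master_fuel_trip_pfd(lambda_main, lambda_pilot, ti):
    """Master fuel trip where both the main and the pilot train must close."""
    return pfd_2oo2((lambda_main, lambda_pilot), ti)


def main():
    lam, ti = 2.0e-6, 8760.0   # constructed sample: 2e-6 /h, annual proof test
    cases = (
        ("pilot trip, single block valve (1oo1)", pilot_fuel_trip_pfd(lam, ti, False)),
        ("pilot trip, double block and bleed (1oo2)", pilot_fuel_trip_pfd(lam, ti, True)),
        ("master fuel trip, main and pilot trains (2oo2)", master_fuel_trip_pfd(lam, lam, ti)),
    )
    for label, pfd in cases:
        print(f"{label}: PFDavg = {pfd:.2e}, SIL {sil_from_pfd(pfd)}")


if __name__ == "__main__":
    main()
```

With the sample values the single-valve pilot trip lands in SIL 1, the double-block-and-bleed pilot trip in SIL 2, and the two-train master fuel trip below SIL 1, which is the point of the clause: the architecture of the final elements that actually have to move, not the number of valves installed, decides what the SIF can achieve.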
6.5 Other Safety Instrumented System Design Considerations

ANSI/ISA-84.00.01-2004 provides specific design and management requirements for implementation of
an SIS based on its SIL. These requirements are in addition to verifying the PFDavg using quantitative
calculations. Some additional considerations are listed in the following clauses.
6.5.1 Reset

ANSI/ISA-84.00.01-2004 requires that once an SIF has placed a process into a safe state, it shall remain
in the safe state until reset. The reset functionality is generally performed manually, but the actual
equipment used to perform the reset can vary. The essential difference is the location of the reset.
Resetting is typically performed in one of two methods, either through a device that holds the final
element in its safe state until it is manually reset, or through the logic solver which maintains its outputs in
the safe condition until an operator reset has been initiated. Both options are acceptable and each option
has its strengths and limitations. Owner/operators are encouraged to review other applicable practices to
determine what type of reset functionality is required.
6.5.2 Manual Trip Requirements

ANSI/ISA-84.00.01-2004 suggests that manual means of bringing a process to a safe state, independent
of the logic solver, are provided. An independent manual master fuel trip is also a requirement of the
referenced NFPA practices. Where required or deemed appropriate, manual trip facilities for fired
equipment should be provided and tested.

6.6 Hazard analysis tables


Hazard analysis tables for various types of fired equipment are provided in clauses 7 through 11 of this technical
report. Hazard and risk analysis is applicable to fired equipment regardless of its position in the process
flow. The boundaries of each process component include the inlet piping, control devices and the outlet
piping to another component. Every outlet pipe and pipe branch should be included up to the point where
safety devices on the next component provide protection.
The safety analysis of fired equipment highlights undesirable events (effects of equipment failures,
process upsets, etc.) from which protection should be provided, along with detectable abnormal
conditions that can be monitored for input into an SIF and the safety actions that should be taken upon
detection. These detectable conditions are used to initiate action through the SIS to prevent or minimize
the effect of undesirable events. The tables present the logical sequence of safety system development,
including causes, consequences, detectable abnormal conditions, and safety actions that should be
taken. Note: Safety actions are defined as shutoff of fuel supply to main burner and pilot. Actions such as
de-energizing the igniter or performing a 15-second post purge are important additional functions, but do
not prevent the hazard in question and are not listed in the table. As such, these functions are classified
as secondary actions performed by the BMS and are not included as part of any identified SIF.
The generic causes of each undesirable event are listed. The primary causes are equipment failures,
process upsets, and misoperation, but all primary causes in a category will create the same undesirable
event. The undesirable events should be determined from a detailed evaluation of the failure modes of
the component and its ancillary equipment. These failure modes are grouped under causes, according to
the manner in which they may generate the undesirable event.
The hazard analysis table identifies the following operating phases:
a) Pre-firing cycle
b) Light-off cycle
c) Normal operation

7 Example of a Hazard and Risk Analysis Applied to a Single Burner Boiler

The following is an example of a hazard and risk analysis for a single burner boiler firing natural gas using
a Class 1 continuous fired pilot. The purpose of this example is to illustrate a methodology for identifying
and classifying the SIF within the BMS. The identified hazards are common to most boilers, and the
illustrated functions are listed in NFPA 85 Boiler and Combustion Systems Hazards Code. The
schematic in Figure 7.1 provides a simplified single burner boiler design used for this example.
7.1 Assumptions and Clarifications

To assist one in interpreting the hazard analysis table and the associated single burner boiler P&ID
sketch, the following assumptions and clarifications have been made regarding this design:
Assumptions
1) Many different approaches and designs are utilized in industry with respect to BMS functions
associated with the single burner boiler operations. This example is not recommending any
specific best and / or mandatory design approach. The intent of this example is to assess typical
NFPA 85 installations and minimum design requirements. It is recognized that many designs
currently exist in industry. The system designer or owner/operator may apply the illustrated
concepts to their designs to better understand the application of ANSI/ISA-84.00.01-2004.
2) The boiler is assumed to be designed to operate in a de-energize to trip capacity.
3) The P&ID sketch depicts the use of switches instead of transmitters for measurement of various
process conditions. The system designer, when performing design / SIL verification activities,
may need to evaluate switches versus transmitters based upon the desired proof test interval and
selected SIL target. Switches were depicted on the P&ID sketch due to the large installed base
that currently exists in industry utilizing this architecture. Note: transmitters are typically used in new
SIS applications because of the potential reduction in proof testing requirements and the additional
diagnostic benefits associated with transmitters.
4) Basic Process Control System (BPCS) instrumentation has not been completely depicted to
simplify the P&ID and keep the focus on BMS related sensors and final elements.


5) For the purposes of this example, a high drum level trip was considered to be a BPCS function
associated with protection of the downstream steam system. BPCS controls are outside the
scope of this document and as such are not included in this example. Each owner/operator
should review this decision for their particular situation to determine if they need to evaluate this
as a potential SIF.
6) Note: not all items contained in the hazard analysis table will result in assignment of an SIL.
Qualitative or quantitative techniques should be used to determine whether specific functions
should be assigned an SIL based on an owner/operator's risk criteria. As a result of this process
some permissives and / or trips will be assigned an SIL and others will not.

Design Considerations

There are several events that can lead to loss of flame, which are listed below with some non-interlock
means of protection against the hazard to consider.
1) Low Fuel Gas Pressure: Typical causes of low fuel gas pressure are failure of the fuel gas
regulator or loss of supply. A non-interlock layer of protection to consider is a minimum fire
bypass around the control valve to maintain fuel gas pressure above the point of loss of flame in
the event that the controller closes the fuel gas control valve completely. Note: one should
carefully review the location of the low pressure sensor and its ability to detect a control valve
failure. Many different designs exist in industry. One option is to move the control valve upstream
of low pressure sensor. Another option is to move the low pressure sensor downstream of control
valve with the addition of another low pressure sensor on the gas header for the light-off
permissive. Once flame is established the low pressure sensor downstream of the control valve is
used to trip the boiler. The main consideration is what the hazard is and how it is detected.
Careful consideration of the piping arrangement and low pressure sensor location is necessary to
detect low pressure due to control valve failure.
2) Loss of control system actuating energy and / or power failure: The boiler is assumed to be
designed to operate in a de-energize to trip capacity. However, it is recognized that some BMS
are designed as energize to trip. Utilization of an energize to trip design poses some unique
challenges for the owner/operator with respect to SIS design and the ability of the system to
achieve the allocated risk reduction. Design verification should be carefully reviewed, as many
simplified calculation methods assume the application is de-energize to trip scenarios.
Sequence Considerations
There are several permissives and sequence steps listed in section 7.2 that should be considered for safe
start-up and operation of a boiler. This list is not all-inclusive, but should provide a starting point for
discussion on sequencing requirements for a safe boiler start-up and operation.

Figure 7.1 Single Burner Boiler Process Schematic


7.2 Example Hazard Analysis Table for a Single Burner Boiler

Columns of the table: Phase; Undesirable Event; Consequence Description; Function # Permissive (P) or
Trip (T); Cause(s); Detectable Abnormal Condition; Actions Taken.

Phase: Prefiring Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Combustibles in the firing chamber may result in development of a flammable or
explosive mixture, which may then be exposed to a source of ignition, causing undesired combustion, and
potentially an explosion, which may result in mechanical damage to the boiler and may also result in
personnel impacts to persons near the equipment.

Function 1 (P)
  Cause(s): Fuel supply valves improperly aligned (i.e. block valves not closed and / or vent valve not
  open) prior to Light-off. See Clause 6.3.1.1.1
  Detectable Abnormal Condition: Valve fully closed limit switch(es) not proven
  Actions Taken: Inhibit subsequent start-up steps.

Function 2 (P)
  Cause(s): Failure to purge firebox. See Clause 6.3.1.1.2
  Detectable Abnormal Condition: Air flow does not exist for specified time period at sufficient flow rate
  Actions Taken: Inhibit subsequent start-up steps.

Undesirable Event: Proceeding to the Light-Off cycle when the permissives are not satisfied
Consequence Description: Mechanical damage to the equipment and personnel exposure/harm may occur if
the identified permissives are not met prior to proceeding with the sequence.

Function 3 (P)
  Cause(s): Light-off of the burner when the fuel gas valve position and / or air damper position is such
  that an excessive fuel rich mixture is entering the combustion chamber. See Clause 6.3.1.2.4
  Detectable Abnormal Condition: Fuel control valve and air damper not at minimum fire positions during
  attempted light-off
  Actions Taken: Inhibit subsequent start-up steps.

Function 4 (P)
  Cause(s): Steam drum level not established or failure of drum level instrumentation.
  See Clause 6.3.1.2.6
  Detectable Abnormal Condition: Low steam drum level
  Actions Taken: Inhibit subsequent start-up steps.

Phase: Light-Off Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Combustibles in the firing chamber may result in development of a flammable or
explosive mixture, which may then be exposed to a source of ignition, causing undesired combustion, and
potentially an explosion, which may result in mechanical damage to the boiler and may also result in
personnel impacts to persons near the equipment.

Function 5 (T)
  Cause(s): Failure to ignite pilot due to: ignition transformer failure; ignition valve failure; plugged
  burner nozzle; pilot gas contamination with non-flammable material results in unstable mixture that
  cannot support combustion; improper fuel / air ratio. See Clause 6.3.2.1.1
  Detectable Abnormal Condition: Igniter flame not proven within specified time
  Actions Taken: Shutoff fuel supply to pilot

Function 6 (T)
  Cause(s): Failure to ignite main flame due to: plugged burner nozzle; fuel gas contamination with
  non-flammable material results in unstable mixture that cannot support combustion.
  See Clause 6.3.2.1.2
  Detectable Abnormal Condition: Main flame not proven within specified time
  Actions Taken: Shutoff fuel supply to main burner

Phase: Normal Operation
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Combustibles in the firing chamber may result in development of a flammable or
explosive mixture, which may then be exposed to a source of ignition, causing undesired combustion, and
potentially an explosion, which may result in mechanical damage to the boiler and may also result in
personnel impacts to persons near the equipment.

Function 7 (T)
  Cause(s): High fuel gas pressure causes unstable flame operation and loss of flame with subsequent
  introduction of unburned fuel gas due to fuel gas regulator failure. See Clause 6.3.3.1.1
  Detectable Abnormal Condition: High fuel gas pressure or loss of flame
  Actions Taken: Shutoff fuel supply to main burner and pilot

Function 8 (T)
  Cause(s): Low fuel gas pressure causes unstable flame operation and loss of flame with subsequent
  introduction of unburned fuel gas due to loss of fuel gas supply; or fuel gas control valve failure.
  See Clause 6.3.3.1.2
  Detectable Abnormal Condition: Low fuel gas pressure or loss of flame
  Actions Taken: Shutoff fuel supply to main burner and pilot

Function 9 (T)
  Cause(s): Combustion air fan or damper failure while firing. See Clause 6.3.3.1.5
  Detectable Abnormal Condition: Loss of combustion air supply (i.e. air flow falls below minimum firing
  rate) or loss of flame
  Actions Taken: Shutoff fuel supply to main burner and pilot

Function 10 (T)
  Cause(s): Fuel gas contamination with non-flammable material causes loss of flame and subsequent
  introduction of unburned fuel gas. See Clause 6.3.3.1.6
  Detectable Abnormal Condition: Loss of flame
  Actions Taken: Shutoff fuel supply to main burner and pilot

Function 11 (T)
  Cause(s): Loss of control system actuating energy and / or power failure. See Clause 6.3.3.1.7
  Detectable Abnormal Condition: Low instrument air pressure or loss of primary power
  Actions Taken: Shutoff fuel supply to main burner and pilot.

Undesirable Event: Loss of Water in Boiler Steam Drum
Consequence Description: Possible mechanical damage to water tubes if boiler firing is continued without
sufficient water present to remove heat. Mechanical damage to the boiler may also result in personnel
impacts to persons near the equipment.

Function 12 (T)
  Cause(s): Low steam drum level due to loss of boiler feed water system; failure of steam system (i.e.
  leak); or failure of drum level instrumentation / basic process control system with continued firing of
  the boiler results in loss of water in the steam drum. See Clause 6.3.3.2
  Detectable Abnormal Condition: Low Drum Level
  Actions Taken: Shutoff fuel supply to main burner and pilot

Undesirable Event: Excessive Pressure in Steam Drum
Consequence Description: Possible steam drum rupture or explosion. This event may result in personnel
impacts to persons near the equipment.

Function 13 (T)
  Cause(s): High steam drum pressure due to blocked outlet of the steam drum caused by instrumentation /
  basic process control system failures or operator error, or overfiring caused by instrumentation / basic
  process control system failures or operator error. See Clause 6.3.3.2.2
  Detectable Abnormal Condition: High Steam Drum Pressure
  Actions Taken: Shutoff fuel supply to main burner and pilot. Note: provides discussion of protection
  layers.
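The rows of table 7.2 and the reset behaviour of 6.5.1 expressed as a small logic-solver model, as an added example that is not code from this technical report. Function numbers, operating phases and actions follow the table; the input tag names (for example "purge_not_complete"), the simplification to one detectable condition per row (the "or loss of flame" alternative of functions 7 to 9 is carried by function 10), the three-step start-up sequence and the latch-until-manual-reset logic are modelling assumptions of this example.

```python
"""Logic-solver model of the permissives and trips in table 7.2.

Added example, not code from ISA-TR84.00.05. Function numbers, phases and
actions follow the table; the input tag names (e.g. "purge_not_complete"), one
condition per row (the "or loss of flame" of rows 7-9 is carried by row 10) and
the latch-until-manual-reset behaviour of 6.5.1 are modelling assumptions.
De-energize-to-trip: a False output means the solenoid is de-energized and the
block valve is closed.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Phase(Enum):
    PREFIRING = auto()
    LIGHT_OFF = auto()
    NORMAL = auto()


@dataclass(frozen=True)
class Function:
    number: int      # "Function #" column
    kind: str        # "P" permissive or "T" trip
    phase: Phase     # operating phase in which the row is evaluated
    condition: str   # detectable abnormal condition (assumed input tag)
    action: str      # "inhibit", "pilot", "main" or "all"


P, L, N = Phase.PREFIRING, Phase.LIGHT_OFF, Phase.NORMAL
TABLE_7_2 = (
    Function(1, "P", P, "fuel_valves_not_proven_closed", "inhibit"),
    Function(2, "P", P, "purge_not_complete", "inhibit"),
    Function(3, "P", P, "not_at_minimum_fire", "inhibit"),
    Function(4, "P", P, "low_drum_level", "inhibit"),
    Function(5, "T", L, "pilot_flame_not_proven", "pilot"),
    Function(6, "T", L, "main_flame_not_proven", "main"),
    Function(7, "T", N, "high_fuel_gas_pressure", "all"),
    Function(8, "T", N, "low_fuel_gas_pressure", "all"),
    Function(9, "T", N, "loss_of_combustion_air", "all"),
    Function(10, "T", N, "loss_of_flame", "all"),
    Function(11, "T", N, "low_instrument_air_or_power", "all"),
    Function(12, "T", N, "low_drum_level", "all"),
    Function(13, "T", N, "high_drum_pressure", "all"),
)


class BoilerBMS:
    def __init__(self, table=TABLE_7_2):
        self.table = table
        self.phase = Phase.PREFIRING
        self.pilot_energized = False   # pilot gas block valve solenoid
        self.main_energized = False    # main fuel gas block valve solenoid
        self.latched_trips = []        # 6.5.1: outputs held safe until reset

    def _active(self, inputs, kind):
        """Rows of this kind, in this phase, whose condition is present."""
        return [f for f in self.table if f.kind == kind and f.phase is self.phase
                and inputs.get(f.condition, False)]

    def scan(self, inputs):
        """One scan: de-energize outputs for every active trip, latch it, return new trips."""
        active = self._active(inputs, "T")
        for f in active:
            if f.action in ("pilot", "all"):
                self.pilot_energized = False
            if f.action in ("main", "all"):
                self.main_energized = False
        new = [f.number for f in active if f.number not in self.latched_trips]
        self.latched_trips.extend(new)
        return new

    def advance(self, inputs):
        """Try the next start-up step; returns inhibiting function numbers, [] if advanced."""
        blocking = list(self.latched_trips) or [f.number for f in self._active(inputs, "P")]
        if blocking:
            return blocking
        if self.phase is Phase.PREFIRING:
            self.phase, self.pilot_energized = Phase.LIGHT_OFF, True   # pilot trial
        elif not self.main_energized:
            self.main_energized = True                                 # main flame trial
        else:
            self.phase = Phase.NORMAL
        return []

    def reset(self, inputs):
        """Manual reset after a trip; refused while any trip condition persists."""
        if self._active(inputs, "T"):
            return False
        self.latched_trips.clear()
        self.phase = Phase.PREFIRING
        self.pilot_energized = self.main_energized = False
        return True


def demo():
    """Permissive 1 blocks start-up; start-up completes; trip 8; reset once clear."""
    bms, log = BoilerBMS(), []
    log.append(bms.advance({"fuel_valves_not_proven_closed": True}))  # [1]
    log += [bms.advance({}) for _ in range(3)]                        # [], [], []
    log.append(bms.scan({"low_fuel_gas_pressure": True}))            # [8]
    log.append((bms.pilot_energized, bms.main_energized))             # (False, False)
    log.append(bms.reset({"low_fuel_gas_pressure": True}))           # False
    log.append(bms.reset({}))                                         # True
    return log
```

Running demo() walks through the table in order: a permissive only inhibits the next start-up step and never moves a valve, a trip de-energizes the outputs its row names and stays latched so that a later start-up attempt is blocked by the trip rather than by the permissives, and the manual reset of 6.5.1 is accepted only after the detectable condition has cleared.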

8 Example of a Hazard and Risk Analysis Applied to a Multi-Burner Process Heater

The following is an example of hazard and risk analysis for a natural draft multi-burner process heater
firing fuel gas and/or fuel oil. The purpose of this example is to illustrate a methodology for identifying and
classifying the SIF within the BMS. The identified hazards are common to most fired heaters, and the
associated interlocks are typical of those listed in API RP 556 Instrumentation and Controls for Fired
Heaters and Steam Generators. The schematic in Figure 8.1 provides a simplified multiple burner process
heater design that should be used when reviewing this example.
The primary hazards associated with fuel gas and fuel oil-fired heaters are accumulation of uncombusted
fuel in the firing chamber and re-ignition due to loss of flame, fire (due to release of unburned fuel oil in
the firebox), process tube rupture, and steam coil rupture. The hazards associated with the permissives
and interlocks are discussed in clause 6 of this Technical Report and more specifically in the hazard
analysis table of this example. For reference, some recommendations are given for sequencing, which
should not be considered as all-inclusive. These should only be treated as a starting point for review of
the required sequencing for a particular heater application.
8.1 Assumptions and Clarifications

To assist one in interpreting the hazard analysis table and the associated multi-burner heater P&ID
sketch, the following assumptions and clarifications have been made regarding this design.
Assumptions
1) The fired heater is assumed to be designed to operate in a de-energize to trip capacity. Note: de-energize to trip is considered to be the fail safe mode.
2) The heater P&ID is for illustrative purposes only and provides a basis for the analysis
summarized in the hazard analysis table. This example is designed to illustrate the typical
permissives and trips associated with multi-burner fired heaters. The design depicted is only one
of many ways by which the functions may be designed for a multi-burner process heater.
3) This example, in general, does not show BPCS equipment or miscellaneous piping components
(e.g., strainers) associated with the fired heater, but rather is intended to highlight the BMS
equipment. Evaluation of necessary BPCS equipment should also be conducted.
Design Considerations
4) This heater is assumed to have continuous pilots sourced from a supply that is separate from the
main burner fuel gas supply.
5) The heater is natural draft and uses the position of the damper to protect against high firebox
pressure. This example does not take into consideration the need for a high firebox pressure trip
due to loss of containment in a process tube. That SIF should be evaluated according to the
specific process fluid being heated by the heater.
6) The method utilized in this example to verify that all individual burner and pilot valves are closed
prior to light-off is pressurization of the system with nitrogen. Use of nitrogen (or other non-combustibles) to perform this activity may be unsafe if the following considerations are not
accounted for within operating procedures:

  - Allowance of a purge of the nitrogen from the system prior to light-off to ensure that the
    nitrogen does not interfere with flame stability.
  - Measures to ensure that nitrogen is not able to enter the system during normal operation.

Sequence Considerations

There are several permissives and sequence steps listed in section 8.2 that should be considered for safe
start-up of a fired heater. This list is not all-inclusive, but should provide a starting point for discussion on
sequencing requirements for a safe heater start-up. The following considerations are listed because they are
specific to this type of equipment and are not implemented automatically as SIFs.
1) Confirm draft doors (or other facilities) are open to enable natural draft in the heater before
attempting to start the purge.
2) The operator shall accomplish, via documented operating procedure, the confirmation of a
successful purge of the firebox for the natural draft fired heater because no means of detecting air
flow is provided.


Figure 8.1 Multiple Burner Process Heater Process Schematic


8.2 Example Hazard Analysis Table for a Multiple Burner Process Heater

Columns of the table: Phase; Undesirable Event; Consequence Description; Function # Permissive (P) or
Trip (T); Cause(s); Detectable Abnormal Condition; Action Taken.

Phase: Prefiring
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Accumulation of uncombusted fuel in the heater firebox may lead to a flammable
or explosive mixture. If a source of ignition is available, ignition of the flammable mixture may lead to an
uncontrolled fire/explosion, potentially causing injury to personnel or mechanical damage to the heater and
surrounding equipment.

Function 1 (P)
  Cause(s): Fuel gas and pilot gas valves (block valves and vent) improperly aligned prior to light-off.
  See Clause 6.3.1.1.1
  Detectable Abnormal Condition: Valve limit switches not proven
  Action Taken: Inhibit subsequent startup steps.

Function 2 (P)
  Cause(s): Improper purge prior to attempted ignition. See Clause 6.3.1.1.2
  Detectable Abnormal Condition: Air flow with damper and air doors in the correct position does not exist
  for specified time period
  Action Taken: Inhibit subsequent startup steps.

Function 3 (P)
  Cause(s): Block valves at burners or pilots left open. See Clause 6.3.1.2.5
  Detectable Abnormal Condition: Two options: 1. Individual valve limit switches not proven; 2. Fuel gas
  line downstream of control valve fails to pressurize within set time period (Low Fuel Gas Pressure
  (Burner))
  Action Taken: Inhibit subsequent startup steps.

Undesirable Event: Proceeding to the Light-Off cycle when the permissives are not satisfied
Consequence Description: Mechanical damage to the equipment and personnel exposure/harm may occur if
the identified permissives are not met prior to proceeding with the sequence.

Function 4 (P)
  Cause(s): Light-off of the burner when fuel gas valve position is not at min fire position and/or air
  damper is closed such that a fuel rich mixture is entering the combustion chamber.
  See Clause 6.3.1.2.4
  Detectable Abnormal Condition: Fuel gas control valve at position greater than min fire position;
  damper closed beyond light-off position (e.g., minimum stop)
  Action Taken: Inhibit subsequent startup steps.

Phase: Light-Off Cycle
Undesirable Event: Accumulation of uncombusted fuel in heater firebox and re-ignition
Consequence Description: Accumulation of uncombusted fuel in the heater firebox may lead to a flammable
mixture. If a source of ignition is available, ignition of the flammable mixture may lead to an uncontrolled
fire/explosion, potentially causing injury to personnel or mechanical damage to the heater and surrounding
equipment.

Function 5 (T)
  Cause(s): Failure to ignite pilot due to: ignition transformer failure; ignition valve failure; plugged
  burner nozzle; pilot gas contamination with non-flammable material results in unstable mixture that
  cannot support combustion; improper fuel / air ratio. See Clause 6.3.2.1.1
  Detectable Abnormal Condition: Pilot flame not proven within specified time
  Action Taken: Shutoff fuel supply to pilot.

Phase: Normal Operation
Undesirable Event: Accumulation of uncombusted fuel in heater firebox and re-ignition
Consequence Description: Accumulation of uncombusted fuel in the heater firebox may lead to a flammable
mixture. If a source of ignition is available, ignition of the flammable mixture may lead to an uncontrolled
fire/explosion, potentially causing injury to personnel or mechanical damage to the heater and surrounding
equipment.

Function 6 (T)
  Cause(s): Failure to ignite main flame due to: plugged burner nozzle; fuel gas contamination with
  non-flammable material results in unstable mixture that cannot support combustion.
  See Clause 6.3.2.1.2
  Detectable Abnormal Condition: Main flame not proven (this example does not provide detectors on main
  flame to detect this condition); low/high fuel gas pressure at burner; double block and bleed limit
  switches not proven; fuel gas control valve closed
  Action Taken: Shutoff fuel supply to main burners

Function 7 (T)
  Cause(s): High fuel gas pressure in the main header causes flame to blow off of burner tip, with
  potential for loss of flame. Flow of fuel gas through the burner can exceed ratio of available
  combustion air and lead to a fuel rich environment in the heater firebox. See Clause 6.3.3.1.
  Detectable Abnormal Condition: High Fuel Gas Pressure (Burner)
  Action Taken: Close Master Fuel Gas Valves

Function 8 (T)
  Cause(s): Low fuel gas pressure at the burner causes unstable flame operation and loss of flame.
  Continued flow or reintroduction of fuel gas leads to unburned fuel in the firebox.
  See Clause 6.3.3.1.2
  Detectable Abnormal Condition: Low Fuel Gas Pressure
  Action Taken: Close Master Fuel Gas Valves

Function 9 (T)
  Cause(s): Loss of draft in the heater can lead to unstable flame, with potential for loss of flame. Flow
  of fuel gas through the burner can exceed stoichiometric rates for available combustion air and lead to
  a fuel rich environment in the heater firebox. See Clause 6.3.3.5
  Detectable Abnormal Condition: High Firebox Pressure
  Action Taken: Close Master Fuel Gas Valves

Function 10 (T)
  Cause(s): Fuel gas contamination with non-flammable material causes loss of flame and subsequent
  introduction of unburned fuel gas. See Clause 6.3.3.1.6
  Detectable Abnormal Condition: Loss of Burner Flame
  Action Taken: Close Master Fuel Gas Valves

Function 11 (T)
  Cause(s): Low fuel oil pressure in the main header causes unstable flame operation and loss of flame.
  Continued flow or reintroduction of fuel oil leads to unburned fuel in the firebox.
  See Clause 6.3.3.1.3
  Detectable Abnormal Condition: Low Fuel Oil Pressure
  Action Taken: Close Master Fuel Oil Valves

Function 12 (T)
  Cause(s): Loss of control system actuating energy and / or power failure. See Clause 6.3.3.1.7
  Detectable Abnormal Condition: Low instrument air pressure or loss of primary power
  Action Taken: Close Master Fuel Gas, Oil Valves & pilot

Function 13 (T)
  Cause(s): Low pilot gas pressure causes unstable pilot operation and loss of flame. Continued flow or
  reintroduction of gas leads to uncombusted fuel in the firebox. This potential hazard only exists
  during pilots only operation of the heater. See Clause 6.3.3.1.9
  Detectable Abnormal Condition: Low Pilot Gas Pressure
  Action Taken: Close Pilot Gas Valves

Function 14 (T)
  Cause(s): High pilot gas pressure causes liftoff of pilot flame and loss of flame. Continued flow or
  reintroduction of gas leads to uncombusted fuel in the firebox. This potential hazard only exists
  during pilots only operation of the heater. See Clause 6.3.3.1.8
  Detectable Abnormal Condition: High Pilot Gas Pressure
  Action Taken: Close Pilot Gas Valves

Undesirable Event: Unburned Fuel Oil Directed into the Heater Firebox
Consequence Description: Accumulation of uncombusted liquid oil in the firebox may lead to a large fire in
the firebox or a fire on the ground outside of the heater.

Function 15 (T)
  Cause(s): Loss of atomizing steam to the heater will cause loss of atomization of the fuel oil and its
  accumulation on the walls and at the bottom of the heater firebox. See Clause 6.3.3.1.4
  Detectable Abnormal Condition: Low Atomizing Steam Flow / Low FO/Atomizing Steam delta P
  Action Taken: Close Master Fuel Oil Valves

Undesirable Event: Loss of Flow Through Heater Passes
Consequence Description: Increased tube temperature can lead to excessive stress and tube rupture. Extent
of consequence will be determined by process fluid in heater tubes.

Function 16 (T)
  Cause(s): Loss of flow to one or more heater process tubes. See Clause 6.3.3.3
  Detectable Abnormal Condition: Low Pass Flow / No Pass Flow
  Action Taken: Close Master Fuel Valves

9 Example of a Hazard and Risk Analysis Applied to a Thermal Oxidizer

The following example shows how to perform a hazard and risk analysis for a thermal oxidizer. The
hazards listed in this example are common to most thermal oxidizers and the associated interlocks are
typical of those required per NFPA 86 Standard for Ovens and Furnaces. The schematic in Figure 9.1
provides a simplified thermal oxidizer design used for this example.
9.1 Assumptions and Considerations

To assist one in interpreting the hazard analysis table and the associated thermal oxidizer P&ID sketch,
the following assumptions and clarifications have been made regarding this design.
Assumptions
The following assumptions are made in regard to this example:
1) The waste feed stream is not in and of itself flammable, i.e., it will not continue to burn in the
absence of natural gas flow.
2) A continuous pilot is used.
3) All requirements for Class A ovens in NFPA 86 apply to thermal oxidizers, except for the
requirements for explosion relief.
Design Considerations
--``,,`,`,`,````,``,`,``,``,``,,-`-`,,`,,`,`,,`---

1) All design considerations listed for the single burner boiler example apply.
2) The need for a double block and bleed on the waste feed stream should be evaluated on a caseby-case basis. For cases where the waste feed stream is toxic or flammable, analysis should be
used to determine when or if a double block and bleed assembly was required to meet the SIL
requirement.
3) Environmental considerations may dictate that a minimum temperature be achieved to effectively
burn the waste feed. This is not considered in our analysis because this is not a BMS trip, but
would require a risk analysis to determine the required SIL.

Sequence Considerations
There are several permissives and sequence steps listed in section 9.2 that should be considered for safe
start-up of a thermal oxidizer. This list is not all-inclusive, but should provide a starting point for discussion
on sequencing requirements for a safe thermal oxidizer start-up.

Figure 9.1 Thermal Oxidizer Process Schematic

9.2 Example Hazard Analysis Table for a Typical Thermal Oxidizer

Columns: Phase; Undesirable Event; Consequence Description; Function # (Permissive (P) or Trip (T));
Cause(s); Detectable Abnormal Condition; Action Taken.

Phase: Prefiring Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Combustibles in the firing chamber may result in development of a flammable
or explosive mixture, which may then be exposed to a source of ignition, causing undesired combustion,
and potentially an explosion, which may result in mechanical damage to the oxidizer and may also
result in personnel impacts to persons near the equipment.

  Function 1 (P)
    Cause(s): Fuel supply valves improperly aligned (i.e. block valves not closed and / or vent valve
    not open) prior to Light-off. See Clause 6.3.1.1.1
    Detectable Abnormal Condition: Valve fully closed limit switch(es) not proven
    Action Taken: Inhibit subsequent start-up steps.

  Function 2 (P)
    Cause(s): Failure to purge firebox. See Clause 6.3.1.1.2
    Detectable Abnormal Condition: Air flow does not exist for specified time period at sufficient
    flow rate
    Action Taken: Inhibit subsequent start-up steps.

Phase: Light-Off Cycle
Undesirable Event: Proceeding to the Light-Off cycle when the permissives are not satisfied
Consequence Description: Mechanical damage to the equipment and personnel exposure/harm may occur if
the identified permissives are not met prior to proceeding with the sequence.

  Function 3 (P)
    Cause(s): Light-off of the burner when the fuel gas valve position and / or combustion air damper
    position is such that an excessive fuel rich mixture is entering the combustion chamber.
    See Clause 6.3.1.2.4
    Detectable Abnormal Condition: Fuel control valve and air damper not at minimum fire positions
    during attempted light-off
    Action Taken: Inhibit subsequent start-up steps.

Phase: Light-Off Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Combustibles in the firing chamber may result in development of a flammable
or explosive mixture, which may then be exposed to a source of ignition, causing undesired combustion,
and potentially an explosion, which may result in mechanical damage to the boiler and may also result
in personnel impacts to persons near the equipment.

  Function 4 (T)
    Cause(s): Failure to ignite pilot due to:
      - Ignition transformer failure
      - Ignition valve failure
      - Plugged burner nozzle
      - Pilot gas contamination with non-flammable material results in unstable mixture that cannot
        support combustion
      - Improper fuel / air ratio
      See Clause 6.3.2.1.1
    Detectable Abnormal Condition: Igniter flame not proven within specified time
    Action Taken: Shutoff fuel supply to pilot

  Function 5 (T)
    Cause(s): Failure to ignite main flame due to:
      - Plugged burner nozzle
      - Fuel gas contamination with non-flammable material results in unstable mixture that cannot
        support combustion
      See Clause 6.3.2.1.2
    Detectable Abnormal Condition: Main flame not proven within specified time
    Action Taken: Shutoff fuel supply to main burner

Phase: Normal Operation
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Combustibles in the firing chamber may result in development of a flammable
or explosive mixture, which may then be exposed to a source of ignition, causing undesired combustion,
and potentially an explosion, which may result in mechanical damage to the boiler and may also result
in personnel impacts to persons near the equipment.

  Function 6 (T)
    Cause(s): High fuel gas pressure causes unstable flame operation and loss of flame with subsequent
    introduction of unburned fuel gas:
      - Fuel gas regulator failure
      See Clause 6.3.3.1.1
    Detectable Abnormal Condition: High fuel gas pressure or loss of flame
    Action Taken: Shutoff fuel supply to main burner and pilot

  Function 7 (T)
    Cause(s): Low fuel gas pressure causes unstable flame operation and loss of flame with subsequent
    introduction of unburned fuel gas:
      - Loss of fuel gas supply
      - Fuel gas control valve failure
      See Clause 6.3.3.1.2
    Detectable Abnormal Condition: Low fuel gas pressure or loss of flame
    Action Taken: Shutoff fuel supply to main burner and pilot

  Function 8 (T)
    Cause(s): Combustion Air Fan or Damper Failure while firing. See Clause 6.3.3.1.5
    Detectable Abnormal Condition: Loss of combustion air supply (i.e. air flow falls below minimum
    firing rate) or loss of flame
    Action Taken: Shutoff fuel supply to main burner and pilot

  Function 9 (T)
    Cause(s): Fuel gas contamination with non-flammable material causes loss of flame and subsequent
    introduction of unburned fuel gas. See Clause 6.3.3.1.6
    Detectable Abnormal Condition: Loss of flame
    Action Taken: Shutoff fuel supply to main burner and pilot

  Function 10 (T)
    Cause(s): Loss of control system actuating energy and/or power failure. See Clause 6.3.3.1.7
    Detectable Abnormal Condition: Low instrument air pressure or loss of primary power
    Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: Uncontrolled temperature rise in the fume incinerator
Consequence Description: If the maximum temperature limit specified by the heater manufacturer is
exceeded, the combustion chamber could be mechanically damaged and could pose a risk of injury to
personnel located in the vicinity of the equipment.

  Function 11 (T)
    Cause(s): High combustion chamber temperature caused by:
      - Fuel gas control valve failure
      - Waste Feed control valve failure
      See Clause 6.3.3.4
    Detectable Abnormal Condition: High combustion chamber temperature
    Action Taken: Shutoff fuel supply to main burner and pilot if deemed necessary

10 Example of a Hazard and Risk Analysis Applied to an Oil Heater Treater

The following example shows how to perform a hazard and risk analysis for an oil heater treater. The
hazards listed in this example are common to most oil heater treaters, and the associated interlocks are
typical of those required per API RP 14C Recommended Practice for Analysis, Design, Installation, and
Testing of Basic Surface Safety Systems for Offshore Production Platforms, Fired and Exhaust Heated
Components. The schematic in Figure 10.1 provides a typical Oil Heater Treater that should be used
when reviewing this example.

10.1 Assumptions and Considerations

To assist one in interpreting the hazard analysis table and the associated Oil Heater Treater P&ID sketch,
the following assumptions and clarifications have been made regarding this design.
Assumptions
The following assumptions are made in regard to this example:
1) The Oil Heater Treater is a natural draft fired vessel.
2) A continuous pilot is provided on the oil heater treater that is supplied with fuel gas that is shared
with the main burner.
3) The oil heater treater is assumed to be designed to operate in a de-energize to trip capacity.
4) The P&ID sketch provided in Figure 10.1 depicts the use of transmitters for measurement of
various process conditions. Transmitters are typically used in new SIS applications because of
the potential reduction in proof testing requirements and the additional diagnostic benefits
associated with transmitters.
5) The symbols used in Figure 10.1 are based on ANSI/ISA-5.1 and have been modified from the
simplified sketches presented in API RP 14C.
6) Basic Process Control System (BPCS) instrumentation has not been completely depicted, to
simplify the P&ID and keep the focus on BMS related sensors and final elements.
7) High oil/water treater level and low oil level were not addressed because they are associated with
equipment either upstream or downstream of the fired component.
8) The fusible plug loop fire detection system was deemed beyond the scope of this evaluation
because the system involves the entire platform.
9) The purpose and use of stand-alone safety devices, such as relief valves and stack flame
arresters, are shown on the P&ID drawing; however, their functionality was not considered in the
hazard analysis table. The risk reduction provided by these devices should be considered in the
risk analysis for equipment of this type.

Design Considerations
The following design considerations are applicable to the Oil Heater Treater:
1) The low fuel gas pressure design consideration presented for the single burner boiler is also
applicable to the oil heater treater.
2) The design considerations for the loss of control system actuating energy presented for the single
burner boiler are also applicable to the oil heater treater.
3) Double actuated block valves are provided to isolate the fuel gas supply to the main burner.
4) The fuel gas isolation block valves have been equipped with a closed position switch to allow for
proper line-up in the pre-firing sequence. This position switch is in addition to the equipment
presented in API RP 14C.
5) A pressure transmitter has been added to the API RP 14C oil heater treater design, located
upstream of the pilot and main burner fuel gas isolation valves, to provide detection of adequate
fuel gas supply.
Sequence Considerations
There are several permissives and sequence steps listed in clause 10.2 that should be considered for
safe start-up of an oil heater treater. This list is not all-inclusive, but should provide a starting point for
discussion on sequencing requirements for a safe oil heater treater start-up. The following consideration
is listed as specific for this type of equipment, as it is not implemented automatically as a SIF.
1) The operator shall accomplish, via documented operating procedure, the confirmation of a
successful purge of the firebox for the natural draft oil heater treater, because no means of
detecting air flow is provided.

Figure 10.1 Example Oil Heater Treater Process Schematic

10.2 Example Hazard Analysis Table for a Typical Oil Heater Treater (API RP 14C Fired Vessel - Natural Draft)

Columns: Phase; Undesirable Event; Consequence Description; Function # (Permissive (P) or Trip (T));
Cause(s); Detectable Abnormal Condition; Action Taken.

Phase: Prefiring Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Combustibles in the firing chamber may result in development of a flammable
or explosive mixture, which may then be exposed to a source of ignition, causing undesired combustion,
and potentially an explosion, which may result in mechanical damage to the vessel and may also result
in personnel impacts to persons near the equipment.

  Function 1 (P)
    Cause(s): Fuel supply valves improperly aligned (i.e. block valves not closed and / or vent valve
    not open) prior to Light-off. See Clause 6.3.1.1.1
    Detectable Abnormal Condition: Valve fully closed limit switch not proven (sensor not required by
    API 14C)
    Action Taken: Inhibit subsequent start-up steps.

  Function 2 (P)
    Cause(s): Failure to purge firebox. See Clause 6.3.1.1.2
    Detectable Abnormal Condition: Air flow does not exist for specified time period.
    Action Taken: Inhibit subsequent start-up steps.

Phase: Light-Off Cycle
Undesirable Event: Proceeding to the Light-Off cycle when the permissives are not satisfied
Consequence Description: Mechanical damage to the equipment and personnel exposure/harm may occur if
the identified permissives are not met prior to proceeding with the sequence.

  Function 3 (P)
    Cause(s): Light-off of the burner when the fuel gas valve position is such that an excessive fuel
    rich mixture is entering the combustion chamber. See Clause 6.3.1.2.4
    Detectable Abnormal Condition: Fuel gas control valve at position greater than min fire position.
    Action Taken: Inhibit subsequent start-up steps.

Phase: Light-Off Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Accumulation of combustibles in the firing chamber may result in development
of a flammable mixture, which may then be exposed to a source of ignition, causing combustion, and
potentially an explosion, which may result in mechanical damage to the vessel and may also result in
personnel impacts to persons near the equipment.

  Function 4 (T)
    Cause(s): Failure to ignite pilot due to:
      - Ignition transformer failure
      - Ignition valve failure
      - Plugged pilot burner nozzle
      - Pilot gas contamination with non-flammable material results in unstable mixture that cannot
        support combustion
      - Improper fuel / air ratio
      See Clause 6.3.2.1.1
    Detectable Abnormal Condition: Igniter flame not proven within specified time
    Action Taken: Shutoff fuel supply to main burner and pilot

  Function 5 (T)
    Cause(s): Failure to ignite main flame due to:
      - Plugged burner nozzle
      - Fuel gas contamination with non-flammable material results in unstable mixture that cannot
        support combustion
      - Improper fuel / air ratio
      See Clause 6.3.2.1.2
    Detectable Abnormal Condition: Main flame not proven within specified time
    Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Accumulation of combustibles in the firing chamber may result in development
of a flammable mixture, which may then be exposed to a source of ignition, causing combustion, and
potentially an explosion, which may result in mechanical damage to the vessel and may also result in
personnel impacts to persons near the equipment.

  Function 6 (T)
    Cause(s): High fuel gas pressure in the main burner fuel gas causes unstable flame operation and
    loss of flame with subsequent introduction of unburned fuel gas:
      - Fuel gas regulator failure
      See Clause 6.3.3.1.1
    Detectable Abnormal Condition: High fuel gas pressure or loss of flame
    Action Taken: Shutoff fuel supply to main burner and pilot

  Function 7 (T)
    Cause(s): Low fuel gas pressure in the main burner fuel gas causes unstable flame operation and
    loss of flame with subsequent introduction of unburned fuel gas:
      - Loss of fuel gas supply
      - Fuel control system failure
      See Clause 6.3.3.1.2
    Detectable Abnormal Condition: Low fuel gas pressure or loss of flame (pressure sensor not
    required by API RP 14C)
    Action Taken: Shutoff fuel supply to main burner and pilot

  Function 8 (T)
    Cause(s): Fuel gas contamination with non-flammable material causes loss of flame and subsequent
    introduction of unburned fuel gas. See Clause 6.3.3.1.6
    Detectable Abnormal Condition: Loss of burner flame
    Action Taken: Shutoff fuel supply to main burner and pilot

  Function 9 (T)
    Cause(s): Loss of control system actuating energy and / or power failure. See Clause 6.3.3.1.7
    Detectable Abnormal Condition: Low instrument air pressure or loss of primary power (sensor not
    required by API 14C)
    Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: Low level in front section of Heater Treater
Consequence Description: Possible mechanical damage to vessel or heating tubes, if firing is continued
without sufficient heat sink. Mechanical damage and/or explosion of the vessel may also result in
personnel impacts to persons near the equipment.

  Function 10 (T)
    Cause(s): Low vessel level due to:
      - Loss or reduced inlet flow into vessel
      - Failure of drum level instrumentation / basic process control system
      - Leakage from vessel
      - Water vaporization
      See Clause 6.3.3.6
    Detectable Abnormal Condition: Low Level in Heater Treater front section
    Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: High temperature in Heater Treater
Consequence Description: Possible mechanical damage to vessel or heating tubes, if firing is continued
without sufficient liquid present to remove heat. Mechanical damage and/or explosion of the vessel may
also result in personnel impacts to persons near the equipment.

  Function 11 (T)
    Cause(s): High vessel temperature due to:
      - Temperature control failure
      - Inadequate inlet flow into vessel
      - Ignition of medium leak into fired chamber
      - Plus low level causes identified in item 11, above.
      See Clause 6.3.3.7
    Detectable Abnormal Condition: High temperature in Heater Treater front section
    Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: Excessive Pressure in Heater Treater Vessel
Consequence Description: Possible vessel rupture or explosion. This event may result in personnel
impacts to persons near the equipment.

  Function 12 (T)
    Cause(s): High vessel pressure due to:
      - Regulator failure or valve closed in gas outlet
      - Overfiring caused by instrumentation / basic process control system failures or operator error
      See Clause 6.3.3.8
    Detectable Abnormal Condition: High Vessel Pressure
    Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: High Stack Temperature
Consequence Description: Potential to damage the burner tubes leading to hot process fluid leakage out
of the vessel and possible fire.

  Function 13 (T)
    Cause(s): High stack temperature due to:
      - Overfiring caused by instrumentation / basic process control system failures or operator error
      See Clause 6.3.3.4
    Detectable Abnormal Condition: High Stack Temperature
    Action Taken: Shutoff fuel supply to main burner and pilot

11 Example of a Hazard and Risk Analysis Applied to a Glycol Reboiler

The following example shows how to perform a hazard and risk analysis for a glycol reboiler. The hazards
listed in this example are common to most fired reboilers, and the associated interlocks are typical of
those required per API RP 14C Recommended Practice for Analysis, Design, Installation, and Testing
of Basic Surface Safety Systems for Offshore Production Platforms, Fired and Exhaust Heated
Components. The schematic in Figure 11.1 provides a typical Glycol Reboiler that should be used when
reviewing this example.

11.1 Assumptions and Considerations

To assist one in interpreting the hazard analysis table and the associated glycol reboiler P&ID sketch, the
following assumptions and clarifications have been made regarding this design.
Assumptions
The following assumptions are made in regard to this example:
1) The Glycol Reboiler is a forced draft fired vessel.
2) A continuous pilot is provided on the glycol reboiler that is supplied with fuel gas that is shared
with the main burner.
3) The glycol reboiler is assumed to be designed to operate in a de-energize to trip capacity.
4) The P&ID sketch provided in Figure 11.1 depicts the use of transmitters for measurement of
various process conditions. Transmitters are typically used in new SIS applications because of
the potential reduction in proof testing requirements and the additional diagnostic benefits
associated with transmitters.
5) The symbols used in Figure 11.1 are based on ANSI/ISA-5.1 and have been modified from the
simplified sketches presented in API RP 14C.
6) Basic Process Control System (BPCS) instrumentation has not been completely depicted, to
simplify the P&ID and keep the focus on BMS related sensors and final elements.
7) High reboiler level and low glycol level in the overflow were not addressed because they are
associated with equipment either upstream or downstream of the fired component.
8) The fusible plug loop fire detection system was deemed beyond the scope of this evaluation
because the system involves the entire platform.
9) The purpose and use of stand-alone safety devices, such as relief valve and stack flame arrester,
are shown on the P&ID drawing; however, their functionality was not considered in the hazard
analysis table. The risk reduction provided by these devices should be considered in the risk
analysis for equipment of this type.

Design Considerations
The following design considerations are applicable to the Glycol Reboiler:
1) The low fuel gas pressure design consideration presented for the single burner boiler is also
applicable to the glycol reboiler.
2) The design considerations for the loss of control system actuating energy presented for the single
burner boiler are also applicable to the glycol reboiler.
3) A single actuated block valve is provided to isolate the fuel gas supply to the main burner.
4) The fuel gas isolation block valve has been equipped with a closed position switch to allow for
proper line-up in the pre-firing sequence. This position switch is in addition to the equipment
presented in API RP 14C.
5) A pressure transmitter has been added to the API RP 14C glycol reboiler design, located
upstream of the pilot and main burner fuel gas isolation valves, to provide detection of adequate
fuel gas supply.
Sequence Considerations
There are several permissives and sequence steps listed in clause 11.2 that should be considered for
safe start-up of a glycol reboiler. This list is not all-inclusive, but should provide a starting point for
discussion on sequencing requirements for a safe glycol reboiler start-up.

Figure 11.1 Typical Glycol Reboiler Process Schematic

11.2 Example Hazard Analysis Table for a Typical Glycol Reboiler (API RP 14C Fired Vessel - Forced Draft)

Columns: Phase; Undesirable Event; Consequence Description; Function # (Permissive (P) or Trip (T));
Cause(s); Detectable Abnormal Condition; Action Taken.

Phase: Prefiring Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Combustibles in the firing chamber may result in development of a flammable
or explosive mixture, which may then be exposed to a source of ignition, causing undesired combustion,
and potentially an explosion, which may result in mechanical damage to the vessel and may also result
in personnel impacts to persons near the equipment.

  Function 1 (P)
    Cause(s): Fuel supply valve not fully closed prior to light-off. See Clause 6.3.1.1.1
    Detectable Abnormal Condition: Valve fully closed limit switch not proven (sensor not required by
    API 14C)
    Action Taken: Inhibit subsequent start-up steps.

  Function 2 (P)
    Cause(s): Failure to purge firebox. See Clause 6.3.1.1.2
    Detectable Abnormal Condition: Combustion air pressure not sufficient for specified time period
    Action Taken: Inhibit subsequent start-up steps.

Phase: Light-Off Cycle
Undesirable Event: Proceeding to the Light-Off cycle when the permissives are not satisfied
Consequence Description: Mechanical damage to the equipment and personnel exposure/harm may occur if
the identified permissives are not met prior to proceeding with the sequence.

  Function 3 (P)
    Cause(s): Light-off of the burner when the fuel gas valve position and / or air damper position is
    such that an excessive fuel rich mixture is entering the combustion chamber. See Clause 6.3.1.2.4
    Detectable Abnormal Condition: Fuel control valve and air damper not at minimum fire positions
    during attempted light-off (Function not required by API 14C)
    Action Taken: Inhibit subsequent start-up steps.

Phase: Light-Off Cycle
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Accumulation of combustibles in the firing chamber may result in development
of a flammable mixture, which may then be exposed to a source of ignition, causing combustion, and
potentially an explosion, which may result in mechanical damage to the vessel and may also result in
personnel impacts to persons near the equipment.

  Function 4 (T)
    Cause(s): Failure to ignite pilot due to:
      - Ignition transformer failure
      - Ignition valve failure
      - Plugged pilot burner nozzle
      - Pilot gas contamination with non-flammable material results in unstable mixture that cannot
        support combustion
      - Improper fuel / air ratio (linkage failure, control failure)
      See Clause 6.3.2.1.1
    Detectable Abnormal Condition: Igniter flame not proven within specified time
    Action Taken: Shutoff fuel supply to pilot

  Function 5 (T)
    Cause(s): Failure to ignite main flame due to:
      - Plugged burner nozzle
      - Fuel gas contamination with non-flammable material results in unstable mixture that cannot
        support combustion
      - Improper fuel / air ratio
      See Clause 6.3.2.1.2
    Detectable Abnormal Condition: Main flame not proven within specified time
    Action Taken: Shutoff fuel supply to main burner

Phase: Normal Operation
Undesirable Event: Excess Combustible Vapors in Firing Chamber
Consequence Description: Accumulation of combustibles in the firing chamber may result in development
of a flammable mixture, which may then be exposed to a source of ignition, causing combustion, and
potentially an explosion which may result in mechanical damage to the vessel and may also result in
personnel impacts to persons near the equipment.

  Function 6 (T)
    Cause(s): High fuel gas pressure in the main burner fuel gas causes unstable flame operation and
    loss of flame with subsequent introduction of unburned fuel gas:
      - Fuel gas regulator failure
      See Clause 6.3.3.1.1
    Detectable Abnormal Condition: High fuel gas pressure or loss of flame
    Action Taken: Shutoff fuel supply to main burner and pilot

  Function 7 (T)
    Cause(s): Low fuel gas pressure in the main burner fuel gas causes unstable flame operation and
    loss of flame with subsequent introduction of unburned fuel gas:
      - Loss of fuel gas supply
      - Fuel control system failure
      See Clause 6.3.3.1.2
    Detectable Abnormal Condition: Low fuel gas pressure or loss of flame
    Action Taken: Shutoff fuel supply to main burner and pilot

  Function 8 (T)
    Cause(s): Low combustion air:
      - Combustion Air Fan failure while firing
      - Blocked air inlet
      See Clause 6.3.3.1.5
    Detectable Abnormal Condition: Low combustion air pressure, motor run contact lost on combustion
    air blower, or loss of flame
    Action Taken: Shutoff fuel supply to main burner and pilot

  Function 9 (T)
    Cause(s): Fuel gas contamination with non-flammable material causes loss of flame and subsequent
    introduction of unburned fuel gas. See Clause 6.3.3.1.6
    Detectable Abnormal Condition: Loss of burner flame
    Action Taken: Shutoff fuel supply to main burner and pilot

  Function 10 (T)
    Cause(s): Loss of control system actuating energy and / or power failure. See Clause 6.3.3.1.7
    Detectable Abnormal Condition: Low instrument air pressure or loss of primary power (Sensor not
    required by API 14C)
    Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: Low level in Glycol Reboiler
Consequence Description: Possible mechanical damage to vessel or heating tubes, if firing is continued
without sufficient liquid present to remove heat. Mechanical damage of the vessel may also result in a
heater fire with the potential for personnel impacts to persons near the equipment.

  Function 11 (T)
    Cause(s): Low vessel level due to:
      - Loss or reduced inlet flow into vessel
      - Failure of drum level instrumentation / basic process control system
      - Leakage from vessel
      See Clause 6.3.3.6
    Detectable Abnormal Condition: Low level in reboiler
    Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: High temperature in Glycol Reboiler
Consequence Description: Possible mechanical damage to vessel, heating tubes or column, if firing is
continued without sufficient heat removal. Mechanical damage of the vessel and tubes may also result in
a fire with the potential for personnel impacts to persons near the equipment.

  Function 12 (T)
    Cause(s): High vessel temperature due to:
      - Temperature control failure
      - Inadequate inlet flow into vessel
      - Ignition of medium leak into fired chamber
      - Plus low level causes identified in item 11, above.
      See Clause 6.3.3.7
    Detectable Abnormal Condition: High temperature in Glycol Reboiler
    Action Taken: Shutoff fuel supply to main burner and pilot

Phase: Normal Operation
Undesirable Event: High Stack Temperature
Consequence Description: Potential to damage the burner tubes leading to hot process fluid leakage out
of the vessel and possible fire.

  Function 13 (T)
    Cause(s): High stack temperature due to:
      - Overfiring caused by instrumentation / basic process control system failures or operator error
      See Clause 6.3.3.4
    Detectable Abnormal Condition: High Stack Temperature
    Action Taken: Shutoff fuel supply to main burner and pilot

12 Example Hazard and Risk Analysis and Verification


The following examples are provided to help clarify how the overall concepts of the Safety Lifecycle can
be applied to fired equipment. The examples contained herein are generic in nature and do not represent
an intention to endorse any specific risk criteria and/or design architectures.
12.1 Hazard and Risk Analysis
This report does not endorse a specific methodology for performing risk assessment. Refer to ANSI/ISA-84.00.01-2004 Part 3 and Guidelines for Hazard Evaluation Procedures (CCPS/AIChE) for information on
methods for risk assessment. The hazard and risk analysis results presented in this Clause are based
upon the Safety Layer Matrix presented in ANSI/ISA-84.00.01-2004 Part 3, Figure C.2. Four different
scenarios were evaluated and are shown in Table 12.1. The scenarios were selected to highlight the
design process and decisions an SIS designer should consider when selecting an architecture for a given
SIF / SIS.
12.1.1 Item Number 1

The first scenario analyzes the process hazards associated with low fuel gas pressure, which could result
in loss of flame. The continued addition of fuel gas without flame allows accumulation of unburned fuel
gas which, if ignited, results in an uncontrolled fire or explosion. This consequence is determined to be a
serious event. Two different initiating events were identified for this hazard. A likelihood of
medium was estimated for the failure of the fuel gas pressure control loop. A likelihood of high was
estimated for the failure of the fuel gas supply. A continuously operated, separately sourced pilot provides
protection against both initiating events. Based upon the risk analysis, the function is an SIF and needs to
meet SIL 2.
12.1.2 Item Number 2
The second scenario also analyzes the process hazards associated with low fuel gas pressure, but in this
case the likelihood of the event is judged to be lower than that of the event assessed in item number 1. The
consequence is determined to be a serious event and the same two initiating events were
identified. A likelihood of medium was estimated for both the failure of the fuel gas pressure control loop
and the failure of the fuel gas supply. Once again, for both initiating events, a single Independent Protection
Layer was identified consisting of a continuously operated, separately sourced pilot burner. Based upon
the risk analysis, the BMS function is an SIF and needs to meet SIL 1.
12.1.3 Item Number 3
The third scenario analyzes the process hazards associated with inadequate purge due to poor air flow at
the purge rate for the purge duration. Inadequate purge could allow previously introduced fuels to remain
in the heater, which could result in a fire or explosion upon light-off. This consequence was deemed to be
a serious event. Two different initiating events for this specific hazard were identified. A likelihood of
medium was estimated for the blocked air inlet. A likelihood of low was estimated for the blower failure.
For both initiating events a single Independent Protection Layer was identified, which relies on an
operator following a procedure requiring a manual check of the combustible concentration prior to light-off.

Copyright International Society of Automation


Provided by IHS under license with ISA
No reproduction or networking permitted without license from IHS

Licensee=BP International/5928366101

Copyright 2009 ISA.NotAll


rights
reserved.
for Resale,
10/04/2012
08:02:58 MDT

- 60 --``,,`,`,`,````,``,`,``,``,``,,-`-`,,`,,`,`,,`---

Copyright International Society of Automation


Provided by IHS under license with ISA
No reproduction or networking permitted without license from IHS

ISA-TR84.00.05-2009

Table 12.1 Example Hazard and Risk Analysis Summary

(Columns: Item No. | Process Hazard | Hazardous Event | Consequence (Risk Matrix) | Consequence | Initiating Event | Likelihood Category L | RR | Independent Protection Layers (IPLs) | IPL Credit | Highest Required SIL for SIF (All Causes))

Item 1
   Process Hazard: Low Fuel Gas Pressure Resulting in Loss of Flame (Case 1)
   Hazardous Event: Loss of flame with continued addition of fuel gas can result in accumulation of unburned fuel gas which if ignited could result in an uncontrolled fire or explosion.
   Consequence (Risk Matrix): The team felt that the consequence of this event could be serious based on the magnitude of the potential explosion and equipment location in a frequently occupied area.
   Consequence: Serious
   Initiating Event 1: Failure of fuel gas pressure control. Likelihood Category: Medium
      IPLs: 1. Continuously operated separately sourced pilot burners (IPL Credit 1); 2. Low Fuel Gas Pressure Causes Fuel Gas Shutoff (SIL 1)
   Initiating Event 2: Loss of fuel gas supply - various reasons including loss of utility supply and miscellaneous misoperation. Likelihood Category: High
      IPLs: 1. Continuously operated separately sourced pilot burners (IPL Credit 1); 2. Low Fuel Gas Pressure Causes Fuel Gas Shutoff (SIL 2)
   Highest Required SIL for SIF (All Causes): SIL 2

Item 2
   Process Hazard: Low Fuel Gas Pressure Resulting in Loss of Flame (Case 2)
   Hazardous Event: Loss of flame with continued addition of fuel gas can result in accumulation of unburned fuel gas which if ignited could result in an uncontrolled fire or explosion.
   Consequence (Risk Matrix): The team felt that the consequence of this event could be serious based on the magnitude of the potential explosion and equipment location in a frequently occupied area.
   Consequence: Serious
   Initiating Event 1: Failure of fuel gas pressure control. Likelihood Category: Medium
      IPLs: 1. Continuously operated separately sourced pilot burners (IPL Credit 1); 2. Low Fuel Gas Pressure Causes Fuel Gas Shutoff (SIL 1)
   Initiating Event 2: Loss of fuel gas supply - various reasons including loss of utility supply and misc. misoperation. For this case the fuel gas supply was considered more reliable than in the first case. Likelihood Category: Medium
      IPLs: 1. Continuously operated separately sourced pilot burners (IPL Credit 1); 2. Low Fuel Gas Pressure Causes Fuel Gas Shutoff (SIL 1)
   Highest Required SIL for SIF (All Causes): SIL 1

Item 3
   Process Hazard: Failure to Provide Airflow (Detected by Low Pressure) at Purge Rate for the Purge Duration
   Hazardous Event: Failure to purge the firebox prior to addition of fuel and light-off (an ignition source) could result in a fire or explosion if flammable materials were present.
   Consequence (Risk Matrix): The team felt that based on the location and occupancy of the area around the heater the consequence of this event would be serious.
   Consequence: Serious
   Initiating Event 1: Blocked air inlet. Likelihood Category: Medium
      IPLs: 1. Operator intervention based on manual combustible concentration analysis prior to light-off (IPL Credit 1); 2. Low Air Flow (to be detected by Low Air Pressure) to inhibit subsequent start-up step (SIL 1)
   Initiating Event 2: Blower failure. Likelihood Category: Low
      IPLs: 1. Operator intervention based on manual combustible concentration analysis prior to light-off
   Highest Required SIL for SIF (All Causes): SIL 1

Item 4
   Process Hazard: Flame Detection Prior to Purge
   Hazardous Event: Prior to light-off, pool fire of flammable liquids exists in the firebox due to misoperation.
   Consequence (Risk Matrix): The team felt that based on the equipment location and occupancy of the area around the heater the consequence of this event would be serious.
   Consequence: Serious
   Initiating Event 1: Oil pool fire existing prior to startup. Likelihood Category: Low
      IPLs: 1. Operator intervention based on walkthrough inspection prior to startup
   Required SIL (All Causes): Not Applicable


12.1.4 Item Number 4

The fourth scenario analyzes the process hazards associated with starting up the fired equipment under
emergency conditions. It is included to highlight the various types of functions that might be evaluated
using risk analysis. The hazards are caused by the presence of uncontrolled pool fires within the firebox
due to equipment misoperation. If the operator attempts to start up the equipment in this condition, a
more serious event could result. The consequence severity was deemed to be serious. One initiating
event was identified with a likelihood of low. A single Independent Protection Layer was identified, which
relied on an operator following a procedure to inspect the combustion chamber prior to startup.
NOTE RR in the above table represents the amount of required risk reduction prior to consideration of independent protection
layers.

12.2 SIL Verification


The process of selecting an acceptable design for a given SIS / SIF in practice tends to be iterative. The
SIS designer adjusts key parameters and performs the SIL Verification calculations to determine their
impact on the overall results. Some or all of the following are key parameters typically considered during
the evaluation:

Sensor type (i.e., transmitter versus switch, etc.) and architecture (redundancy / voting with
common cause failure consideration)

Logic Solver type (i.e., E/E/PE) and architecture (redundancy / voting with common cause failure
consideration)

Final Element type (on/off valve versus on/off valve with partial stroke testing, etc.) and
architecture (redundancy / voting with common cause failure consideration)

Proof Test Interval for Sensor, Logic Solver and Final Elements

The design process typically uses a five (5) step procedure to verify the safety integrity level (see Figure
12.1). The typical five (5) step system analysis approach can be defined as:
1) Step 1 Select an architecture for evaluation (sensors, logic solver and final elements). For SISs,
ensure that the architecture meets the fault tolerance requirements of ANSI/ISA-84.00.01-2004.
2) Step 2 Determine theoretical Probability of Failure on Demand Average (PFDavg).
3) Step 3 Determine theoretical Nuisance Trip Rate or Mean Time To Fail Safe (MTTFS).
4) Step 4 Compare theoretical results to expected performance.
5) Step 5 Repeat the above steps for each possible SIS architecture being considered for the project.
Evaluation of cost of ownership can be as simple as selecting an architecture that achieves a minimum
nuisance trip (i.e., MTTFS > 10 years) or as detailed as performing Lifecycle Cost Analysis to evaluate
order of magnitude cost of ownership, including initial capital expenditures and operating costs, over the
lifetime of the SIS.

Figure 12.1. Work Process Used for This Example

(Figure 12.1 is a flowchart; only its box labels survive in this copy: Start; SIS Design Architecture Options; Perform SIL or PFDavg; Perform Nuisance Trip Rate or MTTFS; Meet SIL? (Yes / No); Evaluate Cost of Ownership; Lowest Cost? (Yes / No).)


12.2.1 Assumptions and Clarifications

This technical report does not include the specific reliability calculations. Instead, one should refer to
ISA-TR84.00.02-2002 for information on performing these calculations.
1) Failure Rate Data for field devices for the examples in this document were obtained from
ISA-TR84.00.02-2002 Part 1, Table 5.1, Company B. Failure Rate Data for logic solvers for these
examples were obtained from SINTEF and the Safety Equipment Reliability Handbook, ISBN 0-9727234-0-4.
2) The Generic Safety PES in Table 12.2 represents a logic solver designed per IEC 61508 and
suitable for use in a SIL 2 application.
3) The generic PES contained in Table 12.2 represents a general purpose, industrial grade PE logic
solver.
4) The generic Safety PES architecture / voting scheme in Table 12.2 has been depicted as
complex to avoid the appearance of endorsing any specific platform or product. Each
owner/operator should evaluate the architecture (1oo1, 1oo2, 1oo2D, 2oo3, 2oo4, etc.) for their
given application.
Prior to selecting an architecture for a given SIF, one must consult the specific code / standard that
governs the fired equipment under consideration. For example, NFPA 85 Clause 4 places additional
requirements on the logic system: no single component failure within the logic system shall prevent
a mandatory master fuel trip. For SIFs with a requirement of SIL 1 or higher, refer to ANSI/ISA-84.00.01-2004 for additional information regarding PES requirements.
12.2.2 Design Results
Examples of the functions identified in Table 12.1 were assessed to determine if these functions could
meet the risk reduction requirements defined by the hazard and risk analysis. Details of the assessment
are discussed below and summarized in Table 12.2.
12.2.2.1 Item Number 1 Case 1
This design option included the use of redundant / diverse sensors in a 1oo2 voting scheme to detect low
fuel gas pressure. A general purpose industrial grade logic solver was considered for use as the logic
solver. Redundant block valves in a 1oo2 voting scheme were modeled as final elements. The sensor,
logic solver and final element subsystems were assumed to be proof tested every 12 months. As
modeled, this design does not meet the risk reduction requirements. Thus, design modifications must be
considered.
12.2.2.2 Item Number 1 Case 2
This design option included the use of redundant / diverse sensors in a 1oo2 voting scheme to detect low
fuel gas pressure. The general purpose industrial grade logic solver was replaced with a Safety PES
designed per IEC 61508 and suitable for use in SIL 2 applications. Redundant block valves in a 1oo2
voting scheme were modeled as final elements. The sensor, logic solver and final element subsystems
were assumed to be proof tested every 12 months. The upgraded logic solver made a significant
difference in the theoretical performance. The design meets the required SIL. If desired, an
owner/operator could now consider cost of ownership issues and evaluate alternative designs.

12.2.2.3 Item Number 2 Case 3

This potential design option included the use of a single transmitter to detect the low fuel gas pressure
initiating event that leads to loss of flame. A general purpose industrial grade logic solver was
considered for use as the logic solver. A simplex block valve was modeled for the final element. The
sensor, logic solver and final elements were subjected to an assumed proof test interval of 48 months. As
modeled, this design cannot meet SIL 1. Thus, design modifications must be considered.
12.2.2.4 Item Number 2 Case 4
This design option included the use of a single transmitter to detect low fuel gas pressure. The general
purpose industrial grade logic solver was replaced with a Safety PES designed per IEC 61508 and
suitable for use in SIL 2 applications. The simplex block valve scheme was replaced with redundant block
valves used in a 1oo2 voting scheme. The sensor, logic solver and final element subsystems were
assumed to be proof tested every 48 months. By upgrading the final element voting architecture and logic
solver, this design meets the PFDavg required for SIL 1. If desired, an owner/operator could now consider
cost of ownership issues and potentially evaluate additional designs for this SIF.

12.2.2.5 Item Number 3 Case 5

This potential design option included the use of a single transmitter to detect loss of
combustion air flow, the initiating event. A Safety PES designed per IEC 61508 and suitable for use in
SIL 2 applications is modeled as the logic solver for this SIF. Because this is a permissive SIF that
inhibits subsequent light-off steps, no final elements are required in the design; the sensor and logic
solver subsystems are assumed to be proof tested every 12 months.
As modeled, this design meets the PFDavg required for SIL 1. If desired, an owner/operator could now
consider cost of ownership issues and potentially evaluate additional designs for this SIF.
12.2.2.6 Item Number 4 Case 6


No design options were evaluated for this case as the hazard and risk analysis did not identify this
function as an SIF.
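As an added worked example (not code from ISA-TR84.00.05 or its authors), the Python below carries the five-step procedure of 12.2 through the five architectures described in 12.2.2 and summarized in Table 12.2: simplified IEC 61508-6 PFDavg formulas for 1oo1 and 1oo2 voting with a common-cause fraction, MTTFS from the spurious trip rates, the IEC 61508 low-demand SIL bands, and a simplified fault-tolerance screen. All failure rates, the beta factor and the SIL-suitability values are constructed assumptions, not the ISA-TR84.00.02-2002 data the report used; they were chosen so that the pass/fail pattern reproduces Table 12.2.

```python
"""Added example, not ISA-TR84.00.05 code: SIL verification (12.2 steps 1-5) for the
Table 12.2 architectures. Failure rates are CONSTRUCTED, not the report's data."""
from dataclasses import dataclass
from typing import Optional
HOURS_PER_YEAR = 8760.0

@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_du: float        # dangerous undetected failures per hour (constructed)
    lambda_s: float         # safe (spurious trip) failures per hour (constructed)
    voting: str = "1oo1"    # "1oo1" simplex or "1oo2" redundant (either channel trips)
    beta: float = 0.1       # common-cause fraction for 1oo2 channels (assumed)
    sil_capable: int = 3    # assumed SIL suitability; only consulted for logic solvers

    def hft(self) -> int:
        """Hardware fault tolerance implied by the voting scheme."""
        return 1 if self.voting == "1oo2" else 0

    def pfd_avg(self, ti_hours: float) -> float:
        """Simplified IEC 61508-6 PFDavg over a proof test interval of ti_hours."""
        if self.voting == "1oo1":
            return self.lambda_du * ti_hours / 2
        independent = (1 - self.beta) * self.lambda_du
        return (independent * ti_hours) ** 2 / 3 + self.beta * self.lambda_du * ti_hours / 2

    def spurious_rate(self) -> float:
        """Nuisance trips per hour; a 1oo2 group trips when either channel fails safe."""
        return self.lambda_s * (2 if self.voting == "1oo2" else 1)

def sil_from_pfd(pfd: float) -> int:
    """IEC 61508 low-demand bands: SIL n covers 10^-(n+1) <= PFDavg < 10^-n."""
    for sil in (4, 3, 2, 1):
        if pfd < 10.0 ** -sil:
            return sil
    return 0  # PFDavg >= 0.1 earns no SIL

def verify(sensor: Subsystem, logic: Subsystem, final: Optional[Subsystem],
           ti_months: int, sil_required: int) -> dict:
    """Steps 2-4: PFDavg, MTTFS and a fault-tolerance screen for one architecture."""
    ti_hours = ti_months / 12 * HOURS_PER_YEAR
    subs = [s for s in (sensor, logic, final) if s is not None]
    pfd = sum(s.pfd_avg(ti_hours) for s in subs)
    mttfs_years = 1.0 / sum(s.spurious_rate() for s in subs) / HOURS_PER_YEAR
    achieved = sil_from_pfd(pfd)
    # Simplified screen (assumption, not the full ANSI/ISA-84.00.01-2004 tables):
    # field devices need HFT >= SIL-1; the logic solver must be suitable for the SIL.
    field_ok = all(s.hft() >= sil_required - 1 for s in (sensor, final) if s)
    return {"pfd_avg": pfd, "sil_achieved": achieved, "met_pfd": achieved >= sil_required,
            "met_fault_tolerance": field_ok and logic.sil_capable >= sil_required,
            "mttfs_years": mttfs_years, "nuisance_ok": mttfs_years > 10}

# Constructed devices; the transmitter / flame relay pair is modelled as two like channels.
PT_1oo1 = Subsystem("Pressure transmitter", 1e-6, 1e-6)
PT_1oo2 = Subsystem("Pressure transmitter / flame relay", 1e-6, 1e-6, "1oo2")
GENERAL_PES = Subsystem("General purpose PES (Note 1)", 5e-6, 3e-6, sil_capable=1)
SAFETY_PES = Subsystem("Safety PES per IEC 61508 (Note 2)", 2e-7, 5e-7, sil_capable=2)
VALVE_1oo1 = Subsystem("Block valve with dedicated solenoid", 1e-6, 1e-6)
VALVE_1oo2 = Subsystem("Block valves with dedicated solenoids", 1e-6, 1e-6, "1oo2")
CASES = [  # label, sensor, logic solver, final element, proof test months, SIL required
    ("Item 1 Case 1", PT_1oo2, GENERAL_PES, VALVE_1oo2, 12, 2),
    ("Item 1 Case 2", PT_1oo2, SAFETY_PES, VALVE_1oo2, 12, 2),
    ("Item 2 Case 3", PT_1oo1, GENERAL_PES, VALVE_1oo1, 48, 1),
    ("Item 2 Case 4", PT_1oo1, SAFETY_PES, VALVE_1oo2, 48, 1),
    ("Item 3 Case 5", PT_1oo1, SAFETY_PES, None, 12, 1),  # permissive SIF: no final element
]

def run_cases() -> dict:
    """Step 5: repeat the verification for every architecture under consideration."""
    return {label: verify(*args) for label, *args in CASES}
```

run_cases() returns one result dict per case; the simplified formulas omit diagnostic coverage, repair time and mission time, which ISA-TR84.00.02-2002 treats.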

Table 12.2 Example SIL Verification Summary

(Columns: Item | Case # | Sensor Subsystem | Sensor Voting | Logic Solver | Final Element | Final Element Voting (Note 3) | Proof Test Interval | SIL Required | SIL Achieved | Met SIL PFD Requirements | Met SIL Minimum Fault Tolerance)

Item 1, Case 1: Sensor Subsystem: Pressure Transmitter / Flame Relay, 1oo2 | Logic Solver: PES (Note 1) | Final Element: Block Valve, 1oo2 | Proof Test Interval: 12 Months | SIL Required: SIL 2 | Met SIL PFD Requirements: NO | Met SIL Minimum Fault Tolerance: NO

Item 1, Case 2: Sensor Subsystem: Pressure Transmitter / Flame Relay, 1oo2 | Logic Solver: Safety PES (Note 2) | Final Element: Block Valve, 1oo2 | Proof Test Interval: 12 Months | SIL Required: SIL 2 | Met SIL PFD Requirements: YES | Met SIL Minimum Fault Tolerance: YES

Item 2, Case 3: Sensor Subsystem: Pressure Transmitter, 1oo1 | Logic Solver: PES (Note 1) | Final Element: Block Valve, 1oo1 | Proof Test Interval: 48 Months | SIL Required: SIL 1 | Met SIL PFD Requirements: NO | Met SIL Minimum Fault Tolerance: YES

Item 2, Case 4: Sensor Subsystem: Pressure Transmitter, 1oo1 | Logic Solver: Safety PES (Note 2) | Final Element: Block Valve, 1oo2 | Proof Test Interval: 48 Months | SIL Required: SIL 1 | Met SIL PFD Requirements: YES | Met SIL Minimum Fault Tolerance: YES

Item 3, Case 5: Sensor Subsystem: Pressure Transmitter, 1oo1 | Logic Solver: Safety PES (Note 2) | Final Element: None, N/A | Proof Test Interval: 12 Months | SIL Required: SIL 1 | Met SIL PFD Requirements: YES | Met SIL Minimum Fault Tolerance: YES

Item 4, Case 6: No SIL Verification required for this scenario based upon hazard analysis summarized in Table 12.1.

Notes:
1) PES represents a general purpose industrial grade PE logic solver.
2) Safety PES represents a logic solver designed per IEC 61508 and suitable for use in an SIL 2 application.
3) Each block valve has a dedicated solenoid.

Developing and promulgating sound consensus standards, recommended practices, and technical
reports is one of ISA's primary goals. To achieve this goal the Standards and Practices Department
relies on the technical expertise and efforts of volunteer committee members, chairmen and reviewers.
ISA is an American National Standards Institute (ANSI) accredited organization. ISA administers United
States Technical Advisory Groups (USTAGs) and provides secretariat support for International
Electrotechnical Commission (IEC) committees that develop process measurement and control
standards. To obtain additional information on the Society's standards program, please write:
ISA
Attn: Standards Department
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709
ISBN: 978-1-936007-41-7
