Process Safety Time for Fired Heaters
NOTE: This article, written by Chris Steves, Richard Todd, James P. Norton, and Jerry Zhang, originally was published in PTQ 4th Quarter 2020.
The fired heater is a common unit operation in the refining and petrochemical industries that is used to increase the temperature of a process fluid. Fired heaters are required when a process-to-process heat exchanger or a utility exchanger (i.e. steam condenser, hot oil heater) cannot provide sufficient driving force to raise the temperature of a process fluid for downstream processing. There are numerous applications for fired heaters throughout the refining and petrochemical industry, from preheating feed to process units to reboiling distillation towers.
During the course of normal operation a fired heater will be exposed to disturbances in the supply of fuel, combustion air or process fluid that may lead to a potentially hazardous condition developing. To manage these disturbances and take appropriate action to safely operate and control the fired heater, several layers of protective systems are normally provided. These protective systems are designed to take independent action that will prevent the fired heater from reaching a hazardous condition. Protective actions can include:
- Operator intervention based on alarms or other indication of a process upset. Typically this intervention can only be effective for slow responding systems that have extended times to reach a hazardous condition.
- The Basic Process Control System (BPCS), typically a DCS, which automatically responds to process conditions to maintain stable and safe operation.
- A fault-tolerant PLC is also commonly used on fired heaters. The independence of the PLC system allows actions to be taken in cases where components of the BPCS are not functioning correctly. These Safety Instrumented Systems (SIS) are critical components in maintaining the safe operation of the fired heater.
The combination of protective systems on a fired heater ensures that the unit can be safely started up and operated within its Safe Operating Limits (SOLs). The design of these systems can vary depending on the process fluids passing through the heater, the specific safety concerns that are present due to these services and the configuration of the heater, along with any design standards or guidelines that are applied by the owner. For the protective systems to be effective in protecting the fired heater and preventing a catastrophic failure, the process safety time for various hazardous events must be calculated and used to ensure the systems offer adequate protection.
Process safety time (PST) is defined as “the time period between a failure occurring in the process or its control system and the occurrence of the hazardous event”.
Process safety times are functions of equipment design and operating parameters, and can be estimated for various failures and resulting hazardous events based on modeling of system dynamics. Process safety time estimates do not take into account any mitigating action that would be performed to protect the heater. Figure 1 provides a pictorial representation of a fired heater response to an initiating event and the resulting process safety time. Several commonly used process safety time analysis terms are also graphically displayed in the figure.
Process safety times should be defined and calculated for different initiating events, usually based on input from a multi-functional team participating in a Process Hazard Analysis (PHA) or HazOp (Hazard and Operability study). As the PHA team reviews potential hazards associated with process equipment and the different modes of operation (i.e. startup, shutdown, normal operation, operational upset, etc.), the severity of the potential consequence and likelihood of occurrence will then be used to define which type of mitigating action should be taken to prevent the negative consequence from occurring (i.e. is an automated safety system required or can manual Operator response be utilized). An understanding of the process safety time is critical in deciding on the best hazard mitigation strategy.
In order to evaluate and determine the process safety time for a particular scenario, several simplifying, conservative assumptions about operation prior to the initiating event must be made. Critical review by the multi-disciplined PHA team, including subject matter experts, to verify these assumptions is good practice to improve the efficacy of the process safety time estimation process. For example, it is common to assume that a fired heater is operating at design fired duty prior to any “initiating” event, but if the unit is often operated at firing rates above design then this should be considered when developing the conditions to be used to initiate the static and/or dynamic simulations of the event necessary to determine the process safety time.
Some initiating causes and their hazardous event that may need to be considered and evaluated for a fired heater include:
- Loss of process flow to one or more passes causing the tubes to overheat and rupture,
- Gas burner fuel block valves open before lightoff, or a flameout at the burners occurs due to a disturbance in the fuel supply during normal operation, causing an accumulation of unburned fuel in the firebox which can lead to an explosion,
- Damper closed in a natural draft heater causing an accumulation of unburned fuel in the firebox which can lead to an explosion,
- Loss of combustion air from a FD fan causing an accumulation of unburned fuel in the firebox which can lead to an explosion.
After all process safety times for a particular piece of equipment like a fired heater have been determined, the SIS can be designed to ensure that it will successfully keep the hazardous event (the consequence) from occurring after the initiating event (the cause) has started. The SIS will usually incorporate multiple Safety Instrumented Functions (SIFs), each of which may be considered as an Independent Protection Layer (IPL) for mitigating the hazard and usually evaluated as part of a PHA and Layer of Protection Analysis (LOPA).
The total response time for the SIF is composed of the detection time (based on instrumentation used to detect the initiating event), any process delay built into the SIF to filter out spurious instrument or process issues, the time for the SIF to complete its action (logic controller time and valve closure time), and any process lag present in the system after the SIF has completed its action. One example of a SIF to close the fuel shutoff valve upon a loss of process flow to the heat transfer coil is shown in Figure 2.
In order for the SIF to be successful in preventing the hazardous event from occurring, the total response time for the SIF must be less than the process safety time. In many cases, Owners will choose to incorporate some conservatism into the design of the SIF, and many will specify that the total response time must be less than one half of the process safety time. 
The following examples illustrate the steps involved when evaluating process safety times for a fired heater. These examples will focus on a vertical-cylindrical, natural draft heater that is in the reboiler circuit of a distillation column, see Figure 3 for a general arrangement drawing. The fired heater has 4 burners installed in the floor for a combined design firing rate of 60 MMBtu/hr. The fired heater is burning a refinery fuel gas that is a mixture of light, paraffinic hydrocarbon species along with hydrogen, while the process fluid entering the convection coil is an oil stream characterized by a true boiling point curve.
Case 1: Accumulation of Combustibles in the firebox during lightoff
The first case study considers the scenario where the fired heater has been steam purged to remove any hydrocarbons and prepare the firebox for burner lightoff. The following conditions are assumed:
- The heater is at 250°F.
- All pilots on the burners are lit.
- O2 concentration in the firebox is equal to that of ambient air.
- The stack damper is in light-off position.
- The air registers were inadvertently closed following the purge.
With these assumptions, the primary source of O2 for combustion comes from the initial concentration of air in the firebox. At time zero, 2 of the 4 burners are lit at their minimum firing rate, which represents the lowest firing rate that can be sustained for startup. As time progresses combustion is maintained on the 2 lit burners while O2 is still available in the firebox. Once O2 is exhausted the flame goes out and combustion is extinguished. Although the pilots on the burners remain lit, flame instability at the burners under sub-stoichiometric combustion in a cold firebox results in loss of flame. Hence the operating point at 0% O2 results in a transition where the 2 lit burners flameout and unburned fuel now starts to rapidly accumulate in the firebox. Figure 4 presents the trend in firebox fuel composition with time from the onset of the initiating event, which was when the 2 burners were lit with the air registers closed. Although the firebox is depleted in O2 and there is no O2 available to burn the fuel, the condition in the firebox at times greater than 120 seconds presents a very dangerous situation. If the air registers were suddenly opened and air was allowed to enter the firebox the potential exists for a rapid and uncontrolled detonation of the combustible mixture. The fact that the pilots are lit and will continue to run with the air registers closed means there is always a source of ignition in the firebox. Another potential detonation event may arise if the heater is old and is known to leak air into the firebox (i.e. tramp air).
For this case, the process safety time is the difference in time between the burners being lit (initiating event) and the point where the fuel concentration in the firebox crosses the LEL for the refinery fuel gas mixture (consequence), which is around 120 seconds. Per API 556 “the accumulation of combustibles within the firebox should not be permitted to exceed 25% of the LEL before corrective action is initiated”.  This will set the practical limit on any delay times that are applied. Per Figure 4, 25% of the LEL is reached approximately 50 seconds after the initiating event. The SIF needs to be designed to identify the failure (gas detector that samples flue gas at the bridgewall in the heater) and start initiating the necessary action to mitigate the event (shut the fuel gas emergency shutoff valve to the burners), including any delay, within 50 seconds. When the process safety time is relatively short like that calculated here the gas detector response time and accuracy at the low end of the concentration range will be important factors in the design of this SIF. In this case the delay time that is applied in the logic solver to avoid a spurious trip may be very short given that the response time of the gas detector may be a significant fraction of the available process safety time (catalytic bead detectors may have a 20 to 30 second response time).
Case 2: Loss of Process Fluid Flow during Normal Operation
The second case study addresses a disturbance during normal operation at the fired heater. Process fluid is flowing through the tubes, originating from an upstream pump that is connected to the bottom of the distillation column. If the pump were to trip while the heater was firing at design rate, then oil flow through the tubes will stop. In this scenario the process fluid is no longer carrying the heat that is released from the flue gas inside the firebox out of the heater at the same rate it would do otherwise, and tube metal temperatures will start to increase. While most fired heaters include outlet thermocouples to alert the Operators of a high coil outlet temperature, with the loss of flow through the tubes due to the pump trip these outlet thermocouples are in a stagnant region and will not provide an accurate indication of the process fluid temperature inside the heater. The process safety time for this scenario can be determined once initial and short term boundary conditions are established.
The following operating conditions and design information were validated for this case:
- Heater firing rate: All 4 burners are assumed to be in service and firing at the design rate of 60 MMBtu/hr.
- Tube metallurgy in the firebox: ASTM P9 (9%Cr-1%Mo)
- Maximum allowable tube metal temperature: Based on the design pressure, tube OD, and minimum wall thickness (using design corrosion allowance), the stress for this material can be calculated using procedures outlined in API 530.  Once stress has been calculated, then the curves in API 530 are utilized to determine the maximum tube metal temperature, which for this example is 1,100°F.
- Heater geometry: Determine volume, tube surface area and cold plane surface area within the firebox. Shield tubes located in the convection coil are also included in this analysis as they can “see” the radiating flue gas and provide an additional sink for heat that is released in the firebox.
The complicating factor with this analysis is tube metal temperatures are changing with time. Radiant heat transfer in the firebox is a complex function of heater geometry and the difference in the fourth power of radiating flue gas temperature and tube metal temperature. As tube metal temperature increases the amount of incident radiation absorbed by the tubes will decrease, which means bridgewall temperature increases. Being able to characterize the radiant heat transfer characteristics of the firebox and incorporate this into the transient analysis is an important aspect when evaluating process safety time. Proprietary models have been developed for determining both bridgewall and tube metal temperatures in the short time periods of interest in this analysis. The trend in Figure 5 shows the dynamic response of these two variables to the initiating event. The change in the slope of the curve for tube metal temperature at time greater than 60 seconds is the result of the liquid boiling away inside the tubes and vapor being left behind. Once the inside of the tube is blanketed with vapor that is not flowing, the ability to absorb the heat released from the flue gas rapidly decreases and tube metal temperature rapidly increases.
The process safety time for this case is the time difference between the initiating event (pump trip) and the resulting consequence (tube failure and release of hydrocarbon into the firebox). Figure 5 shows the process safety time is around 180 seconds. If conservatism is applied (using the recommendation of using less than half of the calculated process safety time), then the total response time of a SIF to mitigate this hazard must be less than 90 seconds. The SIF will need to be designed to detect the failure (typically via flow measurement of the process fluid), and take mitigating action (closing the emergency shutoff valve in the fuel supply), including any delay, in less than 90 seconds. Since detection time and mitigation time for this example would be typically an order of magnitude faster than the process safety time, a fairly long delay time could be incorporated into the design of the SIF to avoid a spurious fired heater trip.
Case 3: Inadvertent Closure of the Stack Damper during Normal Operation
The third case study addresses the scenario where a malfunction or mis-operation results in the stack damper going to its minimum open position at design firing rate. Most stack dampers will not completely close but instead will be limited in how far closed they can go before reaching a hard mechanical stop that prevents the damper from totally closing the flow path for flue gas. The minimum stop is generally set to maintain some measure of flue gas control at minimum turndown. At design firing rate a “closed” (pinched or throttled) damper will limit the amount of air that can be drawn through the burners which in extreme cases can cause sub-stoichiometric combustion to occur.
The following operating conditions and design information were validated for this case:
- Heater firing rate: All 4 burners are assumed to be in service and firing at the design rate of 60 MMBtu/hr.
- Stack damper travel: It takes 4 seconds for the stack damper to reach the minimum stop position from its initial position.
- Stoichiometric ratio: When the stack damper fails at its minimum position, hydraulic analysis of the flue gas circuit determines that the estimated equilibrium stoichiometric ratio is 85% of the theoretical stoichiometric air required for complete combustion.
- It is assumed that combustion continues in the firebox. Although combustion becomes sub-stoichiometric, the firebox is assumed to be hot enough to maintain combustion in a fuel-rich environment for relatively short periods of time (i.e. less than 5 minutes). For extended periods of time this assumption will break down.
Closure of the stack damper reduces the available draft at the heater floor which in turn reduces the amount of combustion air that can be drawn through each burner to support combustion of the fuel. Prior to closure of the stack damper, the firebox is hot with average gas temperature well above the auto-ignition temperature of the refinery fuel gas and pilots are lit providing an ignition source at each burner. Under these conditions the fuel that enters the firebox through all burners will continue to burn to the limit of available O2. Immediately after the initiating event (normally the first several seconds), unburned fuel from the burners will consume all the available O2 in the firebox (the firebox has excess O2 at time = 0) and the firebox will then enter sub-stoichiometric combustion. For typical burners, ppmv levels of CO will be observed in the flue gas as the O2 concentration approaches 0%. Once conditions at the burners become sub-stoichiometric the combustion products will contain increasing levels of CO and H2. The combination of high temperature and high CO and H2 concentrations creates a very dangerous situation that can result in an explosion in the firebox.
Determining the concentration of flammable species in the flue gas as the burners consume the available O2 and combustion becomes sub-stoichiometric requires a dynamic analysis of the chemical equilibrium between CO, CO2, H2 and H2O formation as a function of firebox temperature. This requires the combustion algorithm in the firebox chamber to be modeled using a Gibbs free energy analysis. The necessary piece of information that is required to model Gibbs free energy reactions in a firebox is provided through the chemical equilibrium for the Water Gas Shift reaction.
T is in Kelvin and p(i) represents the partial pressure of species i in the flue gas. The resulting composition profiles for O2 and CO+H2 that are produced from the burners are presented in Figure 6. The red dotted line on this same figure shows the corrected LEL for the resulting flue gas mixture at firebox temperature, which rapidly approaches the 2 vol% range as sub-stoichiometric combustion continues. Once the combustion becomes sub-stoichiometric, which occurs approximately 5 seconds after the initiating event, the combined concentration of CO and H2 passes the corrected LEL approximately 6 seconds after the initiating event.
The process safety time for this case is the time difference between the initiating event (stack damper starts to close) and the resulting consequence (CO + H2 concentration in the flue gas crosses the LEL). In this case the process safety time is very short, just 6 seconds after the initiating event, which means the ability to detect high CO levels at the bridgewall via a gas detector and take the appropriate action to close the emergency shutoff valve will be very difficult to achieve with a dedicated SIF. In cases like this further analysis of the stack damper hard stop is often required to determine if a higher position should be considered to maintain adequate O2 in the firebox to minimize the level of sub-stoichiometric combustion that is achieved at design firing rate or provide additional time for the SIF to detect and respond to the conditions in the firebox. This will require additional heater modeling to determine the achievable turndown capability of the heater under these conditions.
This analysis has presented three cases that vary in their calculated process safety time for various initiating events on a fired heater. The outcome from this analysis will play a key role in the determination of appropriate SIFs that should be applied to the fired heater in order to prevent the hazardous event from occurring. In some cases, i.e. stack damper failing in the closed position, more analysis is warranted to determine an appropriate course of action to mitigate the hazardous event as a dedicated SIF is unlikely to provide adequate protection. In most cases the end user will choose a smaller SIF delay time than needed, and may standardize the delay time for similar types of SIFs in the facility in order to simplify Operator training. It is always recommended to thoroughly evaluate each initiating cause when operating a fired heater to verify the SIFs that are in place are suitably designed to mitigate the event. This requires expert analysis along with the input of a multi-disciplinary team to generate the appropriate data.
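The response-time budget described above, worked for the three cases as an added example (not code from the article or its authors). The 50 s, 180 s and 6 s limits and the 20 to 30 s gas detector response come from the text; the logic, valve, process lag and flow-transmitter times, and all class and function names, are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SifTiming:
    """Fixed parts of SIF total response time, in seconds."""
    detection: float      # sensor response time
    logic: float          # logic controller time
    valve: float          # shutoff valve closure time
    process_lag: float    # lag remaining after the SIF has acted

    def fixed(self) -> float:
        return self.detection + self.logic + self.valve + self.process_lag


@dataclass(frozen=True)
class Scenario:
    name: str
    allowable: float      # allowable total response time, s
    timing: SifTiming


def allowable_from_pst(pst: float, factor: float = 0.5) -> float:
    """Allowable response time as a fraction of PST (0.5 = 'one half' rule)."""
    if pst <= 0 or not 0 < factor <= 1:
        raise ValueError("pst must be > 0 and factor in (0, 1]")
    return pst * factor


def max_trip_delay(s: Scenario) -> float:
    """Largest spurious-trip delay that still fits; negative means the
    SIF cannot meet the allowable time even with zero delay."""
    return s.allowable - s.timing.fixed()


def evaluate(s: Scenario, delay: float) -> dict:
    """Check a proposed trip delay against the scenario's allowable time."""
    if delay < 0:
        raise ValueError("delay must be >= 0")
    total = s.timing.fixed() + delay
    return {"case": s.name, "total": total, "allowable": s.allowable,
            "margin": s.allowable - total, "ok": total <= s.allowable}


# Times from the article: 50 s (25% LEL), 180 s and 6 s PST, 20-30 s detector.
# Logic, valve, lag and flow-transmitter times are ASSUMED for illustration.
GAS_DETECTOR = SifTiming(detection=25.0, logic=0.5, valve=3.0, process_lag=2.0)
FLOW_SENSOR = SifTiming(detection=2.0, logic=0.5, valve=3.0, process_lag=5.0)

CASES = [
    # Case 1: 25% LEL limit applied to the whole response (conservative).
    Scenario("Case 1 lightoff", 50.0, GAS_DETECTOR),
    # Case 2: half of the 180 s PST.
    Scenario("Case 2 loss of flow", allowable_from_pst(180.0), FLOW_SENSOR),
    # Case 3: full 6 s PST, no conservatism, to show it still cannot fit.
    Scenario("Case 3 damper closure", allowable_from_pst(6.0, 1.0), GAS_DETECTOR),
]

if __name__ == "__main__":
    for case in CASES:
        result = evaluate(case, delay=0.0)
        print(f"{case.name}: fixed={result['total']:.1f} s, "
              f"allowable={case.allowable:.1f} s, "
              f"max delay={max_trip_delay(case):.1f} s, ok={result['ok']}")
```

With these assumed timings the gas detector consumes most of the Case 1 budget, Case 2 leaves room for a long trip delay, and Case 3 is infeasible even with zero delay.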
American Petroleum Institute, Instrumentation, Control, and Protective Systems for Gas Fired Heaters, API RP 556, Second Edition, April 2011.
CCPS, Guidelines for Safe and Reliable Instrumented Protective Systems, Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY, 2007.
G. Barnard & W. Creel, Impacts of Process Safety Time on Layer of Protection Analysis, AICHE 2015 Spring Meeting/11th Global Congress on Process Safety, April 27-29, 2015.
American Petroleum Institute, Calculation of Heater-tube Thickness in Petroleum Refineries, API STD 530, Seventh Edition, April 2015.
M. V. Twigg, Catalyst Handbook, Second Edition, Manson Publishing, 1996.