Low O2 / High Combustibles Heater Shutdown

I received this customer question that is common enough that I thought that I would publish the answer in a blog…

>> Have you seen others in the petrochemical industry using analytical measurements (combustibles, CO, O2) of flue gas to shut down fired heaters?

Yes

>> Many of our PHAs are identifying unburned fuel in the firebox as a hazard with multiple initiating events that can be a cause, including malfunction of the BPCS controls that ratio air to gas flow for forced and balanced draft systems.

It’s not an uncommon scenario in PHA/LOPA, but the risk generally very over-blown.  The scenario usually occurs in a natural draft heater where changes in the process result in too much fuel being put into the heater for the amount of air that is coming in.  This causes a “rich” or “loaded” firebox, with a lot of CO and CH4 in the firebox and flue gas.  By itself, this is not much of a hazard, and the heater can continue to run this way for a long time with no safety consequence.  The problem is that if an operator makes the wrong choice you can have an explosion.  The correct response is to cut back on fuel until you have satisfactory excess O2, after that lead the air flow higher (buy adjusting dampers) prior to increasing the fuel gas rate.  Unfortunately, a lot of inexperienced operators will see a low O2 alarm, and then give the heater more air by opening the dampers.  When this happens you get a sudden inrush of fresh oxygen to hot hydrocarbons, and boom!  Thankfully, the booms generally not big enough to cause fatality or injury, but do often cause equipment damage (shell flexing, damper damage, etc.).  So the bottom line is that in reality this is a low consequence event that only occurs when a poorly trained operator makes the wrong decision – LOW RISK.

>> This would apply to natural draft, forced draft, and balanced draft heaters. If so, what measurements and what type of voting structure?

The most common configuration that I see for this situation is a 1oo2 vote of dual analyzers that measure both O2 and combustibles.  If the analyzer sees BOTH low O2 AND high combustibles, that analyzer votes to trip.  If either of the two analyzers (each of which measures both O2 and combustibles) votes to trip, it causes a shutdown.

>> Finally, if SIL calculations are being performed for safety instrumented functions involving analysis of flue gas, what is the source of the failure data for the analyzers (industry data, analyzer manufacturer data, site gathered data)?

Almost every time I’ve analyzed this type of situation we have used equipment vendor data for failure rate.  There is at least one (probably more) equipment vendors that have the requisite analyzers along with SIL certification and associated failure rate data.