
ENGINEERING GUIDE Safety Instrumented Systems for Fired Heaters

(This practice is appropriate for attachment to Inquiry or Purchase Document)

EG 15-7-2.2
Page 1 of 6 Rev. 0 June 1997

SCOPE
I 1.1 This guideline covers the specification and design of programmable electronic safety instrumented systems (SIS) for fired heaters.
I 1.2 Unless otherwise noted, this guideline shall not deviate from the following International Practices (IP):
    IP 15-1-1         Instrumentation for Fired Heaters
    IP 15-7-2 + EA    Protective Systems

SUMMARY OF ADDITIONAL REQUIREMENTS


I 2.1 Table 1 lists the practices and standards which shall be used with this guideline.

TABLE 1
EXXON ENGINEERING PRACTICES
    IP 15-6-3     Programmable Logic Controllers
INDUSTRY PRACTICES
    ISA S84.01    Application of Safety Instrumented Systems for the Process Industries

DEFINITIONS
I 3.1 Safety Instrumented System (SIS): A system composed of sensors, logic solvers, and final control elements for the purpose of taking the process to a safe state when predetermined conditions are violated. Other commonly used synonymous terms are shutdown systems, protective systems, interlock systems, or emergency shutdown systems.
3.2 Logic Solver: Electronic or programmable electronic system components or subsystems that execute the application logic. Electronic and programmable electronics include input/output modules.

BASIC DESIGN
M,O 4.1 The SIS for a fired heater shall be dedicated to that fired heater. An exception may be when two or more fired heaters are closely related from a process standpoint, then one SIS may be used for those fired heaters.
O 4.2 The SIS shall preferentially have a communication link to the Digital Control System (DCS).
S 4.3 The system shall be configured so that the DCS cannot write to the SIS via a communication link.
S 4.4 The failure action of the SIS shall be fail-action (fail-safe).
S 4.5 The SIS shall be dedicated to its protective function. Alarms and start-up sequencing are considered to be part of the protective function.
R,M 4.6
    a. If there is a DCS/SIS communication link and there are two transmitters with the same range on a shutdown variable (one transmitter to the SIS and one transmitter to the DCS), deviation alarming between the two signals shall be performed in the DCS. The alarm shall be a Priority 2 alarm and automatically re-enabled if disabled. The application that performs the deviation alarming shall also ensure that the alarm is enabled.
    b. If there is not a DCS/SIS communication link and there are two transmitters with the same range on a shutdown variable, then the DCS transmitter shall be connected to the SIS as shown in Figure 1 below. Deviation alarming between the two signals shall be performed in the SIS and shall be indicated locally.
4.7 Where the SIS is to be field mounted, it shall preferentially meet the following requirements:
    a. All components of the SIS shall be suitable for use in a Class I, Division 2 location.
    b. The enclosure shall be air-purged for the purpose of corrosion protection. No other environmental protection (e.g., air conditioning) shall be required.

ECA / EUSA Regional Engineering Guide


FIGURE 1 SIS/DCS COMMON TRANSMITTER WITH NO COMMUNICATION LINK
[Figure not reproduced (EG157221). Labels shown: SIS, DCS, Isolator, XMTR, XMTR.]

LOGIC SOLVER
S 5.1 The logic solver shall be a dual processor with diagnostics (1oo2D) PLC or a triple modular redundant (TMR) PLC.
M,R 5.2 If a TMR PLC is selected, Triconex is the preferred vendor.
S 5.3 The logic solver shall be safety certified by a third party (e.g., TUV) and shall be suitable for meeting a Safety Integrity Level (SIL) of 2 as defined in ISA S84.01, unless a different SIL is specified by the local Safe Operations Committee (SOC) or Risk Management Group for a specific fired heater.

OPERATOR INTERFACE
M,O 6.1 A local operator / maintenance panel and/or readout shall be provided. The following items will be considered for this panel / readout:
    a. Controls:
        Light Pilot Pushbuttons
        Bypass Flame Rods Switch
        Light Main Burner Pushbuttons
        Activate Shutdown Pushbutton
    b. Status Indicators and Alarms (Preferentially implemented using a smart graphic display):
        Fired Heater Shutdown
        Low Pilot Gas Pressure Shutdown
        Fuel Gas Shutdown Bypass Valve Open
        High Pilot Gas Pressure Shutdown
        Pilot Gas Shutdown Bypass Valve Open
        Low Process Flow Shutdown
        SIS Trouble
        < 50% Pilots On (Flame Rod Logic)
        Flame Rods Bypassed
        Fuel Gas Shutdown Valve Closed
        Low Fuel Gas Pressure Shutdown
        Pilot Gas Shutdown Valve Closed
        Transmitter Deviation Alarm (1)
        High Flue Gas Temperature at Preheater Inlet (2)
        Induced Draft (ID) Fan Shutdown (2)
        High Temperature ID Fan Inlet (2)
        Drop Out Doors Open (2)
        Cabinet Loss of Air Purge
        High Bridgewall Pressure / Open Stack Damper (2)
        Loss of Primary Power
        High Bridgewall Pressure Shutdown (2)
        On Battery Power
        Forced Draft (FD) Fan Shutdown (2)
        Back Up Battery Low Voltage
        Stack Damper Open (2)

NOTES
(1) If DCS is available, then deviation alarm is handled in DCS.
(2) Applies to Forced/Induced Draft fired heaters only.

S 6.2 If a smart display is used for the local operator panel, it shall be read-only.


POWER
R 7.1 The power source to the SIS shall be redundant.
R 7.2 One of the power sources shall contain one of the following:
    a. An Uninterruptible Power Supply (UPS) with a holdup time of at least 15 minutes.
    b. A DC supplied system with a battery backup and battery charger.
    c. Some other continuous power supply system.
R 7.3 The power supply shall be capable of riding through momentary voltage dips or a secondary selective substation transfer.
R 7.4 The SIS shall provide power to all SIS transmitters and actuator devices except for those on the final control element which may be pneumatically powered.

SENSORS
R 8.1 Transmitters shall preferentially be used instead of field switches as initiators. Smart transmitters are preferred.
R 8.2 Transmitters shall transmit to the logic solver using 4-20 mA signals.
R 8.3 Smart transmitters shall be operated in the analog mode. Transmitters using DE digital protocol or other digital communication protocols that interrupt the analog signal are prohibited.
M,R 8.4 All sensors for a given service (e.g., flow measurement) shall be supplied by the same vendor. The number of different vendors supplying components for the SIS shall be minimized.
S,R 8.5 A typical installation shall have one transmitter per initiator which will achieve an SIL of 2. If additional reliability is required, 2oo3 voting of sensors (with one of them permitted to be shared with the DCS) may be used, as indicated in Figure 2.

FIGURE 2 2oo3 SENSOR VOTING WITH SHARED DCS TRANSMITTER
[Figure not reproduced (EG157222). Labels shown: SIS, DCS, Isolator, XMTR A, XMTR B, XMTR C.]
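The 2oo3 voting of 8.5, combined with a deviation check of the kind required in 4.6, can be sketched as follows. This is an added example, not part of the guide: the trip setpoint, deviation limit, bad-signal limits, and the choice to count a failed 4-20 mA loop as a vote to trip (following the fail-safe intent of 4.4) are all assumptions.

```python
# Added illustration; not part of EG 15-7-2.2. All numeric limits are assumed.
from dataclasses import dataclass

BAD_LOW_MA, BAD_HIGH_MA = 3.6, 21.0  # assumed limits marking a failed 4-20 mA loop
LOW_FLOW_TRIP_MA = 8.0               # assumed setpoint for a low process flow trip
DEVIATION_LIMIT_MA = 0.8             # assumed deviation limit (5% of the 16 mA span)


@dataclass
class VoteResult:
    trip: bool             # True: take the heater to its safe state
    trip_votes: int        # number of transmitters voting to trip
    bad_signals: list      # tags whose loop current is out of range
    deviation_alarm: bool  # healthy transmitters disagree beyond the limit


def is_bad(ma: float) -> bool:
    """An open or shorted loop shows up as a current outside the live range."""
    return ma < BAD_LOW_MA or ma > BAD_HIGH_MA


def vote_2oo3(readings: dict) -> VoteResult:
    """2oo3 vote on a low-trip variable; a failed loop counts as a trip vote."""
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three transmitters")
    bad = sorted(tag for tag, ma in readings.items() if is_bad(ma))
    votes = sum(1 for ma in readings.values()
                if is_bad(ma) or ma <= LOW_FLOW_TRIP_MA)
    good = [ma for ma in readings.values() if not is_bad(ma)]
    deviation = len(good) >= 2 and (max(good) - min(good)) > DEVIATION_LIMIT_MA
    return VoteResult(votes >= 2, votes, bad, deviation)


# Constructed sample scans (mA) for the three transmitters of Figure 2.
SCANS = {
    "normal":           {"XMTR A": 12.1, "XMTR B": 12.0, "XMTR C": 12.2},
    "one drifting low": {"XMTR A": 12.1, "XMTR B": 7.5, "XMTR C": 12.2},
    "real low flow":    {"XMTR A": 7.4, "XMTR B": 7.5, "XMTR C": 12.2},
    "open loop on C":   {"XMTR A": 12.1, "XMTR B": 12.0, "XMTR C": 0.0},
    "open loop + low":  {"XMTR A": 7.4, "XMTR B": 12.0, "XMTR C": 0.0},
}

if __name__ == "__main__":
    for name, scan in SCANS.items():
        print(f"{name:18s} {vote_2oo3(scan)}")
```

A single drifting or failed transmitter raises an alarm or a bad-signal flag without tripping the heater; any second vote trips it.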

FINAL ELEMENTS
S 9.1 The bypass around the shutdown valve(s) shall have a limit switch as an SIS input which indicates when the valve is closed, as in Figure 3.


FIGURE 3 SHUTDOWN VALVE BYPASS WITH LIMIT SWITCH
[Figure not reproduced (EG157223). Labels shown: Shutdown Valve (N.O.), Bypass Valve (N.C.), PNC (Process Normally Closed).]

R 9.2 Dual solenoid valves, as shown in Figure 5, shall be used for increased reliability of the final element.
S 9.3 The SIS shall send an alarm to the control center on high fuel gas pressure after a trip is initiated. This indicates that the shutdown valve has not closed.
R 9.4 The SOV assembly shall be stainless steel.

TESTING AND MAINTENANCE


M 10.1 The SIS shall allow for on-line testing of all initiators, logic, and final elements by bypassing the final element. (THIS IS A DEVIATION OF RP 15-7-2, 12.5a.)
S 10.2 The frequency of required on-line testing of the SIS shall be calculated based on the design SIL.
M 10.3 Standardization of design and supplier for the SIS at a site is strongly recommended for maintainability.

TYPICAL SCHEMATICS
I 11.1 A typical schematic of an SIS for a natural draft fired heater is shown in Figures 4 and 5. A typical I/O list for this design is given in Table 2. This schematic was based on a design SIL of 2.

TABLE 2 - INPUTS/OUTPUTS FOR SAFETY INSTRUMENTED SYSTEM
TYPICAL SINGLE FUEL, NATURAL DRAFT FIRED HEATER

INPUTS
    Individual Pass Flows or Total Process Flow
    Pilot Gas Pressure
    Fuel Gas Pressure
    Pilot Gas Valve Closed Limit Switch
    Pilot Gas Bypass Valve Closed Limit Switch
    Fuel Gas Valve Closed Limit Switch
    Fuel Gas Bypass Valve Closed Limit Switch
    Flame Rod #1 On
    Flame Rod #2 On
    Flame Rod #3 On
    Local Shutdown Switch
    Remote Shutdown Switch
    Flame Rods Bypassed
    I/P Relay "A" for Fuel Gas Control Valve
    I/P Relay "B" for Fuel Gas Control Valve

OUTPUTS
    System Bypass Lamp
    Bypass Valve Open Lamp
    SIS Trouble
    Pilot Gas Valve SOV A
    Pilot Gas Valve SOV B
    Fuel Gas Valve SOV A
    Fuel Gas Valve SOV B
    Fired Heater Shutdown Lamp
    I/P Relay "A" for Fuel Gas Control Valve
    I/P Relay "B" for Fuel Gas Control Valve

Other outputs shall be implemented on discrete devices or smart display panel.


FIGURE 4 TYPICAL SIS FOR NATURAL DRAFT FIRED HEATER
[Figure not reproduced (EG157224). Labels shown: Feed, Fired Heater, SIS, Communication Link, DCS, Fuel Gas, Shutdown Valve, Control Valve, I/P, SOV Assembly (Figure 5), LS CLOSED.]


FIGURE 5 DUAL SOLENOID VALVE ASSEMBLY FOR INCREASED RELIABILITY
[Figure not reproduced (EG157225). Labels shown: SOV A, SOV B, Manual Reset, Pneumatic Pilot Valve with ports E, C and P, LS, Air Set (Set at 25 PSIG), To Shutdown Valve.]

PILOT VALVE OPERATION
Either or both coils energized and manual reset latched: C and P are common, E is blocked.
Both coils de-energized or loss of air supply (<25 psig) trips manual reset (unlatched): C and E are common, P is blocked.
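The pilot valve operation described for Figure 5 behaves as a latch: one energized coil is enough to hold it, but restoring the coils after a trip does not restore it without the manual reset. The following model is an added example, not part of the guide; it assumes the valve starts unlatched and that the reset can only latch while a coil is energized and air is at or above the air set.

```python
# Added illustration; not part of EG 15-7-2.2.
AIR_SET_PSIG = 25.0  # air set pressure shown in Figure 5


class PilotValve:
    """Latching model of the Figure 5 pneumatic pilot valve (ports C, P, E)."""

    def __init__(self):
        # Assumption: the manual reset starts unlatched (tripped state).
        self.latched = False

    @staticmethod
    def _permissive(sov_a, sov_b, air_psig):
        # Either or both coils energized, and air supply not below the air set.
        return (sov_a or sov_b) and air_psig >= AIR_SET_PSIG

    def scan(self, sov_a, sov_b, air_psig, reset_pressed=False):
        """Update the latch for one scan; return the port pair that is common."""
        if not self._permissive(sov_a, sov_b, air_psig):
            self.latched = False   # both coils off or low air trips the reset
        elif reset_pressed:
            self.latched = True    # operator latches the manual reset
        # Latched: C and P common, E blocked. Unlatched: C and E common, P blocked.
        return "C-P" if self.latched else "C-E"


def run(sequence):
    """Replay (sov_a, sov_b, air_psig, reset_pressed) steps; return port states."""
    valve = PilotValve()
    return [valve.scan(*step) for step in sequence]


# Constructed sequence covering start-up, single coil loss, trip and recovery.
SEQUENCE = [
    (True, True, 30.0, True),     # both coils on, operator latches the reset
    (True, False, 30.0, False),   # SOV B lost: SOV A alone holds the latch
    (False, False, 30.0, False),  # both coils off: trip
    (True, True, 30.0, False),    # coils restored, no reset: stays tripped
    (True, True, 24.0, True),     # reset attempted with low air: no latch
    (True, True, 30.0, True),     # air restored and reset pressed: latched
]

if __name__ == "__main__":
    for step, ports in zip(SEQUENCE, run(SEQUENCE)):
        print(step, "->", ports)
```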

Revision Memo
6/97  Revision 0 - Original Issue of Engineering Guide

Exxon Company, U.S.A., Exxon Chemical Americas, 1997
