Question 33: What conditions are tied to fired-heater shutdown interlocks? Do these cause an immediate shutdown, or are there any time delays built into the logic? If so, how long of a time delay do you use? Are there any operating conditions that would allow interlocks on fired heaters to be bypassed?
THEISS (Marathon Petroleum Corporation)
As far as interlocks being tied to fired heaters, at Marathon, we rely heavily on API (American Petroleum Institute) 556 to develop our internal practices. Inside our internal practices, we have two main potential problems we are trying to combat: preventing an explosion due to uncombusted fuel and preventing a tube rupture that can lead to a fire or an explosion. On all of our fired heaters, we have interlocks for low- and high-fuel gas pressure and loss of process flow. For our balanced draft heaters, we include loss of airflow, high furnace pressure, and loss of flame. For forced draft and natural draft, we include all of those, the exception being furnace pressure.
We do allow shutdown time delays on several components. It is really a matter of looking at each one on an individual basis. We developed a lot of our guidance on time delays based on API 556. The current version of API 556 no longer has that specific guidance, but I think they are looking to try and include it again. Regarding time delays, we allow time delays on fuel gas pressure, firebox pressure, flame detection, process flow, process temperature, and level, if applicable.
As far as bypassing interlocks, we generally do not allow bypassing of shutdown systems. There are some exceptions. Obviously, performing maintenance is a big one that we look to allow. Some of our facilities actually have an automated report from the DCS (distributed control system). If there is something bypassed on a shutdown system, a notification via the report gets pushed out to the Operations Group. With this report, Operations can tell if something was placed in bypass that should not have been. We do have certain operating procedures that allow bypassing of ESD (emergency shutdown) systems; but in general, we do not allow any other bypassing.
We do have some startup and shutdown provisions, particularly on heater interlocks. We have arming logic that initiates once you have a specific condition established. The logic is armed and ready to shut down the heater if we have greater than 50% of the burners lit and achieve a loss of flame signal. There are also turndown scenarios when the unit is turned down. The logic will arm to “all out of all” trip until greater than 50% of the burners are lit.
LÉGARÉ (Andeavor Martinez Refinery)
Andeavor’s procedures are similar to Marathon’s. We have a series of standards that we created based on API 556 and NFPA (National Fire Protection Association) 85 guidelines for heaters and fired boilers. The standard goes into a lot of detail around levels of instrumentation required on both the process side and the fuel side of the heater. Being in California, we also have requirements for CEM (Continuous Emissions Monitoring). The State outlines the requirements for CEMs as well. Chris McDowell of Andeavor is in the audience today. She can speak to all we need to do to comply with the regulators in the San Francisco Bay Area. The protective systems are also clearly defined in our standard; the recommended instrumentation levels are also there.
The next slide shows some of the time delays we outlined in our standard as well. I will not go through each one, but you can see that they are all specified with ranges. In addition, there are also valve travel allowances that vary depending on the size of the valve. The point I do want to make, though, is that a lot of these standards apply to new construction. When you are dealing with a retrofit, the approach can change. The proverbial “it depends” comes into play where you need to look at your physical layout of your heater or furnace and see what you actually can accomplish. So, it is really best to work with your technical personnel or technology suppliers and SMEs (subject matter experts) to figure out what exactly you can achieve to get to the inherently safest solution.
As far as bypasses, we operate in a way that is very similar to what Jeremy said. I will add that Andeavor also mandates that you have a procedure in place to allow for the bypass. In the event you do not have a procedure, the MOC (management of change) policy kicks in. The requirement for that MOC is that you have a clearly defined mitigation plan to deal with the bypass. The point I do want to make, which is what I have seen, is that that mitigation plan does need to involve the right level of personnel in your organization. You want to engage your instrument engineers, furnace SMEs, and process engineers, not just try to bypass the whole system to come up with the mitigation plan that is achieved at the end of shift, but which may not have the required integrity around the technical review. It is important to make sure that the mitigation plan is done properly.
In addition, the policy we have also outlines various levels of organizational approvals depending on the amount of time that the system will be bypassed. For example, if you are looking at a three-day bypass, an Operations Superintendent has to buy off on it. If it is a three-week bypass, then the Ops Manager is the one who gets involved. Lastly, what we do with these mitigation plans is table them. We try to keep them in a file so that in the future, if we have to do a similar bypass, we can at least use that mitigation plan as a solid starting point.
MIKE ADKINS (KP Engineering, LP)
One of these subsets that you guys touched on that, from a design aspect, KPE would get involved in a lot is purging. Of course, end users always want to try to increase the purge rate to get through that purging process as quickly as possible. Some of the heaters KPE has seen have steam eductors on them, purge air blowers, or just straight steam into the heater. My question is to you guys who are refiners. What do you typically prefer and like to use during that purging sequence?
LÉGARÉ (Andeavor Martinez Refinery)
We are not typically using steam for purges. We get the fans started and use them to purge the system.
TARIQ MALIK (CITGO Petroleum Corporation)
Eric, I think you had the time delay reflected on the screen, right?
LÉGARÉ (Andeavor Martinez Refinery)
Yes.
TARIQ MALIK (CITGO Petroleum Corporation)
What is the purpose of having a four-second time delay? That was about the maximum in one of them. So, in four seconds, what are you going to accomplish? You cannot react to these alarms.
LÉGARÉ (Andeavor Martinez Refinery)
No. I think, like Jeremy said earlier, the API standards specify these time delays. I think this is like a legacy system that we still have in our standard.
TARIQ MALIK (CITGO Petroleum Corporation)
I thought the purpose was to give the board operator a chance to react or do something to make sure they are not spurious or are actually happening. I know some controls are touchy over there. But a four-second delay? You might as well not have a time delay.
LÉGARÉ (Andeavor Martinez Refinery)
Yes. I do not think we are looking at really four seconds for an operator response. It may just be four seconds to deal with the blip in the instrumentation and get a balancing out of the signal.
TARIQ MALIK (CITGO Petroleum Corporation)
You have a warning system on this? You have multiple instrumentations – two out of three – at the SIL 3 (safety-instrumented level 3) or SIL 2 level?
LÉGARÉ (Andeavor Martinez Refinery)
That is correct.
TARIQ MALIK (CITGO Petroleum Corporation)
Okay. My follow-up question for the panel actually has to do with the heaters. Do your heaters have explosion doors, or have you done away with them, sealed them shut, or thrown them away?
LÉGARÉ (Andeavor Martinez Refinery)
We still have some of them in our furnaces.
THEISS (Marathon Petroleum Corporation)
Yes, I am sure we still have some, but probably not all. We have some new construction that may exclude them.
GAMBOA-ARIZPE (CITGO Refining & Chemicals, L.P.)
Yes, we still have them.
CHRIS STEVES (Norton Engineering Consultants, Inc.)
Jeremy, you mentioned flame detection. Are you doing that on all of your heaters and all burners individually, or are you looking at trying to just verify if there is any flame in the firebox? How does that work?
THEISS (Marathon Petroleum Corporation)
Most of our heaters, especially the new designs, have flame detection. I would say there are very few within Marathon that do not have flame detection within the system.
BILL CATES (Hunt Refining Company)
Are you doing the flame on the main flame or are you doing a pilot?
THEISS (Marathon Petroleum Corporation)
In some applications, both.
JEREMY THEISS (Marathon Petroleum Corporation)
Shutdown Interlocks
Marathon Petroleum Corporation (MPC) standard practices rely heavily on the guidance recommended by API 556. Most of our heater shutdown interlocks are derived from this API Recommended Practice. Our internal practices are intended to prevent a heater explosion due to uncombusted fuel in the firebox or a tube rupture that can lead to an explosion or uncontrolled fire. Specific interlocks that result in a fired heater shutdown, as defined in our standard practice, include low/high fuel gas pressure and loss of process flow. Further guidance on alternate heater configuration is also given. Balanced draft heater shutdowns include loss of air flow, high furnace pressure, and loss of flame. Although forced draft and natural draft heaters’ interlocks do not include high furnace pressure, they do include loss of flame.
Shutdown Time Delays
We do allow certain time delays within the SIS logic. These delays were derived from original API 556 guidance. The length of the time delay is based on acceptable risk tolerance evaluated independently by MPC subject matter experts. MPC has time delays on the following shutdowns: fuel gas pressure, firebox pressure, flame detection, process flow, process temperature, and level (where applicable). Currently, API 556 does not include time delays, but including guidance on time delays is under consideration for the next revision.
Interlock Bypass Philosophy
In general, we do not allow bypassing of shutdown interlocks during operations. We do provide guidance to bypass under specific instances of maintenance. During periods of maintenance, alternate monitoring plans are established with Operations to ensure that the intent of the shutdown system is intact. There also may be special circumstances conducted that involve bypassing, but these instances will only be executed under a specified procedure. When possible, we recommend that these special procedures be implemented through operation mode selectors that an operator can select to automate the logic. If deviations to the procedure are required, an MOC is necessary to execute the deviation.
For periods of startup and shutdown, we develop arming logic for flame detection to prevent unnecessary trips, which can lead to unsafe conditions. For startup conditions, this logic is armed once the first burner detects flame for “all out of all” voting; meaning, a loss of flame on all burners is a vote to trip. Once greater than 50% of the burners detect flame, the logic reverts to the normal shutdown logic, which is typically that less than 50% of the total burners detect flame is a vote to trip. To manage process turndown scenarios, we also have low-fire mode which will revert back to “all out of all” voting logic.
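The arming and voting behaviour described in the answer above, written out as an added example that is not part of the panel response or MPC's logic. The class, mode and function names are hypothetical, the four-burner sequence is constructed, and trip latching and time delays are left out.

```python
from enum import Enum

class Mode(Enum):
    DISARMED = 0        # no burner has proven flame yet
    ALL_OUT_OF_ALL = 1  # armed: only loss of flame on every burner votes to trip
    NORMAL = 2          # fewer than 50% of burners with flame votes to trip

class FlameVoter:
    """Loss-of-flame voting for one heater (illustrative names, not from the page)."""

    def __init__(self, total_burners):
        self.total = total_burners
        self.mode = Mode.DISARMED

    def scan(self, flames, low_fire=False):
        """Evaluate one logic scan; flames holds one bool per burner.
        Returns True when this scan is a vote to trip."""
        if len(flames) != self.total:
            raise ValueError("one flame signal per burner is required")
        lit = sum(bool(f) for f in flames)
        if self.mode is Mode.DISARMED:
            if lit >= 1:                      # first burner proves flame: arm
                self.mode = Mode.ALL_OUT_OF_ALL
            return False
        if low_fire:                          # turndown: back to all-out-of-all
            self.mode = Mode.ALL_OUT_OF_ALL
        elif self.mode is Mode.ALL_OUT_OF_ALL and 2 * lit > self.total:
            self.mode = Mode.NORMAL           # strictly more than 50% lit
        if self.mode is Mode.ALL_OUT_OF_ALL:
            return lit == 0
        return 2 * lit < self.total           # exactly 50% lit is not a vote

def replay(total_burners, scans):
    """Run (flames, low_fire) scans; return a (mode name, vote) pair per scan."""
    voter = FlameVoter(total_burners)
    out = []
    for flames, low_fire in scans:
        vote = voter.scan(flames, low_fire)
        out.append((voter.mode.name, vote))
    return out

# Constructed light-off and flame-loss sequence for a four-burner heater.
LIGHT_OFF = [([0, 0, 0, 0], False), ([1, 0, 0, 0], False), ([1, 1, 0, 0], False),
             ([1, 1, 1, 0], False), ([1, 1, 0, 0], False), ([1, 0, 0, 0], False)]

if __name__ == "__main__":
    for mode, vote in replay(4, LIGHT_OFF):
        print(f"{mode:15s} vote_to_trip={vote}")
```

With low-fire mode selected on the last scan, the same single remaining flame is not a vote to trip; only loss of all four is.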
ERIC LÉGARÉ (Andeavor Martinez Refinery)
Andeavor utilizes a series of internal Engineering Standards to address fired heater instrumentation, control, and protective systems. These standards were developed using the content of API 556 and NFPA 85. Andeavor’s standards define the required and recommended instrumentation for the fuel and process sides of gas fired heaters. The control and protective systems are based on instrumentation mandated by the standard. Examples of required instrumentation include fuel gas pressure; combustion air flow; firebox pressure and temperature; excess oxygen; draft; and, where applicable, flue gas analysis via CEMS for regulatory compliance.
Protective systems and allowances for overrides, bypasses, and permissives are also defined in the standard to allow for safe and effective design and operation of fired heaters. Andeavor’s standards protect against the accumulation of combustibles in the firebox, overheating of heater tubes, high/low draft and flameout. Instrumentation linked to the protective system [Safety Instrumented System (SIS)] should be independent of the control instrumentation.
The design of the protective system does allow for time delays with allowable ranges provided as follows:
PALL Fuel Gas Pressure: 1-4 sec
PAHH Fuel Gas Pressure: 1-2 sec
FALL Comb Air Flow: 5-10 sec
Dropout Doors Fail to Operate: 1-2 sec
PAHH Firebox Pressure: 5 sec
Failure of Stack Damper to Open: 1-2 sec
PALL Pilot Gas Pressure: 1-4 sec
PAHH Pilot Gas Pressure: 1-4 sec
Note that the above information corresponds to new heater designs. For retrofit projects, it is recommended to work with your project team and subject matter experts to implement the design that best satisfies the standard with which you are trying to comply.
Startup overrides are required in the protective functions of the control system to allow for the startup of fired heaters. The operator’s display will include a notification that the protective function is overridden during startup conditions. These overrides will allow for startup steps such as furnace purges and burner light off. Once the startup conditions are cleared, the protective system is engaged automatically by the DCS.
Bypasses on input devices and/or protective systems for maintenance, calibration, and testing are permitted in accordance with the site’s operating and emergency response procedures. Sites can manage these bypasses via Operations or Maintenance procedures or MOC, if procedures do not exist. A mitigation plan should be part of the procedure or MOC being followed, and the plan must be communicated to all affected personnel. Note that the plan is only as robust as the quality of review that went into its development. Ensure controls and SIS experts are consulted when developing a mitigation plan.
The plan should also be kept in a location accessible to the board operator. Management approval of the mitigation plan is required with escalating levels of responsibility defined as a function of the bypass period. As an example, a three-day bypass period requires the approval of an operations superintendent. A three-week bypass period requires the approval of the Operations Manager. Bypassed alarm status should be visible to the board operator. The protective system and/or input device should be put into service immediately following completion of the work. The mitigation plan should be logged for reference in the future.
RICHARD TODD (Norton Engineering Consultants, Inc.)
All fired heaters should be equipped with safety instrumented systems (SIS) that take the heater to a “safe state” upon detection of a potentially unsafe condition. Recommendations for the implementation of these systems can be found in API-556 “Instrumentation, Control, and Protective Systems for Gas Fired Heaters”. Typically, most heaters should be equipped with instrumentation and logic to remove fuel gas from the heater on the following conditions:
- Low fuel gas burner pressure,
- High fuel gas burner pressure,
- Low process flow,
- Low combustion air flow (if a heater with FD fans), and
- Loss of flue gas removal (if a heater with ID fans).
Other process conditions may require automated heater shutdowns as well. A HAZOP with LOPA should be conducted to determine if additional safeguards are required.
Time delays are usually built into the logic of the SIS logic solver to prevent spurious trips due to instrument noise. A thorough review of the system and the calculation of process safety times (the time to reach an unsafe state from the start of a process upset) should be conducted to be sure that the chosen time delays do not exceed the process safety time. Multiple instruments with voting logic (i.e., two out of three voting) are also used to improve SIS reliability and to decrease the frequency of spurious trips.
Instruments that are used in SIS should be equipped with bypasses to allow for maintenance to be conducted with the heater in service. The use of bypasses should be managed with a safety device bypass procedure that requires appropriate reviews and approvals so that the instrument can be bypassed without impacting the safety of the equipment. Typically, bypasses on safety instrumentation should not be utilized during process upsets or due to unusual operating conditions. Startup of heaters may require the high and low fuel gas pressure trips to be bypassed for a short amount of time as burners are being initially lit, but this bypass can be safely managed in a well-designed SIS that may add additional safeguards and that will automatically remove the bypass after a prescribed period of time.
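The two-out-of-three voting and trip time delay described in the answer above, sketched as an added example that is not part of the panel response or any vendor's logic solver. All names are hypothetical, and the setpoint, delay, scan time, process safety time and transmitter readings are constructed values.

```python
def vote_2oo3(readings, setpoint):
    """True when at least two of the three transmitters read below setpoint."""
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three readings")
    return sum(r < setpoint for r in readings) >= 2

class DelayedLowTrip:
    """Low-pressure trip with 2oo3 voting and a trip time delay."""

    def __init__(self, setpoint, delay_ms, scan_ms, process_safety_time_ms):
        # The delay must never exceed the process safety time.
        if delay_ms > process_safety_time_ms:
            raise ValueError("time delay exceeds process safety time")
        self.setpoint = setpoint
        self.delay_ms = delay_ms
        self.scan_ms = scan_ms
        self.elapsed_ms = 0
        self.tripped = False

    def scan(self, readings):
        """Process one scan of three readings; returns the latched trip state."""
        if self.tripped:
            return True
        if vote_2oo3(readings, self.setpoint):
            self.elapsed_ms += self.scan_ms   # vote has persisted one more scan
            self.tripped = self.elapsed_ms >= self.delay_ms
        else:
            self.elapsed_ms = 0               # noise blip cleared: restart timer
        return self.tripped

def first_trip_scan(frames, setpoint=5.0, delay_ms=2000, scan_ms=500,
                    process_safety_time_ms=10000):
    """Index of the scan on which the trip latches, or None if it never does."""
    trip = DelayedLowTrip(setpoint, delay_ms, scan_ms, process_safety_time_ms)
    for i, readings in enumerate(frames):
        if trip.scan(readings):
            return i
    return None

# Constructed readings (psig) from three fuel gas pressure transmitters.
OK, LOW2, LOW1 = (12.0, 12.1, 11.9), (3.0, 2.8, 12.0), (0.0, 12.1, 11.9)
BLIP = [OK, OK, LOW2, LOW2, OK, OK, OK]        # two-scan dip, then recovery
SUSTAINED = [OK, OK, LOW2, LOW2, LOW2, LOW2, LOW2]
ONE_FAILED = [LOW1] * 10                       # one transmitter failed low

if __name__ == "__main__":
    print(first_trip_scan(BLIP), first_trip_scan(SUSTAINED),
          first_trip_scan(ONE_FAILED))
```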