IPE-TM-200 Heaters
Automatic Shutdown of Fired Heaters
IPE-TM-200-01
1. Purpose
This procedure provides the Inflection Point Engineering design requirements for automatic shutoff of fuel to fired process heaters.
2. General
Automatic fuel shutoff systems are required to safely shutdown a fired heater for malfunctions in the process flow through the heater tubes, fuel system or combustion air supply, or other abnormal process conditions. The following shutdown system design requirements are the minimum that Inflection Point Engineering considers necessary. Changes to the Inflection Point Engineering system design shall only be considered upon specific written instructions from the client.
These requirements are based on a quantitative risk analysis carried out by Inflection Point Engineering to insure our designs are compliant with the national and international standards regarding safety instrumented systems. This analysis included the determination of the required SIL (safety integrity level) for each automatic function and the typical hardware configuration recommended by Inflection Point Engineering to achieve the SIL.
Inflection Point Engineering does not specify automated vent or drain valves between the two shutoff valves in series on fired heater fuel systems. For fuel gas Inflection Point Engineering does show a manual vent valve to allow for depressuring the piping between the two valves during any maintenance that might be required. Automation of this vent valve is not recommended by Inflection Point Engineering as the potential hazards of this valve being opened during normal operation are significant.
3. Natural or Forced or Forced/Induced Draft Heaters
This section applies to all heaters. Table 1 summarizes the action to be taken for the anticipated malfunctions. The safety related instrumentation for each function needs to meet SIL 2, unless noted otherwise.
3.1 Safety Instrumented Functions (SIF)
- Pilot Gas Low pilot gas pressure downstream of the regulator shall shutoff all fuels to the heater, including pilot gas.
The recommended transmitter configuration is 2 out of 3 voting for the low pressure detection.
- Process Flow to Heater – Primary Service Primary service is defined as that service which flows through the radiant section. Primary service may optionally also flow through the convection section. Loss of primary service flow to the heater shall shutoff all fuels to the heater, except pilot gas.
Individual heater pass control valves shall have a mechanical limit stop to prevent the control valve from closing completely. An exception to this is feed control valves to reactor charge heaters. Another exception occurs for level control valves (or flow control valves with level cascaded to the flow controllers).
The recommended transmitter configuration is 2 out of 3 voting for the low flow detection. This measurement should include three separate heater passes when available. The voting system is intended for detection of loss of the pump or compressor. 1 out of X on all passes is not recommended by Inflection Point Engineering since this will lead to more spurious trips.
For dual feed source designs (e.g. Charge/Recycle Gas), simultaneous loss of both feed sources to the heater shall shutoff all fuels to the heater, except pilot gas.
For dual feed source designs, loss of one feed source (e.g. loss of recycle gas for Charge/Recycle Gas) to the heater shall shutoff all fuels to the heater, except pilot gas, when analysis shows that the flow from the remaining feed source will not prevent the tubes from overheating and/or coking.
- Process Flow to Heater - Waste Heat Recovery Service in Convection Section
Flow through a convection section waste heat recovery coil is NOT Primary Service. Low flow through the waste heat recovery coil shall shutdown the main fuel burners unless the heater specification explicitly states that this coil shall be designed for no flow condition.
- Pilot Gas Shutdown Valves
A double block configuration shall be used for isolating the pilot gas on fired heaters. Each of the two block valves is actuated by two solenoid valves connected together such that the failure of one solenoid valve does not shut the block valve. The use of two shutdown valves allows the time period between valve testing to be extended while maintaining the required safety factor. The use of two solenoid valves decreases the spurious trip factor.
- Fuel Gas Shutdown Valves
A double block configuration shall be used for isolating the fuel gas on fired heaters. Each of the two block valves is actuated by two solenoid valves connected together such that the failure of one solenoid valve does not shut the block valve. The use of two shutdown valves allows the time period between valve testing to be extended while maintaining the required safety factor. The use of two solenoid valves decreases the spurious trip factor.
- Fuel Oil Supply Shutdown Valves
A double block configuration shall be used for isolating the fuel oil supply on fired heaters. Each of the two block valves is actuated by two solenoid valves connected together such that the failure of one solenoid valve does not shut the block valve. The use of two shutdown valves allows the time period between valve testing to be extended while maintaining the required safety factor. The use of two solenoid valves decreases the spurious trip factor.
- Fuel Oil Return Shutdown Valve
The recommended valve configuration is a single valve. This valve shares the solenoid valves from one of the supply shutdown valves. Only one valve is required since the return line from the heater has a check valve in it also.
- Process Vent Line Shutdown Valves (Combustible Vent Gas)
A process vent line discharging into a fired heater shall have automatic shutoff valves actuated by the same signal(s) that shutdown the main fuel burners. Vent gas diversion to a safe location must usually be provided.
A double block configuration shall be used for isolating combustible vent gas flow to fired heater fireboxes. Each of the two block valves is actuated by two solenoid valves connected together such that the failure of one solenoid valve does not shut the block valve. The use of two shutdown valves allows the time period between valve testing to be extended while maintaining the required safety factor. The use of two solenoid valves decreases the spurious trip factor.
Note: If the vent gas is not combustible, then the process vent line shutdown is an interlock function (and not a safety instrumented function).
3.2 Interlock Functions
The features mentioned below were determined to be for equipment protection and therefore are not safety related.
- Low fuel oil or fuel gas pressure downstream of the control valve shall shutoff the respective fuel supply only. (See below for reactor heaters in series)
A single transmitter configuration is used for the low pressure detection. An exception is the Oleflex reactor heaters which use 2 out of 3 to minimize spurious trips. This is due to the complexity of the Oleflex, risk to equipment such as reactor screens during a shutdown, and the time consuming operations required to restart the unit.
- Low atomizing steam/fuel oil differential pressure for any heater shall shutoff the fuel oil to that heater only.
A single transmitter configuration is used for the low differential pressure detection.
- For reactor heaters (furnace cells) in series (i.e., one process stream flows through several heaters in series);
Oleflex: low pressure of the fuel gas downstream of the control valve to any heater shall shutoff the fuel gas to all of the heaters.
Platforming: low pressure of the fuel gas downstream of the control valve to any heater (furnace cell) only shuts off the fuel gas to that heater. If the heater also has fuel oil, then the low fuel gas pressure trip signal shall also shutdown fuel oil to that heater. The Platforming process cannot tolerate radiant coil fouling. Loss of effective radiant process surface area could potentially result on loss of fuel gas firing and continued fuel oil firing because of the potential of creating coil metal dusting / and metal catalyzed coke formation under certain process conditions. To reduce this risk (of radiant coil fouling) fuel oil firing will be stopped in any heater (furnace cell) that has lost fuel gas firing capability. Low pressure of the fuel oil downstream of the control valve to any heater shall shutoff the fuel oil to that heater only. Fuel gas firing will continue. A differential temperature override control on each heater shall always be provided to prevent overheating downstream heaters, caused by fuel shutoff to one heater.
- Process Vent Line Shutdown (NON-combustible vent gas); this requires only a single block valve.
A process vent line discharging into a fired heater shall have automatic shutoff valves actuated by the same signal(s) that shutdown the main fuel burners. Vent gas diversion to a safe location must usually be provided.
The following interlocks are not Inflection Point Engineering standard practice, but some guidance is given as to implementation should they be requested by a customer.
- High firebox pressure shutdown: In the past this shutdown was a Inflection Point Engineering standard for forced draft heaters. It is currently only an alarm since it is believed it would result in spurious trips. If this is implemented, then the single existing transmitter is sufficient. Add a time delay (0 - 60 seconds set at 30 seconds) with the trip point at 0.5 inch H2O (13 mm H2O).
- Loss of combustion air via the flow measurement: no objection to adding this provided it is supplemental to the Inflection Point Engineering specified low low pressure detection.
- High fuel pressure shutdown: Inflection Point Engineering standard is currently only a high pressure alarm since the flame would still be maintained. If this is implemented then a single transmitter is sufficient. Note: Another transmitter would need to be added for the high pressure shutdown, since the transmitter used for the low pressure trip does not have the required range (and the range of the low pressure trip transmitter should not be changed).
3.3 Manual Shutdowns
- Operator activated emergency shutdown switches (one in the control center and one in the field) shall be provided to shutoff the supply of all fuels and the pilot gas to the heater. When there are forced and/or induced draft fans, the emergency shutdown switches shall also stop all of the fans.
- Each natural draft heater shall, in general, have its own set of emergency shutdown switches (one in the control center, and one in the field). Natural draft heaters that have a common convection section shall have a single set of emergency shutdown switches that shall shutdown all the related heaters
- Heaters that have a common forced draft system shall have a single set (one in the control center, and one in the field) of emergency shutdown switches that shall shutdown all the related heaters.
3.4 Additional Design Detail Requirements
Follow the design detail requirements mentioned below exactly because they are an integral part of the risk analysis done by Inflection Point Engineering. Any deviation will impact the risk analysis resulting in re-work of the specified instrumentation. No detailed instructions or automated equipment are specified by Inflection Point Engineering for testing and bypassing of safety instrumented systems. These details are left to the contractor and owner to determine based on factors such as operating cycle length, local codes and sophistication of automation for testing.
- The pilot gas supply line shall be connected upstream of any automatic shutoff valve in the main fuel gas line to the heater, and provided with separate automatic shutoff valves. Note: Pilot gas may also be a completely separate line from a dedicated source.
- Manual resets are pushbuttons connected to the logic system and shall be provided for automatic fuel shutdown systems. (e.g. One reset for the fuel gas double block assembly.) Reset levers on the solenoid valves are not permitted since with most solenoid designs it is possible to defeat the shutdown by physically tying up the reset lever so the solenoid valve can not move to its shutdown state.
- For automatic shutoff of fuel oil burners, shutdown valves shall be provided in both the circulating fuel oil line to and the circulating fuel oil line from each individual heater, even though the fuel oil may not be circulated during normal operation.
- Fuel shutdown on low recycle gas flow for special case heaters (e.g., Platforming or Unicracking) shall be provided unless analysis indicates that the heaters should not be shutdown when recycle gas failure alone has occurred. The SIL of these additional shutdown requirements are based on this analysis.
- For heat input designs, where the process duty is split between a trim heater and the convection coil of another fired heater, the trim heater in series with the convection coil (convection coil fluid flows through the coils of the trim heater) shall be automatically and simultaneously shutdown with the heater containing the convection coil.
- Automatic shutdown systems provided for special purpose heaters that are fired intermittently for relatively short periods of time will have lower SIL based on the limited use of these heaters. These heaters generally have operator attention when in service and are considered to be in a different category than continuously operating heaters.
- When proprietary heaters (i.e., Pyrolysis heaters, etc.) are part of a Inflection Point Engineering designed unit, automatic shutdown requirements shall be in accordance with Inflection Point Engineering design policy.
- A complete shutdown system for each separate heater or service shall be provided (e.g., Platforming charge and interheaters are each considered as individual heaters, but one service).
- When naphtha is used as a fuel, an interlock must be provided to prevent burner removal until the naphtha pressure at the burner is zero.
- Low pressure shutdown sensors shall be located downstream of the automatic shutoff valves.
- For a multi-burner heater, the loss or malfunction of an individual burner, no matter what the cause, shall not cause a heater shutdown.
3.5 Miscellaneous Information
- A flame failure alarm shall be provided for each pilot. Inflection Point Engineering does not recommend heater shutdowns linked to flame detection because of the potential for spurious trips. Should a client insist then the heater specialist must be consulted.
- Inspiration type pilot burners shall be specified to avoid dependance on a forced air source.
4. Forced Draft Heaters or Forced/Induced Draft Heaters
Table 2 summarizes the action to be taken for anticipated malfunctions in the forced draft system. Table 2 shutdowns are provided in addition to those described in Table 1.
4.1 Safety Instrumented Functions
- Loss of combustion air supply shall shutoff all fuels to the heater, except pilot gas. Low pressure shutdown sensors, located on the main air duct shall detect loss of combustion air supply caused by forced draft fan failure.
The recommended transmitter configuration is 2 out of 3 voting for the low pressure detection.
4.2 Interlock Functions
- High induced draft fan inlet temperature shall shutdown the I.D. fan only. A high temperature shutdown sensor located between the air preheater and the induced draft fan. High temperature may be due to a duct fire caused by air preheater leakage of combustion air into hot flue gas that contains combustibles or that the convection section and/or air preheater is severely fouled.
A single transmitter configuration is used for the high temperature detection.
- A high air preheater flue gas inlet temperature alarm shall be located in the common flue gas duct near the preheater to detect afterburning in the duct caused by maldistribution of combustion air and fuel or by severe fouling of the convection section. When flue gas from multiple heater fireboxes combine into a common air preheater duct, a high temperature alarm shall be additionally located in the flue gas stack (before the damper) of each heater firebox to detect afterburning caused by maldistribution of combustion air and fuel or by severe fouling of the convection section.
| Table 1 |
|---|
| Natural or Forced or Forced/Induced Draft Heaters |
| Malfunction | Pilots | Fuel Gas | Fuel Oil Supply and Return | Other (1) |
|---|---|---|---|---|
| 1. Emergency Shutdown Switches | X | X | X | X |
| 2. Low pilot gas pressure (6) | X | X | X | X |
| 3. Low Process Flow (Primary Service) to Heater Coil | ||||
| a. Vapor only | ~ | X | X | X |
| b. Charge/Recycle Gas (3) | ~ | X | X | X |
| c. All Liquid | ~ | X | X | X |
| 4. Low Process Flow - Waste Heat Removal (5) | ||||
| a. Steam Superheater | ~ | X | X | X |
| b. Hot Oil | ~ | X | X | X |
| c. Reboiler Coil | ~ | X | X | X |
| d. Circ. Water for Steam Gen. (2) | ~ | X | X | X |
| 5. Other abnormal process conditions (as required) | ~ | X | X | X |
| 6. Low fuel gas burner pressure | ~ | X (4) | ~ | X |
| 7. Low fuel oil burner pressure | ~ | ~ | X (4) | X |
| 8. Low Atomizing Steam (Air) vs. Fuel Oil Differential Pressure (6) | ~ | ~ | X (4) | X |
X = Shutoff Device Actuated
Notes:
1. Such as waste gas: In addition to shutoff, an additional diversion valve to an alternate vent destination is usually required.
2. If spare circulating water pump has auto start, a time delay is added to the shutdown to allow the pump to come up to speed.
3. Low recycle gas flow activates shutdown.
4. See text of Interlock Functions for requirements for reactor heaters that are in series.
5. The low flow heater shutdown may be deleted provided that the heater specification clearly states that design of the coil must be based on no flow condition. Note: Depending on heater arrangement, a start-up bypass may be required.
6. A time delay is added to avoid nuisance trips due to “blips”.
| Table 2 |
|---|
| Forced Draft Burners or Forced/Induced Draft Heaters |
| Malfunction | Pilots (1) | Fuel Gas | Fuel Oil Supply and Return | Other (3) |
|---|---|---|---|---|
| 1. Emergency Shutdown Switches (4, 5) | X | X | X | X |
| (shuts off fans also) | (shuts off fans also) | (shuts off fans also) | (shuts off fans also) | |
| 2. Low Combustion Air pressure (2) | ~ | X | X | X |
| 3. High I.D. Fan Inlet Temperature | shuts off induced draft fan only | shuts off induced draft fan only | shuts off induced draft fan only | shuts off induced draft fan only |
X = Shutoff Device Actuated
Notes:
1. Pilots are specified as inspirating type which operate independently of forced draft system.
2. A time delay is added to avoid nuisance trips due to “blips”.
3. Such as waste gas: In addition to shutoff, an additional diversion valve to an alternate vent destination is usually required.
4. These shutdown switches take the place of the individual Emergency Shutdown switches on natural draft heaters. For forced draft heaters there are no individual Emergency Shutdown switches at each heater.
5. All fans are stopped.
© 2026 Inflection Point Engineering, LLC. All rights reserved. The content of this page — including calculation methods, reference data, written analysis, interactive tools, and source code — is the intellectual property of Inflection Point Engineering, LLC and is protected under applicable copyright, trademark, and trade secret laws. Unauthorized reproduction, redistribution, modification, or derivative use in whole or in part is prohibited without prior written consent.
Disclaimer. This material is provided for informational and educational purposes only and does not constitute professional engineering advice. Calculations, reference data, and methodologies are based on published standards and accepted engineering practice but are not a substitute for engineering judgment, site-specific analysis, or review by a licensed Professional Engineer. Inflection Point Engineering, LLC makes no warranties, express or implied, regarding the accuracy, completeness, or fitness for a particular purpose of any content presented here, and shall not be liable for any direct, indirect, incidental, or consequential damages arising from its use. Users assume all risk associated with applying this content to real-world design, operations, or decisions.
© 2026 Inflection Point Engineering, LLC. All rights reserved.