Module 03

Emergency Shutdown

An ESD is an unplanned, rapid shutdown initiated automatically by the BMS or manually by the operator. Speed of fuel isolation is the primary objective. Operator response begins after the BMS has acted — your job is to verify, stabilise, and investigate.

In any ESD — isolate fuel, then assess
The instinct to diagnose before isolating is the single most dangerous mistake. If the BMS has not already closed the fuel SDVs, do it manually at the first available isolation point. Confirm zero fuel pressure at the burner header before any further action.

ESD vs planned shutdown

The two shutdown types share an endpoint — a cold, fuel-isolated firebox — but follow entirely different paths. Understanding the differences matters because post-ESD actions differ from planned shutdown actions in several critical respects.

Comparison: ESD vs Planned Shutdown

Parameter | Emergency Shutdown | Planned Shutdown
Initiation | BMS automatic trip or manual ESD button | Operator instruction, coordinated
Process flow | May trip simultaneously or be lost | Reduced in controlled steps
Firing rate at trip | Full or partial load — cut instantly | Reduced progressively before extinguishment
Thermal shock risk | High — full-load trip creates rapid ΔT | Low — controlled cool-down
Refractory impact | Higher stress; inspect before restart | Lower stress; standard dryout if steam used
Tube metal condition | Verify TMT history before restart — high-load trip can cause creep damage | Typically known and controlled
Root cause investigation | Required before any restart authority | Not mandatory (unless abnormalities found)
Restart authority | Requires formal clearance | Standard permit process

ESD trigger conditions

ESD trips are classified as either automatic (BMS-initiated on instrument signal) or manual (operator-initiated). Know both — automatic trips may not cover every scenario that demands immediate action.

Auto trip: Loss of process flow (low flow trip). Trip condition: FT < Min Design Flow.
Flow below minimum design rate removes the heat sink. Tubes overheat within minutes at sustained firing. The BMS cuts fuel on confirmed low-flow signal from the process flow transmitter.

Auto trip: High coil outlet temperature. Trip condition: COT > Trip Setpoint.
COT above trip setpoint indicates either loss of flow, excessive firing, or coking. BMS trips on confirmed high signal. A single transmitter is not sufficient — most systems require 2-of-3 voting or coincidence logic.

Auto trip: Loss of pilot flame (all pilots). Trip condition: All FDs = No Flame.
If all pilot flame detectors confirm flame loss, the BMS closes the main fuel SDV and pilot SDV. A single failed flame detector on one burner typically generates an alarm, not a trip — check your site's BMS logic.

Auto trip: High firebox pressure. Trip condition: Firebox P > +25 Pa (typical).
Positive firebox pressure (puffing) indicates combustion instability, blocked flue path, or failed draft control. The BMS trips to prevent firebox overpressure and potential blowback through burner registers.

Auto trip: Fuel gas high pressure. Trip condition: Fuel P > PAHH setpoint.
High fuel supply pressure above the trip setpoint indicates control valve failure or upstream pressure surge. The BMS closes the SDV to prevent over-firing or burner tip damage.

Manual trip: Tube failure / confirmed leak. Operator initiated.
A confirmed process tube leak introduces hydrocarbons directly into the firebox at high pressure and temperature. Immediate manual ESD is required. The BMS may not detect this condition automatically.

Manual trip: External fire / area emergency. Operator initiated.
Fire in the vicinity, loss of utility supply (fuel gas header failure, instrument air loss), or site-level emergency requiring heater isolation. The ESD button provides a single-point shutdown independent of the BMS instrument signals.

Manual trip: Instrument air or power failure. Operator initiated.
Loss of instrument air causes control valves to fail to their safe positions (typically fuel valves fail-closed). Confirm fuel SDV has closed. If power loss prevents BMS confirmation, manually verify at the valve.

BMS automatic action sequence

On receiving a valid trip signal, the BMS executes the following sequence without operator intervention. The entire sequence typically completes within 2–5 seconds.

BMS logic varies by installation
The sequence below describes a typical SIL-rated BMS. Your site's cause-and-effect matrix is the authoritative source. Never assume the BMS has completed any action — always verify physically or on the DCS historian.
Step 01 (Automatic — BMS): Trip signal validated. Timing: < 1 second.
BMS logic receives and validates the initiating signal. Voting logic (2-of-3 where fitted) confirms genuine trip condition vs. instrument failure. Spurious trip prevention logic checks for coincidence.

Step 02 (Automatic — BMS): Main fuel SDV closes. Timing: 1–5 seconds from trip.
The main fuel safety shut-down valve (SDV) is de-energised and closes. This cuts fuel supply to all burners simultaneously. The SDV is typically a fail-closed, spring-return valve with a stroke time of 2–4 seconds.

Step 03 (Automatic — BMS): Pilot fuel SDV closes. Timing: simultaneous or +1–2 s.
Pilot gas supply is also isolated. On some systems this is simultaneous with the main SDV; on others it follows with a short delay to allow main flame to extinguish first. Confirm pilot SDV position indicator shows closed.

Step 04 (Automatic — BMS): Alarm annunciation and trip latch. Timing: simultaneous with SDV close.
BMS latches in the tripped state — it cannot be reset until the initiating condition is cleared and the operator manually resets the latch. DCS generates a first-out alarm identifying the initiating trip signal. Log this: it is the starting point for root cause investigation.

Step 05 (Operator — Verify): Confirm fuel isolation at burner header. Timing: within 2 minutes of trip.
Do not rely on SDV position indication alone. Check the local pressure gauge on the burner fuel header. Pressure should decay to zero. If pressure persists, the SDV has not fully seated — proceed immediately to manual valve isolation upstream.

Step 06 (Operator — Verify): Confirm all burners extinguished. Timing: within 5 minutes of trip.
Check flame detectors on DCS. A local visual check via peep door is preferred for confirmation, especially if any flame detector is suspect. A burner that continues to burn after SDV closure indicates a leaking valve — treat as a tube failure scenario.
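The trigger conditions and the BMS action sequence above are easier to reason about with the logic written out. The following is an added Python illustration, not code from this page and not any site's BMS or cause-and-effect matrix: it models 2-of-3 voting per trip variable, the all-pilots flame-loss trip versus the single-detector alarm, the latched trip that closes main and pilot SDVs, the first-out record, and a reset that is refused while the initiating condition persists. All setpoints, tag names (FT, COT, B1 to B4) and readings are constructed for the example.

```python
"""Simplified BMS trip logic: 2-of-3 voting, trip latch, first-out capture,
and SDV close-out. Added illustration only; not any site's cause-and-effect
matrix. Setpoints, tag names and sample readings are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed setpoints for the example (not from any real installation).
SETPOINTS = {
    "FT_min_design_flow": 40.0,  # t/h: low-flow trip below this
    "COT_trip": 380.0,           # deg C: high coil outlet temperature trip
    "firebox_P_trip": 25.0,      # Pa: the page's "+25 Pa typical"
    "fuel_PAHH": 4.5,            # barg: fuel gas high-pressure trip
}


def vote_2oo3(readings: List[float], in_trip: Callable[[float], bool]) -> bool:
    """True when at least two of three transmitters report the trip condition,
    so one transmitter failing high or low cannot trip the heater on its own."""
    return sum(1 for r in readings if in_trip(r)) >= 2


def evaluate_trips(inputs: Dict) -> List[str]:
    """Trip conditions currently present, in evaluation order. `inputs` carries
    three readings per voted variable, one flame status per pilot, and the
    manual ESD button state."""
    trips = []
    if vote_2oo3(inputs["FT"], lambda r: r < SETPOINTS["FT_min_design_flow"]):
        trips.append("Low process flow (FT < min design flow)")
    if vote_2oo3(inputs["COT"], lambda r: r > SETPOINTS["COT_trip"]):
        trips.append("High coil outlet temperature")
    if not any(inputs["pilot_flame"].values()):
        trips.append("Loss of pilot flame (all pilots)")
    if vote_2oo3(inputs["firebox_P"], lambda r: r > SETPOINTS["firebox_P_trip"]):
        trips.append("High firebox pressure")
    if vote_2oo3(inputs["fuel_P"], lambda r: r > SETPOINTS["fuel_PAHH"]):
        trips.append("Fuel gas high pressure")
    if inputs.get("manual_esd"):
        trips.append("Manual ESD (operator initiated)")
    return trips


@dataclass
class BmsState:
    tripped: bool = False
    first_out: Optional[str] = None
    main_sdv_closed: bool = False
    pilot_sdv_closed: bool = False
    alarms: List[str] = field(default_factory=list)


def _alarm(state: BmsState, message: str) -> None:
    """Annunciate once; repeated scans do not duplicate the alarm."""
    if message not in state.alarms:
        state.alarms.append(message)


def scan(state: BmsState, inputs: Dict) -> BmsState:
    """One logic scan. A validated trip closes main and pilot SDV and latches;
    the latch holds even if the inputs later return to normal."""
    lost = [b for b, flame in inputs["pilot_flame"].items() if not flame]
    if lost and len(lost) < len(inputs["pilot_flame"]):
        # One failed detector alarms but does not trip (check site BMS logic).
        _alarm(state, "Pilot flame loss alarm on " + ", ".join(lost))
    trips = evaluate_trips(inputs)
    if trips and not state.tripped:
        state.tripped = True
        state.first_out = trips[0]      # first-out: the initiating signal
        state.main_sdv_closed = True    # step 02: main fuel SDV de-energised
        state.pilot_sdv_closed = True   # step 03: pilot SDV isolated
        _alarm(state, "ESD trip latched; first-out: " + trips[0])
    return state


def reset_latch(state: BmsState, inputs: Dict) -> bool:
    """Operator reset of the trip latch. Refused while any initiating condition
    is still present. SDVs stay closed: they only reopen through the light-off
    sequence. The first-out record is cleared on reset, which is why the page
    says to record it before resetting."""
    if evaluate_trips(inputs):
        return False
    state.tripped = False
    state.first_out = None
    return True


def normal_inputs() -> Dict:
    """Constructed healthy readings: three transmitters per voted variable."""
    return {
        "FT": [55.0, 56.0, 55.5],
        "COT": [350.0, 352.0, 351.0],
        "firebox_P": [-5.0, -4.0, -6.0],
        "fuel_P": [2.0, 2.1, 2.0],
        "pilot_flame": {"B1": True, "B2": True, "B3": True, "B4": True},
        "manual_esd": False,
    }


if __name__ == "__main__":
    state = BmsState()
    one_low = normal_inputs()
    one_low["FT"] = [30.0, 56.0, 55.5]       # single transmitter low: no trip
    scan(state, one_low)
    two_low = normal_inputs()
    two_low["FT"] = [30.0, 31.0, 55.5]       # 2oo3 confirms: trip
    scan(state, two_low)
    print(state.tripped, state.first_out, state.alarms)
```

The point of the `reset_latch` rule is the one the sequence makes in step 04: the latch is cleared by the operator only after the cause is gone, and on this model (as on some real systems) the first-out is lost at reset, so it must be logged first.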

Operator response procedure

The BMS acts first. Your role is to verify, secure the area, protect the equipment, and prevent escalation. Work through the phases in order — do not skip to later phases to investigate causes until the heater is fully secured.

Phase 1 — Immediate response (0–5 minutes)
Type: Emergency. Steps: 7.

Step 01: Acknowledge alarm — do not reset the BMS latch yet
Acknowledge DCS alarms to silence the audible alarm. Record the first-out trip signal and timestamp. Do NOT reset the BMS latch until root cause is identified and cleared — resetting too early destroys the first-out record on some systems.

Step 02: Confirm main and pilot fuel SDVs closed
Check DCS valve position indicators for both main and pilot SDVs. If any SDV shows "not closed" or "mid-travel", send a field operator to verify locally and close manual isolation valve immediately upstream.

Step 03: Verify zero fuel pressure at burner header (field check)
This is the only definitive confirmation of fuel isolation. A local gauge at the burner header must read zero. Do not proceed to safe entry or investigation activities until confirmed. If pressure persists — treat as a stuck-open valve and isolate further upstream.

Step 04: Assess process flow status
If the ESD was triggered by loss of flow, determine whether process flow has been restored or is still absent. If flow has been lost, the coil will be holding hot, stagnant process fluid. Do not restart until flow is confirmed stable.

Step 05: Assess firebox condition — do not enter
Use peep doors and CCTV (where fitted) to visually check for tube bowing, visible leaks, refractory collapse, or continued combustion. Any visible flame without confirmed fuel supply indicates a leaking valve or process tube failure — escalate immediately.

Step 06: Notify control room, shift supervisor, and on-call engineer
State: heater tag, trip initiating cause (first-out), current status (fuel isolated / flow status / firebox observations). Do not wait for full diagnosis before making notifications — early notification enables faster support.

Step 07: Establish exclusion zone if any leak or tube failure suspected
If tube failure or external leak is a possibility, establish a 15-metre (minimum) exclusion zone and contact the site emergency response team. Do not attempt field investigation without authorisation and appropriate PPE.

Phase 2 — Stabilisation (5–30 minutes)
Type: Emergency. Steps: 6.

Step 01: Monitor coil outlet temperature trend
COT should begin falling once firing is cut. If COT continues to rise after fuel isolation, this indicates either a leaking fuel valve (fuel still entering) or an exothermic process reaction (e.g. coke burning). Investigate immediately.

Step 02: Check tube metal temperatures (TMT) — record peak values
Review DCS trend for all TMT points immediately before and at the time of trip. Peak values above design maximum require a tube integrity assessment before restart. Record all values in the ESD log — this data is required for the post-ESD review.

Step 03: Maintain process flow through the coil if possible
Continued flow removes stored heat from the coil and prevents coking of stagnant process fluid. If the ESD itself was caused by flow loss and flow cannot be restored, consult the engineer before the coil temperature reaches the coking temperature for the fluid.

Step 04: Check stack temperature trend
Stack temperature should fall steadily after firing is cut. A sustained or rising stack temperature after ESD can indicate combustion of deposits in the convection section — escalate if this is observed.

Step 05: Do not open dampers or registers for forced cooling
Rapid cooling by forced air ingress creates thermal shock in the refractory and tube supports. Natural convection cooling is preferred. Dampers may be adjusted to assist natural draft purge but not to force rapid cool-down.

Step 06: Log all instrument readings at 10-minute intervals
Create a time-stamped record: COT, TMT peaks, stack temp, fuel header pressure, firebox pressure, flow rates. This log is required for the post-ESD investigation and restart authorisation process.
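The Phase 2 checks are all questions asked of the historian trend: has the burner header actually reached zero, is COT still climbing after isolation, did any TMT exceed design maximum, is the stack temperature falling, and what goes into the 10-minute log. The following is an added Python illustration of that review run over constructed historian samples; it is not the page's own procedure or any site's tooling. The design maximum (560 °C), the 5 °C rise threshold, and every sample value are constructed for the example; the tube-integrity flag corresponds to the restart requirement that follows.

```python
"""Post-ESD trend review over constructed historian samples. Added
illustration, not the page's or any site's procedure. Design maximum, sample
values and thresholds are constructed for the example."""
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

TMT_DESIGN_MAX = 560.0   # deg C, constructed design maximum tube metal temperature


@dataclass
class Sample:
    t_min: int         # minutes since trip
    cot: float         # coil outlet temperature, deg C
    tmt_max: float     # highest reading across all TMT points, deg C
    stack: float       # stack temperature, deg C
    fuel_hdr_p: float  # burner fuel header pressure, barg (local gauge)
    firebox_p: float   # firebox pressure, Pa
    flow: float        # process flow, t/h


def isolation_time(samples: List[Sample]) -> Optional[int]:
    """First sample at which the burner fuel header reads zero. Until then fuel
    isolation is not confirmed (Phase 1, step 03)."""
    for s in samples:
        if s.fuel_hdr_p <= 0.0:
            return s.t_min
    return None


def _after(samples: List[Sample], t: int) -> List[Sample]:
    return [s for s in samples if s.t_min >= t]


def cot_rising_after_isolation(samples: List[Sample], isolated_at: int,
                               min_rise: float = 5.0) -> bool:
    """COT still climbing once fuel is confirmed isolated points to a leaking
    fuel valve or an exothermic reaction (Phase 2, step 01)."""
    after = _after(samples, isolated_at)
    return len(after) >= 2 and after[-1].cot - after[0].cot >= min_rise


def stack_falling(samples: List[Sample], isolated_at: int) -> bool:
    """Stack temperature should fall steadily after firing is cut (step 04)."""
    after = _after(samples, isolated_at)
    return len(after) >= 2 and after[-1].stack < after[0].stack


def ten_minute_log(samples: List[Sample]) -> List[Dict]:
    """Time-stamped record at 10-minute intervals (step 06)."""
    return [asdict(s) for s in samples if s.t_min % 10 == 0]


def review(samples: List[Sample], tmt_design_max: float = TMT_DESIGN_MAX) -> Dict:
    """Run the Phase 2 checks and collect findings and escalation reasons."""
    findings: Dict = {"fuel_isolated_at_min": None, "escalate": [], "log_10min": []}
    iso = isolation_time(samples)
    findings["fuel_isolated_at_min"] = iso
    if iso is None:
        findings["escalate"].append(
            "Fuel header pressure never reached zero: treat as stuck-open SDV, isolate upstream")
        return findings  # nothing else is meaningful until fuel is isolated
    if cot_rising_after_isolation(samples, iso):
        findings["escalate"].append(
            "COT rising after fuel isolation: suspect leaking fuel valve or exothermic reaction")
    peak = max(s.tmt_max for s in samples)
    findings["peak_tmt"] = peak
    # Peak above design maximum: tube integrity assessment before restart.
    findings["tube_integrity_assessment_required"] = peak > tmt_design_max
    if not stack_falling(samples, iso):
        findings["escalate"].append(
            "Stack temperature not falling: possible combustion of deposits in convection section")
    findings["log_10min"] = ten_minute_log(samples)
    return findings


# Constructed historian samples: a clean trip and one with a suspect fuel valve.
CLEAN_TRIP = [
    Sample(0, 372.0, 548.0, 410.0, 1.8, -3.0, 52.0),
    Sample(2, 368.0, 545.0, 395.0, 0.0, -4.0, 52.0),
    Sample(5, 355.0, 530.0, 370.0, 0.0, -4.0, 51.0),
    Sample(10, 330.0, 505.0, 330.0, 0.0, -5.0, 51.0),
    Sample(20, 290.0, 460.0, 280.0, 0.0, -5.0, 50.0),
    Sample(30, 255.0, 420.0, 240.0, 0.0, -5.0, 50.0),
]
SUSPECT_TRIP = [
    Sample(0, 372.0, 575.0, 410.0, 1.8, -3.0, 52.0),
    Sample(2, 374.0, 572.0, 415.0, 0.0, -2.0, 51.0),
    Sample(5, 380.0, 570.0, 430.0, 0.0, -1.0, 51.0),
    Sample(10, 392.0, 569.0, 450.0, 0.0, 0.0, 50.0),
    Sample(20, 405.0, 568.0, 470.0, 0.0, 2.0, 50.0),
    Sample(30, 418.0, 568.0, 480.0, 0.0, 3.0, 49.0),
]
NOT_ISOLATED = [
    Sample(0, 372.0, 548.0, 410.0, 1.8, -3.0, 52.0),
    Sample(2, 370.0, 546.0, 405.0, 0.4, -3.0, 52.0),
]

if __name__ == "__main__":
    for name, data in (("clean", CLEAN_TRIP), ("suspect", SUSPECT_TRIP)):
        print(name, review(data)["escalate"])
```

The review stops as soon as fuel isolation cannot be confirmed, which mirrors the page's ordering: nothing in Phase 2 is meaningful while the burner header still shows pressure.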

Requirements before restart

An ESD is not complete when the heater is cold — it is complete when the cause has been identified, corrected, and the heater is formally cleared for restart. All four categories below must be addressed.

Root cause identified and cleared
The initiating trip condition must be identified — not assumed — and the underlying cause corrected or accepted with management of change. A trip caused by an instrument fault requires the instrument to be repaired or bypassed under formal authority before restart. A trip caused by an operational error requires a documented corrective action.
BMS functional test
After any ESD, the BMS and all trip-initiating instruments should be functionally tested before restart. At minimum, confirm that all SDVs will close on demand, all flame detectors are responding, and the BMS latch resets correctly once the trip condition is cleared. Document the test results.
Tube integrity assessment
If any TMT exceeded design maximum during the ESD, a tube integrity assessment is required before restart. This typically involves a review of TMT trends against the material creep life curve, and may require visual inspection via peep doors or an IR scan during the next opportunity.
Formal restart authorisation
Restart after ESD requires sign-off from the shift supervisor and, at most sites, the process or inspection engineer. A verbal "it should be fine" is not authorisation. The ESD log, instrument test results, and root cause statement must be reviewed before authority is given to re-light.

Common causes and avoidable mistakes

The most common ESD cause in refineries is a flow transmitter trip — not an actual loss of flow
Impulse line blockage, transmitter drift, and control valve hunting all cause the flow signal to fall below the trip setpoint without any actual change in process flow. This is why the BMS fires the trip but the heater may be entirely safe. The response procedure is the same regardless — isolate, verify, investigate. The investigation may reveal an instrument issue rather than a process issue.
Common ESD causes and root factors

Trip Initiator | Common Root Cause | First Check
Low flow trip | FT impulse line blocked; upstream pump trip; control valve oscillation | Check FT against independent flow indicator; field valve position
High COT | Actual loss of flow; coking reducing heat transfer; TE calibration drift | Cross-check with adjacent TEs; compare against flow and TMT trends
Flame failure | FD lens fouled; fuel pressure fluctuation; primary air low | Check other burners' FD status; check fuel header pressure trend
High firebox pressure | Stack damper control failure; rain ingress to stack; soot bridging in convection section | Check damper position; check stack differential pressure
Manual ESD (operator) | Tube failure; external fire; process emergency upstream | Determined by the event that prompted the action