04 · Safety Systems
Pre-Startup Safety Review
The PSSR is the formal, multi-discipline gate that must be cleared before a fired heater is returned to service following shutdown, maintenance, or modification. It is not a walkdown checklist — it is a documented sign-off process confirming that every system is safe to energise.
This page explains when a PSSR is required, who owns each domain, what must be verified, and what the authority hierarchy looks like. The interactive checklists below are intended as a working aid — not a substitute for site-specific PSSR procedures.
No PSSR — No Startup
A fired heater must not be lit off until the PSSR is fully signed. This is non-negotiable regardless of production pressure. An incomplete PSSR is a Stop Work condition. The shift supervisor does not have authority to waive this requirement.
What is a PSSR, and why does it exist?
A Pre-Startup Safety Review is a structured, documented verification that a process unit — in this case a fired heater — is mechanically complete, instrumented correctly, staffed with trained operators, and that all procedures and permits are in place before any energy is introduced.
The PSSR concept originates from OSHA PSM (29 CFR 1910.119) and equivalent process safety management frameworks globally. It applies whenever a new installation is brought online for the first time, or whenever a modification that affects process safety has been made — including significant maintenance work.
For fired heaters specifically, the PSSR is the mechanism that ensures a maintenance event has not left the heater in a condition that could cause a firebox explosion, tube rupture, or uncontrolled flame event on startup. The most common catastrophic startup failures trace back to a verification that was assumed rather than confirmed.
When is a PSSR required?
A PSSR is mandatory for any of the following triggers. When in doubt — if the question is being asked, a PSSR is required.
New installation
First-ever startup of a new fired heater or new burner system. Full PSSR required before any fuel admission.
Post-turnaround / major maintenance
Any shutdown involving tube replacement, refractory repair, burner overhaul, or BMS work. Full PSSR required.
Process modification (MOC)
Any change covered by a Management of Change — fuel type change, new instruments, revised setpoints, new interlocks.
Extended cold standby (> 6 months)
Heater cold and idle for an extended period. PSSR required to capture corrosion, refractory degradation, and instrument drift.
After a safety incident
Any startup following a tube failure, firebox incident, or safety trip requires a PSSR before the heater is returned to service.
Significant BMS or interlock work
Replacement of safety instrumented function components (transmitters, SDVs, logic solver). Full functional testing required.
Routine hot standby restart does NOT require a PSSR
A heater that has been in hot standby (fuel off, process flow maintained, within the last 72 hours with no work performed) does not require a PSSR. It requires only the operator pre-startup checklist in the Startup Procedure.
Who signs what — authority matrix
The PSSR requires sign-off from multiple disciplines. Each discipline signs only for their domain. No single person may sign off on all domains. The Operations Manager (or designated authority) provides the final release signature once all domain sign-offs are complete.
PSSR Authority Matrix — Fired Heater
Role / Discipline
Domain
When to sign
Required
Mechanical / Maintenance Lead
Mechanical completeness — tubes, refractory, burners, casing, blinds cleared
Before instrument loop checks
Instrument / Controls Engineer
All instruments calibrated, loops checked, BMS logic verified, SIL functions tested
After mechanical sign-off
Electrical Engineer
MCC checks, motor rotation, valve actuator power, FD/ID fan electrical
Parallel with instrumentation
Process / Operations Engineer
P&ID verification, process safety review, operating procedures current and available
Before operator familiarisation
HSE Representative
Permit system clear, gas detection operational, emergency response in place, permit to work closed
Before startup authorisation
Shift Supervisor (Operations)
Operator readiness, staffing level, communications, DCS readiness, utility supplies confirmed
Day of startup
Operations Manager / Plant Authority
Final release — confirms all domain sign-offs are complete. Issues startup authorisation.
After all domain sign-offs
PSSR domain checklists
Each tab below contains the verification items for that discipline's domain. Use the checkboxes to track progress during the review. Items marked CRITICAL must not be marked complete without physical verification — they cannot be signed off on the basis of assumed knowledge.
Blind & Isolation Register
Pending
▼
All spectacle blinds and spades removed from process lines
Reconcile against the blind register. Every blind installed during shutdown must have a corresponding removal entry. Heater inlet, outlet, pass-control, and fuel gas blinds are mandatory checks. Any discrepancy stops the PSSR.
Blind register signed off by maintenance lead
The physical register document (not a verbal confirmation) must carry the maintenance lead's signature and date.
Double-block-and-bleed valves on fuel gas confirmed in correct position
Both block valves shut; bleed valve open. This is the confirmed safe state before startup. DBB position must be field-verified, not assumed from control room indication.
Fuel oil isolation confirmed (if fuel oil capable heater)
If the heater has fuel oil capability, confirm the supply isolation is correct for the planned fuel mode. Unexpected fuel oil admission during a gas light-off is a major hazard.
Mechanical Completeness
Pending
▼
All maintenance work orders closed or formally deferred
No open WO may remain without a formal risk assessment confirming it is safe to start up with the work outstanding. Verbal close-outs are not acceptable.
Process tube condition confirmed — no known thin-wall locations unflagged
Any TMT excursion data or UT readings from the shutdown that indicate reduced wall thickness must be documented and reviewed. Tube with wall thickness < 80% of minimum design wall requires engineering disposition before startup.
Refractory inspection complete and findings recorded
Cracks, spalling, and fallen tiles recorded. Any section of refractory that exposes a tube support or tube guide must be repaired before firing. Cosmetic cracking (< 3 mm surface crack) may be acceptable — refer to site refractory management procedure.
Burner assemblies inspected — tips, registers, pilots, igniters
Each burner tip inspected for blockage and damage. Pilot assemblies installed with gas connections secure. Igniter electrodes correctly positioned and leads connected. Burner air register operation confirmed — physically cycled open and closed.
Explosion doors / pressure relief doors operational
All explosion relief doors tested to open freely and re-seat. Any door that requires force to open or does not re-seat must be remedied before startup. These doors are life-safety devices.
Casing, peepholes, and access doors inspected and secured
All peephole plugs installed and seated. Access doors fully latched. Casing panels with no structural damage. Any openings in the casing that could admit uncontrolled air invalidate draft readings during operation.
FD / ID fan mechanical checks complete (if fitted)
Bearings greased, coupling guards in place, inlet screens clear, vibration baseline established. Fan rotation direction verified after any motor work.
Stack damper operability confirmed — full open to full closed stroke
Stack damper (if fitted) physically cycled full open to full closed. Actuator signal confirmed at DCS. A stuck damper discovered during purge is a startup-stopping event.
Instrument Loop Checks
Pending
▼
All process transmitters calibrated and loop-tested end-to-end
TMT thermocouples, bridgewall thermocouples, flue gas temperature, process outlet temperature, pass flow indicators, fuel gas pressure transmitters. Calibration certificates current. Loop test confirms correct reading direction (not reversed).
Draft gauges / pressure taps confirmed unblocked and reading correctly
Firebox draft and bridgewall draft transmitters equalised and zeroed. Impulse lines confirmed clear — a blocked impulse line gives false draft readings that allow over-fired conditions or incorrect damper positioning.
Flue gas O₂ analyser in service and reading ambient (~20.9% O₂)
Analyser sample probe must be clear. Reference cell gas pressure confirmed. Zero/span check performed. A failed or reading-low O₂ analyser means the operator is running blind on excess air — excess air must be confirmed by another method if analyser is out of service.
CO / combustible gas detectors bump-tested and alarms confirmed in DCS
Field bump test with calibration gas. Confirm high alarm and high-high alarm setpoints active at DCS. Confirm alert routing to control room and field panel.
Flame detector(s) functional — pilot and main burner detection confirmed
UV or UV/IR flame detectors tested using test lamp or flame simulator. Each detector confirmed at BMS logic solver. A failed flame detector must not be bypassed without formal management of change approval and compensating controls in place.
BMS & Safety Instrumented Functions
Pending
▼
BMS logic programme version confirmed — no unauthorised changes
Confirm CRC or version stamp of the BMS programme matches the approved as-built record. Any configuration change since last startup constitutes a MOC and requires full re-validation before PSSR can proceed.
Fuel gas SDVs (main and pilot) stroking and seating confirmed
Each SDV closed, energised to open (full stroke), then de-energised to confirm spring-return to closed. Seat leakage test performed per site procedure. An SDV that does not fully close on a de-energise signal is a safety-critical failure.
BMS permissive inputs confirmed — each permissive signal tested end-to-end
Minimum: process flow permissive, purge complete, pilot flame detected, air supply confirmed. Each permissive signal exercised from the field transmitter or switch through to the BMS input. Do not rely on BMS simulation mode for PSSR sign-off.
BMS trip functions tested — fuel gas shutdown confirmed on each trip condition
Low process flow trip, high process outlet temperature trip, loss of flame trip, and loss of draft trip each tested to confirm they close the fuel gas SDV within the required response time. Test records signed by I&E engineer.
All BMS bypasses confirmed inactive — bypass log reviewed
Bypass register reviewed. Any active bypass requires a formal risk assessment and approval before startup is authorised. Temporary bypasses installed for maintenance testing must all be removed before PSSR sign-off.
BMS in correct operational mode — no test/simulation modes active
Confirm BMS is in normal operational mode. Any test mode, simulation mode, or override mode must be inactive. Key switch or software mode confirmed at BMS panel and confirmed at DCS.
P&ID Verification
Pending
▼
As-built P&IDs current and accurately reflect heater configuration
Current revision P&IDs verified against physical heater configuration. Any MOC-driven changes confirmed marked up and submitted for formal revision. Operating an asset against a superseded P&ID is a process safety management non-compliance.
All MOC actions completed and closed
If the outage was triggered or accompanied by any management of change, confirm all MOC action items are marked complete. MOCs with outstanding actions require engineering review before startup is authorised.
Relief valve(s) confirmed in service — blinding or isolation removed
Any PSV that was isolated or blinded during maintenance must be confirmed back in service. PSV test certificate current (typical interval: 2–3 years per site schedule). A heater operating with a blinded PSV is a pressure vessel violation.
Procedures & Operating Limits
Pending
▼
Current startup procedure available at DCS and field operator location
Confirmed current revision. Soft copy on DCS and hard copy in field. If the procedure has been revised since last startup (e.g., due to MOC), the revision must have been communicated to all operators performing the startup.
Operating limits (normal, alarm, trip) confirmed and loaded in DCS
DCS alarm setpoints reviewed and confirmed match the current approved operating envelope. Any setpoint changed during the outage requires engineer sign-off. Confirm alarm rationalisation has not inadvertently disabled critical alarms.
Heat-up rate curve reviewed and confirmed with operators
Maximum heat-up rate confirmed (typically ≤ 50°C/hr for process coil, refractory-specific limits may be lower for new or repaired refractory). Operators briefed on the curve before startup begins.
Permit System & Work Clearance
Pending
▼
All active work permits in heater area closed and signed off
Permit register reviewed. No permit may be active — including confined space entries, hot work, and cold work — in the heater area at the time of startup. Any open permit is a Stop Work condition.
LOTO (Lockout/Tagout) clearances confirmed — all locks removed
All energy isolation locks applied during maintenance confirmed removed by their owners. LOTO log reconciled. Any lock that cannot be accounted for must be investigated — do not cut locks without authorisation from HSE and the permit authority.
No hot work or open ignition sources within 15 m during startup phase
Area communicated to all supervisors. Hot work suspension covers the period from first fuel gas admission through to stable fire confirmation. Any grinding, cutting, or open flame in the area during this period is a major hazard.
Emergency Response Readiness
Pending
▼
Fire water and steam smothering systems confirmed in service
Deluge system isolation confirmed open. Fire water ring main pressure confirmed. Steam smothering supply to firebox confirmed lined up (if fitted). These systems must be live before the first burner is lit.
Emergency shutdown (ESD) system confirmed operational
ESD pushbutton test performed. Emergency fuel isolation confirmed closes the master fuel isolation valve. Confirm ESD test record is current. ESD must be operable before startup begins.
Mustering and evacuation routes confirmed clear
No scaffold or temporary structures blocking muster point access or escape routes. All personnel working in the area briefed on the muster point and wind direction for the shift.
Control room and field communication confirmed
Radio check between DCS operator and field operators. PA system functional. Communication protocol agreed for the startup sequence (who leads, what words confirm each phase complete).
Operator Readiness
Pending
▼
Lead operator and backup confirmed competent on this heater type
Confirm the operator performing startup holds valid sign-off for fired heater startup on this unit. If the unit is new or significantly modified, a dedicated familiarisation session must precede the PSSR sign-off.
Startup pre-brief conducted — all operators understand their roles
Pre-start meeting held. Startup procedure reviewed. Each operator knows their role: who is at DCS, who is in field, who monitors passes, who communicates phase completions. Key hold points and abort criteria communicated.
DCS graphics and alarming confirmed functional and correctly configured
DCS display for the heater confirmed active — all key points reading plausible pre-startup values. Alarm suppression audit completed — confirm no critical alarms have been inadvertently inhibited.
Utility supplies confirmed — fuel gas, instrument air, electrical
Fuel gas header pressure confirmed within specification. Instrument air header pressure confirmed ≥ minimum (typically 5–7 barg). Plant electrical supply confirmed stable. Confirm utility records show no planned interruptions during the startup window.
Process flow established through all passes above minimum
Minimum flow through every pass confirmed before any fuel is admitted. Flow must be confirmed on individual pass indicators — not header flow only. A pass with zero flow at ignition is a tube coking and potential tube rupture event.
Flare system confirmed available and operational
Flare knock drum level acceptable. Flare pilot confirmed lit. Any planned flare maintenance should not overlap with a heater startup. During startup, fuel gas and process vapours may be flared — flare system must be ready to receive them.
Final release — startup authorisation
When all domain sign-offs are complete, the Operations Manager (or designated plant authority) issues the startup authorisation. This is a documented act — verbal authorisation alone is not acceptable. The authorisation must specify the heater tag number, the date and time of issue, and the name of the authorising individual.
Production pressure is not a justification
The most common root cause in post-incident PSSR failures is time pressure. A PSSR that is signed without the physical verifications being performed is not a PSSR — it is a piece of paper. If a domain sign-off cannot be completed, the startup does not proceed. Document the reason for delay and escalate through the proper management chain.