Module 04 · Safety Systems
Safety Interlocks
Safety interlocks are the automatic barriers between a developing process deviation and a catastrophic outcome. This page covers what interlocks fire heaters use, why they exist, how they relate to the BMS, and what an operator must know to work safely around them.
Relationship to the BMS
The BMS is a specific type of safety interlock system focused on burner sequencing and flame-loss. Fired heaters also have process-side interlocks (low flow, high coil outlet temperature) that may be implemented in the DCS or a separate SIS. All interlock actions — whether from BMS or process SIS — ultimately result in the same outcome: fuel isolation and safe shutdown.
Interlock categories
Fired heater interlocks fall into four functional groups. Every trip signal belongs to one of these — understanding the group tells you immediately what hazard the interlock is protecting against.
Process
Process-Side Interlocks
Protect the process fluid and coil tubes. Low feed flow, high coil outlet temperature (COT), high tube skin temperature. Loss of these conditions risks coking, tube overheating, and rupture.
Combustion
Flame & Combustion Interlocks
Managed by the BMS. Flame loss detection, high firebox pressure, and loss of combustion air. A firebox explosion scenario follows within seconds of undetected flame loss with fuel flowing.
Fuel
Fuel Supply Interlocks
Abnormal fuel gas conditions. High/low fuel gas pressure, loss of pilot gas, high fuel gas temperature. Fuel outside design conditions changes flame stability and combustion stoichiometry unpredictably.
Draft / Utility
Draft & Utility Interlocks
Loss of induced or forced draft fan, instrument air failure, steam-atomising pressure loss (for oil firing). Draft loss can cause firebox pressurisation, flame instability, and CO accumulation.
Cause & Effect — typical interlock matrix
The Cause & Effect (C&E) matrix is the definitive reference for what each trip does and why. The table below represents typical refinery practice. Your site-specific C&E matrix — issued under document control — takes precedence over all generic guidance.
| Cause / Tag | Condition | Type | Effect | Hazard prevented |
|---|---|---|---|---|
| Feed flow — low low FSLL-xxx |
Flow falls below minimum safe throughput | TRIP | Close fuel SDV, fire BMS trip | Dry firing / tube overheating / coking |
| Coil outlet temp — high high TAHH-xxx |
COT exceeds maximum design temperature | TRIP | Close fuel SDV, fire BMS trip | Tube metallurgical failure, cracking overrun |
| Coil outlet temp — high TAH-xxx |
COT approaching trip setpoint | ALARM | Operator alert — reduce firing | Early warning before TAHH |
| Tube skin temp — high high TSHH-xxx |
Skin temp exceeds tube design limit | TRIP | Close fuel SDV, fire BMS trip | Tube creep damage / rupture |
| Flame detection — loss BE-xxx (UV/IR) |
No flame confirmed within scan period | TRIP | Close all fuel SDVs immediately | Unburned fuel accumulation / explosion |
| Fuel gas pressure — low low PSLL-xxx |
FG header pressure too low to sustain flame | TRIP | Close fuel SDV, fire BMS trip | Flame instability and blowout |
| Fuel gas pressure — high high PSHH-xxx |
FG pressure exceeds burner design rating | TRIP | Close fuel SDV, fire BMS trip | Flame liftoff, combustion instability |
| Draft fan — failure ZSL-xxx (current) |
Fan current loss / vibration high | TRIP | Close fuel SDV, fire BMS trip | Air-short combustion, CO, firebox pressurisation |
| Firebox pressure — high high PSHH-firebox |
Positive firebox pressure (loss of draft) | TRIP | Close fuel SDV, fire BMS trip | Hot gas ejection, explosion risk at openings |
| Feed flow — low (first alarm) FAL-xxx |
Flow falling, approaching FSLL | ALARM | Operator alert — investigate | Pre-trip warning, allow corrective action |
Setpoints are not on this page
Specific setpoint values (temperatures, pressures, flow rates) are intentionally omitted. They are unit-specific and must be taken only from the approved process datasheet or operating manual for your heater. Using generic values on a live unit is a procedural violation.
Layers of protection — where interlocks sit
Interlocks are one layer in a defence-in-depth stack. Understanding the full stack shows why any single layer failure is not immediately catastrophic — but also why bypassing a layer removes protection that assumes the layers below it will hold.
1
Process Design
Inherently safe design — design temperatures, metallurgy, relief valve sizing. Cannot be overridden.
2
Basic Process Control (DCS)
COT controller, fuel gas flow controller, draft pressure control. Prevents deviation from normal operating envelope.
3
Safety Instrumented System / BMS — Interlocks
Independent SIS/BMS. Fires on deviation from safe operating conditions. This is the layer described on this page.
4
Physical Relief Devices
Safety relief valves, rupture discs. Passive mechanical protection if containment is threatened.
5
Operator Response
Manual response to alarms and abnormal conditions. Credited only with adequate time, training, and procedure.
6
Emergency Response / Mitigation
Firewater, deluge, emergency isolation, evacuation. Consequence mitigation after loss of containment.
What to do when an interlock fires
An interlock trip is a message: a condition outside the safe envelope has been detected. The correct sequence is always the same, regardless of which interlock fired.
Interlock Trip Response — General Principles
01
Confirm safe state — fuel isolated
Verify SDVs have closed and fuel gas pressure has dropped to zero at the heater. Do not assume the BMS/SIS has acted — confirm in the field or on the DCS faceplate. A failed SDV that has not closed is an immediate escalation.
02
Identify the initiating cause
Read the first-out alarm on the BMS/SIS panel — this is the cause, not the consequence. Multiple alarms will appear after a trip fires; the first-out tells you what triggered the shutdown. Do not reset until the cause is understood.
03
Do not reset without resolving the cause
Resetting the interlock without addressing the root cause re-exposes the process to the same hazard. If the cause is not understood, treat the trip as valid and hold the unit in shutdown. Notify your supervisor before any reset attempt.
04
Verify process conditions allow restart
Before re-lighting: confirm feed flow is confirmed and stable above FSLL, COT is within limits, fuel gas header conditions are normal, and the initiating fault condition has cleared and been corrected.
05
Follow the full startup sequence — no shortcuts
After any unplanned shutdown, treat re-light as a cold startup: full purge, confirm purge complete, pilot light sequence, main burner in sequence. The firebox must be treated as potentially containing unburned fuel until the full purge cycle is confirmed complete.
06
Complete trip report and log entry
Document the first-out alarm, time, process conditions at trip, corrective action taken, and who was notified. This is a site requirement and a regulatory expectation under most jurisdictions' process safety management frameworks.
Spurious trips — when the interlock fires incorrectly
A spurious trip is an interlock action not caused by a real process hazard — typically instrument failure, sensor fouling, or logic solver faults. They are operationally disruptive, but the correct response is still to treat the trip as valid until the cause is confirmed to be instrumentation.
Never assume a trip is spurious without field verification
Assuming a trip is instrument-related and immediately resetting is a route to catastrophic consequence if the process hazard was real. Every trip must be investigated before reset. A spurious trip that recurs without root cause investigation is a precursor to a bypass being applied — which escalates risk significantly.
Common causes of spurious trips and their investigation approach:
Spurious Trip Investigation Guide
| Common Cause | What to Check | Corrective Action |
|---|---|---|
| Flame detector lens fouling | Cross-check against other flame detectors on same burner; inspect lens physically | Clean lens; functional test before restart; schedule replacement if recurrent |
| Flow transmitter impulse line blockage | Compare to independent flow measurement; check DP transmitter zero | Clear impulse lines; verify transmitter reads correctly against known flow |
| Thermocouple failure (COT) | Cross-check against redundant thermocouple; check continuity and reading drift history | Replace thermocouple; do not reset TAHH bypass without replacement |
| Pressure transmitter calibration drift | Compare to local gauge; check calibration date | Recalibrate or replace; enter MOC for temporary bypass if continued operation required |
| Power supply / signal wiring fault | Check SIS panel diagnostics; continuity check on field wiring | Restore supply or repair wiring; notify instrument technician before restart |
Interlock bypass management
Occasionally, operational necessity or instrument maintenance requires that an interlock be temporarily bypassed. This is a managed activity — not a field decision. The following requirements apply in every well-run facility, regardless of the specific bypass procedure document.
When a bypass is permissible
▶
Bypasses are permissible only in defined circumstances:
- During proof testing of the interlock (testing that the interlock works — it must be bypassed to test the final element without tripping the unit).
- When a sensor has failed and a replacement is not yet available, requiring temporary compensating measures.
- During startup conditions where a permissive cannot yet be met but the associated hazard is managed by other means.
Compensating measures required during bypass
▶
Whenever an interlock is bypassed, the protection it provided must be compensated for. Typical compensating measures include:
- Increased operator surveillance frequency — typically 15–30 minute manual checks of the bypassed parameter.
- Temporary high-alarm at a lower setpoint to give earlier operator warning.
- Reduced throughput or firing rate to reduce the rate of approach to the hazardous condition.
- Continuous presence of a qualified operator at the panel during the bypass period.
Time limits and removal
▶
Every bypass must have a defined expiry time — typically a maximum of one shift or 12 hours for instrument faults, extending only with a renewal and management approval. At shift handover:
- Active bypasses must be explicitly communicated to the incoming operator.
- The incoming operator must acknowledge the bypass and the compensating measures in place.
- An open bypass that is not re-confirmed and re-approved at shift change must be removed.
The most dangerous bypass is the one everyone has forgotten about
Multiple incident investigations — including major refinery fires — have identified an interlock bypass that had been in place for months or years as a causal or contributing factor. A bypass tracking register, visible to all operators, is a non-negotiable control.
Proof testing — confirming the interlock will work
An interlock that is never tested may have failed silently. SIS and BMS proof testing verifies that each sensor, logic solver, and final element (SDV) will function correctly on demand. Testing intervals are set by the SIL assessment — typically annual for SIL 2 systems. The operator's role in proof testing:
- Coordinate with instrument and operations to schedule tests during planned shutdowns or low-criticality windows where possible.
- Confirm unit conditions before testing — some tests require partial load reduction or process isolation.
- Witness SDV stroke tests and confirm valve travel meets specification.
- Do not accept a "pass" on a partially-stroked valve test if full closure is required for the interlock function.
- Sign the proof test record — this forms part of the SIL verification audit trail.
Partial stroke testing
Some SDVs are partial-stroke tested during operation — the valve is stroked 10–15% to confirm movement and actuator function without full closure. This is better than no testing, but does not fully verify that the valve will achieve tight shutoff. Full stroke testing (valve to full closed) is required at the intervals specified in the SIS proof test schedule.