Firebox Explosion in a Primary Reformer
Furnace
Analysis of the incident with some practical considerations for reducing the
risk.
R. E. Sparrow, Western Co-operative Fertilizers Ltd., Calgary, Alberta T2P 2N1, Canada
INTRODUCTION
The ammonia plant operated by Western Co-operative
Fertilizers Limited in Calgary was constructed in 1965 by
C. and I. Girdler and has a capacity of 180 tonnes/day. On
January 24th, 1984, the plant had been shut down since
early morning to repair a bearing on the reformer I.D. fan.
At 7:00 p.m. the primary reformer was lit for the first time,
as the reformer temperatures came up, steam and then nat-
ural gas were introduced to the process as normal. Prob-
lems were encountered with establishing the correct
flows in the M.E.A. system and while this was being in-
vestigated, the plant shutdown system was activated at
9:30 p.m. by a power bump. At 10:30 p.m. after the prob-
lems had been resolved on the M.E.A. system, the re-
former was lit for the second time. At 11:30 p.m., the lights
blinked and the reformer shutdown system again acti-
vated. At 11:45 p.m. the reformer was lit for the third time.
Part way through the lighting sequence a muffled explo-
sion occurred in the firebox. Upon inspection severe dam-
age to the firebox roof was found, the plant was prepared
for an extended shutdown. There were no injuries to
personnel.
THE PRIMARY REFORMER
A simplified drawing is given in Figure 1. The main
points to note are:
Twin cells, bottom fired, 36 tubes/cell arranged either
side of seven burners.
The two cells are built into a single metal structure di-
vided by a self standing brick wall. The firebox walls
are lined with brick tied back through asbestos board by
metal ties to the metal structure.
The firebox roof is constructed of brick threaded in rows
on metal bars, adjacent bricks and rows are grouted to-
gether, the bars are hung from external metal supports.
The reformer burners and the auxiliary burner each
have their own pilot burner, manually set gas flow valve
and manually operated isolation valve, and are all linked
into a Factory Mutual protection system. Pilot burners
are manually ignited using a portable gas torch.
The plant was intended to be operated with electric
drive on the I.D. fan with automatic turbine drive
takeover. No protection was provided for complete loss of
I.D. fan.
At start-up a Factory Mutual system (P.M. system) is
used to protect against start-up with any burner isolation
valve open. With all isolation valves closed, fuel gas pres-
sure reaches a pressure switch PS 115 which then closes.
This allows the low gas pressure trip (PS 102.2) to be
bridged by push button PB112, the reformer fuel gas shut-
down valve is then energized and can be latched open, sat-
isfying the low pressure trip PS 102.2. An orifice down-
stream of PS 115 bleeds off fuel gas pressure to prevent
PS 115 being held closed by trapped gas.
EXPLOSION INVESTIGATION
The main points to note were:
1) At the time of the explosion all the burners in 'A' cell
had been lit. Burners seven and six in the 'B' cell had
been lit. This was supported by the firebox temper-
ature recorder chart.
2) The explosion occurred as the ignition torch was
pushed inside burner 'B'5, the pilot and main gas
isolation valves for the burner had not been opened.
3) When the reformer tripped at 11:00 p.m. the F.D.
fan also tripped, this fan was restarted only a few
minutes prior to lighting the burners in 'A' cell. The
purging was less than usual.
4) The operators had experienced problems in lighting
the pilots and had opened both the pilot gas shut-
down valve SVI19 and the reformer fuel shutdown
valve SVI12. On each burner the pilot and main
burners were being lit together.
5) The operators were sure all pilot and burner isola-
tion valves had been shut prior to starting the light-
ing sequence.
6) The operators had isolated the process steam after
the 9:30 p.m. and 11:00 p.m. trips.
7) The explosion doors had all moved and were free to
move.
8) The reformer shutdown system was operating cor-
rectly with the exception of the F.M. system. Pres-
sure switch PS115 had failed in the closed position.
Fuel gas shutdown valve SV112 could be energized
and latched in with one or more fuel gas isolation
valves open or partly open.
9) Soon after the explosion a small flame was observed
coming from the southwest reformer tube in cell 'B',
tube D18. A subsequent pressure test revealed a
small crack.
10) With the exception of four tubes the reformer tubes
had been in service since 1965. They were 106.4
mm (4-3/16") I.D. HK 40 tubes, process side pres-
sure 1792 kN/m2 (260Dpsig). Typical tube wall tem-
perature 899°C (1650 F.).
11) Gas burners 7B, 5B and 4B were found to be passing
very slightly when closed.
 VENT
1 ALL 14 BURNERS PLUS
AUX.BURNER
het«J-e
, V
* '
^-5
i
Figure 1. Simplified sketch of primary reformer.
12) The reformer wall temperatures in 'B' cell were all
below 538°C (1000°F.) at the time of the explosion.
Ignition temperature of CH4 632°C (1170°F.), igni-
tion temperature of hydrogen 571°C (1060°F.).
The following questions were difficult to resolve:
Were any of the burner valves somehow left open, or
partly open?
What contribution did the passing burner isolation
valves make?
If the leaking tube D18 was responsible, the explosion
would normally have been expected to occur when
burner B7 was lit.
Did any burners, particularly 7B or 6B blow out?
The most likely explanation of the explosion was that the
leaking tube allowed combustibles pressurized in the
front end of the plant to depressure back out of the tube
and built up somewhere in the firebox. The rare combina-
tion of an undetected tube leak, low reformer wall temper-
atures (allowing a build up of gas), successive trips, no pro-
cess steam on the reformer and possibly less than adequate
purging gave the ingredients for an explosion.
DAMAGE AND REPAIR
The first obvious problem was the severe damage to the
roof, mainly in the south cell. The pressure from the explo-
sion had lifted the brick roof, the supports had become un-
hooked in several areas, and the roof had then fallen into
the reformer. The damage to the south cell had made the
north cell roof very unstable. The central dividing wall
surprisingly showed no obvious sign of damage. It can
only be assumed that the explosion in the south cell was
relieved to the north cell by the interconnecting duct
work, thus preventing a "significant" pressure difference
across the central wall. Visually the north and south walls
of the reformer metal skin appeared bowed. A large exter-
nal horizontal "I" beam attached to the north wall halfway
up the reformer had come away from the wall by a gap of
230 mm on the northeast corner. This gap fell to 0 mm at
the centre of the reformer. By cutting a number of small in-
spection holes it was determined that there was a gap of 50
mm or more between the metal wall and the asbestos
board. The metal ties for the brickwork had parted com-
pany with the walls over a wide area. The walls were still
50
j j j
CELL 'A' CELL'S"
NOTE-.
AUX. BURNER HAVE A
18 TUBES/ROW 18 TUBES/ROW MANUALLY IGNITED
PILOT BURNER.
7 BURNERS — 7 BURNERS
PER CELL PER CELL
î a ( r 3
PRI. FUEL OAS
vertical and appeared stable. No other significant me-
chanical problems were found.
The next problem to rear its ugly head was the discovery
that the loose fill fibre used to cover the brick roof on the
outside was asbestos. This fibre had now heavily contami-
nated the head house and firebox. A specialized company
was used to decontaminate the reformer. The structure
was sealed up, the entire brick roof knocked down inside
(the floor was protected by boards) and all debris vacu-
umed up. Air monitoring and clean-up continued until the
firebox and head house were acceptable for work without
protection.
A shut down had already been planned for autumn 1984
when all the reformer tubes were to be replaced. It was de-
cided that though the reformer brick walls were suspect
they would be left intact. The reformer firebox roof was
replaced as to the original design using a mineral loose fill
fibre as the final insulation. Leaking tube D18 was re-
placed. The reformer was lit on February 2nd and the first
ammonia produced on February 4th. The total cost of the
initial repair was $80,000 CDN.
In November 1984 all reformer tubes, the brick walls
and the asbestos board was removed. Again special pre-
cautions were used to cope with the asbestos. The central
brick wall was left intact and anchored to the metal struc-
ture by casting refractory columns on both sides at each
end; these columns were then tied to the structure with
302 stainless ties. The existing brick roof was anchored in
place using refractory casting to fill the gap between the
roof and walls. The walls were then lined with 150 mm of
refractory blanket made up of six layers with all joints
overlapping and tied to the wall with Inconel 601 anchors.
New reformer tubes were then installed. Total time for
work was 28 days, total cost $130,000 CDN, excluding cost
of tubes and tube installation.
FAILURE ANALYSIS
Although there were not firm conclusions about the pri-
mary cause of the explosion, it was apparent that the re-
former was extremely vulnerable to explosion damage.
Calculations indicated as little as 1.5 kN/m 2 (6" water
gauge) pressure would be sufficient to lift the roof. The
four explosion doors each .37 m"2 (4 ft2) offered very little
protection. Our objective became not to try and establish
exactly what had happened but to try and ensure that the
chance of a future explosion would be reduced to an ac-
ceptable level.
The approach adopted was to develop a fault tree and as-
sign probabilities to estimate the frequency of explosion
damage. Initial attempts to formulate a tree were frustrated
by a combination of inexperience and the need to sort out
the credible events from all the possible events. To have
an explosion one of two events has to occur:
i) A failure leading to a fuel rich mixture which then
returns to the flammable range and is ignited, e.g.
ignition source hot brickwork.
ii) Leakage of gas allowing a build-up in the
flammable range, plus a delayed source of ignition,
e.g. operator attempts to light reformer burners. Ig-
nition at time leak starts will simply allow leak to
burn.
The reformer is at least partially protected against going
fuel rich either by loss of combustion air or by excessive
fuel gas pressure. It is also protected against going fuel
lean by a low gas pressure trip and against start-up with
burner gas valves open by the P.M. system. Calculations
indicated that during normal operation loss of the F.D. or
I.D. fan may just cause the reformer to go fuel rich if the
fuel is not isolated. The settings of the high pressure and
low pressure gas trips were also valid for normal operating
gas and air rates. The question remained how good was
this protection?
FAULT TRIES
Fault trees are widely used in hazard analysis to display
in a logical sequence the way in which a hazard may occur
[1 ]. For any reasonably complex system there are many dif-
ferent possible fault trees. Those presented in this paper
seemed the most logical at the time they were constructed.
There may well be other routes which have been ne-
glected which are both credible and significant. The fault
tree is divided into three types of explosion:
i) An explosion during lighting of the burners, Figure
2. Gas valves left open or leaking, or a tube leak.
Figure 2. Explosion at light-up.
51
ii) An explosion when operating and shutdown system
not activated, Figure 3. Either failure of shutdown
system to activate or omission in design of shut-
down system.
iii) An explosion after operation of shutdown system,
Figure 4. Failure of shutdown valves to close when
activated.
What can be loosely described as "second order" types of
events, combinations of i), ii) and iii) have been neglected
owing to their low probability. The fault trees are made up
of the following components:
Describes an event
or condition
And gate, for this to have
an output all the inputs
must exist
Or gate, to have an output
one or more inputs must
exist.
Some additional events have been added to Figures 2, 3
and 4 to improve understanding when extra protection
measures are included. Each fault tree culminates in an
explosion.
QUANTIFICATION AND DISCUSSION OF FAILURE RATES
The simple rules used for combining the probabilities
are given in the Appendix I. The frequencies or probabili-
ties are taken from operating experience at Calgary and
discussed as required below. While some of this data may
not be very statistically sound, it was the best we had ready
access to.
 i* ta
».

o
S
r,
b '
8 1
Sf
o §
*
•
tï e 3. ja
o*
-»Ss 3s fJ Js
Uil 3SÏCÏ }

l!
X O
,

K
'
î ?
Sî3
i »- IS
1 ^
*l
s S? °-

Î
a 1
^--J-— " -*; -
S^< Cfl^X^^

•—*T77^—^—^_ -2 < 1
M' - J
o °. |

! . Is «* •^
3. i |C SS 9
::: îo Ja. •=. o o
9
l* 4
ܻJ *i
UM
*>•*
U
-«O
C VI U
t H < H
MI4
Q 3
J «
a
-U « » U 3<M&U ••*M^ß
" Xu Ä *i & V» O O » fc. Ci "O S

S i
o
a
u

il«
25"* 3t
SS
.1 r
ïJ
i °
ZS25
r
t
C « 1
i o
i l[
*>
1. >.
1„ 4 «

i ' II S

fi
*•
3"
ö *
•1
•o

1
o a
s;
2 <
U) > • <H
11 ii H13 w •* 1
i o
*\
t 0

1s

Figure 3. Explosion when operating (shutdown system does not operate).

Initial estimates of frequency or probabilities are shown Explosion During Lighting of Burners (Figure 2)
above the connecting lines (frequency given as rate/year,
probability given as simple number between .0 and !.)• Initial hazard rate estimates based on not testing for
Where an event is marked negligible it can be neglected combustibles, less attention to purging rate, less strict con-
either because of little or no effect, or because of trol of lighting pilots first and low reliability of P.M. sys-
insignificant frequency or probability. Revised estimates tem. See Appendix II for discussion of P.M. system. The
after modifications are given below the connecting lines auxiliary burner is not separated on the tree as it is linked
in parentheses. into the P.M. system.
52
 The shutting of all fuel isolation valves correctly is as-
signed a probability of .9. This is often carried out in a high
stress situation and no special precautions such as a
checklist is employed. The most likely error is to not close
the auxiliary burner valve as it is remote from the reformer
isolation valves. Gas from blowing out a burner (likely to
be fuel lean), or from a leaking burner valve is considered
negligible. The probability of a leaking tube undetected
prior to start-up is based on one undetected leak in 18
years, six start-ups/year, probability .01. Approximately
half the light-ups occur when the furnace is below 704°C
vu' DO' (1300°F.), taken as the practical ignition temperature.
§* s Probability of S VI12 or S VI14 leaking prior to being ener-
o J«
gized is .05, while the probability of leak being undetected
J3 a § uS is .1.
1 3 353
•H U The initial estimate of the hazard rate comes out at one
Q Ifl X C ' 4 --4
^i nj •*
fc. t* S
D» ' 4 U
M O JQ
explosion in 19 years. It is interesting to note the apparent
unimportance of purging. By some simple modifications
to P.M. system(see Appendix II), ensuringthe pilots are lit
first (still allow 1 in 10 chance this is not done), and more
attention to purging and testing for combustibles, the esti-
mate is improved to 1 in 600 years. With a total loss of
$500,000 for an explosion, the average cost is $800/year.
Thus, a crude analysis might suggest it is worth spending
up to $800 to significantly reduce the risk further [1 ].

Explosion When Operating (Shutdown System Does Not Operate)

(Figure 3)

The main problem in assessing this fault tree was the

availability of failure rate data. Owing to lack of failure fre-
quencies it was not possible to include the effect of testing
period to calculate the probability of being in a failed state,
often called the "Fractional Dead Time." Reference [2]
does include relevant data, however some of it appears op-
timistic when applied to the chemical industry. The data
in Table 1 was used for this analysis.
The effect of fuel gas pressure control PIC5 suddenly fail-
ing open (air fail close) was considered negligible since
during normal operating it is almost fully open. The panel
1
operated fuel gas flow valves MLS120/121 present no haz-
O
o 8
ard if they were to fail open; manually set flow valves to
each burner are adjusted so that little pressure drop occurs
-< « over MLS 120/121. A probability of .5 is assigned to the
•35
3 fl C* £3 ^
g s flame actually going out as the reformer goes fuel rich.
U C O >
eu S 4J w
14 C O >
«J 3 W W
This is because it was not certain from calculations that
E
O
O
•O 01
-U r-»
V
B
•H O
-4 "O « «
••4 U -< 0)
F.D. or I.D. failure would increase the fuel composition
x a •* o above its upper flammable limit. The probability of the
a-SJS-3 < « *w rj
flame failing to relight on low gas pressure is based on the
fraction of the year the reformer is likely to be below 704°C
(1300°F.).
The hazard rate comes out at one explosion in 80 years.
At the time this assessment was carried out it was proposed
to run the I.D. fan as much as possible on steam drive. If
this is done then the explosion rate increases to one in 22
years. It was therefore proposed to install a firebox high
pressure trip designed to shut the reformer down in the
event of a total I.D. fan failure. Actually, two independent
switches were installed, one directly monitoring the
firebox pressure and the second using the signal from the
j draft indication, these were on independent signal lines.
U
"N 0
M
' W.'
v« \ TABLE 1—FAILURE DATA
tN
O
0 v
o3 •-414 ?
-H
•-ia. 5o •o «
«J
q> Item Probability of Being in a Failed
» n
e
14
4J
U M
C O State when Required to Operate
O
u
a "0
U ?S o
o n
1 FD fans
1 cxcludi

combust

b. en
caused

1-4> *J
before

w S •• £ •D
O u a E
«8 73 D
'M «J >
o u o B
fl -a S
O
IM î» Failure of relief valve to .02
n
e 3 «
U M n u *J
0) C 3 W
ä open when required
1
1

•0 JS >.
'*4 M (fl 3 ^ 5 ïr Failure of pressure switch .05
to operate
Failure of electric relay to .001 (when de-energized)
Figure 4. Explosion after shutdown system operation. open
53
V ith either pressure switch capable of shutting the re-
former down, the probability of the trip not working be-
comes .05 x .05. The overall hazard rate decreases to one
explosion in 1666 years. In view of the available data no
other improvements were implemented.
An Explosion after Operation of Shutdown System (Figure 4)
The main mechanism here is that after activation of the
shutdown system, the fuel gas shutdown valve, either
SV112 or SV114 fails to close. In addition, there must ei-
ther be loss of combustion air or the combustion air must
be shut off prior to isolation of the fuel gas system. If the
combustion air is normal, the burners will continue to burn
until the gas is isolated. The failure rates for SV112 and
SV114 are taken from operating experience of one valve
failed open in 18 years, four valves in service, six demands
on valves per year—probability of being failed .002. While
this estimate may not statistically be very sound, it does fit
in well with the probabilities used to evaluate Figure 3. It
is assumed that there is only a one in 50 chance that the
operator will cut back on the reformer combustion air be-
fore isolating the fuel gas.
Using the initial estimates from Figure 3 for the fre-
quency of reduction in combustion air, the hazard rate is
one explosion in 500 years. The result is almost entirely
dependent on the failure rate of SV112 and SV114. To date
we have made no changes, however a back-up by automat-
ically shutting pressure controller PIC5 upon shutdown
activation would be an inexpensive modification. An-
other approach would be to install bypasses round SV112
and SV114 to allow on-line testing with strict testing pro-
cedures.
Summary of Fault Trees
The initial estimate of an explosion during lighting of
the burners with gas valves left open or a tube leak, was
one in 19 years. By some simple equipment changes and
emphasis on certain operating techniques, this was re-
duced to one in 700 years.
The initial estimate for an explosion when operating and
when the shutdown system does not activate was one in 80
years. Operating the I.D. fan turbine drive almost continu-
ously increased the predicted hazard rate to one in 22
years, this was reduced to one in 1666 years by two pres-
sure switches monitoring the firebox draft. The hazard
rate associated with failure of fuel gas shutdown valves to
close when activated was one in 500 years, which was con-
sidered adequate.
DISCUSSION
Following an accident, attention is normally directed at
what was the cause and how it can be avoided in the future.
When we looked at the firebox system we were surprised,
considering its vulnerability and large number of failure
routes, that we had not experienced problems earlier. Al-
though the explosion did not result in a large financial loss
and repairs were fairly straightforward, we wished to en-
sure the chance of a future explosion was reduced to an ac-
ceptable level. The total hazard rate for the reformer from
all causes at the time of the explosion was estimated at one
explosion in 15 years. We had actually experienced one in
20 years. By some relatively simple modifications the pre-
dicted hazard rate has been reduced to one in 250 years.
More work is needed in quantifying the chances of a shut-
down valve leak causing a problem at light-up, and
devising a system for checking for such leaks immediately
when the fuel gas is unblocked at PIC5. An additional area
for improvement would be to provide back-up for failure of
the shutdown valves to close following a trip. Time will
demonstrate the value of the modifications especially to
the Factory Mutual System. One Other modification
54
which was implemented, was to shut the pilot fuel gas
shutdown valve SV119 on process steam low flow and
W.H.E. low level in addition to loss of F.D. fan. Experi-
ence has shown that the pilots blow out when operated
alone at normal combustion air rates. In the future, we may
interconnect SVI14 so that it can only be energized when
SV112 is already energized. At present it is possible to
latch open S VI14 without having shut the auxiliary burner
fuel isolation valve.
The use of the fault trees allowed a systematic approach
to generating and quantifying failure routes. While the
fault trees may seem complex, they do represent a fairly
complex system in a logical and easy to understand way.
The probabilities and frequencies used for the analysis, al-
though crude, highlight those areas requiring the most at-
tention. Although little has been added to the actual cause
of the explosion, it is comforting to know that the predicted
explosion hazard rate has been reduced at least by a factor
of 10. Areas for attention in operator training have also
been indicated. Finally, it is hoped that this paper may
prompt some other companies to look at their own re-
former firebox protection systems. The fault trees pre-
sented here are unlikely to be directly applicable, but they
should provide a starting point for analysis.
APPENDIX I
Rules for combining probabilities.
If PA is probability event that A occurs and PB is probability
event that B occurs then:
P(A and B) — PA X
PB
P<A or B)= PA "*" PB ~ PA x PB
(strictly either A or B or both)
If f c is the frequency that event C occurs e.g. number of times a
year the reformer trips then:
f(C and A) = »C X
PA
Çc and A and B)= fc X
PA X
PB
APPENDIX II—THE FACTORY MUTUAL SYSTEM
Over the last three years on testing our F.M. system we have
found the following failures:
1) Pressure switch PS 115 failed closed.
2) Blockage of orifice and trapped gas holding PS 115 closed.
3) Low gas leak on auxiliary burner isolation valve with cold am-
bient conditions (—30°C) allowed condensation of hydrocar-
bons in vent line. Static head satisfied PS 115. PS 115 is vented
to top of reformer.
Based on the above information, a probability of .5 was used for
the initial estimate of the F.M. system failing to protect.
In addition, the following are possible:
4) F.M. system defeated by the low gas pressure switch PS102.2
failing closed.
5) High gas leak on auxiliary burner valve satisfying PS 115.
6) Leakage past SV112 satisfying PS102.2. This would normally
only result in failure to detect an open auxiliary burner valve.
When the reformer is operating it is possible to check nearly all
aspects of the system. The small bore tubing can be disconnected
and inspected for blockages and leaks from valves. The orifice
and PS 115 can also be tested.
Our own installation suffered from the defect that it had no indi-
cating light to show that power was past the contacts of PS 115. By
installing this simple light it is possible to prove that PS 102.2 is
not failed closed (the light only comes on when PB112 is pushed).
All valves in the correct position, orifice and PS 115 working (light
goes off when energizing gas for F.M. system is temporarily isola-
ted). Thus, three simple operations can test the entire system at
every start-up. By rearranging the vent line on F.M. system, as
well as installing a new filter, orifice and suitable pressure
switch, we are confident the probability of the F.M. system fail-
ing to detect an open valve would drop to .1 or better. By
introducing the simple test at every light-up, assuming the chance
of operator error or failure to perform the test is .2, the overall
probability of failure of F.M. system to detect an open valve be-
comes .1 x .2 — .02, a factor of 25 times better than the original
system. It would also be possible to automate this simple test.
LITERATURE CITED
1. Kletz, T. A., Hazop and Kazan. Notes on the Identification
and Assessment of Hazards. I. Chem. Eng., England.
2. Lees, F. P. Loss Prevention in the Process Industries,
Butterworth, 1980.
Robert E. Sparrow is the process superintendent of
the Nitrogen Division at Western Co-operative
Fertilizers Limited in Calgary. He holds a B.Tech.
in Chemical Engineering and a M.A. in Systems
Engineering. He also has a doctorate in computer
aided design from Swiss Federal Institute of Tech-
nology in Zurich. For the last ten years he has
worked on process engineering design, technical
and operational plant supervision. He is a member
of the British Institute of Chemical Engineers.