Avoiding Unintentional Safety Standard Violations for Burner-Management Systems
When evaluating the safety systems supporting ovens, furnaces and boilers, you may find yourself in violation of an applicable standard. If your installation is truly safe, should you be concerned?
Many process industry manufacturing plants have some sort of boiler or fired heater as part of their processes. Heat is a basic element for making everything from ketchup to polymers, so there are invariably burners somewhere in the plant. And, where there are burners, there are burner-management safety standards that need to be met.
A burner-management system (BMS) does exactly what its name suggests: It prevents a hazardous condition from occurring due to an accumulation of unburned fuel capable of causing an uncontrolled fire or explosion. This makes sense given the dangers involved, but regulations governing how they work and who has responsibility for them can be confusing.
Conscientious companies wanting to operate safely and maintain compliance with regulations can find themselves in violation of some statute, unaware it applies to them. In a worst-case situation, two groups may claim jurisdiction over a company and push it in conflicting — or at least different — directions. Such a situation does not help anyone, but there are ways to cope.
A Practical Qualification
An organization like NFPA understands its fallibility. It does not believe its recommendations are ever necessarily wrong, but it is willing to acknowledge it might not always have the best answer in every situation. No company should ever be able to point to a problem and suggest the source of the problem was following NFPA or another standard. NFPA is acknowledging this reality when it adds an equivalency clause:
“Nothing in this standard is intended to prevent the use of systems, methods or devices of equivalent or superior quality, strength, fire resistance, effectiveness, durability and safety over those prescribed by this standard.”
If you follow your own approach and it is not NFPA to the letter, you might have to convince the authority having jurisdiction (AHJ) of the validity of your solution under this clause. If you do it differently than NFPA recommends, you must be able to argue why your approach is better than what is outlined in the standard. The decision will likely rest with the AHJ because he or she may need to approve your system.
Too Many Authorities Having Jurisdiction?
Situations like this arise when various industries are regulated by many entities defined as an authority having jurisdiction (AHJ), either because of geography or by virtue of being in a specific type of industry. National Fire Protection Association (NFPA) defines an AHJ as “An organization, office or individual responsible for enforcing the requirements of a code or standard, or for approving equipment, materials and installation, or a procedure.”
When a company exists in isolation and is subject to inspection by only one AHJ, there is no problem. But, sometimes, those silos come down. A plant in Ohio subject to state inspection may discover it also falls under an industry-specific safety organization, and it now has to answer to both. Two AHJs may be just the beginning because the list of regulatory agencies can grow over time.
Companies struggling with operational issues may find their situation made worse by growing regulatory complexity. The regulators see their job as critical because boiler and pressure vessel inspections show boiler controls as the leading source of violations. So, there is good reason to pay attention to burner-management systems, both for regulatory compliance and safety.
NFPA Safety Standards and Other Organizations
The most commonly followed BMS regulations are driven by NFPA and comprise three major standards:
- NFPA 85, Boiler and Combustion Systems Hazards Code.
- NFPA 86, Standard for Ovens and Furnaces.
- NFPA 87, Recommended Practice for Fluid Heaters.
However, there are other standards applicable in certain situations:
- FM 7605, Approval Standard for PLC-Based Burner-Management Systems.
- API-556, Instrumentation, Control and Protective Systems for Fired Heaters and Steam Generators.
- ISA-TR84.00.05, Guidance on the Identification of Safety Instrumented Functions (SIF) in Burner-Management Systems.
Reading the titles, it is not difficult to see how more than one standard may apply for a single BMS. Each organization takes a particular spin in the way it approaches the topic, and each standard was targeted to the needs that existed at the time it was published. Differences range from subtle to outright conflict.
NFPA is very prescriptive. It tells you exactly what you should be doing, so in most situations, it is best to start with NFPA and implement those regulations first.
Other standards such as ISA are more performance based. They tend to describe how “good” the system should be, when redundancy is needed and what kind of testing program should be scheduled. ISA tells you, in effect, how to work with the system you set up following NFPA. As you will see shortly, sometimes these two standards do not pull in the same direction.
What Qualifies as a BMS?
Because we are talking about standards, at some point, every element is defined, including exactly what constitutes a BMS. NFPA 85, 2004 describes it as:
“The control system dedicated to combustion safety and operator assistance in the starting and stopping of fuel preparation and burning equipment and for preventing misoperation of and damage to fuel preparation and burning equipment.”
Within the definition are two key areas: “…starting and stopping of fuel preparation and burning equipment…” and “…preventing misoperation of and damage to…”. Let’s expand those two thoughts.
The first area is the job of the BMS itself. It is a stand-alone system designed to ensure safety by assisting the operator in safe starting and stopping of burners while preventing operator error.
The second side of the picture is covered by both the BMS and combustion control, but they have separate functions. Combustion control regulates fuel and air inputs to maintain the correct ratios for continuous combustion and flame stability with maximum efficiency throughout the operating range. It is regulated by the distributed control system (DCS) or other type of basic process control system (BPCS). The BPCS also determines the firing rate based on the needs of the process. The BMS continues to perform its safety function by monitoring the flame and shutting off fuel if the flame goes out. The need for that function never stops.
Why Things Blow Up in Industrial Plants
A study of plant accidents and safety incidents will turn up many situations where some sort of furnace or fired heater blew up. Typical causes include:
- Sporadic interruption of fuel, air or ignition energy to the burners.
- Fuel leakage into an idle furnace.
- Repeated, unsuccessful attempts to light the unit without appropriate purging.
- Accumulation of fuel and air after a furnace flameout.
- Failure of flow controls, leading to excess fuel for the available air.
The common element of all of these is unburned fuel mixed with air accumulating in a confined area finding an ignition source. Consider how this unfortunate state of affairs can happen in spite of systems designed to prevent the possibility.
For our example, I’ll begin with a basic single-burner boiler (figure 1). There are four main equipment areas:
- The flame-monitoring system ensures that when fuel is flowing, it is also burning. This applies to the pilot burner as well as the main burner.
- The purge-air system pushes combustion air into the system while the main burner is lit. Also, it clears accumulated fuel out of the furnace if there is an unsuccessful light-off or flame-out.
- The steam drum system monitors water levels in the boiler. A boiler without adequate feedwater can be just as dangerous as a malfunctioning BMS.
- The fuel trip system allows fuel flow to the pilot and main burner. If something is wrong with the combustion, it should shut off all fuel flow.
These instruments are supervised by a logic solver capable of monitoring all the equipment and programmed to act appropriately if there is a problem.
A light-off follows a series of steps:
- The firebox is purged to make sure there is no accumulated fuel.
- Fuel to the pilot burner turns on.
- An igniter lights the pilot flame.
- The flame-monitoring system verifies a stable pilot flame.
- When the pilot flame is stable, fuel and air flow to the main burner commence.
- When the main burner ignites, the flame-monitoring system verifies the main flame is present.
Once this has happened and normal flow to the boiler is verified, the combustion control system manipulates the air/fuel ratio to maintain proper performance. It also optimizes combustion and controls firing rate for however long the fired equipment needs to run.
What Goes Wrong with Industrial Combustion Systems
It is a simple process, right? Normally such is the case, but many things can go wrong. It is the job of the BMS to make sure problems do not escalate. When a hazard is detected, the logic solver is programmed to remove fuel and inhibit subsequent steps. Here are some examples.
- Excess Combustibles in the Firebox. Did it purge properly after a previous lighting attempt? Is the fuel valve not shutting off completely or simply left partially open?
- Premature Light-Off. Is there an overly rich mixture due to too much fuel or too little air? Is the boiler water level correct?
- Pilot Failure. Why didn’t it light? Igniter failure, pilot fuel-valve failure, plugged pilot nozzle, contaminated gas, improper fuel/air ratio or something else?
- Main Burner Failure. The pilot lit properly but not the main burner. Why? Plugged burner nozzle, fuel gas contamination, improper fuel/air ratio or something else?
- Loss of Flame During Normal Operation. Everything started up normally, but the burner went out. Why? High fuel pressure blew out flame, low fuel pressure starved supply, combustion air blower or damper failure, fuel gas contaminated with inert material, loss of instrument air or something else?
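The light-off sequence and the trip cases above can be modelled as a small logic-solver state machine. The following is an added illustration, not code from any BMS vendor, NFPA or ISA document; the state names, the `PURGE_SCANS` value and the four input signals are assumptions chosen for the example, and a real system would also carry trial-for-ignition timers and valve proof-of-closure checks that are omitted here.

```python
PURGE, PILOT_TRIAL, MAIN_TRIAL, RUN, LOCKOUT = "purge", "pilot_trial", "main_trial", "run", "lockout"
PURGE_SCANS = 5  # scans of proven purge airflow required before any fuel is admitted (assumed value)


class BurnerManagement:
    def __init__(self):
        self.state, self.purge_count, self.log = PURGE, 0, []
        self.fuel_pilot = self.fuel_main = False  # commands to the safety shutoff valves

    def trip(self, reason):
        """Remove all fuel and inhibit further steps until a manual reset and a fresh purge."""
        self.fuel_pilot = self.fuel_main = False
        self.state = LOCKOUT
        self.log.append(f"TRIP: {reason}")
        return self.state

    def reset(self):
        """Manual reset after a trip: the sequence restarts at purge, never at ignition."""
        self.state, self.purge_count = PURGE, 0

    def scan(self, purge_air_ok, drum_level_ok, pilot_flame, main_flame):
        """One scan of the logic solver over inputs from the four equipment areas."""
        if self.state == LOCKOUT:
            return LOCKOUT  # only reset() leaves lockout
        if not drum_level_ok:  # steam drum permissive applies in every state
            return self.trip("low drum level")
        if self.state == PURGE:  # step 1: prove airflow for the whole purge period
            if not purge_air_ok:
                return self.trip("purge airflow lost")
            self.purge_count += 1
            if self.purge_count >= PURGE_SCANS:
                self.fuel_pilot, self.state = True, PILOT_TRIAL  # step 2: pilot fuel on, igniter fires
        elif self.state == PILOT_TRIAL:  # step 4: flame scanner must prove the pilot
            if not pilot_flame:
                return self.trip("pilot failed to prove")
            self.fuel_main, self.state = True, MAIN_TRIAL  # step 5: main fuel and air on
        elif self.state == MAIN_TRIAL:  # step 6: main flame must prove
            if not main_flame:
                return self.trip("main flame failed to prove")
            self.state = RUN  # firing rate now belongs to the BPCS; the flame watch continues
        elif self.state == RUN and not main_flame:
            return self.trip("loss of flame during normal operation")
        return self.state


def run_sequence(scans):
    """Drive a fresh BMS through a list of (purge_air_ok, drum_level_ok, pilot_flame, main_flame) scans."""
    bms = BurnerManagement()
    for inputs in scans:
        bms.scan(*inputs)
    return bms.state, bms.fuel_main, bms.log
```

Feeding `run_sequence` a constructed scan list with a good purge, a proven pilot and a proven main flame ends in `RUN`; one further scan with the main flame absent ends in `LOCKOUT` with all fuel removed, and a reset returns the sequence to purge rather than to ignition.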
The components set up to control all those elements are subject to regulations, and they are the topics of frequent violations.
How Industrial Process Heating Equipment Users Get in Trouble
There are many ways for users to violate standards if they are not fully aware of all the requirements for a given situation. Here are six common examples.
Using “Listed” Equipment. Sensible users know a safety shutoff valve for a gas line cannot come from a local hardware store. It has to be properly designed for industrial applications and often is certified by a recognized testing organization like UL. An additional complication when trying to comply with NFPA standards is the requirement to use “listed” equipment. NFPA 86, Section 3.2.4 defines listed as, “Equipment, materials or services included in a list published by an organization that is acceptable to the AHJ.”
The problem is an AHJ in a given situation may not have a list. And even when the AHJ does have a list, there is often a limited amount of equipment on said list. For example, there are very few, if any, listed logic solvers. This leaves most users to determine on their own what equipment is appropriate for their situation.
External PLC Interlocks. NFPA 86 section 8.4.5 says, “Safety PLCs shall not implement the following: (1) Manual emergency switches; (2) Continuous vapor concentration high-limit controllers; (3) Combustion safeguards; (4) Excess temperature limit interlocks.”
This is one situation where there is a significant disconnect between NFPA and ISA-S84 (figure 2). NFPA does not allow the BMS to depend on the safety PLC to close ESD valves in the event of a trip in one of the four safety functions just mentioned. While each of those four functions sends a trip to the safety PLC, there must also be a hard-wired contact for all four functions in series between the PLC and ESD valve. So, if an operator hits an E-Stop, the ESD valves all close whether the PLC tells them to or not.
ISA-S84 allows the PLC to perform the shutdown function without needing four extra relays wired to each ESD valve. If you follow ISA-S84, you will likely flunk an inspection based on NFPA regulations. Is the NFPA approach better? It places less dependence on the safety PLC, so if you believe it to be the weak link in the chain, then yes, it is safer. At the same time, the safety PLC is required by NFPA to be SIL2-rated, so it is a pretty strong link. Adding four more devices able to interrupt the process with false trips introduces a greater potential for spurious shutdowns with their corresponding issues.
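The two architectures can be compared with a small Boolean model, added here as an illustration (it is not code from NFPA, ISA or any PLC vendor). The model assumes de-energize-to-close ESD valves, treats the four NFPA 86 functions as constructed signal names, and uses an independent-failure formula for spurious trips with assumed per-element probabilities.

```python
# The four functions NFPA 86 section 8.4.5 keeps out of the safety PLC (names constructed for the model).
HARDWIRED = ("manual_estop", "vapor_high_limit", "combustion_safeguard", "excess_temperature")


def plc_output(inputs, plc_stuck_on=False):
    """Safety PLC command to the valve solenoid: energize (open) only if every input is healthy.
    plc_stuck_on models a failed PLC whose output keeps commanding the valve open."""
    if plc_stuck_on:
        return True
    return all(inputs[name] for name in HARDWIRED)


def valve_open_isa(inputs, plc_stuck_on=False):
    """ISA-S84 style: the PLC alone decides; each function is just another PLC input."""
    return plc_output(inputs, plc_stuck_on)


def valve_open_nfpa(inputs, plc_stuck_on=False):
    """NFPA 86 style: PLC output AND four hard-wired contacts in series feeding the valve solenoid."""
    series_contacts_closed = all(inputs[name] for name in HARDWIRED)
    return plc_output(inputs, plc_stuck_on) and series_contacts_closed


def spurious_trip_probability(p_plc, p_contact, n_contacts):
    """Probability that at least one element in the valve circuit falsely de-energizes it in an
    interval, given independent spurious-trip probabilities p_plc for the PLC and p_contact per contact."""
    return 1 - (1 - p_plc) * (1 - p_contact) ** n_contacts
```

With a stuck-on PLC and an E-Stop pressed, the ISA-only circuit keeps the valve open while the NFPA series circuit closes it; the same series contacts raise the spurious-trip probability, which is the trade-off the text describes.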
Excess Temperature Interlock. NFPA 86 section 8.18.2 says, “(1) An excess temperature limit interlock shall be installed and interlocked into the safety circuitry. (2) Class B, Class C or Class D furnaces shall not be required to have an excess temperature where it can be determined that the maximum temperature limit specified by the furnace manufacturer cannot be exceeded.”
Here’s one area where NFPA is making a good suggestion. Many older installations do not have this interlock installed (figure 3). It is a good idea to retrofit it into these systems.
Location of the Low-Fuel Pressure-Level Switch. NFPA standards recommend placing the low-gas pressure-level switch immediately after the pressure regulator for the main burner supply. This location puts it upstream from the main gas safety-shutoff valves (at least two of them), the gas control valve, high-fuel pressure-level switch and manual shutoff valve. There might even be more devices in the line.
The problem is many of those devices can cause a loss of pressure, but they are past the device capable of sensing it. It is better to move the low-fuel pressure-level switch past all the other devices so it is as close to the burner as possible. This might call for some change to your operational logic during startup, but it is safer.
Location of the High-Fuel Pressure-Level Switch. NFPA 86 section 8.9 says, “A high-fuel pressure switch shall be provided and shall meet the following criteria: (1) It shall be interlocked into the combustion safety circuitry. (2) It shall be located downstream of the final pressure reducing regulator.”
Again, this is a good suggestion. Many older installations do not have this interlock installed, which is cause for failing an inspection. Like the low-fuel pressure-level switch, it should be installed close to the burner. Its position is not as critical, though, because a valve can only hold pressure steady or reduce it; it cannot make pressure increase.
Independent Logic Solvers. NFPA 85 section 220.127.116.11 requires, “The logic system shall be limited to one boiler or HRSG (heat recovery steam generator).” In other words, each boiler must have its own logic solver.
NFPA is the only organization still insisting on this requirement, reflecting a lower level of reliability characteristic of older units. Modern SIL-rated safety PLCs can handle multiple units, making this an unnecessary expense and level of complexity. Nonetheless, it can cause you to flunk an inspection if you cannot convince the inspector your safety PLC is better than what the standard calls for.
Ready for Industrial Safety Inspection
Conscientious plant operators recognize the role of industry standards in safe plant operation. The ultimate objective is to have a safe plant, and regulations based on good standards are a tool to implement the objective. Standards are supposed to clarify how things should work and not become a source of confusion. However, they can create impediments at times. Wise operating companies know where and how standards should be applied to the greatest advantage or intentionally violated to pursue a higher level of safety.