Identifying Safety Instrumented Functions in Burner Management Systems
ISA provides helpful guidance as Technical Report TR 84.00.05 is under review.
Industrial fired heaters are among the oldest and most common industrial process devices. Nearly every manufacturing process involves heat exchange in some way, and fired heaters are one way to supply that energy. Industrial applications of fuel-fired heating equipment include steam boilers, heating of temperature-sensitive fluids, process air heating, gas turbines, furnaces and incinerators. (Similar systems are used for commercial cooking, commercial hot-water boilers and commercial fire-tube boilers, among others.) All sorts of industries, from food and beverage to refineries in the petrochemical sector, use fired heaters. What is more, hundreds (if not thousands) of different fired-heater designs populate the industrial world.
When it comes to the burners used in industrial heaters, the variation is even greater. Burners are designed according to:
- The fuel and the stoichiometry of its combustion (liquid fuels, gases, LPG, etc.).
- The way energy is transferred (direct, indirect, etc.).
- The energy provided (BTU/hr).
- Operating temperatures.
- Firing arrangement (pilot, etc.).
- Draft (natural, forced, induced).
- Nitrogen oxide emissions (conventional, low, ultra-low).
In some processes, other considerations specific to the application may come into play.
In general, heater manufacturers define the type of burner needed in their design. Designers work with the burner manufacturers on the type to use (direct-fired, regenerative, radiant tube, high thermal release, self-recuperative, low-temperature regeneration, etc.). There are thousands of different designs, and the definition of each of the terms governing type and use is at the burner manufacturer's or designer's discretion.
The safe operation of these burners is “mostly” supervised by a burner-management system, or BMS. These systems also are known as burner safety systems, burner control systems, combustion safeguards, flame-safeguard systems, safety shutdown systems, furnace safeguard systems and boiler safety systems.
I say "mostly" because in special circumstances a safe condition is not reached immediately by a safety interlock; instead it requires a specific manual action by a skilled operator. One example is a high-pressure scenario in certain multiple-burner furnaces: shutting the fuel valves while a source of ignition is still present could lead to an explosion.
Specifications of a Burner-Management System
All technical specifications for any device answer two basic questions:
- What does the device have to do?
- How well must the device perform?
Traditionally, prescriptive standards govern the design of BMS for the industrial sector, and they successfully provide guidance on how to design them. As technology and the understanding of how systems perform have changed, however, the industry has still suffered several incidents.
Prescriptive standards are maintenance-intensive because technology keeps changing. (If anything can be assumed constant, it is continuous technology evolution.) These prescriptive standards have nevertheless been paramount in spelling out "what does the BMS have to do" with remarkable precision.
FIGURE 1. When applications demand a single gas burner, which needs a tight seal, double block-and-bleed arrangement of valves might be recommended.
There are, in fact, several prescriptive standards, each developed around the application of the heater for which the BMS was built. This is a convenient way to approach the design of such devices because engineers simply follow the prescriptive standard the application demands. Furthermore, because these standards are referenced by legislation, the user must follow the appropriate recipe to ensure compliance with the adopted codes and regulations.
For example, according to AE Solutions (www.aesolns.com), if the application was a steam boiler for use in the petrochemical industry, the designer would follow American Petroleum Institute (API) Standard 538. If the steam boiler was not for the petrochemical industry, the designer would follow National Fire Protection Association (NFPA) Standard 85 when the fuel input is 12.5 million BTU/hr or more, and American Society of Mechanical Engineers (ASME) Standard CSD-1 for boilers below that input.
Likewise, if the application was a heat recovery steam generator (HRSG) in a petrochemical application, designers would follow API 534. Outside the petrochemical environment, however, NFPA 85 would be the standard to follow.
For fluid heaters, API 556 applies in the petrochemical sector, and in any other sector engineers would follow NFPA 87. For reformers, the applicable standards are Compressed Gas Association (CGA) standards H-10 and H-11, NFPA 86 and/or API 561 (now in pre-ballot phase). For sulfur-recovery units, API 565 (now being edited) would be the prescriptive standard to follow, and for dryers, vaporizers, incinerators and thermal oxidizers, users would follow NFPA 86.
As explained, these standards do a great job of addressing the hazards and the safeguards that need to be put in place. Being specific and application-oriented, they determine how such safeguards should act to protect the process. For example, in some applications (and in one standard) loss of flame should immediately trigger the closing of both valves feeding a gas burner, while in another application low fuel pressure is the trigger for both valves to close, because by the time flame is lost the chain of events is already too far along toward an undesirable outcome (figure 1).
Burner-Management System Performance
None of these prescriptive standards evaluates the risk associated with the hazard. A deflagration in an open field, caused by loss of flame on a low-quality steam-lift boiler at an isolated oil well, is not the same as a deflagration of a similarly sized service boiler in the middle of a refinery. In the refinery, the surrounding obstacles would turn the expanding wave into a detonation, increasing the death toll in the affected zone. In the second case the fatal accident rate is much higher because far more damage is done.
In both cases, the application designers might have concluded that because the applications demanded a single gas burner, which needed a tight seal, a double block-and-bleed arrangement of valves might be recommended (figure 1). Yet, no requirements for function performance were specified. Designers followed and complied with regulatory standards, but they did not assess risk.
The required degree of performance of the group (two block valves and a bleed valve) is not the same for the isolated boiler as for the refinery boiler. The questions that need to be answered are:
- Is it acceptable for the isolated steam-lift boiler's valve arrangement to fail once in 10 demands?
- Should the refinery boiler BMS be allowed to fail once in 100 demands, or once in 1,000?
- How can the designer determine this?
This is where ANSI/ISA 61511-2018 provides guidance. It is intended to determine performance requirements for safety instrumented functions (SIFs), including those in burner management systems (BMS), and to provide guidance on how to maintain that performance while the system is in service. After all, a BMS (itself a SIF, or a set of SIFs) is an interconnected arrangement of instruments whose performance varies over their useful life.
In both cases, questions such as "What would be the consequences of the BMS failing to close the gas valves when the flame is lost?" should be addressed. Answering such questions is the way to estimate the performance requirements of this special SIF and all its components.
The problem is how to measure the performance of something that is "apparently" not doing anything. Both block valves in the BMS are energized continuously, and therefore fully open, while the boiler runs steadily at its intended set point. The gas valves should de-energize and close on any deviation from normal operation. The problem is how to determine whether this will actually happen, and how to ensure that the valves will not stick open, failing to prevent an accumulation of gas that leads to an explosion.
ANSI/ISA 61511-2018 classifies the performance of a SIF and its components by the average probability of failing to perform the protective function when demanded (probability of failure on demand, PFDavg). That performance is expressed as a Safety Integrity Level (SIL).
Figure 2 explains the concept. As time passes, the probability of a component failing on demand increases; for example, the chance of a valve sticking open grows with time. Once the valve is inspected and any required repairs are made, the probability of failure drops back to its original value (or near it), and the cycle repeats until the next inspection. If instead of one valve we place two redundant valves in series, both must stick for the function to fail. Multiplying the probabilities shows that this arrangement is safer, because both valves now have to fail open for the whole function to fail (a common cause that affects both valves at once, such as contaminated fuel gas fouling both seats or the same maintenance error on both, weakens that benefit and has to be included in the calculation). This is one leg of figure 2's three-leg stool. It represents the performance, or SIL, of a function or of a component of a function; i.e., the random-failure calculation.
The second leg of the stool is the minimum hardware fault tolerance (HFT) required to obtain a level of performance or SIL. Hardware fault tolerance is the number of failures that a redundant arrangement of components could tolerate before its functionality might be compromised.
In this case, the BMS has two valves in series. One valve stuck open can be tolerated because a second, fully functioning valve can still perform the protective function. Thus the BMS has an HFT of 1, which allows it to reach up to SIL 3 (ANSI/ISA 61511-1, table 6, in any mode of operation). The table is a safety net over the calculations, which rest on statistical failure data.
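As an added worked example (not from the article or from ISA), the following Python puts numbers on the first two legs of the stool for the fuel-valve trip function: PFDavg for a single block valve (1oo1) and for the two valves in series (1oo2), using the simplified low-demand formulas of IEC 61508-6 with an assumed dangerous undetected failure rate, proof-test interval and common-cause factor beta, mapped to the SIL bands of ANSI/ISA 61511-1 and then capped by the HFT limits of its table 6. Every numeric value in it is an assumption chosen for illustration, not data for any real valve.

```python
"""Random-failure (PFDavg) and HFT check for a BMS fuel-valve trip function.

Added example using the simplified low-demand formulas of IEC 61508-6
(no diagnostics, zero repair time, perfect proof test):
    1oo1:  PFDavg ~= lambda_DU * TI / 2
    1oo2:  PFDavg ~= ((1 - beta) * lambda_DU * TI)**2 / 3 + beta * lambda_DU * TI / 2
lambda_DU = dangerous undetected failure rate (per hour), TI = proof-test
interval (hours), beta = fraction of failures that hit both valves together.
The numbers at the bottom are assumed, not measured on any real valve.
"""

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands for PFDavg (ANSI/ISA 61511-1): (SIL, lower, upper)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def pfd_1oo1(lambda_du: float, ti_years: float) -> float:
    """Single valve: the failure probability grows linearly between proof
    tests (the sawtooth of Figure 2) and averages half its end-of-interval value."""
    return lambda_du * ti_years * HOURS_PER_YEAR / 2.0


def pfd_1oo2(lambda_du: float, ti_years: float, beta: float) -> float:
    """Two valves in series: both must stick open. Independent failures
    multiply; the common-cause share (beta) behaves like a single valve."""
    ti = ti_years * HOURS_PER_YEAR
    independent = ((1.0 - beta) * lambda_du * ti) ** 2 / 3.0
    common_cause = beta * lambda_du * ti / 2.0
    return independent + common_cause


def sil_from_pfd(pfd: float) -> int:
    """Map PFDavg to its SIL band; 0 means worse than SIL 1."""
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return 0


def max_sil_for_hft(hft: int) -> int:
    """Minimum HFT per ANSI/ISA 61511-1 table 6: SIL 1 needs HFT 0,
    SIL 2 and SIL 3 need HFT 1, SIL 4 needs HFT 2."""
    if hft <= 0:
        return 1
    if hft == 1:
        return 3
    return 4


def achievable_sil(pfd: float, hft: int) -> int:
    """A function may claim the lower of what its PFD band and its HFT allow."""
    return min(sil_from_pfd(pfd), max_sil_for_hft(hft))


def risk_reduction_factor(pfd: float) -> float:
    return 1.0 / pfd


if __name__ == "__main__":
    LAMBDA_DU = 2.0e-6   # assumed: one dangerous undetected failure per ~57 years
    TI_YEARS = 1.0       # assumed annual proof test
    BETA = 0.05          # assumed common-cause fraction for two similar valves

    single = pfd_1oo1(LAMBDA_DU, TI_YEARS)
    double = pfd_1oo2(LAMBDA_DU, TI_YEARS, BETA)
    for label, pfd, hft in (("1oo1 single valve", single, 0),
                            ("1oo2 double block", double, 1)):
        print(f"{label}: PFDavg={pfd:.2e}  RRF={risk_reduction_factor(pfd):.0f}  "
              f"PFD band SIL {sil_from_pfd(pfd)}, HFT {hft} -> achievable SIL "
              f"{achievable_sil(pfd, hft)}")
```

With these assumed numbers the single valve lands in the SIL 2 band (PFDavg about 8.8e-3) but its HFT of 0 caps the claim at SIL 1; the double block comes out near 5.3e-4, SIL 3 by both legs, which is the case the paragraph above describes. Roughly 80% of that 5.3e-4 is the common-cause term, so for a double block the beta factor and the proof-test interval matter more than any further redundancy.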
The third leg of the stool corresponds to systematic faults. These are faults that can only be avoided by changing the design or the way it is engineered. Typical examples include selecting the wrong instrument for the environment, setting up the instrument incorrectly, improper installation, faulty programming, etc. The aim is to make the systematic failure rate low enough that the random-failure calculation is what governs the SIL. Note that the best way to avoid systematic faults with certified instrumentation is to follow its safety manual.
Finally, there is a chain around the stool signifying the security requirements of the function; these are now an active part of ANSI/ISA 61511. SILs are defined in discrete levels of PFDavg for low-demand mode (figure 2):
- SIL 1 means that, on average, the function may fail on no more than one demand in 10 (PFDavg below 0.1). In other words, it reduces risk at least 10 times, or one order of magnitude.
- SIL 2 means that, on average, the function may fail on no more than one demand in 100 (PFDavg below 0.01). In other words, it reduces risk at least 100 times, or two orders of magnitude.
- SIL 3 means that, on average, the function may fail on no more than one demand in 1,000 (PFDavg below 0.001). In other words, it reduces risk at least 1,000 times, or three orders of magnitude.
- SIL 4 means that, on average, the function may fail on no more than one demand in 10,000 (PFDavg below 0.0001). In other words, it reduces risk at least 10,000 times, or four orders of magnitude.
A security assessment is now required in each phase of the safety lifecycle of a SIF; ANSI/ISA 61511-1 (clause 8.2.4) calls for a security risk assessment of the SIS to identify its vulnerabilities. In practice this covers the logic solver, its engineering and maintenance interfaces, and any connection to the basic process control system, because a trip setpoint or bypass changed through those paths defeats the function as surely as a stuck valve.
An Evolving Standard: TR 84.00.05
Shortly after IEC 61511:2003 (Edition 1.0) was adopted as ANSI/ISA 84.00.01-2004 by ISA Standards Panel 84, it was determined that more work was needed. It was appropriate to give users supplemental information on applying hazard and risk analysis to BMS, so designers could determine the performance requirements of a BMS from the application's characteristics and a risk analysis.
As a result, the working group ISA-TR84.00.05 was created with the idea of providing users of ANSI/ISA-84.00.01:2004 with guidance on how to identify safety functions within the BMS. The guidance would supplement standards such as NFPA 85, NFPA 86, API 556, ASME CSD-1 and API RP 14C.
Around five years later, the technical report was published as “The Application of ANSI/ISA 84.00.01 2004 Parts 1-3 to Safety Instrumented Functions (SIFs) in Burner Management Systems.” This document introduced the concept of a safety lifecycle (SLC) for the fired heaters community by discussing various aspects of BMS performance without claiming recognition of all possible hazards. (These are left to more prescriptive specialized standards such as those mentioned previously.)
The SLC avoids details falling through the cracks, making sure that there is a process in place for the system — from the cradle to the grave — with the goal of avoiding systematic faults. The SLC ensures that during the life of the BMS:
- All hazardous events resulting in unacceptable consequences, and the safety functions that would prevent such events, have been identified.
- The performance criteria of such safety functions (for example, risk reduction) have been calculated.
- The safety functions are designed and managed to achieve the performance criteria.
- All functional and integrity requirements are documented (specified).
- All SIFs in the BMS are verified to meet functional and integrity specifications.
- All operation and maintenance procedures to maintain functional performance are implemented and documented.
- An adequate procedure (to ensure functional performance) for management of change is implemented and documented.
FIGURE 2. ANSI/ISA 61511 (2018 edition) classifies the performance of a SIF and its components based on the average probability of a component failing to perform its protective function, or failing on demand. Such performance is expressed as a Safety Integrity Level (SIL). This figure explains the concept.
Further, TR 84.00.05 defines and briefly discusses SIL, SIL verification, operating modes, undesirable events and SIF. Subjects addressed include:
- Pre-firing cycle.
- Excess combustibles in the firing chamber.
- Fuel valves aligned improperly.
- Accumulation of flammable materials and failure to purge.
- Proceeding to the light-off cycle when the permissive is not satisfied.
- Flame detector indication of premature presence of flame.
- Low and high fuel gas pressure.
- Valves not in minimum firing position.
- Burner header fuel gas not holding pressure.
- Boilers steam drum level measurement failure.
- Excess combustibles in the firing chamber.
- Igniter flame not proven within a specified time.
- Main flame not proven within a specified time.
- Excess combustibles in the firing chamber.
- Low fuel oil pressure.
- Low atomizing steam or air/fuel oil differential pressure.
- Loss of airflow.
- Loss of flame unrelated to fuel gas pressure or airflow.
- Loss of instrument air or primary power.
- High or low pilot gas pressure.
- Loss of water in boiler steam drum.
- Low steam drum level.
- Excessive pressure in steam drum.
- Low pass flow.
- High firebox or stack temperature.
- High heater pressure.
- Loss of level in heat treater or glycol reboiler drum.
- High temperature in heat treater or glycol reboiler drum.
- Excessive pressure in oil heater.
- Fuel valve trips.
- Master fuel trip.
- Main fuel trip (minimum firing trip).
- Individual burner valve trips.
- Pilot fuel trip.
- Manual trip requirements.
- Hazard analysis tables (pre-firing cycle, light-off cycle and normal operation).
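Most of the items in the list above are permissives and trips. As an added example, not code from the technical report or from any vendor, here is a fail-safe model of a single gas burner's BMS with the double block-and-bleed train of figure 1 and the energize-to-run, de-energize-to-trip behaviour described earlier: a light-off permissive (purge complete, block valves proven closed, no flame before ignition), a trial-for-ignition timer, running trips for loss of flame, fuel gas pressure out of band, loss of airflow, low-low drum level and high firebox temperature, and a latching master fuel trip that needs a manual reset. The tag names, limits, timing and sequence are assumptions chosen for illustration.

```python
"""Fail-safe trip and permissive logic for a single gas burner BMS.

Added example with a double-block-and-bleed fuel train. All tag names,
limits and timings are assumptions for illustration, not from any standard.

Convention (de-energize-to-trip): an output is True while its coil is
energized. The block valves are open only while energized and the bleed
valve is closed only while energized, so loss of power, loss of a signal or
any trip drives the train to "both blocks closed, bleed open".
"""
from dataclasses import dataclass
from typing import Optional

# Assumed trip limits for the example.
FUEL_GAS_LOW_KPA, FUEL_GAS_HIGH_KPA = 20.0, 60.0
DRUM_LEVEL_LOWLOW_PCT = 20.0
FIREBOX_HIGH_C = 900.0
TRIAL_FOR_IGNITION_S = 10.0

REQUIRED_INPUTS = ("fuel_gas_kpa", "airflow_proven", "drum_level_pct",
                   "firebox_temp_c", "flame_proven",
                   "block_valves_proven_closed", "purge_complete")


@dataclass
class Outputs:
    block_valve_1: bool = False   # energized == open
    block_valve_2: bool = False   # energized == open
    bleed_valve: bool = False     # energized == closed; opens on trip
    trip_cause: Optional[str] = None


def running_trip_cause(inp: dict) -> Optional[str]:
    """First trip condition found, or None. A missing reading is itself a
    trip: a fail-safe system never substitutes a "good" value for no data."""
    for tag in REQUIRED_INPUTS:
        if inp.get(tag) is None:
            return f"input {tag} unavailable"
    if not FUEL_GAS_LOW_KPA <= inp["fuel_gas_kpa"] <= FUEL_GAS_HIGH_KPA:
        return "fuel gas pressure out of band"
    if not inp["airflow_proven"]:
        return "loss of combustion airflow"
    if inp["drum_level_pct"] < DRUM_LEVEL_LOWLOW_PCT:
        return "low-low steam drum level"
    if inp["firebox_temp_c"] > FIREBOX_HIGH_C:
        return "high firebox temperature"
    return None


class BurnerManagementSystem:
    """States: TRIPPED -> (manual reset) PREFIRE -> IGNITION -> RUNNING."""

    def __init__(self) -> None:
        self.state = "TRIPPED"          # power-up state: fuel isolated
        self.trip_cause: Optional[str] = "power-up"
        self.ignition_timer_s = 0.0

    def master_fuel_trip(self, cause: str) -> None:
        """Latching trip: held until an operator resets it (assumed here,
        and common practice for a master fuel trip)."""
        self.state, self.trip_cause = "TRIPPED", cause
        self.ignition_timer_s = 0.0

    def manual_reset(self) -> None:
        if self.state == "TRIPPED":
            self.state, self.trip_cause = "PREFIRE", None

    def step(self, inp: dict, dt_s: float = 1.0) -> Outputs:
        """One logic scan. Returns de-energized outputs unless the sequence
        currently permits fuel."""
        if self.state != "TRIPPED":
            cause = running_trip_cause(inp)
            if cause is not None:
                self.master_fuel_trip(cause)

        if self.state == "PREFIRE":
            # Light-off permissive: purge done, block valves proven closed,
            # and no flame detected before ignition has started.
            if (inp["purge_complete"] and inp["block_valves_proven_closed"]
                    and not inp["flame_proven"]):
                self.state = "IGNITION"
            elif inp["flame_proven"]:
                self.master_fuel_trip("flame detected before light-off")
        elif self.state == "IGNITION":
            if inp["flame_proven"]:
                self.state = "RUNNING"
            else:
                self.ignition_timer_s += dt_s
                if self.ignition_timer_s >= TRIAL_FOR_IGNITION_S:
                    self.master_fuel_trip("flame not proven within trial time")
        elif self.state == "RUNNING" and not inp["flame_proven"]:
            self.master_fuel_trip("loss of flame")

        fuel_permitted = self.state in ("IGNITION", "RUNNING")
        return Outputs(fuel_permitted, fuel_permitted, fuel_permitted,
                       self.trip_cause)
```

Two design points carry over to real logic solvers: the default of every scan is "fuel not permitted", so a missing or invalid input can only ever remove permission, never grant it; and the trip latches, so a transient return of good readings after a loss of flame does not reopen the valves without a deliberate operator action.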
In addition, the report presents the user with some application examples that, although it warns they should not be used “to the letter,” provide useful guidance. These are:
- An example of a hazard and risk analysis applied to a single burner boiler. This is related to NFPA 85: Boiler and Combustion Systems Hazards Code.
- An example of a hazard and risk analysis applied to a multi-burner process heater. This is related to API RP 556: Instrumentation and Controls for Fired Heaters and Steam Generators.
- An example of a hazard and risk analysis applied to a thermal oxidizer. This is related to NFPA 86: Standard for Ovens and Furnaces.
- An example of a hazard and risk analysis applied to an oil heater treater. This is related to API RP 14C: Recommended Practice for Analysis, Design, Installation and Testing of Basic Surface Safety Systems for Offshore Production Platforms, Fired and Exhaust Heated Components.
- An example of a hazard and risk analysis applied to a glycol reboiler. This is related to API RP 14C: Recommended Practice for Analysis, Design, Installation and Testing of Basic Surface Safety Systems for Offshore Production Platforms, Fired and Exhaust Heated Components.
- An example of a hazard and risk analysis and verification process. It is provided to help clarify how the overall concepts of the safety lifecycle can be applied to fired equipment.
IEC 61511:2016 (Edition 2.0) has been released, and the panel has adopted it as ANSI/ISA 61511-2018. Working Group 5, under the same leadership but with new members and liaison engineers from other organizations, is reviewing the technical report.
This revision is intended to include not only all changes to IEC 61511 but also new and more detailed examples. It will also include detailed glossaries of the terminology used by different industries and revisions of all relevant prescriptive standards.