
Many modern process control systems are built with one or more independent protection layers (IPLs). The purpose of this two-part article series is to point out possible scenarios in which rationalized alarm IPLs — that is, highly managed alarms (HMAs) or safety alarms — are deemed appropriate for implementation by the authority having jurisdiction.

The first part of this series, which appeared in the December 2021 issue of Process Heating, discussed the IEC 61511 clauses on the subject as well as user standards such as Namur NE 165. In this second installment, I will illustrate the point with a case study based on a typical API 556 furnace application (Annex A TR84.00.05).


Control and Safety in a Single Box for Safety Alarms

If you recall, in the first article in this series, I discussed the conditions that denote an independent protection layer (IPL) alarm:

  • Must be a safety alarm as defined in IEC 62682, implying a highly managed alarm (HMA).
  • Must have instrumentation with safety performance better than SIL 1.
  • Must be rationalized and deemed acceptable for the authority having jurisdiction (AHJ).

Let’s now consider an example where all three conditions are met: a high pressure scenario that the process hazard analysis (PHA) team has determined occurs less than once per year and that could cause a loss of flame, resulting in a deflagration at the base of the stalk (or in the heat radiation zone) with possible injuries, although no fatalities are expected. The layer of protection analysis (LOPA) team determines that the risk must be reduced by a total of four orders of magnitude (10,000 times) and recognizes the basic process control system (BPCS) as capable of reducing risk by one order of magnitude, since it is not the source of the hazard. The cause of the high pressure scenario is variable gas composition; the furnace in this scenario burns process gases. (Experts refer to this as “flogging,” a word derived from “flooding” and “bugging.”)

In this scenario, if a mix of gases with less calorific power suddenly reaches the burners, the temperature of the process decreases, and the firing controls increase the flow of gas. This could increase the pressure in the burners to the point where the flame is lost. In those circumstances, an air-gas cloud is formed and, if an ignition source is found — generally in the zone ranging from neighboring burners to the base of the stalk — a deflagration (or subsonic explosion) could compromise the furnace integrity and the safety of any operators in the furnace area.

This was not such a problem in the 1970s, when the release of carbon monoxide (CO) was the main concern and fuel prices were relatively low. In those days, operating with excess air was an acceptable way of making the furnace stable, favoring CO2 formation. But with the realization that NOX is not only a greenhouse gas (like CO) but more poisonous, and with the increases in the price of fuel, which make operators reluctant to waste energy heating up nitrogen, these furnaces have evolved to allow operation with as low a free oxygen content as possible.

The authorities usually allow 3 percent free O2. This yields approximately 0.03632 pounds per million BTU of NOX for natural gas (30 ppm), which is deemed acceptable (figure 1).


FIGURE 1. The authorities usually allow 3 percent free O2. This yields approximately 0.03632 pounds per million BTU of NOX for natural gas (30 ppm), which is deemed acceptable.


A possible solution to this problem would be to implement a SIL 3 burner management system (BMS). Yet, the idea is quickly rejected because it would mean the heater would suffer a false trip every six months due to the double block valves (611 and 614). This would eventually destroy the refractory in the furnace. (Note: Two SIL 2 valves with SC SIL 3 in the 1oo2 configuration — where the hardware fault tolerance is equal to one — would trip often.)

Instead, the AHJ favors the intervention of the operator, who would be alarmed (flogging alarms) before the pressure is too high for the burners. This would be an IPL alarm, and credit of one order of magnitude would be allowed in such a design.

The AHJ determines that there is plenty of time from the moment the alarm sounds until burners flame out due to high pressure. Yet, the team cannot guarantee a human performance better than two failures in 100 opportunities, with a worst-case scenario of eight failures to control the surge in 100 occurrences. Therefore, a minimum performance of 1 in 100 should be required from the sensor (SIL 2), and a SIL 2 or better performance from the logic solver or alarm annunciator.

With respect to the sensors, there are plenty of SIL 2 certified sensors with SIL 2 systematic capability in a single architecture on the market. However, the logic solver must be certified SIL 2 as a minimum, and the alarming must be interference-free from any failure in the hardware, firmware or software used in the same controller for regulatory control. Finally, the AHJ wants the same alarm IPL human-machine interface for operator visualization. (This is highly recommended in this case.) Figure 2 shows an option for a possible solution as approved by the AHJ. Fortunately, a few manufacturers produce safety controllers that are interference-free from regulatory control running in the same system.


FIGURE 2. An option for a possible solution for the high pressure scenario, as approved by the AHJ, is shown.


These controllers are regularly used for single-burner fired equipment like boilers because NFPA 85, Boiler and Combustion Systems Hazards Code, 2019 edition, states:

“A single safety-rated programmable logic system shall be permitted to be used to implement both burner management system safety and process logic where both of the following conditions are met: (a) The processor and input/output (I/O) modules are approved or certified by a notified body according to IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, to be at least SIL 3 capable; and (b) The burner management system logic is isolated from other logic and boiler controls and the related data of the burner management system program, including I/O data, are protected from being unintentionally affected by data of other user programs.”

With such precedent, we could now generate a “safety-highly managed” alarm when the temperature in the radiation zone decreases. (Notice that product temperature does not indicate changes fast enough.) A certified SIL 2 bridge temperature sensor must be added to detect radiation zone decreases in temperature despite increases in gas-flow rate. Therefore, the flow sensor should be SIL 2 rated as well.

Once the safety alarm is tripped — decreasing radiation zone temperature while increasing flow, also known as the flogging condition — the operator should perform one or both operations below:

  • Notify field operators to slowly close or restrain the main gas supply in the field.
  • Place the valve in manual operation and restrain the flow rate manually from the control valve until the furnace regains stability.

For this to be possible, the basic process control system component that alarms the operator must be managed according to IEC 61511. In addition, it must be independent of the control portion of the BPCS (figure 3). Alternatively, as stated in Namur NE 165, the BPCS-C must be independent of the BPCS-P, which would be generating the safety alarm.


FIGURE 3. If the valve is placed in manual operation, and the flow rate is restrained manually from the control valve until the furnace regains stability, the basic process control system component that alarms the operator must be managed according to IEC 61511. In addition, it must be independent of the control portion of the BPCS, or, as per Namur NE 165, the BPCS-C must be independent of the BPCS-P, which would be generating the safety alarm.


The BPCS function is configured in the original piping and instrumentation diagram (P&ID) with a flow transmitter, a firing control algorithm and a modulating valve. All of these instruments are connected to standard I/O modules. The BMS is configured with one SIL 2 certified pressure transmitter and two standard shut-off valves (SIL 1), which by the IEC 61508 synthesis principle would reach SIL 2 in a one-out-of-two (1oo2) redundant architecture. All are wired to a separate SIL 3 capable controller and I/O modules.
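As an added worked example (not from the article or from any vendor), the following script carries through the LOPA arithmetic used twice above: the series chain sensor, logic solver and operator that must reach a PFD of 0.1 for the alarm IPL to earn one order of magnitude, and the 1oo2 synthesis of two SIL 1 valves. The per-element PFD values, the mid-band valve PFD of 0.05 and the beta factors are assumptions, and the beta-factor term is a simplified common-cause model that the article does not discuss.

```python
from fractions import Fraction


def one_in(n: int) -> Fraction:
    """Express 'one failure in n demands' exactly, avoiding float boundary artefacts."""
    return Fraction(1, n)


def sil_band(pfd: Fraction) -> int:
    """IEC 61511 low-demand bands: SIL n means 10^-(n+1) <= PFDavg < 10^-n.
    Returns 0 when the PFDavg is too poor even for SIL 1."""
    for sil in (3, 2, 1):
        if one_in(10 ** (sil + 1)) <= pfd < one_in(10 ** sil):
            return sil
    return 0


def credit_orders(pfd: Fraction) -> int:
    """Orders of magnitude of risk reduction a LOPA team may claim (PFD <= 10^-k)."""
    if pfd <= 0:
        raise ValueError("a real layer never has zero probability of failure")
    orders = 0
    while pfd <= one_in(10 ** (orders + 1)):
        orders += 1
    return orders


def alarm_ipl_pfd(sensor: Fraction, logic_solver: Fraction, operator: Fraction) -> Fraction:
    """The alarm IPL is a series chain (sensor -> logic solver/annunciator -> operator):
    it fails on demand if any link fails, so the PFDs add (small-probability approximation)."""
    return sensor + logic_solver + operator


def pfd_1oo2(channel_a: Fraction, channel_b: Fraction, beta: Fraction = Fraction(0)) -> Fraction:
    """Simplified 1oo2 synthesis: both channels must fail (product), plus an assumed
    beta-factor common-cause term; beta = 0 reproduces the idealised product alone."""
    return channel_a * channel_b + beta * max(channel_a, channel_b)


if __name__ == "__main__":
    # Assumed figures following the article's reasoning: sensor and logic solver at
    # the required 1 in 100, operator at the worst-case 8 failures in 100 demands.
    worst = alarm_ipl_pfd(one_in(100), one_in(100), one_in(100) * 8)
    print(f"SIL 2 sensor: alarm IPL PFD = {worst} -> credit {credit_orders(worst)} order(s)")
    # Same chain with a SIL 1 sensor (1 in 10): the one-order credit is lost.
    weak = alarm_ipl_pfd(one_in(10), one_in(100), one_in(100) * 8)
    print(f"SIL 1 sensor: alarm IPL PFD = {weak} -> credit {credit_orders(weak)} order(s)")
    # Two SIL 1 shut-off valves (assumed mid-band PFD of 1 in 20 each) in 1oo2,
    # with increasing assumed common-cause fractions.
    for beta in (Fraction(0), one_in(20), one_in(5)):
        combined = pfd_1oo2(one_in(20), one_in(20), beta)
        print(f"1oo2 valves, beta={beta}: PFD = {combined} -> SIL {sil_band(combined)}")
```

The last loop shows why the synthesis principle is only as good as the common-cause analysis behind it: at a 20 percent beta the pair drops back into the SIL 1 band.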

This brings us to a second option: having a secondary BMS interlock associated with the BPCS as a BPCS-P. In this case, the flogging alarm would not be an IPL but a RAGAGEP (recognized and generally accepted good engineering practice) approach. Although the operator will use the gas pressure as an indication for manual trimming, it will only be used secondarily in any algorithm limiting the flow from the valve. Then, by using a SIL 2 safety positioner and a SIL 2 capable valve, the air in the positioner could be evacuated, closing the valve when dangerously high pressure is reached (figure 4).


FIGURE 4. By using a SIL 2 safety positioner and a SIL 2 capable valve, the air in the positioner could be evacuated, closing the valve when dangerously high pressure is reached.


This would be a redundant-to-the-BMS safety function. The elegance and practicality would depend on the procedures followed by the operator. For example, the minimum fire startup bypass VPC should be isolated once the heater has started. To my knowledge, the performance of such pressure regulators is not certified. Yet, the regulator could compromise the performance of the interlock.

Figure 5 shows the concept of this option. This BMS function, being SIL 2, performs with reasonable reliability, and spurious trips will be manageable. Yet, the total risk reduction will be four orders of magnitude, as the BPCS-P can take two orders of magnitude of risk reduction. Because the BMS and the interlock use diverse technologies, spurious trips could be managed. The DCS will control what NE 165 defines as BPCS-C (regulatory control) and BPCS-P. The BMS will provide a complete, dedicated interlock with a risk reduction factor (RRF) of 100.


FIGURE 5. The BMS function, being SIL 2, performs with reasonable reliability and spurious trips will be manageable. Yet, the total risk reduction will be four orders of magnitude because the BPCS-P can take two orders of magnitude risk reduction.


It should be noted that in this second solution, the operator is given the chance to manipulate the control valve to avoid shutdown and maintain stability during this low quality gas period. If the operator fails to do so, and a high pressure hazard develops as a result, the safety-rated digital output in the BPCS — in this case, a BPCS-P as per Namur NE 165 — de-energizes the piezoelectric air valve in the positioner, exhausting all instrument air and closing the control valve. In other words, the furnace is taken to a safe state.


Control Alternatives

Reports that the action of the BMS tripping the system has never produced any deflagration seem to suggest a couple of things.

First, for the flogging mixture to become inflammable and deflagrate, two things are needed:

  • Time, for the gas to become mixed within the flammable range.
  • A source of ignition, or a hot enough point.

The mechanisms by which this mixing is achieved inside the hearth or firebox are complex. Hot gas rises much faster than hot air. Reports on gas sinking down the cooler furnace walls, and lit burners producing flogging — together with the speed at which furnaces cool down — add complexity to the modeling.

Second, other models developed suggest that the flogging mix is formed at the burner level. It rises, and it is ignited by neighboring burners. This is because, by then, the cloud is rather a column, and the reaction is completed at the base of the stalk like a long fuse.

If any of the above is true, the best way to address this occurrence would be to automate each burner. Such automation would consist of one individual valve per burner and per pilot (unless the pilot has other protections in its design, such as using premixed clean gas). The flame sensor would interlock such isolating valves, giving the operator — reacting to an alarm — the opportunity to maintain the running furnace while avoiding flogging or a complete shutdown. Of course, this assumes that all clean burners are more resistant to excess pressure than dirty burners.

Figure 6 shows a complete automated furnace with individual flame detectors. One encouraging observation is that no complaint of flogging has been reported in furnaces automated this way to the best of our knowledge.


FIGURE 6. A complete automated furnace with individual flame detectors is shown.


In conclusion, I have discussed the performance optimization of SIF in an application for an API 556 furnace in some detail, but it is obvious that other applications like tanks, reactors and fractionators could benefit from these same principles if the authority having jurisdiction deems it appropriate.

If optimizing performance in a SIF is required, implementing a rationalized IPL alarm is one way to do it when credit is deemed acceptable for any specific hazard. Obviously, as in the case of this furnace, it is not the only solution, but it is an alternative.

In this study, using safety alarms as highly managed alarms in the same DCS — with safety available hardware, firmware and software, implemented with properly certified equipment — demonstrates one efficient method to do so. Obviously, there are alternatives such as designing interlocks that could perform adequately when implemented with the proper performing instrumentation. We have discussed how this could be done in this study. Finally, it comes to the acceptance of the authority having jurisdiction which methodology or solution is adopted. This will greatly depend on the hazards being addressed.

One thing is clear: For the process industries, all standards seem to agree that more than one IPL could be claimed in a basic process control system such as indicated in section 9.3 of IEC 61511 and Namur NE 165.