Incorporating

performance and
prescriptive based
standards for BMS
Charles M. Fialkowski, CFSE
Standards
Siemens Industry Inc.
Certification
Education & Training
Publishing
Conferences & Exhibits
Introduction of Presenter

• Charles M. Fialkowski, C.F.S.E.

– National Process Safety Manager for
Siemens Industry Inc.
– Safety Systems Specialist for 15 years
– Member of the ISA’s technical committee
(SP84) for Safety Instrumented Systems
– ISA instructor for Safety Instrumented
Systems
– BMS course developer Exida.com
– PAS ISA Safety Division Chairman on Fire
and Gas and BMS systems
– ISA expo 2009 & 2010, Safety Theme Chair
– CFSE, Certified Functional Safety Expert
– CTM, Certified Toastmaster

2
Today‘s Agenda

• Defining a BMS
• Relevant Standards and
guidelines
• Prescriptive vs Performance
requirements
• Safety Lifecycle for SIS

3
 BMS Definition (Yesterday)

The Burner Management System is a system to

monitor/control the FUEL BURNING EQUIPMENT
during all start-up, shut-down, operating and transient
conditions.
PURPOSE
• To protect against start-up when unsafe conditions
exist.
• To protect against the unsafe operating conditions and
admission of improper quantities of fuel to the furnace.
• Provide the operator with status information
• Initiate a safe operating condition or shut-down
procedure if unsafe condition exists.

4
BMS Definition (Today)

The Burner Management System

is a control system dedicated
to COMBUSTION SAFETY
AND OPERATOR
ASSISTANCE in the starting
and stopping of fuel
preparation and burning
equipment and to prevent
misoperation.

5
Relevant BMS Prescriptive Standards

• NFPA 85 – Boiler and

Combustion Systems
Hazards and Code
• 2007 Edition
• NFPA 86 – Standard
for Ovens and
Furnaces
• 2007 Edition

6
Relevant BMS Performance Standards (and
Guidelines)

• FM 7605, Approval
Standard for
Programmable Logic
Control (PLC) Based
Burner Management
Systems

• ISA TR 84.00.05
(technical report) Guidance
on the identification of safety
instrumented functions in
burner management systems

7
Why Misoperation is Important

Source: AIS accident database

8
Compared with Control System Incidents

Changes after
Specifications Commissioning 20 %
44 %

Operation &
Maintenance 15 %

Design & Installation &

Implementation 15 % Commissioning 6 %

Source: “Out of Control: Why Control Systems Go Wrong and How to Prevent Failure,”
U.K.: Sheffield, Health and Safety Executive, 1995

9
Why a SIS for BMS?

10
Understanding ANSI/ISA-84.00.01-2004

• Performance based standard tells us “how well” to adequately

design a safety system by effectively quantifying performance, risk
reduction levels, and device failure rates.
• Considered to be a “best practice” in the industry
• The SP84 Committee is currently working on a technical report
(TR05) titled “Guidance on the Identification of Safety Instrumented
Functions (SIF) in Burner Management Systems (BMS)”

Key Point:
Performance based standards tell us how well we must
implement the prescriptive standard. Both types of
standards are important in BMS design; with the release
of TR05, the performance and prescriptive standards will
be tied together.
11
A Simple Braking Example

Prescriptive Standard (NFPA 85 & 86)

VS

Performance Standard (ISA TR 84.00.05) 12

NFPA 85 Safety Interlocks for BMS

Other fuel input

trip logic
13
NFPA (85/86) Safety interlock Requirements

• Valve Proving System

– To Check Integrity of Shutoff Valves
– Monitor the rising and falling pressure before the gas filling to
prevent the startup or initiate shutdown if leak detected
– Gas Tightness Test or Leakage Test

14
NFPA (85/86) Safety interlock Requirements

Purge Test
– A flow of air (or inert medium) at a rate that will
effectively remove any gaseous or suspended
combustibles and replace them with the purging
medium.
1. To begin the preignition purge interval, both of the following conditions
shall be satisfied:
1. (1) The minimum required preignition airflow is proved.
2. (2) The safety shutoff valve(s) is proved closed
2. The minimum required airflow shall be proved and maintained
throughout the timed purge interval.
3. Failure to maintain the minimum required purge airflow shall stop the
purge and reset the purge timer.

Purge By-Pass - The heating chamber temperature is proven above

1400°F (760°C).

15
NFPA (85/86) Safety interlock Requirements

• Fuel Pressure Shutdown

– To prevent startup or initiate shutdown if fuel pressure is out of
normal range
– Oil: Low Pressure
– Gas: High/Low Pressure

16
NFPA (85/86) Safety interlock Requirements

• Combustion Air Flow Monitoring

– Detects correct purge execution
– Detects inadequate air flow rate during startup and steady state
operation

– Flame Monitoring
– Loss of or failure to establish flame
– Verify stable flame during steady state operation

• Furnace Temperature Monitoring

– Monitor the temperature of the furnace chamber
– In some cases this is used for shutdown
– Eliminate the need to re-purge during a short trip

17
Challenge – prove compliance to standards

18
Challenge – How to prove compliance to
standards

19
Compliant to the NFPA Standards

20
Compliant to the NFPA Standards

21
Compliant to the NFPA Standards

22
Compliant to the NFPA Standards

23
Applying Hazard analysis (ISA TR 84.00.05)

24
Work Process (TR 84.00.05)

25
Verification Table (ISA TR 84.00.05)

26
Conclusions

NFPA standards are prescriptive based not

performance

Field I/O (switch vs. Transmitter)

Programmable logic controllers (plc vs safety plc)

Communications (data highway vs hardwired)

Improved system designs could be realized with

perfomance based approach

Less complex

Higher system safety & availability

Documented and verified and validated

27