NFPA Stipulations on BMS Logic System (Clause 4.11)

| NFPA stipulation | Clause | Interpretation | Remarks |
|---|---|---|---|
| The logic system for burner management shall be designed specifically so that a single failure in that system does not prevent an appropriate shutdown. | 4.11.2 | | |
| The BMS interlock and alarm functions shall be initiated by one of the following: | 4.11.3 | | |
| 1. One or more switches or transmitters that are dedicated to the BMS. | 4.11.3 | 1. We can have non-redundant sensors in the field which are dedicated to the BMS. | |
| 2. One or both signals from two transmitters exceeding a preset value. | 4.11.3 | | |
| 3. The median signal from three transmitters exceeding a preset value. | 4.11.3 | | |
| When signals from multiple switches or transmitters are provided to initiate interlock or alarm functions, those signals shall be monitored in comparison to each other by divergence or other fault diagnostic alarms. | 4.11.3.1 | For 1oo2, 2oo2 and 2oo3 circuits, deviation alarming is a must. | |
| When signals from multiple switches or transmitters are provided to initiate interlock or alarm functions, the signals shall be generated by individual sensing devices connected to separate process | 4.11.3.2 | Do not connect 1oo2 or 2oo3 transmitters/switches to one tapping. | |
| Alarm shall be generated to indicate equipment malfunction, hazardous conditions, and mis-operation. | 4.11.4 | Mis-operation will generally be prevented by logic to the extent possible. Wherever it is still possible to mis-operate, the logic shall be made fail | |
| The BMS designer shall evaluate the following failure modes of components, and as a minimum the following failures shall be evaluated and addressed: | 4.11.5 | | |
| (1) Interruptions, excursions, dips, recoveries, transients and partial loss of power. | 4.11.5 | In general the system can sustain a cycle loss of power. More than that is taken care of by fail safe | |
| (2) Memory corruption and losses | 4.11.5 | Redundant processors / communication are | |
| (3) Information transfer and corruption losses | 4.11.5 | Redundant communication systems are provided. | |
| (4) Inputs and outputs (fail-on, fail-off) | 4.11.5 | Fail-on and fail-off is followed while designing the logic and configuring the IO cards' fail status. | |
| (5) Signals that are unreadable or not being read. | 4.11.5 | Alarmed as BAD signals and appropriate actions are taken. | |
| (6) Failure to address errors | 4.11.5 | | |
| (7) Processor faults | 4.11.5 | Watch dog timer changes to working | |
| (8) Relay coil failure | 4.11.5 | Takes the system to | |
| (9) Relay contact failure | 4.11.5 | Two NO contacts of different OP relays connected in series. | |
| (10) Time failure | 4.11.5 | Timers are in | |
| The requirements of the logic solver (BMS PC): | 4.11.6 | | |
| (1) Diagnostics shall be included in the design to monitor the process logic function. | 4.11.6 | Ambiguous. Processor diagnostics are normally provided. Channel level diagnostics need to be additionally | |
| (2) Logic system failure shall NOT preclude operator intervention. | 4.11.6 | Manual bypass switch for MFT to be provided. | |
| (3) Logic shall be protected from unauthorized changes. | 4.11.6 | It is always protected by password. | |
| (4) Logic shall not be changed while the associated equipment is running. | 4.11.6 | On-line programming is not recommended, although we ask for the feature. | |
| (5) System response time (throughput) shall be short enough to prevent a negative effect on the application. | 4.11.6 | Quite subjective. For AFBC/CFBC boilers 250 ms is good enough, while for gas fired burners 100 ms should be adopted. | |
| (6) Protection from effects of noise shall prevent false | 4.11.6 | Shielding guidelines to be followed. | |
| (7) No single component failure within the logic system shall prevent a mandatory MFT. | 4.11.6 | This does not call for redundant components, but requires that failure of the processor, IO communication card or power supply will cause a safe MFT. Normally we are using the fail-safe concept to meet this | |
| (8) The operator shall be provided with a manual PB that shall actuate the MFT independently and directly. | 4.11.6 | | |
| (9) At least one manual switch referred to in 4.11.6(8) shall be identified and located remotely where it can be reached during an emergency. | 4.11.6 | One manual MFT switch can be provided in the CCR and one in the local burner panel on the operating floor. | |
| (10) The logic system shall be monitored for * | 4.11.6 | Same as 4.11.6(1). | |
| (11) Failure of the logic system shall require a fuel trip for all equipment supervised by the failed logic system. | 4.11.6 | | |
| (12) Logic shall be maintained in either non-volatile storage or in other memory which retains information on the loss of system power. | 4.11.6 | Normally the memory in modern PLCs is either non-volatile or battery backed-up for more than 48 hrs. But the term "information" is ambiguous. The non-volatile memory/battery backed RAM stores the logic but not the real-time data at the time of failure. | So we construe that the word means the logic and not the real-time data, preserving which is anyway not useful. |
| Requirements of Independence | 4.11.7 | | |
| The burner management system will be provided with independent logic, independent logic solving hardware, independent IO systems, independent power supplies, and shall be functionally and physically separate from other logic systems | 4.11.7.1 | This precludes usage of DCS or other BPCS for the BMS application. | But refer to the next stipulation for single burner systems. |
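The voting and diagnostic rules from clauses 4.11.3, 4.11.3.1, 4.11.5(5) and 4.11.6(7) can be expressed as a small de-energize-to-trip interlock evaluator. The following is an added worked example and is not part of the NFPA text or of the interpretation notes above: it implements 1oo2, 2oo2 and 2oo3 (median) voting against a preset value, raises a divergence alarm when redundant transmitters disagree, and treats a BAD (unreadable) signal fail-safe. The tag names, the trip preset, the deviation limit, the degradation policy for a lost channel and the sample readings are all constructed for illustration.

```python
"""Added example: interlock voting with divergence and BAD-signal diagnostics."""
from dataclasses import dataclass, field
from statistics import median
from typing import Literal, Optional


@dataclass
class Reading:
    tag: str                  # constructed tag name, e.g. "PT-101A"
    value: Optional[float]    # None models an unreadable/BAD signal (4.11.5(5))


@dataclass
class VoteResult:
    trip: bool                              # True: the interlock demands a trip (MFT)
    alarms: list[str] = field(default_factory=list)


Voting = Literal["1oo2", "2oo2", "2oo3"]


def vote(readings: list[Reading], preset: float, voting: Voting,
         deviation_limit: float) -> VoteResult:
    """Evaluate one interlock.

    preset          : a signal strictly above this value votes to trip (4.11.3)
    deviation_limit : largest spread allowed between good signals before a
                      divergence alarm is raised (4.11.3.1)
    Fail-safe policy (assumed, in the spirit of 4.11.6(7)): a BAD channel counts
    as a vote to trip in 1oo2/2oo2; in 2oo3 one BAD channel degrades the vote to
    1oo2 on the survivors and two BAD channels trip outright.
    """
    expected = 3 if voting == "2oo3" else 2
    if len(readings) != expected:
        raise ValueError(f"{voting} needs {expected} transmitters, got {len(readings)}")

    alarms = [f"BAD signal: {r.tag}" for r in readings if r.value is None]
    good = [r.value for r in readings if r.value is not None]
    bad = len(readings) - len(good)

    # 4.11.3.1: redundant signals are compared against each other.
    if len(good) >= 2 and max(good) - min(good) > deviation_limit:
        alarms.append(f"divergence: spread {max(good) - min(good):.2f} exceeds {deviation_limit}")

    exceeding = sum(1 for v in good if v > preset)

    if voting == "1oo2":
        trip = exceeding >= 1 or bad >= 1
    elif voting == "2oo2":
        trip = exceeding + bad >= 2            # a BAD channel votes to trip
    else:                                      # 2oo3
        if bad == 0:
            trip = median(good) > preset       # median of three transmitters
        elif bad == 1:
            trip = exceeding >= 1              # degraded to 1oo2 on the survivors
        else:
            trip = True                        # too few channels left: fail safe

    if trip:
        alarms.append("interlock: trip demanded")
    return VoteResult(trip, alarms)


def demo() -> dict[str, VoteResult]:
    """Constructed readings for a furnace-pressure style interlock (preset 200, limit 15)."""
    preset, dev = 200.0, 15.0
    a, b, c = "PT-101A", "PT-101B", "PT-101C"
    return {
        "2oo3 normal": vote([Reading(a, 150.0), Reading(b, 152.0), Reading(c, 149.0)], preset, "2oo3", dev),
        "2oo3 one high": vote([Reading(a, 150.0), Reading(b, 230.0), Reading(c, 149.0)], preset, "2oo3", dev),
        "2oo3 one BAD one high": vote([Reading(a, None), Reading(b, 230.0), Reading(c, 149.0)], preset, "2oo3", dev),
        "2oo3 two BAD": vote([Reading(a, None), Reading(b, None), Reading(c, 149.0)], preset, "2oo3", dev),
        "1oo2 one BAD": vote([Reading(a, 150.0), Reading(b, None)], preset, "1oo2", dev),
        "2oo2 one BAD one high": vote([Reading(a, None), Reading(b, 230.0)], preset, "2oo2", dev),
        "2oo2 one high": vote([Reading(a, 150.0), Reading(b, 230.0)], preset, "2oo2", dev),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} trip={result.trip} alarms={result.alarms}")
```

The "2oo3 one high" case shows why divergence alarming is mandatory: the median vote correctly ignores a single runaway transmitter, so without the deviation alarm the faulty channel would stay hidden until a second channel failed.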
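Clauses 4.11.6(3), 4.11.6(4) and 4.11.6(12) concern the logic image itself rather than the process signals. The following added example, not taken from the NFPA text or from the notes above, models a logic solver whose application logic lives in non-volatile storage, gates downloads behind an engineering credential, refuses any download while the equipment is running, and periodically checks the stored logic against an approved baseline hash so that an unauthorized change is at least detected. The credential check is a stand-in for the PLC password protection the notes mention; the baseline-hash verification is an assumption added here, and the key and logic images are constructed.

```python
"""Added example: change control and integrity baseline for a logic solver."""
import hashlib
import hmac


class LogicSolver:
    """Toy logic solver with a model of non-volatile and volatile storage."""

    def __init__(self, engineering_key: bytes):
        # Stand-in for the password protection of 4.11.6(3) (assumption).
        self._engineering_key = engineering_key
        self.running = False                                   # supervised equipment running?
        self.nonvolatile = {"logic": b"", "baseline": None}    # retained on power loss (4.11.6(12))
        self.realtime: dict[str, float] = {}                   # process values; lost on power loss

    @staticmethod
    def _digest(data: bytes) -> bytes:
        return hashlib.sha256(data).digest()

    def download(self, image: bytes, key: bytes) -> None:
        """Accept a new logic image only from an authorized engineer and only when stopped."""
        if not hmac.compare_digest(key, self._engineering_key):
            raise PermissionError("unauthorized logic change rejected (4.11.6(3))")
        if self.running:
            raise RuntimeError("logic change refused while equipment is running (4.11.6(4))")
        self.nonvolatile["logic"] = image
        self.nonvolatile["baseline"] = self._digest(image)    # approved baseline

    def verify(self) -> list[str]:
        """Periodic diagnostic: alarm if the stored logic no longer matches the baseline."""
        if self.nonvolatile["baseline"] is None:
            return ["no approved logic baseline"]
        if self._digest(self.nonvolatile["logic"]) != self.nonvolatile["baseline"]:
            return ["logic image differs from approved baseline"]
        return []

    def power_loss(self) -> None:
        """4.11.6(12) as the notes read it: logic survives, real-time data does not."""
        self.realtime.clear()
        self.running = False


def attempt_download(solver: LogicSolver, image: bytes, key: bytes) -> str:
    """Return a short outcome string instead of raising, for logging or testing."""
    try:
        solver.download(image, key)
        return "accepted"
    except PermissionError:
        return "rejected: unauthorized"
    except RuntimeError:
        return "refused: equipment running"


if __name__ == "__main__":
    solver = LogicSolver(b"constructed-engineering-key")
    print(attempt_download(solver, b"LOGIC v1", b"constructed-engineering-key"), solver.verify())
    solver.running = True
    print(attempt_download(solver, b"LOGIC v2", b"constructed-engineering-key"))
```

A password alone only controls who may change the logic; the baseline comparison gives the diagnostic side (4.11.6(1)) a way to notice that the running logic is no longer the approved image, which is the condition an operator would want alarmed.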