
The challenge of updating existing furnace burner management systems (BMS) to meet international safety requirements

Charles M. Fialkowski, CFSE, National Process Safety Manager, Siemens Energy and Automation
Daniel Molnar, President, Global Research & Engineering, LLC


Keywords: SIS, safety instrumented system; BMS, burner management system; SIF, safety instrumented function; MFT, master fuel trip; emergency shutdown; safety communications; diagnostics; NFPA, National Fire Protection Association; ISA, International Society of Automation


One of Global Research & Engineering, LLC's areas of expertise is thermal process design and application engineering for rotary hearth furnaces. This knowledge and experience helped the firm land a major project with a large international company whose business is recycling the hazardous waste generated when steel scrap is recycled. The customer's long-term objective was to develop a process that would let it operate a network of these recycling plants covering many of the major steel recycling regions of the world.

After more than eight years of research and development into the best way of processing this waste material, it was decided to use existing technology that had previously been optimized for the recovery of zinc. While this approach met both the energy efficiency and the high recovery goals, the customer knew that its traditional way of implementing burner management systems (BMS) was not going to meet today's safety and reliability requirements.

In the past, prescriptive standards such as those of NFPA provided requirements on how to safely start up, shut down and operate most fired equipment (boilers, ovens, furnaces, process heaters, etc.). However, they said little about the performance requirements for the equipment that performs these safety interlocks. For example, NFPA states that for a gas-fired burner the fuel gas pressure shall be monitored for unsafe conditions (both high- and low-pressure), and even gives guidance on where the measurement should be made (after the gas regulator and before the main control valve). No statement is made, however, regarding the overall safety performance of this critical interlock, leaving much of that responsibility to others.

This paper reviews how NFPA 86 (Standard for Ovens and Furnaces) can be further improved by incorporating many of the concepts in the latest ISA technical report, ISA-TR84.00.05, Guidance on the Identification of Safety Instrumented Functions in Burner Management Systems.


The ISA safety committee (S84) determined several years ago that it was necessary to provide supplemental information on the application of hazard and risk analysis to burner management systems (BMS). Their years of work resulted in the recently published technical report ISA-TR84.00.05, Guidance on the Identification of Safety Instrumented Functions (SIF) in Burner Management Systems (BMS). The main purpose of this technical report is to give users of the functional safety standard ANSI/ISA-84.00.01-2004 guidance on how to identify safety functions within BMS applications. Safety functions classified as safety instrumented functions (SIFs) should be designed and managed according to ANSI/ISA-84.00.01-2004, as well as other applicable codes, standards and practices. The information and methods described in the technical report are not intended to replace, but to supplement, the requirements of good engineering practices applicable to BMS, such as NFPA 85, NFPA 86, NFPA 87, API 556, ASME CSD-1 and API RP14C.


For many years BMS were built from non-programmable, hardwired electromechanical relays. These relay systems were relatively simple and their failure characteristics were well known; a properly designed relay system was considered by most to be relatively safe. The drawbacks of relay systems become apparent quickly once the number of I/O (inputs and outputs) grows much beyond 20: the wiring is cumbersome, the logic is difficult to change, documentation must be done manually, and there are no automatic diagnostics and no digital communications. Relay systems have a low initial price, but the overall cost of ownership can be relatively high. Because relay systems are typically simplex and fail-safe by design (a de-energized relay trips), they suffer from nuisance trips, i.e., shutting the process down when nothing is actually wrong. This results in lost production and lost income and is obviously not desirable.

Figure 1 Typical hard-wired relay system

Engineering a standard PLC for BMS

The introduction of the PLC (programmable logic controller) in 1969 brought about many changes. PLCs were specifically designed to replace hardwired relay control systems and offered many potential advantages (e.g., software flexibility, self-documentation, smaller size, lower life cycle costs). While PLCs did offer many advantages for many different applications, most were not suited for safety because of their failure mode characteristics: a standard PLC has a much higher probability of failing dangerously than a relay, as shown in Figure 2.
Figure 2 Failure mode comparison between relay and standard PLC

Unfortunately, many users were (and some still are) not aware of this simple fact. The main limitation, as far as safety is concerned, is the lack of effective diagnostics, especially in the input and output (I/O) modules.

NFPA standards have long recognized that standard PLCs, if designed correctly, could properly perform conventional burner management functions. They also recognized that standard PLCs possess certain failure modes that could place the burner in a dangerous state. Historically, NFPA standards have prescribed protective measures against these conditions. The burden of proof was placed on the BMS designer to ensure that these protective measures were in place and would result in a safety shutdown within 3 seconds of detecting any of the following conditions:

1. Failure to execute any program or task containing safety logic
2. Failure to communicate with any safety input or output
3. Changes in software set points of safety functions
4. Failure of outputs related to safety functions
5. Failure of timing related to safety functions
Figure 3 Example of Watchdog circuit used on a standard PLC

For several years much confusion has existed over what should and could be done to comply with these NFPA requirements. Project engineers developed and published white papers and technical manuals giving their interpretation of the standards' intent and how it could be implemented with their standard PLC equipment. Figure 3 is an example of how an external watchdog circuit could be used to meet the requirement of detecting whether the PLC has failed to execute any program or task containing safety logic.

The watchdog is driven by oscillating two outputs from the PLC to hold in (through a transformer) an external relay (RW). If either of these two channels stutters, stops or fails for any reason, the watchdog relay drops out.

Two contacts from the watchdog relay are wired in series directly into a hardwired trip circuit that removes power from all critical outputs, independently of the PLC processor. De-energizing the watchdog relay coil opens the watchdog relay contacts, causing a master fuel trip (MFT). The watchdog relay is also wired to a PLC input for monitoring and alarming. The watchdog circuit thus works in conjunction with the hardwired trip circuit to provide a means of tripping the system outside of the PLC logic, as shown in Figure 4.
Figure 4 Example of Master Fuel Trip (MFT) on standard PLC
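The behaviour of the watchdog and hardwired trip described above can be modelled to check the one property NFPA actually asks for: that a stalled PLC leads to a fuel trip within 3 seconds, through a path the PLC cannot override. The following discrete-time model is an added illustration written for this page, not code from the paper, the authors or any PLC vendor. The toggle period, relay dropout time and scan time are assumptions; the two outputs, the relay RW, the series trip contacts and the latching behaviour follow the description in the text.

```python
# Added illustration: a discrete-time model of the external watchdog and
# hardwired master fuel trip (MFT) described above.  Not code from the paper
# or from any PLC vendor; all timing constants are assumptions of this model.

TRIP_DEADLINE_S = 3.0  # NFPA: safety shutdown within 3 s of detecting a fault
TOGGLE_PERIOD_S = 0.1  # assumed: PLC toggles each watchdog output every 100 ms
DROPOUT_S = 0.5        # assumed: relay RW drops out if a channel is static this long
DT = 0.01              # simulation step (one PLC scan)

STEPS_PER_TOGGLE = int(round(TOGGLE_PERIOD_S / DT))
DROPOUT_STEPS = int(round(DROPOUT_S / DT))


class WatchdogRelay:
    """Relay RW, held energized only while both PLC outputs keep oscillating.

    Each channel's last transition is remembered; if either channel stays
    static (stuck high, stuck low, or stopped) for longer than DROPOUT_STEPS
    scans, the relay de-energizes and latches out, as a real MFT does until reset."""

    def __init__(self):
        self.energized = True
        self._level = [None, None]
        self._last_edge = [0, 0]

    def sample(self, step, ch_a, ch_b):
        for i, level in enumerate((ch_a, ch_b)):
            if level != self._level[i]:        # transition seen on this channel
                self._level[i] = level
                self._last_edge[i] = step
        if any(step - edge > DROPOUT_STEPS for edge in self._last_edge):
            self.energized = False            # latched: no self-reset
        return self.energized


def fuel_permitted(relay_energized, other_permissives_ok=True):
    """Hardwired trip string: two RW contacts in series with the other hardwired
    permissives feed power to the critical outputs.  No PLC logic in this path."""
    return relay_energized and other_permissives_ok


def run_scenario(fault=None, fault_at_s=2.0, duration_s=6.0):
    """Simulate the heartbeat and return the MFT time in seconds, or None.

    fault:  None              -> healthy PLC, heartbeat runs for the whole window
            "cpu_hang"        -> both outputs freeze at their last state
            "channel_b_stuck" -> output B fails stuck high; A keeps toggling
    """
    relay = WatchdogRelay()
    fault_step = int(round(fault_at_s / DT))
    last = (0, 1)
    for step in range(int(round(duration_s / DT)) + 1):
        ch_a = (step // STEPS_PER_TOGGLE) % 2   # two anti-phase square waves
        ch_b = 1 - ch_a
        if fault and step >= fault_step:
            if fault == "cpu_hang":
                ch_a, ch_b = last
            elif fault == "channel_b_stuck":
                ch_b = 1
        last = (ch_a, ch_b)
        if not fuel_permitted(relay.sample(step, ch_a, ch_b)):
            return step * DT
    return None


if __name__ == "__main__":
    for fault in (None, "cpu_hang", "channel_b_stuck"):
        trip = run_scenario(fault)
        status = "no trip" if trip is None else f"MFT at t={trip:.2f} s"
        print(f"{fault or 'healthy':>16}: {status}")
```

With these constants both fault cases trip roughly half a second after the fault, well inside the 3 second requirement, and the healthy case never trips. The point worth noting is what the PLC cannot do: once RW has dropped, `fuel_permitted` stays false no matter what the processor writes to its outputs, which is exactly why the relay contacts, not the PLC, sit in the trip string.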

Safety PLCs for BMS

Since the early 1990s a new generation of PLCs has been developed, certified as fail-safe and better known as Safety PLCs. These systems use the advances in microprocessor performance to add system-level diagnostics that improve both safety and system availability. This level of diagnostics can lessen or even eliminate the requirement for extra components (i.e., timers, watchdogs and relays). Overall, this results in a more cost-effective solution with better safety performance and system availability than conventional PLC technology. System architectures that employ these advanced self-diagnostics are typically designated 1oo1D, 1oo2D, 2oo3D, etc., where the D indicates that the system's diagnostics are capable of bringing the system to its safe state when a failure is detected. While many systems claim to offer some level of diagnostics, the difference in a Safety PLC is that its diagnostics are designed, and certified, to automatically drive the system to its known safe state when a dangerous failure is detected (as shown in Figure 5).
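The difference between an MooN architecture and its MooND counterpart is easiest to see by voting the same failed channels both ways. The model below is an added illustration written for this page, not code from the paper or from any certified product. A channel carries its own verdict (trip or not) and a flag for whether its self-tests have detected a failure; without the D the raw verdicts are counted, with the D a diagnosed channel leaves the vote and the architecture degrades. How it degrades is a vendor design choice, so two plausible policies are modelled and labelled as assumptions.

```python
# Added illustration: a model of MooN voting with and without the "D"
# (diagnostic) behaviour described above.  Not code from the paper or from
# any certified Safety PLC; the degradation policies are assumptions.

from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    trip: bool           # what the channel outputs: True = demands the safe state
    fault: bool = False  # True if the channel's diagnostics have detected a failure


def vote(channels, m, diagnostics, policy="safety"):
    """m-out-of-n trip vote; returns True when the system goes to its safe state.

    Without diagnostics (plain MooN) every channel's raw output is counted, so a
    channel that has failed dangerously simply votes "no trip" and nobody knows.
    With diagnostics (MooND) a channel flagged by its self-tests is removed from
    the vote and the vote degrades; with no healthy channel left the system trips.
    How it degrades is a design choice (assumed here):
      "safety":       m' = max(1, m - faulted)    2oo3D -> 1oo2 -> 1oo1 -> trip
      "availability": m' = min(m, healthy)        2oo3D -> 2oo2 -> 1oo1 -> trip
    """
    if not diagnostics:
        return sum(c.trip for c in channels) >= m
    healthy = [c for c in channels if not c.fault]
    faulted = len(channels) - len(healthy)
    if not healthy:
        return True
    m_eff = max(1, m - faulted) if policy == "safety" else min(m, len(healthy))
    return sum(c.trip for c in healthy) >= m_eff


def demand_response(m, n, dangerous_failures, diagnostics, policy="safety"):
    """A real demand is present.  `dangerous_failures` channels are stuck at
    "no trip"; with diagnostics those failures are assumed detected (the "D").
    Returns True if the system trips, i.e. the safety function does its job."""
    channels = [Channel(trip=False, fault=True) for _ in range(dangerous_failures)]
    channels += [Channel(trip=True) for _ in range(n - dangerous_failures)]
    return vote(channels, m, diagnostics, policy)


def spurious_trip(m, n, safe_failures, diagnostics, policy="safety"):
    """No demand.  `safe_failures` channels have failed to the trip state.
    Returns True if the plant is tripped anyway (a nuisance trip)."""
    channels = [Channel(trip=True, fault=True) for _ in range(safe_failures)]
    channels += [Channel(trip=False) for _ in range(n - safe_failures)]
    return vote(channels, m, diagnostics, policy)


def compare(m, n, failures):
    """(plain, D) results for MooN vs MooND with `failures` failed channels."""
    return {
        "trips_on_demand": (demand_response(m, n, failures, False),
                            demand_response(m, n, failures, True)),
        "nuisance_trip":   (spurious_trip(m, n, failures, False),
                            spurious_trip(m, n, failures, True)),
    }


if __name__ == "__main__":
    for m, n, failures in [(1, 1, 1), (1, 2, 1), (1, 2, 2), (2, 3, 1), (2, 3, 2)]:
        r = compare(m, n, failures)
        print(f"{m}oo{n} with {failures} failed channel(s): "
              f"trips on demand (plain, D) = {r['trips_on_demand']}, "
              f"nuisance trip (plain, D) = {r['nuisance_trip']}")
```

Two rows of the table carry the argument of this section. A 1oo1 channel that has failed dangerously misses the demand, while 1oo1D trips because the diagnostics, not the channel, drive the output. A 1oo2 system with one channel failed to the trip state produces a nuisance trip, while 1oo2D removes that channel and runs 1oo1 on the healthy one, which is the availability gain the text refers to. Note that the D only helps for failures the diagnostics actually detect; undetected dangerous failures behave exactly as in the plain architecture, which is why the diagnostic coverage claim has to be certified rather than asserted.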

While many experts knew and understood the safety improvements these Safety PLCs could provide, they historically received little to no credit from the prescriptive NFPA standards. This lack of credit made it difficult to justify the cost premium of moving to a Safety PLC, particularly when the standards still required external devices in order to claim compliance.

Figure 5 Example of Safety PLC with diagnostics (block diagram: input diagnostics, CPU diagnostics, output diagnostics)

The latest edition of NFPA 86 (2011) adds a new section under 8.4, Programmable Logic Controller Systems, that identifies and describes the characteristics of a Safety PLC used for BMS (section 8.4.5, Safety PLCs). As a result, Safety PLCs can now be applied with less rigor and fewer prescriptive requirements than were previously imposed on standard PLCs. In general this virtually eliminates the need for extra components and extra user programming to detect and respond to the following conditions:

1. Failure to execute any program or task containing safety logic

Most modern Safety PLCs use special programming blocks (i.e., function blocks) that contain additional diagnostic features for both detecting and reacting to execution failures. These features ensure that errors are detected and trigger a transition of the Safety PLC to its safe state.

2. Failure to communicate with any safety input or output

In the event of an error on a Safety PLC I/O module, one or more channels of the affected module are automatically passivated (switched to a safe state). Depending on the system used, the failure may be localized to the single affected channel or propagated to a complete module error in which all channels are affected. In either case, the system is capable of sending the required fault annunciation from the Safety PLC to its local HMI or other operator interface panel.

3. Changes in software set points of safety functions

Safety-related settings (such as set points) are stored in non-volatile, write-protected areas within the Safety PLC's safety program. Only authorized changes (proper login with proper credentials) are permitted, and all changes are automatically recorded and stored in the Safety PLC's memory. In the event of an erroneous or unauthorized change, the system diagnostics detect it and either reject the change or go to the fail-safe state (depending on the system).

4. Failure of outputs related to safety functions

Continuous and automatic fault detection measures (e.g., signal monitoring and read-back) are built into Safety PLC output modules. Unlike a standard PLC, a Safety PLC provides a secondary means of de-energizing an output on any detected dangerous failure, bringing the output channel to its defined fail-safe state.

5. Failure of timing related to safety functions

Ignition and purge timing are considered critical safety functions within the BMS and were considered too risky to implement in a standard PLC. Today, timing functions programmed in a Safety PLC are strictly monitored and protected against failures to high integrity levels. This is accomplished automatically and internally within the Safety PLC using redundant (dual or triple) timing functions of diverse technologies that have been independently tested and approved by a third party.
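Item 3 above is where the safety-integrity argument overlaps most directly with security: a set point that can be altered by anyone with a network path to the controller is a safety function that can be defeated without touching a wire. The model below is an added illustration of the described behaviour (write-protected parameters, authenticated and authorized changes, automatic change records, and detection of any other write), written for this page; it is not the paper's code or any vendor's firmware, which implements this in the safety kernel rather than in user code. The key, the authorized role, the parameter names and the engineering limits are assumptions chosen to match the fuel gas pressure and purge timing interlocks discussed earlier.

```python
# Added illustration of the set-point protection described in item 3: safety
# parameters live in a sealed block whose integrity is re-verified every scan,
# changes are accepted only from an authenticated, authorized user and only
# within engineering limits, and every change is recorded.  This is a model
# written for this page, not the paper's or any vendor's firmware; the key,
# user list, parameter names and limits are assumptions.

import hashlib
import hmac
import json
import time

SEAL_KEY = b"assumed-per-controller-secret"      # assumption: held by the safety CPU
AUTHORIZED_USERS = {"safety_engineer"}            # assumption: role allowed to change set points
PARAM_LIMITS = {                                  # assumed engineering limits (lo, hi)
    "fuel_gas_pressure_low_kpa": (5.0, 20.0),
    "fuel_gas_pressure_high_kpa": (25.0, 60.0),
    "purge_time_s": (120, 900),
}


class SafetyParameterBlock:
    """Non-volatile, write-protected set-point store with a keyed integrity tag."""

    def __init__(self, params, key=SEAL_KEY):
        self._key = key
        self._params = dict(params)
        self._seal = self._compute_seal(self._params)
        self.change_log = []        # (time, user, name, old, new): recorded automatically
        self.failsafe = False       # set once tampering or corruption is detected

    def _compute_seal(self, params):
        canonical = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).digest()

    def get(self, name):
        return self._params[name]

    def verify(self):
        """Run every scan: any write that bypassed authorized_change() (HMI poke,
        memory corruption, rogue engineering tool) breaks the seal and forces
        the fail-safe state instead of running on an unknown set point."""
        if not hmac.compare_digest(self._seal, self._compute_seal(self._params)):
            self.failsafe = True
        return not self.failsafe

    def authorized_change(self, user, credentials_ok, name, new_value):
        """The only legitimate write path.  Rejects unauthenticated or
        unauthorized users and out-of-range values; otherwise applies the
        change, re-seals the block and logs who changed what, from what, to what."""
        if not credentials_ok or user not in AUTHORIZED_USERS:
            return False
        lo, hi = PARAM_LIMITS[name]
        if not (lo <= new_value <= hi):
            return False
        old = self._params[name]
        self._params[name] = new_value
        self._seal = self._compute_seal(self._params)
        self.change_log.append((time.time(), user, name, old, new_value))
        return True


def tamper(block, name, value):
    """Model an unauthorized write that bypasses the API (for the demonstration only)."""
    block._params[name] = value


def demo():
    """Walk the block through a good change, two rejected ones and a tamper."""
    block = SafetyParameterBlock({
        "fuel_gas_pressure_low_kpa": 14.0,
        "fuel_gas_pressure_high_kpa": 35.0,
        "purge_time_s": 300,
    })
    result = {"seal_ok_initially": block.verify()}
    result["rejected_unauthorized_user"] = not block.authorized_change(
        "operator", True, "purge_time_s", 240)
    result["rejected_out_of_range"] = not block.authorized_change(
        "safety_engineer", True, "purge_time_s", 30)
    result["accepted_authorized_change"] = block.authorized_change(
        "safety_engineer", True, "purge_time_s", 240)
    result["seal_ok_after_authorized_change"] = block.verify()
    tamper(block, "fuel_gas_pressure_low_kpa", 0.0)  # would defeat the low-pressure trip
    result["seal_ok_after_tamper"] = block.verify()
    result["failsafe"] = block.failsafe
    result["changes_logged"] = len(block.change_log)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:32} {value}")
```

The check that matters is the last one: after the out-of-band write the block does not quietly run with a zero low-pressure set point, it fails the per-scan verification and goes to the fail-safe state, which is the "detect and either reject or go fail-safe" behaviour the text attributes to a Safety PLC. The authorized change, by contrast, leaves a verifiable seal and an audit entry behind. In a real controller the equivalent protection is part of the certified firmware; the value of the model is in showing why a plain "write-protected" flag that any engineering tool can clear is not the same property.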


In the past, most burner management designers had a fairly good understanding of how to meet the prescriptive requirements of BMS standards such as NFPA; however, it has typically remained unclear what was required to claim compliance with the latest functional safety

The ISA S84 safety committee has long recognized that NFPA (and other industry standards) lacked performance-based requirements, which was the driving factor for developing its BMS technical report. In addition, both NFPA 86 and NFPA 85 now appear to be moving in the right direction, with both standards containing linking paragraphs in their annexes stating the following:

Furnace controls that meet the performance-based requirements of standards such as ANSI/ISA 84.00.01, Application of Safety Instrumented Systems for the Process Industries, can be considered equivalent.

Of course, to claim compliance with the safety standards more work is needed that considers the entire safety function (e.g., the field devices), but this is evidence that the industry is moving in the right direction by acknowledging the benefits of Safety PLCs without requiring a host of externally wired components, which increase system complexity and lower system availability.

1. NFPA 86, Standard for Ovens and Furnaces, 2011 Edition, National Fire Protection Association, 2010
2. NFPA 85, Boiler and Combustion Systems Hazards Code, 2011 Edition, National Fire Protection Association, 2010
3. ISA-TR84.00.05-2009, Guidance on the Identification of Safety Instrumented Functions (SIF) in Burner Management Systems (BMS), 2009
4. Burner Management System Safety Integrity Level Selection, Mike Scott,
5. Making programmable BMS safe and reliable, John Cusimano, Power, 1995
6. Safeguarding Methods for Applying Programmable Logic Controllers in Burner Management Systems, Thomas Rutherford, James Scrholl, ISA, 1996
7. Application of Safety Instrumented Systems for the Process Industries, ANSI/ISA-84.00.01-2004 (IEC 61511 Mod.)
8. Achieving better Safety Instrumented System (SIS) performance with less hardware, Charles Fialkowski, Hydrocarbon Engineering, 2008
9. Selecting Safety System Design, Charles Fialkowski, Applied Automation