Burner Managment System

Burner Management System
Safety Functions
On-line Lesson
Welcome to the exida.com on

- line lesson, Burner Management System
(BMS) Safety Functions. In this lesson we will explain typical and example
safety instrumented functions found in a BMS.
Copyright exida.com LLC 2001-2002
e ida.com
excellence in dependable-automation
Prerequisite and Companion Lessons

Introduction to Safety Instrumented
Systems
Introduction to Burner Management
Systems
It is recommended that the exida on

- line lesson, Introduction to Safety
Instrumented Systems, may be helpful as a prerequisiste lesson for those
not familiar with functional safety systems. The exida on
- line lesson
Introduction to Burner Management Systems should be taken by those not
familiar with the BMS hazards and BMS standards.
e ida.com
General Lesson Objectives

Review Standards for BMS
Show Safety Functions for typical/example
BMS
Review BMS design process
Present example BMS safety function
verification
3
Copyright 2002, exida.com
Over the duration of this course the participant will:

Review some standards that apply to BMS
Be introduced to typical safety instrumented functions found in a BMS
Review the BMS design process per the Safety Lifecycle
Be shown an example BMS safety verification calculation
e ida.com
NFPA Standards
8501 - Single Burner
8502 - Multiple Burner
(Previously 85C)
8503 - Pulverized Fuel
8504 - Fluidized Bed
Boilers
8506 - Ovens & Furnaces
ANSI/NFPA 85C An American National Standard August 16, 1991

ANSI/NFPA 85C An American National Standard August 16, 1991
NFPA
NFPA85C
85C
Prevention
Preventionof
ofFurnace
Furnace
Explosions/Implosions
Explosions/Implosions
in
inMultiple
MultipleBurner
Burner
Boiler-Furnaces
Boiler-Furnaces
1991
Edition
1991Edition
National Fire Protection Association 1 Batterymarch Park, POBox 9101, Quincy, MA 02269-9101
National Fire Protection Association 1 Batterymarch Park, POBox 9101, Quincy, MA 02269-9101
BMS design requires that the designer understand many standards. The
National Fire Protection Association (NFPA) standard 85 is probably the
most recognized standard worldwide for combustion systems safety. The
current standards are quite prescriptive with very specific design
requirements.
e ida.com
ANSI/ISA 84.01 Standard

Recognized by OSHA as industry accepted
good engineering practices.
Approved in 1994
Offers the Safety Lifecycle as a method for
SIS design
Risk reduction targets and compliance
measured by Safety Integrity Levels (SIL)
The ISA 84.01 standard was not written specifically for BMS. It covers
functional safety of programmable equipment used in the process industries.
Since this standard was endorsed by OSHA in the United States it is
required on many BMS projects as well. This standard describes a lifecycle
approach to risk assessment and management using safety instrument
systems (SIS) as a risk reduction mechanism. A BMS is classified as a SIS.
e ida.com
FM 7605 Equipment Certification

BMS Standard written for compliance
with IEC61508.
WEquipment must be IEC61508 certified.
Hardware architecture for specified SIL
Software compliance for specified SIL
WManufacturing facilities examination.

WDemonstrated Quality and Reliability.
6
FM standard 7605 builds upon an international functional safety standard

IEC61508. The FM standard requires that equipment for BMS applications
be functional safety certified per IEC61508. Other requirements in addition
to those of IEC61508 are listed as well.
e ida.com
IEC61508 - Consensus Standard
HSE
PES
ISA
S84
DIN V 19250
DINV VDE0801
EWICS
IEC61508
IEC 61508 is an international standard for functional safety created by a number of

active groups from around the world.
e ida.com
IEC 61508 - Objectives

Safety
Management
Accident
Causes
Technical
Requirements
IEC61508
Safety Life
Cycle
Competence
of Persons
Certification
A key objective of of IEC61508 was to address accident causes by creating

a system to manage safety, to assure proper technical requirements and to
assure competent personnel.
A Safety Lifecycle approach is required to assess the magnitude of the
needed risk reduction and design safety instrumented functions that meet
that risk reduction target.
e ida.com
Safety LifecycleAnalysis Phase
1. Conceptual
Process Design
Process Information
2. Identify
Potential Hazards
Event History
e ida.com
Layers of Protection
Failure Probabilities
Consequence
Database
3. Layer of
Protection Analysis
Assess Potential
Risk Likelihood
e ida.com
Analyze Potential
Risk Magnitude
Safety
Requirements
Allocation
Hazard
Characteristics
Potential Hazards
Hazard Frequencies
FETCH Tool
excellence in dependable automation
4. Consequence
Analysis
Hazard Consequences
Develop non SIS Layers

SIS
Required?
Target SILs
No
Exit
SRS DOCUMENT Template
Safety Requirements SpecificationFunctional Description of each Safety

Instrumented Function, Target SIL,
Mitigated Hazards, Process parameters,
Logic, Bypass/Maintenance
requirements, Response time, etc
Yes
Tolerable Risk
Guidelines
PROBE Tool
5. Select Target
SIL
6. Develop Safety
Specification
In the Analysis phase of the Safety Lifecycle (SLC), the risk of each hazard
is assessed by obtaining an estimate of the likelihood of occurance and
consequence of occurance. For those risks that need to be reduced, safety
requirements are created. Often the needed safety can be achieved without
a safety instrumented system. For those places where a SIS is judged to be
the best solution, a risk reduction target is defined called a Safety Integrity
Level (SIL). A description of the needed safety functions along with all
important information including the SIL is documented in a safety
requirements specification (SRS).
e ida.com
Safety Lifecycle Realization Phase
Safety Requirements Specification Functional Description of each Safety

Instrumented Function, Target SIL,
Mitigated Hazards, Process parameters,
Logic, Bypass/Maintenance
requirements, Response time, etc
7. SIS Conceptual
Design
Manufacturers
Failure Data
Failure Data
Database
Manufacturers
Safety Manual
Manufacturers
Installation
Instructions
7a. Select
Technology
Choose sensor, logic solver

and final element technology
7b. Select
Architecture
Redundancy: 1oo1,1oo2,
2oo3, 1oo2D
7c. Determine
Test Philosophy
No
e ida.com
SIL
Achieved?
Yes
SILver Tool
7d. Reliability,
Safety Evaluation
DD DOCUMENT Template
8. SIS Detailed
Design
9. Installation
& Commission
Planning
SILs Achieved
10. SIS Installation,

Commissioning
and Pre-startup
Acceptance Test
10
Detailed Design Documentation Loop Diagrams, Wiring Diagrams, Logic

Diagrams, Panel Layout, PLC
Programming, Installation
Requirements, Commissioning
Requirements, etc.
The realization phase begins with conceptual design of the safety

instrumented system based on the Safety Requirements Specification. The
desired technology is chosen for the sensors, logic solver and final elements.
Once the technology is chosen, often redundant devices are selected. There
are different redundant configurations that can be used with names like 1oo1
(which stands for one out of one), 1oo2, 2oo3 and 1oo2D. The architecture
chosen depends on safety and process availability needs.
10
e ida.com
Safety Lifecycle Operation Phase
11. Validation
Planning
12. Validation:
Pre-startup
Safety Review
13. Operating and

Maintenance
Planning
14. SIS startup,

operation,
maintenance,
Periodic
Functional Tests
Modify
Decommission
15. Modify,
Decommission?
11
Verify all documentation against

Hazards, design, installation testing,
maintenance procedures,
management of change, emergency
plans, etc.
16. SIS
Decommissioning
The operation phase of the safety lifecycle begins with a validation of the
design. Answer the questions. Does the system solve the problems
identified during the hazard analysis? Has the design met the target SIL for
each safety instrumented function? Have the maintenance procedures been
created and verified? Is there a management of change procedure in place?
Are operators and maintenance personnel qualified and trained?
If the answers to these questions are acceptable, the process can proceed
with startup and operation.
11
e ida.com
Safety Instrumented Function (SIF)
What to measure (sense)

What to do (actuate)
When to do (event logic)
How fast from measure to react (timing)
Loop 1
Logic
Solver
Loop 2
Loop 3
A Safety Instrumented Function (SIF) is defined as the functionality required

to protect against a specific hazard. Often this is also interpreted as the
collection of equipment needed to implement that function. Many systems
are designed using a piece of equipment in more than one SIF.
12
e ida.com
Interlocks/Safety Instrumented Functions

Light off Sequences
Trips vs. Permissives
Master Fuel Trip and Purge Sequence
Gas-Fired Systems
Oil-Fired Systems
Pulverized coal-fired systems
13
Safety Instrumented Functions for a BMS include light off sequences, trips,
permissives, fuel trip sequences and purge sequences.
13
e ida.com
Automatic Light-Off Sequence Fuel

Gas (Starting Sequence)
1. Establish an open flow path from the inlets of the
forced draft fans through the stacks.
2. An induced draft fan, if provided, shall be started.
Additional induced or forced draft fans shall be
started, as necessary, to achieve the purge flow
rate
3. Perform operational leak test of fuel header piping
while maintaining purge air flow
4. Dampers and burner registers shall be opened to
the purge position
5. Airflow set to purge rate, and purge shall be
performed
14
A number of steps are required to performed in a particular order for

automatic light- off per NFPA 85.
14
e ida.com

6. Ensure fuel control and bypass valves are closed,
then set to maintain necessary burner pressure for
light-off.
7. Igniter shutoff valve opened and necessary
pressure established.
8. Air register for burner selected for primary light-off
adjusted to light-off position
9. Source of ignition (sparks) applied to selected
igniter, if no flame in 10 seconds stop and re-purge
10. After stable flame established, dampers adjusted to
normal operating position
15
These steps involve both sequence and timing.
15
e ida.com

11. Open main fuel shutoff valves
12. Establish main burner flame is stable and
close main gas header vent valve
13. Place additional burners in service
16
The sequence is automatic as studies have shown that manual light off
procedures have been the source of many industrial boiler accidents.
16
e ida.com
Trips and Permissives

Trip Conditions and action taken to move
the heater to a safe state when a hazardous
condition is present (Master Fuel Trip)
Permissive Set of conditions that must be
met prior to an action being taken (Purge
Sequence)
17
SIF for a BMS include both trips and permissives. In a trip the SIF
recognizes a dangerous condition and shuts down the fuel source. In a
permissive the SIF looks for a dangerous before allowing an action to be
taken (typically done in a sequence).
17
e ida.com
Furnace Purge System (All Fuels)

All main, igniter, and individual
burner and igniter safety shutoff
valves are closed?
One set of ID and

FD fans running?
Are required burner

registers open?
Yes
Yes
Is air at purge rate?

Yes
Yes
Five-minute
time delay
Yes
Reset master
fuel trip relay(s)
18
The fuel purge sequence has several permissives included.
18
e ida.com
Close individual igniter safety

shutoff valve(s) and
deenergize sparks
1.
Loss of igniter flame
2.
Igniter fuel pressure out of stable range
3.
See Note
Loss of ID fan
6.
Loss of ID fan
Fuel Gas Trip System
5. Cut back main fuel
8.
Combustion airflow low
9.
Excessive furnace pressure
10a.
Burner header fuel pressure high
10b.
Burner header fuel pressure low
11.
Loss of all flame
12.
Partial loss of flame introducing hazard
A
N
D
4. Loss of FD fan
7. Loss of FD fan
13.
All fuel inputs zero
14.
Manual trip switch
15.
Loss of individual burner flame with one or more additional

stable burner flames present
Master
Fuel Trip
Logic
Master
Fuel Trip
Relay(s)
Close main safety shutoff
and individual burner safety
valves
Close individual burner safety shutoff valve(s) and

its individual igniter safety shutoff valve(s) and
deenergize the associated sparks
Note: Based upon two pairs of ID and IF fans; other

arrangements of fans affect actions in blocks 3, 4, 5, 6, and 7
Based on Figure 6-6.3.1.1 NFPA 8502
Typical Cause of
Trip Indication
Close igniter header and

individual igniter safety shutoff
valves and deenergize sparks
19
There are a number of specific SIF required in NFPA standards. Thirteen

specific hazards have been identified with prescriptive safety instrumented
functions assigned.
19
e ida.com
Fuel Oil Trip System
1.
2.
3.
Igniter atomizing medium out of stable range
4.
See Note
Loss of ID fan
7.
Loss of ID fan
9.

deenergize sparks
A
N
D
5. Loss of FD fan
8. Loss of FD fan
Typical Cause of
Trip Indication

10.
11.
12.
Low main oil burner pressure
13.
Atomizing medium pressure improper
14.
Manual trip switch
15.
Loss of all flame
16.
Partial loss of flame without introducing hazard
17.
Loss of individual burner flame with one or more additional

stable burner flames present
Master
Fuel Trip
Logic
Close main safety shutoff

valve, circulating valve,
recirculating valve, and
individual burner safety
shutoff valves
Close individual burner safety shutoff valve(s) and

its individual igniter safety shutoff valve(s) and
deenergize the associated sparks

Master
Fuel Trip
Relay(s)
20
The SIF are different depending on fuel type. Although many hazards are
similar, different fuels may present different hazards.
20
e ida.com
Coal Trip System

1.
2.
3.
Igniter atomizing medium improper
9.
10.

deenergize sparks
4.
Loss of ID fan
7.
Loss of ID fan
A
N
D
5. Loss of FD fan
8. Loss of FD fan
Typical Cause of
Trip Indication


11.
12.
Manual trip switch
13.
Loss of all flame
14.
Partial loss of flame introducing hazard
15.
Loss of main burner flame
Master
Fuel Trip
Logic
Master
Fuel Trip
Relay(s)
Other subsystems
Stop coal flow to pulverizers

and burners
Follow tripping strategy

in 8-4.4.2

21
There are fewer hazards in a coal fired system and that shows in the NFPA
SIF chart for coal.
21
e ida.com
SIF Definition Example

Low Fuel Gas Pressure Causes MFT
Hazard: Low fuel gas pressure causes loss of flame and
accumulation of unburned flammable mixture, which
may explode if ignited
Sensors: Fuel gas low pressure switch, total loss of flame

Final
Main fuel header safety shutoff valve(s) are closed,
Elements: individual burner shutoff valve(s) are closed
** SIF can be manually actuated
This information should be documented in a Safety
Requirements Specification per ISA 84.01 and IEC
61508/61511
22
As an example, one particular hazard is low fuel gas pressure. This hazard
may cause loss of flame and the accumulation of unburned fuel which may
explode if ignited. A SIF designed to protect against this hazard has fuel
gas pressure sensors and a flame sensor. If dangerous conditions are
detected, the final elements will stop fuel flow via shutoff valves.
22
e ida.com
Typical SIF in NFPA 8502 Compliant

BMS (Fuel Gas Only)
Loss of igniter closes igniter
valves
Igniter pressure high/low
closes igniter valves
Loss of fans causes master
fuel trip
Low combustion airflow
causes master fuel trip
High furnace pressure
High fuel header pressure
Low fuel header pressure

Total loss of flame causes
master fuel trip
Partial loss of flame causes
burner valve trip
Low steam drum level
causes MFT
High steam drum pressure
causes MFT
23
A number of typical SIF are included in the NFPA standards as a function of

fuel type. Each SIF has sensors to detect the condition and takes some
action to move the combustion equipment to a safe state. Usually this
involves shutting off the fuel flow and possibly other actions as well.
23
e ida.com
Example SIF in NFPA 8502 Compliant

BMS
24
In one example BMS system designed using the Safety Lifecycle, risks were
assessed and a SIL level was assigned to each SIF. NFPA standards were
followed along with normal hazard identification and risk assessment. SIF
were designed to meet various levels of risk with redundancy used to
achieve NFPA standards, plant availability requirements and risk reduction
requirements.
24
e ida.com
SIF Verification
Definition: SIF Verification

The process of demonstrating by
analysis that the design of each
identified safety instrumented function
meets the integrity requirement
specified in the SRS.
When the equipment for each SIF is chosen, an analysis is done to verify
that the design meets the safety and availability requirements. This step is
called SIF verification.
25
e ida.com
BMS SIF Design
Failure Modes
Diagnostics
Architectures
Common Cause
Failure modes of the equipment, diagnostic capability of the equipment,

redundancy and any possible common cause failure of the redundant
equipment must be considered.
26
e ida.com
Programmable Electronic Systems

have multiple failure modes!
Two critical failure modes for Safety Instrumented
Systems:
For De-Energize to Trip-
1. Outputs de-energized
or open circuit.
SAFE
DANGEROUS
2. Outputs energized or
frozen short circuit.
27
The equipment used to implement protection systems has multiple failure

modes. The two of most significance are safe and dangerous.
In a normally energized safety system (de
- n
eergize to trip) safe is de
energize, dangerous is energized.
27
e ida.com
Diagnostics
Online diagnostics allow:

Quick repair of failed units reduces time operating in degraded
condition.
Conversion of dangerous failures
to safe failures with automatic
shutdown capability.
Diagnostic capability measured by C = Coverage

Factor, the percentage of failures that will be detected.
CS = Coverage Factor for Safe Failures
CD = Coverage Factor for Dangerous Failures
It is recognized that diagnostics are critical to the proper operation of a

safety equipment. Diagnostics tell the user when the a system component
has failed so that the system does not operate in a degraded mode for a
long period of time. Diagnostics may also be used to directly implement a
trip if that is justified.
The online diagnostic capability of equipment is measured by its Coverage
Factor, the chance of detecting a failure given that one occurs.
Different coverage factors are needed for safe versus dangerous failures.
28
e ida.com
ARCHITECTURES
+
Output Circuit
Sensor
Input
Circuit
Logic Solver
Common Circuitry
Actuator
MP
Final Element
1oo1 Architecture.
29
Different architectures are also used. Sometimes no redundancy is needed.

This architecture is known as 1oo1, one out of one. One set of equipment
is needed to shutdown the process and one set is there.
29
e ida.com
Output Circuit
Input
Circuit
Logic Solver
Common Circuitry
MP
Sensor
Output Circuit
Input
Circuit
Logic Solver
Common Circuitry
Actuator
MP
Final Element
1oo2 Architecture
30
Often the calculations show that one set of equipment is not enough to meet
the risk reduction targets. Another architecture used in such a situation is
the 1oo2. Only one set of equipment is needed to shutdown the process
but two sets are provided. This architecture provides higher safety but has
the disadvantage that either set of equipment can cause a false trip if it fails
safe.
NOTE: See exida on
- line lesson System Reliability Engineering for more
information on architecture evaluation.
30
e ida.com
A
Output Circuit 1
Logic Solver
Input Circuit
Common Circuitry
MP
Output Circuit 2
B
Sensor
Output Circuit 1
Logic Solver
Input Circuit
Common Circuitry
MP
C
Input Circuit
Output Circuit 2
Voting Circuit
Output Circuit 1
Logic Solver
Common Circuitry
MP
Output Circuit 2
2oo3 architecture.
Actuator
Final Element
31
In some cases a 2oo3 architecture is chosen. This arrangement has three

sets of equipment provided with a vote such that one set can fail in either
mode and the architecture remains successful.
31
e ida.com
Common Cause
The failure of two or more
units in a redundant system
due to a common stress.
Heat
Humidity
Chemical Corrosion
What Stress?
Shock
Examples?
Vibration
Electrical Surge
Electrostatic Discharge
Radio Interference
Human Errors
32
Can two or more pieces of equipment fail due to the same stress?
How about the triple redundant system with all three processors mounted in
the same rack. A mechanic calls on the radio and shuts down all three
simultaneously.
The Boeing 747 has four redundant hydralic systems. If this system fails the
plane will crash. Need all four? On July 30, 1971 a PANAM 747 took off
from San Fran on a short runway. It was too low. It failed to clear a pier at
the end of the runway. Various steel shafts ripped the hull and ruptured
three of the four systems. The fourth system worked and the plane landed
safely.
This was a common cause stress!
32
e ida.com
Common Cause
A common
cause failure
is a system
failure.
Power Supply
system failure
Power Supply Power Supply

A fails
B fails
33
Common
Cause Power
Supply
Common cause failures reduce the effectiveness of redundancy and this

must be considered in the design. A common cause failure will often fail the
system.
NOTE: See the exida on
- line lesson System Reliability Engineering for more
information on common cause analysis.
33
e ida.com
SIF Verification Task
Safety Requirements
Specification - Safety
Function Requirements
including target SIL
Manufacturers
Failure Data
7d. Reliability and

Safety Evaluation
Failure Data
Database
PFDavg, RRF
MTTFS,
SIL achieved
Given all the information about equipment type, equipment failure rates, equipment
diagnostic capability, common cause susceptibility and operating time intervals a safety
and availability analysis is done to verifiy that the design requirements have been met.
The key variables calculated are:
PFDavg Average Probability of Failure on Demend
RRF Risk Reduction Factor
MTTFS Mean Time To False, Spurious Trip
SIL Safety Integrity Level achieved by the design
34
e ida.com
BMS - Safety Function Example

Low steam drum level causes Master Fuel
Trip
9 On detection of low level of water firing should

be stopped
9 Low level of water may result in loss of integrity
of the stream drum vessel and potential physical
explosion of the steam drum
9 A level switch accomplishes detection of an
abnormal condition
35
As an example, consider the high steam drum level hazard. If this hazard is
detected, a master fuel trip is done.
35
e ida.com
Safety Function Architecture

Fuel
Level
Switch
Logic
Solver
To burners
BMS system consists of 6 individual burners

36
This system has six burners. The equipment for this SIF includes a level
switch wired into a safety PLC. The safety PLC must deenergize seven
outputs that control the main fuel valve and six burner fuel valves. One set
fo equipment is provided in a 1oo1 architecture.
36
e ida.com
Fault Tree BMS safety function (I)

Drum level SIS fails
Sensor
system fails
Logic solver
system fails
Actuator
system fails
Level
switch
fails
Logic
solver
fails
37
A fault tree for this set of equipment starts with an OR gate as failure of the
sensor subsystem or the safety PLC or the valve subsystem will cause a SIF
dangerous failure.
37
e ida.com
Fault Tree BMS safety function (II)

1
Master
fuel
valve
fails
Burner
1
valve
fails
Burner
2
valve
fails
38
Burner
3
valve
fails
Burner
4
valve
fails
Burner
5
valve
fails
Burner
6
valve
fails
The valve subsystem is more complicated. It will fail to stop the fuel if the
main valve fails dangerously and any one of the burner valves fail
dangerously.
38
e ida.com
BMS Equipment Data

Dangerous
failure rate
(1/106 hours)
Dangerous
MTTF (years)
Test
Interval
(months)
Dangerous
Pfd
Approx.
Dangerous
Pfdavg
4.6
24.82
12
0.03949
0.02015
12
0.0000353
Main Fuel Shutoff valve
3.7
30.85
12
0.03189
0.01621
Burner Shutoff valve
2.9
39.36
12
0.02508
0.01217
Equipment item
Level Switch
Safety PLC
39
The dangerous failure rates for the various pieces of equipment are collected
and PFD calculations are done for each device. It is assumed that there are
no diagnostics for the level switch or the valves.
The PFDavg for the safety PLC was provided by the manufacturer.
39
e ida.com
Fault Tree Results

Drum level SIS fails
Sensor
system fails
0.03949
Logic solver
system fails
---
Level
switch
fails
Logic
solver
fails
Fault Tree calculations

only with probabilities
not with average probabilities
---
Actuator
system fails
0.14138
Burner
1
valve
fails
Burner
2
valve
fails
Burner
3
valve
fails
Burner
4
valve
fails
0.02508
0.02508
0.02508
40
0.02508
0.00451
0.03189
Burner
5
valve
fails
Master
fuel
valve
fails
Burner
6
valve
fails
0.02508
0.02508
Feeding the probability numbers into the fault tree provides an overall
probability of failure for the SIF.
40
e ida.com
Markov Model BMS safety function

DMV
6DBV
Master
fuel
valve
fails
DMV
System
OK
6DBV
System
fail
dangerous
One
burner
valve
fails
DLevel Switch + DLogic Solver

MV : Master fuel valve
BV : Burner valve
41
The SIF probability of failure could also be calculated with a Markov model.
41
e ida.com
PFDavg Calculation (I)

IEC 61508 states:
Pfdavg(Safety Instrumented Function) =
Pfdavg(Sensor) + Pfdavg(Logic Solver) + Pfdavg(Actuator)
BMS SIF:
Pfdavg
= 0.02015 + 0.0000353 + 0.00157

= 0.02172
SIL 1
Pfdavg(Actuator): calculated using Markov Model
42
When the PFD numbers are obtained, they are compared to the SIL chart
and it is determined that a SIL1 requirement could be met by this design.
42
e ida.com
PFDavg Calculation Results

0.07
0.00
Sensor
Logic Solver
Actuator
0.93
43
Looking at the PFD numbers, it is clear that the sensor is contributing most
of failure probability.
43
e ida.com
Conclusion SIF Example

Sensor system is most dominant in Pfdavg of
Safety Instrumented Function

Improving sensor system will be most effective
9 Consider adding voting
9 Additional level indications
9 Capacitance type level switch
9 Differential pressure level transmitter
44
If SIL1 is not acceptable for this SIF, a better sensor subsystem must
designed. Alternatives include the use of an analog level transmitter or
redundant level switches or even a combination of both.
44
e ida.com
General Lesson Objectives

Review Standards for BMS
Show Safety Functions for typical/example
BMS
Review BMS design process
Present example BMS safety function
verification
45
This lesson has presented a review of some standards tht apply to BMS
design focusing on NFPA 85 and IEC 61508. Typical SIF listed in NFPA
were presented along with an example BMS set of SIF. The Safety Lifecycle
design process was reviewed and a particular SIF verification example was
presented.
Review the lesson again if all the concepts were not clear. When ready,
proceed to the on
- line quiz.
45
e ida.com
Questions
Questions: please send any questions to
info@exida.com We will respond as soon as possible.
Additional Resources:
Free articles are available to download from the
exida.com website. These can be reached at
http://www.exida.com/articles.asp
Additional resources including books, tools, and reports
are available from the exida on-line store. A product
listing is available at http://www.exida.com/products2/
46
If have any questions, they may sent via email to info@exida.com. Please
refer to this particular lessonBurner Management System Safety Functions.
exida.com is a knowledge company focused on system reliability and safety.
We provide training, tools, coaching, and consulting. For general information
about exida, please view our detailed website at www.exida.com.
Thank you for your interest. Please consider other lessons in the on
- line
training series from exida.com.
46

Burner Managment System

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Burner Managment System

Hochgeladen von

Copyright:

Verfügbare Formate

Burner Management System

Welcome to the exida.com on

Copyright exida.com LLC 2001-2002

Prerequisite and Companion Lessons

It is recommended that the exida on

Copyright exida.com LLC 2001-2002

General Lesson Objectives

Copyright 2002, exida.com

Over the duration of this course the participant will:

Copyright exida.com LLC 2001-2002

ANSI/NFPA 85C An American National Standard August 16, 1991

Copyright 2002, exida.com

Copyright exida.com LLC 2001-2002

ANSI/ISA 84.01 Standard

Copyright 2002, exida.com

Copyright exida.com LLC 2001-2002

FM 7605 Equipment Certification

WManufacturing facilities examination.

Copyright 2002, exida.com

FM standard 7605 builds upon an international functional safety standard

Copyright exida.com LLC 2001-2002

IEC61508 - Consensus Standard

IEC 61508 is an international standard for functional safety created by a number of

Copyright exida.com LLC 2001-2002

IEC 61508 - Objectives

A key objective of of IEC61508 was to address accident causes by creating

Copyright exida.com LLC 2001-2002

Safety LifecycleAnalysis Phase

excellence in dependable automation

Develop non SIS Layers

SRS DOCUMENT Template

Safety Requirements SpecificationFunctional Description of each Safety

excellence in dependable automation

Copyright 2002, exida.com

Copyright exida.com LLC 2001-2002

Safety Lifecycle Realization Phase

Safety Requirements Specification Functional Description of each Safety

Choose sensor, logic solver

excellence in dependable automation

10. SIS Installation,

Detailed Design Documentation Loop Diagrams, Wiring Diagrams, Logic

Copyright 2002, exida.com

The realization phase begins with conceptual design of the safety

Copyright exida.com LLC 2001-2002

Safety Lifecycle Operation Phase

13. Operating and

14. SIS startup,

Verify all documentation against

Copyright 2002, exida.com

Copyright exida.com LLC 2001-2002

Safety Instrumented Function (SIF)

What to measure (sense)

A Safety Instrumented Function (SIF) is defined as the functionality required

Copyright exida.com LLC 2001-2002

Interlocks/Safety Instrumented Functions

Copyright 2002, exida.com

Copyright exida.com LLC 2001-2002

Automatic Light-Off Sequence Fuel

A number of steps are required to performed in a particular order for

Copyright exida.com LLC 2001-2002

Automatic Light-Off Sequence Fuel

Copyright 2002, exida.com

These steps involve both sequence and timing.