Improving Safety of Burner Management Systems

Improving Safety of Burner Management Systems
Andrew Yick P.Eng

Technical Specialist
Spartan Controls
2016 Western BLRBAC Spring

Agenda
• Burner Management Systems (BMS) Fundamentals
• History of Burner Management Systems
• Understanding Regulatory Requirements
– CSA B149.3-2015 Gas Code Update
– Safety Instrumented Systems (SIS) Overview
• Improving BMS Safety Best Practices
• Helping Operators
Spartan Controls Confidential | Page 2

Section #1
Burner Management Systems (BMS) Fundamentals
What is a Burner Management System used for?

Burner Management Systems (BMS)
A Burner Management System is ….
• “A control system that is dedicated to the safety,

operator assistance in starting and stopping of fuel
preparation and burning equipment and the prevention of
mis-operation of and damage to fuel preparation and fuel
burning equipment”

Manages Safe Operations & Sequencing of Burner
Typical Boiler Sequence

Waiting For
Purge Purge Boiler Boiler
Boiler Tripped Offline Permissives Purging Complete Lighting Lit
1 2 3 4 5 6 7

Components of a Typical BMS
BMS Controller
Boiler Protection
Air
Pilot Fuel Train
Flame Scanners
Aux Fuel & Liquor Fuel Train
Igniters

Segregation of Process Control & Safety Controls
A BMS may communicate with, but is
completely independent of the combustion
control system (CCS)
Combustion
Controls BMS

BMS Instrumentation Components
Fuel Gas
Flow and Pressure
Measurement
Fuel Gas Flow
Control Valve
Fuel gas pressure regulators
Flame Scanner
Manual Valves
Test Firing Valves
CSA 6.5 Gauges
Automatic Safety
Shut Off Valves Ignitors
Automatic Safety Shutdowns
• Fuel Flame Scanning
• Fuel Pressures
• Air Flow & Fan Status
• Asset Protection
– Steam Drum Pressure
– Drum Level
– Furnace Pressure

Challenges of Recovery Boiler BMS Systems:
• Water-Smelt Hazard
– Pressure Parts / Leaks
– External Water Entry
– Low Solids Liquor
– Poorly Atomized Liquor
• Hot Restart Risk
– Aux Fuel & Pyrolyzed Liquor
– Poor Conditions for Liquor
• Liquor Header Washes / Purges
• ESP / Rapid Drain
• Dissolving Tank Explosions Reference: Babock & Wilcox

Consequence of Inadequate BMS

Section #2
History of Burner Management Systems in Recovery Boilers

History of Burner Management Systems – Relay Panels

History of Burner Management Systems – Relay Panels

History of Burner Management Systems – Purpose Built

History of Burner Management Systems – Custom PLC’s
Many Systems Being Upgraded Now

How Do I Improve Safety for next 20 years?
Section #2
Understanding Regulatory Requirements

BMS Standards and Guidelines

Standards Summary
Prescriptive
Performance
Standards Guidelines
Standards
CSA B149.3 BLRBAC
IEC 61508/61511
NFPA
Highest Overall
Safety
Opportunity for innovation and

improvement, go beyond meeting
minimum safety requirements
Black Liquor Recovery Boiler Advisory Committee (BLRBAC)
Guideline:
Recommends what to do and how to do it
Recovery Boilers:
• Black Liquor Fuel
• Auxiliary Fuel
• Emergency Shutdown & Rapid Drain

BLRBAC – It’s Online!

Canadian Standards Association
Prescribes:
Dictates what to do and how to do it
CSA B149.1 – Natural gas & propane
CSA B149.2 – propane storage and handling
CSA B149.3 – Field approval of gas fired appliances

Canadian Standards Association – Your Responsibility
Compliance to CSA 149 is mandated by Authority Having
Jurisdiction (AHJ) in each province by law (safety acts)
Compliance is required by owners, designers, vendors,

manufacturers, contractors
Violations resulting in injury or death is a criminal offence
"217.1 Every one who undertakes, or has the authority, to direct how another person
does work or performs a task is under a legal duty to take reasonable steps to prevent
bodily harm to that person, or any other person, arising from that work or task.“
(Bill C-45, Amendment to Canadian Criminal Code)

Major Changes in CSA B149.3-2015 – Summary
• Documentation Requirements
• Pressure/Temperature Safety Limits
• Gas Pressure Safety Limit Controls
• Annex F – Valve Proving Systems
• Annex H – Liquid Fuels
• Safety Instrumented Systems Programmable Controllers

Changes in CSA B149.3-2015 – Documentation
7.1.1 As a minimum the following documentation shall be provided:
(a) Description of any hazardous condition …
(b) Process and Instrumentation Diagram (P&ID).
(c) Bill of Materials (BOM) or component data sheets …
(d) Wiring diagram.
(e) Burner management system specification.
(f) Operating narrative, shutdown key/cause and effect diagram, ladder logic,
installation, operation, and maintenance manual or other suitable description
of appliance operation.
(g) Specification of electrical area classification
(h) Commissioning/combustion report with equipment/permissive set-points
and stack readings at maximum fire.
(i) For an appliance approved for use with different fuels, a switch-over
procedure to be followed by the operator ..

Changes in CSA B149.3-2015 – Temp/Pressure Safety Limits
9.4.1 An appliance that heats a liquid or vapor shall be equipped with

approved safety devices provided with a manual-reset feature or shall
require operator attention before resuming operation, the sole function
of which shall be to shut off the fuel supply in the event of
(a) low liquid level in an appliance with a minimum liquid level that requires
continuous immersion in a liquid for safe operation;
(b) low liquid or vapor flow in an appliance that requires flow for safe
operation;
(c) high fluid temperature for an appliance where the temperature can exceed
a safe operating limit. Where portions of the appliance are sufficiently
independent, multiple temperature sensors might be required;
(d) high pressure for vaporizing appliances which are pressure controlled and
pressure is a function of temperature; or
(e) low water in a water boiler located above the hot-water circulating system.

Changes in CSA B149.3-2015 – Annex H (Liquid Fuels)
This Annex is not a mandatory part of this Code. However, it is written in

mandatory language to accommodate adoption by the authority having
jurisdiction.

Changes in CSA B149.3-2015 – Annex H (Liquid Fuels)

Changes in CSA B149.3-2015 – Programmable Controllers
9.7.1 General
When programmable microprocessors are used as a primary safeguard
device, they shall conform to CSA C22.2 No. 0.8, or to the requirements
of Clause 9.7.2, or be certified to IEC 61508.
Where IEC 61508 is used, a functional safety assessment shall be

performed by competent personnel other than the designer, to verify
full compliance with the IEC 61511 standard.

IEC 61508 / 61511(ANSI/ISA S84) - Safety Instrumented Systems
• “How to You Measure Safety in a Traditional PLC Controller?”
• Performance Based Standard

– Safety needs to be quantified
– Internationally recognized
– Auditable
• IEC 61508 – Functional Safety of electrical, electronic and

programmable electronic safety related systems.
• IEC 61511/ISA S84 – Safety Instrumented Systems for Process Sector

Why Safety Instrumented Systems (SIS)?
• Safety is performance-based – designed to required SIL level to

mitigate identified risks.
• Independent from all other control systems
• Includes sensors, logic solvers, and final control elements
• Designed, maintained,
inspected and tested per
logic
applicable standards and solver
recommended practices
sensor
final
control
element

The IEC 61511 Safety lifecycle

Safety Instrumented System Design Process
• Identify hazards
PHA • Evaluate safeguards
• Define SIF’s
SRS • Define SIL for each SIF
• Specify devices
Design • Design architecture
• Verify SIL meets SRS

Verify

Process Hazard Analysis (PHA)
HAZOP
What If?
Checklist
PHA FMEA
Fault Tree
Event Tree
LOPA
Layers of Protection Analysis (LOPA) Risk Reduction

Safety Integrity Level (SIL) Matrix
Risk = Likelihood x Consequence
SIL General description

4 Catastrophic community impact
3 Employee & community impact
Major Property and Production Impact;
2
Possible Injury to Employee
1 Minor Property and Production Impact

SIL Risk Reduction Factor
The level of risk reduction provided by a Safety

Instrumented Function is quantified into “Safety
Integrity Levels” or “SILs”.
Risk Reduction Probability of Failure Safety Integrity

Factor (RRF) on Demand (PFD) Level (SIL)
10,000 to 100,000 10-5 ≤ and < 10-4 SIL 4
1000 to 10,000 10-4 ≤ and < 10-3 SIL 3
100 to 1000 10-3 ≤ and < 10-2 SIL 2
10 to 100 10-2 ≤ and < 10-1 SIL 1

Safety Instrumented Functions
Safety Process conditions What to do SIL
function
SIF #1 High level Drive output 1 1
SIF #2 High pressure Drive outputs 1 + 2 3
SIF #1
SIF
#2

Safety Calculations
PFDSIF1 = PFDPT-101 + PFDlogic solver + PFDFV-101
SIF #1 Logic
solver
PT-101
FV-101
Engineer the System to Meet/Exceed SIF Requirement

Safety Lifecycle Management Plan
• Security
• Proof Testing Cycle
• Calibration Procedures
• Valve Leak Testing Procedures
• Checklists & Documentation

SIS and BMS Proof Testing
Testing of Instruments, Interlocks, Valves, Logic Solver

BLRBAC & Safety Instrumented Systems Alignment
DESCRIPTION SIS BLRBAC

PHA / HAZOP ✓
Layers of Protection Analysis ✓ ✓
Safety Requirements Specification ✓
Safety SIL Calculations ✓
Commissioning & Startup Checks ✓ ✓
Safety Lifecycle Management Plan ✓ ✓
Proof Testing ✓ ✓
System Security ✓

Safety Instrumented Systems (SIS) for ESP / Rapid Drain

Section #3
Improving BMS Safety Best Practices

Challenges with Older / Conventional PLC Based BMS Systems
• Limitations with PLC Controllers (Not IEC 61511 SIS Rated)

– “Do Not Know How Safe”
• Watchdog Timers
• Master Fuel Trip Relays
• Input & Output Checking
– Easy to Bypass Interlocks / Trips Compromising Safety
– Typically Non-Redundant Systems – Reliability Concerns

Bypasses – Not Allowed!
BLRBAC
CSA B149.3

Managing Bypasses
• User Security to Enter BMS System
• Need Logic Blocks that allow only selective bypasses
• Logic Code Cannot Be Changed Online
• Clear HMI graphics & alarm of bypass
• Logged event history
• Bypass Timeouts BMS

Change Management Process
Secure user-access for BMS is best practice
BPCS BMS

Change Management Process
MOC Workflow
Best Practices
• Audit trail of logic changes

• Comprehensive record of events and
diagnostic faults
• User security access to BMS
• Logic lock-down capability
• As-Built vs As-Found Checks (CRC)
The end user shall not make program alterations without written approval from the
system designer or a qualified professional engineer in conjunction with the system designer.
CSA B149.3-2015 (9.7.2)

Improving Safety or Reliability – Voting Schemes
• BMS redundancy at controller and I/O

• Instrument or I/O faults should trip BMS
• Improve availability and/or safety with voting algorithms
1oo1 = One out of One
1oo2 = One out of Two
2oo3 = Two out of Three

Safety Reliability Depends on the Total Safety Loop!
Scaled to match
traditional
focus
Scaled to match
actual
frequency of
failure*
Only 8% of SIS failures are in the Logic Solver!
*Source: OREDA (Offshore Reliability Database)

Improving Safety: Switches vs Transmitters

Security Concerns
• Field Set Trip “Wrench” Setpoint
• Open Access
• No Audit Trail
• Difficult to Prove Operation

Wiring:
• Fail Safe Wiring a MUST
• “Break to Trip”
• Easily Bypassed
BMS

A Better Approach…
• Setpoint Secured in BMS Logic

• 4-20 mA cannot be Jumpered
• Trends for Operators
• Easier to Commission
• Can Handle Multiple Functions
• Purge Air + Minimum Air Flow Trip
• More Accurate/Repeatable

Improved Process Visibility = Improved Safety
Example: Oil Atomizing Steam
• Steam Pressure > Oil by 20-30 psi
• Steam Temperature > Oil Temperature
• Steam Above Superheat

Improving Safety: Safety Shutoff Valves
Safety Shutoff Valves must comply with…
CSA 6.5 - Automatic Valves for Gas Applications

• Construction
• Performance
• Testing
What are the risks?

Valve Seating Issues

Section #3
Helping Operators…

Recovery Boiler Explosions
• In North America, 25 explosions from 1984 to 2012
– Most caused by Pressure Part failure
– Half of explosions involved a leak (not detected by BMS),
undetected by operators, followed by a hot restart
Reference: WBIA Industry Days, Recovery Boiler Presentation, Bob DeCaigny

The Challenge…

Alarm Management – A Problem
Oil & Gas PetroChem Power Other Best Practice Standard
Average Alarms
per Day
1200 1500 2000 900 ~150-300 ~150-300
Average Alarms/
6 9 8 5 ~ 1-2 ~ 1-2
10 Minute Interval
Peak Alarms
per 10 Minutes
220 180 350 180 ≤ 10 ≤10
Average Standing 50 100 65 35 <10 <5

Alarms
Distribution % 80/15/5 80/15/5

25/40/35 25/40/35 25/40/35 25/40/35
(Low/Med/High)
Actual Recommended
Source: Matrikon
Alarm Management – A Solution – ISA 18.2 Standard
We Need Smarter “Context Sensitive” Alarms
• Simple Alarms (ie High / Low Alarm) are Inadequate
• Require Smarter Alarms (Context Sensitive) to detect:

– Increases in ID Fan Speed / Unstable Draft
– Rapid Swings in Drum Level
– Major Differences in Steam Flow & Feedwater Flow
– Imbalances in Furnace Temperatures
• Each Alarm Requires an Action

Embedding Knowledge Into Alarm System
Alarm: Possible Leak Trip
(High Furnace Pressure and Low

Drum Pressure)
System Forced Feedwater in

Manual at 0%
Corrective Action:
Check For Boiler Leaks before
setting feedwater back to AUTO
Improving Operator Interfaces – Human Centered Design
Trip and
Permissive
conditions
clearly Detailed
displayed status of
and easily trips or
accessible permissives
available
Training / Learning Methods

Recovery Boiler Operator Training Systems / Simulators
Airplane Simulator Recovery Boiler Simulator

Basics of a Operator Training Simulation System
Trainer
Operator

Scored Training Scenarios
• Startup & Shutdown

• Hot Restart
• Responding to alarms
• Abnormal Situations
– Water Leaks
– Air Issues
– Liquor Quality Issues

Recovery Boiler “Single Input” & Consumed Air Control
Put the unit on One operator Equipment, Minimum target

“cruise control” entry or remote process, and >95% of time on
setpoint emissions automatic control
establishes constraints built
process rate in
95%
On

Summary
• Many old systems being upgraded – consider safety improvements

• Safety regulations include prescriptive standards (CSA B149.3),
performance based standards (IEC 61508/61511 SIS) and guidelines
(API, BLRBAC). Highest overall safety is achieved by utilizing all three.
• Help operators and improve safety with:
– Better Alarming & Operating Interfaces
– Simulation Training
– Simplified Controls
Thank you for your time….any questions?
Andrew Yick P.Eng

Technical Specialist
Spartan Controls
yick.andrew@spartancontrols.com
Spartan Controls Confidential

Improving Safety of Burner Management Systems - Spartan Controls

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Improving Safety of Burner Management Systems - Spartan Controls

Hochgeladen von

Copyright:

Verfügbare Formate

Andrew Yick P.Eng

2016 Western BLRBAC Spring

Spartan Controls Confidential | Page 2

Spartan Controls Confidential | Page 3

• “A control system that is dedicated to the safety,

Spartan Controls Confidential | Page 4

Typical Boiler Sequence

Spartan Controls Confidential | Page 5

Pilot Fuel Train

Spartan Controls Confidential | Page 6

Spartan Controls Confidential | Page 7

Fuel gas pressure regulators

Spartan Controls Confidential | Page 9

Spartan Controls Confidential | Page 10

Spartan Controls Confidential | Page 11

Spartan Controls Confidential | Page 12

Spartan Controls Confidential | Page 13

Spartan Controls Confidential | Page 14

Spartan Controls Confidential | Page 15

Many Systems Being Upgraded Now

Spartan Controls Confidential | Page 17

Spartan Controls Confidential | Page 18

Opportunity for innovation and

Spartan Controls Confidential | Page 20

Spartan Controls Confidential | Page 21

Spartan Controls Confidential | Page 22

Compliance is required by owners, designers, vendors,

Violations resulting in injury or death is a criminal offence

Spartan Controls Confidential | Page 23

Spartan Controls Confidential | Page 24

Spartan Controls Confidential | Page 25

9.4.1 An appliance that heats a liquid or vapor shall be equipped with

Spartan Controls Confidential | Page 26

This Annex is not a mandatory part of this Code. However, it is written in

Spartan Controls Confidential | Page 27

Spartan Controls Confidential | Page 28

Where IEC 61508 is used, a functional safety assessment shall be

Spartan Controls Confidential | Page 29

• “How to You Measure Safety in a Traditional PLC Controller?”

• Performance Based Standard

• IEC 61508 – Functional Safety of electrical, electronic and

• IEC 61511/ISA S84 – Safety Instrumented Systems for Process Sector

Spartan Controls Confidential | Page 30

• Safety is performance-based – designed to required SIL level to

Spartan Controls Confidential | Page 31

Spartan Controls Confidential | Page 32

• Verify SIL meets SRS

Spartan Controls Confidential | Page 33

Spartan Controls Confidential | Page 35

Risk = Likelihood x Consequence

SIL General description

Spartan Controls Confidential | Page 36

The level of risk reduction provided by a Safety

Risk Reduction Probability of Failure Safety Integrity

Spartan Controls Confidential | Page 37

Spartan Controls Confidential | Page 38

PFDSIF1 = PFDPT-101 + PFDlogic solver + PFDFV-101

Engineer the System to Meet/Exceed SIF Requirement

Spartan Controls Confidential | Page 40

Testing of Instruments, Interlocks, Valves, Logic Solver

DESCRIPTION SIS BLRBAC

Spartan Controls Confidential | Page 42