Feature Report
Part 1

Avoid Common Mistakes When Specifying Burner Management Systems

While some aspects of burner management systems may seem intuitive, overcoming misconceptions in their specification and design will help to elevate overall safety

Charles Fialkowski
Siemens Industry

CHEMICAL ENGINEERING WWW.CHEMENGONLINE.COM OCTOBER 2018

IN BRIEF
AGREEING ON THE NAME
INDUSTRY STANDARDS
REDUNDANCY IS NOT ALWAYS REQUIRED
NOT ALL LOGIC SOLVERS ARE EQUAL
INTEGRATION WHILE INDEPENDENT
MANAGE YOUR CHANGES
MORE HARDWARE, LESS AVAILABILITY

Boilers, burners, furnaces and fired heaters, along with any other fuel-burning equipment, are considered high-risk areas within the chemical process industries (CPI). This is due to their extreme operating conditions, complex sequencing and the processing of hazardous materials, all of which result in a wide range of safeguarding measures that must be applied to prevent accidents (Figure 1). One of the more commonly used and widely accepted safeguarding approaches is the use of safety-related systems that are implemented through programmable logic control (PLC) technology.

FIGURE 1. The complexity of CPI heating processes, including boilers, burners, furnaces and more, necessitates much effort being applied to ensure their safe operation

This article presents an overview of safe burner management and reviews seven common mistakes that users of these technologies may struggle with when evaluating and specifying a modern burner management system (BMS). Performance-based standards published in recent years control the design of these technical safety systems. These standards include technology-oriented requirements covering so-called adequate implementation, and the “fit-to-purpose” tailoring of equipment. However, to obtain functional safety, this approach demands more management, competency and planning than the prescriptive requirements of original codes and standards.

Agreeing on the name

Over the years, the term “burner management system” (or BMS) seems to have spawned several aliases, such as burner safety system, combustion safeguard, flame safeguard, boiler safety system and so on. These multiple names continue to cause a great deal of confusion throughout the industry.

By definition, a BMS includes the logic system, field devices and final control elements, and is dedicated to ensuring combustion safety and operator assistance in the starting and stopping of all fuel-preparation and burning equipment (Figure 2). The Boiler and Combustion Systems Hazards Code (NFPA 85) by the National Fire Protection Agency (NFPA; Quincy, Mass.; www.nfpa.org) is an important industry standard that outlines these requirements [1].

FIGURE 2. A modern, safety-rated PLC-based BMS may include several components, including sensors and final control elements

In the practical sense, a BMS is a safety instrumented system (SIS) since it is an instrumented system that includes sensors, a logic solver and final control elements that is used to reduce process risk (for instance, a furnace explosion). In conjunction with the BMS, there exists the need to provide all of the non-safety-related process-control functions, also known as the combustion control system (CCS). Conventionally, the CCS provides the regulatory control functions (air flow, fuel flow, drum level and so on), while the BMS ensures and maintains safe conditions as the equipment is sequenced through the various operating modes (pre-lightoff, normal operation and shutdown).

The once distinct line between CCS and BMS is getting more and more blurred. Physical and logical boundaries between the two systems are constantly being adjusted as new technologies emerge with new functionalities, diagnostics, architectures and communication interfaces. While the overall function of the BMS has not changed much over the years, a lot has changed, however, with the technology being applied. Previously, the prominent technology for a BMS was a simple, hardwired, relay logic system whose primary interface was with discrete (on/off-type) field devices, and the operator interface was a handful of lights and pushbuttons. The communication interface was nothing more than a few relay contacts wired over to the CCS.

With the adoption of PLCs, smart analog field devices, internet communications and Windows-based human-machine interfaces (HMIs) on modern-day BMS designs, one can begin to appreciate that the once-distinct difference between the CCS and BMS is no longer very clear. This is all the more reason for industry to agree on a single, consistent name.

The bottom line is, if the equipment you are dealing with has a flame, users should agree that the instrumented system dedicated to provide safety functionality to reduce risk will be called the burner management system. Once the name is clear, the next step would be to develop a complementary scope document to help identify the major BMS components, such as its central processing unit (CPU), inputs and outputs (I/Os) and engineering and operator workstations, along with a safety requirement specification that will define two key elements of the BMS — what it is supposed to do and how well it must perform to complete its function.

Industry standards

Major accidents involving fired equipment are rare today, mostly because of the extensive industry experience and good engineering practices that have been developed over the past several years.

Nevertheless, professionals still seem to be sometimes confused over which standard they should reference when implementing a burner management system. Table 1 provides a summary of some of the most relevant non-industry-specific standards available today.

If the BMS is to be designed in accordance with a particular code or standard, then this should be clearly listed in a plant’s safety requirement specification. Any reference to a code or standard must be specific (for instance, “the system is to be designed in accordance with NFPA 85”) while avoiding broad catch-all references, as they may be inappropriate and could potentially increase system scope, add confusion and offer no corresponding benefit.

In addition, many types of fired equipment may be subject to application-specific good engineering practices, such as those outlined by NFPA 87, Recommended Practice for Fluid Heaters.

In some cases, this may appear to cause problems with designers wishing to take advantage of newer approaches and technology that currently is not prescribed as an approved method. These novel approaches may in fact, still be appropriate, since all of the recently updated NFPA standards have incorporated an equivalency provision, where alternative designs could be considered compliant as long as certain conditions are met. This process is generally known as the safety lifecycle. The key steps are as follows:
• Identify the hazardous events that could result in unacceptable consequences
• Identify the safety functions in your BMS that could prevent these hazardous events
• Determine the risk reduction (for example, performance requirement) for these safety functions
• Allocate safety functions to your BMS to be designed and managed to achieve this performance
• Document the functional and integrity requirements in a design specification
• Verify that design and management practices are sufficient to meet the performance requirements
• Document and implement operational and maintenance procedures to support performance requirements
• Manage changes to process equipment and the BMS to ensure continued safe operation

The technical report ISA-TR84.00.05 was issued by the International Society of Automation (ISA; Research Triangle Park, N.C.; www.isa.org) to help users address various aspects of these steps specifically for BMS applications. Simply put, prescriptive industry standards from organizations like NFPA, the American Petroleum Institute (API; Washington, D.C.; www.api.org) and others may find some complementary effects by leveraging the performance standards from ISA and other groups, such as the International Electrotechnical Commission (IEC; Geneva, Switzerland; www.iec.ch) and American National Standards Institute (ANSI; Washington, D.C.; www.ansi.org), to ensure that the methods for managing the risk associated with
the hazards suit both the owner’s operational requirements, as well as gain the approval from the authority having jurisdiction.

TABLE 1. SELECTED INDUSTRY STANDARDS
NFPA 85, 86 & 87: Prescriptive codes, standards and recommended practices that provide specific details of what must be implemented for burner management systems based on the application (boiler, oven, furnace, heater and so on)
IEC 61511 or ANSI/ISA 84: Performance-based, international standard for functional safety of safety instrumented systems for use in the CPI
TR.84.00.05: ISA’s technical report written specifically for the application of ANSI/ISA 84 (IEC 61511) to burner management systems
FM 7605: Approval agency standard that requires PLC-based burner management systems to be in compliance with IEC 61508 (functional safety certification for PLCs)

Redundancy is not always required

The statement “no single point of failure” has been one of the most often misinterpreted BMS requirements in the industry over the past 30 years. For most people using PLC technology, a common misconception is that compliance can only be achieved by configuring the PLC’s CPU in a dual-redundant architecture — most think intuitively that “if one is good, then two should be better.” Unfortunately, in terms of safety system performance, things are not as intuitively obvious as they may seem. In some cases, it has been shown that simplex (non-redundant) systems can in fact be safer than dual systems.

The primary concern here was that the industry was moving away from a technology that was considered relatively failsafe. This meant that it offered a high degree of certainty that the dominant failure mode was toward the safe condition or where all of the circuits would become de-energized (turned off) in the event of a system failure.

As modern microprocessor-based PLC systems started to replace previous-generation relay logic systems, it was realized that these systems, while offering numerous engineering and operational benefits, did not, however, offer the same level of safety in the event of a failure.

Industry prescriptive standards, such as those developed by NFPA, tried to overcome this by developing an exhaustive list of requirements that would protect against a system failing toward a potentially dangerous condition or state.

One of these requirements was that the PLC-based BMS should be designed specifically so that a single failure in the system does not prevent an appropriate shutdown. Many simply interpreted this to mean that to be able to protect against a CPU failure, the BMS must utilize redundant CPUs in their design to avoid such a condition.

For some systems, this might mean that in order to protect against a single system failure and still maintain the ability to shut down the process, the PLC will need redundancy. This need for redundancy will be necessary to improve the overall failure mode of the system, and despite marketing promises, will not improve the overall availability of the system. For some systems, this capability has already been designed and built into the system and is not necessary. Therefore, it is important to realize that all systems are not the same, and that one needs to have a clear understanding of the failure modes of the system, as well as the supported redundancy architectures (single, dual or triple). While redundancy is not necessary to achieve this requirement, it might be, depending on the system selected.

Not all logic solvers are equal

When considering PLC designs for use in BMS applications, the industry generally recognizes two options: safety-configured and safety-rated. In some regards, either of the two could be implemented to meet the intention of the industry standards. However, there are serious differences and considerations that require understanding.

First, one needs to understand that a general-purpose PLC and a safety-configured PLC are, for the most part, the same thing. A safety-configured PLC is an industrial-grade, general-purpose PLC that is specifically configured by the original equipment manufacturer (OEM), systems engineer or end-user for use in safety applications. In some cases, the PLC manufacturer might have even received a certification from a third-party agency that its particular configuration is capable of meeting a certain performance level.

Both ISA and IEC standards limit the amount of performance these systems can claim, based on the level of assessment, and they also cap the highest claimed level of performance to be an order of magnitude less than a safety-rated PLC.

The concern with using safety-configured PLCs is that many are never fully tested or accurately assessed for the level of protection measures that are to be implemented in order to detect faults and to ensure appropriate responses are initiated. Simply adding an external device to the PLC to monitor its “heartbeat” is never enough. For some PLC systems, this most likely will require additional hardware (CPU, power, I/O modules and so on) and even software programming (for instance, process flow checks or internal watchdog timers) such that in the event of a system fault, the system is configured to ensure that it still has the means to stop the process if hazardous conditions are present. Diagnostics alone do not necessarily meet this requirement — the diagnostics must have the ability to bypass the program and automatically take the system to a safe state.

FIGURE 3. Certified safety PLCs offer numerous benefits over standard PLCs, such as built-in safety concepts and extensive diagnostics

Safety-rated PLCs (Figure 3), on the other hand, are purpose-built and certified by independent third-party approval agencies, such as Technischer Überwachungsverein (TÜV) or Exida, to meet high safety requirements. Most safety-certified PLCs offer fault-tolerant architectures and extremely high diagnostics-coverage
capabilities that make them ideal for use in BMS applications. While there may appear to be an initial purchase-price premium for a safety-rated PLC, most studies indicate that the overall cost difference will become marginal after applying all of the necessary hardware and software additions that are required with the standard PLC.

Integration while independent

Just like an automobile needs both acceleration and braking functions, any industrial plant that has a need for heated medium, regardless if it is used for processes, utilities or emissions control, will ultimately need equipment that will provide both control (CCS) and safety functions (BMS). Traditionally, these control strategies would have required physical separation between the main logic units of the CCS and BMS (Figure 4). However, today, the industry has started to see an evolution in how these control systems can be implemented, particularly for simple, low-risk applications (for example, single-burner, single-fuel systems) where two separate control systems just seems like too much. In addition, industry standards have started to loosen their long-standing position on requiring two separate systems to provide complete independence between the control (CCS) and safety (BMS) systems. Users are now starting to consider a combined strategy, where these two systems are now integrated into one where they can realize the benefits of lower system costs and less complexity (one is easier to manage than two), as long as they continue to manage their risks.

FIGURE 4. A programmable BMS may include cause-and-effect diagrams and enable users to deeply examine process-safety functions, whereas a traditional CCS will mainly focus on regulating functions, but new systems are beginning to integrate these capabilities for some simple applications

As recently as 2015, NFPA 85 included a statement that permitted this single-system concept that could be implemented as both a BMS and CCS as long as certain conditions were met. One of these conditions was that the PLC system must be certified via a third-party agency to be SIL 3 capable, which is a measure of safety performance as defined by the IEC 61508 standard. Again, this condition was only for certain applications (single-burner) and for specific qualified equipment (SIL 3 rated).

Functional safety standards like IEC 61511 do permit combined control and combustion safeguarding in one system. Other standards, like the 2015 edition of NFPA 85, now explicitly allow combining combustion control and combustion safety in the same logic solver for certain applications.

However, several design issues must be considered and properly addressed in order to maintain or improve safety performance. A properly designed combination combustion-control and combustion-safeguarding system can enhance the safety lifecycle by reducing engineering, operations and maintenance errors and improving combustion safety.

Manage your changes

During the early adoption years of PLCs being used for BMS applications, one NFPA requirement stated that “logic shall be protected from unauthorized changes.” This required some PLC manufacturers to implement burned-in, electrically erasable programmable read-only memory (EEPROM) technology to protect their programming. This practice became so commonplace in the industry that many of the code-enforcement inspectors started to expect this technology to be in place, regardless of whether it was even needed.

Burning memory into an EEPROM was not the only way to prevent unauthorized program changes, and was considered a very old-fashioned way to offer non-volatile memory. Users wanted programmable systems specifically for their software flexibility, and burning memory into EEPROMs worked against that goal. In fact, burning in EEPROM prevented any online changes altogether. Today, many safety-rated PLCs incorporate both software and hardware security features that will serve to prevent unauthorized changes, while still allowing (with caution) online changes.

For any type of programmable system, management-of-change rules are often quite different for the CCS and BMS. CCS control functions are not as critical, and many sites allow not only control parameter changes, but control strategy changes without much formal administrative intervention and approval.

Safety requires far more administrative control with justification and approval required before any changes are made. One easy way to help enforce this is to never have control and safety together within one programmable controller. Some in the safety community even have a rule that dictates different manufacturers and perhaps different technologies be used so that entirely different configuration languages and procedures act as additional means of enforcing the management-of-change procedures.

When we look at the requirements stated by NFPA regarding protection against unauthorized changes, the intent is clear (protect against unauthorized changes) but the implementation (how, when and why) is not. In this case, one can turn to the guidance of performance standards, such as IEC 61511 or ANSI/ISA 84, for direction. These standards further explain that management-of-change procedures shall be in place to initiate, document, review, implement and approve changes to the SIS (BMS). Furthermore, they add that procedures also need to be in place where changes outside the BMS could affect the system performance (for instance, re-design of the CCS). The goal is simple — maintain your BMS safety integrity over the system’s entire lifecycle.

More hardware, less availability

Industry standards, such as NFPA, have long recognized that to properly design a failsafe PLC-based BMS, several failure modes inherent to microprocessor-based technology must be addressed, including the following:
• Unsafe failure conditions of the I/O circuits (fail-on, fail-off)
• CPU faults, such as processor stalls, loss of communication with I/O modules, failure to execute program logic and so on

In 1996, a leading PLC manufacturer at the time published an influential article [2] that described several methods that should be used to protect against specific PLC failures, one of which was the use of an external watchdog timer. A watchdog timer is a technique that bolts onto the PLC and monitors for logic and I/O execution, and in the event of a fault will automatically cause the system to fail safe. While this technique may be necessary to improve the safety performance of a general-purpose PLC, studies have shown that the use of these timers may, in safety-rated PLCs, provide no benefit, and will increase the nuisance trip rate, since this capability is already built in, tested and certified.

To make matters worse, one of the leading industry certification bodies updated its own standard in 1999 to require that all PLC-based burner management systems conform to the SIL-rated IEC 61508 standard, as well as have external watchdog timers. Some liken this to the herd mentality, where decisions are made following the lead buffalo. In this case, the manufacturer might have noticed a deficiency in its design and developed a solution, while others just followed along. While this superfluous requirement may still be found in specifications today, in 2014, a paper was published [3] where many of these “extraneous” hardware requirements are addressed and debunked.

In light of these updates to industry standards and accepted practices, as well as the growing adoption of new technologies, it is increasingly important that users of burners and other fired equipment understand the significance of a BMS and its uniquely critical role in process safety.

Edited by Mary Page Bailey

References
1. National Fire Protection Agency, Boiler and Combustion Systems Hazards Code (NFPA 85), 2015.
2. Rutherford, T.J., Schroll, J.K., Safeguarding Methods for Applying Programmable Logic Controllers in Burner Management Systems, “Instrumentation in Chemical and Petroleum Industries,” Instrument Society of America, 1996.
3. Fialkowski, C.M., Polagye, M. and Scott, M., Invoking the Equivalency Clause in NFPA Standards for Designing Compliant Burner Management Systems, 69th Instrumentation Symposium for the Process Industries, Texas A&M University, Jan. 2014.

Author
Charles M. Fialkowski is the director of process safety with Siemens Industry, Inc. (2060 Detwiler Rd., Harleysville, PA 19438; Phone: +1-267-218-4808; Email: charles.fialkowski@siemens.com). He has been a safety systems specialist for more than 20 years, with a focus on burner management systems (BMS) and fire and gas solutions. He represents Siemens Industry as their voting member on the ISA 84 safety committee and was the former chair for the division’s Burner Management section. His ISA involvement has included both instructing and developing technical courses on safety instrumented systems (SIS) and burner-management and combustion-control courses. He has published numerous articles on SIS and related technologies. Fialkowski received his B.S. in electrical engineering from Oklahoma State University and is a C.F.S.E. (Certified Functional Safety Expert).
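
The trade-off argued under "Redundancy is not always required" and "More hardware, less availability" can be put in numbers. The following is an added example, not part of the original article: it uses the common simplified low-demand approximations for voting architectures (no common-cause failures, no diagnostic credit), extends the article's single/dual/triple cases to 2oo3, and every failure rate, the repair time, the proof-test interval and the watchdog rate is a constructed value.

```python
"""Simplified low-demand comparison of logic-solver voting architectures."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
ARCHITECTURES = ("1oo1", "1oo2", "2oo2", "2oo3")


@dataclass(frozen=True)
class Channel:
    lambda_du: float  # dangerous undetected failure rate, per hour
    lambda_s: float   # safe (spurious trip) failure rate, per hour
    mttr_h: float     # mean time to repair a failed channel, hours


def pfd_avg(arch: str, ch: Channel, ti_h: float) -> float:
    """Average probability of failure on demand for proof-test interval ti_h."""
    x = ch.lambda_du * ti_h
    return {"1oo1": x / 2, "1oo2": x**2 / 3, "2oo2": x, "2oo3": x**2}[arch]


def spurious_trips_per_year(arch: str, ch: Channel,
                            series_lambda_s: float = 0.0) -> float:
    """Nuisance trips per year. series_lambda_s models a bolt-on device (for
    example an external watchdog) whose own safe failure also trips the unit."""
    s = ch.lambda_s
    rate = {"1oo1": s, "1oo2": 2 * s,
            "2oo2": 2 * s**2 * ch.mttr_h, "2oo3": 6 * s**2 * ch.mttr_h}[arch]
    return (rate + series_lambda_s) * HOURS_PER_YEAR


def sil_band(pfd: float) -> int:
    """IEC 61508 low-demand SIL band for a PFDavg (0 means below SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def compare(ch: Channel, ti_h: float, series_lambda_s: float = 0.0) -> list:
    """One row per architecture: (name, PFDavg, SIL band, trips per year)."""
    rows = []
    for arch in ARCHITECTURES:
        pfd = pfd_avg(arch, ch, ti_h)
        trips = spurious_trips_per_year(arch, ch, series_lambda_s)
        rows.append((arch, pfd, sil_band(pfd), trips))
    return rows


# Constructed values for illustration only, not vendor or certificate data.
SAMPLE = Channel(lambda_du=2e-6, lambda_s=5e-6, mttr_h=8.0)
TI_H = 8760.0              # yearly proof test
WATCHDOG_LAMBDA_S = 1e-6   # hypothetical external watchdog safe-failure rate

if __name__ == "__main__":
    for label, extra in (("logic solver only", 0.0),
                         ("with external watchdog", WATCHDOG_LAMBDA_S)):
        print(label)
        for arch, pfd, sil, trips in compare(SAMPLE, TI_H, extra):
            print(f"  {arch}: PFDavg={pfd:.2e}  SIL {sil}  trips/yr={trips:.2e}")
```

With these inputs a dual 2oo2 pair is less safe than the simplex unit, a dual 1oo2 pair doubles the nuisance trips, and the series watchdog dominates the trip rate of the 2oo3 arrangement.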
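
One way to check the requirement quoted under "Manage your changes" ("logic shall be protected from unauthorized changes") is to compare the logic read back from a controller with the management-of-change ledger. The following is an added example, not part of the original article and not any vendor's tooling: the record layout, the change identifiers, the bms_impact_reviewed field, the site policy for CCS changes and the logic images are all constructed assumptions.

```python
"""Management-of-change audit for logic-solver programs (added example)."""
import hashlib
from dataclasses import dataclass

# Steps the article lists for changes to the SIS (BMS).
MOC_STEPS = frozenset({"initiate", "document", "review", "implement", "approve"})


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str                     # constructed identifier
    system: str                        # "BMS" or "CCS"
    logic_sha256: str                  # digest of the logic image the change produced
    steps_done: frozenset = MOC_STEPS  # steps with a recorded sign-off
    affects_bms: bool = False          # CCS change that could affect BMS performance
    bms_impact_reviewed: bool = False  # hypothetical sign-off field


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def missing_steps(rec: ChangeRecord) -> list:
    """Open MoC items. Assumed site policy: full MoC for the BMS; a CCS change
    needs a BMS impact review only when it could affect BMS performance."""
    gaps = sorted(MOC_STEPS - rec.steps_done) if rec.system == "BMS" else []
    if rec.system == "CCS" and rec.affects_bms and not rec.bms_impact_reviewed:
        gaps.append("bms_impact_review")
    return gaps


def audit_logic(system: str, running_image: bytes, ledger: list) -> dict:
    """Classify the logic read back from a controller against the ledger."""
    history = [r for r in ledger if r.system == system]
    running = digest(running_image)
    match = next((r for r in reversed(history) if r.logic_sha256 == running), None)
    if match is None:                    # no change record produced this image
        return {"status": "unauthorized-change", "change_id": None, "missing": []}
    gaps = missing_steps(match)
    approved = [r for r in history if not missing_steps(r)]
    if gaps:                             # change is known but not signed off
        status = "incomplete-moc"
    elif match is not approved[-1]:      # approved once, replaced since
        status = "superseded"
    else:
        status = "authorized"
    return {"status": status, "change_id": match.change_id, "missing": gaps}


# Constructed logic images standing in for programs uploaded from controllers.
BMS_REV_A = b"BMS rev A: purge 300 s; flame-fail trip 4 s"
BMS_REV_B = b"BMS rev B: purge 300 s; flame-fail trip 3 s"
BMS_REV_C = b"BMS rev C: purge 120 s; flame-fail trip 3 s"
CCS_REV_A = b"CCS rev A: air/fuel ratio curve 7"

LEDGER = [
    ChangeRecord("MOC-0001", "BMS", digest(BMS_REV_A)),
    ChangeRecord("MOC-0002", "BMS", digest(BMS_REV_B)),
    ChangeRecord("MOC-0003", "CCS", digest(CCS_REV_A), affects_bms=True),
]
# Same ledger plus a BMS change that was implemented before review and approval.
PENDING = LEDGER + [ChangeRecord(
    "MOC-0004", "BMS", digest(BMS_REV_C),
    steps_done=frozenset({"initiate", "document", "implement"}))]

if __name__ == "__main__":
    for system, image, ledger in (("BMS", BMS_REV_B, LEDGER),
                                  ("BMS", BMS_REV_C, PENDING),
                                  ("CCS", CCS_REV_A, LEDGER)):
        print(system, audit_logic(system, image, ledger))
```

The audit only detects drift between the running logic and the ledger; preventing the change in the first place still relies on the controller's own software and hardware security features.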