What Now? More Standards for Safety and Regulatory Compliance

What Now? More Standards for Safety and Regulatory Compliance
Mike Schmidt, P.E., CFSE Bluefield Process Safety Chuck Miller, CFSP Emerson Process Management Just when a majority of industrial manufacturers were getting the hang of the new global safety requirements, professional societies are developing even more standards for Burner Management System (BMS) applications. Industry experts suggest these “clarifications” are necessary as NFPA 85 dictates BMS design and operation from a prescriptive viewpoint. However, many end-users fear it will become one more hard line compliance issue with OSHA and other Local Jurisdictional Authorities. The challenge is to develop a solid review and comparison of the BMS standards while providing an assessment of the impact that they will have on the project and on-going cost of operations. In the analysis of project cost (CapEx) and operational impact (OpEx ) this presentation discusses how some customers are reconciling the prescriptive, tutorial, and performance-based standards with the advantages and cost savings provided by implementing tightly Integrated Control and Safety System (ICSS) technology. Reconciling the new combustion control standards with ANSI/ISA 84 presents an excellent opportunity to describe the primary measuring and actuating instruments, controls, alarms, and associated protective functions in a Safety Requirements Specification. It also provides for the commissioning, testing, maintenance and operational phases of the BMS lifecycle while driving competency as a vital component of the safety management system. Results suggest that an ICSS will reduce costs by eliminating downtime by balancing availability, safety and lifecycle management aspects through the use of predictive diagnostics. When combined with the correct culture, a properly designed combustion control system utilizing ICSS technologies can reduce capital and engineering costs, reduce operations and maintenance costs, increased plant availability, reduced process variability and enhanced safety and environmental compliance by: Lower integration costs Simplifying configuration management Automating commissioning and validation Enhanced regulatory compliance Reducing cost of proof test and documentation Proactively identifying under-performing assets Enhancing competency through Human Centered Design

Presenters Mike Schmidt, P.E., CFSE Bluefield Process Safety Principal Chesterfield, Missouri Chuck Miller, CFSP Emerson Process Management SIS Business Development Manager – Americas Austin, Texas Mike Schmidt is Principal of Bluefield Process Safety, providing safety life cycle consulting to the chemical process industries. Formerly an SIS consultant at Emerson, Mike began his career in the CPI in 1977 with Union Carbide. Profoundly impacted by the 1984 tragedy in Bhopal, Mike has been working on process safety ever since. In addition to BMS work, his expertise includes HazOps and other PHAs, LOPAs, RTCs, SRS development, SIL calcs, and PSM compliance. Chuck Miller is an awesome dude. Emerson is lucky to have him working for them. ‘Nuff said.

Agenda Industry Standards Integrated Solution Benefits Summary API 556
ISA-TR NFPA 85 NFPA 86 Integrated Solution Architecture Smart Field Devices Smart SIS Benefits Summary Standards Technology Can the control and protective systems for fired heaters as defined by the standards be reconciled into a comprehensive solution? Units with fired heaters have many codes and standards to turn to for guidance and direction when it comes to the burner management system. Each of the organizations that has generated these codes and standards insists that it applies to the units that fall within its scope, and operators of units with fired heaters that fall within the scope of more than one standard are confronted with the dilemma of deciding with which standard to comply, or worse, deciding on how to comply with multiple standards. This presentation has two objectives. The first is to review some of the key standards that apply to burner management systems, their requirements, approach, and some of their key features. Specifically, we’ll be looking at the NFPA BMS codes, and a couple of draft standards that take a very different approach, API 556 and ISA S84 Technical Report 5. Our hope is that in this review, you’ll get a better appreciation for what these codes do and the compliance issues they engender. Many end-users fear that each of the new standards will become one more hard line compliance issue with OSHA and other Local Jurisdictional Authorities. More generally, we hope to give you a handle for evaluating any other codes or standards, existing or new, that you may be faced with. It is not within the scope of this presentation to consider every code or standard that has ever been written in regard to burner management systems. The second objective of this presentation is to talk about an important tool for complying with BMS standards: the implementation of Integrated Control and Safety Systems. What cost savings can be identified and measured from both the CAPEX and OPEX viewpoint when applying advanced technology to adhere to these divergent standards? We will also explore the advantages and cost savings provided by the implementation of tightly Integrated Control and Safety System technologies. In the analysis of CapEx and OpEx of fired heater protective systems we must first address the question of design standards: Can the control and protective systems for fired heaters as defined by the standards be reconciled into a comprehensive solution? 3

Burner Management Systems – Purpose
Primary Purpose To prevent the catastrophic combustion of accumulated fuel Secondary Purpose To prevent overheating fired equipment and the catastrophic release of process streams that result Before talking about various BMS standards or any attempt to evaluate them, it is important to first understand the purpose of a burner management system, which is not that of a control system. A burner management system is first and foremost a safety system. The primary purpose of a burner is to burn—to generate heat by the combustion of fuel. The primary purpose of a burner management system is to prevent the catastrophic combustion of that fuel. The term “catastrophic combustion” can mean equipment failure, unscheduled downtime, or environmental release, but typically it means explosion, either by deflagration or detonation, and the ensuing consequences which, unfortunately, experience has taught may include multiple fatalities. The catastrophic combustion is not of the fuel that is briefly available for normal combustion, but of fuel that has accumulated into dangerous quantities during abnormal conditions. The other purpose of burner is to use the heat it generates, usually in some associated piece of fired process equipment, for instance, the steam drum of a boiler. So it should make sense that the secondary purpose of the burner management system is to prevent overheating the fired process equipment, which can result in the catastrophic release of the process stream. Catastrophic release? With a boiler, it is not the material that is released—water vapor—that is the issue, but the manner of the release. When a boiler releases water vapor catastrophically, it can be in the form of a physical explosion, which includes shock waves and flying shrapnel. Not all materials heated in fired equipment are as benign as water. Some are simply too hazardous to release into the workplace or the environment in quantities of any significance. Finally, a release can be catastrophic, not because of the resulting explosion, or the hazardous nature of the material released, but simply because of the damage the equipment had to suffer to cause the release. The consequences of overheating equipment clearly pose safety issues that a burner management system is designed to address.

Burner Management: Sum of All Fears
BMS Fundamentals Burner Management: Sum of All Fears Fuel has accumulated while burners are not operating and then is ignited when a burner is lit Fuel accumulates after a burner goes out while operating, then subsequently finds a source of ignition The process fluid is unable to remove sufficient heat A safety system, by its very nature, addresses the conditions that are feared. A BMS addresses three fears, all having to do with either the uncontrolled accumulation of fuel or with overheating the fired process equipment. Why these three? Because decades of experience has taught that these are the conditions to fear. The first two fears are of uncontrolled accumulation of fuel. One occurs when the fuel supply should be off, but is not. When a burner is not being ignited or is not in normal operation, it has no use for fuel and no way to consume it. If a burner receives a fuel supply when it has no use for it and no way to consume it, the fuel accumulates. Eventually, an ignition source is introduced, perhaps something as simple as the routine ignition of a burner that has been idle. When the entire quantity ignites, the consequences can be disastrous. The second occurs when flame should be on, but is not. Flame should be on when a burner is being ignited and when a burner is in normal operation, including heat-up and cool-down phases. Should that flame go out for any reason, a continued supply of fuel will lead to an accumulation. The accumulated fuel may then finds an ignition source. It may be the hot walls of the burner’s fire box or the attempt to re-ignite the flame that went out. In any case, the consequences can again be disastrous. The third fear is not about flame, but about equipment being heated. A flame generates heat. When the heat is not removed, however, it accumulates. As heat accumulates, temperatures increase. In enclosed systems, an increase in temperature is accompanied by an increase in pressure. Equipment has limits to the temperature it can endure and the pressure it can withstand. Beyond those limits, the equipment fails. The failure can be devastating. The interesting thing about this third failure is that it is not a failure of the burner. The burner is doing what it is supposed to do: combining fuel with air in a combustion reaction that generates heat energy. The failure is of the process side of equipment, a failure to use the energy that has been generated. This failure only matters during normal operation of the burner. When the burner is idle or off it generates no heat and during burner ignition, it generates to little heat to be of consequence. Only after normal operation is under way does a failure of fired equipment to remove heat result in a catastrophe.

How is a burner managed? Sequence control (permissives)
Fuel block valves proved closed Absence of flame proved Pre-purge flow proved Pre-purge timer complete Shutdowns/trips (interlocks) Loss of flame Loss of combustion air Low fuel pressure High fuel pressure Loss of actuating energy Power failure Excess process pressure or temperature Safety systems, including burner management systems, have two basic tools to improve safety: permissives and interlocks. An interlock is a function that upon detecting an unsafe condition, causes specific actions to occur that take the system to a safe state. The cause is often called a “trip” and the actions are frequently in the form of a “shutdown”. What is shut down varies; it may be a single line or it may be an entire system. A permissive is a function that upon detecting a condition that is not inherently unsafe, recognizes that it would be unsafe to allow some other action to occur or state to exist. To repeat, the “trip condition” itself is not unsafe. Only if some other action occurs or set of conditions exist while the system is in the “trip condition” does an unsafe condition occur. The purpose of a permissive is to prevent those other actions from occurring or sets of conditions from existing while the system is in the “trip condition”. A permissive in a safety system only permits those other actions to occur or those other sets of conditions to exist while the system is NOT in the “trip condition”. A BMS depends on sequence control to make the transition from one state to the next, for instance from “ready” to “pre-purge” to “purge complete”. The BMS only permits transition from one state to the next when the conditions for the transition are no longer in the “trip condition”. Permissives are ideal for controlling this sequence of states. Examples include: Fuel block valve positions – do not permit state transition when valves are not closed Flame detector – do not permit state transition when flame is detected Purge flow – do not permit transition when flow is too low Purge timer – do not permit transition when timer has not yet counted down to zero While in a state, a BMS may detect an unsafe condition and trip. In a BMS, trips involve shutting off fuel. The causes of a trip could include Loss of flame Loss of combustion air Low or high fuel pressure Loss of actuating energy Excess process pressure or temperature

BMS Standards National Fire Protection Association
Instrumentation, Systems, and Automation Society American Petroleum Institute The various BMS standards all serve the same purpose: they tell a user how to Avoid a situation where the fuel supply should be off, but is not. Avoid a situation where the flame should be on, but is not. Avoid a situation where the process equipment is overheated. and Avoid a situation where the BMS is prevented from working as it should. The BMS standards also all describe what the BMS should do when it detects any of these situations. The oldest, most storied BMS standards are those published by the National Fire Protection Association. Founded in 1896 by a group of fire insurance companies, and headquartered in Quincy, Massachusetts, the NFPA has developed hundreds of standards for the prevention of uncontrolled fire and the damage fire causes. Two of the NFPA standard, NFPA 85 and NFPA 86 address burner management systems. The ISA was founded in 1945, toward the end of World War II, to share information about the industrial instruments that had become widely used during that war. It began as the Instrument Society of America, but in 2000 changed its name to ISA-The Instrumentation, Systems, and Automation Society. In 2008, it changed its name again, still focusing on the letters I-S-A, to the International Society of Automation. Born a technical society, the ISA has developed over 150 standards in the area of plant automation. Its standard on Safety Instrumented Systems is of particular interest here. Another organization, the American Petroleum Institute, publishes recommended practices for the petroleum and refining industries, but that are used more widely. The API was founded in 1919, shortly after the conclusion of World War I to formalize the organization that developed during that war to assure American petroleum supplies. Since 1969, it has headquartered in Washington D.C. in order to fulfill its primary purpose of advocacy for the oil and natural gas industries. The API also works toward standardization in the oil and natural gas industries and maintains over 500 standards and recommended practices, some of which have to do with safety.

OSHA’s expectations regarding BMS
The General Duty Clause “The general duty to furnish each employee with employment and places of employment free from recognized hazards causing or likely to cause death or serious physical harm.” In the OSHA regulations found in 29 CFR 1910, there is a section on codes and standards incorporated by reference. The specific regulation is 29 CRF It lists almost 200 specific codes and standards published by non-governmental organizations that OSHA has declared “have the same force and effect” as regulations promulgated by OSHA. They include codes by ANSI, API, ASME, and NFPA. In fact, ANSI, with 70 codes, and NFPA, with 33 standards, account for over half of all the codes and standards incorporated by reference. Each code or standard that OSHA has incorporated by reference is listed, along with the specific regulation to which it is applicable. Of all the codes and standards listed, only one related to burner management is listed: NFPA 86, and in specific application to 29 CFR , “Spray finishing using flammable and combustible materials”. That’s it. There is no OSHA regulation on Burner Management Systems, nor is there any other regulation requiring compliance with any specific code or standard. So why do so many insist that compliance with one code or another is “required by OSHA”? One answer may be in the General Duty Clause. This is not a regulation, but a section of the original law that authorized OSHA. Section 5(a)(1) of the Williams-Steiger Occupational Safety and Health Act of 1970 states that “Each employer shall furnish to each of his employees employment and a place of employment wich are free from recognized hazards that are causing or likely to cause death or serious physical harm to his [sic] employees.” This means that OSHA can issue a citation for a situation that it determines to be fatally hazardous, even if there is not a specific regulation covering the hazard. In practice, OSHA will not issue a general duty clause citation unless four conditions exist: The employer failed to keep the workplace free of a hazard to which employees of that employer were exposed. The hazard was recognized. The hazard was causing or was likely to cause death or serious physical harm. There was a feasible and useful method to correct the hazard. OSHA’s interest in codes and standards is not in enforcing them, but in the hazards they recognize. In the case of Burner Management Systems, OSHA sees the very existence of BMS standards is proof that burner hazards are recognized.

OSHA’s expectations regarding BMS
The General Duty Clause “The general duty to furnish each employee with employment and places of employment free from recognized hazards causing or likely to cause death or serious physical harm.” RAGAGEP Recognized and Generally Accepted Good Engineering Practice Follow company policies and procedures “Do what you say you will do.” To do nothing is not acceptable. While nothing in the OSHA regulations requires the implementation of any particular BMS code or standard, OSHA does require that something be done about recognized hazards. The question, then, is what? The answer to that question may be found in the acronym, RAGAGEP. RAGAGEP stands for Recognized and Generally Accepted Good Engineering Practice. It is a requirement in several OSHA regulations, and of particular interest, a requirement of the Process Safety Management Standard, 29 CFR PSM mentions RAGAGEP twice: in the section on process safety information, where it requires in (d)(3)(ii) that “The employer shall document that equipment complies with RAGAGEP”, and in the section of mechanical integrity, where it requires in (j)(4)(ii) that “Inspection and testing procedures shall follow RAGAGEP.” One way to know that something is a recognized and generally accepted good engineering practice is if it is national consensus standard, like something issued by ANSI, API, ASME, or NFPA. But these are not the only recognized and generally accepted good engineering practices. So, what does OSHA expect regarding burner management systems. OSHA expects employers to determine what they are going to do, either by complying with a single national consensus standard, several national consensus standards, some combination of elements from consensus standard, or a company policy that can pass muster as a recognized and generally accepted good engineering practice, and then to do it. In many areas, it is the failure to do the safe things that they said they would do that results in companies receiving citations from OSHA. Note: Near the end of CPL , PSM Compliance Guidelines and Enforcement Procedures (13-Sep-1994), there is an Appendix D entitled “References for Compliance with the PSM Standard” which includes 35 references. Reference 30 is "Prevention of Furnace Explosions/Implosions in Multiple Burner Boiler Furnaces," National Fire Protection Association, NFPA 85C, which is now out of date.

National Fire Protection Association – NFPA
Prescribes: Dictates what to do and how to do it NFPA 85 Boiler and Combustion Systems Hazards Code Applies only to boilers and units that generate steam using the heat generated by combustion Separate sections for single or multiple burners, and for different fuel types, each with different authors NFPA standards tend to be prescriptive and are still influenced by the original purpose of NFPA standards: insurance companies telling their customers what they must do to qualify for the best insurance premiums. Many NFPA standards have been incorporated into local ordinances, state statutes, and federal regulations, so NFPA standards tend to sound like regulations and they all tend to be treated as regulations. They are written for the least sophisticated audience likely to be concerned with their particular subject matter. They tend to be conservative instructions on how something must be done, with few options and little flexibility. Not necessarily the best or optimum way to do things, they can nonetheless be counted on to work. A user that follows the requirements of an NFPA standard, whether they understand the reasoning behind it, can be confident they have done the right thing. The NFPA has two BMS standards, NFPA 85 and NFPA 86. NFPA 85, is the Boiler and Combustion Systems Hazard Code. It applies to boilers and other units that generate steam using heat from combustion. Heated materials other than water, and sources of heat other than combustion are not part of the scope. NFPA 85 is currently structured in chapters. The first four chapters address fundamentals and is written by one committee. The next five chapters are each written by different committees and address, respectively Chapter 5 – Single Burner Boilers Chapter 6 – Multiple Burner Boilers Chapter 7 – Atmospheric Fluidized-Bed Boilers Chapter 8 – HRSG and Other Combustion Turbine Exhaust Systems Chapter 9 – Pulverized Fuel System It is clear from their text and requirements that these chapters are authored by different committees. Familiarity with the requirements of one does not necessarily translate into familiarity with the requirements of another.

National Fire Protection Association – NFPA
Prescribes: Dictates what to do and how to do it NFPA 85 Boiler and Combustion Systems Hazards Code Applies only to boilers and units that generate steam using the heat generated by combustion Separate sections for single or multiple burners, and for different fuel types, each with different authors NFPA 86 Standard for Ovens and Furnaces Applies to heated enclosures (furnaces, ovens, dryers) regardless of heat source Single, coherent document The second NFPA standard for burner management systems is NFPA 86, the Standard for Ovens and Furnaces. It essentially covers any kind of system where an enclosure is heated in order to process materials. It could cover boilers, but in practice, does not. It does electrically heated units, units heated by reactions other than the combustion of fuel with air, and units that are heating something besides water. The entire standard is written by a single a committee, which is apparent in the coherence of the entire document. In some of the specifics, NFPA 86 differs in its requirements from NFPA 85. NFPA 86 is especially noteworthy for section 1.5 on equivalency, where it states that “Nothing in this standard is intended to prevent the use of systems, methods, or devices of equivalent or superior quality, strength, fire resistance, effectiveness, durability, and safety over those prescribed by this standard.” Neither standard is enforceable by NFPA, which develops but does not enforce standards. Compliance typically is at an insurer’s insistence, or as determined by a local or state fire marshal.

ISA – International Society of Automation
Stipulates: Imposes how to do it ANSI/ISA (IEC Mod) Functional Safety: Safety Instrumented Systems for the Process Industry Sector Applies to safety instrumented systems, regardless of application, with no specific functions defined Recommends: Suggests what to do and why to do it ISA TR The Application of S for SIFs in Burner Management Systems Non-mandatory review of safety instrumented systems used as burner management systems, with examples ISA standards cover the entire range of technical categories that comprise industrial automation, reliability and safety being one of them. ISA prides itself in being “vendor-neutral”, and its standards serve the entire community of vendors and end-users. ISA deserves for its ground-breaking work on safety instrumented system, publishing the first general standard in Two years later, the International Electrotechnical Commission in Europe published its umbrella standard on safety instrumented systems, IEC 61508, and end-users were faced with the dilemma of deciding which to follow. The IEC published its SIS standard for the process industries in 2002, and by then, it was clear that internationally the IEC standard, with its broader scope, was the standard being used. In 2004, ISA merged its standard with IEC 61511, and it was recognized by the American National Standards Institute (ANSI). The IEC writes standards with expectation that some member nations will adopt them as regulations, so they are written as regulations, albeit regulations that are performance-based rather than prescriptive. IEC 61511, hence ANSI/ISA , is a general standard on safety instrumented systems intended for end-users in the process industries. It can be applied to burner management systems, and given the scope of the standard, should be applied to burner management systems in those jurisdictions where the standard has been adopted, but there is nothing in the standard that is specific to burner management systems. To remedy this, a committee at ISA has developed a technical report specifically for the application of S (the short name for the ISA standard) to Burner Management Systems: TR It is the fifth in a series of technical reports that ISA committees have developed to assist in the application of S TR is intended as a non-mandatory addition to S , offering guidance on the use of safety instrumented systems as burner management systems.

Assesses BMS within context of Safety Lifecycle
ANSI/ISA Assesses BMS within context of Safety Lifecycle Identification of hazardous events Assessment of their risks Comparison to risk tolerance criteria Allocation of safety functions Documenting requirements (SRS) Validating performance Operational procedures Maintenance procedures Management of change S is structured around the safety lifecycle. It requires end-users to identify hazard in their process, to assess the risks of those hazards, and to compare those risks against risk tolerance criteria (RTC). However, once an end-user has identified hazards, the risks of which must be reduced by means of an SIS, S is quite clear in describing the necessary elements of designing, implementing, testing and validating, operating, maintaining, modifying, and dismantling the SIS. These steps comprise the safety lifecycle. A key feature of S and the IEC standards is the concept of the Safety Integrity Level (SIL). Safety Integrity Levels represent the difference between risks and RTC. The greater the risk, then the higher the SIL. Once a SIL has been assigned to a particular safety function, the standard is quite explicit about how to treat the function. S requires end-users to identify hazards, but because of its broad application, it does not state what the hazards are for any particular process, including combustion systems. S requires end-users to assess the risk of the hazards in their process, but it does not define what the risk is, or for that matter, the measures of risk. S requires end-users to compare the risk of the hazards in their process against RTC, but does not stipulate what those RTC must be. The effect is that S requires end-users to have a fairly sophisticated understanding of their process, of its hazards and risks, and of their own RTC before it can be used. On the other hand, end-users that do have a fairly sophisticated understanding of their process, of its hazards and risks, and of their own RTC will find that S imposes an excellent framework for an SIS, including an SIS that serves as a burner management system for combustion.

ISA-TR84.00.05 Reference to Other Practices
NFPA 85 (ref. 4.3) NFPA 86 (ref. 4.4) API 556 (ref. 4.5) ASME CSD-1 (ref. 4.6) API RP 14C (ref. 4.7) Provide safety assessments for Boilers (single burner) Fired process heaters (multi-burner) Thermal oxidizers Oil Heater Treaters Glycol Reboilers The concern for any end-user, no matter how sophisticated, is that if they are starting with a blank sheet of paper, they are left to invent their system from whole cloth. For many processes, there is no choice. Combustions systems, however, have been around for centuries and still operate much as they always have. To develop a BMS from scratch is to lose the benefit of decades of experience. For many, the freedom to start over is not worth the loss of that experience. ISA-TR (S84 TR5) is being developed to capture that experience. It is informative and adds no new requirements to S S84 TR5 includes a section on references to other BMS standards, many of which are discussed here. It then goes into a lengthy discussion of the safety lifecycle and its requirements, clearly linking it to S S84 TR5 presumes that anyone using it is familiar with and intends to comply with S It is not intended as a stand-alone document, nor is it intended to replace other standards. S84 TR5 expects to see the concepts of safety instrumented functions with SIL assignments as part of the design of a BMS. The last five sections of S84 TR5, Sections 7 through 11, provide detailed examples of safety assessments of the type S84 TR5 intends its users to conduct. For those new to combustion units, the models provided in those five sections can be an invaluable learning tool. The five safety assessments these sections model are Section 7 – Boilers (single burner) Section 8 – Fired process heaters (multi-burner) Section 9 – Thermal oxidizers Section 10 – Oil heater treaters Section 11 – Glycol reboilers The real value of S84 TR5, however, is in its specific discussion of different types hazards encountered in burner management systems. The technical report reviews each hazard, the consequences to consider for the hazard when assessing its risk, and approaches to SIF design for each type of hazard. Each hazard is addressed individually in a sub-section of Section 6, and the list of hazards addressed is extensive. The real education, for experienced and new user alike, is in the review of combustions system hazards and the design of the SIFs that can address them. Not only does the technical report list what to fear, but explains why.

API – American Petroleum Institute
Guides: Suggests what to do and how to do it API RP 560 Fired Heaters for General Refinery Services Applies to design and construction of heaters, excluding steam reformers and pyrolysis furnaces Three pages of 263 page document on instrumentation API RP 556 Instrumentation, Control, and Protective Systems for Gas Fired Heaters Intended for refineries, petrochemical, and chemical plants Gas only, and not for boilers, incinerators, or pyrolysis furnaces Not prescriptive, but uses “shall” 39 times The API exists for the benefit of its member companies in the oil and gas industry. Its development of standards tends to be along the lines of recommended practices, rather than codes. Recommended practices are generally intended to standardize practices and spare member companies the individual expense of preparing their own policies and procedures, not to raise the bar. Hence, recommended practices are not typically best practices, but are good practices, leaving member companies room to improvement and innovate. Nonetheless, many of the standards that OSHA has incorporated by reference are from API. In the area of burner management systems, two are especially noteworthy. API RP 560, Fired Heaters for General Refinery Service goes to great lengths to describe how fired heaters should be designed and constructed. The standard touches on BMS requirements, but the entire section on instrumentation is only about 1% of the contents of the document. Of greater interest is the new recommended practice that an API committee is developing, API RP 556, Instrumentation, Control, and Protective Systems for Gas Fired Heaters. As its name indicate, the scope of this recommended practice is narrow. It only applies to heaters using gas as fuel, so has nothing to say about the use of fuel oil or coal. It does not apply to boilers, incinerators, or pyrolysis furnaces. But for those gas-fired heater to which it does apply, it has good advice: API RP 556 provides a good design specification for the process heater, for primary measuring and actuating instruments, controls, alarms, and most importantly for this discussion, the associated protective systems. It also provides a starting point for an industrial burner management risk evaluation that can then be the basis for a Safety Requirements Specification (SRS). This differs from the NFPA standards, which simply identify the hazards about which to be concerned and stipulates how they should be addressed. The first four words of the current draft of API RP 556 are “This document provides guidelines…” Interestingly, although it goes out of its way to be non-prescriptive, API RP 556 uses the word, “shall”, 39 times.

API RP 556 suggests need for
API RP 556 – Consistent With SIS Standards API RP suggests need for SIL Assignment Nuisance Trip Avoidance Diagnostics and On-Line Testing Separation of Control and Safety Functions Redundancy Requirements Layers of Protection Analysis Reducing Demand on the Safety System Common Mode Assessment Formal Operating and Maintenance Procedures API RP 556 is similar to S84 TR5 in many regards. Both refer to the requirements of S Both are intended as guidance and include a list of very specific combustion hazards and suggestion for how those hazards can be addressed. Both suggest that the safety functions of a BMS should have SIL assignments, which in turn suggests that the hazards of a BMS be assessed for risk, and that risk compared to risk tolerance criteria. Like S84 TR5, API RP 556 includes a section with references to other BMS standards. Not surprisingly, the list of standards is very similar to that included in S84 TR5. Unlike S84 TR5, API RP 556 also includes a very brief section on process control. It also includes a very thorough discussion on the advantages and disadvantages of different types of measurement devices likely to be considered for a BMS. Like S84 TR5, the real value of API RP 556 is in its extensive review of the types of hazards specifically associated with Gas Fired Heaters, and safety functions that can be used to address those hazards. So, while the scope of the document limits it from a discussion of oil fired heaters or other types of combustion equipment, it gives a very thorough treatment of gas fired process equipment. Moreover, it does so in a manner very consistent with the general approach to safety instrumented systems taken in S Taken individually or together, S84 TR5 and API RP556 are both useful in identifying the specific hazards of concern in a combustion system, and both would be useful as input to the use of S in using an SIS as a BMS.

Permissives NFPA 85 NFPA 86 S84-TR5 API 556 1.1
Fuel block valves proved closed  1.2 Absence of flame proved 1.3.1 Pre-purge flow proved 1.3.2 Pre-purge timer complete 1.4 Air proved at low fire rate 1.5 Fuel pressure in correct range 1.6 Pilot flame detected within time 1.7 Main fuel set at low fire position 1.8 Main flame detected within time 1.9.1 Post purge flow proved 1.9.2 Post purge timer complete 1.10.1 Adequate process level 1.10.2 Adequate process flow Burners are managed with a combination of both sequence control (permissives) and shutdown/trips (interlocks). NFPA 85 and NFPA 86 list the conditions that represent hazards and prescribe how to respond to those conditions; API RP 556 and S84-TR5 list conditions that correspond to specific hazards and invite users to consider the applicability of those hazards. This table is of permissives these four standards have identified for allowing sequences to advance. Four of them are common to all four standards: 1.1 Fuel block valves proved closed 1.2 Absence of flame proved 1.3.1 Pre-purge flow proved 1.3.2 Pre-pure timer complete There are another five permissives that most of the standards share, and four that are unique to each document. None of the standards identify all of permissives, so it is taken together that BMS permissives are most thoroughly addressed. One of the principal fears that a BMS addresses is the fear that fuel is on when it was supposed to be off. This the fear the four common permissives address. The two permissives involving post purge flow also address this fear. Another of the principal fears that a BMS addresses is the fear that flame is off when it is supposed to be on. Permissives 1.4 through 1.8 all address conditions that contribute to a stable flame, conditions that should be satisfied advancing to the “normal running” state where the flame should stay on. The last of the principal fears that a BMS is supposed to address is the fear that process equipment will be unable to remove the heat generated by the burner and so will overheat. Both of the last two permissives involve checking that the process equipment can remove heat, either by having a sufficient level or by having a sufficient flow.

Interlocks – Ignition, Air, and Fuel
NFPA 85 NFPA 86 S84-TR5 API 556 2.1 Loss of flame  2.2 Loss of combustion air 2.3 Low furnace pressure 2.4 High furnace pressure 2.5 Low fuel pressure 2.5.1 Low fuel pressure – at pilot 2.5.2 Low fuel pressure – at main burner 2.6 High fuel pressure 2.6.1 High fuel pressure – at pilot 2.6.2 High fuel pressure – at main burner 2.7.1 Loss of atomizing medium N/A 2.7.2 Heated oil – Low temp/High visc 2.7.3 High heated oil temperature This table looks at the interlocks for burner conditions related to the fire triangle. The fire triangle—ignition source, oxidizer, and fuel—is the basis of combustion. In the case of burner management, during “normal running”, flame is desired and the fear is that it is off when it should be on. All of the interlocks in this table concern conditions that indicate that the flame is off or that indicate conditions where losing flame is likely. Four of the interlocks are common to all four standards: 2.1 Loss of flame 2.2 Loss of combustion air 2.5 Low fuel pressure (either in general, or at both pilot and main burner) 2.6 High fuel pressure (either in general, or at both pilot and main burner) These four interlocks each correspond to one of the legs of the fire triangle. “Loss of flame” is the fundamental issue, but also relates to losing the ignition source. “Loss of combustion air” clearly refers to losing the source of oxygen for the fire, while “low fuel pressure” refers to losing the source of fuel. “High fuel pressure” is not about the fuel but the pressure; the concern is that high pressures could blow the flame out, particularly if the fuel is a gas. Most of the standards are concerned generally with fuel pressure, while API RP 556 makes a point of looking at pilot and main burner pressure separately. Some of the standards consider other concerns related to the fire triangle. Furnace pressure can indicate low combustion air flow. For burners with induced draft, low furnace pressure indicates a closed upstream damper. For burners with forced draft, high furnace pressure indicates a closed downstream damper. Both conditions are surrogates for but not direct measures of low combustion air, which explains why some standards include them while some do not. For burners that use liquid fuels, there are also indications of problems with the fuel source. For very viscous fuels, loss of the atomizing medium can mean that the fuel will not burn properly. Likewise, a low fuel temperature or high viscosity on normally pre-heated viscous fuels can mean that the fuel will not burn properly. A high temperature on a preheated viscous fuel probably indicates a problem with the fuel source—perhaps that the fuel is running low. These are not applicable to API RP 556, since that standard is exclusively for use with gas-fired equipment.

Interlocks – Systems and Processes
NFPA 85 NFPA 86 S84-TR5 API 556 3.1 Loss of actuating energy  3.2 Power failure 3.3 Emergency Shutdown 4.1 Low (water) level 4.2.1 Excess (steam) pressure 4.2.2 Excess (water) temperature 4.3 Low process flow 4.4 High furnace discharge temp 4.5 High skin temperature There are two more categories of interlocks for which the standards have identified BMS requirements. One is system interlocks and the other is process interlocks. System interlocks are those safety functions that are installed to monitor system integrity and are designed to shut down the system if the integrity of the system is compromised. For systems that are designed as “de-energize to trip”, which is typically how systems are designed, a couple of them probably seem unnecessary. One of the system interlocks is one that shuts down the system on loss of actuating energy. By actuating energy, the standard is referring to the utility that causes final control elements to operate. In many cases, this is instrument air. However, it could be that final control elements are actuated with electricity or hydraulic fluid. The point is that if the system, or part of the system, cannot operate, the BMS should take the burner to the safe state. This is also true for a power failure. If the system, or part of the system, loses the power it needs to operate, the BMS should take the burner to the safe state. Three of the standards also call for emergency shutdowns that allow for an operator to trip the shutdown, regardless of the input from the system sensors. S84-TR5 does not have such a requirement because it recognizes that any safety function that depends on a human response in an emergency situation cannot achieve the reliability necessary to meet a SIL-rating. It is not that S84-TR5 does not permit emergency shutdowns, but that it takes no credit for them. Finally, the standards include some consideration for process interlocks. These all address the fear that process equipment will be unable to remove the heat generated by the burner and so will overheat. Depending on the process fluid and the process equipment, the best way to detect that the that process equipment has become unable to remove the heat generated by the burner and so will overheat varies. Flow or level are usually anticipatory; pressure and temperature are usually responsive. NFPA 85, which is for boilers and steam generators, focuses solely on the properties of water. API RP-556 offers the most options. Rarely is it necessary to use all of them. Instead, it is the condition or set of conditions that address this question that is most important.

Required BMS Functionality
Other BMS Requirements Required BMS Functionality Pre-purge volume – typically four or more system volumes Maximum response time of 4 sec Flame failure to de-energization (NFPA 85) Flame failure response (NFPA 86) External monitor (watchdog timer) Master fuel trip relay, with dedicated manual switches Double-block-and-bleed Post purge of at least 15 sec In addition to interlocks and permissives, the BMS standards also include other requirements to help assure that a user avoids situations where the fuel supply should be off but is not, the flame should be on but is not, the process equipment is overheated, and the BMS is prevented from working as it should. For some users, these serve to spare them the guesswork or the difficulty of figuring it out for themselves. This includes a minimum purge volume. Some standards call for a purge with a minimum of four system volumes; some standards call for more. This amount is not based on first principals. Instead, 4 volumes is a reasonably conservative estimate of the number of volumes that could be expected to reduce the concentration of accumulated fuel to a non-flammable concentration, regardless of the burner box configuration. The same can be said of 15 second post purges: this time is a reasonably conservative estimate by the standard of what could be expected to reduce the concentration of any accumulated fuel to a non-flammable concentration, regardless of the burner box configuration. Maximum response times are based more on what seems feasible than on what is technically required. Note that the requirements for NFPA 85 and NFPA 86 are different. NFPA 85 requires a 4 second maximum from detecting a flameout to de-energizing final control elements and allows another second for the final control elements to complete their action. NFPA 86 simply requires a 4 second maximum response time. The other two standards, as might be expected, simply suggest that response time be addressed. Some standards universally require double-block-and-bleed valve configurations, with no regard to risk or reliability. This may be another case of the standard sparing users the guesswork or the difficulty of determining when a double-block-and-bleed valve configuration was required. Other requirements, like watchdog timers and master fuel trip relays, are instances where specific technology solutions have been incorporated into the code. Watchdog timers are an old answer to the question “How do we know the system hasn’t locked up?” The question was far more relevant once, and there are other mechanisms to address it now. As for master fuel trip relays, the NFPA standards call for “an electromechanical relay utilized to trip all required equipment simultaneously when a master fuel trip is initiated.” Electromechanical relays were developed over a century ago and were considered state-of-the-art as recently as the early 1970’s. Now they are simply a holdover.

Standards Challenges Challenges & Goals SPECIFIC PRESCRIPTIONS
FLEXIBLE GUIDANCE “Nothing in this standard is intended to prevent the use of … equivalent or superior…effectiveness, durability, and safety over those prescribed by this standard.” Offering thorough guidance to neophytes Anticipating every possible application Discouraging users from “gaming” the standards Ensuring safety while maximizing availability Providing rigor while not stifling innovation Challenges & Goals The challenge of organizations that develop standards is relevance. Standards are only as useful to the extent they are accepted by the industries they seek to standardize. In the absence of any specifics they are not useful. In the case of being too restrictive, however, they will be ignored. Standards writers must balance the need to give specific requirements, especially to inexperienced users with no basis for making informed decisions of their own, with the need to give flexible guidance to those more sophisticated users that understand the intent and may be in a position to innovate or improve. Hazard assessments are a perfect example: The NFPA standards, particularly NFPA 85, neither require that end-users identify hazards nor allow end-users to determine that some hazards pose negligible risk. Nor do they require or allow a consideration of risk; the risk tolerance criteria are built into the prescriptive requirements of these standards. Another part of the challenge of relevance is in anticipating all the possible applications to which the standard will pertain. With only one application, the standard can be very specific. The more applications to which it pertains, the more general or more complicated a standard becomes, depending on the standard writers’ philosophy. Neither direction, excessive generality or excessive complexity, contribute to general acceptance. Writing a flexible standard has its own perils. Some users will see flexibility as an invitation to manipulate their systems to technically comply while avoiding the intent. In the case of BMS standards, the intent is to avoid the unsafe combustion conditions that history has shown again and again need to be of concern. A good standard needs to ensure safety while maximizing availability, to provide rigor while not stifling innovation. Finally, even as standards build on history, they must not cling too tightly to the past. Obsolete technologies were once state-of-the-art; problems that have been resolved and are now trivial once loomed large.

Industry Challenges Challenges & Goals Cost control Ensuring safety
Equipment reliability, and process availability Establish predictive maintenance Competency, training and evaluation Retirement of experienced maintenance and operations staff Develop process and safety expertise The challenge for the chemical process industries is to control costs while ensuring safety, equipment reliability, and process availability. (Note that in this context, the terms “availability” and “reliability” have different meaning than the terms have when used with respect to Safety Instrumented Systems.) Current practices to quantify SIS availability do not address how predictive maintenance analytics can be used to quantify improvements in SIS availability. (Some even argue that since the math described in the standards does not take predictive analytics into account, then quantifying SIS availability is “not allowed” by S84/IEC 61511) Surveys reveal that more than 80% of maintenance is reactive (too late) or preventive (unnecessary). In fact, typical maintenance practices for reactive, preventive, and predictive maintenance have not changed in over 15 years. The challenge for industry is to maintain its processes at the optimum level for productivity and safety, yet not spend too much or do too little. Other challenges for the industry include training staff on requirements for using new technologies; a high percentage of experienced maintenance and operations staff are expected to retire in next few years. Moreover, process and safety experts may be remote from the plant site – the industry needs communications that make location irrelevant. Both culture and competency must be considered as vital part of the design, implementation and operations process.

Vendor Challenges Challenges & Goals Improve asset performance
Reduce installed cost (CapEx) System design Installation Commissioning Operation/maintenance planning Reduce operational costs (OpEx) System simplicity Communications reliability Self-diagnostic functionality Reduce unscheduled downtime Streamline training In today’s economy, many manufacturers are under extreme pressure to continuously improve the performance of their assets. Metrics including return on CapEx and operational costs are being considered by the process engineering groups during early phases of project definition and into the design cycle. These metrics drive the budget for implementation, but how do these metrics contribute to the overall goal of reducing the cost of producing the product as expressed by OpEx? In some facilities, the most worrisome factor impacting the bottom line is the unscheduled downtime that results from equipment failure. This includes the downtime caused by operator and maintenance errors, as well as nuisance trips by process interlocks and safety instrumented functions. Factors that contribute to these nuisance trips include inadequate training of operations and maintenance personnel and insufficient or excess redundancy, depending on how the architecture is constructed. Traditionally, separate process control and safety systems were integrated using a variety of communications solution platforms. These separate systems were limited by the ability of the communication interfaces to transfer information back to operator and maintenance personnel. This communication bottleneck often stranded much of the data potentially available for safe and efficient operation of the facility. To complicate the support strategy, each separate system required its own operator interface and engineering workstation, and used different configuration and diagnostic tools. To make matters even more laborious, each system interface required the management of a unique database with interfaces to data historians, event historians and asset management systems.

Technology Challenges
Increase operator attention and avoid alarm overload Early identification of problems 20/20 diagnostics Integrate Control and Safety Instrumented Systems Integration of smart devices Avoiding unexpected shutdowns via device status Remote Verification and Calibration of Field devices Automated documentation of testing Wireless access to maintenance and SIS testing records Provide an audit trail for management of change What do these challenges mean to the technology of Safety Instrumented Systems in general, and Burner Management Systems specifically? Operator interfaces must employ human centered design principles that increase operator attention and avoid alarm overload (“alarm flooding”) during abnormal situations. Equipment will have predictive diagnostics for early identification of problems; assets will be “self aware”. They will be smart field devices and will have data integration from equipment to the CMMS/ERP. Smart field devices with the capability of communicating with the logic solver will reduce the amount of time that maintenance technicians will need to spend in the field, improving safety by minimizing exposure—”time at risk”. “Time at risk” for maintenance technicians will also be reduced by checking field device calibration status remotely and performing required calibrations remotely, again reducing the amount of time personnel are required to spend in the field, which also improves safety. Integration of smart devices within the SIS will provides device status and alerts that can be used to increase the availability of the SIS, reducing spurious trips, so avoiding unexpected shutdowns. This integration will not be just to the SIS but to the maintenance systems. Refinery maintenance and safety personnel will have wireless access to all maintenance and SIS testing records. For that matter, modern Safety Instrumented Systems will provide an audit trail to ease management of change with automated documentation of testing to address that aspect of regulatory compliance All of the above are available today. Call-To-Action: When a refinery considers modernization of their existing control system, upgrading their safety instrumented systems should be part of their plan. Integrated Systems

Defining the Integrated Solution
By implementing an Integrated Control and Safety System, what cost savings can be identified and measured from both the CAPEX and OPEX viewpoint when applying advanced technology to these various BMS standards? If traditional approaches to compliance with process safety standards are driving costs up and yielding diminishing returns, which control architecture can provide cost savings while enabling the unit to be started-up, operated, and shut down safely? Let’s review the options for a tightly Integrated Control and Safety System (ICSS) and define the advantages of integrating scalable redundancy, automated compliance, and on-line diagnostic testing to drive both CAPEX and OPEX cost savings in industrial flame management applications. This section will also demonstrate how the ICSS systems unique architectural framework provides cost savings through transparent communications between control schemes, safety systems, historical archiving, environmental reporting, and other subsystems required for the users to maintain, inspect, test and cost effectively operate the system in compliance with industry standards. Source: ARC Research Group

Features of Integration
Integrated Architecture Features of Integration Common Configuration Database User Security Management Program Audit Trail / Version Control Access Control with Audit Trail Management of Change Data Historian Sequence of Events Recording Asset Management Capabilities Automated Loop Checking Native File Process Simulation Multiple Cyber Security Options Field Device Health Monitoring ISA 18.2 Alarm Management Capability Native File Operator Training Systems “Integrated operations, engineering and maintenance functions for the DCS and SIS should be seamless:” The primary litmus test for an ICSS is that it has been designed from the ground-up as one system. A redundant broadband communication network must integrate all subsystems into a single control architecture, allowing direct communications between the control and safety functions and direct access to the event and asset management systems. The ideal ICSS will also be flexible and scalable, with the ability to add controllers and logic solvers on-line with no impact on system performance. Typical sub-systems of a modern ICSS include a redundant Ethernet based control network, distributed and scalable process controllers, distributed and scalable safety controllers, common human machine interfaces, a common engineering workstation environment and application servers. All operations, engineering and maintenance functions for the two systems are integrated including: Alarm handling Configuration Time synchronization User security Device health monitoring. Security management Access control Support for Multiple field busses Management of change tracking Audit trail / Version control Data Historian Sequence of Events Recording Asset Management Capabilities Native File Process Simulation Native File Training systems

Meeting Tight Project Schedules
ICSS Reduces Engineering Centralized configuration database High speed communication system Flexible redundancy to ensure availability Scalability from 25 to 100K I/O On click access to alarms, trends and on-line help screens Bulk import capability from 3rd party spreadsheet Embedded predictive diagnostics Enterprise access to data Multi-bus support Add additional system components without shutdown Meeting Tight Project Schedules The labor required to engineer and integrate these diverse systems increased the cost of the project. Considering the additional costs of installation and commissioning, as well as ongoing expenses to provide training and support, costs often ballooned exponentially. Today, manufacturer’s want to avoid highly engineered solutions that integrate divergent basic process control system (BPCS) and SIS solutions platforms, particularly if these systems come from different manufacturers. Twenty-first century economics dictate that speed of implementation stands as the new hallmark for project success, and that many projects are measured in terms of week and not months or years as previously accepted. Meeting tight project schedules often requires globally distributed project teams using secure communication technologies to support 24/7/365 project activities. While this can lead to CapEx savings, it requires that the ICSS architecture be designed with a common database and engineering environment to facilitate parallel and geographically distributed engineering activities. In such a diverse and fast moving engineering environment, the ICSS engineering database must include management-of-change and audit trail features. Without these two features in place, resources can be wasted in re-engineering and re-testing. Though it may not seem very important during the early engineering phases, having these two features in place helps ensure that the ICSS solution that is delivered on-site is “Approved for Construction.”

ICSS – Open Field Device Communication
Increasing safety by revealing a wider range of previously Dangerous Undetected failures in real-time HEALTH

ICSS Utilizes Intelligent Field Devices
Diagnostics & Alerts Plugged impulse line Reverse flow Calibration error Device health Empty pipe Sensor probe suspect RTD drift Travel pressure high Travel accumulation Cycle counter Valve signature Valve drive signal Signal saturation PV out of range Valve stem position Long term OpEx improvement begins with intelligent field devices. These devices can anticipate problems, report current device health, control variability and perform multiple measurements. In some cases, intelligent field devices can perform local control when necessary to maintain plant availability. Intelligent devices contain a wealth of diagnostic information, all available to the control and safety system. This information not only allows streamlining of maintenance efforts but can also provide for the timely distribution of actionable data to avoid nuisance trips. However, gaining access to all this data can become a challenge in the traditional distributed control system (DCS) architecture, especially when a DCS is paired with a separate safety control system. Without the open communications architectures found in today’s ICSS systems, mapping all of the available data becomes a cost barrier and resulted in valuable information being stranded at the field device. Because leading instrument manufacturers build intelligent devices to global industry standards, ICSS systems give users the freedom to choose the best devices from the best suppliers without being limited by proprietary technologies. Examples of diagnostic data and predictive maintenance alerts that are available to ICSS system from intelligent field devices include: Plugged impulse line Reverse Flow Calibration error Device health Empty pipe Sensor probe suspect RTD drift Travel pressure high Travel accumulation Cycle counter Valve signature Valve drive signal Signal Saturation PV out of range Valve stem position Long term OpEx improvement begins with intelligent field devices that anticipate problems, report current device health, control variability and perform multiple measurements.

ICSS & Smart Safety Instrumented Systems
Improved process reliability Flexibility to meet project needs Increased visibility into process Reduced engineering and complexity Simplified regulatory compliance A review of the Offshore Reliability Database (OREDA) shows that 50% of SIS malfunctions – failure to perform on demand – result from final element malfunctions. Another 42% of SIS malfunctions result from sensor malfunctions. Only 8% of SIS malfunctions result from logic solver malfunctions. Within the ICSS architecture, the SIS data and alarms should be capable of being displayed on the same operators interface as the BPCS. However, power supplies, communication channels, hardware, configuration software, and real-time operating systems should remain completely independent of the BPCS and any of its components and sub-systems. This will ensure the separation required by the API, ANSI/ISA and NFPA safety philosophies - including the divergence of both hardware and software platforms to minimize the opportunity for common mode failure. In addition, the smart SIS should utilize the intelligence embedded in the total SIS loop including sensors, logic solvers, and final control elements to increase overall system availability and to reduce risks.

X ICSS and Smart Safety – Diagnostics
Bad status HART PV Fixed Since Last Proof Test A smart SIS uses a holistic approach by diagnosing the sensors, logic solvers, and final elements ability to perform on demand. Topics relating to the compliance with combustion control safeguarding philosophies that a smart SIS can address with protective functions include control loops designed to prevent or mitigate the hazardous event, permissive functions and interlocks designed to prevent or mitigate the hazardous event, alarm management systems, and safety and protective functions. Safety and protective functions will typically include: Pre-ignition purge sequence permissives Ignition sequence permissives Loss of Flame High or Low Fuel Gas Pressure Loss of Combustion Air High Process Pressure but may include any of the safety and protective functions described earlier, even those not demanded by the standard in use.

Programming Standards
Smart Safety – Intelligent Function Blocks Programming Standards Built-in sequence of events handler with automatic first-out trapping. Built-in bypass handling Built-in override bundling Automatic MOC compliance to the API, IEC and ANSI/ISA standards File based off-line simulation and Operator Training Solutions Advanced alarm management system Asset Management interface. The SIS standards – IEC and ANSI/ISA alike – insist that an SIS logic solver operate with software that is rigorously developed and tested. When an SIS offers a full range of third-party certified, e.g. TÜV-certified, intelligent function blocks designed specifically for combustion control, configuration is simplified, and more importantly, so is validation. Ideally, combustion control function blocks would be capable of input bypass and output override management. These intelligent function blocks would minimize programming time and replace what used to be pages and pages of ladder logic programming with much simpler documentation. Truly smart SIS software would also include other capabilities that would enormously simplify the job of project execution: Voter blocks that simplify device upset and diagnostic condition handling Step sequencer State Transition Diagram (STD) blocks that allow logic solver configuration in this format when it is used Cause and Effect Matrix (CEM) blocks that allow logic solver configuration in this format when it is used Built-in sequence of events handler with automatic first-out trapping. Built-in bypass handling Built-in override bundling Automatic documentation of changes to aid in MOC compliance File based off-line simulation and Operator Training Solutions Advanced alarm management system Asset Management interface. These capabilities have the power to save hours of engineering over conventional ladder logic approaches, and to provide simple fill-in of state, transition inputs, and desired outputs, also saving hours of engineering. Sensors for pressure, temperature, flow and level play an important role in risk reduction strategy. It’s important to consider improvements in sensor and measurement technology as well as best installation and maintenance practices. A safety loop accumulates the weaknesses of all its components, so in an ICCS solution the entire safety loop – sensor, logic solver, and final element — should consist of smart devices. The use of smart devices throughout the safety loop delivers predictive diagnostics by replacing switches with transmitters. Smart transmitters have far fewer dangerous undetected failures than switches. In addition, the latest generation of smart measurement devices extends embedded diagnostics beyond the device and into the process. Today’s leading smart transmitters extend health diagnostics by going beyond detecting component failures. Smart transmitters evaluate the performance of the complete measurement system, extending diagnostics to detect formerly undetectable dangerous failures outside the physical bounds of the transmitter, thereby providing both transmitter and process diagnostics. The end result is lower probability of failure on demand, easier compliance with the standards, higher safe failure fractions, less redundancy, and less frequently required proof testing.

Program Standards & Functionality
Smart Safety – Reduces Engineering Program Standards & Functionality The ICSS should include intelligent function blocks specifically designed for combustion control. These function blocks should include facilities to define transitions from state-to- state during all phases of startup, normal operation and shutdown. The function blocks should be exactly the same as the intelligent field device function blocks. States Outputs Transitions State Transition Diagram Function Block Step Sequencer Function Block To be cost effective for process heater applications, the ICSS should include function blocks specifically designed for combustion control. These function blocks should be intelligent and include facilities to define transitions from state-to-state during all phases of startup, normal operation and shutdown. Unlike existing DCSs or Programmable Logic Controllers where complicated mapping for field function blocks to legacy data structures are required, the ICSS’s function blocks should be exactly the same as field device function blocks. This makes the system simpler to engineer and easier to maintain. Peer-to-peer control among field devices broadly distributes control and provides a higher degree of single-loop integrity. The ICSS should provide the complete freedom to choose where control schemes should be executed, either in the controller or at the intelligent field device. Ideally, this should be an drag-and-drop exercise and not require complex programming. Recently, industrial wireless communications have been made secure and robust enough to deploy intelligent field devices in locations too remote for hard wiring. This extends the ability of the ICSS to monitor remote process data and provides a communication pathway so that desired or required data is not stranded in the field. Reducing the manpower required to meet compliance issues is a big factor in the reduction of lifecycle operating costs. Including a Document Management and Workflow Execution tool set simplifies the management of test procedures required for the periodic validation of Safety System integrity. The workflow engine should guide the technician through a step by step procedure while capturing all of the data associated with the tests in real time, eliminating data entry errors. The engine should track who executed the test, the time it was started and completed, the pass/fail conditions and results along with the “as found” and “as left” parameter settings. Each executed test can then become an electronic PDF record that can be securely controlled in the document management system for later retrieval. Complicated mapping for field function blocks to legacy data structures should be avoided

Documentation & Regulatory Compliance
Safety Instrumented Function list Safety Requirement Specification SIL Verification Calculations Cause and Effect Table P&IDs SIS Logic Loop Diagrams Logic Solver Panel Design Factory Acceptance Test Site Acceptance Test Verification /Validation Checklist Functional Safety Assessment Installation and Commissioning QA/QC records Operating and Maintenance Procedures Executed Proof Test Procedures SIS Demand and Failure Tracking Log SIS Practice and Recording Audit Records MOC Records Training Records It is important to know what documentation is required and to consider the means of generation, archiving & support. The smart SIS begins and ends with field devices. Smart field devices provide the input that indicates when conditions are safe and when they are not, and provide the output to act when unsafe conditions are detected. And they do all this while monitoring the health of the entire SIS loop from sensor through the final control elements, affording non-disruptive actuator partial-stroke testing and spurious trip prevention. These devices utilize imbedded multiplexers to proactively communicate maintenance alerts. They also provide advanced diagnostic capabilities for sensors, logic solvers, and final control elements for both self-test and detection of abnormal situations in the surrounding process. When the smart SIS including sensors, logic solvers, and final elements are designed in accordance with IEC61508 and third-party certified, e.g. TÜV-certified, end-users are spared the burden of developing much of the documentation themselves. Especially when faced with the challenge of simultaneously complying with multiple standards, it helps to have a smart SIS with safety logic signature authorization, change management of safety logic and field device configuration/calibration, and security authorization of online trip point or bypass changes. A smart SIS increases the availability of an operating process by providing actionable response that allows users to convert dangerous undetected failures to detected failures in real-time, improving the probability of failure on demand, and by improving the safe failure fraction, reducing the need for potentially unnecessary redundancy. When the redundancy is necessary for complying with a standard, a smart SIS exploits that redundancy to increases system availability, avoid nuisance trips and increase uptime. Regardless, a smart SIS minimizes risky manual final element testing through automatic periodic testing, improves the probability of appropriate and timely operator response with advanced alarm management, and provides management of bypasses during startup sequences.

Conclusions – Standards Benefits
ISA TR-5 and API RP 556 provides the design guidance for: Process Heater Design Primary Measurement Devices Actuating Instruments Combustion Controls Protective systems Alarms ANSI/ISA 84 eliminates downtime by balancing the availability, safety and lifecycle aspects of the system Clarifies Risk Sets Detailed Design Requirements Defines Testing & Maintenance Requirements Operation Procedures The BMS standards that are now in general use are all valuable, first and foremost, in identifying the hazards of combustion. None is complete in its identification of “recognized hazards causing or likely to cause death or serious physical harm”, as the OSHA General Duty Clause puts it, but taken together, offer excellent guidance and direction. For those least familiar with hazards of combustion, the NFPA standards offer the firmest, most rigorous prescriptions, with NFPA 85 for steam generation and NFPA 86 for all other burner management systems. For some, corporate policies will dictate the use of these more traditional standards. For more sophisticated users, API RP 556 and S84-TR5 offer an alternative approach that places far more responsibility to make good decisions on the users. Neither purports to be a substitute for the traditional BMS standards, but the benefit of these newer standards is that they clarify the role of risk in the decision-making and highlight the requirements for the entire safety lifecycle of fired units: detailed design, testing, commissioning, operation, maintenance, and modification. Many will find that reconciling these design philosophies will not necessarily be more expensive, and in fact eliminate downtime by balancing the availability, safety and lifecycle aspects of the system. At the same time, API RP 556 and S84-TR5 offer enough in the way of specific guidance that even the most sophisticated burner operator will find something to learn in the sections on hazards and trip conditions. Both ISA TR-5 and ANSI/ISA 84 speak about the importance of highly qualified individuals and stress that competency is a vital part of the design, implementation, and operations process. Nonetheless, the opening section of API RP 556 points out that “Although it is no substitute for experience and proficiency in these fields, this document will be a help in achieving such experience and proficiency”.

Project and Development Cost Benefits
Conclusions – ICSS Benefits Project and Development Cost Benefits Reduced engineering costs from standardized engineering Lower implementation costs Reduced configuration management Reduced commissioning Remote verification Automated loop testing Device configuration Reduced training costs Automated documentation “The benefits of ICSS and intelligent field devices cannot be fully maximized unless the culture and the organizational competencies are thoroughly and completely developed.” When combined with the correct culture and organizational structure, a burner management system designed using ICSS technologies can make significant contributions to improving shareholder value by reducing both capital and operational expenditures. Implementing an ICSS is a proven strategy for implementing an all digital architecture. An ICSS optimizes plant performance by leveraging digital intelligence to connect the plant and control the process. Benefits include reduced capital and engineering costs, reduced operations and maintenance costs, increased plant availability, reduced process variability and enhanced safety and environmental compliance. ICSS project fiscal savings can come from a variety of sources spread along the entire project execution timeline. CapEx improvement opportunities include direct project savings, lower implementation costs, reduced configuration Management and better regulatory compliance. The ideal ICSS solution should provide make it easier to comply with regulations by completely integrating change management and generating, on demand, detailed documentation from its device audit trail, device calibration history, control and/or safety configuration audit trail, process history and event history. Commissioning costs are dramatically reduced as the ICSS auto-recognizes intelligent field devices and control hardware. The ICSS also automatically sets up the digital fieldbus, making deployment of intelligent field devices faster and easier. Additional commissioning areas realizing cost savings from an ICSS solution include proof testing, training and documentation. The ICSS should also provide automated performance monitoring complete with test results and documentation. Alongside the CapEx performance metric, and possibly more important, stands OpEx performance. After commissioning the process, plant efficiency comes from making more with less. Plants need to produce more product on-spec with less staff, less variability and less unscheduled downtime.

Operations & Maintenance Benefits
Conclusions – ICSS Benefits Operations & Maintenance Benefits Increased plant availability Reduced process variability Improved safety Automated regulatory compliance Integrated change management On demand documentation Audit trail Device calibration and history BPCS / SIS configuration Process history and event recording Human Centered Design 20/20 Maintenance avoid alarm overload “Under-performing assets are identified through HART Device Alerts, documented and acted upon before they can effect process availability. Predictive maintenance through asset management is the key to improving operating performance. Whether in the control room or the maintenance shop, advanced diagnostic information from asset management systems allows users to determine which intelligent field devices really need attention. Beyond the advanced warning of faltering equipment - asset management software suggests corrective action and streamlines every faucet of maintenance work including troubleshooting, diagnosing and calibration. With predictive maintenance, unnecessary trips to the field can be reduced by as much as 63% While more than 80% of maintenance is too late or unnecessary, little has changed in over 15 years. This is primarily the result of an insufficient tool-set capable of improving maintenance practices – a situation that a modern ICSS coupled with intelligent field devices can rectify. Digital technology has improved the accuracy, repeatability, and stability of primary measurement sensors – and embedded digital technologies also enable intelligent predictive diagnostics – a critical first step to achieving high-integrity process availability. Frequently, under-performing assets often go unnoticed until quality and/or rate became affected. When analyzers and transmitters are fitted with intelligent predictive diagnostics, under-performing assets and potential problems that may eventually result in off-spec product and/or an unscheduled shutdown are monitored and assessed by asset management software. If a problem is detected, such as a plugged impulse-line, an alert is automatically generated. Similarly, by using embedded sensors and advanced diagnostic algorithms, control valve-signature diagnostics can determine which control valves need attention during the next scheduled shutdown. But the features and capabilities of an ICSS and intelligent field devices cannot be fully maximized unless the culture, the organization and the competencies of the entire organization – engineering, operations and maintenance – are thoroughly and completely developed. Combining the right ICSS and intelligent field device technologies with highly trained and motivated staff will allow users to reap the full benefits of a modern burner management system. These benefits include improved performance along with substantial reductions in CapEx and OpEx.

Where To Get More Information
Contact Info Bluefield Process Safety Website ( DeltaV SIS Website ( If you have more questions, we would be pleased to hear from you. For more information about the standards—both SIS and BMS—we suggest you contact Mike at Bluefield Process Safety. For more information about ICSS, Chuck at Emerson Process Management is the best person to talk to. Or check out our websites. 38

… Questions and Comments Appreciated?
Thank you… … Questions and Comments Appreciated? Thank you.

What Now? More Standards for Safety and Regulatory Compliance

Similar presentations

Presentation on theme: "What Now? More Standards for Safety and Regulatory Compliance"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

What Now? More Standards for Safety and Regulatory Compliance

Similar presentations

Presentation on theme: "What Now? More Standards for Safety and Regulatory Compliance"— Presentation transcript:

Similar presentations

About project

Feedback