presentacion

THE RIGHT CHOICE www.WilsonMohr.com

Implementing a BMS via ISA TR 84.00.05“Guidance on the Identification of SafetyInstrumented Functions (SIF) in Burner Management Systems (BMS)”

Presented by: Steve Papp- Business Development Manager

Permission granted for ISA Houston Section Website

The ISA84 committee determined that it was appropriate to provide supplemental information on the application of hazard and risk analysis to Burner Management Systems (BMS). The purpose of ISA TR 84.00.05 is to provide users of ANSI/ISA-84.00.01-2004 with guidance on how to identify safety functions within the BMS. The presented work processes and illustrations are not intended to replace, but instead to supplement, the requirements of good engineering practices applicable to BMS, such as NFPA 85, NFPA 86, API 556, ASME CSD-1, and API RP 14C.

NOTE The example BMS architectures represent possible system configurations and should not be interpreted as recommendations. The configurations used in actual applications are specific to the operating environment and process conditions where they are used. As such, no general recommendations can be provided that are applicable in all situations. The user of the technical reportis cautioned to clearly understand the assumptions and data associated with the methodologies in the document before attempting to utilize the methods presented.


Fired equipment is found throughout the process industries in many applications, including various types of heaters and boilers, The hazards associated with burner operation are managed by an instrumented system commonly referred to as the burner management system (BMS). The BMS provides interlocks and permissives to prevent misoperation of equipment and to safely handle faults caused by equipment failure.

OUR PURPOSEIdentify and classify SIFs within typical BMSs for typical operating modes of fired equipment (e.g., pre-firing, light-off, shutdown, and normal operation);

Provide examples of typical safety assessments for the following equipment with BMSs: boilers (single burner), fired process heaters (multi-burner), thermal oxidizers, oil heater treaters and glycol reboilers.


Perm o gra ted for ISA Houston Section Website

The starting point for the technical report is a description of the measurements and actions taken by various BMS functions required by applicable practices.

• Not including all of the process measurements that can detect the hazardous condition• Including actions that are not required to achieve or maintain a safe state• Including measurements that do not detect the hazardous condition

The risk analysis process can be summarized as:1) Identify the hazardous event (e.g., the event that the SIF under consideration is preventing).2) Estimate consequence severity of the hazardous event.3) Estimate likelihood (or frequency) of the hazardous event, considering all credible initiating causes.4) Assess the process risk of the hazardous event as a function of its consequence severity and likelihood (or frequency).5) Compare process risk to the risk criteria to determine the risk reduction requirements.6) Identify safety functions required to achieve the risk reduction requirements.7) Assign a SIL to the SIF that meets the risk reduction requirements.


Operating Modes and Undesirable Events The various operating modes of the fired equipment should be considered during the analysis. Each operating mode may require specific protective layers.

a) Pre-firing cycle b) Light-off cycle c) Normal operation

Pre-firing cycleThe pre-firing cycle prepares the fired equipment for the introduction of fuel and light-off of the burners. The pre-firing cycle includes prevention of fuel entering the firing chamber and purging of the chamber to remove any residual hydrocarbon that may be present.

Excess Combustibles in the Firing Chamber

Fuel Valves Improperly Aligned (Permissive)Accumulation of Flammable Materials and Failure to Purge (Permissive)


Proceeding to the Light-Off cycle when the permissives are not satisfied:

Flame Detector Indicating Premature Presence of Flame (Permissive)

Low Fuel Gas Pressure (Permissive)

High Fuel Gas Pressure (Permissive)

Valves Not in Minimum Firing Position (Permissive)

Burner Header Fuel Gas Does Not Hold Pressure (Permissive)

Drum Level Not Proved or Failure of Drum Level Measurement (permissive)


Light-off CycleThe objective of the light-off cycle is to safely introduce fuel to the burner and ignite it. After ignition is attempted, existence of a stable flame is proven prior to moving to the normal operation mode. If a proven stable flame is not achieved in this phase, the light-off sequence will be stopped and the fired equipment will return to the pre-firing sequence.


Igniter Flame Not Proven Within a Specified Time (Trip)

Main Flame Not Proven Within a Specified Time (Trip)


Normal OperationThe normal operation phase of fired equipment occurs when a stable proven flame is used for process heating purpose. In this phase conditions that ensure stable operation of the flame are monitored to detect any deviations that might compromise the flame. If these conditions are detected various degrees of action may be taken to bring the process to a safe state.


High Fuel Gas Pressure (Trip)

Low Fuel Gas, Oil or Atomizing Steam Pressure (Trip)

Loss of Air Flow (Trip)

Loss of Flame (Unrelated to fuel gas pressure or air flow) (Trip)

Loss of Instrument Air or Primary Power (Trip)

High Pilot Gas Pressure (Trip)

Low Pilot Gas Pressure (Trip)


Loss of Water in Boiler Steam Drum (Trip)

Low Pass Flow (Trip)

High Firebox or Stack Temperature (Trip)

High Heater Pressure (Trip)

Loss of Level in Heater Treater or Glycol Reboiler Drum (Trip)

High Temperature in Heater Treater or Glycol Reboiler Drum (Trip)

Excessive Pressure in Oil Heater Treater (Trip)


Fuel Valve TripsWhile assessing shutdown of the heater, the actions taken to move the fired equipment to a safe state are common among many of the trips and permissivesdescribed previously. There are several types of heater trips that are utilized in industry. These trips are applied at different times depending on the hazardous condition that required the heater firing to be stopped. These shutdowns include: (1) Master Fuel Trip, (2) Main Fuel Trip, (3) Minimum Firing Trip, (4) Individual Burner Main Fuel Trip, (5) Individual Burner Main and Pilot Fuel Trip, and (6) Pilot Fuel Trip.

Master Fuel TripThe master fuel trip is the most comprehensive of the heater trips. The master fuel trip isolates all fuel sources to the greatest degree possible. This trip includes stopping both the main fuel source and pilot fuel source.


Individual Burner Valve TripsIn some cases, it is desirable to isolate fuel to an individual burner. This type of trip is performed when loss of flame occurs at an individual burner while the remaining burners remain operational.

Pilot Fuel TripIn some cases, only the pilot valves are required to be closed. This situation typically only occurs during a failed attempt to light the pilots.

Main Fuel Trip (Minimum Firing Trip)In some cases a comprehensive fuel trip is not required. When the hazardous condition that is being acted upon by the heater safety system is an excessively high temperature or other hazard that can compromise heater safety, but is not related to the release of unburned fuel, a main fuel trip or a minimumfuel trip may occur.


Other Safety Instrumented System Design Considerations

ResetANSI/ISA-84.00.01-2004 requires that once an SIF has placed a process into a safe state, it shall remain in the safe state until reset. The reset functionality is generally performed manually, but the actual equipment used to perform the reset can vary. The essential difference is the location of the reset. Resetting is typically performed in one of two methods, either through a device that holds the final element in its safe state until it is manually reset, or through the logic solver which maintains its outputs in the safe condition until an operator reset has been initiated.Manual Trip RequirementsANSI/ISA-84.00.01-2004 suggests that manual means of bringing a process to a safe state, independent of the logic solver, are provided. An independent manual master fuel trip is also a requirement of the referenced NFPA practices.


Example of a Hazard and Risk Analysis Applied to an Oil Heater Treater

Assumptions1) The Oil Heater Treater is a natural draft fired vessel.2) A continuous pilot is provided on the oil heater treater that is supplied with fuel gas that is shared with the main burner.3) The oil heater treater is assumed to be designed to operate in a de-energize to trip capacity.4) The P&ID sketch provided depicts the use of transmitters for measurement of various process conditions. Transmitters are typically used in new SIS applications because of the potential reduction in proof testing requirements and the additional diagnostic benefits associated with transmitters.5) The symbols used in the P&ID are based on ANSI/ISA–5.1 and have been modified from the simplified sketches presented in API RP 14C.6) Basic Process Control System (BPCS) instrumentation has not been completely depicted to simplify the P&ID and keep the focus on BMS related sensors and final elements.7) High oil/water treater level and low oil level were not addressed because they are associated with equipment either upstream or downstream of the fired component.8) The fusible plug loop fire detection system was deemed beyond the scope of this evaluation because the system involves the entire platform.9) The purpose and use of stand-alone safety devices, such as relief valve and stack flame arresters, are shown on the P&ID drawing; however, their functionality was not considered in the hazard analysis table. The risk reduction provided by these devices should be considered in the risk analysis for equipment of this type.


Design ConsiderationsThe following design considerations are applicable to the Oil Heater Treater:1) The low fuel gas pressure design consideration is applicable to the oil heater treater.2) The design considerations for the loss of control system actuating energy is applicable to the oil heater treater.3) Double actuated block valves are provided to isolate the fuel gas supply to the main burner.4) The fuel gas isolation block valves have been equipped with a closed position switch to allow for proper line-up in the pre-firing sequence. This position switch is in addition to the equipment presented in API RP 14C.5) A pressure transmitter has been added to the API RP 14C oil heater treater design located upstream of the pilot and main burner fuel gas isolation valves to provide detection of adequate fuel gas supply.

Sequence ConsiderationsThere are several permissives and sequence steps listed in clause 10.2 that should be considered for safe start-up of an oil heater treater. This list is not all-inclusive, but should provide a starting point for discussion on sequencing requirements for a safe oil heater treater start-up. The following consideration is listed as specific for this type of equipment as it is not implemented automatically as a SIF.1) The operator shall accomplish, via documented operating procedure, the confirmation of a successful purge of the firebox for the natural draft oil heater treater because no means of detecting air flow is provided.


Example Oil Heater Treater Process SchematicPermission granted for ISA Houston Section Website

presentacion

Documents

process risk

hazardous event

burner management system

process measurements

various bms functions

process heaters multiburner

process industries

process conditions