controls instruments polagye

7/28/2019 Controls Instruments Polagye

1/29

SIS and BMSAn Insurance Carriers Perspective

ABMA Annual MeetingPresented by M. C. Polagye, January 14, 2006


2/29

Boiler Safety Systems

Burner Management System (BMS)prevent fuel

explosions

Low Water Protectionprevent dry firing

Over-pressure Protectionprevent steam/water

explosions


3/29

Current Boiler Safety Codes & Standards

ASME Boiler & Pressure Vessel Code, Sections I & IV NFPA 85, Boiler and Combustion Systems Hazards

Code ASME CSD-1, Standard for Controls and SafetyDevices for Automatically Fired Boilers

National Board Inspection Code Others

ANSI Z21.13/CSA 4.9, Gas-Fired Low PressureSteam and Hot Water Boilers

Insurance RecommendationsFM Global PropertyLoss Prevention Data Sheets


4/29

These standards tell:

What needs to be done for safe boiler operation.

Some prescriptive guidance on how to do it.

Reliance is placed on the competent engineer to designa system that meets the intent of the standards/codes.


5/29

BMS

Prescriptive Guidance/Requirements

A hardwired/separately wired system from operatingcontrols.

Input checking Separate transmitter for safety system

Exception for some signals such as drum level,furnace pressure, and air flow.

No intermittent trip signals to SSOVs Functional test at installation, annually, and following

maintenance or upgrades/changes.


6/29

When a PLC is used for BMS Logic Fail safe design External watchdog timer

Output checking

Internal diagnostics

Redundancy

Logic is protected from unauthorized changes

No logic changes performed while on-line

Quick response to trip conditions

Independent of other logic systems

Logic is non-volatile

Independent Hardwired manual emergency shutdownswitch


7/29

Performance Based Standards IEC 61508, Functional safety of electrical/electronic/

programmable electronic safety-related systems

IEC 61511, Functional safety - Safety instrumentedsystems for the process industry sector

ANSI/ISA-84.00.01, Functional Safety: SafetyInstrumented Systems for the Process Industry Sector ISA-TR84.00.02, Safety Instrumented Functions

(SIF)Safety Integrity Level (SIL) Evaluation

Techniques ISA-TR84.00.05(Draft), The Application of

ANSI/ISA 84.00.01 for Safety InstrumentedFunctions (SIFs) in Burner Management Systems


8/29

Performance Based Criteria

No prescriptive rules apply Identify the undesirable event

Look at the damage/consequence if the event occurs

Look at the likelihood of occurrence if no safety system

is provided Look at the available independent layers of protection

Determine if a Safety Instrumented Function (SIF) isrequired

Determine the required Safety Integrity Level (SIL)appropriate for the risk the event presents

Design a Safety Instrumented System (SIS) to achievethe SIL


9/29

The undesirable event

BMSExcess combustible vapors in the furnaceenclosure

Low Water Protection SystemLoss of water in boilersteam drum

Overpressure Protection SystemExcessive pressurein steam drum/boiler


10/29

Consequence

BMSDevelopment of explosive mixture, contact withan ignition source, explosion causing mechanical

damage to boiler with possible injury to nearbypersonnel

Low Water Protection SystemMechanical damage toboiler (one or more tube ruptures) with possible injuryto nearby personnel

Overpressure ProtectionPressure part failure,possible failure of steam drum, with possible injury tonearby personnel


11/29

Likelihood if no safety system is provided

Fuel explosionhigh

Dry firingmoderate to high

Overpressurelow (safety valves)


12/29

Independent Layers of Protection


13/29

Independent Layers of Protection

Fuel explosionnone

Dry firingmay have two

Low level alarm and operator interventionLow-low level alarm with operator manual shutdown

Overpressuremay have three

Safety valvesHigh pressure alarm with operator interventionHigh-high pressure alarm with operator manual

shutdown


14/29

Is a SIF required?

Fuel explosionYes, no independent layers ofprotection.

Dry firingYes, even at constantly attended boilers,operators may not be available when needed to performthe required shutdown.

OverpressureYes, unnecessary popping of safetyvalves increase probability of leakage and maintenancecosts.


15/29

Safety Integrity Level (SIL)


16/29

SIL

Fuel Explosion

Moderate damage

High probability

No independent layers ofprotection

SIL 3


17/29

SIL

Dry Firing

Minor to severe damage

High probability

Up to two independent layersof protection

With two layers SIL N/A

With no layers SIL = 2 or 3


18/29

SIL - Overpressure

Minor to sever damage

High probability ofoccurrence

One to three independentlayers of protection

Three layers SIL N/AOne layer SIL = 1 or 2


19/29

Designing to Achieve Required SIL


20/29

Approach to Calculating SIL

Sensor

Transmission to processor

Input module

Processor

Output module

Transmission to final element Final element (SSOVs)

Determine the probability offailure of each component

Evaluate impact of commonfailures

Determine system probability

of failure on demand for eachSIF


21/29

Component Probability of Failure

Safe detected

Safe undetected

Dangerous detected

Dangerous undetected


22/29

SIFs for BMS (Gas Firing)

Low fuel gas pressure (igniter or pilot) High fuel gas pressure (igniter or pilot)

Low fuel gas pressure (main burner) High fuel gas pressure (main burner) Purge air flow adequate Igniter flame proven within trial for ignition period

Main flame proven within trial for ignition period Low air flow Loss of flame Loss of control system power (air and/or electric)


23/29

Determining Probability of Failure on Demand

Complex process

Evaluation Techniques (ISA-TR84.00.02)SIL of SIF

Equations

Fault tree analysis

Markov analysisPFD of Logic solvers

Markov analysis


24/29

Prescriptive Design Requirements

Advantages

Easy to determine ifrequirements are met.

The same design/logic appliesregardless of manufacturer/components.

Standardized design.

Disadvantages

Restrictive of technology.

Requires labor intensivewiring and cables.

No real measure ofeffectiveness/reliability.


25/29

Performance Based Design

Advantages

Allows latest technology to beused.

A separate stand-alone PLC isnot required.

Reliability can be quantified.

Disadvantages

Each system is unique andre-invents the wheel.

The analysis is complex.

Data on probability of failureor mean time to failure isoften not available.

Each time a differentcomponent is selected, theanalysis has to be rerun.


26/29

Performance Based Design Results

Anecdotal evidence that SIL reliability requirementsresult in systems that are more complex with moreredundancy than that commonly found in prescriptivesystems.


27/29

FM Global 10 Year Boiler Loss History

Peril/Event Number ofLosses

%

Loss Amounts%

Fire 5 3

Explosion 11 67

Electrical 1 Nil

Mechanical Breakdown 6 6

Pressure Failure 77 24


28/29

Other Observations

With programmable systems, the most common losscause has been software/programming errors.

With each installation re-creating logic, the chancesfor these errors increase.

Some of the most dramatic losses have been the resultof DCS lock-up.


29/29

FM Global Supports use of SIL for SIS DS 7-45, Instrumentation and Control in Safety

Applications

Approval Standard 7605, Approval Standard forProgrammable Logic Control (PLC) Based BurnerManagement Systems

For BMS both prescriptive and performance basedsystems will be accepted

controls instruments polagye

Documents