Fuel Safety Guide
Introduction
Combustion of fossil fuels has a long history in human civilization. It is still the dominant source of energy in today’s world, despite the rapid development of renewable energy. Energy-intensive industries such as petrochemicals and power generation rely on combustion applications in boilers, heaters, cogeneration systems, etc. If not handled well, industrial combustion is dangerous: it can cause fires and explosions with the potential for severe losses.
Because of the inherent high risk of combustion, a fuel safety code is established by the authority having jurisdiction to prevent incidents and protect the public. In Canada, the national fuel safety standard is CSA (Canadian Standards Association) B149.3, the code for the field approval of fuel-firing equipment. As a prescriptive standard, the code identifies detailed requirements for designing the valve train and Burner Management System (BMS). However, it does not include a supplementary explanation of why each requirement is specified, so simply reading the code does not provide a holistic understanding.
This article is intended as a reading guide to the fuel safety code for BMS designers and automation and control engineers; it discusses the rationale behind the fuel safety requirements on the BMS logic solver, safety shutoff valves, and safety limit detection. A BMS can be considered a special type of Safety Instrumented System (SIS). The functional safety concept of SIS provides a framework for understanding the BMS requirements in the fuel safety code.
Layered Protection
Similar to the Independent Protection Layer (IPL) concept in process safety, fuel safety is achieved by multiple IPLs. The Combustion Control System (CCS) acts as the first IPL, often implemented as part of the Basic Process Control System (BPCS). The CCS is responsible for firing load modulation to meet the heat and process demand, such as the steam header pressure in boilers. It also monitors the allowable range of operating parameters and generates alarms upon excursion.
The BMS provides the second layer of protection. It is responsible for starting and stopping burners safely. After burner light-off, the BMS sends a “release to modulation” signal to the CCS. The CCS then starts modulating control, while the BMS monitors operating parameters independently. If parameters indicate unsafe operation, the BMS generates critical alarms and initiates the burner shutdown sequence, which involves fuel isolation and purge of the furnace.
Typically, both the BMS and the CCS are composed of a logic solver (microprocessor-based or hardwired relay logic), sensing elements (transmitters) and final elements (valves). Each system should be designed with dedicated components in order to meet the independence requirement of IPLs. The BMS and CCS provide the instrumented protection layers with automatic control actions. Other protection layers involve manual intervention and emergency response by human operators, and mechanical relief devices such as pressure relief valves.
The controls requirements in the fuel safety code are mainly for the BMS. With the development of microprocessor-based Programmable Logic Controllers (PLCs), new BMS installations are mostly implemented on PLCs. The complexity of PLCs can lead to unpredictable failures if they are not designed and manufactured to an industry standard. For this reason, the fuel safety code identifies requirements for using PLCs as BMS logic solvers (see section 9.7 of the code): the PLC must be certified to the IEC 61508 functional safety standard, and the BMS must be designed according to the safety manual of the PLC. Such certified PLCs, often referred to as safety PLCs, have a lower failure rate, a predictable failure state, and redundant components for higher availability.
As in the SIS architecture, the logic solver acts as the brain of the BMS. To complete a Safety Instrumented Function (SIF) loop, it also needs sensing elements to detect unsafe conditions and final elements to carry out protective actions. The next two sections discuss the requirements on sensing and final elements in the fuel safety code.
Safety Limit: Hazard Detection Requirement
There are many potential hazards to consider in industrial combustion processes. The biggest hazards are fire and explosion. Fire can be defined as a rapid chemical reaction between a fuel and an oxidant, which is often uncontrolled and undesirable. To distinguish the two, the controlled fire in a burner is called a flame. An explosion is a rapid expansion of gases that results in a shock wave. This section lists three common causes of fire and explosion and how the fuel safety code specifies requirements to detect them.
1) Improper Startup Sequence
Many explosion incidents happen because of an improper sequence during burner startup, such as an ignition attempt without a valid purge, repeated failed ignition attempts, etc. The fuel safety code lists the proper startup sequence that must be implemented in the BMS logic (see sections 9.1, 9.2, and 9.3 of the code). For example, before a burner can be started, the firebox must be purged. A proper purge requires that the source of fuel is isolated and verified, that dampers are fully open for a sufficient purge flow rate, and that multiple volume changes are completed to purge out flammable substances.
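The purge interlock described above, as an added illustration in Python (not code from the CSA standard or any BMS product); the firebox volume, purge flow, required number of volume changes and minimum airflow are constructed design parameters:

```python
"""Purge-complete permissive for a burner startup sequence.

Added illustration, not code from the CSA code or any BMS product. Assumed
design: purge progress is counted as firebox volume changes computed from
measured purge airflow; firebox volume, rated purge flow, required number
of volume changes and minimum airflow are constructed design parameters.
"""
from dataclasses import dataclass


@dataclass
class PurgeSample:
    fuel_ssvs_proved_closed: bool  # closed-limit switches made on all fuel SSVs
    dampers_fully_open: bool       # damper open-limit switch made
    purge_airflow_pct: float       # measured airflow as % of rated purge flow
    seconds: float                 # time represented by this sample


@dataclass
class PurgeTimer:
    firebox_volume_m3: float
    rated_purge_flow_m3_per_s: float
    volume_changes_required: float
    min_airflow_pct: float = 70.0  # assumed minimum flow for a valid purge
    purged_volume_m3: float = 0.0

    def step(self, s: PurgeSample) -> str:
        """Advance the purge by one sample: 'RESET', 'PURGING' or 'COMPLETE'."""
        permissive = (s.fuel_ssvs_proved_closed and s.dampers_fully_open
                      and s.purge_airflow_pct >= self.min_airflow_pct)
        if not permissive:
            # Any loss of a purge permissive invalidates the purge so far
            self.purged_volume_m3 = 0.0
            return "RESET"
        self.purged_volume_m3 += (self.rated_purge_flow_m3_per_s
                                  * s.purge_airflow_pct / 100.0 * s.seconds)
        if self.purged_volume_m3 >= self.firebox_volume_m3 * self.volume_changes_required:
            return "COMPLETE"
        return "PURGING"


def run_purge(timer: PurgeTimer, samples: list) -> str:
    """Feed chronological samples to the timer; return the final purge status."""
    status = "RESET"
    for s in samples:
        status = timer.step(s)
    return status


if __name__ == "__main__":
    # Constructed scenario: 100 m3 firebox, 2 m3/s rated purge flow, 4 changes
    t = PurgeTimer(100.0, 2.0, 4.0)
    print(run_purge(t, [PurgeSample(True, True, 100.0, 30.0)] * 7))  # COMPLETE
```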
2) Heat Damage Leading to Tube Rupture
Excessive heat to heater tubes can lead to tube rupture, with flammable gas entering the firebox and resulting in fire and severe damage. Excessive heat can be caused by overfiring or lack of tube cooling. Heater tubes are cooled by process fluid; boiler tubes are cooled by water flow. The fuel safety code requires temperature and pressure limit controls to prevent overfiring; it also requires detection of low process flow or low water drum level to prevent tube damage from lack of cooling (see section 9.4 of the code).
3) Flame Instability
Flame must be continuously monitored by the BMS. On loss of flame, the fuel safety shutoff valves must be closed immediately to prevent accumulation of a combustible mixture in the firebox (see section 9.1.1 of the code). Besides flame-out, flame instability can also lead to problems such as flashback and flame liftoff. Flashback occurs when the velocity of the air-fuel mixture is lower than the flame speed; as a result, the flame travels back inside the burner and causes heat damage. Conversely, a higher velocity of the air-fuel mixture can cause flame liftoff, which can lead to flame-out or a pulsing flame. Therefore, matching the air-fuel mixture velocity with the flame speed is critical to maintaining flame stability. The burner manufacturer usually provides the allowable operating range of fuel and air pressures, and the BMS must ensure these pressures are kept within range (see section 9.5 of the code).
Fuel Isolation: Valve Train Requirement
The purpose of a valve train is to deliver fuel to burners and isolate fuel when needed. The isolation function is achieved by multiple layers of safety shutoff valves and manual valves.
There are two types of requirements for the valve train: requirements that apply regardless of burner size and requirements that vary with burner size. For example, all valve trains must start with an appliance manual isolation valve and have a pressure regulator or controller (see sections 5.1 and 5.2 of the code); all safety shutoff valves must be certified for gas service per the specified code (see section 5.3 of the code). But the configuration of automatic safety shutoff valves for the pilot and main burner differs based on burner size.
The automatic safety shutoff valves can be considered the final elements of a Safety Instrumented Function (SIF). In the SIS design process, a SIF is assigned a target Safety Integrity Level (SIL) based on the risk of the hazard, the risk tolerance, the existing non-SIS IPLs, and the resulting risk gap. The SIF closes the risk gap by achieving the target SIL, and the components of the SIF are selected to meet that SIL.
The automatic safety shutoff valve requirement follows a similar design process. The risk of a hazard is the potential consequence of an incident multiplied by its probability of occurrence. For fuel appliances, the significance of the consequence is proportional to the heat energy release rate of the appliance, which is directly related to the fuel consumption rate. The probability of occurrence, however, is not quantified by the fuel safety code. Therefore, the risk of the fuel appliance is based solely on the energy release rate, which determines the selection and configuration of automatic safety shutoff valves. In the discussion below, heat energy release rate is referred to as burner size.
The automatic safety shutoff valves can have the following variations in configuration:
1) Number of Shutoff Valves
Valves can be single, double, or double block and bleed. The quantity of shutoff valves indicates the redundancy of the final elements and determines the tolerance of the BMS to valve failures. A BMS with a single shutoff valve has no redundancy and cannot tolerate a valve failure. Double shutoff valves can tolerate one valve failure. The additional bleed valve can tolerate a partial valve leak failure, as it provides the path of least resistance to prevent fuel from leaking into the firebox. As the burner thermal size increases, the number of shutoff valves increases accordingly.
2) Valve Limit Switches
Valve limit switches provide positive confirmation of valve closure. The BMS can monitor valve limit switches and alarm the operator if a valve fails to reach the closed position. The BMS can also combine the valve command output and the limit switch to calculate the valve close and open travel times. Degradation of valve travel time can reveal hidden and partial valve failures. The functional safety standard indicates that detection of hidden and partial failures by diagnostics can reduce the component's probability of failure on demand and thereby increase the Risk Reduction Factor (RRF) and SIL of the SIF. Therefore, valve limit switches need to be installed as the burner size goes up.
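The travel-time diagnostic described above, as an added Python illustration (not code from the standard or any BMS product); the event log, baseline stroke times, timeout and tolerance are constructed values:

```python
"""Valve stroke-time diagnostic from the BMS command output and limit switches.

Added illustration, not code from the CSA code or any BMS product. The event
list, baseline stroke times, timeout and tolerance are constructed values.
"""


def stroke_times(events, timeout_s):
    """Pair each valve command with its limit-switch confirmation.

    events: chronological (t_seconds, signal, value) tuples, where signal is
    "cmd" (1 = open, 0 = close), "closed_ls" or "open_ls" (1 = switch made).
    Returns [(direction, travel_seconds or None)]; None means the switch was
    not made within timeout_s, i.e. the valve failed to reach position.
    """
    results = []
    pending = None  # (direction, t_cmd, switch_expected)
    for t, sig, val in events:
        if sig == "cmd":
            if pending is not None:
                results.append((pending[0], None))  # new command before confirmation
            direction = "close" if val == 0 else "open"
            pending = (direction, t, "closed_ls" if val == 0 else "open_ls")
        elif pending is not None and sig == pending[2] and val == 1:
            travel = t - pending[1]
            results.append((pending[0], travel if travel <= timeout_s else None))
            pending = None
    if pending is not None:
        results.append((pending[0], None))  # commanded but never confirmed
    return results


def assess(travel_s, baseline_s, tolerance=0.25):
    """Classify one stroke against the commissioning baseline."""
    if travel_s is None:
        return "FAIL_TO_TRAVEL"  # critical alarm: valve did not make position
    if travel_s > baseline_s * (1.0 + tolerance):
        return "DEGRADED"        # maintenance alarm: hidden/partial failure developing
    return "OK"


# Constructed event log for one safety shutoff valve: (seconds, signal, value)
EVENTS = [
    (0.0, "cmd", 0), (1.2, "closed_ls", 1),
    (10.0, "cmd", 1), (12.5, "open_ls", 1),
    (20.0, "cmd", 0), (21.9, "closed_ls", 1),   # closing slower than baseline
    (30.0, "cmd", 1), (31.5, "open_ls", 1),
    (40.0, "cmd", 0),                           # close commanded, never confirmed
]
BASELINE_S = {"close": 1.0, "open": 2.0}       # constructed commissioning values


def diagnose(events=EVENTS, timeout_s=5.0):
    """Return (direction, verdict) for every stroke in the event log."""
    return [(d, assess(s, BASELINE_S[d])) for d, s in stroke_times(events, timeout_s)]
```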
3) Double Block and Bleed or Valve Leak Test
As mentioned above, the bleed valve provides protection against a partial valve leak failure. Alternatively, a valve leak test can detect leaking failures prior to burner light-off. The leak test is a sequence logic that uses pressure measurements at various positions in the valve train to monitor pressure changes and calculate the valve leakage rate. The fuel safety code includes an informative section for designing the valve leak test sequence (see Annex F of the code).
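A pressure-decay leak rate calculation of the kind described above, as an added Python illustration rather than the Annex F procedure itself; it assumes a pressure transmitter on the section between two automatic block valves and treats the gas as ideal and isothermal, with all numbers constructed:

```python
"""Two-stage valve-train leak test from pressure-decay measurements.

Added illustration, not the code's Annex F procedure or any vendor sequence.
Assumed arrangement: a pressure transmitter on the closed section between the
upstream and downstream block valves; the leak rate is derived from the
isothermal ideal-gas pressure change in that section. Numbers are constructed.
"""

P_ATM_KPA = 101.3


def leak_rate_m3_per_h(section_volume_m3, p_start_kpa_g, p_end_kpa_g, duration_s):
    """Volumetric leak rate at atmospheric pressure from an isothermal pressure
    change in a closed section of known volume (ideal-gas assumption).
    Positive = gas leaving the section, negative = gas entering it."""
    dp_kpa = p_start_kpa_g - p_end_kpa_g
    return section_volume_m3 * dp_kpa / P_ATM_KPA * 3600.0 / duration_s


def leak_test(section_volume_m3, stage1, stage2, max_leak_m3_per_h):
    """Run both stages and judge each block valve.

    stage1: (p_start, p_end, seconds) with the section vented then closed in;
            a pressure RISE means the upstream valve is passing.
    stage2: (p_start, p_end, seconds) with the section pressurised then closed
            in; a pressure DROP means the downstream valve is passing toward
            the burner. Returns per-valve rates and an overall pass flag.
    """
    upstream = -leak_rate_m3_per_h(section_volume_m3, *stage1)   # rise -> positive
    downstream = leak_rate_m3_per_h(section_volume_m3, *stage2)  # drop -> positive
    return {
        "upstream_m3_per_h": upstream,
        "downstream_m3_per_h": downstream,
        "pass": max(upstream, downstream) <= max_leak_m3_per_h,
    }


if __name__ == "__main__":
    # Constructed: 0.05 m3 section, 60 s holds, 0.1 m3/h acceptance limit
    print(leak_test(0.05, (0.0, 2.0, 60.0), (20.0, 19.5, 60.0), 0.1))
    print(leak_test(0.05, (0.0, 2.0, 60.0), (20.0, 15.0, 60.0), 0.1))
```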
Summary
This article tries to uncover the structure and rationale of the fuel safety code requirements for BMS designers. It uses SIS architecture and functional safety concepts to interpret the code requirements on the BMS logic solver, hazard detection, and valve train. We hope this brief introduction helps automation and control engineers understand the fuel safety code better and incorporate its requirements in BMS design.
References
[1] CSA Group, B149.3-15: Code for the Field Approval of Fuel-related Components on Appliances and Equipment, Toronto: CSA Group, 2015.
[2] Basic Fundamentals of Safety Instrumented Systems, online: http://www.pacontrol.com/safetysystems
[3] C. Baukal, Jr. (Ed.), The John Zink Hamworthy Combustion Handbook: Design and Operations, Vol. 2, Ch. 1, New York: CRC Press, 2013.