PLC for steam boilers


Thread Starter

PK Kochi

It is planned to replace the existing PLC used for the Burner management system (BMS) and other related interlocks of a group of 4 steam boilers in one control room with a new Safety PLC. The question is, as per the latest applicable standards related to ESD PLC in boiler applications, whether one PLC can be used for all the 4 boilers and also whether one PLC is exclusively required for BMS and another one for the balance interlocks.
 
First we need to know which country so we know the appropriate standard.

Interesting question whether you can put everything in the one PLC. A few years ago one prominent safety "guru" related to the 61508/11 committee said "If you can defend that decision in court (all in one PLC), then go ahead". That argument has quietly disappeared as a number of control system suppliers combine the safety trips within the Boiler logic, and argue that this is okay because the memory is in separate sections!

I do not agree with the concept of one "safety" PLC for 4 boilers. Keep them separate. Also not sure what you mean by "balance interlocks". What are they?

Tell us some more but be prepared for a deluge of replies from suppliers and "gurus" selling you fear.

Behind all this, as I have said many times before, is Good Engineering Practice as well as the diligent use of hard wired trips. By the way, why do you want to change, and how long has the existing system been operational?
 
Thanks .. Mr. Allan Evans,

In reply to your post:

The country is India.

The 'balance Interlocks' refers to interlocks other than those connected to the burners directly, like the Feed water pump, Fuel oil pumps, FD fan, etc. Coming to the reason for change, the existing one is more than 15 years old with frequent operator console failures, cramped marshaling panel wiring making it difficult for Maintenance and no space for any new additions. Also the existing one is not a 'safety' PLC.

Could you please elaborate on 'diligent use of hard wired trips'?
Looking for more comments!!
 
Hi

We operate four 122te/hr Nat Gas and Hydrogen fueled boilers that were built a few years ago to comply with 61508 in the UK.
The 'control' for the boilers and the balance of plant is via an Emerson DeltaV DCS with a separate controller for each boiler.

The BMS is a Hima H51q, one for each boiler, with hardwired links between the DCS for interlocks and control and serial links for other data transfer.

All of the safety critical trips and interlocks (SIL 1 and above) are in the BMS (as are most of the non-critical ones).

This set up works very well with a high level of diversity. It also means that as the BMS is physically separate from the DCS and uses different programming software, the safety functions cannot be affected by DCS programmers. (very important for SIL rated systems)

If I was building the plant today, I would consider a SIS (BMS) hardware that was closely integrated into the DCS hardware infrastructure such as DeltaV SIS (most of the major vendors have similar offerings).

This makes it easier to transfer data between the two, as serial links can be time consuming to set up and alter in the future, and the DCS programmers can assist with fault finding using the BMS logic (the BMS software will still be write protected).

Hope this helps.
Steve
 
"How many PLCs for 4 boilers?" has nothing to do with the BMS requirement or the SIL requirement.

It is all about availability/reliability of the system. How much availability do you want for your system? Maybe you need to ask yourself what will happen if the whole system failed, meaning all boilers will be tripped at the same time; what is the impact of that? Consider, for example, each two boilers in one system, these sorts of questions.

regards
hawiya [at] gmail.com
 

Bart Schaminee

Steve,

I agree with you. Go for best practice of segregated SIS per boiler and select a small SIS.

IEC 61508/61511 does not say anything about boiler control. These are guidelines. EU law says you need to follow best practices in time.
NFPA is USA related. I can recall the nr. (85.1 or 86.1 or else) are described especially for boilers.

I would start with using common sense. Where is the regulatory control and DCS likely to cause failing? Ensure your FMEA is correct and let it be signed off by your boiler supplier. Any TUV-certified system for boiler applications is sufficient if your FEED and Safety study is done correctly.

Good luck.
 
I'm really surprised that there isn't some widely accepted standard for burner management systems and their implementation. In my opinion, for every boiler, there must be a fail safe system (that includes fail safe CPU of PLC and fail safe I/O). A burner management system can also be implemented in the plant's DCS, but in that case, the CPU that contains the program and the I/O modules must be at least SIL 2 certified. I'm not an expert with SIL standards, but a rule of thumb is to go with SIL 2 whenever the probability of equipment destruction is much higher than the risk for personnel.

In any case, the BMS (burner management system) must be a fail safe system. This applies equally to field equipment (fail safe design of valves with springs, transmitters that are guaranteed to go upscale or downscale in case of error) as well as to PLC equipment.

In my experience (and I have seen at least a dozen burner management system PLC implementations), for one fail safe transmitter or valve you should use redundant channels on separate PLC I/O cards. In my opinion this costs a lot of money, but you'll sleep and live better. No matter how small the probability of failure is, it is always better to ensure the safe state of your boiler.

Hope this helps.
 
The question of how many boilers per PLC, as mentioned earlier in the thread, is a question of process availability requirements. The question of combining the BMS and control in the 1 PLC is more interesting. The control system is in itself a layer of protection. The BMS is there to provide risk reduction for failures that are not detected and acted upon by the control system. If you combine the 2 in one PLC a system failure removes both layers of protection. NFPA 85 also prohibits this practice on all but simple single gas burner systems.
 