Recognizing Burner Management Systems as Independent Protection Layers in Process Hazard Analysis

Best Practices and Standards for Crediting Fired Equipment
by Karen Morton, P.E., Hargrove Controls & Automation SIS Technical Consultant
Process hazard analysis (PHA) is the foundation of safe plant design: it systematically identifies hazards and establishes the protective layers that mitigate them. Accuracy is essential, because overlooking or miscrediting an existing safeguard distorts the risk assessment and can leave a critical hazard unaddressed. Safety instrumented systems (SIS) are often the primary focus of PHA facilitators, but other safety systems, such as burner management systems (BMS), also reduce risk and must be accounted for. A comprehensive PHA that complies with the applicable safety standards credits every protective system, BMS included, rather than focusing solely on the SIS.
Crediting Fired Equipment Protection Systems in PHA
Fired equipment – boilers, heaters, incinerators, and thermal oxidizers – burns fuel for steam generation, emissions control, or process heating. Such equipment relies on combustion controls and safety interlocks, which play roles analogous to a basic process control system (BPCS) and an SIS respectively.
Burner management systems are the critical safety layer for fired equipment. A BMS enforces startup permissives (for example, a completed pre-ignition purge) so that fuel is not admitted under unsafe conditions, and executes safety trips that close the fuel safety shutoff valves when a hazardous condition arises. Trips are typically initiated by fuel pressure deviations, loss of combustion air, flame failure, or loss of a utility such as instrument air or control power.
Combustion controls differ from the BMS in function. They typically run in the BPCS and hold the unit at its normal operating point, while the BMS acts as an independent protective layer that intervenes only when an abnormal condition occurs. Some combustion control systems include an alarm layer, giving operators a chance to respond before a variable reaches its trip setpoint.
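The permissive-and-trip behaviour described above, as an added example that is not code from the page or from any vendor's BMS. It models a single-burner BMS in Python: the trip conditions double as startup permissives, a trip closes the fuel valves and latches until an operator reset, the first cause is captured as the first-out, and flame loss trips after a flame failure response time. Every setpoint, timer and signal name (the fuel pressure limits, the purge and trial times, the instrument air input) is an assumption chosen for illustration, not a value taken from NFPA 85.

```python
"""Added example, not code from the page or any vendor's BMS: a simplified model of
the burner management logic described above (startup permissives, latched trips,
flame failure timing, first-out capture). Setpoints and timers are assumptions."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import List

class State(Enum):
    OFF = "off"          # fuel safety shutoff valves closed, waiting for start
    PURGE = "purge"      # pre-ignition air purge timer running
    TRIAL = "trial"      # trial for ignition: fuel admitted, waiting for flame
    RUN = "run"          # flame proven, normal firing
    TRIPPED = "tripped"  # latched shutdown; operator reset required

@dataclass
class Inputs:
    fuel_press_psig: float
    comb_air_flow_pct: float
    flame_detected: bool
    inst_air_ok: bool = True   # utility failure example: instrument air
    start_cmd: bool = False
    reset_cmd: bool = False

# Hypothetical limits and timers (assumptions, not values from any standard)
FUEL_PRESS_LOW, FUEL_PRESS_HIGH, COMB_AIR_MIN_PCT = 5.0, 25.0, 25.0
PURGE_S, TRIAL_S, FFRT_S = 60.0, 10.0, 4.0

def active_trips(i: Inputs) -> List[str]:
    """Every trip condition present this scan, in evaluation order."""
    checks = [(i.fuel_press_psig < FUEL_PRESS_LOW, "fuel pressure low"),
              (i.fuel_press_psig > FUEL_PRESS_HIGH, "fuel pressure high"),
              (i.comb_air_flow_pct < COMB_AIR_MIN_PCT, "loss of combustion air"),
              (not i.inst_air_ok, "instrument air failure")]
    return [cause for hit, cause in checks if hit]

class BMS:
    def __init__(self) -> None:
        self.state, self.first_out, self.timer_s = State.OFF, None, 0.0

    def fuel_valves_open(self) -> bool:
        # De-energize-to-trip: the valve output is held only while lighting or
        # firing; any other state (and loss of the logic itself) drops it.
        return self.state in (State.TRIAL, State.RUN)

    def _trip(self, cause: str) -> None:
        self.first_out = cause   # first-out: the cause that tripped the unit
        self.state, self.timer_s = State.TRIPPED, 0.0

    def scan(self, i: Inputs, dt: float = 1.0) -> State:
        causes = active_trips(i)
        if self.state == State.TRIPPED:
            # Latched: clearing the cause is not enough, a reset is required
            if i.reset_cmd and not causes:
                self.state, self.first_out = State.OFF, None
        elif self.state == State.OFF:
            # The same conditions act as startup permissives
            if i.start_cmd and not causes:
                self.state, self.timer_s = State.PURGE, 0.0
        elif causes:
            self._trip(causes[0])
        elif self.state == State.PURGE:
            self.timer_s += dt
            if self.timer_s >= PURGE_S:
                self.state, self.timer_s = State.TRIAL, 0.0
        elif self.state == State.TRIAL:
            self.timer_s += dt
            if i.flame_detected:
                self.state, self.timer_s = State.RUN, 0.0
            elif self.timer_s >= TRIAL_S:
                self._trip("failure to ignite")
        else:  # RUN: trip when flame is lost for the flame failure response time
            self.timer_s = self.timer_s + dt if not i.flame_detected else 0.0
            if self.timer_s >= FFRT_S:
                self._trip("flame failure")
        return self.state

def demo() -> dict:
    """Constructed scenario: blocked start, normal light-off, low fuel pressure
    trip, cause clears without reset (valves stay closed), then reset."""
    bms = BMS()
    idle = Inputs(fuel_press_psig=12.0, comb_air_flow_pct=60.0, flame_detected=False)
    blocked = bms.scan(replace(idle, comb_air_flow_pct=10.0, start_cmd=True)).value
    bms.scan(replace(idle, start_cmd=True))            # permissives met -> purge
    for _ in range(60):
        bms.scan(idle)                                  # purge timer -> trial
    lit = replace(idle, flame_detected=True)
    running = bms.scan(lit).value                       # flame proven -> run
    bms.scan(replace(lit, fuel_press_psig=3.0))         # low fuel pressure trip
    tripped, first_out, valves = bms.state.value, bms.first_out, bms.fuel_valves_open()
    latched = bms.scan(lit).value                       # cause cleared, no reset
    after_reset = bms.scan(replace(lit, reset_cmd=True)).value
    return {"blocked_start": blocked, "running": running, "tripped": tripped,
            "first_out": first_out, "valves_after_trip": valves,
            "latched": latched, "after_reset": after_reset}
```

Two properties of this model matter when the layer is credited later in the PHA: the fuel valve output is energized only in the two firing states, so a failed logic solver or lost control power drops the valves closed, and a trip cannot clear itself when the process variable recovers, so the first-out record survives until an operator acts on it.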
Evaluating whether a BMS qualifies as an independent protection layer (IPL) is critical for accurate risk assessment. While fired equipment safety standards establish key safety requirements, determining IPL credit requires additional evaluation, including factors such as system reliability and effectiveness in mitigating specific hazards. Ensuring that all safeguards are properly credited strengthens a facility’s overall risk mitigation strategy.
Standards and Codes for Fired Equipment
When conducting a PHA for fired equipment, facilitators must identify the applicable safety standards. Three primary organizations govern BMS standards: the National Fire Protection Association (NFPA), the American Society of Mechanical Engineers (ASME), and the American Petroleum Institute (API).
- NFPA and ASME Standards: NFPA 85 and ASME CSD-1 provide requirements for boiler safety. Which one applies depends on the fuel input rating:
- NFPA 85 applies to boilers with a fuel input rating of 12.5 million Btu per hour or greater
- ASME CSD-1 (sections CG-120 & CG-140) applies to smaller boilers below this threshold
- API Standards and Performance-Based Approach: NFPA 85 has historically been a prescriptive standard that defines specific requirements for compliance, whereas API's recommended practices, which build on ANSI/ISA 84 and IEC 61511, follow a performance-based approach.
- A prescriptive standard outlines specific requirements that must be followed
- A performance-based standard defines the desired safety outcome but allows flexibility in how facilities achieve compliance
- To accommodate this flexibility, NFPA 85 includes an equivalency clause that allows alternative methods, such as API Recommended Practice 538 or the safety lifecycle of IEC 61511, to be used to meet its safety requirements
Clarifying SIL Capability in NFPA Standards
Recent NFPA updates regarding safety integrity level (SIL) capability of equipment have caused confusion among engineers and operators. Many mistakenly believe that every burner management system (BMS) logic solver must meet SIL requirements, but this is not the case.
What does SIL-capable mean? A SIL is a discrete level (1 to 4) of the risk reduction a safety function must deliver, expressed for low-demand functions as a band of average probability of failure on demand. A device or logic solver is SIL-capable when it has been assessed against IEC 61508 as suitable for use in a safety function up to that level, covering its failure-rate data, hardware fault tolerance, and systematic capability. A SIL-capable component does not by itself give the installed function a SIL; that depends on the whole loop, its voting, and its proof-test interval, which is what IEC 61511 addresses.
Key points regarding SIL capability and BMS compliance include:
- NFPA does not require all BMS logic solvers to be SIL capable
- The misconception originated when transmitters began replacing switches in BMS trip functions, offering advantages such as setpoint trending and improved diagnostics
- In response, NFPA 86 and NFPA 87 introduced a requirement: if transmitters are used in place of switches in a safety function, they must be SIL-capable per IEC 61508
- More recently, attention has shifted to the logic solver, but SIL capability is required only where combustion control and BMS are combined in a single logic solver
- The NFPA annex explicitly states that NFPA’s reliability requirements do not trigger IEC 61511 safety instrumented function documentation compliance
Understanding these distinctions is critical when applying standards to fired equipment in a PHA. Determining whether SIL capability is required, and distinguishing between prescriptive and performance-based standards, ensures compliance while avoiding unnecessary complexity in system design.
Other Factors in Meeting Criteria of Independent Layers of Protection
While NFPA compliance establishes important safety requirements, compliance alone does not automatically qualify a system as an independent protection layer in a PHA. Additional factors must be evaluated to determine whether a BMS, or any other protective system, meets the necessary reliability criteria.
Many facilities have internal procedures for crediting non-SIS protective layers, but system reliability depends on more than procedural guidelines. Factors such as equipment age, complexity, and maintenance history affect performance. For example, a decades-old boiler protection system may not provide the same level of protection as a newly installed one, even if both meet the NFPA standards.
To assess whether fired equipment protection systems can be credited as IPLs, PHA facilitators should consider:
- Equipment reliability
- Record of past system issues, including any fuel supply issues, instrument failures, or unexpected trips
- Equipment maintenance track record
- Equipment history of inspections and performance
These factors determine whether a system can be credibly relied upon as an independent protective layer. They sit alongside the basic test of independence: a BMS trip credited as an IPL must share no sensor, final element, or logic solver with the initiating cause or with another layer already credited for the same scenario. Evaluating reliability beyond compliance ensures that every credited safeguard provides meaningful risk reduction.
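The SIL-capability discussion above and the reliability factors just listed come down to one calculation: what average probability of failure on demand (PFDavg) the installed trip function actually achieves, because that is the value a LOPA credits. The following is an added example, not code or figures from the page, from NFPA, or from IEC. It uses the simplified IEC 61508 low-demand approximations for 1oo1 and 1oo2 voting; the failure rates, proof-test intervals, initiating event frequency, and risk target are constructed illustrations and the function names are my own.

```python
"""Added example, not text or code from the page, NFPA or IEC: the arithmetic a
PHA/LOPA team uses to turn a BMS trip function's failure data into a PFDavg, a
SIL band and a credited risk reduction. Simplified IEC 61508 low-demand
approximations; all rates, intervals, frequencies and targets are constructed."""
from typing import Dict, Sequence

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands (IEC 61508-1): (SIL, PFDavg lower bound, upper bound)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def pfd_1oo1(lambda_du: float, ti_h: float) -> float:
    """1oo1 PFDavg ~ lambda_DU * TI / 2 (dangerous undetected failure rate per
    hour, proof-test interval in hours, perfect proof test, repair time ignored)."""
    return lambda_du * ti_h / 2.0


def pfd_1oo2(lambda_du: float, ti_h: float, beta: float) -> float:
    """1oo2 PFDavg ~ ((1-beta) lambda_DU TI)^2 / 3 + beta lambda_DU TI / 2.
    beta is the common-cause fraction; with beta = 0 a redundant pair looks
    better than two identical valves on one fuel line ever will."""
    independent = ((1.0 - beta) * lambda_du * ti_h) ** 2 / 3.0
    common_cause = beta * lambda_du * ti_h / 2.0
    return independent + common_cause


def sil_band(pfd: float) -> int:
    """SIL whose PFDavg range contains pfd; 0 means worse than SIL 1."""
    if pfd < 1e-5:
        return 4
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def sif_pfd(sensor: float, logic_solver: float, final_element: float) -> float:
    """The function's PFDavg is the sum of its three subsystems (series)."""
    return sensor + logic_solver + final_element


def lopa(initiating_per_yr: float, ipl_pfds: Sequence[float],
         target_per_yr: float) -> Dict[str, float]:
    """Mitigated frequency = initiating frequency x product of credited IPL
    PFDavg values. rrf_gap > 1 means more risk reduction is still required."""
    mitigated = initiating_per_yr
    for p in ipl_pfds:
        mitigated *= p
    return {"mitigated_per_yr": mitigated,
            "rrf_gap": max(1.0, mitigated / target_per_yr)}


def low_fuel_pressure_trip(ti_years: float, redundant_valves: bool) -> Dict[str, float]:
    """Constructed case: one pressure transmitter, one logic solver, and either
    one fuel safety shutoff valve or two voted 1oo2 (beta = 0.1). The rates are
    assumed lambda_DU values per hour, not vendor or database figures."""
    ti_h = ti_years * HOURS_PER_YEAR
    sensor = pfd_1oo1(2e-7, ti_h)
    logic = pfd_1oo1(5e-8, ti_h)
    valve_lambda = 1e-6
    valves = (pfd_1oo2(valve_lambda, ti_h, beta=0.1) if redundant_valves
              else pfd_1oo1(valve_lambda, ti_h))
    total = sif_pfd(sensor, logic, valves)
    return {"pfd": total, "sil": sil_band(total), "rrf": 1.0 / total}


def worked_case() -> Dict[str, dict]:
    """Same hardware, different proof-test discipline: the credit a PHA team
    can take depends on the maintenance record the text says to examine."""
    annual = low_fuel_pressure_trip(ti_years=1.0, redundant_valves=False)
    deferred = low_fuel_pressure_trip(ti_years=3.0, redundant_valves=False)
    redundant = low_fuel_pressure_trip(ti_years=1.0, redundant_valves=True)
    # Assumed scenario: fuel regulator failure at 0.1/yr, tolerable frequency
    # 1e-4/yr, the BMS trip as the only credited IPL.
    scenario = {"annual": lopa(0.1, [annual["pfd"]], 1e-4),
                "deferred": lopa(0.1, [deferred["pfd"]], 1e-4)}
    return {"annual_test": annual, "three_year_test": deferred,
            "annual_1oo2_valves": redundant, "lopa": scenario}


if __name__ == "__main__":
    for name, result in worked_case().items():
        print(name, result)
```

With these assumed rates the same hardware lands in the SIL 2 band when proof-tested annually and in the SIL 1 band when testing slips to every three years, which is why the maintenance and inspection record matters as much as the nameplate; a SIL-capable transmitter or logic solver only bounds what the loop can achieve, and the final element usually dominates the total. The `rrf_gap` value is the extra risk reduction the PHA team still has to find from another independent layer when the BMS trip alone does not reach the target.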
Challenges and Misconceptions in Burner Management System Compliance
Burner management systems (BMS) are often misunderstood, particularly regarding their role in safety compliance and their relationship to SIS requirements. One common misconception is that all BMS functions must comply with IEC 61511. In reality, SIL capability applies only in specific cases, such as when combustion control and BMS are integrated into a single logic solver. NFPA standards do not require standalone BMS logic solvers to be SIL capable.
Another challenge in BMS compliance involves legacy equipment. Older systems may not meet current standards or provide the level of reliability required of an independent protection layer. In some cases, PHA facilitators may recommend system upgrades or alternative safeguards to improve reliability, ensure compliance with current NFPA standards, or raise safety performance beyond regulatory requirements. Some facilities voluntarily upgrade their BMS to SIS standards, even when not required, to align with corporate risk management policies or to manage safety functions consistently across different systems.
Addressing these misconceptions and challenges is essential for accurately crediting BMS as a protective layer in a PHA and ensuring the system provides reliable protection within the facility’s overall safety framework.
Best Practices for Assessing a BMS in a PHA
To ensure a BMS is properly credited as an independent protection layer (IPL) in a PHA, it must be evaluated in the context of specific risk scenarios. Simply complying with standards does not automatically mean the BMS provides effective risk mitigation; it must be capable of preventing or mitigating the identified hazard.
One key consideration is whether the BMS protects against the specific hazard in the scenario. For example, if air movement within a plant carries flammable gas from another area toward a fired heater, the heater's hot surfaces remain an ignition source even after the burners have been shut down. In that scenario the BMS provides no protection, because it responds only to conditions within the burner itself. PHA facilitators must also assess how the BMS interacts with the other protection layers, such as the distributed control system (DCS) and the safety instrumented system (SIS), and which functions, such as flame detection and fuel shutoff, the BMS itself provides.
Selecting a qualified PHA facilitator is essential for accurately assessing a BMS. The ideal expert should have both technical expertise and hands-on field experience, particularly in sensor technologies, system limitations, and valve performance. Understanding pressure, temperature, and flow sensors, as well as valve selection and safety functions, is crucial for evaluating system reliability.
Beyond technical expertise, a PHA facilitator must also demonstrate leadership and communication skills to effectively collaborate with plant employees. Ultimately, once the facilitator’s work is done, it is the plant employees who will operate the system and manage any risks identified in the PHA. Ensuring that the PHA process includes clear documentation and training helps maintain long-term safety and compliance.
Conclusion
Burner management systems (BMS) play a critical role in protecting fired equipment, but if not properly accounted for in a PHA, facilities may overlook key hazards or misjudge risk severity. This can lead to gaps in protection, increasing the risk of equipment failures, fires, or explosions.
Properly crediting BMS as an independent protection layer (IPL) ensures a more accurate risk assessment and strengthens a facility’s overall safety strategy. Hargrove Controls & Automation can help you fully integrate your BMS into the PHA process, ensuring compliance with safety standards, improved risk mitigation, and a safer operating environment.
Contact us today to get help with your next PHA facilitation.