
Specification for a Burner Management System

Table of Contents
1 Instructions to Bidders
2 Scope of Work
3 Process Equipment Overview
4 Burner Management System Overview
  4.1 Applicable Codes and Standards
  4.2 Preliminary Layout Diagrams
  4.3 Preliminary I/O Count
  4.4 Interfaces to Other Systems
5 Safety Requirements Overview
  5.1 IEC 61508 Certified CPU
  5.2 IEC 61508 Certified I/O Modules
  5.3 BMS and Control System Separation
  5.4 Safety Manual
  5.5 External System Watchdog
  5.6 Safety Functions
  5.7 Master Fuel Trip Relay
  5.8 Emergency Stop Switches
  5.9 Bypass Functions
  5.10 Alarms
6 Environmental Specification Requirements
  6.1 Heat
  6.2 Humidity
  6.3 Mechanical Shock and Vibration
  6.4 Electrical Noise Immunity
    6.4.1 Electro-Static Discharge
    6.4.2 Radio Frequency Interference
    6.4.3 Fast Transients (Burst Pulses)
    6.4.4 Power Line Surge
7 Electrical Requirements
  7.1 Electrical Area Classification
  7.2 Electromagnetic Compatibility (CE Compliance)
  7.3 Wiring and Cabling
  7.4 Cabinet and Workstation Grounding
  7.5 Module Hot-Swap Capability
8 Hardware Requirements
  8.1 CPU
    8.1.1 IEC 61508 Certification
    8.1.2 Support for BPCS and Combustion Control
    8.1.3 Redundancy
    8.1.4 Memory
    8.1.5 Diagnostics
    8.1.6 System Power
    8.1.7 Scan Rate
    8.1.8 Voting of Inputs and Outputs
  8.2 I/O Modules
    8.2.1 Technology
    8.2.2 IEC 61508 Certification
    8.2.3 Redundancy
    8.2.4 Diagnostics
    8.2.5 Online Modification
  8.3 Cabinets
  8.4 Field Terminations
  8.5 Emergency Stop Switches
  8.6 Human Machine Interfaces
    8.6.1 Local Operator Station
    8.6.2 Control Room Stations
    8.6.3 PC
    8.6.4 Monitors
9 Communication and Networking Requirements
  9.1 Safety Fieldbus
  9.2 Communication between BMS systems
  9.3 Communication to field devices
  9.4 Communication Between the BMS and BPCS
  9.5 Communication Between the BMS and Other Safety Systems
  9.6 Communication Between the BMS and Third-Party Systems
  9.7 Communication Between Field Devices
10 Application Software Requirements
  10.1 IEC 61508 Certified Function Block Library
  10.2 Program Security
  10.3 Configuration Tools
    10.3.1 Configuration Languages
    10.3.2 Function Blocks
    10.3.3 Sequential Function Charts
    10.3.4 Cause and Effect Programming
  10.4 Configuration Management
    10.4.1 General Requirements
    10.4.2 Version Management
    10.4.3 Comparison Tool (Version Cross Manager)
    10.4.4 Show Changes Prior to Download
    10.4.5 Change Log
  10.5 Integrated Historian
    10.5.1 Backing Up the Database
  10.6 Alarm System
    10.6.1 Alarm Message Display
    10.6.2 Alarm Priorities
    10.6.3 Alarm Acknowledgement
    10.6.4 Alarm Suppression
    10.6.5 Alarm Response Procedures
  10.7 Human Machine Interfaces
    10.7.1 Security
    10.7.2 Displays
    10.7.3 Display Navigation
    10.7.4 Trend Displays
    10.7.5 Bypass Switches
    10.7.6 Configuration Capabilities
    10.7.7 Screen Composition Favorites
  10.8 Revisions
  10.9 Licensing
11 Terms and Conditions

1 Instructions to Bidders
Table 1 provides basic instructions for submittal of the bid.

General Project Information
  Project Name:
  Location of Jobsite: City, State, Country (if not USA)
  Estimated Project Start Date: mm/dd/yy
  Required Project End Date: mm/dd/yy
General Bid Information
  Bid Due Date and Time: mm/dd/yy hh:mm (specify time zone)
  Number of Proposal Copies Required:
  Person to Receive Bid: Name, Title, Mailing Address, Email Address
  Primary Contact for Supplemental Commercial Information: Name, Title, Mailing Address, Email Address, Phone Number
  Primary Contact for Supplemental Technical Information: Name, Title, Mailing Address, Email Address, Phone Number
Table 1: Instructions to Bidders

The proposal must contain the information listed below, at a minimum, to allow for a
comprehensive and fair evaluation of the proposal:
- List of standard system documentation provided
- System architecture drawing showing the quantity and functional arrangement of major
  system components.
- Bill of material for all major system components including quantities, make, model and
  part numbers.
- Product specifications for each item on the bill of material.
- List of all technical and commercial clarifications and exceptions to the specification
  referenced to the appropriate section of the specification.

Note: Major system components include processors, I/O modules, power supplies, operator
interfaces at a minimum.

2 Scope of Work
This specification defines the minimum mandatory requirements for a burner management
system (BMS) and associated software and support services.
This specification excludes basic process control system hardware and software for combustion
control, field instrumentation, auxiliary systems, and management information systems. It also
excludes all application software configuration, job-site assembly and installation services for
the BMS.


3 Process Equipment Overview


Table 2 provides an overview of the fired equipment the burner management system will be
responsible for controlling.

General
  Equipment name:
  Equipment number:
  Location: Inside, outside uncovered, outside covered
  Type of fired equipment:
    Furnace (select NFPA class A, B, C, or D)
    Oven (select NFPA class A, B, C, or D)
    Thermal Oxidizer
    Single Burner Boiler
    Multiple Burner Boiler
    Duct Burner
    Fluidized Bed Boiler
    Stoker
    Pulverized Fuel System
    Heat Recovery Steam Generator (HRSG)
  Type of draft: Natural, forced, induced, balanced
Environment
  Ambient Temperature (Min / Max):
  Ambient Humidity (Min / Max):
  Additional Comments:
Fuel
  Burner fuel #1: Fuel oil, fuel gas, natural gas, pulverized fuel
  Burner fuel #2: Fuel oil, fuel gas, natural gas, pulverized fuel (if applicable)
  Burner fuel #3: Fuel oil, fuel gas, natural gas, pulverized fuel (if applicable)
  Will the equipment fire dual fuels simultaneously?: yes / no
  Pilot fuel #1: Fuel oil, fuel gas, natural gas
  Pilot fuel #2: Fuel oil, fuel gas, natural gas (if applicable)
Burners
  Number of burners for fuel #1:
  Number of burners for fuel #2: (if applicable and uses different burners than fuel #1)
  Number of burners for fuel #3: (if applicable and uses different burners than fuel #1 or #2)
  Burner Atomization Medium Used: Steam, air, mechanical, none
Pilots
  Number of pilots for fuel #1:
  Number of pilots for fuel #2: (if applicable and uses different pilots than fuel #1)
  Pilot Atomization Medium Used: Steam, air, mechanical, none
Igniters
  Number of burner igniters:
  Class of burner igniters: Class I, II, III, III Special
  Number of pilot igniters:
  Class of pilot igniters: Class I, II, III, III Special
Flame Scanners
  Number of flame scanners:
Combustion Air
  Number of blowers:
  Number of dampers automatically actuated:
Pulverized Fuel System
  Number of feeders:
  Number of pulverizers:
  Number of air dampers:
  Pulverizer inerting system type: (if applicable)
Auxiliary Systems
  Flue gas recirculation?: yes / no
  Combustion air preheat?: yes / no
  Reburn Fuel?: yes / no
  Selective Catalytic Reduction (SCR)?: yes / no
  Flue Gas Path Auxiliary System?: yes / no
Table 2: Process Equipment Overview

4 Burner Management System Overview


4.1 Applicable Codes and Standards

At a minimum, the burner management system shall comply with the latest edition of the
following codes and standards:
Item # | Document # | Document Title
N1 | ANSI/ISA 84.00.01: 2004 (IEC 61511: Mod) | Functional Safety: Safety Instrumented Systems for the Process Industry Sector
N2 | ISA-TR84.00.05: 2009 | Guidance on the Identification of Safety Instrumented Functions (SIF) in Burner Management Systems (BMS)
N3 | IEC 61508: 2000 Parts 1 to 7 | Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
N4 | IEC 61131-3:2003 | Programmable controllers - Part 3: Programming languages
N5 | NFPA 85: 2007 | Boiler and Combustion Systems Hazard Code
N6 | NFPA 86: 2007 | Standard for Ovens and Furnaces
N7 | NFPA 87: 2011 | Fluid Heaters
N8 | NFPA 70: 2011 | National Electrical Code (NEC®)
N9 | ANSI / API RP 556: 1997 | Instrumentation and Control Systems for Fired Heaters and Steam Generators

Table 3: Applicable Codes and Standards

4.2 Preliminary Layout Diagrams

Preliminary diagrams detailing the typical physical arrangement of the burner management
system major components shall be supplied. Note: Major system components include
processors, I/O modules, power supplies, operator interfaces at a minimum.

4.3 Preliminary I/O Count

Table 4 provides the anticipated I/O count for the burner management system.

Type of Signal | Number of Signals

AI
DI
AO
DO
Total
Table 4: Preliminary I/O Count

I/O for all BMS safety critical functions shall be SIL 3 rated.
End User Note: The I/O count should include all I/O associated with both field-mounted devices
and operator interface devices. It should also include any spare capacity required.

4.4 Interfaces to Other Systems

The BMS will interface to other control systems. Table 5 provides information regarding these
interfaces.

  | System 1 | System 2 | System 3
Connection type (RS-232, RS-422, Modbus, Ethernet, PROFIBUS, OPC, etc.) | | |
Number of soft inputs to be read by BMS CPU | | |
Number of soft outputs to be written by BMS CPU | | |
Table 5: Interfaces to Other Systems

To ensure interoperability and reliability, all interface components shall be supplied by the BMS
manufacturer.

5 Safety Requirements Overview


5.1 IEC 61508 Certified CPU

Since the BMS will most likely contain safety instrumented functions, the CPUs provided shall
be IEC 61508 certified to be SIL 3 capable as required by the ANSI/ISA 84.00.01: 2004 (IEC
61511: Mod) standard.

5.2 IEC 61508 Certified I/O Modules

Since the BMS will most likely contain safety instrumented functions, the I/O modules provided
shall be IEC 61508 certified to be SIL 3 capable as required by the ANSI/ISA 84.00.01: 2004
(IEC 61511: Mod) standard.

5.3 BMS and Control System Separation

The NFPA 85 and 86 standards require the BMS to be independent and physically separate
from the combustion basic process control system ( BPCS ). Since the BMS will most likely
contain safety instrumented functions, the ANSI/ISA 84.00.01: 2004 (IEC 61511: Mod) standard
will also require this independence and separation.

5.4 Safety Manual

The ANSI/ISA 84.00.01: 2004 (IEC 61511: Mod) standard requires equipment manufacturers to
provide a safety manual for all IEC 61508 certified equipment. Therefore, a safety manual must
be provided for all IEC 61508 certified equipment provided as part of this project.
The safety manual for hardware must define how the equipment can be safely applied and
clearly list the limitations of use applicable to the equipment. For application software, the
safety manual must comply with the requirements of section 12.4.4.7 of the ANSI/ISA 84.00.01:
2004 (IEC 61511: Mod) standard:
The safety manual shall address the following items as appropriate:
a) use of diagnostics to perform safe functions;
b) list of certified/verified safety libraries;
c) mandatory test and system shutdown logic;
d) use of watchdogs;
e) requirements for, and limitations of, tools and programming languages;
f) safety integrity levels for which the device or system is suitable.
Each safety manual shall be provided in either electronic or hard copy format.

5.5 External System Watchdog

NFPA 85 and 86 requirements for monitoring the logic solver for failure shall be met by
providing a watchdog circuit that is external to the CPU. This external system watchdog circuit
shall meet the following:
- independently monitor the CPUs and trip the MFT relay if a CPU failure is detected.
- be SIL 3 rated.

5.6 Safety Functions

The standards referenced in Section 4.1 require the BMS to be capable of providing the
following safety functions:
- Purge interlocks and timing
- Flame proving and monitoring
- Safety shutdowns
Function blocks that have been IEC 61508 certified to SIL 3 shall be provided for use in
configuring these safety functions.

5.7 Master Fuel Trip Relay

The BMS shall support inclusion of a Master Fuel Trip Relay as necessary for
compliance with NFPA 85. End User Note: NFPA 85 requires a master fuel trip (MFT) relay
that is an electromechanical relay utilized to trip all required equipment simultaneously when a
master fuel trip is initiated. So, if the equipment to be controlled by the BMS is a boiler, duct
burner, thermal oxidizer, stoker, or HRSG, the BMS must include this MFT relay.

5.8 Emergency Stop Switches

The system shall include a hardwired, guarded, self-latching e-stop pushbutton, mounted and
wired to the front of the cabinet. This emergency stop switch shall initiate an MFT. The ANSI/ISA
84.00.01: 2004 (IEC 61511: Mod), NFPA 85 and NFPA 86 standards all require the operator be
provided with a manually operated emergency stop switch that is independent of the BMS logic
solver.
End User Note: NFPA 85 section 4.6.3.2.4 requires the emergency stop switch to actuate the
master fuel trip relay independently and directly. So, if the equipment to be controlled by the
BMS is a boiler, duct burner, thermal oxidizer, stoker, or HRSG, the emergency stop switch
must meet this additional requirement.

5.9 Bypass Functions

The ANSI/ISA 84.00.01: 2004 (IEC 61511: Mod) standard states all bypass switches shall be
protected by key locks or passwords to prevent unauthorized use. All bypass functions
provided with this system, including those available from the local HMI panel, must meet this
requirement.

5.10 Alarms
The NFPA standards require the cause of each MFT to be alarmed to the operator. This
first-out alarming logic shall be configured in the application software. The HMI shall provide
dedicated displays and icons for representing the status of safety-critical alarms.
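
One way the first-out capture described above can work, as an added Python example (not part of the specification or of any vendor's function block library). The trip cause names, the per-scan dictionary interface and the sample scan history are constructed for illustration.

```python
"""First-out capture for master fuel trip (MFT) causes (added illustration)."""
from dataclasses import dataclass, field


@dataclass
class FirstOut:
    """Latches which trip condition(s) went true first, scan by scan."""
    first_out: tuple = ()                           # cause(s) that initiated the MFT
    subsequent: list = field(default_factory=list)  # later, consequential causes
    tripped: bool = False

    def scan(self, conditions: dict) -> bool:
        """Evaluate one logic-solver scan; conditions maps cause -> True when demanding a trip."""
        active = sorted(name for name, demand in conditions.items() if demand)
        if not self.tripped:
            if active:
                # Every cause that is true in the first tripping scan shares
                # first-out status: events inside one scan cannot be ordered.
                self.first_out = tuple(active)
                self.tripped = True
        else:
            # After the trip, new causes are recorded but never overwrite first-out.
            for name in active:
                if name not in self.first_out and name not in self.subsequent:
                    self.subsequent.append(name)
        return self.tripped

    def reset(self, conditions: dict) -> bool:
        """Operator reset: refused while any trip condition is still present."""
        if any(conditions.values()):
            return False
        self.first_out, self.subsequent, self.tripped = (), [], False
        return True


# Constructed scan history (hypothetical cause names): fuel gas pressure drops,
# the flame is lost one scan later, and combustion air follows as the unit shuts down.
SCANS = [
    {"low_fuel_gas_pressure": False, "loss_of_flame": False, "low_combustion_air": False},
    {"low_fuel_gas_pressure": True,  "loss_of_flame": False, "low_combustion_air": False},
    {"low_fuel_gas_pressure": True,  "loss_of_flame": True,  "low_combustion_air": False},
    {"low_fuel_gas_pressure": False, "loss_of_flame": True,  "low_combustion_air": True},
]


def replay(scans):
    """Run a list of scans through a fresh FirstOut and return it."""
    fo = FirstOut()
    for conditions in scans:
        fo.scan(conditions)
    return fo


if __name__ == "__main__":
    fo = replay(SCANS)
    print("first-out:", fo.first_out, "subsequent:", fo.subsequent)
```

Without the latch, the operator display at the end of this history would show loss of flame and low combustion air, and the initiating low fuel gas pressure would already have cleared.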

6 Environmental Specification Requirements

6.1 Heat

All safety rated components shall be capable of operating in an environment ranging between
the following values:

Operating: 5 to 50 °C
Storage: -40 to 70 °C

6.2 Humidity

All safety rated components shall meet IEC 1131-2, level RH-2.

Operating: 5-95% relative humidity, non-condensing
Storage: 5-95% relative humidity, non-condensing

6.3 Mechanical Shock and Vibration

All safety rated components shall be tested to and comply with the following shock and vibration
standards:

Vibration: IEC 68-2-6, constant acceleration: 58 - 500 Hz, 1 g, 10 times on each of 3 axes
Shock: IEC 68-2-29: 10 g for 6 msec, 100 times on each of 3 axes

6.4 Electrical Noise Immunity

6.4.1 Electro-Static Discharge


All safety rated components shall be tested to meet or exceed the requirements of IEC 1000-4-2
severity level 3 for protection against electrostatic discharge.

6.4.2 Radio Frequency Interference


All safety rated components shall be tested to meet or exceed the requirements of IEC 1000-4-3
severity level 3.

6.4.3 Fast Transients (Burst Pulses)


All safety rated components shall be tested to meet or exceed the requirements of IEC 1000-4-4
level 3 for protection against switch contact bounce, which produces fast electrical pulses with a
minimum of 2 kV.

6.4.4 Power Line Surge


All safety rated components shall be tested to meet or exceed the requirements of IEC 1000-4-5
severity level 2 for surge withstand protection against power line disturbances caused by load
switching and lightning. For severity level 3, external protection circuits can be accepted.

7 Electrical Requirements

7.1 Electrical Area Classification

Buildings containing the control equipment will be rated as electrically unclassified.

7.2 Electromagnetic Compatibility (CE Compliance)

Equipment shall meet all electromagnetic compatibility requirements of the IEC 61000-4-2,
61000-4-3, and 61000-4-4 standards.

7.3 Wiring and Cabling

PROFIBUS, Ethernet, and other communication cables shall maintain a minimum separation of
75 mm from any AC power cables. Fiber optic cables are excluded from this requirement.
Vendor installed cables shall be designed and installed in such a way as to allow cable
disconnection in order to service the equipment. Cables shall not interfere with circuit board
removal. All wire insulation for cables carrying power shall be rated for 600 volts.

7.4 Cabinet and Workstation Grounding

AC Safety ground and instrumentation circuit ground shall conform to the NEC, Article 250.

7.5 Module Hot-Swap Capability

The system shall support hot swapping of control, input/output, and communication modules
without requiring power-down of the entire system.

8 Hardware Requirements
All hardware shall be commercial off-the-shelf (COTS) equipment. All hardware provided shall
be capable of supporting the I/O provided in Section 4.3.

8.1 CPU

8.1.1 IEC 61508 Certification


The CPUs provided shall be capable of meeting SIL 3 (according to IEC 61508) without
redundancy.

8.1.2 Support for BPCS and Combustion Control


The system shall include an auxiliary CPU that may be used for combustion control as part of a
basic process control system. This combustion control CPU shall meet the physical separation
and independence requirements of NFPA 85 and 86 while being located within the same
cabinet as the BMS CPU. The combustion control CPU shall not share the same backplane as
the BMS CPU.

8.1.3 Redundancy
The system provided shall be capable of supporting redundant CPUs. Redundant CPUs shall
be connected together via fiber optic cables. The redundant CPUs shall operate with a hot
backup where both CPUs execute the identical step of the user program in parallel. When a
CPU error is detected, automatic, bumpless (uninterruptible) switchover shall be initiated and
completed in 30 msec or less.

8.1.4 Memory
Each CPU shall be provided with 10 to 15 percent spare memory. CPU memory should have a
battery backup so the controller maintains its configuration and state information in the event of
an extended power outage. The controller shall have the capability of storing a retrievable copy
of the application program on a replaceable memory card within the controller.

8.1.5 Diagnostics
The CPU shall be capable of continuous, automatic online diagnostics to detect system failures.
Diagnostic coverage greater than 99 % shall be achieved.
The following failure control measures should be implemented in the CPU:
a) Memory diagnostic to verify any data or code corruption
b) Time diagnostic shall be built-in and provide redundancy to the external watchdog timer
c) Self-test of BMS operations in each cycle
d) Logical program execution and data flow monitoring
e) Comparison of the diverse diagnostics in the CPU and I/O modules
f) Automatic, online self-tests to detect latent failures.


This diagnostic capability shall be built-in and not require additional application design from the
user. These failures shall be alarmed on each HMI.

8.1.6 System Power


The system shall be powered from an external 115 VAC power source.
Redundant 24 VDC power supplies with redundancy management circuitry shall be provided.
These power supplies shall support 10 A at 24 VDC to power field devices outside of the BMS
cabinet. The sum of all DC power loads shall not exceed 80 percent of the rated power supply.
Separate, isolated and fused AC and DC power distribution shall be provided. A fault contact
shall be available for connection to a discrete input channel. The fault contact shall indicate the
loss of power or a drop in voltage from either of the redundant power supplies.

8.1.7 Scan Rate


The CPU should provide strict cyclic program execution. To optimize control of critical
processes, the CPU shall support variable and configurable scan rates down to a minimum rate
of 10 msec. The system should have the ability to run parts of the user application at different
cycle times (multiple scan rates).

8.1.8 Voting of Inputs and Outputs


The CPU shall support voting of sensors as a means of providing the necessary safety integrity
and availability. The following architectures shall be supported:
a) Single Sensor (1oo1) Voting
b) Dual Sensor (1oo2) Voting
c) Dual Sensor (2oo2) Voting
d) Triple Sensor (2oo3) Voting

8.2 I/O Modules

8.2.1 Technology
All I/O modules shall be electrically isolated from the communication backplane. All I/O modules
shall have ON/OFF indication for each I/O. This indication shall be located on the front of each
module.

8.2.2 IEC 61508 Certification


Analog input, discrete input and discrete output modules shall be capable of achieving SIL 3
availability according to IEC 61508.

8.2.3 Redundancy
Single, dual and triple redundant I/O modules shall be supported. To minimize the potential for
common cause failures, redundant I/O Modules must be able to be located in physically
separate racks. It is not permissible for redundant I/O modules to share a common backplane.
I/O redundancy shall be independent of the controller redundancy.

8.2.4 Diagnostics
All I/O modules provided shall contain self-diagnostics that detect any potentially dangerous
component failure. The diagnostic capabilities shall be verified with extended diagnostic
functions and fault injection testing.
At a minimum, the I/O modules shall report to the control module the following diagnostic
information:
a) Internal hardware faults
b) Power lost
c) Field wiring diagnostics (e.g. open or short circuit)
d) Communication Error
e) Discrepancy error (1oo2D evaluation)
f) RAM, EPROM failure
g) Microprocessor failure
In case of loss of communication to the CPU, the I/O modules shall automatically return to the
safe state by driving the outputs of the I/O modules to the safe state.

8.2.5 Online Modification


Online (hot) replacement of the modules shall be possible without process interruption.
Extending the system with additional I/O modules must be possible without shutting down the
system (online modification).

8.3 Cabinets

Pre-assembled, painted NEMA 12 cabinets shall be provided. Control cabinets shall conform to
CE standards for electromagnetic compatibility with the EMC standard (IEC 61000), and ensure
protection against unauthorized access, mechanical influences, contamination, and other
environmental influences. The standard cabinet shall conform to NEMA 12 and a cabinet
upgrade to a NEMA 4X (304 SS) shall be available.
Cabinets shall be equipped with interior lighting and a convenience outlet as well as options for
fans, AC and/or Vortex cooling. All internal cabinet wiring shall be identified by fire-retardant,
heat shrink sleeve labels. All wire insulation shall be rated for 600 volts.
The panel assembly will be designed and inspected for Underwriters Laboratories Standard for
Safety of Industrial Control Panels (ICP) "UL508A".
End user note: Indicate any physical space limitations for each cabinet.

8.4 Field Terminations

All I/O terminations shall be simple, front panel terminal connections. Terminals shall be
capable of terminating wire of 16 AWG on typical 16 channel I/O modules. Assemblies for
marshalling terminations for larger systems shall be available. Ability to connect directly to
custom wiring schemes using third-party terminal blocks shall be provided.


8.5 Emergency Stop Switches

An MFT push button shall be hardwired to the MFT relay if so equipped, allowing an operator trip
of the equipment controlled by the BMS. An MFT push button shall be located on the local
operator station and support the ability to connect additional MFT push buttons per customer
requirements. Each push button shall be clearly labeled and designed to avoid inadvertent
actuation. Each MFT push button shall meet the requirements in Section 5.8.

8.6 Human Machine Interfaces

8.6.1 Local Operator Station


The system shall include a Local Operator station with a color touch-screen operator interface
and keyboard. The Local Operator Station shall include the following pre-engineered BMS
graphic displays at a minimum:
a) Overview of Process / System
b) Purge Cycle
c) Burner Status
d) Ignitor Status
e) Fan Control
f) Master Fuel Trip Status

The pre-engineered screens shall be easily extendable / customizable to represent the actual
application via copy/paste.
All pushbuttons other than E-Stop shall be configured as soft push buttons in the HMI.

8.6.2 Control Room Stations


The system shall support connection of optional remote control stations via Ethernet.

8.6.3 PC
The system shall include a rack-mounted compact industrial PC housed in an all metal
enclosure achieving degree of protection IP 20. It shall include the capability to alarm on high
temperature and failure of device or power supply fan. It shall include the following interfaces:
a) Flash Drive for Compact Flash Card
b) 4 x USB ports
c) Ethernet Ports 2 x 10/100/1000 Mbit/s (RJ 45)
d) Serial Port 1 x COM1 (V.24)
e) PROFIBUS (12Mbit/sec)
The PC shall be preloaded with the following components:
a) Engineering tools for configuration of the hardware
b) Engineering tools for configuration of the application software
c) SQL-based archiving system
d) Human Machine Interface (HMI) software for process visualization
e) OPC Client / Server
f) Process Device Manager (Optional) - for managing instrumentation


8.6.4 Monitors
The monitor for the local operator station shall be designed for industrial applications, meeting
the following requirements, at a minimum:
- Flatscreen Color TFT touchscreen display
- Diagonal measurement 17 or 19 inches nominal
- Minimum Resolution: 1280 x 1024


9 Communication and Networking Requirements


All communication and networking equipment and protocols shall be commercial off-the-shelf
(COTS) hardware or software. Communication networks shall be designed to allow for system
growth.

9.1 Safety Fieldbus


Fieldbus communication must be capable of sharing safety-related and non-safety-related
devices and data. The safety functionality of the SIF must not be impacted by the
non-safety-related devices and data. It shall be interference-free. If the fieldbus has to be
extended, no revalidation should be necessary. It also must be possible to do these extensions
online without shutting down any system.

9.2 Communication between BMS systems


Safety related communication between independent safety-systems should exist on an open
communication network like Industrial Ethernet. This communication shall implement an IEC
61508 compliant safety protocol to ensure the required SIL.

9.3 Communication to field devices


Fieldbus communication must be available to field devices, which include I/O, sensors and final
elements. The fieldbus communications should support redundancy as needed for high
availability. The fieldbus communication shall implement an IEC 61508 compliant safety protocol
to ensure the required SIL.

9.4 Communication Between the BMS and BPCS


End user note: Delete this section if the BMS system does not need to communicate with the
BPCS.
A broadband communication network or fiber optic media shall be used to integrate all
subsystems into a single control architecture, allowing direct communications between the
control and safety functions and direct access to the event and asset management systems.
The BMS shall include a built-in switch to allow easy connection of multiple control systems.
The BMS shall support communication with the combustion control BPCS via Industrial Ethernet
for sharing of data in a read-only format.

9.5 Communication Between the BMS and Other Safety Systems

End user note: Delete this section if the BMS system does not need to communicate with other
safety systems.
Communication between independent safety systems shall exist on an open communication
network such as Industrial Ethernet. The communication network and associated protocol shall
be IEC 61508 certified to SIL 3 and shall support deployment in redundant architectures. The
communication network and associated protocol shall be capable of detecting a network failure
in a ring architecture and rerouting communication in 300 msec or less.

9.6 Communication Between the BMS and Third-Party Systems

End user note: Delete this section if the BMS system does not need to communicate with other
third-party systems.



The system shall include a built-in OPC server to simplify interfaces with third-party systems.
The vendor shall also be capable of providing a Modbus interface module for this
communication.

9.7 Communication Between Field Devices

Embedded, failsafe fieldbus communications shall be used to provide seamless connectivity
between the CPU and I/O. This fieldbus and associated protocol shall be IEC 61508 certified to
SIL 3. For redundant CPU architectures, redundant fieldbus shall be used.


10 Application Software Requirements


All application software shall be commercial off-the-shelf (COTS) software. All software
provided shall be capable of supporting the I/O provided in Section 4.3.

10.1 IEC 61508 Certified Function Block Library


An IEC 61508 certified function block library shall be provided for all BMS control functions.
These blocks shall be easily distinguishable from blocks used for process control and shall be
capable of being connected and parametrized.
The certified BMS application library shall contain the following pre-engineered function blocks:
a) Control and Monitor the ignition process for oil and gas burners
b) Valve Proving of Fuel Supply Valves
c) Control position of the air damper during ignition and purge
d) Control and Monitor oil program that must be blown out after shutoff
e) Supervise the position of the actuators for air and fuel supply
f) Supervise the temperature and air / fuel flow

10.2 Program Security


Access to the controller database (program) shall be supervised to limit user ability to modify the
program. The following layers of protection shall be implemented to ensure security of
configuration:

- Application Program Password Protection - When attempting to change the application
  program, the user shall be required to enter a password that has been established during
  configuration. Program downloads shall be password protected at the controller level using
  a separate password.

- Application Program Protection via Authorization Key - Changes to the application program
  shall only be possible when a software authorization key is installed on the engineering
  station. It should be possible to upload and download this key from an external data device.

- Hardware Configuration Password Protection - When attempting to change the F-CPU
  parameters, the user shall be required to enter a password that has been established during
  configuration.

- A definite checksum (signature) of the whole safety application program shall be provided
  for documentation and certification of an application program. For seamless integration
  into the lifecycle documentation, a comparison function for the safety program must be part of
  the engineering tool. At a minimum, it must include the following comparison functions:
  a) Overall signature
  b) Individual signatures per function block/group
  c) Parameter values
  d) Modified or deleted blocks and interconnections, etc.
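
The comparison items a) to d) above, sketched as an added example that is not part of this specification or of any vendor's engineering tool. The specification names no signature algorithm, so SHA-256 over a canonical JSON encoding is an assumption here, and the block names, types and parameters are constructed sample data.

```python
import copy
import hashlib
import json


def _digest(obj):
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def block_signatures(program):
    """b) Individual signature per function block (type and parameters)."""
    return {name: _digest(blk) for name, blk in program["blocks"].items()}


def overall_signature(program):
    """a) One signature over all block signatures and all interconnections."""
    wires = sorted(list(w) for w in program["wires"])  # order-independent
    return _digest({"blocks": block_signatures(program), "wires": wires})


def compare(approved, candidate):
    """Report items a) to d) for an approved program versus a candidate."""
    old_sig, new_sig = block_signatures(approved), block_signatures(candidate)
    common = old_sig.keys() & new_sig.keys()
    modified = sorted(n for n in common if old_sig[n] != new_sig[n])
    params = {}  # c) parameter values that differ, as (approved, candidate)
    for name in modified:
        before = approved["blocks"][name]["params"]
        after = candidate["blocks"][name]["params"]
        for key in sorted(before.keys() | after.keys()):
            if before.get(key) != after.get(key):
                params[f"{name}.{key}"] = (before.get(key), after.get(key))
    old_w = {tuple(w) for w in approved["wires"]}
    new_w = {tuple(w) for w in candidate["wires"]}
    return {
        "overall_match": overall_signature(approved) == overall_signature(candidate),
        "added_blocks": sorted(new_sig.keys() - old_sig.keys()),
        "deleted_blocks": sorted(old_sig.keys() - new_sig.keys()),
        "modified_blocks": modified,
        "parameter_changes": params,
        "added_wires": sorted(new_w - old_w),
        "deleted_wires": sorted(old_w - new_w),
    }


# Constructed sample: a small safety program as it was approved.
APPROVED = {
    "blocks": {
        "PURGE_TIMER": {"type": "F_TIMER", "params": {"preset_s": 300}},
        "FLAME_VOTE": {"type": "F_2oo3", "params": {"discrepancy_s": 2}},
        "LOW_GAS_PRESS": {"type": "F_LIMIT", "params": {"trip_kpa": 5.0}},
        "MFT_RELAY": {"type": "F_TRIP", "params": {"latching": True}},
    },
    "wires": [
        ("FLAME_VOTE.OUT", "MFT_RELAY.IN1"),
        ("LOW_GAS_PRESS.OUT", "MFT_RELAY.IN2"),
        ("PURGE_TIMER.DONE", "MFT_RELAY.RESET_OK"),
    ],
}


def make_candidate():
    """Constructed changed program: purge time shortened, one trip removed."""
    cand = copy.deepcopy(APPROVED)
    cand["blocks"]["PURGE_TIMER"]["params"]["preset_s"] = 60
    del cand["blocks"]["LOW_GAS_PRESS"]
    cand["wires"].remove(("LOW_GAS_PRESS.OUT", "MFT_RELAY.IN2"))
    return cand


if __name__ == "__main__":
    print(json.dumps(compare(APPROVED, make_candidate()), indent=2))
```

A mismatch in the overall signature says only that something changed; the per-block signatures and the wire sets locate the change so it can be checked against the approved change record.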


10.3 Configuration Tools


The tool for hardware configuration and the user application programming shall be of graphical
type and according to IEC 61131-3. The tool must support object oriented design which helps
the modeling and reuse of designed functions. All I/O modules shall be configurable by this
graphical engineering tool.

10.3.1 Configuration Languages


Numerous configuration languages shall be offered that are traditionally associated with both a
PLC and DCS programming environment. These shall include, but not be limited to the
following:
a) Continuous Function Chart (CFC)
b) Sequential Function Chart (SFC)
c) Structured Control Language (SCL)
d) Ladder Logic (LAD)
e) Function Block Diagram (FBD)
f) Instruction List (STL)
g) Cause and Effect Matrix

The engineering system shall support the creation of custom function blocks from a high level
(Pascal-like) programming language. For maximum flexibility, the high level programming
language provided by the system shall support the use of standard mathematical functions in
addition to allowing other function blocks to be called directly from within the program.

10.3.2 Function Blocks


To minimize engineering time, connecting parameters between two different function blocks
shall be possible via two mouse clicks (auto routing). Manual drawing of lines shall not be
acceptable for connecting function block parameters. The system shall prevent the user from
connecting function block parameters that have incompatible data types. For instance, the
system should prevent the user from connecting a real value from one function block to a
Boolean value of another function block.
For ease of use and to minimize engineering costs, it shall be possible to program device
interlocks via simple point and click operations between function blocks. All parameters
contained in a control module (composite of multiple function blocks) shall be able to be directly
connected to another control module without the need for additional parameter function blocks.
When a function block instance name is modified, the system shall be capable of automatically
updating all references to the changed block within the entire HMI application (pictures, scripts,
faceplates, etc.) and Historian database without requiring the user to manually search and
replace each reference.


10.3.3 Sequential Function Charts


The system shall support Sequential Function Charts (SFC) as necessary for real-time control
of sequential processes. The SFC programming language shall include the following features:
- Access to process control and other database information.
- The ability to modify the program logic while other sequences are active.
- Support execution of the chart in Manual or Automatic Mode.
- The ability to automatically connect SFC steps and transitions during configuration,
  based on their placement in the SFC chart, without requiring the user to manually
  connect them.
- The ability to configure multiple states within a single SFC container. This allows for
  effective coordination of sequences which have more than one mode (e.g. Heating and
  Cooling) or that contain safe-state logic (e.g. Aborting or Holding Logic).
- The ability to create master SFC elements which can be copied and used throughout the
  configuration just like a function block. Changes to a single instance of the SFC will
  result in automatic updates to all other instances in the configuration.
- The ability to automatically create displays for visualization and control of the SFC
  directly from the controller configuration.
- The ability to configure the scan execution order for both individual function blocks and
  for higher level modules consisting of multiple function blocks.
The SFC editor shall include a test/debug mode which does not write to the outputs.

10.3.4 Cause and Effect Programming


A tool for cause & effect programming shall be available. It must include, at a minimum,
functionality such as:
- Automatic generation of certified logic
- Automatic visualization for HMI
- First failure detection (first out)
- Voting
- Alarm and trip set points
- Sequence of events recording
- Operator event logging
- MOS (Maintenance Override Switch)
- POS (Process Override Switch)
- Online display of data and status
- Online limit changes (with security)
- Integrated management of change (life cycle documentation)
- Consistent view for design, documentation, test and monitoring
- Import function from external safety life cycle tools to automatically generate the C&E
  matrix, ensuring consistency of the data

The configuration and programming tools shall run on a standard PC with a Windows operating
system.


10.4 Configuration Management


10.4.1 General Requirements
Configuration additions, changes, and deletions shall automatically update all modules and tags
affected by the change. When configuration data are compiled or downloaded to the system,
invalid configuration entries shall be identified and the parameters affected shall be indicated.
It shall be possible to change, delete, and add any independent loop in the controller without
affecting the other loops.

10.4.2 Version Management


The system shall provide version management capability allowing the user to catalog, manage,
archive and retrieve unique versions of entire projects, libraries, and recipes. The following
specific functions shall be provided:
- Ability to add a comment to each version
- Automatic incrementing of version numbering
- Ability to print out a copy of the version history

10.4.3 Comparison Tool (Version Cross Manager)


A tool shall be available to perform a detailed comparison of two applications or versions of an
application. This tool shall use a MS Windows Explorer-like interface to graphically highlight
what elements of a configuration are different (CFCs, SFCs, Function Block types, Scan Rate
Order, etc.). By selecting a flagged element, the user can dive deeper to determine exactly what
is different (such as an Alarm Limit or Tuning Parameter).
The comparison tool should be able to identify differences in the following elements at minimum:
- Application Program (Function Blocks, Charts, SFC, hierarchy / layout)
- Hardware Configuration
- Communication / Network Configuration
- Alarms
- SFC details (Steps, Transitions and Properties)

10.4.4 Show Changes Prior to Download


Configuration changes shall follow a prompt-validation sequence requiring a final
acknowledgment step before the change is downloaded to the on-line system. An option shall
be provided to allow the user to view a detailed report of changes as part of the download
confirmation process.

10.4.5 Change Log


A tool shall be available for use on the Engineering workstation to enforce user access control
for execution of protected actions (such as downloading a configuration change to the
controller) and to allow recording of comments (detailed reason for change). Information will be
recorded in a change log file, which shall be continuously updated with each new change. The
change log shall be capable of being reviewed at a later point in time.


10.5 Integrated Historian


The system shall include an integrated high-performance archiving system based on MS-SQL
server capable of long-term archiving (at least one year) of alarms, events and operator actions.
The Operator Interface shall provide a complete historical (archiving) subsystem providing the
user the capability to capture and analyze historical data.
The system shall allow selection of any point in the system to be added and configured for
archiving.
The historical subsystem shall promote the visualization of historical data in both tabular and
graphical form.

10.5.1 Backing Up the Database


The system shall supply tools for automatically backing up the database to removable media or
to an alternate storage location. The backup utility shall execute the database backups
automatically based on either of the following configurable criteria:
- Time-based (e.g. every 24 hours)
- Based on the size of the database (e.g. after the size reaches 1 Mbyte)

10.6 Alarm System


The alarm system shall alarm any change of state that the system detects including:
- Any violation of limits
- First out indication of trips
- Any change of state of a device connected to the system including all of its peripherals
- The failure of any communications channel used by the system
- The failure of system hardware, which results in an automatic fail-over of the system's
  functions from the active to standby device.

10.6.1 Alarm Message Display


The alarm system shall display alarm messages in a manner to facilitate easy interpretation of
the current alarm status including but not limited to:
- Different text color and background color for those points that are in alarm, those that
  have been acknowledged, and those that are no longer in alarm
- Flashing of the current alarm message(s) in the alarm list
- Alarms that have been automatically suppressed by the system or manually by the
  operator
- The ability to sort and filter the alarms that are displayed
- The ability to segregate process alarms from system diagnostic alarms into different
  displays

10.6.2 Alarm Priorities


To allow for segregation of alarms based on criticality, the system shall support the assignment
of individual alarm conditions to one of up to 16 different alarm priorities. A dedicated priority
shall be reserved for assignment to safety-critical alarms.


10.6.3 Alarm Acknowledgement


The alarm system shall provide capability to acknowledge an alarm message when a data point
enters and / or exits alarm state. The system shall permit alarm acknowledgement including but
not limited to:
- For an individual alarm from the Overview
- For a filtered grouping of alarms from a Summary List
- From the device faceplate
- From a process display (Screen Acknowledge)

10.6.4 Alarm Suppression


To minimize the effects of nuisance alarms and ensure that alarms are presented to the
operator only when they are relevant and meaningful, the system shall support both alarm
shelving (manual suppression by the operator) and state-based suppression (designed
suppression) as standard features. A list of suppressed alarms shall be available as a standard
display.

10.6.5 Alarm Response Procedures


To support effective operator response to alarms, the system shall support making alarm
response information available to the operator through the HMI. Alarm response guidelines
shall be accessible to the operator from the alarm list and/or faceplate.

10.7 Human Machine Interfaces


The Human Machine Interface (HMI) shall provide the following basic features:
- Display of date, time and name of the logged in operator.
- Area overview showing the status of alarms in underlying process areas.
- Message line for display of the most recent alarm, or the alarm with the highest priority.
- Working area for plant displays and movable windows for faceplates, trends, messages,
  etc.

10.7.1 Security
Two levels of security shall be provided with each HMI. An operator security level shall be
accessed without needing a password and shall provide all information required to operate the
BMS. A supervisor security level shall be accessed with a password and shall provide both
operation and maintenance capabilities.

10.7.2 Displays
A typical BMS graphical interface, including standard faceplates and detail displays shall be
provided. Additionally, a CFC chart shall be provided to allow the operator to step through the
actions required to satisfy NFPA 85 requirements for manually lighting a burner system. All
displays provided shall be capable of customization by the end user.

10.7.3 Display Navigation


The HMI shall provide the ability for the operator to directly call up the process display with the
object which caused the fault, or its associated faceplate, via a single mouseclick from the
overview. The faceplate window can be anchored so that it remains visible even when the
display is changed.

10.7.4 Trend Displays


The system shall support user defined sets of trends so that commonly viewed historical
information can be defined in trends once and easily accessed by selecting a pre-configured
screen target incorporated in the graphic display. Trends can be displayed as a full-size picture
or as a window in the working area, and printed directly. Selection of points to be trended shall
be menu driven.
Historical trends shall support seamless integration of both real-time and historical data within a
single trend window, with seamless movement between the two. It shall be possible to call up
new historic trends and configure them online from the Operator Interface.
Pre-configured real-time trends shall be available from a faceplate. At runtime, operators can
compose their own trends, select them by process tag name, and save them for reuse. It shall
be possible to export data associated with a currently displayed trend to a .csv file for viewing in
MS Excel.

10.7.5 Bypass Switches


Capability to bypass each safety function individually shall be provided by the application
software. These bypass switches must meet the requirements of Section 5.9.

10.7.6 Configuration Capabilities


Standard Graphic Elements Provided by the System
The workstation shall be supplied with a full library of process-oriented objects for the
development of process graphics including but not limited to: pipes, motors, valves, pumps,
tanks, fans, indicators, sensors, conveyors, and electrical symbols. These objects shall be
provided in various formats (static, capable of being dynamically linked to the control strategy,
2-D, and 3-D). The system shall provide pre-configured smart control objects to represent
clocks, gauges, tables, application windows, alarm windows, and trend windows.
Dynamic HMI Symbols for the Control Library
Pre-engineered graphics symbols shall be provided for all process control elements in the
library. These pre-engineered symbols shall be designed to call up their associated faceplate
and to represent the dynamic behaviors of the underlying control element, without requiring any
additional configuration effort. The workstation shall allow the user to create libraries of custom
and composite symbols. Library management shall be an integral part of the system.
Global HMI Symbols
The system shall support the creation of global HMI symbols for representation of process
control elements. Edits to one instance of a global symbol shall be propagated automatically via
a wizard to all other instances of the symbol in the application without manual reconfiguration.

10.7.7 Screen Composition Favorites


The system shall support the operator's ability to save specific screen compositions or layouts
for call up at a future time. A favorite screen composition can consist of a process graphic with
any number of specific device faceplates, trends, etc. overlaid on the screen and positioned in
specific locations of the display.

10.8 Revisions
Application software shall not require modifications in order to be able to run under new
releases of the system operating software. Any new release of system software shall be
backward compatible with files created using the previous software releases.

10.9 Licensing
The software licenses (both runtime and engineering) shall be portable allowing the user to
transfer licenses from one PC to another without requiring intervention from the vendor.


11 Terms and Conditions


End User Note: All items of a legal or contractual nature should be detailed in this section.
