Functional Design Spec
Functional Design Specification; Rev A
Charter Tech Ltd
Doc Ref: P0661FDS
Document history: -
Contents: -
1 Safety Guidelines.
1.1 Product Application.
2 Scope
3 Applicable documents & abbreviations
3.1 Applicable documents
4 Overview of scheme
5 BMS PLC hardware
5.1 Introduction
5.2 Control description
5.3 Alarms
5.4 BMS operator interaction
6 Alarm definition
6.1 Alarm Philosophy
6.2 Conditional alarms
6.2.1 Automated valves
6.2.2 Fuel gas pressure low low
6.2.3 Fuel gas pressure high high
6.2.4 Pilot gas pressure high & low alarms
6.2.5 Fuel oil pressure low low
6.2.6 Fuel oil temperature low low
6.2.7 Dark check
6.2.8 Furnace pressure low low
6.3 Analogue alarm points
7 BMS/ESD Sequences
7.1 Furnace Purging
7.1.1 Stand timer
7.1.2 Post purge
7.2 Pilot Start Sequence
7.3 Burner Start Sequence on Gas
7.4 Burner Start Sequence on Oil
7.5 Burner Stop Sequence on Oil
7.6 Double block and vent valve operation
7.7 Oil MFT operation
7.8 Air register operation
8 Interlocks & Alarms
8.1 Main Interlocks
8.2 Common valve status
8.3 Main gas interlocks
8.4 Main oil interlocks
8.5 Individual burner trips
8.5.1 Pilot flame failure
8.5.2 Gas flame failure
8.5.3 Oil flame failure
1 Safety Guidelines.
These safety guidelines are an important and integral part of this document. Failure to adhere to these
guidelines may adversely affect system safety and/or render warranty and liability claims invalid.
The burner management system (BMS) must be carefully designed to protect plant equipment and
personnel. However, the purchaser or operator of the BMS must have due regard for the safety and
operational requirements of that process.
To ensure the BMS and the equipment connected to and used with it operates in a safe, predictable and
correct manner, all applicable local and national codes that apply to its installation and operation must be
understood and followed by competent, qualified personnel.
Personnel responsible for the installation and operation of the system should carefully study all
documentation and instructions associated with the equipment supplied.
It is essential that the Purchaser's maintenance and operational staff are provided with adequate training,
both in the design principles of the product and its correct operation.
Where a BMS is designed around a “fail safe” programmable logic controller (PLC), the "user" must be
aware that the control devices can fail to an unsafe condition.
The BMS product will have been designed to limit such an eventuality by incorporating, where
appropriate, specific electrical and electronic control standards and HSE guidelines.
It is unlikely that Charter Tech will have full access to the technical and operational details of the process
to which its product is to be applied and the "user" must, therefore, ensure that there is adequate
protection to personnel and equipment.
Any product produced using this documentation must be fully tested & checked to ensure that it complies
with the user requirements, the applicable codes, and operates in a safe and appropriate manner.
2 Scope
The scope of the Functional Design Specification (FDS) is to identify and collate all the information
necessary to facilitate the design of the control system for the control scheme associated with the two
burner dual fuel boiler.
4 Overview of scheme
This document concerns the control system associated with the two burner boiler.
The boiler is fitted with a pair of dual fuel burners. These burners are capable of firing fuel gas and/or oil.
The boiler will be fitted with a SIL rated burner management system (BMS). This burner management
system is designed to control the safe operation of the burner plant. Processes will include control of pre
purge, burner light up sequences, burner shutdown sequences and safety interlocking.
The operator interfaces with the control system via push buttons, lamps & HMI screens. Diagnostic and
alarm information is also passed to the DCS.
This document covers the specific aspects associated with the operation of the burner management
system, and the effect of burner failure on other associated items of plant.
Each burner is fitted with an oil gun, which can be controlled individually via dedicated oil, atomising
steam and scavenge block valves. The gas is supplied to each burner via dedicated double block and
vent arrangement, as is the pilot gas.
Each burner is fitted with a pair of failsafe, self checking flame scanners. These scanners are arranged in
a one out of two arrangement (1oo2) i.e. any one out of the two scanners must be sensing a flame to
allow the burner to continue to operate. These flame scanners are used to detect the ignition flame, and
the main flame.
Both burners are supplied with oil from a dedicated ring main, common to both burners, which is fitted with an
MFT and a recirc valve, together with sensors for pressure and temperature. Gas is supplied from a
dedicated header, common to both burners, fitted with an MFT and header vent valve, together with
sensors for gas pressure.
It should be noted that each burner can be started and stopped either by local pushbuttons or via remote
control. For the first burner start, feedback from the fuel and air control devices is required to ensure
that they are at the correct positions. Subsequent fuel and burner start firing rate is under the direct
control of the combustion control system. This must ensure that the burner firing rate and airflow are
appropriate for the selected fuel start and stop. According to NFPA standards, this combustion control
function should be separate from the burner management function. This document will cover the operation
of the BMS only.
The BMS controls a number of valves around the process as well as various other items of plant. If
conditions are present that dictate that the BMS should take action, all the valves and critical outputs are
tripped to their predetermined safe state, effectively isolating the plant from any other process on site. If
the BMS is healthy, then the valves under its control are driven to their normal operating positions,
dictated by the current operational conditions.
The equipment under the control of the BMS is listed in the I/O schedule document.
5.3 Alarms
Alarms can signal that a device or process has ceased operating within acceptable, predefined limits, and
can indicate breakdown, wear, or process malfunctions. Alarms are also used to indicate the approach of
a hazardous or undesirable condition. Alarms are an important part of this control application.
In this configuration, all interlock alarms are generated and latched within the PLC control system. This
prevents any possibility of spurious events affecting the control system without raising an alarm, i.e. the
PLC will trap any spurious events and raise the appropriate alarm flag. It is then this alarm flag that will
affect the action of the PLC. This trapped alarm event should also be transferred to the DCS for operator
information and diagnostic purposes.
By handling the control and alarm logic within the same controller, the likelihood of missing alarm events
is eliminated, and alarm capture is independent of the network communication update time. This
configuration also allows the system to mask selected alarms under certain process conditions, and should
thus reduce nuisance or standing alarms.
The system is also fitted with a remote/local selector switch. In local control the burners can be started
from the local burner panel. In remote control the burners can be started from the remote system. It
should be noted that the burner stop function will operate from any location regardless of mode of
operation selected.
There is also a hardwired emergency stop pushbutton that will operate at all times and override any
currently active sequences.
The BMS should also communicate alarm and status information to the DCS. This information can be
sent via a comms link if required. This information should include all hardwired input and output status
information and all alarm information.
The information transferred in this manner should be presented to the operator in a logical, clear and
concise manner to enable effective and efficient operation of the plant.
Depending on site practices and procedures, it may be desirable to separate some of this information into
an engineering area to aid engineering staff with fault diagnostics and to decrease the amount of
information presented to the operator.
6 Alarm definition
The boiler and associated plant are constantly monitored by the control system. The actions taken by the
control system depend on the alarm event.
Any alarm latched within the boiler control system is reset by the operation of an alarm reset push button. If
the alarm-initiating event is still present then it will not be possible to reset the alarm.
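The latching and reset behaviour described in sections 5.3 and 6 can be modelled as a per-scan, set-dominant latch. The following is an added example, not code from the original specification; the class and function names, the sample data and the DCS poll interval are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class LatchedAlarm:
    """Interlock alarm latched inside the controller, evaluated once per scan."""
    name: str
    latched: bool = False

    def scan(self, condition_active: bool, reset_pressed: bool) -> bool:
        # Set dominates reset: the reset pushbutton has no effect while the
        # alarm-initiating event is still present.
        if condition_active:
            self.latched = True
        elif reset_pressed:
            self.latched = False
        return self.latched


def simulate(raw_input, reset_input, poll_every):
    """Run the scan loop and compare what a slow DCS poll would observe.

    Returns (latch state per scan,
             raw input values seen by the poller,
             latched flag values seen by the poller).
    """
    alarm = LatchedAlarm("fuel_gas_pressure_low_low")  # illustrative name
    latch_trace, polled_raw, polled_latch = [], [], []
    for n, (cond, rst) in enumerate(zip(raw_input, reset_input)):
        state = alarm.scan(cond, rst)
        latch_trace.append(state)
        if n % poll_every == 0:          # comms update slower than the scan
            polled_raw.append(cond)
            polled_latch.append(state)
    return latch_trace, polled_raw, polled_latch


# Constructed sample: a one-scan transient at scan 2, a reset at scan 6,
# a sustained event at scans 7-9 with a reset attempt at scan 8 (refused),
# and a successful reset at scan 11.
RAW = [bool(b) for b in (0, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 0)]
RESET = [bool(b) for b in (0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1)]
POLL_EVERY = 5                           # DCS reads every 5th scan (assumed)

if __name__ == "__main__":
    trace, raw_seen, latch_seen = simulate(RAW, RESET, POLL_EVERY)
    print("latch per scan :", trace)
    print("DCS sees raw   :", raw_seen)    # transient never visible
    print("DCS sees latch :", latch_seen)  # trapped event is visible
```

A poller reading the raw input never sees either event, while the latched flag carries both to the DCS. This is why the trip action and the transferred alarm both key off the latched flag rather than the raw input.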
It has been recognised that the system should only generate genuine alarm conditions, and as such
many of the alarms configured in the control system should be conditional. This technique greatly reduces
the number of alarms that an operator is presented with in the event of an incident to only a few relevant
points. It will also reduce the number of standing alarms present when the unit is not running.
The logic has been configured to allow (under normal operating conditions) sufficient time for the valves
to prove open when instructed to open. If the valve fails to open within this preset time the system will
raise a valve failed to open alarm, and take the action appropriate for the valve in question. Although
valve opening times are subject to variations, sufficient time has been allowed to enable the valve to open
without causing nuisance trips.
The logic has also been configured to allow (under normal operating conditions) sufficient time for the
valves to prove closed when instructed to close. If the valve fails to close within this preset time the
system will raise a valve failed to close alarm and initiate the appropriate action. Although valve closing
times are subject to variations, sufficient time has been allowed to enable the valve to close without
causing nuisance trips.
remain active all the time the valves are open. Coding the alarm in this way will prevent the alarms from
activating when the burner is stopped and the gas line vented.
It should also be noted that the pilot gas pressure high and low alarms will be alarm conditions only, and
will alert the operator to possible causes of pilot ignition problems.
The oil MFT valve has been instructed to open for a preset time period (typically 60 seconds)
Or
The oil temperature is above the low low temperature threshold (for at least a short time period to allow for
short transients as the temperature rises)
Once either of these conditions has been met, this alarm will then remain active all the time the valves are
open. This alarm needs to be dealt with in this fashion to allow the oil sufficient time to circulate and to get
up to correct operating temperature.
7 BMS/ESD Sequences
The BMS/ESD system manages the trips, interlocks and safety critical sequences for the boiler through a
dedicated safety PLC.
The burners associated with the boiler are each fitted with an ignition pilot that is designed to fire
intermittently. Before a burner can be started a furnace pre purge must be undertaken. Once a pre purge
has been completed a burner can be started. The furnace pre purge is designed to purge the furnace of
any un-burnt fuels or explosive gases. Stopping the last firing burner will initiate a post purge sequence.
If a burner is said to be at normal stop, then by definition, it is not sequencing and is not tripped. If a
burner is tripped, a reset needs to be operated before any further action can take place associated with
the tripped burner.
The pre purge should involve at least five volume changes of the boiler enclosure and a minimum of five
minutes whilst the pre purge conditions are maintained. Conditions for pre purge are: -
When the above conditions are met, the BMS should start the pre purge timer. If the conditions fail at any
point in the purge, the purge timer should reset, and a further full purge will be required. When the ‘start
purge’ pushbutton is operated, provided the boiler is at normal stop, the CCS is signalled to increase the
airflow to purge settings. When the pre purge timer completes, the CCS is signalled to decrease the
airflow to ignition settings.
On completion of a pre-purge, the BMS removes the ‘air to purge’ signal to CCS and sets the ‘air to
ignition’ signal to CCS.
If the purge flow fails during the purge period, the BMS logic prevents any subsequent actions. When the
purge flow is re-instated the timer is re-started.
Once the ignition settings are achieved the fuel ‘ready to start’ signal is energised. At this stage either of
the burners can be started on either fuel.
Initiating a pre-purge during a post-purge is permitted. There is no need to perform two purges if an
immediate re-start is required.
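The pre-purge rules above (timer runs only while purge conditions hold, any loss forces a further full purge, then the CCS is moved from purge to ignition airflow) can be expressed as a small state machine. This is an added example, not the project's PLC code; the state names, the single `conditions_ok` input standing in for the purge conditions, and the enclosure volume and airflow figures are assumptions.

```python
from dataclasses import dataclass

PURGE_MIN_SECONDS = 300.0     # "a minimum of five minutes"
PURGE_VOLUME_CHANGES = 5.0    # "at least five volume changes"


@dataclass
class PrePurge:
    enclosure_volume_m3: float      # assumed value, not given on the page
    state: str = "IDLE"             # IDLE -> PURGING -> TO_IGNITION -> READY
    elapsed_s: float = 0.0
    purged_m3: float = 0.0

    def scan(self, dt, start_pb, normal_stop, conditions_ok,
             airflow_m3_s, at_ignition):
        if self.state == "IDLE" and start_pb and normal_stop:
            self.state = "PURGING"
            self._restart()
        elif self.state == "PURGING":
            if not conditions_ok:
                self._restart()     # a further full purge will be required
            else:
                self.elapsed_s += dt
                self.purged_m3 += airflow_m3_s * dt
                needed = PURGE_VOLUME_CHANGES * self.enclosure_volume_m3
                if (self.elapsed_s >= PURGE_MIN_SECONDS
                        and self.purged_m3 >= needed):
                    self.state = "TO_IGNITION"
        elif self.state == "TO_IGNITION" and at_ignition:
            self.state = "READY"
        return self.outputs()

    def _restart(self):
        self.elapsed_s = 0.0
        self.purged_m3 = 0.0

    def outputs(self):
        return {
            "air_to_purge": self.state == "PURGING",
            "air_to_ignition": self.state in ("TO_IGNITION", "READY"),
            "ready_to_start": self.state == "READY",
        }


def run(segments, volume_m3=40.0, airflow_m3_s=1.0, dt=1.0):
    """Drive the model through (seconds, conditions_ok) segments.

    Returns (seconds until 'ready to start' or None, the PrePurge object).
    The CCS is assumed to reach ignition settings one scan after the request.
    """
    purge = PrePurge(enclosure_volume_m3=volume_m3)
    purge.scan(dt, True, True, True, airflow_m3_s, False)  # 'start purge'
    t = 0.0
    for seconds, ok in segments:
        for _ in range(int(seconds / dt)):
            at_ignition = purge.state == "TO_IGNITION"
            out = purge.scan(dt, False, True, ok, airflow_m3_s, at_ignition)
            t += dt
            if out["ready_to_start"]:
                return t, purge
    return None, purge


if __name__ == "__main__":
    print(run([(400, True)])[0])                              # clean purge
    print(run([(200, True), (10, False), (400, True)])[0])    # interrupted
    print(run([(600, True)], volume_m3=100.0)[0])             # volume governs
```

The interrupted case shows that the 200 seconds accumulated before the loss of conditions earn no credit. Behaviour after the purge has completed (for example, loss of conditions while waiting at ignition settings) is not modelled.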
The pilot start sequence is initiated as part of the main burner start routine (either oil or gas). The pilot
start routine is also initiated as part of an oil burner normal stop gun purge.
The pilot ignition sequence steps are time limited according to EN 746-2. Failure to achieve a step in the
given time will cause a burner lockout and raise an alarm.
If the ignition sequence fails, no ignition re-trial is permitted before the burner is locked out. A lockout
condition will require a manual reset before any further actions can be taken with this burner.
If ignition fails, and it is the only burner firing, then a re-purge will be required. If however another burner
is firing, then the tripped burner can be reset and a further ignition attempt made. It should be noted that
repeated ignition attempts of either the pilots or the main flame should not be attempted without first
establishing and rectifying the cause of the failed attempts.
Operation of the gas start sequence will first initiate the pilot start sequence, and once the pilot start
sequence has successfully completed, the gas sequence will commence as detailed below.
Main burner flame proving and stabilisation times are in accordance with EN 746-2 and burner vendor
recommendations. Main burner re-trials are not permitted: main flame failure always results in a burner
lockout and a re-purge for the first burner.
Operation of the oil start sequence will first initiate the pilot start sequence, and once the pilot start
sequence has successfully completed, the oil sequence will commence as detailed below.
• Prove that the pilot for the requested burner is on. If not, start it as above.
• Prove that the oil supply MFT valve is open. If not, open it using the ‘reset’ pushbuttons and allow
the oil temperature and pressure to reach their operational levels.
• Prove that the oil is at the required ignition position.
• Prove that the combustion airflow is at light-up.
• Prove that the atomising steam scavenge valve is closed for the requested burner.
• Open the requested burner steam block valve.
• Prove that the atomising steam is at the correct pressure.
• Open the requested burner oil block valve for a 5 second period, after which a main flame must
be detected for the valve to remain open.
• Prove that the main flame is established via either one of the two flame detectors & stop the pilot
burner.
• Continue to prove that the main flame is established for the main flame stabilisation period (20
seconds).
• Signal normal run after the flame stabilisation period has completed, and remove the ‘to ignition’
signals to DCS.
Main burner re-trials are not permitted: main flame failure always results in a burner lockout and a
re-purge for the first burner.
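The last steps of the oil start sequence (5 second oil valve trial, 1oo2 flame proving, 20 second stabilisation, no re-trial) are modelled below as an added example. It is not the vendor's or the project's logic; the state names, output names and per-second scanner samples are constructed, and the manual lockout reset is not modelled.

```python
from dataclasses import dataclass

OIL_TRIAL_S = 5.0     # oil block valve held open before flame must be proven
STABILISE_S = 20.0    # main flame stabilisation period


def flame_1oo2(scanner_a: bool, scanner_b: bool) -> bool:
    """One out of two: either scanner sensing a flame is sufficient."""
    return scanner_a or scanner_b


@dataclass
class OilMainFlame:
    other_burner_firing: bool
    state: str = "TRIAL"   # TRIAL -> STABILISING -> RUN; failure -> LOCKOUT
    timer_s: float = 0.0

    def _advance(self, new_state):
        self.state = new_state
        self.timer_s = 0.0

    def scan(self, dt, scanner_a, scanner_b):
        flame = flame_1oo2(scanner_a, scanner_b)
        if self.state == "TRIAL":
            self.timer_s += dt
            if self.timer_s >= OIL_TRIAL_S:
                self._advance("STABILISING" if flame else "LOCKOUT")
        elif self.state == "STABILISING":
            if not flame:
                self._advance("LOCKOUT")
            else:
                self.timer_s += dt
                if self.timer_s >= STABILISE_S:
                    self._advance("RUN")
        elif self.state == "RUN" and not flame:
            self._advance("LOCKOUT")
        # LOCKOUT has no exit here: no re-trial, a returning flame signal
        # does not reopen the valve.
        return self.outputs()

    def outputs(self):
        locked = self.state == "LOCKOUT"
        return {
            "oil_block_valve_open": self.state in ("TRIAL", "STABILISING", "RUN"),
            "pilot_on": self.state == "TRIAL",
            "to_ignition": self.state in ("TRIAL", "STABILISING"),
            "normal_run": self.state == "RUN",
            "lockout": locked,
            # A re-purge is needed only if no other burner is firing.
            "repurge_required": locked and not self.other_burner_firing,
        }


def run(samples, other_burner_firing=False, dt=1.0):
    """Feed one (scanner_a, scanner_b) pair per scan; return final outputs."""
    seq = OilMainFlame(other_burner_firing)
    out = seq.outputs()
    for a, b in samples:
        out = seq.scan(dt, a, b)
    return seq.state, out


# Constructed scanner samples, one pair per second.
GOOD_START = [(False, False)] * 4 + [(False, True)] + [(True, False)] * 20
NO_FLAME = [(False, False)] * 5 + [(True, True)] * 10
LOST_IN_STABILISE = [(True, True)] * 15 + [(False, False)] + [(True, True)] * 10

if __name__ == "__main__":
    for name, s in (("good", GOOD_START), ("no flame", NO_FLAME),
                    ("lost", LOST_IN_STABILISE)):
        print(name, run(s))
```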
During the gun purge period (set to 20 seconds), in order for the pilot gas valve to remain open, the pilot
gas flame must be present. Failure of the flame will result in the pilot gas valves closing.
On a double block and vent ‘to open’ command, the vent valve should close, and once proved closed the
block valves will be commanded to open.
This sequence should only be active during normal valve operation. In the event of an interlock failure,
the block valves and vent valve should operate as quickly as possible.
It should be noted that the oil temperature alarm is delayed for a time period to allow the oil to reach its
operational temperature. If the oil fails to achieve the required temperature within this time period, the oil
MFT will close. It can be re-opened by operation of the reset pushbutton. This will open the MFT and
reset the oil temperature delay timer, to allow a further period for the oil to reach the correct temperature.
The air dampers are both requested to open during a pre purge. Once a purge has completed the air
dampers are requested to close.
If a burner is requested to start, the air damper associated with the starting burner is opened, and
remains open all the time the burner is firing.
The air dampers are moved by double acting actuators that require two BMS outputs to operate. One
signal instructs the damper to open, the second instructs the dampers to close. Removal of both signals
results in the damper remaining in its present position.
• Closing all individual burner isolation valves, closing the common header isolation valve and
opening the header vent valve in the pilot gas system.
• Closing all individual burner isolation valves, closing the common header isolation valves and
opening the header vent valve in the main fuel gas system.
• Closing all individual burner isolation valves, closing the common header supply and opening the
return isolation valves in the oil system.
A master fuel trip does not stop the FD fan. A master fuel trip can be reset using the reset pushbuttons.
• Closing all individual burner isolation valves, closing the common header isolation valve and
opening the header vent valve in the main fuel gas system.
• Closing all individual burner isolation valves, closing the common MFT valve and opening the
common recirc valve in the main fuel oil system, closing the atomising steam valves and the
atomising crossover valves.
The oil temperature header trip is set so that the header valves can be open for up to 1 minute before it
takes effect.
P0661_IO_RevC.XLS IO JZ Bosicore