Prescriptive BMS standards contain a wealth of knowledge on combustion hazards, unit sequence of operation, and the equipment configuration required for combustion safeguards and combustion control. This experience cannot be overlooked; what these standards lack is a Safety Lifecycle to tie in the Functional Safety Management of the BMS.
That being said, would I ever specify a SIL 3 capable logic solver for a fired unit installation when I can just accept the guarantees that come from a Packaged Unit vendor that has designed the BMS to a prescriptive standard?
Yes, because a BMS is unique in that the instrumented layer is the last line of defense. The majority of safety systems in the process industry have a mechanical layer as the last line of defense, with the Safety Instrumented layer sitting between it and the BPCS.
Most of the BMS safeguard functions do not have a mechanical layer of protection. This makes it more important to make the BMS layer as robust as possible and manage it properly.
- Prescriptive standards do not tell you to quantify the reliability of the BMS safeguard.
- Prescriptive standards do not tell you to determine whether your devices are capable of more than one order of magnitude of risk reduction; they just tell you to make sure they are “listed” or “approved” for combustion service.
- Prescriptive standards do not determine testing frequency with reliability calculations.
- Prescriptive standards do not tell you to replace devices before the end of their useful life.
- Prescriptive standards do not consider some of the independence issues between BMS and BPCS (some standards allow control and safety in the same logic solver).
If you utilize the IEC 61511 Safety Lifecycle for BMS analysis and design, the holes in the Swiss cheese (as shown above) will become much smaller and the layers more robust. The management of functional safety will be monitored, and any discovered deficiencies will be fed back into the analysis phase of the lifecycle for modification.
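To make the reliability and testing-frequency points above concrete, here is an added example (not from the original post or any vendor) that sizes a proof-test interval for a low-demand BMS safeguard using the simplified IEC 61508-6 PFDavg formulas for 1oo1 and 1oo2 voting and the IEC 61511 SIL bands. The dangerous-undetected failure rate, common-cause beta and intervals are constructed sample values, not data for any real device.

```python
"""PFDavg and proof-test-interval sizing for a low-demand BMS safeguard.

Simplified IEC 61508-6 formulas for 1oo1 and 1oo2 (beta-factor common
cause). Failure rate, interval and beta below are constructed sample
values, not data for any real device.
"""
HOURS_PER_YEAR = 8760.0

# IEC 61511 low-demand bands: (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_avg_1oo1(lambda_du, ti_hours):
    """Single channel: PFDavg = lambda_DU * TI / 2 (lambda_DU in 1/h)."""
    return lambda_du * ti_hours / 2.0


def pfd_avg_1oo2(lambda_du, ti_hours, beta):
    """1oo2 pair: independent-failure term plus beta-factor common-cause term."""
    independent = ((1.0 - beta) * lambda_du * ti_hours) ** 2 / 3.0
    common_cause = beta * lambda_du * ti_hours / 2.0
    return independent + common_cause


def sil_from_pfd(pfd):
    """Map PFDavg to the IEC 61511 band it falls in (0 = below SIL 1)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0 if pfd >= 1e-1 else 4  # below 1e-5 is beyond SIL 4; report as 4


def max_test_interval_1oo1(lambda_du, target_sil):
    """Proof-test interval (h) at which a 1oo1 loop reaches the band limit.

    Testing must be more frequent than this to stay inside target_sil.
    """
    upper = {sil: hi for sil, _lo, hi in SIL_BANDS}[target_sil]
    return upper / (lambda_du / 2.0)


if __name__ == "__main__":
    lam, beta = 2e-6, 0.10  # constructed: 2e-6/h dangerous undetected, 10 % CCF
    for years in (0.25, 1.0, 3.0):
        ti = years * HOURS_PER_YEAR
        single, pair = pfd_avg_1oo1(lam, ti), pfd_avg_1oo2(lam, ti, beta)
        print(f"TI={years:4.2f} y  1oo1 PFD={single:.2e} SIL {sil_from_pfd(single)}"
              f"  1oo2 PFD={pair:.2e} SIL {sil_from_pfd(pair)}")
    print(f"1oo1 needs TI < {max_test_interval_1oo1(lam, 3):.0f} h for SIL 3")
```

With the sample rate, an annually tested single valve only just reaches SIL 2, and a SIL 3 claim on one channel would require testing roughly every six weeks, which is exactly the calculation a prescriptive standard never asks for.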