Module 04 · Safety Systems

Burner Management System

The BMS is the safety layer between the operator and an uncontrolled fuel release. It enforces the correct startup sequence, monitors flame and fuel conditions continuously during operation, and executes a safe shutdown when any critical condition is violated — faster and more reliably than manual response.

ℹ

Scope of this page

This covers BMS principles, states, interlock logic, and the operator's role within a BMS-controlled heater. Site-specific setpoints, valve tag numbers, and bypass procedures are defined in your facility's cause-and-effect matrix and BMS manual — refer to those for plant-specific detail.

What a BMS does — and doesn't do

A Burner Management System is a dedicated Safety Instrumented System (SIS) that controls and monitors the fuel gas supply to a fired heater's burners. It is not a process control system — it does not regulate firing rate or outlet temperature. That is the job of the DCS. The BMS and DCS are separate systems with separate logic, separate power supplies, and independent field devices where good design is followed.

The BMS has one job: ensure that fuel is only present in the firebox when safe conditions for ignition and stable combustion are confirmed, and remove fuel immediately when those conditions are lost.

🔴

BMS bypass — highest risk activity

Bypassing any BMS input or output removes a layer of protection designed for scenarios that happen fast. Any bypass requires a documented Management of Change (MOC), a compensating measure, and a defined time limit. An uninvestigated or undocumented bypass is a precursor to catastrophic failure.

BMS operating states

A BMS steps through defined states in sequence. It will not advance to the next state until all permissive conditions for the current state are satisfied. The operator initiates transitions; the BMS controls whether the transition is permitted.

State 1

Safe State

All fuel valves closed. Heater depressured of fuel gas. Default condition on loss of power or communication.

State 2

Purge

Firebox is being purged of residual hydrocarbons with airflow confirmed. Timer-controlled — cannot be manually shortened.

State 3

Ready to Light

Purge complete. Pilot fuel permissives satisfied. Operator may initiate ignition sequence.

State 4

In Service

Flame confirmed. Main fuel valves open. BMS monitoring active. Normal operation state.

State 5

Trip / ESD

A trip condition was detected. All fuel valves closed and locked. Investigation required before restart is permitted.

⚠

Purge timer is not negotiable

The purge timer is calculated to achieve a minimum of 5 volume changes of the firebox (NFPA 86 requirement). Shortening the purge — by any means — invalidates this guarantee. Never attempt to defeat the purge timer.

BMS-controlled startup sequence

The following describes the BMS logic sequence from safe state through to burners in service. The operator's role at each stage is highlighted. The BMS handles all valve sequencing; the operator confirms physical conditions and authorises each transition.

Pre-condition

Operator confirms physical readiness

Burner air registers open to purge position. Pilot gas isolation valves confirmed shut. No personnel inside firebox. All peepholes and access doors closed.

Operator action

Physical walkdown of heater. Sign off on pre-light checklist. Request BMS reset from DCS.

BMS State 2

Purge initiated

BMS confirms minimum airflow via flow element or damper position. Purge timer starts — typically 5–15 minutes depending on firebox volume. All fuel SDVs remain closed and de-energised during purge.

BMS State 2 → 3

Purge complete — state transition

Timer satisfied. BMS transitions to Ready to Light. A new trip condition during this window (e.g. loss of airflow) resets the purge and restarts the timer.

Operator action

Confirm BMS status display shows "Purge Complete / Ready to Light" before proceeding.

BMS State 3

Pilot ignition

Operator initiates ignition from BMS panel or DCS. BMS opens pilot gas SDV for a defined trial-for-ignition (TFI) period — typically 10–15 seconds. Spark igniter fires. Flame detector must confirm flame within TFI window.

TFI window

Flame confirmation or lockout

If flame is confirmed within TFI: BMS holds pilot SDV open and unlocks main fuel path. If flame is NOT confirmed: BMS closes pilot SDV immediately. Three consecutive failed ignition attempts may result in BMS lockout requiring supervisor authorisation to reset.

BMS State 4

Main fuel admitted — burner in service

Pilot flame confirmed. BMS opens main fuel SDV. Operator adjusts firing rate via DCS. BMS monitoring transitions to continuous: flame, fuel pressure high/low, firebox pressure, process flow (if applicable).

Operator action

Observe flame quality through peephole. Confirm stable, blue-based flame. Record time of lighting. Initiate warm-up rate per startup procedure.

Permissives are conditions that must be TRUE for the BMS to allow a state transition. A single permissive failure blocks the sequence. These are not alarms — they are hard gates.

Typical BMS Permissives — Startup

Condition	Required State	Applies At	Type
Combustion air flow / damper position	≥ min purge flow	Purge start	Permissive
Fuel gas pressure — main header	Within normal range	Ready to Light	Permissive
All fuel SDVs — position feedback	Closed / de-energised	Purge start	Permissive
Process flow (coil outlet / charge)	≥ minimum flow	Main fuel admit	Permissive
BMS / SIS power supply healthy	Both supplies live	All states	Permissive
Purge timer	Elapsed	Transition 2→3	Permissive
Pilot flame confirmed	Signal present	Main fuel admit	Permissive

Trip conditions cause the BMS to close all fuel SDVs immediately and transition to Safe State or Trip/ESD. These fire without operator action. The cause must be identified and resolved — and the BMS reset — before restart.

Typical BMS Trip Conditions — In Service

Trip Condition	Typical Setpoint	Consequence	Type
Flame failure — all burners	0 flames confirmed	Immediate ESD — all fuel valves closed	Trip
Fuel gas pressure — high high	Site-specific	ESD — overpressure risk / flame instability	Trip
Fuel gas pressure — low low	Site-specific	ESD — flame extinction risk	Trip
Process flow — low low (charge heater)	Site-specific	ESD — tube overtemperature / dry-out risk	Trip
Firebox pressure — high high	Site-specific	ESD — structural / refractory risk	Trip
BMS / SIS power supply — loss	Either supply lost	De-energise-to-trip — fuel valves close on loss of power	Trip
Emergency stop pushbutton	Operator-initiated	Immediate ESD	Trip
Fuel gas pressure — high (warning)	Below trip setpoint	Alarm only — no automated action	Alarm
Stack temperature — high	Site-specific	Alarm only — indicates air/fuel imbalance	Alarm

⚠

After a trip — mandatory steps before restart

(1) Identify and document the trip cause. (2) Correct the condition — do not reset until root cause is addressed. (3) Confirm all fuel SDVs are physically closed. (4) Re-execute full purge sequence — there are no shortcuts after an unplanned shutdown. (5) Notify supervisor before lighting.

Flame detection — the BMS's eyes

The BMS cannot monitor a flame it cannot see. Flame detector reliability is therefore directly coupled to BMS effectiveness. Two common technologies are used in refinery fired heaters:

Flame Detector Types — Comparison

Type	Detects	Strengths	Limitations
UV Scanner	Ultraviolet radiation from flame	Fast response, good for gas flames, industry standard	Sunblind (direct sunlight causes false flame); lens fouling common
IR Scanner	Infrared radiation / flicker frequency	Less susceptible to sunblinding; works on oil flames	Can see hot refractory as "flame" — false signals after shutdown
UV/IR Combined	Both UV and IR required for confirmation	Significantly reduces false trips and false flames	Higher cost; two signals to maintain

⚠

Detector lens fouling — common failure mode

A fouled lens can show "no flame" when a burner is lit (causing spurious trip) or — more dangerously — show "flame" after a burner has extinguished (masking a real flame failure). Regular lens cleaning and functional testing per your maintenance schedule is not optional.

The operator's role within a BMS system

A BMS automates sequencing and safety shutdowns, but it does not replace operator judgement. The operator's responsibilities within a BMS-controlled heater are:

Physical confirmation — the BMS sees signals, not reality. The operator confirms field conditions (valve positions, burner air register settings, personnel clear) before authorising any BMS transition.
Trip investigation — the BMS records a trip but does not diagnose it. The operator identifies and resolves the root cause before resetting.
Alarm response — BMS alarms (non-trip) indicate developing conditions that the operator must address before they escalate to a trip.
Bypass management — any BMS input bypass must be authorised, documented, and time-limited. The operator holding a bypass open for operational convenience is a safety violation.
Functional test coordination — BMS proof tests (SDV stroking, flame detector testing) are scheduled activities requiring operator involvement and often process coordination.

ℹ

BMS does not manage firing rate

Once burners are in service, the DCS controls firing rate via the fuel gas control valve — which is upstream of and separate from the BMS safety shut-down valve. A BMS trip closes the SDV regardless of DCS demand. Always confirm DCS is in manual / low demand before a planned BMS reset to avoid sudden surge of fuel on re-light.

SIL — what the rating means for operators

Fired heater BMS systems are typically designed to SIL 2 (Safety Integrity Level 2), meaning the system reduces the likelihood of a dangerous failure by a factor of 100–10,000 compared to no protection. This rating is only maintained if:

Proof testing is completed on schedule (typically annually for SIL 2).
Bypasses are managed and minimised.
Any detected failures are reported and corrected promptly.
The system is not modified without a formal Management of Change review.

The SIL rating is a system rating — it assumes the instrumentation, logic solver, and final elements (SDVs) all function as designed. An undetected failed SDV or a bypassed flame detector can reduce the effective SIL to zero without any alarm appearing on the panel.

← Emergency Shutdown Safety Interlocks →