Burner Management System SIS Commissioning: HIMA HIMatrix F60 and Triconex Tricon CX Field Procedures

BMS, Burner Management System, Double Block and Bleed, HIMA HIMatrix F60, IEC 61511, NFPA 85, Proof Test, Safety Instrumented System, SIL 2, Triconex Tricon CX, UV Flame Detector
April 16, 2026

BMS Architecture and Safety Function Boundaries

A burner management system governs fuel admission, ignition sequencing, flame proving, and emergency shutdown for fired equipment. NFPA 85 and IEC 61511 both apply when the BMS includes safety instrumented functions. The typical architecture places a Safety PLC — either HIMA HIMatrix F60 or Triconex Tricon CX — as the Safety Instrumented System logic solver. The BPCS handles setpoint management and air-fuel ratio control on a separate controller. The two systems exchange data over Modbus TCP but maintain hard physical separation at the I/O level.

The HIMA HIMatrix F60 is a compact SIL 3-capable TMR controller supporting up to 96 digital inputs and 48 digital outputs in the base configuration. The Triconex Tricon CX executes Triple Modular Redundancy with 2oo3 voting at the I/O module level, providing SIL 3 hardware fault tolerance. For a BMS rated at SIL 2, either platform provides adequate hardware integrity — the critical constraints come from software design and proof test interval.

UV Flame Detector 2oo3 Voting Logic

Flame detection uses three UV detectors arranged in a 2oo3 voting configuration. This architecture requires at least two detectors to confirm flame presence before the logic solver allows continued fuel admission. On the HIMA HIMatrix F60, configure the voting block in SILworx as a FB_Vote_2oo3 function block. Set the Discrepancy Timeout to 3 seconds — if one detector disagrees with the other two for longer than 3 seconds, the HIMatrix generates a Discrepancy Alarm to the DCS.

On the Triconex Tricon CX, implement the same logic using TriStation’s IEC 61131-3 Structured Text. Add a 500 ms ON-delay timer on each detector input to reject transient UV interference from igniter sparks. This prevents false flame-proven signals during the ignition sequence.

Step 1: Wire all three UV detectors to separate HIMatrix F60 digital input channels — never share a common return with the igniter circuit.
Step 2: Verify each detector’s self-check output. A healthy Fireye 45UV5 outputs a 24 VDC self-check signal every 10 seconds. Map this to a dedicated DI channel and configure a 30-second watchdog in TriStation — loss of self-check output for 30 seconds triggers a UV Detector Fault alarm.
Step 3: Perform a light-and-dark test for each detector individually. Block the UV view path with a shutter card. Verify the associated detector input drops to 0 VDC within 1 second. Confirm the 2oo3 vote does not declare FLAME_PROVEN with only one detector active.

Purge Sequence Timer: NFPA 85 Requirements

NFPA 85 requires that a combustion enclosure be purged with a minimum of four air changes before each ignition attempt. The purge flow rate must be at least 25% of the maximum design airflow. Calculate the required purge time using this formula:

T_purge = (4 × V_enclosure) / Q_airflow

For a 120 m³ combustion enclosure with a forced draft fan delivering 18 m³/min at 25% damper position: T_purge = (4 × 120) / 18 = 26.7 minutes. Round up to 27 minutes and program this as the minimum purge timer preset in the HIMatrix SILworx purge sequence function block. The timer must be a safety-rated, non-resettable timer — if airflow drops below the 25% threshold during the purge period, the timer resets to zero.

On the Triconex Tricon CX, implement the purge timer in TriStation using a TON (Timer On Delay) block with a preset of 1620 seconds (27 minutes). Interlock the timer enable input with the airflow proving switch — a differential pressure switch set at 0.5 kPa across the air damper proves the required flow rate. Verify its response time is less than 2 seconds to meet NFPA 85 Section 8.3.4 requirements.

Double Block-and-Bleed Valve Sequencing

The fuel supply uses a double block-and-bleed (DBB) arrangement — two normally-closed safety shutoff valves (SSOV) in series with a normally-open vent valve between them. NFPA 85 requires each SSOV to close within 1 second of receiving a shutdown signal. On the HIMA HIMatrix F60, sequence the DBB valves using this logic:

Step 1: On BMS trip, simultaneously de-energize SSOV1 (upstream block) and SSOV2 (downstream block) digital output channels via the HIMatrix F3 DIO safety output module. Both receive the de-energize command within one HIMatrix scan cycle — typically 10 ms.
Step 2: After a 200 ms delay, energize the vent valve (normally open, held closed during operation by a 24 VDC signal). De-energizing the vent valve DO channel allows it to open and purge the inter-valve space.
Step 3: Start a 2-second valve-closed confirmation timer. The HIMatrix reads back the SSOV limit switches. Confirm closed position within 2 seconds. If either SSOV limit switch fails to confirm closed, generate a Valve Failure alarm and prevent restart.
Step 4: For the Triconex Tricon CX implementation, use a State Machine in TriStation with five states: IDLE, PURGING, IGNITING, RUNNING, TRIPPED. Each state transition is controlled by a Boolean condition set. This structure makes IEC 61511 cause-and-effect matrix verification straightforward during the safety case review.

SIL 2 Proof Test and PFDavg Recalculation

IEC 61511 Clause 16.2.5 requires documented proof tests at intervals derived from the SIL 2 PFDavg target. For a BMS fuel shutoff function at SIL 2, the PFDavg must remain below 10⁻² (1%). A typical proof test interval for an ESD valve with a dangerous undetected failure rate (λDU) of 2.5 × 10⁻⁶ /hr is calculated as:

PFDavg = λDU × Ti / 2

To maintain PFDavg = 0.005 (50% of the SIL 2 limit): Ti = (2 × 0.005) / (2.5 × 10⁻⁶) = 4000 hours ≈ 6 months.

The Partial Stroke Test (PST) partially exercises the ESD valve without a full process shutdown. On the HIMatrix F60, configure a PST function using the SILworx PST library block. Set the PST travel limit to 15% of valve stroke — sufficient to detect seat stiction and mechanical binding without interrupting process flow. A PST response time exceeding 8 seconds indicates actuator degradation — schedule a full-stroke test during the next maintenance window.

Recalculate PFDavg after each PST event. Document each PST result in the HIMatrix diagnostic log and transfer the data to your safety case management system. IEC 61511 requires this documentation to remain retrievable for the entire system lifecycle — typically 25 years for fired equipment.

Conclusion and Action Advice

BMS commissioning is not a checkbox exercise. Every parameter — purge timer value, UV discrepancy timeout, valve response time, PST travel limit — has a direct link to a safety requirement in NFPA 85 or IEC 61511. Use HIMA SILworx’s built-in simulation mode to pre-verify the purge sequence logic before first-fire. On Triconex Tricon CX projects, use TriStation’s State Machine editor and link each transition condition to your cause-and-effect matrix line number.

After commissioning, perform the first full-stroke ESD valve test within 30 days to establish a baseline response time. Set a 6-month PST schedule and a 12-month full-proof-test schedule as standing work orders. These disciplines keep your BMS PFDavg inside the SIL 2 envelope and demonstrate IEC 61511 compliance during every safety audit.

Author: Liu Yang is an industrial automation engineer with over 10 years of experience in PLC, DCS, and control systems.