The document discusses burner management systems (BMS) and how programmable electronic systems (PES) can be used for burner control while ensuring safety. It outlines several key requirements for PES-based BMS to be certified, including using redundant safety-related PES, obtaining independent safety certification, and the designer demonstrating proper development and testing practices. The document also describes various safety features that can be designed into BMS, such as input/output monitoring, guarded outputs, processor watchdog timers, and power monitoring. It discusses architectures for safety programmable logic controllers (PLCs) including 1oo1D (one out of one with diagnostics) and 1oo2D (one out of two with diagnostics).
Burner Management System
Introduction
The function of a burner management system (BMS) is to assure safe
operation of the combustion associated with boilers, ovens, kilns,
process heaters and furnaces. The BMS provides a safe start-up
procedure and stops fuel flow if conditions are detected that affect the
safety of the unit.
With the advancement of microprocessor technology, programmable
systems have become the preferred solution for burner management
design. When issues like documentation, configuration management,
diagnostics, capabilities for operator graphics and communications to
other plant-wide control systems are considered, the advantages of
programmable technology over relay/solid-state technology become
very significant. Since the failure modes of microprocessor technology
are not readily predictable, the Australian Gas Association (AGA) and a
number of other international standards and regulatory agencies
(NFPA, TUV, FM, IRI) have established recommended practices and
guidelines for applying this technology in burner management
applications.
The needs of a Burner Management System.
There are strong economic reasons to ensure combustion equipment
operates safely. These reasons include possible equipment losses,
personnel injury and loss, and production downtime as a result of an
accident. When risk analysis is combined with life cycle costing
techniques, many companies realise that the financial impact of safety
risk is higher than imagined.
Gas & Fuel Authorities are bringing out newer, tougher requirements
including requirements for approvals from independent testing
agencies like TUV. The IEC61508 standard for the functional safety of
electrical/electronic/programmable electronic (E/E/PE) safety-related
systems has been released and the Australian version AS61508 will be
fully published soon. Designing combustion equipment that operates
safely is not becoming easier.
The latest Australian Standard AS3814/AG 501 – 2000 for industrial
and commercial gas-fired appliances states that for a Programmable
Electronic System (PES) to gain acceptance on Type B appliances the
following applies, as in clause 2.26.3:
“If it is desired to use a PES controller to perform safety-related
functions, then it shall be a redundant safety-related PES and possess
a TUV safety certificate to the appropriate safety class of DIN V 19250
or some equivalent certificate. Only TUV approved "firmware" (or
equivalent) is to be used in the controller.”
“Like computer programs, the only true way of assessing a PES user-
program to ensure that it functions the way it was designed, is to test
run the program. It is not possible to inspect a PES program in its
entirety by visual examination and conclude that the program does
what it is required to do under all possible operating situations.
Therefore in order to ensure the integrity of the PES user software,
the person/company who designed the system shall have QA
accreditation, and shall have adhered to the principles outlined in AS
61508. It is the designer's responsibility for the development of the
program, and for test-running the program by simulating the inputs,
and proving that the outputs occur at the right time and duration. A
signed written statement to that effect shall be submitted to the
Authority.”
The NFPA 8502 standard for the prevention of furnace
explosions/implosions in multiple burner boilers, 1999 edition, clause
4-3.2.1, lists the following minimum failures that must be evaluated and
addressed:
(a) Interruptions, excursions, dips, recoveries, transients, and
partial losses of power
(b) Memory corruption and losses
(c) Information transfer corruption and losses
(d) Inputs and outputs (fail-on, fail-off)
(e) Signals that are unreadable or not being read
(f) Failure to address errors
(g) Processor faults
(h) Relay coil failure
(i) Relay contact failure (fail-on, fail-off)
(j) Timer failure
The new FM 7605 standard for PLC-based BMS, first released in
January 2000, also requires compliance with IEC 61508,
stating:
“The system shall conform at a specified Safety Integrity Level (SIL) to
IEC 61508, Part 1, General requirements. The hardware architecture
shall include self-checking firmware, external and internal watchdog
systems, redundant processors, and dual I/O cards as required to
achieve the specified SIL. Software architecture shall include
communications drivers, fault handling, executive software,
input/output functions, and derived functions as required to achieve
the specified SIL. Redundant components shall be separated so as to
reduce common cause failures.”
This need to meet regulations and properly implement safety
protection equipment adds another dimension to the trade-offs that
must be made by design engineers.
Regardless of these requirements, many control engineers are
selecting programmable electronic systems for burner management
applications. Advantages include ease of installation, lower false trip
rate, math capability and more sophisticated logic capability. In newer
generation PLCs, other benefits include IEC 61131 standard language
capability, self-documenting graphical configuration and management
of change functions, among a growing list of other user-friendly tools.
With all these advantages, why not? The big problem is that solid-
state components can fail in several ways, many of which may create
dangerous undetectable failures.
The BMS maintains safe operation of the boiler during start-up,
operation, and shutdown. Both PLCs and DCSs can accommodate
safety and process control in a single processor, but the National Fire
Protection Association, Factory Mutual Research Corporation, and good
engineering practice call for independence between burner
management systems and all other control systems.
Early automated BMS were either proprietary hardware or relay based.
Since the 1980s, PLCs are preferred for their reliability, flexibility,
configurability, and lower life cycle cost.
With any automated electronic control-based system, the designer
must pay close attention to failure modes. Safety features that can be
designed into a BMS include input checking, critical output monitoring,
external watchdog circuit, coil monitoring, fuse monitoring, circuit
breaker monitoring, and related alarming and diagnostics.
Many other processes in a power house can be controlled with PLCs to
cut installed system cost, reduce spare parts requirements, speed
maintenance and operator training, and ease installation and
troubleshooting.
Output Monitoring
Output monitoring (or readback) is a technique that uses an input
channel to measure an output channel's value and compares it to the
value demanded by the system logic. This diagnostic can determine if
the output has failed ON or failed OFF. Figure 1 shows how output
monitoring is typically implemented in a PLC. Ladder logic must be
written to ensure that each output is compared with its corresponding
diagnostic input channel and appropriate diagnostics are generated.
fig.1
Safety PLCs incorporate output monitoring into their I/O module
hardware using special circuitry and an onboard microprocessor to
generate the diagnostics, as illustrated in Figure 2. This eliminates the
wiring and programming required by general purpose PLCs.
Furthermore, this relieves the application controller from the burden of
generating these diagnostics.
fig.2
Output monitoring provides valuable diagnostic information. However,
on its own it can do nothing more than annunciate the problem. To
convert the potentially dangerous failure into a safe failure, a further
technique must be applied alongside output monitoring.
Guarded Outputs
Series wired trip relays could be incorporated to "protect" the
monitored outputs. Figure 3 illustrates the typical addition of a trip
relay to the general purpose PLC output monitoring in Figure 1. The
output to the trip relay is programmed to de-energise if any of the
outputs it is protecting reports a dangerous fault. This provides a
secondary means of de-energising an output if for some reason, the
output fails to turn-off when commanded. Additionally, a contact of
the trip relay should be monitored to ensure that it is functioning
properly. The trip relay must be manually reset before it can be re-
energised. This can be accomplished by wiring a reset pushbutton to
an input circuit or via an engineer's console.
fig.3
Most safety PLCs incorporate protected or guarded outputs. Figure 4
shows the incorporation of a diagnostic cut-off relay to the typical
safety PLC block diagram, which provides guarded outputs. Note that
the relay is also monitored for proper function. Here, the diagnostic
generated by the faulted output or relay must be manually cleared
before the relay can be re-energised.
fig.4
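The general purpose PLC arrangement of Figure 3 (output readback, a latching trip relay, a monitored relay contact and a manual reset) can be sketched as one scan routine. This is an added example, not code from the original paper; the names `guard_t` and `guard_scan`, the 8-bit output image and the one-scan delay between writing an output and reading it back are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

typedef struct {
    uint8_t prev_cmd;    /* output commands written on the previous scan */
    bool    prev_coil;   /* trip relay coil command written on the previous scan */
    bool    prev_reset;  /* reset pushbutton state on the previous scan */
    bool    tripped;     /* latched until a manual reset */
    uint8_t failed_on;   /* bit n: output n reads ON although commanded OFF */
    uint8_t failed_off;  /* bit n: output n reads OFF although commanded ON */
    bool    relay_fault; /* trip relay contact disagrees with its coil command */
} guard_t;

/* One PLC scan. cmd is what the logic wants now; readback and relay_contact are
 * diagnostic inputs and show the effect of what was written on the previous scan.
 * Returns the trip relay coil command (true = energised, outputs have power). */
bool guard_scan(guard_t *g, uint8_t cmd, uint8_t readback,
                bool relay_contact, bool reset_pb)
{
    g->relay_fault = (relay_contact != g->prev_coil);
    g->failed_on   = (uint8_t)(readback & ~g->prev_cmd);
    /* Failed-OFF can only be judged while the relay is feeding the outputs. */
    g->failed_off  = relay_contact ? (uint8_t)(g->prev_cmd & ~readback) : 0;

    if (g->failed_on || g->relay_fault)
        g->tripped = true;          /* failed-ON output or relay fault: latch the trip */

    bool reset_edge = reset_pb && !g->prev_reset;  /* a press, not a held button */
    if (reset_edge && !g->failed_on && !g->relay_fault)
        g->tripped = false;         /* manual reset, only with the fault gone */

    g->prev_cmd   = cmd;
    g->prev_reset = reset_pb;
    g->prev_coil  = !g->tripped;
    return g->prev_coil;
}
```

A failed-OFF output is only annunciated here, since it is already in the de-energised state; a failed-ON output drops the trip relay and keeps it dropped until the reset input sees a fresh press.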
Processor Protection
Watchdog timer circuits are employed to ensure that outputs fail-safe
upon detection of a processor failure. The typical implementation with
a general purpose PLC is to configure one or two outputs to continually
generate square wave output(s). The watchdog timer will trip if the
output(s) fail to change state within the timer's specified preset. This
will cause the trip relay to de-energise. Figure 5 shows the addition of
a watchdog timer to the general purpose PLC application in Figure 3.
There should be at least one watchdog timer monitoring every CPU in
the system. Two watchdog timers are required to detect watchdog
timer failure.
fig.5
Safety PLCs also employ watchdog timers; however, these are
integral to the modules and usually implemented redundantly.
That is, every CPU circuit is monitored by two watchdog timers, and
the timers also monitor each other to detect watchdog timer failure. If
either watchdog trips, the diagnostic cut-off relay is de-energised.
Figure 6 depicts the addition of watchdog timers to the typical safety
PLC block diagram. As shown, the watchdog timer has direct
control of the relay, de-energising it upon a watchdog time-out.
fig.6
Power Monitoring
The quality of output signals is only as good as the power used to drive them.
To ensure that outputs are not turned on when the power supply is out of
tolerance, a power monitor diagnostic can be added to the general purpose
PLC. Figure 7 shows the addition of a signal conditioner (trip alarm), which
detects if the power supply is under range or over range. To protect the outputs
from damage, possible dropout, or oscillation during brownout conditions, the
PLC must be programmed to de-energise the trip relay output if the power supply
goes out of range.
fig.7
Figure 8 shows the complete safety PLC output module block diagram
with the addition of the power monitor circuit. Like the trip alarm, the
power monitor circuit detects if the power supply goes over or under
range and can automatically trip the diagnostic cut-off relay to protect
the outputs. This circuit can also detect if the main fuse is blown.
fig.8
Input Circuit Protection
Input circuits can fail ON or OFF, which if left undetected, can leave a
Safety System unprotected. There are multiple techniques for
detecting failed ON or failed OFF inputs. They are pulse testing
(automatic input testing) and redundant input circuits comparison.
During the test, inputs are briefly de-energised by turning off an
output that supplies power to the inputs. Programmed logic must then
prove that all of the inputs successfully detected the change in state.
However, additional logic must ensure that the application logic holds
the inputs during the test. Some safety PLCs incorporate automatic
input testing in their input modules or redundant input detection
circuits for each input channel.
Communication Protection
Inter-module communications require diagnostics that can detect
corrupted messages or a loss of communication. Cyclical redundancy
checking (CRC) is a very reliable technique for confirming correct
transmission and receipt of data. Communication watchdog timers
should also be employed by every module on a bus to detect a loss of
bus activity. Safety PLCs will automatically set their outputs to a pre-
determined safe state (OFF) when an I/O module has lost
communication with its control module. Redundant communications
paths, standard in safety PLCs, should be considered for general PLCs
for higher availability.
Address Verification
To ensure input data is originating from the correct module and going
to the correct module, the processor should incorporate some form of
address verification. Safety PLCs use redundant serial data links to
communicate between the processor and the I/O modules. Serial
communications allow for source and destination addressing to be
embedded into messages and compared with the hardware address
established by the backplane. Parallel backplane designs typically
found in general purpose PLCs do not usually incorporate any address
verification.
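The checks described under Communication Protection and Address Verification can be combined in the receive path of an I/O module, as in this added example (not taken from the original paper or from any PLC vendor). The five-byte frame layout, the CRC-16/CCITT-FALSE polynomial, the timeout handling and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); the choice of CRC is an assumption. */
uint16_t crc16(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc & 0x8000) ? (crc << 1) ^ 0x1021 : crc << 1);
    }
    return crc;
}

/* Assumed frame layout: [dest][src][output image][crc_hi][crc_lo] */
#define FRAME_LEN 5
enum rx_status { RX_OK, RX_BAD_LEN, RX_BAD_CRC, RX_WRONG_DEST, RX_WRONG_SRC };
void frame_build(uint8_t f[FRAME_LEN], uint8_t dest, uint8_t src, uint8_t image)
{
    f[0] = dest; f[1] = src; f[2] = image;
    uint16_t c = crc16(f, 3);
    f[3] = (uint8_t)(c >> 8); f[4] = (uint8_t)c;
}

enum rx_status frame_check(const uint8_t *f, size_t len, uint8_t my_slot, uint8_t ctrl)
{
    if (len != FRAME_LEN) return RX_BAD_LEN;
    if (crc16(f, 3) != (uint16_t)((f[3] << 8) | f[4])) return RX_BAD_CRC;
    if (f[0] != my_slot) return RX_WRONG_DEST;  /* compare with backplane address */
    if (f[1] != ctrl)    return RX_WRONG_SRC;   /* only the controller may command */
    return RX_OK;
}

typedef struct {
    uint8_t  slot, ctrl, outputs;       /* own address, expected sender, output image */
    uint32_t last_good_ms, timeout_ms;  /* communication watchdog */
} io_module_t;
/* Run every cycle; len == 0 means nothing was received. Returns outputs to drive. */
uint8_t io_module_cycle(io_module_t *m, const uint8_t *f, size_t len, uint32_t now_ms)
{
    if (len && frame_check(f, len, m->slot, m->ctrl) == RX_OK) {
        m->outputs = f[2];
        m->last_good_ms = now_ms;
    }
    if (now_ms - m->last_good_ms > m->timeout_ms)
        m->outputs = 0;                 /* loss of communication: safe state (OFF) */
    return m->outputs;
}
```

A corrupted or misaddressed frame is simply not counted as bus activity, so a stream of bad frames ends in the same safe state as a silent bus.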
Memory Corruption and Losses
All programmable control system memory (RAM, ROM, and EEPROM)
should be fully tested upon power-up and continuously tested on-line
with background diagnostics. Volatile memory (RAM) should be battery
backed and a low battery diagnostic should indicate to the operator
when a battery needs to be replaced.
Common Cause
A "common cause" failure is defined as the failure of two or more
similar components due to a single stress event (a single cause). The
key word here is "stress." Stressor events include electrical events like
power spikes, lightning, and high current levels. Mechanical stress
includes shock and vibration. Chemical stress includes corrosive
atmospheres, salt air, and humidity. Physical stress includes
temperature. Heavy usage including high data rates is even a stress,
especially to system software. If the stress level is high enough, two
or more similar components can fail at the same time.
Software may be the most significant contributor of all to the common
cause failure rate. A "stress" to a software system is the combination
of inputs, timing, and stored data seen by the CPU. Imagine a fault
tolerant system with two or three processors where all the CPUs are
running the exact same program in lock-step synchronous operation.
The CPUs will all see the exact same inputs, the same stored data with
the same timing. The chance of simultaneous failure due to a common
software bug is high.
A Safety PLC can achieve “common cause strength” through a number
of mechanisms:
· Physical separation of redundant units. The worst implementation has
redundant circuits on the same circuit board. The best implementation
allows redundant circuits to be located in different cabinets.
· Asynchronous operation of redundant units to reduce software
common cause. The worst implementation has identical software
running the same functionality in perfect synchronisation. The best
implementation runs asynchronously with different operating modes
between redundant units.
· Diversity. The worst implementation has identical software and hardware
in redundant units. The best implementation uses diverse components
that respond differently to a common stress.
· High strength hardware and software. Other important parameters
include the overall ruggedness of the safety PLC and the use of a
systematic audited software development process.
BMS Safety PLC System Architectures
Typically, a specially designed safety PLC provides high reliability and
high safety via special electronics, special software and pre-engineered
redundancy. The safety PLC has I/O circuits that are designed to be
fail-safe with built-in diagnostics. The CPU of a safety PLC has built-in
diagnostics for memory, CPU operation, watchdog timer and all
communications systems. I/O module addressing is done via serial
communications messages that have full automatic error checking.
Figure 9 shows the architecture of a non-redundant safety PLC. The
1oo1D (one out of one with diagnostics) architecture uses the special
diagnostic circuits to convert dangerous failures into safe failures by
de-energising the output. This is the most cost effective safety PLC
solution and meets IEC 61508 SIL 2 requirements.
Figure 9. The 1oo1D architecture uses special diagnostic circuits to convert dangerous
failures into safe circuits.
When high availability is important in addition to safety, a redundant
architecture can be used. Two primary architectures are used, 2oo3
and 1oo2D. Figure 10 shows the 2oo3 (two out of three) architecture
that was designed to provide high safety and high availability. It is
typically implemented with three physical sets of electronics. Each set
of electronics includes the input circuitry, a logic solver, and output
circuitry. A 2oo3 system can tolerate a one-unit failure but is more
susceptible to common cause than the 1oo2D. Also, because the 2oo3
architecture requires more hardware it can be complex and
expensive to implement.
Figure 10. The 2oo3 architecture is designed to provide safety and
availability.
Figure 11 shows the 1oo2D (one out of two with diagnostics)
architecture. It was designed to provide high safety, high availability
and high common cause strength at a lower cost than a 2oo3 system.
It is simple to implement with typically two physical sets of
electronics. Each set of electronics includes the input circuitry, a logic
solver, and output circuitry. Each circuit has special diagnostic
circuitry that combines to form another logical channel. When two
sets of electronics are combined together a four-channel architecture
is created.
Conceptually, each of the two units reads inputs, calculates, and
stores outputs. The diagnostic circuits monitor proper operation and
will de-energise a second series output switch if a failure is detected.
Any potentially dangerous failure is converted into a safe failure if
detected by the diagnostics. If the diagnostics work perfectly, the
system is fail safe. High availability is achieved through the parallel
combination of the two sets of electronics. If one side fails safely, the
other side maintains the load and the protection function.
The 1oo2D architecture requires good self-diagnostics. Diagnostic
techniques have improved considerably; however, it is arguable that
perfect self-diagnostics can be achieved. Therefore, in order to assure
high safety integrity, actual implementations of the 1oo2D provide
interprocessor communication between the logic solvers. A
comparison of input data and calculation results between the two units
provides complete protection in addition to the self-diagnostics. When
the comparison of either unit detects a mismatch, the system is de-
energised (fail-safe).
Figure 11. The 1oo2D architecture provides safety, via diagnostic
circuits and extra series output switches, availability and common
cause strength.
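The 1oo2D behaviour described above can be exercised with a small fault-injection model: two units in parallel, each with an output switch in series with a diagnostic switch, plus the inter-processor comparison. This is an added example and a deliberate simplification, not the paper's or any vendor's design; the fault types, the pass-through logic (result equals input) and all names are assumptions.

```c
#include <stdbool.h>

typedef enum { F_NONE, F_SWITCH_SHORTED, F_INPUT_STUCK_ON } fault_t;

typedef struct {
    fault_t fault;     /* injected hardware fault */
    bool    detected;  /* did this unit's self-diagnostics catch it? */
} unit_t;

typedef struct {
    bool load_energised;  /* true = load energised (process running) */
    bool a_online, b_online;
    bool compare_trip;    /* inter-processor comparison found a mismatch */
} result_t;

/* What one unit believes it read from the shared field input. */
static bool unit_read(const unit_t *u, bool permissive)
{
    return u->fault == F_INPUT_STUCK_ON ? true : permissive;
}

/* State of the unit's output switch; a shorted switch conducts regardless. */
static bool unit_switch(const unit_t *u, bool logic_result)
{
    return u->fault == F_SWITCH_SHORTED ? true : logic_result;
}

/* permissive: true = process healthy, false = demand to trip (de-energise). */
result_t run_1oo2d(unit_t a, unit_t b, bool permissive)
{
    result_t r;
    bool in_a = unit_read(&a, permissive), in_b = unit_read(&b, permissive);
    /* The diagnostic (series) switch opens when a fault is detected. */
    r.a_online = !(a.fault != F_NONE && a.detected);
    r.b_online = !(b.fault != F_NONE && b.detected);
    /* Two units that both look healthy exchange input data and compare. */
    r.compare_trip = r.a_online && r.b_online && in_a != in_b;
    r.load_energised = !r.compare_trip &&
        ((r.a_online && unit_switch(&a, in_a)) ||
         (r.b_online && unit_switch(&b, in_b)));
    return r;
}
```

In this model a detected fault takes one unit offline while the other carries the load, and an undetected input fault is caught by the comparison; an undetected shorted output switch is not, which is why the architecture depends on the quality of the self-diagnostics.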
CONCLUSION
There are many aspects of a Burner Management System that
contribute to its operating safety and meeting IEC 61508 and
regulatory agency requirements. For example and not covered by this
paper, much can be done with flame detectors, field sensors and
actuators, such as voting redundant sensors, using analog transmitters
in place of switch interlocks, and installing limit switches on valves.
There are also now more certified field sensors becoming available that
are designed to meet the standards. However, the device that controls
all of the system I/O plays a major role in the operating safety of the
system. Selection of the control system is just as critical as, if not
more critical than, the selection of the associated field hardware.
Depending on the mix of analog and digital I/O, the cost of a modern
safety PLC will not be much higher than a conventional PLC. In
addition, one significant advantage of the safety PLC is eliminating the
special engineering and application level programming required in the
conventional PLC. None of the special circuits shown in Figures 1, 3, 5
& 7 are needed when using a safety PLC. The installed cost of a safety
PLC can be significantly lower than a conventional PLC when
engineering and installation expenses are considered for burner
management applications.