Boiler and BMS Application Guide


Boiler and Burner Management Systems

Application Guide

Boiler and BMS Application Guide.doc

1 of 21

Copyright 2002 Invensys Systems, Inc. All Rights Reserved. Printed in the United States of America.

Information in this document is subject to change without notice and does not represent a commitment on the part of Invensys Systems, Inc.

Trademark Acknowledgments
Cause and Effect Matrix Programming language Editor (CEMPLE), Tricon, Trident, Trisen, and TriStation 1131 are trademarks of Invensys Systems, Inc. in the USA and other countries. Microsoft, Windows and Windows NT, Windows 2000 are registered trademarks of Microsoft Corporation. Modbus is a registered trademark of Modicon Corporation. Triconex is a registered trademark of Invensys Systems, Inc. in the USA and other countries. All other brands or product names may be trademarks or registered trademarks of their respective owners.

Disclaimer
Because of the variety of uses for this equipment and because of the differences between this fault tolerant equipment and traditional programmable logic and process controllers, the user of, and those responsible for applying, this equipment must satisfy themselves as to the acceptability of each application and the use of the equipment. The illustrations, charts and layout examples shown in this manual are intended solely to illustrate the text of this manual. Because of the many variables and equipment associated with any particular installation, Invensys Systems, Inc. cannot assume responsibility or liability for actual use based upon the illustrative uses and applications.

In no event will Invensys Systems, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment. INVENSYS SYSTEMS, INC. DISCLAIMS ANY IMPLIED WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE. Invensys Systems, Inc. reserves the right to make changes at any time in order to improve design and to supply the most reliable product. No patent or copyright liability is assumed by Invensys Systems, Inc. with respect to use of information, circuits, equipment or software described in this text. Reproduction of the content of this manual, in whole or part, without written permission of Invensys Systems, Inc. is prohibited.


Contents
1 Overview
2 Typical Project Execution
    2.1 Personnel Requirement
3 Overview of SIS
4 BOILER/BMS CODES AND STANDARDS
5 NFPA
6 NFPA Requirements Triconex Response
    Triconex Response
    NFPA Specific Requirements:
    Triconex Response
    6.1 NFPA Design Section
    Triconex Response


1 Overview
Process steam boilers and furnaces function as critical components in most process industries. Protection of the boiler or furnace from upset conditions, safety interlock for normal startup and shutdown, and flame safety applications are combined in the single integrated Tricon controller. In traditional applications these functions would be provided in individual nonintegrated components. But with a fault tolerant, fail safe controller, the boiler/furnace operations staff can use a critical resource more productively while maintaining safety at or above the level of electromechanical protection systems. Figure 1 is an overview of the Tricon Controller:

(Block diagram; labels shown: Input Termination; Input Legs A, B and C; I/O Bus; Main Processors A, B and C; TriBus; Output Legs A, B and C; Voter; Output Termination; Auto Spare positions on the input and output sides.)

Figure 1 Tricon Overview

As stated independently by end users over and over again, the attributes of the Tricon Fault Tolerant Controller make it ideal for Burner Management System applications. The system is able to guarantee its availability for executive action as well as offer reduced vulnerability to spurious alarms and/or trips. Although the fault tolerant technology is inherently more expensive than traditional simplex electromechanical controllers, the ongoing cost of ownership, due to lower maintenance costs, fewer plant shutdowns and a higher probability of real incident prevention, makes the initial investment attractive to the plant operation.

Triconex has over 4000 TMR based control systems in the world with nearly 50% of the applications being some type of flame management system. Triconex has solutions on nearly every major type of furnace and boiler system in the world. These systems have been applied by the Original Equipment Manufacturer, an Engineering Contractor, the End User/Operator, or the Triconex Application Engineering Groups. Examples of typical project types are Power Utility Boilers, Industrial Heaters, Hearth Furnaces, Tangentially Fired Furnaces, Hydrogen Furnaces, Ethylene Cracking Furnaces, CO Boilers (FCCU), Special Coker Furnaces (DCU), Crude Furnaces (Crude Units), Heat Recovery Steam Generators (CoGen), Thermal Oxidizers (SRU), Incinerators, etc. These flame management systems are installed in refineries, chemical plants, gas plants, airports, power plants, etc.

Attachment A is a list of Boiler and Furnace related projects that the Triconex Application Engineering Groups have actually been involved in. Hundreds of additional projects have been completed by 3rd parties using Triconex supplied hardware. In either case, however, the application of the Triconex controller ensures the following major operational results:

Fault Tolerance: Under Highest TUV Certification for Process Industries, SIL 3, the TRICON is certified to operate in the presence of any fault for up to 3 months prior to a necessary repair under the certification.
Safety AND Reliability: No Process Compromise, Highest Reliability of Any Control Solution Available
Complete Diagnostics: From Sensor to Controller to End Control Device
Maintainability: Fully hot swappable, less than 1 hour MTTR
Experience: Over 4000 Systems Installed WW
Lowest Total Operational Costs: Lower Than Any PES Available
High Speed Data Recording: Analog Data Logs and SOE Integrated for Trip, Startup Analysis and Troubleshooting
Simplicity in Use

2 Typical Project Execution


When Triconex does get involved in Boiler or BMS projects, the efforts are managed exactly the same as any other ESD type project. A typical project flow is shown in Figure 2.

Figure 2 Typical Project Flow

(Flow sheet titled "Critical Control System Pre-Engineering Sequence Flow Sheet". Stages shown: Customer System Objective Analysis; Preliminary Cause & Effect Diagrams, P&IDs, Narratives, etc.; System Requirement Specification (Background, System Requirement, Basis of Design, Startup Operations Analysis, System Testing Provisions, SIS P&ID/Operational Flow Charts); Qualitative Reliability & Operability Assessment (Integrity Analysis); Field Engineering and Design (I/E, Piping, Mechanical); System Design & Training (Hardware, Cabinets); SIS Programming (Logic Design, MMI Programming w/ Quick Test, Test Procedures); Manufacturing; Field Construction Drawings; Logic Programming; Factory Acceptance Testing; Field Construction; Site Installation; Site Acceptance Testing; Project Documentation. Durations printed on the chart: 6 weeks, 1 week, 6 weeks, 4 weeks and 10 weeks. Some stages are marked as Customer or Triconex scope.)

2.1 Personnel Requirement


A Furnace or Heater project will typically involve 4 people: a Project Engineer, a Designer, a Project Manager and a Project Administrative Assistant (not all full time). Large Boilers may involve 2 or more project engineers and 2 designers. The complexity of the system and the project schedule typically dictate the type of people involved in the projects.

3 Overview of SIS
The system that is ultimately delivered from a Control System standpoint is demonstrated in Figure 3:

Figure 3 SIS Block Diagram

(Blocks shown: Basic Process Control System (BPCS); Operator Switches, Lights & Alarms; Programmable Electronic System (Triconex TMR); HMI / Programming Station - Standby; Main Power System; Battery Backup; Field Power System; Sensor Input Devices; Field Output Devices.)

For Triconex projects, the Programmable Electronic System would be the Triconex controller. Examples of sensor input devices for Furnaces & Heaters would typically be as follows:

Fuel Gas Pressure
Process Flow (Furnace Pass Flow)
Flame Detectors
Valve Position

For Boilers, drum level transmitters, boiler feed water flow transmitters and drum pressure transmitters are typically added to the system. Examples of field output devices would be as follows:

Purge valves
Ignition Transformers
Fuel chopper valves
Furnace dampers
Forced draft fans

The operator switches, lights and alarms are typically either in the field or in the control room, and they are intended to allow operator input to the flame management system from either the field or the control room operator console. Some customers exclusively use the DCS system as the Human Machine Interface (HMI) with no field or console mounted devices. Others perform the complete startup and operation of the furnaces from the boiler or furnace deck in the field. Triconex has direct connect interfaces to Foxboro and Honeywell, with serial Modbus and OPC connections to all other major DCS systems in the world (ABB, Yokogawa, Bailey, Westinghouse, Fisher-Rosemount, etc.). This allows the Flame Management system a dependable link to the Basic Process Control System (DCS).

The Triconex controller is typically powered from either a UPS or a battery backed power system, and this power is used for the controller and for powering the field devices. This allows for dependable operation in the event of a power outage or a black start arrangement. An overview schematic of the Power Bus, I/O Bus and Communication Bus architecture is shown in the backplane overview in Figure 4.

Figure 4 Tricon Backplane

(Labels shown: Terminal Strip #1 and Terminal Strip #2; ELCO Connectors for I/O Termination; Power Terminal Strip; Power Supply #1 and Power Supply #2 on Dual Power Rails; TriBus; Comm Bus and I/O Bus, each with Legs A, B and C; Main Processors A, B & C; Communication Module; Left I/O Module and Right I/O Module* forming One Logical Slot.)

* Either the left module or right module functions as the active or hot spare module at any particular time.


An example of a local field panel that contains lights, alarms, and switches is shown in Figure 5.

Figure 5 Local Control Panel

(B-1601 Field Status Panel. Master controls and lights: Emergency Shutdown XPB-6142A and XPB-6142B, Lamp Test XPB-6144, Master Reset XPB-6145, Master Trip Cleared XL-6142. Purge controls and lights: Ready To Purge FL-6400-1, Start Purge FPB-6400-A, Purge Air Flow OK FL-6400-2, Purge In Progress FL-6400-3, Purge Complete FL-6400-4, Ready To Light XL-6810. Fuel groups, each with header valve, main valve or burner switches and status lights: Ignitor, Main Gas, Atomizing Gas, Waste Fuel, Vicinals, Vicinals Steam.)

Operational Flow Chart and Cause & Effect Matrix Examples

Typically the equipment is started up, monitored and shut down with the flame management system. The plant basic process controller typically governs the regulatory control of the fuel and steam flows, etc. A major contributor to the success of a project is a set of clearly defined and simple to understand project deliverables. It is important to the successful operation of the protected equipment that the initial stages of system design are followed and understood by the plant operations staff, the maintenance staff and the engineering staff. Therefore the project staff should produce documents that are easy to understand by all disciplines.

Examples of initial design documents that are produced by the Triconex Application groups are the Operational Flow Charts and Cause & Effect Matrices. The operational flow charts were initially only used for Triconex based ESD systems, and these summary documents allowed a complete review to take place by all disciplines for these most critical safety systems (ESD) in the plant. This initial QA document proved to be very successful and instrumental in smooth startups and operation of the modernized equipment. An example of the operational flow charts for a typical startup sequence is summarized in Figures 6 and 7. This is an example of the initial logic design Quality Assurance (QA) that is developed by the Triconex application groups. The documents are simple to understand and are considered imperative for the general review process that is typically required of operations, maintenance and plant engineering staff members. With the final flow diagrams in place, the remainder of the project and the test out of the systems are very efficient.

Figure 6 Sample Sequence Chart

(B-1201 Boiler Purge, entered from connector B. Steps recoverable from the chart:)
1. "Start Purge" Pushbutton Pressed? (FPB 2605-A OR FPB 1505-B; Yes/No branch)
2. ACTION: TRICON does the following: starts the 5-Minute Purge Timer; turns on bit to ramp up Forced Draft Fan to Purge Air Flow; opens Air Registers (energizes solenoids); verifies Air Registers open. TAG column: XS-1201A; XSOV-2616, XSOV-2617, XSOV-2618, XSOV-2619; XSO-2616, XSO-2617, XSO-2618, XSO-2619.
3. Tricon verifies Air Flow OK (FT2605; Yes/No branch)
4. "Purge Air Flow OK" Light On (FL2605-2)
5. 5-Minute Purge Timer Starts
6. Yes: To Sheet 3

Figure 7 Sample Sequence Chart

(B-1201 Boiler Purge. Steps recoverable from the chart:)
1. Initial Start: Operations to Start Forced Draft Fan
2. Master Reset Pushbutton Pressed? (XPB1585; No branch, connector A)
3. "Master Trip Cleared" Light On (XL2642)
4. Permissives Met? (No branch)
5. "Ready To Purge" Light On (FL2605-1)

START-UP PERMISSIVES (numbered as on the chart)
1. Emergency Shutdown Button (Field) Not Pushed
2. Emergency Shutdown Button (Control Room) Not Pushed
3. Drum Level Not Low
4. Instrument Air Pressure Not Low
5. Not Loss of Flame
6. Ignitor Valves Closed/Vent Valves Open
7. Gas Valves Closed/Vent Valves Open
8. Oil Valves Closed/Vent Valves Open
9. Oil Fuel Header Closed/Return Open
13. H2 Valve Closed/Vent Valves Open
14. Ignitor Gas Header pressure ok
15. Main Gas Header pressure not High
16. Not Excess Furnace pressure
17. Main Gas Header Valves Closed

TAG column, in the order printed: XPB-2642A/B; XPB-2643A/B; LZT-2604A/B, LZS-2602; PCL-2620; BCL-2616, BCL-2617, BCL-2618, BCL-2619; XSOV-2021A/B/C, XSOV-2022A/B/C, XSOV-2023A/B/C, XSOV-2024A/B/C; XSOV 2613A/B/C, XSOV 2613A/B/C, XSOV 2615A/B/C, XSOV 2620A/B/C; XSOV-2230-1A/B/C, XSOV-2230-2A/B/C, XSOV-2230-3A/B/C, XSOV-2230-4A/B/C; XSOV-2241, XSOV-2229; XSOV-2111, XSOV-2612A/B/C; PCH-2607; PCH-2603; XSOV-2609

Figure 8 Sample Cause and Effect Matrix

(Partial matrix as recoverable from the figure.)
Effects (function): Oil Header Recycle Valve; Oil Header Block Valve; NG Header Block Valve; NG Control Valve. Tag numbers printed: HSOV-1141, HSOV-1128, HSOV-1322, HSOV-15061.
Causes (service, tag no.):
Low Drum Level, 3 Element Voting: LZT-1502A, LZT-1502B, LZS-1504
Combustion Air Flow Low: FT-1505
Furnace Pressure High: PCH-1503
Master Shutdown Pushbutton: XPB-1582A, XPB-1582B
Instrument Air Trip: PCL-1522
Emergency Shutdown: XPB-1583A, XPB-1583B
Natural Gas Pressure High: PCH-1506A
Trip numbers printed: 110-1, 110-2, 110-3, 110-4, 110-5, 110-6, 111-1. Matrix cells are marked O or C.

Figure 8 is an example of a partial Boiler Control Cause and Effect Matrix, which is another logic design tool used to ensure complete understanding of the logic system functionality. Triconex will be offering a Cause and Effect Matrix programming language addition to the current TriStation 1131 software that will allow the programmer to enter these types of matrices into the workstation and compile them as the actual program.

4 BOILER/BMS CODES AND STANDARDS

From a mechanical standpoint the design and construction of Boilers and Furnaces has been governed by the ASME pressure vessel and boiler code, etc. However, from a process industries standpoint the closest thing to a standard specifically for instrumented control systems has been the NFPA 85, 86, 8501 and 8502 standards. Even these do not specifically address process industry equipment. In any case the NFPA standards, along with the ISA S84.01 ANSI standard, have governed instrumented control solutions for process heaters, boilers, furnaces, etc. From a generic standpoint the Occupational Health and Safety Administration has also audited plants to ensure Good Engineering Practice and recognizes the standards mentioned above.

5 NFPA
The NFPA 8501 document is the document primarily used for most industrial boilers and furnaces that the Triconex application groups get involved in. As stated in the standard, the basic cause of a furnace explosion is the ignition of an accumulated combustible mixture within the confined space of the furnace or the associated boiler passes, ducts, and fans that convey the gases of combustion to the stack. Numerous situations can arise in connection with the operation of a boiler furnace that will produce explosive conditions; the most common experiences are as follows:

Interruption of fuel or air supply or ignition energy to the burners
Fuel leakage into an idle furnace and the ignition of the accumulation
Repeated unsuccessful attempts to light off without appropriate purging
The accumulation of an explosive mixture of fuel and air as a result of a complete furnace flameout

The Triconex based flame management system is applied specifically to address these and other types of furnace dangers (Forced draft fan failure, etc.). The Tricon based logic system is a fault tolerant system and provides outputs in a particular sequence in response to external inputs and the internal governing logic program. The Tricon based logic system is designed and certified to meet the intent of the NFPA standards by providing complete fault tolerance as well as other documented criteria.

6 NFPA Requirements Triconex Response


The following code to response correlation is an example of how Triconex meets the intent of the standard:

NFPA General Requirements:
The logic system for burner management shall be specifically designed so that a single failure in that system shall not prevent an appropriate shutdown.

Triconex Response
All TMR modules are 100% triplicated for guaranteed safety as well as maximized process availability. Each leg of electronics in the TMR module conditions signals independently and provides isolation between the field and the TRICON. All TMR Modules sustain complete, on-going diagnostics for each leg. Failure of any leg activates the module's fault light as well as the common chassis trouble alarm. The fault signal is also aliased and available for DCS display alarming. The FAULT indication points to a leg fault, not a module failure. The module is guaranteed to operate properly in the presence of a single fault and may continue to operate properly even with certain types of multiple faults.

As an example of these diagnostics, the Digital Input boards self test for "Stuck On" switch contacts. Since most safety systems are "De-Energize To Trip", the ability to detect OFF points is an important feature. To detect "Stuck On" inputs, a switch within the input circuitry is closed to allow a zero point (OFF) to be read by the optical isolation circuitry. This same level of diagnostics is available with every type of TMR module. Diagnostics are also available even to the end device with the available Supervised Digital Input Modules, whereby the coils of relays or solenoids are under TRICON surveillance. See Technical Product Guides for further information. Any diagnosed parameter that is aliased is available to the outside world via the communication channel (i.e. I/O Module Failure, MP Failure, etc.).

No single System Fault will affect the process. A Tricon can, and has, run with multiple faults without affecting the process. Depending on the application configuration, a second fault in line with an existing fault may then initiate a safe trip sequence. The primary goal of a Tricon System Alarm is to alert maintenance personnel of the fault. On-Line replacement of the module without any special tools or programming is allowed. The modules automatically reeducate (including the Main Processors). Very detailed information about System Faults is available.

NFPA Specific Requirements:

As a minimum, the following shall be included in the design to ensure that a logic system for burner management meets the intent of these standards:

Failure Effects: The logic system designer shall recognize the failure modes of components when considering the design application of the system. As a minimum the following failure effects shall be evaluated and addressed:

(a) Interruptions, excursions, dips, recoveries, transients, and partial loss of power.

Triconex Response
Each TMR chassis houses two Power Modules arranged in a dual redundant configuration. Each module derives power from the backplane and has independent power regulators for each leg. Each can support the power requirements for all the modules in the chassis in which it resides, and each feeds a separate power rail on the chassis backplane. The power module has built in diagnostic circuitry which checks for out-of-range voltages and overtemperature conditions. A short on a leg disables the power regulator rather than affecting the power bus. These chassis power supplies are fed from either an Uninterruptible Power Supply (UPS) or a DC source of battery backed power. This combination of power sources and regulator distribution provides for and exceeds the requirements of this NFPA code.

In addition to the redundant sources of extremely reliable power subsystems, the Triconex provides 2Mbytes of SRAM for User written program control logic, the SOE data, the I/O data and the diagnostics and communication buffers. In the event of a complete external power failure, system batteries that reside on the backplane of the main chassis protect the SRAM. The batteries maintain the integrity of the program and the retentive variables for a minimum of 6 months in an absence of power to the Tricon.

(b) Memory corruption and losses

Triconex Response
The TMR controller shown above contains three Main Processors (MPs) to control three separate, isolated, and independent legs of system electronics (Channels). Each channel consists of one input leg, one main processor and one output leg. The TMR controller is designed to continue operation after failures. These failures may occur in an input leg, in a main processor, or in an output leg. All failures are transparent to the application program; the programmed logic will be executed regardless of detected failures.

Each Main Processor operates in parallel with the other two MPs, as a member of a TRIAD. A dedicated I/O Communication (IOC) processor on each Main Processor manages the data exchange between the MPs and their corresponding I/O module processor leg. A triplicated I/O bus is located on the chassis backplane and is extended from chassis to chassis by means of I/O Bus Cables. As each input module is polled, the new input data is transmitted to the MAIN PROCESSOR over the appropriate leg of the I/O bus. The input data from each input module is assembled into a table (Matrix) in the MAIN PROCESSOR and stored into memory for use in the hardware voting process.

The individual input table in each Main Processor is transferred to its neighboring Main Processor over the proprietary TRIBUS. During this transfer, hardware voting takes place. The TRIBUS uses a Direct Memory Access programmable device to synchronize, transmit, vote and compare data between the three MPs. If a disagreement is discovered, the signal value found in two out of three Main Processor tables (Matrices) prevails, and the third table is corrected accordingly. Figure 9 is a schematic of the Main Processor system in the Tricon Controller.

(Block diagram; labels shown: Dual Power Rails; Dual Power Regulators; Failure Detect Circuitry; Vcc; Status Indicators; Main Processor NS32GX32; 512K EPROM; 2MB SRAM; Timing Generator; Interrupt Controller; Floating Point Processor NS32381; Internal System Bus; DMA; TriBus (Up Stream and Down Stream); Dual Port RAM and Comm Processor; Dual Port RAM and I/O Processor; Fault Tolerant I/O Bus; Debug Comm Port; Fault Tolerant Communication Bus.)

Figure 9 Simple Internal Overview

One-time differences that result from sample timing variations can be distinguished from a pattern of differing data. The three independent Main Processors each maintain data about necessary corrections in local memory. Any disparity is flagged and used at the end of the scan by the built in Tricon Fault Analyzer routines to determine whether a fault exists on a particular module.

(c) Information Transfer corruption & losses

Triconex Response
In addition to the redundant sources of extremely reliable power subsystems, the Triconex provides 2Mbytes of SRAM for User written program control logic, the SOE data, the I/O data and the diagnostics and communication buffers. In the event of a complete external power failure, system batteries that reside on the backplane of the main chassis protect the SRAM. The batteries maintain the integrity of the program and the retentive variables for a minimum of 6 months in an absence of power to the Tricon.

(d) Inputs and Outputs Fail On & Fail Off

Triconex Response

DIGITAL OUTPUT MODULES
Triconex offers four basic types of Digital Output Modules: Dual, Supervised, DC Voltage and AC Voltage. Every TMR digital output module houses the circuitry for three identical, isolated legs. Each leg includes an I/O microprocessor that receives its output table from the I/O communication processor on its corresponding main processor. All of the digital output modules, except the dual DC modules, use special quadruplicated output circuitry that votes on the individual output signals just before they are applied to the load. This voter circuitry is based on parallel/series paths which pass power if the drivers for legs A and B, or legs B and C, or legs A and C command them to close; in other words, 2 out of 3 drivers voted ON. The quadruplicated voter circuitry provides multiple redundancy for all critical signal paths, guaranteeing safety and maximum availability.
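The two-out-of-three vote on the Main Processor input tables, the correction of the dissenting table, and the one-time versus persistent disparity distinction described above, together with the same 2-out-of-3 rule the output voter applies, modelled in software as an added example (this is not Triconex code). The PERSISTENT_SCANS threshold, the class and function names, and the sample scans are assumptions made for the illustration; the guide does not say how many scans make a pattern.

```python
from dataclasses import dataclass, field

LEGS = ("A", "B", "C")

# Assumption for this example: a leg/point pair is declared faulted after this
# many consecutive scans of disagreement. The guide gives no figure.
PERSISTENT_SCANS = 3


def vote_2oo3(a: bool, b: bool, c: bool) -> bool:
    """Two-out-of-three majority: ON only when at least two legs say ON."""
    return (a and b) or (b and c) or (a and c)


@dataclass
class FaultAnalyzer:
    """Tracks per-leg, per-point disagreement with the voted value across scans."""
    streak: dict = field(default_factory=dict)   # (leg, point) -> consecutive misses
    faulted: set = field(default_factory=set)    # latched (leg, point) faults

    def scan(self, tables: dict) -> list:
        """Vote one scan of three input tables and correct the dissenting leg.

        tables maps leg name -> list of digital point values and is corrected
        in place, so all three legs leave the scan with identical data.
        """
        voted = []
        for point in range(len(tables["A"])):
            value = vote_2oo3(*(tables[leg][point] for leg in LEGS))
            voted.append(value)
            for leg in LEGS:
                key = (leg, point)
                if tables[leg][point] == value:
                    self.streak[key] = 0          # agreement clears the streak
                    continue
                tables[leg][point] = value        # majority value prevails
                self.streak[key] = self.streak.get(key, 0) + 1
                if self.streak[key] >= PERSISTENT_SCANS:
                    self.faulted.add(key)         # a pattern, not a timing glitch
        return voted


def run_demo():
    """Four constructed scans of three points (not data from a real controller).

    Point 1 changes state at scan 1 and leg B samples it one scan late.
    Point 2 is OFF in the field, but leg C reads it stuck ON in every scan.
    """
    T, F = True, False
    scans = [
        {"A": [T, T, F], "B": [T, T, F], "C": [T, T, T]},
        {"A": [T, F, F], "B": [T, T, F], "C": [T, F, T]},
        {"A": [T, F, F], "B": [T, F, F], "C": [T, F, T]},
        {"A": [T, F, F], "B": [T, F, F], "C": [T, F, T]},
    ]
    analyzer = FaultAnalyzer()
    history = [analyzer.scan(tables) for tables in scans]
    return history, analyzer.faulted


if __name__ == "__main__":
    history, faulted = run_demo()
    for number, voted in enumerate(history):
        print(f"scan {number}: voted table {voted}")
    print("faulted leg/point pairs:", sorted(faulted))
```

The late sample on leg B is outvoted once and forgotten, while the stuck point on leg C never changes the voted value but is latched as a fault on the third consecutive disagreement.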

Figure 10 is a schematic of the supervised Digital Output Module (labels shown: Triplicated I/O Bus; Intelligent I/O Controllers A, B and C, each with Bus Xcvr, Proc and Point Register; Output Switch Drive Circuitry; Field Circuitry, Typical Point (16); Loopback Detector; +V, LD and RTN connections). All output switches are opto-isolated.

DIGITAL INPUT MODULES


Each Digital Input module has three isolated input legs that independently process all data input to the module. A microprocessor on each leg scans each input point, compiles the data, and transmits it to the Main Processors upon demand. The input data is then voted at the Main Processors just prior to processing to ensure the highest integrity of the signal. All digital input modules sustain complete, on-going diagnostics for each leg. Failure of any diagnostic on any leg activates the module's Fault indicator, which in turn activates the chassis alarm signal. The Fault indicator points to a leg fault, not a module failure. The module is guaranteed to operate properly in the presence of a single fault and may continue to operate properly even with certain kinds of multiple faults.

The TMR High Density Digital Input Module continuously verifies the ability of the Tricon to detect transitions to the opposite state (ON or OFF). Special self-test circuitry detects all Stuck-ON and Stuck-OFF fault conditions in less than a half second. The Simplex Digital Input modules are optimized for safety critical applications where low cost is more important than maximum availability. On a simplex module, only those portions of the signal path that are required to ensure safe operation are triplicated. Special Self Test circuitry, even on the Simplex Module, detects all Stuck-ON and Stuck-OFF fault conditions within the non-triplicated signal conditioners in less than 500 milliseconds. This is a mandatory feature of a fail-safe system.

ANALOG INPUT MODULES

Each Analog Input module includes three independent input legs. Each input leg receives variable voltage signals from each point, converts them to digital values (Machine Counts), and transmits the values to the three main processors on demand. One value is then selected using a mid-value selection algorithm to ensure correct data every scan. Sensing of each input point is performed in a manner that prevents a single failure on one leg from affecting another leg. Each Analog Input Module sustains complete, on-going diagnostics for each leg. Stuck ON and Stuck OFF detection is an inherent part of Analog Data processing and diagnostics.

(e) Signals Un-Readable or Not Being Read

Triconex Response
I/O Module and Main Processor
Extensive diagnostics, as well as the triplicated I/O bus infrastructure of the Tricon controller, ensure that the signal from the field and out to the end control device is correct. Through the use of Analog Transmitters to Analog Input Modules, and Supervised Digital Output Modules to Output end device coils (Relays and/or Solenoids), even the field devices are diagnosed. Line Monitoring of Digital Switches (for Field Wiring Integrity) is also available by using the 32-point Analog Input Module for Digital Switch Inputs and end device parallel/series circuitry.

(f) Addressing Errors

Triconex Response
See Item (b) Response

(g) Processor Faults

Triconex Response
See Item (b) Response

6.1 NFPA Design Section


The NFPA Section on Design lists eight specific requirements for design as follows:

1. Diagnostics in Logic Functionality
2. Logic Failure Shall Not Preclude Proper Operator Intervention
3. Protection from Unauthorized Changes
4. Logic Changes While Unit Is In Operation Not Allowed
5. System Response Time shall be Short Enough to Not Cause Negative Effects on Application
6. Noise Immunity adequate to prevent false operation
7. Single Component Failure shall not prevent the possibility of a manual trip intervention
8. Operator shall be provided with Manual Trip Switch(s)

Triconex Response
The Tricon controller directly satisfies the first seven of these requirements. The eighth relates to a dedicated manual switch for direct master trip actuation, independent of the logic controller. This eighth requirement is a project-specific integration issue that is addressed by the project engineer.

The NFPA Independence of Control requirement is completely met by the Triconex controller. Although the Tricon communicates with any major DCS company for operation information displays, the communication is configured to be unidirectional only, from the Tricon to the DCS. Tricon program or configuration changes are impossible to make from the DCS. This safety feature eliminates intentional or accidental corruption of the BMS.

In addition to the independence and isolation features mentioned above, the Tricon programming workstation (TriStation 1131) allows up to 256 independent programs to be written in a single Tricon controller. Each program is independent and can have its own password protection. This allows testing, simulation, maintenance, etc. to be carried out on one program application without disturbing other applications in the same Tricon. Therefore, if the End User desires, several boilers/furnaces can be run in a single Tricon controller. These types of applications depend largely on how the individual plant/operations group interprets the independence requirement of the NFPA standard.


For more information, please visit our web site, or contact your local Triconex office.

Triconex Headquarters Irvine, California Tel: +949 885 0700 Fax: +949 753 9101
Triconex Webster, Texas Tel: +281 709 1200 Fax: +281 709 0015
Triconex Baton Rouge, LA Tel: +225 297 5231 Fax: +225 293 0539
Mexico Regional Office Tel: +52 52 63 0123 Fax: +52 53 95 2463
Triconex Singapore Pte., Tel: +65 738 5488 Fax: +65 738 5188
Triconex Solutions, S.A. Cedex, France Tel: +33.1 34 43 26 26 Fax: +33 1 34 43 26 27
Triconex Middle East Dubai, UAE Tel: +971 4 3314 222 Fax: +971 4 3314 666
Triconex Moscow Tel: +70 95 232 05 68 Fax: +70 95 232 05 67
Triconex Saudi Arabia Tel: +966 3 894 0087 Fax: +966 3 895 0050
Triconex Ltd. United Kingdom Tel: +44 1293 574 800 Fax: +44 1293 574 840

About Triconex
Triconex is an operating unit of the Invensys Process Systems (IPS) Group and is a global leader in the supply of products, systems, and services for safety, critical control, and turbomachinery applications. Since its inception in 1983, the company has installed thousands of control systems solutions in a wide variety of industries and applications worldwide. Triconex products are based on patented Triple Modular Redundancy (TMR) technology. Today, Triconex TMR products operate in over 4,000 installations throughout the world, making Triconex the largest and most successful TMR supplier in the world. In January 2002, the TRICON Version 9 became the first TMR system to be approved by the U.S. Nuclear Regulatory Commission for use in 1E nuclear power plants. For more information, visit the Triconex home page at http://www.triconex.com

About Invensys Process Systems


Invensys Process Systems is part of the US-based Process Management Division of Invensys plc. Invensys Process Systems automation solutions provide measurable performance improvements across a broad spectrum of customer industries. Invensys Process Systems includes focused business units such as Invensys Process Solutions, plus well-known brands such as APV, Avantis, Esscor, Foxboro, Pacific Simulation, Simulation Sciences, Triconex and Walsh Automation.

About Invensys
Invensys plc is one of the global leaders in automation and controls. Headquartered in London, England, Invensys operates in all regions of the world through 2 focused divisions: Process Management and Energy Management. With just over 75,000 employees, the Group supplies a wide range of products and services, including advanced control systems, remote diagnostics and energy management for process plants, factories, and commercial environments; electronic devices and networks for residential buildings; as well as complete power systems for the industrial, telecommunications, and information technology sectors. For more information, visit the Invensys home page at http://www.invensys.com

2002 Invensys Systems Company. All Rights reserved. 15345 Barranca Parkway Irvine, CA 92618 USA Telephone: 949.885.0700 Fax: 949.753.9136 http://www.triconex.com Document Number: INDAG01 Issued: 4/02
