-Howard Wells, Preferred Utilities, Danbury, CT
Have you ever seen a PLC-based burner management system and wondered “Why are the inputs turning on and off every few seconds?” This “flashing” of the inputs is a type of error checking for the PLC discrete input channels and is required by NFPA 85 for all non-SIL3 rated PLC-based burner management systems. In the following article, we will explore the reason why NFPA requires these error-checking measures and discuss the primary methods of hardware error checking in PLC-based burner management systems.
No Single Point of Failure
A burner management system is the control responsible for ensuring that a burner is operated in a safe manner. This includes monitoring the safety limits (such as “Low Fuel Pressure” and “Low Combustion Air Flow”) and shutting the burner down if any of these limits change to an unsafe state. Burner management system design requirements are set by the National Fire Protection Agency and published in NFPA 85: Boiler and Combustion Systems Hazard Codes. It is this document that all system creators must adhere to when designing a burner management system. Within NFPA 85, a basic design requirement for burner management systems is that no single point of failure within the system should prevent a burner shutdown.
NFPA 85, 4.11.3 The logic system for burner management shall be designed specifically so that a single failure in that system does not prevent an appropriate shutdown.
It is for this reason that IO modules are error checked, as their failure can create a single point of system failure. Consider the input channels that monitor boiler safety limits; if one of these inputs were to fail in the “on” or “safe” state, the burner management system would be unaware if the safety limit in question were to change to an unsafe state, creating a potentially dangerous situation. Also consider the output channel responsible for opening pilot fuel solenoids; if this output fails in the “on” state, the burner management system, commanding it to turn “off,” would otherwise be unaware that the valves were still open, creating another potentially dangerous situation. These examples of a single component failure within the burner management system would prevent a safe burner shutdown, and they are precisely what the creators of NFPA 85 want to avoid.
In section 4.11.6, NFPA 85 states that “the burner management system designer shall evaluate the failure modes of components” including “Inputs and outputs (fail-on, fail-off),” and section 4.11.7 states “No single component failure within the logic system shall prevent a mandatory master fuel trip.” In order to follow these guidelines and prevent IO module failures from being single points of failure for the entire burner management system, the system must be designed to continually “error check” these input and output modules. (SIL 3 capable PLC’s have built-in IO module error checking and, as such, are not required to have external error checking). The error checking methods typically used are described below.
In PLC-based burner management systems, both the input and output channels that monitor or control critical devices, such as safety limits and fuel shutoff valves, are continually error checked to ensure that they do not fail in an unsafe state. Inputs are monitored by a 120V “watchdog circuit” that operates as follows:
1. All safety limits (also referred to as “critical inputs”) are powered with “watchdog” electricity. This electricity originates from an output on the BMS and cycles off every 3 seconds; all critical inputs receive 120V for 2.8 seconds and 0V for 0.2 seconds.
2. The inputs are monitored by logic within the BMS; if any of the critical inputs stay powered for longer than 3 seconds without cycling off, the BMS interprets this as a failure of that input channel and initiates a lockout.
3. This is done to ensure that no input channel fails in the “on” state, which would otherwise be interpreted by the BMS as permission to run the burner.
4. The watchdog electricity is also monitored by a series of external watchdog timer relays that are tied directly to the “master fuel trip” relay; if these watchdog relays detect that the watchdog electricity has not cycled within 3 seconds, they can open the master fuel trip relay and shut the burner down independently of the PLC, complying with NFPA requirements 4.11.7 (7) and (8).
5. This is to ensure that, even in the event of a complete BMS failure where all outputs are frozen in the “on” position, the burner will still be shut down.
Output channels that control critical devices, such as fuel shutoff valves, are error checked in the following manner:
1. Each output channel is tied to an independent input that monitors the state of the output.
2. If the output proves to be in a different state than what was commanded by the BMS, the BMS interprets this as a failure of the output channel and initiates a lockout.
3. This is to ensure that no output channel providing electricity to a critical device will fail in the “on” state, which, if unchecked, could cause a fuel valve to open in an uncontrolled manner.
Burners, if not controlled properly, have the potential to be very dangerous. However, the goal of NFPA 85 is to mitigate this inherently unsafe operation by providing a set of design standards for burner management systems. One of these guidelines is to perform a failure mode analysis on all components within the burner management system and design the system so that no single component failure can prevent a safe burner shutdown. It was this guideline that led to the development of IO module error checking, a practice now viewed as standard for all non-SIL3 rated PLC-based burner management systems.