Identify and label spare thermocouples and controllers by thermocouple type to prevent improper replacement.

Transparency is vital at all levels of a heat-processing operation -- including cooperation of personnel during specification, design, documentation, construction and startup. Technologies such as process simulators can be used to train operators and give them hands-on experience about how the plant feels and responds in normal -- and abnormal -- situations.

To prevent disaster at your plant, there are several steps you can take:
  • Make sure that your instrumentation provides both an overview and detailed information about the plant’s operating condition.
  • Have access to layout and schematic drawings and descriptions of wiring, equipment and piping with identification of plant items. Use them to evaluate the control and safety implications.
  • Place identification labels on indicators, controls, internal cabinet wiring, terminals, piping and components. Labeling should include such simple matters as which switch position is “off” and which way is “increase” on manual controls.
  • Put in place procedures and priority rankings to be observed when responding to plant alarms and off-normal events.
  • Post stickers on cabinets and plant items showing manufacturer’s or outside supplier’s service phone numbers.
I’ll try to be specific by referring to some well-used techniques and examples. This involves applying your knowledge of your process, its instrumentation and monitoring to the challenge of heading off predictable hazards. I’ll start with sensors.

Controller alarms can be set for high, low or rate-of-change conditions with delay and latching options.
Courtesy of Eurotherm Controls

RTDs are located where they can “see” the temperatures of interest to you and that the wiring is sound. A misplaced or pulled-out-of-place sensor, or one whose wiring is shorted, can lead to overheating of the process.

Broken Temperature Sensor.In most processes, you want a broken or burnt out (open-circuit) sensor to trip your controller default to a high reading or “broken sensor” message and turn the heat off. (This is sometimes called “upscale burnout.”) If you don’t specify otherwise, controllers normally comes configured this way.

But, some processes may require a broken sensor to default to full power or some predefined percentage of full power. This is called “downscale burnout.” It commonly is used to heat trace an outdoor pipe or a vessel that must not be allowed to cool off. If a downscale burnout controller is used, be sure that the controller is properly configured and that this type is not mixed with upscale burnout controllers.

Reversed Thermocouple.Thermocouple wires often are crossed when a process is being rewired or commissioned. This normally would send the controller indication downscale and call for full heat, perhaps damaging your equipment or making scrap product. Some controllers can recognize this as an unrealistic low temperature and default to power off or to the level of power that you specify.

Replacing Thermocouples.Some plants have a mixture of different sensors, and it is easy to take a Type R thermocouple off the spares shelf and install it where a Type K came out. This would make the controller drive the temperature up to some three or four times setpoint. Identify and label spare thermocouples and controllers by thermocouple type to prevent improper replacement.

Besides the control output, a controller can have extra relay or logic outputs that can be configured as high, low, deviation high, deviation low or deviation band alarms; deviation, that is, from the working setpoint. The usual convention is to have the relay or logic signal drop out in the alarm condition. This often is defined as “fail-safe” because bad relay contacts and broken wires will give a false alarm -- reckoned to be preferable to an unrevealed alarm which the opposite logic would suffer. However, before you rely too much on the term “fail safe,” you must thoroughly analyze the failure modes in any alarm, interlock or shutdown chain for loss of protection. For serious overtemperature protection, do not depend on the alarm circuit in the controller itself. Instead, provide an independent second opinion in the form of a separate alarm instrument or module on its own dedicated thermocouple or RTD.

A probe that lights up when its tip touches a live cable, even through the insulation, is useful for distinguishing live from neutral or grounded cables and terminals.
Courtesy of Fluke

Rate-of-Change Alarm.There are times when you want an alarm to alert you to a fast-moving temperature -- for example, to head off a large temperature change or a thermal reaction. In these cases, you would specify a rate-of-change alarm and set it in units of degrees/minute.

There are other ways to pick up heater problems that do not depend on the time-out of a temperature change.

Solid-State Relay Monitoring.Some solid-state relays use the controller’s turn-on logic-signal wires to carry a pulse-coded signal to the controller representing heater current. The controller can pick up and alarm on two kinds of contradiction in these two signals.
  • The solid-state relay has failed in the short circuit mode and is passing current in the absence of a turn-on logic signal. In this case, the alarm can be used to kick off a backup contactor.
  • The solid-state relay has failed in the open circuit mode, or the load circuit is broken, so it ignores the controller’s turn-on logic signal. Here, the alarm would give early warning of loss of process temperature.
Latching Alarms.A process can go into alarm and out again while you are looking the other way, and you might not want to miss it. Consider configuring some alarms as latching; that is, to stay active until you acknowledge and attend the problem.

Indications.If you are to trust your picture of the plant, you must pick up indications of plant condition directly from the parameter you want to monitor -- not by inference from other outputs such as the percentage output display on a controller. For example, you should look for actual heater current output or a signal from a position feedback device on a valve stem. Broken or disconnected valve actuator linkages can deceive your display.

Units of Measure.Dangers lurk in mistakingoF foroC and interchanging the imperial and metric units on your displays. Import and export of equipment will pose this threat until the world agrees on a common system.

Using solid-state relay monitoring is one way to pick up heater problems without depending on the time-out of a temperature change.
Courtesy of Carlo Gavazzi

Distributed Control Systems (DCS)

While the principles covered refer to controllers, a DCS is functionally the same but has more comprehensive graphic displays and data analysis. There is also an intermediate control package where controllers and indicators with communicating capability are integrated into a PC, which becomes the user interface for display and operator manipulation. An advantage to this approach is that the controllers can continue to independently control, protect and indicate if the computer goes offline or hangs up. Some operators feel more in control with this backup and the ability to isolate and exchange controllers and indicators.

Man-Machine Interface (MMI).You can harm yourself and the process by not understanding the meanings of the settings, readings and parameter adjustments that you have to use. Many MMIs are anything but natural and instinctive, and it is possible to find yourself out of your depth and guessing. Insist on clear MMIs and user manuals when you buy equipment, then practice so you will know the results of any adjustments, especially those where you can manually override and defeat safety features. I would recommend getting input from operators and maintenance staff at the design stage with respect to plant overviews, detailed displays, control manipulation and response to the unexpected.

Load-Break Alarm

With this feature, the controller watches and times any movement in the process temperature. At the same time, it notes its command to the power output device (a contactor, for example) and looks for a contradiction. The controller will trigger an alarm if:
  • The heater contactor is welded closed, ignores the controller’s command to turn off and produces a rise of process temperature.
  • The heater is open circuit, ignoring the controller’s command to deliver heat, so the controller sees that the temperature is falling.
  • The temperature sensor is pulled away from the process heat and shows, say, room temperature, yet the controller, seeing a low unchanging temperature, is commanding full heat.