As noted so succinctly in Wikipedia, the online encyclopedia, fail-safe or fail-secure describes a device or feature which, in the event of a failure, fails in a way that will cause no harm (or at least a minimum of harm) to other devices or create a dangerous hazard to personnel.[1] What does fail-safe mean for you?
Consider this: You may be designing, commissioning, maintaining or operating a process. And you may wonder if you could be ambushed by an unpredictable fault or failure that threatens the process, or a person. No system is infallible, so you would do well to look for potential hazards. Your bunch of control components and their interactions call for a hard look at each component and its function in the process. Study and deal with any that could fail to danger.
The Controller
The temperature controller has developed into a rich mixture of circuit boards, chips, power supplies, relays and software. Controllers come in packages, from the $100 discrete DIN format to a small piece of circuitry in a SCADA system.
At one time, a controller was an analog circuit that a patient circuit expert could analyze. Then he could predict whether or not the failure of any one or group of components would make the controller fail to danger. Not any more -- it is far too complex, even for the person who created it.
The controller’s main job is to watch and display the process temperature and command some other device (a final control element) to deliver enough heat or cool to get it right. But that is not its only job: The controller can display and act upon deviations from the desired temperature such as a too-fast temperature change. Other tasks it is charged with include the following.
Loop-break Alarm. With this feature, the controller times any movement of the process temperature. At the same time, it notes the control signal that goes to its final control element (a contactor for example) and looks for a contradiction. The controller would trigger an alarm in the following cases:
- The heater contactor is welded closed, ignoring its controller’s command to turn off. The controller sees an illogical rise of process temperature without a corresponding control signal.
- The heater is open circuit, ignoring the controller’s command to deliver heat, and the controller sees that the temperature is falling.
- The temperature sensor is pulled away from the process heat and shows a much lower temperature, yet the controller, seeing a low unchanging temperature, is commanding full heat.
The same fail-safe response applies to a broken platinum resistance sensor.
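The three loop-break cases above, plus the broken-sensor case, as a small detector over a window of samples. This is an added illustration, not the logic of any particular controller; the thresholds, the sample layout and the traces are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

class Fault(Enum):
    NONE = "healthy"
    HEAT_WITHOUT_DEMAND = "temperature rising with output off"    # welded contactor
    NO_HEAT_ON_DEMAND = "temperature falling with output on"      # open-circuit heater
    NO_RESPONSE_TO_FULL_HEAT = "temperature flat at full output"  # sensor dislodged
    SENSOR_OPEN = "sensor open circuit"                            # broken RTD/thermocouple

@dataclass
class Sample:
    t_seconds: float
    temperature: Optional[float]  # degrees C; None = sensor reads open circuit
    output_pct: float             # commanded heat, 0..100

def detect_loop_fault(samples: List[Sample], min_change=2.0, window_s=120.0) -> Fault:
    """Compare temperature movement against commanded heat over the window.
    Thresholds (2 degrees over 120 s, 50% = 'heat demanded') are assumed for
    this illustration, not figures from the article."""
    if any(s.temperature is None for s in samples):
        return Fault.SENSOR_OPEN
    first, last = samples[0], samples[-1]
    if last.t_seconds - first.t_seconds < window_s:
        return Fault.NONE  # not enough history yet to judge
    delta = last.temperature - first.temperature
    outputs = [s.output_pct for s in samples]
    if max(outputs) == 0 and delta >= min_change:
        return Fault.HEAT_WITHOUT_DEMAND
    if min(outputs) >= 50 and delta <= -min_change:
        return Fault.NO_HEAT_ON_DEMAND
    if min(outputs) >= 100 and abs(delta) < min_change:
        return Fault.NO_RESPONSE_TO_FULL_HEAT
    return Fault.NONE

def relay_energized(samples: List[Sample]) -> bool:
    """Alarm relay stays energized only while the loop looks healthy, so a
    dead controller or lost power drops it out exactly like an alarm."""
    return detect_loop_fault(samples) is Fault.NONE

def make_trace(temps, output_pct, step_s=30.0) -> List[Sample]:
    return [Sample(i * step_s, t, output_pct) for i, t in enumerate(temps)]

# Constructed traces, five readings 30 s apart (not real plant data)
WELDED = make_trace([150, 153, 157, 161, 165], 0)        # rising, output off
OPEN_HEATER = make_trace([150, 148, 146, 143, 141], 80)  # falling, output on
DISLODGED = make_trace([22, 22, 22.5, 22, 22], 100)      # flat at full heat
HEALTHY = make_trace([150, 150.5, 150, 149.5, 150], 40)
BROKEN_RTD = make_trace([150, 150, None, None, None], 40)
```

The relay is wired energized-to-run, so every fault path and the no-power case all end in the same dropped-out contact.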
The above precautions apply mostly when your process uses electroheat, with the final control element being a magnetic contactor, a solid-state contactor or an SCR (a versatile type of solid-state contactor). These alarm relays can cut off power to the load, or initiate a warning or some other action. (I refer here to alarm relays, but they could be solid-state switches or DC logic signals.)
The system designer, in a step toward fail-safety, will configure the alarm relays or signals to drop out and break their circuits on alarm -- just what they would do upon loss of power or a dead controller.
Before we move on, let’s look at a controller that is still alive but crippled. It could be locked on, calling for heat. It may have lost its calibration and some of the safety features already mentioned.
If a controller failure could threaten lives or equipment, you would be wise to add a totally independent instrument using its own temperature sensor and wired to head off any danger caused by the failure of the main controller.
Other Final Control Elements
These are the devices that obey the controller output and provide the muscle to modulate (turn up and down) the process heat.
Among them is the air-operated control valve, which is actuated by air pressure and has a spring-return mechanism to close. It normally would close and shut down the process on failure of air pressure. It also would close and shut down the process on failure of the milliamp control signal if there is a current-to-pressure converter in the chain. Look at your process and decide whether the safe default action is air-to-open or air-to-close the valve.
Motorized valves typically are arranged to open in proportion to a milliamp control signal, so they would close on losing the signal. They also can be arranged to close upon the loss of any of the connections to the feedback slide wire. Motorized valves also can use a spring return to go to a safe position (usually closed).
Remember, provided that the controller is sound, if the motor’s feedback potentiometer fails or has a faulty wiper or wiring, control can be arranged to shut down the heat. The feedback signal also can drive a meter or digital display showing shaft position from which you infer valve position.
But wait: Butterfly valves would have a crank-arm linked to another one on the motor shaft.
If you use a feedback potentiometer as a valve position indicator, and that is attached to the actuator (not the valve stem or axis), you can be deceived if the linkage fails. Some disasters have occurred because somebody believed an implied (not a real) position indication.
Other types of cut-off devices that actuate when exposed to the process heat include a bimetal thermostat and a thermal link that melts at a predetermined temperature and cuts off the load power.
Triple Modular Redundancy (TMR). This often is called “two out of three voting.” You connect three monitors, each with its own dedicated sensor, to watch one critical plant parameter such as temperature. The rule is: If a critical parameter goes out of limit, believe the result and act on it if all three, or two monitors out of three, agree. This is applicable to systems where use of a single monitor on that parameter is not dependable enough, so this is a call for at least a second opinion.
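The two-out-of-three rule as a voting function, added here as an illustration rather than taken from any monitor product. The valid-range figures are constructed, and treating a faulty channel as a trip vote is this example's fail-safe choice, not something the article prescribes.

```python
from typing import List, Optional, Tuple

def vote_2oo3(readings: List[Optional[float]], high_limit: float,
              valid_range: Tuple[float, float] = (-50.0, 600.0)) -> Tuple[bool, int, List[int]]:
    """Two-out-of-three vote on three independent monitors of one parameter.

    readings: one temperature per monitor; None means that monitor's sensor
    reads open circuit. Returns (trip, trip_votes, faulty_channels).
    Assumption (this example's choice, not from the article): a faulty
    channel is counted as a trip vote, so a broken sensor degrades the
    scheme toward safety (1oo2 on the remaining channels) rather than
    letting one failed monitor mask a real excursion."""
    if len(readings) != 3:
        raise ValueError("TMR needs exactly three monitors")
    lo, hi = valid_range
    faulty = [i for i, r in enumerate(readings)
              if r is None or not (lo <= r <= hi)]
    votes = sum(1 for i, r in enumerate(readings)
                if i in faulty or r > high_limit)
    return votes >= 2, votes, faulty
```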
The practices noted here have focused on temperature control. Use them on pressure, flow, speed or indeed any other critical process variable.
1. http://en.wikipedia.org/wiki/Fail-safe, August 15, 2008.