When the 2011 edition of the industrial ovens safety standard NFPA 86 was released, for the first time, safety programmable logic controllers (PLCs) were recognized as logic devices suitable for the safe operation of industrial heating equipment. The safety PLC could now perform the control logic, but it still could not directly control the combustion safeguard systems.

That changed with the release of NFPA 2015 edition. As a result, designers and providers of industrial heating systems are now able to control all aspects of the heating control system from start through processing and shutdown. And, because most safety PLCs also can perform standard process-control functions, the hard-wired interconnections between separate combustion-safeguard systems, PID controllers, and fuel-flow and airflow control devices now can be eliminated.

Optimizing Traditional Designs with PLCs

The classic role of a combustion safeguard system is to monitor the fuel flow and airflow systems to ensure that both are available within the prescribed pressure and flow ranges for the system. Once these limits are met, the flame-safeguard system typically governs the start sequence of the equipment, including purging, pilot ignition, main burner valve positioning and, finally, main burner ignition and monitoring.

Traditionally, control of the thermal process — temperature, fuel and air flows/ratio — are not considered part of the combustion-safeguard system and do not require the use of safety rated (SIL) equipment. Instead, these two functions — safeguard and process — were separate tasks and usually performed by different control devices.

With the recent changes to the NFPA 86 standard, a single, modern PLC can easily perform the process-control requirements of a thermal process system. Because modern PLCs usually have PID control-loop capability, control strategies from simple temperature control to the most complex cascaded, lead/lag ratio control concepts are programmed easily. And, because PLCs easily communicate to higher-level computer systems via open networks, advanced mathematical modeling and predictive (artificial intelligence) methods also can be employed.

When the inherent processing power of the PLC is combined with the safety functionality of SIL-rated safety PLCs, the overall control strategy from start to finish can be applied in a single device.

human-machine interface

This simple human-machine interface schematic shows the burner piping system for a dual-fuel burner. By using the real-time data from the PLC, the equipment operator can easily observe the status of all relevant process parameters.

Putting It into Practice

Because the detection of a flame requires low signal levels (microamps or millivolts), the typical safety hardware of the PLC cannot ascertain the strength of a sensed flame. Hence, it often is better to employ a flame sensor that acts as a flame switch. These devices sense the presence of a flame, evaluate the signal strength and provide a “Yes” or “No” signal to the PLC as a discrete input. This greatly simplifies the system design and has the added benefit of allowing the equipment manufacturer to select the most appropriate flame-detection system for the burner/chamber geometries independent of the PLC supplier.

The flame signals — along with the other safety-relevant inputs such as low gas pressure, high gas pressure, and high air pressure — should be wired individually to the safety-rated input channels. (The current NFPA 86 standard requires the PLC and its associated safety-relevant hardware to be rated SIL2.)

combustion-safeguard system

The classic role of a combustion-safeguard system is to monitor the fuel flow and airflow systems to ensure that both are available within the prescribed pressure and flow ranges for the system.

By wiring these devices individually, the safety PLC logic will be able to easily provide performance information to the operator. Older systems that employed devices wired in series to a single input channel provided little diagnostic functions to troubleshoot a burner shutdown. Even modern, stand-alone flame-detection systems may only offer a “first out” fault indication.

Similarly, safety-relevant control devices such as the fuel safety-shutoff valves and purge control valves should be wired individually to the PLC. Many safety-rated PLC input and output modules have built-in diagnostics to detect issues such as broken wires or shorted, open or crossed circuits. These extensive diagnostics are vital to ensure proper operation of the safety components.

Going beyond the combustion-safeguard functions, safety-rated PLCs can pass operational and performance data to their standard programs. This is where equipment manufacturers can take advantage of the safeguard information to create control strategies that maximize fuel efficiency, increase production and reduce emissions — all while operating within the safe parameters of the combustion system.

Regenerative burner systems, for example, with their constant switching on and off of burners, can benefit greatly from a safety-integrated PLC system. High temperature recuperative systems — with their inherent instability on cold startups — also will function more reliably when the combustion safeguard and process-control systems are connected directly.

combustion-safeguard system

The details of the combustion-safeguard system program can be presented for operator or maintenance information. Note that the colors indicate the data values directly from the safety program.

Optimizing Purchasing

Safety PLC controllers offer cost benefits to modern industrial heating equipment. By combining the safety PLC functions with the traditional PLC functions in a single device, the cost of a safety-integrated CPU is less than the cost of two separate CPUs. In addition, because modern control systems take advantage of networked devices, if a distributed I/O system can support both standard and safety-rated I/O in remote locations (Profinet, for example), then wiring and installation costs can be reduced. Moreover, if the standard and safety I/O can reside in the same rack, additional cost savings can be realized.

Adding modern human-machine interface (HMI) devices to the control system allows the placement of operator interfaces at key locations throughout the facility. Also, because a modern PLC can be configured to send messages to mobile devices, downtime and production loss can be minimized when a shutdown does occur.

In conclusion, as noted, the current NFPA standard calls for the use of safety-rated PLCs with a rating of SIL2. Going forward, future editions of the NFPA standards are calling for safety ratings of SIL3.

Some safety PLC systems on the market can already achieve SIL3 performance levels. Because the SIL rating of the combustion system is dependent on the performance of all the components (PLC, I/O, sensors, switches, etc.), it is vital to keep abreast of current and proposed new standards.