Control Systems Safety vs. Reliability vs. Complexity
A well-designed system built from carefully selected components will mitigate safety risks while managing costs and maintaining high reliability.
When selecting a safety control system for a combustion application, it is essential to recognize that many trade-offs will need to be weighed before making a decision. In simple terms, the reliability will decrease when adding safety to any system. This reliability decrease is related to the fact that adding safety features requires the addition of more ways to shut down the heater. It also requires adding sensors and logic solvers, which can fail. It is the job of the system designer to mitigate these potential failure points in a manner that does not decrease safety. The typical trade-off most often seen is a cost or complexity increase to the control system. Even considering the decrease in reliability, increase in complexity and higher cost, it is easy to see the value in adding safety controls to a system with the potential for loss of life, damage to the environment or damage to equipment.
This article is focused on a burner-management application; however, the general principles would apply to similar safety systems with a “power-down” safe state. This means that to enter a safe state, the controller de-energizes all outputs that are connected to devices with a mechanical fail-safe default state. In the case of a burner-management system, the outputs are connected to fail-closed fuel valves. The fuel valves are driven to a safe state by a mechanical method (typically, a spring) when power is removed.
It should be understood that mechanical components can fail, and it is the job of the safety system designer to mitigate the potential failure modes as well. The most common mitigation method in the case of a fuel valve would be to install two valves in series. The designer also would choose valves with failure rates that have been proven to be low.
Systems without a power-down safe state — systems operating a safety function where stopping or powering down is unsafe — present various additional complexities. These systems are not considered in the scope of this article. (For reference, an example of this type of system would be the braking system in a vehicle where defaulting to full lock-up is not an ideal situation. Though it may come to that in the extreme failure state, designers of these systems strive for a fail-over or partially working state before a shutdown.)
The main job of any safety system is to bring the system to a safe state in the event of an emergency. In a combustion system, this is with fuel shut off and no heat being generated. While this state is desirable from a safety standpoint, it can be undesirable from a process standpoint. The interruption of heat supply to the process can cost as much as millions of dollars per day, depending on the application.
An emergency shutdown (ESD) triggered by an unsafe event is necessary, and the costs of it are deemed a worthwhile trade-off for the safety of people, environment and equipment. However, an ESD triggered by a faulty sensor or other noncritical event is considered a nuisance shutdown. Nuisance shutdowns are undesirable, so the system designer takes significant effort to minimize them.
Finding the balance between safety, nuisance shutdowns and complexity while balancing costs can be challenging. It is achievable in most cases, nonetheless. The system designer should start with an analysis of the cost of a nuisance shutdown.
In some cases, this cost can be extremely high and will easily justify adding high cost and complexity to the system. In these situations, the designer typically will opt for a two-out-of-three (2oo3) voting system. For every pressure, temperature, flow or other heater variable monitored, three sensors will be installed. Those sensors are brought back to a logic solver, which is similarly triple redundant. It is easy to understand the cost and complexity increase such a system would incur.
A more moderate (in terms of cost and complexity) approach is a partially redundant heater design. In most applications, the heater installed will have spare capacity to account for system tolerances, seasonal changes, future plant expansion or other similar variables. If the heater includes multiple burners, this spare capacity can be used as redundant backup capacity by a cleverly designed control system. Rather than a single massive fuel train for all burners, the heater can be run by several smaller fuel trains that each feed one or two burners. The cost increase for this design is less than a full 2oo3 voting system, and it is typically acceptable for the increased reliability. This results in a more complex system but one in which a single fault does not trip the entire heater.
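Added example, not from the article: a small Python model of the two approaches just described, 2oo3 voting per monitored variable and a heater split across several fuel trains so that one tripped train does not stop the heater. The sensor readings, trip limit, train capacities and the choice to treat a diagnosed-faulty sensor as a trip vote are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Sensor:
    value: float
    healthy: bool = True  # result of the transmitter's self-diagnostics

def sensor_votes_trip(s: Sensor, high_limit: float) -> bool:
    # Assumption: a sensor diagnosed faulty casts a trip vote (conservative).
    # In 2oo3 it is outvoted by two healthy sensors; in 1oo1 it trips the heater.
    return (not s.healthy) or s.value > high_limit

def vote_1oo1(sensor: Sensor, high_limit: float) -> bool:
    return sensor_votes_trip(sensor, high_limit)

def vote_2oo3(sensors, high_limit: float) -> bool:
    assert len(sensors) == 3
    return sum(sensor_votes_trip(s, high_limit) for s in sensors) >= 2

@dataclass
class FuelTrain:
    capacity_mw: float
    sensors: list                  # three pressure transmitters, voted 2oo3
    valve_energized: bool = True   # fail-closed valve: de-energized = closed

def run_heater(trains, demand_mw: float, high_limit: float):
    """Drive each tripped train to its power-down safe state and report
    whether the trains still firing can meet the process demand."""
    for t in trains:
        if vote_2oo3(t.sensors, high_limit):
            t.valve_energized = False  # spring-return valve closes
    online = sum(t.capacity_mw for t in trains if t.valve_energized)
    return online >= demand_mw, online

LIMIT_BAR = 5.0  # constructed high-pressure trip limit

def demo():
    one_faulty = [Sensor(4.2), Sensor(99.0, healthy=False), Sensor(4.3)]
    two_high = [Sensor(5.6), Sensor(5.4), Sensor(4.1)]
    nuisance_1oo1 = vote_1oo1(one_faulty[1], LIMIT_BAR)   # True: faulty sensor trips
    tolerated_2oo3 = vote_2oo3(one_faulty, LIMIT_BAR)     # False: outvoted
    real_trip = vote_2oo3(two_high, LIMIT_BAR)            # True: genuine high pressure
    trains = [FuelTrain(4.0, one_faulty), FuelTrain(4.0, two_high),
              FuelTrain(4.0, [Sensor(4.0) for _ in range(3)])]
    # 12 MW installed against 7.5 MW demand: spare capacity covers one tripped train
    ok, online = run_heater(trains, demand_mw=7.5, high_limit=LIMIT_BAR)
    return nuisance_1oo1, tolerated_2oo3, real_trip, ok, online
```

Only the train with two genuinely high readings is driven to its safe state; the train with one faulty transmitter keeps firing, and the heater stays above demand.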
On the low end in terms of cost and complexity, there are heaters where a nuisance shutdown is undesirable, but the cost of a shutdown is not high enough to justify a redundant control system, or there are cost constraints for other reasons. These systems cannot take advantage of the redundant options but are still required to have a safety system installed. Even with these constraints, there are still a few tools available to designers of safety controls for these heaters. In these situations, an integrated control system can be the best solution. An integrated burner-management system (BMS) can attain a basic level of redundancy without dramatic cost increases. Very high reliability figures can be achieved if an appropriate integrated BMS is chosen.
Factors Affecting BMS Cost
Redundant circuits have a noticeable impact on the cost of PLC-based burner-management system designs. Even the simple aspects such as connectivity will drive up the cost and reduce reliability. Terminal blocks connected by an electrician with industrial-rated wire are not cheap and are subject to human error.
At the same time, an integrated BMS can add multiple internal connections with negligible additional cost. When manufacturing a circuit board, 10 connections can cost less than one connection in the field. Similarly, when placing parts on the circuit board, the cost is negligible for additional components. This cost optimization gives the circuit designer an advantage over a designer building a PLC-based BMS.
Another advantage of integrated systems is quality control. When building systems in larger volumes, elaborate test fixtures can be created to test each unit before shipping. These test fixtures cost much more than a single BMS and would be impractical for low-volume or one-off installations. For an integrated BMS, however, the cost per system is minimal because it is spread over a large quantity. Quality control procedures and test fixtures ensure that any weak systems are filtered out before being installed, thereby increasing the reliability of the end installation.
The uniformity of an integrated BMS has another benefit to the end user. Operator training becomes simpler because operators only need to learn one system. There is minimal variance between sites, which leads to less initial training and minimizes downtime when a shutdown occurs. Troubleshooting a nuisance shutdown is a much simpler task when the system is familiar to both the operator and the technical support staff.
There are many ways in which a system designer can mitigate nuisance shutdowns when adding a safety system. The approach chosen will depend on the constraints of the application and the designer’s experience. A well-designed system built from carefully selected components will be able to mitigate the safety risk while managing costs and maintaining high reliability. Due to the complex nature of finding this balance, many companies specialize in this task and can offer assistance in designing a system that will save lives and meet production demands.