Professional Documents
Culture Documents
Failsafe Alarm
Fault Monitor
Failsafe Shutdown
Window Alarm
by providing redundancy, simple control and critical Using this relatively simple “cause and effect” action, limit
safeguarding. Because of the potential consequences to alarm trips can be economically used in a wide variety of
plant and personnel, “hard” alarm trips continue to be the basic and complex applications:
accepted industry standard for a wide range of primary
alarming functions, as well as for backup of DCS and • Warn of trouble by providing a “hard” alarm output
PLC strategies in critical Emergency Shutdown (ESD) when a process signal exceeds a high and/or low
and Safety Related Systems (SRS). limit.
two high relays, each with its own trip point. When the High Alarm Trip Resets
input rises above Trip Point 1 (the lower trip point), the first
set of contacts will change status merely to serve as a
warning; however, should the input rise above Trip Point 2
Change over Time
(the higher trip point), the second set of contacts change
High/Low Alarm—A dual high/low alarm accepts one Figure 7. Averaging Alarm Trip.
input and has two relays, each with a separate trip point
(Figure 3). AVERAGING ALARM TRIP
Rate-of-Change Alarm
Used to detect changes in the measured value in units
per minute or second, a rate of change alarm monitors an
High Alarm Trip Point
input for a change in value with respect to time (Figure 6).
The alarm is set to trip when the input rate-of-change High Alarm Trip Resets
RATE-OF-CHANGE ALARM
Window Alarm
∆T
∆T The Window Alarm is activated when the process variable
> limit ∆t
∆t is outside of the low/high trip point ranges (Figure 8).
Change in Input Signal
WINDOW ALARM
Alarm State
Non-Alarm State
On some alarm trips, you can set one or more of the Process Input Signal
relays to trip when an input is interrupted, such as in the
Change in Input Signal
Reset
instance of a sensor break. This provides an alert of a
non-critical sensor break without causing a costly false
shutdown.
Self-Diagnostic Alarm
Some limit alarm trips continuously monitor their own Change over Time
status during operation, and trip if they are not operating
properly.
Relay ON C NO
Relay OFF
FORM C
Change over Time
FAILURE!
NO N
E
Relay
Energized 120V U
HOT Light T
C R
A
NC L
Change over Time
The other relay action is non-failsafe. This unit’s relay is If the SPDT relay is failsafe, by definition it is energized
de-energized when the input signal is in the normal when in normal state and de-energized when in alarm
condition (Figure 15) and energized when an alarm state. When the trip point is exceeded, the relay de-
occurs. In this configuration, the alarm trip will not energizes and sends the contact from NO to NC (Figure
16), turning on the light by completing the circuit between
Figure 14. Non-Failsafe Relay Action Upon Power Failure. the NC and C terminals. In this configuration, the light
needs to be wired to the NC side of the contact. As
NON-FAILSAFE RELAY ACTION stated earlier, this strategy is preferred because if power
to the alarm trip is lost, an alarm is initiated to warn of
NO ALARM OUTPUT trouble.
Trip Figure 16. A failsafe alarm trip is energized when it is not in the
Point
Deadband alarm state and de-energized when in alarm state (shown below).
POWER
FAILURE! Reset NO N
Change in Input Signal
Point E
Relay
De-energized 120V U
Relay
De-energized HOT T
C R
A
NC Light L
Change over Time
Figure 17. Deadband Reduces Relay Chatter. ALARM RESPONSE TIME DELAY
Less Than 5 Exceeds
ADJUSTABLE DEADBAND Seconds Above 5 Seconds High Alarm Trips
Trip Point Above Trip
Point
Trip
Trip Point
Deadband
Deadband Point
Reset
Point
Reset
Point
5 Second Intervals
In recent years, there has been a growing concern on For example, one plant engineer was using 3 temperature
improving the safety of process operations. Increased sensors to monitor the burn-off flame of an emissions
efforts to protect personnel, product, equipment and the flare stack. However, when the wind blew, the flame
environment stems from the possible threat of leaning away from the stack gives a false output signal.
explosions, fires and toxic releases. Other interest is The solution was to change the strategy to rely on low
based on first hand accounts that improving safety and readings from two sensors to indicate no flame in a 2-out-
increasing reliability reduces costly downtime and of-3 voting scheme. This ladder rung approach creates a
production costs. These concerns led the IEC to issue “flame out circuit” only in the event that two of the three
standard IEC 61508 Functional Safety of Electrical/ alarms are tripped. Using an alarm time delay with this
Electronic/Programmable Electronic Safety Related strategy will also help prevent false trips (Figure 20).
Systems.
Figure 20. Alarm Trips in a 2-Out-of-3 Voting Scheme.
Limit alarm trips are increasingly asked to play a role in
Safety Related Systems (SRS) as primary alarm
stategies, to back up “soft” PLC and DCS alarms, and in
other especially critical applications such as those that
require 2-out-of-3 voting strategies (Figure 20). Trip 1A
Trip 1B
FMEDA Reports—To help companies implement Safety Trip 3A
Related Systems (also called Safety Instrumented Trip 3B
Trip 2A
Systems or SIS), some limit alarm trips are available with
Trip 2B
Failure Modes, Effects and Diagnostic Analysis (FMEDA)
reports. An FMEDA is a detailed circuit and performance
Voting Logic Circuit
evaluation that estimates the failure rates, failure modes, (in power-off condition)
and diagnostic capability of a device. It includes both 120V Hot 120V Neutral
mathematical analysis and specific physical tests. The 1A 2A
results of the analysis include verifying the instrument’s
predictable and repeatable failure mode(s), and 1B 3A
determining its associated failure rates. It is employed by
the instrument user to determine the suitability for use of 2B 3B Flame Out
a specific device in a safety related application. Circuit