
Burner Management System

General guidelines
Interlock and Protection
Hardware architecture

What shall we look into, in today’s session?
• NFPA guidelines
• BMS requirements
• BMS applications dealing with
  – Boiler purge control
  – Fuel safety control (MFT)
  – Pre light-up control
  – Individual burner control
    – Oil burner
    – Coal burner
• BMS architecture

What is NFPA?
NFPA is an abbreviation for National Fire Protection Association.
• Established in 1896, NFPA, an international nonprofit membership organisation, serves as the world's leading advocate of fire prevention and is an authoritative source on public safety.
• It is the authority on fire, electrical, and building safety.
• Its mission is to reduce the worldwide burden of fire and other hazards on the quality of life by providing and advocating consensus codes and standards, research, training, and education.
• NFPA's 300 codes and standards influence
  – building,
  – process,
  – service,
  – design, and
  – installation

NFPA Applicable standards for Boilers and Furnaces
NFPA 85: Boiler and Combustion Systems Hazards Code, 2007 Edition.

PURPOSE
• The standard provides minimum requirements for the design, installation, operation, and maintenance of large commercial and industrial boilers, heat recovery steam generators, and related combustion systems. These requirements help prevent fires, explosions, and implosions, and contribute to overall safety.

SCOPE
• The standard covers structural design, purging systems, and fuel-burning systems, including fuel supplies, the main burner, combustion control systems, burner management systems, furnace pressure control systems, and other system and function requirements. Procedures for normal and emergency start-up and shut-down, fuel transfer, and firing of more than one fuel are also covered. Some requirements are specific to certain equipment applications.

NFPA Applicable standards for Boilers and Furnaces
NFPA 85 is a compilation of six earlier standards:
• NFPA 8501, Single-Burner Boiler Operation;
• NFPA 8502, Prevention of Furnace Explosions/Implosions in Multiple Burner Boilers;
• NFPA 8503, Pulverized Fuel Systems;
• NFPA 8504, Atmospheric Fluidized-Bed Boiler Operation;
• NFPA 8505, Stoker Operation; and
• NFPA 8506, Heat Recovery Steam Generator Systems.

An excerpt from the above standard:

“the basic cause of a furnace explosion is the ignition of an accumulated combustible mixture within the confined space of the furnace or the associated boiler passes, ducts, and fans that convey the gases of combustion to the stack.”

Situations Causing Explosive conditions?
Numerous situations can arise in connection with the operation of a boiler furnace that will produce explosive conditions.
• Interruption of fuel or air supply or ignition energy to the burners.
• Fuel leakage into an idle furnace and the ignition of the accumulation
• Repeated unsuccessful attempts to light up without appropriate purging
• The accumulation of an explosive mixture of fuel and air as a result of a complete furnace flameout

Requirement
Multiple burner boilers require two independent control systems.
• One to control steam production, i.e. Boiler Control System, and
• One to control the fuel burning equipment, i.e. Burner Management System

NFPA definition
NFPA defines
• a Boiler Control System as “The group of control systems that regulates the boiler process, including the combustion control system but not the burner management system.” and
• a Combustion Control System as “The control system that regulates the furnace fuel and air inputs to maintain the air-fuel ratio within the limits that are required for continuous combustion and stable flame throughout the operating range of the boiler in accordance with demand.”

NFPA definition
NFPA defines
• a Burner Management System as “The control system that is dedicated to combustion safety and operator assistance in the starting and stopping of fuel preparation and burning equipment and for preventing mal-operation of and damage to fuel preparation and burning equipment.”

BMS – What must it do?
The Burner Management System
• must be designed to ensure a safe, orderly operating sequence in the start-up and shutdown of fuel firing equipment and to reduce possible errors by following the operating procedure.
• is intended to protect against malfunction of fuel firing equipment and associated systems.
• In some phases of operation, the BMS shall provide permissive interlocks only to ensure safe startup of equipment. Once the equipment is in service, the operator must follow acceptable safe operating practices.
• All parts of the BMS shall remain in good working order and in service whenever the burner is in service if the system is to provide the protection for which it is designed.

BMS - What are the basic Functions?
The BMS shall be designed to perform the following functions:
• Prevent firing unless a satisfactory furnace purge has first been completed.
• Prohibit start-up of the equipment unless certain permissive interlocks have first been completed.
• Monitor and control the correct component sequencing during start-up and shut-down of the equipment.
• Provide component condition feedback to the operator and, if so equipped, to the plant control systems and/or data loggers.
• Provide automatic supervision when the equipment is in service and provide means to make a Master Fuel Trip (MFT) should certain unacceptable firing conditions occur.
• Execute an MFT upon certain adverse unit operating conditions.


How do we categorize the different controls
A Boiler Control System shall have the following applications
• Combustion control
• Excess air control
• Steam drum level control
A Burner Management System shall have the following applications
• Boiler purge control
• Fuel safety control
• Pre-light up control
• Individual burner control

Boiler Purge Control
Why: For removing all combustibles from the boiler furnace and replacing them with air to prevent any explosive mixture from remaining in the furnace prior to light up.

When: After a Master Fuel Trip has occurred

How:
A. Ensuring that a predetermined set of fuel and air related permissive conditions are satisfied, which shall include
• All fuel valves (Shut-off valves, oil valves) closed
• Either of one FD Fan & ID Fan running
• All Mills and Feeders stopped and Mill discharge valves closed
• All PA Fans stopped and PA to Mill inlet dampers closed
• All scanners sense no flame
• Air flow is not less than 25% - 35% (multiple burner boilers) of full load air flow
• 4 out of 6 secondary air dampers at Purge position
• No MFT conditions present
• MFT relay tripped

Now the Boiler is Ready for Purge

B. Initiate Boiler Purge
• Dampers are initiated to move to Purge position (air flow 30 to 80 T/hr)
• 5 minute purge timer triggers
• Boiler purge in progress is indicated
After 5 minutes have elapsed the Purge process is complete and the boiler is ready for firing.
If any of the conditions mentioned in ‘A’ fails during the purging process, purging is interrupted and the timer resets.
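
The permissive check of list 'A' and the resettable 5 minute purge timer, as an added Python example that is not part of the original slides. Field names are hypothetical; "Either of one FD Fan & ID Fan running" is read here as at least one fan of each type, and the lower 25% bound of the air flow band is assumed as the threshold.

```python
from dataclasses import dataclass

PURGE_SECONDS = 300.0          # 5 minute purge timer (from the slides)
MIN_PURGE_AIR_FLOW_PCT = 25.0  # assumption: lower bound of the 25%-35% band


@dataclass
class PurgeInputs:
    """One logic scan of field signals. Field names are hypothetical."""
    all_fuel_valves_closed: bool
    fd_fans_running: int
    id_fans_running: int
    mills_and_feeders_stopped: bool
    pa_fans_stopped: bool
    all_scanners_no_flame: bool
    air_flow_pct: float
    sa_dampers_at_purge: int       # out of 6
    mft_condition_present: bool
    mft_relay_tripped: bool


def failed_permissives(i):
    """Names of the list 'A' permissives that are not satisfied on this scan."""
    checks = {
        "fuel valves closed": i.all_fuel_valves_closed,
        "FD and ID fan running": i.fd_fans_running >= 1 and i.id_fans_running >= 1,
        "mills/feeders stopped": i.mills_and_feeders_stopped,
        "PA fans stopped": i.pa_fans_stopped,
        "no flame on any scanner": i.all_scanners_no_flame,
        "air flow >= 25 %": i.air_flow_pct >= MIN_PURGE_AIR_FLOW_PCT,
        "4 of 6 SA dampers at purge": i.sa_dampers_at_purge >= 4,
        "no MFT condition": not i.mft_condition_present,
        "MFT relay tripped": i.mft_relay_tripped,
    }
    return [name for name, ok in checks.items() if not ok]


class PurgeSequencer:
    def __init__(self):
        self.in_progress = False
        self.complete = False
        self.elapsed = 0.0
        self.last_interrupt = []

    def start(self, i):
        """Purge request: accepted only when the boiler is ready for purge."""
        self.last_interrupt = failed_permissives(i)
        if self.last_interrupt:
            return False
        self.in_progress, self.complete, self.elapsed = True, False, 0.0
        return True

    def scan(self, i, dt):
        """Call once per logic scan; dt is the time since the previous scan (s)."""
        if not self.in_progress:
            return
        failed = failed_permissives(i)
        if failed:
            # Any lost permissive interrupts the purge and resets the timer,
            # so partial purge time is never carried over to the next attempt.
            self.in_progress, self.elapsed = False, 0.0
            self.last_interrupt = failed
            return
        self.elapsed += dt
        if self.elapsed >= PURGE_SECONDS:
            self.in_progress, self.complete = False, True


def sample_inputs(air_flow_pct=30.0):
    """Constructed sample scan: every permissive healthy, air flow selectable."""
    return PurgeInputs(True, 1, 1, True, True, True, air_flow_pct, 4, False, True)


if __name__ == "__main__":
    seq = PurgeSequencer()
    seq.start(sample_inputs())
    for _ in range(299):
        seq.scan(sample_inputs(), 1.0)
    seq.scan(sample_inputs(air_flow_pct=20.0), 1.0)   # air flow dips at 299 s
    print(seq.complete, seq.elapsed, seq.last_interrupt)
```
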

Fuel Safety Control
Why: To prevent any explosive condition in the furnace

What: Withdraws fuel feed to the Furnace

When: If any of the predetermined trip conditions has occurred.

Classification
Depending on the fuels involved, the fuel safety control can be made up of the following:
• Master fuel trip
• Oil fuel trip


Master Fuel Trip
If any of the predetermined master fuel trip conditions occurs, a master fuel trip is initiated. The first out cause of trip indication is displayed and alarmed. Conditions of a master fuel trip are:
• All FD Fans off
• All ID Fans off
• Boiler air flow low for 3 secs
• Loss of all fuel
• Loss of all flame
• Furnace pressure very high/Low
• Drum level very high/low
• Critical Flameout
• Delayed light-up
• Re-heater protection operated

Master Fuel Trip
Some more conditions of a master fuel trip (continued):
• Loss of HT power
• Loss of UPS power
• Loss of 220V DC power
• Condenser vacuum low
• MFT hard relay tripped
• 2 out of 3 main processors failed
• Both emergency trip push buttons operated

Any of the above conditions will result in an MFT

MFT can be reset when
• None of the above trip conditions exist
• Boiler purge is complete
• Reset MFT is initiated
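
The first-out latch and the three-part reset interlock described above, as an added Python example that is not part of the original slides. Class and parameter names are hypothetical; it assumes the latch powers up tripped and that, when several conditions appear on the same scan, the first one in the supplied mapping is reported as first-out.

```python
AIR_FLOW_LOW_DELAY_S = 3.0  # "Boiler air flow low for 3 secs" (from the slides)


class MasterFuelTrip:
    """Latched MFT with first-out capture. Names and scan interface are hypothetical."""

    def __init__(self):
        # Assumption: the latch powers up tripped, so a purge is needed before firing.
        self.tripped = True
        self.first_out = "power-up"
        self.active = []
        self._air_low_for = 0.0

    def scan(self, conditions, air_flow_low, dt):
        """conditions: {name: bool} for the untimed trip inputs; dt in seconds."""
        self._air_low_for = self._air_low_for + dt if air_flow_low else 0.0
        self.active = [name for name, on in conditions.items() if on]
        if self._air_low_for >= AIR_FLOW_LOW_DELAY_S:
            self.active.append("Boiler air flow low for 3 secs")
        if self.active and not self.tripped:
            self.tripped = True
            # Only the cause seen on the tripping scan is kept; later,
            # consequential conditions never overwrite it.
            self.first_out = self.active[0]
        return self.tripped

    def reset(self, purge_complete, reset_initiated):
        """All three reset conditions from the slides must hold together."""
        if self.tripped and not self.active and purge_complete and reset_initiated:
            self.tripped = False
            self.first_out = None
            return True
        return False


def demo():
    """Constructed scenario: purge, reset, 2 s air-flow dip, then a sustained dip."""
    idle = {"All FD Fans off": False, "Loss of all flame": False}
    mft = MasterFuelTrip()
    mft.scan(idle, False, 1.0)
    events = [mft.reset(purge_complete=False, reset_initiated=True),
              mft.reset(purge_complete=True, reset_initiated=True)]
    for low in (True, True, False):          # dip shorter than 3 s: no trip
        mft.scan(idle, low, 1.0)
    events.append(mft.tripped)
    for _ in range(3):                       # dip sustained for 3 s: trip
        mft.scan(idle, True, 1.0)
    mft.scan({**idle, "Loss of all flame": True}, True, 1.0)   # consequential
    events += [mft.tripped, mft.first_out, mft.reset(True, True)]
    return events


if __name__ == "__main__":
    print(demo())
```

A reset command on its own never clears the latch: the request is refused while any trip condition is active or the purge is incomplete.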

MFT – all FD fans off
• All FD fans Off
Source: Breaker off signal from both fans
Implication: Will result in insufficient air for the combustion process and the fuel cannot burn
Action: MFT

MFT – all ID fans off
• All ID fans Off
Source: Breaker off signal from all 3 fans
Implication: Will result in an uncontrolled furnace pressurization.
Action: MFT

MFT – Air flow less than 25%
• Boiler air flow less than 25% for 3 secs
Source: Flow transmitters at FD suction
Implication: Will result in insufficient air for the combustion process and the fuel cannot burn completely
Action: MFT

MFT – Loss of all fuel
• Loss of all fuel
Source: Any oil burner in operation (MFT trip resets) and closure of all burner valves and all Mills ‘off’ and no mill in shutdown mode.
Implication: As no fuel is being fed into the furnace, generation of heat for sustenance of combustion and subsequent production of steam cannot take place
Action: MFT

MFT – Loss of all flame
• Loss of all flame
Source: Any oil burner in operation and no scanners see flame.
Implication: Will proactively safeguard against all adverse effects due to non-burning of fuel (detected from the intensity of flame) being injected into the furnace
Action: MFT

MFT – Furnace pressure very high/low
• Furnace pressure very high/low
Source: Pressure switch and transmitter.
Implication: Will result in explosion or implosion of the furnace resulting in mechanical deformity
Action: MFT

MFT – Drum level very high/low
• Drum level very high/low
Source: Hydrastep and drum level transmitter
Implication:
High: Will result in flooding of superheaters causing
a. carryover of dissolved solids and hence deposition downstream affecting heat transfer
b. fall of steam temperature and quenching of Turbine
Low: Will result in starvation of water in the furnace tubes which will lead to tube metal overheating as no cooling medium is present
Action: MFT

MFT – Critical flameout
• Critical Flameout
Source: Furnace flame scanners detect 2 out of 3 zones no flame
Implication: Is a consequence of improper combustion in pre-identified zones within the furnace resulting in flame instability which may give rise to improper heat distribution
Action: MFT

MFT – Delayed light-up
• Delayed light up
Source: MFT reset, LDO shut off valves open and no oil gun in operation (or in other words put into service) within 10 mins of opening of LDO shut-off valves.
Implication: Repeated unsuccessful attempts to light up the boiler with oil gun have resulted in accumulation of unburnt fuel (oil) in the furnace and hence the furnace requires purging.
Action: MFT

MFT – Re-heater protection
• Re-heater protection
Source: All governor valves closed, HP bypass valve < 2% open with
a. at least one feeder running from remote
or
b. more than 8 out of 12 oil guns in operation
Implication: Damage to tubes that can result from firing in excess of safe limit, which will cause overheating of re-heater tubes due to absence of a steam flow through them.
Action: MFT

MFT – Condenser Vacuum Low
• Condenser Vacuum Low
Source: Pressure switch installed at condenser (500 mmHg abs)
Implication: Under turbine tripped condition and bypass in operation, steam dumping continues at condenser, which can result in pressurization. Under such poor vacuum conditions the condenser is not capable of dissipating the heat load with existing CW flow and as a result the temperature rises.
Action: MFT

EFFECTS OF MFT
• MFT RELAY OPERATED
• LDOT
• HFOT
• TRIP SEAL AIR FANS
• TRIP ALL MILLS
• TRIP ALL FEEDERS
• CLOSE ALL ATTEMPERATION BLOCK VALVES
• TRIP TURBINE

Oil Fuel Trip
If any of the predetermined oil fuel trip conditions is exceeded, the oil fuel trip is initiated. The first out cause of trip indication is displayed and alarmed. All oil fuel is removed from the boiler and all oil burners are shut down. Depending on other conditions a master fuel trip may be generated. Conditions of an oil fuel trip are:
• LDO trip valves close command
• LDO trip valves not closed and LDOT condition is present
• LDOT relay fails to trip and LDOT condition is present
• LDO pressure very low for 3 secs and any LDO burner valves not closed
• Atomising air pressure very low for 3 secs and any LDO burner valves not closed
• LDO trip valve not open within 10 secs of LDOT reset
• Any burner valve fails to close despite boiler load being > 50%
• LDOT hard relay tripped

LDOT can be reset when
• None of the above trip conditions exist
• MFT relay is reset
• Trip valve open is initiated
• All LDO burner valves are closed

Pre Light-up Control
Why: To ensure all predetermined boiler LIGHT-UP conditions are satisfied prior to introducing any fuel in service.

When: Once the boiler purge has been completed and the master fuel trip has been reset.

How: It ensures that individual fuel and air conditions for pre light-up are satisfactory for igniter and burner operation, which shall include the following checks and hence provide permission to light LDO:
• LDO trip valves open
• LDOT reset
• LDO pressure healthy
• Atomizing air pressure healthy

Individual Burner Control
Classification of burners
• Burner for gas firing – nozzle type
• Burner for oil firing – sprayer plate type
• Burner for coal firing – gravity fed down shot fired, corner fired, front fired

Individual Burner Control - Oil
Why: To ensure on light up a healthy flame is detected at the oil burner, else burner is to be taken out of service ensuring no remnants of fuel in the burner

When: Once the permission to light LDO is given

How: It ensures that individual burner shall operate in 4 modes
• Oil burner start permissives
• Oil burner light-up
• Oil burner shutdown
• Oil burner scavenging

Oil burner start permissives
The following permissives are to be satisfied in order to proceed towards light-up
• Permission to light LDO is present
• Burner LDO valve is closed
• No flame is detected at burner
• Burner shutdown condition is not initiated
• Burner spark ignitor power healthy

This gives the Burner permission to start


Oil Burner Light-up: Notes

Note 1:
• Burner Permission to start is present
• Burner start PB operated
This puts the burner in lighting mode

Note 2:
• Atomising air valve open
• LDO valve open
• Oil gun inserted
• Oil flame detected
These conditions indicate burner in operation

Oil Burner Light-up
Sequence of operation
Step 1:
Burner is in lighting mode
Burner is not in operation
Feeder is not running from remote
→ Secondary air dampers are initiated to move to oil position (air flow 30 to 120 T/hr)
Step 2:
Burner is in lighting mode
Secondary air dampers are in oil position or Feeder is running from remote
→ Oil gun insertion initiated
Step 3:
Burner is in lighting mode
Oil gun inserted
→ Atomising air valve open initiated

Oil Burner Light-up
Sequence of operation
Step 4:
Burner is in lighting mode
Oil gun inserted
Atomising air valve open
Scavenge valve closed
→ Spark ignitor insertion initiated (and 15 secs timer triggered)
Step 5a:
Burner is in lighting mode
Oil gun inserted
Atomising air valve open
Scavenge valve closed
Spark ignitor inserted
→ Energise spark ignitor

Oil Burner Light-up
Sequence of operation
Step 5b:
Burner is in lighting mode
Oil gun inserted
Atomising air valve open
Scavenge valve closed
Spark ignitor inserted
LDO selected
→ LDO valve open initiated

Oil flame is detected
After 15 secs of ignitor insertion, command is withdrawn and hence ignitor retracts
→ Burner Light up done

Oil Burner shutdown
If any of the predetermined conditions occurs, a burner shutdown is initiated. It denies permission to start and resets lighting mode, and as a result it closes atomising air valve and LDO valve, but oil gun remains inserted.
• Burner in lighting mode for 60 secs and oil gun not inserted
• Burner in lighting mode for 60 secs and LDO valve closed
• Burner in lighting mode for 60 secs and atomising air valve not full open
• LDO valve not closed and oil gun not inserted
• LDO valve neither full close for 15 secs nor full open
• LDO valve not closed for 10 secs and oil flame not detected
• LDO valve not closed and scavenge valve not closed
• LDOT
• MFT
• Air flow < 10%
Oil Burner Scavenging

A condition which sees LDO valve close from open condition generates Burner oil gun scavenge
required (resets when oil gun is retracted or LDO valve is not closed)

Sequence of operation
Step 1:
Burner oil scavenge required persists
Oil gun scavenge not blocked
Indicates burner oil gun in scavenge mode

Step 2:
Oil gun in scavenge mode
Oil gun inserted
Atomising pressure healthy
Spark ignitor insertion initiated and 2 min timer triggered to start countdown of scavenge process

Step 3a:
Spark ignitor inserted
Energise spark ignitor

Oil Burner Scavenging
Burner oil gun scavenge is blocked when
• MFT
• LDOT
• Either scavenge valve or atomising valve not full open when burner is in scavenge mode, oil gun is inserted, atomizing air pressure is healthy, ignitor is inserted and sparking
• Either ignitor power is not available or ignitor not inserted when burner is in scavenge mode, oil gun is inserted, atomizing air pressure is healthy,
• Oil gun scavenge required persists and Atomizing air pressure not healthy
• Oil gun scavenge required persists and Oil gun not inserted
• Oil Burner stop command

The above conditions block scavenge mode

Oil Burner Scavenging

Sequence of operation
Step 3b:
Oil gun in scavenge mode
Oil gun inserted
Atomising pressure healthy
Spark ignitor inserted
Spark ignitor power available
Scavenge valve open initiated

Step 4:
Scavenge valve open
Step 3b condition satisfied
Atomising air selected
Atomizing air valve open initiated
Oil Burner Scavenging

Sequence of operation
Step 5:
Atomizing air valve open
Scavenge valve open
Spark ignitor inserted
Spark ignitor power available
2 mins have not elapsed since starting of scavenge process
Indicates Burner oil gun purge/scavenge in progress

Step 6:
All Step 5 conditions remain, except that 2 mins have elapsed since starting of scavenge process
Oil gun retract initiated

Oil Burner Scavenging
Sequence of operation
Step 7:
Oil gun retracted
→ Initiates
  – scavenge valve to close,
  – atomising air valve to close,
  – de-energise spark ignitor,
  – retract spark ignitor and
  – simultaneously “scavenge required” message will disappear


Individual Burner Control - Coal
Why: To transfer the firing from oil to coal and attain a stable flame in the furnace at high loads

When: Once oil flame is detected, mill discharge valves are closed and PA to Mill inlet damper is closed

How: It ensures that individual burner shall operate in 6 modes
• Mill start permissive and Mill starting
• Operation of Mill discharge valves
• Feeder starting
• Feeder normal shutdown
• Mill normal shutdown
• Preferential Mill tripping

Mill Trip Conditions
The following conditions shall cause a Mill to trip
• LOS or emergency stop pressed
• Mill and feeder running from remote, oil flame not detected with either feeder speed < 30% or coal flame not detected, signifying low coal and no ignition source
• Feeder running from remote and neither coal nor oil flame detected, assuming flame monitoring system is healthy, signifying loss of coal flame without ignition source
• Loading gas pressure very low
• Lub oil pressure very low, signifying no lubrication to Mill gear box and bearings
• Both PA fans stopped
• Mill running from remote for > 30 secs and PA flow below minimum
• Mill running from remote for > 30 secs and Secondary air flow < 45%
• Seal air pressure very low
• MFT or Mill hard relay

Mill trip reset conditions
The following conditions, if satisfied, will reset the Mill Trip Relay
• Oil flame is detected
• Mill discharge valves are closed
• PA to Mill inlet damper is closed

Note:
Mill running from remote for 10 secs moves the secondary air dampers to PF position

Mill Start Permissive
The following conditions shall be satisfied prior to starting a Mill
• No mill trip condition present and Trip relay reset
• Either both PA fans running OR one PA fan running with less than 3 mills running
• Selector switch in remote and breaker in service
• Seal air pressure healthy
• Mill outlet temperature > 60°C but < 110°C
• Oil flame detected
• Mill discharge valve open
• Mill lub oil pressure healthy
• Mill loading gas pressure healthy
• PA to mill inlet damper closed
The above conditions give the permissive to start a Mill, and when Mill start is initiated from remote → MILL STARTS, provided Mill is not in shutdown mode

Mill discharge valve open and close
The following conditions need to be true prior to opening a Mill Discharge Valve
• Mill Trip relay reset
• Oil flame detected
• MDV not open
• Seal air pressure healthy
The above conditions give the permissive to open Mill discharge valve, and when Open is initiated → MDV opens
The following conditions need to be true prior to closing a Mill Discharge Valve
• Feeder stopped
• Mill stopped
• MDV open
The above conditions give the permissive to close Mill discharge valve, and when Close is initiated or MFT or Mill hard relay trip occurs → MDV closes

Feeder Starting
The following conditions generate a start permissive for a Feeder
• Mill Trip relay reset
• Oil flame detected
• Feeder selected to remote
• Seal air pressure healthy
• Mill running from remote
• Feeder selected in remote
• Mill secondary air dampers in PF position (air flow 80 to 140 T/hr)
• Mill PA flow not below minimum (not less than 45 T/hr)
• Feeder trip condition not present and not running from remote

The above conditions give the permissive to start a Feeder from remote, and when start is initiated → Feeder starts, provided Feeder is not in shutdown mode

Certain points to note
The following conditions generate a permission to shut down oil burners
• Coal flame has been detected
• Coal flame is healthy
• Feeder is running from remote for more than 10 mins
The oil burners are now taken out of service

For providing support ignition the following conditions need to be true
• Coal flame has been detected
• Coal flame is not healthy
• Feeder is running from remote
This generates an alarm "Mill support ignition required" and accordingly oil burners are to be put in service

Feeder Normal Shutdown
The following conditions generate a permission to stop a Feeder
• Oil flame detected
• LDO valve open for both oil burners
• Feeder running and speed at minimum

Either of the following conditions generates a trip condition for a Feeder and indicates Feeder in shutdown mode
• Permission to stop Feeder persists, Feeder selected to remote, Stop feeder initiated
• MFT
• Mill Trip relay
• Feeder motor protection operated

Mill Normal Shutdown
The following conditions generate a permission to stop a Mill
• Mill running from remote
• Mill differential pressure low
OR
• Mill running from remote
• Oil flame detected
• LDO valve open
• Feeder stopped
The above conditions need to persist for more than 5 mins to initiate a permission to stop a Mill. It signifies Mill is empty.

Either of the following conditions de-energizes Mill hard relay and indicates Mill in shutdown mode
• Mill is empty, Mill selected to remote, Stop Mill initiated. Inhibits oil burner shutdown until Mill outlet temperature is < 60°C and mill is stopped
• MFT
• Mill Trip relay

Mill Seal Air valve Open / Close
Either of the following conditions will result in opening of Mill Seal Air Valve
• Mill Trip relay reset
• PA to Mill inlet damper not closed
• Open Seal air valve initiated
Provided no Seal air valve close signal persists

Either of the following conditions will result in closing a Mill Seal Air Valve
• Mill trip relay tripped
• Mill stopped and close seal air valve command initiated
Provided PA to Mill inlet damper open does not persist

Preferential Mill Tripping
Why: To take certain running Mills out of service as per preference in order to reduce firing and compensate for the furnace conditions prevailing

When:
• On Turbine trip
• Load rejection > 50%
• Single FD or PA fan running

How: It ensures that extreme burners shall trip
• Under 4 mill condition
  – If Mill D is not in service then Mill A trips
  – If Mill A is not in service then Mill D trips
  – If both Mill A and Mill D are in service, Mill A trips if Mill D is the single Mill in the rear OR Mill D trips if Mill A is the single Mill in the front
  – If Mill A and Mill D both are not in service then Mill B trips
• Under 5 mill condition
  – Mill A and Mill D trip if they are both in service
  – Mill A and Mill B trip if Mill D is not in service
  – Mill B and Mill D trip if Mill A is not in service

Hardware - PLC
• EFFECTIVE AND RELIABLE SYSTEM FOR OVERALL SUPERVISION OF BOILER SAFETY IN A POWER PLANT.
• CONTAINS SAFETY GUIDELINES PROGRAMMED INSIDE FOR
  – TAKING PREVENTIVE MEASURES
  – IN EXTREME CASES TO TAKE THE WHOLE SYSTEM TO STEP-BY-STEP SHUTDOWN.
• IT FORESEES FUTURE ERROR AND GENERATES ALARMS.
• BMS IS THE SUPPORTIVE SYSTEM WITH THE DCS TO MANAGE THE PLANT IN SIMPLER WAY.
[Figure labels: Transferring control to Fault Tolerant pair and running self diagnostics; Chassis with Processor and I/O cards; Running self diagnostics and monitoring]

Hardware - PLC
• THE BMS IS A PLC, PROGRAMMED ACCORDING TO USER NEED.
• LIKE CONVENTIONAL PLC SYSTEMS THE BMS ALSO CONSISTS OF THE FOLLOWING PARTS:
1. MOUNTING RACK: FOR HOUSING THE WHOLE PLC SYSTEM.
2. POWER SUPPLY: FOR SUPPLYING POWER TO THE PLC SYSTEM.
3. MAIN PROCESSOR: THE BRAIN OF THE SYSTEM
4. I/O CARDS: INTERFACING UNITS BETWEEN SYSTEM & FIELD
5. SPECIAL MODULES: COMMUNICATION WITH OTHER SYSTEMS, ETC.
6. SPECIAL FUNCTIONS: HIGH SPEED COUNTER, THERMOCOUPLE SENSORS (NOT IN BBGS)

What is TMR architecture?
• It means Triple Modular Redundant
• TMR architecture integrates three isolated parallel control systems (as evident in diagram)
• Extensive diagnostics carried out in each Control System
• The system uses TWO-OUT-OF-THREE voting to provide high integrity, error free uninterrupted process operation with no single point failure

WHAT ARE THE KEY FEATURES?
• The Tricon controller uses three identical channels to process single data from field
• Each channel independently and in parallel executes the application program, which can remain in the form of Ladder Logic, Functional Block Diagram or Statement List in the processors
• Specialised hardware / software voting mechanisms qualify and verify digital inputs / outputs from / to field
• Analog inputs are subjected to a MEDIAN VALUE selection
• Each channel is isolated from the others and no single point failure in any channel can pass to another channel
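
Two-out-of-three voting on a digital point and median value selection on an analog point, with the dissenting leg reported for diagnostics, as an added Python example that is not part of the original slides and not the controller vendor's code. The function names, the deviation tolerance and the three-scan fault limit are assumptions; the trip on two faulted legs is modelled on the slides' MFT condition "2 out of 3 main processors failed".

```python
from statistics import median

LEGS = ("A", "B", "C")


def vote_2oo3(a, b, c):
    """Two-out-of-three vote on a digital point; also report dissenting legs."""
    voted = (a and b) or (b and c) or (a and c)
    dissent = [leg for leg, v in zip(LEGS, (a, b, c)) if v != voted]
    return voted, dissent


def median_select(a, b, c, tolerance):
    """Median value selection for an analog point; flag legs far from the median."""
    mid = median((a, b, c))
    deviating = [leg for leg, v in zip(LEGS, (a, b, c)) if abs(v - mid) > tolerance]
    return mid, deviating


class LegDiagnostics:
    """Declare a leg faulted after `limit` consecutive scans of disagreement."""

    def __init__(self, limit=3):
        self.limit = limit                      # assumption: 3 scans
        self.count = dict.fromkeys(LEGS, 0)
        self.faulted = set()

    def update(self, dissenting):
        for leg in LEGS:
            # A single-scan glitch is tolerated: the counter restarts on agreement.
            self.count[leg] = self.count[leg] + 1 if leg in dissenting else 0
            if self.count[leg] >= self.limit:
                self.faulted.add(leg)           # latched until maintenance clears it

    def trip_demand(self):
        # With two of three legs faulted the vote can no longer be trusted,
        # so the safe action is to demand a trip.
        return len(self.faulted) >= 2


def demo():
    """Constructed readings: leg C of a flame-scanner input is stuck on."""
    diag = LegDiagnostics()
    voted_values = []
    for reading in [(False, False, True)] * 3:
        voted, dissent = vote_2oo3(*reading)
        diag.update(dissent)
        voted_values.append(voted)
    # Constructed air flow readings in T/hr: leg C transmitter reads high.
    flow, deviating = median_select(30.1, 29.9, 75.0, tolerance=2.0)
    return voted_values, sorted(diag.faulted), flow, deviating, diag.trip_demand()


if __name__ == "__main__":
    print(demo())
```
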

TMR Architecture
[Diagram: Input Legs A, B and C feed Main Processors A, B and C, which drive Output Legs A, B and C; the output stage is fed from +V and includes a loopback]

Terminology and “buzz” words
• Fault Tolerant
  – The Ability of the System to Continue to Perform its Function in the Presence of Faults and Errors.
  – No Single Point of Failure will Shutdown the System
• Fail-Safe
  – If the System does Fail it will Fail to the Safe State or the state of the Equipment Under Control (EUC) when safety is achieved - de-energized for ESD Systems
• PFD - Probability-to-Fail On Demand
• Availability
  – The probability that the system will be operational at some instant of time


WHAT ARE THE KEY FEATURES?
• Diagnostic Features
  – Input card – checks for “stuck on” points
  – Output card – checks for “output voter diagnostic” – 2OO3 voting
  – Processor – checks for faults at input and output modules as well as itself and generates appropriate alarms for corrective action
