
Burner Management System
General guidelines
Interlock and Protection
Hardware architecture

What shall we look into in today's session?

NFPA guidelines
BMS requirements
BMS applications dealing with
  Boiler purge control
  Fuel safety control (MFT)
  Pre light-up control
  Individual burner control
    Oil burner
    Coal burner
BMS architecture

What is NFPA?
NFPA is an abbreviation for National Fire Protection Association

Established in 1896, NFPA, an international nonprofit membership organisation, serves as the world's leading advocate of fire prevention and is an authoritative source on public safety.

It is the authority on fire, electrical, and building safety.

Its mission is to reduce the worldwide burden of fire and other hazards on the
quality of life by providing and advocating consensus codes and standards,
research, training, and education.

NFPA's 300 codes and standards influence building, process, service, design, and installation.

NFPA Applicable standards for Boilers and Furnaces

NFPA 85: Boiler and Combustion Systems Hazards Code, 2007 Edition.

PURPOSE
The standard provides minimum requirements for the design, installation,
operation, and maintenance of large commercial and industrial boilers, heat
recovery steam generators, and related combustion systems. These
requirements help prevent fires, explosions, and implosions, and contribute
to overall safety.

SCOPE
The standard covers structural design, purging systems, and fuel-burning
systems, including fuel supplies, the main burner, combustion control
systems, burner management systems, furnace pressure control systems,
and other system and function requirements. Procedures for normal and
emergency start-up and shut-down, fuel transfer, and firing of more than one
fuel are also covered. Some requirements are specific to certain equipment
applications.

NFPA Applicable standards for Boilers and Furnaces

NFPA 85 is a compilation of six earlier standards:

NFPA 8501, Single-Burner Boiler Operation;
NFPA 8502, Prevention of Furnace Explosions/Implosions in Multiple-Burner Boilers;
NFPA 8503, Pulverized Fuel Systems;
NFPA 8504, Atmospheric Fluidized-Bed Boiler Operation;
NFPA 8505, Stoker Operation; and
NFPA 8506, Heat-Recovery Steam Generator Systems.

An excerpt from the above standard:

"the basic cause of a furnace explosion is the ignition of an accumulated
combustible mixture within the confined space of the furnace or the
associated boiler passes, ducts, and fans that convey the gases of
combustion to the stack."

Situations Causing Explosive conditions?

Numerous situations can arise in connection with the operation of a
boiler furnace that will produce explosive conditions.

Interruption of Fuel or air supply or ignition energy to the burners.

Fuel Leakage into an idle furnace and the ignition of the accumulation

Repeated Unsuccessful attempts to light up without appropriate purging

The Accumulation of an explosive mixture of fuel and air as a result of a complete furnace flameout

Requirement

Multiple burner boilers require two independent control systems.

One to control steam production, i.e. Boiler Control System, and

One to control the fuel burning equipment, i.e. Burner Management System

NFPA definition

NFPA defines

a Boiler Control System as "The group of control systems that
regulates the boiler process, including the combustion control
system but not the burner management system." and

a Combustion Control System as "The control system that
regulates the furnace fuel and air inputs to maintain the air-fuel
ratio within the limits that are required for continuous combustion
and stable flame throughout the operating range of the boiler in
accordance with demand."

NFPA definition

NFPA defines

a Burner Management System as "The control system that is
dedicated to combustion safety and operator assistance in the
starting and stopping of fuel preparation and burning equipment and
for preventing mal-operation of and damage to fuel preparation and
burning equipment."

BMS - What must it do?

The Burner Management System

must be designed to ensure a safe, orderly operating sequence in the startup and shutdown of fuel firing equipment and to reduce possible errors by
following the operating procedure.

is intended to protect against malfunction of fuel firing equipment and associated systems.

In some phases of operation, the BMS shall provide permissive interlocks
only to ensure safe startup of equipment. Once the equipment is in service,
the operator must follow acceptable safe operating practices.

All parts of the BMS shall remain in good working order and in service
whenever the burner is in service if the system is to provide the protection
for which it is designed.

BMS - What are the basic Functions?

The BMS shall be designed to perform the following functions:

Prevent firing unless a satisfactory furnace purge has first been completed.

Prohibit start-up of the equipment unless certain permissive interlocks have first
been completed.

Monitor and control the correct component sequencing during start-up and shutdown of the equipment.

Provide component condition feedback to the operator and, if so equipped, to the
plant control systems and/or data loggers.

Provide automatic supervision when the equipment is in service and provide
means to make a Master Fuel Trip (MFT) should certain unacceptable firing
conditions occur.

Execute a MFT upon certain adverse unit operating conditions.

How do we categorize the different controls

A Boiler Control System shall have the following applications

Combustion control
Excess air control
Steam drum level control

A Burner Management System shall have the following applications

Boiler purge control
Fuel safety control
Pre-light up control
Individual burner control

Boiler Purge Control

Why: For removing all combustibles from the boiler furnace and replacing them
with air to prevent any explosive mixture from remaining in the furnace prior to
light up.
When: After a Master Fuel Trip has occurred
How:
A. Ensuring that a predetermined set of fuel and air related permissive conditions are satisfied, which shall include
All fuel valves (Shut-off valves, oil valves) closed
Either of one FD Fan & ID Fan running
All Mills and Feeders stopped and Mill discharge valves closed
All PA Fans stopped and PA to Mill inlet dampers closed
All scanners sense no flame
Air flow is not less than 25% - 35% (multiple burner boilers) of full load air flow
4 out of 6 secondary air dampers at Purge position
No MFT conditions present
MFT relay tripped

Now the Boiler is Ready for Purge

Boiler Purge Control

B. Initiate Boiler Purge
Dampers are initiated to move to Purge position (air flow 30 to 80 T/hr)
5 minute purge timer triggers
Boiler purge in progress is indicated
After 5 minutes have elapsed the Purge process is complete and the boiler is ready for firing
If any of the conditions mentioned in A fails during the purging process, purging is interrupted and
the timer resets.
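
The purge permissive check (A) and the timed purge (B) above, as an added Python example that is not part of the original slides. The tag names, the 25% air flow setpoint and the latching of "purge complete" are assumptions; a missing or invalid signal is treated as a failed permissive.

```python
from enum import Enum

PURGE_SECONDS = 5 * 60      # 5 minute purge timer from the slide
MIN_AIRFLOW_PCT = 25.0      # assumed setpoint at the low end of the 25-35 % range
DAMPERS_REQUIRED = 4        # 4 out of 6 secondary air dampers at purge position

# Hypothetical tag names for the boolean permissives of list A.
BOOLEAN_PERMISSIVES = (
    "all_fuel_valves_closed",
    "fd_and_id_fan_running",
    "mills_feeders_stopped_mdv_closed",
    "pa_fans_stopped_inlet_dampers_closed",
    "all_scanners_no_flame",
    "no_mft_condition_present",
    "mft_relay_tripped",
)


class PurgeState(Enum):
    NOT_READY = "not ready"
    READY = "ready for purge"
    IN_PROGRESS = "purge in progress"
    COMPLETE = "purge complete"


def failed_permissives(inputs):
    """Return the names of permissives that are not proven healthy.

    A missing or malformed signal counts as failed, so a dead input
    can never satisfy a permissive by accident.
    """
    failed = [n for n in BOOLEAN_PERMISSIVES if inputs.get(n) is not True]
    airflow = inputs.get("airflow_pct")
    if (isinstance(airflow, bool) or not isinstance(airflow, (int, float))
            or not (airflow >= MIN_AIRFLOW_PCT)):   # also rejects NaN
        failed.append("airflow_pct")
    dampers = inputs.get("sa_dampers_at_purge") or ()
    if len(dampers) != 6 or sum(d is True for d in dampers) < DAMPERS_REQUIRED:
        failed.append("sa_dampers_at_purge")
    return failed


class PurgeController:
    """Scan-based purge sequence; `now` is a monotonic time in seconds."""

    def __init__(self):
        self.state = PurgeState.NOT_READY
        self.started_at = None

    def scan(self, inputs, now, start_request=False):
        if self.state is PurgeState.COMPLETE:
            return self.state   # latched until mft_occurred() (assumption)
        if failed_permissives(inputs):
            # Any permissive lost: purge is interrupted and the timer resets.
            self.state, self.started_at = PurgeState.NOT_READY, None
        elif self.state is PurgeState.IN_PROGRESS:
            if now - self.started_at >= PURGE_SECONDS:
                self.state = PurgeState.COMPLETE
        elif start_request:
            self.state, self.started_at = PurgeState.IN_PROGRESS, now
        else:
            self.state = PurgeState.READY
        return self.state

    def mft_occurred(self):
        """A new master fuel trip invalidates any earlier purge."""
        self.state, self.started_at = PurgeState.NOT_READY, None


# Constructed sample inputs (not plant data).
HEALTHY = dict.fromkeys(BOOLEAN_PERMISSIVES, True)
HEALTHY.update(airflow_pct=30.0, sa_dampers_at_purge=[True] * 5 + [False])


def demo():
    """Purge interrupted at t=200 s by a flame signal, then restarted."""
    ctl = PurgeController()
    flame_seen = dict(HEALTHY, all_scanners_no_flame=False)
    timeline = [
        (HEALTHY, 0, True), (flame_seen, 200, False), (HEALTHY, 210, False),
        (HEALTHY, 220, True), (HEALTHY, 519, False), (HEALTHY, 520, False),
    ]
    return [ctl.scan(i, t, s).name for i, t, s in timeline]


if __name__ == "__main__":
    print(demo())
```

Because the timer restarts at t=220 s, the purge completes at t=520 s rather than 300 s after the first start.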

Fuel Safety Control


Why: To prevent any explosive condition in the furnace
What: Withdraws fuel feed to the Furnace
When: If any of the predetermined trip conditions has occurred.
Classification
Depending on the fuels involved the fuel safety control can be
made up of the following:
Master fuel trip
Oil fuel trip

Master Fuel Trip

If any of the predetermined master fuel trip conditions occurs, a master fuel
trip is initiated. The first-out cause of trip indication is displayed and
alarmed. Conditions of a master fuel trip are:

All FD Fans off
All ID Fans off
Boiler air flow low for 3 secs
Loss of all fuel
Loss of all flame
Furnace pressure very high/Low
Drum level very high/low
Critical Flameout
Delayed light-up
Re-heater protection operated

Master Fuel Trip


Some more Conditions of a master fuel trip (continued)

Loss of HT power
Loss of UPS power
Loss of 220V DC power
Condenser vacuum low
MFT hard relay tripped
2 out of 3 main processors failed
Both emergency trip push buttons operated
Any of the above occasions will result in a MFT

MFT can be reset when

None of the above trip conditions exist
Boiler purge is complete
Reset MFT is initiated

MFT - all FD fans off

All FD fans Off
Source: Breaker off signal from both fans
Implication: Will result in insufficient air for the combustion process and the fuel cannot burn
Action: MFT

MFT - all ID fans off

All ID fans Off
Source: Breaker off signal from all 3 fans
Implication: Will result in an uncontrolled furnace pressurization.
Action: MFT

MFT - Air flow less than 25%

Boiler air flow < 25% for 3 secs
Source: Flow transmitters at FD suction
Implication: Will result in insufficient air for the combustion process and the fuel cannot burn completely
Action: MFT

MFT - Loss of all fuel

Loss of all fuel
Source: Any oil burner in operation (MFT trip resets) and
closure of all burner valves and all Mills off and no mill
in shutdown mode.
Implication: As no fuel is being fed into the furnace,
generation of heat for sustenance of combustion and
subsequent production of steam cannot take place
Action: MFT

MFT - Loss of all flame

Loss of all flame
Source: Any oil burner in operation and no scanners see
flame.
Implication: Will proactively safeguard against all adverse effects
due to non-burning of fuel (detected from the intensity of
flame) being injected into the furnace
Action: MFT

MFT - Furnace pressure very high/low

Furnace pressure very high/low
Source: Pressure switch and transmitter.
Implication: Will result in explosion or implosion of the
furnace resulting in mechanical deformity
Action: MFT

MFT - Drum level very high/low

Drum level very high/low
Source: Hydrastep and drum level transmitter
Implication:
High: Will result in Flooding of superheaters causing
a. carryover of dissolved solids and hence deposition downstream affecting
heat transfer
b. fall of steam temperature and quenching of Turbine
Low: Will result in starvation of water in the furnace tubes which will lead to
tube metal overheating as no cooling medium is present
Action: MFT

MFT - Critical flameout

Critical Flameout
Source: Furnace flame scanners detect 2 out of 3 zones
no flame
Implication: Is a consequence of improper combustion in
pre-identified zones within the furnace resulting in flame
instability which may give rise to improper heat
distribution
Action: MFT

MFT - Delayed light-up

Delayed light-up
Source: MFT reset, LDO shut-off valves open and no oil
gun in operation (or in other words put into service) within
10 mins of opening of LDO shut-off valves.
Implication: Repeated unsuccessful attempts to light up
the boiler with oil gun have resulted in accumulation of unburnt fuel (oil) in the furnace and hence the furnace
requires purging.
Action: MFT

MFT - Re-heater protection

Re-heater protection
Source: All governor valves closed, HP bypass valve < 2% open with
a. at least one feeder running from remote
or
b. More than 8 out of 12 oil guns in operation
Implication: Damage to tubes that can result from firing in excess of
safe limit which will cause overheating of re-heater tubes due to
absence of a steam flow through it.
Action: MFT

MFT - Condenser Vacuum Low

Condenser Vacuum Low
Source: Pressure switch installed at condenser (500 mmHg abs)
Implication: Under turbine tripped condition and bypass in operation
steam dumping continues at condenser which can result in
pressurization. Under such poor vacuum conditions the condenser
is not capable of dissipating the heat load with existing CW flow and
as a result the temperature rises.
Action: MFT

EFFECTS OF MFT

MFT RELAY OPERATED
LDOT
HFOT
TRIP SEAL AIR FANS
TRIP ALL MILLS
TRIP ALL FEEDERS
CLOSE ALL ATTEMPERATION BLOCK VALVES
TRIP TURBINE
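
The MFT behaviour described in the slides above (trip conditions, first-out indication, the 3-second air flow delay, reset conditions and effects), as an added Python example that is not part of the original slides. The tag names, the powered-up-tripped initial state and the tie-break order for simultaneous causes are assumptions.

```python
# Trip conditions in the order the slides list them (hypothetical tag names).
MFT_CONDITIONS = (
    "all_fd_fans_off", "all_id_fans_off", "boiler_air_flow_low",
    "loss_of_all_fuel", "loss_of_all_flame", "furnace_pressure_very_high_low",
    "drum_level_very_high_low", "critical_flameout", "delayed_light_up",
    "reheater_protection", "loss_of_ht_power", "loss_of_ups_power",
    "loss_of_220v_dc_power", "condenser_vacuum_low", "mft_hard_relay_tripped",
    "two_of_three_main_processors_failed", "both_emergency_trip_pb_operated",
)
ON_DELAY_S = {"boiler_air_flow_low": 3.0}   # "Boiler air flow low for 3 secs"

# Actions listed on the "Effects of MFT" slide.
MFT_EFFECTS = (
    "LDOT", "HFOT", "trip seal air fans", "trip all mills", "trip all feeders",
    "close all attemperation block valves", "trip turbine",
)


class MasterFuelTrip:
    """MFT relay logic with first-out capture; `now` is monotonic seconds."""

    def __init__(self):
        self.tripped = True      # assumption: power up in the safe (tripped) state
        self.first_out = None    # cause shown to the operator
        self._since = {}         # condition -> time it was first seen true

    def _qualified(self, raw, now):
        """Apply on-delay timers; return conditions that have been true long enough."""
        unknown = set(raw) - set(MFT_CONDITIONS)
        if unknown:
            raise ValueError(f"unknown trip condition(s): {sorted(unknown)}")
        qualified = []
        for name in MFT_CONDITIONS:
            if name in raw:
                first_seen = self._since.setdefault(name, now)
                if now - first_seen >= ON_DELAY_S.get(name, 0.0):
                    qualified.append(name)
            else:
                self._since.pop(name, None)   # condition cleared: timer resets
        return qualified

    def scan(self, raw, now):
        """Evaluate one scan; return the actions to execute (empty if none)."""
        qualified = self._qualified(raw, now)
        if qualified and not self.tripped:
            self.tripped = True
            # Simultaneous causes: slide order breaks the tie (assumption).
            self.first_out = qualified[0]
            return list(MFT_EFFECTS)
        return []   # later causes never overwrite the first-out

    def reset(self, raw, purge_complete, reset_request):
        """All three reset conditions from the slide must hold together."""
        if raw or not purge_complete or not reset_request:
            return False
        self.tripped = False
        return True


def demo():
    """Constructed scan sequence: flame loss trips while air flow is still timing."""
    mft = MasterFuelTrip()
    both = {"boiler_air_flow_low", "loss_of_all_flame"}
    log = [mft.reset(set(), purge_complete=True, reset_request=True)]
    log.append(mft.scan({"boiler_air_flow_low"}, 10.0))
    log.append(mft.scan(both, 12.5))
    log.append(mft.scan(both, 13.5))
    log.append(mft.first_out)
    log.append(mft.reset({"loss_of_all_flame"}, True, True))
    log.append(mft.reset(set(), purge_complete=False, reset_request=True))
    log.append(mft.reset(set(), purge_complete=True, reset_request=True))
    return log


if __name__ == "__main__":
    print(demo())
```

The first-out stays "loss_of_all_flame" even after the air flow timer expires one second later, which is the point of a first-out indication.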

Oil Fuel Trip

If any of the predetermined oil fuel trip conditions is exceeded the oil fuel trip is initiated. The first-out
cause of trip indication is displayed and alarmed. All oil fuel is removed from the boiler and all
oil burners are shut down. Depending on other conditions a master fuel trip may be generated.
Conditions of an oil fuel trip are:

LDO trip valves close command
LDO trip valves not closed and LDOT condition is present
LDOT relay fails to trip and LDOT condition is present
LDO pressure very low for 3 secs and any LDO burner valves not closed
Atomising air pressure very low for 3 secs and any LDO burner valves not closed
LDO trip valve not open within 10 secs of LDOT reset
Any burner valve fails to close despite boiler load being > 50%
LDOT hard relay tripped

LDOT can be reset when

None of the above trip conditions exist
MFT relay is reset
Trip valve open is initiated
All LDO burner valves are closed

Pre Light-up Control

Why: To ensure all predetermined boiler LIGHT-UP conditions are satisfied
prior to introducing any fuel in service.
When: Once the boiler purge has been completed and the master fuel trip
has been reset.
How: It ensures that individual fuel and air conditions for pre light-up are
satisfactory for igniter and burner operation, which shall include the following
checks and hence provide permission to light LDO:

LDO trip valves open
LDOT reset
LDO pressure healthy
Atomizing air pressure healthy

Individual Burner Control

Classification of burners

Burner for gas firing - nozzle type

Burner for oil firing - sprayer plate type

Burner for coal firing - gravity fed down shot fired, corner
fired, front fired

Individual Burner Control - Oil

Why: To ensure on light up a healthy flame is detected at the oil burner, else the
burner is to be taken out of service ensuring no remnants of fuel in the
burner
When: Once the permission to light LDO is given
How: It ensures that individual burner shall operate in 4 modes

Oil burner start permissives
Oil burner light-up
Oil burner shutdown
Oil burner scavenging

Oil burner start permissives

The following permissives are to be satisfied in order to proceed towards
light-up

Permission to light LDO is present
Burner LDO valve is closed
No flame is detected at burner
Burner shutdown condition is not initiated
Burner spark ignitor power healthy

This gives the Burner permission to start

Oil Burner Light-up: Notes

Note 1:

Burner Permission to start is present
Burner start PB operated

This puts the burner in lighting mode

Note 2:

Atomising air valve open
LDO valve open
Oil gun inserted
Oil flame detected

These conditions indicate burner in operation

Oil Burner Light-up

Sequence of operation
Step 1:
Burner is in lighting mode
Burner is not in operation
Feeder is not running from remote

Secondary air dampers are initiated to move to oil position (air flow 30 to 120 T/hr)

Step 2:
Burner is in lighting mode
Secondary air dampers are in oil position or Feeder is running from remote

Oil gun insertion initiated

Step 3:
Burner is in lighting mode
Oil gun inserted

Atomising air valve open initiated

Oil Burner Light-up

Sequence of operation
Step 4:
Burner is in lighting mode
Oil gun inserted
Atomising air valve open
Scavenge valve closed
Spark ignitor insertion initiated (and 15 secs timer triggered)

Step 5a:
Burner is in lighting mode
Oil gun inserted
Atomising air valve open
Scavenge valve closed
Spark ignitor inserted

Energise spark ignitor

Oil Burner Light-up

Sequence of operation
Step 5b:
Burner is in lighting mode
Oil gun inserted
Atomising air valve open
Scavenge valve closed
Spark ignitor inserted
LDO selected
LDO valve open initiated
Oil flame is detected
After 15 secs of ignitor insertion, command is withdrawn and hence ignitor retracts

Burner Light up done

Oil Burner shutdown


If any of the predetermined conditions occurs a burner shutdown is
initiated. It denies permission to start and resets lighting mode and as a
result it closes atomising air valve and LDO valve, but oil gun remains
inserted

Burner in lighting mode for 60 secs and oil gun not inserted
Burner in lighting mode for 60 secs and LDO valve closed
Burner in lighting mode for 60 secs and atomising air valve not full open
LDO valve not closed and oil gun not inserted
LDO valve neither full close for 15 secs nor full open
LDO valve not closed for 10 secs and oil flame not detected
LDO valve not closed and scavenge valve not closed
LDOT
MFT
Air flow < 10 %

Oil Burner Scavenging

A condition which sees LDO valve close from open condition generates "Burner oil gun scavenge
required" (resets when oil gun is retracted or LDO valve is not closed)

Sequence of operation
Step 1:
Burner oil scavenge required persists
Oil gun scavenge not blocked
Indicates burner oil gun in scavenge mode

Step 2:
Oil gun in scavenge mode
Oil gun inserted
Atomising pressure healthy
Spark ignitor insertion initiated and 2 min timer triggered to start countdown of scavenge process

Step 3a:
Spark ignitor inserted
Energise spark ignitor

Oil Burner Scavenging

Burner oil gun scavenge is blocked when

MFT
LDOT
Either scavenge valve or atomising valve not full open when burner is in scavenge mode, oil gun is inserted, atomizing air pressure is healthy, ignitor is inserted and sparking
Either ignitor power is not available or ignitor not inserted when burner is in scavenge mode, oil gun is inserted, atomizing air pressure is healthy,
Oil gun scavenge required persists and Atomizing air pressure not healthy
Oil gun scavenge required persists and Oil gun not inserted
Oil Burner stop command

The above conditions block scavenge mode

Oil Burner Scavenging

Sequence of operation
Step 3b:
Oil gun in scavenge mode
Oil gun inserted
Atomising pressure healthy
Spark ignitor inserted
Spark ignitor power available
Scavenge valve open initiated

Step 4:
Scavenge valve open
Step 3b condition satisfied
Atomising air selected
Atomizing air valve open initiated

Oil Burner Scavenging

Sequence of operation
Step 5:
Atomizing air valve open
Scavenge valve open
Spark ignitor inserted
Spark ignitor power available
2 mins has not elapsed since starting of scavenge process
Indicates Burner oil gun purge/scavenge in progress

Step 6:
Step 5 all conditions remaining except that 2 mins has elapsed since
starting of scavenge process
Oil gun retract initiated

Oil Burner Scavenging

Sequence of operation
Step 7:
Oil gun retracted

Initiates
scavenge valve to close,
atomising air valve to close,
de-energise spark ignitor,
retract spark ignitor and
simultaneously scavenge required message will disappear

Individual Burner Control - Coal

Why: To transfer the firing from oil to coal and attain a stable flame in the furnace at high loads

When: Once oil flame is detected, mill discharge valves are closed and PA to Mill inlet damper is closed

How: It ensures that individual burner shall operate in 6 modes

Mill start permissive and Mill starting
Operation of Mill discharge valves
Feeder starting
Feeder normal shutdown
Mill normal shutdown
Preferential Mill tripping

Mill Trip Conditions

The following conditions shall cause a Mill to trip

LOS or emergency stop pressed
Mill and feeder running from remote, oil flame not detected with either feeder speed <30% or coal flame not detected, signifying low coal and no ignition source
Feeder running from remote and neither coal nor oil flame detected, assuming flame monitoring system is healthy, signifying loss of coal flame without ignition source
Loading gas pressure very low
Lub oil pressure very low, signifying no lubrication to Mill gear box and bearings
Both PA fans stopped
Mill running from remote for >30 secs and PA flow below minimum
Mill running from remote for >30 secs and Secondary air flow < 45%
Seal air pressure very low
MFT or Mill hard relay

Mill trip reset conditions

The following conditions if satisfied will reset the Mill Trip Relay

Oil flame is detected
Mill discharge valves are closed
PA to Mill inlet damper is closed

Note:
Mill running from remote for 10 secs moves the secondary air
dampers to PF position

Mill Start Permissive

The following conditions shall be satisfied prior to starting a Mill

No mill trip condition present and Trip relay reset
Either both PA fans running OR one PA fan running with less than 3 mills running
Selector switch in remote and breaker in service
Seal air pressure healthy
Mill outlet temperature > 60°C but < 110°C
Oil flame detected
Mill discharge valve open
Mill lub oil pressure healthy
Mill loading gas pressure healthy
PA to mill inlet damper closed

The above conditions give the permissive to start a Mill, and when
Mill start is initiated from remote the Mill starts, provided the Mill
is not in shutdown mode

Mill discharge valve open and close

The following conditions need to be true prior to opening a Mill Discharge
Valve

Mill Trip relay reset
Oil flame detected
MDV not open
Seal air pressure healthy

The above conditions give the permissive to open Mill discharge valve, and
when Open is initiated the MDV opens

The following conditions need to be true prior to closing a Mill Discharge
Valve

Feeder stopped
Mill stopped
MDV open

The above conditions give the permissive to close Mill discharge valve, and
when Close is initiated or MFT or Mill hard relay trip occurs the MDV
closes

Feeder Starting

The following conditions generate a start permissive for a Feeder

Mill Trip relay reset
Oil flame detected
Feeder selected to remote
Seal air pressure healthy
Mill running from remote
Feeder selected in remote
Mill secondary air dampers in PF position (air flow 80 to 140 t/hr)
Mill PA flow not below minimum (not less than 45 T/hr)
Feeder trip condition not present and not running from remote

The above conditions give the permissive to start a Feeder from remote,
and when start is initiated the Feeder starts, provided the Feeder
is not in shutdown mode

Certain points to note

The following conditions generate a permission to shut down oil
burners

Coal flame has been detected
Coal flame is healthy
Feeder is running from remote for more than 10 mins

The oil burners are now taken out of service

For providing support ignition the following conditions need to be true

Coal flame has been detected
Coal flame is not healthy
Feeder is running from remote

This generates an alarm "Mill support ignition required" and accordingly oil
burners are to be put in service

Feeder Normal Shutdown

The following conditions generate a permission to stop
a Feeder

Oil flame detected
LDO valve open for both oil burners
Feeder running and speed at minimum

Either of the following conditions generates a trip
condition for a Feeder and indicates Feeder in shutdown
mode

Permission to stop Feeder persists, Feeder selected to remote, Stop feeder initiated
MFT
Mill Trip relay
Feeder motor protection operated

Mill Normal Shutdown

The following conditions generate a permission to stop a Mill

Mill running from remote
Mill differential pressure low

OR

Mill running from remote
Oil flame detected
LDO valve open
Feeder stopped

The above conditions need to persist for more than 5 mins to initiate a
permission to stop a Mill. It signifies Mill is empty.

Either of the following conditions de-energizes Mill hard relay and
indicates Mill in shutdown mode

Mill is empty, Mill selected to remote, Stop Mill initiated. Inhibits oil burner
shutdown until Mill outlet temperature is < 60°C and mill is stopped
MFT
Mill Trip relay

Mill Seal Air valve Open / Close

Either of the following conditions will result in opening of Mill Seal Air
Valve

Mill Trip relay reset
PA to Mill inlet damper not closed
Open Seal air valve initiated

Provided no Seal air valve close signal persists

Either of the following conditions will result in closing a Mill Seal Air
Valve

Mill trip relay tripped
Mill stopped and close seal air valve command initiated

Provided PA to Mill inlet damper open does not persist

Preferential Mill Tripping

Why: To take certain running Mills out of service as per preference in order
to reduce firing and compensate for the furnace conditions prevailing

When:
On Turbine trip
Load rejection >50%
Single FD or PA fan running

How: It ensures that extreme burners shall trip

Under 4 mill condition

If Mill D is not in service then Mill A trips
If Mill A is not in service then Mill D trips
If both Mill A and Mill D are in service, Mill A trips if Mill D is the single Mill in the rear OR Mill D trips if
Mill A is the single Mill in the front
If Mill A and Mill D both are not in service then Mill B trips

Under 5 mill condition

Mill A and Mill D trip if they are both in service
Mill A and Mill B trip if Mill D is not in service
Mill B and Mill D trip if Mill A is not in service

Hardware - PLC

EFFECTIVE AND RELIABLE SYSTEM FOR OVERALL SUPERVISION OF BOILER SAFETY IN A POWER PLANT.

CONTAINS SAFETY GUIDELINES PROGRAMMED INSIDE FOR TAKING PREVENTIVE MEASURES IN EXTREME CASES TO TAKE THE WHOLE SYSTEM TO STEP-BY-STEP SHUTDOWN.

IT FORESEES FUTURE ERRORS AND GENERATES ALARMS.

BMS IS THE SUPPORTIVE SYSTEM WITH THE DCS TO MANAGE THE PLANT IN A SIMPLER WAY.

[Figure labels: Transferring control to Fault Tolerant pair and running self diagnostics; Chassis with Processor and I/O cards; Running self diagnostics and monitoring]

Hardware - PLC

THE BMS IS A PLC, PROGRAMMED ACCORDING TO USER NEED.
LIKE CONVENTIONAL PLC SYSTEMS THE BMS ALSO CONSISTS
OF THE FOLLOWING PARTS:

1. MOUNTING RACK: FOR HOUSING THE WHOLE PLC SYSTEM.
2. POWER SUPPLY: FOR SUPPLYING POWER TO THE PLC SYSTEM.
3. MAIN PROCESSOR: THE BRAIN OF THE SYSTEM
4. I/O CARDS: INTERFACING UNITS BETWEEN SYSTEM & FIELD
5. SPECIAL MODULES: COMMUNICATION WITH OTHER SYSTEMS, ETC.
6. SPECIAL FUNCTIONS: HIGH SPEED COUNTER, THERMOCOUPLE SENSORS (NOT IN BBGS)

What is TMR architecture?

It means Triple Modular Redundant

TMR architecture integrates three isolated parallel
control systems (as evident in diagram)
Extensive diagnostics carried out in each Control
System
The system uses TWO-OUT-OF-THREE voting to
provide high integrity, error free uninterrupted
process operation with no single point of failure

WHAT ARE THE KEY FEATURES?

The Tricon controller uses three identical channels to process single data
from field

Each channel independently and in parallel executes the application program,
which can remain in the form of Ladder Logic, Functional Block Diagram
or Statement List in the processors

Specialised hardware / software voting mechanisms qualify and verify
digital inputs / outputs from / to field

Analog inputs are subjected to a MEDIAN VALUE selection

Each channel is isolated from the others and no single point failure in any
channel can pass to another channel
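
The two-out-of-three vote on digital points and the median-value selection on analog points described above, as an added Python example (not Tricon firmware and not code from the slides). The leg names A, B and C follow the slides; the discrepancy limit, the latched fault set and the `max_dev` tolerance are assumptions.

```python
LEGS = ("A", "B", "C")


def vote_2oo3(a, b, c):
    """Two-out-of-three vote on a digital point; returns (value, dissenting legs)."""
    readings = dict(zip(LEGS, (bool(a), bool(b), bool(c))))
    voted = sum(readings.values()) >= 2
    dissent = [leg for leg, value in readings.items() if value != voted]
    return voted, dissent


def median_select(a, b, c, max_dev):
    """Median-value selection for an analog point.

    Returns (median, legs deviating from it by more than max_dev).
    max_dev is a hypothetical diagnostic tolerance in engineering units.
    """
    readings = dict(zip(LEGS, (a, b, c)))
    median = sorted(readings.values())[1]
    suspects = [leg for leg, v in readings.items() if abs(v - median) > max_dev]
    return median, suspects


class VotedDigitalInput:
    """Voted point with a latched per-leg discrepancy alarm.

    A leg that disagrees with the voted value for `limit` consecutive scans
    is latched as faulted until maintenance clears it. The limit is an
    assumed value, not taken from the slides.
    """

    def __init__(self, limit=3):
        self.limit = limit
        self.count = dict.fromkeys(LEGS, 0)
        self.faulted = set()

    def scan(self, a, b, c):
        voted, dissent = vote_2oo3(a, b, c)
        for leg in LEGS:
            self.count[leg] = self.count[leg] + 1 if leg in dissent else 0
            if self.count[leg] >= self.limit:
                self.faulted.add(leg)     # alarm for corrective action
        return voted                      # output is unaffected by one bad leg

    def clear(self, leg):
        """Maintenance acknowledgement after the leg has been repaired."""
        self.faulted.discard(leg)
        self.count[leg] = 0


# Constructed samples: leg B is stuck on while the field contact is open,
# then the contact closes and all three legs agree.
STUCK_ON_B = [(False, True, False)] * 3 + [(True, True, True)]


def demo():
    point = VotedDigitalInput(limit=3)
    voted = [point.scan(*legs) for legs in STUCK_ON_B]
    return voted, sorted(point.faulted)


if __name__ == "__main__":
    print(demo())
    print(median_select(49.8, 50.1, 120.0, max_dev=2.0))
```

The stuck leg never changes the voted value, but it stays flagged after the legs agree again, so the masked fault is still repaired before a second leg can fail.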

TMR Architecture

[Diagram labels: Input Leg A, Input Leg B, Input Leg C; Main Processor A, Main Processor B, Main Processor C; Output Leg A, Output Leg B, Output Leg C; +V; Loopback]

Terminology and buzz words

Fault Tolerant
The Ability of the System to Continue to Perform its
Function in the Presence of Faults and Errors.
No Single Point of Failure will Shutdown the System

Fail-Safe
If the System does Fail it will Fail to the Safe State or the
state of the Equipment Under Control (EUC) when safety
is achieved - de-energized for ESD Systems

PFD - Probability-to-Fail On Demand

Availability
The probability that the system will be operational at
some instant of time

WHAT ARE THE KEY FEATURES?

Diagnostic Features

Input card checks for stuck on points

Output card checks for output voter diagnostic

2OO3 voting

Processor checks for faults at input and output
modules as well as itself and generates appropriate
alarms for corrective action
