How to improve the reliability of critical loop wiring?

[hazel]

Some of our critical loops which could cause the whole plant to stop are designed with single loop. It means we can not allow any failure in this loop.
For example, an interlock of level switch causes to stop pump that will activate the other interlock and stop plant. We have a 2oo3 design for the level switch, but only one digital output to stop pump. Every digital output loop has a fuse in PLC cabinet. If the fuse is broken, it will stop the pump.
How can we improve the reliability or modify to prevent the failure for such a loop?

Thanks any comments not necessary base on theory.

best regards

Hazel

 

[MikeHalloran]

Use two pumps?



Mike Halloran
Pembroke Pines, FL, USA

 

[hazel]

yes, it could be a solution. In fact there is a backup pump standby. But there is no automaticly startup design.
Add a dealy off timer in the interlock. Before the trip signal activated, the spare pump must startup automaically.

How about the wiring loop?
Does anything we can do?

Thanks!

 

[IRstuff]

Reliability comes from a number of factors:

> Reduced stress on components
--> lower operating temperatures --> increase cooling to processors, drives, and motors
--> protection of components and wiring from abuse and damage --> shielding and armor, etc.
--> lower performance demands --> use components a substantially lower loading factor than maximum limits --> run motor driver boards at a small fraction of rated output --> run motors at small fraction of rated output --> downside is wasted capacity and efficiency

> Redundancy in hardware
--> multiplicity of components that are switched in when primaries fail
----> switchover requires secondaries to know what the primaries were doing --> requires "hot" backup, but that decreases overall reliability
--> multiplicity of processors doing the same thing and "voting" by majority rules --> everything is "hot" so reliability comes only because it's unlikely for 2 or 3 processors out of 3 to fail simultaneously

> Redundancy in data
--> error checking and correcting codes and processors/processing

As you can see, anything you might do will cost more money, time, or both


TTFN

FAQ731-376

 

[hazel]

Dear IRstuff
Thank you for the information.
In my case, we have redundant PLC System that means it has two Digital Output Card to deal with the signal. But the problem locates outside the system, in case the fuse, the srecw on terminal or damaging on the cable were failure. This loop will out of service and trip plant.
So I personally want to add another DO loop from the same PLC output single and then connect the two DO loop to the final device.
If one of the two loop fuses brokes, then the other loop can keep function.
Is this idea correct and meaningful?

 

[CharlieGill]

You can use the same logic on your output as you are doing on your inputs. You stated that you were using majority voting (2 out of 3) on your input sensing. Assuming 24VDC outputs, you can use simple diode or'ing to any of multiple outputs to energize the motor starter coil (must have a single DC common). You can sum outputs from different PLC cards and run the cables in separate conduits.

Charlie

 

[ScottyUK]

Where will you stop though? Will you install a second contactor too? Or a matrix of four contactors so you have increased likelihood of being able to both start and stop the motor? Is the MCC powering this pump equipped with a source changeover, or are you relying on one feeder cable, one transformer, one circuit breaker, one utility feeder?

A second pump, or three 50% duty pumps, will get around some of the problem. Suitable application code can take care of the majority votes etc and initiate a backup pump start if the first fails to spin up within a defined period or if it trips while running. Unless you duplicate the final hardware you are in danger of spending a lot of time and effort producing a high integrity control system controlling a standard single-point-failure pump. Your system is only as good as the weakest link, and things which have moving parts tend to be among the weakest: switches, motors, contactors, pumps, circuit breakers, etc.

If you are looking for higher reliability from the switches you mentioned, use transmitters instead of switches. A median select from three transmitters will inherently give you self-monitoring. Switches sometimes don't announce that they have failed until they are needed, whereas a dead transmitter is immediately apparent. Expensive, but depends on how much you value the integrity of the signal. In the power industry downtime is phenomenally costly, so we put a lot of effort into redundancy and integrity: the cost of three transmitters could easily be recouped in the first minutes following a generator trip. Some of the heavy process industries have even higher costs.

You might find BS61508 and BS61511 informative - they deal with safety instrument systems and there's a lot of analysis of redundancy, system design, failure detection, and so on. If the standards themselevs don't appeal there are lot of manufacturers dealing with 'Safety integrity levels' or 'SIL' who have made information available.


----------------------------------

If we learn from our mistakes I'm getting a great education!

 

[IRstuff]

Seems to me that a fuse continually blowing signifies a much more serious issue than simply reliability. Fuses blow only when there's an out-of-bounds condition. That means that the fuse was sacrificed to protect something more valuable.

You should be worrying about WHY the fuse is blowing, rather than trying to work around it. If the fuse never blew, you wouldn't be asking about reliability.

And why is anyone damaging cables or screw terminals? These are all training and discipline related issues, and are solved by more vigilance and training.

TTFN

FAQ731-376