Controls Integration White Paper
on Mon, 03/26/2018
1. Purpose of Document
1.1. In today’s world, there is an ever-increasing awareness and focus on safety. A system designer needs to understand all aspects of design that can affect the safety and reliability of the system they are implementing. The control and limit devices are an integral part of that design, but in and of themselves cannot fully cover all aspects unless a design review has properly identified all hazards, risks and fault modes of the system and how to properly configure the controller and limits to cover these risks.
1.2. After the initial design is complete and the system built, a thorough validation of the system should be performed to verify that all safety issues have been resolved. This should test each fault mode to verify that it has been properly mitigated in the system design and that the wiring of the system has no errors. A third-party Nationally Recognized Test Laboratory “NRTL” should be consulted to review the design. This is one of the most critical steps in the design process to ensure everything is designed, hooked up and programmed correctly. A system validation guide should be created with the machine for the operators and maintenance personnel to use for future reference.
1.3. It is also the installer’s responsibility to ensure that any changes made to the system after initial setup are reviewed in the same light as the original system validation. We all know things break down over time. Any replacement items need to perform as well as or better than the original device, and if a controller or limit is replaced, or settings are altered, the safety of the system needs to be verified to ensure continued compliance.
1.4. Proper documentation and a general understanding of the machine risks and how they are mitigated is a must, so these considerations can be understood over the lifetime of the machine.
1.5. With the connectivity of the world and devices increasing, the use of passwords and other security features to lock the user settings from being unintentionally or maliciously adjusted needs to be considered.
1.6. With that in mind, this document is an effort from Watlow’s standpoint of helping the system designer and maintenance personnel understand and implement the safety and reliability features available within our products and show how to properly implement them.
1.7. As Watlow cannot possibly know or take into account all of the different possible system setups, this is not meant to be the ultimate say on safety. For more guidance, please consult the risk analysis and functional safety standards below, other similar standards, or third-party safety agencies.
1.7.2. IEC 61511 Functional Safety - Safety Instrumented Systems for the Process Industry Sector and associated sub-standards.
1.7.3. ISO 14971 MEDICAL DEVICES - RISK MANAGEMENT and associated sub-standards
1.7.4. NFPA 70 – National Electrical Code
1.7.5. NRTL Safety Standards – ANSI/UL/IEC 61010-1 Safety Requirements for Electrical Equipment for Measurement, Control, and Laboratory Use and associated substandards.
1.7.6. Other NRTL Safety Standards as applicable.
1.7.7. FM Class 3545 Temperature Limit Switches.
System Setup Example
System Setup Example Hardware Setup
- EZ-ZONE® PM6C1CC-ALEJAAA Integrated Control Limit Device.
- Sensor 1 – Control Loop – Thermocouple Type “J”, Control and alarm sense input
- Output 1 Switched DC to Solid State Relay – Heater Power
- Output 2 Switched DC to Solid State Relay – Boost Heater Power
- Sensor 2 – Limit Function – Thermocouple Type “J”, limit sense input
- Output 3 Mechanical Relay – Alarm Relay output
- Output 4 Mechanical Relay – Limit Relay output
System Setup Example – Firmware Setup
- Sensor 1 controls Output 1 control loop to drive the heat output in closed loop control.
- Sensor 2 controls Output 4 Limit High at 250°F for overtemperature and Limit Low at 0°F for reverse sensor protection.
- Sensor 1 controls Alarm 1 (Output 2) Low Deviation Alarm 10°F Below Setpoint for Boost Heat. Invert alarm function to be closed on alarm, open in safe condition.
- Sensor 1 controls Alarm 2 (Output 3) High/Low Process Alarm for Limit sensor short protection.
Benefits of Setup
- Independent Sensor and output for Limit function with redundant alarm. Enhances system safety.
- Heater ½ sized so it controls at 60 – 75% power during normal operation. Reduced risk of thermal runaway if heater output device shorts. Better control and heater life. Reduced flicker for EMC compliance.
- Boost heat allows for rapid warm up of system on start up with reduced risk of thermal runaway if heater output device shorts. Better control and heater life. Reduced flicker for EMC compliance. Enhances system safety and reliability: if one heater fails, the other can be used as primary control. The method of switching control and boost heat should be clearly documented.
- Alarms help protect against shorted and miswired sensors.
2. Proper System Design Considerations
2.1. For processes that can exceed a safe condition in a fault mode, a separate independent Limit device is needed. However, the definition of independent only applies to a single fault mode. The Watlow EZ-ZONE® controllers have the ability to integrate the control and limit within the same unit. There is no single point of failure that could cause both the control and limit to fail in an unsafe manner. Use of an alarm as a limit is not permitted as it would share the same sensor as the control and a sensor fault would cause a hazardous situation. Alarms have also not been through the rigorous testing that limits have under FM Class 3545.
2.2. A limit device needs an independent power device to shut down the hazard in a safe manner. Solid state devices cannot reliably disconnect power, and sharing of the contactor with the control output is not allowed, as the control will wear out the contactor and the shared contactor is a single point fault.
2.3. As stated above, an alarm that uses the control sensor cannot be used to take the place of a safety limit, but it can be used to enhance a safety limit so that either device will shut down power safely. The alarm normally closed terminal can be used to turn on cooling fans or other features to increase the safety of systems. Care must be used if the alarm and limit share a shutdown contactor so that excessive alarms do not prematurely wear out the limit contactor.
2.4. The Standard Watlow uses for Safety Limit approval is Factory Mutual Class 3545 Temperature Limit Switches. It has some requirements that need to be followed by the installer to maintain compliance.
2.4.2. Requires a manual action to reset the Limit device. This is a requirement to prevent a fault in the system from going undetected and repeated cycling wearing out the safety device and causing an unsafe fault. A good system design should never have the Limit trip unless there is a fault. The process should not operate so close to the Safety Limit trip point that nuisance failures result. Software monitoring programs shall not be used to automatically reset limit devices! This can mask the fault and not prompt the operator to look for what is truly causing the fault.
2.4.3. If there is a fault in the system that caused a Limit to trip, it should be investigated to determine the cause and any necessary repairs made so the fault does not repeat.
2.6. Many users want systems to be operational as quickly as possible on startup. This results in using larger heaters than necessary to get the process up to temperature quickly. This adds a hazard to the system as large heaters can quickly reach unsafe temperatures in fault mode. It also requires the power switching device to be larger, and rapid switching of large loads causes light flicker and can cause the unit to fail the IEC flicker test.
2.6.2. Using multiple loads also will reduce the load current switched with each output so smaller devices can be used and flicker problems will be reduced.
2.6.3. Multiple loads also help from a reliability standpoint. If one heater opens, the system is not down. The other heater can be used to control the process until the system can be taken offline to be fixed.
3. Links to other Watlow white papers.
3.1. http://www.watlow.com/literature/whitepapers.cfm
3.2. Use of Temperature Safety Limits In the Semiconductor Industry
3.3. When to select a Limit, versus an Alarm Controller
3.4. Cascade control with multiple inner loops
3.5. Delta Wye Boost heat application
3.6. Reversed Thermocouple Detection
3.7. SCCR – Short Circuit Current Rating for Watlow Power Controls
4. System Sensor Setup Options.
4.1. Sensors are used to accurately measure a process value and this value is used by the controller for a decision making process. Sensors can be robust and reliable, but consideration needs to be given to issues that can arise in order to protect system reliability.
4.2. Sensors can open, short, or come loose from mounting surfaces giving poor thermal response. Sensors can have poor placement and respond slowly to process changes. Sensors can have ground loops and give incorrect information to the controller. Sensors can be programmed to the wrong type or the wrong units, can be set up incorrectly in the controller, pointed to the wrong control loop, etc.
4.3. Depending on the reliability and system response time, many if not all of these items need to be considered. On initial design of systems, there are many features built into Watlow controllers that can be used to enhance system reliability and system safety. Careful consideration to these and validation of system design after installation are critical to ensuring the safety of the system. Keep in mind that enhancements made for system reliability (up time of system or ability to limp through errors), can reduce system safety depending on how they are implemented.
4.4. To protect against an open thermocouple, RTD and Thermistor sensor errors, Watlow EZ-ZONE® controllers offer several features.
4.4.2. The controller output can be programmed to go to a desired state on sensor failure: the control mode is set to off, the output goes to a fixed power, or the output continues at the last stable power when certain conditions are met. Note that if an alarm is used to interrupt control heater output, and is based on the control sensor input, it will turn off the process regardless of loop settings. Use of the limit sensor as alarm sensor can reduce system safety!
4.4.3. When RTD S2 opens on three wire sensors, this causes temperature to read higher than actual by the amount of lead wire resistance. Use of 1000 ohm RTD sensors mitigates this risk as wire length errors become less of a consideration.
4.4.4. NOTE: This table takes into account that both leads of wire will add to error. The table below is the total length of the sensor wire for the control to see the amount of error.
4.4.5. 1 ohm of error is approximately 4.61°F with 100 ohm RTD.
4.4.6. A process sensor using default setup under a short or open condition may turn the output full on which is a hazardous condition. To mitigate this fault, set process error enable to low and set process error limit to less than the minimum normal valid condition. For 4 to 20 mA as an example, set to 3.5 mA. Default of these parameters is OFF and 0.00. If a normal process input value is 0 in normal condition when using a 0 to 20 mA or 0 to 10V, then this feature will not provide protection. Scale sensor input so that the 0 setting is below normal use value and set process error limit to 0.1 or some value below normal operation but above 0.
4.5.1. The primary safety for a shorted control sensor is by use of an independent limit sensor and output. This should be configured so that under normal operating conditions, the limit should not trip. But on a fault such as shorted sensors or a shorted heater power device it will trip in a timely manner.
4.5.2. Utilizing the Open Loop Detect feature will allow the controller to respond to this condition by displaying an open loop error and the controller’s outputs will be disabled. See Open Loop Detect Enable feature in user’s manual. Set open loop detect deviation to a time appropriate based on system response time; i.e. how quickly does sensor respond to control power. Open Loop Detect Deviation is a process value in degrees that you would expect the sensed value to change when heater is working within the detection time. An understanding of system response is needed to properly set this prompt to avoid nuisance tripping of this alarm, while still providing adequate protection.
4.5.3. Another method that will help protect against a limit sensor fault is to use an alarm to act as a redundant limit. The alarm input should be based on the controller sensor input so that it is independent of the limit sensor to detect limit sensor faults. It cannot be used to replace a limit as it does not protect against a controller sensor fault. The alarm can be set to the same temperature trip point as the limit and should also be latching to prevent an auto reset feature from wearing out the alarm/limit contactor by excessive cycling.
4.5.4. Also set the alarm for low process alarm; if the sensor shorts and shows too low a value, the alarm will trip. Use Alarm Blocking and Alarm Silencing to allow the system to start up without the alarm tripping; then, once within range, any excursion outside of the normal control band will cause the alarm to trip.
4.6.2. Utilizing the Open Loop Detect feature may allow the controller to respond to this condition by displaying an open loop error and the controller’s outputs will be disabled. See Open Loop Detect Enable feature in user’s manual.
4.6.3. Use care on initial power up as limit sensor may be set incorrectly and will not properly shut down system safely.
4.8. If a sensor is poorly placed or comes loose from mounting, it will not read the actual process temperature but may not be so displaced that it reads ambient. It may only be a couple degrees off, or may lag the process severely. To protect against sensor placement errors or a sensor coming loose from mounting:
4.8.2. Use independent mounting hardware for Controller and Limit sensors to avoid both having same fault due to a broken mounting bracket.
4.8.3. Validate the system response for correct sensor placement before placing the system into service.
4.9.2. Enable security to prevent unintentional changes
4.9.3. Ensure the display represents the calibration offset values in effect. Calibration offsets apply to the entire sensor range. Ensure that the offset is linear across the span of interest. Validate calibration offset values at multiple readings including minimum and maximum sensed values.
4.10.2. Use security to prevent operators from changing display units type. When using communications to adjust controller setpoint or other values, ensure the temperature units are set correctly. The communications units are independent of the panel display units. Once configured, validate the system with the software used.
4.11.2. Utilizing the Open Loop Detect feature will allow the controller to respond to this condition by displaying a loop reversed error and the controller’s outputs will be disabled. See Open Loop Detect Enable feature in user’s manual.
4.12.2. Use security to prevent operator from changing these values if changes do not need to be done in the field.
4.13.2. Use security to prevent operators from changing limit trip point values if changes do not need to be made in the field.
4.13.3. In actuality, once set by the factory for the maximum safe limit temperature there should be no need for the end user to adjust this parameter. If adjustable trip points are desired, an alarm is the preferred method to adjust trip points in the field. These typically are utilized to protect product and not protect the system. i.e. Product in a temperature chamber that cannot exceed 100°C, an alarm should be set to this value. The Limit should remain at the maximum that the chamber can handle which may be much hotter.
4.14. Sensors can be wired to the wrong connector. Several of Watlow products offer multiple sensor inputs or systems can have multiple controllers. If careful tracking of wires is not observed, it is possible to hook the wrong sensor to the wrong control loop, or to program the unit internally for the wrong sensor. If sensors are in very close proximity it may not be an issue, but if controlling different processes it can have disastrous results.
4.14.2. The EZ-ZONE® PM and RM controllers have polarized keyed connectors to prevent incorrect slot placement. However, if the keys fall out, are removed, or excessive force is used, they could be plugged in wrong. Some models do not offer keying function and care must be taken when plugging connectors in, especially where an installer does not have a good view of the connector labels. Labels may have been removed, making the correct connector placement more difficult.
4.14.3. By properly using alarm features and loop detection specific to each process, mis-wiring of sensors can be detected if the processes are different enough.
4.15.2. Ground loops can be caused within a system when there are multiple points of reference for similar signals. If multiple sensors are on the machine and each grounded at a different point, noise can cause a voltage difference between these connections. If non-isolated analog inputs are used with grounded sensors and outputs are referenced to ground, ground loops can occur. These can cause shifts in sensor calibration.
- The Watlow EZ-ZONE® products can be ordered with isolated sensor inputs to prevent these issues.
- Ungrounded element sensors can also be used to prevent ground loops.
4.15.3. A critical safety concern is using sensors to measure live electrical heaters or traces or ungrounded sheathed heater elements. These voltages on the sensor line can cause errors in measurement, but of more concern is that this can cause all other non-isolated parts of the controller to be electrically live; communications ports, digital inputs and digital outputs can become a shock hazard. The isolation between Watlow sensor inputs is a functional isolation for low voltage noise only; it is not meant to isolate from hazardous voltages.
6. Proper selection of output devices.
6.1. An installer needs to understand the type of load to be switched, the currents involved, and how fast the outputs need to be switched for proper control in order to select the proper output device. Faster cycle times result in better heater life. Fast cycle times can quickly wear out some output devices. Very fast cycle times can cause flicker on the power lines that can be an issue for EMC compliance. The following are characteristics of different output types:
6.1.2. Solid State Relays – moderate current, very fast cycle rates, adds heat to enclosure, fault mode is typically shorted output which can be a hazardous situation if not protected. Long life if used within ratings. Cannot be used with DC voltages.
6.1.3. Switched DC – Used to control external solid state devices.
6.1.4. Open Collector – A higher power version of switched DC used for switching coils of relays or small DC loads or multiple solid state devices. Requires an external power source.
6.1.5. Process outputs – programmable milliamp and voltage ranges for proportional valves or phase angle control devices.
6.1.6. NO-ARC Relays – Hybrid type device, mechanical relay and solid state relay in parallel. Offers some of the benefits of solid state relays, long switching life without the generation of heat caused by solid state devices. Should not be cycled too fast, cannot be used with DC, low voltage AC loads or inductive loads. With an estimated life of 2,000,000 cycles this is still less than a 2 year life at a cycle time of 20 seconds for 16 state relay. Since this output is a hybrid type output, it cannot be used as a limit output device: due to the triac in parallel with the relay it has some leakage current, and the triac has the potential to fail shorted.
6.2. The installer has to understand the maximum use temperature the control device will see in service and properly derate the current switched based on the output rating curve published by the manufacturer. Many output devices will have different current ratings depending on the ambient temperature of use.
6.2.2. Quad 2A SSR output types – Depending on the number of outputs actually used on this card, and how many cards are installed in the unit, the current rating will change. Consult the user’s manual for the unit to understand the ratings of this card. This card does have a thermistor onboard that measures the temperature of the output device and shuts it down if it gets too hot to protect the output from thermal overload. However, there is no indication to the end user, other than the fact the output will shut down periodically. This can be difficult to troubleshoot. It will look like the product has poor temperature control. Adjustments to load rating need to be made to prevent these situations.
6.2.3. Dual 10A SSR output types – This output type has different output ratings depending on the ambient temperature of the product. It uses a small fan to cool a heatsink to increase the current rating of the product. This fan cycles on and off based on the temperature of the heatsink. This card does have a thermistor onboard that measures the temperature of the output device and shuts it down if it gets too hot to protect the output from thermal overload. However, there is no indication to the end user, other than the fact the output will shut down periodically. This can be difficult to troubleshoot. It will look like the product has poor temperature control. Adjustments to load rating need to be made to prevent these situations.
6.2.4. Mechanical Relays – Some mechanical relays need to be derated with ambient temperature. This is due to the coil insulation temperature rating. Long term use at extended temperatures can cause this insulation to break down and cause the relay coil to fail. If a relay coil opens this is the typical reason. Lowering load currents, duty cycle or ambient temperature will help this issue.
6.2.5. Use a snubber device when driving inductive loads. Inductive loads such as relay coils have a high inrush current upon turn on and when turning off, the inductive field collapses and causes a high voltage spike to travel back on the power lines to the switching device. This high voltage pulse can quickly damage that device. To protect those devices a “snubber” is used. This is typically a safety capacitor and resistor wired in series and placed across the coil to absorb or snub this high voltage pulse. Watlow recommends a Quencharc suppressor which is a trade name of Paktron.
- For switching of DC loads, a reverse bias diode across the coil can be used to suppress the inductive voltage spike. Validate diode orientation in system.
- Proper placement of the snubber is across the coil being switched.
- If the snubber is placed across the contacts of the switching device this can cause issues. If a high impedance device is being switched, such as an AC input solid state device, the snubber can cause a leakage current across the switching device that can turn on, or hold on, a load once turned on, causing a hazardous situation.
6.3.2. If low voltage is applied to a high voltage power supply unit, operation of the controller may be erratic. The controller may power up even at low voltages. However, depending on the loads applied to the controller it can have erratic operation or reset whenever the output devices turn on as it does not work efficiently or reliably at these voltages. A longer term issue can be a blown power supply fuse as the inrush current can exceed the unit’s power supply fuse.
7. Conclusions.
7.1. Once the system is set up, document the settings and, if the controller allows, store them as the default configuration in memory. If multiple machines use the same settings, consider ordering units with preset parameters or using communications to store settings in each unit. Be sure to read back the configuration to be sure all information is correct.
7.2. Using this guide should help reduce the likelihood of errors in the system due to setup or wiring issues. Validation of the system is the key to safe operation. Any time changes are made to the system, validate the change and update any associated documentation. The only one who can understand the risks of the system is the one who designs it. It is incumbent upon them to take all issues into consideration and understand the fault modes and mitigation techniques. We hope this paper has helped in understanding the controller’s role in system safety.
7.3. If help is needed in configuration of the controller, consult the user’s manual or, for further guidance, the factory. Be sure to have schematic, model number description of controller used and other system information handy.
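The read-back check in 7.1 and the change validation in 7.2 can be automated. The following is an added example, not Watlow code: it compares a read-back configuration with the documented settings of the System Setup Example and, separately, checks requirements from sections 1.5, 2.1, 2.4.2 and 4.5.3 that must hold even if the documentation itself was edited. All key names are hypothetical placeholders, and how values are read from the controller is out of scope.

```python
# Added example. Key names are hypothetical placeholders for values read back
# from the controller; none is a Watlow parameter or register name.
MISSING = "<missing>"

# Documented settings for the example system (from "System Setup Example").
BASELINE = {
    "control.sensor": 1,       # Sensor 1 drives the control loop
    "limit.sensor": 2,         # Sensor 2 drives the limit
    "limit.output": 4,         # Output 4, mechanical relay
    "limit.high_f": 250.0,
    "limit.low_f": 0.0,
    "limit.reset": "manual",
    "alarm2.sensor": 1,        # redundant alarm watches the control sensor
    "alarm2.latching": True,
    "display.units": "F",
    "comms.units": "F",
    "security.locked": True,
}

# Requirements stated in the paper; each predicate returns True when met.
# Missing values fail the check rather than pass it.
RULES = [
    ("limit sensor independent of control sensor (2.1)",
     lambda c: c.get("limit.sensor") not in (None, c.get("control.sensor"))),
    ("limit requires manual reset (2.4.2)",
     lambda c: c.get("limit.reset") == "manual"),
    ("redundant alarm reads the control sensor (4.5.3)",
     lambda c: c.get("alarm2.sensor", MISSING) == c.get("control.sensor")),
    ("redundant alarm is latching (4.5.3)",
     lambda c: c.get("alarm2.latching") is True),
    ("settings locked against change (1.5)",
     lambda c: c.get("security.locked") is True),
]


def audit(readback, baseline=BASELINE):
    """Return a list of (kind, item, detail) findings; empty means clean."""
    findings = []
    # DRIFT: any value that differs from the documented setting, either way.
    for key in sorted(set(baseline) | set(readback)):
        want = baseline.get(key, MISSING)
        got = readback.get(key, MISSING)
        if want != got:
            findings.append(
                ("DRIFT", key, f"documented {want!r}, read back {got!r}"))
    # UNSAFE: requirement violated regardless of what the baseline says.
    for label, ok in RULES:
        if not ok(readback):
            findings.append(("UNSAFE", label, "requirement not met"))
    return findings


def demo():
    """Constructed read-back: trip point raised, auto reset, lock removed."""
    tampered = dict(BASELINE, **{
        "limit.high_f": 400.0,
        "limit.reset": "auto",
        "security.locked": False,
    })
    return audit(tampered)


if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep=" | ")
```

A raised trip point appears only as DRIFT, because the page sets no universal maximum; that value has to be compared with the documented one, which is why the baseline file itself needs the same change control as the controller.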