%
% Make the revision and doc number macros so that they are defined in one place

\ifthenelse {\boolean{paper}}
{
\begin{abstract}
things can get very abstract
\end{abstract}
}
{
\section{Overview}
}

\section{Overview of A Burner Controller : Safety Perspective}

\section{Background to the Industrial Burner Safety Analysis Problem}

An industrial burner is a good example of a safety critical system.
It has the potential for devastating explosions due to boiler overpressure, low water, or
ignition of an explosive mixture, and, because of the large amounts of fuel used,
is also a fire hazard. Industrial boilers are often left running unattended
for long periods of time (typically days).

To add to these problems, operators are often under pressure to keep them running. A boiler supplying
heat to a large greenhouse complex could ruin crops
should it go off-line. Similarly, a production line relying on heat or steam
can be very expensive in production down-time should it fail.
This places extra responsibility on the burner controller.

Industrial burners are commonplace and account for a very large proportion of the energy usage
in the world today (find and ref stats).
They are common enough to have different specific standards
written for the fuel types they use \ref{EN298} \ref{EN230} \ref{EN12067}.

A modern industrial burner has mechanical, electronic and software
elements that are all safety critical. That is to say,
unhandled failures could create dangerous faults.

A more detailed description of industrial burner controllers
is given in chapter~\ref{burnercontroller}.

Systems such as industrial burners have been partially automated for some time.
A mechanical cam arrangement controls the flow of air and fuel across the range of
firing rate (output of the boiler).

These mechanical systems could suffer failures (such as a mechanical linkage becoming
detached) and could then operate in a potentially dangerous state.

More modern burner controllers use a safety critical computer controlling
motors to operate the fuel and air mixture and to control the safety
valves.

Working in the industrial burner industry and submitting products for
North American and European safety approval, it was apparent that
formal techniques could be applied to aspects of the circuit design.
Some safety critical circuitry would be subjected to thought experiments, where
the effects of one or more components failing would be examined.
As a simple example, a milli-volt input could become disconnected.
A milli-volt input is typically amplified so that its range matches that
of the A/D converter reading it. Were this signal source to become disconnected,
the system would see a floating, amplified signal.
A high impedance safety resistor can be added to the circuit
to pull the signal high (or out of normal range) upon disconnection.
The system then knows that a fault has occurred and will not use
that sensor reading (see \ref{fig:millivolt}).
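As an added illustration (not part of the thesis text or its circuit), the disconnection case above worked through in C: a Thevenin model of the sensor source in parallel with the safety pull-up, clipping at the amplifier rail, A/D quantisation, and the out-of-range check the controller applies before using a reading. The rail voltage, gain, resistor values and fault threshold are assumed for this example only.

```c
#include <stdio.h>

/* Illustrative circuit values: assumptions for this example, not from the thesis. */
#define VREF_MV        3300.0  /* amplifier rail and ADC reference, mV */
#define ADC_MAX        4095    /* 12-bit converter */
#define GAIN           100.0   /* 0..30 mV sensor span becomes 0..3000 mV at the ADC */
#define R_SENSOR_OHM   10.0    /* low source impedance of a healthy sensor */
#define R_PULLUP_OHM   1.0e6   /* safety resistor to VREF; at 1 MOhm it biases the sensor by ~0.03 mV */
#define FAULT_COUNTS   3900    /* above any genuine full-scale reading (about 3727 counts) */

typedef enum { READING_OK, READING_FAULT_OPEN } reading_status_t;

/* Voltage at the amplifier input: Thevenin combination of the sensor source
 * (v_sensor through r_sensor) and the pull-up (VREF through r_pullup).
 * A disconnected sensor is an open circuit, so only the pull-up path remains. */
double amp_input_mv(double v_sensor_mv, double r_sensor, double r_pullup, int connected)
{
    if (!connected)
        return VREF_MV;
    return (v_sensor_mv * r_pullup + VREF_MV * r_sensor) / (r_sensor + r_pullup);
}

/* The amplifier output cannot exceed its rail; the ADC then quantises it. */
int adc_counts(double v_in_mv)
{
    double v_out = v_in_mv * GAIN;
    if (v_out > VREF_MV) v_out = VREF_MV;
    if (v_out < 0.0) v_out = 0.0;
    return (int)(v_out / VREF_MV * ADC_MAX + 0.5);
}

/* Plausibility check: a code above FAULT_COUNTS cannot come from the sensor,
 * so the controller flags a fault instead of acting on the value. */
reading_status_t classify(int counts)
{
    return counts > FAULT_COUNTS ? READING_FAULT_OPEN : READING_OK;
}

/* One sampling cycle with the component values above. */
reading_status_t sample(double v_sensor_mv, int connected)
{
    return classify(adc_counts(amp_input_mv(v_sensor_mv, R_SENSOR_OHM, R_PULLUP_OHM, connected)));
}

int main(void)
{
    printf("connected: %d, disconnected: %d\n", sample(20.0, 1), sample(20.0, 0));
    return 0;
}
```

Swapping R_PULLUP_OHM for 1000.0 in amp_input_mv shows why the resistor must be high impedance: a 1 kOhm pull-up biases a healthy 10 Ohm source by about 33 mV, more than the whole sensor span.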