This invention relates to a logic system control and monitor circuit utilizing a programmable controller and in particular to a control and monitor circuit that monitors the integrity of two series output converter triacs and their respective image registers in the control circuit and alarms the condition when one or both triacs fail in the unsafe mode or their respective image registers fail.
Prior to starting up any safety system, it is necessary to assure that all equipment pertaining to start-up and operation is functioning in a safe and proper manner. Prior to start-up of a fossil fuel steam generating unit, the furnace volume must be purged to assure that there are no volatile fuels present in the furnace. To assure that all equipment pertaining to start-up of the boiler is operating in the prepurge mode prior to purging the furnace, the burner management control system monitors the equipment and generates a purge permissive signal. The purge is then operator initiated after the purge permissive signal is generated.
In an energize-to-start, deenergize-to-stop logic system utilizing electronic input and output modules, the shorted failure of a solid state switch such as a triac is a failure in the unsafe mode. Triacs in particular are used because triacs can be switched to the conducting state and conduct current under either voltage polarity. Furthermore, in circuits operating at 60 hertz, successful commutation occurs upon voltage reversal.
Triacs are used on the output converters within the output modules to switch power on or off to the field devices. When an output converter triac fails in the unsafe mode or an output converter image register fails, a field device can be unexpectedly energized and possibly cause a hazardous condition. In the operation of a steam generator, the hazardous condition may be caused by energizing a fuel valve motor at an improper or unsafe time. One known method to prevent the failure of an output converter triac in the unsafe mode or a failure by error in the output converter image register from producing a hazardous condition is to place a second output converter triac in series with the first output converter triac. The two series output converter triacs are then simultaneously switched to change state when it is desired to have a field device energize or deenergize. The redundant output converter triacs decrease the possibility of a field device being energized due to the failure in the unsafe mode of a single output converter triac or a single image register failure as both output converter triacs would have to fail, both image registers would have to fail, or certain combinations of failures would have to occur for a hazardous condition to occur.
Although using series output converter triacs has reduced the possibility that a field device would energize when not required thereby causing a hazardous condition, monitoring the two series output converter triacs in their respective image registers to determine if a failure has occurred, and if a failure has occurred, which of the two image register-output converter triac combinations has failed, has not been adequate. A failure in the unsafe mode has been detected only when both series triacs fail or both image registers fail as the field device remains energized. A failure of only one of the series triacs or image registers would not cause a hazardous operating condition as the field device would be deenergized by the redundant image register-output converter triac. However, should one of the two series triacs or image registers fail in the unsafe mode, the redundant output converter triac-image register combination that has not failed provides no more protection than a single output converter triac-image register.