Knowing Your Limits: Traversing the Ups and Downs of Alarm Trips
When something happens in your plant, whether it's a signal peak or fall, you have to know about it. A limit alarm trip can be a life saver, triggering the response needed to maintain normal, safe operations
By Gary Prentice
A limit alarm trip, known by many names, is a hardware device that monitors a process signal such as temperature, pressure, level, or flow and compares it against a preset limit. If the process signal moves to an undesirable high or low condition, the alarm activates a relay output to warn of trouble, provide on/off control, or institute an emergency shutdown.
(click image for larger version)
Limit alarm trips monitor a process signal and send one or more relay outputs when a monitored signal exceeds preset high and/or low limits. This image shows a dual high/low alarm configuration.
Because they're hard-wired into the process and provide relay outputs, independent limit alarm trips are often referred to as "hard" alarms. This term differentiates a hard alarm trip from the software-implemented alarm a "soft" alarm which is found within a distributed control system (DCS) or a programmable logic controller (PLC).
Most plants perform alarm functions using soft alarms, and some might argue that hard alarms are not necessary. However, hard alarm trips complement DCS and PLC systems by providing redundancy, simple control, and critical safeguarding. Because of the potential consequences to plant and personnel, hard alarm trips continue to be the accepted industry standard for a wide range of primary alarming functions, as well as for backup of DCS and PLC strategies in critical emergency shutdown (ESD) and safety related systems (SRS).
Soft alarms can be susceptible to failures of a computer-based system's power supply, hardware, or software that could disable all the soft alarms in the entire system. Therefore, soft alarms may be inappropriate for providing the degree of protection demanded for critical applications.
Hard alarms are not susceptible to such failures because they maintain complete independence from the DCS or PLC. Hard alarm trips distributed throughout a facility can be used to provide warnings and safety backup measures in the event of a system failure. That's why in critical and safety-related applications, the use of hard alarms is a requirement of many insurance companies.
Another good reason why hard alarms should be considered in place of, or to back up, soft alarms is that rather than intermittent scanning of individual points as in a DCS or PLC, each hard alarm provides continuous supervision of an individual process signal. In some fast-changing applications, the computer's scanning speed or network throughput time may be inadequate. In addition, hard alarms are typically easier to set up, which eliminates potential programming errors. They are also less prone to failure, inadvertent changes, and tampering.
Anything from simple annunciation to shutdown of an entire process can be handled by a limit alarm trip. An alarm trip accepts a process variable input signal from a monitoring or control instrument such as a signal transmitter or sensor. When the monitored variable falls outside a user-set trip point also called a setpoint the alarm trip activates one or more of its relay outputs. The relay(s) are typically used to control a warning light, annunciator, bell, pump, motor, or shutdown system.
In most units, once an alarm trips, it remains in an alarm condition until the process signal re-crosses the trip point and passes out of the deadband. An adjustable deadband makes it possible to increase or decrease this range, thus affecting what point the relay returns to its normal, non-alarm state.
Using this relatively simple "cause and effect" action, limit alarm trips can be economically used in a wide variety of basic and complex applications.
High and Low Limit Alarms
Just the Facts About Limit Alarm Trips
Limit alarm trips can be used to handle the following:
Warn of trouble by providing a "hard" alarm output when a process signal exceeds a high and/or low limit.
Create an independent emergency shutdown system to avert undesirable situations in the event of a central power failure or DCS shutdown.
Provide redundant warning or shutdown capabilities to back up and compensate for failure of DCS or PLC soft alarms.
Replace complicated PLCs with alarm trips that are easier to set up and use.
Reliably and cost-effectively provide on/off control of pumps and motors in batching and similar applications.
Sense dangerous conditions and shutdown control equipment before it's damaged.
Monitor an input for a change in value; trip an alarm when the input rate of change exceeds a selected rate over a selected time period.
A high or low limit alarm is triggered when the variable being measured exceeds a preset high or low alarm trip point. This type of alarm trip is typically used to warn of unwanted process conditions or to provide emergency shutdown.
A limit alarm trip can have one, two, or even four relay outputs. Typically, each relay output can be set to respond to a different trip point. This would include any combination of high or low alarm trips with different trip point settings for each. Some alarm trips also offer the option of setting the relay to trip if there is an input fault such as a broken sensor or to alert that there is a problem with the alarm trip itself.
The following examples describe how alarm trip points might be set for a dual output limit alarm trip. If the alarm trip had four relay outputs, any combination of these same trip options could be applied to the remaining two relays.
High Alarm: A status change (alarm condition) of a single high alarm occurs when the input rises above the trip point.
High/High Alarm: This alarm accepts one input but has two high relays, each with its own trip point. When the input rises above Trip Point 1 (the lower trip point), the first set of contacts will change status to serve as a warning. Should the input rise above Trip Point 2 (the higher trip point), the second set of contacts change status, which may initiate an emergency shutdown. With four relay outputs, you can provide three levels of warning and then an emergency shutdown.
Low Alarm: A status change (alarm condition) of a single low alarm occurs when the input falls below the trip point. A typical application of a low alarm is warning of a low tank level to avoid problems with a pump running dry.
Low/Low Alarm: A dual low alarm accepts one input but has two relays, each with its own independent trip point. When the input falls below Trip Point 1, the first set of contacts will change status merely to serve as a warning. Should the input fall below Trip Point 2, the second set of contacts change status, possibility initiating a shutdown of the process. A typical application includes monitoring the low extreme temperature of a cryogenic tank to avoid over-cooling.
High/Low Alarm: A dual high/low alarm accepts one input and has two relays, each with a separate trip point.
Most alarm trips can perform high/low functions. Other available functions, depending on the product selected, include the following:
Rate-of-Change Alarm: Used to detect changes in the measured value in units per minute or second, a rate-of-change alarm monitors an input for a change in value with respect to time. The alarm is set to trip when the input rate of change exceeds a user-selected rate (Delta) over a user-selected time period (Delta Time).
Input Fault Alarm: On some alarm trips, you can set one or more of the relays to trip when an input is interrupted such as in the instance of a sensor break.
Self-Diagnostic Alarm: Some limit alarm trips continuously monitor their own status during operation and trip if they are not operating properly.
Average and Differential Alarms: These trip when the average of two or three input signals exceeds a pre-selected high or low trip point. A differential alarm trips when the difference between two input signals, such as two RTD temperature sensors, exceeds a specific value.
Window Alarm: It's activated when the process variable is outside the low/high trip point ranges.
On/Off Control: A limit alarm trip can also be used as a simple on/off controller such as those required in level applications (pump/valve control) when filling or emptying a container or tank.
Deadband: The alarm trip fires its relay at the trip point and the relay resets when the process variable reaches the deadband point. Without deadband, if the process variable was hovering and cycling above or below the trip point, the relay would be chattering on and off, leading to premature failure. By setting the deadband just 1 or 2 percent away from the trip point, you can avoid excessive relay wear.
Latching vs. Non-Latching: A latching alarm is one where the relay cannot automatically reset. Once the relay trips, it remains in the alarm condition until an operator manually resets the relay (usually through a pushbutton). Latching alarms are most commonly employed when you want to force an operator to acknowledge the alarm condition.
Time Delay: In many applications, a momentary over-range signal may not warrant an alarm trip. Some alarm trips can be set with an alarm response time delay that stops the alarm from going into an alarm condition unless the trip point has been exceeded for a specific time. This can be used to stop false or premature alarms.
Transmitter Excitation: Some limit alarm trips offer the advantage of being able to provide 24 VDC power to a two-wire (loop-powered) transmitter. This saves the cost of specifying and installing an additional instrument power supply.
Failsafe and Non-Failsafe
Configuring an alarm trip as either failsafe and non-failsafe is a primary safety consideration. In a safety application, the foremost concern should be the alarm trip's action in the case of power failure. An alarm trip with a relay that de-energizes if the input signal exceeds the trip point is called failsafe. It's "failsafe" because, even if power to the alarm trip fails, the unit's relay de-energizes as if it were in the alarm condition. Failsafe relay action is chosen for the vast majority of alarming applications.
In a non-failsafe alarm trip, the unit's relay is de-energized when the input signal is in the normal condition and energized when an alarm occurs. In this configuration, the alarm trip will not provide a warning if there is a power failure. Should a loss of power and an alarm condition coincide, the alarm would go undetected.
The characteristics of failsafe/non-failsafe and normally open/normally closed relay action can be integrated to provide specific alarming characteristics. To illustrate, consider an application where a light needs to be turned on when a high alarm trip point is reached. If the relay is non-failsafe, it is de-energized when in normal state, and it is energized when in alarm state. Therefore, when the trip point is exceeded, the relay energizes, and the normally open (NO) side of the contact closes, turning on the light. Note that the light has to be wired to the NO side of the contact so that when the high trip occurs, the relay energizes and the circuit closes.
If the relay is failsafe, by definition it is energized when in normal state and de-energized when in alarm state. When the trip point is exceeded, the relay de-energizes, and the normally closed (NC) side of the contact closes, turning on the light. In this configuration, the light needs to be wired to the NC side of the contact.
Worldwide Safety Trend
Limit alarm trips are increasingly asked to play a role in safety systems as primary alarm strategies, to back up soft PLC and DCS alarms, and in other especially critical applications. Some processes are simply too important to rely on a single alarm trip to make a decision. For these, limit alarm trips can be used in a voting strategy. For example, one plant engineer was using three temperature sensors to monitor the burn-off flame of an emissions flare stack. However, when the wind blew, the flame leaning away from the stack gave a false output signal. The solution was to change the strategy to rely on low readings from two sensors to indicate no flame in a 2-out-of-3 voting scheme. This ladder rung approach creates a "flame out circuit" only in the event that two of the three alarms are tripped. Using an alarm time delay with this strategy also helps prevent false trips.
Gary Prentice is an applications engineer at Moore Industries-International Inc., a leader in signal interface instruments for industrial process control, system integration, and factory automation. More information is available by calling 518-399-4747, sending an e-mail to firstname.lastname@example.org , or visiting www.miinet.com .