FIELD OF INVENTION
The present invention relates to configuration of 2 out of 3 Boiler protection for all
types of steam generators (boilers). More particularly, the invention relates to an
optimized configuration of a microprocessor based control system in 2 out of 3 boiler
protection.
BACKGROUND OF THE INVENTION
Combustion systems of steam generators (boilers) normally fired by gas, oil, coal or
other fuels, and employed either in the production of energy or in chemical/physical
processes, generally pose considerable threat due to the existence of explosive fuel-air
mixtures. During design of such systems, highest degree of safety must constantly be
striven for, under any conceivable state of operation.
To this end, suitable monitoring and control equipment must be used which is always in
position to check and initiate the protection to drive to a safe position.
A burner management system (BMS) is a system which has in-built combinational
sequential and protection logic for fast, yet very safe and reliable, operation of the
boiler in all operating conditions like start-up, shutdown and works in parallel with, but
independent of, the combustion control system.
According to the NFPA-85 Standard, published by national Fire Protection Association,
USA, Burner management system is defined as:

'The control system dedicated to combustion safety and operator assistance in
starting and stopping of fuel preparation and burning equipment and for
preventing mal-operation and damage to fuel preparation and burning
equipment. The burner management system includes the following functions:
- Interlock system,
- Fuel trip system,
- Master fuel trip system including backup relay trip system,
- Flame monitoring and tripping systems,
- Ignition subsystem, and
- Main burner subsystem."
Burner Management System has a decentralized hierarchical structure and is
functionally distributed but geographically centralized architecture. Burner
management System is divided into the following main subsystems:
• Master Fuel Trip (MFT) / Boiler Protection;
• Unit Common Logics;
• Oil Elevation Controls;
• Coal Elevation Controls.
OBJECTS OF THE INVENTION
It is therefore an object of the present invention to propose a method for boiler
protection in a burner management system.

Another object of the invention is to propose a method for boiler protection
which reduces the potential risk associated with industrial combustion processes.
A further object of the invention is to propose a Master-Fuel-Trip subsystem in a
Burner Management system which is implementable in 2-out-of-3 configuration
to ensure the safety and reliability of the system.
SUMMARY OF THE INVENTION
In the present invention, a method and system has been developed for boiler
protection, in particular in 2-out-of 3 configuration, which takes care of all
possible causes of hardware failures and driving the fuel cut-off drives to the
possible safe position to avoid inadvertent undesirable situation.
Possible causes of hardware malfunctioning as detected by the inventors have
been analysed and categorized as under:
> Hardware faults in the input acquisition circuit
> Processor faults and non availability of processor
> Output faults
> Communication faults
> Panel and solenoid power supply faults
Each of those possible faults as would be diagnosed by the control system the
following remedial actions are envisaged in the implementation :

>Annunciating of faults
> Fall back to 1 to 2 case of one channel fault
> Alternating power supply arrangement for fuel cut-off
The configuration takes care of the logical implementation triplicated and on occurrence
of trip equivalence is monitored and discrepancy of the input signal acquisition and trip
actuation is also annunciated.
Accordingly there is provided a method of configuring a microprocessor based control
system embedded with software structure of 2 out of 3 generation of boiler protection,
comprising:
Creating a system split into three independent channels or control islands, each channel
acquiring triplicate input from field for independent and simultaneous processing of the
same acquired field signals;
annunciating to the operator the faults detected during processing of the acquired
signals in each of the channels including display of the data on the LED of the channels;
employing a single processor in 2-out-of-3 redundant mode in each of the channels
being supported by 2-out-of-3 software modules for boiler protection, providing a plant
bus connecting all the three channels or islands having at least two sets of cables and
switches including human-machine interface capable of operating under switched fast
Ethernet standard; providing hardware back-up comprising combinational logics; using
different levels of supervised power supplies to build redundancy in safety measures in
critical process; and providing hardware diagnostics for boiler, in particular Master Fuel
Trip protection hardware enabling continuous monitoring of the system

In order to ensure maximum safety, protection logic monitors all such
parameters, which could result in hazardous explosion and implosion situations,
and ensures safe shutdown of the system through total fuel cut-off and also
ensures reliability by avoiding false actuation of protection.
DESCRIPTION OF THE ACCOMPANYING DRAWINGS
The illustrations accompanying this invention are as follows :
Fig. 1 Diagram showing boiler Protection Configuration according to the
invention.
Fig. 2 Hierarchy of monitoring of Power supplies at different levels according to
the invention.
Fig. 3 An example of Boiler protection formation according to the invention.
DETAILED DESCRIPTION OF A PREFERRED EMBODIEMNT OF THE
PRESENT INVENTION
The basic block diagram for 2-out-of-3 configuration is as per Fig. 1.
The configuration is split into three (3) independent channels or control islands,
wherein each channel has its own Input / output interfaces and Processors and
work independently with voting employed at each and every stage.

The 2-out-of-3 configuration is split into the following three parts:
i) Input Acquisitions;
ii) Processing;
iii) Output Formalisation.
Triplicate inputs of the field data acquired in all the three channels with each of
the input being processed in independent modules for the same field signal. In
view of the paralleling capability of the input modules these field inputs are
connected parallely to each of the channels, which ensures triplicate inputs of
the field are independently available in all the three channels. The input modules
are so designed that the fault in one channel of module will not affect other
channels and also other input modules of the configuration. These modules are
designed with filtering current limiting and opto-isolation between field and the
logic circuit. The fault associated with the module is being annunciated to the
operator and also in the module front LED. This acquisition will avoid distribution
acquisition circuits and enhances the availability of the input acquisition. The
discrepancies in actuation associated with these inputs are monitored for
equivalence and annunciated to the operator. Due to fast scanning nature of the
inputs even the analog (from transmitters) values are acquired and processed in
these stations which will avoid usage of process actuated switches at the field.
This would further enhance the flexibility of input acquisition. Usage of analogue
also embeds the checking of the quality of the signal at the input level. Further,
software is built to fall back to 1 of 2 mode or 2 of 2 mode in case of fault (bad
quality) in one of the input acquisition channels with annunciation to the

operator. The concept, which is implemented, ensures the high reliability and
availability of the acquisition.
Depending on the process requirement, identical programs is made to run in the
processor module of the protection channel. Single processor (Distributed
processing Unit) in 2 out of 3 redundant mode is being employed in each of the
three channels, which will have software of 2 out of 3 for generation of Boiler
Protection. The employed plant bus is having physically separate two sets of
cables and switches, operating on Switched Fast Ethernet Standard',
interconnects all the functional islands and HMI (Human Machine Interface)
provides redundant data highway for transfer of data such as drive status /
permissive / trip conditions among another.
The trip outputs are generated in each of the processing islands and are
available over Plant Bus for shutting off the fuel cut-off drives. In addition to this,
hardwired back up is realized in 2-out-of-3 mode, which works on combinational
logics of the relays.
The system has in built strong capability of hardware diagnostics specifically for
Boiler protection (Master Fuel Trip) apart from normal hardware diagnostics,
which monitors continuously for input / output / processor / communication
sections. The annunciation in the form of events and alarms are provided.
Al the common logics like purge, auto fan logics, flame indications etc, are
implemented in a separate island where equivalence of Boiler protection outputs
are also monitored and used for annunciation. Sequential start-up shutdown and
associated drive level protections of each elevation are implemented in separate

islands depending on the specification and process complexity. The fuel cut off
drives are driven to fail safe position with soft network signal as well as
hardwires back up system.
To build redundancy in safety measures in critical processes, the Boiler
protection uses different levels of supervised power supplies, so that failure of
one power supply does not jeopardize the safety of the boiler. The critical power
supplies normally used for operation of fuel cut off equipment are :
The power supply is supervised for under and over voltage (<21.5 and >28.25
V). In the event of power supply going beyond these limits, the power supplies
to the protection islands are isolated. For the protection channel (boiler
protection), the +24 V DC is monitored for non-availability including the limit
monitoring, which will generate a hardwired trip signal.
Unit level common trip values operate on 220 V DC power supply or alternatively
+ 24 V DC for deenergised to trip single coil solenoid values from separate
feeders. 220 V DC /24 V DC is also monitored and loss of 220 V DC / 24 V DC is
used for generation of BOILER PROTECTION. Corner level drives operate on 110
V AC or alternatively + 24 V DC for deenergised to trip single coil solenoid valves
from separate feeders. The 110 V AC / 24 V DC at each elevation control panel is
monitored for non-availability. The logics associated with this are realized in all
the three protection channels for generation of BOILER PROTECTION, which
depends on the conditional generation of boiler protection depending on the
firing in the boiler. The hierarchy of the Power supplies monitored as per fig 2.

With the above, critical power supplies in the system are monitored, ensuring
safety of the boiler.
EXAMPLES / PREFERRED EMBODIEMNT
Fig. - 3 shows an example formation of total protection system, which
encompasses the triple channel Boiler protection, and various aspects of the
configuration.
Following are the components considered for this implementation
> Binary / Analog input module of the control system hardware
> Processor module of the control system
> Binary output module of the control system
> Relays
> Contractors
> Network cables
> HMI
> Emergency trip Push button,
> Power supply module
> Power supply monitoring circuit

REFERENCES :
1."Boiler and combustion Systems hazards Code", NFPA - 85, 2005 edition
National Fire Protection Association, Quincy MA, USA.
2. "safe and reliable Processor based Burner Management Systems" paper
presented at Boiler 2007 seminar.

WE CLAIM:
1. A method of configuring a microprocessor based control system in 2 out of 3 boiler
protection, comprising:
Creating a system splitted into three independent channels or control islands, each
channel acquiring triplicate input from field for independent and simultaneous
processing of the same acquired field signals;
annunciating to the operator the faults detected during processing of the acquired
signals in each of the channels including display of the data on the LED of the channels;
employing a single processor in 2-out-of-3 redundant mode in each of the channels
being supported by 2-out-of-3 software modules for boiler protection;
providing a plant bus connecting all the three channels or islands having at least two
sets of cables and switches including human-machine interface capable of operating
under switched fast ethernet standard;
providing hardware back-up comprising combinational logics;
using different levels of supervised power supplies to build redundancy in safety
measures in critical process; and

providing hardware diagnostics, in particular Master Fuel Trip protection
hardware enabling continuous monitoring of the protection system.
2. The method as claimed in claim 1, wherein the configuration comprises
three modules for example, input acquisition module, processing module,
and output formalisation module.
3. The method as claimed in claim 1 or 2, wherein the modules are
configured with paralleling capability, and wherein the modules are
connected parallely to each of said three channels or islands.
4. The method as claimed in claim 1, wherein the common logics for
example purge, auto fan, flame indication including equivalence of boiler
protection output are implemented and monitored in a separate island.
5. The method as claimed in claim 1, wherein the sequential start-up,
shutdown, and associated drive level protections of each elevation are
implemented in separate islands.
6. The method as claimed in claim 1, wherein the critical power supplies
used for fuel cut-off equipments are redundant 220 V DC for common
drives or alternatively + 24 V Dc for deenergised trip single coil solenoid
valves from separate feeders, and 110 V AC for individual drives or
alternatively + 24 V DC for deenergised to trip single coil solenoid valves
from separate feeders.

7. The method as claimed in any of the preceding claims, wherein the power
supply is supervised for under and overvoltage for example < 21.5 V and
> 28.25V.
8. The method as claimed in claim 1, wherein the power supplies to the
protection islands are isolated if the power supply exceeding the limits of
said <21.5 V and > 28.25.V.
9. The method as claimed in claim 1, wherein the trip outputs are generated
in each of the processing islands, and wherein the trip outputs are
available on the plant bus for shutting off the fuel cut-off drives and
additionally hardwired back up through combination relay circuits.
10. A method of configurating a microprocessor based control system embedded with software structure of 2 out of 3 generation of boiler
protection, substantially as herein described in the body of the
specification and illustrated in the accompanying drawings.

ABSTRACT

A METHOD OF CONFIGURING A MICROPROSSOR BASED CONTROL SYSTEM
IN 2 OUT OF 3 BOILER PROTECTION
The present invention relates to configuration of 2 out of 3 boiler protection for all types
of steam generators (boilers) normally fired by gas, oil, coal or other fuels, and
employed either in the production of energy or in chemical/ physical processes. This
invention is for optimized configuration of microprocessor based control system for
reliable protection, considering all modes of possible malfunctions and failures. The
method adopted in implementing is developed based on the feedbacks received from
the operating experts and available failure mode details/ detection techniques.
Combining the power of microprocessor based system with backing up of conventional
relay based output formalization to take care of all possible malfunctions and safety
aspects. This method of adaption gives better reliability and safety of the main
equipment and improves the availability of the system.