April 2008

Developing a control logic specification: Device control

The control logic specification should define the configuration requirements for all of the major device-related elements.

In this context, a "device" is a control element, not a field device, though most control devices tie to a field device.

While it may appear to be daunting, there really are only a finite number of device types in any control package, regardless of the size of the project. Each field device will have at least one, but perhaps several, associated control devices.

Here is an overview of most of the major ones.

Analog input device-sensors

Sensors detect process elements such as pressure, flow, temperature, and the like. Each sensor will have several parameters that should be defined in the control specification:

  • Scaling blocks-Convert the input signal to Engineering Units (EU). EU conversions sometimes take place in the I/O module itself, depending on system capabilities; otherwise, the calculation takes place inside the PLC program. Regardless, the input scaling feature of the system should provide a means of detecting open circuit conditions and of individually setting failure behavior on open circuit detection. For example, it is frequently advantageous for a critical temperature signal to exhibit "upscale burnout" when faulting, forcing the value to its maximum level. This will cause a severe system reaction when a temperature probe fails, forcing the system to automatically drive to its safest condition.
  • Analog alarm blocks-Each sensor should be able to have alarm set points entered and have alarms generated from the input signal. Most pre-configured AA blocks have four alarms-two that activate on rising values and two that activate on falling values. Generally, the lesser settings generate "warnings," and the extreme settings generate "alarms." The specification should describe the difference between the two in terms of the alarm manager and HMI animation. Typically, a warning does not list in the alarm manager, whereas the alarm does. A warning might appear as a value turning yellow at the HMI, while the alarm might turn that item red.
  • Simulation-If the analog values are to be simulated for testing purposes, that fact should be in the specification.
  • Animation-Define the colors and flash behavior for each alarm condition.
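
The scaling and alarm behavior described above, modeled in Python as an added example (not code from the original article, and not PLC code). It assumes a 4-20 mA loop, a 3.6 mA open-circuit threshold, and constructed set points for a 0-200 degC temperature input; the names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class AnalogInput:
    eu_min: float
    eu_max: float
    lolo: float                   # falling alarm
    lo: float                     # falling warning
    hi: float                     # rising warning
    hihi: float                   # rising alarm
    upscale_burnout: bool = True  # on open circuit force EU max (False: force EU min)
    open_circuit_ma: float = 3.6  # assumed threshold for declaring the loop open

    def scale(self, ma):
        """Convert a 4-20 mA reading to EU; return (value, fault)."""
        if ma < self.open_circuit_ma:
            return (self.eu_max if self.upscale_burnout else self.eu_min), True
        value = self.eu_min + (ma - 4.0) / 16.0 * (self.eu_max - self.eu_min)
        return min(max(value, self.eu_min), self.eu_max), False

    def evaluate(self, ma):
        """Scale the input, then classify it against the four set points."""
        value, fault = self.scale(ma)
        if value >= self.hihi:
            state, severity = "HIHI", "alarm"
        elif value <= self.lolo:
            state, severity = "LOLO", "alarm"
        elif value >= self.hi:
            state, severity = "HI", "warning"
        elif value <= self.lo:
            state, severity = "LO", "warning"
        else:
            state, severity = "NORMAL", None
        return {
            "value": value,
            "fault": fault,
            "state": state,
            "severity": severity,
            # Typical split described above: only alarms list in the alarm manager.
            "in_alarm_manager": severity == "alarm",
            # "default" is a placeholder for whatever normal color the spec defines.
            "hmi_color": {"alarm": "red", "warning": "yellow"}.get(severity, "default"),
        }


# Constructed example: a 0-200 degC temperature loop with upscale burnout.
TEMP = AnalogInput(eu_min=0.0, eu_max=200.0, lolo=10.0, lo=20.0, hi=150.0, hihi=180.0)
```

With upscale burnout, a broken probe (0 mA) evaluates as a HIHI alarm at 200 degC, so downstream logic reacts exactly as it would to a real over-temperature.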

Discrete input device-switches

  • Debounce timers-All switches should have individually configurable debounce timers to reduce nuisance alarms and inadvertent action.
  • Simulation-If simulation of input switches for testing purposes is desired, then include that in the specification.
  • Animation-Define the colors and flash behavior for each alarm condition.

Discrete output-motors and valves

  • Click action-Typically, two actions are required before any direct action can be taken. This is a safety requirement that we meet by forcing the user to click once to open a control overlay, and then click again to take the action. In some critical cases, a click action may need to respond after a login or entry of a security code.
  • Motor run timers-Track the number of hours a motor runs. This feeds into the plant's predictive maintenance program.
  • Motor inhibit timers-Prevent rapid restarts. Restarting too quickly will cause overheating of the windings, reducing service life. Restart times vary according to the size of the motor.
  • Mismatch timers-Alert the operator if commanded state differs from actual state for longer than reasonable expectations permit.
  • Interlock status indication-Display the interlock list, and indicate the status of each item.
  • Interlock action definition-Define what happens when an interlock is lost. Typically, loss of an interlock places its related device in a "safe" state, from the standpoint of the process, and takes the device out of automatic mode. This forces the operator to take action before the device will again react to automatic commands.
  • Permissive status indication-Describe any requirement to display the permissive list and status indication if desired.
  • Permissive action definition-Define what happens when a permissive is lost. Typically, loss of a permissive places its related device in a "safe" state, but leaves the device in automatic mode. When the permissive is back, assuming the other conditions (such as inhibit mode, etc.) still warrant, the device will start, open, or otherwise revert to its normal operating mode.
  • Animation-Define the colors and flash behavior for each state of the device. Most devices have at least three states: On, off, and travel (or mismatch). Depending on the industry, green may indicate running or open, while in other industries those conditions may be red. Travel might be solid yellow, with the mismatch alarm causing the yellow symbol to flash. Regardless of animation plan, define that plan for each end device.
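
The difference between interlock and permissive loss, together with the inhibit and mismatch timers, modeled in Python as an added example (not code from the original article, and not PLC code). The class, its field names and the timer values are assumptions; manual-mode commands are left out, so a device that is not in auto simply stays stopped.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class MotorDevice:
    inhibit_s: float = 60.0    # assumed minimum time between a stop and the next start
    mismatch_s: float = 5.0    # assumed time allowed for feedback to follow the command
    auto: bool = True
    command: bool = False      # run output to the starter
    last_stop: float = float("-inf")
    mismatch_since: Optional[float] = None
    mismatch_alarm: bool = False

    def scan(self, now, auto_request, interlocks_ok, permissives_ok, running_fb):
        """One controller scan; 'now' is seconds on a monotonic clock."""
        if not interlocks_ok:
            self.auto = False      # interlock lost: safe state AND out of automatic
            want = False
        elif not permissives_ok:
            want = False           # permissive lost: safe state, mode left unchanged
        else:
            want = self.auto and auto_request
        # Restart inhibit: refuse a new start until the timer has expired.
        if want and not self.command and now - self.last_stop < self.inhibit_s:
            want = False
        if self.command and not want:
            self.last_stop = now   # record the stop that starts the inhibit timer
        self.command = want
        # Mismatch timer: commanded state versus actual (feedback) state.
        if self.command != running_fb:
            if self.mismatch_since is None:
                self.mismatch_since = now
            self.mismatch_alarm = now - self.mismatch_since > self.mismatch_s
        else:
            self.mismatch_since, self.mismatch_alarm = None, False
        return self.command

    def operator_reset_to_auto(self):
        """Operator action required after an interlock trip."""
        self.auto = True
```

After a permissive loss the device restarts on its own once the permissive returns and the inhibit timer has expired; after an interlock loss it stays stopped until `operator_reset_to_auto()` is called.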

Analog output device

Analog output devices include throttling valves, variable frequency drives, and others. Some of the points of discussion could include:

  • Auto/manual switching-Define user security level for switching between modes. In auto mode, the output derives from some function internal to the control system. In manual mode, the output is operator driven, via manual trim or manual loading.
  • Manual trim-Discuss the manual increment/decrement feature, whether it is required and what percent of scale per bump.
  • Manual loading-Is it necessary for the operator to be able to force the output to a specific setting? Via keypad?
  • Deviation alarm-If feedback exists to allow comparison between command and actual position, it is possible to deploy a deviation alarm.

Analog control device

One of the more common analog control devices is the Proportional-Integral-Derivative, or PID, block. Some points of discussion for this function could include:

  • Auto/manual switching-Define user security level for switching between modes. In auto mode, the output goes up or down depending on the difference between the process variable (PV) and the set point (SP).
  • Remote/local set point-Define user security level for switching between modes. In local mode, the operator enters the set point using a keypad. In remote mode, the set point links to another control function in the control system.
  • Deviation alarm-Define the alarm action if PV deviates from SP beyond a definable percentage.

A properly defined set of Device Control Requirements will greatly reduce misunderstandings and related rework and will go far toward guaranteeing the systems integrator delivers a system that will behave as desired.



Michael Whitt (mwhitt@mesainc.com) is an ISA Senior Member and the Manager of Integrated Systems at Mesa Associates, Inc. His book is Successful Instrumentation and Control Systems Design, ISA Press, 2004.