
AUGUST PLC - STUDY REPORT

M/s August System is one of the leading manufacturers of programmable logic controllers. The
company was founded in 1978 and subsequently developed the unique concept of the CS
300 Series Triple Modular Redundant Fault Tolerant Safety and Control System. The main areas
of company activity are centered around systems for fire and gas detection and protection,
emergency shut down, process shut down and critical control. This CS 300 series system is based on
microprocessor technology, but also uses programmable controllers, solid state modules and relays.
The company has all the equipment and facilities for manufacturing its range of products, as well
as good testing facilities.

Course_Outline

During the course, the following topics were discussed:


* System overview.
* System reliability.
* Fault tolerance: redundancy/isolation/voting.
* System concept.
* System hardware.
* System operation.
* Input/output circuits.
* Field devices.
* TRIGARD software, programming.
* Ladder logics, developing and fault finding.
* Engineering work station.
* Fault finding/system diagnostics.
* Maintenance requirement.
* Calibration check.
* Start up procedures.
* Hands on experience on simulator system.

CS_300_System_Introduction

The August system CS 300 is an ultra reliable fault tolerant safety control system, which is fully
configurable for a wide range of applications and is well suited to sequence and batch process
control as well as general control facilities. The company claims that their system availability is
99.99%.

The main features of the CS 300 system include:

* High availability.
* Triple modular redundant (TMR) fault tolerant design.
* Continuous correct operation.
* Transient error-proof.
* Online "hot" replacement and repair.
* Support for ladder logic.
* Ultra reliability.
* Superior diagnostics (often down to component level).

The_fault_tolerant_concept

Fault tolerance is the ability of the system to identify a fault and take corrective action on the
failure of any of its control system elements. The combination of TMR (Triple Modular
Redundant) and SIFT (Software Implementation Fault Tolerance) is the most effective hardware and
software solution for eliminating the effects of system failure and thereby maximising
availability and safety.

CS 300 system employs three basic techniques to achieve fault tolerant reliability.

Redundancy
At the heart of the CS 300 system is a triplicated set of Control computers called ICCBs (Integrated
Computer Control Board), each of which executes a copy of the programme. In this mode, no
single failure can degrade the system availability.

Isolation
A "read only" link between each ICCB prevents a faulty ICCB from corrupting another. Therefore,
all faults are isolated and not permitted to propagate.

Voting
The "read only" link allows each ICCB to read and verify. In a fault-free system, all three ICCBs will
agree. If a fault occurs, the incorrect ICCB determines its minority status; the faulty operation
is diagnosed and the result is changed by software control to agree with the majority.

Real_Time_Task_Supervisor_(RTTS)

The RTTS is a real time multi tasking executive software programme that has been designed
to facilitate the implementation of system control logic.

RTTS is able to provide all the capabilities expected of an advanced multi tasking executive as well
as providing features for diagnostics, monitoring and trouble-shooting.
RTTS is designed to supervise the scheduling and execution of tasks in a real time environment.
Tasks may be scheduled and dispatched by priority, periodically, on the occurrence of an event or
on request from another task.

RTTS provides the ability to ensure that tasks operate with correct data by voting the data in
the triple redundant hardware. Any error is immediately detected and corrected or masked.

RTTS handles all inter-module co-ordination and enables the CS 300 system to execute the
following functions:

* Discrete I/O and analogue input.
* Communication to other systems.
* Diagnostics to detect faults.
* Voting agreement, health of the three processors.
* Tracking of maintenance activities.
* Latent fault detection.
* Status and condition of any hot repair module.

3-2-0_and_3-2-1-0_controller_concept

If the results of a computer are repeatedly out-voted, a maintenance alarm is activated. The faulty
unit can then be taken off line for repair, while the other two continue to operate the process.

3-2-0
With a system configured on 3-2-0, the system will continue to operate as long as 2 channels
remain healthy. RTTS version 5.XX is 3-2-0. (Currently version 5.17 is in use.)

3-2-1

With a system configured on 3-2-1, the system will continue to operate with two faulty
channels.

The Ammonia PLC system has been configured for 3-2-1-0, i.e., the system will continue to operate
with two faulty channels. In the event of a fault in the last channel, the deadman software will
de-energise the watchdog timer and the watchdog relay will cut off the module power for the
TM 117 TMR digital output termination modules, initiating safe shut down of the plant. RTTS
version 6.XX is 3-2-1. (Currently, version 6.04 is used.)

CS_300_system_architecture
CS 300 triple modular redundant programmable control system consists of the following major
systems:

1. Three integrated control computers (ICCBs), each with 1 M byte of RAM, expandable
up to 4 M, and 384 K bytes of EPROM, expandable up to 768 K.

2. Process interface modules (PIMs), which house the ICCBs and the system input/output modules.

3. Triplicated PIM power supply modules.

4. Termination panels for interfacing all field signals.

5. Termination and field power supply unit.

CS_300_resident_PIM_chassis
The CS 300 resident PIM chassis comprises three ICCBs housed on the right hand side of the
chassis. 15 process I/O and/or communication boards are located/arranged in slots provided on
the left-hand side of the chassis.

Any type of PIM I/O board (digital input, digital output, analog input or serial I/O) can be
configured in any of the 15 I/O slots. Fig. Part 3 Page 2 (3.2).

In addition to the resident PIM chassis, a system would also include a triplicated power supply unit,
a triplicated cooling fan unit and a system diagnostic panel. Up to 14 additional local PIM chassis
can be added to the CS 300 resident PIM module.

Local_PIM_chassis
Local PIMs are connected to the resident PIM via triplicated parallel interfacing cabling, each PIM
housing up to 15 I/O boards (any type of board).

PIM_power_supply
The PI 331 triplicated power supply will power up to four PIMs, each holding up to 15 I/O boards.
Each PI 331 has an associated triple cooling fan mounted to the left power supply module.

PIM_cooling_unit
The PI 110 PIM cooling unit consists of three axial flow fans installed horizontally below each
resident PIM in order to divert air flow vertically between processor and communication I/O boards.

System_diagnostic_panel_(CD_901)
CD 901 system diagnostic panels are normally installed below the PI 331 PIM power supply
module and used to display any fault alarm generated by the process control system.

The CD 901 system diagnostic panel contains 12 pairs of LED status indicators. A red LED is used
to indicate an error or an alarm condition, whereas a green LED indicates normal (healthy) system
operation.

The 12 system status indicators are configured as follows:

- CCM1 Alert
- PIM System Alert
- CCM2 Alert
- System Alert
- CCM3 Alert
- Maintenance Alert
- Watchdog Alert
- Auxiliary 1 Alert
- Auxiliary 2 Alert
- Auxiliary 3 Alert
- Auxiliary 4 Alert
- Auxiliary 5 Alert

Panel Switches

The diagnostic panel also contains five switches, allowing the operator to perform the following
control functions:

- A Warm Start Switch,

- A Diagnostic Report Switch,

- An Indicator Test Switch,

- An Alarm History Clear Switch and

- An Alarm Acknowledge Switch.

Panel Relays

The diagnostic panel contains 4 external relays terminated at the rear of the panel. One relay is
configured as an external alarm and is energised if a watchdog alarm occurs. The remaining
three single pole changeover relay outputs can be configured as required.

Auxiliary Inputs

The diagnostic panel also provides for five external switch inputs and an external acknowledge
alarm input.

Maintenance

The diagnostic panel can be installed or removed and powered up or down without disrupting
control of the process. The panel is hinged at one end to allow it to swing out from the cabinet
for ease of maintenance.

ICCB_integrated_control_computer_board_(SP-116)
The ICCB forms the heart of the CS 300 system. Three ICCB processor boards are required for a
fully triplicated CS 386 system. Each ICCB is a complete control computer with an 80386 16
MHz microprocessor, a minimum of 1 MB of ECC (error checking and correcting) RAM and a minimum
of 256 KB of EPROM (programmed with only the RTTS/SIFT operating systems).

EPROMS VS. NONEPROM SYSTEM

Irrespective of whether the system is EPROM or NONEPROM, RTTS always resides in PROM only.

In an EPROM system, the application software, which includes loc modules/ladders, will be in PROM.
When the system is powered up, it will boot up automatically, run the self-test/diagnostics
subroutine, load the ladder from EPROM to RAM and set the software running in a few seconds. In a
NONPROM system, on powering up, the system will carry out only the self-test/diagnostics. We
have to load the software, set the scan rate, etc. This will take about 10 to 15 minutes for a
larger system. In an EPROM system, when we make changes in the application software on line, they
will reside only in RAM and hence have to be reloaded if the system is restarted from power off,
until the EPROM is updated for the revision.

PIM_process_interface_module_PI_316

The function of the process interface module PIM in the CS 300 system is twofold. One function is
to house the process control computer, providing the required power and interconnection. The
second function is to house the process I/O boards, providing them with the necessary power and
interface links between the process control computers (ICCBs) and the various transducers, sensors
and actuators with the process environment. Main features of the PIM include:

* Modular architecture.
* Computer I/O flexibility.
* Online repair/replacement.
* Up to 480 I/O power/modules.
* Up to 15 modules/system.
* Extension RAM of I/O card.

The modular construction and flexibility of the PIM allow any of the following boards to be fitted
in any of the 15 I/O slots:

* Digital inputs.
* Digital outputs.
* Analogue inputs.
* Analogue outputs.
* Serial communication interface.

PIM_module_cards

1. Digital_input_board_PI_716:

The digital input board allows the input of 32 bits of digital information to the control computer
by operating on the interface between the incoming signals and the CS 386 system. The board may be
"hot" repaired online without affecting the system integrity.

The 32 digital input signals are presented to three independent, resistively isolated circuits.
The 32 inputs are initially organised into four 8 bit parts to enable the ICCBs to sample 8 inputs
at a time. The voted part-select circuitry guarantees that the three ICCBs simultaneously
select the same part.

The 8 bit data held in the selected part is then latched. The latching mechanism is also vote
controlled to ensure that all three ICCBs latch the same data at the same time. The data now held
in the latch can then be transferred via the bus interface circuitry through the PIM bus to the ICCB.

The digital input board has three "on-board" channel station indicators and a maintenance
notification switch. If one LED is lit or if all the station LEDs are illuminated, then the board is in
an "off-line" condition.

2. Digital_output_board_PI_727
The PI 727 is electronically situated between the digital output termination panels and the
ICCBs. The 32 channel triplicated board provides an interface between outgoing signals and the
CS 300 system. The triplicated digital output board supplies a controlled diagnostic for 3-2-1-0
operation via the health protocol resident in each of the three ICCB channels.

Each of the triplicated channels consists of four 8 bit parts. Each part (8 outputs) is selected in
turn by the ICCB. The ICCBs then write to the selected part and output the 8 bit value to that part.

Each of the triplicated channels is isolated from its adjacent channels to process failures. Each of
the 32 output lines generated by the four 8 bit parts passes through a six element digital voter
circuit. The three ICCBs each provide a health protocol signal to the board so that the voter
outputs can be dynamically adapted to account for the absence of one channel. In a 3-2-1 mode, the
voter output will be valid as long as any one of the channels is healthy.
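
The health-aware output voting described here, together with the 3-2-0 and 3-2-1-0 schemes described earlier, can be modelled in a few lines. This is an added example, not August Systems code: the out-vote limit of 3, the rule that two surviving channels must agree to energise an output, and the all-zero safe state below the 3-2-0 floor are assumptions, and the output words are constructed.

```python
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF      # one 32-channel digital output board
SAFE_STATE = 0x00000000  # every output de-energised


def majority(a, b, c):
    """Bitwise 2-out-of-3 vote over three 32-bit output words."""
    return ((a & b) | (a & c) | (b & c)) & MASK32


@dataclass
class TmrOutputVoter:
    mode: str = "3-2-1-0"   # "3-2-0" or "3-2-1-0", the two schemes on the page
    outvote_limit: int = 3  # ASSUMPTION: consecutive out-votes before the alarm
    healthy: list = field(default_factory=lambda: [True, True, True])
    outvoted: list = field(default_factory=lambda: [0, 0, 0])
    maintenance_alarm: list = field(default_factory=lambda: [False, False, False])

    def take_offline(self, channel):
        """Withdraw a channel's health signal (fault, or pulled for repair)."""
        self.healthy[channel] = False

    def vote(self, words):
        """Vote one scan. Returns (output_word, level) with level 3, 2, 1 or 0."""
        if self.mode not in ("3-2-0", "3-2-1-0"):
            raise ValueError("unknown mode: %r" % self.mode)
        live = [ch for ch in range(3) if self.healthy[ch]]
        floor = 2 if self.mode == "3-2-0" else 1
        if len(live) < floor:
            # Too few healthy channels for this mode: outputs go de-energised.
            # In 3-2-1-0 this is the state the watchdog relay enforces.
            return SAFE_STATE, 0
        if len(live) == 3:
            result = majority(*words)
            self._track_outvotes(words, result)
        elif len(live) == 2:
            # ASSUMPTION: de-energise-to-trip, so both survivors must agree
            # before an output stays energised.
            result = words[live[0]] & words[live[1]] & MASK32
        else:
            result = words[live[0]] & MASK32
        return result, len(live)

    def _track_outvotes(self, words, result):
        """Count consecutive scans in which a channel disagreed with the vote."""
        for ch in range(3):
            if words[ch] & MASK32 == result:
                self.outvoted[ch] = 0
                continue
            self.outvoted[ch] += 1
            if self.outvoted[ch] >= self.outvote_limit:
                self.maintenance_alarm[ch] = True


def degrade(mode, words, order=(1, 0, 2)):
    """Withdraw channels one by one; return (output, level) after each step."""
    voter = TmrOutputVoter(mode=mode)
    trace = [voter.vote(words)]
    for ch in order:
        voter.take_offline(ch)
        trace.append(voter.vote(words))
    return trace
```

Running `degrade` with the same words in both modes shows the only difference between the schemes: 3-2-0 drops to the safe state one channel loss earlier.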

3. Analogue_input_board_(PI-732)

It is electronically situated between the analogue termination panels and the ICCBs. The PB2 16
channel triplicated board provides both interface and digital conversion so that the incoming
analogue signals can be read by the CS 380 control system.

The board may be hot-repaired on line without affecting the system integrity. The on-board cross
read facility enables each channel to compare its latched data with that of the other channels.
The ICCBs can each read the data latched on all three channels and then vote on the data.

The analogue input board range (0-5 V, 0-10 V, 0-5V, +0-10V) is factory configured.

4. Serial_I/O_board_(PI-774)

It is electronically situated between the serial I/O termination panel and the ICCBs.
The 4 channel triplicated board provides the serial I/O interface so that the CS 386 system can
be interfaced with other peripheral devices, engineering work station or system.

This board can be configured for either 3-2-1 or 3-2-0 operation.

5. Termination_modules

Termination modules operate on the interface between the process control system and the
various field devices such as thermocouple, valves, solenoids, printers and work stations, etc.

Additionally, it provides signal conditioning, impedance matching, isolation, noise immunity and
system protection for high voltage, surge, spikes, etc.

a) Analogue_input_termination_module_(TM117-AI11)

It provides termination for 16 non-isolated differential analogue input signals through external
field devices. Each circuit on the termination module contains signal conditioning and can
accommodate various voltages.

b) Digital_input_termination_module_(TM118-DH)

The TM-118-DH high density input termination module provides 16 isolated digital inputs on a rail
mounted termination module. The module supply is redundant 5 V DC, diode auctioneered on the
termination, and the module is connected to the CS 386 system PI 716 via 10 way ribbon cable.

In the ESD system, the TM 118-DH modules are used to terminate both positively and negatively
switched diagnostic signals, e.g., fuse failure, MCB trip and power supply failure.

c) Digital_input_termination_module_TM-118-D

It is an 8 channel rail mounted input termination module, each panel accommodating 8, IDC-5
opto couplers. These provide optical isolation. Each channel is provided with a station LED within
the system. TM-118-D outputs are used to interface with TM-118-DH input modules for auto test
function.

d) Output_termination_module_(TM-117-DR)

The TM 117-DR is a 16 channel panel mounted output termination module. The module provides
16 two pole changeover (form C) fused output circuits which are volt-free and suitable for
driving medium power field devices. Connection to the CS 386 system PI 727 digital output card is
via two 10 way ribbon cables.

e) Output_termination_module_(TM-117-TMR)

The TM 117-TMR is an 8 channel panel mounted termination module. The module supports
eight 2 out of 3 voted output connections with output maintained for use in critical process
control. The relay module is triple modular redundant by virtue of the fact that the three relays in
each channel are each driven by a separate input channel.

The card requires a 24 V logic supply. Connection to the PI 727 digital output card is via three
10 way ribbon cables. Feedback from the card to the CS 386 is via the PI 176 digital input card
through one 10 way ribbon cable.

f) 64 channel de-multiplexed display driver (TM 117-DMX)

It is used as a multichannel display driver capable of driving 64 outputs from a signal
communication interface. Its design incorporates a dual redundant configuration. The input
interface of the DMX is a dual serial communication link, driven from the PI 774 SIO card.

g) Serial termination panel (TM 117-SA1)

It is a serial I/O terminal panel providing modular connection for 12 external serial input/output
devices. Within the system, these devices are simplex links to Trilogger and Trigard and
Duplex link to the TM 117-DMX driving the mimic panel lamps and to DCS for data transfer.

6) System_watchdog_TM_118-TWD/2

This triplicated watchdog card provides a means of monitoring the PLC I/O operation via a group of
digital outputs. The TM 118-TWD/2 consists of a mother board and three daughter boards.
The CS 386 system is configured to output three pulse trains to the TM 118-TWD/2 using the PI 727
digital output card. Each daughter board contains a logic circuit to maintain the pulse train and
to energise a relay if the pulse train is healthy.

The status of the three relays is connected back to the CS 386 via TM 118-DH to allow the
TM 118-TWD/2 module to be maintained for fault. Each daughter board is provided with a status LED
to indicate the board status.

The loss of three pulse trains indicates a PLC I/O fault and will cause the TM 118-TWD/2 to trip. A
single working watchdog timer allows the circuit to remain in operation.

For the ESD system, in the event of failure of 3 watchdogs, this output will be used to remove the
module supply from the TM 117-TMR output termination module. This will cause these outputs
to be placed in the safe, de-energised state in the event of PLC I/O failure.

7) FM 112_fuse_module

The FM 112 fuse alarm board provides 12 independently fused distribution outputs from a single 24
V DC input. The alarm facilities from each of the fuses are connected in parallel and on to a
terminal which provides a function point, allowing the alarm output to be linked to further fuse
alarm boards in order to provide an alarm on a common service or diagnostic panel driven from
the CS 386. These modules are used to monitor the health of the fuses supplying power to 24 V DC
devices. GMT fuses of various ratings (colour coded) are used, depending upon the load.

TRIGARD ENGINEERING WORKSTATION

The TRIGARD Engineering Workstation is a user-friendly interface enabling software
programming and configuration of the CS300 system. The Engineering Workstation comprises the
following hardware:

* IBM compatible personal computer with
  * MS-DOS Version 3.1 or higher
  * 640 K or more of RAM
  * Serial communications port

If used for creating new PCS systems (Ladder Software), then >640 K of RAM and at least
a 10 Mbyte hard disk are required.

The TRIGARD workstation software is the interface to TRIGARD PCS, the software resident in the
CS300 which allows the CS 300 to interpret and run ladder logic programs. TRIGARD PCS is part
of the CS300 RTTS operating system.

The workstation uses a graphical display of relay ladder logic and function blocks similar to that of
other programmable logic controllers. Ladder logics are used for logical control applications
and the functional blocks for sequential, analog and batch control operations.

The control ladder logic networks are developed from cause and effect charts. Verification of the
ladder logic against original cause and effect data is achieved using software analysis tools such
as SAPTU (Simulation Application Programme Test Unit). SAPTU is particularly useful in highly
critical applications such as ESD and F&G.

The TRIGARD workstation contains a group of 6 programs that run under MS-DOS. The main program
(TRIGARD) is a supervisory program from which the other 5 programs run, namely, VP125, COM125,
MAKE123, ANN125 and CONF125. All programs are menu driven with pop-up windows containing help
screens. The TRIGARD master menu appears as follows:

VP125     NETWORK EDITOR       LOAD, DISPLAY AND EDIT CONTROL
ANN125    LADDER ANNOTATOR     ANNOTATE AND PRINT CONTROL NETWORKS
COM125    PCS COMMUNICATION    LOAD PCS, SYSTEM DIAGNOSTICS, SET PCS DATE CONFIGURE PROCESS CONTROL SYSTEM.
CON125    I/O CONFIGURATION    CONFIGURE PROCESS CONTROL SYSTEM
MAKE125   PCS BUILDER          PCS SOFTWARE GENERATION
SET UP    WORKSTATION          DISPLAY AND COMMUNICATION SETTINGS

The VP125 (Video programmer) is used to create, edit and save control ladders. The video
programmer communicates with the PCS software in the control computers (ICCBs). This
communication link with the PCS enables on-line editing and modifications of the control ladder
networks to be carried out whilst the system continues to operate and handle all executive control
actions. The ability to carry out on-line editing whilst running control ladder network speeds up
the debugging of control action logic.

The ANN125 program is a documentation package that enables written descriptions to be added to the
printed ladder listings. A written description of each network's function can be included with a
ladder, and discrete elements and registers can be assigned identifying labels which appear every
time the devices are printed out. The print out can also include a cross reference listing of all
the devices used.

The COM125 program is used for communicating between the workstation and the RTTS
operating system in the CS300 control computers. The loading of the PCS software, setting of RTTS
time and reading RTTS I/O reports are all functions of the COM125 (PCS Communication) program.

The CON125 (I/O configurator) program is used to configure the PIM I/O tables used in the PCS
software. Any changes in the number and types of I/O required can easily be implemented to the
onsite equipment should the need arise.

The MAKE125 (Make PCS Load Module) program facilitates the building of customised PCS
software. The program also stores the special software routines which are required so that the
other devices such as de-multiplexed drivers or printers are able to be interfaced or controlled by
the system.

The TRIGARD ladder logic program uses a ladder organisation that is similar in context to
programmable controllers supplied by other companies such as Modicon or Allen Bradley.

TRIGARD ladder logic programs implement all the traditional ladder logic elements along with a
number of special and flexible function blocks. When running the VP125 program, the TRIGARD
ladders are organised into networks in a similar layout as with Modicon 584.

A typical TRIGARD ladder network would be displayed on the workstation as illustrated below:

Typical Trigard Ladder Network

Each ladder network is scanned in turn, and the elements of each network are scanned in a set
order: top to bottom for the left hand column, then top to bottom for the second column, and so on.

The Ladder logic networks and the various elements used form the heart of every TRIGARD
system. Each Ladder network is a matrix layout consisting of 7 rungs and 8 columns, therefore a
maximum of up to 56 elements can be used to make up each network.

As many as 999 individual network layouts may be included in one application program. Some of
the available TRIGARD elements include the following:

* Coils, contacts and transitional elements for logical control.

* Timers, counters and stepper elements for stepper control.


* Boolean elements for performing logical operations.

* Special function blocks for I/O, analog control, diagnostics, communications and
other expanded functionality.

TRIGARD ladders can be created and edited on or off-line by running the VP125 program on
the engineer's workstation. Network operation and data can be viewed and changed at the
workstation whilst the PCS continues to run the CS300.

The states of coils and contacts can be forced on or off and the contents of registers can be
changed to enable testing, debugging, or for the overriding of outputs.

TRIGARD ladders manipulate an area of the control computers' memory called the TRIGARD MAP, which
contains both the discretes and registers resident in the RAM of the CS300.

The TRIGARD MAP is linked to the physical control process through the PIM (Process Interface
Module) where, by using the PIM I/O, the interaction between the MAP and the outside or 'physical
world' can be completely controlled.

The Map's Relationship to the Real World

The elements in ladder networks interact directly with the Map. For example, whenever a coil is
energized in a running ladder, a bit is set in the Map. If a ladder energizes coil 9012, that means
it is setting bit number 9012 in the TRIGARD Map.

The discretes and registers of the TRIGARD Map exist only in the memory of the CS330 Control
Computers. However, it is possible to have the values of discretes and registers correspond
to external electrical values so that the elements of a TRIGARD ladder interact with physical
inputs and outputs (the electrical termination panels in the control system). For example, the
value of discrete 2001 may correspond to the state of a digital input terminal and the value stored
in register R1277 may correspond to the voltage of an analog output terminal.

The correspondence between the TRIGARD Map and the terminals and I/O of the Process Control
System is defined in a PIM (Process Interface Module) Table. PIM Table number 1 is usually
supplied with TRIGARD PCS software. PIM Table 1 defines a PIM-to-Map correspondence that
obeys the standard configuration shown in the following diagram:

Region                                          Discretes      Registers
System Discretes                                0000-0999
Digital Input Discretes                         1000-2999
Working Discretes (used by TRI-DAC)             3000-7999
Working Discretes/Registers (used by TRI-DAC)   8000-8999      R000-R062*
Digital Outputs                                 9000-10999     R062-R187*
Working Discretes/Registers                     11000-15999    R187-R499
Analog Input Registers                                         R500-R999
Analog Output Registers                                        R1000-R1299
Working and System Registers                                   R1300-R1899
System Registers                                               R1899-R1999
Analog Control Registers                                       R2000-R3999

PIM Table 1, I/O Definitions

* The definitions of the discretes in registers 62 and 187 are divided by discrete address.

PIM tables contain definitions for the PIM-to-Map correspondence. But, it is the PMIO call
that actually causes the I/O to take place according to the correspondence defined
in the referenced PIM table.
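
Because forced discretes and changed registers only reach the plant when they fall in a region that PIM Table 1 ties to field I/O, it is useful to resolve a Map address to its region when reviewing overrides. The following is an added example, not TRIGARD code: it resolves the page's own addresses (9012, 2001, R1277) and lists which points in a constructed force list touch field I/O. It assumes registers R000 to R499 alias discretes 8000 to 15999 at 16 discretes per register, which is what the table's boundaries and its footnote on registers 62 and 187 imply.

```python
import re

# Discrete ranges from PIM Table 1 on the page (inclusive bounds).
DISCRETE_REGIONS = [
    (0, 999, "System Discretes"),
    (1000, 2999, "Digital Input Discretes"),
    (3000, 7999, "Working Discretes (used by TRI-DAC)"),
    (8000, 8999, "Working Discretes/Registers (used by TRI-DAC)"),
    (9000, 10999, "Digital Outputs"),
    (11000, 15999, "Working Discretes/Registers"),
]
# Register-only ranges from the same table (R1899 is listed in two rows).
REGISTER_REGIONS = [
    (500, 999, "Analog Input Registers"),
    (1000, 1299, "Analog Output Registers"),
    (1300, 1899, "Working and System Registers"),
    (1899, 1999, "System Registers"),
    (2000, 3999, "Analog Control Registers"),
]
# Regions that the table ties to physical terminals.
FIELD_IO = {"Digital Input Discretes", "Digital Outputs",
            "Analog Input Registers", "Analog Output Registers"}
# ASSUMPTION: R000-R499 alias discretes 8000-15999, 16 discretes per register.
ALIAS_BASE, PER_REGISTER = 8000, 16


def discrete_region(number):
    """Return the PIM Table 1 region name for a discrete number."""
    for low, high, name in DISCRETE_REGIONS:
        if low <= number <= high:
            return name
    raise ValueError("discrete %d is outside PIM Table 1" % number)


def resolve(address):
    """Resolve a Map address such as '9012' or 'R1277' to its region(s)."""
    match = re.fullmatch(r"(R?)(\d{1,5})", address.strip().upper())
    if not match:
        raise ValueError("not a Map address: %r" % address)
    is_register, number = bool(match.group(1)), int(match.group(2))
    if not is_register:
        info = {"regions": [discrete_region(number)]}
        if number >= ALIAS_BASE:
            info["register"] = "R%03d" % ((number - ALIAS_BASE) // PER_REGISTER)
        return info
    if number <= 499:
        # A register in the aliased block covers 16 consecutive discretes and
        # can straddle a region boundary (the starred rows R062 and R187).
        first = ALIAS_BASE + number * PER_REGISTER
        last = first + PER_REGISTER - 1
        regions = [discrete_region(first)]
        if discrete_region(last) != regions[0]:
            regions.append(discrete_region(last))
        return {"regions": regions, "discretes": (first, last)}
    regions = [name for low, high, name in REGISTER_REGIONS
               if low <= number <= high]
    if not regions:
        raise ValueError("register R%d is outside PIM Table 1" % number)
    return {"regions": regions}


def is_valid(address):
    """True if the address parses and falls inside PIM Table 1."""
    try:
        resolve(address)
    except ValueError:
        return False
    return True


def audit_forces(forced):
    """Return the forced points that touch field I/O, with their regions."""
    findings = []
    for address in forced:
        regions = resolve(address)["regions"]
        if FIELD_IO.intersection(regions):
            findings.append((address, regions))
    return findings


# Constructed sample: points an engineer has forced from the scratch pad.
SAMPLE_FORCES = ["9012", "2001", "3500", "R1277", "R062", "R1500"]
```

A register that straddles a boundary, such as R062, is reported with both regions so that a reviewer treats it as touching the digital outputs.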

Some of the outstanding features of TRIGARD include:


* Analogue control packages and floating point registers.

* Multirate network processing for system load leveling.

* Ladder annotation to label discretes, registers and networks for documentation purposes.

* View/Set scratch pad for viewing and changing the values of registers, discretes and floating point
registers.

* Discrete force capabilities within the network enable logic control to be overridden and invalid
I/O values to be forced into a fail-safe state or condition.

* Capability to set initial values for registers to ensure that the system start up routine is initiated
in a correct sequence.

* Print functions which allow the formatted printing of user-defined messages under network
control.

Factory Acceptance Test of Programmable Logic Controller for Ammonia

Introduction

The trip interlock system of the Ammonia Plant has been unique in many ways. The trip matrix panel
in the forefront, hardwired with military grade MSC components, the Clifford and Snell make relays
in the background, which execute the logic, and the first out annunciator system are a few things
to be mentioned. Hence, when it was decided to implement a Distributed Digital Control System for
the Ammonia Plant, care was taken to maintain some of the existing operational features and improve
upon them in line with integration with the new system. The finalised PLC system configuration is
as follows:

1. The programmable logic controller will be a triple modular redundant, fault tolerant system of
the highest reliability. Some critical trip initiations will be triplicated at field input level.
The PLC will be integrated with the DCS through a communication gateway for data transfer.

2. A mimic panel depicting the cause and effect matrix of the Ammonia Plant trip interlock
system, fabricated out of mosaic tiles and hardwired with MSC components.

3. A TRILOGGER PC for logging the status of digital inputs/outputs to a resolution of 1/100th of
a second to enable accurate trip analysis.

FAT Details

For our ammonia plant trip interlock system, the ASL CS 386 system was ordered through M/s YBL,
Bangalore. Hence, the factory acceptance test was carried out in coordination with two YBL
engineers. The purpose of this test is to confirm that the supplied system functionalities match
those defined in the system specification and logic diagrams.

During FAT, the following major tests were carried out:

1. Mechanical inspection

The presentation/build of the system panel and mimic panels including layout were checked with
our approved drawing and other mechanical requirements.

2. Electrical testing

System power supplies, power consumption and insulation/confirmatory tests.

3. Functionality testing

The hardware and software functionalities of the system. The hardware functionality tests
demonstrate that each type of interface operates correctly and the software tests demonstrate that
the overall functionality matches that defined in the logic diagram.

Fault-free operational system and heat soak

The two function tests are pre-requisites of FAT, carried out by ASL, and the relevant documents
were submitted for our perusal.

Fault-free operation means that the system is to be operational for a period of over
100 consecutive hours without any fault.

The heat soak test is to ensure the ability of the system to operate in adverse environmental
conditions, in particular, prolonged operation at an elevated temperature, to
detect/eliminate premature component failure.

Mechanical inspection

During mechanical inspection, the following points were checked for 6 bays and mimic panel:

1. Panel layout and painting as per drawing.

2. Labels fitted and on correct material and layout.

3. All earth bonding are mechanically same.

4. All movable items free to move (swing door panel, etc.).

5. Correct MCBs and fuse bases and carriers with fuse links as per schedule.

6. Correct size and colour of cable.

7. Crimps are of correct size for cables.

8. Wiring ferrules are of correct size for cables.

9. Conduit/ducting fitted correctly and wiring loomed giving adequate spare capacity.

10. Touch up paint provided.

11. All component arrangements as per drawing.

12. Mimic panel, legend, colour coding, ducting and matrix arrangement.

Electrical testing

1. Earth bonding

Electrical continuity between the main earth stud and mechanically bonded equipment was
checked and found to be less than 1 ohm.

2. Instrument earthing

Insulation resistance between instrument earth and main panel earth stud was checked and found
to be more than 60 m.ohms.

3. Isolation field terminals, earth isolation and inter isolation

The insulation resistance between the following was checked and found to be more than 60 m.ohms.

I   a) Field terminal and main panel earth stud.
    b) Live to earth (S).
    c) Neutral to earth (S).

II  a) Bay 1 Rack 1 ('A' 24 V DC).
    b) Bay 1 Rack 2 ('B' 24 V DC).
    c) Bay 1 Rack 3 (5 V DC).

III a) 'A' 24 V DC and 'B' 24 V DC terminal.
    b) 'A' 24 V DC and 5 V DC terminal.
    c) 'B' 24 V DC and 5 V DC terminal.

Power Supply Distribution

Isolation of the three main 115 V AC supply bus bars A, B and C, subsection distribution from
individual feeders A, B & C and the various MCB ranges were checked as per drawing. Subsection
distribution and 5 V DC module power distribution were also checked. Power consumption was checked
for each feeder and recorded. The voltage loads of the 24 V DC / 5 V DC field/module power supply
units in Bay 1 - rack 1/ rack 2/ rack 3 and the 24 V DC PSU in the mimic panel were checked and
recorded. Also, the DC voltage levels when the input voltage supply varied between +10% were
checked for the DC PSUs and recorded.

Functional test

Functional checks were carried out to verify the system logic/functionalities. A 'loc' module
with test I/O schedule was loaded to the processors and scan rate set for functional check.

Inputs

1. Digital input

As per the I/O schedule, which details the relationship between the TM118 system tag and the
software discrete, labeled switches were connected to the TM118 I/Os and sourcing terminals. All
the inputs were tagged one by one and it was checked whether the correct software discretes changed
in the workstation scratchpad.

2. Analogue inputs

As per the I/O schedule, labeled test panel potentiometers were connected to the analog inputs.
Using the potentiometers, all analog inputs were checked to confirm that the correct software
register changes, and the calibration was checked. (All P1732 I/O modules were originally
calibrated for the range of 0-10 V DC and recalibrated to 1-5 V DC as per our requirement.)

3. Outputs

As per the I/O schedule, a test panel with labeled LEDs was connected to the digital output
termination module. Each channel was forced on and forced off from the workstation scratchpad and
it was checked whether the correct LED illuminated and extinguished each time. The mimic panel push
buttons and key switches were operated and tested for continuity/discontinuity at the respective
O/P terminals.

4. Diagnostic testing

Watchdog circuits were checked for any crossover. Each channel of the triplicated watchdog module
is powered from a separate PIM power supply, powered off in turn and checked.

Channel 'A' is powered by PSUA BAY 3 RACK 3
Channel 'B' is powered by PSUB BAY 3 RACK 3
Channel 'C' is powered by PSUC BAY 3 RACK 3

Halt processor A : Channel A relay de-energises
Halt processor B : Channel B relay de-energises
Halt processor C : Channel C relay de-energises

The "System Watchdog" alarm is tested by halting any two ICCBs. To halt any two ICCBs, press the
front panel switch to the interrupt position and wait for the watchdog to time out.

Reset the ICCBs by pressing the front switch on one interrupted ICCB to the reset position and
warm start the processor. Once two are running, reset the other interrupted ICCB and warm start
again. Then, wait till all ICCBs are running. Note: Non-Prom systems require the three CPUs to be
simultaneously reset (using the CPU reset switches). Since the EPROMs will be burnt and installed
later, the procedure adopted during FAT was that applicable to a NONPROM system only.

Halt processors A, B & C. The system will stop running. After a time delay, the watchdog module
will drop out causing the system outputs to de-energise to a safe shut down condition.

Halt processor A & B. The system will continue to run. Halt processor A & C. The system will
continue to run. Halt processor B & C. The system will continue to run.

Time delay is 20 seconds +20%.

When the watchdog relays trip, module supply is lost to the TM117-TMRs with critical outputs, so
any normally energised outputs will de-energise.

Redundancy Check

Redundancy check of PSU (24 V DC/5 V DC) field and module power supply unit.

CD901 Module

To test the module's indicators, use the Trigard scratchpad facility to set the relevant bits to
force the LED indicators on and operate the audible alarm. To 'read' the inputs, the relevant fuse
alarms will have to be actioned and the respective bits can be checked using the scratchpad
facility.

PIM power supply fuse failure alarms

PIM power supply fuse failure alarms are tested by removing the fuse from each healthy supply in
turn and replacing it with a "blown" fuse. The supply must be returned to the healthy state before
the next is tested.

PIM 1 SUPPLY A : REMOVE FUSE. PSU LED ILLUMINATES.
PIM 1 SUPPLY B : REMOVE FUSE. PSU LED ILLUMINATES.
PIM 1 SUPPLY C : REMOVE FUSE. PSU LED ILLUMINATES.
PIM 2 SUPPLY A : REMOVE FUSE. PSU LED ILLUMINATES.
PIM 2 SUPPLY B : REMOVE FUSE. PSU LED ILLUMINATES.
PIM 2 SUPPLY C : REMOVE FUSE. PSU LED ILLUMINATES.

PIM power supply under-voltage alarms

PIM power supply under-voltage alarms are tested by reducing the voltage set level in the PIM
supply under test, checking that the alarm condition comes ON, and restoring the under-voltage
level to its correct setting before the next supply is tested.

PIM 1 SUPPLY A : SET SUPPLY TO UNDER-VOLTAGE STATE. PSU LED ILLUMINATES.
PIM 1 SUPPLY B : SET SUPPLY TO UNDER-VOLTAGE STATE. PSU LED ILLUMINATES.
PIM 1 SUPPLY C : SET SUPPLY TO UNDER-VOLTAGE STATE. PSU LED ILLUMINATES.
PIM 2 SUPPLY A : SET SUPPLY TO UNDER-VOLTAGE STATE. PSU LED ILLUMINATES.
PIM 2 SUPPLY B : SET SUPPLY TO UNDER-VOLTAGE STATE. PSU LED ILLUMINATES.
PIM 2 SUPPLY C : SET SUPPLY TO UNDER-VOLTAGE STATE. PSU LED ILLUMINATES.

Blown fuse detection

Substitute healthy fuses with blown fuses. Check that the fault is detected by viewing the
respective bit using the scratchpad facility. Repeat for one fuse in each fuse holder or bank of
fuses within the system.

Isolator switch and MCB trip detection

Isolator switches

Switch off and back on each isolator in turn. Check the action is detected and reported correctly.

ISOLATOR 'A'
ISOLATOR 'B'
ISOLATOR 'C'

Circuit breakers

Turn off and restore each circuit breaker in turn. Check the action is detected and reported
correctly, the CD901 audible alarm sounds and lamp 9 (AUX 2) switches to red.

MCB A1 - A5 & A7/AC (A6/AC is spare)
MCB B1 - B5 & B7/AC (B6/AC is spare)
MCB C1 - C4/AC (C5/AC is spare)
MCB A1 - A10/DC

Power supply failure

Check DC power supplies are fitted and healthy.

Switch OFF each DC power supply in turn. Check the failure is detected and reported correctly.
Ensure each power supply is reinstated before switching OFF the next power supply.

NOTE: A short delay between switching OFF a power supply and its detection may occur due to the
decay of the supply.

SWITCH OFF POWER SUPPLIES IN TURN

BAY 1 RACK 1 SLOT 1
BAY 1 RACK 1 SLOT 2
BAY 1 RACK 1 SLOT 3
BAY 1 RACK 1 SLOT 4
BAY 1 RACK 1 SLOT 5
BAY 1 RACK 1 SLOT 6
BAY 1 RACK 2 SLOT 1
BAY 1 RACK 2 SLOT 2
BAY 1 RACK 2 SLOT 4
BAY 1 RACK 2 SLOT 5
BAY 1 RACK 3 SLOT 1
BAY 1 RACK 3 SLOT 2
BAY 1 RACK 3 SLOT 5
BAY 1 RACK 3 SLOT 6

Check that all the power supplies are back ON running healthy.

DCS communication link testing

The objective was to demonstrate the Modbus RTU protocol between PLC and DCS. A separate
PC was used to simulate the DCS system. The test will demonstrate the ability of the system to
transmit a range or several ranges of data via either of its two communication cables. The software
to be run on the PC is a standard package referred to as CIT (Communications Interface Tester). The
CIT package is required to be parameterised (see CIT parameters). The CIT will request a range or
several ranges of data on a regular basis. The CIT, having made a request, will wait for the data
to be transmitted and, on receipt of the data from the system, will display it on the CIT screen.

CIT PARAMETERS

Comm Port (1/2) :1
Select Modbus Mode : RTU(R) ASCII(A):R
Baud Rate (110,150,300,600,1200,2400,4800,9600) : 9600

Select Facility:

Read(R), Write(W), Master(M), Slave(S), Data(D), Poll(P), Initialise(I), Quit(Q)

Master Poll Mode ESD (E), Quit(Q)

Master Poll TEst
Slave Address (1 to 247): 1
Poll Delay (1 to 120 Secs):
Timeout Delay (1 to 10 Secs):

NOTE

The number # entered under "XXX Poll Link" refers to a configuration file of name XXX#.CFG.
The contents of this file define the data ranges to be transmitted and are detailed for example as
follows:

2 Number of register groups.
0 25 First register of group 1 and number of registers.
30 5 First register of group 2 and number of registers.
0 Number of registers to be displayed in decimal as opposed to binary.

TEST METHOD

1. Connect the DCS simulator PC, Com port 1, to either of the System serial ports.

2. Run the CIT program and enter the required parameters (see CIT parameters). Once the
parameters have been entered the data will be displayed.

3. Using the System Work Station, first enable the Modbus call in the ladder networks, then change
some or all of the data and check that the CIT screen reflects the changes.

4. Break the connection between the DCS simulator and the system. Wait until both the CIT
package and the system have reported a communication failure. Remake the connection and repeat
step 3 to ensure that communications have been re-established.

5. Disable the Modbus call in the ladder networks.

6. Repeat steps 1, 3, 4 and 5 using the second System serial port.

NOTE: This Modbus test tests the Modbus on a point to point basis. It will not test the multi drop
system.
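
The XXX#.CFG layout and the polling described above can be reproduced with the short sketch below, which is an added example and not part of the CIT package or the August software. It assumes the ranges are read with Modbus function code 0x03 (Read Holding Registers) and that the file holds one entry per line without the explanatory text; the function names are hypothetical.

```python
# Added example. Assumptions: function code 0x03 (Read Holding Registers)
# and a .CFG file holding one entry per line without the explanatory text.
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def parse_cfg(text: str):
    """Return ([(first_register, count), ...], decimal_count)."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    n_groups = int(rows[0][0])
    if len(rows) != n_groups + 2:
        raise ValueError("group count does not match the lines present")
    groups = [(int(r[0]), int(r[1])) for r in rows[1:1 + n_groups]]
    for first, count in groups:
        if not (0 <= first <= 0xFFFF and 1 <= count <= 125):
            raise ValueError(f"range out of bounds: {first} {count}")
    return groups, int(rows[-1][0])

def build_request(slave: int, first: int, count: int) -> bytes:
    """Slave address, function, start, quantity, then CRC low byte first."""
    if not 1 <= slave <= 247:
        raise ValueError("slave address must be 1 to 247")
    body = struct.pack(">BBHH", slave, 0x03, first, count)
    return body + struct.pack("<H", crc16_modbus(body))

def check_response(frame: bytes, slave: int, count: int):
    """Validate a reply and return its register values, or raise ValueError."""
    if len(frame) < 5 or crc16_modbus(frame) != 0:
        raise ValueError("short frame or CRC mismatch")
    if frame[0] != slave:
        raise ValueError("reply from unexpected slave address")
    if frame[1] & 0x80:
        raise ValueError(f"exception response, code {frame[2]}")
    if frame[1] != 0x03 or frame[2] != 2 * count or len(frame) != 5 + 2 * count:
        raise ValueError("function code or byte count mismatch")
    return list(struct.unpack(f">{count}H", frame[3:-2]))

# Constructed sample: the two ranges from the report's example file.
SAMPLE_CFG = "2\n0 25\n30 5\n0\n"
if __name__ == "__main__":
    for first, count in parse_cfg(SAMPLE_CFG)[0]:
        print(build_request(1, first, count).hex(" "))
```

The CRC covers transmission errors only; Modbus RTU frames carry no sender authentication, so a reply that passes `check_response` is well formed, not proven to come from the PLC.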

Matrix & Mimic Panel

The PLC system is interfaced with the operator via a separate stand-alone matrix/mimic panel
located in a remote location. The front side of the matrix panel is fabricated with removable type
mosaic tiles wherein the trip initiation, annunciation windows, reset push buttons, bypass keys
and valve status LEDs are fixed.

The trip initiator push buttons (normally closed contact), bypass keys (normally open contact) and
reset push buttons (normally closed contact) are hardwired to the digital input termination module
(TM118-D). The lamps and LEDs are driven by dual multiplexed output drivers (TM117-DMX) which
are serially connected to the CS386 system.
Each de-multiplexed board has a communication watchdog which is triggered when an invalid address
or message length is received or if no communication has been received for a period of 5
seconds. The lamp test facility is configured in software and activated by pressing the lamp test
push button. This feature has the advantage that not only are all the lamps tested together but
the DMX drivers themselves are also tested.

Trip Annunciation Sequence


The status of an indication directly reflects the state or condition of its input. In the healthy
condition, the lamp illumination will be OFF and the audible alarm will be silent. When a single
alarm is initiated, the annunciation window associated with the alarm will flash and the audible
alarm will be initiated, and it will be first detected by the system logic. If any subsequent
alarms occur, those alarms will be steadily illuminated. When the ACCEPT push button is pressed,
the audible alarm will be ON and lamp illumination will change from flash to steady ON state. The
action of pressing the ACCEPT push button also resets the internal first up logic such that any new
alarm will now be treated as a first up and will therefore flash.
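
The lamp side of this first-up sequence can be written as a small scan-based state machine, given here as an added example that is not the ladder logic of the CS386 system. The tag names are hypothetical, the audible alarm is not modelled, and it is an assumption that two alarms arriving in the same scan are ranked by evaluation order.

```python
# Added example: lamp states of the first-up sequence, one call per logic scan.
OFF, FLASH, STEADY = "OFF", "FLASH", "STEADY"

class FirstUpAnnunciator:
    """Lamp states only; the audible alarm is not modelled."""

    def __init__(self, tags):
        self.lamp = {tag: OFF for tag in tags}
        self.first_up = None      # window currently latched as first-up
        self.first_ups = []       # every first-up captured, in order

    def scan(self, inputs, accept=False):
        """Process one scan. inputs maps tag -> True while in alarm."""
        if accept:
            # ACCEPT: a flashing window goes steady, first-up logic resets.
            for tag, state in self.lamp.items():
                if state == FLASH:
                    self.lamp[tag] = STEADY
            self.first_up = None
        # Assumption: alarms seen in the same scan are ranked by this order.
        for tag in self.lamp:
            if not inputs.get(tag, False):
                self.lamp[tag] = OFF          # indication follows its input
            elif self.lamp[tag] == OFF:       # newly in alarm this scan
                if self.first_up is None:
                    self.first_up = tag
                    self.first_ups.append(tag)
                    self.lamp[tag] = FLASH
                else:
                    self.lamp[tag] = STEADY
        return dict(self.lamp)

def replay(tags, scans):
    """Run a list of (inputs, accept) scans; return (lamps, first-up history)."""
    ann = FirstUpAnnunciator(tags)
    for inputs, accept in scans:
        ann.scan(inputs, accept)
    return dict(ann.lamp), list(ann.first_ups)

# Constructed scan sequence with hypothetical tags.
TAGS = ["PSLL-1", "TSHH-2", "LSLL-3"]
SCANS = [
    ({}, False),
    ({"TSHH-2": True}, False),
    ({"TSHH-2": True, "PSLL-1": True}, False),
    ({"TSHH-2": True, "PSLL-1": True}, True),
    ({"TSHH-2": True, "PSLL-1": True, "LSLL-3": True}, False),
]
```

Because the first-up is resolved once per scan, two trips closer together than the scan time cannot be ordered by the lamps alone.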

Mimic panel communication link testing

The System panels and the Mimic panel are connected together using the diagram SP1-EW-082.

Using the system scratchpad facility the respective DMX memory bits are set to illuminate the
associated panel indicators.

The dual redundant communication link facility was checked by removing the 'A' connection leaving
the 'B' connected and then removing the 'B' connection leaving 'A' connected.

Trilog Data Logger

Trilog is a data logger package which runs on a stand-alone IBM compatible PC and receives data
from the CS386 system via independent serial communication links. The standard hardware platform
is given here:

386 16MHz IBM compatible PC, 1M byte RAM, 4 x serial port, 1 x parallel port

An on-screen menu allows the user to access current and archived data files for viewing and
printing. Data screen can be scrolled and paged up and down with a search facility on data time
and tag reference. Viewing, archiving, retrieving and printing functions do not affect the ability of
TRILOG to log events from the CS386 system it is connected to.

The TRILOGGER is a PC based software package that is used to log data from up to 4 independent
sources on to two separate media: hard disc and floppy disc. TRILOGGER has the ability for data
to be viewed on screen and sections of data can be down-loaded to a wide carriage printer.

Features

* Continually receive incoming data on up to four serial ports via interrupt driven software.

* Direct serial information to data log directories in archivable sections.

* Archive data into ASCII files.

* Provides the interface for archiving/retrieving ASCII files to floppy disc.

* Allows archived files to be copied or printed.

* Menu type displays.

The TRILOGGER displays a selection menu where a particular system can be selected for viewing
and archiving of data. Once a system has been selected, all actions taken will only apply to that
system. TRILOGGER automatically logs all messages received and stores the messages on the
hard disc in the directory appropriate to the system selected. Each directory has the capacity to
store up to 312,000 messages. When any of the system directories reaches 75% capacity, the
operator is informed via an on screen message to archive the files.

Data logging is controlled by three separate interrupt routines which enable data to be logged
irrespective of any other tasks that may be running on the TRILOGGER. It should be noted that
this will only occur if the TRILOGGER software is running. Viewing of data can be achieved in two
ways. The operator can either view the current data (125 messages of the most recent data) or
archived data (the first 7s files stored on the hard disc). Files on floppy disc can also be accessed for
display. Displayed data can be printed on a wide carriage printer. A minimum of 17 and a maximum
of 125 messages can be printed at any one time. Files on the hard disc can be archived to 3-1/2"
floppy.

Logging of Data

The logging of data is controlled by three separate interrupt routines and will log data into
memory irrespective of any other task that might be running on the TRILOGGER software
system. When 125 messages have been received, a file is created in the respective directory on
the hard disc and the messages are copied into this file. The name of the file created is made
up from the current date, time and system, i.e., if the date is 4.3.95, the time is 09:42:27 and
the system currently running is System 1, the file name created will be as shown below:

04 03 95 9 . 42 x Date/Time/Packet Number

Testing of Application Software Generated by YBL

Ammonia Trip System

The ladder network for Ammonia Plant interlock was generated based on logic diagrams given by
SPIC. The software included analog blocks and floating point computations as analog inputs are
directly connected to PLC analog input modules and referred as alarm set in the ladder software.
Since the number of AI and AL blocks referred are more than the standard, it has been
reconfigured as follows:

AI: 75 AL: 75 PI: 1 AO: 1

Functional test of analog networks was carried out and found to be as per our requirement.
However, while making some modifications in analog network with FMOVE block, the system
crashed twice. It was diagnosed by ASL and software rectified.

The application software SPIC-LOC module specific to our system was generated and run on the
system and found to be all right.

2.Factory Acceptance Test of PLC for Ammonia plant. -23
