Understanding use of Limit Switches

[ali.abbas]

Quoted information has been extracted from another website. It gives an amazing overview of the use of limit switches with control valves in particular.

Source: http://www.driedger.ca/limitsw/LimitSw.html

INTRODUCTION:
There is a great variety of possible combinations for installing and connecting limit switches on valves. The number of switches depends on the particular control objective and may be influenced by redundancy considerations. The way they are connected depends on the safety and reliability requirements.

LS-1.jpg

In order to clarify this discussion, diagrams like Figure 1 will be used. All signals, switch positions, etc. are shown with the valve at the center of travel. No limit switches are actuated, all are shown in their shelf position as determined by their internal springs. Imagine the valve to be like a guillotine where the stem travels upward to open the valve and downwards to close it. The diagrams show the switches connected to indicating light bulbs but the logic is identical if a DCS or other form of MMI is used.

The limit switch that is actuated when the valve is fully open is labeled ZSO. The one at the extreme opposite end is labeled ZSC.

The terminals on the electrical switches are labeled Common (C), Normally Open (NO), and Normally Closed (NC). This unfortunate choice of terminology has nothing to do with the state of the valve nor even the "normal" position of the switch. It refers to the state of the switch when nothing is pushing on it.

SINGLE SWITCH, DIRECT APPROACH:

LS-2.jpg

A single limit switch at the OPEN end of the valve (ZSO), as shown in Figure 2, will tell us when the valve is fully open. It cannot tell us if the valve is fully closed. The problem is that the term "open" is a bit ambiguous. Question: Is a half-open valve open, closed, neither open nor closed, or both open and closed? This discussion will use the following definitions:

• OPEN = Partly or fully OPEN
  CLOSED = Partly or fully CLOSED
  Not OPEN = Fully CLOSED
  Not CLOSED = Fully OPEN

According to these definitions the half-open valve is both open and closed. A single ZSO switch can only tell us if the valve is "fully open" and "not closed". It cannot tell us if the valve is partly open.

Example 1: We need a limit switch and a status light to tell the operator that the fuel gas to a furnace is OPEN. If so, it is not safe to begin the light-off sequence. A ZSC switch at the closed end of travel is used so that we can be sure the valve is "fully closed" and "not open" even a little bit. The correct contact is NC. If the valve is even the slightest bit open, the OPEN light comes on.
Example 2: We need a limit switch and a status light to tell the operator that the fuel gas to a furnace is CLOSED. If so, it is safe to begin the light-off sequence. This is exactly the same limit switch as before: ZSC. We want to know if the valve is "fully closed". The only difference is that Example 1 uses the NC contact of the switch to turn off an OPEN light when the valve is not fully open while Example 2 uses the NO contact to turn on a CLOSED light when the valve is fully closed.

SINGLE SWITCH, FAILSAFE:
"Failsafe" is a much abused word. It is very dramatic because it combines the apparently contradictory concepts of failure and safety in a single word. The reality is not so dramatic. It means that the failure of a component is unlikely to cause any harm. The formal definition I prefer is:

A FAILSAFE design is one in which the most probable failure mode results in the most probably safe condition.

Note that there are several "probablies" in this definition. Failsafe design is a technique for stacking the deck in favor of safety. It does not guarantee safety but it makes it more probable. The Examples 1 and 2, above, accomplish exactly the same thing. The difference is in the behaviour of the two methods when failures occur. Table 1 shows all the possible modes of failure. All those failure modes marked "*" result in the bulb failing to light. The most probable failures are marked "+".

LS-3.JPG

For an arrangement like that of Example 1, there are eleven failures that would lead the operator to believe that the valve is not OPEN and to proceed to light the furnace. An explosion could result. Of these 11 possible failures, 6 have high probability. This would not be a failsafe arrangement!

If the circuit is arranged as in Example 2 and any of the above mentioned eleven failures occurred, the operator would conclude that the valve is not CLOSED and would attempt to close the valve. The CLOSED light would still not come on. He would then, we hope, call maintenance to find the cause of the problem. Of the two possible circuits, Example 2 is the one that is most probably safe.

In the case of Example 2, only failures 5, 7, and 10 could give the operator unsafe information. Note that these three are all low probability failures.

• 5. Limit switch fails to return
  7. Limit switch fails as short circuit
  10. Signal wire shorts to power

Thus we have eleven safe failures and three unsafe failures. All the most probable failures result in the same safe response: The operator does not attempt to light the furnace. Example 2 is a failsafe arrangement. The odds in favor of safety are greatly improved.

continued on next post....

[ali.abbas]

DOUBLE SWITCH, DIRECT APPROACH:

LS-4.jpg

Often it is necessary to be certain that a valve is either fully open or fully closed. The suction valve to a compressor must be fully open when the machine is being operated and it must be fully closed during an emergency. Two limit switches are required to provide this information. Figure 3 shows these arranged using direct wiring. The two limit switches have four combinations of states, as shown in Table 2 which also shows that there are 11 single failures that would lead an operator, or a logic system, to believe that the valve was stuck in transit. Only three of the fourteen possible failures are identified to the operator or logic system.

LS-5.JPG

continued on next post....

[ali.abbas]

DOUBLE SWITCH, FAILSAFE:
The figure shows the failsafe arrangement that provides the same information. Note that NC contacts are used instead of NO and that each light is connected to the opposite limit switch. The double negative makes a positive. Table 3 shows the interpretation of the lights. It shows that eleven of the fourteen failures could be identified by an operator or a logic system as signal failures. Three of the failures would give a misleading, and possibly unsafe, impression.

LS-6.jpg

It is instructive to watch the status lights of a bank of valves undergoing test. The failsafe arrangement always has at least one light on for every valve. The lights begin all red. When the OPEN button is pushed and the valves begin to move, all the green lights come on as well. Then, as the valves complete their stroke, the red lights blink off one by one. At no time is the operator blind. The difference between a stuck valve and a signal failure is very evident.

The same test carried out with direct wiring begins the same: All lights are red. Then the lights go out! Finally the greens come on one-by-one. There is an interval during which the operator is left entirely in the dark. A demonstration program, ZSC-101.exe, showing how the switches and lights work in practice is available for download at the end of this page.

LS-7.JPG

continued on next post....

[ali.abbas]

TWIN, DOUBLE LIMIT SWITCHES:
The failsafe approach to signal wiring has one serious drawback: Failures interfere with the normal operation of the plant. The fundamental attitude that is being embodied in the wiring is "If in doubt, shut down!" This is certainly the safest attitude but it is also the one that makes the plant least reliable from the operations point of view.

There are also circumstances when there is no obvious safe response. Consider a single engine aircraft in flight over the sea. There is an engine oil low pressure indication. There is also some doubt that the signal is correct. What is the safest response? Now consider the same situation with a twin engine plane.

Redundancy provides a way to resolve uncertainty. The off/off state of the double limit switch, failsafe arrangement clearly indicates that there is a signal failure. The use of twin limit switches at each end of the valve provides additional information so that the state of the valve can still be determined with some degree of certainty. This extra sophistication does have its cost, however. The I/O count is doubled and there considerably more care must be taken with the logic. The value of this extra effort depends on your process. It definitely is not recommended for every application.

Four limit switches have sixteen possible combinations of states. Each has one of four possible interpretations. Table 4 lists all the states and the most appropriate interpretation of each one. Assume that the state has been stable for some time and that valve movement has ceased.

LS-8.JPG

This arrangement is in essence a three-out-of-four voting scheme. It is totally immune to single failures and can still determine the correct state of the valve despite several forms of double failures. Let us examine several examples of possible states.

LS-9.JPG

To make certain that a common mode failure does not cause the two errors that could cause a false reading, the circuits must be arranged so that an A switch circuit does not share a common component with its corresponding B switch. Note that it is acceptable for the two A switches to share components. For maximum reliability as well as failsafe response the following should occur in A/B pairs:

• • Conduits to the limit switches
  • Field junction boxes
  • Home run cables
  • DCS or PLC I/O modules

A single PLC or DCS processor will be needed to resolve the logic but this unit should have an on-line backup. Note that the use of redundant I/O modules in the PLC or DCS contributes very little safety. On the contrary, it detracts from the reliability by adding more components that can fail. We already have three out of four voting. To duplicate the input modules would result in eight input channels for a single piece of information. Questions: Which is safer, a four engine or an eight engine aircraft? Which is more reliable? This argument goes triple for triple modular redundant (TMR) systems.
Every state that is not one of the three "perfect" states is alarmed so that maintenance can be performed. As long as this is done before a second failure occurs, a nuisance shutdown of the system can never happen based on a single failure. Double failures are not only improbable but also extremely improbable if maintenance responds promptly to the first trouble signals.

THE MOST IMPORTANT THING:
This article describes a number of ways of arranging and connecting limit switches and the interpretation of their signals. But always remember the most important thing about limit switches before implementing any of these schemes. The most important thing is simply this: Make certain that the limit switches are solidly, rigidly, immovably mounted. More limit switch "failures" are due to sloppy mounting than to any other cause. Each one must be individually adjustable and must hold this setting firmly once it is set. If pulling on the conduit can move the switch, it is not firm enough. Better that the wire rip off than that the switch move! Make certain that movement of the valve stem cannot put force on the switch. If ice builds up on the face of a magnetic switch, the valve stem will move the switch. In such cases, enclose the entire assembly in a housing.

The following animation files are available for download:

• ZSC-101.exe - the original DOS version of the valve limit switch demonstration program (45K)
  ZSC-102.exe - version 2.0, the Windows version of the demo program complete with tutorial and ‘tests’. (71K)

Go to the following link for downloads:
http://www.driedger.ca/limitsw/LimitSw.html