safety control and monitoring system (scms)snmrec.fau.edu/sites/default/files/scms...

©2011 Florida Atlantic University

Any reference to specific equipment, manufacturer, or supplies is for descriptive purposes only and does

not constitute an endorsement of a particular product or service by the author(s) or by Florida Atlantic

University.

Safety Control and Monitoring System (SCMS)

Contributors: Thomas Pantelakis Edward Henderson Dr. Pierre-Philippe Beaujean


FAU Southeast National Marine Renewable Energy Center

P

age

2

THIS PAGE INTENTIONALLY LEFT BLANK

Safety Control and Monitoring System (SCMS) FAU Southeast National Marine Renewable Energy Center P

age

3

SUMMARY Florida Atlantic University has developed a novel Safety Control and Monitoring System (SCMS) to

address the need to monitor and control scaled ocean current energy device performance and health.

This system has been designed to be flexible, scalable, and extensible to ocean systems with motor-

generator plants and drivetrains. It allows remote access to submerged systems both for autonomous

intelligent system health intercession and operator feedback and control. It is being tested and

optimized for small (1:20 scale) device fitment but is designed to scale with commercial device

prototypes. The system is described in detail, both at the hardware and software layers, to provide an

introduction to its capabilities and features

INTRODUCTION With renewed international interest in

development of commercial ocean current

turbine technology, Florida Atlantic University’s

(FAU) Southeast National Marine Renewable

Energy Center (SNMREC) identified a need to

address early stage development of small scale

ocean flow extraction devices (1:20) and

provide on and offshore testing tools and

infrastructure. For component and subsystem

investigation, a 20kW experimental device was

developed at FAU. Concurrently, various

accelerator sector needs were identified and

addressed, especially development of a

Machine Condition Monitoring (MCM) and

Prognostics Health Monitoring (PHM) capability

which evolves with the scaled development of

commercial devices.

In order to safely test and deploy an

experimental turbine, the ability for operators

to monitor system health and then intercede

as needed is required. Since traditional

autonomous/operator monitoring capabilities

and data collection for reliability assessment

require the development and integration of

shared components, a single basic system was

developed. FAU’s Department of Ocean and

Mechanical Engineering’s Electrical Laboratory

was responsible for the development of

hardware and software systems to (1) integrate

all sensor inputs, (2) parse and combine sensor

data for intelligent machine-level intercession

and (3) transmission to top-side storage and

viewing devices as the Safety Control and

Monitoring System (SCMS). Requirements

included the capability to scale the desired

sensor inputs and full system while retaining

the flexibility to accommodate sensor inputs of

any common type. Leveraging the opportunity

to evolve the SCMS with commercially scaled

systems, this system will mature appropriately

for commercial implementation.

SYSTEM OVERVIEW The SCMS is designed to “protect” large

machinery and personnel operating the

machinery. It constantly monitors a machine’s

conditions and the surrounding environment.

If safe limits are exceeded the SCMS will safely


FAU Southeast National Marine Renewable Energy Center Pag

e 4

shut down the machinery and turn off the

power. This protects the machine and the

personnel operating it.

The SCMS is a dual data acquisition and control

system that can operate as one integrated

system while in two physical locations. One of

the two locations can be at the machine (Wet

Side) and the other location can be at the

machine’s control equipment (Top Side). The

typical application for one location could be at a

turbine generator deep in the ocean and the

other location at its power inverter on the

ocean surface (which connects to the power

grid).

To ensure the optimum quality and reliability,

all sensor input circuits and actuator output

circuits are electrically isolated to withstand

common mode voltages as high as 3750Vrms.

Excellent flexibility is obtained with individual

plug-in sensor and actuator modules. Control

Settings and Alarm Limits are also easily

changed with downloadable text tables.

The SCMS is composed of two Safety

Controller mother boards that operate

together with a single serial communications

link. The Safety Controllers can also operate

independently in the event that there is a break

in the communications link. Each Safety

Controller can be configured with up to 12

Sensor or Actuator Modules. The Modules are

smart, microprocessor controlled. Each Module

continuously queries its sensor input and

converts the input data to standard units. For

example a thermocouple sensor voltage is

converted to temperature in degrees C.

The Input Sensor Module types are:

Thermocouple, Thermistor, Leak Detector,

Contact Sensing, Incremental Encoder, Load

Cell, IMU, Pressure, GFI, Oil Condition, RS485,

RS422, RS232, DC Voltage, DC Current, AC

Voltage and AC Current. The output module

types are: DC power, Relay Contacts, Lamps,

Buzzers, RS485, RS422 and RS232.

The Safety Controllers have two basic

functions. They control the flow of data and

they operate a Process Controller. The Safety

Controllers continuously flow status and sensor

data from all the Sensor modules (as a

background task), to a special PC Interface

Module. The PC Interface Module can then be

used by an external personal computer to

obtain all input sensor data and the system

status. The input sensor data that the personal

computer receives is in ASCII characters and

standard units.

Input

ModulesSensors

Output

Modules

Wet Side

Safety

Controller

Input

Modules PC

Interface

Module

Actuators

Sensors

Output

Modules

Top Side

Safety

Controller

Actuators



e 5

The sensor data is always available to the PC

without any delay however the age of the data

can be 2 or 3 seconds old. The system status is

also available to the PC. This system status is

the high/low warnings and alarms which were

generated when input sensors exceeded the

limit values in a Limits Table. Since the system

status flow takes priority over the sensor data

flow its age is less than 400mS. The PC can also

be used to set and clear actuators during

certain testing conditions.

The PC interface may also be used to link

directly to each Safety Controller. This allows

process control tables to be down loaded into

each Safety Controller’s micro-processor. The

table types that make up the Safety Controller’s

Process Controller are: the Module

configuration and Limits Table, The Mode

Control Table and the Output Control Table.

During this direct link time to the Safety

Controller, normal data flow is suspended.

The Process Controller on each Safety

Controller runs at a 10Hz cycle rate. At the

start of each cycle all sensor data is collected

from all of the Safety Controller Modules. This

data is then compared to a high/low Limits

Table. All limits that were exceeded during

the compare are stored in a Sensor Status file.

Next the Mode Control Table and the Sensor

Status File are compared to establish a Process

Control State. The Process Control State is then

used with the Output Control Table to update

all Actuator settings. These Actuator settings

are then sent to the modules at the start of the

next cycle.

A Personal Computer can use a Hyper Terminal

to view data and download tables. The Hyper

Terminal should be configured as follows: Bits

Mode

Table

Output

Control

Output

Table

Scanner

Scanner

Output

Modules

Limits

Table

Limits

Compare Input

Modules

Mode

Control

Actuators

Sensors



e 6

per second 115200, Data bits 8, Parity None,

Stop bits 1, Flow control None, Send line end

with line feed, Echo type characters locally, Line

delay 20 mS, character delay 0, Force incoming

data to 7-bitsASCII. The 20mS line delay is

needed when down loading tables. The PC

must be connected to the PC Interface

Module’s RS232 serial port as follows: the PC

Interface Module’s J3-2 receive terminal

connected to the PC’s pin 3 transmit pin, the PC

Interface Module’s J3-3 transmit terminal

connected to the PC’s pin 2 receive pin and the

PC Interface Module’s J3-4 ground terminal

connector to the PC’s pin 5 ground.

Commanding the PC Interface Module is

accomplished by typing a single command

character on the Hyper Terminal. The list of

command characters is displayed when any key

is typed that is not a command character on the

list. The space bar can be used to view the

command list. The Safety Controller’s system

status, including warnings, alarms and errors,

can be viewed on the Hyper Terminal.

MODULES Safety Controllers (part number 200-262) have:

12 Module Slots, two 10 amp Power Switched

Outputs, one RS232/RS422 Communication

Port, a Real Time Clock, Flash Memory Card Slot

and a DSP Microprocessor. The 12 Module slot

may be configured with any combination of the

followings module types: All of the modules are

electrically isolated to withstand common mode

voltages as high as 3750Vrms.

Dual channel Thermocouple Adapter Module

(part number 200-267) has inputs for two Type-

K thermocouples (part number 200-267-1) or

one thermocouple and one thermistor (part

number 200-267-2). The measuring

temperature range is from 0 to 200 °C for the

Thermocouple and from 0 to 50 °C for the

thermistor. In the event of an open

thermocouple the measured value reported will

be full scale (200 °C).

Power Switch Adapter Module (part number

200-268) has a solid state switch with a rating of

70 volts and 10 amps. The Module monitors

the switched voltage and current and reports

the data to the Safety Controller. The Power

Switch main control code has been

programmed to control a turbine brake sub-

system. If voltage is applied to the brake sub-

system it is NOT activated, removing the voltage

applies the brake. The default state is that the

brake is activated unless commanded by the

safety controller otherwise. A software timeout

will occur if communication from the safety

controller does not occur within the specified

CONTROLLER_TIMEOUT period. A hardware

watchdog timer also runs on the module. If

either software or hardware timers expire, the

brake is activated.

Quad Leak Sensor Adapter Module (Part

number 200-269) has 4 leak sensor channels

that are AC coupled with one common

reference point. The leak sensor reported value

is in the range of 0% to 100% where 0% is no

leak and 100% is maximum leak. (0% is an open

circuit and 100% is a short circuit).

Incremental Encoder Adapter Module (200-

270) is an isolated Quadrature Encoder Adapter

with a range of +/- 4800 RPM. The Incremental

Encoder is mounted on the motor shaft and

has1024 PPR. There is a 25:1 gear reduction

between the motor and propeller. The motor



e 7

speed is 1740RPM and the maximum encoder

speed is 4000RPM.

Quad Digital Input/Output Module (part

number 200-271) has four, 24V isolated contact

sense inputs and 4 isolated solid state relay

outputs. The contact sensor input voltage is

15V to 36 V for a one level and 0V to 3V for a

zero level. The relay output rating is 0-36V at

1.0A AC or DC. The solid state relay contacts

have Bi-Directional Transient Voltage

Suppressors rated at 36V and 400W.

Serial RS422/RS485 to RS232 Adapter Module

(part number 200-272) is a microprocessor

controlled, 3 way communication link. It can be

configured to flow Data from any one of the 3

ports to the other ports. A typical application is

when data is flowing from the RS232 port to the

RS422 port and the microprocessor is

monitoring the data at the same time. A 5 volt

power output is also available to power sensors.

There are 5 programmed Module versions

available as follows:

The 200-272-1 is a Serial Module used

to listen to the information stream of the

OS5000 digital compass. Azimuth, pitch, roll,

& depth are extracted from the data stream

and passed to the Safety Controller.


to listen to the information stream of the

WeightSense load cell. The load data is

extracted from the data stream and passed to

the Safety Controller.


to listen to the information stream of an Oil

Condition Sensor. Sensor data is extracted

from the data stream and passed to the Safety

Controller.

The 200-274 is a Serial Module used to

listen to the information stream of the Bender

A-Isometer IRDH375-427. The measured

insulation resistance, alarm levels, relay

states, alarm states, and fault status is

extracted from the data stream and passed to

the Safety Controller.

The 200-272-5 is the Serial Module (PC

Interface Module) used for Safety System

external Control and Reporting of data to a

PC.

The 200-285-1 is an 8 channel single

ended analog input card. The inputs circuits

are configured to receive signals from the

Power Analysis Interface Board 200-283. The

card appears to the safety controller as a dual

4 channel module. ANA as the lower card slot

number for channel 1 – 4 and ANB as the

upper card slot number for channel 5 – 8.

Channels 1-3 are ANA_VAC_U, ANA_VAC_V,

and ANA_VAC_W, the turbine AC RMS Line to

Line voltage. The range is 0 to 409.6 VRMS.

Channel 4 is ANA_VDC the RMS DC load voltage.

The range is 0 to 400VDC. Channels 5-7 are

ANA_IAC_U, ANA_IAC_V, and ANA_IAC_W, the

turbine AC RMS line current. The range is 0 to

150A. Channel 8 is ANB_IDC the DC load

current. The range is 0 to 150A.

Safety Control and Monitoring System (SCMS) FAU Southeast National Marine Renewable Energy Center P

age

8

200-262 The Safety Controller Board top and bottom:

200-267 The Dual channel Thermocouple Adapter Module top and bottom:

200-268 The Power Switch Adapter Module top and bottom:

200-269 The Quad Leak Sensor Adapter Modules top and bottom:



e 9

200-270 The Incremental Encoder Adapter Module top and bottom:

200-271 The Quad Digital Input/Output Module top and bottom:

200-272 The Serial RS422/RS485 to RS232 Adapter Module top and bottom:

200-285 The 8 Channel Analog Input Module top and bottom:



e 1

0

CONTROL AND LOGIC There are 3 types of comma separated text tables that are used by the Safety Controller in the Safety

Controller Process. The following are examples when generated with MS Excel spread sheet.

The Module Configuration and Limits Table:

Each line in this table is used to specify only one input sensor. The table is composed of 4 main

columns. The Controller column is used to select the Controller type and the module slot number. The

Module column is used to select the module type and its’ input channel. The Limits Analog column

selects the high and low limit values that will generate warnings and alarms if enabled. The Event Types

column enables the warnings and alarms and specifies the type of event.



e 1

1

The Mode Control Table:

Each line in this table specifies the conditions that must exist for the controller to change from one

mode to another. There are 4 main columns that make up this table. The first column is used to select

the mode to change from and the mode to change to. The linked controller (Safety Controller) mode

must be selected and also the type and logic. The logic type specifies how the events are to be

evaluated as a logic AND or a logic OR. A logic OR line takes priority over the logic AND line. The next 3

columns are the type of events that can be generated. Use a T to indicate that the event must be true,

an F to indicate that the event must be false and an X if you don’t care. The table should be saved as a

comma separated text file with two carriage return line feeds at the end. The following is an example

Mode Control Table:

The Output Control Table:

Each line in this table specifies an output actuator’s state for all of the different modes. The actuator

type and location column is used to select the controller type and the module slot number. It is also

used to select the module type and its’ output channel. The main Digital Output Values per Mode



e 1

2

column has a separate column for each Process Control Mode. There are 5 actuator states that may be

selected for each actuator’s mode. The states are ON, OFF, PULSE, BLINK and NOCHANGE. The table

should be saved as a comma separated text file with two carriage return line feeds at the end.

There are 12 Process Control Modes. They are as follows: STANDBY1, STANDBY2, STANDBY3,

STANDBY4, STANDBY5, RUN1, RUN2, RUN3, ERROR1, ERROR2, ERROR3 and ERROR4,

The following is a typical example of the uses for each mode on a turbine generator deep in the ocean

and a power inverter on the ocean surface:

STANDBY1 mode - Power up Top Side System

STANDBY2 mode - Power up Wet Side system & Reset GFI

STANDBY3 mode - Set LED display OK

STANDBY4 mode – Wait for start button to be pressed

STANDBY5 mode - Enable Drive and disable Brake

RUN1 - Spin up turbine time

RUN2 – Normal running mode

RUN3 - Powering down mode

ERROR1 - Stop Drive control

ERROR2 - Stop Drive control and apply brake

ERROR3 - Stop Drive control, apply brake and Wet side power off

ERROR4 - Stop Drive control, apply brake and all power off

CONCLUSION The system that has been described in detail in this document represents the first generation of a

scalable, flexible, and extensible ocean current device safety, control, and monitoring package. As

commercial systems are tested at small scales, this novel approach will evolve with subsequent

technology development for future full scaled implementation. The SCMS provides not only necessary

device health and performance metrics from installed sensors to be used by operators and reliability

assessments, but also provides an opportunity for autonomous intelligent control of the plant for pre-

determined critical failure mode scenarios.

Please contact FAU’s Southeast National Marine Renewable Energy Center for demonstrations or

further information at [email protected].

safety control and monitoring system (scms)snmrec.fau.edu/sites/default/files/scms...

Documents