Creating Safe Links with Radio Telemetry

Although modern radio telemetry products are extremely reliable, there is always the chance that something can go wrong. When used in a safety system, e.g. a plant emergency shut-down mechanism, it becomes imperative to ensure the signal gets through regardless of any failure. If the signal is not getting through, the design must execute a shutdown as a safety measure.

There are two issues that may concern the safety engineer of such a plant. The first is the failure of any one item, together with the notification of such a failure. The second is possible interference from another system that may render the link inoperative. An extension of this is the possibility that the interfering system may itself issue the shutdown command.

When designing the system all the above factors need to be taken into account. Taking the issue of interference first (as this is a radio link), we'll tackle the question of licensed vs. non-licensed frequencies. A licensed frequency offers only one advantage over a non-licensed one: the frequency is semi-exclusively for your use within a limited range (usually ±50km). As there are only 4 units operating on the frequency, it is highly likely you will not be granted exclusive use and will have to co-exist with other users.

If you are fortunate enough to get exclusive use within your operating area you are probably a little less prone to interference, but not immune to it. If you do suffer interference and it happens to be on your frequency, then you have the bother of locating the offending party and then having them taken off the air.

Licence-free frequencies offer a number of advantages. There is a whole spectrum to choose from (458.5-458.95 MHz in the UK), and should you suffer interference you merely have to program the units to a different part of the allowed range. If you decide to operate on two separate frequencies (although in this design you lose half the cross-check features) there are no extra costs for acquiring the second frequency.

Having accepted that operating on a licence-free frequency is acceptable, we need to focus on ensuring the system is not open to false triggering. The design philosophy used here is that shutdown will be executed only upon receipt of two complementary signals. If only one signal is received, an alarm will sound to warn a supervisor of a pending problem or failure. There are effectively two aspects to this design: the physical system configuration and the system software parameters, e.g. system and unit addresses. We will cover the software settings first.

It appears to be human nature to want to program system addresses starting at 1. This opens one up to all sorts of possible problems. If you are installing all the systems in one area then you can ensure each has a different address, but if not there is a high chance you will receive commands from another system (if it is also set to system address 1). A rule that has worked well for many is to set the system address to the last 4 digits of the telephone number where the host is located. There is a mathematical model to try and calculate the probability of the number recurring within your area, but the result is probably worth nothing more than a waste of time. As an added measure one can also start at the highest accepted unit number and work down, which is also not the human approach to things.

The software configuration is simple: inputs 1 & 2 of unit 1 are mapped to outputs 1 & 2 of both units 1a and 1b. Similarly, inputs 3 & 4 of unit 2 are mapped to outputs 3 & 4 of units 1a & 1b. Outputs 2 & 4 of both 1a & 2a are configured to reset after an acceptable period of no updates. These indicate link failures.

On the hardware front the design has the shutdown signal on input 1 of unit 1 and input 3 of unit 2. This corresponds to the outputs used on the opposite side, a combination that is highly unlikely in any other system within earshot of yours. It will also be noticed that the shutdown is brought from two contacts on the shutdown switch, to cater for a contact welding or rusting closed.

The outputs are wired in such a way that any failure of the system will raise an alarm, with total failure forcing a shutdown. Note that all relays on the outputs are normally open and are held closed while the system is active. This will therefore cause a shutdown should any one part of the system lose power, the link fail, or the shutdown signal be made active.
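The following is an added simulation of the relay logic described above, not code from the original page or from the Elpro product: one receiving unit's four normally-open relays, the no-update timer on outputs 2 & 4, and the rule that two tripped paths force a shutdown while one only raises an alarm. The 30 s timeout, the `Receiver`/`make`/`run_scenarios` names and the scenario timings are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

LINK_TIMEOUT_S = 30.0  # assumed "acceptable period of no updates"; not given on the page

@dataclass
class Receiver:
    """Relay outputs of one receiving unit (1a or 1b). Relays are normally open
    and held closed (True) while healthy, so False means tripped. Outputs 1 & 3
    mirror the two shutdown-switch contacts (input 1 of unit 1, input 3 of
    unit 2); outputs 2 & 4 are link-alive relays reset by a no-update timer."""
    out: dict = field(default_factory=lambda: {1: True, 2: True, 3: True, 4: True})
    last_update: dict = field(default_factory=lambda: {1: 0.0, 2: 0.0})

    def update(self, tx: int, now: float, inputs: dict) -> None:
        """Apply a frame from transmitter 1 (outputs 1 & 2) or 2 (outputs 3 & 4)."""
        for n in ((1, 2) if tx == 1 else (3, 4)):
            self.out[n] = inputs[n]
        self.last_update[tx] = now

    def decide(self, now: float) -> str:
        """Run the watchdog, then: both paths tripped -> SHUTDOWN, one -> ALARM."""
        if now - self.last_update[1] > LINK_TIMEOUT_S:
            self.out[2] = False
        if now - self.last_update[2] > LINK_TIMEOUT_S:
            self.out[4] = False
        path_a = not (self.out[1] and self.out[2])  # unit 1 contact or link
        path_b = not (self.out[3] and self.out[4])  # unit 2 contact or link
        return ("OK", "ALARM", "SHUTDOWN")[path_a + path_b]

def make(t1: float, in1: dict, t2: float, in2: dict) -> Receiver:
    # receiver that last heard unit 1 at t1 (inputs in1) and unit 2 at t2 (in2)
    r = Receiver()
    r.update(1, t1, in1)
    r.update(2, t2, in2)
    return r

def run_scenarios() -> dict:
    """Constructed scenarios exercising the single-vs-double failure rule."""
    ok = {1: True, 2: True, 3: True, 4: True}
    return {
        "healthy": make(0.0, ok, 0.0, ok).decide(5.0),
        # one contact only (welded contact, or a stray command on the address): warn
        "one_contact": make(0.0, {**ok, 1: False}, 0.0, ok).decide(5.0),
        "both_contacts": make(0.0, {**ok, 1: False}, 0.0, {**ok, 3: False}).decide(5.0),
        # unit 2 silent for 45 s: output 4 resets, link-failure alarm
        "one_link_lost": make(40.0, ok, 0.0, ok).decide(45.0),
        # both links silent: total failure, forced shutdown
        "both_links_lost": make(0.0, ok, 0.0, ok).decide(60.0),
    }
```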

The Elpro 105U-1 lends itself superbly to this type of link and is used as the basis in the design of this remote shutdown link.
