ISA 77.22 Working Copy
Table of Contents
1.0 Scope
2.0 Purpose
3.0 Definitions
4.0 Concepts
5.0 Symbols
6.0 Block Definitions
6.1 Drives
6.1.1 Motor Control (Single speed, maintained control output)
6.1.2 MOV (open/close operation, momentary output)
6.2 The Group Control Blocks
6.2.1 Two Device Controller
6.2.2 Three Device Controller
7.0 Sequence Controller
8.0 Plant Automation
Annex A - References
Annex B - Tutorial Information
Annex C - Figures
Annex D - Application Examples
Annex E - Plant Configuration
Annex F - Notes: Start-up Sequence
Outline of 77.22
Notes:
1. This outline follows the general format of other 77 series documents for
consistency. Preface and credits to follow the same format.
2. I'm not sure why the Figures are at the back in Annex C. I would have thought it
more convenient for the reader to have these embedded in the text for more ready
reference. Is there a reason for not embedding the Figures?
CONTENTS
1.0 Scope
This technical report provides guidance in the design and application of automation
strategies for plants with fuel input ratings of 25 MW thermal or greater. This technical
report addresses the terminology, documentation, and related methodology for
developing automation strategies.
2.0 Purpose

The purpose of this technical report is to provide advice and guidance for the
development of fossil power plant automation.
3.0 Definitions
definitions go here; I have taken a first attempt at a few
INTERLOCKS are also signals acting to protect equipment from damage, to prevent
unsafe operation, to prevent process upset, or any combination of these. What
differentiates them from trips is that the actions do not shut down the equipment or
process in question. The process or equipment is protected by other means.
INTERLOCKS are subdivided into two types: permissive and corrective. These terms
are analogous to passive and active sometimes used by others.
PERMISSIVE INTERLOCKS prevent a control action, whether manual or automatic,
from occurring unless the programmed criteria are met. The salient feature is that
the action is prevented and thus nothing occurs, including the unsafe action. An
example of a permissive interlock is not permitting a pump to be started if its
suction isolation valve is closed.
CORRECTIVE INTERLOCKS avoid unsafe situations by taking a corrective
action. This is distinctly different from the permissive interlock, which merely
prevents actions. Typically, the corrective interlock initiates a minor operation
necessary to preclude an unsafe condition from occurring.
An example is starting an aux lube oil pump upon tripping of the primary
equipment. Starting the lube oil pump constitutes taking a positive action, as
opposed to the purely passive action of a permissive interlock. The term
CORRECTIVE INTERLOCK is restricted to minimal programmed protective
actions. Higher levels of automation which activate equipment are not
considered interlocks.
SEQUENCING refers to programmed actions which include multiple pieces of
equipment. Typically, SEQUENCING covers a number of actions, normally performed
sequentially, with each step commencing upon completion of the previous. Although
sequencing can consist of a linear series of connected actions, parallel steps are also
permitted when concurrent actions are desired. However, the function of a discrete step
should be retained, so that each block alarms individually.
The distinction between a corrective interlock and a sequence is subtle. For this
document, a corrective interlock is restricted to actions necessary to protect equipment or
processes following an event. A sequence is initiated to accomplish a series of
preprogrammed steps.
TRIPS are signals causing a protective action which places equipment in a safe state,
most commonly shut down. This action may be to protect equipment from damage, to
prevent unsafe operation, to prevent process upset, or any combination of these. TRIPS
are spontaneous actions resulting from the logic responding to process and equipment
feedback. Classic examples of trips are to shut off a pump which has insufficient head, or
a motor which is drawing excess current. Trips respond with action to a process
condition.
Additional Clarification
Considering what an exacting process logic design is, the terminology used is remarkably
loose. Consistent terms will be used in this document, and since definitions are generally
not provided elsewhere, they will be provided here.
Trips and Interlocks
These two terms define similar concepts. Both normally involve preventing prohibited
operations to protect equipment and processes.
MULTIPLE purposes of a common condition
A single condition (e.g. low pump suction level) may constitute both a trip and a
permissive, depending upon process conditions. If the pump is running, it must be
stopped, and the occurrence of this low signal must be programmed as a pump trip.
Conversely, if the pump is not running, starting the pump is merely prevented. Note there
is a tacit assumption that there is no harm in not starting the pump; if the consequences
of not starting the pump are worse than the risks of running, then such an interlock would
not be used.
4.0 Concepts
Although this cognitive capability is taken for granted, programming a digital computer
to perform a similar task has proven remarkably difficult. The mind appears to have
difficulty keeping simultaneous track of very explicit items, even when those items are
individually straightforward. Programming requires exactly these sorts of skills, and thus
has proven to be an iterative and error prone process.
Once the code exceeds more than a few dozen lines in length (and some would argue
even less than that), errors or bugs tend to creep in. This is so pervasive that a
debugging phase is considered a normal part of programming. DCS programming is
no exception, and it is quite possibly exacerbated by the need for comprehension of the
physical plant process to be controlled.
No technique can fully eliminate human error. However, engineers who design logic in
an organized, logical manner generally produce systems which start up faster and with
less confusion than their ad hoc programming counterparts. This document attempts to
lay forth principles which organize and standardize logic design, to assist in good
design. The intent is that design engineers, startup personnel and end operations
users will all find the DCS product easier to work with and more consistent.

This document introduces the concepts of hierarchical control. The reasoning behind this
approach is explained and the terms are defined. Individual control blocks are then
discussed, signals defined and operation explained. Finally various programming
examples are given to clarify usage and programming technique.
Good logic design (and programming) is characterized by being organized, consistent and
normally easily understood. The concepts described herein will help achieve these
objectives. Exceptions exist, but these should be reserved for applications which
specifically require deviations in order to accomplish the required control.
Start by describing the FGC principles.
Principles of hierarchical control.
Alarming consistency
Alarm Strategy
A good alarm strategy will provide the operator with a maximum amount of useful
information, while minimizing nuisance alarms and information overload. A
hierarchical control strategy not only supports a good programming methodology, it also
lends itself to a good alarm scheme.
Fundamentally, hierarchical control can be thought of as a collection of function blocks.
Each block has a specific purpose, and controls specific actions for equipment below it.
The block should alarm when it fails to accomplish its required actions. This requires
that a block be designed with the feedback necessary to monitor its actions.
Feedback is sometimes not provided as a cost saving measure. The additional
information provided to the DCS, while useful, may incur additional costs which are
difficult to justify. This compromise affects the engineer's ability to apply the alarm
principles consistently.
A common example is providing position feedback on a modulating control valve. If
position feedback is available, then the operator can be alerted that the control valve may
not be functioning correctly. Without such feedback, the DCS cannot determine that its
output demand signal to the valve is not being followed. If there are some process
consequences resulting from this lack of control, eventually some parameter will deviate
unacceptably resulting in an alarm. The operator is then left to deduce the cause based on
his knowledge and experience with the process.
Current trends toward digital instrument communications alleviate the cost impact since
performance data (monitoring feedback) is available from the end controller. A valve
with a Fieldbus or Profibus controller can provide the required feedback at no
incremental cost other than the effort of programming. When implemented as part of a
consistent program, this effort should be negligible.
Digital communications from individual instruments may permit a further level of alarm
detail. Specifically, information concerning the nature of the equipment failure in the
field may be provided. However, this information may be more useful to maintenance
personnel than to operations staff. If field equipment has failed, then the automation
and/or operators must compensate to permit the process to continue operation. Why this
equipment has failed is secondary to process considerations. Accordingly, signals which
relate to details of equipment failure should not be processed as alarms, to minimize
operator load. These details should be available to the operators as part of event/alarm
lists, but should not constitute a source of additional distraction during operation.
Certain alarms are generated for information which is external to the group or equipment
control logic. These include process variations (pressure, temperature), trouble alarms
from systems having little information in the DCS, external events (fire alarm), etc.
Such alarms do not fit well into the general hierarchical structure, but are nonetheless
essential since the DCS cannot monitor all possible causes of failure.
Emphasis must be placed on generating alarms which are:
Abbreviations are the norm in an alarm list, but must be unambiguous. The alarm
wording must also
The FGC (hierarchical) part
Graphic representation
FGC block definition
Symbology conventions
Signals definition
Sequencer blocks/sequence trips/nearest safe state

There are already ISA practices covering the following:
Plant master control
Runbacks
1-PB start/stop sequences
List of hardware required for support
Alarm management
5.0 Symbols
We need to address how to depict the control recommendations. Other 77 series
standards use SAMA representation; we need to find a good way to present our ideas. In
any case, a separate section to discuss the basic control building blocks should precede
the process application recommendations. Open for discussion.
Use function block symbols. Start here with the various function blocks, defined. The
functionality will be described in narrative form. The inner workings of the blocks may
vary, being vendor or end user specific.
These symbols are used in conjunction with ISA 5.1 logic symbols.
Common basic principles.
6.0 Block Definitions
6.1 Drives:
MOV
Single speed motor
Dual speed motor
Reversing motor

6.1.1 Motor Control (Single speed, maintained control output)

SIGNAL            NAME                ABBR.  TYPE  NOTES
INPUTS            MOTOR RUNNING       RUN    M
INPUTS            AUTO START CMD      AST    P
INPUTS            AUTO STOP CMD       ASP    P
INPUTS            START PERMISSIVE    STP    M
INPUTS            STOP PERMISSIVE     SPP    M
INPUTS            OVERRIDE START      OVS    M
INPUTS            OVERRIDE STOP       OVP    M     TRIP FUNCTION
INPUTS            DRIVE AVAILABLE     AVL    M
CONTROL OUTPUTS   MOTOR RUN           CO     M     Single maintained control output
STATUS OUTPUTS    DRIVE AVAILABLE            M
STATUS OUTPUTS    RUNNING
STATUS OUTPUTS    TAG OUT
ALARMS            TRIP                FTP    M
ALARMS            FAIL TO START       FST    M
ALARMS            FAIL TO STOP        FSP    M
HMI INPUTS        START CMD           HST    P
HMI INPUTS        STOP CMD            HSP    P
HMI INPUTS        ACK ALARM           HAA    P
HMI INPUTS        TAG OUT             HTO    P
HMI INPUTS        TAG OUT RESET       HTR    P

(TYPE: M = maintained signal, P = momentary/pulse signal.)

This document does not preclude the incorporation of additional signals.
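The trip, permissive interlock and corrective interlock behaviour defined in 3.0, applied to the signal table of 6.1.1 above, worked through in Python as an added example (editor-supplied illustration, not logic from the draft or from any vendor's block library). Signal names follow the draft's abbreviations; the feedback allowance FEEDBACK_SCANS, the low-suction-level wiring in run_scenario() and the constructed feedback values are assumptions.

```python
"""Motor drive block of 6.1.1, simulated scan by scan (added example).

Signal names follow the draft's abbreviations. FEEDBACK_SCANS and the
low-suction-level wiring in run_scenario() are assumptions.
"""
from dataclasses import dataclass


@dataclass
class DriveInputs:
    """Signal inputs (M = maintained, P = momentary)."""
    run: bool = False   # RUN  motor running feedback (M)
    ast: bool = False   # AST  auto start command (P)
    asp: bool = False   # ASP  auto stop command (P)
    stp: bool = True    # STP  start permissive (M); False blocks every start
    spp: bool = True    # SPP  stop permissive (M); False blocks a normal stop
    ovs: bool = False   # OVS  override start (M); corrective interlock
    ovp: bool = False   # OVP  override stop (M); trip function
    avl: bool = True    # AVL  drive available (M), e.g. breaker racked in


@dataclass
class HmiInputs:
    """Faceplate pushbuttons, all momentary (P)."""
    hst: bool = False   # HST start command
    hsp: bool = False   # HSP stop command
    haa: bool = False   # HAA acknowledge alarm
    hto: bool = False   # HTO tag out
    htr: bool = False   # HTR tag out reset


class MotorDrive:
    FEEDBACK_SCANS = 3  # scans RUN may disagree with CO before alarming (assumed)

    def __init__(self):
        self.co = False             # CO: the single maintained control output
        self.tagged_out = False
        self.trip = False           # FTP alarm
        self.fail_to_start = False  # FST alarm
        self.fail_to_stop = False   # FSP alarm
        self._mismatch = 0

    def scan(self, i: DriveInputs, h: HmiInputs = None) -> dict:
        h = h or HmiInputs()
        if h.hto:
            self.tagged_out = True
        if h.htr:
            self.tagged_out = False
        if h.haa:
            self.trip = self.fail_to_start = self.fail_to_stop = False

        if i.ovp:
            # TRIP: protection at the lowest level supersedes every start
            # request and the stop permissive. Only a motor that is running
            # (or commanded) is actually tripped, so only then is the alarm
            # raised; a stopped motor is merely prevented from starting.
            if self.co or i.run:
                self.trip = True
            self.co = False
        elif (i.asp or h.hsp) and i.spp:
            self.co = False
        elif not self.co and (i.ast or h.hst or i.ovs):
            # PERMISSIVE INTERLOCK: with STP false nothing happens at all.
            # OVS (a corrective interlock such as starting the aux lube oil
            # pump) may bypass it; a tagged-out or unavailable drive never starts.
            if i.avl and not self.tagged_out and (i.stp or i.ovs):
                self.co = True

        # The block alarms when it fails to accomplish its action: the RUN
        # feedback has to follow CO within the allowance.
        self._mismatch = self._mismatch + 1 if self.co != i.run else 0
        if self._mismatch > self.FEEDBACK_SCANS:
            if self.co:
                self.fail_to_start = True
            else:
                self.fail_to_stop = True

        return {"AVAILABLE": i.avl and not self.tagged_out and not i.ovp,
                "RUNNING": i.run, "TAG OUT": self.tagged_out, "CO": self.co,
                "TRIP": self.trip, "FAIL TO START": self.fail_to_start,
                "FAIL TO STOP": self.fail_to_stop}


def run_scenario() -> dict:
    """One condition, two purposes (3.0): low suction level is wired both to
    OVP and to (not STP); the block decides what that means from RUN.
    Feedback values are constructed."""
    drv = MotorDrive()
    out = {}
    out["started"] = drv.scan(DriveInputs(), HmiInputs(hst=True))["CO"]
    drv.scan(DriveInputs(run=True))                           # feedback follows
    s = drv.scan(DriveInputs(run=True, stp=False, ovp=True))  # level drops while running
    out["tripped"] = s["TRIP"] and not s["CO"]
    drv.scan(DriveInputs(run=False, stp=False, ovp=True))     # motor coasts down
    # Acknowledge and attempt a restart while the level is still low: the
    # start is merely prevented and no trip alarm is generated.
    s = drv.scan(DriveInputs(run=False, stp=False, ovp=True),
                 HmiInputs(haa=True, hst=True))
    out["start_blocked"] = not s["CO"] and not s["TRIP"]
    # Level normal again; restart, but the motor never answers (breaker fault).
    for _ in range(MotorDrive.FEEDBACK_SCANS + 2):
        s = drv.scan(DriveInputs(run=False), HmiInputs(hst=True))
    out["fail_to_start"] = s["FAIL TO START"]
    return out
```

The property worth checking in a real block is the one this simulation makes explicit: the override stop path is the only path that ignores the stop permissive, no automatic or manual start can talk past the permissive or a tag-out, and the override start is let through the permissive only because the draft restricts it to minimal protective actions such as starting the aux lube oil pump.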

6.1.2 MOV (open/close operation, momentary output)

SIGNAL            NAME                ABBR.  TYPE  NOTES
INPUTS            OPEN FB                    M
INPUTS            CLOSED FB                  M
INPUTS            OPEN PERMISSIVE            M
INPUTS            CLOSE PERMISSIVE           M
INPUTS            STOP PERMISSIVE            M
INPUTS            POWER AVAILABLE            M
INPUTS            DRIVE AVAILABLE            M
CONTROL OUTPUTS   OPEN CMD                   P
CONTROL OUTPUTS   CLOSE CMD                  P
STATUS OUTPUTS    OPEN
STATUS OUTPUTS    CLOSED
STATUS OUTPUTS    AVAILABLE
ALARMS            FAIL TO OPEN               M
ALARMS            FAIL TO CLOSE              M
FACEPLATE INPUTS  OPEN CMD                   P
FACEPLATE INPUTS  CLOSE CMD                  P
FACEPLATE INPUTS  ACK ALARM                  P
FACEPLATE INPUTS  TAG OUT                    P
FACEPLATE INPUTS  TAG OUT RESET              P

(Abbreviations for this block were not given in the working copy.)

6.2 The Group Control Blocks

Control:
2-drive control
3-drive control
4-drive control
Sequence block
Each control block has a defined function, inputs, outputs, and alarms. Blocks can be
combined in a variety of ways to construct various control strategies. Good programming
will use the control blocks for the majority of coding, with minimal use of low level (e.g.
AND, OR) logic.
6.2.1 Two Device Controller

SIGNAL    NAME                ABBR.  TYPE  NOTES
INPUTS    GROUP ON                   P
INPUTS    GROUP OFF                  P
INPUTS    A DRIVE PRIORITY           M
INPUTS    B DRIVE PRIORITY           M
INPUTS    A DRIVE AVAILABLE          M
INPUTS    B DRIVE AVAILABLE          M
INPUTS    A DRIVE RUNNING            M
INPUTS    B DRIVE RUNNING            M
INPUTS    DRIVES REQD 0              M
INPUTS    DRIVES REQD 1              M
INPUTS    DRIVES REQD 2              M

(Control outputs, status outputs, alarms and faceplate inputs for this block are listed below.)

Inputs:
1. Control block on (momentary)
2. Control block off (momentary)
3. First device priority (integer, range 1-2), from required faceplate
4. Second device priority (integer, range 1-2), from required faceplate
5. Quantity of subordinate devices required on (integer, range 0-2)
Outputs:
1. Start first subordinate device (momentary)
2. Stop first subordinate device (momentary)
3. Start second subordinate device (momentary)
4. Stop second subordinate device (momentary)
Status:
1. Insufficient drives running (maintained)
2. Quantity of drives running (integer, range 0-2)
Alarms:
1. Insufficient devices running
Faceplate Inputs (all momentary):
1. Group On
2. Group Off
3. Tag out
4. Alarm acknowledge

6.2.2 Three Device Controller


Inputs:
1. Control block on (momentary)
2. Control block off (momentary)
3. First device priority (integer, range 1-3), from required faceplate
4. Second device priority (integer, range 1-3), from required faceplate
5. Third device priority (integer, range 1-3), from required faceplate
6. Quantity of subordinate devices required on (integer, range 0-3)
Outputs:
1. Start first subordinate device (momentary)
2. Stop first subordinate device (momentary)
3. Start second subordinate device (momentary)
4. Stop second subordinate device (momentary)
5. Start third subordinate device (momentary)
6. Stop third subordinate device (momentary)
Status:
1. Insufficient drives running (maintained)
2. Quantity of drives running (integer, range 0-3)
Alarms:
1. Insufficient devices running
Faceplate Inputs (all momentary):
1. Group On
2. Group Off
3. Tag out
4. Alarm acknowledge
7.0 Sequence Controller
Inputs:
1. Sequence On
2. Monitor feedback
3. Step cancel*
* This input is used to defeat the alarming (and therefore any associated automatic
actions) of a step, without stopping the entire sequence. The sequence block remains active,
and passes through the sequence on signal to the sequence complete signal, while the
equipment command remains off. A typical application is for starting equipment in a
sequence, and then turning the same equipment off later in the same sequence. The
sequence string can then remain active without the first block going into alarm.

Outputs:
1. Sequence step complete (maintained)*
2. Equipment Command (Momentary)
* Typically used to initiate subsequent sequence block
Status:
1. Sequence step failed to complete (maintained)
Alarms:
1. Sequence step failed to complete
2.
Sequence Blocks
Sequencer blocks are typically used to either start or stop equipment in a sequential
manner. Normally, a separate string of sequencer blocks is used for the start and the stop
sequence. The command outputs of the sequencer blocks must not affect the equipment
unless that particular sequence string is in service.
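The sequencer block and the step-cancel behaviour described above, as an added example in Python (editor-supplied, not the draft's own logic or any DCS vendor's block): each step pulses its equipment command once, waits for its monitor feedback, alarms and holds the string if the feedback never arrives, and a cancelled step passes the sequence-on signal straight through with its command held off. The per-step timeout, the feedback dictionary and the feedwater step names (taken from the order of the feedwater start in Annex F, item 5) are assumptions.

```python
"""Sequencer blocks of 7.0 chained into a start sequence string (added example).

The per-step timeout, the feedback dictionary and the feedwater step names
(after Annex F, item 5) are assumptions for illustration.
"""


class SequenceStep:
    def __init__(self, name, timeout_scans=5):
        self.name = name
        self.timeout = timeout_scans   # scans allowed for MONITOR FEEDBACK (assumed)
        self.complete = False          # SEQUENCE STEP COMPLETE (maintained)
        self.cmd = False               # EQUIPMENT COMMAND (momentary)
        self.failed = False            # SEQUENCE STEP FAILED TO COMPLETE (status + alarm)
        self._armed = False
        self._elapsed = 0

    def scan(self, sequence_on, monitor_feedback, step_cancel=False) -> bool:
        self.cmd = False
        if not sequence_on:
            # String not in service: the command must not affect the equipment.
            self.complete = self.failed = self._armed = False
            self._elapsed = 0
            return False
        if step_cancel:
            # STEP CANCEL: pass SEQUENCE ON straight through to STEP COMPLETE,
            # keep the command off and defeat the alarm.
            self.complete, self.failed = True, False
            return True
        if self.complete:
            return True
        if not self._armed:
            self.cmd = True          # one-scan pulse on the first active scan
            self._armed = True
        if monitor_feedback:
            self.complete, self.failed = True, False
        else:
            self._elapsed += 1
            if self._elapsed > self.timeout:
                self.failed = True   # step holds here until feedback or cancel
        return self.complete


class SequenceString:
    """Each step's STEP COMPLETE drives the next step's SEQUENCE ON."""

    def __init__(self, names, timeout_scans=5):
        self.steps = [SequenceStep(n, timeout_scans) for n in names]

    def scan(self, sequence_on, feedback, cancelled=()) -> bool:
        on = sequence_on
        for step in self.steps:
            on = step.scan(on, feedback.get(step.name, False), step.name in cancelled)
        return on  # True once the last step is complete

    def commands(self):
        return [s.name for s in self.steps if s.cmd]

    def alarms(self):
        return [s.name for s in self.steps if s.failed]


def run_feedwater_start() -> dict:
    """Constructed walk-through: the BFP never reports running, so its step
    alarms and holds the string; the operator cancels that step and the
    sequence finishes through the remaining step."""
    seq = SequenceString(["lube_oil_on", "disch_mov_closed", "bfp_start", "disch_mov_open"], 3)
    fb = {}                                     # constructed monitor feedback
    log = {}
    seq.scan(True, fb)
    log["first_cmd"] = seq.commands()           # ['lube_oil_on']
    fb["lube_oil_on"] = True
    seq.scan(True, fb)
    log["second_cmd"] = seq.commands()          # ['disch_mov_closed']
    fb["disch_mov_closed"] = True
    seq.scan(True, fb)
    log["third_cmd"] = seq.commands()           # ['bfp_start']
    done = False
    for _ in range(4):                          # no RUN feedback from the BFP
        done = seq.scan(True, fb)
    log["held"] = (not done, seq.alarms())      # (True, ['bfp_start'])
    seq.scan(True, fb, cancelled={"bfp_start"})
    log["after_cancel"] = (seq.commands(), seq.alarms())   # (['disch_mov_open'], [])
    fb["disch_mov_open"] = True
    log["complete"] = seq.scan(True, fb, cancelled={"bfp_start"})
    return log
```

A failed step does not raise the string's completion signal, so the steps after it stay idle; that is what lets the alarm of one block stand for the hold of the whole string, and why the cancel input has to clear both the alarm and the command rather than only the alarm.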
8.0 Plant Automation
Level of automation: to what extent are we going? Single button start?
How to organize: suggest start-up and shutdown be together for each plant
configuration.
Suggested organization:
Group control Systems
Cover individual plant systems here, the ones which lend themselves to group
(hierarchical) control:
o Feedwater system
o Condensate system
o Boiler air/gas (FD/ID fans)
o PA system
o Other stand-alone type applications
The overall plant (and some systems) will require:
o Overall start-up and shut-down sequences
o Fuel sequencing (mills, burners)
Another question is how much to cover. Below is a list of the major plant types. We
could address the different types by
a) having a separate standard (or section of a standard) for each configuration,
b) similar to (a), but all in one standard,
c) a different split, with the basic 1x1 plants first, then address the added 2x1
complexities (much of which may be common).

Annex A - References

Annex B - Tutorial Information

Annex C - Figures

Annex D - Application Examples


The simplified figure below depicts a simple group control for 3x50% condensate pumps.
Each pump has an individual motor drive module. Permissives and trips are used here for
equipment protection. Generally, this protection is connected at the lowest level, and
supersedes any control commands, whether auto or manual. Each pump may be operated
in manual mode, or placed in auto for control by higher levels of automation.
The group of three pumps is controlled by a three device controller, which starts or stops
the individual drives as required. Internal to this block are contained important control
features:
o The number of operating pumps is compared against the required number, and
pump(s) started and stopped accordingly.
o The drive priority sequence (order of pump starting) may be manually set, but
will automatically adjust for the unavailability of a subordinate drive, as
determined from the drive module's available status signal.
o The drive priority sequence transfers to auto in a bumpless manner, so as to
leave running pumps running. However,

[Figure (Annex D example): 3x50% condensate pump group. Group on/off, which may be linked to higher control levels, and a pumps-required signal derived from unit load (2 pumps required in the example) feed a 3 device control block. The block exchanges drive control and status with one motor drive control block per pump (Pump A, Pump B, Pump C), each with its own permissives and trips (P&T).]
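The three device controller of 6.2.2 and the condensate pump group of this annex, as an added example in Python (editor-supplied, not the draft's own logic or any vendor's block): an N-device controller that compares the running count against the required count, starts and stops in operator-set priority order, pushes unavailable drives to the end of that order so the next available drive steps in automatically, and leaves running drives alone when the priorities change. Assumed for illustration: Group Off stops the running drives, the insufficient-drives alarm is delayed by FEEDBACK_SCANS scans so a normal start has time to complete, and the pump availability and running feedback in run_condensate_scenario() are constructed.

```python
"""N-device group controller of 6.2.1/6.2.2 applied to the 3x50% condensate
pump group of Annex D, simulated scan by scan (added example).

Assumed: Group Off stops the running drives; the insufficient-drives alarm
is delayed by FEEDBACK_SCANS scans.
"""
from dataclasses import dataclass


@dataclass
class GroupStatus:
    start: list         # momentary start command per subordinate drive
    stop: list          # momentary stop command per subordinate drive
    running: int        # quantity of drives running (0..n)
    insufficient: bool  # insufficient drives running (status and alarm)
    on: bool            # control block in service


class GroupController:
    FEEDBACK_SCANS = 3

    def __init__(self, n):
        self.n = n          # 2 or 3 subordinate drives in the draft; any n here
        self.on = False
        self._short = 0

    def scan(self, group_on, group_off, priority, available, running, required):
        n = self.n
        start, stop = [False] * n, [False] * n
        if group_off:
            if self.on:
                stop = list(running)          # assumed: Group Off stops what is running
            self.on = False
        elif group_on:
            self.on = True
        count = sum(running)
        if not self.on:
            self._short = 0                   # block off: no commands, no alarm
            return GroupStatus(start, stop, count, False, False)

        required = max(0, min(n, required))
        # Operator-set priority (1 = first to start) decides the order; drives
        # whose DRIVE AVAILABLE status is false drop to the end, so the next
        # available drive steps in automatically.
        order = sorted(range(n), key=lambda k: (not available[k], priority[k]))
        if count < required:
            # Bumpless: drives already running are left alone; only the
            # shortfall is started, in priority order.
            for k in order:
                if count + sum(start) >= required:
                    break
                if available[k] and not running[k]:
                    start[k] = True
        elif count > required:
            # Shed the lowest-priority running drive(s) first.
            for k in reversed(order):
                if count - sum(stop) <= required:
                    break
                if running[k]:
                    stop[k] = True
        self._short = self._short + 1 if count < required else 0
        return GroupStatus(start, stop, count, self._short > self.FEEDBACK_SCANS, True)


def run_condensate_scenario() -> dict:
    """Constructed walk-through for 3x50% pumps A, B, C with 2 required."""
    g = GroupController(3)
    ok = [True, True, True]
    log = {}
    s = g.scan(True, False, [1, 2, 3], ok, [False, False, False], 2)
    log["group_on"] = s.start                              # [True, True, False]
    s = g.scan(False, False, [1, 2, 3], ok, [True, True, False], 2)
    log["steady"] = (s.start, s.stop, s.running)           # nothing to do, 2 running
    # Pump B trips: its drive module reports not available and not running.
    s = g.scan(False, False, [1, 2, 3], [True, False, True], [True, False, False], 2)
    log["b_unavailable"] = s.start                         # [False, False, True]
    # Operator reverses priorities while A and C run: nothing is swapped.
    s = g.scan(False, False, [3, 2, 1], [True, False, True], [True, False, True], 2)
    log["bumpless"] = (s.start, s.stop)
    # Load drops, one pump required: the lowest-priority running pump (A) stops.
    s = g.scan(False, False, [3, 2, 1], [True, False, True], [True, False, True], 1)
    log["shed"] = s.stop                                   # [True, False, False]
    # Only A left available but two required: alarm after the allowance.
    for _ in range(GroupController.FEEDBACK_SCANS + 1):
        s = g.scan(False, False, [1, 2, 3], [True, False, False], [True, False, False], 2)
    log["insufficient"] = s.insufficient                   # True
    s = g.scan(False, True, [1, 2, 3], ok, [True, False, False], 2)
    log["group_off"] = (s.stop, s.on)                      # ([True, False, False], False)
    return log
```

The bumpless behaviour falls out of acting only on the difference between running and required: a priority change alone never produces a command, and a pump is only swapped when a trip or a change in the required count creates a shortfall or a surplus.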

Annex E - Plant Configuration


The plant types:
1) Combined cycle (Gas/oil)
a) 1x1x1
b) 2x2x1
c) 1x1x1 single shaft
2) Rankine Cycle drum units
a) PC 1x1
b) PC 2x1
c) Gas/Oil 1x1
d) Gas/Oil 2x1
e) CFB 1x1
f) CFB 2x1
3) Supercritical
a) PC 1x1
b) Gas/oil 1x1
I recommend we target the CC 2x2x1 and PC 1x1 for our first draft document.
Henrik's notes, fyi:
This draft outline is largely a collection of my writing to date, with some input from
others. This means it has no consensus, and I am sure the 77.22 members will not be shy
with recommendations! I have included the personal notes herein to convey my thought
process and intent; this too is fair game for critique.
A word on state diagrams
State diagrams were suggested at the last subcommittee meeting as a means of
representing the logic. I, along with a couple of colleagues here at Bechtel, reviewed
this possibility. My only previous experience with this method dates from my college
days, when this was taught as a method of logic design (to be built with chips in the lab).
Pros for this method:
Taught formally to engineering grads (not sure how many)
Already documented in ISA S88
Rigorous treatment of states and state transitions (good for avoiding
unintended states)
Cons for this method:
Not used much in power plant applications; I have not seen it used by utilities,
A/E firms, or vendors (on the other hand, the proponents must use and like it)
Functional block (FB) representation would be more familiar to most power
plant users
FB compatible with SAMA representation; it's one of the IEC ???
programming languages
FB used by most DCS vendors, so it's closer to this type of implementation
More familiar to power plant I&C staff (personal opinion here)

Based on the above, this document proceeded with FB notation. We aren't far enough
along that this can't be reversed by consensus.

Annex F - Notes: Start-up Sequence

ISA 77.45 Notes: Start-up sequence
Notes:
1) This is a draft beginning only; might as well get started somewhere.
2) For the time being, I am excluding the following from consideration:
a) Combined cycle plants
b) Supercritical plants
c) Plants with multiple boilers per turbine (2x1 arrangements, etc.)
3) This is a start-up outline only; I have not considered shutdown yet.
4) Not listed below is the sequencing of drain valves, which occurs at various
times throughout the startup process. This is also important.
5) CAUTION: This was created from memory, and I have probably omitted
some items. Also, I realize I haven't been consistent in the level of detail.
6) See additional thoughts listed after the sequence outline.
Start-up Sequence (high level overview):
1) Basic utilities need to be operational:
a) Electrical systems and UPS
b) Service and instrument air systems
2) Start aux water system
3) Start CW system
a) Valve alignment
b) CW pipe fill
c) Vacuum priming
d) CW pump(s) start requires discharge valve sequencing
4) Start Condensate system
a) Condensate polisher in service
b) Pump min recirc, hotwell level controls in auto
c) Start condensate pump(s)
d) Fill DA storage tank
5) Start Feedwater system
a) Lube oil system on
b) Pump min recirc controls in auto
c) Disch MOV closed
d) Start BFP
e) Open Disch MOV
f) Boiler/drum fill to suppressed setpoint (could also be by condensate
system earlier)
6) Rotary air Heater
a) Sector plate control on
b) Air heater running
7) ID Fan Start
a) CEMS operational
b) Boiler water seal filled
c) Seal, scanner, and/or cooling air fans running
d) Baghouse, precip, AQCS in service
e) IDF lube oil system on
f) Box up IDF
g) Start IDF
h) Release to furnace pressure control
8) FD fan start
a) Box up FD fan
b) Start FD fan
c) Release to modulating air flow control
9) Start gas recirc fans (if applicable)
10) Purge boiler and AQCS
a) Air flow to purge rate
b) Time purge (BMS function)
c) Reset MFT relay (BMS function)
11) Fuel system ready (this is highly dependent on the boiler and fuel system
design)
a) Light off fuel pressure (pumps for oil, valves for gas)
b) NFPA 85 checks complete (varies with fuel)
c) Steam/water drains set for light off
d) HP bypass valve open
i) Temperature loop in auto
ii) Pressure setpoint coordinated with turbine controls
iii) Open HP bypass
e) Atmospheric vent valves (on HRH) open
12) Light off & warm up
a) Light off boiler ignitors (air register sequencing)
b) Light off warm up guns (air register sequencing)
c) Control firing to match permitted warming rates
d) Release drum level setpoint to normal
13)Seal steam turbine (usually in turbine controls, not DCS)
a) Steam conditions ok
b) Gland steam exhauster fans on
c) Gland steam system in service
d) Gland steam condenser in service
e) Admit steam to seals
14)Pull vacuum
a) Start hogging pumps or ejectors
b) Start holding pumps or ejectors
c) When pressure setpoint is reached, stop hogging equipment
15) Start bypass system (if the plant has one)
a) IP bypass valve open
i) Temperature loop in auto
ii) Pressure setpoint coordinated with turbine controls
iii) Open IP bypass valve to condenser
b) Close atmosphere vent valves
16) Prepare coal system for firing
a) Start PA related seal air fans
b) Ensure PA system is sealed at the coal silo end for all mills:
i) Adequate level in coal bunker
ii) Coal on feeder belt and in feeder inlet pipe
iii) Alternatively, coal bunker outlet gate may be closed
c) Start PA fans
d) PA pressure control to auto
e) Mill temperature control to auto (selected mills only?)
f) Warm up mills
g) Place ash systems in service
17)Verify steam/water chemistry is acceptable for turbine roll
18)Turbine roll via turbine controls.
a) Sequence depends upon:
i) Temperature requirements
ii) HP vs. IP turbine roll admission
iii) Coordination with bypass valves (may be affected by bypass valve
capacity)
b) Roll turbine
c) Sync generator
d) Load up to remain above reverse power relay setting
19) Load up unit
a) Add mills as required
b) Support fuel removed when second mill in service (typ.)
c) Close bypass valves
d) Follow equipment ramp rate limits during loading
20) Load to dispatched power level and/or switch to remote dispatch control.
****** End ********
Other points to consider:
1) The following systems were glossed over (or omitted entirely) in the above,
but are also essential to proper operation:
a) AQCS various systems and numerous supporting subsystems
b) Bottom ash
c) Flyash
d) Wastewater
e) Boiler blowdown
2) The following additional startup sequences may also be needed:
a) BFP turbine warm up and roll
b) Transfer between main and start up BFPs
c) Economizer recirc pump and control
d) Forced circulation pumps, if any
3) The startup sequence controls will need to account for runbacks, rundowns,
trips, and holds due to various problems. The logic probably should be
designed to fail back to some safe previous logic step.
