ENGINE SAFETY MODULE
ESM20
POWER PLANT ELECTRIFICATION
BAP-PAU P/15030
© Wärtsilä INTERNAL 29.3.2017
ESM-development
Why ESM?
Need for an independent “stand-alone” safety system
Need to replace old, outdated systems
Need for standardised solutions
common HW and working principles for all engine applications
unified marine and power plant solutions
Need for a compact, certified and classified solution
Need for specific I/Os and functions not available in other systems
ESM main tasks
safety system for the engine
standardised stop circuitry for all applications
predefined settings
standard interface to engine control system and external systems
speed and temperature measuring and related functions
Redundant design
Based on microcontrollers and FPGA
Completely based on solid state technology
PhotoMOS relays used instead of mechanical relays
Low control current
Controls small analogue signals
Low leakage current
Stable on-resistance over lifetime
Extremely long lifetime
Small size
No preferred position
High vibration and shock resistance
No bouncing and no switching noise
ESM-20 in numbers
Power supply: 18 – 32 V DC
Operating temp: -20°C to +85°C
57 indication LEDs on cover
12 digital inputs
29 digital outputs
4 frequency inputs
3 analogue inputs
9 analogue outputs
8 microcontrollers (µC)
1 FPGA
4 switches
ESM hardware
power supply construction
redundant supplies
3 internal electronic fuses
[Figure: power supply block diagram showing fuses F1, F2 and F3, Power bus #1 and #2, and Power supply 1, 2 and 3]
5 x Philips microcontroller P89LPC935
2 x Cypress 8-bit controller CY8C29466
1 x Lattice FPGA LC4512V-75TN176C
1 x Atmel microcontroller AT89C51CC03
Processors functionality:
1. Frequency 1 processor
2. Frequency 2 processor
3. Speed switch processor
4. Lubrication oil pressure processor
5. HT temperature processor
6. Digital input processor
7. FPGA (various logic)
8. Communication processor
9. TC processor
• Galvanic isolation for analogue signals to external systems
• Galvanic isolation for speed switches, speed windows and status outputs
• Wire break detection on all safety critical circuits
  • engine shutdown 1-3
  • external shutdown 1-4
  • MCU shutdown
  • solenoid outputs
• Sensor failure detection on all sensor inputs
• Primary shutdown indication
  • indication by status output, local LED indication and CANopen
shutdown pre-warning
adjustable shutdown pre-warning delay 0 to 10 seconds
no pre-warning on:
overspeed shutdown 1 & 2
external shutdown 2 & 4
stop
• CAN bus
• ESM-20 features one CAN bus with CANopen protocol
• Used for parametrization and diagnostics
• All parameters (except those related to CAN) can be set via CANopen
• All status and failure signals available over CANopen
• Heartbeat functionality
• Built-in 120 Ω termination resistor (can be disconnected)
Overspeed shutdown
Two redundant speed sensor inputs
Push-pull sensors
NPN sensors
VR sensors
Overspeed trip limit adjustable: 100-120 %
Each input has its own:
power supply
microcontroller
overspeed trip circuit
Lubricating oil pressure shutdown
physical range 0-10 bar
signal 4-20 mA
sensor failure limits: 3.5 mA and 20.5 mA
shutdown levels are:
2.0 bar = 7.2 mA
2.5 bar = 8.0 mA
3.0 bar = 8.8 mA
blocking of L.O. shutdown at engine start
blocking active 0, 5, 10, 15 or 20 seconds after engine running information
Lubricating oil pressure start blocking
start blocking levels are:
0.3 bar = 4.5 mA
0.5 bar = 4.8 mA
0.8 bar = 5.3 mA
start blocking is also active when sensor failure is detected
start blocking output is active when it is open, (fail safe)
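The two lubricating oil slides together describe one evaluation of the 4-20 mA loop: range check, start blocking and shutdown with a blocking time after start. The following C sketch is an added example, not Wärtsilä firmware; the function names, the strict "below the level" comparison, and the behaviour of the shutdown on a failed sensor and before the engine runs are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* From the slides: 0-10 bar on 4-20 mA, sensor failure below 3.5 or above 20.5 mA. */
#define LO_FAIL_LOW_MA   3.5
#define LO_FAIL_HIGH_MA 20.5

typedef struct {
    bool sensor_failure;  /* loop current outside the valid window */
    bool start_blocked;   /* start blocking requested */
    bool shutdown;        /* L.O. pressure shutdown requested */
    double bar;           /* converted pressure; 0 when the sensor has failed */
} lo_state;

/* Linear conversion of loop current to pressure. */
double lo_ma_to_bar(double ma) { return (ma - 4.0) * 10.0 / 16.0; }

/* shutdown_bar: 2.0, 2.5 or 3.0; start_block_bar: 0.3, 0.5 or 0.8;
 * block_s: 0, 5, 10, 15 or 20. s_since_running is the time since the
 * "engine running" information appeared (negative = not running yet). */
lo_state lo_evaluate(double ma, double shutdown_bar, double start_block_bar,
                     double s_since_running, double block_s)
{
    lo_state st = { false, false, false, 0.0 };
    if (ma < LO_FAIL_LOW_MA || ma > LO_FAIL_HIGH_MA) {
        st.sensor_failure = true;
        st.start_blocked = true;  /* slide: blocking also active on sensor failure */
        return st;                /* assumption: alarm only, no trip on a failed sensor */
    }
    st.bar = lo_ma_to_bar(ma);
    st.start_blocked = st.bar < start_block_bar;
    /* Assumption: the shutdown is armed only once the engine runs and the
     * configured start blocking time has elapsed. */
    bool armed = s_since_running >= 0.0 && s_since_running >= block_s;
    st.shutdown = armed && st.bar < shutdown_bar;
    return st;
}

int main(void)
{
    /* Constructed sample readings: {loop current in mA, seconds since running}. */
    const double samples[][2] = { {3.0, -1}, {4.4, -1}, {7.0, 3}, {7.0, 12}, {9.0, 12} };
    for (int i = 0; i < 5; i++) {
        lo_state s = lo_evaluate(samples[i][0], 2.0, 0.5, samples[i][1], 10.0);
        printf("%.1f mA: fail=%d start_blocked=%d shutdown=%d (%.2f bar)\n",
               samples[i][0], s.sensor_failure, s.start_blocked, s.shutdown, s.bar);
    }
    return 0;
}
```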
HT water temperature shutdown
two inputs for 3-wire Pt-100 temperature sensors
sensor failure detection
failed sensor does not cause shutdown
shutdown levels are:
105°C
110°C
115°C
possible to disable channel B if not used
MCM shutdown input
input intended for the engine main controller
possible to configure for single or dual wire operation
single wire operation
no wire break detection possible
0V is used as signal reference
used when Motorola MCM-700 is connected to this input
dual wire operation
selectable if input has wire break detection or not
used together with new Main Controller Unit, (development during 2004)
Engine shutdown inputs 1 – 3
inputs for equipment mounted on engine
“close to shutdown” operation
wire break detection
requires a resistor of 22 kΩ mounted over the switch
if input is left unused the WBD-resistor is connected to the input
Used for what?
Engine shutdown 1 for oil mist detector major alarm
Engine shutdown 2 for actuator driver shutdown
Engine shutdown 3 for BEB or HT pressure shutdown
External shutdown inputs 1 – 3
inputs for external equipment mounted off engine
individually configurable for “close to shutdown” or “open to shutdown” operation
when configured as “close to shutdown” the wire break detection is active
requires a resistor of 22 kΩ mounted over the switch
if input is left unused it should be configured as “open to shutdown” and a jumper is placed in the connector
Used for what?
External shutdown 1 for general external shutdown
External shutdown 2 for external governor major alarm
External shutdown 3 for gear box L.O. pressure switch
External shutdown input 4
input for emergency stop button
configurable for “close to shutdown” or “open to shutdown” operation
when configured as “close to shutdown” the wire break detection is active
requires 2 x 22 kΩ resistors
[Figure: wiring of the LCP emergency stop button and the external emergency stops to the ESM Ext. shutdown 4 input, with two 22 kΩ resistors]
activates all stop solenoid outputs
Stop 1
input for stop button
stop timer 0, 60, 120 or 180 seconds
Stop 2
input for blowing/slow turning signal
non-latching
does not activate any status outputs
Stop/shutdown override
input for stop/shutdown override command
disables all shutdowns except:
overspeed shutdown 1&2
external shutdown 4
lubricating oil pressure shutdown, (depending on configuration)
engine shutdown 1, (depending on configuration)
Reset
input for reset signal
resets shutdowns and the stop timer
disabled while engine speed is more than ~2% of nominal speed
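The override and reset rules on this slide can be read as a mask applied to the shutdown requests plus a speed gate on the reset input. The C sketch below is an added example, not the ESM's own logic; the bit layout, the names, and the treatment of already latched shutdowns are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Shutdown sources named on the slides, one bit each (layout is an assumption). */
enum {
    SD_OVERSPEED1 = 1u << 0,  SD_OVERSPEED2 = 1u << 1,
    SD_LO_PRESS   = 1u << 2,  SD_HT_TEMP    = 1u << 3,
    SD_MCM        = 1u << 4,  SD_ENGINE1    = 1u << 5,
    SD_ENGINE2    = 1u << 6,  SD_ENGINE3    = 1u << 7,
    SD_EXTERNAL1  = 1u << 8,  SD_EXTERNAL2  = 1u << 9,
    SD_EXTERNAL3  = 1u << 10, SD_EXTERNAL4  = 1u << 11
};

typedef struct {
    bool lo_press_overridable;  /* "depending on configuration" on the slide */
    bool engine1_overridable;   /* likewise for engine shutdown 1 */
} override_cfg;

/* Sources that stay effective while the override input is active. */
uint16_t override_proof_mask(override_cfg cfg)
{
    uint16_t m = SD_OVERSPEED1 | SD_OVERSPEED2 | SD_EXTERNAL4;
    if (!cfg.lo_press_overridable) m |= SD_LO_PRESS;
    if (!cfg.engine1_overridable)  m |= SD_ENGINE1;
    return m;
}

/* Reset is disabled while engine speed is above ~2 % of nominal. */
bool reset_allowed(double speed_pct) { return speed_pct <= 2.0; }

/* One evaluation cycle of the shutdown latch; returns the new latched set.
 * Assumptions: override suppresses new requests only, and a request that is
 * still present re-latches immediately after a reset. */
uint16_t latch_update(uint16_t latched, uint16_t requested, bool override_on,
                      bool reset_input, double speed_pct, override_cfg cfg)
{
    if (override_on)
        requested &= override_proof_mask(cfg);
    if (reset_input && reset_allowed(speed_pct))
        latched = 0;
    return (uint16_t)(latched | requested);
}
```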
Solenoid outputs 1-4
high side drivers supplying 24 VDC, 1 A
failure detection
wire break detection
short circuit detection
failure detections work in both on- and off-state
if output is left unused a 470 Ω 5 W resistor should be mounted in the connector
short circuit protection in solenoid driver stage
redundant design
1 and 3 are supplied by PS1
2 and 4 are supplied by PS2
stop solenoid outputs 1, 2 and 4 are energised at shutdown
stop solenoid output 3 is configurable to be energised or de-energised at shutdown
Used for what?
solenoid 1 - pneumatic stop solenoid 1
solenoid 2 - pneumatic stop solenoid 2, (backup)
solenoid 3 - actuator driver
solenoid 4 – rigsaver / SWL control
Stop/shutdown status outputs 1-2
potential free PhotoMOS outputs
110 VDC, 0.2 A resistive load
stop/shutdown status 1
can be configured as “closed at shutdown” or “open at shutdown”
used for run/stop signal to speed governor
stop/shutdown status 2
can be configured as de-clutching output
used for generator breaker or de-clutching
Status outputs
potential free PhotoMOS outputs
24 VDC, 0.2 A resistive load
configurable for “open when active” or “closed when active” operation, common setting for all status outputs
status outputs:
• Engine shutdown 1
• Engine shutdown 2
• Engine shutdown 3
• External shutdown 1
• External shutdown 2
• External shutdown 3
• External shutdown 4
• Stop
• Shutdown indication
• Stop/shutdown override
• HT water temp. shutdown
• L.O. pressure shutdown
• Overspeed shutdown 1
• Overspeed shutdown 2
• Shutdown pre-warning
Speed switch 1-4
potential free PhotoMOS outputs
110 VDC, 0.2 A resistive load
speed switch 1
adjustable set point up to 50% of nominal engine speed
set point for engine running information
set point for shutdown blocking functions
running hour counter output utilises same set point
speed switch 2 – 4
adjustable set point up to 120% of nominal engine speed
speed switch 4 also has an on-delay setting of 0, 2, 5 or 10 seconds
Used for what?
speed switch 1 - engine running
speed switch 2-4 – e.g. AVR activation
Speed window 1-2
potential free PhotoMOS outputs
110 VDC, 0.2 A resistive load
2 seconds delay before output is activated
upper limit of speed window is adjustable up to 120% of nominal engine speed
lower limit of speed window is adjustable up to ~2% below upper limit
Used for what?
e.g. clutch-in permission
ESM alarm
alarm output is active when open, (fail safe)
alarm output is activated by any failure indicated by ESM
re-triggers at new alarm
failures lasting for less than 2 seconds are not indicated as alarm
failures indicated by ESM
power supply failure
engine speed sensor failure
lubricating oil pressure sensor failure
Pt-100 sensor failure
wire break on shutdown switch inputs
wire break / short circuit on solenoid outputs
speed differential failure
Engine speed
2 x speed sensor inputs for engine speed
the higher input frequency is converted to an analogue output signal
engine speed 1 output is an isolated analogue output for external systems, (isolation is common with TC speed 1 outputs)
engine speed 2 output is a non-isolated analogue output for local indication
output range set by trimming output value for nominal engine speed
Two different material numbers:
0050E044601 = 4-20 mA analogue outputs (Marine applications)
0050E044602 = 0-10 V analogue outputs (Power plant applications)
Turbo charger speed
2 x TC speed sensor inputs
TC speed 2 A&B - non-isolated analogue outputs for local indication
TC speed 1 A&B - isolated analogue outputs for external systems, (isolation is common with engine speed 1 output)
output range set by setting the frequency corresponding to 20 mA / 10 V output value
Two different material numbers:
0050E044601 = 4-20 mA analogue outputs (Marine applications)
0050E044602 = 0-10 V analogue outputs (Power plant applications)
HT water temperature
2 x Pt-100 sensor inputs
the higher temperature is converted to a 4-20 mA analogue signal
used for local indication of HT water temperature
0-160°C 4-20 mA
Speed pulse output
potential free opto coupler output
24 V, 0.2 A resistive load
controlled by speed sensor 1
Running hour counter output
high side driver supplying 24 VDC, 0.2 A
controlled by speed switch 1
Documentation
4V53L1250 (rev.f) – ESM specification (WFI-ED)
DAAB038630 – ESM setting table (WFI-ED)
DAAB038320 – ESM tuning and calibrating instruction (WFI-ED)
DAAB038681 – this ESM presentation