Safety system separation - examination of three types of machinery protection systems

This article examines three types of machinery protection systems: overspeed, surge detection and vibration monitoring, to help clarify when a SIL certification is truly necessary. The authors explain how companies can protect their business by ensuring separation between control and safety systems.

Ian Popplewell, Trinity Integrated Systems
Rich Kamphaus, Woodward Inc
Steve Sabin, SETPOINT Vibration
Serge Staroselsky, Compressor Controls Corporation


Article Summary

Turbomachinery and rotating equipment often form part of industrial processes where safety instrumented systems (SIS) are used to reduce the operating risk to a tolerable level. An SIS consists of a number of safety instrumented functions (SIFs), each of which is one of the preventive and mitigation layers intended to reduce the likelihood of a hazardous event. The hazard and operability study (HAZOP) process is often used to identify such events.

However, the implementation of such SIFs, whilst meeting the desired safety integrity level (SIL), can be subject to spurious trips: trip events caused by failures within the system even when there is no hazardous event. From a business integrity standpoint, such trips can be expensive in terms of lost production and downtime. Likewise, an undetected dangerous failure, commonly referred to as a missed trip, can be significant to the business and may have safety, environmental, asset or production impacts. Designing a system that meets the complementary, yet sometimes conflicting, requirements of reliability (no missed trips) and availability (no spurious trips) can be challenging. There are standards (IEC61508 and IEC61511) that define the processes for designing and implementing safety systems, but these do not address spurious trips.

A rigorous approach to determining the required availability of a system can help companies design systems and operate their processes safely whilst maximizing business integrity. This article will examine three types of machinery protection systems: overspeed, surge detection and vibration monitoring, to help clarify when a SIL certification is truly necessary. It is interesting to note that some machinery measurements are almost always safety related, while others are almost never safety related, yet all of them make a positive contribution to business integrity.
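The trade-off between missed trips and spurious trips described above is easiest to see with numbers. The following is an added worked example, not part of the article, that compares the average probability of failure on demand (PFDavg, the missed-trip side) with the spurious trip rate (STR) for the usual voting architectures using the simplified, no-common-cause equations from ISA-TR84.00.02. The failure rates, proof-test interval and repair time used in the call at the bottom are assumed illustrative values, not data from any real device.

```python
"""Added example (not from the article): PFDavg versus spurious trip rate for
1oo1, 1oo2, 2oo2 and 2oo3 voting, simplified single-interval equations
(ISA-TR84.00.02), common-cause failures ignored. All numeric inputs are assumed."""

HOURS_PER_YEAR = 8760.0


def sil_from_pfd(pfd):
    """Low-demand SIL band from IEC 61508/61511: SIL n means 10^-(n+1) <= PFDavg < 10^-n."""
    if pfd >= 1e-1:
        return 0            # does not reach SIL 1
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    if pfd >= 1e-5:
        return 4
    raise ValueError("PFDavg below the SIL table")


def pfd_avg(arch, lam_du, ti_hours):
    """Average PFD over one proof-test interval.
    lam_du: dangerous undetected failure rate per hour; ti_hours: proof-test interval."""
    x = lam_du * ti_hours
    return {"1oo1": x / 2.0, "1oo2": x * x / 3.0, "2oo2": x, "2oo3": x * x}[arch]


def spurious_trip_rate(arch, lam_s, mttr_hours):
    """Spurious trip rate per hour. Any safe failure trips a 1ooN group; 2oo2 and 2oo3
    only trip spuriously if a second safe failure occurs while the first is under repair."""
    return {
        "1oo1": lam_s,
        "1oo2": 2.0 * lam_s,
        "2oo2": 2.0 * lam_s ** 2 * mttr_hours,
        "2oo3": 6.0 * lam_s ** 2 * mttr_hours,
    }[arch]


def compare(lam_du, lam_s, ti_hours, mttr_hours):
    """Return one row per architecture with PFDavg, achieved SIL band and spurious trips/year."""
    rows = []
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
        pfd = pfd_avg(arch, lam_du, ti_hours)
        rows.append({
            "arch": arch,
            "pfd_avg": pfd,
            "sil": sil_from_pfd(pfd),
            "spurious_trips_per_year": spurious_trip_rate(arch, lam_s, mttr_hours) * HOURS_PER_YEAR,
        })
    return rows


if __name__ == "__main__":
    # Assumed values: 2e-6/h dangerous undetected, 5e-6/h safe, annual proof test, 8 h repair.
    for row in compare(lam_du=2e-6, lam_s=5e-6, ti_hours=8760.0, mttr_hours=8.0):
        print("{arch}: PFDavg={pfd_avg:.2e} (SIL {sil}), spurious trips/yr={spurious_trips_per_year:.2e}".format(**row))
```

With these inputs 1oo2 improves PFDavg by two orders of magnitude over 1oo1 but doubles the spurious trip rate, 2oo2 does the opposite, and 2oo3 improves both at the cost of a third channel; the standards' SIL tables only constrain the PFDavg column, which is the point the summary makes.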

Rotating equipment safety systems protection
The safety of rotating equipment, including steam turbines, is under increased scrutiny throughout the petrochemical industry due to a recent increase in catastrophic turbine failures related to overspeed events.

As turbines have evolved, so have turbine safety systems. Traditionally, turbine safety functions were embedded within the turbine's main control system: its hardware, software and logic. However, due to the increased number of turbine accidents, turbine manufacturers and owners have begun following general industry safety standards in the implementation of their turbine safety systems, including the turbine overspeed SIF.

Although safety standards such as IEC61511, IEC61508 and ISA 84.00.01-2004 are being followed by many turbine owners and manufacturers, some level of interpretation is required in the actual application of such standards.

In the interest of reducing the level of interpretation when designing, applying, testing, and maintaining a turbine overspeed SIF within a turbine safety system, the American Petroleum Institute (API) has added requirements to its machinery protection standard, API 670 5th edition, to guide turbine manufacturers and users on best practices when implementing and maintaining turbine overspeed SIFs.

The machinery protection standard API 670 5th edition now provides detailed guidelines requiring physical separation between the turbine control system and the turbine safety system. The intent of keeping the turbine overspeed SIF separate from the turbine controller is to reduce:
• The risk of the turbine controller being applied, and/or changed, in a manner which inhibits the turbine safety system’s action.
• The risk that a failure within the turbine controller would inhibit the turbine safety system’s action.
• The cost of a lengthy and expensive safety analysis associated with each system change.
• System complexity.

Because of their quick acceleration, small to medium steam turbines with low rotor inertias pose a problem for turbine manufacturers and owners that implement, test, and maintain turbine overspeed systems. Understanding the total response time of the turbine overspeed SIF, and not just that of the logic solver, is key to verifying whether a turbine overspeed SIF is fast enough to safely shut down a turbine during an overspeed event. API has therefore included specific response time guidelines, as well as basic turbine acceleration equations, within its latest standard, API 670 5th edition. These requirements, if specified, include:
• Total turbine overspeed system response time measurement and recording, upon turbine commissioning, and during each safety system-based proof test.
• Diagnostics to routinely test, measure and record, the response time of all system components, except for the trip valve during normal turbine operation, without affecting the integrity of the overspeed SIF.

Although the API 670 5th edition standard was only released in November 2014, a number of safety-certified logic solvers are now available on the market for use in turbine safety systems, which meet all of the standard’s new requirements including turbine control segmentation as well as total and partial system response time verification and recording.
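The response time budget that the standard asks owners to verify can be worked through with a short calculation. The following is an added example, not code from the article or from any vendor's logic solver, and it does not reproduce API 670's own equations: it uses the elementary constant-torque relation alpha = T/J to estimate how fast a rotor accelerates after a load loss, and compares the time available between the trip setpoint and the maximum allowable speed against the sum of the component response times. The turbine parameters, trip setpoints and component times in the call at the bottom are assumed illustrative values; in a real assessment the accelerating torque, steam entrained downstream of the trip valve and the valve closure profile would come from the turbine manufacturer.

```python
"""Added example (not from the article): overspeed SIF response-time budget.
Assumes constant net accelerating torque after load loss (alpha = T/J) and that
acceleration stops the instant the trip valve is closed; both are simplifications."""
import math


def angular_accel_rpm_per_s(torque_nm, inertia_kgm2):
    """Rotor acceleration alpha = T/J in rad/s^2, converted to rpm/s."""
    return (torque_nm / inertia_kgm2) * 60.0 / (2.0 * math.pi)


def time_budget_s(trip_rpm, max_allowable_rpm, accel_rpm_s):
    """Time available from reaching the trip setpoint to reaching the maximum allowable speed."""
    return (max_allowable_rpm - trip_rpm) / accel_rpm_s


def total_response_time_s(components):
    """Sum of all component response times (sensing, logic solver, solenoid, trip valve)."""
    return sum(components.values())


def evaluate_overspeed_sif(trip_rpm, max_allowable_rpm, torque_nm, inertia_kgm2, components):
    """components: dict name -> seconds; the trip valve entry must be keyed 'trip_valve' so the
    electronics-only figure (what on-line diagnostics can measure) can be split out."""
    accel = angular_accel_rpm_per_s(torque_nm, inertia_kgm2)
    budget = time_budget_s(trip_rpm, max_allowable_rpm, accel)
    total = total_response_time_s(components)
    electronics = sum(t for name, t in components.items() if name != "trip_valve")
    return {
        "accel_rpm_s": accel,
        "budget_s": budget,
        "total_s": total,
        "electronics_s": electronics,
        "speed_at_cutoff_rpm": trip_rpm + accel * total,
        "adequate": total <= budget,
    }


if __name__ == "__main__":
    # Assumed small turbine: ~2 MW at 10,000 rpm gives ~1910 N.m torque; J = 10 kg.m^2.
    # Trip at 110% (11,000 rpm), maximum allowable 120% (12,000 rpm). Times in seconds.
    components = {"speed_sensing": 0.010, "logic_solver": 0.020, "trip_solenoid": 0.030, "trip_valve": 0.300}
    for valve_time in (0.300, 0.600):
        r = evaluate_overspeed_sif(11000.0, 12000.0, 1910.0, 10.0, dict(components, trip_valve=valve_time))
        print("valve %.3f s: budget %.3f s, total %.3f s, speed at cutoff %.0f rpm, adequate=%s"
              % (valve_time, r["budget_s"], r["total_s"], r["speed_at_cutoff_rpm"], r["adequate"]))
```

With the assumed numbers the rotor gains roughly 1,800 rpm per second, so the 1,000 rpm between trip and maximum allowable speed is consumed in about 0.55 s. A 0.3 s trip valve leaves margin; a 0.6 s valve does not, even though the electronics account for only 60 ms, which is why the standard asks for the whole loop, and not just the logic solver, to be measured at commissioning and proof test.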

Surge detection system
Repeated surge cycles on centrifugal and axial compressors can lead to machine damage, severely impacting the operator's bottom line. API 670 5th edition addresses the need to prevent damage due to repeated surging by specifying a surge detection system, which is mandated for axial compressors and recommended for centrifugal machines. The standard applies the principle of segregation to improve the reliability of protection against surge damage. An independent surge detection system fulfils the API 670 requirements by providing segregated surge detection functionality. Two channels are used for surge detection, typically the differential pressure from a flow meter and the discharge pressure. Other signals may be utilized, depending on the surge signature of the compressor.

The independent surge detection system detects surge based on the rate of change and oscillation amplitude of the measured signals. In most cases, the configuration is set to detect surge only when both channels show surge-like behavior. The system identifies each cycle and maintains a surge cycle counter. Its discrete outputs can be used to open the antisurge valve via an air-dump solenoid-actuated valve, and to issue a unit shutdown command if the number of surge cycles exceeds a threshold value within a given time period. The system has provisions for conducting surge testing and for recording the peak values of the rates of change. A surge detection system should be compatible with SIL 2 requirements.
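The detection logic described in the two paragraphs above (two channels, rate-of-change criteria on both, a per-cycle counter with re-arming, an antisurge valve output on the first cycle and a shutdown output when too many cycles occur within a window, plus peak rate recording) can be sketched as a small state machine. The following is an added example, not the article's or any vendor's code, run over a constructed flow-meter differential pressure and discharge pressure signal sampled at 10 Hz. The rate thresholds, the three-cycles-in-30-seconds shutdown criterion, and the sample values themselves are assumed for illustration; a real system would derive them from the compressor's surge signature.

```python
"""Added example (not from the article): two-channel surge cycle detector.
Channel 1: flow-meter differential pressure (kPa); channel 2: discharge pressure (kPa).
A surge cycle is counted when BOTH rates of change fall below their (negative) thresholds,
and the detector re-arms only after both channels start recovering. All thresholds and
the sample data are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class SurgeDetectorConfig:
    dp_rate_threshold: float = -100.0    # kPa/s, flow dP collapsing (assumed)
    pd_rate_threshold: float = -500.0    # kPa/s, discharge pressure collapsing (assumed)
    shutdown_cycles: int = 3             # cycles within the window that trigger shutdown (assumed)
    shutdown_window_s: float = 30.0


@dataclass
class SurgeDetectorState:
    cycle_count: int = 0
    cycle_times: list = field(default_factory=list)
    in_surge: bool = False               # set after a cycle is counted, cleared on recovery
    peak_dp_rate: float = 0.0            # most negative dP rate seen (for surge-test records)
    peak_pd_rate: float = 0.0
    open_antisurge_valve: bool = False   # discrete output 1
    shutdown: bool = False               # discrete output 2


def step(cfg, st, t, dp_rate, pd_rate):
    """Process one pair of rate-of-change values at time t (seconds)."""
    st.peak_dp_rate = min(st.peak_dp_rate, dp_rate)
    st.peak_pd_rate = min(st.peak_pd_rate, pd_rate)
    surging = dp_rate < cfg.dp_rate_threshold and pd_rate < cfg.pd_rate_threshold
    if surging and not st.in_surge:
        # Leading edge of a new cycle: count it and drive the outputs.
        st.in_surge = True
        st.cycle_count += 1
        st.cycle_times.append(t)
        st.open_antisurge_valve = True
        recent = [x for x in st.cycle_times if t - x <= cfg.shutdown_window_s]
        if len(recent) >= cfg.shutdown_cycles:
            st.shutdown = True
    elif st.in_surge and dp_rate >= 0.0 and pd_rate >= 0.0:
        # Both channels recovering: the cycle is over, re-arm for the next one.
        st.in_surge = False
    return st


def run(cfg, samples, dt):
    """samples: list of (flow_dp_kPa, discharge_p_kPa) at fixed interval dt seconds."""
    st = SurgeDetectorState()
    prev = None
    for i, (dp, pd) in enumerate(samples):
        if prev is not None:
            step(cfg, st, i * dt, (dp - prev[0]) / dt, (pd - prev[1]) / dt)
        prev = (dp, pd)
    return st


# Constructed signal: steady state 50 kPa dP / 800 kPa discharge; each surge cycle is a sharp
# collapse on both channels followed by recovery. The optional pressure-only disturbance at
# the end collapses discharge pressure alone and must NOT be counted.
STEADY = (50.0, 800.0)


def surge_cycle():
    return [(30.0, 700.0), (5.0, 600.0), (15.0, 650.0), (30.0, 720.0), (45.0, 780.0), (50.0, 800.0)]


def constructed_signal(n_cycles=3, pressure_only=True):
    s = [STEADY] * 10
    for _ in range(n_cycles):
        s += surge_cycle() + [STEADY] * 4
    if pressure_only:
        s += [(50.0, 680.0), (50.0, 800.0)] + [STEADY] * 4
    return s


if __name__ == "__main__":
    st = run(SurgeDetectorConfig(), constructed_signal(), dt=0.1)
    print("cycles=%d at t=%s valve=%s shutdown=%s peak dP rate=%.0f kPa/s peak Pd rate=%.0f kPa/s"
          % (st.cycle_count, st.cycle_times, st.open_antisurge_valve, st.shutdown,
             st.peak_dp_rate, st.peak_pd_rate))
```

The two-channel AND is what keeps the pressure-only disturbance at the end of the constructed signal from being counted, and the re-arm condition is what stops one cycle's several consecutive collapsing samples from being counted twice; both are the edge cases a surge-test run against a real detector should exercise.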

Vibration monitoring system
While overspeed almost always has safety-related implications and surge almost never does, vibration falls somewhere between these two extremes, skewing heavily towards the non-safety end of the spectrum. Indeed, perhaps only 10% of API 670 vibration, position or temperature systems are used as part of a safety instrumented function. The most common scenario with safety implications is a bearing failure leading to excessive movement or vibration in the radial or axial direction, and subsequent damage to (or destruction of) the seal, not just the bearing. If the process fluid is toxic and/or flammable, a seal failure may release the process fluid and introduce a hazard of sufficient risk to warrant the system being used as part of a SIL 1 or SIL 2 loop. A SIL 3 system is almost never a requirement for bearing vibration, position or temperature measurements, because risk comprises not only the consequences of a failure but also its likelihood, and the frequency of occurrence of such events is relatively low.
