Dec-2014
Control and safety systems for turbomachinery
All plant workers want to reduce the safety risk associated with turbomachinery operation while avoiding nuisance trips.
S Staroselsky, W Jacobson and J McWhirter
Compressor Controls Corporation
Viewed : 5284
Article Summary
The goal is to run machines in an efficient manner. In this context, safety risk refers to catastrophic events, such as turbine overspeeding, which can lead to severe injury or death, not to mention lost revenue and extensive repairs. Rigorous analysis of the failure causes and their mitigation can significantly reduce the risk of catastrophic failure. However, full compliance with the safety standard requirements, such as IEC61508, can lead to additional complexity and cost in regard to control and safety system procurement. This places a greater burden on the plant engineers for selecting a safe, reliable system, and one that actually improves process operations. Thus, it is important to clarify some of the ambiguities in the definitions and usage of safety instrumented systems (SISs) and turbomachinery control systems (TCSs) and to have a discussion about various approaches to SIS and TCS implementation.
Over the last 15 years, requirements based on IEC61508 specifications have gained acceptance within a large portion of the turbomachinery controls market. IEC61508 and IEC61511 (Table 1) provide common methodology for equipment manufacturers, control system vendors, engineering companies and end users. In the past, many machinery protection functions directly related to the unit were incorporated within the TCS. To reduce risk today, those functions deemed a safety hazard are separated in some manner from the control functions. Safety functions must also be certified to the appropriate safety integrity level (SIL). The required SIL rating of the SIS is based on the tolerable risk criteria, as defined by the plant operator. In the SIL calculations, the equipment under control (EUC) risk is compared to the tolerable risk. EUC may include the control system and instrumentation. IEC61508 quantifies SIS risk (Figure 1) in terms of probability of failure on demand (PFD). If the EUC risk is above the tolerable risk, then an SIS is required. The required average PFD of the SIS translates into the risk reduction factor, which is necessary for bringing the EUC calculated risk below the tolerable risk. A given SIL rating guarantees a certain PFD level. Typically, turbomachinery safety functions are SIL 2 or SIL 3.
Deconstructing peril
The risk analysis covers not just the microprocessor-based controller (logic solver), but the entire system, including the transmitters and actuators. The PFD analysis of the logic solver includes software as well as the hardware. The SIL system rating is equal to the lowest rating of its components. Purchasing a controller that has a certain SIL rating does not guarantee that the entire SIS has the same SIL rating. In fact, most SIS failures (Figure 2) are due to field instrumentation, not the logic solver. On another note, SIL rating may be a testament to the rigorous design practices used in building the controller. However, it may not mean that a SIL-rated controller is more reliable than a non-SIL controller. The control system availability is not equivalent to the PFD.
Besides the equipment design, the control hardware and the instrumentation, there are two main methods for reducing risk. The first is the separation of the safety and non-safety functions; the second is redundancy. In terms of the software, TCS may be a complex system, consisting of multiple proportional-intergral-derivative (PID) loops, signal selectors and complicated logic. It may be difficult to predict and validate all of the interactions between various control, monitoring and protection functions. It is much easier to separate the safety functions and to analyse and validate them separately. Therefore, the logic solver, which is a part of the SIS, should contain simple code that can be easily validated. Moreover, the code should require minimal adjustments throughout the lifetime of the system, as SISs should have rigorous lifecycle management procedures, limiting the access to the logic solver’s code and parameters. In terms of hardware, the common mode failures between the safety and non-safety functions must be minimised. This means that SISs and TCSs should have separate power supplies, I/O modules, communication buses and processors. An exception to this under IEC61508 would be if it can be shown that a sufficient level of independence exists between safety and non-safety functions.
Function vs. function
The separation of the safety and non- safety functions can increase the implementation complexity and cost. Implementation complexity increases in part because, in many cases, the signals that are used in the TCS for various logic and sequencing tasks are also used in the SIS for safety functions. Therefore, the overall system either requires redundant transducers or stipulates that TCSs and SISs must share I/O, without violating the separation principle. To avoid such complications, some vendors offer integrated TCSs and SISs, which have the appropriate SIL ratings. These systems provide a certifiable separation level between safety and non-safety functions without using separate hardware. Consequently, in terms of software, an integrated system may contain safety and non-safety parts, with the TCS software running in the non-safety part of the system. If TCS is running in the SIL-rated safety portion of the system, then the overall control software (which may include turbine, generator or compressor control) must undergo safety analysis and limitations must be imposed on any modifications. This includes parameter changes, so that compliance is kept with the appropriate SIL. Thus, it may be difficult to adjust such a system to match the varying process requirements and to support and maintain it over its lifetime.
In general, TCSs and SISs have different objectives. TCSs should provide for reliable unit operation and improve process reliability. It is vital to have a TCS running the unit for as long as is safely possible. This may imply sophisticated control algorithms being able to operate the unit even with some input signals in a failed condition or involve loadsharing between compressors. Still, the job of the SIS is to safely shut down the unit and prevent catastrophic failure. SIS reliability is inversely proportional to its complexity: in most cases, the simpler the shutdown algorithm, the more reliable its functionality. While a TCS may require adjustments during commission and throughout its lifetime (as the process conditions may change), changes are strongly discouraged for the SIS.
The design and capabilities of the TCS may affect the required SIL of the SIS. A well- designed TCS may reduce the risk associated with operating the unit. For example, the function of preventing discharge pressure from exceeding the structural piping limitations may be included in the SIS due to the potential safety hazard. The risk may be reduced by building in provisions in the TCS for preventing the pressure rise by several means, such as reducing turbine speed and opening appropriate valves. A TCS may be well suited for the task, as it may already be carrying out related functions and, therefore, be capable of a fast response.
Redundancy is often employed by SIS vendors to reduce the PFD while maintaining high availability. Most of SIS redundancy is either triple modular redundancy (TMR) or dual redundancy. TCSs for critical units must also have very high availability numbers, which are not achievable without using redundancy. TCSs use essentially the same technology for redundancy. However, for SIL certification purposes, SIS design process must undergo a greater level of scrutiny. Also, the required diagnostic coverage for SISs may be larger than for TCSs. While the increased coverage reduces PFD, it may also result in larger overhead and increase software execution cycle time. While the plant is running in steady state, the TCS execution time may be less of an issue, but, during upsets, a fast response may prevent unit shutdown.
Blending standards
The 5th edition of the API Machinery Protection Standard API670 provides detailed guidelines on the implementation of the machinery protection systems (MPSs), taking into account IEC61508 and IEC61511. The standard covers the minimum requirements for an MPS. Basically, the standard divides MPS functions into several categories, which are vibration monitoring, overspeed detection, surge detection and emergency shutdown systems (ESDs). As defined in the standard, “the function of the ESD is to act as the logic solver that consolidates all shutdown commands to ensure proper timing and sequencing for a safe shutdown.”
Add your rating:
Current Rating: 3