
digitalrefining.com

Safety system separation - examination of three types of machinery protection systems

Ian Popplewell, Trinity Integrated Systems
Rich Kamphaus, Woodward Inc
Steve Sabin, SETPOINT Vibration
Serge Staroselsky, Compressor Controls Corporation

Turbomachinery and rotating equipment often form part
of industrial processes where safety instrumented systems
(SIS) are used to reduce the operating risk to a tolerable
level. The SIS, which consists of a number of safety instrumented
functions (SIFs), is one of the preventive and mitigation
layers intended to reduce the likelihood of a hazardous event.
The hazard and operability study (HAZOP) process is often
used to identify such events.
However, the implementation of such SIFs, whilst meeting the
desired safety integrity level (SIL), can be subject to spurious
trips. These are trip events caused by failures in the system
even when there is no hazardous event. For the purpose of
business integrity, such trips can be expensive in terms of lost
production and downtime. Likewise, an undetected dangerous
failure, commonly referred to as a missed trip, can be
significant to the business and may have safety,
environmental, asset or production impacts. Designing a
system that meets the complementary, yet sometimes
conflicting, requirements of reliability and availability can be
challenging. There are standards (IEC61508 and IEC61511)
that define the processes for designing and implementing
safety systems, but these do not address spurious trips.

A rigorous approach to determining the required availability of
a system can help companies design systems and operate
their processes safely whilst maximizing business integrity.
This article will examine three types of machinery protection
systems: overspeed, surge detection and vibration
monitoring, to help clarify when a SIL certification is truly
necessary. It is interesting to note that some machinery
measurements are almost always safety related, while others
are almost never safety related, yet they all have a positive
contribution to the business integrity.

Rotating equipment safety systems protection

The safety of rotating equipment, including steam turbines, is
under increased scrutiny throughout the petrochemical
industry due to a recent increase in catastrophic turbine
failures related to overspeed events.
As turbines have evolved, so have turbine safety systems.
Traditionally, turbine safety functions were embedded within a
turbine’s main control system, hardware, software and logic.
However, due to the increased number of turbine accidents,
turbine manufacturers and owners have begun following
general industry safety standards in the implementation of
their turbine safety systems including the turbine overspeed
SIF.

Although safety standards such as IEC61511, IEC61508 and
ISA 84.00.01-2004 are being followed by many turbine
owners and manufacturers, some level of interpretation is
required in the actual application of such standards.

In the interest of reducing the level of interpretation when
designing, applying, testing, and maintaining a turbine
overspeed SIF within a turbine safety system, the American
Petroleum Institute (API) has added requirements to its
machinery protection standard, API 670 5th edition, to guide
turbine manufacturers and users on best practices when
implementing and maintaining turbine overspeed SIFs.

The machinery protection standard API 670 5th edition now
provides detailed guidelines requiring physical separation
between the turbine control and the turbine safety system.
This includes the requirement that the turbine overspeed SIF
must work to reduce:

• The risk of the turbine controller being applied, and/or changed, in a manner which inhibits the turbine safety system’s action.
• The risk that a failure within the turbine controller would inhibit the turbine safety system’s action.
• The cost of a lengthy and expensive safety analysis associated with each system change.
• System complexity.

Because of their quick acceleration, small to medium steam
turbines with low rotor inertias pose a problem for turbine
manufacturers and owners that implement, test, and maintain
turbine overspeed systems. Understanding the total
response time of the turbine overspeed SIF, and not just that
of the logic solver, is key to verifying whether a turbine
overspeed SIF is fast enough to safely shut down a turbine
during an overspeed event. API also included specific response time
guidelines, as well as basic turbine acceleration equations,
within its latest standard, API 670 5th edition. These
requirements, if specified, include:

• Total turbine overspeed system response time measurement and recording, upon turbine commissioning, and during each safety system-based proof test.
• Diagnostics to routinely test, measure and record the response time of all system components, except for the trip valve, during normal turbine operation, without affecting the integrity of the overspeed SIF.

Although the API 670 5th edition standard was only released
in November 2014, a number of safety-certified logic solvers
are now available on the market for use in turbine safety
systems, which meet all of the standard’s new requirements
including turbine control segmentation as well as total and
partial system response time verification and recording.

Surge detection system

Repeated surge cycles on centrifugal and axial compressors
can lead to machine damage, severely impacting the
operator’s bottom line. API 670 5th edition addresses the
need for preventing damage due to repeated surging by
specifying a surge detection system, which is mandated for
axial compressors and recommended for centrifugal
machines.  The standard applies the principle of segregation
for improving the reliability of protection against damage due
to surge. The independent surge detection system fulfils the
API 670 requirements by providing segregated surge
detection functionality. Two channels are used for surge
detection, typically differential pressure measurement from a
flow meter and discharge pressure. Other signals may be
utilized, depending on the surge signature of the compressor.
The independent surge detection system detects surge
based on the rate of change and oscillation amplitude. In
most cases, the configuration is set to detect surge when both
channels show surge-like behavior. The system identifies each
cycle and has a surge cycle counter. The discrete outputs of
the system can be used to open the antisurge valve via an
air-dump solenoid-actuated valve, and to issue a unit shutdown
command, if the number of surge cycles exceeds a threshold
value within a given time period. The system has provisions for
conducting surge testing and recording peak values of the
rates of change. A surge detection system should be
compatible with SIL 2 requirements.
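
The detection logic described above can be sketched as follows. This is an added example, not code from the article or from any vendor's product: the class and function names, every threshold, the treatment of surge onset as a rapid fall on both channels, and the rule that the valve output stays set while any counted cycle is inside the window are all assumptions, and the signal trace is constructed.

```python
from collections import deque

class SurgeDetector:
    """Illustrative two-channel surge detector; all limits are constructed values."""
    def __init__(self, rate_lim, amp_lim, max_cycles, window_s, amp_samples=5):
        self.rate_lim, self.amp_lim = rate_lim, amp_lim  # (flow dP, discharge P)
        self.max_cycles, self.window_s = max_cycles, window_s
        self.hist = deque(maxlen=amp_samples)  # recent (t, flow_dp, disch_p)
        self.cycle_times = deque()             # timestamps of counted surge cycles
        self.peak_fall = [0.0, 0.0]            # peak rates kept for surge testing
        self.in_surge = False

    def _channel_surging(self, ch):
        (t0, *a), (t1, *b) = self.hist[-2], self.hist[-1]
        fall = (a[ch] - b[ch]) / (t1 - t0)     # assumption: surge onset is a rapid fall
        self.peak_fall[ch] = max(self.peak_fall[ch], fall)
        values = [s[1 + ch] for s in self.hist]
        swing = max(values) - min(values)      # oscillation amplitude, peak to peak
        return fall > self.rate_lim[ch] and swing > self.amp_lim[ch]

    def update(self, t, flow_dp, disch_p):
        self.hist.append((t, flow_dp, disch_p))
        if len(self.hist) < 2:
            return {"cycles": 0, "open_valve": False, "trip": False}
        # Evaluate both channels (list, not generator) so both peaks are recorded.
        both = all([self._channel_surging(0), self._channel_surging(1)])
        if both and not self.in_surge:         # rising edge = one new surge cycle
            self.cycle_times.append(t)
        self.in_surge = both
        while self.cycle_times and t - self.cycle_times[0] > self.window_s:
            self.cycle_times.popleft()         # forget cycles outside the window
        n = len(self.cycle_times)
        return {"cycles": n, "open_valve": n > 0, "trip": n > self.max_cycles}

def constructed_trace(surge_starts, n, dt=0.1):
    """Constructed data: steady signals with a sharp dip and slow recovery per surge."""
    recover = [0.2, 0.4, 0.6, 0.8]
    rows = []
    for i in range(n):
        k = next((i - s for s in surge_starts if 0 <= i - s < 4), None)
        f = 1.0 if k is None else recover[k]
        rows.append((i * dt, 100.0 * f, 50.0 * (0.8 + 0.2 * f)))
    return rows

def first_trip_time(trace, det):
    for t, dp, p in trace:
        if det.update(t, dp, p)["trip"]:
            return t
    return None
```

With a limit of three cycles in a 10 s window, four constructed surges 1.5 s apart raise the shutdown output on the fourth cycle, while a dip on the flow channel alone is never counted.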

Vibration

While overspeed almost always has safety-related
implications and surge almost never does, vibration falls somewhere
in between these two extremes, skewing heavily towards
the non-safety end of the spectrum. Indeed, perhaps only 10% of
API 670 vibration, position or temperature systems are used
as part of a safety instrumented function. The most common
scenario with safety implications is a bearing failure leading
to excessive movement or vibration in radial or axial
directions, and subsequent damage to (or destruction of) the
seal, not just the bearing. If the process fluid is toxic and/or
flammable, a seal failure may release the process fluid and
introduce a hazard of sufficient risk to warrant the system be
used as part of a SIL 1 or SIL 2 loop (a SIL 3 system is almost
never a requirement for bearing vibration, position or
temperature measurements due to the relatively low
frequency of occurrence, as risk comprises not only the
consequences of a failure but also the likelihood).
