Comparison of Integrated Versus Dedicated Turbine Safety Systems
Author:
Rich Kamphaus
Steam Turbine & Safety Market Manager
Woodward Inc.
United States
Integrated vs. Dedicated Turbine Safety Systems
Page 1
Overview
The safety of rotating equipment including steam turbines is under increased scrutiny throughout
the petrochemical industry. Due to an increase in catastrophic turbine system failures resulting
in lost revenue, expensive equipment repairs or people being hurt or killed, companies have
begun to treat safety critical components and related logic with much more scrutiny.
General safety standards like IEC61511, IEC61508 and ISA 84.00.01-2004 are now being used
and followed to assist with reducing the risk of these catastrophic and expensive system failures.
As is typical when applying a general standard to a very specific application like turbine safety,
some level of interpretation is required in its actual application. One interpretation that
turbine OEMs and owners continue to debate is whether to integrate turbine control into
the turbine safety system. Note that with regard to safety standards, turbine control
functions are considered non-safety functions, because all critical functions that could result in a
catastrophic turbine failure are monitored and managed by the turbine safety system.
This tutorial compares an integrated turbine control and safety instrumented system (SIS)
versus a system where the SIS is separate (dedicated) from the turbine control function. The
following IEC61508 and IEC61511 based comparisons will be made:
Probability of failure on demand (PFD)
Failure mode effects design analysis effort (FMEDA)
In an effort to reduce confusion in the petrochemical market, the American Petroleum Institute has
added requirements to its Machinery Protection Standard API670 5th Edition to direct customers
on the acceptable levels of turbine control and SIS integration. This paper will list these new
API670 requirements and will explain each of the standard's allowed system architectures.
Assures that operation of non-safety hardware, software, and logic does not interfere with
operation of any safety function
Assures that failures within non-safety hardware, software, and logic do not interfere
with safety functions
Greatly simplifies the required system HAZOP analysis, criticality analysis and failure
mode effects and dynamic analysis
settings which are field changeable and protected through controlled access.
Typical Turbine Safety Functionality (as defined within Machinery Protection Standard
API670)
10.3.2.2 As a minimum the following shutdown input signals shall be included in the Emergency
Shutdown System
a) Overspeed shutdown
b) Shutdown initiated by unit speed controller
c) Bearing lube oil pressure
d) Radial Vibration (if specified)
e) Axial Position (if specified)
f) Unit speed controller failure
Note: Refer to the respective equipment standard (API 611, API 612, API 614, API 616, and
API 617) for a complete list of the required safety critical shutdown inputs.
General Safety Standards Requirements:
General safety standards like IEC61508, IEC61511, and ISA-84.01 allow the integration of non-safety
functions with safety functions if the related system devices (logic solver hardware,
sensors, operating system and application logic) used are safety certified to the highest safety
integrity level (SIL) required by any of the safety instrumented functions (SIFs) within the
integrated system. For example, if one of the system's SIFs requires SIL-2, then all
the related hardware, operating system and application logic must be shown to also meet safety
integrity level two.
Sections 7.4.2.3 through 7.4.2.5 of Standard IEC-61508-2 (2010 Edition) provide the following
guidance when considering integrating both safety and non-safety systems into one system:
Related Standard IEC61508 Requirements:
7.4.2.3 Where an E/E/PE safety-related system is to implement both safety and non-safety
functions, then all the hardware and software shall be treated as safety-related unless it can be
shown that the implementation of the safety and non-safety functions is sufficiently independent
(i.e. that the failure of any non-safety-related functions does not cause a dangerous failure of the
safety-related functions).
NOTE 1: Sufficient independence of implementation is established by showing that the
probability of a dependent failure between the non-safety and safety-related parts is sufficiently
low in comparison with the highest safety integrity level associated with the safety functions
involved.
NOTE 2: Caution should be exercised if non-safety functions and safety functions are
implemented in the same E/E/PE safety-related system. While this is allowed in the standard, it
may lead to greater complexity and increase the difficulty in carrying out E/E/PE system safety
lifecycle activities (for example design, validation, functional safety assessment and
maintenance).
7.4.2.4 The requirements for hardware and software shall be determined by the safety integrity
level of the safety function having the highest safety integrity level unless it can be shown that
the implementation of the safety functions of the different safety integrity levels is sufficiently
independent.
7.4.2.5 When independence between safety functions is required (see 7.4.2.3 and 7.4.2.4) then
the following shall be documented during the design:
a) The method of achieving independence;
b) The justification of the method.
EXAMPLE: Addressing foreseeable failure modes that may undermine independence and their
failure rates use of FMECA or dependant failure analysis.
IEC61508-6. Page 22 (Second paragraph)
Where a failure of the EUC control system places a demand on the E/E/PE safety-related system,
then the probability of a hazardous event occurring also depends on the probability of failure of
the EUC control system. In that situation, it is necessary to consider the possibility of co-incident
failure of components in the EUC control system and the E/E/PE safety-related system due to
common cause failure mechanisms. The existence of such failures could lead to a higher than
expected residual risk unless properly addressed.
FMEDA to verify that turbine controller logic does not affect the turbine safety logic.
Within the FMEDA the following must be shown:
o Added modules do not reduce the SIS's safety integrity level
o SIS memory and CPU horsepower are not compromised
o SIS operating system prioritizes safety functions over turbine control functions
All turbine control based modules must be SIL certified to the highest safety level of any
related safety instrumented function (i.e. SIL-2 or SIL-3)
Only SIL certified modules can be used for module replacement of both SIS and turbine
control functions
All system application software (turbine control & SIS) must be SIL certified to the highest
safety level of any related safety instrumented function (i.e. SIL-2 or SIL-3)
It must be shown that there is sufficient security within the system's engineering
workstation to prevent unqualified engineers from making changes to either the turbine
control application logic or the SIS logic.
FMEDA to verify that any firmware, application or operating system software changes
(service pack changes/uploads) to the turbine controller do not affect the turbine
SIS's operation. Within this FMEDA the following must be shown:
o SIS memory and CPU horsepower are not compromised by the changes
o SIS operating system prioritizes safety functions over turbine control functions
Upon changes to either the SIS or turbine control application programs, an FMEDA must
be re-performed to verify that no new failure modes have been introduced that could
interfere with the safety system logic
For a typical turbine control system that utilizes a separate/dedicated safety instrumented system
(SIS), the following is required to ensure the safety functions are designed and operate correctly
and are not affected by the turbine control functions:
FMEDA to verify that the separation between the turbine control and the SIS is such that no turbine
control function or failure can interfere with the SIS's functionality
FMEDA
An FMEDA is useful on both electronic and mechanical systems to accurately show the impact
of automatic diagnostic coverage factors and effectiveness of proof tests.
A Failure Modes and Effects Diagnostics Analysis (FMEDA) is a systematic technique
designed to identify problems and the related system's diagnostic coverage. It is a method that
starts with a detailed list of all components within the analyzed system. A whole system can be
analyzed one component at a time via a hierarchical structure. A component level FMEDA done
on a module will provide module level failure modes. The failure modes and diagnostic coverage
from the various modules can then be used within the device FMEDA. The results of the device
analysis will provide failure modes and diagnostic coverage that can be used within the system
FMEDA. The FMEDA can be done on each grouping in the hierarchy as required by the goals
of the analysis.
Example SIS where Turbine Control module and logic were added:
As noted above, the FMEDA must show that the added modules do not reduce the SIS's safety
integrity level for each SIF. The following example shows a system where a SIS included a
safety instrumented function rated for a safety integrity level (SIL) of 3; however, upon adding the
multiple modules and related software to perform turbine control, the SIF's safety level was
reduced to a safety integrity level of 2.
Table 2-1 shows the average probability of failure on demand (PFDavg) levels from
IEC61508-1 that a SIF is required to meet for a specific safety integrity level. In this example the
dedicated SIS included a Turbine Overspeed safety instrumented function (SIF) which
had a PFD average of 8.77E-04. As can be verified from Table 2-1, this PFDavg level is
adequate to meet a safety integrity level of 3. This is a common SIL level for a Turbine
Overspeed SIF.
In this example turbine control functionality was then added to the safety logic solver's duties.
As is normal with an integrated SIS and turbine control system, the two controllers share resources
(chassis backplane, CPU, operating system, memory & power supply). This sharing of
resources then requires an FMEDA to be performed with consideration of the extra stress on
the SIS's resources. The added functions and stress on the system result in an increased failure
rate for each of the shared chassis backplane, CPU, operating system, memory and power supply.
In this example the increased failure rate of the system's chassis backplane, CPU, operating
system, memory and power supply results in an increase of the overall system PFD average to
1.04E-03. This PFDavg level now only meets the requirement of safety integrity level 2.
Refer to Table 2-1. Thus in this example, by simply adding turbine control functionality to this
SIS, the system's Turbine Overspeed SIF was reduced from a SIL of 3 to a SIL of 2, and no
longer met the required safety integrity level for the system.
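Added example, not from the paper and not exSILentia output: a small Python model of the roll-up the example above describes, taking module-level FMEDA figures (dangerous failure rate and diagnostic coverage per module) through a 1oo1 series PFDavg to the IEC 61508-1 low-demand SIL band, then re-running it with extra stress on the modules shared with turbine control. The module names, failure rates, the 1.4 stress factor and the one-year proof test interval are constructed assumptions; only the SIL band limits are the IEC 61508-1 low-demand values.

```python
from dataclasses import dataclass, replace

# IEC 61508-1, low demand mode: SIL -> PFDavg band [lower, upper)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_for_pfdavg(pfd_avg):
    """Return the SIL whose PFDavg band contains pfd_avg, or 0 if no band does."""
    for sil, (lo, hi) in sorted(SIL_BANDS.items(), reverse=True):
        if lo <= pfd_avg < hi:
            return sil
    return 0


@dataclass(frozen=True)
class Module:
    """One row of a module-level FMEDA roll-up (all figures constructed)."""
    name: str
    lambda_d: float  # dangerous failure rate, failures per hour
    dc: float        # diagnostic coverage of dangerous failures, 0..1
    shared: bool     # True if turbine control would also run on this module

    def lambda_du(self):
        # Dangerous undetected failures are the ones only a proof test finds.
        return self.lambda_d * (1.0 - self.dc)


def system_pfdavg(modules, proof_test_hours):
    """1oo1 series chain: PFDavg ~= sum(lambda_DU) * TI / 2 (no CCF or repair term)."""
    return sum(m.lambda_du() for m in modules) * proof_test_hours / 2.0


def dedicated_sis():
    """Constructed overspeed SIF loop: speed input -> logic solver -> trip relay."""
    return [
        Module("speed input card", 1.0e-7, 0.60, False),
        Module("CPU", 2.0e-7, 0.80, True),
        Module("chassis backplane", 5.0e-8, 0.20, True),
        Module("power supply", 1.5e-7, 0.80, True),
        Module("trip relay output", 1.0e-7, 0.50, False),
    ]


def integrated_sis(stress_factor=1.4):
    """Same loop after turbine control is added: shared modules carry extra load,
    modelled here as a constructed multiplier on their dangerous failure rate."""
    return [replace(m, lambda_d=m.lambda_d * stress_factor) if m.shared else m
            for m in dedicated_sis()]


def compare(proof_test_hours=8760):
    """Return ((PFDavg, SIL) dedicated, (PFDavg, SIL) integrated)."""
    before = system_pfdavg(dedicated_sis(), proof_test_hours)
    after = system_pfdavg(integrated_sis(), proof_test_hours)
    return (before, sil_for_pfdavg(before)), (after, sil_for_pfdavg(after))


if __name__ == "__main__":
    (pb, sb), (pa, sa) = compare()
    print(f"dedicated SIS:  PFDavg={pb:.2e}  SIL {sb}")
    print(f"integrated SIS: PFDavg={pa:.2e}  SIL {sa}")
```

With these constructed figures the dedicated loop lands in the SIL 3 band and the integrated one crosses into SIL 2, the same direction of change the paper reports for its 8.77E-04 and 1.04E-03 values.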
functions and stress on the system results in an increased failure rate for each of the shared CPU,
operating system, memory, chassis backplane, and power supply.
Figure 2-2 below displays the calculated safety integrity levels for a typical dedicated Safety
PLC without Turbine Control functionality, from the safety evaluation software tool exSILentia.
Figure 2-4 below displays the calculated safety integrity levels for a typical integrated Safety
PLC with Turbine Control functionality included, from the same tool. As can be noted, by
including the extra stress on the system's shared CPU, operating system, memory, chassis
backplane, and power supply, the SIF's PFD average was changed to a point where the SIF no
longer meets the required system safety integrity level.
Figure 2-1. SIS Module Failure Rate Chart Before Adding Turbine Control
Figure 2-2. SIF Safety Integrity Level Before Adding Turbine Control
Figure 2-3. SIS Module Failure Rate Chart After Adding Turbine Control
Figure 2-4. SIF Safety Integrity Level After Adding Turbine Control
architecture is considered best practice and safest for high speed rotating equipment used within
petroleum plants globally.
API Machinery Protection Standard API670 5th Edition now provides detailed guidelines
requiring physical separation between turbine control and turbine safety functions to reduce:
1. System complexity
2. The cost of lengthy and expensive analysis
3. The risk of an accident where the turbine controller could accidentally be applied in a
manner which inhibits a turbine safety function
4. The risk of an accident where the turbine control functionality could accidentally be
changed in a manner which inhibits a turbine safety function
Related API670 5th Edition Safety & Non-Safety Segregation Requirements:
10.1.2 - The Emergency Shutdown (ESD) System performs the machine train shutdown logic by
integrating all shutdown functions and interfaces with the final element(s). The default
architecture is the Overspeed Detection System and ESD are separate systems (see Distributed
section 10.3.2).
10.5.1 - Unless otherwise specified, the ESD system shall be separate and independent from all
other monitoring systems defined by this standard. (see 10.5.2)
10.5.1.1 - If application requirements or testing requirements dictate and with purchaser approval
an integrated ESD and overspeed system may be provided. (see 10.5.3)
Note: When combining any system with the ESD system, consideration should be given to all
the effects on the ESD systems and the combined systems requirements to react to a
machine event.
Low rotor inertias of small and medium steam turbines pose problems for general purpose safety
PLCs (programmable logic controllers) and DCSs (distributed control systems). Purpose built
turbine controllers and turbine SISs, however, are designed to utilize fast and deterministic scan
rates which ensure that the turbine rotor speed, acceleration and torsionals are sensed and
responded to accordingly. This level of performance ensures that the turbine's performance,
stability, and protection are not compromised at any operating level.
Because safety PLCs and DCS systems could be as slow as 50 milliseconds under certain
circumstances, due to limited CPU computational horsepower and/or the lack of software to
hardware synchronization to ensure deterministic responses, care should be taken when applying
such systems as safety logic solvers for high speed rotating equipment. These types of logic
solvers may seem to function correctly during normal machinery operation; however, upon fast
system transient conditions, they have proven to be too slow in some cases to truly protect the
high speed equipment to which they were applied.
However, a number of safety-certified logic solvers which were purpose built to be applied on
and protect high speed rotating equipment are available. These safety logic solvers have the fast
scan rates, deterministic responses, and mathematical calculation capacity to sense unsafe
events on high speed rotating equipment and safely shut it down.
Conclusion:
The greater the level of separation between turbine control and turbine safety functions the
simpler the system is and the simpler the related analysis is to prove that turbine control related
hardware and software does not interfere with the turbine safety functions.
Where both turbine safety functions and turbine control are embedded into the same
programmable logic controller, with little separation, then all related hardware and software shall
be treated as safety-related unless it can be proven through analysis that the turbine control
functions cannot interfere with the operation of the turbine safety functions.
Proving that turbine control functions cannot interfere with the operation of the turbine safety
functions requires a high level of analysis at multiple levels (hardware, operating system,
firmware, and application logic). Through this analysis it must be shown that the probability of a
dependent failure between the turbine control and turbine safety functions is sufficiently low in
comparison with the highest safety integrity level associated with the safety functions involved.
Tools like failure mode effects diagnostic analysis must be used to validate that the embedded
turbine control functions do not reduce the safety integrity level of the related turbine safety
instrumented functions.
American Petroleum Institute Standard API670 now recommends physical separation between
turbine control and turbine safety functions to reduce system complexity, reduce the cost of
expensive analysis and reduce the risk of accidents where the turbine controller functions could
accidentally be applied or changed to inhibit a turbine safety function.
Bibliography
[1] IEC 61511 (all parts), Functional safety - Safety instrumented systems for the process industry sector
[2] IEC 61508-2:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
[3] IEC 61508-6:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
[4] ANSI/ISA S84.01-1996, Application of Safety Instrumented Systems for the Process Industries
[5] Control Systems Safety Evaluation and Reliability, Third Edition; William M. Goble