
Comparison of Integrated Versus Dedicated Turbine Safety Systems

Author:
Rich Kamphaus
Steam Turbine & Safety Market Manager
Woodward Inc.
United States
Integrated vs. Dedicated Turbine Safety Systems

Page 1

Overview
The safety of rotating equipment, including steam turbines, is under increased scrutiny throughout
the petrochemical industry. Due to an increase in catastrophic turbine system failures resulting
in lost revenue, expensive equipment repairs, or people being hurt or killed, companies have
begun to treat safety critical components and related logic with much more scrutiny.
General safety standards like IEC61511, IEC61508 and ISA 84.00.01-2004 are now being used
and followed to assist with reducing the risk of these catastrophic and expensive system failures.
As is typical when applying a general standard to a very specific application like turbine safety,
some level of interpretation is required in its actual application. One interpretation that
turbine OEMs and owners continue to debate is whether or not to integrate turbine control into
the turbine safety system. Note that with regard to safety standards, turbine control
functions are considered non-safety functions, as all critical functions that could result in a
catastrophic turbine failure are monitored and managed by the turbine safety system.
This tutorial compares the differences between an integrated turbine control and safety
instrumented system (SIS) versus a system where the SIS is separate (dedicated) from the turbine
control function. The following IEC61508 and IEC61511 based comparisons will be made:
Probability of failure on demand (PFD)
Failure mode effects and diagnostic analysis effort (FMEDA)
In an effort to reduce confusion in the petrochemical market, the American Petroleum Institute has
added requirements to its Machinery Protection Standard API670 5th Edition to direct customers
on the acceptable levels of turbine control and SIS integration. This paper will list these new
API670 requirements and will explain each of the standard's allowed system architectures.

Integrated Turbine Control & SIS Definition


For the purposes of this paper an integrated turbine safety instrumented system (SIS) is defined
as a single programmable logic control system which includes both the SIS functions and turbine
control functions. Figure 1-1 below displays an example system where both the turbine control
functions and SIS functions are integrated within one logic solver. This system's benefits are the
following:
1. Housed in one simple logic solver package
2. Lower total cost as fewer sensors are required (sensors are shared between functions)
3. Lower total cost as fewer logic solver packages are required


Figure 1-1. Basic Integrated Turbine Control & SIS Diagram

Dedicated Turbine SIS Definition


For the purposes of this paper a dedicated turbine SIS is defined as a programmable logic control
system where the SIS functions are performed in one logic solver and the turbine control
functions are performed in a second, separate and dedicated logic solver. Figure 1-2 below
displays an example system where the turbine control functions and SIS functions are
segregated into two logic solvers. This system's benefits are the following:
1. Lower risk of non-safety functions interfering with safety functions
2. Lower risk of changes to non-safety functions interfering with safety functions
3. Lower risk of accidental changes to safety functions
4. Reduced HAZOP and FMEDA analysis required for initial system evaluation
5. Reduced HAZOP and FMEDA analysis required for evaluation of system changes


Figure 1-2. Basic Dedicated Turbine Control & SIS Diagram

Turbine Safety System Market Overview:


As turbines have evolved, so have turbine safety systems. Traditionally, turbine safety functions
were embedded within a turbine's main control system hardware, software and logic. However,
due to the number of turbine accidents mentioned above, turbine manufacturers and owners
began to follow general industry safety standards, which recommend a level of separation
between safety and non-safety functions.
A turbine safety function is defined as a function which protects the turbine from catastrophic
failures that could result in the hurting or killing of people. Non-Safety functions are defined as
functions which are not related to the protection of the turbine from catastrophic failure. In
general current industry safety standards recommend separation of safety and non-safety
functionality for the following reasons:

Assures that operation of non-safety hardware, software, and logic does not interfere with
operation of any safety function

Assures that failures within non-safety hardware, software, and logic do not interfere
with safety functions

Greatly simplifies the required system HAZOP analysis, criticality analysis and failure
mode effects and diagnostic analysis

Typical Turbine Control Functionality (as defined within Standard API612)


12.2.8 The design of the speed governor shall include but not be limited to the following:
a) an assignable speed range corresponding to the normal range of operation (typically 70 % to
105 % of rated operating speed);
b) speed setpoint adjustment;
c) remote or process controlled speed setpoint adjustment;
d) digital speed indication;
e) individual outputs to each control mechanism actuator;
f) adjustable speed ramp rate;
g) slow roll control;
h) critical speed band avoidance;
i) high speed shutdown (set at maximum allowable speed rise (nma));
j) manually activated override for testing the overspeed shutdown system;
k) settings which are field changeable and protected through controlled access.

Typical Turbine Safety Functionality (as defined within Machinery Protection Standard
API670)
10.3.2.2 As a minimum the following shutdown input signals shall be included in the Emergency
Shutdown System
a) Overspeed shutdown
b) Shutdown initiated by unit speed controller
c) Bearing lube oil pressure
d) Radial Vibration (if specified)
e) Axial Position (if specified)
f) Unit speed controller failure
Note: Refer to the respective equipment standard (API 611, API 612, API 614, API 616, and
API 617) for a complete list of the required safety critical shutdown inputs.
General Safety Standards Requirements:
General safety standards like IEC61508, IEC61511, and ISA-84.01 allow the integration of non-safety
functions with safety functions if the related system devices (logic solver hardware,
sensors, operating system and application logic) used are safety certified to the highest safety
integrity level (SIL) required by any of the safety instrumented functions (SIFs) within the
integrated system. For example, if one of the system's SIFs requires a safety integrity level of SIL-2, then all
the related hardware, operating system and application logic must be shown to also meet safety
integrity level two.
Sections 7.4.2.3 through 7.4.2.5 of Standard IEC-61508-2 (2010 Edition) provide the following
guidance when considering integrating both safety and non-safety systems into one system:
Related Standard IEC61508 Requirements:
7.4.2.3 Where an E/E/PE safety-related system is to implement both safety and non-safety
functions, then all the hardware and software shall be treated as safety-related unless it can be
shown that the implementation of the safety and non-safety functions is sufficiently independent
(i.e. that the failure of any non-safety-related functions does not cause a dangerous failure of the
safety-related functions).
NOTE 1: Sufficient independence of implementation is established by showing that the
probability of a dependent failure between the non-safety and safety-related parts is sufficiently
low in comparison with the highest safety integrity level associated with the safety functions
involved.
NOTE 2: Caution should be exercised if non-safety functions and safety functions are
implemented in the same E/E/PE safety-related system. While this is allowed in the standard, it
may lead to greater complexity and increase the difficulty in carrying out E/E/PE system safety
lifecycle activities (for example design, validation, functional safety assessment and
maintenance).
7.4.2.4 The requirements for hardware and software shall be determined by the safety integrity
level of the safety function having the highest safety integrity level unless it can be shown that
the implementation of the safety functions of the different safety integrity levels is sufficiently
independent.
7.4.2.5 When independence between safety functions is required (see 7.4.2.3 and 7.4.2.4) then
the following shall be documented during the design:
a) The method of achieving independence;
b) The justification of the method.
EXAMPLE: Addressing foreseeable failure modes that may undermine independence and their
failure rates by use of FMECA or dependent failure analysis.
IEC61508-6. Page 22 (Second paragraph)
Where a failure of the EUC control system places a demand on the E/E/PE safety-related system,
then the probability of a hazardous event occurring also depends on the probability of failure of
the EUC control system. In that situation, it is necessary to consider the possibility of co-incident
failure of components in the EUC control system and the E/E/PE safety-related system due to
common cause failure mechanisms. The existence of such failures could lead to a higher than
expected residual risk unless properly addressed.


Challenges of Integrating Turbine Control & SIS:


Based on the requirements of IEC61508-2 sections 7.4.2.3 to 7.4.2.5, entities involved with
integrating non-safety functions (turbine control) with safety functions (protection from
catastrophic turbine failure) shall perform a thorough study of each function and show that
the probability of a dependent failure between the non-safety and safety-related parts is
sufficiently low in comparison with the highest safety integrity level associated with the safety
functions involved.
Depending on design of the turbine control and safety instrumented system (SIS), different levels
of system validation are required to ensure that failure of any one turbine control system
component cannot affect the integrity/operation of the SIS. Turbine original equipment
manufacturers (OEMs) and turbine owners and users often do not understand the increased level
of system verification and validation required in order for control vendors to provide a SIS that is
integrated into the turbine control system.
For a typical integrated turbine control and safety instrumented system (SIS) the following is
required to ensure the turbine safety functions are designed and operate correctly and are not
affected by the turbine control functions:

FMEDA to verify that turbine controller logic does not affect the turbine safety logic.
Within the FMEDA the following must be shown:
o Added modules do not reduce the SIS's safety integrity level
o SIS memory and CPU horsepower are not compromised
o SIS operating system prioritizes safety functions over turbine control functions

All turbine control based modules must be SIL certified to the highest safety level of any
related safety instrumented function (i.e. SIL-2 or SIL-3)

Only SIL certified modules can be used for module replacement of both SIS and turbine
control functions

All system application software (turbine control & SIS) must be SIL certified to the highest
safety level of any related safety instrumented function (i.e. SIL-2 or SIL-3)

It must be shown that there is sufficient security within the system's engineering work
station to prevent non-qualified engineers from making changes to either the turbine
control application logic or SIS logic.

Upon changes to module firmware code or service pack changes/uploads, an FMEDA must be
re-performed to verify that no new failure modes have been introduced.

FMEDA to verify that any firmware, application or operating system (service pack
changes/uploads) software changes to the turbine controller do not affect the turbine
SIS's operation. Within this FMEDA the following must be shown:
o SIS memory and CPU horsepower are not compromised by the changes
o SIS operating system prioritizes safety functions over turbine control functions

Upon changes to either the SIS or turbine control application programs, an FMEDA must
be re-performed to verify that no new failure modes have been introduced that could
interfere with safety system logic.


For a typical turbine control system that utilizes a separate/dedicated safety instrumented system
(SIS) the following is required to ensure the safety functions are designed and operate correctly
and are not affected by the turbine control functions:

FMEDA to verify that separation between the turbine control and SIS is such that any turbine
control function or failure cannot interfere with the SIS's functionality

FMEDA
An FMEDA is useful on both electronic and mechanical systems to accurately show the impact
of automatic diagnostic coverage factors and effectiveness of proof tests.
A Failure Modes, Effects and Diagnostic Analysis (FMEDA) is a systematic technique that is
designed to identify problems and the related system's diagnostic coverage. It is a method that
starts with a detailed list of all components within the analyzed system. A whole system can be
analyzed one component at a time via a hierarchical structure. A component level FMEDA done
on a module will provide module level failure modes. The failure modes and diagnostic coverage
from the various modules can then be used within the device FMEDA. The results of the device
analysis will provide failure modes and diagnostic coverage that can be used within the system
FMEDA. The FMEDA can be done on each grouping in the hierarchy as required by the goals
of the analysis.
Example SIS where a Turbine Control module and logic were added:
As noted above, the FMEDA must show that the added modules do not reduce the SIS's safety
integrity level for each SIF. The following example shows a system where a SIS included a
safety instrumented function rated for a safety integrity level (SIL) of 3; however, upon adding the
multiple modules and related software to perform turbine control, the SIF's safety level was
reduced to a safety integrity level of 2.
Table 2-1 shows the average probability of failure on demand (PFDavg) levels from
IEC61508-1 that a SIF is required to meet for a specific safety integrity level. In this example the
dedicated SIS included a Turbine Overspeed safety instrumented function (SIF) which
had a PFDavg of 8.77E-04. As can be verified from Table 2-1, this PFDavg level is
adequate to meet a safety integrity level of 3. This is a common SIL level for a Turbine
Overspeed SIF.
In this example turbine control functionality was then added to the safety logic solver's duties.
As is normal with an integrated SIS and turbine control system, the two controllers share resources
(chassis backplane, CPU, operating system, memory & power supply). This sharing of
resources then requires an FMEDA to be performed with consideration of the extra stress on
the SIS's resources. The added functions and stress on the system result in an increased failure
rate for each of the shared chassis backplane, CPU, operating system, memory and power supply.
In this example the increased failure rate of the system's chassis backplane, CPU, operating
system, memory and power supply results in an increase of the overall system PFDavg to
1.04E-03. This PFDavg level now only meets the requirement of safety integrity level 2.
Refer to Table 2-1. Thus, in this example, by simply adding turbine control functionality to this
SIS the system's Turbine Overspeed SIF was reduced from a SIL of 3 to a SIL of 2, and no
longer met the required safety integrity level for the system.

Table 2-1. Probability of Failure on Demand
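The SIL reduction described above, as an added worked example that is not part of the original paper and is not exSILentia output. The SIL bands are the low-demand-mode PFDavg bands of IEC 61508-1 Table 2 (the table that Table 2-1 reproduces); the per-component dangerous-undetected failure rates are constructed values, chosen so that the series totals land on the two PFDavg figures quoted in the text, and the PFDavg formula is the first-order 1oo1 approximation (λ_DU × T_I / 2), not the full IEC 61508-6 Annex B expression the real analysis used with OEM failure rates:

```python
"""Added worked example (not from the paper): PFDavg of a 1oo1 Turbine
Overspeed SIF before and after turbine control is added to the shared
logic solver, classified against the IEC 61508-1 low-demand SIL bands."""

# IEC 61508-1 Table 2, low demand mode: (SIL, lower bound, upper bound) on
# PFDavg. A SIF meets a level when lower <= PFDavg < upper.
SIL_BANDS = (
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)

HOURS_PER_YEAR = 8760.0


def sil_from_pfdavg(pfd_avg):
    """Return the highest SIL whose PFDavg band contains pfd_avg.
    Returns 0 when the value does not even meet the SIL 1 band."""
    if pfd_avg < 1e-5:
        return 4  # better than the SIL 4 band: SIL 4 target is exceeded
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return 0


def pfd_avg_1oo1(lambda_du_fit, proof_test_years=1.0):
    """Simplified 1oo1 low-demand PFDavg = lambda_DU * T_I / 2, with the
    dangerous-undetected rate given in FIT (failures per 1e9 hours).
    Repair time and common-cause terms are ignored in this first-order form."""
    lambda_du = lambda_du_fit * 1e-9  # FIT -> failures per hour
    return lambda_du * proof_test_years * HOURS_PER_YEAR / 2.0


# Constructed dangerous-undetected failure rates (FIT) per element of the
# Turbine Overspeed SIF. NOT the paper's FMEDA data; chosen so the totals
# reproduce the two PFDavg values the text quotes (8.77E-04 and 1.04E-03).
DEDICATED_SIS_FIT = {
    "speed sensor": 80.2,
    "trip valve / final element": 60.0,
    "chassis backplane": 10.0,
    "CPU": 25.0,
    "memory": 10.0,
    "power supply": 15.0,
}

# Same SIF after turbine control shares the backplane, CPU, memory and
# power supply: only the shared components' rates rise (constructed increases);
# the sensor and final element are unchanged.
INTEGRATED_SIS_FIT = dict(DEDICATED_SIS_FIT, **{
    "chassis backplane": 15.0,
    "CPU": 40.0,
    "memory": 17.0,
    "power supply": 25.4,
})


def evaluate_sif(component_fit, proof_test_years=1.0):
    """Series model: sum the per-component lambda_DU, convert to PFDavg for
    the stated proof-test interval, and classify. Returns (pfd_avg, sil)."""
    total_fit = sum(component_fit.values())
    pfd = pfd_avg_1oo1(total_fit, proof_test_years)
    return pfd, sil_from_pfdavg(pfd)


def compare_architectures():
    """Before/after results for the overspeed SIF, plus whether the SIL dropped."""
    before_pfd, before_sil = evaluate_sif(DEDICATED_SIS_FIT)
    after_pfd, after_sil = evaluate_sif(INTEGRATED_SIS_FIT)
    return {
        "dedicated": {"pfd_avg": before_pfd, "sil": before_sil},
        "integrated": {"pfd_avg": after_pfd, "sil": after_sil},
        "sil_reduced": after_sil < before_sil,
    }


if __name__ == "__main__":
    results = compare_architectures()
    for name in ("dedicated", "integrated"):
        r = results[name]
        print(f"{name:10s} PFDavg = {r['pfd_avg']:.2e}  -> SIL {r['sil']}")
    print("SIL reduced by adding turbine control:", results["sil_reduced"])
```

The design point is that the SIF's PFDavg is a sum over every element in the trip path, so a modest rise in the rates of the shared backplane, CPU, memory and power supply is enough to push a SIF that sat comfortably inside the SIL 3 band across the 1E-03 boundary into SIL 2; lengthening the proof-test interval (the `proof_test_years` argument) makes the same crossing happen at even smaller rate increases.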


Safety Evaluation Tool exSILentia:
In the effort to show the effect of integrating turbine control functionality with SIS functionality,
the safety evaluation tool exSILentia from safety certification entity exida was used. The
exSILentia tool from exida uses OEM based failure rates, the specific SIF architecture and basic
FMEDA techniques to calculate each SIF's PFDavg and safe failure fraction (SFF). The
report spreadsheets below were copied from exSILentia to show the relative effect of integrating turbine control
functionality with turbine safety functionality. Note that the examples below are based on true
system component failure rates obtained from FMEDAs performed on each type of system.
Figure 2-1 below displays the associated system failure rates of a typical dedicated Safety PLC
without Turbine Control functionality from safety evaluation software tool exSILentia. Figure 2-3 below displays the associated system failure rates of a typical integrated Safety PLC with
Turbine Control functionality included from safety evaluation software tool exSILentia. As can
be noted, the respective failure rates of the shared components (chassis backplane, CPU,
operating system, memory and power supply) increase with the added functionality. The added
functions and stress on the system result in an increased failure rate for each of the shared CPU,
operating system, memory, chassis backplane, and power supply.
Figure 2-2 below displays the calculated safety integrity levels for a typical dedicated Safety
PLC without Turbine Control functionality from safety evaluation software tool exSILentia.
Figure 2-4 below displays the calculated safety integrity levels for a typical integrated Safety
PLC with Turbine Control functionality included from safety evaluation software tool
exSILentia. As can be noted, by including the extra stress on the system's shared CPU, operating
system, memory, chassis backplane, and power supply the SIF's PFDavg was changed to a
point where the SIF no longer meets the required system safety integrity level.

Figure 2-1. SIS Module Failure Rate Chart Before Adding Turbine Control


Figure 2-2. SIF Safety Integrity Level Before Adding Turbine Control

Figure 2-3. SIS Module Failure Rate Chart After Adding Turbine Control


Figure 2-4. SIF Safety Integrity Level After Adding Turbine Control

American Petroleum Institute's Guidelines:


Upon interviewing multiple turbine control vendors, EPC (engineering, procurement and
construction) firms and end-users, the American Petroleum Institute (API) understands that there is a
misunderstanding by many of these entities with regard to what level of evaluation and
verification is required when an integrated turbine control and SIS is provided. As many entities
are just now beginning to implement safety standards like IEC61508, IEC61511, and ISA-84.01,
it is apparent that many do not understand the level of rigor required to verify that integrated
non-safety functions (turbine control) do not interfere with safety instrumented functions (turbine
safety functions).
Furthermore, through the related interviews it also became apparent that the related entities did
not understand the level of rigor required to verify that changes to the integrated non-safety
functions (turbine control) do not interfere with safety instrumented functions (turbine safety
functions).
Due to a concern that this confusion in the marketplace will result in multiple people being hurt
or killed throughout the world due to poorly designed and evaluated integrated turbine control
and SIS systems, the API SOME committee directed its Machinery Protection Standard API670
5th Edition re-write committee to include SIS-based architectural requirements in its 5th Edition
release, in an attempt to direct all turbine control vendors, EPC (engineering, procurement and
construction) firms and end-users to only use dedicated/independent SIS systems. This type of
architecture is considered best practice and safest for high speed rotating equipment used within
petroleum plants globally.
API Machinery Protection Standard API670 5th Edition now provides detailed guidelines
requiring physical separation between turbine control and turbine safety functions to reduce:
1. System complexity
2. The cost of lengthy and expensive analysis
3. The risk of an accident where the turbine controller could accidentally be applied in a
manner which inhibits a turbine safety function
4. The risk of an accident where the turbine control functionality could accidentally be
changed in a manner which inhibits a turbine safety function
Related API670 5th Edition Safety & Non-Safety Segregation Requirements:
10.1.2 - The Emergency Shutdown (ESD) System performs the machine train shutdown logic by
integrating all shutdown functions and interfaces with the final element(s). The default
architecture is the Overspeed Detection System and ESD are separate systems (see Distributed
section 10.3.2).
10.5.1 - Unless otherwise specified, the ESD system shall be separate and independent from all
other monitoring systems defined by this standard. (see 10.5.2)
10.5.1.1 - If application requirements or testing requirements dictate and with purchaser approval
an integrated ESD and overspeed system may be provided. (see 10.5.3)
Note: When combining any system with the ESD system, consideration should be given to all
the effects on the ESD systems and the combined systems requirements to react to a
machine event.


Figure 10.5.2 - API670 Dedicated SIS Architecture Option 1


Figure 10.5.3 - API670 Dedicated SIS Architecture Option 2


Related Turbine Safety System Concerns
General purpose PLCs (programmable logic controllers), safety or non-safety, may have the
following limitations when applied to high speed rotating equipment (turbines, turboexpanders, compressors, motors):
Slow scan rates
Limited PID responsiveness due to non-deterministic scan rates
Limited rate group overrun protection
Limited high speed computational capacity
Limited rotor acceleration and torsional sensing algorithms


Low rotor inertias of small and medium steam turbines pose problems for general purpose safety
PLCs (programmable logic controllers) and DCSs (distributed control systems). Purpose built
turbine controllers and turbine SISs, however, are designed to utilize fast and deterministic scan
rates which ensure that the turbine rotor speed, acceleration and torsionals are sensed and
responded to accordingly. This level of performance ensures that the turbine's performance,
stability, and protection are not compromised at any operating level.
Because safety PLCs and DCS systems could be as slow as 50 milliseconds under certain
circumstances, due to limited CPU computational horsepower and/or the lack of software to
hardware synchronization to ensure deterministic responses, care should be taken when applying
such systems as safety logic solvers for high speed rotating equipment. These types of logic
solvers may seem to function correctly during normal machinery operation; however, upon fast
system transient conditions, they have proven to be too slow in some cases to truly protect the
high speed equipment on which they were applied.
However, a number of safety-certified logic solvers which were purpose built to be applied on
and protect high speed rotating equipment are available. These safety logic solvers have the fast
scan rates, deterministic responses, and mathematical calculation capacity to sense unsafe
events on high speed rotating equipment and safely shut it down.

Conclusion:
The greater the level of separation between turbine control and turbine safety functions the
simpler the system is and the simpler the related analysis is to prove that turbine control related
hardware and software does not interfere with the turbine safety functions.
Where both turbine safety functions and turbine control are embedded into the same
programmable logic controller, with little separation, then all related hardware and software shall
be treated as safety-related unless it can be proven through analysis that the turbine control
functions cannot interfere with the operation of the turbine safety functions.
Proving that turbine control functions cannot interfere with the operation of the turbine safety
functions requires a high level of analysis at multiple levels (hardware, operating system,
firmware, and application logic). Through this analysis it must be shown that the probability of a
dependent failure between the turbine control and turbine safety functions is sufficiently low in
comparison with the highest safety integrity level associated with the safety functions involved.
Tools like failure mode effects diagnostic analysis must be used to validate that the embedded
turbine control functions do not reduce the safety integrity level of the related turbine safety
instrumented functions.
American Petroleum Institute Standard API670 now recommends physical separation between
turbine control and turbine safety functions to reduce system complexity, reduce the cost of
expensive analysis and reduce the risk of accidents where the turbine controller functions could
accidentally be applied or changed to inhibit a turbine safety function.

Bibliography
[1] IEC 61511 (all parts), Functional safety - Safety instrumented systems for the process industry sector
[2] IEC 61508-2:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
[3] IEC 61508-6:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
[4] ANSI/ISA S84:1996, Application of Safety Instrumented Systems for the Process Industries
[5] Control Systems Safety Evaluation and Reliability, Third Edition; William M. Goble
[6] American Petroleum Institute Standard API670 5th Edition
