
A Presentation on

ESD System and Interlocks on Turbines & Compressors

G . SRIDHAR
INSTRUMENTATION
NFCL
NAGARJUNA FERTILIZERS AND CHEMICALS LIMITED
WHAT IS ESD
Emergency Shutdown System
What is Safety?
“The condition or state of being safe”

When are you Safe?


“Free from harm, injury, or (intolerable) risk”
How to achieve Safety?

Safety is achieved by using a safety system in the plant.

What is a safety system?


A safety system is a system that provides an independent and predetermined emergency shutdown path in case a process runs out of control.
When a process runs out of control it can cause:
• Damage to people (inside & outside)
• Damage to environment
• Loss of equipment
• Loss of production (i.e. loss of money)
Safety Instrumented System
Safety Instrumented System (SIS)

A Safety Instrumented System (SIS) is a new term used in standards like IEC 61511 or IEC 61508 for what used to be called Emergency Shutdown System (ESD), Safety Shutdown System, or Interlock System.
A Safety Instrumented System (SIS) consists of one or more Safety Instrumented Functions (SIF).

Function of a Safety Instrumented System.


The SIS keeps the process from crossing the safety limits.
As the process becomes more unstable and approaches the high alarm level, the BPCS may or may not be able to regain control of the process value in time to prevent an unsafe condition. If the process value continues in an unsafe direction, the trip level is reached. The SIS executes an emergency shutdown action, preventing the process from exceeding the safe levels.
Safety Instrumented Function
A Safety Instrumented Function (SIF) is defined as a "Function to be implemented by a SIS, which is intended to achieve or maintain a safety state for the process with respect to a specific hazardous event".
Function of Safety Instrumented System
Difference Between DCS & SIS
| DCS | SIS |
|---|---|
| Highly flexible | Fixed functionality |
| Configuration changes can be done online. | Complex procedures are involved in making any change. |
| Variety of online modifications can be done without much complicacy | The possibility to repair the hardware is limited while the plant is running |
| During the failure of the control system, state of outputs are unpredictable | Output state is predictable during the functional failure of a system. |
| Regular testing of control system is not required. | Explicit procedures are followed to test the system hardware. |
| Scan time of the DCS is 1 SEC | Scan time of the SIS is in msec |
DCS Vs SIS
DCS is not used for safety applications because of some practical problems:

• First of all is reliability. Safety valves are critical. If you fail to shut down, that will cause serious asset, environmental or human life damage.

• You have to use a certified safety system and do the SIL evaluation to confirm the loop configuration. There is another point to consider, i.e. the safety system should not use the same sensors and final elements as the DCS to make control decisions. There are safety system vendors who have SIL 3, TUV certified safety systems.
DCS Vs SIS
Difference Between a PLC & Safety System
| Safety PLC | Conventional System |
|---|---|
| A safety PLC is typically certified by third parties to meet rigid safety and reliability requirements of international standards. | Conventional PLCs are not certified by any third parties. |
| Tough international standards for software apply to safety PLCs. | No such standard is applicable for the conventional PLC |
| A safety PLC was specifically designed to accomplish two important objectives: (1) do not fail (redundancy that works well) but if that cannot be avoided, (2) fail only in a predictable, safe way. | PLC was not initially designed to be fault tolerant and fail-safe. |
Components of Safety Instrumented System
• Typically, Safety Instrumented Systems consist of three elements: a sensor, a logic solver and a final control element.
Sensors:
Field sensors are used to collect the information necessary to determine if an emergency situation exists.
The purpose of these sensors is to measure process parameters (e.g. temperature, pressure, flow, etc.).
They are used to determine if the equipment or process is in a safe state.
Logic Solver:
The purpose of this component of the Safety Instrumented System (SIS) is to determine what action is to be taken based on the information gathered. Highly reliable logic solvers are used which provide both fail-safe and fault-tolerant operation. It is typically a controller that reads signals from the sensors and executes pre-programmed actions to prevent a hazard by providing output to final control elements.
Final Control Element:
It implements the action determined by the logic system. This
final control element is typically a pneumatically actuated On-Off
valve operated by Solenoid Valves.
SIS Architecture
1oo1D
Single-channel system, consisting of a single input, single
controller, and single output.
“D” stands for diagnostic function. It diagnoses the input through
output. It also controls the output individually by “fail on” and “fail
off” diagnostic functions.
2oo3D
TMR stands for “triple modular redundant”. It is a “majority
voting” system with three identical units. Two units out of three
are required for the system to operate and shutdown.
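The majority voting described above, as an added example that is not part of the original presentation. It generalises 2oo3 to M-out-of-N so the single-channel and dual arrangements can be compared; the function names are illustrative assumptions.

```python
def vote_moon(votes, m):
    """Trip when at least m of the N channel votes demand a trip."""
    return sum(bool(v) for v in votes) >= m


def single_fault_effects(n, m):
    """Make one channel read wrongly in every unanimous process state and
    report which kinds of wrong voted result a single fault can cause."""
    effects = {"spurious_trip": False, "missed_trip": False}
    for real_demand in (False, True):      # False = process healthy
        for faulty in range(n):
            votes = [real_demand] * n
            votes[faulty] = not real_demand  # the one failed channel
            tripped = vote_moon(votes, m)
            if tripped and not real_demand:
                effects["spurious_trip"] = True
            if not tripped and real_demand:
                effects["missed_trip"] = True
    return effects


if __name__ == "__main__":
    for name, (n, m) in {"1oo1": (1, 1), "1oo2": (2, 1),
                         "2oo2": (2, 2), "2oo3": (3, 2)}.items():
        print(name, single_fault_effects(n, m))
```

Of the four arrangements checked, only 2oo3 tolerates a single failed channel in both directions: it neither trips the plant spuriously nor misses a real demand.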
QMR
QMR is a new term.
The system consists of four processors only and the rest is all dual.
Only the processors are QMR. I/O and other circuits are still dual.
VMR
Advantages :
It is Single !! Still SIL3 because of high SFF
No degradation
Extreme modularity
VMR
• ProSafe-RS provides "high availability" by using "redundant" modules, meaning the redundancy is for availability, not for safety.
• No crippled or degraded mode.
• The system remains at SIL 3 even if the redundant module has failed.
• Using the "Pair and Spare" redundancy of modules provides a much higher "Availability" for reliability.
Applications
Some of the applications of the safety system are

• Emergency shutdown.
• Burner management.
• Fire and gas detection.
PROSAFE-RS HARDWARE OVERVIEW
Introduction
• ProSafe-RS is a microprocessor-based safety system designed specifically for critical applications such as emergency shutdown systems, burner management systems, fire and gas detection systems and high availability process control.

Overview of ProSafe-RS
• ProSafe-RS is the safety system that consists of the safety controller, SCS, and an engineering and maintenance PC, SENG. The minimum configuration includes one SCS and one SENG.
ProSafe-RS Basic Configuration
ProSafe-RS consists of Safety Control Station (SCS) and
Safety Engineering PC (SENG). Moreover, ProSafe-RS can build the
system connected with CS 3000 and the system connected with
other systems than CS 3000 via Modbus. The basic configuration
of ProSafe-RS consists of SENG and SCS.
ProSafe-RS/CENTUM CS 3000 Integration Structure
The structure that connects ProSafe-RS with CENTUM VP
projects is called ProSafe-RS/CENTUM VP Integration
Configuration.

For CENTUM VP Integration Structure,

• Both FCS and SCS can be operated and monitored from HIS. FCS can communicate with SCS via Vnet/IP. The communication has no impact on the safety functions running on SCS.
• The SENG is a general-purpose PC on which the engineering functions to build SCS applications are installed.
• The ENG is a general-purpose PC on which the CENTUM VP system generation function is installed. Each CENTUM VP application generated on the ENG is managed as part of the CENTUM VP project.
• The HIS is a general-purpose PC on which the CENTUM VP operation function is installed.
Components of a Safety Control Station
A basic system is called a safety control station (SCS). An SCS can communicate with the other stations via Vnet or Vnet/IP. An SCS consists of a Safety Control Unit (CPU node) and several Safety Node Units (I/O nodes). Up to nine I/O nodes can be connected.
Safety Control Units (for Vnet/IP)
• Standard Type Safety Control Unit for Vnet/IP (Model: SSC60S-S)
• Wide Range Temperature Type Safety Control Unit for Vnet/IP (Model: SSC60S-F)
• Duplexed Standard Type Safety Control Unit for Vnet/IP (Model: SSC60D-S)
• Duplexed Wide Range Temperature Type Safety Control Unit for Vnet/IP (Model: SSC60D-F)

[Figure: SCS60D (High Performance & Large Capacity Controller), Vnet/IP only (no Vnet); labels: SCP461, SSC60]

Processor module
Control algorithm calculations are performed in the processor modules. Three types of processor modules are available: one for V net (Model: SCP401) and for Vnet/IP (Model: SCP451, SCP461).
SCP461 (High performance CPU module)
Battery
Li batteries are used to protect the processor module management information (in the storage memory) during a power failure. Since the application program information is stored in non-volatile memory, battery backup is not required for it.

Battery Back-up Specifications
Battery life: Changes according to the ambient temperature.
LED display on processor module
• HRDY
• SND
• CTRL
• COPY
• RCV
• RDY
• SYNC
• SCTY
Setting switches on processor module
• START/STOP
• Battery ON/OFF switch
• Front setting switch (6-bit DIP switch)
Status of LEDS on CPU
The following information is displayed in the LEDs of the CPU
module (SCP451/461) installed in the SSC50S/D – SSC60S/D.

*1: The RCV and SND LED blink. (see the table on the next page)
*2: Whether or not an SNTP server is connected to the network
does not affect the LED On condition.
*3: Security level 0 corresponds to offline level and security levels
1 and 2 correspond to online level.
The following communication statuses are indicated by combinations of RCV and SND statuses (blinking or off). If a communication error has occurred, the network location where the error occurred can be identified easily using the Network Status Display dialog box on the CS 3000 HIS.
The STATUS LEDs 1 to 8 can display either the SCS status information or the Vnet station address or the Domain address, depending on the display setting switch.
The meaning of each LED when the status information of the SCS is displayed is summarized in the table below. The SCS can be judged as operating normally if all the LEDs from 1 to 8 are lit.

ESB Bus Coupler Module


The ESB bus coupler module (Model: SEC401) is installed in the safety control unit for communicating with the ESB bus interface module (Model: SSB401) installed in the safety node unit.
The ESB bus coupler modules are always dual-redundantly configured.
Turbine & Compressor Interlocks
Turbine & Compressor Interlocks mainly contain:
• Start Concerns
• Condenser Pumps Interlocks
• Barring Gear Logics
• Lube/Seal oil Pumps Interlocks
• Emergency Oil Pumps Interlocks
• Additional process/External System Interlocks
• Trip Interlocks
Start Concerns
Start Concerns are used as a checklist for starting the Compressor/Turbines.
Examples:
• Antisurge Valves Open
• InterStage Valves Open
• ESV Limit Switch Close
• Lube Oil Tank Level Normal
• Lube Oil Pressure Normal
• Seal Oil Tank Level Normal
• Barring Gear Disengaged
Condenser Pump Interlocks
Condenser Pump Interlocks are used to auto start and stop the condenser pumps, to keep water out of the Steam Turbine, where it will damage the blades, and to protect the pumps from cavitation when there is low level.
Condenser Pump Start Logic: Normally one pump (A) is in running condition, having been started manually. The Selector Switch for the condenser pumps should be kept on the second pump (B). When the High Level Switch is activated, the pump selected by the Selector Switch will start automatically.
Condenser Pump Stop Logic: When the Low Level Switch is activated, the pump selected by the Selector Switch will stop automatically if it is running. If the Low Low Level Switch is activated, both A & B will stop automatically.
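The condenser pump start and stop logic above, as an added example that is not part of the original presentation. The function names and sample sequence are constructed, and the priority order when several level switches are active at once (Low Low over Low over High) is an assumption.

```python
def condenser_pump_step(running, selector, high, low, low_low):
    """One logic scan. running: set of pump names currently running;
    selector: pump chosen on the Selector Switch ('A' or 'B')."""
    running = set(running)
    if low_low:                     # Low Low: both A and B stop
        return set()
    if low:                         # Low: selected pump stops if running
        running.discard(selector)
    elif high:                      # High: selected pump auto-starts
        running.add(selector)
    return running


# Constructed level-switch samples: (high, low, low_low)
SAMPLES = [
    (False, False, False),  # normal level, pump A running (manual start)
    (True,  False, False),  # level rises to High: B auto-starts
    (False, False, False),  # level back to normal: B keeps running
    (False, True,  False),  # Low: selected pump B stops
    (False, True,  True),   # Low Low: everything stops
]


def simulate(samples, running=("A",), selector="B"):
    """Run the logic over a sequence of samples; return running pumps per scan."""
    state, history = set(running), []
    for high, low, low_low in samples:
        state = condenser_pump_step(state, selector, high, low, low_low)
        history.append(sorted(state))
    return history


if __name__ == "__main__":
    for sample, pumps in zip(SAMPLES, simulate(SAMPLES)):
        print(sample, "->", pumps)
```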
Lube Oil Pump Interlocks
Lube Oil Pump Interlocks are used to auto start the lube oil pumps and to avoid the trip of the Compressor & Turbine. Emergency Oil pumps are required to protect the Turbine & Compressor for cooling and Barring Gear logic. Emergency oil pumps run on A.M.F/battery.
Lube Oil Pump Start Logic: Normally one pump (A) is in running condition, having been started manually. The Selector Switch for the lube oil pumps should be kept on the second pump (B). When the Lube Oil Low Pressure Switch or the Lube Oil Header Pressure Switch is activated, the pump selected by the Selector Switch will start automatically.
If no Selector Switch is provided, the second oil pump, which is not running, will start automatically.
Emergency Oil Pump Interlocks
Emergency Oil pumps are required to protect the Turbine & Compressor for cooling and the lubrication required for Barring Gear rotation/logic.
• Emergency Oil Pump Start Logic: When the Lube Oil Header Low Low Pressure Switch is activated, the pump will start automatically.
• Emergency oil pumps run on A.M.F/battery
Barring Gear Logic (PAC & ARC)
Barring Gear Interlocks are used to start the Barring Gear and rotate the Steam Turbine at minimum speed after sudden stoppage, and to stop the Barring Gear after running of the Turbine.

Barring Gear Start Concern/Logic:


• Speed Comes to Nearly Zero
• Barring Gear Engaged.
• Lube oil Pressure normal

Barring Gear Stop Logic:


• Speed above 160(200) RPM
• Steam Valve Open
• Lube Oil Pressure
Barring Gear Logic (Syngas & CO2)
Barring Gear Interlocks are used to start the Barring Gear and rotate the Steam Turbine at minimum speed after sudden stoppage, and to stop the Barring Gear after running of the Turbine.

Barring Gear Start/Stop Logic:

• Speed Comes to Nearly Zero
• Barring Gear Key Switch
• Lube oil Pressure normal
• Control/Trip oil Pressure Low
• Barring Gear Start and Stop PB (Syngas)

Barring Gear Solenoid Operation:

• Above all Conditions should be satisfied, and
• Solenoid open for 6 Sec
• Solenoid Close for 12 Sec
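The barring gear solenoid operation above, as an added example that is not part of the original presentation. It assumes the 6 s open / 12 s closed pattern repeats while all conditions hold and restarts when any condition is lost; the condition names and timelines are constructed.

```python
OPEN_S, CLOSE_S = 6.0, 12.0   # from the slide: open 6 sec, close 12 sec


class BarringSolenoid:
    """Pulses the solenoid only while every start condition is satisfied."""

    def __init__(self):
        self.elapsed = 0.0      # seconds since conditions became satisfied

    def step(self, conditions, dt=1.0):
        """Advance by dt seconds; return True while the solenoid is open."""
        if not all(conditions.values()):
            self.elapsed = 0.0  # assumption: cycle restarts after a loss
            return False
        phase = self.elapsed % (OPEN_S + CLOSE_S)
        self.elapsed += dt
        return phase < OPEN_S


def run(timeline, dt=1.0):
    """Feed one conditions dict per time step; return solenoid state per step."""
    solenoid = BarringSolenoid()
    return [solenoid.step(conditions, dt) for conditions in timeline]


# Constructed condition sets (names are illustrative)
ALL_OK = {
    "speed_nearly_zero": True,
    "key_switch": True,
    "lube_oil_pressure_normal": True,
    "control_trip_oil_pressure_low": True,
    "start_pb": True,
}
LUBE_OIL_LOST = dict(ALL_OK, lube_oil_pressure_normal=False)

if __name__ == "__main__":
    print(run([ALL_OK] * 20))
    print(run([ALL_OK] * 3 + [LUBE_OIL_LOST] + [ALL_OK] * 7))
```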
Trip Interlocks
Trip Interlocks are required to trip the Turbine and Compressor in
predefined Conditions required for Process And Equipment Safety.
Equipment Safety Conditions/Cause:
• Low Steam Pressure To Turbine
• Live Steam Temperature Low
• Lube oil Pressure Low/Seal Oil DP low
• Control Oil/Trip oil Pressure Low
• Turbine Exhaust Pressure High
• Emergency trip from Control Room
• Emergency trip from Field LCP
• Condenser Level High
• Over Speed Trip
• High Axial & Radial Vibrations
• Mechanical Over Speed
• Separators Level High
Process Conditions/Cause:
• Compressor Suction Pressure LO
• Compressor Discharge HI/LO
• K.O Drum Level HI
• Woodward/Governor Trip
• Extraction Steam Pressure HI/LO
• Other Process required Conditions
Turbine Protective Function