Ten questions to ask when considering your next overspeed system

A machine’s overspeed protection system is one of the single most important pieces of instrumentation in terms of the consequences when it fails to act properly. Whether you are an OEM looking to replace your incumbent supplier, or an end user looking to upgrade your current system, here are ten questions to consider as part of your evaluation process.

The Bently Nevada 3500/53 (left), Jaquet FT3000 (middle) and Woodward ProTech 203 (right) are all examples of electronic overspeed systems which the manufacturer has formally announced as obsolete.

1. Does my existing system really need to be replaced?

In our article “The Great Bolt Revolt,” we explored the shortcomings of overspeed protection systems based on mechanical bolts as well as industry’s ensuing migration away from such systems. If you are still using a mechanical system, then yes – you should plan to upgrade that system at the next available opportunity such as a planned plant maintenance outage. And, we encourage you to read that article which details why replacing your older, bolt-based system is such a good idea.

But what if you find yourself among the tens of thousands of customers that have already replaced their mechanical protection with an electronic system, or what if your turbine or other prime mover came from the OEM with an overspeed system as part of the controls package? It may seem like just yesterday that the instrumentation still had that “new car smell” but most manufacturers assume a lifecycle for critical protective instrumentation of no more than 15-20 years, meaning that if your turbines were supplied prior to the early 2000s and have not had an instrument and controls upgrade, your overspeed system is definitely in need of review. Or perhaps your machine is even older, but you upgraded the controls yourself. Check the calendar. If the upgrade was done before 2010, it’s time to start asking questions about the supplier’s lifecycle planning for that platform and their support policies. Or perhaps you are an OEM and your incumbent provider’s platform is aging. Before you automatically migrate to their newest platform, you are encouraged to survey the marketplace and see what has changed in the intervening decades. It may well be that a competitive review is in order to ensure you are getting the best value and the best technology for your needs.

2. Is my system truly independent?

One of the reasons that overspeed should not be integrated with the turbine / machinery control system or governor is that a failure of that system could very well be what leads to the overspeed event in the first place. If the two systems are combined, you could find yourself with no protection whatsoever. In fact, industry standards such as API 670 and generally accepted good engineering practices do not even permit the speed sensors to be shared between the two systems – only the final control elements and the speed sensing surface itself are common to the speed control and speed protection systems.

Some platforms allow the overspeed functionality to be combined with other functionality such as surge detection and emergency shutdown logic [1], but even though allowed by API 670 as an “if specified” option, there can be reasons to avoid this approach. One compelling reason is that it can be difficult for a user to understand how servicing or altering one system might affect the other if they are not physically separate systems – even if there are different modules used for overspeed versus other functions. Several years ago, we actually witnessed a customer that had overspeed modules integrated in the same chassis with their vibration modules embark on a project to purchase separate racks for the overspeed modules and move the modules out of the vibration rack. When asked why, the customer gave the exact reason cited above: so that they could be certain that working on one system would not affect the other.

Also, when two systems share the same rack chassis, there will usually be certain components in common – such as power supplies, backplanes, and relays. This can lead to common-cause failures. This can be avoided by insisting that the overspeed system be independent of any other system – not just vibration and control systems.

3. Can the system accept the best sensor for my application, or does it limit me?


An MPU (left), eddy-current probe system (middle), and Hall-effect sensor (right).
MPU image courtesy of magsensors.com, HE image courtesy of rheintacho.de

The default speed sensor for many overspeed systems is the magnetic pickup (MPU), a variable reluctance sensor that generates its own output when there is relative motion between the probe and a ferrous material such as a toothed speed sensing wheel on a shaft. This is not necessarily because it is the ideal sensor but simply because it is inexpensive and self-powered. In fact, MPUs have many drawbacks as noted in our companion article on overspeed sensor considerations (coming soon). In many cases, an eddy-current proximity probe or a Hall-effect sensor may be a better choice for reasons discussed in the aforementioned article. However, not all overspeed platforms accept all sensor types, forcing the user to select a non-optimal sensing element simply because it is compatible – not because it is ideal. This can be particularly true of platforms that support only eddy-current proximity probe systems with a voltage output instead of a current output. A proximity probe with a current output can be ideal because the signal is much less prone to electromagnetic interference and is able to run far longer distances (up to 1000m as compared to 30m for an MPU or 300m for a Hall-effect sensor) without loss of signal fidelity due to high-frequency attenuation introduced by the wire itself. It also allows superior OK checks because it is a voltage-biased sensor that is designed to distinguish between an open circuit and simply no signal, as well as other checks that can better validate sensor health.

4. Does the system require external barriers for sensors installed in a hazardous area?

A common method of addressing sensors that are mounted in a hazardous area is to use external Intrinsically Safe (I.S.) barriers between the overspeed system and each connected sensor. This introduces added cost and space requirements for mounting the devices. Also, systems relying on I.S. barriers require a high level of integrity in the grounding of the system, and this can be difficult in environments such as offshore platforms or marine vessels, where humidity and weather conditions with high saline content in the moisture make it hard to maintain a good ground with very little resistance. Galvanic separation is the preferred means of intrinsic safety in such environments, and it is suitable for other environments as well.

Regardless of whose external Zener barriers or isolators are used, they represent added cost, reduced diagnostic coverage, and the burden of maintaining a pristine ground with very low resistance compared to a system with internal galvanic isolation.

In addition, internal galvanic isolation allows a level of diagnostic coverage (see question #7) that cannot be addressed when an external barrier or isolator is used. This means that systems using external barriers or isolators will be inherently less able to identify faults in the instrumentation than systems using internal isolators.

Ask your potential supplier whether their system has internal, galvanic isolation for sensors or if external devices are required. Systems that provide this internally are preferred because it reduces the total cost of ownership, increases diagnostic coverage, and eliminates the need for separate devices to maintain as well as the space to accommodate them.

5. Is the system scalable to fit multiple different criticalities of machines in my operations?

Many customers have operations that reflect machines with a mix of criticalities. For example, a plant may have smaller, single-stage steam turbines used for mechanical drive of pumps along with larger multistage gas or steam turbines that warrant the most sophisticated overspeed protection with multiple layers of redundancy. Many times, the differences between these low-tier overspeed offerings, mid-tier offerings, and highest-tier offerings are substantial and rely on entirely different platforms with different components, different configuration environments, different spare parts, and different training requirements due to differences in operation and functionality. In contrast, some systems use the same components across all levels of the application and sophistication spectrum, simply using different configurations and interconnections between the same basic building blocks. This approach has numerous advantages in commonality of spare parts and commonality of training.

6. How old is the platform?

Even if a manufacturer still fully supports a system, ask when it was designed. This is important because in spite of a supplier’s best intentions to maintain the availability of a product, the component parts themselves often become obsolete through no fault of the manufacturer who then ends up needing to redesign the system, submit it again for various certifications and approvals by the agencies, and ensure full backwards compatibility. Do you really want to replace an overspeed system with a platform that was designed 20 years ago (or more) and which the manufacturer may be forced to obsolete before it reaches its full 15-20 year lifecycle expected by most users? While important for all users, it can be especially frustrating when the system is supplied on a new machine and the end user is told just a few years later that part of the controls and instrumentation is going obsolete on an otherwise “new” machine.

7. Is the SIL rating “proven in use” or is it “by design”?

To be SIL certified, a product must fulfil certain requirements that will allow you to answer three very important questions:

1. Were systematic faults mitigated as much as possible? In other words, was the product designed and tested properly by competent persons with state-of-the-art design processes?

2. Were random faults mitigated as much as possible? In other words, is the circuit resilient enough to random faults?

3. Are the conditions of utilization and integration in the overall system well defined and taken into account?

For many previous and current generations of instrumentation that were not designed in accordance with IEC 61508, certification had to be achieved through “proven in use” (PiU) means – demonstrating failure and reliability rates for the instrument based on customer return data. While this is OK for simpler devices that are always used in the same way and under the same conditions, for more technologically advanced products such an assessment can be difficult and ultimately tied to very specific conditions of utilization.

This is in contrast to “certified by design” (CbD) where the instrument was designed from its inception to have a particular SIL rating. This method does not rely on compilation of historical data to prove that systematic faults are limited – it relies on review of not only the design itself but also the design processes. In the PiU approach, SIL is essentially an afterthought that is retrofitted to the product after it has been designed and released to the market. In the CbD approach, the manufacturer has far more flexibility to continue enhancing the product over time, since the design is properly documented and any change impact analysis can therefore be conducted with confidence. In contrast, with PiU-based certification, you may not be sure about the overall impact of a change. For example, if the manufacturer changes a PiU design, the failure data collected up to that point may become invalid and the manufacturer has to start collecting data all over again based on the new design because its failures may now be unique and different from those of the prior design. This can result in a situation where the manufacturer cannot justify maintaining the certification and therefore discontinues the product.

On a platform such as overspeed, where the ability to maintain SIL certification is vital, a PiU-based approach is far more vulnerable to rapid or even immediate obsolescence.

While both methods of certification can result in a SIL certificate, check the certificate carefully to better understand the basis used for the SIL marking and give preference to products that use a CbD basis rather than a PiU basis.

8. How much real estate will the system require?

For retrofit applications, the most important criteria are often a system that simply fits the same mounting footprint as the old system and permits the reuse of existing wires for sensor inputs and outputs, and for things like Modbus maps. For OEMs, however, the situation may be different as the concerns are often related to the amount of space required and whether the system can be mounted near the machine to save on wiring costs and to allow an integrated package consisting of the machine and its controls all on the same frame or skid. Smaller packages are preferred – particularly those that can be mounted on a DIN rail along with the associated apparatus such as power supplies.

9. What is the total cost of ownership?

A system that requires a diverse set of spares – some of which may even be unique to each OEM – should be factored into your evaluation, along with training requirements. Can the system be easily mounted wherever it needs to be deployed to reduce wiring costs or is it constrained to only certain locations for environmental, hazardous area, or other concerns? If it must be mounted in an enclosure, how large is the enclosure and what special environment controls are required for heating, cooling, purging, and ventilation? What is the supplier’s track record for supporting the system throughout its full lifecycle and in providing support and training? What level of embedded diagnostics are present versus the need for manual testing and the intervals between such tests to maintain SIL certifications? All of these factors combine to influence the total cost of ownership.

10. Is the system simple or complex – and why does this matter?


Within reason, the simpler a system is, the less there is to go wrong and the less need for frequent proof-testing. Many overspeed systems on the market are overly complex and burden the user with complexity and functionality that they do not need. In general, this level of complexity comes at the cost of additional components which then require more frequent proof-testing. Many systems on the market require annual or more frequent proof-testing. Others require such testing only once or twice during the instrument’s entire lifespan. Ask your prospective supplier how often their system must undergo proof-testing in order to maintain its SIL rating. Consider also the documentation and retention requirements each time such testing is done. Lastly, the complexity of the system once again translates into increased spare parts requirements and increased training requirements.


[1] Although API 670 provides an option for overspeed to be combined with surge detection and overspeed protection, it does not permit it to be combined with vibration protection.
