According to the API standard 670 for Machinery Protection Systems, an electronic overspeed detection system (ODS) consists of speed sensors, power supplies, output relays, signal processing, and alarm/shutdown/integrity logic. Its function is to continuously measure shaft rotational speed and activate its output relays when an overspeed condition is detected.
API 670 defines multiple requirements that an ODS must meet to be compliant with the standard. Six of the most important are discussed in this article.
The required system accuracy for an ODS is ±0.1% of shutdown set point or ±1 rpm, whichever is less. This is generally a more demanding requirement than those for parameters such as speed, vibration and temperature that are typically monitored by a machinery protection system (MPS).
The speed sensors used as inputs to an ODS shall not be shared with any other system. More specifically, electronic overspeed detection shall be separate and distinct from the speed control system, with the exception of final control elements. If specified, a surge detection system and/or emergency shutdown system (ESD) may be combined with the overspeed detection functions in a single system but a failure of these other functions shall not affect the overspeed system.
Combining an ODS with any other machinery control, protection and/or monitoring systems – except an ESD – shall not be allowed. Complete system segregation is strongly recommended in order that the ODS is an isolated layer of protection. This is because combining an ODS with other systems may degrade the overall system response time, impact ease of serviceability or otherwise interfere with overspeed integrity.
API 670 requires that an ODS is able to detect an overspeed event and change the state of its output relays within 40 ms when provided with an input signal frequency of at least 300 Hz. However, the response time of the ODS alone does not guarantee that the complete overspeed protection system will be suitable for an application. Other system dynamics need to be considered. Proper engineering judgment and system design shall be used to ensure that the complete system functions properly and responds fast enough to prevent the rotor speed from exceeding the maximum allowable limit.
For example, the use of safety barriers to meet hazardous area requirements may introduce signal delays that prevent the complete overspeed protection system from meeting acceptable response time criteria. Care should be taken to consider these and other effects when selecting an electronic ODS and other system components, such as external voting logic and final control elements. Alternative methods should be considered as required to meet hazardous area requirements.
Depending on the application, a complete overspeed protection system shall use multiple independent measuring circuits and voting logic for each shaft. For example, critical applications such as power plant turbomachinery require three independent measuring circuits and two-out-of-three (2oo3) voting logic for a suitable solution, that is, a SIL 3 ODS. Less critical applications may use two independent measuring circuits and one-out-of-two (1oo2) voting logic for each shaft, or even one independent measuring circuit with no voting logic.
A SIL 3 ODS solution with a two-out-of-three (2oo3) voting logic configuration enhances reliability, provides more convenient system verification and reduces the likelihood of spurious shutdowns.
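The voting configurations described above can be compared by injecting one fault at a time into each measuring circuit. The following is an added example, not code from API 670 or from any ODS supplier; the function names, the 3300 rpm set point, the test speeds, the two fault modes and the "1oo1" label for a single circuit with no voting are assumptions made for illustration.

```python
def moon_vote(channel_trips, m):
    """M-out-of-N voter: shut down when at least m channels demand a trip."""
    return sum(1 for t in channel_trips if t) >= m


def channel_trip(speed_rpm, setpoint_rpm, fault=None):
    """Trip decision of one independent measuring circuit.

    fault is a constructed failure mode for this example:
    "stuck_trip" always demands a trip, "stuck_ok" never does.
    """
    if fault == "stuck_trip":
        return True
    if fault == "stuck_ok":
        return False
    return speed_rpm >= setpoint_rpm


def single_fault_behaviour(m, n, setpoint_rpm=3300.0):
    """Inject one fault into each channel in turn and report the outcome.

    spurious_shutdown: one stuck_trip channel stops a machine at normal speed.
    missed_overspeed: one stuck_ok channel blocks the trip in a real overspeed.
    """
    # Constructed test speeds: 90% (normal) and 102% (overspeed) of set point.
    normal, overspeed = 0.90 * setpoint_rpm, 1.02 * setpoint_rpm
    spurious = missed = False
    for faulty in range(n):
        at_normal = [channel_trip(normal, setpoint_rpm,
                                  "stuck_trip" if i == faulty else None)
                     for i in range(n)]
        at_overspeed = [channel_trip(overspeed, setpoint_rpm,
                                     "stuck_ok" if i == faulty else None)
                        for i in range(n)]
        spurious = spurious or moon_vote(at_normal, m)
        missed = missed or not moon_vote(at_overspeed, m)
    return {"spurious_shutdown": spurious, "missed_overspeed": missed}


if __name__ == "__main__":
    for label, (m, n) in {"1oo1": (1, 1), "1oo2": (1, 2), "2oo3": (2, 3)}.items():
        print(label, single_fault_behaviour(m, n))
```

Of the three configurations, only 2oo3 survives both kinds of single-channel fault: it neither shuts down on one spurious trip demand nor misses a real overspeed when one circuit fails to trip.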
If specified, the requirements of a safety instrumented system (SIS), dedicated to stopping the machine under abnormal conditions, shall apply to some or all of the machinery protection systems (ODS, ESD and/or MPS). The machinery protection system supplier shall provide their reliability/performance documentation to allow the SIS supplier to determine the SIL (safety integrity level) of the SIS, in accordance with the IEC 61508 functional safety standard.
It is recommended that the response time of the ODS and complete overspeed protection system is periodically measured and logged as proof that the system continues to meet the required response time. Routine test intervals, known as proof test intervals, are determined by the responsible party, unless the system is certified to IEC 61508 or IEC 61511, in which case the interval is dictated by the certification report. However, for IEC 61508 certified systems, proper care should be taken to maintain the SIL rating as per supplier recommendations.