During normal operation, a turbine’s own speed control system regulates the rotational speed of the machine. However, in the event of a problem with the turbine and/or its control system, an overspeed detection system (ODS) provides an isolated layer of protection that will automatically and immediately initiate a shutdown of the machine should this become necessary. In this way, the ODS increases safety, making it easier to meet regulatory requirements, while reducing operating costs such as maintenance and insurance.
Accordingly, owners and operators of large machinery like turbines both require and expect assurances that their equipment will operate safely under all conditions. Today, SIL certified overspeed detection systems are the best way to achieve such levels of integrity.
In safety-related applications such as overspeed protection, there is a legal obligation to implement a suitable and verifiable system. In addition to reducing risk and liability, such systems also increase user confidence in the safe operation of their machinery.
In the world of safety, a machinery protection system is known as a safety instrumented system (SIS). More specifically, it is an engineered set of hardware and software – typically a combination of sensors, logic solvers and actuators – that perform "specific control functions" to maintain safe operation of a machine when unacceptable or dangerous conditions occur.
A SIS can perform one or more safety instrumented functions (SIFs). Each SIF has an associated safety integrity level (SIL) which is related to the probability that the SIF will work as required when needed. The IEC 61508 “functional safety” standard defines four levels:
The overspeed protection of critical rotating machinery such as gas, steam or hydro turbines requires a SIL 3 solution using a redundant architecture consisting of three overspeed modules with 2oo3 voting logic.
It is also worth noting that the 5th edition of the API 670 “machinery protection systems” standard refers to safety integrity levels (and IEC 61508/61511) as the go-to method to comply with SIS requirements of machinery protection systems. (Refer to API 670 5th edition, Annex L.)
Another important consideration in SIL overspeed detection systems is the type of SIL certification, that is, how the SIL certification was obtained for the system.
SIL by design refers to systems that were designed in accordance with the IEC 61508 standard and have been verified and certified as SIL by an independent certification agency such as Exida or TÜV.
SIL by design systems have the following main advantages:
SIL proven-in-use refers to systems that were not designed in accordance with the IEC 61508 standard but rather have been verified and certified as SIL based on reliability (MTBF, MTTF) and failure mode (detected, undetected) data/statistics from systems operating in the field.
SIL proven-in-use certification is only suitable for systems that have a long track record of reliability in specific applications but does have the advantage of being more resource efficient and less expensive, at least in the short term.
In conclusion, a SIL certified overspeed detection and protection system helps to ensure safety integrity, that is, it increases the probability that the system will satisfactorily perform the required safety function when it is called upon to do so. However, it is important to understand safety integrity levels and the different types of SIL certification in order that the most suitable and cost-effective overspeed detection system (ODS) is selected for a particular application.