An Overspeed Detection System (ODS) has one job and one job only – detect an overspeed event and initiate an emergency trip sequence. This system should be considered an independent layer of protection which falls into the classification of Safety Instrumented System (SIS).
An SIS is defined by IEC 61508/ISA S84 and IEC 61511 as a system dedicated to stopping the machine under abnormal conditions. It is fair to say that an overspeed event is definitely an abnormal condition.
Safety Instrumented Systems are the opposite of process or machine control systems. They are dormant and passive. They monitor the process and hopefully will never be called into action. For example, an ODS constantly “watches” the speed of a machine, but only takes action when a predetermined speed setpoint is exceeded. If the speed of the machine never exceeds that value, the relays in the ODS system never change state.
Control systems on the other hand are constantly measuring a process and making necessary adjustments. Hopefully, this includes never allowing a machine to exceed its overspeed setting. However, if an overspeed event does occur, the control system will be quite busy managing the machine and process in order to bring the machine back to a safe state – opening/closing valves, alerting operators, dumping steam or gas, turning off fuel, etc. For this reason, relying on the control system to put the detection of an overspeed event as a top priority is not recommended. It will just be too busy performing other tasks.
It is important to realize that since the ODS “just sits there”, it is challenging to determine if it is functioning properly. Therefore, proof tests need to be performed periodically to reveal any covert faults. How often a system needs to be tested depends on how it is designed, and its capability to reveal or detect covert faults. Manufacturers of ODS’s commonly provide a proof test interval that recommends how often an ODS should be taken out of service and tested. The longer the proof test interval, the longer the time between these tests.
It is highly recommended that these test intervals are longer than the maintenance interval for the process where the machine is used. For example, the catalyst in an FCC unit needs to be replaced every 36 months. The FCC process includes a large (hp) main air blower machine train. Therefore, the test interval for the ODS used on the main air blower should be longer than 36 months. Shutting down the FCC unit just to perform a proof test on the ODS would be time consuming and costly.
Another thing to consider is to keep the ODS as simple as possible in order to ensure it is always capable of performing its primary function. As mentioned previously, there is a need for extensive diagnostics in dormant/passive safety-related systems. Safety systems should be incorruptible. They need to be limited to a fixed set of rules and access to changing these rules must be carefully restricted. The more complex the system, the more difficult it will be to test for all potential faults.
The old KISS principle “Keep it Simple Stupid” applies here. An ODS should be put in place to detect an overspeed event only. Yes, its outputs can be used by other devices, but its primary and only function is to stop a machine from tearing itself apart. Or else it may end up like this...