Turbomachinery functional safety also leads to plant performance and profitability, says Andy Tonge, Hima-Sella’s Sales Manager
The safety of turbomachinery is receiving increased levels of attention in light of accidents in recent years. Catastrophic failures, for example turbine over-speeding, can result in physical injuries and fatalities. Also, the loss of any turbine on which industrial processes depend equates to lost revenue, and there is the repair or replacement of the failed turbine to consider.
Thankfully, many operators have begun to apply functional safety methodologies to their turbomachinery, and general safety standards - like IEC 61511, IEC 61508 and ISA84.00.01-2004 - are now being used to assist with reducing the risk of catastrophic accidents. The integration of dedicated safety functions within turbomachinery control systems is seen as a way of not only meeting the above standards but also achieving higher plant productivity.
However, care needs to be taken when engineering such integration. A turbo machine is often controlled by many individual components, made by several manufacturers, all within a complex system. The consequences are elaborate wiring, different communication protocols and greater engineering costs. It is therefore tempting to share hardware, such as sensors, and even software code between multiple functions. Whilst acceptable for non-safety-critical functions, safety-critical functions must be controlled and monitored by independent hardware and software.
For example, safety-critical control functions might include speed control, load sharing and steam distribution. Protection might come through an Overspeed Trip (OST) and vibration, axial shaft, temperature and pressure monitoring – functions which should be implemented independently of control circuitry by one or more systems, each with its own Safety Integrity Level (SIL) rating under IEC 61508.
Importantly, the control system should be architected to depend on the presence of ‘healthy’ signals from the monitoring systems in order to operate. This is a fundamental aspect of the functional safety methodology, which Hima-Sella implements as what it calls ‘hierarchical’ or ‘layered’ protection. Also worthy of note is that the risk of inadequate segmentation between process control and safety instrumented systems was the subject of a report published in 2010 by the research organisation SINTEF.
Point in Case
A safety-focussed turbomachinery control (TMC) system was recently installed at the Daqing Petrochemical Company, a regional branch of China National Petroleum Corp. (CNPC), China’s largest oil and gas producer and supplier. In addition to chemicals and fertilizers, the company produces refined products such as petrol, kerosene, diesel, lube oil, chemical light oil, fuel oil and solvent oil.
A new desulphurisation plant at the Daqing Petrochemical Company is part of China’s efforts to improve its air quality by reducing the amount of sulphur in fuels for road vehicles, and thus reduce tailpipe emissions.
To achieve compressor and turbomachinery control for its desulphurisation plant, Daqing Petrochemical selected an integrated HIMA FlexSILon TMC solution based on a fully redundant HIMA HIMax platform. In addition to achieving SIL 3, in accordance with IEC 61508 and IEC 61511, and meeting API 670 standards, the company also wanted hardware that would increase plant availability and remain operational during online module replacement and online extensions, which HIMax accommodates.
As mentioned earlier, whilst ‘integrated’, the monitoring for safety purposes needs to be independent. In this respect, FlexSILon TMC employs third-party condition monitoring hardware and software for OST and compressor protection. Also, HIMax’s architecture eases the integration of safety and non-safety-critical control functions, and self-contained backplane modules (the X-MIO 7/6 O1, for example) can perform standalone functional safety functions. For instance, OST can be implemented to IEC 61508 SIL 3 and in accordance with API 670 independently of the other safety functions residing on HIMax’s internal CPUs and using its I/O.
In conclusion, integrated turbomachinery control and monitoring can meet the requirements of functional safety standards and produce greater operational efficiencies without the complexity (and high cost) of multiple disparate and hard-to-wire solutions. Where the control of safety-critical functions is concerned, the goal is without doubt ‘partitioned integration’, which is achievable by architecting the system using independent functional safety building blocks with dedicated hardware and software elements as appropriate.