Experts’ approach to turbine safety
Jim Jacoby, Tri-Sen’s Vice-President of Marketing, discusses turbine safety, the technical improvements that need to be considered, and what can be done to maximise safety benefits.
Turbine overspeed events can be extremely destructive if the speed excursion is sufficient to cause the turbine rotor to burst. If the integrity of the steam casing is compromised, damage will not be isolated to the turbine.
In a paper presented at the Texas A&M University Turbomachinery Symposium, Edward E. Clark of The Hartford Steam Boiler Inspection and Insurance Company stated that “One insurance company’s experience has been that, when losses for all industries are ranked by the size of an average loss paid, rotating equipment accounts for seven of the ten largest averages.”
Clark also stated that “A large percentage of steam turbine overspeed wrecks occur during uncoupled/low load overspeed trip testing. In the author’s opinion, this single advantage should be sufficient to justify upgrading to electronic overspeed trip systems.”
When implementing a retrofit project for a turbine shutdown system, a number of issues need to be considered. Are there any governmental regulations that must be considered? Should a safety integrity level determination be performed? What are the performance requirements of the new shutdown system? Besides the safety functions, what other equipment protection functions can be combined into the new shutdown system? What features, such as testing, need to be included in the new system so that it complies with the required safety integrity level?
Inputs
A turbine safety system will need application-specific inputs for measuring the process parameters that indicate a dangerous condition. For some inputs such as pressure, transmitters are adequate. For other inputs where response time and loop integrity are critical, the turbine safety system logic solver should include I/O that can directly interface with the sensors.
Execution speed
There are a number of factors that will determine how fast the logic solver must execute the safety process. In general, a faster logic solver execution time is better.
The trip system must be designed for the worst case safety condition. For execution speed, the most challenging event is usually an overspeed due to a total loss of driven load.
The resulting maximum excursion speed will depend on how quickly the energy input to the turbine (fuel or steam) can be halted.
There are several factors that will influence the time required to curtail the energy input that cannot be easily modified with a new trip system. The execution speed of the trip system logic solver is generally the most predictable time interval in the system. The mechanical components in the system can experience wear and fouling that will deteriorate their reaction times.
Any improvements that can be made in the speed of the logic solver will provide additional safety margin for the unpredictability of the mechanical components.
Fault detection
Since a safety system is usually only activated by an unsafe event, it can be difficult to know if the system will be ready when a demand is placed on it. Modern safety systems have internal testing that takes place to find covert faults so they can be identified before an event occurs. This generally means that the system must include extensive feedback data for outputs, reference levels for inputs and diagnostic routines for system software.
Fault tolerance
One requirement of a modern safety system is that it must fail to a safe state. In general, this will also require that the loss of power to the system cause the process to trip. But tripping most turbines in a power plant is considered undesirable. To avoid nuisance trips due to a single component failure, an electronic trip system should include sufficient redundancy to allow the system to tolerate a single fault. This typically means redundancy.
Additionally, the redundancy should be sufficient to minimize “tie” votes. If a failed component cannot be repaired online, the amount of redundancy might need to be expanded to assure that the turbine can be operated for the desired length of time without a spurious trip.
Input and output devices need to be redundant as well to assure that a failed instrument is not the cause of a nuisance trip or an incorrect action of the logic solver.
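The voting behaviour described in this section, as an added example that is not part of the original article or any vendor's product: a majority voter over redundant speed channels that drops channels flagged by diagnostics, showing how three channels degrade to a two-channel vote where a split is a tie, and how a fourth channel avoids it. The trip setpoint, the speed values and the names Channel, vote and tie_trips are assumptions made for illustration.

```python
from dataclasses import dataclass

TRIP_RPM = 3960.0  # assumed setpoint for illustration, not from the article


@dataclass
class Channel:
    speed_rpm: float  # speed reported by one probe (constructed sample values)
    healthy: bool     # verdict of that channel's own diagnostics


def vote(channels, trip_rpm=TRIP_RPM, tie_trips=True):
    """Majority vote over the channels that diagnostics consider healthy.

    Returns (trip, reason). A faulted channel is removed from the vote, so
    three channels degrade to two and a split becomes a tie. tie_trips picks
    the tie policy: True trips (1oo2, safety-biased), False keeps running
    (2oo2, availability-biased). With no healthy channel the voter trips,
    which is the fail-to-safe-state requirement.
    """
    healthy = [c for c in channels if c.healthy]
    if not healthy:
        return True, "no healthy channels: fail safe"
    demands = sum(c.speed_rpm >= trip_rpm for c in healthy)
    clear = len(healthy) - demands
    if demands > clear:
        return True, f"{demands}oo{len(healthy)} channels demand trip"
    if demands == clear:
        return tie_trips, f"tie {demands}-{clear}, resolved by policy"
    return False, f"only {demands}oo{len(healthy)} channels demand trip"


if __name__ == "__main__":
    cases = {
        # One probe reads high, two agree on normal speed: single fault tolerated.
        "spurious reading": [Channel(4100, True), Channel(3600, True), Channel(3601, True)],
        # Two of three see overspeed: genuine demand.
        "real overspeed": [Channel(4000, True), Channel(3990, True), Channel(3600, True)],
        # One channel diagnosed as failed, the remaining two disagree: a tie.
        "degraded, split": [Channel(0, False), Channel(4000, True), Channel(3600, True)],
        # Same failure with a fourth channel installed: three voters remain, no tie.
        "four channels": [Channel(0, False), Channel(4000, True),
                          Channel(3600, True), Channel(3605, True)],
    }
    for name, chans in cases.items():
        print(f"{name:18s} -> {vote(chans)}")
```

In the degraded case the outcome depends entirely on the tie policy, which is why a system that cannot be repaired online may need the extra channel.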
Component testing
Any safety system must be tested to prove its performance. Well-designed safety systems allow all components or subsystems to be tested online. The system must include not only the redundancy and facilities to allow the test but also sufficient feedback from each component or subsystem to validate the test.
These testing requirements extend throughout the entire system from input sensors to the final solenoids and even the stop valves. Switches can be difficult to test and provide no information about their health when their state is static. For this reason, switches should be eliminated or at least minimized as primary process inputs to a safety system.
Upgrading a turbine trip system can improve the safety and availability of a turbine installation. To get the most benefit from a turbine safety system upgrade and to assure the new system provides the required safety benefits, the system requirements should be evaluated by turbomachinery safety experts. The upgrade solution, installation and commissioning are equally important and should be handled by experts as well.