Overspeed occurs when the rotational speed of a rotating machine, such as a steam or gas turbine, exceeds its design limits. The consequences of an overspeed event vary per type of machine and per model. The time that the overspeed event lasts and the degree of overspeed relative to the design limit are also decisive for the consequences.
Index
What is overspeed protection?
To prevent dangerous situations and serious machine damage during an overspeed situation, an overspeed detection system (ODS) is installed. Based on IEC guidelines, API guidelines and the machine specifications provided by the OEM, the reliability, reaction time, and limit values are defined in the system logic. These settings ensure that the system can trip/shutdown the machine in time when it is running faster than allowed by the design specifications. The ODS will send an alarm and initiate a trip that will cause the machine to be shut down by the emergency shutdown system (ESD).
The potential effects of an overspeed situation can be catastrophic; the financial consequences can add up to millions of dollars as a result of damage, production loss and unplanned standstill. In addition, the potential consequences for the environment and operational safety are enormous. Therefore, having an ODS installed is mandatory.
Even though safety has the highest priority, machine uptime is of great importance too. It is therefore crucial that the ODS only intervenes when it is necessary, as a machine trip leads to costly downtime. A proper hardware setup is essential, but just the beginning. Overspeed detection systems require proper engineering, commissioning and maintenance throughout their life to ensure machine safety and availability.
What causes overspeed?
Overspeed situations on rotating machinery should be prevented at all costs. Even the slightest overspeed could lead to mechanical stress that causes rotating machine parts to deform. More severe overspeed situations can cause the blade ends to rub against the housing. In the most severe overspeed situation, blades can come loose which results in machine parts penetrating the housing.
Broken shaft
When a drive shaft breaks, the motor will suddenly experience minimal resistance. With the driving force (fuel or steam) remaining, the rotor will be able to accelerate rapidly and exceed the machine’s mechanical limits. An advanced overspeed detection system will detect when a rotating machine exceeds the maximum tolerable acceleration threshold, trigger an alarm and initiate a trip function even before an actual overspeed situation occurs. However, it will take some time for the driving force to disappear, during which the machine could still reach a dangerous speed level. Therefore, it is essential to have in-depth knowledge of your machine and know which accelerations are acceptable at every speed.
Valve malfunctioning
Control valves / safety valves are mechanical parts of a machine which are vulnerable to malfunctions. Stuck control valves could lead to unexpected situations; when a control valve of a steam turbine is stuck or when one of its pressure valves remains opened, it could lead to excessive driving force on the shaft. Just as with a broken shaft, this could cause excessive acceleration and overspeed.
Testing mechanical overspeed devices
Mechanical / hydraulic overspeed protection can fail during an overspeed test. These systems have failure modes which can only be tested when performing an actual over speed trip. When the system is stuck due to varnish or dirt the overspeed detection system will not shut down the machinery when required. I additional the back-up system. Mostly the control systems also do not react the turbine can go into overspeed.
Human error
Even though most systems are automated, there is still room for human actions and interference. For example: during maintenance activities, leaving an override in place after a maintenance stop. Another example is an operator error. This has become less and less likely due to technological developments that require minimal human input, but it remains one of the overspeed causes for rotating machinery.
Incorrect sensor input
A sensor that is incorrectly mounted or adjusted, and system configuration errors, could corrupt the speed signal which causes an incorrect input in the system logic. This leaves the rotating machine vulnerable to undetected overspeed situations.
Control system failure
A failure of the speed control system can lead to an overspeed situation. A speed control system is used to regulate the speed of the rotating machine. An invalid input signal of programming error could set a failure of the speed control system in motion, which could subsequently cause overspeed.
4 reasons why overspeed protection systems should not be overly complex
Overspeed protection systems have one of the most important functions regarding safety measures for rotating machinery. As such, these systems require advanced safety functions to detect overspeed and excessive acceleration situations, and act accordingly to prevent damage and downtime. However, advanced should not be mistaken for complex, as complexity does not necessarily mean that the system is “better”. The more functions an overspeed protection system has, the more complex it becomes, yet not necessarily more advanced.
Core of overspeed protection
Leading machine standards such as the API 670 and the IEC 61508 have one main requirement for rotating machinery: to be equipped with a state-of-the-art overspeed protection system. The core of overspeed protection is to detect overspeed and excessive acceleration situations and initiate a trip relay when required. Any other functions are classified as add-ons and are not a requirement to adhere to machine safety guidelines.
Costs
Complex systems with more functions are more expensive. First of all because of the costs of secondary functions, such as monitoring functions, that do not directly contribute to the core function: overspeed protection. More functions require more hardware, which increases the costs of the system itself as well as the installation costs (i.e. wiring, instrumentation cabinets, etc.). Hardware requires periodic maintenance; the more hardware the more maintenance-intensive the system becomes.
These systems are often overkill for smaller and/or less critical rotating equipment that requires simple overspeed protection. This leaves operators with the choice to either implement a system that is hardly financially justifiable for its application, or to leave the machine unprotected.
Complexity and expertise
With complexity comes a more demanding requirement for extensive know-how regarding the operation and maintenance of the overspeed protection system. The systems are usually only checked during turnarounds, making their reliability of utmost importance. As overspeed protection systems do not require daily attention, it is generally not a dedicated expertise but part of a larger job description. As such, it is important that these systems are as straightforward as possible, and not dependent of a diminishing expertise. The more complex the system, the bigger the chance of human errors. This is especially the case with overspeed protection systems, as nobody really gets the opportunity to gain experience due to the long maintenance intervals.
Verification and testing
The more complex a safety system, the more demanding its testing and verification requirements are. To test and verify a safety system the process is interrupted; a long proof test interval negates the need to interrupt the process regularly. A system that is focussed on solely the core of overspeed protection can reach test intervals of above 10 years, to a point where it does not have to be tested before reaching end-of-life. It is important to note that the more functions an overspeed protection system has, the smaller the test interval becomes, and the more the process is interrupted. It is therefore important to have a suitable system for your specific application, rather than implementing a system that is “overkill” for the application.
