API Standard 670 describes the minimum requirements for a machine protection system (MPS). This includes measuring radial shaft vibration, casing vibration, axial shaft position, shaft rotational speed, piston rod drop, phase reference, overspeed and critical machine temperatures.
The standard includes requirements related to hardware (sensors and systems), installation, documentation and testing. This article focuses solely on the part that describes overspeed. The main elements are described.
The API Standard 670 only describes the requirements of electronic detection systems, defining them as follows: “An electronic overspeed detection system consists of speed sensors, power supplies, output relays, signal processing, and alarm/shutdown/integrity logic. Its function is to continuously measure shaft rotational speed and activate its output relays when an overspeed condition is detected.”
API Standard 670 describes how an electronic overspeed detection system must be exclusively dedicated to overspeed detection. The system must be isolated from other monitoring and protection systems and is not allowed to share components (with, for example, the control system). This ensures that the functioning of the system is verifiable and not dependent on other systems.
An electronic overspeed detection system, for those machines to which the API Standard 670 applies, must consist of three independent measuring circuits. To maximise the safety and availability of the machine, a two-out-of-three voting (2oo3) is used to activate the trip function. In other words, when at least two of the three sensors detect overspeed, the trip function will be activated.
It goes without saying that the response time during an overspeed event is of great importance. The API Standard 670 states that the system may take up to 40 milliseconds to detect overspeed and have the relay outputs switch. It should be noted that 40 milliseconds is not always fast enough to prevent the rotor from reaching a rotational speed that exceeds its design specifications due to the ramp-up.
The following actions must take place within these 40 milliseconds:
Voting structures
Voting, regarding overspeed protection systems, can be defined by the number of safety loops that should switch to the safe state when an overspeed situation is detected. The desirable voting structure depends on the application. For highly critical machinery, a 2oo3 voting structure is widely adopted and required by the API Standard 670, but for less-critical machinery a 1oo1 voting structure may suffice. The reasoning behind this is the increased availability and safety that more complex voting structures provide.
The meaning of different voting structures is often misunderstood. This is due to the fact that the impact of a voting structure differs depending whether you look at from an availability perspective or a safety perspective.
Two different situations should be considered; the situation from a safety perspective and the situation from an availability perspective. In the first case, a machine remains protected when one or multiple safety units in the voting structure fail. The availability perspective focuses on whether a machine remains available if one or multiple safety units in the voting structure fail.
To determine the appropriate voting structure, answer the questions below.
The table above shows that the voting structure differs depending on the perspective. Taking the second row as an example, it would be a 1oo2 voting structure from a safety perspective; only one of the safety units must function for the machine to remain safe. However, from an availability perspective, if one unit fails the machine will not be available as both devices need to function properly.
Note: The open relays depicted in the table may cause confusion as they are closed during normal operation. However, schematics are generally illustrated in this way for clarity.
CAUSES OF OVERSPEED – ISTEC'S TOP SIX SUSPECTS
Broken shaft. When a drive shaft breaks, the turbine will suddenly experience minimal resistance. With the remaining driving force (fuel or steam), the rotor will be able to accelerate rapidly and exceed the machine’s mechanical limits.
Valve malfunctioning. When a control valve of a steam turbine is stuck or when one of its pressure valves remains opened, it could lead to excessive driving force on the shaft. Just as with a broken shaft, this could cause excessive acceleration and overspeed.
Testing mechanical overspeed devices. Mechanical/hydraulic overspeed protection systems have failure modes which can only be tested when performing an actual overspeed trip. However, during such a test, if the system is stuck due to varnish or dirt, the mechanical overspeed device will not be able to shut down the machinery when required.
Human error. Even though most systems are automated, there is still room for human actions and interference. An example is leaving an override in place after a maintenance stop.
Incorrect sensor input. The speed signal could be corrupted by an incorrectly-mounted or -adjusted sensor, or system configuration errors, which cause an incorrect input in the system logic. An incorrect sensor input could also affect the control system.
Control system failure. An invalid input signal or programming error could set a failure of the speed control system in motion, which could subsequently cause overspeed.
This article is an edited extract from Speed: the protection of rotating machinery using speed measurements, a compilation of articles on the subject published by Istec International. Istec is an expert in the field of speed and vibration measurements and (SIL-rated) overspeed protection on rotating machinery. Istec is also a manufacturer of overspeed detection systems including SpeedSys.
