OR WAIT null SECS
Sometimes in my early adolescence after a girlfriend had just broken up with me, I (Brun) would innocently ask her the rather stupid question, “Why?” Thus I learned one of life’s important lessons the hard way . . . and one that is of utmost importance in personnel management: if you don’t want to know the answer to a question, don’t ask. As strange as this may sound, this lesson can similarly be applicable to turbomachinery instrumentation. Sometimes the measurement is not worth the added cost and effort.
Modern gas turbines and compressors have a huge array of sensors, transmitters, and other instrumentation that is used to monitor the operation of the equipment, and to protect machinery from failures and damaging events. Most packages have well in excess of 100, and some as many as 300, instruments whose signals are read and transmitted into the unit control panel.
These instruments measure parameters, such as temperatures, pressures, flows and vibration levels. For a single set of gas turbine bearings, for example, the two lube oil temperatures, two lube oil pressures, two bearing pad temperatures and three shaft x, y, and z positions may be measured. Similar sensors are installed throughout the gas path and on most package equipment such as starter motors, lube oil pumps, seal systems, inlet filtration, and so forth.
API 616, 617, and 670 are the primary references for minimum instrumentation requirements on gas turbine driven compressor packages but many operators have their own specifications that far exceed API instrumentation requirements. I recently saw a purchase specification from a major oil & gas company that required six temperature, four pressure and two flow measurements in a simple lube oil cooler alone.
Depending on the potential safety issues, the readings from these sensors may trigger alarms, shut downs or emergency shutdowns (ESDs). Not surprisingly, instrument failure and spurious sensor readings are the most common cause for machinery shutdowns which can upset processes or limit plant productivity.
Additionally, ESDs put extra strain on machinery. On most machines, it is effectively a fast and unconditional safety shutdown where the energy source, combustor fuel or motor electric power is instantly cut off without any control system delays. Fast gas turbine shutdowns are not just an operational nuisance, but are often costly events that interrupt production and may even result in heightened degradation of the machinery.
However, in many cases when an instrument fails, immediate shutdowns are not necessary as long as other instrumentation monitors the continued operation of the equipment. An obvious example would be the failure of a single exhaust temperature thermocouple on a gas turbine. In this case, one does not need to shut down the gas turbine since there are multiple other thermocouples that measure the temperature of the exhaust gas spread.
On the other hand, if a lube oil pressure sensor fails or shows significant aberrant reading, it would be prudent to shut down the gas turbine quickly to avoid the potential of a catastrophic lube oil starvation event. But, even in this case, the shutdown does not necessarily have to be a fast ESD if other sensors on the bearings and in the lube oil system show normal readings. A gradual shutdown with all necessary cool down and run down delays will be much less detrimental to a machine than an ESD.
Thus, it is important to determine which instruments should be able to trigger an alarm, a regular shutdown or an emergency shutdown. Clearly, certain single instrument failures or high-level readings should cause an immediate machinery shutdown sequence for safety reasons (e.g., high vibration and overspeed). And with modern control systems, one has the ability to develop a more comprehensive and intelligent approach to avoid unnecessary shutdowns.
For example, by implementing control logic that relies on multiple related sensor readings rather than a single fault to determine whether a shutdown is necessary, one can significantly reduce the number of nuisance shutdowns and improve overall package reliability. Further, by carefully determining the most appropriate alarm and shutdown levels for each individual sensor — as appropriate for the application, online criticality, and failure risk cost-reward function — one can further mitigate unnecessary shutdowns.
But there are obvious issues that need to be addressed: who determines which signal or combination of signals cause what type of shutdown. Traditionally, the manufacturer makes this decision or at least provides guidance. But in recent years we have seen machinery operators develop their own, often fairly sophisticated, processes to determine this logic.
But there are obvious risk, liability and warranty implications if an operator decides to alter the package shutdown control logic, and one should carefully analyze cause-and-effect diagrams when developing machine- and application-specific shutdown logic.
Yet another element to consider is that API requires physically separate alarm and shutdown sensors. This is not always practical for cost and installation reasons. For example, while it is easy to have separate alarms and shutdown sensors for most temperature and pressure measurements, this would be hard to implement for almost all vibration and flow measurements due to lack of space.
However, it is important to note that true sensor redundancy can only be realized with three parallel sensors and 2:1 voting logic. Specifically, if one sensor fails while the others show normal readings, an ESD may not be necessary and a controlled shutdown could be more appropriate.
On the other hand, three times the amount of sensors (which would be necessary for true redundancy), also increases the probability that one or more of the sensors fail, and cause spurious alarms. In general, any additional sensor becomes a maintenance item.
Thus, when installing a new machine or reviewing the operation of an existing machine and the associated control systems, it is worthwhile thinking about what sensor signals or combinations should trigger alarms, regular shutdowns and ESDs. By optimizing these systems, the rate of sensorrelated spurious shutdowns and the associated unit availability can be significantly improved. Or, as my ex-girlfriend replied: “Think before you ask.”