OR WAIT null SECS
© 2024 MJH Life Sciences™ and Turbomachinery Magazine. All rights reserved.
Overspeed Protection System Design, Verification and Testing
STANDARD OVERSPEED PROTECTION SYSTEMS CANNOT ALWAYS CATCH OVERSPEED EVENTS BEFORE THEY HAPPEN. AN EMERGENCY SYSTEM OFFERS AN EXTRA LAYER OF PROTECTION
Turbomachinery overspeed protection is not just about safely shutting down a system when it is being stressed beyond its recommended limits. It begins with a thorough understanding of the physical design limits of each turbine system and ends with the design of a complete control system capable of preventing a catastrophic overspeed event.
Figure 1: Integrated control system design for optimized safety, reliability and performance[/caption]
The primary control system is the first line of defense against overspeed, typically referred to as Normal Overspeed (NOS) protection (Figure 1). It is an essential element in ensuring safety of the machinery . The primary controller regulates machine speed and load output by controlling the fuel delivery that powers it.
Furthermore, it regulates the amount of energy input to the rotating machinery that drives speed and load output for either electrical power generation or mechanical work performed through pumps, compressors and blowers. As increasing power output is required for higher loads on driven machinery such as generators or compressors, the risk of machine overspeed upon sudden loss of load increases proportionally.
Figure 2: The dashed line represents turbine acceleration if Normal Overspeed protection doesn't work as designed. The solid line is the expected acceleration curve if Normal Overspeed protection works properly upon loss of full load[/caption]
Theoretically, the NOS protection system should prevent any overspeed events. But, in reality the system can not always catch overspeed events before they happen (Figure 2). The Emergency Overspeed (EOS) protection system (Figure 3) is an extra layer of protection that operates independently from the primary control system. It acts as a second line of defense and has the independent ability to determine if the machinery is headed for catastrophic overspeed.
Figure 3: Diagram for emergency overspeed of a “slowly accelerating” unit on loss of full turbine load with the first line of defense not working properly[/caption]
EOS protection systems for older turbomachinery are typically mechanical emergency governors, more commonly known as mechanical bolts, installed directly on the main turbine shaft. More modern control systems incorporate various forms of electronic overspeed protection systems. These emergency systems are designed to respond when NOS protection systems fail to prevent the equipment from operating at rotational speeds exceeding about 110% allowed in maximum design.
Although primary control and emergency overspeed protection systems must work independently, they also must be designed to work together effectively as a total protection system (Figure 4).
Figure 4: Diagram of emergency overspeed of a “fast accelerating” unit with trip anticipator function (typical) on loss of full turbine load with all controls working properly (solid line) and without trip anticipation (dashed line)[/caption]
System level approach
Overspeed protection failures are usually the result of controllers designed with inadequate responsiveness, and inadequate periodic maintenance and testing of the systems, or both. Sometimes, the primary control system responds well within normal speeds, where it performs fine control. However, it is not sufficiently equipped to handle large system transients such as rapid loss of load.
The most effective controllers are designed to perform well with fine controlling ability and respond quickly enough to catch a rapidly accelerating piece of highenergy machinery. Older Mechanical Hydraulic Control (MHC) systems ha ve fixed-speed regulation that provides for fine speed control, but is not ideal for large system transients and does not have the ability to anticipate a potential trip condition lik e their modern counterparts.
More modern digital Electro-Hydraulic Controls (EHC) can be designed for greater fault tolerance and trip anticipation without sacrificing frequency response and fine control. However, control systems are only as strong as their weakest links.
The importance of effective design of mechanical control system elements such as hydraulic-powered fuel control and safety valves, speed sensing assemblies, turbine sensory instrumentation, trip manifold assemblies, levers and linkages, and hydraulic power units are often overlooked or underestimated in relation to overall control system performance.
Regardless of the control elements in place, it is essential to perform manufacturer specified periodic testing of key control elements to verify proper function. Testing is crucial to ensure that any latent failures of essential control elements are detected and repaired before safety is compromised. The reliability of overspeed protection systems depends on confirmation, through regular testing, that all critical system components work properly.
A robust control system should anticipate trip conditions and control the safety valves without tripping the turbine in a rapid loss of load event. A well-designed primary control system should anticipate trip or loss of load events, giving itself valuable additional milliseconds to respond before an actual unit trip must take place.
It is important, then, to avoid unnecessary trip events through effective turbomachinery control without sacrificing robust machine protection. Once an a voidable trip event occurs, the cost of lost production can be high.
Emergency systems must be fast, reliable, and have online maintainability of components most likely to fail more frequently. Testing primary and emer gency overspeed protection elements online ensures they are working properly without sacrificing unit a vailability. This requires a certain amount of fault tolerance in system components, such as that provided by Triple Modular Redundant (TMR) systems.
Also, an overspeed analysis is needed to account for element lag times in trip systems to determine the amount of entrained energy (the amount of high-pressure and temperature energy that has already passed your safety and control valves) that will continue to accelerate a machine after an emergency trip event is activated.
Controller selection
Ideally, the primary control system and the emergency overspeed protection system are designed as a complete system, while maintaining key elements of independence.
- The following physics-based limiting factors should be consulted by those designing a primary control system and an EOS:
- The mass and total inertia of the turbine and driven equipment rotating elements
- The amount of work performed at maximum load by driven equipment
- The amount and condition (pressure and temperature) of entrained (stored) energy already past controlling and safety valves
- How much additional entrained energy is expected to enter the machine postemergency trip based on how long it takes to close the valves.
On the surface, turbomachinery overspeed protection upgrades may seem simple or straight forward. However, it is critical for safety to ensure that controls take these limiting factors into account.
