The adoption of the functional safety standards continues to gain momentum in turbine applications. Both industrial and power turbine sites are now requiring compliance to IEC 61511. This blog will review both technical requirements and market trends related to functional safety system design. Market trends will cover which standards are required by region, turbine, size, and industry.

In Part 1, we discussed the application of IEC 61511 to Turbine Applications and how we demonstrate compliance.  In this blog we'll take a high-level look at the safety lifecycle, take a look at the IEC 61511 lifecycle, and discuss hazard matrixes, risk graphs, and LOPAs.

Functional Safety Lifecycle

Now we'll take a high-level look at the safety lifecycle. It starts with hazard identification -- figuring out what can go wrong with the process. Then a risk analysis and SIL selection is done, which essentially compares how bad the hazard could be to the tolerable risk. When that is done and you've identified safety instrumented functions, you create safety requirements specifications to document what needs to be achieved. Then you perform SIL verification to show that the system and the safety function can achieve those tasks. Finally, we have the operations and maintenance phase which tests and keeps the process running and performing its safety function. 

Typical SIFs in steam turbine application include emergency overspeed protection, axial position, loss of lube oil, vibration protection, and an e-stop function. In addition to the preceding list, gas turbine SIFs include excess startup fuel flow, exhaust purge timer, flame detection, and turbine compartment ventilation. These are examples only. The actual SIF list would be a function of the hazard analysis and SIL target. 

IEC 61511 Lifecycle

If we take a look at the IEC 61511 lifecycle, there are some activities that occur over the entire phase of a project, which are represented by the blue vertical columns. These are things like management of functional safety and functional safety assessment, safety lifecycle structure and planning, and verification. In the center of this graphic are the steps that need to happen as a project is done. These steps can be broken down into analysis, realization, and operation phases. The analysis phase includes identifying the hazards, determining how much risk reduction is needed, and running a SIS safety requirements specification. Realization includes SIS design and engineering, FAT, installation and commissioning, and SIS safety validation. Then the operational phase covers the operation of the system and equipment through its life, modifications, periodic proof testing and documentation, and decommissioning of the system. 

In IEC 61511, there is SIL 1 through SIL 3. SIL 4 is added in with 61508. The SIL level provides a measure and means to categorize risk reduction. It can be used in one of three ways: to establish risk reduction requirements, to set probabilistic limits for hardware random failure, or to establish engineering procedures to prevent systematic design errors. SIL will not only impact hardware design and reliability, but also engineering procedures. The higher your SIL level, the more risk reduction you will be able to claim, but also the more rigor in your process. 

SIL targeting is where we get the actual SIL level for the SIF. What needs to be done is identify how much risk reduction is needed to attain a tolerable risk. There are two methods for this, either qualitative or quantitative. The qualitative method will group numerical targets into more broad categories of risk reduction (e.g. SIL band only). Quantitative methods give specific numerical targets for risk (e.g. Risk Reduction Factor – RRF). It is important that a consistent method or set of methods is used.

Hazard Matrix 

Included in the quantitative methods is the hazard matrix. As you can see, it maps a frequency (y-axis) against the severity (x-axis). Depending on the severity and the frequency of an event, you'll need a certain risk reduction. For example, if we have an event that could result in a single fatality and model it so it happens every 50 years, we wind up with a SIL 2 requirement. This is only an example and each organization set its own tolerable risk guidelines. In this case, we can see that we don't get a numerical target, we just a SIL target. SIL 2 can have a risk reduction between 100 and 1000, so if you specify just SIL 2, that would mean a minimum risk reduction of at least 100 while also meeting the architectural and SIL capability requirements. 

Risk Graph

A risk graph is another qualitative method. It is kind of a guided method that asks questions like: What is the severity of the consequence? Is the area typically occupied? Is there any probability of avoiding the hazard? What is the demand rate or frequency with which this event is going to occur? Then you follow a path determined by the selected parameters to identify the required SIL. 

LOPA

A quantitative method is most often described as LOPA (Layer of Protection Analysis). LOPA provides the analyst with a method to reproducibly evaluate the risk of selected incident scenarios and identify additional risk reduction opportunities. You will start with an initiating event, specifically how often that initiating even will happen. Each LOPA scenario is limited to a single cause-consequence pair (path through an event tree).

One thing I would recommend is being very careful of is saying overspeed for turbines is always SIL 3. In a qualitative statement like that, it means you would design an overspeed function with a risk reduction factor of 1000. In my experience, we've seen very few things that when you target them quantitatively, overspeed is 1000. It is often SIL 2 somewhere between 100 and 1000. So I always tell people to be careful when taking a SIL target from an application standard or “industry practice.” This is because one of two things will likely happen: you are either going to have an expensive over design or have an unsafe under design. One thing to remember is that the siting is a key driver to the consequence part of SIL targeting. 

In the next part of this series, we will look at implications of IEC 61511 and effective implementation.