When designing safety-critical equipment, functional safety is very important. SpeedSys ODS is an overspeed detection system that exemplifies a modern approach to achieving safety without compromising system availability. Unlike many overspeed detection systems, SpeedSys does not rely on a built-in frequency generator for proof-testing. This article explains why.
Proof-testing and functional safety
Safety systems are assigned a Safety Integrity Level (SIL) based on their reliability. SIL is determined by calculating the probability of failure on demand (PFD), in other words: the chance of the system not responding correctly when it should. Over time, the PFD increases as electrical components age and wear. The most reliable way to ensure ongoing functionality is through proof testing. The frequency of these proof tests depends on the reliability of the individual components.
Overspeed detection systems and built-in frequency generators
Older overspeed detection systems were often not designed to be SIL-rated during their initial development. Many of these systems obtained SIL certification at a later stage through a proven-in-use process, which required collecting sufficient reliability data. To ensure that these systems would perform during overspeed events, frequent proof tests were necessary.
Given the impracticality of manual proof testing at such intervals, these systems were redesigned to include onboard frequency generators. These generators automatically interrupt the measurement channels one by one and confirm their proper functioning. This approach has a drawback: while a channel is being tested, the availability of the system is compromised as it temporarily shifts from higher-redundancy configurations (e.g., 2oo2, 2oo3) to lower-redundancy configurations (e.g., 1oo1, 1oo2), posing a temporary threat to the safety of the machine.
For older systems, having an onboard frequency generator is the best achievable option for proof testing. It is a tradeoff caused by the necessity of high-frequency proof testing. For this reason, even the API 670 standard has incorporated the concept of a built-in frequency generator for overspeed detection systems.
SpeedSys ODS
SpeedSys was designed to meet SIL requirements without the need for a built-in frequency generator, by incorporating continuous diagnostic checks and internal verifications. In other words: because SpeedSys is certified by design rather than proven in use, it does not require frequent manual proof tests, and so it no longer needs a built-in frequency generator to work around the impracticality of such testing.
This system continuously runs internal safety tests while the device is operational, eliminating the need to interrupt measurement channels. These checks are integrated into the design and include features like:
Duotec™: A proprietary redundant signal processing concept that checks for discrepancies between two channels.
Hardware checks: Advanced self-check sequences that check every critical component in the loop, ensuring operational integrity.
Because of its continuous self-testing, SpeedSys has an exceptionally long proof-test interval of 10 years or more. Under ideal temperature conditions, it can even reach 20 years, matching the lifetime of the product. This long interval gives users the flexibility to align proof tests with scheduled maintenance, reducing operational disruptions.
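The link between continuous diagnostics and a longer proof-test interval can be shown with the simplified single-channel approximation PFDavg = λ_DU × TI / 2 and the IEC 61508 low-demand SIL bands. This is an added example, not the vendor's calculation: the failure rate, the diagnostic coverage values and the target SIL are constructed for illustration and are not SpeedSys data.

```python
import math

HOURS_PER_YEAR = 8760

# Upper PFDavg limit of each low-demand SIL band (IEC 61508).
SIL_UPPER_BOUND = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


def dangerous_undetected_rate(lambda_d, diagnostic_coverage):
    """Rate (per hour) of dangerous failures the diagnostics do NOT catch."""
    if not 0.0 <= diagnostic_coverage <= 1.0:
        raise ValueError("diagnostic coverage must be between 0 and 1")
    return lambda_d * (1.0 - diagnostic_coverage)


def pfd_avg(lambda_d, diagnostic_coverage, interval_years):
    """Single-channel approximation: PFDavg = lambda_DU * TI / 2."""
    lambda_du = dangerous_undetected_rate(lambda_d, diagnostic_coverage)
    return lambda_du * interval_years * HOURS_PER_YEAR / 2.0


def sil_for(pfd):
    """Highest SIL whose upper limit the PFDavg stays below (0 = none)."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_UPPER_BOUND[sil]:
            return sil
    return 0


def max_interval_years(lambda_d, diagnostic_coverage, target_sil):
    """Proof-test interval at which PFDavg reaches the target band's limit."""
    lambda_du = dangerous_undetected_rate(lambda_d, diagnostic_coverage)
    if lambda_du == 0.0:
        return math.inf
    return 2.0 * SIL_UPPER_BOUND[target_sil] / (lambda_du * HOURS_PER_YEAR)


if __name__ == "__main__":
    LAMBDA_D = 2e-6   # constructed dangerous failure rate per hour, not vendor data
    TARGET_SIL = 3    # constructed target, chosen only for the illustration
    for dc in (0.0, 0.60, 0.90, 0.99):
        years = max_interval_years(LAMBDA_D, dc, TARGET_SIL)
        print(f"DC={dc:4.0%}  max interval={years:6.2f} y  "
              f"SIL at 10 y={sil_for(pfd_avg(LAMBDA_D, dc, 10))}")
```

The model ignores repair time, common-cause failures and redundancy, so it shows the trend only: the same hardware that needs a proof test every few weeks without diagnostics can go more than a decade when almost all dangerous failures are detected while running.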
Manual testing for tailing equipment
While SpeedSys doesn’t need a built-in frequency generator for proof testing, it supports manual testing for tailing equipment that requires more frequent testing. The system uses a binary input to trigger relay switching, which initiates proof testing of the tailing equipment, and an open-collector binary output to signal alarm or error events. This setup ensures tests are only initiated in safe, low-demand conditions, avoiding accidental shutdowns due to overlapping tests or ongoing alarms.
Measuring the final element feedback (FEF)
For users who need to measure the response time of the entire protection system, SpeedSys supports final element feedback (FEF) testing. Using the binary input, the system can test the trip chain, including final elements like valves, without stopping machine operations. For example, a quad voter system can test multiple valves simultaneously, while the DCS or PLC tracks response times, ensuring continuous operation during testing.
SpeedSys demonstrates that modern safety systems do not need built-in frequency generators to ensure reliability. By utilizing continuous self-checks and advanced diagnostic features, SpeedSys maintains system integrity without interrupting measurement channels. This design not only extends the proof test interval but also enhances system availability, offering significant advantages over older systems.