
The 11th International Fluid Power Conference, 11. IFK, March 19-21, 2018, Aachen, Germany

2oo3plus – A New Design of Electro-hydraulic Safety Controls for Critical Applications

Kristof Schlemmer**, Jörg Ebersohl* and Edgar Weishaupt*

* HYDAC Systems & Services GmbH, Sonnenallee 1, D-66287 Quierschied-Göttelborn, Germany
** formerly: as above (*); now: Moog Luxembourg S.à r.l.

E-Mail: [email protected]

This paper presents an alternative design approach for electro-hydraulic safety manifolds used in quick-closing actuators. Starting from the common 2oo3 voting architecture, a separation of flow paths yields a new solution employing six solenoid-operated 2/2-way poppet valves with electrical coupling. The technical discussion shows various advantages, such as improved reliability from both a systematic and a probabilistic point of view. It is shown that the new 2oo3plus system outperforms other common structures with regard to the safety metrics of IEC 61508.

Keywords: IEC 61508, SIL, 2-out-of-3 voting, Functional Safety, valve actuator, turbine trip

Target audience: Functional Safety, Process Technology, Reliability & Robustness

1 Introduction

Process plants, e.g. in the water/steam circuit of thermal power plants, need to be operated safely, as they pose an increased hazard risk for humans and the environment and can cause damage in the event of a fault. The field of Functional Safety deals with the assessment, reduction and control of such risks with the aim of achieving a tolerable risk level. For process industry applications in low demand mode, appropriate approaches and methods are set down in IEC 61508 /1/ and IEC 61511, including the Safety Integrity Level (SIL) as a measure of risk reduction and possible architectures of system redundancy.

Figure 1: Valve operation set-up with spring-loaded electro-hydraulic valve actuator (fail-safe close)

In power generation processes, risk is mainly caused by the high energies being handled (e.g. potentially producing turbine overspeed), whereas in the process industry it can also be caused by the chemical aggressiveness of the fluids conveyed. When corresponding protective measures are developed, a prime focus is on the fluid control valves and how they are utilised in the execution of safety functions. Common safety functions include the fast shut-off of supply lines or the opening of bypass or relief lines, using electro-hydraulic actuators as shown in Figure 1. Actuator systems of this type act on the stem of a process seat valve and are equipped with a fail-safe energy storage element, such as a stack of disc springs or a hydraulic accumulator. The system operates hydraulically by means of a directional valve against the spring while the trip valve is closed. In the event of an emergency, the safety function (‘trip’) is executed by opening the trip valve and thus releasing the spring, which brings the system into the safe state (cylinder extended, process valve closed). The trip is initiated by discharging port X to the reservoir, governed by the voting logic implemented in the safety manifold.

Figure 2: Example of common hydraulic 2oo3 voting using three 4/2-way spool valves /2/

Figure 3: Corresponding schematic diagram

The most common voting architectures are considered in /1/, where M-out-of-N, or MooN, means that of a total of N elements, at least M are required to function in order to perform the safety function. The 2oo3 voting architecture common in many SIL-3 systems connects three equal elements such that any two of them can together initiate the safety action, which means that one single failure is tolerated (Hardware Fault Tolerance HFT = 1). The hydraulic implementation commonly involves three hydraulic channels and three 4/2-way spool valves A..C (see Figure 2, Figure 3, and e.g. /2/, /3/). These are arranged in such a fashion that each hydraulic flow path used to depressurise the connected actuator passes sequentially through two different valves. At the same time, each channel uses only one of the two internal flow paths (P→A or B→T) opened by the valve spool, so each valve synchronously controls two separate hydraulic connections. Six controlled openings are therefore required to realise the 2oo3 function, mechanically coupled, however, in pairs via the valve spools. The control elements (openings) in one hydraulic channel are not independent. Hence, the failure of one valve results in the failure of two hydraulic channels, leaving a 2oo2 voting architecture.
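The hardware fault tolerance of the mechanically coupled 2oo3 spool arrangement described above, and of the 2oo3plus arrangement of six electrically paired poppet valves introduced in the abstract and detailed in Section 2.1, can be checked by enumerating valve failure combinations. The following Python model is an added example and is not code from the paper or from HYDAC. It assumes the 2oo3plus slab layout given in the Figure 11 table (slab 1: A1/C2, slab 2: B1/A2, slab 3: C1/B2), that a trip demand commands all valves open, that a dangerous failure is a valve stuck closed and a safe failure a valve stuck open; the 2oo2plus row of the same table is included as a third design. All function and variable names are the example's own.

```python
"""Hardware fault tolerance (HFT) of hydraulic voting manifolds, found by
enumerating valve failure combinations.  Added example, not code from the
paper or from HYDAC.  A manifold is modelled as a set of hydraulic
channels; each channel is the set of valves that must all open for that
channel to discharge the actuator.  Assumptions: a trip demand commands
all valves open; a dangerous failure is a valve stuck closed; a safe
failure is a valve stuck open (a channel whose valves are all stuck open
in standby causes a spurious trip)."""
from itertools import combinations

# Conventional 2oo3: three 4/2-way spool valves A..C, each flow path passing
# through two different valves (Introduction, Figures 2 and 3).
SPOOL_2OO3 = {"AB": {"A", "B"}, "BC": {"B", "C"}, "CA": {"C", "A"}}

# 2oo3plus: six 2/2-way poppet valves in three slabs, electrically paired
# A1/A2, B1/B2, C1/C2 so that paired valves sit in different slabs.
# Slab layout assumed from the Figure 11 table (A1 B1 C1 over C2 A2 B2).
POPPET_2OO3PLUS = {"slab1": {"A1", "C2"}, "slab2": {"B1", "A2"}, "slab3": {"C1", "B2"}}

# 2oo2plus (2oo2 x 2oo2) from the same table (A1 B1 over B2 A2).
POPPET_2OO2PLUS = {"slab1": {"A1", "B2"}, "slab2": {"B1", "A2"}}


def surviving_channels(channels, stuck_closed):
    """Channels that can still discharge when the given valves are stuck closed."""
    return {name: valves for name, valves in channels.items() if not valves & stuck_closed}


def trips_on_demand(channels, stuck_closed):
    """The safety function succeeds if at least one channel is intact."""
    return bool(surviving_channels(channels, stuck_closed))


def spurious_trip(channels, stuck_open):
    """Standby is lost if some channel has all of its valves stuck open."""
    return any(valves <= stuck_open for valves in channels.values())


def hft_range(channels, defeated):
    """(min, max) number of simultaneous valve failures tolerated: min assumes
    the worst placement of failures (the value a safety assessment must claim),
    max the best placement.  `defeated(channels, failed)` tells whether the
    failure set defeats the manifold."""
    valves = sorted(set().union(*channels.values()))
    worst_tolerated = len(valves)
    best_tolerated = 0
    for k in range(1, len(valves) + 1):
        for failed in combinations(valves, k):
            if defeated(channels, set(failed)):
                worst_tolerated = min(worst_tolerated, k - 1)
            else:
                best_tolerated = max(best_tolerated, k)
    return worst_tolerated, best_tolerated


def hft_dangerous(channels):
    return hft_range(channels, lambda ch, failed: not trips_on_demand(ch, failed))


def hft_safe(channels):
    return hft_range(channels, spurious_trip)


if __name__ == "__main__":
    designs = [("2oo3 (spool)", SPOOL_2OO3), ("2oo2plus", POPPET_2OO2PLUS),
               ("2oo3plus", POPPET_2OO3PLUS)]
    for name, design in designs:
        print("%-14s HFT(d) = %d..%d  HFT(s) = %d..%d"
              % ((name,) + hft_dangerous(design) + hft_safe(design)))
    # A single stuck spool valve leaves one path needing both other valves: 2oo2.
    print("2oo3 with A stuck closed:", surviving_channels(SPOOL_2OO3, {"A"}))
```

Under these assumptions the model gives HFT = 1 for the conventional 2oo3 (one stuck spool valve leaves a single path that needs both remaining valves, i.e. the 2oo2 noted in the text), HFT(d) = 2..4 and HFT(s) = 1..3 for 2oo3plus (the ranges quoted with Figure 20 in Section 5), and 1..2 for both failure directions of 2oo2plus, as listed in Figure 11. The lower bound of each range is what an assessment must claim, since it assumes the least favourable placement of failures.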


2 Enhanced Concept with an Alternative Voting Architecture – 2oo3plus

2.1 Separation of Flow Paths

The new HYDAC EHC-S 2oo3plus safety control aims to eliminate the mechanical coupling of the control openings and to replace it with an electrical coupling of six individual valves, distributed in pairs across the three hydraulic channels (see Figure 4 and Figure 5). This layout increases the hardware fault tolerance to at least HFT = 2, as only two out of six valves are needed in the best case, and four in the worst case. A single valve failure results in the failure of only one hydraulic channel. As the six valves are electrically controlled in pairs (e.g. A1/A2) such that the valves actuated by a single electrical signal are located in different hydraulic channels, the system behaves like a 2oo3 voting logic towards the supervisory process controller.

Figure 4: Concept of 2oo3plus voting using six 2/2-way poppet valves. Coloured lines depict control links.

Figure 5: Corresponding schematic diagram

The 2oo3plus system employs six 2/2-way poppet valves which are solenoid operated and internally piloted. These components are well-tried in large numbers and highly reliable by design. Field experience and scientific investigations (e.g. /4/) have shown that this type of valve is less susceptible to oil contamination, silting, hydraulic lock and varnishing effects than spool valves. Particularly with regard to blocking in the closed state (non-opening), they can be considered superior for use in this application.

Further advantages include (/5/):

• Fast switching times support rapid actuator discharging.

• Poppet design effectively prevents leakage during normal operation; suitable for accumulator-based applications.

• Increased range of flow rates combined with solenoid operation; may eliminate the need for piloted slip-in cartridge valves in some cases.

• Compact and light-weight manifold design; allows flange-mounting on the actuator.

• Reduced component costs due to large-batch standard valves.

• Minimised internal cavity volume prevents pressure collapse; suitable for a large operating pressure range from as low as 6 bar up to 250 bar.

• Wide ambient temperature range (-20..60 °C, with special measures up to 80 °C); suitable for demanding applications such as power plants or process plants.

• Robust against oil contamination, moderate cleanliness requirements (20/18/15 acc. to ISO 4406).

• No requirements on installation position/orientation.

2.2 Diagnostic Valve Test

Cyclical diagnostic testing of the channels is a prerequisite of redundant architectures and helps to guarantee safety integrity. The 2oo3plus safety control makes it possible to reliably check that a valve is functioning correctly in a live system by either position monitoring or pressure monitoring.

2.2.1 Position monitoring

All six valves are equipped with an inductive position switch to detect whether the valves are in the open or closed state.

2.2.2 Pressure monitoring

Each of the three hydraulic channels is equipped with an electronic pressure switch located in the intermediate section between the two poppet valves, see Figure 6. The pressure switches feature two threshold set-points and digital outputs, which in combination define three pressure bands (high/neutral/low). Each valve is bypassed by an orifice (not shown) establishing a restricted connection between the pressure switch and the high pressure pX in X or the tank pressure pT in T, respectively. The orifices are dimensioned to produce equal pressure drops, hence creating an intermediate pressure pM of approximately half the system pressure in the standby state. A seated test activation valve on the high-pressure side can be used to isolate the diagnostic test set-up and ensure zero leakage during normal operation. Alternatively, if leakage is not an issue, this valve can be omitted, and permanent simple online monitoring of the main valves is possible. Information about the states of the valves can then be derived from the pressure ratios measured in the hydraulic channels when a logical valve pair is de-energised.

Figure 6: Testing set-up of the 2oo3plus system (simplified).
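The pressure-band evaluation of Section 2.2.2 and the step-by-step testing procedure of Section 2.2.3 amount to a small truth table plus a sequencer that halts on the first negative result. The following Python code is an added example, not the manufacturer's evaluation logic or the interface-box firmware. It assumes the slab layout of the Figure 11 table (slab 1: A1 over C2, slab 2: B1 over A2, slab 3: C1 over B2), with the first-named valve of each slab on the X side of the pressure switch and the second on the T side, names the bands high/neutral/low as in the text, and drives a constructed simulator in place of the real plant interface; all class and function names are the example's own.

```python
"""Diagnostic valve test of a 2oo3plus manifold evaluated from the three
channel pressure switches (Sections 2.2.2 and 2.2.3).  Added example,
not the manufacturer's logic.  Assumed slab layout, taken from the
Figure 11 table: slab 1 = A1 over C2, slab 2 = B1 over A2, slab 3 = C1
over B2; the first-named valve is assumed to sit on the X (high
pressure) side of the pressure switch, the second on the T (tank) side."""

SLABS = {1: ("A1", "C2"), 2: ("B1", "A2"), 3: ("C1", "B2")}  # (X side, T side)
PAIRS = {"A": ("A1", "A2"), "B": ("B1", "B2"), "C": ("C1", "C2")}  # logical channels


def bands_for_open_valves(open_valves):
    """Band seen by each slab's pressure switch for a set of open valves:
    both closed -> 'neutral' (pM ~ pX/2 via the bypass orifices), only the
    X-side valve open -> 'high', only the T-side valve open -> 'low',
    both open -> 'flow' (the channel is discharging, i.e. a trip)."""
    bands = {}
    for slab, (x_side, t_side) in SLABS.items():
        x_open, t_open = x_side in open_valves, t_side in open_valves
        bands[slab] = ("flow" if x_open and t_open else "high" if x_open
                       else "low" if t_open else "neutral")
    return bands


def expected_bands(deenergised):
    """Truth-table row for the given de-energised logical pairs (valves open)."""
    return bands_for_open_valves({v for p in deenergised for v in PAIRS[p]})


def diagnose(deenergised, measured):
    """Compare measured bands with the expectation; return the suspected
    valve faults as (valve, description) tuples (empty list = check passed)."""
    faults = []
    for slab, exp in expected_bands(deenergised).items():
        got = measured[slab]
        if got == exp:
            continue
        x_side, t_side = SLABS[slab]
        if exp == "neutral":       # a valve that should be closed passes pressure
            if got == "flow":
                faults += [(x_side, "stuck open / leaking"), (t_side, "stuck open / leaking")]
            else:
                faults.append((x_side if got == "high" else t_side, "stuck open / leaking"))
        elif got == "neutral":     # the commanded valve did not open
            faults.append((x_side if exp == "high" else t_side, "failed to open"))
        else:
            faults.append((f"slab {slab}", f"measured {got}, expected {exp}"))
    return faults


def run_test_procedure(plant):
    """Steps 1-6 of Section 2.2.3: standby check, then each logical pair
    de-energised and re-energised in turn.  Stops at the first negative
    result so the fault can be localised before the test continues."""
    plant.enable_test()                                    # step 1: open valve T
    log = []
    try:
        steps = [frozenset()]                              # step 2: standby
        for pair in "ABC":                                 # steps 3-5
            steps += [frozenset(pair), frozenset()]
        for deenergised in steps:
            faults = diagnose(deenergised, plant.read_bands(deenergised))
            log.append((sorted(deenergised), faults))
            if faults:
                return False, log
        return True, log
    finally:
        plant.disable_test()                               # step 6: close valve T


class SimulatedManifold:
    """Constructed stand-in for the plant interface: valves follow their
    command unless listed as faulty; readings need the test set-up enabled."""
    def __init__(self, stuck_closed=(), stuck_open=()):
        self.stuck_closed, self.stuck_open = set(stuck_closed), set(stuck_open)
        self.test_enabled = False

    def enable_test(self):
        self.test_enabled = True

    def disable_test(self):
        self.test_enabled = False

    def read_bands(self, deenergised):
        if not self.test_enabled:
            raise RuntimeError("diagnostic set-up isolated: open test activation valve T first")
        commanded = {v for p in deenergised for v in PAIRS[p]}
        return bands_for_open_valves((commanded - self.stuck_closed) | self.stuck_open)


if __name__ == "__main__":
    for plant in (SimulatedManifold(), SimulatedManifold(stuck_closed={"A2"}),
                  SimulatedManifold(stuck_open={"C2"})):
        ok, log = run_test_procedure(plant)
        print("PASS" if ok else "FAIL at step %d: %s" % (len(log) + 1, log[-1][1]))
```

With a healthy manifold all seven checks pass; a valve that fails to open (A2 stuck closed) is reported at step 3 while its pair is de-energised, and a valve that is stuck open (C2) already shows up in the standby check of step 2 because its slab reads low instead of neutral. In both failure cases the sequencer returns before any further pair is de-energised, which is the behaviour the text requires to avoid a spurious trip, and the test activation valve is closed again on every exit path.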


2.2.3 Testing Procedure

With either of the two monitoring methods, the following procedure is carried out. It is identical to the one applied in standard 2oo3 systems.

1. If applicable, enable the testing set-up by opening test activation valve T.

2. Check the standby state (all channels energised), see Figure 7 on the left.

3. De-energise one single logical channel (e.g. valve pair A1/A2) and check the corresponding valve states, see Figure 7 centre and right.

4. Re-energise that channel and check the standby state again.

5. Repeat steps 3 and 4 with the other two channels.

6. If applicable, disable the test set-up by closing test activation valve T.

If at any point a check returns a negative result, the procedure is to be interrupted until the fault has been localised and removed, in order to avoid the risk of a spurious trip.

Figure 7: Expected pressure levels within valve checks. (Solenoid highlighted means energised)

2.2.4 Compatibility with Conventional Control Systems

The 2oo3plus approach differs from conventional 2oo3 systems in the number of solenoids to be controlled and in the number of feedback signals to be evaluated (6 instead of 3). Moreover, the evaluation of the six feedback signals requires some Boolean logic to extract the desired information on the functioning of valve pairs and single valves by means of truth tables. In the simplest case, the supervisory process controller can provide the additional inputs and outputs as well as a program to run the evaluation procedure. However, if these resources are not available on the master PLC side, the EHC-S 2oo3plus can be supplemented by an interface box that includes the evaluation logic and adapts inputs and outputs to match the conventional 2oo3 set-up.

As illustrated in Figure 8, the interface box is comprised of an all-electrical connection module and a non-programmable electronic diagnostics module. Due to its simplicity and robustness, the connection module does not introduce additional risks or failure rates. Similarly, the diagnostics module has been optimised for maximum reliability and contains no software or other programmable or complex elements. Furthermore, in case of an internal electronics failure, it can be exchanged without affecting system operation or the availability of the safety function.

Figure 8: The 2oo3plus Interface Box adapts the manifold to standard 2oo3 controllers. Legend: SV – solenoid valve, FB – feedback, PS – pressure switch

2.3 Partial-stroke Test

Besides the diagnostic valve test, a partial stroke test of a connected actuator can be realised by means of an additional flange-mounted module (see Chapter 3.1). This is particularly useful for actuators that permanently maintain one constant position over long periods of operation (‘dormant mode’). The integrity of the entire safety chain can thus be checked by means of a controlled partial release of oil that lets the cylinder extend over a small, limited distance. The expected piston travel is monitored through limit switches or a position transducer, delivering feedback on the proper functioning of the actuator.

3 Hardware Implementation

3.1 Modularity

Each of the three hydraulic channels is realised within a modular valve plate element. These valve plates are mounted on a base plate that contains the connections between the channels and to the port plate, see Figure 9 and Figure 10. The variable port plate in turn provides the interface to actuator, pressure supply and reservoir and can be adapted to specific installation requirements (e.g. direct flange-mounting on the actuator, piping connection). Furthermore, it can carry additional functional modules as described in Chapter 3.2.

Figure 9: Modular manifold design (simplified)


Figure 10: Samples of 2oo3plus safety manifolds in nominal sizes 6, 10, and 16 (left to right)

Apart from direct physical benefits, the modular design of the EHC-S 2oo3plus manifold allows not only for 2-out-of-3 voting, but also for the implementation of various different M-out-of-N architectures, including enhanced (‘plus’) functionalities not available in common standard approaches. Figure 11 gives an overview of all possible configurations. The ones designated MooNplus consist of an MooN structure in which each channel itself contains a 2oo2 redundancy. As an additional feature, this provides the capability of testing the channels during operation without compromising the main function and safety, while at the same time increasing availability.

Figure 11: Possible MooN voting configurations utilising the modular structure

MooN voting              Slabs x valves   Valve set-up (slab 1 / slab 2 / slab 3)   HFT (d)¹   HFT (s)¹   Valve diagnostic test   Annotations on valve diagnostic test
1oo1                     1 x 1            A1                                        0          0          no                      not available
1oo1plus (1oo1 x 2oo2)   1 x 2            A1+A2                                     0          1          yes²                    de-energising of single valves for test only
1oo2                     2 x 1            A1 / B1                                   1          0          no                      not available
1oo2plus (1oo2 x 2oo2)   2 x 2            A1+A2 / B1+B2                             1..2       1..2       yes²                    de-energising of single valves for test only
2oo2                     1 x 2            A1+B1                                     0          1          yes                     de-energising of single valves
2oo2plus (2oo2 x 2oo2)   2 x 2            A1+B2 / B1+A2                             1..2       1..2       yes                     de-energising of valve pairs
1oo3                     3 x 1            A1 / B1 / C1                              2          0          no                      not available
1oo3plus (1oo3 x 2oo2)   3 x 2            A1+A2 / B1+B2 / C1+C2                     2..4       2..4       yes²                    de-energising of single valves for test only
2oo3plus                 3 x 2            A1+C2 / B1+A2 / C1+B2                     2..4       2..4       yes                     de-energising of valve pairs

Valves joined by "+" are the two valves in series within one slab; slabs are separated by "/".
¹ Hardware Fault Tolerance of the hydraulic part towards dangerous (d) or safe (s) failures, respectively.
² If valves are operated accordingly during the test, deviating from normal operation.

3.2 Additional Functionality

Optionally, the EHC-S 2oo3plus safety manifold can be extended to provide additional features. These are added by functional modules mounted on the port plate.

3.2.1 Partial Stroke Test

The partial stroke test described in Chapter 2.3 is realised by a combination of two sandwich plates and a recirculation plate, as shown in Figure 12. Depending on the focus of the testing philosophy, activation of the cylinder extension can be controlled by one or two normally closed 2/2-way poppet-type solenoid valves in the upper sandwich plate, the valves being linked in series through the recirculation plate. Valve redundancy improves the system availability, as it prevents an unwanted transition into the safe state in case of a valve failure. The lower sandwich plate contains a variable flow restrictor used for tuning the cylinder extension speed when discharging the pressurised cylinder volume connected to port E. Port A may be used to supply oil to the cylinder in order to bring it into the standby position (spring loaded).

Figure 12: Partial stroke test module

3.2.2 Directional Control

If direct control of the actuator movement is desired, a directional valve – on/off or proportional/servo, NG06 or NG10 – may be mounted on the port plate, see Figure 13. This function cannot be combined with other functions.

Figure 13: Directional control module


3.2.3 Pressure Supply Shut-off

Figure 14: Pressure supply shut-off module

When the actuator trips, the supply port P is connected via orifice BP and the two open main valves to the reservoir. This implies a small permanent idling flow that can be undesirable in cases of limited oil supply, e.g. in accumulator-backed systems. To eliminate this effect, the shut-off module from Figure 14 is used to isolate the pressure supply port P. The valve solenoid should be powered synchronously with the main valve solenoids, so the normally closed valve performs its function automatically in case of a trip. The shut-off module can be combined with the partial stroke test module.

3.2.4 Explosion Protection

Throughout the design of the EHC-S 2oo3plus manifold, its potential suitability for applications in explosive atmospheres has been considered. Through the use of appropriate electrical components, the system can be upgraded to comply with the ATEX Directive 2014/34/EU in explosion protection class Ex II 2G IIC T4. Figure 15 shows the explosion-proof version of the safety control.

Figure 15: 2oo3plus manifold in explosion-proof configuration

4 System Performance

The performance of hydraulic safety controls mainly relates to two aspects:

1. Flow capacity is measured and described by the characteristic of pressure drop against flow rate. Small pressure drops are desirable for a variety of reasons: a large backpressure level compromises the actuator closing force by a parasitic counterforce, severely reduces the utilisable differential pressure in applications with limited supply pressure (such as safety systems supplied from lubrication oil units), and wastes energy dissipated in the flow resistance. For dimensioning purposes, only the characteristic of one single hydraulic channel is relevant, since the safety manifold is required to deliver its rated performance in case of failure of one logical channel (i.e. two hydraulic channels). Figure 16 plots the pressure drop characteristic of the current EHC-S 2oo3plus series. In comparison with conventional direct operated 2oo3 manifolds, the range of flow rates covered is notably wide, and will be extended further by the future NG20 member of the series.

Figure 16: Pressure drop characteristics of the 2oo3plus series. One hydraulic channel, HLP 46 @ 30 °C.

2. The dynamic discharge characteristic of the safety manifold has an important impact on the total closing time of the actuator. It is difficult to quantify separately from the actuator, and finally it is always the dynamic performance of the entire trip system that counts. However, in order to specify and compare safety manifold performance independently, the manifold discharge behaviour with the smallest possible hydraulic capacity gives a meaningful indication as well, as the overall closing process can never be faster than this. The discharge behaviour is governed firstly by the delay between de-energisation of the solenoids and the beginning of the pressure relief, and secondly by the discharge time measured from the beginning of relief until the mean pressure curve has decreased to 10 % above the stationary pressure level. The example diagram in Figure 17 shows the fairly fast response of the NG16 manifold.

Figure 17: Pressure discharge characteristic of NG16. One hydraulic channel, HLP 46 @ 48 °C.


5 Evaluation of Functional Safety

The EHC-S 2oo3plus safety control has been certified SIL-3 capable in compliance with IEC 61508 by TÜV Rheinland. The underlying assessment of Functional Safety includes evaluations of systematic and hardware capabilities and of quantitative key parameters. First of all, the different nature of the 2oo3plus concept needs to be recognised, as IEC 61508 does not provide standard procedures and calculations for this architecture. A tempting, but incorrect, approach would be to consider it as (2oo3 x 2oo2), i.e. 2oo3 with serial redundancy per channel. This is not appropriate, because a single valve failure does not corrupt the entire logical channel; the second valve can still fulfil its function within its own hydraulic channel. More appropriately, the 2oo3plus structure can be considered as (2oo6..4oo6), i.e. it varies depending on the position of failures within the structure. Figure 18 illustrates this relation in the style of IEC 61508 block diagrams.

Figure 18: Block diagram of 2oo3plus.

Although IEC 61508 does not give explicit guidance in this case, the probabilistic calculation methods employed can be transferred; missing data can be extrapolated or estimated conservatively. In this fashion, corresponding formulae can be obtained for the probability of failure on demand of the group of channels (PFDG) – comprised of a term PFDI related to independent failures and a term PFDCCF related to common cause failures (CCF) – and for the ratio of CCFs. To compare the probabilistic performances, a fictitious exemplary case is examined, using identical input parameters: failure rate λ = 1000 FIT, dangerous failure rate λD = 0.5 λ, proof test interval T1 = 5 a, diagnostic test interval TD = 7 d, CCF base ratio int = 0.05, mean repair time MRT = 72 h, diagnostic coverage with diagnostic test DCD = 90 %. The results are compared in Figure 19. In all cases, the contribution of CCF to the PFD is dominant, because it is fairly unlikely that two valves independently fail at the same time. At first sight, the 1oo3 structure might be expected to deliver the lowest PFDI value, which without any cyclic diagnostic testing would actually be true; however, the diagnostic test strongly favours architectures with HFT > 0. Since the 2oo3plus concept unites the advantages of diagnostic testing and increased HFT, its probabilistic safety performance exceeds both 1oo3 and 2oo3, in spite of its greater parts count. Furthermore, this consideration does not yet account for any improvements in valve reliability due to the more suitable design (cf. Chapter 2.1).

Figure 19: Comparison of PFD values for various MooN structures.

As mentioned before, the hardware fault tolerance of the 2oo3plus voting is always at least HFT = 2. However, depending on which valves actually fail, up to four failures can be tolerated without affecting the safety function. Figure 20 (left) relates this to other common voting architectures, particularly standard 2oo3. Similarly, when safe failures as a potential cause of spurious trips are considered, the HFT is in the range of 1..3 (Figure 20, right).

Figure 20: Comparison of safety and availability in terms of corresponding HFT for various MooN structures.

6 Summary and Conclusion

Thanks to its innovative system architecture and its components that are highly reliable by design, the 2oo3plus solution has a higher tolerance not only to dangerous faults but also to safe faults. The probability of failure of the safety function is reduced, and both the safety and the availability of the plant under protection are effectively enhanced. Being extremely scalable, compact, and light at the same time, the solution provides economic and reliable protection for critical applications requiring rapid discharging of pressurised volumes or spring-loaded actuators, e.g. in power plants and process technology. It is suitable and certified for use up to SIL 3. Moreover, the modular design allows not only for 2-out-of-3, but for the implementation of various different M-out-of-N voting architectures, including enhanced functionalities not available in common standard approaches.

Nomenclature

Variable   Description                                                           Unit
pM         Intermediate pressure between the two valves of a hydraulic channel   [bar]
pT         Pressure at tank port T                                               [bar]
pX         Pressure at control port X                                            [bar]
T1         Proof test interval                                                   [a]
TD         Diagnostic test interval                                              [d]
λ          Failure rate                                                          [FIT = 10^-9/h]

References

/1/ IEC 61508-1..7:2010. Functional safety of electrical/electronic/programmable electronic safety-related systems, Ed. 2.0, 2010.

/2/ Brändli, M. et al., Hydraulic release unit for a valve unit in a power machine assembly, in particular for a quick-closing valve of a turbine assembly, European Patent EP2172656B1, 2013.

/3/ Schmieding, M., Safety circuit for a fluid actuated actuator and method for using the same, European Patent EP1630425B1, 2012.

/4/ Schumacher, J., Entwicklung eines Zeitraffertests für Hydraulikventile zur Ermittlung von Zuverlässigkeitswerten. Abschlussbericht 78 Hy 66, Institut für fluidtechnische Antriebe und Steuerungen (IFAS), RWTH Aachen, 2011.

/5/ HYDAC System GmbH, Electrohydraulic safety control EHC-S 2oo3plus, Datasheet E 2.804.0/03.17, Sulzbach/Saar, 2017.
