It used to be that a pump would operate at a single speed dictated by its motor, thus fixing the pump curve. As the discharge flow decreased due to a restriction downstream, the pump outlet pressure would increase until it reached its deadhead pressure. If the downstream piping and vessels were designed to withstand this deadhead pressure, an inherently safer design would be achieved.
Today, flow is increasingly controlled via variable frequency drives (VFD). Let’s consider two cases:
• Motor matched closely to the load
• Oversized motor relative to the load
In both cases, there is the potential for the VFD controller to fail dangerously, resulting in maximum speed of the pump. In the first case, the pump curve would not yield a deadhead pressure greater than in the case where a single-speed pump design was employed. If the downstream piping and vessels were designed to withstand this deadhead pressure, an inherently safer design would still be achieved and the VFD would not be a safety instrumented system (SIS).
However, if the motor horsepower was excessive, then the potential for two different pump curves would exist.
The first would assume that the control of the speed was not compromised, and this would result in a maximum deadhead pressure the same as in the first case. Should the VFD fail dangerously, an overspeed would occur, putting much greater energy into the process and resulting in a different pump curve and a higher deadhead pressure. If that overpressure was sufficient to cause a process safety hazard, then the VFD failure would either be an initiating event for subsequent layers of protection, or it would be a SIS if no other layers of protection existed to prevent the overpressure. In this case, some VFD designs would represent a continuous demand SIS; that is, when the dangerous failure occurred, the hazard would manifest itself. Other, more robust designs include independent protective circuitry and diagnostics. The independent protection overrides the control failure and de-energizes the motor. The diagnostics allow failures to be identified and repaired.
Not all VFD applications require the VFD to be considered a SIS. Where a dangerous VFD failure can result in a hazard and there are insufficient independent layers of protection to achieve the desired risk reduction, the VFD should be considered a SIS. In those cases, the VFD should be designed, implemented, and maintained in accordance with IEC 61508 in such a way as to achieve the desired risk reduction.
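The screening logic above can be written out as a short calculation. This is an added example, not part of the original article: it assumes the pump affinity law (deadhead pressure rise scales with the square of speed) and simple LOPA-style frequency arithmetic, and every name and number in it is hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from math import prod


@dataclass
class PumpCase:
    rise_at_rated_kpa: float       # deadhead pressure rise at rated speed
    rated_rpm: float
    max_rpm_on_vfd_failure: float  # speed reached if the VFD fails to maximum output
    suction_kpa: float
    design_pressure_kpa: float     # rating of downstream piping and vessels


def deadhead_kpa(case: PumpCase, rpm: float) -> float:
    """Deadhead discharge pressure at a given speed.

    Assumption: affinity law, shutoff pressure rise scales with speed squared.
    """
    return case.suction_kpa + case.rise_at_rated_kpa * (rpm / case.rated_rpm) ** 2


def classify_vfd(case, failure_freq_per_yr, tolerable_freq_per_yr, ipl_pfds):
    """Screen a VFD into the three outcomes the article describes."""
    worst = deadhead_kpa(case, case.max_rpm_on_vfd_failure)
    if worst <= case.design_pressure_kpa:
        return "not SIS: piping withstands worst-case deadhead"
    # Assumption: each independent layer multiplies the hazard frequency
    # by its probability of failure on demand (PFD).
    mitigated = failure_freq_per_yr * prod(ipl_pfds)
    if mitigated <= tolerable_freq_per_yr:
        return "initiating event: other layers give the required risk reduction"
    return "SIS: VFD must provide the remaining risk reduction"


# Constructed sample values, not from the article.
# Motor matched to the load: a failed VFD cannot exceed rated speed.
matched = PumpCase(1000.0, 1780.0, 1780.0, 100.0, 1200.0)
# Oversized motor: a failed VFD can drive the pump to 120 % of rated speed.
oversized = PumpCase(1000.0, 1780.0, 2136.0, 100.0, 1200.0)

if __name__ == "__main__":
    print(deadhead_kpa(oversized, oversized.max_rpm_on_vfd_failure))
    print(classify_vfd(matched, 0.1, 1e-4, []))
    print(classify_vfd(oversized, 0.1, 1e-4, [0.01]))
    print(classify_vfd(oversized, 0.1, 1e-4, [0.01, 0.01]))
```

With these numbers a 20 % overspeed raises the pressure rise by 44 %, which is why the oversized-motor case exceeds a design pressure that the matched case stays under.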
Tagged as: vfd controller sis risk reduction independent layers of protection IEC 61508 hal thomas