There are several overspeed detection systems (ODS) on the market that are equipped with an on-board function generator for online test purposes, and this feature is frequently found in ODS requirement specifications. Where does this feature originate from, and is it still required?
Test and retest
Every hardware has a certain reliability value, which degrades over time. To validate the reliability of a safety system, initial commissioning tests and periodic proof tests are common practice in the industry. To follow the increasing demands for verifiable safety, more reliable hardware or more frequent testing was required. But building more reliable hardware is not always achievable, and more frequent testing disrupts the process. A method for online testing with built-in the test equipment and test procedures offered a way out.
The requirement for an on-board function generator has made its way to the API 670. The first requirement in the API 670 originates from 2001, when the ODS was introduced in the 4th edition of this standard. Although the first edition of the IEC 61508 functional safety guideline was already released, the specification, design and internal monitoring of an ODS was left to the system manufacturer. It made a lot of sense for the API to specify a test procedure for end-users; it allowed for a high test coverage of the ODS including the logic solver and final element.
Today the 5th edition of the API standard still contains wording about on-board function generating, but it is also referring to the IEC 61508 as a method to design functional safety systems. However, the IEC 61508 does not identify specific functions or methods for safety systems – the requirement in the IEC 61508 is limited to designing and building an inherent safe system, suited for the application.
In new ODS hardware generations, verifiable safety can be achieved in different ways. Think of parallel function monitoring circuits, internal redundancies and fail-safe hardware designs which enable the creation of certified functional safety systems with long proof test intervals. Further improvement can be achieved by designing hardware specifically for functional safety and keeping the product small and focussed to its core: safety. Because the less features and elements you have in your safety chain, the less you have to test. This also applies to the on-board function generator.
The end of online proof testing
This does not mean that online diagnostic proof tests are no longer required. The main requirement for a shorter proof test interval is often in the tailing equipment, such as the control system, emergency shutdown system (ESD) or the final element (FE). It just means that if the ODS is safe by design, the system is suitable for long proof test intervals, and does not have to be included the online diagnostic tests. Just like the sensors are not included in those tests. It negates the need for an on-board function generator and the procedures that come with it.
The SpeedSys 300 overspeed detection system has a typical proof test interval of >10 years, certified according to IEC 61508. Therefore, a SpeedSys 300 generally does not require any online testing during that period. To allow for shorter proof test intervals for tailing equipment, the SpeedSys 300 features an automated proof test function, controlled through the digital in- and output. This test switches the output relays of the SpeedSys 300, but does not include a function generator or any temporary overrides of the system logics.
The main advantage of this proof test approach is that it is controlled by an external control system, like DCS or PLC. It allows for external monitoring and registration of the proof test and supports smarter proof test planning to suit specific process conditions. Moreover, testing during process conditions during which the availability of the machinery is critical can be avoided.
About the standards
Both the API 670 and the IEC 61508 are considered guidelines and do not impose direct legal obligations. They provide a structure for machine safety and good practices. The IEC 61508 is focussed on functional safety and consisting of methods on how to apply, design, deploy and maintain automatic protection systems. The API 670 is a leading standard for machine protection systems on rotating equipment by the American Petroleum Institute.