Proceedings of

2000 International Joint Power Generation Conference

Miami Beach, Florida, July 23-26, 2000

IJPGC2000-15006

Put Paper Number Here

ELECTRONIC OVERSPEED TURBINE PROTECTION WITHOUT REAL
OVERSPEED TEST VALVE TEST WITH SINGLE VALVE ARRANGEMENT
Gerhard J. Weiss, ABB Alstom Power Generation Ltd, Baden Switzerland

TURBINE SAFETY PHILOSOPHY

Design of the Turbine Control System
The steam turbine has to be protected against inadmissible
conditions (too high speed, pressures, temperatures, etc). This is
realized with the turbine control system. The design of this
system is according to the one failure criteria. This means, if
one failure occurs, the steam turbine has still to be protected
and it must be possible to safely shut down the turbine.
Therefore the steam turbine must be equipped with two
independent systems, the control and the safety system.
The tasks of the control system are:
o Closed loop control for speed, load, etc.
o First line of defense against inadmissible conditions
o Operation of the control valves
The tasks of the safety system are:
o Second line of defense against inadmissible conditions
o Operation of the stop and control valves
All steam turbine admissions, capable of admitting such a
high amount of steam to the turbine that a danger according to
failure category 1 could exist, must be equipped with two
independent, quick-closing valves, connected in series. In
accordance with this definition the control valve is regarded as
a first shutoff element, while the stop valve is a second element.
The design of the control system is based of the availability
criteria and the fail safe rules. The design of the safety system is
based on the fault categories and the fail safe rules.
All safety related components and systems must allow online testing for detecting of imminent faults. Thus, avoiding
inability to interrupt steam supply in dangerous conditions.

ABSTRACT
The control and safety systems control and protect the
steam turbine. In the past these systems were from the
mechanical type. In course of time there was a change to
hydraulic systems and today we have pure electro-hydraulic
systems with microprocessor based closed loop and protection
circuits. No additional mechanical back up devices are installed.
The overspeed protection is the most important concern on
a steam turbine which drives an generator. If this protection
fails, human lives are endangered and very large damages with
following long-term outages can occur.
The safety system is of the binary type: The associated
valves and components stay open during normal operation and
will be closed by springs when the turbine is tripped. Therefore
the whole safety system - including the valves - have to be
tested periodically.
Trip devices and valves should be tested every 2 to 4
weeks, but the mechanical overspeed protection must be tested
at least once per year by increasing the turbine rotor to 112% of
the nominal speed. This real overspeed test increases centrifugal
forces to the rotors and bladings and therefore it causes an
additional life time consumption.
With the microprocessor based overspeed protection which fulfils international safety specifications - no real
overspeed tests are necessary. This results in no additional life
time consumption, especially on the older turbines.
The control and stop valves have also to be tested. Usually
a full stroke test is performed. For a steam turbine with one stop
and one control valve, a combination of partial stroke and full
stroke testing is allowed, if the design of these valves and
actuators fulfil minimum requirements.

Fault Categories
Faults, which might occur in the steam turbine operation, are
divided into fault categories. In an optimally designed plant
several parameters are considered in the evaluation of the fault
categories:
o Hazard to human life
o Release of energy when the incident occurs
o Direct annual costs of the system
o Annual costs due to the incident under consideration

Copyright 2000 by ASME

Based on the turbine safety philosophy, the following

principles are used for the todays installed modern electronic
control and safety systems (see Fig.2):
Control system:
o 1 out of 2 electronic control system
o 1 electro-hydraulic converter per valve or valve group
o Control valve actuators with hydraulic force to open - spring
force to close

o Annual costs due to false trips in the system under consideration

o Evaluated change in efficiency
o Chronological sequence of the incident
o Probability of occurrence of the incident causing the failure
Based on the evaluation of the above mentioned parameters
and the international standards, the ABB Alstom Power fault
categories are defined as follows:
Cat Dangers
Outage Execution
Examples
1
Loss of life Years
3-channel,
Speed
Enormous
normally
Condenser
damage
energized
pressure
Reverse
2
Serious
Months 2-channel,
power
damage
normally
de-energized protection
Bearing
3
Damage
Weeks
1-channel,
metal
normally
de-energized temperature
4
Minor
Days
1-channel,
Differential
damage
only alarm
expansions

Safety system:
o 2 out of 3 electronic protection system with fault tolerant
protection circuits; i.e. single component failure will not
cause a turbine trip
o 1 common electro-hydraulic trip block in 2 out of 3,
normally energized
o Acquisition and processing of the operating values according
to the fault categories
o Stop valve actuators with hydraulic force to open - spring
force to close

Given by this definition it is necessary to install three

process sensors for the fault category 1. For the categories 2, 3
and 4, respectively two or one field sensors are used. This is
within the allowance of the safety requirements. A failure of one
of the sensors in fault categories 2,3 and 4 would only result in
an alarm.

E
H

2 out of 3
Trip Block

TURBINE CONTROL AND SAFETY SYSTEM

These systems were in the past from the mechanical type
(see Fig.1). In the course of time there was a change to
hydraulic systems and today we have pure electro-hydraulic
systems with microprocessor based closed loop and protection
circuits. No additional mechanical back up devices are installed.

Speed
controller

Electronic
control
system

Electronic
protection
system

Control valve

Stop
valve

Speed
probes

Control fluid supply

Figure 2 Electro-hydraulic control and safety system

OVERSPEED PROTECTION
The overspeed protection is the most important concern on
the steam turbine which drives a generator and it is related to
fault category 1. If this protection fails , human lives are
endangered and very large damages with following long-term
outages can occur.
Therefore a very high attention has to be given for the
design of this protection.

Turbine

Actuator
Condenser

MECHANICAL OVERSPEED TRIPS

In the past there were 2 mechanical overspeed trips which
were connected with 1 out of 2 hydraulic safety system, normally pressurized (see Fig.3). These trips have to be tested
regularly.

Steam
Valve

Figure 1 Mechanical control system

2

Copyright 2000 by ASME

High speed bus connections for signal transfer between the

protection channels are sufficient. A redundant power supply for
the protection channels is necessary.
The faultless of the protected software has to be verified by
a factory acceptance test, which is based on a comprehensive
checklist. Handling failures have to be limited by a reduced
authorization of access. Changes of the configuration have to be
carried out only by the turbine supplier. To prevent failures due
to operating and environment influences, the possible
conditions of disturbances at the plant side have to be
considered.

Reset Device
Mechanical Bolt

Tripping Device

TESTING OF THE SAFETY SYSTEM

It must be possible to test the functional readiness of the
safety system (including the valves, actuators and relays) which
is on standby during normal operation:
The associated components stay in the open position during
normal operation and they will be closed when the turbine is
tripped. Therefore the whole safety system including the
components have to be tested periodically. This test procedure
is also valid for the control system with the corresponding
valves.
A blocking failure of the steam carrying parts happens
more frequently than a failure of the electro-hydraulic control
and safety systems, because the first mentioned parts are
exposed to more severe operating conditions. The control
valves, for example, are often used for throttling over an
extended period of time. In this situation they may be subject to
strong vibrational excitations.
For this reason more frequent tests of the steam parts may
be necessary compared to control systems in order to attain an
adequately low failure probability.
The above mentioned facts are also confirmed by a failure
statistic in Europe which shows 24 damages between 1952 and
1993 in context with too high overspeed. The reasons are as
follows:
o 14 stop valve stems
o 6 slide valves
o 2 overspeed bolts
o 2 others
This confirms that at least the same attention has to be
given to the steam parts as on the components of the control and
safety system.
Not tested safety systems are NO safety systems.

Figure 3 Mechanical overspeed trips

ELECTRONIC OVERSPEED TRIPS
This is a pure microprocessor based electronic device,
which is built in 2 out of 3, normally energized principle (see
Fig.4). This is a fault tolerant protection system. The used
electronic hardware has to fulfil the standards DIN V VDE
0801/DIN 19250 which are recognized and accepted in Europe
and United States as well as in all other Countries.
&

Channel 1
&

Channel 2
&

Channel 3

>1
>1
>1

2o3
Tripping
Unit

Figure 4 Electronic overspeed protection

The protection functions are programmed in protected
software in the microprocessor based controllers. The DIN V
VDE 0801 covers measures of prevention and domination of
failures:
o Coincidence failure of the hardware
o Systematic failure of soft- and hardware
o Handling failure
o Failure due to operating and environment influences
The channels are self-monitored by comparing of the three
analog signals.
In the case of using the microprocessor also for non safety
related functions, it has to be strongly observed that the safety
related functions are not affected by the non safety related ones.
Only qualified systems can be used which are proof against
failures of hardware, frameware and software.

Testing of the Safety Devices

The test frequency is according to the fault categories for
ex-ABB turbines:
o Category 1
: 4 weeks
o Category 2 - 4 : 1 year
The tests in category 1 includes the testing of the trip
solenoid valves and the corresponding electrical relays.

Copyright 2000 by ASME

SINGLE VALVE ARRANGEMENT

Due to minimizing of the connections with the steam piping
system and a reduction in overhaul time as well as valve spare
parts a single valve arrangement on the steam turbine one stop
and one control valve in series was developed (see Fig.6). In
this case a full stroke test would result in a shutdown of the
turbine. Such a test procedure would reduce the availability of a
steam turbine and is not acceptable.
Therefore a combination of partial stroke and full stroke
test procedure was introduced.

TESTING OF THE OVERSPEED PROTECTION

Mechanical Overspeed Trips:
The test of the mechanical overspeed trips are made by:
o Simulation of overspeed during normal operation
o Test with real overspeed at least once per year or after an
overhaul
This last test gives an increase of centrifugal forces to the
rotors and bladings and therefore additional lifetime
consumption. Also shaft vibrations may rapidly increase during
this test. There are documented incidents of blade failures of
aging turbines.
Electronic Overspeed Trips:
With the microprocessor based overspeed protection which fulfils international safety standards - no further tests
with real overspeed are necessary. This results in no additional
life time consumption, especially on older turbines.
The test is made by simulation of an overspeed which
results in a deenergizing of the corresponding turbine trip
solenoid valve via the trip channel and the electrical relays.

Stop Valve
Control Valve

TESTING OF THE CONTROL AND STOP VALVES

As already mentioned, the control and stop valves have
also to be tested. Normally a full stroke test will be made if
there are at least 2 valve combinations (one stop and one
control valve) in parallel (see Fig.5). Depending on the
arrangement of the steam paths into the turbine and the type of
turbine (HP or IP turbine) a load reduction during the valve test
can occur. Therefore - when the turbine is on full load the
turbine load has to be reduced to a certain level to prevent a
further load reduction during testing.

Figure 6 Single valve arrangement

Valve Test Procedure
Partial Stroke Testing:
There is an automatic test procedure via a logic with the
following test frequency:
o Stop valves
: 2 weeks
o Control valves : 4 weeks
Full Stroke Testing:
There is an automatic test procedure for the stop and
control valves via a logic with the following test frequency:
o After an overhaul
o Before startup with a standstill of more than 2 weeks
o After one year of continuos operation
Arguments for this Procedure
Design of the Valves:
Based on long-term experiences, the design of the steam
flow path within the valve was improved in such a way that
there are no possibilities of deposits for chemical or solid
particles between stem and bushings.
Operating Experiences on ex-ABB Turbines:
We get the following feedback from 1000 steam turbines
with an average of 50 000 operating hours each:
o Operating experiences of the valves:
Average: 8 x 1 000 x 50 000 = 400 000 000 hours
o Operating hours per year: 7 000 hours
o Incidents, which were found during a full stroke test and could
cause a damage: 49;
13 of these incidents couldnt be found with a partial stroke
test only

Control Valve

Stop Valve

Figure 5 Multiple valve arrangement

The test frequency is depending on the valve design. On
ex-ABB turbines this frequency is between 2 and 4 weeks.

Copyright 2000 by ASME

A special attention has to be given on the electronic

protection circuits design. The overspeed protection is the most
important concern on a steam turbine which drives an generator.
With the microprocessor based overspeed protection - which
fulfils international safety specifications - no further tests with
real overspeed test are necessary. This results in no additional
life time consumption, especially on older turbines.
The safety system is of the binary type: The associated
valves and components stay open during normal operation and
will be closed by springs when the turbine is tripped. Therefore
the whole safety system - including the valves - have to be
tested periodically.
Usually a full stroke test of the control and stop valves is
performed. In a case of having only one stop and one control
valve on a steam turbine, a combination of a partial stroke and a
full stroke testing is allowed, if the design of these valves and
actuators fulfil minimum requirements.
This paper shows that a special concern has to be given to
the reliability, availability and safety of the steam turbine by the
improvements of the safety system: No mechanical backup, no
real overspeed test and by the reduction of the number of steam
valves. It is also an optimum between performance and costs.

Based on these inputs, the following probability and MTBF

(Mean Time Between Failure) figures are given:
Event probability of failures on both valves (control and stop
valve), which are not detected with a partial stroke test within
one operating year (no closing of the valves would be possible
in case of a turbine trip or a load rejection): 7.56 x 10-8
--> Reliability of the test procedure for two valves = 99.9999%;
MTBF: 13 000 000 years
The mean non-availability of the protection function due to
failures on both valves within one year is 2.57x10-8. This value
has to be multiplied with the probability of a load rejection
which is normally less than 1 per year. There will be only a
damage of the turbine in case of a load rejection (opening of the
generator breaker) if both valves will not close. So it will
happen less than 1 time in 39 000 000 years on the average.
Systematic failures (e.g. blocking due to chemical or solid
particles) will be found during partial stroke testing. The largest
amount of the valves in the above mentioned statistic are of the
older design regarding flow path. The new design will shown
better results.
Conclusion:
The combination of a partial stroke and a full stroke testing
for a single valve arrangement is allowed.
The cycle of probability consideration starts after a full
stroke test procedure, which will be made at least once per year.

ACKNOWLEDGMENT
This article is based on the technical papers written by
Jerry Kopczynski of ABB Alstom Power Inc., Midlothian,
Heinz Frey, Franz Suter and Gerhard Weiss of ABB Alstom
Power Ltd Baden, Switzerland.
Special thanks to Jerry Kopczynski, Product Line Manager
of Control Systems, for his comments to this paper.

SUMMARY
The control and safety systems control and protect the
steam turbine. These systems are now pure electro-hydraulic
systems with microprocessor based closed loop and protection
circuits. No additional mechanical back up devices are required.

Copyright 2000 by ASME