Chapter 16

Hydroelectric Dam and Tidal Gates

Abstract

This example provides a Safety Integrity Level (SIL) assessment of the proposed flood gate control system (FGCS) at a hydro-electric dam, demonstrating that it meets the identified hardware reliability and minimum configuration requirements in accordance with IEC 61508. In order to identify the SIL requirements, a Layer of Protection Analysis (LOPA) was conducted at a meeting of interested parties. The study considered the hydro-electric plant to determine potential risks associated with the specified hazards.

Keywords

Dam overtopping; Flood gate control system; Hydroelectric project; Locks; LOPA; SIL; Water surge

16.1. Flood Gate Control System

16.1.1. Targets

This example provides a Safety Integrity Level (SIL) assessment of the proposed flood gate control system (FGCS) at a hydro-electric dam, demonstrating that it meets the identified hardware reliability and minimum configuration requirements in accordance with IEC 61508.
In order to identify the SIL requirements, a Layer of Protection Analysis (LOPA) was conducted at a meeting of interested parties. The study considered the hydro-electric plant to determine potential risks associated with the specified hazards. See example in Section 13.6.
Table 16.1 summarizes the LOPA and the required Probability of Failure on Demand (PFD) values and corresponding SILs for each of the two hazards.
The FGCS was then analyzed to identify the Safety Instrumented Functions (SIFs) used to mitigate the specified hazards, as presented in Table 16.2.

16.1.2. Assessment

(a). Common cause failures (CCFs)

The β values used in the analysis were based on engineering judgment and are presented in Table 16.3.

Table 16.1

Summary of the LOPA.

| Event (hazard) description | Consequence | Safety instrumented function (SIF) requirement (PFD) | SIF requirement (SIL) |
|---|---|---|---|
| Dam overtopping due to gates failing to open on demand during a major storm (requiring the use of one gate), which spillways are unable to mitigate | Death of more than one person | 5.0 × 10⁻³ | SIL 2 |
| Water surge: gates open spuriously at full speed, causing a surge of water which could drown multiple fishermen | Death of more than one person | 2.3 × 10⁻³ | SIL 2 |


Table 16.2

Summary of safety functions.

| Loop ref. | Input device | Input configuration | Logic device | Logic configuration | Output device | Output configuration | Safety function |
|---|---|---|---|---|---|---|---|
| A | Level transmitters, microwave (2 off)/radar | 2oo3 | Safety PLC | 1oo1 | Two flood gate drives | 1oo2 | Detection of high loch level opens 1 out of 2 (1oo2) flood gates |
| B | Safety timer relay | 1oo1 | N/A | N/A | Line contactor | 1oo1 | If the open contactor is closed for more than 50 s (i.e., the gate is opening too quickly), power is isolated from the motor by opening the line contactor |


Table 16.3

CCF contributions.

| Redundant configuration | CCF β-factor | Justification |
|---|---|---|
| Microwave/radar level transmitters | 5% | Three devices are mounted with separation and utilize two dissimilar technologies |
| Flood gate operation mechanism | 2% | The flood gates (and the associated lifting gear) are physically separated from one another |
| Power supplies | 10% | The two supplies are of similar technology |

(b). Assumptions

The following summarizes the general assumptions used in the assessment:
• the FGCS is assumed to be a low-demand system and therefore the LOW-DEMAND PFD targets apply;
• the analysis assumes that all failure modes that are not revealed by self test will be identified by the proof test, i.e., the proof test is 100% effective;
• the calculation of PFD is based upon an assumed MTTR of 24 hrs;
• if a failure occurs, it is assumed that on average it will occur at the midpoint of the test interval; in other words, the fault will remain undetected for 50% of the test period;
• the analysis assumes constant failure rates and therefore the effects of early failures are expected to be removed by appropriate processes; it is also assumed that items are not operated beyond their useful life, thus ensuring that failures due to wearout mechanisms do not occur.

(c). Failure rates of component parts

Table 16.4 summarizes the data sources.

(d). Results and conclusions

The results of the assessment (Table 16.5) demonstrate that, based on the assumptions, the specified SIFs meet the hardware reliability and architectural requirements of the targets identified by the LOPA.

Table 16.4

Failure rates and the calculation of SFF.

| Item/function | Dangerous failure mode | λdd | λdu | λs | SFF | Source |
|---|---|---|---|---|---|---|
| DC motor | Fails to start on demand | 0.0E+00 | 1.8E-06 | 3.3E-06 | 65% | Faradip v.6.1 |
| Motor brake | Fails on | 0.0E+00 | 8.4E-08 | 3.6E-08 | 30% | NRPD-85 |
| Chain drive | Breaks | 0.0E+00 | 2.7E-06 | 3.0E-07 | 10% | Faradip v.6.1 |
| Redundant power supply | Loss of power | 5.5E-05 | 0.0E+00 | 0.0E+00 | 100% | Faradip v.6.1 |
| Microwave level transmitter | Fails to detect high loch level | 9.9E-07 | 2.0E-07 | 3.4E-07 | 87% | Manufacturer's data adjusted |
| FG PLC AI module | Fails to interpret high loch level | 5.6E-07 | 2.1E-07 | 4.2E-07 | 82% | ESC Failure Rate Database |
| Radar level transmitter | Fails to detect high loch level | 1.1E-06 | 3.6E-07 | 4.7E-07 | 82% | Manufacturer's data adjusted |
| Resolver | Erroneously detects gate in open position | 1.4E-06 | 1.5E-07 | 1.5E-06 | 95% | Faradip v.6.1 |
| FG PLC AI module | Erroneously detects gate in open position | 5.6E-07 | 2.1E-07 | 4.2E-07 | 82% | ESC Failure Rate Database |
| FG PLC CPU | Fails to interpret high level or gate closed on demand | 2.7E-07 | 3.0E-08 | 2.6E-06 | 99% | ESC Failure Rate Database |
| FG PLC DO (NDE) module | Fails to energize on demand | 1.2E-07 | 7.4E-07 | 3.5E-07 | 39% | ESC Failure Rate Database |
| Line contactor (NDE) | Fails to close contacts on demand | 0.0E+00 | 2.1E-07 | 9.0E-08 | 30% | Technis report T219 |
| Safety timer relay | Contacts fail to open on demand | 0.0E+00 | 1.5E-08 | 1.5E-06 | 99% | Technis report T219 |
| Line contactor (NE) | Contacts fail to open on demand | 0.0E+00 | 9.0E-08 | 2.1E-07 | 70% | Technis report T219 |


Table 16.5

Results.

| Hazard | Target PFD | SIL | PTI hrs | PFD assessed | SIL from SFF | Overall SIL |
|---|---|---|---|---|---|---|
| Dam overtopping | 5 × 10⁻³ | 2 | 8760 | 4 × 10⁻³ | 2 | 2 |
| Water surge | 2.3 × 10⁻³ | 2 | 8760 | 4.6 × 10⁻⁴ | 2 | 2 |
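The Python below is an added worked example, not the chapter's own calculation: it shows how the assumptions of (b) (one-year proof test interval, 24 h MTTR, faults arising on average at mid-interval), the β-factors of Table 16.3 and the failure rates of Table 16.4 combine into a PFD and a low-demand SIL band. It assumes a simplified IEC 61508-6 style channel model with binomial voting, covers only three series elements of loop A (2oo3 transmitters, PLC CPU, 1oo2 gate drives) and approximates the radar unit with the microwave data, so its sum is a partial figure rather than the 4 × 10⁻³ of Table 16.5.

```python
from math import comb

# Assessment assumptions taken from the chapter: 1-year proof test interval, 24 h MTTR,
# dangerous undetected faults assumed to arise at the midpoint of the interval.
PTI_HRS = 8760.0
MTTR_HRS = 24.0

def channel_pfd(lam_du, lam_dd, pti=PTI_HRS, mttr=MTTR_HRS):
    """Mean unavailability of one channel (simplified IEC 61508-6 form, an assumption
    of this example): DU faults persist for half the proof-test interval plus the
    repair time, DD faults (revealed by self test) for the repair time only."""
    return lam_du * (pti / 2 + mttr) + lam_dd * mttr

def voted_group_pfd(lam_du, lam_dd, m, n, beta, pti=PTI_HRS, mttr=MTTR_HRS):
    """PFD of an MooN group of identical channels with a beta-factor CCF split.
    Independent part: binomial on the mean channel unavailability, the group being
    down once more than n-m channels have failed. CCF part: beta of the rate is
    treated as one extra 'channel' whose failure defeats the voting outright."""
    p = channel_pfd((1 - beta) * lam_du, (1 - beta) * lam_dd, pti, mttr)
    failures_to_defeat = n - m + 1
    independent = sum(comb(n, k) * p ** k * (1 - p) ** (n - k)
                      for k in range(failures_to_defeat, n + 1))
    common_cause = channel_pfd(beta * lam_du, beta * lam_dd, pti, mttr)
    return independent + common_cause

def sil_from_pfd(pfd):
    """IEC 61508 low-demand bands: SIL 1 is 1e-2..1e-1, SIL 2 is 1e-3..1e-2, and so on.
    Returns 0 when the PFD is worse than SIL 1."""
    sil = 0
    for upper_bound, band in ((1e-1, 1), (1e-2, 2), (1e-3, 3), (1e-4, 4)):
        if pfd < upper_bound:
            sil = band
    return sil

def loop_a_subset_pfd():
    """Three series elements of loop A (Table 16.2) using Table 16.3/16.4 figures.
    Assumption: the radar transmitter is approximated by the microwave data; the
    power supplies, line contactor and DO module of the loop are left out."""
    transmitters = voted_group_pfd(2.0e-7, 9.9e-7, m=2, n=3, beta=0.05)
    plc_cpu = channel_pfd(3.0e-8, 2.7e-7)              # 1oo1, no redundancy
    drive_du = 1.8e-6 + 8.4e-8 + 2.7e-6                # motor + brake + chain drive
    gate_drives = voted_group_pfd(drive_du, 0.0, m=1, n=2, beta=0.02)
    total = transmitters + plc_cpu + gate_drives
    return transmitters, plc_cpu, gate_drives, total

if __name__ == "__main__":
    t, c, g, total = loop_a_subset_pfd()
    print(f"2oo3 transmitters {t:.2e}  PLC CPU {c:.2e}  1oo2 drives {g:.2e}")
    print(f"partial loop A PFD {total:.2e} -> SIL {sil_from_pfd(total)} band")
```

The CCF term dominates the 2oo3 group (about 4.5 × 10⁻⁵ of its 4.7 × 10⁻⁵), which is why Table 16.3's β choices matter more to the result than the voting arithmetic.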

Reliability block diagram, dam overtopping (figure not reproduced).
Reliability block diagram, water surge (figure not reproduced).

16.2. Spurious Opening of Either of Two Tidal Lock Gates Involving a Trapped Vessel

The scenario involves either of a pair of lock gates moving despite no scheduled opening. This leads to a vessel becoming trapped and either sinking or causing harm to a person on board. A two-fatality scenario is perceived.
The following estimates of frequencies and propagations are credible:
| Factor | Estimate | Basis |
|---|---|---|
| Boat movements through the lock | 12/day | Assume a half minute per passage |
| Boat situated such as to be trapped | 17% | Based on an assumed 10 ft vessel in a 60 ft lock |
| Skipper fails to take avoiding action | 10% | Judgment (noting 2 min closure time) |
| Entrapment causes damage to vessel | 90% | Judged likely |
| Fatality ensues | 50% | Judgment |
The combination of the above factors, together with failures and incidents, is shown in Figure 16.1. The fault tree logic was analyzed using the TECHNIS fault tree package TTREE, which is reproduced at the end of this chapter. The probability of the top event is 3.1 × 10⁻⁵.
Figure 16.1 Fault tree (entrapment) (figure not reproduced).
Assuming a maximum tolerable risk of 10⁻⁵ pa for this involuntary public risk, the maximum tolerable failure rate for the mitigating effect of the Junction Gates is:

10⁻⁵ pa / 3.1 × 10⁻⁵ = 3.2 × 10⁻¹ pa.


The fault tree logic (Figure 16.2) was constructed as a result of studying the scenario. The frequency of the top event is 3.1 × 10⁻¹ pa per gate, which meets the requirement.
Figure 16.2 Fault tree (spurious gate movement) (figure not reproduced).
The target (being greater than 10⁻¹ pa) implies a target below SIL 1.
As can be seen from the fault tree output data shown at the end of this section, human error dominates the contributions to the top event (>95%).

We shall now address ALARP.

A failure rate of 3.1 × 10⁻¹ pa maps to a fatality risk of 10⁻⁵ pa × 3.1 × 10⁻¹ / 3.2 × 10⁻¹ = 9.7 × 10⁻⁶ pa.
Thus, assuming a "cost per life saved" criterion of £4,000,000, any proposal which might reduce the risk to the Broadly Acceptable limit of 10⁻⁶ pa might be tested as follows.

£4,000,000 = £proposal / [(9.7 × 10⁻⁶ − 10⁻⁶) × 30 yrs × 2 fatalities]


Thus any proposal costing less than £2300 should be considered. It is unlikely that any further risk reduction can be implemented within this sum; thus it might be argued that ALARP is satisfied.
However, it should be noted that:
• the predicted frequency is close to the target and reliability prediction is not a precise statistic;
• the domination of human error suggests further investigation.
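As an added example (not the chapter's TTREE run or its own arithmetic), the Python below carries the entrapment estimates through the AND chain of Figure 16.1 to the top-event probability, derives the maximum tolerable gate failure rate from the 10⁻⁵ pa risk target, and applies the cost-per-life-saved test above. The dictionary of estimates is constructed from the table in Section 16.2; the ALARP step uses the chapter's rounded figures (3.1 × 10⁻⁵, 3.2 × 10⁻¹ pa, 3.1 × 10⁻¹ pa) as inputs.

```python
# Estimates from the entrapment table of Section 16.2 (constructed here as a dict).
ENTRAPMENT = {
    "boat_movements_per_day": 12,
    "minutes_per_passage": 0.5,
    "trapped_given_present": 0.17,   # 10 ft vessel in a 60 ft lock
    "no_avoiding_action": 0.10,      # skipper fails to react within the 2 min closure
    "damage_given_trapped": 0.90,
    "fatality_given_damage": 0.50,
}

def entrapment_top_event_probability(e=ENTRAPMENT):
    """Probability that one spurious gate movement ends in a fatality: the fraction of
    time a boat is in the lock multiplied down the chain of conditional propagations
    (the AND logic of Figure 16.1, reproduced as arithmetic rather than with TTREE)."""
    boat_present = e["boat_movements_per_day"] * e["minutes_per_passage"] / (24 * 60)
    return (boat_present * e["trapped_given_present"] * e["no_avoiding_action"]
            * e["damage_given_trapped"] * e["fatality_given_damage"])

def max_tolerable_failure_rate(max_tolerable_risk_pa, top_event_probability):
    """Spurious-movement rate per gate (pa) that just meets the risk target."""
    return max_tolerable_risk_pa / top_event_probability

def fatality_risk_pa(predicted_rate_pa, max_tolerable_risk_pa, max_tolerable_rate_pa):
    """Risk actually carried: the target scaled by predicted/maximum-tolerable rate."""
    return max_tolerable_risk_pa * predicted_rate_pa / max_tolerable_rate_pa

def max_justifiable_spend(cost_per_life, risk_pa, broadly_acceptable_pa, years, fatalities):
    """ALARP test: the spend that buys the reduction from the current risk down to the
    Broadly Acceptable level at the stated cost-per-life-saved criterion."""
    return cost_per_life * (risk_pa - broadly_acceptable_pa) * years * fatalities

if __name__ == "__main__":
    p_top = entrapment_top_event_probability()
    rate_target = max_tolerable_failure_rate(1e-5, p_top)
    # Chapter's rounded values from here on: predicted 3.1e-1 pa against a 3.2e-1 pa target.
    risk = fatality_risk_pa(3.1e-1, 1e-5, 3.2e-1)
    spend = max_justifiable_spend(4_000_000, risk, 1e-6, 30, 2)
    print(f"P(top event) = {p_top:.2e}, max tolerable rate = {rate_target:.2f} pa")
    print(f"fatality risk = {risk:.2e} pa, spend worth considering = £{spend:,.0f}")
```

With the subtraction of the 10⁻⁶ pa Broadly Acceptable level, as the formula above is written, the spend comes to roughly £2090; the £2300 quoted in the text corresponds to the same product without that subtraction (4,000,000 × 9.7 × 10⁻⁶ × 30 × 2 ≈ £2330).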