The operation of gas turbine plants is subject to stringent safety requirements, which are specified in international standards such as the IEC 61508 series. IEC 61508 specifies the functional safety of safety-related electrical, electronic and programmable electronic systems and describes in detail the application of functional safety methods for preventing systematic faults and for safely controlling system failures and faults. IEC 61511, which builds on IEC 61508, is concerned with the functional safety of safety instrumented systems for the process industry, which also includes the operation of gas turbine plants.
A significant aspect of functional safety in the operation of safety-relevant process plants, discussed below primarily with reference to gas turbine plants, is the strict separation between process control tasks, which concern the smooth operation of all components of the gas turbine plant, and safety monitoring tasks, which ensure that the gas turbine plant is subjected to an emergency shutdown when a technical fault within the plant exceeds a significant hazard potential for the plant and, above all, for its surroundings. The relevant standards for the safe operation of process plants require complete functional independence between the protection unit that carries out the protective function and the process controller that carries out the process control tasks of a gas turbine plant. The process controller of a gas turbine plant must therefore never be able to prevent the protection unit from fulfilling its protective function. This applies in particular to human interventions in process control, which must have no influence on the functionality of the protection unit during commercial operation of a gas turbine.
Where, for example, the gas turbine plant is to be protected against excessive shaft rotation speed, this requires only the monitoring of the shaft rotation speed and a specified maximum permissible limit value which, when exceeded, represents a potential hazard for the surroundings of the gas turbine plant. In such a case the protection unit triggers an emergency shutdown of the gas turbine plant without interposing or interrogating other system components, in order to protect the plant and its surroundings against damage.
However, these normative independence requirements for the operation of gas turbine plants conflict with typical conditions of gas turbine plant construction. On the one hand, the safety criteria that can be preset in the protection unit are not generally the same for every protective function but can depend on the individual gas turbine plant. This means that access to the computer-based protection unit must be provided at least during commissioning of the gas turbine plant, so that the functionality of the protection unit can be set up and adjusted individually for that plant, e.g. by suitably qualified personnel.
Moreover, during the operation of gas turbine plants, particular operating states occur in which, for example, a control valve position must be assessed as entirely correct, whereas the same position would immediately represent an increased hazard potential in a different operating situation. Such operating states primarily concern so-called transient operating states, in which the gas turbine plant is changed from a first operating state into a second operating state. Transient operating states occur, for example, when starting the gas turbine plant or changing its load, during which changes in the fuel supply are made. In order to represent such operating states and state changes correctly and to reliably detect a potential hazard with the protection unit, a number of items of status information are required that can be captured by sensors from the gas turbine plant, and evaluating them can also require complex evaluation logic. Such an approach, however, conflicts with the desire for very simple evaluation logic and easy verifiability of the protection unit. Moreover, for competitive reasons, the cost of implementing the protective function should also be kept very low.
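The independence requirement, the commissioning-time configuration and the state-dependent evaluation described above, as an added example that is not part of the original page and is not taken from any standard or real plant: a minimal protection unit whose trip decision depends only on sensed values and on limit values fixed before it is locked, so that neither the process controller nor an operator can relax it during operation. The class names, the limit values and the rule for deriving the operating state from the sensed shaft speed are assumptions for illustration only.

```python
"""Added illustrative example (not from the original page, any standard or a
real plant). Limit values, state names and thresholds are assumed."""
from dataclasses import dataclass
from enum import Enum


class OpState(Enum):
    STANDSTILL = "standstill"
    STARTUP = "startup"          # transient state
    LOAD_CHANGE = "load_change"  # transient state
    STEADY_LOAD = "steady_load"


@dataclass(frozen=True)
class Sensors:
    """One scan of sensor readings captured from the plant."""
    shaft_rpm: float
    fuel_valve_pct: float  # fuel control valve opening, 0..100


# Illustrative, plant-specific limits entered at commissioning (assumed values):
# the same valve opening is permissible in a transient state but not at steady load.
EXAMPLE_VALVE_LIMIT_PCT = {
    OpState.STANDSTILL: 0.0,
    OpState.STARTUP: 30.0,
    OpState.LOAD_CHANGE: 90.0,
    OpState.STEADY_LOAD: 75.0,
}
EXAMPLE_MAX_RPM = 3600.0


class ProtectionUnit:
    """Trip logic that takes only sensor values as input. It holds no reference
    to the process controller and exposes no runtime path to relax its limits."""

    def __init__(self):
        self._limits = None    # (max_rpm, valve_limit_pct), set at commissioning
        self._locked = False
        self._prev_rpm = None
        self.tripped = False   # latched; cleared only by manual_reset()

    def commission(self, max_rpm, valve_limit_pct):
        """Plant-specific limits may be entered only before the unit is locked."""
        if self._locked:
            raise PermissionError("protection limits are locked for commercial operation")
        self._limits = (float(max_rpm), dict(valve_limit_pct))

    def lock(self):
        if self._limits is None:
            raise RuntimeError("cannot lock an uncommissioned protection unit")
        self._locked = True

    def infer_state(self, s):
        """Operating state derived from sensed shaft speed and its change per scan
        (assumed thresholds); the controller's own claim of the state is not an input."""
        rate = 0.0 if self._prev_rpm is None else s.shaft_rpm - self._prev_rpm
        if s.shaft_rpm < 100:
            return OpState.STANDSTILL
        if s.shaft_rpm < 2800 and rate > 0:
            return OpState.STARTUP
        if abs(rate) > 50:
            return OpState.LOAD_CHANGE
        return OpState.STEADY_LOAD

    def scan(self, s):
        """Evaluate one sensor scan; returns True if the unit is (now) tripped."""
        if not self._locked:
            raise RuntimeError("protection unit must be locked before operation")
        max_rpm, valve_limit = self._limits
        state = self.infer_state(s)
        if s.shaft_rpm > max_rpm:                    # single-criterion overspeed trip
            self.tripped = True
        elif s.fuel_valve_pct > valve_limit[state]:  # state-dependent criterion
            self.tripped = True
        self._prev_rpm = s.shaft_rpm
        return self.tripped

    def manual_reset(self):
        self.tripped = False


def commissioned_unit():
    """A unit set up with the illustrative limits and locked for operation."""
    pu = ProtectionUnit()
    pu.commission(EXAMPLE_MAX_RPM, EXAMPLE_VALVE_LIMIT_PCT)
    pu.lock()
    return pu


def run(protection, demands):
    """Simulate scans. `demands` is a constructed list of (shaft_rpm,
    valve_demand_pct) pairs issued by the process controller. The trip output
    overrides the valve demand (shutdown closes the fuel valve); the controller
    cannot reach the protection unit at all. Returns the index of the scan at
    which the unit tripped, or None."""
    for i, (rpm, demand) in enumerate(demands):
        effective_valve = 0.0 if protection.tripped else demand
        if protection.scan(Sensors(rpm, effective_valve)):
            return i
    return None


if __name__ == "__main__":
    # 85 % valve opening at steady speed trips, the same opening during a real
    # load change (speed rising by more than 50 rpm per scan) does not.
    print(run(commissioned_unit(), [(3000, 50), (3000, 60), (3000, 85)]))
    print(run(commissioned_unit(), [(3000, 50), (3100, 85)]))
```

Because `infer_state` derives the transient state from the sensed speed, a controller (or operator) that merely claims "load change" while the shaft speed is steady gains nothing: the steady-load limit still applies. The overspeed check is evaluated first and does not consult the state at all, matching the single-criterion protection described above.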