Power plants in a new safety perspective

Paul Boughton

New techniques reduce the environmental burden of coal fired power plants and allow higher efficiencies with a better conversion of heat to electrical energy.

This is worth noting in the discussion on available energy carriers, since coal reserves can supply energy for an estimated 150-200 more years. That is much longer than the period calculated for the proven oil and gas reserves, a factor that cannot be ignored in global energy discussions.

The new techniques make power plants more complex, so safety needs extra attention in design and construction. Conventional power plants are designed in conformance with standard guidelines developed in close cooperation between companies, notified bodies and authorities, and safety has always been an implicit component of these designs and standard routines. With the added complexity this is no longer sufficient, and methods that are already common practice in the petrochemical industry should be, and are already being, introduced to ensure overall safety.

In this article the application of these safety studies in the development of coal fired power plants is discussed with special focus on the European energy market.

Energy market

In Europe the energy market is in motion in all areas of the business. Mergers and take-overs are discussed regularly. Depletion of existing oil and gas wells and the necessity to secure a continuous supply of energy sources from other, sometimes politically less stable, countries are high on the agenda. Sustainable power generation from solar and wind energy and from biomass, to mention some of the more prominent fields of interest, is gaining ground. Energy conservation measures by companies as well as households are encouraged, subsidised and eagerly followed. The question whether or not new nuclear plants should be built is topical again after the Fukushima disaster, and will be answered differently in different countries.

In the meantime the development of coal fired power plant design continues. Higher efficiencies are reached with new construction materials that withstand supercritical steam conditions, and add-on installations reduce emissions of SO2, NOx and dust in the flue gases. Further developments in combined cycle gas turbine (CCGT) units are also seen, especially where natural gas is replaced as the fuel by gas from coal and biomass gasification. These techniques have left the experimental and pilot plant stage. Gasification makes it possible to limit NOx formation and to clean the fuel before combustion, in particular with respect to CO2: the carbon is easier to wash out of the fuel gas before combustion than to capture from the flue gas with post-combustion techniques, which is a clear advantage in meeting the demands to reduce CO2 emissions.

These developments have resulted in what can be called a MegaWatt race among power generating companies to obtain licences for building new plants. These plants are needed not only to replace existing, less profitable power plants with new high efficiency plants; energy consumption is still increasing despite energy saving measures, which puts extra demand on power generating companies to extend their capacity. Sustainability and higher efficiency are the key words in these developments.

In the design of conventional coal fired power plants safety measures have long been incorporated implicitly in design and construction. The required measures have been agreed between the companies and so-called notified bodies and are laid down in codes such as ASME and the German TÜV regulations.

The drive for higher efficiencies and the requirements to limit the environmental burden make these plants more complex and their operating conditions more critical. Coal gasification, for example, is a relatively new and complex process, comparable to a process unit in an oil refinery. With this increasing complexity the importance of modern safety techniques and study methods has become evident, since the extra complexity has not yet been fully incorporated in the design and construction standards. To close this gap, coal fired power plants are adopting, or have already adopted, the methods for investigating the safety integrity of complex installations that are common practice in the petrochemical industry. That industry was confronted with the need for these methods much earlier because of the particular dangers of the oil, gas and toxic components it handles and produces, and because of the interwoven complexity of its processes. Learning from the petrochemical industry, these techniques and methods are now applied in the design and construction of new power plants as well.
Methods that are frequently applied are HAZOP (HAZard and OPerability study) and SIL studies, which determine the Safety Integrity Level required of instrumented protection functions.


HAZOP is a proven method to examine what can go wrong in an installation if deviations arise in process conditions, e.g. excursions of pressure or temperature and loss of, excess or misdirected flow. Special operating conditions are also reviewed, such as start-up, shut-down, regeneration and special maintenance activities. In a HAZOP study a team of experts systematically examines the installation line by line, including the various pieces of equipment, in sections called 'nodes'. A list of guidewords helps to identify the causes of deviations. The consequences of each deviation are then investigated, together with the question whether sufficient safety measures have been taken to cope with the possible impact. Typical plant philosophies not covered by standards can also be discussed, e.g. whether a shut-down should be followed by depressurising, whether emergency valves should be installed in pump suction lines, how to deal with possible damage by thermal expansion of trapped liquid in pipelines, and how to deal with valves that should be made inoperable during normal operation (a system of locked valves).

In the HAZOP study realistic scenarios for possible deviations and incidents are established. Very improbable events, or simultaneous incidents that have no relation to each other, are normally not considered. It should be noted, however, that major incidents have occurred through a combination of very remote and, at first sight, independent causes. Some types of failure should therefore be considered together as a common cause failure. This applies for example to failures that do not reveal themselves, such as valves left in the wrong position, or to situations where repair of essential components has been postponed.
To control hazards in a professional way by technical or organisational measures, the following approach is normally adopted. First try to find an inherently safe design that eliminates the hazard or makes the scenario very unlikely to occur in practice; examples are the use of less hazardous solvents, or equipment that is mechanically rated to withstand the highest temperatures and pressures the process can produce. If this is not practicable, a second type of measure can be applied: special control functions, trip actions, shut-ins and the like, which bring the installation to a safe state in case of failure. Other measures in this class are safety valves and rupture discs, which release pressure if the design pressure or temperature is approached or exceeded; flare systems to deal with hydrocarbon releases from safety valves are then provided as part of the safety system. On a third level, safer operation of the plant can be promoted and laid down in procedures. These have the lowest preference as a protection layer because of the uncertain human factor, which becomes manifest when there is a tendency in a plant not to adhere to time consuming procedures.

It should be noted that despite the various layers of defence, training, attitude and behaviour are of prime importance to keep a safe environment.

As in the petrochemical industry, power plants contain various instrument systems or loops to control the processes, covering process parameters such as flow, pressure, temperature and composition. Special safety systems are normally already present for the combustion process (burner management systems) and to protect the highly vulnerable turbines against, for example, overspeed. The electricity generators, the utilities and special provisions such as the cooling water and lube/seal oil systems are also of particular importance and require a high level of safeguarding.

In power plants it is not uncommon that the requirement to install a safety relief valve is overruled by standards that allow, instead, high integrity (blow-down) valves which close when an excessively high downstream pressure is measured. The advantage is that unwanted opening of safety valves is avoided, simply because none are installed. It is evident that such high integrity pressure protection systems must be very reliable, and a thorough investigation is required of all connected piping systems that have a lower design rating than the upstream high pressure/temperature systems. It is also common practice in power plants to allow the design pressure of pipelines to be exceeded for a short period, taking the effect on the lifetime of the piping into account.
A typical instrument loop consists of three elements. First a transmitter that measures a variable such as pressure, temperature or flow. Second a logic element, such as a PLC, where the transmitter signals are combined and processed and from where commands are sent out. Third the actuator or final element, which receives the command and performs an action such as opening or closing a valve or starting or stopping a pump. A Distributed Control System (DCS) generally executes the overall control functions, and operators in a central control room can monitor the processes and intervene if necessary.

By means of a SIL study the required level of instrumented protection is determined. The SIL study looks at the impact on safety (employees and neighbours), on the environment and on assets, the last being normally a matter of cost. Economic damage is thus also considered, but a high SIL driven purely by economic parameters may be weighed against financial criteria in a separate discussion. This is because incidents leading to loss of production immediately result in extensive claims by customers, a consequence that would normally push any safety loop whose failure leads to power interruption to a very high SIL. This may be regarded as unrealistic, and special criteria are required to assess the likelihood of occurrence.

For every SIL certain types of instrumented measures are prescribed; generally, the higher the level, the higher the complexity and cost of the measures. A SIL applies to the complete safety loop, which as a whole must fulfil the demands belonging to that SIL. It is sometimes overlooked that the level is not a requirement on the individual parts of the loop, such as transmitters, logic solver and final element, but on their combination: each part must be at least as good as the overall SIL, and since the failure probabilities of the parts add up, they normally have to be better than that to keep the loop as a whole within the band.

SIL studies are often coupled to HAZOP studies, because the hazardous scenarios are already determined in the HAZOP and form the basis for the SIL study. To get from scenario to SIL a standard risk matrix is presented in the standards for SIL determination (IEC 61508/61511), but many companies prefer a risk matrix specially developed for their own use.
The so-called risk graph gives the required SIL for the different scenarios. The highest-risk scenario, whether for people, environment or cost, determines the ultimate SIL for the safeguarding loop.
SIL A requires safeguarding by a simple provision. For example, an ordinary case of liquid overfill of a vessel filled with a non-hazardous component usually requires SIL A: an overfill protection must be present, but how to design it is left to good engineering practice, with no special demands on reliability. At SIL 1 people, installations and environment face a higher risk, and a more reliable protection system is required, including a special type of PLC, a safety PLC. At SIL 2 the risk is larger still, and frequently double transmitters and actuators are implemented together with a highly reliable 'logic solver'. Triple transmitters are often preferred to guarantee continuity of the process: these give a trip signal only if at least two of the three transmitters indicate the trip condition, the so-called two out of three (2oo3) arrangement, so that a single failed transmitter neither prevents a genuine trip nor causes a spurious one. Similar configurations can be designed specifically to avoid spurious trips.

SIL 3 and 4 go some steps further and are required where incidents could cause multiple fatalities, long-term serious damage to the environment or an economic impact of millions of euros. SIL 4 is seldom required, because before that level is concluded inherently safe provisions will normally be sought to eliminate the hazard.


The combination of HAZOP and SIL studies is taken further still in LOPA (Layer Of Protection Analysis). The underlying causes of unwanted scenarios are analysed in more detail, and a semi-quantitative approach is taken to arrive at a better founded estimate of the risk. Other independent safeguarding devices are also taken into account, evaluated and credited. LOPA can thus bring the qualitative SIL determination to a more specific and balanced outcome. The results are taken up in the actual design of the Safety Instrumented Function (SIF) or Safety Instrumented System (SIS).
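The following worked example is added to this article and is not part of it, nor of Tebodin's or Nuon's own method. It puts numbers on three points made above: the LOPA step from a scenario frequency to a required SIL, the 2oo3 transmitter arrangement and the effect of common cause failures on it, and the rule that the SIL applies to the whole loop rather than to its parts. The SIL bands (PFDavg and risk reduction factor) are those of IEC 61508 for low-demand operation; the architecture formulas are the usual simplified approximations (constant dangerous-undetected failure rate, annual proof test, no diagnostics or repair time, beta-factor common cause model). Every numeric input (initiating event frequency, IPL credit, tolerable frequency, failure rates, proof test interval, beta) is a constructed assumption for illustration, not data from the page.

```python
"""Added example: from a LOPA scenario to a required SIL, and from a proposed
loop architecture back to the SIL it actually reaches.

All numeric inputs used in the worked case are constructed assumptions.
"""
import math
from typing import Sequence

# IEC 61508 low-demand bands (PFDavg = average probability of failure on demand,
# RRF = 1 / PFDavg):
#   SIL 1: 1e-2 <= PFD < 1e-1   (RRF 10 .. 100)
#   SIL 2: 1e-3 <= PFD < 1e-2   (RRF 100 .. 1,000)
#   SIL 3: 1e-4 <= PFD < 1e-3   (RRF 1,000 .. 10,000)
#   SIL 4: 1e-5 <= PFD < 1e-4   (RRF 10,000 .. 100,000)
# Level 0 stands for the article's "SIL A": good engineering practice only,
# no quantified reliability demand.


def sil_band(pfd: float) -> int:
    """SIL band reached by a given PFDavg (0 = below SIL 1)."""
    if pfd <= 0:
        raise ValueError("PFDavg must be positive")
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4  # IEC 61508 defines nothing above SIL 4


def required_sil(rrf: float) -> int:
    """SIL needed to deliver a risk reduction factor (0 = no SIL needed)."""
    if rrf < 10:
        return 0
    return min(4, int(math.floor(math.log10(rrf))))


def lopa_required_rrf(initiating_event_per_year: float,
                      other_ipl_pfds: Sequence[float],
                      tolerable_per_year: float) -> float:
    """LOPA: the frequency that survives the independent protection layers
    (IPLs) other than the SIF under study, divided by the tolerable frequency,
    is the risk reduction the SIF itself must provide."""
    residual = initiating_event_per_year
    for pfd in other_ipl_pfds:
        residual *= pfd
    return max(residual / tolerable_per_year, 1.0)  # <1 means already acceptable


def pfd_1oo1(lambda_du: float, proof_test_h: float) -> float:
    """Single channel: PFDavg ~ lambda_DU * T / 2."""
    return lambda_du * proof_test_h / 2


def pfd_1oo2(lambda_du: float, proof_test_h: float, beta: float = 0.0) -> float:
    """Two channels, either one trips: ((1-beta) lambda_DU T)^2 / 3 plus the
    common-cause part beta * lambda_DU * T / 2 (beta-factor model)."""
    x = (1 - beta) * lambda_du * proof_test_h
    return x * x / 3 + beta * lambda_du * proof_test_h / 2


def pfd_2oo3(lambda_du: float, proof_test_h: float, beta: float = 0.0) -> float:
    """Three channels, two must agree: ((1-beta) lambda_DU T)^2 plus the same
    common-cause part. Redundancy helps the independent term only; the
    beta term is the floor the article's common cause warning refers to."""
    x = (1 - beta) * lambda_du * proof_test_h
    return x * x + beta * lambda_du * proof_test_h / 2


def vote_2oo3(channels: Sequence[bool]) -> bool:
    """2oo3 voting: trip only when at least two of three transmitters call for
    it, so one failed-high transmitter cannot cause a spurious trip and one
    failed-low transmitter cannot block a genuine one."""
    if len(channels) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    return sum(bool(c) for c in channels) >= 2


def loop_pfd(sensor_pfd: float, logic_pfd: float, final_element_pfd: float) -> float:
    """The SIL applies to the loop: subsystem PFDs add up."""
    return sensor_pfd + logic_pfd + final_element_pfd


if __name__ == "__main__":
    # Constructed scenario: BPCS failure drives a vessel to high pressure
    # 0.1 times per year; an alarm with operator response is credited at
    # PFD 0.1; the company's tolerable frequency is assumed at 3e-5 per year.
    rrf = lopa_required_rrf(0.1, [0.1], 3e-5)
    print(f"required RRF {rrf:.0f} -> SIL {required_sil(rrf)}")          # SIL 2
    # Constructed transmitter data: lambda_DU 1e-6 /h, annual proof test.
    lam, T = 1e-6, 8760.0
    print("1oo1 ", sil_band(pfd_1oo1(lam, T)))                           # 2
    print("2oo3 ", sil_band(pfd_2oo3(lam, T, beta=0.0)))                 # 4 (no common cause)
    print("2oo3 ", sil_band(pfd_2oo3(lam, T, beta=0.1)))                 # 3 (beta = 0.1)
    # Three subsystems each inside the SIL 2 band, but the loop is SIL 1.
    print("loop ", sil_band(loop_pfd(4.38e-3, 2e-3, 8.76e-3)))           # 1
```

The last case is the one the article warns about: a transmitter, logic solver and valve that each sit in the SIL 2 band add up to a loop in the SIL 1 band, so a SIL 2 loop has to buy better parts, a redundant architecture or a shorter proof test interval. The two 2oo3 results show why the HAZOP's common cause discussion matters for the SIL study as well: with beta at zero the triple transmitters look like SIL 4, with a realistic beta the common cause term alone keeps them at SIL 3.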

Findings in practice

Tebodin has carried out HAZOP-SIL studies for a number of coal fired power plants in Europe. On the basis of the HAZOPs, advice was given on where it is wise to enhance the safety level and where doing so has little or no effect. This came down to, for example:

* Extra instrument and safety loops for unwanted rising of temperatures and pressures;
* Measures against possible jamming of emergency shut-down valves;
* Complete separation of safety and operation control functions to be regarded as essential.

With respect to SIL it was concluded that safety related instrumentation was required up to SIL 2, and in some rare cases SIL 3. Higher levels were not envisaged. The impact of incidents is rather limited because their effects will not easily extend beyond the boundaries of the production site itself, so the chance of victims in the surrounding neighbourhood is small.
One example is the Nuon Magnum power plant at the Eemshaven in the north of the Netherlands. The power plant will have a capacity of 1,311 MW, enough for approximately 2 million households. This CCGT plant will be fired with natural gas and consists of three gas turbines combined with three steam turbines and three generators. At a later stage the ambition is to add gasification of coal and biomass in combination with CO2 capture; market conditions and public support will play a major role in the decision whether to invest in this next phase.

The technology involved makes this new generation of power plant more complex than a conventional coal fired boiler. For that reason the design has been subjected to a HAZOP and SIL analysis, carried out over a period of six weeks by a team of Nuon personnel, main contractor Mitsubishi and consultant Tebodin.

The HAZOP study resulted in 270 recommendations to improve the design, of which approximately 30 per cent were related to instrumentation. Examples are better separation of control and safety functions and the application of double safeguarding at some points. Locked valves, which must not be opened inadvertently, were also introduced. Furthermore, special attention was paid to undesirable turbine trips caused by false signals, and to turbine overspeed cases that could result in exceeding the design parameters.

Eventually 81 loops fell under SIL A, 77 under SIL 1 and 14 under SIL 2. SIL 3 and 4 proved unnecessary.


The HAZOP and SIL determination approach has proved very fruitful in the design of new-build power plants. Because of the high technology level of today's power plants, findings that upset the design drastically are not normally expected. With respect to SIL determination it can be stated that, generally speaking, SIL 2 is usually the highest level reached for power plants; only in exceptional cases is SIL 3 required.
Piet Rieff and Rien Scholing are senior consultants at Tebodin Netherlands BV, Den Haag, The Netherlands. www.tebodin.com

Fig. 1. Gas fired CCGT under construction.