Applying IEC 61508 to Hydroelectric Power Station Flood Gate Control
by Ken Simpson, Managing Director, Engineering Safety Consultants Ltd, discussing how to apply IEC 61508 to Hydroelectric Power Station Flood Gate Control, and the challenges and solutions involved in engineering protection against the major hazards.
A number of years ago, Engineering Safety Consultants Ltd. were approached by a major Hydroelectric Power provider in the UK to give a short presentation on what safety standards to apply in order to demonstrate the required level of reliability and integrity for flood gate control systems.
Following this presentation, ESC were engaged to provide a full Functional Safety assessment to IEC 61508 (see our FAQs on the topic).
What is Functional Safety?
According to IEC 61508-4 (IEC 61508 is the international standard that applies to ‘safety-related control systems’), Functional safety is ‘part of the overall safety relating to the Equipment Under Control (EUC) which depends on the correct functioning of the Electrical / Electronic /Programmable Electronic safety-related systems, other technology safety-related systems and external risk reduction facilities.’
So how does this apply to Hydro-Power Station Flood Gate control?
It was identified that a failure of the Floodgate control system could result in one or more of the following major hazards:

1. Water Surge
If the flood gates open too quickly they could cause a sudden large surge down the river, which could cause a fatality among river users (typically fishermen). This is protected by basic robust design with dual dissimilar watchdogs.

2. Dam Over-Topping
Once a flood has started to build up, the gate opening speed has to be sufficient to keep ahead of the flood (which could be higher than the speed that would cause hazard 1); otherwise the dam could be over-topped, causing major damage to the power station and possible loss of life. This is protected by redundant gates with automatic control and remote manual control.

3. River Allowed to Run Dry
When the power station is operating it passes water down the river. If the output lines trip (say, from a lightning strike), the turbines have to shut down and the water flow stops, so the river could dry up, causing significant loss of fish stock. The operators would be fined and would also have to pay for re-stocking the fish, hence on loss of power the flood gates have to open to maintain river flow. This is protected by an automatic system and remote manual control.
The Engineering Challenges
Engineering a solution to address each of these scenarios presents several challenges. Here’s a selection of the main ones:
1. What’s the ‘safe state’?
There isn’t one! For both the ‘Dam over-topping’ and ‘River allowed to dry out’ scenarios, the system is required to open the gates on demand, whereas for the ‘Water surge’ the system is required to stop rapid gate movement during the initial gate opening period, thus there’s no fundamental safe state.
2. Complexity
The Floodgate control is not simple shutdown logic and does require relatively complex analogue variable calculations to determine the:
- Actual mean loch level
- The required water discharge through the flood gates based on current and predicted loch levels, loch physical profile etc.
- Prevention of gate control hunting
3. Communications
The Dam and power station can normally be unmanned, and plant is normally controlled / managed from a remote central control centre, hence the system needs to be able to communicate via (typically) DNP3 protocol (one of the power industry standards).
Non-Traditional Solution?
A traditional SIL 2 / SIL 3 safety PLC typically initiates a shutdown on detection of a fault or multiple faults (challenge 1) and has restricted software functionality (challenges 2 and 3). Clearly, given the issues discussed above, this type of solution would not be ideal for this application.
In addition, site operating history showed a demand rate for each of the three key hazards ranged from 10 per year to 1 in 50 years which raised the question of the most suitable mode to apply (high/continuous or low demand). This will be discussed in detail in a future blog.
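To show why the choice of mode matters before that future post arrives, here is an added worked example (not code from ESC or the original post). It classifies a safety function's mode of operation from its demand rate using the IEC 61508-4 definitions (low demand when demands occur no more than once per year, otherwise high demand), then assesses the same single-channel (1oo1) hardware against the IEC 61508-1 target failure measures for each mode. The 1oo1 formulas are the simplified forms from IEC 61508-6 with no diagnostics and negligible repair time; the demand rates, failure rate and proof-test interval are constructed sample values, since the post only gives the overall range of 10 per year to 1 in 50 years.

```python
"""Added example (not from the post or ESC): mode of operation and the
resulting SIL 2 target measure for a 1oo1 channel under IEC 61508.
Assumptions: simplified 1oo1 formulas (no diagnostics, negligible repair
time); all numeric inputs below are constructed sample values."""


def mode_of_operation(demands_per_year: float) -> str:
    """IEC 61508-4: low demand mode when demands occur no more than once per
    year; otherwise high demand mode (continuous mode uses the same target
    measure as high demand, so it is folded in here)."""
    return "low demand" if demands_per_year <= 1.0 else "high demand"


# IEC 61508-1 target failure measures: (SIL, lower bound, upper bound).
# Low demand is judged on PFDavg (dimensionless); high/continuous on PFH (per hour).
SIL_BANDS = {
    "low demand":  [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)],
    "high demand": [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)],
}


def achievable_sil(mode: str, value: float) -> int:
    """SIL whose band contains the achieved PFDavg/PFH, or 0 if worse than SIL 1."""
    for sil, lo, hi in SIL_BANDS[mode]:
        if lo <= value < hi:
            return sil
    return 0


def pfd_avg_1oo1(lambda_du: float, proof_test_interval_h: float) -> float:
    """Simplified 1oo1 average probability of failure on demand: lambda_DU * T1 / 2."""
    return lambda_du * proof_test_interval_h / 2.0


def pfh_1oo1(lambda_du: float) -> float:
    """Simplified 1oo1 probability of dangerous failure per hour: lambda_DU."""
    return lambda_du


def assess(demands_per_year: float, lambda_du: float, proof_test_interval_h: float):
    """Return (mode, achieved measure, achievable SIL) for a 1oo1 channel."""
    mode = mode_of_operation(demands_per_year)
    if mode == "low demand":
        value = pfd_avg_1oo1(lambda_du, proof_test_interval_h)
    else:
        value = pfh_1oo1(lambda_du)
    return mode, value, achievable_sil(mode, value)


if __name__ == "__main__":
    LAMBDA_DU = 1e-6       # constructed: one dangerous undetected failure per 1e6 h
    PROOF_TEST_H = 8760    # constructed: annual proof test
    # Constructed demand rates spanning the range quoted in the post.
    for name, rate in [("hazard A (1 in 50 years)", 1 / 50), ("hazard B (10 per year)", 10.0)]:
        mode, value, sil = assess(rate, LAMBDA_DU, PROOF_TEST_H)
        print(f"{name}: {mode}, achieved {value:.2e}, achievable SIL {sil}")
```

The point the numbers make: with an annual proof test, the same channel reaches the SIL 2 PFDavg band in low demand mode but only the SIL 1 PFH band in high demand mode, because in high demand the proof-test interval no longer buys anything and the dangerous undetected failure rate is judged directly.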
The Conclusion
In the most simplistic terms, the following requirements were established for the design of the Floodgate control system:
- The System needs to be fault tolerant and, for some failure modes, hold the last state
- Automatic Control: Use of a standard PLC prior-use assessed by an external body, to be suitable for a SIL 2 application
- Remote Manual Control: Use of a standard power industry RTU prior-use assessed, along with remote operator to be SIL 2 capable (look out for a future blog on SIL-rated operators!)
- Use of multiple sensors, with a high degree of checking and averaging within the PLC and control of multiple flood gates
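As an added illustration of the last two requirements (multiple sensors with checking and averaging, and holding the last state for some failure modes), here is example code that is not ESC's and not from the original post. It derives the mean loch level from redundant level sensors: each reading is range-checked, the survivors are discrepancy-checked by dropping the sensor furthest from the median until they agree within a tolerance, and if fewer than two trustworthy sensors remain the function holds the last good value rather than acting on suspect data. The plausible range, tolerance, minimum sensor count and all readings are constructed assumptions, not values from the post.

```python
"""Added example (not from the post or ESC): validating and averaging
redundant loch-level sensors, holding the last good value on a sensor fault.
Assumptions (constructed): plausible level band, agreement tolerance and the
requirement for at least two agreeing sensors."""
from dataclasses import dataclass
from statistics import mean, median
from typing import List, Optional

LEVEL_MIN_M = 0.0      # constructed: plausible loch level band (metres)
LEVEL_MAX_M = 50.0
MAX_SPREAD_M = 0.20    # constructed: allowed disagreement between healthy sensors
MIN_HEALTHY = 2        # constructed: need two agreeing sensors for a fresh value


@dataclass
class LevelEstimate:
    level_m: Optional[float]   # None only if there is no last good value yet
    status: str                # "ok", "degraded" or "hold_last_state"
    healthy: List[float]       # readings that passed both checks


def validated_mean_level(readings, last_good: Optional[float]) -> LevelEstimate:
    """Return the validated mean level, or hold last_good on a sensor fault."""
    # 1. Range check: discard sensors reading outside the plausible band
    #    (an open-circuit or stuck transmitter usually shows up here).
    in_range = [r for r in readings if r is not None and LEVEL_MIN_M <= r <= LEVEL_MAX_M]

    # 2. Discrepancy check: while the survivors disagree by more than the
    #    tolerance, drop the one furthest from the median. With only two
    #    sensors left there is no way to tell which is wrong, so whichever is
    #    dropped the set falls below MIN_HEALTHY and the last state is held.
    healthy = list(in_range)
    while len(healthy) >= MIN_HEALTHY and max(healthy) - min(healthy) > MAX_SPREAD_M:
        med = median(healthy)
        healthy.remove(max(healthy, key=lambda r: abs(r - med)))

    # 3. Not enough trustworthy sensors: hold the last good value rather than
    #    drive the gates from suspect data.
    if len(healthy) < MIN_HEALTHY:
        return LevelEstimate(last_good, "hold_last_state", healthy)

    # 4. Average the healthy set; flag "degraded" if any sensor was rejected
    #    so the control centre sees the fault even though control continues.
    status = "ok" if len(healthy) == len(readings) else "degraded"
    return LevelEstimate(round(mean(healthy), 3), status, healthy)


if __name__ == "__main__":
    # Constructed sample scans from three level transmitters.
    for scan in ([12.50, 12.55, 12.48],    # all agree
                 [12.50, 12.55, 99.0],     # one out of range
                 [12.50, 13.40, 12.48],    # one drifted, outvoted
                 [12.50, 13.40, None]):    # one dead, two disagree: hold
        print(scan, "->", validated_mean_level(scan, last_good=12.40))
```

In a real PLC the "degraded" and "hold_last_state" statuses would be the inputs to the alarm and the remote manual control path the post describes, so the operator knows the automatic channel is running on reduced or stale sensor data.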
If you’d like to know more, why not check out our events page and book on to one of our FREE seminars. If that doesn’t fully quench your thirst for Functional Safety, maybe try one of our training courses (including the prestigious TÜV Rheinland Functional Safety Program), led by our own industry-renowned Functional Safety experts.
At ESC, our expert consultants are unashamed Functional Safety geeks and are always keen to help, so if you have a problem or query and are drowning in a sea of acronyms (SIL, SIF, SRS, SIS, SAR etc.), drop us a line. It’s what we do.