Applying IEC 61508 to Hydroelectric Power Station Flood Gate Control

by Ken Simpson, Managing Director, Engineering Safety Consultants Ltd, discussing how to apply IEC 61508 to Hydroelectric Power Station Flood Gate Control and the challenges and solutions when engineering solutions to the major hazards.

A number of years ago, Engineering Safety Consultants Ltd. were approached by a major Hydroelectric Power provider in the UK to give a short presentation on what safety standards to apply in order to demonstrate the required level of reliability and integrity for flood gate control systems.

Following this presentation, ESC were engaged to provide a full Functional Safety assessment to IEC 61508 (see our FAQs on the topic).

What is Functional Safety?

According to IEC 61508-4 (IEC 61508 is the international standard that applies to ‘safety-related control systems’), Functional Safety is ‘part of the overall safety relating to the Equipment Under Control (EUC) which depends on the correct functioning of the Electrical / Electronic / Programmable Electronic safety-related systems, other technology safety-related systems and external risk reduction facilities.’

So how does this apply to Hydro-Power Station Flood Gate control?

It was identified that a failure of the Floodgate control system could result in one or more of the following major hazards:

Water Surge

If the flood gates open too quickly they could cause a sudden large surge down the river, which could kill river users (typically fishermen). This is protected against by a basic robust design with dual dissimilar watchdogs.
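As an added illustration of what "dual dissimilar watchdogs" on gate opening rate can look like (example code written for this page, not the project's own design), the block below implements two rate monitors built on different measurement principles, one time-triggered and one distance-triggered, combined so that either one tripping removes the drive permissive. The gate position units, the 1 s scan time and the 0.05 m/s limit are constructed assumptions; the post gives no figures for the real installation.

```python
"""Added example (not from the original post): a gate-opening rate limit
enforced by two dissimilar watchdogs in a 1oo2 arrangement, where either
watchdog tripping removes the gate drive permissive.

Constructed assumptions: gate position in metres, a 1 s controller scan and a
maximum permitted opening rate of 0.05 m/s during the initial opening period.
"""

MAX_RATE_M_PER_S = 0.05   # assumed surge limit during initial opening
TICK_S = 1.0              # assumed controller scan time


class DeltaWatchdog:
    """Watchdog A: time-triggered. Each scan it compares the change in
    position with the distance the gate may travel in one scan."""

    def __init__(self, max_rate, tick):
        self.max_step = max_rate * tick
        self.last = None
        self.tripped = False          # latches until reset by an operator

    def check(self, position):
        if self.last is not None and position - self.last > self.max_step + 1e-9:
            self.tripped = True
        self.last = position
        return not self.tripped


class TravelTimeWatchdog:
    """Watchdog B: distance-triggered, a different measurement principle.
    It times how long the gate takes to pass each fixed 0.1 m mark and trips
    if a mark is reached sooner than the rate limit allows."""

    def __init__(self, max_rate, increment=0.1):
        self.increment = increment
        self.min_time = increment / max_rate   # 2 s per 0.1 m at 0.05 m/s
        self.next_mark = None
        self.mark_time = None
        self.tripped = False

    def check(self, position, now):
        if self.next_mark is None:             # first sample: place the first mark
            self.next_mark = position + self.increment
            self.mark_time = now
            return True
        while position >= self.next_mark - 1e-9:
            if now - self.mark_time < self.min_time - 1e-9:
                self.tripped = True
            self.mark_time = now
            self.next_mark += self.increment
        return not self.tripped


class GateDrive:
    """1oo2 inhibit: the drive permissive is kept only while both watchdogs
    are healthy, so a single design fault in one algorithm cannot by itself
    allow an over-fast opening."""

    def __init__(self):
        self.wd_a = DeltaWatchdog(MAX_RATE_M_PER_S, TICK_S)
        self.wd_b = TravelTimeWatchdog(MAX_RATE_M_PER_S)

    def permissive(self, position, now):
        ok_a = self.wd_a.check(position)
        ok_b = self.wd_b.check(position, now)   # evaluate both, never short-circuit
        return ok_a and ok_b


def run_profile(rates):
    """Drive the gate through a constructed list of per-scan opening rates (m/s)
    and return (final_permissive, watchdog_a_tripped, watchdog_b_tripped)."""
    drive = GateDrive()
    pos, now = 0.0, 0.0
    permissive = drive.permissive(pos, now)
    for rate in rates:
        now += TICK_S
        pos += rate * TICK_S
        permissive = drive.permissive(pos, now) and permissive
    return permissive, drive.wd_a.tripped, drive.wd_b.tripped


if __name__ == "__main__":
    print(run_profile([0.05] * 10))               # within limit: (True, False, False)
    print(run_profile([0.05, 0.05, 0.2, 0.05]))   # 0.2 m step: both trip
    print(run_profile([0.06, 0.04, 0.04]))        # short spike: only A sees it
```

The third profile shows why the two are not simply redundant copies: a single over-fast scan that does not cross a 0.1 m mark is caught by the per-scan check but not by the travel-time check, while a sustained over-speed trips both. Dissimilar algorithms give you different blind spots rather than the same one twice, which is the point of the arrangement.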

Dam Over-Topping

After the initial build-up of a flood, the gate opening speed has to be sufficient to keep pace with the flood (which may be higher than the speed that could cause hazard 1); otherwise the dam could be over-topped, causing major damage to the power station and possible loss of life. This is protected against by redundant gates with automatic control and remote manual control.

River Allowed to Run Dry

When the power station is operating it passes water down the river. If the output lines trip (say, from a lightning strike), the turbines have to shut down and the water flow stops, so the river could dry up, causing significant loss of fish stock. The operator would be fined and would also have to pay for re-stocking the fish; hence, on loss of power, the flood gates have to open to maintain river flow. This is protected against by an automatic system and remote manual control.

The Engineering Challenges

Engineering a solution to address each of these scenarios presents several challenges. Here’s a selection of the main ones:

1. What’s the ‘safe state’?

There isn’t one! For both the ‘Dam over-topping’ and ‘River allowed to run dry’ scenarios the system is required to open the gates on demand, whereas for ‘Water surge’ it is required to stop rapid gate movement during the initial gate opening period; thus there is no single safe state.

2. Complexity

The floodgate control is not simple shutdown logic; it requires relatively complex analogue variable calculations to determine the:

  • Actual mean loch level
  • The required water discharge through the flood gates based on current and predicted loch levels, loch physical profile etc.
  • Prevention of gate control hunting

3. Communications

The Dam and power station can normally be unmanned, and plant is normally controlled / managed from a remote central control centre, hence the system needs to be able to communicate via (typically) DNP3 protocol (one of the power industry standards).
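The post only names DNP3 as the link to the control centre. As an added example (written for this page, not the project's or the standard's own code), the block below builds and checks the CRC on a DNP3 data link layer header, which is the first integrity check an RTU applies to anything it receives. The header layout and CRC-16/DNP parameters are those of the DNP3 link layer; the addresses and control byte used are constructed for illustration.

```python
"""Added example (not from the original post): building and checking the CRC
on a DNP3 data link layer header.

DNP3 link frames start with the bytes 0x05 0x64, then a length byte, a control
byte, 16-bit destination and source addresses (little-endian), and a 16-bit
CRC over those eight header bytes. The CRC is CRC-16/DNP (polynomial 0x3D65,
bit-reflected, inverted output), transmitted low byte first. The addresses and
control byte used below are constructed for illustration.
"""
import struct

START = b"\x05\x64"


def _dnp_table():
    """Lookup table for the reflected CRC-16/DNP (0x3D65 bit-reversed is 0xA6BC)."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _dnp_table()


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: init 0, reflected, final XOR 0xFFFF. crc_dnp(b'123456789') == 0xEA82."""
    crc = 0
    for b in data:
        crc = (crc >> 8) ^ _TABLE[(crc ^ b) & 0xFF]
    return crc ^ 0xFFFF


def build_header(user_data_len, control, dest, source):
    """Header length byte counts control + addresses + user data (5 + n); CRCs are excluded."""
    body = START + struct.pack("<BBHH", 5 + user_data_len, control, dest, source)
    return body + struct.pack("<H", crc_dnp(body))


def parse_header(frame):
    """Return the header fields, or raise ValueError if the start bytes or the
    CRC do not check out. The RTU must reject before acting, never after."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("not a DNP3 link frame")
    expected = crc_dnp(frame[:8])
    received, = struct.unpack("<H", frame[8:10])
    if received != expected:
        raise ValueError("header CRC mismatch")
    length, control, dest, source = struct.unpack("<BBHH", frame[2:8])
    return {"length": length, "control": control, "dest": dest, "source": source}


def check_frame(frame):
    """True if the header integrity check passes."""
    try:
        parse_header(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed: control centre (address 1024) to outstation 1, unconfirmed user data
    hdr = build_header(0, 0xC4, dest=1, source=1024)
    print(hdr.hex(), parse_header(hdr))
    damaged = bytearray(hdr)
    damaged[4] ^= 0x01          # flip one bit of the destination address
    print(check_frame(bytes(damaged)))   # False
```

The CRC protects against line noise and corruption, which is what a functional safety assessment of the link needs to account for; it gives no protection against a deliberately forged command, since anyone who can write to the link can compute the CRC. Where that threat is in scope, DNP3 Secure Authentication (IEEE 1815) adds message authentication on top of this link-layer check.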

Non-Traditional Solution?

A traditional SIL 2 / SIL 3 safety PLC typically initiates a shutdown on detection of a fault or multiple faults (issue 1) and has restricted software functionality (issues 2 and 3). Clearly, given the issues discussed above, this type of solution would not be ideal for this application.

In addition, site operating history showed demand rates for the three key hazards ranging from 10 per year to 1 in 50 years, which raised the question of the most suitable mode of operation to apply (high/continuous or low demand). This will be discussed in detail in a future blog.

The Conclusion

In the most simplistic terms, the following requirements were established for the design of the Floodgate control system:

  • The System needs to be fault tolerant and, for some failure modes, hold the last state
  • Automatic Control: Use of a standard PLC prior-use assessed by an external body, to be suitable for a SIL 2 application
  • Remote Manual Control: Use of a standard power industry RTU prior-use assessed, along with remote operator to be SIL 2 capable (look out for a future blog on SIL-rated operators!)
  • Use of multiple sensors, with a high degree of checking and averaging within the PLC and control of multiple flood gates
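The ‘Complexity’ section above lists the mean loch level and the prevention of gate hunting as the awkward calculations, and the requirements list asks for multiple sensors with checking and averaging and, for some failure modes, holding the last state. The block below is an added example (written for this page, not the project's PLC code) that puts those three together: range and discrepancy checks over several level sensors, a mean of the readings that agree, a hold-last-good fallback when too few sensors can be trusted, and a hysteresis band on the staged discharge demand so that noise around a threshold cannot drive the gates open and closed repeatedly. Every limit, stage and sensor value is constructed for illustration.

```python
"""Added example (not from the original post): loch level estimation from
several sensors with plausibility checks, discrepancy detection and averaging,
a hold-last-good fallback, and a hysteresis band on the discharge demand to
prevent gate hunting. All limits and readings are constructed for illustration.
"""
from statistics import median

LEVEL_MIN_M = 100.0          # assumed lowest credible loch level (m)
LEVEL_MAX_M = 130.0          # assumed highest credible loch level (m)
MAX_DISCREPANCY_M = 0.3      # assumed tolerance between a sensor and the median
MIN_GOOD_SENSORS = 2         # fewer than this and the last good level is held


def validated_level(readings, last_good):
    """Return (level, status) for one snapshot of sensor readings.

    readings: list of level values, None for a sensor reporting a fault.
    A reading outside the credible range, or more than MAX_DISCREPANCY_M from
    the median of the in-range readings, is rejected. The mean of the survivors
    is used; with too few survivors the last good level is held ('hold'),
    so a sensor fault moves the gates neither open nor shut on its own.
    """
    in_range = [r for r in readings
                if r is not None and LEVEL_MIN_M <= r <= LEVEL_MAX_M]
    if len(in_range) < MIN_GOOD_SENSORS:
        return last_good, "hold"
    mid = median(in_range)
    agreed = [r for r in in_range if abs(r - mid) <= MAX_DISCREPANCY_M]
    if len(agreed) < MIN_GOOD_SENSORS:
        return last_good, "hold"
    status = "ok" if len(agreed) == len(readings) else "degraded"
    return sum(agreed) / len(agreed), status


class DischargeController:
    """Step the discharge demand between fixed stages only when the level has
    moved past a stage threshold by more than the hysteresis band."""

    # (level threshold in m, discharge demand in m^3/s); constructed values
    STAGES = [(120.0, 0.0), (121.0, 50.0), (122.0, 120.0), (123.0, 250.0)]
    HYSTERESIS_M = 0.15

    def __init__(self):
        self.stage = 0

    def demand(self, level):
        # step up only when clearly above the next stage's threshold
        while (self.stage + 1 < len(self.STAGES)
               and level >= self.STAGES[self.stage + 1][0] + self.HYSTERESIS_M):
            self.stage += 1
        # step down only when clearly below the current stage's threshold
        while (self.stage > 0
               and level <= self.STAGES[self.stage][0] - self.HYSTERESIS_M):
            self.stage -= 1
        return self.STAGES[self.stage][1]


def run_cycle(snapshots, start_level=120.0):
    """Feed successive constructed sensor snapshots through validation and the
    discharge controller; return a list of (level, status, demand)."""
    ctl = DischargeController()
    last_good = start_level      # assumed level known at start-up
    out = []
    for readings in snapshots:
        level, status = validated_level(readings, last_good)
        if status != "hold":
            last_good = level
        out.append((round(level, 3), status, ctl.demand(level)))
    return out


if __name__ == "__main__":
    for row in run_cycle([[120.9, 121.0, 121.1],     # all agree
                          [121.2, 121.3, 121.2],     # rising, crosses 121 + band
                          [121.0, None, 121.1],      # one sensor faulted
                          [121.0, 121.5, 122.0]]):   # no two sensors agree: hold
        print(row)
```

The ‘hold’ branch is where the post's ‘no safe state’ point bites: with no direction that is always safe, the defensible response to an untrustworthy level measurement is to keep the gates where they are and raise the degraded or hold status to the control centre, rather than let a single failed transducer open or close them.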

If you’d like to know more, why not check out our events page and book on to one of our FREE seminars. If that doesn’t fully quench your thirst for Functional Safety, maybe try one of our training courses (including the prestigious TÜV Rheinland Functional Safety Program), led by our own industry-renowned Functional Safety experts.

At ESC, our expert consultants are unashamed Functional Safety geeks and are always keen to help, so if you have a problem or query and are drowning in a sea of acronyms (SIL, SIF, SRS, SIS, SAR etc.), drop us a line. It’s what we do.