Functional Safety found its application during a sailing trip in the Adriatic.

IEC 61508 is the umbrella standard for Functional Safety, from which industry-specific standards including IEC 61511 (process) and IEC 62061 (machinery) are derived. The main phases of the Functional Safety Life Cycle are: analysis, implementation, and operation. As the term “cycle” indicates, there are feedback loops at each phase which allow previous assumptions to be reviewed and confirmed. Hazardous events and “near misses” during the operation phase are opportunities to confirm that functional safety goals are being met.

A “real world” opportunity to apply functional safety operational lessons learned occurred during a recent sailing trip in the Adriatic aboard a Sun Odyssey 45-ft sloop, powered by a Yanmar Marine 4JH4-TE 56 kW turbocharged marine diesel engine. While motoring in the marina, the motor panel warning annunciator sounded and thick white smoke discharged from the side exhaust. The boat was immediately docked and initial observations indicated absence of seawater in the secondary cooling loop, probably due to blockage of the underwater intake. Subsequent overheating of the primary coolant had caused the temperature switch (#33 in schematic) to activate. As per Yanmar specifications, the switch setpoint is 95°C (initiating motor panel warning light and alarm tone). The optional coolant temperature sensor (#37 in schematic) was not installed on the B-type instrument panel, therefore it was not possible to independently confirm at what temperature the coolant switch had activated. Further investigation showed that the sea water cooling pump impeller (#29 in schematic) was destroyed, presumably as a result of extended dry running. Parts of the impeller were found in the downstream heat exchanger (#22 in schematic) – see photo.

The sea water pump impeller was replaced and the system flushed and refilled. There appeared to be no damage to the primary cooling circuit, clutch lube oil cooler or engine block. Repair time was approximately 2 hours; the cost of a new sea water pump impeller repair kit was about 60 Euro. In summary, the coolant high temperature alarm allowed sufficient time for operator action (manual engine shutdown) to avoid damage to main engine components, but did not prevent destruction of the sea water cooling pump. Although the replacement parts were not expensive, the repair time could be critical, especially if such a failure occurred in an emergency situation in rough seas. The question that therefore arose was whether there is a cost-effective configuration that would allow enough reaction time to prevent damage to the sea water cooling pump as well as protecting the engine.

Possible alternatives could be:

  1. Adjust the coolant temperature switch setpoint to a lower value, which would also protect sea water cooling circuit components from damage. The setpoint would have to be sufficiently far above the thermostat switch point (including dead-band) to avoid nuisance alarms.
  2. Provide a flow switch in the sea water line to indicate correct flow conditions. This solution is not considered feasible, because flow fluctuations would likely lead to spurious alarms.
  3. Provide a high temperature pre-alarm. The optional primary coolant sensor (#37), provided as standard with the C-type instrument panel, could potentially fulfil this role, although it is questionable whether a simple gauge indicator would be actively monitored during motoring. In a HAZOP, such a local indicator without alarm would not be considered a valid independent protection layer (IPL).

Of the above options, 3) is considered to be the most practical and cost effective (ALARP). Although not strictly an IPL as defined by IEC 61511, the independent gauge at least gives the crew the opportunity to monitor and register high coolant temperatures prior to initiation of the panel warning alarm, thereby potentially avoiding component damage and time-consuming repairs. The other options, reducing the alarm setpoint or adding a flow switch, would likely generate nuisance alarms and therefore be impractical in the long term.
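To make the setpoint trade-off behind options 1) and 3) concrete, here is an added Python example (not part of the original post, nor Yanmar's documentation) that scores candidate coolant setpoints against two constructed temperature profiles, thermostat cycling during normal motoring and a loss of seawater cooling. Only the 95°C switch setpoint comes from the post; the thermostat band, heating rates and switch hysteresis are assumptions chosen for illustration.

```python
# Added example, not from the original post. The 95 degC switch setpoint is from
# the post; the thermostat band, heating rates and reset hysteresis below are
# constructed assumptions, not Yanmar figures.

YANMAR_SWITCH_C = 95.0  # temperature switch #33 setpoint (from the post)

def thermostat_cycle(duration_s, low_c=78.0, high_c=88.0, rate_c_per_s=0.05):
    """Assumed normal-motoring profile: a triangle wave between the thermostat
    closing temperature and its peak (opening point + dead-band + overshoot)."""
    span = high_c - low_c
    for t in range(duration_s):
        phase = round((t * rate_c_per_s) % (2 * span), 6)  # round: no float drift
        yield t, low_c + (phase if phase <= span else 2 * span - phase)

def cooling_loss(duration_s, start_c=82.0, rate_c_per_s=0.1):
    """Assumed fault profile: seawater flow lost at t=0 (blocked intake), so the
    primary coolant heats steadily with no heat rejection."""
    for t in range(duration_s):
        yield t, round(start_c + rate_c_per_s * t, 6)

def alarm_activations(profile, setpoint_c, reset_hysteresis_c=2.0):
    """Rising-edge activations of a switch that latches at the setpoint and
    resets once the coolant has fallen below it by the hysteresis."""
    active, times = False, []
    for t, temp in profile:
        if not active and temp >= setpoint_c:
            active = True
            times.append(t)
        elif active and temp <= setpoint_c - reset_hysteresis_c:
            active = False
    return times

def evaluate(setpoint_c, normal_s=3600, fault_s=300):
    """Trade-off for one setpoint: nuisance alarms per hour of normal motoring
    versus seconds of impeller dry running before the crew is warned."""
    nuisance = len(alarm_activations(thermostat_cycle(normal_s), setpoint_c))
    fault = alarm_activations(cooling_loss(fault_s), setpoint_c)
    return {
        "setpoint_c": setpoint_c,
        "nuisance_alarms_per_hour": nuisance,
        "dry_run_s_before_alarm": fault[0] if fault else None,
    }

if __name__ == "__main__":
    # option 1 (lower switch setpoint), option 3 (pre-alarm level), as-built
    for sp in (85.0, 90.0, YANMAR_SWITCH_C):
        print(evaluate(sp))
```

With these assumed profiles a setpoint inside the thermostat band fires every cycle, while a pre-alarm level just above the band fires only on the fault and cuts the dry-running time before the 95°C switch acts; the real thermostat band and heating rates would have to be measured on the actual engine before choosing a value.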

Although a HAZOP of such a marine diesel auxiliary system would be clearly overkill, this practical example nevertheless demonstrates “real world” application of the IEC 61511 safety life cycle, including consideration of “lessons learned”, IPLs and ALARP principles.

PSC covers the whole Safety Life Cycle, from the initial hazard and risk assessment through detailed design, implementation, commissioning and operation up to decommissioning. PSC safety experts are IChemE and CFSE certified.

Please download our HAZOP-SIL-LOPA-References, or contact us for a quote for your workshop requirements.