Safety Instrumented Systemsin Regulator Station Design
SIL Verification of Standard Design
Alan Burt
APA Group Presentation 2
Presentation Overview
Safety standards
Victorian gas transmission network – Melbourne supply
History of Dandenong City Gate and design issues
Project concept and objectives
AS2885 requirements for pipeline pressure control
Safety targets and standardised components (SIL)
Achieving both safety and high availability
Layers of Protection Analysis of alternate designs
Conclusions
APA Group Presentation 3
Definitions
BLP – Brooklyn Lara Pipeline
City Gate – gas pressure regulating facility feeding a city
LOPA – Layer Of Protection Analysis
MAOP – Maximum Allowable Operating Pressure
PES – Programmable Electronic Systems
PLC – Programmable Logic Controller
PSV – Pressure Safety Valve
RTU – Remote Terminal Unit
SIF – Safety Instrumented Function
SIL –Safety Integrity Level
SSV – Slamshut valve
TMR PLC – Triple Mode Redundant PLC
APA Group Presentation 4
Acknowledgement and Disclaimer
The author wishes to acknowledge the technical information provided by Invensys – Premier Consulting Services in their report “SIL Assignment and Verification Report” prepared for GasNet for the Brooklyn Lara City Gate.
The concepts provided herein should not be taken to be endorsement of specific products or design implementation for pressure reduction stations. Designers should assess their specific designs to ensure safety critical and functional control meets the owner’s and technical regulators’ requirements.
APA Group Presentation 5
Victorian Natural Gas System
APA Group Presentation 6
Safety Standards – AS/NZS 61508
AS 61508.1-1999 Functional safety of electrical/electronic/programmable electronic safety-related systems—General requirements
AS 61508.2-2001 Functional safety of electrical/electronic/programmable electronic safety-related systems—Requirements for electrical/electronic/programmable electronic safety-related systems
AS 61508.3-1999 Functional safety of electrical/electronic/programmable electronic safety-related systems—Software requirements
AS 61508.4-1999 Functional safety of electrical/electronic/programmable electronic safety-related systems—Definition and abbreviations
AS 61508.5-1999 Functional safety of electrical/electronic/programmable electronic safety-related systems—Examples of methods for the determination of safety integrity levels
AS 61508.6-2001 Functional safety of electrical/electronic/programmable electronic safety-related systems—Guidelines on the application of AS 61508.2 and AS 61508.3
AS 61508.7-2001 Functional safety of electrical/electronic/programmable electronic safety-related systems—Overview of techniques and measures
APA Group Presentation 7
Safety Standards - AS/NZS 61511, AS 3814
AS IEC 61511.1 Functional safety - Safety instrumented systems for the process industry sector - Framework, definitions, systems, hardware and software requirements
AS IEC 61511.2 Functional safety - Safety instrumented systems for the process industry sector - Guidelines for the application of AS IEC 61511-1
AS IEC 61511.3 Functional safety - Safety instrumented systems for the process industry sector - Guidance for the determination of the required safety integrity levels
AS 3814-2005 Industrial and Commercial Gas Fired Appliances
APA Group Presentation 8
Safety Instrumented Systems
Safety systems have been used for many years in process industries to perform safety instrumented functions. If instrumentation is to be effectively used for safety, it is essential that this instrumentation achieve certain minimum standards and performance levels.
AS NZS 61508 addresses Safety Instrumented Systems for all types of industrial applications. A Safety Instrumented System includes all components and subsystems necessary to carry out the safety instrumented function from sensor(s) to final element(s). IEC61511 addresses Safety Instrumented Systems applicable theProcess Industries only.
AS NZS 61511 applies to Safety Instrumented Systems for the Process Industry that is based on electrical / electronic / programmable electronic technology. Where other technologies are used for logic solvers, the basic principles of this standard should be applied. This standard also addresses the Safety Instrumented System’s sensors and final elements regardless of the applied technology.
IEC61508 and IEC61511 were recognized by the Australian Standards in the year 2000
APA Group Presentation 9
AS/NZS 2885.1
AS NZS 2885 does NOT currently call up AS NZS 61508 nor AS NZS 61511. However, specific levels of control for pressure reduction stations are mandated in AS/NZS 2885.1 clauses 7.2.1 and 7.2.3
Safety systems are now commonly used in the gas industry for safety functions in compressor stations, LNG facilities and processing plant, as well as certain ‘Type B’appliances:
AS/NZS 3814 requires compliance to AS/NZS 61508 and 61511 for “Type B” fuel-fired appliances controlled by programmable electronic systems. This applies to the following appliances
– Gas turbine engines (eg Solar Saturns, Centaurs, Taurus, Mars)
– Standby generators
– Waterbath heaters
For gas pipeline operators, assessment of compliance to engineering principles in AS/NZS 3814, as with other aspects of design for the gas pipeline control, is managed under the Pipeline Safety Case
APA Group Presentation 10
Large multi-run pressure reduction stations
Overpressure protection of pipelines at pressure reduction stations using pressure relief valves may not be acceptable due to offsite hazards.
Functional requirements for large multi-run pressure reduction stations in Victoria are becoming more demanding due to
– 4-hourly gas market demands, including frequent remote pressure setpoint control, stop/start operation and interaction with gas compressors
– Increased pipeline operating pressure, leading to higher pressure drops and potential low temperatures due to Joule-Thompson cooling
APA Group Presentation 11
Multi-run stations
Major Victorian multi-run stations (planned capacity)
– Dandenong City Gate (7 runs)
– Wollert City Gate (4 runs)
– Brooklyn Corio Pipeline (BCP) City Gate (5 runs)
– Brooklyn Lara Pipeline (BLP) City Gate (5 runs)
– Lara SWP City Gate (5 runs)
Wollert and Brooklyn projects are currently under construction
Design is complete for Dandenong and Lara projects
APA Group Presentation 12
APA Group Presentation 13
APA Group Presentation 14
APA Group Presentation 15
APA Group Presentation 16
APA Group Presentation 17
Brooklyn Lara Pipeline (BLP CG)
Brooklyn Corio Pipeline (BCP CG)(previously BCG)
Future Brooklyn Ballan Pipeline (BBP CG)(currently Brooklyn PL)
APA Group Presentation 18
APA Group Presentation 19
Dandenong City Gate
Commissioned in 1969
Initially 2 regulator runs, each with active and monitor regulators and station PSVs
Growth led to current 7 regulator runs
RTU to monitor and control pressure
PSVs replaced with electrical relay over-pressure trip of run inlet valves circa 1979 (ie PSHH trips the station)
PSVs removed due to proximity of flare
Slamshut controller replaced with separate RTU circa 1985
Approximately 65% of Melbourne’s daily gas flows through the station (about 80% annually). The station operates continuously.
APA Group Presentation 20
Design Issues
Regulators ‘fail-open’ design
Inlet valves ‘fail-last’ design
Common mode failure concern
Undetected regulator failure
Operator should not have to open/close runs to avoid overpressure
Additional heater differential pressure losses affect capacity
Control algorithms different at other sites
AS2885.1 requires max MAOP tolerance 1%
Flow imbalance between runs may lead to noise, erosion and filter failure
APA Group Presentation 21
Design Concept
Maintain multi-run station concept (ie retain headers)
Single active regulator, “fail-closed”
Upstream slamshut valve (SSV), “fail-closed”
Standardised control algorithm
Standardised test program (routine run safety verification tests)
Remote outlet pressure setpoint control
Provide improved operator interface (HMI) for maintenance
APA Group Presentation 22
Project Objectives
Meet safety objectives per AS61511
Minimise capital expense
Pressure control per AS2885.1:2007
High station availability 99.99%
Retain contract station differential pressure and peak flowrate design basis
Maintainability using common sub-components
APA Group Presentation 23
AS2885.1:2007 Clause 7.2.1Pipeline Pressure Control
The following requirements shall be implemented in design and operation of the pipeline pressure control.
MAOP under steady state conditions For pipelines intended to be operated at a set point equal to MAOP, the control system shall control the maximum pressure within a tolerance of 1%.
Pressure control and a second pressure limiting system are mandatory. The second (pressure limiting) system may be a secondpressure control or an overpressure shut-off system or pressure relief.
Pressure control system performance Pressure control and overpressure protection systems and their components shall have performance characteristics and properties necessary for their reliable and adequate operation during the design life of the pipeline.
APA Group Presentation 24
AS2885.1:2007 Clause 7.2.3Pipeline Facility Control
Most facilities are remote from their point of operation and generally designed for unattended operation. Each facility shall be designed with a local control system to manage the safe operation of the facility.
The local control system shall.
(a) Continue to operate in the event of a communications failure;(b) If electric powered, be provided with an uninterruptible power supply with
sufficient capacity to ensure continuous operation through a reasonable power outage;
(c) Use reliable technology;(d) Be designed to fail in a safe manner; and(e) Be designed with appropriate security.
Each facility may also be configured to enable remote monitoring or control of the facility.
APA Group Presentation 25
SIL Assignment and Verification
Analyse SIF “overpressure downstream pipeline”
Determine SIL achieved using current design with the existing RTUsand regulators
Determine SIL achievable using proposed design with single FC regulator, SSV and TMR PLC
Identify required maintenance regime
Select current BLP project as test case
Use standard GasNet panels
Use BLP regulator PID design
APA Group Presentation 26
Control Schematic for Regulator
APA Group Presentation 27
PID for Regulator Run
APA Group Presentation 28
Active Regulator
APA Group Presentation 29
Regulator characteristics
Fail closed valve
Electronic and pneumatic positioner (fails to pneumatic on loss of PES)
Common station backup pneumatic controller (balances load across runs)
Diagnostic inputs include closed limit switch and position feedback
Level 1 fault - valve detected faulty (eg sticky) with persistent control position discrepancy. Run inlet valve closes.
Level 2 fault – high outlet pressure and control valve not fully closed. Run inlet valve closes.
Level 3 fault – high outlet pressure. Close all run inlet valves.
Level 4 fault – high high outlet pressure. Inlet valve closes under pneumatic control.
APA Group Presentation 30
Fault Tree Models – Pressure Control
SIF-10
6.571E-4
FPCY-62154
4.257E-2
RTU2 3
GATE-6-12
GATE-6-13
1.095E-3
IMPULSE-LINE-(CLEAN)-PTA
2.625E-3
PT-62755A
GATE-6-14
1.095E-3
IMPULSE-LINE-(CLEAN)-PTB
2.625E-3
PT-62755B
GATE-6-15
1.095E-3
IMPULSE-LINE-(CLEAN)-PTC
2.625E-3
PT-62755C
Electronic PressureControl
Impulse Line- Clean Service
(exida)
Generic PressureTransmitter (exida)
Impulse Line- Clean Service
(exida)
Generic PressureTransmitter (exida)
Impulse Line- Clean Service
(exida)
Generic PressureTransmitter (exida)
Fisher DVC6000(4-20mA) Positioner
(exida)
Bristol ControlWave (Definedby AS61508)
SIF-10 - Electronic Pressure Control 2007/02/21 Page 6
APA Group Presentation 31
Fault Tree Model – TMR Based Control
RF-24A
3.520E-7
TRICON2 3
GATE-32-0
GATE-27-1
2.500E-7
IMPULSE-LINE-(R)-PTA
9.500E-7
PT-62755A(R)
GATE-27-2
2.500E-7
IMPULSE-LINE-(R)-PTB
9.500E-7
PT-62755B(R)
GATE-27-3
2.500E-7
IMPULSE-LINE-(R)-PTC
9.500E-7
PT-62755C(R)
Site Wide PressureControl (Tricon)
Generic PressureTransmitter (exida)
Generic PressureTransmitter (exida)
Generic PressureTransmitter (exida)
Impulse Line- Clean Service
(exida)
Impulse Line- Clean Service
(exida)
Impulse Line- Clean Service
(exida)
Triconex Tricon
RF-24A - Site Wide Pressure Control (Tricon) 2007/02/20 Page 33
APA Group Presentation 32
Slamshut valve
APA Group Presentation 33
Slamshut valve characteristics
Fail closed valve
Independent pneumatic high high and low low pressure trip will close the valve
Electronic open (option) and close control:
– Open is conditional on outlet pressure
– Close on PSHH or manual command from DCS or HMI
Auto/Manual control on slamshut panel. Alarm active while in manual.
APA Group Presentation 34
Standard Panel for Slamshut
APA Group Presentation 35
Fault Tree – Slamshut system
RF-28
5.700E-6
PSH-62151
2.095E-6
PYH-62151A
2.095E-6
PYH-62151B
9.800E-7
UV-62151
1.630E-6
UZ-62151
GATE-37-0
Slam Shut
Fisher 4660Pressure Switch
Pneumatic (OREDA84)
Trunnion BallValve (Exida)
Bettis CB SeriesValve Actuator
(Exida)
(Valve Actuator)Generic 2/3 Way
Valve (Exida)
(Pilot Booster)Generic 2/3 Way
Valve (Exida)
RF-28 - Slam Shut 2007/02/21 Page 37
APA Group Presentation 36
Fault Tree Model – RTU Whole System
RF-26
GATE-31-0
GATE-31-5
GATE-31-10
5.700E-6
PSH-62151
2.095E-6
PYH-62151A
2.095E-6
PYH-62151B GATE-31-28
9.800E-7
UV-62151
1.630E-6
UZ-62151
GATE-31-11
1.981E-5
FPCV-62154A(R) GATE-31-27
GATE-31-29
9.150E-7
FPCY-62154(R)
32
RF-24
GATE-31-30
GATE-31-31
2.500E-7
IMPULSE-LINE-(CLEAN)-PCA
5.620E-7
PC-62154
2.390E-7
UY-62154-(FAIL-ON)
2.000E-5
UY-62154A-(FAIL-ON)
GATE-31-1
GATE-31-6
GATE-31-12
5.700E-6
PSH-62251
2.095E-6
PYH-62251A
2.095E-6
PYH-62251B GATE-31-26
9.800E-7
UV-62251
1.630E-6
UZ-62251
GATE-31-13
1.981E-5
FPCV-62254A(R) GATE-31-25
GATE-31-32
GATE-31-33
2.500E-7
IMPULSE-LINE-(CLEAN)-PCB
5.620E-7
PC-62254
2.390E-7
UY-62254-(FAIL-ON)
2.000E-5
UY-62254A-(FAIL-ON)
GATE-31-34
9.150E-7
FPCY-62254(R)
32
RF-24
GATE-31-2
GATE-31-7
GATE-31-14
5.700E-6
PSH-62351
2.095E-6
PYH-62351A
2.095E-6
PYH-62351B GATE-31-24
9.800E-7
UV-62351
1.630E-6
UZ-62351
GATE-31-15
1.981E-5
FPCV-62354A(R) GATE-31-23
GATE-31-35
GATE-31-36
2.500E-7
IMPULSE-LINE-(CLEAN)-PCC
5.620E-7
PC-62354
2.390E-7
UY-62354-(FAIL-ON)
2.000E-5
UY-62354A-(FAIL-ON)
GATE-31-37
9.150E-7
FPCY-62354(R)
32
RF-24
GATE-31-3
GATE-31-8
GATE-31-16
5.700E-6
PSH-62451
2.095E-6
PYH-62451A
2.095E-6
PYH-62451B GATE-31-39
9.800E-7
UV-62451
1.630E-6
UZ-62451
GATE-31-17
1.981E-5
FPCV-62454A(R) GATE-31-22
GATE-31-38
GATE-31-40
2.500E-7
IMPULSE-LINE-(CLEAN)-PCD
5.620E-7
PC-62454
2.390E-7
UY-62454-(FAIL-ON)
2.000E-5
UY-62454A-(FAIL-ON)
GATE-31-41
9.150E-7
FPCY-62454(R)
32
RF-24
GATE-31-4
GATE-31-9
GATE-31-18
5.700E-6
PSH-62551
2.095E-6
PYH-62551A
2.095E-6
PYH-62551B GATE-31-21
9.800E-7
UV-62551
1.630E-6
UZ-62551
GATE-31-19
1.981E-5
FPCV-62554A(R) GATE-31-20
GATE-31-42
GATE-31-43
2.500E-7
IMPULSE-LINE-(CLEAN)-PCE
5.620E-7
PC-62554
2.390E-7
UY-62554-(FAIL-ON)
2.000E-5
UY-62554A-(FAIL-ON)
GATE-31-44
9.150E-7
FPCY-62554(R)
32
RF-24
Site Wide PressureControl
Site Wide PressureControl
Site Wide PressureControl
Site Wide PressureControl
Site Wide PressureControl
Site Wide TrainControls (Single
Valve) TotalFailures
Bettis CB SeriesValve Actuator
(Exida)
Bettis CB SeriesValve Actuator
(Exida)
Bettis CB SeriesValve Actuator
(Exida)
Bettis CB SeriesValve Actuator
(Exida)
Trunnion BallValve (Exida)
Trunnion BallValve (Exida)
Trunnion BallValve (Exida)
Trunnion BallValve (Exida)
(Valve Actuator)Generic 2/3 Way
Valve (Exida)
(Pilot Booster)Generic 2/3 Way
Valve (Exida)
(Valve Actuator)Generic 2/3 Way
Valve (Exida)
(Pilot Booster)Generic 2/3 Way
Valve (Exida)
(Valve Actuator)Generic 2/3 Way
Valve (Exida)
(Pilot Booster)Generic 2/3 Way
Valve (Exida)
(Valve Actuator)Generic 2/3 Way
Valve (Exida)
(Pilot Booster)Generic 2/3 Way
Valve (Exida)
Fisher 4660Pressure Switch
Pneumatic (OREDA84)
Fisher 4660Pressure Switch
Pneumatic (OREDA84)
Fisher 4660Pressure Switch
Pneumatic (OREDA84)
Fisher 4660Pressure Switch
Pneumatic (OREDA84)
Fisher DVC6000(4-20mA) Positioner
(exida)
Fisher DVC6000(4-20mA) Positioner
(exida)
Fisher DVC6000(4-20mA) Positioner
(exida)
Fisher DVC6000(4-20mA) Positioner
(exida)
Fisher DVC6000(4-20mA) Positioner
(exida)
Pressure ReducingValve (Oreda2002 pp 757)
Pressure ReducingValve (Oreda2002 pp 757)
Pressure ReducingValve (Oreda2002 pp 757)
Pressure ReducingValve (Oreda2002 pp 757)
Pressure ReducingValve (Oreda2002 pp 757)
Pneumatic Relay(US DOE)
Burkert 6014Solenoid (Failed
Energised) (Burkert/ exida)
Pneumatic Relay(US DOE)
Burkert 6014Solenoid (Failed
Energised) (Burkert/ exida)
Pneumatic Relay(US DOE)
Burkert 6014Solenoid (Failed
Energised) (Burkert/ exida)
Pneumatic Relay(US DOE)
Burkert 6014Solenoid (Failed
Energised) (Burkert/ exida)
Impulse Line- Clean Service
(exida)
Foxboro 43APGPneumatic Controller
(Foxboro Data)
Foxboro 43APGPneumatic Controller
(Foxboro Data)
Foxboro 43APGPneumatic Controller
(Foxboro Data)
Impulse Line- Clean Service
(exida)
Foxboro 43APGPneumatic Controller
(Foxboro Data)
Impulse Line- Clean Service
(exida)
Impulse Line- Clean Service
(exida)
Impulse Line- Clean Service
(exida)
Fisher 4660Pressure Switch
Pneumatic (OREDA84)
Trunnion BallValve (Exida)
Bettis CB SeriesValve Actuator
(Exida)
(Valve Actuator)Generic 2/3 Way
Valve (Exida)
(Pilot Booster)Generic 2/3 Way
Valve (Exida)
Foxboro 43APGPneumatic Controller
(Foxboro Data)
Pneumatic Relay(US DOE)
Burkert 6014Solenoid (Failed
Energised) (Burkert/ exida)
RF-26 - Site Wide Train Controls (Single Valve) Total Failures 2007/02/20 Page 31
APA Group Presentation 37
Fault Tree Model – TMR Whole System
RF-26A
GATE-31-0
GATE-31-5
GATE-31-10
5.700E-6
PSH-62151
2.095E-6
PYH-62151A
2.095E-6
PYH-62151B GATE-31-28
9.800E-7
UV-62151
1.630E-6
UZ-62151
GATE-31-11
1.981E-5
FPCV-62154A(R) GATE-31-27
GATE-31-29
9.150E-7
FPCY-62154(R)
32
RF-24
GATE-31-30
GATE-31-31
2.500E-7
IMPULSE-LINE-(CLEAN)-PCA
5.620E-7
PC-62154
2.390E-7
UY-62154-(FAIL-ON)
2.000E-5
UY-62154A-(FAIL-ON)
GATE-31-1
GATE-31-6
GATE-31-12
5.700E-6
PSH-62251
2.095E-6
PYH-62251A
2.095E-6
PYH-62251B GATE-31-26
9.800E-7
UV-62251
1.630E-6
UZ-62251
GATE-31-13
1.981E-5
FPCV-62254A(R) GATE-31-25
GATE-31-32
GATE-31-33
2.500E-7
IMPULSE-LINE-(CLEAN)-PCB
5.620E-7
PC-62254
2.390E-7
UY-62254-(FAIL-ON)
2.000E-5
UY-62254A-(FAIL-ON)
GATE-31-34
9.150E-7
FPCY-62254(R)
32
RF-24
GATE-31-2
GATE-31-7
GATE-31-14
5.700E-6
PSH-62351
2.095E-6
PYH-62351A
2.095E-6
PYH-62351B GATE-31-24
9.800E-7
UV-62351
1.630E-6
UZ-62351
GATE-31-15
1.981E-5
FPCV-62354A(R) GATE-31-23
GATE-31-35
GATE-31-36
2.500E-7
IMPULSE-LINE-(CLEAN)-PCC
5.620E-7
PC-62354
2.390E-7
UY-62354-(FAIL-ON)
2.000E-5
UY-62354A-(FAIL-ON)
GATE-31-37
9.150E-7
FPCY-62354(R)
32
RF-24
GATE-31-3
GATE-31-8
GATE-31-16
5.700E-6
PSH-62451
2.095E-6
PYH-62451A
2.095E-6
PYH-62451B GATE-31-39
9.800E-7
UV-62451
1.630E-6
UZ-62451
GATE-31-17
1.981E-5
FPCV-62454A(R) GATE-31-22
GATE-31-38
GATE-31-40
2.500E-7
IMPULSE-LINE-(CLEAN)-PCD
5.620E-7
PC-62454
2.390E-7
UY-62454-(FAIL-ON)
2.000E-5
UY-62454A-(FAIL-ON)
GATE-31-41
9.150E-7
FPCY-62454(R)
32
RF-24
GATE-31-4
GATE-31-9
GATE-31-18
5.700E-6
PSH-62551
2.095E-6
PYH-62551A
2.095E-6
PYH-62551B GATE-31-21
9.800E-7
UV-62551
1.630E-6
UZ-62551
GATE-31-19
1.981E-5
FPCV-62554A(R) GATE-31-20
GATE-31-42
GATE-31-43
2.500E-7
IMPULSE-LINE-(CLEAN)-PCE
5.620E-7
PC-62554
2.390E-7
UY-62554-(FAIL-ON)
2.000E-5
UY-62554A-(FAIL-ON)
GATE-31-44
9.150E-7
FPCY-62554(R)
32
RF-24
Site Wide TrainControls (Single
Valve) TotalFailures (Tricon)
Site Wide PressureControl
Site Wide PressureControl
Site Wide PressureControl
Site Wide PressureControl
Site Wide PressureControl
Bettis CB SeriesValve Actuator
(Exida)
Bettis CB SeriesValve Actuator
(Exida)
Bettis CB SeriesValve Actuator
(Exida)
Bettis CB SeriesValve Actuator
(Exida)
Trunnion BallValve (Exida)
Trunnion BallValve (Exida)
Trunnion BallValve (Exida)
Trunnion BallValve (Exida)
(Valve Actuator)Generic 2/3 Way
Valve (Exida)
(Pilot Booster)Generic 2/3 Way
Valve (Exida)
(Valve Actuator)Generic 2/3 Way
Valve (Exida)
(Pilot Booster)Generic 2/3 Way
Valve (Exida)
(Valve Actuator)Generic 2/3 Way
Valve (Exida)
(Pilot Booster)Generic 2/3 Way
Valve (Exida)
(Valve Actuator)Generic 2/3 Way
Valve (Exida)
(Pilot Booster)Generic 2/3 Way
Valve (Exida)
Fisher 4660Pressure Switch
Pneumatic (OREDA84)
Fisher 4660Pressure Switch
Pneumatic (OREDA84)
Fisher 4660Pressure Switch
Pneumatic (OREDA84)
Fisher 4660Pressure Switch
Pneumatic (OREDA84)
Fisher DVC6000(4-20mA) Positioner
(exida)
Fisher DVC6000(4-20mA) Positioner
(exida)
Fisher DVC6000(4-20mA) Positioner
(exida)
Fisher DVC6000(4-20mA) Positioner
(exida)
Fisher DVC6000(4-20mA) Positioner
(exida)
Pressure ReducingValve (Oreda2002 pp 757)
Pressure ReducingValve (Oreda2002 pp 757)
Pressure ReducingValve (Oreda2002 pp 757)
Pressure ReducingValve (Oreda2002 pp 757)
Pressure ReducingValve (Oreda2002 pp 757)
Pneumatic Relay(US DOE)
Burkert 6014Solenoid (Failed
Energised) (Burkert/ exida)
Pneumatic Relay(US DOE)
Burkert 6014Solenoid (Failed
Energised) (Burkert/ exida)
Pneumatic Relay(US DOE)
Burkert 6014Solenoid (Failed
Energised) (Burkert/ exida)
Pneumatic Relay(US DOE)
Burkert 6014Solenoid (Failed
Energised) (Burkert/ exida)
Impulse Line- Clean Service
(exida)
Foxboro 43APGPneumatic Controller
(Foxboro Data)
Foxboro 43APGPneumatic Controller
(Foxboro Data)
Foxboro 43APGPneumatic Controller
(Foxboro Data)
Impulse Line- Clean Service
(exida)
Foxboro 43APGPneumatic Controller
(Foxboro Data)
Impulse Line- Clean Service
(exida)
Impulse Line- Clean Service
(exida)
Impulse Line- Clean Service
(exida)
Fisher 4660Pressure Switch
Pneumatic (OREDA84)
Trunnion BallValve (Exida)
Bettis CB SeriesValve Actuator
(Exida)
(Valve Actuator)Generic 2/3 Way
Valve (Exida)
(Pilot Booster)Generic 2/3 Way
Valve (Exida)
Foxboro 43APGPneumatic Controller
(Foxboro Data)
Pneumatic Relay(US DOE)
Burkert 6014Solenoid (Failed
Energised) (Burkert/ exida)
RF-26A - Site Wide Train Controls (Single Valve) Total Failures (Tricon) 2007/02/20 Page 34
APA Group Presentation 38
Layers Of Protection AnalysisProject: Gasnet Brooklyn Control System RebuildSIF Identifier: SIF-001SIF DescriptionAreaP& ID
7a 7b 7c 7d 7e 8 10 11 12
Impact Event Description
InitiatingCause
InitiatingLikelihood
Safety Category
and Target Risk
Envir.Category and Target Risk
Econ.Category
and Target Risk
GeneralProcessDesign
Basic Process Control System
Alarms& Operator Response
Additionalmitigation, restricted
access
IPL additional mitigation,
dikes, pressure relief
EIL Environmental AIL Economical
Actual PFD of the SIF
MitigatedSafety EventLikelihood
/Year A$ Occupancy Ignition Fatality Factor Factor 1
1Regulation Train Over Pressure
Supply Regulator Valve Mechanical
Failure0.0133152 10 Fatalities Minor 10,000,000
Not Designed to Contain
Pressure Off Site (GPU Gasnet)
No Protection Possible from
Redundant Pneumatic Controls
AlarmsDownstream Slam Shut
Pressure Relief Capacity
Inadequate
Target Target Target 0.1 0.3 1 1 1
1.3E-02 1.0E-06 1.0E-02 1.0E-05 0 0.0E+00 1.0E-01 8.3E-03 0.0E+00 1.1E-05 9.1E+02 9.1E-01EIL 0 AIL 0 8.3E-03 2.73E-09
2Regulation Train Over Pressure
Supply Regulator Electronic Control
System Failure0.0876 10 Fatalities Minor 10,000,000
Not Designed to Contain
Pressure Off Site (GPU Gasnet)
Protection Possible from
Redundant Pneumatic Controls
AlarmsDownstream Slam Shut
Pressure Relief Capacity
Inadequate
Target Target Target 0.1 0.3 18.8E-02 1.0E-06 1.0E-02 1.0E-05 0 4.5E-02 1.0E-01 8.3E-03 0.0E+00 3.3E-06 3.1E+03 3.1E+00
EIL 0 AIL 0 8.3E-03 8.10E-10
3Regulation Train Over Pressure
Process Back Pressure 0.2 10 Fatalities Minor 10,000,000
Not Designed to Contain
Pressure Off Site (GPU Gasnet)
Yes AlarmsDownstream Slam Shut
Pressure Relief Capacity
Inadequate
Target Target Target 0.1 0.3 12.0E-01 1.0E-06 1.0E-02 1.0E-05 0 4.5E-02 1.0E-01 8.3E-03 0.0E+00 7.5E-06 1.3E+03 1.3E+00
EIL 0 AIL 0 8.3E-03 1.85E-09
Prepared by: Reviewed by: EIL AIL
Title Name Signature Date Title Name Signature Date 4.6E+02 4.6E-01FS Engineer Allan Gibson 16-Mar-07 Process
ManagerAlan Burt
EIL 0 AIL 0 YesTitle Name Signature DateProcess Engineer
David Little
ConclusionSIL
3.0E+00SIL 0
SIF Integrity Level
Occupancy assumed to be less than 876 man hours per year. Ignition
data from Oreda Fire and Gas Study
Compliance
5.383E-09
SIL 0Less than target
SIL Total Mitigated Safety Event Likelihood
SIF-0011.53E+00
Summary
Occupancy assumed to be less than 876 man hours per year. Ignition
data from Oreda Fire and Gas Study
Gas High Pressure
95 6
Layers of Protection11
Intermediate
eventLikelihood
1 2 3 7
4.5E+00SIL 0
1.0E+01SIL 0
Occupancy assumed to be less than 876 man hours per year. Ignition
data from Oreda Fire and Gas Study
APA Group Presentation 39
Safety
The safety system for these valves is primarily pneumatic, with the ability to be remotely operated from the network control room and as such is subject to the failure rates of these components and the low accuracy of switching compared to the electronic equivalents.
Adding the electronic diagnostics reduces the failure rate for the pneumatic safety system from 3.6E-2 to 1.05E-2 for the RTU based solution improving slightly to 9.3E-003 for a TMR based solution by bypassing some of the pneumatic logic and providing a parallel trip path. These are however again limited by the reliability of the safety system valves which places a floor under the possible shutdown system performance.
The actual experienced failure rate for the slam shut system has been in excess of 8.26E-3 based on ‘proven in use’ data received from GasNet and this has been used in the above event trees.
APA Group Presentation 40
Control system implementation
Assuming the reliability of the Bristol RTU is inline with industrial standards a spurious trip can be expected due to a control system failure at approximately 11.5 year intervals. This means that a failure will probably occur during the life of the plant due to this cause.
Replacing the Bristol RTU with a typical TMR based system will raise this to the 300 to 3000 year range.
The probability of a failure of a 2oo3 voting system for the pressure transmitters used in control of either system is so low as to be irrelevant, at 10-12 per year unless a common cause is considered such as a lighting strike or miss-calibration. These causes are still far less likely than an RTU failure which dominates the probability of failure.
APA Group Presentation 41
Control and Slamshut Valve Reliability
Single Control Valve:
– The Single Control Valve control implementation will result in a failure requiring unscheduled maintenance about every 0.7 years for a station with 5 trains, primarily driven by control valve failures.
– Installing a TMR based control system will raise this to 0.8 years.
Dual Control Valve
– The Dual Control Valve control implementation will result in a failure requiring unscheduled maintenance about every 0.41 years for a station with 5 trains, again primary driven by control valve failures (ie about double the rate for single control valve installation).
– Installing a TMR based control system will raise this to 0.42 years, a barely noticeable change.
Slam Shut Valve
– It is estimated that an individual slam shut valve will close spuriously about every 10 years
APA Group Presentation 42
Conclusions
Safety target is met with one regulator per run provided a TMR PLC is used
– TMR + Reg + SSV = 2*RTU + 2*Reg + SSV
For multi-run stations, use of the TMR is more economic because of the cost savings of the regulators. For the same station capacity:
– Dandenong single regulator solution requires 7 regulators and 7 SSVs
– Dandenong dual regulator solution requires 20 regulators and 10 SSVs
For dual run (primary and standby runs) a simpler instrumented design is likely to be more economic.
Diagnostic systems are required to detect failed/faulty regulator
Records of failure data or SIL rating are required for all components in the safety system
APA Group Presentation 43
Program Rollout
Tricon selected for initial city gate sites at Brooklyn and Wollert
2*Trident selected for 4 ea Brooklyn heater BMS
Interface via TUV serial link to Compressor Station Tricons at Brooklyn and Wollert
Standard function blocks
Standard field devices
APA Group Presentation 44
We Deliver Energywww.pipelinetrust.com.au
Top Related