ULT NE WORKSHOP ON THE PREVENTION OF WATER POLLUTION DUE TO PIPELINE ACCIDENTS
ULT NE International standards and recommended practices for the safety and environmental integrity level of international oil pipeline systems Mr. Lars Bangert, Head of Unit "Pipeline Systems", ILF Consulting Engineers, Germany Thursday, 9 June 2005
AGENDA 1. Overview and Terminology 2. Functional Design Criteria for the SCADA System Process requirements Pipeline integrity requirements Operational requirements 3. Functional Design Criteria for the Telecom System Process requirements Operational requirements Pipeline integrity requirements
AGENDA 4. Pipeline Integrity Design and Review of Safety Integrity Level SCADA built in (internal) control mechanism operational (external) control mechanism 5. SCADA Design Implementation 6. Telecom Design Implementation
1. Overview and Terminology a) Automation & Control Terminology SCADA Supervisory Control and Data Acquisition ICSS Integrated Control and Safety System DCS Distributed Control System PLC Programmable Logic Controller FSC Fail Safe Controller
1. Overview and Terminology b) Purpose of (Pipeline) SCADA systems Integration of field equipment (e.g. actuator, sensor or pump) and small scale (unit) automation systems to the control centre computer system Transparent view for an operator on a complex process environment Efficient management/control of a remote process Support of pipeline integrity (for safety, environmental and commercial aspects)
1. Overview and Terminology c) Purpose of (Pipeline) Telecom Systems data channels for the SCADA system voice channels for Operator instruction (control centre local control room) Data channels for business WAN application (e.g. facility management, GIS-data warehouse, e-mail, etc.)
2. Functional Design Criteria for the SCADA System a) Process requirements prevent critical process conditions Pump Station control (suction-/discharge-pressure control including overrides) (open) flow path monitoring slack line control b) Pipeline Integrity requirements Integrated control and safety system (e.g. PSHH interlocks) SCADA built in monitoring mechanism (e.g. LDS, PCM) Programmed automatic ESD-Sequences (e.g. ESD-Pushbutton, Shut-Down due to Communication Failure)
2. Functional Design Criteria for the SCADA System c) Operational requirements Remote Control via Control Centre Point-of-control (transfer procedures) simplified and summarized process information for the Operator Process Visualisation and Reporting (Process Displays and Alarm Handling) Integration of third party equipment Executive Control Sequences to support operator action
3. Functional Design Criteria for the Telecom System a) Process requirements redundant communication channels for SCADA system b) Operational requirements high system availability ( no comms, no operation ) Voice channels for operator communication Data channels for business applications Video conference facilities c) Pipeline Integrity requirements Reliable communication necessary for critical process data exchange ( Back-up communication link via satellite) Hotline functionality between operator control rooms
4. Pipeline Integrity-Design and Review of Safety Integrity Level (SIL) Example for a safety instrumented function Control Room ESD Valve Plant Area High Pressure Sensor Mechanical Relief Valve to Flare Gas Well Fluids Separator Operator Interface Shutdown System Logic Solver Water Oil
4. Pipeline Integrity-Design and Review of Safety Integrity Level (SIL) Various Reasons for SIL Assessment: 1. How much reliance do we need to place on the protective system to address the process safety concerns for a given application? or What integrity does it need to have? What is its required performance standard? 2. Engineer and maintain the system to - achieve the required integrity or - performance standard during its life
4. Pipeline Integrity-Design and Review of Safety Integrity Level (SIL) 3. national regulatory authorities expect it from us as prudent operators 4. Allows us to focus testing effort on the minority of safety systems which are critical for managing safety, environmental or commercial risks and spend less effort on the majority which are not critical
4. Pipeline Integrity-Design and Review of Safety Integrity Level (SIL) Four Safety Integrity Levels are defined in IEC 61508 / IEC 61511 Safety Integrity Level (SIL) Probability of Failure on Demand (PFD) Probability of Success on Demand Risk Reduction Factor (RRF) 4 (NR) 10-4 -10-5 99.99-99.999% 10,000-100,000 3 10-3 -10-4 99.9-99.99% 1,000-10,000 2 10-2 -10-3 99-99.9% 100-1,000 1 10-1 -10-2 90-99% 10-100 NR = Not Recommended
4. Pipeline Integrity-Design and Review of Safety Integrity Level (SIL) How to determine SIL? None of the standards recommend a particular qualitative or (semi-) quantitative method The standards suggest several methods in informative guidance as examples only No standard calibrates any of the suggested methods i.e. sets a tolerable risk level. This is up to the end user organizations.
4. Pipeline Integrity-Design and Review of Safety Integrity Level (SIL) Team approach, similar to Hazop Safety Engineer Process/Pipeline Engineer Operations Representative Instrument/Control Engineer Bring in other skills as required e.g. machinery
4. Pipeline Integrity-Design and Review of Safety Integrity Level (SIL) Risk Graph from IEC 61508 / 61511 Consequence Severity Minor Injury Serious Injuries or 1 Death Death to several people Very many people killed Frequency & Exposure Time Rare a = No special safety requirements b = A single E/E/PES is not sufficient F R F R Frequent Alternatives To Avoid Danger Possible N L P N L P N L P Not Likely Demand Rate Relatively High Low Very Low a 1 2 - - a 1 a 3 2 1 4 3 2 b 4 3 Safety Integrity Level (SIL) -
4. Pipeline Integrity-Design and Review of Safety Integrity Level (SIL) Environmental Risk Graph adapted from Safety Risk Graph Consequence Severity Environmental Damage Ca - minor Cb local outrage Cc national outrage Cd multinational outrage Alternatives To Avoid Damage Possible N L P N L P N L P Not Likely Demand Rate Relatively High Low Very Low 1 2 a 1 - a 3 2 1 4 3 2 b 4 3 Environmental Integrity Level (EIL)
4. Pipeline Integrity-Design and Review of Safety Integrity Level (SIL) Commercial Risk Graph adapted from Safety Risk Graph Consequence Severity Commercial Impact Ca - $50k - $500k Cb >$500k - $5m Cc >$5m - $50m Cd >$50 million Alternatives To Avoid Impact Possible N L P N L P N L P Not Likely Demand Rate Relatively High Low Very Low a 1 - a - - 2 1 a 3 2 1 4 3 2 Calibrated to be risk neutral Commercial Integrity Level (CIL)
4. Pipeline Integrity-Design and Review of Safety Integrity Level (SIL) Required Information for SIL determination P&IDs Design information on plant, PSV pressure ratings, pipeline hydraulic analysis, dynamic response to disturbances Cause and Effect Diagrams Setpoints of trips and margin from alarm levels
4. Pipeline Integrity-Design and Review of Safety Integrity Level (SIL) Required Information for SIL determination Hazop reports QRAs assumptions on event sizes and frequencies Personnel distribution and occupancy at the sites Proximity of the public to the sites Environmental impacts of loss of containment Value of partial and full pipeline shutdown per day
4. Pipeline Integrity-special SCADA applications to monitor Pipeline Integrity a) Leak Detection System (LDS) Conventional Detection and Location Methods Mass Balance Pressure Drop (negative) pressure wave Dynamic Model of the pipeline system b) Pressure Cycle Monitoring System (PCM-System) Calculation of the remaining Pipeline system lifetime, based on monitored and classified pressure cycles
4. Pipeline Integrity-operational control mechanism a) Intelligent pig runs Monitoring of internal pipe corrosion Detection of very small leakage b) Flight surveys Monitoring of activities across the Pipeline Right-of- Way(e.g. construction work, erosion, any changes)
5. SCADA Design Implementation (Typical System Architecture)
5. SCADA Design Implementation (Key Data)
5. SCADA Design Implementation (Factory Acceptance Test)
6. Telecom Design Implementation (Transmission System Architecture)
6. Telecom Design Implementation (System Key Data) Medium: Transmission System: Fibre Optic Cable with G.652 fibres SDH STM-16 with - 1 SDH Terminal Multiplexes - 60 SDH Add/Drop Multiplexes - 5 red. SDH Cross-Connector - 1 Network Management System Backup System: Communication system: VSAT (DAMA) system for the connection of the two control centres at Sangachal and Ceyhan in case of a primary telecom system failure 14 PABX
6. Telecom Design Implementation (System Overview) Back-up NMS Data Back-up PABX Tie-lines 32kbit/s V.35 4W E&M VSAT Terminal (BOTAS) ICSS Siemens SDH Node Turkey Hotline 64kbit/s PDH E1 VC-12 V.11 Mux Other Hotline Units in Turkey by BOTAS H.320 Back-up Hotline 64kbit/s V.11 PABX VC NMS MasterBus Data 64kbit/s V.35 H.323 LAN 10BaseT Non-COE * Router * For traffic managemen t LAN E1 Client/Server Data 256kbit/s V.35 COE Router Non- 10BaseT COE NMS Switch Non-COE CCTV * Router Server * For traffic management Non- COE Switch Future CCTV BOTAS Router VC-12 VC-12 VC-12 VC-12 Georgia / Azerbaijan Siemens SDH Node Local ABB Node ControlNet A 10BaseT RJ45 ICSS ControlNet B 10BaseT RJ45 Hirschmann Switches Client/Server A 100BaseT RJ45 Client/Server B 100BaseT RJ45 MasterBus A 10BaseT RJ45 MasterBus B 10BaseT RJ45 Omnibus Hotline E1 G.703 120Ω Inter-PABX E1 G.703 120Ω COE WAN/LAN 10BaseT E1 G.703 120Ω Non-COE WAN/LAN 10/100BaseT RJ45 Non-COE WAN/LAN E1 G.703 120Ω Allowance for future CCTV 100BaseT RJ45 COE Router/Firewal l BOTAS WAN/LAN 10BaseT E1 G.703 120Ω 512 (448) kbit/s VSAT leased circuit Sagem SDH Node VC-12 VC-12 VC-12 VC-12 CCTV from cameras 8 x VC-12 Sangachal is Master for E1 Synchronisation Sagem SDH Node E1 VSAT Terminal (BTC) Client/Server Data 256kbit/s V.35 PDH Mux ICSS E1 LAN COE Router BOTAS Router MasterBus Data 64 kbit/s V.35 64kbit/s V.11 H.323 Hotline H.320 Back-up Hotline 64kbit/s V.11 Back-up PABX Tie-lines 4W E&M PABX VC LAN Back-up NMS Data 32kbit/s V.35 Ceyhan GB26 Sangachal CCB
ULT NE Thank you for your attention Lars.Bangert@muc.ilf.com