workshop on the prevention of water pollution …

ULTN E

WORKSHOP ON THEPREVENTION OF WATER POLLUTION

DUE TO PIPELINE ACCIDENTS

ULTN E

International standards and recommended practices for the safety and environmental integrity level of

international oil pipeline systems

Mr. Lars Bangert, Head of Unit "Pipeline Systems", ILF Consulting Engineers, Germany

Thursday, 9 June 2005

UN

AGENDAAGENDA

1. Overview and Terminology

2. Functional Design Criteria for the SCADA SystemProcess requirementsPipeline integrity requirementsOperational requirements

3. Functional Design Criteria for the Telecom SystemProcess requirementsOperational requirements Pipeline integrity requirements

UN

AGENDAAGENDA

4. Pipeline IntegrityDesign and Review of Safety Integrity LevelSCADA built in (internal) control mechanismoperational (external) control mechanism

5. SCADA Design Implementation

6. Telecom Design Implementation

UN

1. Overview and Terminology1. Overview and Terminology

a) Automation & Control TerminologySCADA Supervisory Control and Data Acquisition

ICSS Integrated Control and Safety System

DCS Distributed Control System

PLC Programmable Logic Controller

FSC Fail Safe Controller

UN


b) Purpose of (Pipeline) SCADA systemsIntegration of field equipment (e.g. actuator, sensor or pump) and small scale (unit) automation systems to the control centre computer system

Transparent view for an operator on a complex process environment

Efficient management/control of a remote process

Support of pipeline integrity (for safety, environmental and commercial aspects)

UN


c) Purpose of (Pipeline) Telecom Systemsdata channels for the SCADA systemvoice channels for Operator instruction (control centre – local control room) Data channels for business WAN application (e.g. facility management, GIS-data warehouse, e-mail, etc.)

UN

2.2. Functional Design Criteria for the SCADA SystemFunctional Design Criteria for the SCADA System

a) Process requirementsprevent critical process conditions

Pump Station control (suction-/discharge-pressure control including overrides)

(open) flow path monitoring

slack line control

b) Pipeline Integrity requirementsIntegrated control and safety system (e.g. PSHH interlocks)SCADA built in monitoring mechanism (e.g. LDS, PCM)Programmed automatic ESD-Sequences(e.g. ESD-Pushbutton, Shut-Down due to Communication Failure)

UN

2.2. Functional Design Criteria for the SCADA SystemFunctional Design Criteria for the SCADA System

c) Operational requirementsRemote Control via Control Centre

Point-of-control (transfer procedures)

simplified and summarized process information for the Operator

Process Visualisation and Reporting (Process Displays and Alarm Handling)

Integration of third party equipment

Executive Control Sequences to support operator action

UN

3.3. Functional Design Criteria for the Functional Design Criteria for the TelecomTelecom SystemSystem

a) Process requirementsredundant communication channels for SCADA system

b) Operational requirementshigh system availability ( “no comms, no operation”)

Voice channels for operator communication

Data channels for business applications

Video conference facilities

c) Pipeline Integrity requirementsReliable communication necessary for critical process data exchange ( Back-up communication link via satellite)

Hotline functionality between operator control rooms

UN4. 4. Pipeline IntegrityPipeline Integrity--Design and Review of Design and Review of

Safety Integrity Level (SIL)Safety Integrity Level (SIL)

Plant Area

Gas

OilWater

Well Fluids

ESD Valve

HighPressureSensor

MechanicalRelief Valve

to Flare

Shutdown SystemLogic Solver

Control Room

Operator Interface

Separator

Example for a safety instrumented function



Various Reasons for SIL Assessment:1. How much reliance do we need to place on the protective

system to address the process safety concerns for a given application?orWhat integrity does it need to have?What is its required performance standard?

2. Engineer and maintain the system to - achieve the required integrity or - performance standard during its life



3. national regulatory authorities expect it from us as prudent operators

4. Allows us to focus testing effort on the minority of safety systems which are critical for managing safety, environmental or commercial risks and spend less effort on the majority which are not critical



Four Safety Integrity Levels are defined in IEC 61508 / IEC 61511

NR = Not Recommended

SafetyIntegrity

Level (SIL)

4 (NR)

Probability ofFailure on

Demand (PFD)

10-4 - 10-5

3

2

1

10-3 - 10-4

10-2 - 10-3

10-1 - 10-2

Probability ofSuccess on

Demand

90 - 99%

99 - 99.9%

99.9 - 99.99%

99.99 - 99.999%

RiskReduction

Factor (RRF)

10 - 100

100 - 1,000

10,000 - 100,000

1,000 - 10,000



How to determine SIL?None of the standards recommend a particular qualitative or (semi-) quantitative method

The standards suggest several methods in informative guidance as examples only

No standard calibrates any of the suggested methods i.e. sets a tolerable risk level. This is up to the end user organizations.



Team approach, similar to HazopSafety Engineer

Process/Pipeline Engineer

Operations Representative

Instrument/Control Engineer

Bring in other skills as required e.g. machinery



Risk Graph from IEC 61508 / 61511

a = No special safety requirementsb = A single E/E/PES is not sufficient

ConsequenceSeverity

Frequency &Exposure

Time

AlternativesTo Avoid

Danger

Demand Rate

Very Low

a

1

2

a

1 a

3 2 1

4 3 2

b 4 3

Minor Injury

Not Likely

Possible

Serious Injuriesor 1 DeathDeath toseveral people

Very manypeople killed

Rare

Frequent

RF

LowRelatively High

Safety Integrity Level (SIL)

- -

-

P

P

PN L

N L

N LF

R



Environmental Risk Graph adapted from Safety Risk Graph

Very LowLow

Relatively High

ConsequenceSeverity –

Environmental Damage


Damage

Demand Rate

1

2

a

1 a

3 2 1

4 3 2

b 4 3Not Likely

Possible

Environmental Integrity Level (EIL)

-

P

P

PN L

N L

N LCa - minor

Cb – local outrage

Cc – national outrage

Cd – multinational outrage



Commercial Risk Graph adapted from Safety Risk Graph

Very Low Low

Relatively High

ConsequenceSeverity –

Commercial Impact


Impact

Demand Rate

a

1

-

a -

2 1 a

3 2 1

4 3 2Not Likely

Possible

Commercial Integrity Level (CIL)

-

P

P

PN L

N L

N LCa - $50k - $500k

Cb – >$500k - $5m

Cc – >$5m - $50m

Cd – >$50 million

Calibrated to be risk neutral



Required Information for SIL determinationP&IDs

Design information on plant, PSV pressure ratings, pipeline hydraulic analysis, dynamic response to disturbances

Cause and Effect Diagrams

Setpoints of trips and margin from alarm levels



Required Information for SIL determinationHazop reports

QRAs – assumptions on event sizes and frequencies

Personnel distribution and occupancy at the sites

Proximity of the public to the sites

Environmental impacts of loss of containment

Value of partial and full pipeline shutdown per day

UN4. 4. Pipeline IntegrityPipeline Integrity--special SCADA applications tospecial SCADA applications to

monitor Pipeline Integritymonitor Pipeline Integrity

a) Leak Detection System (LDS)Conventional Detection and Location Methods

Mass BalancePressure Drop(negative) pressure wave

Dynamic Model of the pipeline system

b) Pressure Cycle Monitoring System (PCM-System)Calculation of the remaining Pipeline system lifetime, based onmonitored and classified pressure cycles

UN

4. Pipeline Integrity4. Pipeline Integrity--operational control mechanismoperational control mechanism

a) Intelligent pig runsMonitoring of internal pipe corrosionDetection of very small leakage

b) Flight surveysMonitoring of activities across the Pipeline Right-of-Way(e.g. construction work, erosion, any changes)

UN5. SCADA Design Implementation (Typical System Architecture)5. SCADA Design Implementation (Typical System Architecture)

UN5. SCADA Design Implementation (Key Data)5. SCADA Design Implementation (Key Data)

UN5. SCADA Design Implementation (Factory Acceptance Test)5. SCADA Design Implementation (Factory Acceptance Test)

UN6. 6. TelecomTelecom Design ImplementationDesign Implementation

(Transmission System Architecture)(Transmission System Architecture)

UN

6. 6. TelecomTelecom Design Implementation (System Key Data)Design Implementation (System Key Data)

Medium: Fibre Optic Cable with G.652 fibres

Transmission System: SDH STM-16 with

- 1 SDH Terminal Multiplexes- 60 SDH Add/Drop Multiplexes- 5 red. SDH Cross-Connector- 1 Network Management System

Backup System: VSAT (DAMA) system for theconnection of the two controlcentres at Sangachal and Ceyhanin case of a primary telecomsystem failure

Communication system: 14 PABX

UN

6. 6. TelecomTelecom Design Implementation (System Overview)Design Implementation (System Overview)

Back

-up

NM

S D

ata

32kb

it/s

V.35

VSAT Terminal (BTC)VSAT Terminal (BOTAS) 512 (448) kbit/s VSAT leased circuit

BOTASRouter

Non-COE

SwitchNMS

COERouter

VC

PABX

H.320

H.323

HotlinePDHMux

ICSS

Clie

nt/S

erve

r Dat

a25

6kbi

t/s V

.35

Mas

terB

usD

ata

64 k

bit/s

V.3

5

Back

-up

Hot

line

64kb

it/s

V.11

Back

-up

PABX

Tie

-line

s4W

E&M

SagemSDHNode

SagemSDHNode

Sangachal CCB

SiemensSDHNode

ControlNet A 10BaseT RJ45ControlNet B 10BaseT RJ45

Client/Server A 100BaseT RJ45Client/Server B 100BaseT RJ45

MasterBus A 10BaseT RJ45MasterBus B 10BaseT RJ45

CCTVServer

CCTV from cameras8 x VC-3

COERouter/Firewal

l

Omnibus HotlineE1 G.703 120Ω

Inter-PABXE1 G.703 120Ω

COE WAN/LAN 10BaseTE1 G.703 120Ω

VC-12

Non-COE WAN/LAN10/100BaseT RJ45

10BaseT

64kbit/sV.11

E1

E1VC-12

VC-12

VC-3

VC-12BOTAS WAN/LAN 10BaseTE1 G.703 120Ω

VC-3VC-3VC-3VC-3VC-3VC-3

GB26

Georgia / AzerbaijanTurkey

SiemensSDHNode

ICSS

PDHMux

COERouter

Non-COE

Switch

Hotline

PABX

VC

NMS

LAN

FutureCCTV

LANBOTASRouter

LAN

LAN

Clie

nt/S

erve

r Dat

a25

6kbi

t/s V

.35

Mas

terB

usD

ata

64kb

it/s

V.35

Back

-up

Hot

line

64kb

it/s

V.11

Back

-up

PABX

Tie

-line

s4W

E&M

Back

-up

NM

S D

ata

32kb

it/s

V.35

VC-3VC-3VC-3VC-3VC-3VC-3

VC-12

VC-12

VC-12

VC-3

VC-12

Ceyhan

10BaseT

H.323

H.320

ICSSHirschmann

Switches

VC-3Allowance for future CCTV

100BaseT RJ45VC-3

E164kbit/sV.11 Other Hotline Units in

Turkey by BOTAS

E1

Sangachal is Masterfor E1 Synchronisation

LocalABBNode

Non-COE* Router

Non-COE* Router

VC-12 VC-12Non-COE WAN/LAN E1 G.703 120Ω

* For traffic managemen

t

* For traffic management

ULTN E

Thank you for your attention

[email protected]

workshop on the prevention of water pollution …

Documents