workshop on the prevention of water pollution …
TRANSCRIPT
ULTN E
WORKSHOP ON THEPREVENTION OF WATER POLLUTION
DUE TO PIPELINE ACCIDENTS
ULTN E
International standards and recommended practices for the safety and environmental integrity level of
international oil pipeline systems
Mr. Lars Bangert, Head of Unit "Pipeline Systems", ILF Consulting Engineers, Germany
Thursday, 9 June 2005
UN
AGENDAAGENDA
1. Overview and Terminology
2. Functional Design Criteria for the SCADA SystemProcess requirementsPipeline integrity requirementsOperational requirements
3. Functional Design Criteria for the Telecom SystemProcess requirementsOperational requirements Pipeline integrity requirements
UN
AGENDAAGENDA
4. Pipeline IntegrityDesign and Review of Safety Integrity LevelSCADA built in (internal) control mechanismoperational (external) control mechanism
5. SCADA Design Implementation
6. Telecom Design Implementation
UN
1. Overview and Terminology1. Overview and Terminology
a) Automation & Control TerminologySCADA Supervisory Control and Data Acquisition
ICSS Integrated Control and Safety System
DCS Distributed Control System
PLC Programmable Logic Controller
FSC Fail Safe Controller
UN
1. Overview and Terminology1. Overview and Terminology
b) Purpose of (Pipeline) SCADA systemsIntegration of field equipment (e.g. actuator, sensor or pump) and small scale (unit) automation systems to the control centre computer system
Transparent view for an operator on a complex process environment
Efficient management/control of a remote process
Support of pipeline integrity (for safety, environmental and commercial aspects)
UN
1. Overview and Terminology1. Overview and Terminology
c) Purpose of (Pipeline) Telecom Systemsdata channels for the SCADA systemvoice channels for Operator instruction (control centre – local control room) Data channels for business WAN application (e.g. facility management, GIS-data warehouse, e-mail, etc.)
UN
2.2. Functional Design Criteria for the SCADA SystemFunctional Design Criteria for the SCADA System
a) Process requirementsprevent critical process conditions
Pump Station control (suction-/discharge-pressure control including overrides)
(open) flow path monitoring
slack line control
b) Pipeline Integrity requirementsIntegrated control and safety system (e.g. PSHH interlocks)SCADA built in monitoring mechanism (e.g. LDS, PCM)Programmed automatic ESD-Sequences(e.g. ESD-Pushbutton, Shut-Down due to Communication Failure)
UN
2.2. Functional Design Criteria for the SCADA SystemFunctional Design Criteria for the SCADA System
c) Operational requirementsRemote Control via Control Centre
Point-of-control (transfer procedures)
simplified and summarized process information for the Operator
Process Visualisation and Reporting (Process Displays and Alarm Handling)
Integration of third party equipment
Executive Control Sequences to support operator action
UN
3.3. Functional Design Criteria for the Functional Design Criteria for the TelecomTelecom SystemSystem
a) Process requirementsredundant communication channels for SCADA system
b) Operational requirementshigh system availability ( “no comms, no operation”)
Voice channels for operator communication
Data channels for business applications
Video conference facilities
c) Pipeline Integrity requirementsReliable communication necessary for critical process data exchange ( Back-up communication link via satellite)
Hotline functionality between operator control rooms
UN4. 4. Pipeline IntegrityPipeline Integrity--Design and Review of Design and Review of
Safety Integrity Level (SIL)Safety Integrity Level (SIL)
Plant Area
Gas
OilWater
Well Fluids
ESD Valve
HighPressureSensor
MechanicalRelief Valve
to Flare
Shutdown SystemLogic Solver
Control Room
Operator Interface
Separator
Example for a safety instrumented function
UN4. 4. Pipeline IntegrityPipeline Integrity--Design and Review of Design and Review of
Safety Integrity Level (SIL)Safety Integrity Level (SIL)
Various Reasons for SIL Assessment:1. How much reliance do we need to place on the protective
system to address the process safety concerns for a given application?orWhat integrity does it need to have?What is its required performance standard?
2. Engineer and maintain the system to - achieve the required integrity or - performance standard during its life
UN4. 4. Pipeline IntegrityPipeline Integrity--Design and Review of Design and Review of
Safety Integrity Level (SIL)Safety Integrity Level (SIL)
3. national regulatory authorities expect it from us as prudent operators
4. Allows us to focus testing effort on the minority of safety systems which are critical for managing safety, environmental or commercial risks and spend less effort on the majority which are not critical
UN4. 4. Pipeline IntegrityPipeline Integrity--Design and Review of Design and Review of
Safety Integrity Level (SIL)Safety Integrity Level (SIL)
Four Safety Integrity Levels are defined in IEC 61508 / IEC 61511
NR = Not Recommended
SafetyIntegrity
Level (SIL)
4 (NR)
Probability ofFailure on
Demand (PFD)
10-4 - 10-5
3
2
1
10-3 - 10-4
10-2 - 10-3
10-1 - 10-2
Probability ofSuccess on
Demand
90 - 99%
99 - 99.9%
99.9 - 99.99%
99.99 - 99.999%
RiskReduction
Factor (RRF)
10 - 100
100 - 1,000
10,000 - 100,000
1,000 - 10,000
UN4. 4. Pipeline IntegrityPipeline Integrity--Design and Review of Design and Review of
Safety Integrity Level (SIL)Safety Integrity Level (SIL)
How to determine SIL?None of the standards recommend a particular qualitative or (semi-) quantitative method
The standards suggest several methods in informative guidance as examples only
No standard calibrates any of the suggested methods i.e. sets a tolerable risk level. This is up to the end user organizations.
UN4. 4. Pipeline IntegrityPipeline Integrity--Design and Review of Design and Review of
Safety Integrity Level (SIL)Safety Integrity Level (SIL)
Team approach, similar to HazopSafety Engineer
Process/Pipeline Engineer
Operations Representative
Instrument/Control Engineer
Bring in other skills as required e.g. machinery
UN4. 4. Pipeline IntegrityPipeline Integrity--Design and Review of Design and Review of
Safety Integrity Level (SIL)Safety Integrity Level (SIL)
Risk Graph from IEC 61508 / 61511
a = No special safety requirementsb = A single E/E/PES is not sufficient
ConsequenceSeverity
Frequency &Exposure
Time
AlternativesTo Avoid
Danger
Demand Rate
Very Low
a
1
2
a
1 a
3 2 1
4 3 2
b 4 3
Minor Injury
Not Likely
Possible
Serious Injuriesor 1 DeathDeath toseveral people
Very manypeople killed
Rare
Frequent
RF
LowRelatively High
Safety Integrity Level (SIL)
- -
-
P
P
PN L
N L
N LF
R
UN4. 4. Pipeline IntegrityPipeline Integrity--Design and Review of Design and Review of
Safety Integrity Level (SIL)Safety Integrity Level (SIL)
Environmental Risk Graph adapted from Safety Risk Graph
Very LowLow
Relatively High
ConsequenceSeverity –
Environmental Damage
AlternativesTo Avoid
Damage
Demand Rate
1
2
a
1 a
3 2 1
4 3 2
b 4 3Not Likely
Possible
Environmental Integrity Level (EIL)
-
P
P
PN L
N L
N LCa - minor
Cb – local outrage
Cc – national outrage
Cd – multinational outrage
UN4. 4. Pipeline IntegrityPipeline Integrity--Design and Review of Design and Review of
Safety Integrity Level (SIL)Safety Integrity Level (SIL)
Commercial Risk Graph adapted from Safety Risk Graph
Very Low Low
Relatively High
ConsequenceSeverity –
Commercial Impact
AlternativesTo Avoid
Impact
Demand Rate
a
1
-
a -
2 1 a
3 2 1
4 3 2Not Likely
Possible
Commercial Integrity Level (CIL)
-
P
P
PN L
N L
N LCa - $50k - $500k
Cb – >$500k - $5m
Cc – >$5m - $50m
Cd – >$50 million
Calibrated to be risk neutral
UN4. 4. Pipeline IntegrityPipeline Integrity--Design and Review of Design and Review of
Safety Integrity Level (SIL)Safety Integrity Level (SIL)
Required Information for SIL determinationP&IDs
Design information on plant, PSV pressure ratings, pipeline hydraulic analysis, dynamic response to disturbances
Cause and Effect Diagrams
Setpoints of trips and margin from alarm levels
UN4. 4. Pipeline IntegrityPipeline Integrity--Design and Review of Design and Review of
Safety Integrity Level (SIL)Safety Integrity Level (SIL)
Required Information for SIL determinationHazop reports
QRAs – assumptions on event sizes and frequencies
Personnel distribution and occupancy at the sites
Proximity of the public to the sites
Environmental impacts of loss of containment
Value of partial and full pipeline shutdown per day
UN4. 4. Pipeline IntegrityPipeline Integrity--special SCADA applications tospecial SCADA applications to
monitor Pipeline Integritymonitor Pipeline Integrity
a) Leak Detection System (LDS)Conventional Detection and Location Methods
Mass BalancePressure Drop(negative) pressure wave
Dynamic Model of the pipeline system
b) Pressure Cycle Monitoring System (PCM-System)Calculation of the remaining Pipeline system lifetime, based onmonitored and classified pressure cycles
UN
4. Pipeline Integrity4. Pipeline Integrity--operational control mechanismoperational control mechanism
a) Intelligent pig runsMonitoring of internal pipe corrosionDetection of very small leakage
b) Flight surveysMonitoring of activities across the Pipeline Right-of-Way(e.g. construction work, erosion, any changes)
UN5. SCADA Design Implementation (Typical System Architecture)5. SCADA Design Implementation (Typical System Architecture)
UN5. SCADA Design Implementation (Key Data)5. SCADA Design Implementation (Key Data)
UN5. SCADA Design Implementation (Factory Acceptance Test)5. SCADA Design Implementation (Factory Acceptance Test)
UN6. 6. TelecomTelecom Design ImplementationDesign Implementation
(Transmission System Architecture)(Transmission System Architecture)
UN
6. 6. TelecomTelecom Design Implementation (System Key Data)Design Implementation (System Key Data)
Medium: Fibre Optic Cable with G.652 fibres
Transmission System: SDH STM-16 with
- 1 SDH Terminal Multiplexes- 60 SDH Add/Drop Multiplexes- 5 red. SDH Cross-Connector- 1 Network Management System
Backup System: VSAT (DAMA) system for theconnection of the two controlcentres at Sangachal and Ceyhanin case of a primary telecomsystem failure
Communication system: 14 PABX
UN
6. 6. TelecomTelecom Design Implementation (System Overview)Design Implementation (System Overview)
Back
-up
NM
S D
ata
32kb
it/s
V.35
VSAT Terminal (BTC)VSAT Terminal (BOTAS) 512 (448) kbit/s VSAT leased circuit
BOTASRouter
Non-COE
SwitchNMS
COERouter
VC
PABX
H.320
H.323
HotlinePDHMux
ICSS
Clie
nt/S
erve
r Dat
a25
6kbi
t/s V
.35
Mas
terB
usD
ata
64 k
bit/s
V.3
5
Back
-up
Hot
line
64kb
it/s
V.11
Back
-up
PABX
Tie
-line
s4W
E&M
SagemSDHNode
SagemSDHNode
Sangachal CCB
SiemensSDHNode
ControlNet A 10BaseT RJ45ControlNet B 10BaseT RJ45
Client/Server A 100BaseT RJ45Client/Server B 100BaseT RJ45
MasterBus A 10BaseT RJ45MasterBus B 10BaseT RJ45
CCTVServer
CCTV from cameras8 x VC-3
COERouter/Firewal
l
Omnibus HotlineE1 G.703 120Ω
Inter-PABXE1 G.703 120Ω
COE WAN/LAN 10BaseTE1 G.703 120Ω
VC-12
Non-COE WAN/LAN10/100BaseT RJ45
10BaseT
64kbit/sV.11
E1
E1VC-12
VC-12
VC-3
VC-12BOTAS WAN/LAN 10BaseTE1 G.703 120Ω
VC-3VC-3VC-3VC-3VC-3VC-3
GB26
Georgia / AzerbaijanTurkey
SiemensSDHNode
ICSS
PDHMux
COERouter
Non-COE
Switch
Hotline
PABX
VC
NMS
LAN
FutureCCTV
LANBOTASRouter
LAN
LAN
Clie
nt/S
erve
r Dat
a25
6kbi
t/s V
.35
Mas
terB
usD
ata
64kb
it/s
V.35
Back
-up
Hot
line
64kb
it/s
V.11
Back
-up
PABX
Tie
-line
s4W
E&M
Back
-up
NM
S D
ata
32kb
it/s
V.35
VC-3VC-3VC-3VC-3VC-3VC-3
VC-12
VC-12
VC-12
VC-3
VC-12
Ceyhan
10BaseT
H.323
H.320
ICSSHirschmann
Switches
VC-3Allowance for future CCTV
100BaseT RJ45VC-3
E164kbit/sV.11 Other Hotline Units in
Turkey by BOTAS
E1
Sangachal is Masterfor E1 Synchronisation
LocalABBNode
Non-COE* Router
Non-COE* Router
VC-12 VC-12Non-COE WAN/LAN E1 G.703 120Ω
* For traffic managemen
t
* For traffic management