Safety Instrumented System in Regulator Station Design Burt - Safety... · Safety Instrumented...

Safety Instrumented Systemsin Regulator Station Design

SIL Verification of Standard Design

Alan Burt

APA Group Presentation 2

Presentation Overview

Safety standards

Victorian gas transmission network – Melbourne supply

History of Dandenong City Gate and design issues

Project concept and objectives

AS2885 requirements for pipeline pressure control

Safety targets and standardised components (SIL)

Achieving both safety and high availability

Layers of Protection Analysis of alternate designs

Conclusions


Definitions

BLP – Brooklyn Lara Pipeline

City Gate – gas pressure regulating facility feeding a city

LOPA – Layer Of Protection Analysis

MAOP – Maximum Allowable Operating Pressure

PES – Programmable Electronic Systems

PLC – Programmable Logic Controller

PSV – Pressure Safety Valve

RTU – Remote Terminal Unit

SIF – Safety Instrumented Function

SIL –Safety Integrity Level

SSV – Slamshut valve

TMR PLC – Triple Mode Redundant PLC


Acknowledgement and Disclaimer

The author wishes to acknowledge the technical information provided by Invensys – Premier Consulting Services in their report “SIL Assignment and Verification Report” prepared for GasNet for the Brooklyn Lara City Gate.

The concepts provided herein should not be taken to be endorsement of specific products or design implementation for pressure reduction stations. Designers should assess their specific designs to ensure safety critical and functional control meets the owner’s and technical regulators’ requirements.


Victorian Natural Gas System


Safety Standards – AS/NZS 61508

AS 61508.1-1999 Functional safety of electrical/electronic/programmable electronic safety-related systems—General requirements

AS 61508.2-2001 Functional safety of electrical/electronic/programmable electronic safety-related systems—Requirements for electrical/electronic/programmable electronic safety-related systems

AS 61508.3-1999 Functional safety of electrical/electronic/programmable electronic safety-related systems—Software requirements

AS 61508.4-1999 Functional safety of electrical/electronic/programmable electronic safety-related systems—Definition and abbreviations

AS 61508.5-1999 Functional safety of electrical/electronic/programmable electronic safety-related systems—Examples of methods for the determination of safety integrity levels

AS 61508.6-2001 Functional safety of electrical/electronic/programmable electronic safety-related systems—Guidelines on the application of AS 61508.2 and AS 61508.3

AS 61508.7-2001 Functional safety of electrical/electronic/programmable electronic safety-related systems—Overview of techniques and measures


Safety Standards - AS/NZS 61511, AS 3814

AS IEC 61511.1 Functional safety - Safety instrumented systems for the process industry sector - Framework, definitions, systems, hardware and software requirements

AS IEC 61511.2 Functional safety - Safety instrumented systems for the process industry sector - Guidelines for the application of AS IEC 61511-1

AS IEC 61511.3 Functional safety - Safety instrumented systems for the process industry sector - Guidance for the determination of the required safety integrity levels

AS 3814-2005 Industrial and Commercial Gas Fired Appliances


Safety Instrumented Systems

Safety systems have been used for many years in process industries to perform safety instrumented functions. If instrumentation is to be effectively used for safety, it is essential that this instrumentation achieve certain minimum standards and performance levels.

AS NZS 61508 addresses Safety Instrumented Systems for all types of industrial applications. A Safety Instrumented System includes all components and subsystems necessary to carry out the safety instrumented function from sensor(s) to final element(s). IEC61511 addresses Safety Instrumented Systems applicable theProcess Industries only.

AS NZS 61511 applies to Safety Instrumented Systems for the Process Industry that is based on electrical / electronic / programmable electronic technology. Where other technologies are used for logic solvers, the basic principles of this standard should be applied. This standard also addresses the Safety Instrumented System’s sensors and final elements regardless of the applied technology.

IEC61508 and IEC61511 were recognized by the Australian Standards in the year 2000


AS/NZS 2885.1

AS NZS 2885 does NOT currently call up AS NZS 61508 nor AS NZS 61511. However, specific levels of control for pressure reduction stations are mandated in AS/NZS 2885.1 clauses 7.2.1 and 7.2.3

Safety systems are now commonly used in the gas industry for safety functions in compressor stations, LNG facilities and processing plant, as well as certain ‘Type B’appliances:

AS/NZS 3814 requires compliance to AS/NZS 61508 and 61511 for “Type B” fuel-fired appliances controlled by programmable electronic systems. This applies to the following appliances

– Gas turbine engines (eg Solar Saturns, Centaurs, Taurus, Mars)

– Standby generators

– Waterbath heaters

For gas pipeline operators, assessment of compliance to engineering principles in AS/NZS 3814, as with other aspects of design for the gas pipeline control, is managed under the Pipeline Safety Case


Large multi-run pressure reduction stations

Overpressure protection of pipelines at pressure reduction stations using pressure relief valves may not be acceptable due to offsite hazards.

Functional requirements for large multi-run pressure reduction stations in Victoria are becoming more demanding due to

– 4-hourly gas market demands, including frequent remote pressure setpoint control, stop/start operation and interaction with gas compressors

– Increased pipeline operating pressure, leading to higher pressure drops and potential low temperatures due to Joule-Thompson cooling


Multi-run stations

Major Victorian multi-run stations (planned capacity)

– Dandenong City Gate (7 runs)

– Wollert City Gate (4 runs)

– Brooklyn Corio Pipeline (BCP) City Gate (5 runs)

– Brooklyn Lara Pipeline (BLP) City Gate (5 runs)

– Lara SWP City Gate (5 runs)

Wollert and Brooklyn projects are currently under construction

Design is complete for Dandenong and Lara projects


Brooklyn Lara Pipeline (BLP CG)

Brooklyn Corio Pipeline (BCP CG)(previously BCG)

Future Brooklyn Ballan Pipeline (BBP CG)(currently Brooklyn PL)


Dandenong City Gate

Commissioned in 1969

Initially 2 regulator runs, each with active and monitor regulators and station PSVs

Growth led to current 7 regulator runs

RTU to monitor and control pressure

PSVs replaced with electrical relay over-pressure trip of run inlet valves circa 1979 (ie PSHH trips the station)

PSVs removed due to proximity of flare

Slamshut controller replaced with separate RTU circa 1985

Approximately 65% of Melbourne’s daily gas flows through the station (about 80% annually). The station operates continuously.


Design Issues

Regulators ‘fail-open’ design

Inlet valves ‘fail-last’ design

Common mode failure concern

Undetected regulator failure

Operator should not have to open/close runs to avoid overpressure

Additional heater differential pressure losses affect capacity

Control algorithms different at other sites

AS2885.1 requires max MAOP tolerance 1%

Flow imbalance between runs may lead to noise, erosion and filter failure


Design Concept

Maintain multi-run station concept (ie retain headers)

Single active regulator, “fail-closed”

Upstream slamshut valve (SSV), “fail-closed”

Standardised control algorithm

Standardised test program (routine run safety verification tests)

Remote outlet pressure setpoint control

Provide improved operator interface (HMI) for maintenance


Project Objectives

Meet safety objectives per AS61511

Minimise capital expense

Pressure control per AS2885.1:2007

High station availability 99.99%

Retain contract station differential pressure and peak flowrate design basis

Maintainability using common sub-components


AS2885.1:2007 Clause 7.2.1Pipeline Pressure Control

The following requirements shall be implemented in design and operation of the pipeline pressure control.

MAOP under steady state conditions For pipelines intended to be operated at a set point equal to MAOP, the control system shall control the maximum pressure within a tolerance of 1%.

Pressure control and a second pressure limiting system are mandatory. The second (pressure limiting) system may be a secondpressure control or an overpressure shut-off system or pressure relief.

Pressure control system performance Pressure control and overpressure protection systems and their components shall have performance characteristics and properties necessary for their reliable and adequate operation during the design life of the pipeline.


AS2885.1:2007 Clause 7.2.3Pipeline Facility Control

Most facilities are remote from their point of operation and generally designed for unattended operation. Each facility shall be designed with a local control system to manage the safe operation of the facility.

The local control system shall.

(a) Continue to operate in the event of a communications failure;(b) If electric powered, be provided with an uninterruptible power supply with

sufficient capacity to ensure continuous operation through a reasonable power outage;

(c) Use reliable technology;(d) Be designed to fail in a safe manner; and(e) Be designed with appropriate security.

Each facility may also be configured to enable remote monitoring or control of the facility.


SIL Assignment and Verification

Analyse SIF “overpressure downstream pipeline”

Determine SIL achieved using current design with the existing RTUsand regulators

Determine SIL achievable using proposed design with single FC regulator, SSV and TMR PLC

Identify required maintenance regime

Select current BLP project as test case

Use standard GasNet panels

Use BLP regulator PID design


Control Schematic for Regulator


PID for Regulator Run


Active Regulator


Regulator characteristics

Fail closed valve

Electronic and pneumatic positioner (fails to pneumatic on loss of PES)

Common station backup pneumatic controller (balances load across runs)

Diagnostic inputs include closed limit switch and position feedback

Level 1 fault - valve detected faulty (eg sticky) with persistent control position discrepancy. Run inlet valve closes.

Level 2 fault – high outlet pressure and control valve not fully closed. Run inlet valve closes.

Level 3 fault – high outlet pressure. Close all run inlet valves.

Level 4 fault – high high outlet pressure. Inlet valve closes under pneumatic control.


Fault Tree Models – Pressure Control

SIF-10

6.571E-4

FPCY-62154

4.257E-2

RTU2 3

GATE-6-12

GATE-6-13

1.095E-3

IMPULSE-LINE-(CLEAN)-PTA

2.625E-3

PT-62755A

GATE-6-14

1.095E-3

IMPULSE-LINE-(CLEAN)-PTB

2.625E-3

PT-62755B

GATE-6-15

1.095E-3

IMPULSE-LINE-(CLEAN)-PTC

2.625E-3

PT-62755C

Electronic PressureControl

Impulse Line- Clean Service

(exida)

Generic PressureTransmitter (exida)


(exida)



(exida)


Fisher DVC6000(4-20mA) Positioner

(exida)

Bristol ControlWave (Definedby AS61508)

SIF-10 - Electronic Pressure Control 2007/02/21 Page 6


Fault Tree Model – TMR Based Control

RF-24A

3.520E-7

TRICON2 3

GATE-32-0

GATE-27-1

2.500E-7

IMPULSE-LINE-(R)-PTA

9.500E-7

PT-62755A(R)

GATE-27-2

2.500E-7

IMPULSE-LINE-(R)-PTB

9.500E-7

PT-62755B(R)

GATE-27-3

2.500E-7

IMPULSE-LINE-(R)-PTC

9.500E-7

PT-62755C(R)

Site Wide PressureControl (Tricon)





(exida)


(exida)


(exida)

Triconex Tricon

RF-24A - Site Wide Pressure Control (Tricon) 2007/02/20 Page 33


Slamshut valve


Slamshut valve characteristics

Fail closed valve

Independent pneumatic high high and low low pressure trip will close the valve

Electronic open (option) and close control:

– Open is conditional on outlet pressure

– Close on PSHH or manual command from DCS or HMI

Auto/Manual control on slamshut panel. Alarm active while in manual.


Standard Panel for Slamshut


Fault Tree – Slamshut system

RF-28

5.700E-6

PSH-62151

2.095E-6

PYH-62151A

2.095E-6

PYH-62151B

9.800E-7

UV-62151

1.630E-6

UZ-62151

GATE-37-0

Slam Shut

Fisher 4660Pressure Switch

Pneumatic (OREDA84)

Trunnion BallValve (Exida)

Bettis CB SeriesValve Actuator

(Exida)

(Valve Actuator)Generic 2/3 Way

Valve (Exida)

(Pilot Booster)Generic 2/3 Way

Valve (Exida)

RF-28 - Slam Shut 2007/02/21 Page 37


Fault Tree Model – RTU Whole System

RF-26

GATE-31-0

GATE-31-5

GATE-31-10

5.700E-6

PSH-62151

2.095E-6

PYH-62151A

2.095E-6

PYH-62151B GATE-31-28

9.800E-7

UV-62151

1.630E-6

UZ-62151

GATE-31-11

1.981E-5

FPCV-62154A(R) GATE-31-27

GATE-31-29

9.150E-7

FPCY-62154(R)

32

RF-24

GATE-31-30

GATE-31-31

2.500E-7

IMPULSE-LINE-(CLEAN)-PCA

5.620E-7

PC-62154

2.390E-7

UY-62154-(FAIL-ON)

2.000E-5

UY-62154A-(FAIL-ON)

GATE-31-1

GATE-31-6

GATE-31-12

5.700E-6

PSH-62251

2.095E-6

PYH-62251A

2.095E-6

PYH-62251B GATE-31-26

9.800E-7

UV-62251

1.630E-6

UZ-62251

GATE-31-13

1.981E-5


GATE-31-32

GATE-31-33

2.500E-7

IMPULSE-LINE-(CLEAN)-PCB

5.620E-7

PC-62254

2.390E-7

UY-62254-(FAIL-ON)

2.000E-5

UY-62254A-(FAIL-ON)

GATE-31-34

9.150E-7

FPCY-62254(R)

32

RF-24

GATE-31-2

GATE-31-7

GATE-31-14

5.700E-6

PSH-62351

2.095E-6

PYH-62351A

2.095E-6

PYH-62351B GATE-31-24

9.800E-7

UV-62351

1.630E-6

UZ-62351

GATE-31-15

1.981E-5


GATE-31-35

GATE-31-36

2.500E-7

IMPULSE-LINE-(CLEAN)-PCC

5.620E-7

PC-62354

2.390E-7

UY-62354-(FAIL-ON)

2.000E-5

UY-62354A-(FAIL-ON)

GATE-31-37

9.150E-7

FPCY-62354(R)

32

RF-24

GATE-31-3

GATE-31-8

GATE-31-16

5.700E-6

PSH-62451

2.095E-6

PYH-62451A

2.095E-6

PYH-62451B GATE-31-39

9.800E-7

UV-62451

1.630E-6

UZ-62451

GATE-31-17

1.981E-5


GATE-31-38

GATE-31-40

2.500E-7

IMPULSE-LINE-(CLEAN)-PCD

5.620E-7

PC-62454

2.390E-7

UY-62454-(FAIL-ON)

2.000E-5

UY-62454A-(FAIL-ON)

GATE-31-41

9.150E-7

FPCY-62454(R)

32

RF-24

GATE-31-4

GATE-31-9

GATE-31-18

5.700E-6

PSH-62551

2.095E-6

PYH-62551A

2.095E-6

PYH-62551B GATE-31-21

9.800E-7

UV-62551

1.630E-6

UZ-62551

GATE-31-19

1.981E-5


GATE-31-42

GATE-31-43

2.500E-7

IMPULSE-LINE-(CLEAN)-PCE

5.620E-7

PC-62554

2.390E-7

UY-62554-(FAIL-ON)

2.000E-5

UY-62554A-(FAIL-ON)

GATE-31-44

9.150E-7

FPCY-62554(R)

32

RF-24

Site Wide PressureControl





Site Wide TrainControls (Single

Valve) TotalFailures


(Exida)


(Exida)


(Exida)


(Exida)






Valve (Exida)


Valve (Exida)


Valve (Exida)


Valve (Exida)


Valve (Exida)


Valve (Exida)


Valve (Exida)


Valve (Exida)


Pneumatic (OREDA84)


Pneumatic (OREDA84)


Pneumatic (OREDA84)


Pneumatic (OREDA84)


(exida)


(exida)


(exida)


(exida)


(exida)

Pressure ReducingValve (Oreda2002 pp 757)





Pneumatic Relay(US DOE)

Burkert 6014Solenoid (Failed

Energised) (Burkert/ exida)











(exida)

Foxboro 43APGPneumatic Controller

(Foxboro Data)


(Foxboro Data)


(Foxboro Data)


(exida)


(Foxboro Data)


(exida)


(exida)


(exida)


Pneumatic (OREDA84)



(Exida)


Valve (Exida)


Valve (Exida)


(Foxboro Data)




RF-26 - Site Wide Train Controls (Single Valve) Total Failures 2007/02/20 Page 31


Fault Tree Model – TMR Whole System

RF-26A

GATE-31-0

GATE-31-5

GATE-31-10

5.700E-6

PSH-62151

2.095E-6

PYH-62151A

2.095E-6

PYH-62151B GATE-31-28

9.800E-7

UV-62151

1.630E-6

UZ-62151

GATE-31-11

1.981E-5


GATE-31-29

9.150E-7

FPCY-62154(R)

32

RF-24

GATE-31-30

GATE-31-31

2.500E-7

IMPULSE-LINE-(CLEAN)-PCA

5.620E-7

PC-62154

2.390E-7

UY-62154-(FAIL-ON)

2.000E-5

UY-62154A-(FAIL-ON)

GATE-31-1

GATE-31-6

GATE-31-12

5.700E-6

PSH-62251

2.095E-6

PYH-62251A

2.095E-6

PYH-62251B GATE-31-26

9.800E-7

UV-62251

1.630E-6

UZ-62251

GATE-31-13

1.981E-5


GATE-31-32

GATE-31-33

2.500E-7

IMPULSE-LINE-(CLEAN)-PCB

5.620E-7

PC-62254

2.390E-7

UY-62254-(FAIL-ON)

2.000E-5

UY-62254A-(FAIL-ON)

GATE-31-34

9.150E-7

FPCY-62254(R)

32

RF-24

GATE-31-2

GATE-31-7

GATE-31-14

5.700E-6

PSH-62351

2.095E-6

PYH-62351A

2.095E-6

PYH-62351B GATE-31-24

9.800E-7

UV-62351

1.630E-6

UZ-62351

GATE-31-15

1.981E-5


GATE-31-35

GATE-31-36

2.500E-7

IMPULSE-LINE-(CLEAN)-PCC

5.620E-7

PC-62354

2.390E-7

UY-62354-(FAIL-ON)

2.000E-5

UY-62354A-(FAIL-ON)

GATE-31-37

9.150E-7

FPCY-62354(R)

32

RF-24

GATE-31-3

GATE-31-8

GATE-31-16

5.700E-6

PSH-62451

2.095E-6

PYH-62451A

2.095E-6

PYH-62451B GATE-31-39

9.800E-7

UV-62451

1.630E-6

UZ-62451

GATE-31-17

1.981E-5


GATE-31-38

GATE-31-40

2.500E-7

IMPULSE-LINE-(CLEAN)-PCD

5.620E-7

PC-62454

2.390E-7

UY-62454-(FAIL-ON)

2.000E-5

UY-62454A-(FAIL-ON)

GATE-31-41

9.150E-7

FPCY-62454(R)

32

RF-24

GATE-31-4

GATE-31-9

GATE-31-18

5.700E-6

PSH-62551

2.095E-6

PYH-62551A

2.095E-6

PYH-62551B GATE-31-21

9.800E-7

UV-62551

1.630E-6

UZ-62551

GATE-31-19

1.981E-5


GATE-31-42

GATE-31-43

2.500E-7

IMPULSE-LINE-(CLEAN)-PCE

5.620E-7

PC-62554

2.390E-7

UY-62554-(FAIL-ON)

2.000E-5

UY-62554A-(FAIL-ON)

GATE-31-44

9.150E-7

FPCY-62554(R)

32

RF-24

Site Wide TrainControls (Single

Valve) TotalFailures (Tricon)







(Exida)


(Exida)


(Exida)


(Exida)






Valve (Exida)


Valve (Exida)


Valve (Exida)


Valve (Exida)


Valve (Exida)


Valve (Exida)


Valve (Exida)


Valve (Exida)


Pneumatic (OREDA84)


Pneumatic (OREDA84)


Pneumatic (OREDA84)


Pneumatic (OREDA84)


(exida)


(exida)


(exida)


(exida)


(exida)



















(exida)


(Foxboro Data)


(Foxboro Data)


(Foxboro Data)


(exida)


(Foxboro Data)


(exida)


(exida)


(exida)


Pneumatic (OREDA84)



(Exida)


Valve (Exida)


Valve (Exida)


(Foxboro Data)




RF-26A - Site Wide Train Controls (Single Valve) Total Failures (Tricon) 2007/02/20 Page 34


Layers Of Protection AnalysisProject: Gasnet Brooklyn Control System RebuildSIF Identifier: SIF-001SIF DescriptionAreaP& ID

7a 7b 7c 7d 7e 8 10 11 12

Impact Event Description

InitiatingCause

InitiatingLikelihood

Safety Category

and Target Risk

Envir.Category and Target Risk

Econ.Category

and Target Risk

GeneralProcessDesign

Basic Process Control System

Alarms& Operator Response

Additionalmitigation, restricted

access

IPL additional mitigation,

dikes, pressure relief

EIL Environmental AIL Economical

Actual PFD of the SIF

MitigatedSafety EventLikelihood

/Year A$ Occupancy Ignition Fatality Factor Factor 1

1Regulation Train Over Pressure

Supply Regulator Valve Mechanical

Failure0.0133152 10 Fatalities Minor 10,000,000

Not Designed to Contain

Pressure Off Site (GPU Gasnet)

No Protection Possible from

Redundant Pneumatic Controls

AlarmsDownstream Slam Shut

Pressure Relief Capacity

Inadequate

Target Target Target 0.1 0.3 1 1 1

1.3E-02 1.0E-06 1.0E-02 1.0E-05 0 0.0E+00 1.0E-01 8.3E-03 0.0E+00 1.1E-05 9.1E+02 9.1E-01EIL 0 AIL 0 8.3E-03 2.73E-09


Supply Regulator Electronic Control

System Failure0.0876 10 Fatalities Minor 10,000,000



Protection Possible from

Redundant Pneumatic Controls

AlarmsDownstream Slam Shut


Inadequate

Target Target Target 0.1 0.3 18.8E-02 1.0E-06 1.0E-02 1.0E-05 0 4.5E-02 1.0E-01 8.3E-03 0.0E+00 3.3E-06 3.1E+03 3.1E+00

EIL 0 AIL 0 8.3E-03 8.10E-10


Process Back Pressure 0.2 10 Fatalities Minor 10,000,000



Yes AlarmsDownstream Slam Shut


Inadequate

Target Target Target 0.1 0.3 12.0E-01 1.0E-06 1.0E-02 1.0E-05 0 4.5E-02 1.0E-01 8.3E-03 0.0E+00 7.5E-06 1.3E+03 1.3E+00

EIL 0 AIL 0 8.3E-03 1.85E-09

Prepared by: Reviewed by: EIL AIL

Title Name Signature Date Title Name Signature Date 4.6E+02 4.6E-01FS Engineer Allan Gibson 16-Mar-07 Process

ManagerAlan Burt

EIL 0 AIL 0 YesTitle Name Signature DateProcess Engineer

David Little

ConclusionSIL

3.0E+00SIL 0

SIF Integrity Level

Occupancy assumed to be less than 876 man hours per year. Ignition

data from Oreda Fire and Gas Study

Compliance

5.383E-09

SIL 0Less than target

SIL Total Mitigated Safety Event Likelihood

SIF-0011.53E+00

Summary



Gas High Pressure

95 6

Layers of Protection11

Intermediate

eventLikelihood

1 2 3 7

4.5E+00SIL 0

1.0E+01SIL 0




Safety

The safety system for these valves is primarily pneumatic, with the ability to be remotely operated from the network control room and as such is subject to the failure rates of these components and the low accuracy of switching compared to the electronic equivalents.

Adding the electronic diagnostics reduces the failure rate for the pneumatic safety system from 3.6E-2 to 1.05E-2 for the RTU based solution improving slightly to 9.3E-003 for a TMR based solution by bypassing some of the pneumatic logic and providing a parallel trip path. These are however again limited by the reliability of the safety system valves which places a floor under the possible shutdown system performance.

The actual experienced failure rate for the slam shut system has been in excess of 8.26E-3 based on ‘proven in use’ data received from GasNet and this has been used in the above event trees.


Control system implementation

Assuming the reliability of the Bristol RTU is inline with industrial standards a spurious trip can be expected due to a control system failure at approximately 11.5 year intervals. This means that a failure will probably occur during the life of the plant due to this cause.

Replacing the Bristol RTU with a typical TMR based system will raise this to the 300 to 3000 year range.

The probability of a failure of a 2oo3 voting system for the pressure transmitters used in control of either system is so low as to be irrelevant, at 10-12 per year unless a common cause is considered such as a lighting strike or miss-calibration. These causes are still far less likely than an RTU failure which dominates the probability of failure.


Control and Slamshut Valve Reliability

Single Control Valve:

– The Single Control Valve control implementation will result in a failure requiring unscheduled maintenance about every 0.7 years for a station with 5 trains, primarily driven by control valve failures.

– Installing a TMR based control system will raise this to 0.8 years.

Dual Control Valve

– The Dual Control Valve control implementation will result in a failure requiring unscheduled maintenance about every 0.41 years for a station with 5 trains, again primary driven by control valve failures (ie about double the rate for single control valve installation).

– Installing a TMR based control system will raise this to 0.42 years, a barely noticeable change.

Slam Shut Valve

– It is estimated that an individual slam shut valve will close spuriously about every 10 years


Conclusions

Safety target is met with one regulator per run provided a TMR PLC is used

– TMR + Reg + SSV = 2*RTU + 2*Reg + SSV

For multi-run stations, use of the TMR is more economic because of the cost savings of the regulators. For the same station capacity:

– Dandenong single regulator solution requires 7 regulators and 7 SSVs

– Dandenong dual regulator solution requires 20 regulators and 10 SSVs

For dual run (primary and standby runs) a simpler instrumented design is likely to be more economic.

Diagnostic systems are required to detect failed/faulty regulator

Records of failure data or SIL rating are required for all components in the safety system


Program Rollout

Tricon selected for initial city gate sites at Brooklyn and Wollert

2*Trident selected for 4 ea Brooklyn heater BMS

Interface via TUV serial link to Compressor Station Tricons at Brooklyn and Wollert

Standard function blocks

Standard field devices


We Deliver Energywww.pipelinetrust.com.au

Safety Instrumented System in Regulator Station Design Burt - Safety... · Safety Instrumented...

Documents

Transcript of Safety Instrumented System in Regulator Station Design Burt - Safety... · Safety Instrumented...