Safety Instrumented Systems in Regulator Station Design. SIL Verification of Standard Design Alan Burt

Transcription

1 Safety Instrumented Systems in Regulator Station Design SIL Verification of Standard Design Alan Burt

2 Presentation Overview Safety standards Victorian gas transmission network Melbourne supply History of Dandenong City Gate and design issues Project concept and objectives AS2885 requirements for pipeline pressure control Safety targets and standardised components (SIL) Achieving both safety and high availability Layers of Protection Analysis of alternate designs Conclusions APA Group Presentation 2

3 Definitions BLP Brooklyn Lara Pipeline City Gate gas pressure regulating facility feeding a city LOPA Layer Of Protection Analysis MAOP Maximum Allowable Operating Pressure PES Programmable Electronic Systems PLC Programmable Logic Controller PSV Pressure Safety Valve RTU Remote Terminal Unit SIF Safety Instrumented Function SIL Safety Integrity Level SSV Slamshut valve TMR PLC Triple Mode Redundant PLC APA Group Presentation 3

4 Acknowledgement and Disclaimer The author wishes to acknowledge the technical information provided by Invensys Premier Consulting Services in their report SIL Assignment and Verification Report prepared for GasNet for the Brooklyn Lara City Gate. The concepts provided herein should not be taken to be endorsement of specific products or design implementation for pressure reduction stations. Designers should assess their specific designs to ensure safety critical and functional control meets the owner s and technical regulators requirements. APA Group Presentation 4

5 Victorian Natural Gas System APA Group Presentation 5

6 Safety Standards AS/NZS AS Functional safety of electrical/electronic/programmable electronic safety-related systems General requirements AS Functional safety of electrical/electronic/programmable electronic safety-related systems Requirements for electrical/electronic/programmable electronic safety-related systems AS Functional safety of electrical/electronic/programmable electronic safety-related systems Software requirements AS Functional safety of electrical/electronic/programmable electronic safety-related systems Definition and abbreviations AS Functional safety of electrical/electronic/programmable electronic safety-related systems Examples of methods for the determination of safety integrity levels AS Functional safety of electrical/electronic/programmable electronic safety-related systems Guidelines on the application of AS and AS AS Functional safety of electrical/electronic/programmable electronic safety-related systems Overview of techniques and measures APA Group Presentation 6

7 Safety Standards - AS/NZS 61511, AS 3814 AS IEC Functional safety - Safety instrumented systems for the process industry sector - Framework, definitions, systems, hardware and software requirements AS IEC Functional safety - Safety instrumented systems for the process industry sector - Guidelines for the application of AS IEC AS IEC Functional safety - Safety instrumented systems for the process industry sector - Guidance for the determination of the required safety integrity levels AS Appliances Industrial and Commercial Gas Fired APA Group Presentation 7

8 Safety Instrumented Systems Safety systems have been used for many years in process industries to perform safety instrumented functions. If instrumentation is to be effectively used for safety, it is essential that this instrumentation achieve certain minimum standards and performance levels. AS NZS addresses Safety Instrumented Systems for all types of industrial applications. A Safety Instrumented System includes all components and subsystems necessary to carry out the safety instrumented function from sensor(s) to final element(s). IEC61511 addresses Safety Instrumented Systems applicable the Process Industries only. AS NZS applies to Safety Instrumented Systems for the Process Industry that is based on electrical / electronic / programmable electronic technology. Where other technologies are used for logic solvers, the basic principles of this standard should be applied. This standard also addresses the Safety Instrumented System s sensors and final elements regardless of the applied technology. IEC61508 and IEC61511 were recognized by the Australian Standards in the year 2000 APA Group Presentation 8

9 AS/NZS AS NZS 2885 does NOT currently call up AS NZS nor AS NZS However, specific levels of control for pressure reduction stations are mandated in AS/NZS clauses and Safety systems are now commonly used in the gas industry for safety functions in compressor stations, LNG facilities and processing plant, as well as certain Type B appliances: AS/NZS 3814 requires compliance to AS/NZS and for Type B fuel-fired appliances controlled by programmable electronic systems. This applies to the following appliances Gas turbine engines (eg Solar Saturns, Centaurs, Taurus, Mars) Standby generators Waterbath heaters For gas pipeline operators, assessment of compliance to engineering principles in AS/NZS 3814, as with other aspects of design for the gas pipeline control, is managed under the Pipeline Safety Case APA Group Presentation 9

10 Large multi-run pressure reduction stations Overpressure protection of pipelines at pressure reduction stations using pressure relief valves may not be acceptable due to offsite hazards. Functional requirements for large multi-run pressure reduction stations in Victoria are becoming more demanding due to 4-hourly gas market demands, including frequent remote pressure setpoint control, stop/start operation and interaction with gas compressors Increased pipeline operating pressure, leading to higher pressure drops and potential low temperatures due to Joule-Thompson cooling APA Group Presentation 10

11 Multi-run stations Major Victorian multi-run stations (planned capacity) Dandenong City Gate (7 runs) Wollert City Gate (4 runs) Brooklyn Corio Pipeline (BCP) City Gate (5 runs) Brooklyn Lara Pipeline (BLP) City Gate (5 runs) Lara SWP City Gate (5 runs) Wollert and Brooklyn projects are currently under construction Design is complete for Dandenong and Lara projects APA Group Presentation 11

12 APA Group Presentation 12

13 APA Group Presentation 13

14 APA Group Presentation 14

15 APA Group Presentation 15

16 APA Group Presentation 16

17 Future Brooklyn Ballan Pipeline (BBP CG) (currently Brooklyn PL) Brooklyn Lara Pipeline (BLP CG) Brooklyn Corio Pipeline (BCP CG) (previously BCG) APA Group Presentation 17

18 APA Group Presentation 18

19 Dandenong City Gate Commissioned in 1969 Initially 2 regulator runs, each with active and monitor regulators and station PSVs Growth led to current 7 regulator runs RTU to monitor and control pressure PSVs replaced with electrical relay over-pressure trip of run inlet valves circa 1979 (ie PSHH trips the station) PSVs removed due to proximity of flare Slamshut controller replaced with separate RTU circa 1985 Approximately 65% of Melbourne s daily gas flows through the station (about 80% annually). The station operates continuously. APA Group Presentation 19

20 Design Issues Regulators fail-open design Inlet valves fail-last design Common mode failure concern Undetected regulator failure Operator should not have to open/close runs to avoid overpressure Additional heater differential pressure losses affect capacity Control algorithms different at other sites AS requires max MAOP tolerance 1% Flow imbalance between runs may lead to noise, erosion and filter failure APA Group Presentation 20

21 Design Concept Maintain multi-run station concept (ie retain headers) Single active regulator, fail-closed Upstream slamshut valve (SSV), fail-closed Standardised control algorithm Standardised test program (routine run safety verification tests) Remote outlet pressure setpoint control Provide improved operator interface (HMI) for maintenance APA Group Presentation 21

22 Project Objectives Meet safety objectives per AS61511 Minimise capital expense Pressure control per AS2885.1:2007 High station availability 99.99% Retain contract station differential pressure and peak flowrate design basis Maintainability using common sub-components APA Group Presentation 22

23 AS2885.1:2007 Clause Pipeline Pressure Control The following requirements shall be implemented in design and operation of the pipeline pressure control. MAOP under steady state conditions For pipelines intended to be operated at a set point equal to MAOP, the control system shall control the maximum pressure within a tolerance of 1%. Pressure control and a second pressure limiting system are mandatory. The second (pressure limiting) system may be a second pressure control or an overpressure shut-off system or pressure relief. Pressure control system performance Pressure control and overpressure protection systems and their components shall have performance characteristics and properties necessary for their reliable and adequate operation during the design life of the pipeline. APA Group Presentation 23

24 AS2885.1:2007 Clause Pipeline Facility Control Most facilities are remote from their point of operation and generally designed for unattended operation. Each facility shall be designed with a local control system to manage the safe operation of the facility. The local control system shall. (a) Continue to operate in the event of a communications failure; (b) If electric powered, be provided with an uninterruptible power supply with sufficient capacity to ensure continuous operation through a reasonable power outage; (c) Use reliable technology; (d) Be designed to fail in a safe manner; and (e) Be designed with appropriate security. Each facility may also be configured to enable remote monitoring or control of the facility. APA Group Presentation 24

25 SIL Assignment and Verification Analyse SIF overpressure downstream pipeline Determine SIL achieved using current design with the existing RTUs and regulators Determine SIL achievable using proposed design with single FC regulator, SSV and TMR PLC Identify required maintenance regime Select current BLP project as test case Use standard GasNet panels Use BLP regulator PID design APA Group Presentation 25

26 Control Schematic for Regulator APA Group Presentation 26

27 PID for Regulator Run APA Group Presentation 27

28 Active Regulator APA Group Presentation 28

29 Regulator characteristics Fail closed valve Electronic and pneumatic positioner (fails to pneumatic on loss of PES) Common station backup pneumatic controller (balances load across runs) Diagnostic inputs include closed limit switch and position feedback Level 1 fault - valve detected faulty (eg sticky) with persistent control position discrepancy. Run inlet valve closes. Level 2 fault high outlet pressure and control valve not fully closed. Run inlet valve closes. Level 3 fault high outlet pressure. Close all run inlet valves. Level 4 fault high high outlet pressure. Inlet valve closes under pneumatic control. APA Group Presentation 29

30 Fault Tree Models Pressure Control Electronic Pressure Control SIF-10 Fisher DVC6000 (4-20mA) Positioner Bristol Control Wave (Defined by AS61508) FPCY E-4 RTU 4.257E GATE-6-12 GATE-6-13 GATE-6-14 GATE-6-15 Impulse Line - Clean Service Generic Pressure Transmitter Impulse Line - Clean Service Generic Pressure Transmitter Impulse Line - Clean Service Generic Pressure Transmitter 1.095E E E E E E-3 IMPULSE-LINE-(CLEAN)-PTA PT-62755A IMPULSE-LINE-(CLEAN)-PTB PT-62755B IMPULSE-LINE-(CLEAN)-PTC PT-62755C SIF-10 - Electronic Pressure Control APA 2007/02/21 Group Presentation Page 6 30

31 Fault Tree Model TMR Based Control Site Wide Pressure Control (Tricon) RF-24A Triconex Tricon TRICON 3.520E GATE-32-0 GATE-27-1 GATE-27-2 GATE-27-3 Impulse Line - Clean Service Generic Pressure Transmitter Impulse Line - Clean Service Generic Pressure Transmitter Impulse Line - Clean Service Generic Pressure Transmitter 2.500E E E E E E-7 IMPULSE-LINE-(R)-PTA PT-62755A(R) IMPULSE-LINE-(R)-PTB PT-62755B(R) IMPULSE-LINE-(R)-PTC PT-62755C(R) RF-24A - Site Wide Pressure Control (Tricon) APA 2007/02/20 Group Presentation Page 33 31

32 Slamshut valve APA Group Presentation 32

33 Slamshut valve characteristics Fail closed valve Independent pneumatic high high and low low pressure trip will close the valve Electronic open (option) and close control: Open is conditional on outlet pressure Close on PSHH or manual command from DCS or HMI Auto/Manual control on slamshut panel. Alarm active while in manual. APA Group Presentation 33

34 Standard Panel for Slamshut APA Group Presentation 34

35 Fault Tree Slamshut system Slam Shut RF-28 Fisher 4660 Pressure Switch Pneumatic (OREDA 84) (Pilot Booster) Generic 2/3 Way (Valve Actuator) Generic 2/3 Way 5.700E E E-6 PSH PYH-62151A PYH-62151B GATE-37-0 Trunnion Ball UV E-7 Bettis CB Series Valve Actuator (Exida) UZ E-6 RF-28 - Slam Shut APA 2007/02/21 Group Presentation Page 37 35

36 Pneumatic (OREDA 84) PSH E-6 PYH-62151A 2.095E-6 GATE PYH-62151B 2.095E-6 UV E-7 GATE GATE-31-0 GATE-31-5 (Exida) UZ E-6 FPCY-62154(R) Pressure Reducing FPCV-62154A(R) 9.150E E-5 GATE GATE Site Wide Pressure Control 32 RF E-7 IMPULSE-LINE-(CLEAN)-PCA GATE (Foxboro Data) PC E-7 GATE GATE Pneumatic (OREDA 84) PSH E-6 Burkert 6014 / exida) 2.390E-7 UY (FAIL-ON) PYH-62251A 2.095E-6 Pneumatic Relay (US DOE) 2.000E-5 UY-62154A-(FAIL-ON) GATE PYH-62251B 2.095E-6 UV E-7 GATE GATE-31-1 GATE-31-6 (Exida) UZ E-7 IMPULSE-LINE-(CLEAN)-PCB 1.630E-6 (Foxboro Data) PC Pressure Reducing FPCV-62254A(R) 5.620E E-5 GATE GATE GATE Burkert 6014 / exida) GATE E-7 UY (FAIL-ON) FPCY-62254(R) 9.150E-7 GATE Pneumatic Relay (US DOE) 2.000E-5 UY-62254A-(FAIL-ON) Pneumatic (OREDA 84) PSH E-6 Site Wide Pressure Control 32 RF-24 PYH-62351A 2.095E-6 GATE PYH-62351B 2.095E-6 UV E-7 GATE Valve) Tot al Failures RF-26 GATE-31-2 GATE-31-7 (Exida) UZ E-7 IMPULSE-LINE-(CLEAN)-PCC 1.630E-6 (Foxboro Data) PC Pressure Reducing FPCV-62354A(R) 5.620E E-5 GATE GATE GATE Burkert 6014 / exida) GATE E-7 UY (FAIL-ON) FPCY-62354(R) 9.150E-7 GATE Pneumatic Relay (US DOE) 2.000E-5 UY-62354A-(FAIL-ON) Pneumatic (OREDA 84) PSH E-6 Site Wide Pressure Control 32 RF-24 PYH-62451A 2.095E-6 GATE PYH-62451B 2.095E-6 UV E-7 GATE GATE-31-3 GATE-31-8 (Exida) UZ E-7 IMPULSE-LINE-(CLEAN)-PCD 1.630E-6 (Foxboro Data) PC Pressure Reducing FPCV-62454A(R) 5.620E E-5 GATE GATE GATE Burkert 6014 / exida) GATE E-7 UY (FAIL-ON) FPCY-62454(R) 9.150E-7 GATE Pneumatic Relay (US DOE) 2.000E-5 UY-62454A-(FAIL-ON) Pneumatic (OREDA 84) PSH E-6 Site Wide Pressure Control 32 RF-24 PYH-62551A 2.095E-6 GATE PYH-62551B 2.095E-6 UV E-7 GATE GATE-31-4 GATE-31-9 (Exida) UZ E-7 IMPULSE-LINE-(CLEAN)-PCE 1.630E-6 (Foxboro Data) PC Pressure Reducing FPCV-62554A(R) 5.620E E-5 GATE GATE GATE Burkert 6014 / exida) GATE E-7 UY (FAIL-ON) FPCY-62554(R) 9.150E-7 GATE Pneumatic Relay (US DOE) 2.000E-5 UY-62554A-(FAIL-ON) Site Wide Pressure Control 32 RF-24 Fault Tree Model RTU Whole System Site Wide Train Controls (Single Fisher 4660 Pressure Switch (Pilot Booster) Generic 2/3 Way (Valve Actuator) Generic 2/3 Way Valve (Oreda 2002 pp 757) Fisher 4660 Pressure Switch (Pilot Booster) Generic 2/3 Way (Valve Actuator) Generic 2/3 Way Valve (Oreda 2002 pp 757) Fisher 4660 Pressure Switch (Pilot Booster) Generic 2/3 Way (Valve Actuator) Generic 2/3 Way Valve (Oreda 2002 pp 757) Fisher 4660 Pressure Switch (Pilot Booster) Generic 2/3 Way (Valve Actuator) Generic 2/3 Way Valve (Oreda 2002 pp 757) Fisher 4660 Pressure Switch (Pilot Booster) Generic 2/3 Way (Valve Actuator) Generic 2/3 Way Valve (Oreda 2002 pp 757) Trunnion Ball Bettis CB Series Valve Actuator Trunnion Ball Bettis CB Series Valve Actuator Trunnion Ball Bettis CB Series Valve Act uat or Trunnion Ball Bettis CB Series Valve Act uat or Trunnion Ball Bettis CB Series Valve Act uat or Fisher DVC6000 (4-20mA) Positioner Fisher DVC6000 (4-20mA) Positioner Fisher DVC6000 (4-20mA) Positioner Fisher DVC6000 (4-20mA) Positioner Fisher DVC6000 (4-20mA) Positioner Impulse Line - Clean Service Foxboro 43APG Pneumatic Controller Solenoid (Failed Energised) (Burkert Impulse Line - Clean Service Foxboro 43APG Pneumatic Controller Solenoid (Failed Energised) (Burkert Impulse Line - Clean Service Foxboro 43APG Pneumatic Controller Solenoid (Failed Energised) (Burkert Impulse Line - Clean Service Foxboro 43APG Pneumatic Controller Solenoid (Failed Energised) (Burkert Impulse Line - Clean Service Foxboro 43APG Pneumatic Controller Solenoid (Failed Energised) (Burkert RF-26 - Site Wide Train Controls (Single Valve) Total Failures 2007/02/20 Page 31 APA Group Presentation 36

37 Pneumatic (OREDA 84) PSH E-6 PYH-62151A 2.095E-6 GATE PYH-62151B 2.095E-6 UV E-7 GATE GATE-31-0 GATE-31-5 (Exida) UZ E-6 FPCY-62154(R) Pressure Reducing FPCV-62154A(R) 9.150E E-5 GATE GATE Site Wide Pressure Control 32 RF E-7 IMPULSE-LINE-(CLEAN)-PCA GATE (Foxboro Data) PC E-7 GATE GATE Pneumatic (OREDA 84) PSH E-6 Burkert 6014 / exida) 2.390E-7 UY (FAIL-ON) PYH-62251A 2.095E-6 Pneumatic Relay (US DOE) 2.000E-5 UY-62154A-(FAIL-ON) GATE PYH-62251B 2.095E-6 UV E-7 GATE GATE-31-1 GATE-31-6 (Exida) UZ E-7 IMPULSE-LINE-(CLEAN)-PCB 1.630E-6 (Foxboro Data) PC Pressure Reducing FPCV-62254A(R) 5.620E E-5 GATE GATE GATE Burkert 6014 / exida) GATE E-7 UY (FAIL-ON) FPCY-62254(R) 9.150E-7 GATE Pneumatic Relay (US DOE) 2.000E-5 UY-62254A-(FAIL-ON) Pneumatic (OREDA 84) PSH E-6 Site Wide Pressure Control 32 RF-24 PYH-62351A 2.095E-6 GATE PYH-62351B 2.095E-6 UV E-7 GATE RF-26A GATE-31-2 GATE-31-7 (Exida) UZ E-7 IMPULSE-LINE-(CLEAN)-PCC 1.630E-6 (Foxboro Data) PC Pressure Reducing FPCV-62354A(R) 5.620E E-5 GATE GATE GATE Burkert 6014 / exida) GATE E-7 UY (FAIL-ON) FPCY-62354(R) 9.150E-7 GATE Pneumatic Relay (US DOE) 2.000E-5 UY-62354A-(FAIL-ON) Pneumatic (OREDA 84) PSH E-6 Site Wide Pressure Control 32 RF-24 PYH-62451A 2.095E-6 GATE PYH-62451B 2.095E-6 UV E-7 GATE GATE-31-3 GATE-31-8 (Exida) UZ E-7 IMPULSE-LINE-(CLEAN)-PCD 1.630E-6 (Foxboro Data) PC Pressure Reducing FPCV-62454A(R) 5.620E E-5 GATE GATE GATE Burkert 6014 / exida) GATE E-7 UY (FAIL-ON) FPCY-62454(R) 9.150E-7 GATE Pneumatic Relay (US DOE) 2.000E-5 UY-62454A-(FAIL-ON) Pneumatic (OREDA 84) PSH E-6 Site Wide Pressure Control 32 RF-24 PYH-62551A 2.095E-6 GATE PYH-62551B 2.095E-6 UV E-7 GATE GATE-31-4 GATE-31-9 (Exida) UZ E-7 IMPULSE-LINE-(CLEAN)-PCE 1.630E-6 (Foxboro Data) PC Pressure Reducing FPCV-62554A(R) 5.620E E-5 GATE GATE GATE Burkert 6014 / exida) GATE E-7 UY (FAIL-ON) FPCY-62554(R) 9.150E-7 GATE Pneumatic Relay (US DOE) 2.000E-5 UY-62554A-(FAIL-ON) Site Wide Pressure Control 32 RF-24 Fault Tree Model TMR Whole System Site Wide Train Controls (Single Valve) Total Failures (Tricon) Fisher 4660 Pressure Switch (Pilot Booster) Generic 2/3 Way (Valve Actuator) Generic 2/3 Way Valve (Oreda 2002 pp 757) Fisher 4660 Pressure Switch (Pilot Booster) Generic 2/3 Way (Valve Actuator) Generic 2/3 Way Valve (Oreda 2002 pp 757) Fisher 4660 Pressure Switch (Pilot Booster) Generic 2/3 Way (Valve Actuator) Generic 2/3 Way Valve (Oreda 2002 pp 757) Fisher 4660 Pressure Switch (Pilot Booster) Generic 2/3 Way (Valve Actuator) Generic 2/3 Way Valve (Oreda 2002 pp 757) Fisher 4660 Pressure Switch (Pilot Booster) Generic 2/3 Way (Valve Actuator) Generic 2/3 Way Valve (Oreda 2002 pp 757) Trunnion Ball Bettis CB Series Valve Actuator Trunnion Ball Bettis CB Series Valve Actuator Trunnion Ball Bettis CB Series Valve Act uat or Trunnion Ball Bettis CB Series Valve Act uat or Trunnion Ball Bettis CB Series Valve Act uat or Fisher DVC6000 (4-20mA) Positioner Fisher DVC6000 (4-20mA) Positioner Fisher DVC6000 (4-20mA) Positioner Fisher DVC6000 (4-20mA) Positioner Fisher DVC6000 (4-20mA) Positioner Impulse Line - Clean Service Foxboro 43APG Pneumatic Controller Solenoid (Failed Energised) (Burkert Impulse Line - Clean Service Foxboro 43APG Pneumatic Controller Solenoid (Failed Energised) (Burkert Impulse Line - Clean Service Foxboro 43APG Pneumatic Controller Solenoid (Failed Energised) (Burkert Impulse Line - Clean Service Foxboro 43APG Pneumatic Controller Solenoid (Failed Energised) (Burkert Impulse Line - Clean Service Foxboro 43APG Pneumatic Controller Solenoid (Failed Energised) (Burkert RF-26A - Site Wide Train Controls (Single Valve) Total Failures (Tricon) 2007/02/20 Page 34 APA Group Presentation 37

38 Layers Of Protection Analysis Project: Gasnet Brooklyn Control System Rebuild SIF Identifier: SIF-001 SIF Gas High Pressure Description Area P& ID Safety Econ. Impact Event Initiating Initiating Category Envir. Category Description Cause Likelihood and Target Category and and Target Target Risk Risk Risk 7a 7b 7c 7d 7e Layers of Protection SIF Integrity Level Compliance Inter Additional IPL additional General Basic Process Alarms mediate SIL Mitigated EIL Actual PFD of Conclusion Economical Safety Event Envir onm e ntal the SIF mitigation, mitigation, event Process Control & Operator restricted dikes, pressure Likelihood Design System Response Likelihood access relief /Year A$ Occupancy Ignition Fatality Factor Factor 1 1 Regulation Train Over Pressure Supply Regulator Valve Mechanical Failure Fatalities Minor 10,000,000 Not Designed to No Protection Contain Possible from Pressure Off Redundant Site (GPU Pneumatic Gasnet) Controls Alarms Downstream Slam Shut Pressure Relief Capacity Inadequate Occupancy assumed to be less than 876 man hours per year. Ignition data from Oreda Fire and Gas Study Target Target Target E E E E E E E E E E E E-01 SIL 0 EIL 0 AIL 0 8.3E E-09 2 Regulation Train Over Pressure Supply Regulator Electronic Control System Failure Fatalities Minor 10,000,000 Not Designed to Protection Contain Possible from Pressure Off Redundant Site (GPU Pneumatic Gasnet) Controls Alarms Downstream Slam Shut Pressure Relief Capacity Inadequate Occupancy assumed to be less than 876 man hours per year. Ignition data from Oreda Fire and Gas Study Target Target Target E E E E E E E E E E E E+00 SIL 0 EIL 0 AIL 0 8.3E E-10 3 Regulation Train Over Pressure Process Back Pressure Fatalities Minor 10,000,000 Not Designed to Contain Pressure Off Site (GPU Gasnet) Yes Alarms Downstream Slam Shut Pressure Relief Capacity Inadequate Occupancy assumed to be less than 876 man hours per year. Ignition data from Oreda Fire and Gas Study Target Target Target E E E E E E E E E E E E+00 SIL 0 EIL 0 AIL 0 8.3E E-09 Prepared by: Reviewed Summary SIL EIL AIL by: 1.53E+00 Title Name Signature Date Title Name Signature Date 4.6E E-01 SIF-001 FS Engineer Allan Gibson 16-Mar-07 Process Alan Burt SIL 0 EIL 0 AIL 0 Manager Title Name Signature Date Process David Little Engineer Total Mitigated Safety Event Likelihood 5.383E-09 Less than target Yes APA Group Presentation 38

39 Safety The safety system for these valves is primarily pneumatic, with the ability to be remotely operated from the network control room and as such is subject to the failure rates of these components and the low accuracy of switching compared to the electronic equivalents. Adding the electronic diagnostics reduces the failure rate for the pneumatic safety system from 3.6E-2 to 1.05E-2 for the RTU based solution improving slightly to 9.3E- 003 for a TMR based solution by bypassing some of the pneumatic logic and providing a parallel trip path. These are however again limited by the reliability of the safety system valves which places a floor under the possible shutdown system performance. The actual experienced failure rate for the slam shut system has been in excess of 8.26E-3 based on proven in use data received from GasNet and this has been used in the above event trees. APA Group Presentation 39

40 Control system implementation Assuming the reliability of the Bristol RTU is inline with industrial standards a spurious trip can be expected due to a control system failure at approximately 11.5 year intervals. This means that a failure will probably occur during the life of the plant due to this cause. Replacing the Bristol RTU with a typical TMR based system will raise this to the 300 to 3000 year range. The probability of a failure of a 2oo3 voting system for the pressure transmitters used in control of either system is so low as to be irrelevant, at per year unless a common cause is considered such as a lighting strike or miss-calibration. These causes are still far less likely than an RTU failure which dominates the probability of failure. APA Group Presentation 40

41 Control and Slamshut Valve Reliability Single Control Valve: The Single Control Valve control implementation will result in a failure requiring unscheduled maintenance about every 0.7 years for a station with 5 trains, primarily driven by control valve failures. Installing a TMR based control system will raise this to 0.8 years. Dual Control Valve The Dual Control Valve control implementation will result in a failure requiring unscheduled maintenance about every 0.41 years for a station with 5 trains, again primary driven by control valve failures (ie about double the rate for single control valve installation). Installing a TMR based control system will raise this to 0.42 years, a barely noticeable change. Slam Shut Valve It is estimated that an individual slam shut valve will close spuriously about every 10 years APA Group Presentation 41

42 Conclusions Safety target is met with one regulator per run provided a TMR PLC is used TMR + Reg + SSV = 2*RTU + 2*Reg + SSV For multi-run stations, use of the TMR is more economic because of the cost savings of the regulators. For the same station capacity: Dandenong single regulator solution requires 7 regulators and 7 SSVs Dandenong dual regulator solution requires 20 regulators and 10 SSVs For dual run (primary and standby runs) a simpler instrumented design is likely to be more economic. Diagnostic systems are required to detect failed/faulty regulator Records of failure data or SIL rating are required for all components in the safety system APA Group Presentation 42

43 Program Rollout Tricon selected for initial city gate sites at Brooklyn and Wollert 2*Trident selected for 4 ea Brooklyn heater BMS Interface via TUV serial link to Compressor Station Tricons at Brooklyn and Wollert Standard function blocks Standard field devices APA Group Presentation 43

44 We Deliver Energy APA Group Presentation 44