Pipeline Integrity Ensures Continuous Flow
Author : Andy Tonge
19 July 2011
Andy Tonge, Hima-Sella’s Sales Manager, explains how pipeline protection comes down to the application of fundamental safety logic.
A pipeline is an efficient means of transferring liquids and gases between locations. However, whether land-based or subsea, it must be protected along its length to prevent or, in the worst case, limit the environmental damage and financial losses/fines that would arise from escaping product. As for what might cause such an escape, the possibilities include process/control problems, accidental damage and acts of terrorism.
Most pipelines have valves (within valve stations) along their length for the express purpose of being able to isolate sections, which of course also prevents flow from source to destination, and it is here that local, automated safety protection is best implemented.
For example, Hima-Sella has just provided safety solutions at all 20 valve stations along the length of the Wilton-Grangemouth Ethylene Pipeline (WGEP), one of a number of pipelines used to link ethylene production plants in the UK. The pipeline is 250km long and entered service in 1979. In 1985 it was converted to bi-directional flow.
At the valve stations, which are in remote locations, a number of parameters are monitored including valve positions, upstream and downstream pressures, temperatures, cathodic protection, battery charger status and product flows.
Data used to be collected via Remote Terminal Units (RTUs) and transmitted to the WGEP SCADA (for control purposes) via BT KiloStream communications links. However, in 2010 the pipeline operator, SABIC UK Petrochemicals, identified the SCADA system as obsolete, the BT KiloStream links as in need of update, and the RTUs and hardwired valve interlocks as in need of replacement (by SIL-rated safety systems).
Logical Safety
Hima-Sella’s solution for localised safety within each valve station was the HIMA HIMatrix F35 Programmable Electronic System (PES), which has 8 analogue inputs, 24 digital inputs, eight digital outputs, three Fieldbus ports and four configurable Ethernet ports.
The WGEP’s valve stations typically fall into two configurations, standard and non-standard. In the case of the former, the F35’s Inputs and Outputs (I/O) were assigned thus. Analogue inputs were assigned to monitor Up- and Down-stream Pressures (0 to 100 bar), Valve Temperature (-10 to 40°C) and Cathodic Protection (where fitted, as -3 to 0V), leaving four inputs free for future use.
Digital inputs were assigned to Valve Open, Valve Closed, Valve Sequence Failure and 3-phase Power Failure, leaving 19 spare (but three of these are earmarked for Actuator Supply Failure, Intruder Alert and Intruder Override). Only two of the unit’s eight outputs were required for valve operation – Valve Open and Valve Close – leaving six spare.
For those interested in why two input and two output channels are required per valve, this is really where safety comes right down to pure logic levels. On the face of things you could argue that a valve is either open or closed, so could be represented by logic 1 (open) and logic 0 (closed) on a single channel.
However, confidence in reading the valve’s condition is best achieved through ‘complementary pairs’. Therefore, within any of the WGEP’s valve stations, a valve can only be recognised as truly open if its Open signal is logic 1 and its Closed signal is 0 (i.e. Not Closed).
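The complementary-pair check described above can be sketched in C as follows. This is an added example, not Hima-Sella's or HIMA's code; the four-state decoding, the names and the 30-second travel limit are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Valve state decoded from the complementary Open/Closed input pair. */
typedef enum { VALVE_OPEN, VALVE_CLOSED, VALVE_TRAVELLING, VALVE_FAULT } valve_state_t;

/* Assumed value: longest time both inputs may read 0 while the valve strokes. */
#define TRAVEL_LIMIT_MS 30000u

typedef struct {
    uint32_t both_low_ms;   /* how long Open=0 and Closed=0 have persisted */
} valve_monitor_t;

/* Evaluate one scan. open_sig and closed_sig are the two digital inputs;
 * elapsed_ms is the time since the previous scan. */
valve_state_t valve_eval(valve_monitor_t *m, bool open_sig, bool closed_sig,
                         uint32_t elapsed_ms)
{
    if (open_sig && closed_sig) {
        /* 1,1 is physically contradictory: shorted wiring, a stuck
         * contact or a forced input. Never treat it as open. */
        m->both_low_ms = 0;
        return VALVE_FAULT;
    }
    if (open_sig != closed_sig) {
        /* Exactly one signal set: the pair agrees with itself. */
        m->both_low_ms = 0;
        return open_sig ? VALVE_OPEN : VALVE_CLOSED;
    }
    /* 0,0: valve mid-stroke, or a broken wire / lost sensor supply.
     * Accept it only for a bounded time (saturating counter). */
    if (m->both_low_ms < TRAVEL_LIMIT_MS) {
        uint32_t remaining = TRAVEL_LIMIT_MS - m->both_low_ms;
        m->both_low_ms += (elapsed_ms < remaining) ? elapsed_ms : remaining;
    }
    return (m->both_low_ms >= TRAVEL_LIMIT_MS) ? VALVE_FAULT : VALVE_TRAVELLING;
}

/* Only a proven Open=1, Closed=0 reading counts as "truly open". */
bool valve_proven_open(valve_state_t s)
{
    return s == VALVE_OPEN;
}
```

A single-channel design would read a broken wire as a valid "closed" (or "open"); with the pair, every single-signal failure lands in a state the logic can distinguish and alarm on.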
What recognises these hardware conditions is the software residing in each PES. All 20 PESs for the WGEP upgrade were programmed by Hima-Sella, using HIMA’s IEC 61131-3-compliant ELOP II software tool, which is used in a variety of industries for safety-planning.
ELOP II is essentially a software development tool that allows safety systems to be ‘built’ through the placement and connection (on screen) of functional blocks. The finished design (schematic of functional blocks) is then compiled into program code. Here it is worth noting that as part of that compilation the design is not only checked for errors but its intended operation is verified as being within pre-defined safety parameters.
‘Fail safe’ operation is therefore intrinsic to both the hardware and the software protecting the WGEP’s valves.
Other Examples
Similar PES units are also currently protecting the crude oil Baku-Tbilisi-Ceyhan (BTC) Pipeline, which became operational in 2006.
Starting at the Sangachal terminal near Baku - which receives oil from the Azeri, Chirag and Gunashli (ACG) offshore fields in the Caspian – the pipeline is 1,768km long and passes through Azerbaijan, Georgia and Turkey in order to reach the Mediterranean.
The pipeline is an alternative to using tanker transportation along the Black Sea and the highly congested Bosporus, and it takes oil some six months to traverse the length of the pipe. There are eight pumping stations along the route and more than 100 block valve stations, which enable the pipeline to be isolated into sections in the event of an emergency.
Again, protection is afforded through the combination of fail-safe hardware and software, as is the case with a dual-purpose pipeline in Thailand. It runs from the refinery at Sriracha and supplies (standard) fuel to receiving areas in Saraburi and Lamlukka, and aviation fuel to Bangkok Airport. Within control stations at the refinery and each of the three receiving areas a PES provides an Emergency Shutdown (ESD) function.
There are 20 valve stations along the length of this dual-fuel pipeline and within each a PES provides an ESD function. In addition, and independent of the ESD, the valves are also protected by a High Integrity Pressure Protection Solution that is implemented in HIMA’s Planar F solid state logic server (i.e. no software, as the safety function is effectively realised in hardwired circuitry).
Conclusion
In the above examples all three pipelines have automated and independent protection at critical points (i.e. the valve stations), and we have described how safety is effectively determined right down at the binary level.
Once done, system- and network-level forms of protection can be layered on top, safe in the knowledge that the hardware at the safety-critical asset cannot be compromised; and this is something we intend to discuss in detail in a later issue of HazardEx.