Chapter 11

Pressure Control System (Exercise)

Abstract

This exercise on a Pressure Control System is based on a real scenario. Spaces have been left for the reader to attempt the calculations, for which answers are provided in Appendix 5.

Keywords

CCF; Life cycle; MTD; Proposed design; Reliability model assumptions; Safety system
 
This exercise is based on a real scenario. Spaces have been left for the reader to attempt the calculations. The answers are provided in Appendix 5.

11.1. The Unprotected System

Consider a plant supplying gas to offsite via a twin stream pressure control station. Each stream is regulated by two valves (top of Figure 11.1). Each valve is under the control of its downstream pressure. Each valve is closed by the upstream gas pressure via its pilot valve, J, but only when its pilot valve, K1, is closed. Opening pilot valve K1 relieves the pressure on the diaphragm of valve V, allowing it to open. Assume that a HAZOP (HAZard and OPerability) study of this system establishes that downstream overpressure, whereby the valves fail to control the downstream pressure, is an event which could lead to one or more fatalities.
Since the risk is offsite, and a two-fatality scenario is assumed, a target maximum tolerable risk of 10^-5 per annum has been proposed.
Assume that a quantified risk assessment has predicted a probability of 20% that failure, involving overpressure, will lead to subsequent pipe rupture and ignition. Furthermore, it is predicted that, due to the high population density, fatality is 50% likely.
Assume also that the plant offers approximately 10 risks in total to the same population.
It follows that the target failure rate for overpressure of the twin stream subsystem is

10^-5 / (10 risks × 0.2 × 0.5) = 10^-5 pa.


Assume, however, that field experience of a significant number of these twin stream systems shows that the frequency of overpressure is dominated by the pilots and is 2.5 × 10^-3 pa.

11.2. Protection System

Since 2.5 × 10^-3 is greater than 10^-5, a design modification is proposed whereby a programmable electronic system (PES) closes a valve in each stream, based on an independent measure of the downstream pressure. The valves consist of actuated ball valves (sprung to close). This is illustrated at the bottom of Figure 11.1.

Figure 11.1 The system, with and without backup protection.
The target Unavailability for this “add-on” safety system is therefore ………………?
which indicates a SIL of …………?

11.3. Assumptions

The following assumptions are made in order to construct and quantify the reliability model:
(a) Failure rates (symbol λ), for the purpose of this prediction, are assumed to be constant with time. Both early and wearout-related failures are assumed to be removed by burn-in and preventive replacement, respectively.
(b) The MTTR (mean time to repair) of a revealed failure is 4 hrs.
(c) The auto-test coverage of the PLC is 90% and the test occurs at just under 5 min intervals. The MDT (mean down time) for failures revealed by this PES auto-test is taken to be the same as the MTTR (mean time to repair), because the MTTR >> the auto-test period. The MDT is thus assumed to be 4 hrs. Neither the pressure transmitter nor the valve is assumed to have any self-diagnostics.
(d) The manual proof test is assumed to be 100% effective and to occur annually (ca. 8000 hrs).
(e) One maintenance crew is assumed to be available for each of the three equipment types (PES, Instrumentation, Pneumatics).
(f) The detailed design assumptions needed for an assessment of the common cause failure (CCF) BETA factor (see modified proposal) are summarized in Section 11.8.

11.4. Reliability Block Diagram

Figure 11.2 is the reliability block diagram for the add-on safety system. Note that the PES will occur twice in the diagram. This is because the model needs to address those failures revealed by auto-test separately from those revealed by the longer manual proof test due to their different MDTs (explained more fully in Section 6.3).

11.5. Failure Rate Data

The following failure rate data have been chosen for the protection system components shown in Figure 11.1. These are the component-level failure modes which lead to the hazard under consideration (i.e., downstream overpressure). FARADIP.THREE has been used to obtain the failure rates.

Figure 11.2 Reliability block diagram.
Item                                   Failure mode          Failure rate (10^-6 per hr)
                                                             Total      Mode
PES                                    PES low or zero [a]   5          0.25
Pressure transmitter                   Fail low              2          0.5 (25% has been assumed)
Actuated ball valve (sprung to close)  Fail to close         8          0.8 [b]

[a] This represents any failure of the PES i/p, CPU or o/p causing the low condition.

[b] 10% has been used based on the fact that the most likely failure mode is fail closed.

11.6. Quantifying the Model

The following Unavailability calculations address each of the groups (left to right) in Figure 11.2 (see Appendix 5):
(a) Ball valve 1 - unrevealed failures
    Unavailability = ………………………….
    = ………………………….
(b) Ball valve 2 - unrevealed failures
    Unavailability = ………………………….
    = ………………………….
(c) PES output 1 failures revealed by auto-test
    Unavailability = ………………………….
    = ………………………….
(d) PES output 1 failures not revealed by auto-test
    Unavailability = ………………………….
    = ………………………….
(e) PES output 2 failures revealed by auto-test
    Unavailability = ………………………….
    = ………………………….
(f) PES output 2 failures not revealed by auto-test
    Unavailability = ………………………….
    = ………………………….
(g) Pressure Transmitter - unrevealed failures
    Unavailability = ………………………….
    = ………………………….
    The predicted Unavailability is obtained from the sum of the unavailabilities in (a) to (g)
    = ………………………….?

11.7. Proposed Design and Maintenance Modifications

The proposed system is not acceptable (as can be seen in Appendix 5) and modifications are required.
Before making modification proposals, it is helpful to examine the relative contributions to system failure of the various elements in Figure 11.2.
??% from items (a) and (b), the ball valves.
??% from items (c) to (f), the PES.
??% from item (g), the pressure transmitter.
It was decided to duplicate the Pressure Transmitter and vote the pair (1 out of 2). It was also decided to reduce the proof test interval to 6 months (ca. 4000 hrs).

11.8. Modeling CCF (Pressure Transmitters)

The BETAPLUS method provides a means of assessing the percentage of CCFs. The scoring for the method was carried out assuming:
• Written procedures for system operation and maintenance are evident but not extensive;
• There is some training of all staff in CCF awareness;
• Extensive environmental testing was conducted;
• Identical (i.e., nondiverse) redundancy;
• Basic top level FMEA (failure mode effect analysis) had been carried out;
• There is some limited field failure data collection;
• Simple, well-proven pressure transmitters half a metre apart with cables routed together;
• Good electrical protection;
• Annual proof test.
The BETAPLUS software package performs the calculations and was used to calculate a BETA value of 9%.

Figure 11.3 Revised reliability block diagram (or fault tree).

11.9. Quantifying the Revised Model

The following takes account of the pressure transmitter redundancy, common cause failure and the revised proof test interval. Changed figures are shown in bold in Appendix 5.
(a) Ball valve SS1 fails open.
    Unavailability = ………………………….
    = ………………………….
(b) Ball valve SS2 fails open.
    Unavailability = ………………………….
    = ………………………….
(c) PES output 1 fails to close valve (Undiagnosed Failure).
    Unavailability = ………………………….
    = …………………………….
(d) PES output 2 fails to close valve (Undiagnosed Failure).
    Unavailability = ………………………….
    = ………………………….
(e) PES output 1 fails to close valve (Diagnosed Failure).
    Unavailability = ………………………….
    = ………………………….
(f) PES output 2 fails to close valve (Diagnosed Failure).
    Unavailability = ………………………….
    = ………………………….
(g) Voted pair of pressure transmitters.
    Unavailability = ………………………….
    = ………………………….
(h) Common cause failure of pressure transmitters.
    Unavailability = ………………………….
    = ………………………….
    The predicted Unavailability is obtained from the sum of the unavailabilities in (a) to (h)
    = ………………………….?
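As an added worked example (not part of the chapter, and not the Appendix 5 answer sheet), the following Python codes the low-demand approximations that the models of Sections 11.6 and 11.9 rest on and applies them to the chapter's own figures; the λT/2, λ·MDT, (λT)²/3 and βλT/2 forms are assumed to be those intended by the reference to Section 6.3. Running it prints the original and revised system unavailabilities, the group contributions asked for in Section 11.7, and the target unavailability with its SIL band.

```python
# Hazard-mode failure rates from Section 11.5 (per hour) and the Section 11.3 assumptions
LAMBDA_VALVE = 0.8e-6     # actuated ball valve, fail to close
LAMBDA_PES = 0.25e-6      # PES output low or zero
LAMBDA_PT = 0.5e-6        # pressure transmitter, fail low
AUTO_TEST_COVERAGE = 0.9  # share of PES failures the ~5 min auto-test reveals
MDT_REVEALED_HRS = 4.0    # down time for a revealed failure (MTTR 4 h, one crew per type)
BETA_CCF = 0.09           # BETAPLUS result from Section 11.8

def unavail_unrevealed(lam, proof_test_hrs):
    """Dormant failure found only at proof test: mean down time T/2, so lambda*T/2."""
    return lam * proof_test_hrs / 2

def unavail_revealed(lam, mdt_hrs):
    """Failure announced by diagnostics: down only for the MDT, so lambda*MDT."""
    return lam * mdt_hrs

def unavail_1oo2(lam, proof_test_hrs):
    """Identical dormant pair, either suffices (1oo2): assumed (lambda*T)**2/3 approximation."""
    return (lam * proof_test_hrs) ** 2 / 3

def unavail_ccf(lam, beta, proof_test_hrs):
    """Common-cause share of the pair, treated as one dormant item of rate beta*lambda."""
    return beta * lam * proof_test_hrs / 2

def system_unavailability(proof_test_hrs, redundant_pt):
    """Series sum of the Figure 11.2 / 11.3 blocks; returns ({group: PFD}, total)."""
    pes_each = (unavail_revealed(LAMBDA_PES * AUTO_TEST_COVERAGE, MDT_REVEALED_HRS)
                + unavail_unrevealed(LAMBDA_PES * (1 - AUTO_TEST_COVERAGE), proof_test_hrs))
    if redundant_pt:  # 1oo2 voted transmitters plus their common-cause term
        pt = unavail_1oo2(LAMBDA_PT, proof_test_hrs) + unavail_ccf(LAMBDA_PT, BETA_CCF, proof_test_hrs)
    else:
        pt = unavail_unrevealed(LAMBDA_PT, proof_test_hrs)
    groups = {"ball valves": 2 * unavail_unrevealed(LAMBDA_VALVE, proof_test_hrs),
              "PES": 2 * pes_each, "pressure transmitters": pt}
    return groups, sum(groups.values())

def sil_band(pfd):
    """IEC 61508 low-demand PFDavg bands: SIL 1 is [1e-2, 1e-1) down to SIL 4 at [1e-5, 1e-4)."""
    for sil, lower in ((4, 1e-5), (3, 1e-4), (2, 1e-3), (1, 1e-2)):
        if lower <= pfd < 10 * lower:
            return sil
    return 0

if __name__ == "__main__":
    target = 1e-5 / 2.5e-3  # target failure rate / demand rate, Sections 11.1 and 11.2
    print(f"target unavailability {target:.1e} -> SIL {sil_band(target)}")
    for label, hrs, redundant in (("11.6 original", 8000, False), ("11.9 revised", 4000, True)):
        groups, total = system_unavailability(hrs, redundant)
        shares = ", ".join(f"{k} {100 * v / total:.0f}%" for k, v in groups.items())
        print(f"{label}: {total:.2e} ({shares}) -> {'meets' if total <= target else 'misses'} target")
```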

11.10. ALARP

Assume that further improvements in CCF can be achieved for a total cost of £1000. Assume, also, that this results in an improvement in unavailability to 4 × 10^-4. It is necessary to consider, applying the ALARP principle, whether this improvement should be implemented.
The cost per life saved over a 40-year life cycle of the equipment (without cost discounting) is calculated, assuming two fatalities, as explained in Appendix 5.

11.11. Architectural Constraints

Consider the architectural constraints imposed by IEC 61508 Part 2, outlined in Section 3.3.2.
Do the pressure transmitters and valves in the proposed system meet the minimum architectural constraints, assuming they are “TYPE A components”?
Does the PES, in the proposed system, meet the minimum architectural constraints assuming it is a “TYPE B component”?