Paper PS5-6
DESIGNING SAFETY INTO LNG EXPORT / IMPORT PLANTS
Felix F. de la Vega, Senior Consultant, LNG and Gas Processing
Charles Durr, Technology Vice President, LNG, GTL and Gas Processing
Kellogg Brown & Root (KBR), Houston, Texas, U.S.A.
Principal Contact: Felix de la Vega, [email protected]
ABSTRACT

Safety is of paramount importance in the design of any process plant, and in particular of LNG liquefaction as well as regasification plants. In principle, an LNG plant should be in compliance with the safety requirements, norms, policies and guidelines issued by local and international authorities. How to comply with these standards, in a logical and systematic way during engineering design, to ensure the integrity of an LNG plant under all foreseeable modes of operation is discussed in this paper. Similarly, it emphasizes the need to discuss hazardous situations and incidents that could happen and that have to be resolved quickly to minimize uncontrolled loss of containment, and how operational risks have to be assessed for acceptability in order to deliver a cost-effective design. The use of standards such as the National Fire Protection Association (NFPA-59A), its provisions and alternatives, is discussed in determining the hazard footprint of a facility. This includes the evaluation of risks to facilities inside and outside the plant (thermal radiation and vapor dispersion calculations) due to possible spill scenarios and in the possible event of a terrorist attack on storage tanks, ships, etc. with the corresponding release of LNG. The paper illustrates the application, to LNG plants, of the International Electrotechnical Commission (IEC-61508/61511) procedures to determine that the safety level of the instrumentation system is consistent with the risk acceptance criteria of the project. The importance of using HAZID and HAZOP procedures at different points in the design, as well as several 3D model reviews of the plant by an audit team, is described.
RÉSUMÉ

Safety is of capital importance in the design of any process plant, and in particular in that of LNG liquefaction and regasification plants. In principle, an LNG plant must comply with the safety requirements, standards, policies and guidelines issued by local and international authorities.
This paper discusses methods of ensuring compliance with these standards, in a logical and systematic way during engineering design, to ensure the integrity of the LNG plant under all foreseeable operating conditions. Likewise, this paper stresses the need to discuss potential incidents and hazardous situations that must be resolved quickly to minimize uncontrolled releases; it also discusses the need to determine the acceptability of operating risks in order to arrive at an economical design. The use of standards from bodies such as the National Fire Protection Association (NFPA-59A), its provisions and its variants, is discussed for determining the hazard inherent in a given installation. This includes the evaluation of risks posed by installations located inside and outside the plant (calculation of thermal radiation and vapor dispersion) for various spill scenarios and in the event of a terrorist attack on storage tanks, LNG carriers, etc., with the associated LNG releases. This paper illustrates the application to LNG plants of the International Electrotechnical Commission (IEC-61508/61511) procedures for determining that the safety level of the instrumentation system is compatible with the project's acceptability criteria. The importance of using HAZID and HAZOP procedures at different points in the design, as well as several reviews of the plant's 3D models by an audit team, is also described.
INTRODUCTION

Many books and papers have been written on safety in process plants, including LNG facilities. Therefore, in a short paper we are not going to go into much detail on the safety features required in an LNG plant; rather, we will go through the procedure KBR normally follows during the design phases of an LNG facility. The existing literature defines the physical properties of all the components used in liquefaction and regasification facilities, including their flammability ranges, toxicity, auto-ignition temperature, etc.; thus, they will not be presented or discussed here. The main design goal is always to develop an intrinsically safe plant or, as it is now referred to, an inherently safe and friendly one, be it a liquefaction or a regasification facility. Experience teaches that absolute safety and security is neither attainable nor affordable because of the inevitability of the law of unexpected consequences. However, there is an intrinsic ethical code in engineering and in society in general that drives us to always strive to minimize all accidents, injuries, lost-time incidents and material losses. Safety and risk are so intimately connected that one cannot be defined without the other. In the context of LNG plant design, or of any other process plant, any unit, equipment, instrument system, etc. is considered safe if the risk it presents of bodily harm, economic loss or environmental damage is judged acceptable in light of well-established moral values and principles. In this respect, risk is defined as the potential that something unwanted and harmful may occur. Risks are acceptable once those who could be affected are no longer apprehensive about their consequences [1]. This is normally achieved when the risks have been reduced to or below the ALARP (as low as reasonably practicable) region. The LNG industry has a very good track record of safety, even though the public perception sometimes does not match the reality. That misleading perception is many times due to the association of LNG with LPG or other very reactive chemicals, whose consequences are seen quite often in the media. How safety is presently designed into LNG plants is described in this paper.
Safety Requirements

To ensure the safe design of an LNG plant it is necessary to comply with all nationally and internationally accepted codes and standards such as the National Fire Protection Association (NFPA)-59A, “Production, Storage and Handling of Liquefied Natural Gas (LNG)”; the U.S. Department of Transportation “Liquefied Natural Gas Facilities, Federal Safety Standards” 49-CFR-193; the World Bank’s Safety Guidelines; the Occupational Safety & Health Administration (OSHA) “Process Safety Management of Highly Hazardous Chemicals” 29 CFR 1910.119; the European standard for LNG installations prEN 1473; and other international agreements to which the operating companies may belong, as well as country- and company-specific guidelines on safety, health and environment. At the same time, engineering programs which incorporate safety checklists should be used to ensure awareness of the safety issues associated with the LNG project before work is started; these checklists are then used as a quality control to verify that all safety issues are properly addressed by the design team. A series of technical review meetings is included during the project execution phase. These are:

• Process Hazard Review – Initiated in the early stages of Piping and Instrumentation Diagram (P&ID) development to identify process material hazards to personnel, equipment mechanical hazards, and operational and maintenance hazards.
• Internal P&ID Review – A review carried out before releasing the P&IDs to the client for their review and approval.
• Technical Review – Done before the production issue of the P&IDs, when there is sufficient definition of the equipment to make the review meaningful, yet enough schedule time remains to accommodate potential changes.
• Design Hazard Review – Carried out later in the project schedule, when there is high confidence in the details of the design and vendor documentation of the equipment is available. This is the most intensive safety review performed during the engineering phase. It is carried out by experienced technical personnel independent of the design team, in what is called a “cold eye review”.
LNG plants are designed with a proactive approach to loss prevention, which requires a determination of the hazards associated with every process unit and the development of ways to avoid, control or mitigate any hazardous event. With the trend toward greater complexity and larger train capacity in LNG plants it is increasingly important to determine process hazards accurately. To this effect many tools are used to study the performance of the plant under all foreseeable operating conditions, such as start-up, shutdown, and abnormal and normal conditions. Some of the Process Hazard Analyses (PHA) used in the technical reviews mentioned above include safety surveys, what-if analysis, checklists, Hazard and Operability (HAZOP) studies, Failure Modes and Effects Analysis (FMEA), Fault and Event Tree Analysis (FETA), inherent safety design methods, etc. In order to reduce the magnitude or severity of possible hazardous situations, protective measures are provided in the design, including spray water cooling, deluge systems, fire fighting facilities, structural fireproofing, containment areas, separation of equipment through proper layout studies, high- and low-expansion foams, low-temperature detectors, smoke detectors, flammable gas detectors, etc. At the same time, Consequence Modeling is carried out to simulate potential accident scenarios and determine their effects. These models include discharge, dispersion and impact simulations to help evaluate the cost and effectiveness of the mitigation measures to be incorporated in the design. However, the opportunity to develop a safe plant cannot be left entirely to the performance of the hazard reviews mentioned above. We believe that the development of a safe plant should start at the conceptual stage, continue through the process flow diagram, and be integrated into the P&ID development.
Process Hazard Analysis

In order to design safety into LNG plants it is necessary that the process engineer, the process control engineer, the safety advisor, and the layout and operations groups be involved in the design from the very beginning and be consulted as much as possible by the process engineers. The lead process engineer has to have a good background in safety and be aware of the lessons learnt from previous plant design and operation. It is always easier and less costly (by several orders of magnitude) to fix a problem at the conceptual design stage than at the detail design stage or during/after construction. For instance, a reduction in the size of the flare header and flare system should be kept in mind during design, by minimizing the number of relief valves through the use of higher-pressure-rated vessels and compressors. Further reduction in size can be achieved by dynamic simulation of failure scenarios, which usually demonstrates that actual relief rates are much lower than the conservative rates used in typical plant designs. This is because a dynamic simulation takes into account all secondary interactive effects in an upset condition. For instance, in a power outage air cooling will be reduced, but the heating medium will also be discontinued, and the time lag between them determines the peak relief flowrate as well as the relief flow as a function of time, including volumetric effects and transport time. The process hazard studies carried out during the initial stages of design are different from conventional HAZOP studies. In the latter we need to maintain normal operating design conditions, while in the former we look for alternatives to avoid or prevent unsafe situations.
For instance, which inventories of flammable liquids should be reduced to minimize the possibility of fire and explosion in case of a leak of a flashing liquid, or whether glycol/water, thermal oil or any other kind of heat transfer fluid in a regasification or liquefaction plant, respectively, should be eliminated in favor of an all-water circulating medium, which is more environmentally sound. The principles of an inherently safe plant should always be the focal point of any design [2]. These principles are:

• Minimization – Maintain a low inventory of hazardous material. Inventories can always be reduced in almost all unit operations, including storage.
• Substitution – Use a safer material in place of a hazardous one, i.e. water instead of thermal heating oil.
• Attenuation – Use hazardous materials under the least hazardous conditions, i.e. store refrigerated liquids at atmospheric pressure instead of under pressure at ambient temperature.
• Simplification – Minimizing equipment provides less opportunity for error and less chance of something going wrong, i.e. fewer installed spares, fewer cross-overs to provide flexibility, etc.

In summary, rather than adding protective equipment to reduce hazards, avoid hazards by reducing equipment [3].
It is true that once the liquefaction process is selected we are constrained to the type of refrigeration medium used, but we can always reduce its inventory, which results in an inherently safer plant. We could say that, for plants of the same capacity, the design that results in the minimum inventory of flammable compounds is the safer and more environmentally friendly one. The main purpose of any hazard review analysis is to identify and communicate to the engineers any potential hazards that have not been considered in the conceptual and initial plant design. It is carried out by a review team including Process, Systems, Control Systems, and Health, Safety and Environmental Engineering, as well as Operations and Maintenance personnel. Other design team members are consulted as required. All identified process hazards and recommended mitigation measures are documented in a report, which also includes a list of follow-up action items generated during the review. The description of each scenario considered includes the cause, its consequences, the safeguard mechanisms available and the action items to follow if needed. At least two hazard reviews are executed during the design of an LNG facility: one at an intermediate point of the design activity and one at the end of the design, to ensure all items considered have been incorporated in the design.
Instrument Safety Integrity Levels

To ensure that safety-related instrumentation systems in an LNG plant achieve levels of reliability consistent with international standards, the methodology of the International Electrotechnical Commission (IEC-61508/61511) is applied [4]. In the USA, compliance with ISA/ANSI SP84.01 is required by the regulatory authorities. Committees are currently working to harmonize the two documents. In particular, the recently drafted IEC standards mentioned above provide a systematic method for the evaluation of risk at all stages of the Safety Instrumented System (SIS) life cycle. The standard applies only to instrumentation whose primary function is safety related. It does not apply to basic control systems, even though their failure could have safety consequences. It requires a process hazard and risk assessment study to determine the risk and consequences of a given process and to determine ways to reduce them to safety levels acceptable to the company and the communities. In applying the IEC-61508/61511 standard the first stage is to establish the acceptable risk for the plant. The next step is to work back to determine what the reliability of the SIS must be to meet the overall plant risk criteria. Once this is established, the IEC methodology together with a process hazard analysis is used to identify and design the safety instrumented functions (SIF) needed to achieve the required safety standard. The basic steps to establish the safety integrity levels (SIL) for the SIF specified during the design phase are:
1- Identify safety-critical control/instrument systems for which SILs are to be assigned. This step considers the following questions: a) Are there hazards in the plant that could kill or seriously injure employees and/or other people, impact the environment, result in loss of containment, etc.? b) Are these hazards likely to occur at an unacceptable frequency? c) Are design features or safety-dedicated control loops required to reduce the risk to an acceptable level? If the answer to all these questions is yes, then SIL assessment is required. At KBR the assessment or hazard identification is carried out by the Process Hazard Review at the start of the design and by the HAZOP later in the design. However, since the HAZOP is normally done towards the end of the design phase, the identification of the safety-dedicated equipment needed to mitigate the identified hazards is carried out early in the design by a committee including Process Engineers, Process Control Engineers and the Safety Engineer, and results in the development of the Cause and Effect Matrices and the Safeguarding Narrative. This committee evaluates the independent protection layers required to mitigate the hazard (see Appendix I). The SIF is then designed to take the remaining risk to a level such that the overall risk is acceptable. This level should, as a minimum, be in the ALARP region. Even in the ALARP region there is a requirement to reduce risk unless the costs are disproportionate to the benefits that could be achieved. A Safety Requirements Specification (SRS) must be written to completely define the requirements of a SIS. A Quantitative Risk Assessment (QRA) must also be carried out to verify the assigned SILs. The risk assessment may indicate that the best way to improve the SIL is not to provide more instrumentation but to improve the reliability or robustness of the plant.
2- The major steps to evaluate the SIL based on the critical systems identified above are:

• Establish the risk acceptability criteria.
• From the severity of the consequences, establish the target risk.
• Estimate the failure frequencies and their impact on people, the environment, etc.
• Estimate the likelihood of other systems mitigating the accident sequence.
• Calculate what the SIL of the safety-related instrument system must be if the accident sequence is to be considered an acceptable risk.
To ensure safety is optimized at minimum cost, attention should be paid to the higher-SIL systems, in order to confirm that the use of high-SIL systems is justified. Use of high SIL categories may be detrimental to the operation of the plant because of the large number of systems requiring a high level of testing. Appendix II shows some example calculations of the reliability of systems with SIL 1, 2 and 3.

3- Allocate safety requirements to equipment. This recognizes the need to allocate reliability targets to the plant in a balanced way. For instance, a given ESD system need not be allocated a SIL of 4 when it is possible to add an additional protection layer, i.e. a PSV, which would reduce the demand rate on the ESD and therefore the probability of failure on demand it must achieve, and thus its SIL. On many occasions such a high SIL is not acceptable and a redesign of the system is required to reduce it.

4- Design or specify instrument systems to meet the required SIL.

• Establish the system configuration and develop an operations and maintenance strategy to check the feasibility of the design.
• Calculate the protection level for the SIL rating.
In an LNG plant, SIS are provided in the natural gas circuit to prevent vapor breakthrough, LPG backflow and damage to the LNG rundown pumps, main cryogenic heat exchangers, end flash gas compressor, scrub column and LNG expanders, if included. They are also provided in the mixed refrigerant circuit to prevent backflow of make-up components as well as damage to the mixed refrigerant compressors and expanders, if included. In the single refrigerant circuit they are provided to prevent damage to the compressors and to isolate the condensate refrigerant receiver and high-pressure vapor systems. Similarly, the defrost system is also provided with SIS to prevent damage to its heater and to prevent the compressors’ seal gas temperatures from dropping too low. During the procurement phase it is necessary to ensure that the suppliers meet the required SIL. The suppliers should guarantee reliability targets and specify the operations and maintenance regimes required. Verification and validation procedures should confirm the specified SIL. During the construction phase an installation and commissioning plan should be developed to ensure that the safety instrumented functions (SIF) perform at the required SIL when in operation. The operating and maintenance procedures should be provided to the owner to be incorporated in their own procedures.
Ultimate Level of Protection

LNG plants are designed for protection against uncontrolled loss of containment due to process variables (pressure and temperature) exceeding their design values or due to equipment ruptures such as exchanger tubes and failures of pump or compressor seals. Each piece of equipment or system protected by a relief valve or rupture disk is analyzed for all possible failure scenarios. These are:

Utilities:
• Electrical power failure
• Cooling water failure
• Instrument air failure
• Steam failure

Others:
• Unintended valve opening (control valve failure)
• Blocked outlet
• Fire
• Thermal expansion
• Other possible failures such as tube rupture, pump and compressor trips, vacuum protection on compressor suction circuits with fixed-speed drivers, etc.
Each one of these scenarios must consider the ultimate consequences, usually including other independent failures occurring at the same time. For instance, what will happen following a compressor trip if the liquefaction exchanger fails to trip and its valves remain in their normal position, or if any of the mixed refrigerant make-up valves are inadvertently opened with both the compressor and the liquefaction exchanger down?
Similarly, remotely operated valves (ROV) are installed to mitigate the loss of hydrocarbons in the event of seal failures of pumps, expanders and large hydrocarbon receivers, or to isolate critical sections of the process. Non-return valves are also installed in the discharge lines of pumps and compressors to minimize hydrocarbon losses in case of pump and compressor seal failures.
Emergency Shutdown (ESD) and Emergency Depressurization Systems (EDS)

The safety of personnel, plant equipment and the environment is achieved in part by the implementation of an emergency isolation system and an emergency depressurization system, which are activated in case of fire, potentially dangerous process upsets or hydrocarbon leakages. The process plant area is divided into possible fire zones, with sectional plot areas containing equipment with a given maximum hydrocarbon inventory. An arrangement of the process equipment that results in comparable volumes of C4-or-lighter hydrocarbon liquids in each fire zone should be considered during the plot plan design. Each zone can be isolated at its boundaries by the emergency shutdown valves before proceeding to depressurization. Depressurization is the rapid reduction of process equipment pressure by relieving its inventory to flare or vent. This is particularly important for a vessel exposed to fire. Relief valves are designed to keep vessels below their design pressure, not to reduce the pressure. As fire increases the metal temperature, thus reducing the material strength, lowering the vessel pressure reduces the stress on the metal, which reduces the risk of the vessel bursting and therefore reduces or prevents further damage to the plant. Depressuring rates are proposed in API-521. There are other potentially dangerous situations where it is desirable to remove the process fluid inventory from the process equipment to a safe destination, for instance for equipment close to an area on fire. In such cases the plant may be blown down through either vapor or liquid depressuring valves to suitable flare or vent facilities. The depressuring process results in a rapid isentropic expansion of the vessel contents as they perform work on the relieved fluid. This causes a drastic reduction in the temperature of the fluid in the vessel, particularly when depressuring mixtures of low-boiling-point hydrocarbons.
Since heat transfer between the vessel and its contents can reduce the vessel metal temperature to below the ductile/brittle transition temperature, the stress the equipment can safely carry is severely reduced. Therefore, the depressuring scenario often determines the minimum design temperature of the process equipment. The depressurization philosophy adopted in the design is a critical factor in metallurgy selection for an LNG liquefaction plant. The main criterion is whether repressurization is allowed while cold or not. If immediate repressurization is possible, impact-test-qualified low-temperature and cryogenic-grade materials will be required in most portions of the liquefaction and fractionation trains. If controlled repressurization is adopted, not allowing repressurization while the equipment or piping is at cold liquid temperature, the use of fine-grain carbon or low-alloy steels will predominate in the plant design. In the former case the cost of the plant increases significantly, but it provides additional safety in case an operator does, in fact, repressure the plant after a plant upset that resulted in depressurization. In the latter case the cost of the plant is reduced, but the operator is not allowed to restart with an immediate repressurization while the plant equipment or piping is at cold liquid temperature, thus reducing plant availability. However, it is important to have adequate temperature measurements to ensure safe repressurization.
While emergency shutdown systems are required by NFPA-59A and prEN 1473 4.5.6, emergency depressurization systems are not required by either one of them. They are only a recommended option. However, all recent LNG liquefaction plants designed and/or constructed by KBR have a plant design basis that included an EDS. This of course affects the equipment and piping system metallurgy selection regardless of the depressurization philosophy adopted.
Dynamic Simulation and Operator Training

With the use of dynamic process simulation software, which allows real-time studies of the operating units under their different modes of operation from start-up to shutdown as well as an understanding of the plant performance under disturbances and malfunctions, the process and control design can be verified and validated during the engineering phase. However, this tool should be used not only to validate a design but also during basic engineering design in order to minimize cost while developing a safe and friendly plant. Typical examples include the design of flare headers using calculated relief rate profiles under hazardous conditions, i.e. loss of power or cooling water, blocked outlets, etc. Similarly, the dynamic behavior of the compressors and their drivers together with the refrigerant exchangers can be evaluated under upset conditions to confirm the performance of the protective systems when activated in an emergency and to identify any under- or over-sizing in the design, so that it can be rectified long before the detail design of the plant. The dynamic simulation program developed during design can then be used for training the process operators, since they will have the day-to-day responsibility of operating the plant in a safe and reliable way. The program can be used to familiarize the operators with the process and its control system and to practice operating the plant in a safe and efficient manner under normal and emergency conditions [5]. During the design process the construction, operations and maintenance groups work together with the process and control groups to produce a safe plant by determining the potential hazards that could occur during operation. The training simulator then trains the actual plant operators in the procedures needed to accomplish that task.
Plant Layout

The overall layout of the plant, i.e. the location of the storage area, the process area, the utility area, the loading area, flares, control room, etc., has to take into consideration not only the units inside the battery limits but also the communities outside the plant boundaries. Separations between the above areas should allow for effective fire fighting and prevent fire from propagating from one area to others. Each area should be accessible from at least two different ways. Equipment with a high inventory of flammable material, which could develop large vapor clouds in case of leakage, should be located downwind of the prevalent wind direction, away from community areas, control rooms, warehouses, etc. Electric power to the plant should be provided through two separate feeder circuits, and the fire water system should be looped around the entire plant such that any fire water unit can be supplied from either direction. In developing this overall layout, calculations of the thermal radiation profile and vapor dispersion contours produced by code-specified spill rates have to be checked to ensure compliance with the codes. As an example, when following the NFPA 59A code, “provisions shall be made to minimize the possibility of the damaging effects of fire or a flammable cloud of vapors from such a design spill to reach beyond a property line that can be built upon and that would result in a distinct hazard” [6]. Therefore, the battery limits of the LNG facility may be set by the above calculated vapor and thermal radiation contours. Today, the possibility of a hostile attack on an LNG facility is of concern, and a generic assessment of the worst-case consequences resulting from a deliberate action against the facilities should be considered. Of course, the risk of such an event must be weighed in terms of the severity of the consequences as well as the probability of occurrence. The assessment of the consequences has to be backed by an evaluation of historical, experimental and theoretical evidence. The results of the consequence analysis can then be included in the hazard footprint to identify those areas at risk from gas cloud dispersion or radiated heat from fire. Similarly, ground-level concentrations of gases released from vents and/or flares have to be calculated in order to ensure proper concentration levels beyond the plant boundary limits. At the same time, the process area layout of equipment is arranged to minimize piping between equipment, to provide heat exchanger lay-down areas for cleaning and maintenance, and to provide for depressurization in case of fire or to protect nearby equipment from an existing fire. Different areas within a unit should be properly curbed and drained to avoid pools of flammable material under equipment and to direct spills to impounding areas. All in all, personnel safety and process safety, as well as accessibility, operability and maintainability, have to be considered carefully because these issues are inter-related and the best arrangement has to be a compromise among them. The best way to achieve a safe and economic layout is by studying different layouts using 3D software and estimating the thermal and vapor dispersion profile for each one of them. This can be done quite fast if variations of the layout are carried out by simple replotting of the main equipment, followed by computer re-running of the piperacks and production of a cost estimate for the new piping arrangement.
CONCLUSIONS
Today, in order to continue taking advantage of economies of scale, the production capacity of proposed new LNG projects has doubled that of existing plants. Liquefaction trains with a capacity of 8 million tons/yr and regasification terminals of over 2 BSCFD are considered feasible as the next generation of LNG export/import terminals. Similarly, the LNG shipping industry is proposing ships of up to 250,000 m³ capacity, compared with the existing maximum ship of 145,000 m³. At the same time, it is of paramount importance to maintain the outstanding safety and reliability record of the industry. The execution of those projects will require experienced personnel with a good background in the safety, health, environment, reliability, operability and maintainability of LNG plants, and with a track record of the lessons-learned issues specific to these facilities. The guidelines presented in this paper, if applied to the design of any LNG facility (export or import terminal), will meet regulatory requirements and result in a plant that is inherently safer, environmentally friendly and easier to operate and maintain. Ultimately, this will minimize injuries to personnel, reduce potential health risks, prevent uncontrolled losses and therefore avoid future liabilities. Finally, it will help maintain the outstanding level of safety that the LNG industry has demonstrated during the last thirty years.
APPENDIX I
BPCS = Basic Process Control System
PCS = Process Control System
APPENDIX II
Example - Calculation of the reliability of systems with SIL 1, 2 and 3.
(Failure rate data source is OREDA Offshore Reliability Data, SINTEF, 1997 and 2002 Edition)

Summary of the reliability of a SIL 1 system with one sensor and one control valve

Item                   PFD *        Test Interval (TI)                  Configuration
                                    Full (TIFS) *    Partial (TIPS) *
Sensor                 4.68x10^-2   3 years          -                  1oo1
Logic Solver/PSD *     5.0x10^-4    1 year           -                  -
Final Element (CV) *   5.21x10^-2   5 years **       -                  1oo1
System PFD             9.94x10^-2
Target PFD             1.0x10^-1 ~ 1.0x10^-2

* PFD = Probability of failure on demand; TIFS = Test interval, full stroke; TIPS = Test interval, partial stroke; PSD = Process shutdown programmable logic solver; CV = Control valve
** Note that control valves are actuated frequently and this may increase the risk of failure on demand, due to wear on the valve.

Summary of the reliability of a SIL 2 system with one sensor and one valve (with high diagnostic coverage (DC) on the sensor)

Item                   PFD          Test Interval (TI)                  Configuration
                                    Full (TIFS)      Partial (TIPS)
Sensor                 2.34x10^-3   3 years          -                  1oo1 (DC - 95%)
Logic Solver/ESD *     5.0x10^-4    1 year           -                  -
Final Element (XV) *   5.57x10^-3   3 years          1 year             1oo1
System PFD             4.31x10^-3
Target PFD             1.0x10^-2 ~ 1.0x10^-3

* XV = Unclassified valve; ESD = Emergency shutdown

Summary of the reliability of a SIL 3 system with a 1oo2 sensor subsystem and 1oo2 trip valve subsystem

Item                   PFD          Test Interval (TI)                  Configuration
                                    Full (TIFS)      Partial (TIPS)
Sensor                 9.82x10^-5   0.25 year        -                  1oo2
Logic Solver/ESD       5.0x10^-4    1 year           -                  -
Final Element (XV)     1.01x10^-4   1 year           -                  1oo2
System PFD             6.99x10^-4
Target PFD             1.0x10^-3 ~ 1.0x10^-4
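The tables above give component PFDs and their sum but not the arithmetic behind them. The following is an added worked example (not code from the paper or from KBR) that applies the simplified IEC 61508-6 average-PFD formulas to a loop of the kind shown in Appendix II: PFD = (1 - DC) x lambda_DU x TI / 2 for a 1oo1 channel, and (lambda_DU x TI)^2 / 3 + beta x lambda_DU x TI / 2 for a 1oo2 pair, with the loop PFD taken as the sum of sensor, logic solver and final element. The failure rates LAMBDA_SENSOR, LAMBDA_LOGIC and LAMBDA_CV are assumptions back-calculated from the SIL 1 table rather than OREDA data, and the common-cause factor beta = 2% is an assumption chosen because it reproduces the 1oo2 sensor figure of the SIL 3 table; the function names are the example's own.

```python
"""Average probability of failure on demand (PFD) of a safety instrumented
loop, using the simplified IEC 61508-6 formulas.  Added example; not code
from the paper or from KBR.  The failure rates below are assumptions
back-calculated from the Appendix II tables, not OREDA data."""

# IEC 61508 low-demand SIL bands: SIL n  <=>  10^-(n+1) <= PFD < 10^-n
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_1oo1(lambda_du, ti_years, dc=0.0):
    """Single channel (1oo1).  lambda_du is the dangerous-undetected failure
    rate per year and ti_years the full proof-test interval.  A diagnostic
    coverage dc removes that fraction of failures from the undetected pool
    (detected failures are assumed to be repaired promptly)."""
    return (1.0 - dc) * lambda_du * ti_years / 2.0


def pfd_1oo2(lambda_du, ti_years, beta=0.02):
    """Redundant pair where one channel suffices (1oo2): independent term
    (lambda*TI)^2/3 plus a common-cause term beta*lambda*TI/2.
    beta = 2% is an assumption (see lead-in)."""
    lt = lambda_du * ti_years
    return lt * lt / 3.0 + beta * lt / 2.0


def loop_pfd(*component_pfds):
    """Loop PFD is the sum of sensor, logic solver and final element PFDs."""
    return sum(component_pfds)


def sil_from_pfd(pfd):
    """Return the SIL band (1-4) containing pfd, or 0 if worse than SIL 1."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0


# Assumed dangerous-undetected rates per year, chosen so that the 1oo1
# components reproduce the Appendix II SIL 1 table (assumption, not OREDA).
LAMBDA_SENSOR = 0.0312    # gives 4.68x10^-2 at TI = 3 years
LAMBDA_LOGIC = 1.0e-3     # gives 5.0x10^-4 at TI = 1 year
LAMBDA_CV = 0.02084       # gives 5.21x10^-2 at TI = 5 years


def sil1_loop():
    """Appendix II SIL 1 case: 1oo1 sensor, PLC and 1oo1 control valve.
    Returns (loop PFD, achieved SIL)."""
    pfd = loop_pfd(pfd_1oo1(LAMBDA_SENSOR, 3.0),
                   pfd_1oo1(LAMBDA_LOGIC, 1.0),
                   pfd_1oo1(LAMBDA_CV, 5.0))
    return pfd, sil_from_pfd(pfd)


def sil2_sensor():
    """The same sensor with 95% diagnostic coverage, as in the SIL 2 table."""
    return pfd_1oo1(LAMBDA_SENSOR, 3.0, dc=0.95)


def sil3_sensor():
    """1oo2 sensors proof-tested every quarter, as in the SIL 3 table."""
    return pfd_1oo2(LAMBDA_SENSOR, 0.25)


if __name__ == "__main__":
    pfd, sil = sil1_loop()
    print(f"SIL 1 loop:          PFD = {pfd:.3e} -> SIL {sil}")
    print(f"Sensor, 95% DC:      PFD = {sil2_sensor():.3e}")
    print(f"1oo2 sensor, 0.25 y: PFD = {sil3_sensor():.3e}")
```

Running it shows how each design lever in the tables moves the number: diagnostic coverage scales the 1oo1 sensor PFD by (1 - DC), the 1oo2 arrangement with a short test interval drives it down by more than two orders of magnitude, and whichever component dominates the sum (the control valve in the SIL 1 case) is the one that has to be improved before the loop can reach the next SIL band.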
REFERENCES CITED
1. Martin, M.W. and Schinzinger, R., “Ethics in Engineering”, McGraw-Hill Book Co., 1989.
2. Kletz, T.A., “Plant Design for Safety”, Hemisphere Publishing Corp., 1991.
3. Kletz, T.A., “Improving Chemical Engineering Practices”, Hemisphere Publishing Corp., 1990.
4. International Electrotechnical Commission, “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems”, 1998.
5. Tanh, A.T.C. and Stephenson, G., “LNG Plant Operator Training”, Petroleum Technology Quarterly, Autumn 1997, pp. 141-143.
6. NFPA 59A, Standard for the Production, Storage and Handling of Liquefied Natural Gas (LNG), 2001 Edition.
7. American Institute of Chemical Engineers, “Guidelines for Safe Process Operations and Maintenance”, 1995.
8. Lees, F.P., “Loss Prevention in the Process Industries”, Butterworth-Heinemann, 1996, Vols. 1, 2, 3.
9. KBR in-house Report, “Instrument Safety Integrity Levels”, May 2002.
10. KBR in-house Report, “Design Philosophy for Emergency Shutdown System (ESD)”, March 1996.
11. KBR in-house Report, “Emergency Depressurization Philosophy (EDP)”, January 2003.
12. KBR in-house Report, “Safety Management Systems”, 2002.