Journal of Loss Prevention in the Process Industries 35 (2015) 35–45

Safety study of an LNG regasification plant using an FMECA and HAZOP integrated methodology

M. Giardina*, M. Morale
Department of Energy, Information Engineering and Mathematical Models (DEIM), University of Palermo, Viale delle Scienze, 90128 Palermo, Italy

Article history: Received 22 May 2014; received in revised form 29 January 2015; accepted 5 March 2015; available online 13 March 2015.

Abstract

A safety analysis was performed to determine possible accidental events in the storage system used in the liquefied natural gas regasification plant using the integrated application of failure modes, effects and criticality analysis (FMECA) and hazard and operability analysis (HAZOP) methodologies. The goal of the FMECA technique is the estimation of component failure modes and their major effects, whereas HAZOP is a structured and systematic technique that provides an identification of the hazards and the operability problems using logical sequences of cause-deviation-consequence of process parameters. The proposed FMECA and HAZOP integrated analysis (FHIA) has been designed as a tool for the development of specific criteria for reliability and risk data organisation and to gain more recommendations than those typically provided by the application of a single methodology. This approach has been applied to the risk analysis of the LNG storage systems under construction in Porto Empedocle, Italy. The results showed that FHIA is a useful technique to better and more consistently identify the potential sources of human errors, causal factors in faults, multiple or common cause failures and the correlation of cause and consequence of hazards during the various steps of the process. © 2015 Elsevier Ltd. All rights reserved.

Keywords: LNG; Regasification terminals; Risk analysis; HAZOP; FMECA; Human errors; Risk priority number
1. Introduction

By 2020, natural gas (NG) consumption in Europe will increase by 22% to 26.5 trillion cubic feet per year (Licari and Weimer, 2011). At present, 13 liquefied natural gas (LNG) receiving terminals are operational, and approximately 20 more are currently planned or under construction. However, the societal acceptability of LNG regasification facilities largely depends on safety standards, which should result in low risk for both the population and the environment. For this purpose, appropriate and in-depth safety analyses should be performed, taking into account the risks connected to the new technologies used in these facilities (Bernatik et al., 2011; Pitblado and Woodward, 2011; Rathnayaka et al., 2012). Many techniques have been developed for hazard identification in the process industry, but no single technique can identify all of the safety concerns; risk assessment is therefore best achieved through a systematic approach using a combination of different techniques (Casamirra et al., 2009).
* Corresponding author. E-mail address: [email protected] (M. Giardina).
http://dx.doi.org/10.1016/j.jlp.2015.03.013
Detailed descriptions of the possible accident scenarios and component failures can be obtained by applying well-known methods such as hazard and operability analysis (HAZOP) or failure modes, effects and criticality analysis (FMECA). A typical HAZOP provides an identification of accidental events (top events, TEs) and operability problems by using logical sequences of cause-deviation-consequence of process parameters. However, it does not lend itself to quantitative analysis, to ranking the effects of failures or to studying the relative effectiveness of the proposed corrective actions. The FMECA method focuses on individual components and their failure modes; each failure mode is considered only once, and all of its effects and controls are listed together. The criticality analysis is based on the risk priority number (RPN), a useful method for ranking the importance of each potential failure according to the failure rate, the severity of the failure consequence and the detection, which defines whether the failure can be detected by the design controls or inspection procedures. However, this technique can have difficulty identifying accident sequences and dependencies between equipment and human actions (Giardina et al., 2014).

Taking these considerations into account, the proposed FMECA and HAZOP integrated analysis (FHIA) has been designed as a tool to develop specific criteria for reliability and risk data organisation and to gain additional recommendations, beyond those typically provided by applications of a single method. First, the proposed approach makes it possible to give more logical reasons for component failures and undesirable consequences (TEs). This is done under different operating conditions and during the various steps of the examined process, a very difficult task, especially in those technologies characterised by a large number of processes for the same subsystem. Another improvement is that FHIA provides an exhaustive list of events or combinations of events that affect the same or different TEs. This allows the analyst to focus on the critical points of a hazard before making a quantitative assessment of the occurrence probability. For example, these data can be very useful if risk assessments are performed using the layers of protection analysis (LOPA) method (CCPS, 2001), a powerful analytical tool for assessing the adequacy of the protection layers used to mitigate process risk. Finally, because human errors are the most commonly identified causes of accidents, the evaluation of the RPN index is proposed to rank both the component failures and the human errors.

To show the efficacy of the proposed approach, FHIA has been applied to the risk analysis of the LNG storage systems under construction in Porto Empedocle, Italy. The analysis was supported by the new risk analysis database (RAD) software, developed at the Department of Energy, Information Engineering and Mathematical Models (DEIM), University of Palermo, Italy, with the objective of standardising the application of FHIA. The results allow for the collection of a significant amount of information regarding the LNG storage process, which can be useful in the planning of maintenance procedures or the design of appropriate safety controls for the process.

2. Overview of the hazard identification techniques for LNG facilities

To help identify the hazards, several techniques are employed in the LNG industry, and Hazard Identification (HAZID) is widely used during the early stages of design (Aronsson, 2012). The strengths of HAZID are flexibility (it is applicable to any type of installation or process), the use of the experience of the operating personnel as part of the team, and the absence of repetitive consideration of deviations. Its weaknesses are that guide words require development at each installation, that some hazards may be omitted, and that its benefits depend on the experience and knowledge of the team. Moreover, the accident scenarios defined as "atypical" (Paltrinieri et al., 2015) are not captured by conventional HAZID techniques because they deviate from normal expectations of unwanted events or worst-case reference scenarios. For these reasons, several European Directives have pushed the industry towards the development and extended use of structured HAZID techniques, such as HAZOP analysis. Several extensive reviews of the available HAZID techniques can be found in the literature. For example, the review carried out by Glossop et al. (2000) describes more than 40 HAZID methods, but none of them appears to cover accident scenarios occurring outside the normal range of expectations of unwanted events in the HAZID process.

A technique that has been increasingly used in the last 15 years is the LOPA methodology. It allows the evaluation of the risk of individual hazard scenarios by combining initiating event frequencies with the failure probabilities of protection layers. Commonly, it is used after a process hazard analysis (e.g. HAZOP), which should provide the LOPA team with a list of hazard scenarios with the associated consequence description and potential safeguards for consideration (Dowell and Williams, 2005; Baybutt, 2012a). The data needed to perform LOPA include the following: initiating events in enough detail to assess their frequency of occurrence; scenario consequence description and type in enough detail to assign an impact level; risk rankings that can be used in screening scenarios for LOPA (Baybutt, 2014). However, process hazard analysis studies often provide insufficient detail to perform LOPA studies properly (e.g., failure modes, equipment failures, human errors, personnel competency, etc.) (Baybutt, 2012a). In the following section, some recent works on new safety methodologies that provide an appropriate approach for the safety design of LNG plants are examined.

2.1. Existing literature related to the recent safety studies of LNG technologies

Tugnoli et al. (2010) examined the potential hazards associated with the new technologies used in LNG on-shore and off-shore terminals by identifying each possible system failure and the consequence chain. The preliminary application to the reference LNG schemes suggested that different tools are required to compare the expected safety performance of LNG technologies. The authors reported that the identification of expected accident scenarios achieved using the methodology for the identification of major accident hazards (MIMAH), a procedure based on the bow-tie approach that generates a draft list of critical events for each hazard (Delvosalle et al., 2006), yielded similar final outcomes among the different technologies because the regasification process, the material and the operating conditions are similar for all set-ups. To overcome this weakness, the assessment of key performance indicators (KPIs) allowed the alternative technologies to be evaluated, yielding a comparison of the possible loss of containment events or critical events. Subsequently, Tugnoli et al. (2011) used a modified MIMAH procedure to obtain a preliminary set of reference LNG accident scenarios, and the results were then revised and integrated with those obtained from other identification techniques (e.g., HAZOP, past accident analysis). This improved version of the MIMAH methodology was used by Paltrinieri et al. (2013a, 2013b), who proposed the dynamic procedure for atypical scenarios identification (DyPASI), a method aimed at the systematisation of the information obtained from risks related to past accident events, near misses and risk studies. The DyPASI methodology was utilised to mitigate the deficiencies of the current HAZID techniques in the identification of unexpected potential hazards related to atypical scenarios and to integrate the recommendations from past atypical accidents.

Rathnayaka et al. (2011a, 2011b) developed a new safety assessment methodology, system hazard identification, prediction and prevention (SHIPP), to provide a guide for possible improvements at every step of the accident sequence process. Hazards related to LNG properties and processing were identified and analysed to investigate possible accident scenarios, causes and their consequences. In the SHIPP methodology, the process accident model is based on the conceptual offshore accident model of Kujath et al. (2010). The model has been set up by placing five successive safety barriers in sequential order together with two additional safety barriers that are common to all of them. The five safety barriers are release prevention, dispersion prevention, ignition prevention, escalation prevention, and damage control and emergency management. To depict human management, two additional safety barriers have been kept: the human factor, and the management and organisational factor. Accident analysis techniques, such as fault trees (FT) and event trees (ET), have been used to obtain predictive capabilities.
To perform FT and ET analyses, the basic event failure data are adopted from reliability databases, literature or expert judgement; therefore the quantification includes uncertainties. However, the authors introduced a Bayesian updating mechanism to minimise the uncertainty in the quantitative analysis (Rathnayaka et al., 2011a, 2011b).

2.2. Observation and shortcomings

The methodologies under review represent very important efforts and results in the development of guidelines for the assessment of accidents. Moreover, progress has been made in the development of specific hazard identification techniques. Nevertheless, some potential concerns are:
- the lack of a methodology that has been proven to be simple and versatile enough to support safety professionals in all steps of the risk assessment (often the choice of a particular hazard identification technique depends on the purpose for which the study is performed);
- the need for analysis techniques that more consistently assess the critical safety points, such as human error (Castiglia et al., 2008; Casamirra et al., 2009; Castiglia et al., 2014), failure modes, multiple or common cause failures, and the correlation of causes and consequences for each process unit and operation mode. These data are necessary for quantitative assessments of the occurrence probability of hazards, the characterisation of their consequences and the propagation of these consequences to other units;
- the need for safety management tools that help operators to plan safety and maintenance procedures;
- if some processes are improved or equipment is replaced in a system, it is very important to ensure that the previously identified possible faults are still valid. This consists in applying, for example, "ad hoc" management of change (MOC) procedures, which need complete and accurate written information and data concerning the process technology and process equipment.

3. Description of the proposed safety methodology

To combine the distinctive features of the HAZOP and FMECA methodologies, the FHIA approach has been divided into three main steps, as shown in Fig. 1.

Fig. 1. How to build the FHIA analysis.

In the first step, the safety analysts and design experts must have an accurate description of the facility and the process (Baybutt, 2012b): process flow diagrams; piping and instrumentation diagrams (P&IDs); component reliability data; safety instrumented systems; operating instructions; safety shutdown procedures; process limits. The operational tasks (operating and maintenance procedures, inspection, etc.) that meet the operating goals and subgoals should also be examined. This scheme should allow the team to break up the system into a number of subsystems and to describe the various operating conditions for each subsystem.

In the second step, the team compiles the FMECA worksheets for the components installed in each subsystem. This task should take into account the different operating conditions of the subsystem, which were previously examined in step 1. The team may also rank each failure according to the criticality of the failure effect and its probability of occurring using the risk priority number (RPN). This is not a long-term commitment but an initial workload, which needs to be revised only if system repairs, equipment installations or changes are performed. RPN uses three numerical values to describe each failure mode: the occurrence index (O), which describes the probability that a particular accidental event will occur; the severity index (S), which is a measure of the severity of the consequences resulting from the undetected failure mode; and the detection index (D), which describes the probability that the failure will be detected before the failure occurs. The product of these three numbers yields the RPN as follows:

$RPN = O \times S \times D$ (1)

Generally, the parameters O, S and D are estimated by expert judgement. The specific rating descriptions and criteria can be defined by the organisation or the analysis team to fit the products or processes that are being analysed (Stamatis, 1995a,b). The failure modes with higher RPN should be corrected with a higher priority than those with lower RPN. The O, S and D used in the FHIA analysis are based on the ranking scales presented in Tables 1–3, which summarise some evaluation criteria used in many hazardous industrial processes (Stamatis, 1995a,b; McDermott et al., 1996; Dieter, 2000; Press, 2003; Davie, 2008; Giardina et al., 2014). The RPN lies between 1 and 1000, and some users define priorities in the FMECA procedure as follows: very low if RPN < 5 (follow-up actions almost unnecessary); low if 5 < RPN < 20 (minor priority for follow-up actions); medium if 20 < RPN < 200 (moderate priority for follow-up actions); high if 200 < RPN < 500 (high priority for follow-up actions); very high if RPN > 500 (follow-up actions absolutely necessary; unacceptable). Obviously, the threshold value at which the risk is acceptable can be modified, taking into account the values assigned by the experts on the basis of the criticality attributed to the severity levels. It should be noted that, in traditional FMECA applications, the RPN is unable to address human errors; therefore, this paper proposes the incorporation of human error into the occurrence parameter, O. The values reported in Table 1 are the occurrence rankings for the component failures and the human errors used in our analysis.

In the third step, the team focuses on specific points of each subsystem, called internal and external nodes. At each of these nodes, deviations in the process parameters are examined using the guide words (Dunjo et al., 2011a, 2011b). To perform this task, the main causes that produce the performance deviations (i.e., failures or human errors), identified in step 2, can easily be used and added to the HAZOP worksheets (Fig. 1). For each TE identified via the HAZOP procedure, the critical causes can be ranked using the RPN index. Obviously, the team can also decide to set a cut-off value for the O and D indexes in order to improve the knowledge base on specific safety aspects.

3.1. Advantages of the proposed methodology

The proposed approach can significantly reduce the subjective factors that arise from a lack of information that forces analysts to make many simplifications. Moreover, it becomes possible:
- to count how many times the failure modes (causes of deviation), examined using the FMECA method, can produce the accidental events (consequences) identified using the HAZOP analysis. This can be done for each operating condition (e.g., the internal or external recirculation processes examined in Section 5);
- to identify multiple failures affecting each system or neighbouring systems;
- to rank the critical failure modes for each TE;
- to group the worksheets by node, physical parameter (e.g. flow, pressure, temperature, level, etc.), type of deviation (e.g. "more than", "less than", etc.), cause of deviation (failure modes or human errors) and TEs;
Table 1. FMECA scale for the probabilities of component failures and human errors, O.

Rank  Component failure occurrence probability (per operating day)  Human error occurrence
1     < 1:20,000                                                    Less than every 5 years
2     1:20,000                                                      Every 3–5 years
3     1:10,000                                                      Every 1–3 years
4     1:2000                                                        Per year
5     1:1000                                                        Every 6 months
6     1:200                                                         Every 3 months
7     1:100                                                         Per month
8     1:20                                                          Per week
9     1:10                                                          Every few days
10    1:2                                                           Per day

Qualitative description of the component failure occurrence, in increasing order of rank: unlikely, unreasonable to expect failure to occur; low failure rate; occasional failures; repeated failures; inevitable failure, almost certain to cause problems.
- to support the analysts in the revision and revalidation of the safety analysis (for example, to study different nodes for similar processes in different subsystems, to upload safety data for the same components used in different configurations, or to perform MOC procedures), and to help decision makers choose appropriate safety controls and plan maintenance procedures;
- to collect a significant amount of information regarding the processes and safety data.

The software package RAD was designed to standardise the above procedure. It allows, for example, the use of graphical interfaces to retrieve tables or to store data relevant to component failure modes, to compile FMECA or HAZOP worksheets, to evaluate the RPN index, to choose the nodes in the P&ID of the system and to classify the TEs.
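As an added worked example (this is not code from the paper or from the RAD software), the following Python encodes the occurrence scale of Table 1, Eq. (1) and the priority bands of Section 3, and ranks the causes of one top event with the optional O and D cut-offs of step 3. How a measured probability or error interval is mapped onto a rank, and where the band boundary values 5, 20, 200 and 500 fall, are assumptions of this example and are stated in the comments; the three sample rows are the rows of Table 5 (Section 5.2), but grouping them under a single top event is a construction for the example.

```python
from dataclasses import dataclass

# Table 1, component column: failure probability per operating day, one nominal
# value per rank. Assumption for this example: a probability p takes the lowest
# rank whose nominal value is >= p; anything below 1:20,000 is rank 1 and
# anything above 1:2 is rank 10.
O_COMPONENT = [(1 / 20000, 2), (1 / 10000, 3), (1 / 2000, 4), (1 / 1000, 5),
               (1 / 200, 6), (1 / 100, 7), (1 / 20, 8), (1 / 10, 9)]

# Table 1, human-error column, read as the mean interval between errors in days
# (assumption: "every 3-5 years" means an interval longer than 3 years, etc.).
O_HUMAN = [(5 * 365, 1), (3 * 365, 2), (365, 3), (182, 4), (91, 5),
           (30, 6), (7, 7), (2, 8), (1, 9)]


def o_rank_component(p_per_day):
    """Occurrence rank O for a component failure probability per operating day."""
    if p_per_day < 1 / 20000:
        return 1
    for bound, rank in O_COMPONENT:
        if p_per_day <= bound:
            return rank
    return 10


def o_rank_human(interval_days):
    """Occurrence rank O for a human error recurring every `interval_days` days."""
    for bound, rank in O_HUMAN:
        if interval_days > bound:
            return rank
    return 10


def rpn(o, s, d):
    """Eq. (1): RPN = O x S x D, each index being a rank in 1..10."""
    for x in (o, s, d):
        if not 1 <= x <= 10:
            raise ValueError("O, S and D are FMECA ranks in 1..10")
    return o * s * d


def priority(value):
    """Priority bands of Section 3. The paper writes them with strict
    inequalities, so the placement of 5, 20, 200 and 500 is an assumption."""
    if value < 5:
        return "very low"
    if value < 20:
        return "low"
    if value < 200:
        return "medium"
    if value < 500:
        return "high"
    return "very high"


@dataclass(frozen=True)
class Cause:
    """One cause of a top event: a FMECA failure mode or a human error (step 3)."""
    component: str
    failure_mode: str
    phase: str
    o: int
    s: int
    d: int

    @property
    def rpn(self):
        return rpn(self.o, self.s, self.d)


def rank_causes(causes, o_cutoff=1, d_cutoff=1):
    """Rank the causes of one TE by RPN, highest first. Causes whose O or D
    rank is below the cut-off are dropped (the optional filter of step 3)."""
    kept = [c for c in causes if c.o >= o_cutoff and c.d >= d_cutoff]
    return sorted(kept, key=lambda c: (-c.rpn, c.component))


# Sample input: the three rows of Table 5 (LT subsystem). Treating them as the
# causes of one top event is a construction of this example.
TABLE_5 = [
    Cause("I8a, I9a, I8b, I9b", "Leakage", "Recirculation phase", 2, 7, 3),
    Cause("I8a", "Failure to open", "Recirculation phase", 3, 7, 4),
    Cause("HEM1a, HEM1b", "Human error in pump maintenance",
          "Nominal phase; recirculation phase", 2, 7, 5),
]

if __name__ == "__main__":
    # Constructed inputs to the scale lookups: a human error every two years
    # and a component failing once in 5000 operating days.
    print("O(human, 730 d) =", o_rank_human(730),
          " O(component, 1/5000) =", o_rank_component(1 / 5000))
    for c in rank_causes(TABLE_5):
        print(f"RPN {c.rpn:3d} ({priority(c.rpn)}): {c.component} / {c.failure_mode}")
```

Running the block reproduces the RPN values printed in Table 5 (84, 70, 42, all in the "medium" band), and `rank_causes(TABLE_5, o_cutoff=3)` keeps only the "failure to open" row, which is the kind of focus the O cut-off is meant to give.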
Table 2. FMECA scale for the severity, S.

Rank  Effect        Severity of each effect of failure or error
1     None          No reason to expect the failure to have any effect on safety, health, environment or mission.
2     Very minor    Very minor effect on product or system performance, with no effect on safety or health. The system does not require repair.
3     Minor         Minor effect on product or system performance, with no effect on safety or health. The system can require repair.
4     Low           Very low effect on system performance. The failure is not serious enough to cause injury, property damage or system damage, but can result in unscheduled maintenance or repair.
5     Moderate      Moderate effect on system performance; the system requires repair. A failure which may cause moderate injury, moderate property damage or moderate system damage, resulting in delay or loss of system availability or mission degradation. 100% of the mission may need to be reworked or the process delayed.
6     Significant   System performance is degraded. Some safety functions may not operate. The failure causes injury, property damage or system damage. Some portion of the mission is lost. High delay in restoring function.
7     Major         System performance is severely affected but the system functions (reduced level of safety performance). The system may not operate. The failure does not involve noncompliance with government regulations or standards.
8     Extreme       The system is inoperable with loss of primary function. The failure can involve hazardous outcomes and/or noncompliance with government regulations or standards.
9     Very extreme  The failure involves hazardous outcomes and/or noncompliance with government regulations or standards. Potential safety, health or environmental issue. The failure will occur with warning.
10    Serious       The failure is hazardous and occurs without warning. It affects safe operation. The failure is serious enough to cause injury, property damage or system damage. The failure will occur without warning.

Table 3. FMECA scale for detection, D.

Rank  Degree of importance  Probability of failure detection (%)  Likelihood of detection of failure or error
1     Almost certain        0–5      Current control(s) almost certainly will detect a potential failure mode/task error. Reliable controls are known from similar processes.
2     Very high             5–15     Very high likelihood that current control(s) will detect failure modes/task errors. Controls are able to detect within the same machine/module (almost always preceded by a warning).
3     High                  15–25    High chance that the design control(s) will detect a potential failure mode/task error. Controls are able to detect within the same function area.
4     Moderately high       25–35    Moderately high likelihood that current control(s) will detect failure modes/task errors.
5     Moderate              35–45    Moderate chance that the design control will detect a potential failure mode/task error, or the defect will remain undetected until system performance is affected.
6     Low                   45–55    Low likelihood that current control(s) will detect failure modes/task errors (program or operator is not likely to detect a potential design weakness).
7     Very low              55–65    Very low likelihood that current control(s) will detect failure modes/task errors (program or operator will not detect a potential design weakness).
8     Remote                75–85    Remote chance that the design control will detect a potential failure mode/task error, or the defect will remain undetected until an inspection or test is carried out.
9     Very remote           85–95    The defect most likely remains undetected (very remote chance that the design control will detect a potential cause/mechanism and subsequent failure modes), or the task will be performed in the presence of the defect.
10    Almost impossible     90–100   System failures are not detected (the design control will not and/or cannot detect a potential cause/mechanism and subsequent failure modes), or there is no design verification, or the task will certainly be performed in the presence of the defect.

The percentage ranges of Table 3 are reproduced as printed; note that they leave a gap between 65% and 75% and overlap between 90% and 95%, so a team adopting this scale should fix the boundaries before use.

Fig. 2. A schematic of the process used in the LNG regasification terminal under construction at Porto Empedocle, Italy.

Fig. 3. A schematic of the pipeline subsystems and a representation of the control and safety devices of the storage system.

4. The Porto Empedocle regasification terminal

FHIA has been applied to the risk analysis of the storage systems in an LNG regasification terminal, which is being constructed in an area located to the east of the existing port at Porto Empedocle on the Mediterranean Sea. A schematic of the process is represented in Fig. 2. It is well known that the most economical way to transport natural gas over long distances is through liquefaction of the gas and shipment in special LNG tankers. During the liquefaction process, NG, composed mainly of methane, is cooled to approximately −160 °C at atmospheric pressure. The transfer of heat from the surroundings to the cryogenic LNG causes vaporisation, generating boil-off gas (BOG) in the LNG storage tanks and in the pipelines.

The LNG is transferred to two cryogenic storage tanks using two unloading arms that connect the terminal piping system to the tanker ships. Each storage tank consists of an inner and an outer tank. The inner tank is constructed of carbon steel and has a flat bottom, dome roof and cylindrical shell. The outer tank is designed to contain product vapours and to protect the insulation systems from moisture and other conditions. The tank design allows for both top and bottom filling to prevent stratification of the tank's inventory. Temperature and density measurement devices are located in the LNG storage tanks to provide the plant operator with a means to detect LNG stratification. Moreover, level measurements are carried out for the execution of automated level control using a tank-to-tank transfer system. The LNG is stored at the same cryogenic conditions as in the LNG carrier, and the pressure is slightly above atmospheric pressure.

Each tank is provided with six cryogenic compressors (including one as a reserve) to supply the LNG to the BOG condensers. The condensed LNG is pumped at gas pipeline pressure by the high-pressure send-out pumps and is then heated by the LNG vaporisers for pipeline gas distribution. The vapours generated from the LNG ship unloading system and during normal operation are compressed by the boil-off gas compressors and are then recondensed by mixing with the subcooled LNG send-out. A portion of the LNG vapour is sent to the LNG ship tanks to avoid vacuum depressurisation of the carrier tanks. If the tank pressure exceeds the maximum operating limit, the
pressure control valves automatically relieve the excess vapour using blowdown systems. The system is designed to identify gas releases (F&G, fire and gas detection system) and to help pinpoint their source so that the operator can initiate the emergency shutdown using the emergency shutdown and detection system (ESD). This system can initiate automatic transfer shutdown actions in case of a significant LNG leak.

4.1. LNG storage process

The safety and control devices of the storage system are represented in Fig. 3. Table 4 reports the acronyms and the line shapes used to describe the various components and the pipeline subsystems shown in Fig. 3. For the safety analysis, the storage system has been divided into five subsystems (Fig. 3):
- transfer pipelines (LT),
- hot gas pipelines (ST),
- boil-off vapour pipelines (BO),
- extraction pipelines (LE),
- recirculation pipelines (RI).
Table 4. Acronyms and line shapes used to describe the components and pipeline subsystems in the safety analysis.

Line shapes (Fig. 3): transfer pipeline subsystem (LT); hot gas pipeline subsystem (ST); boil-off gas pipeline subsystem (BO); recirculation pipeline subsystem (RI); extraction pipeline subsystem (LE); serial connection.

Acronym   Description
B         Barrel cryogenic pump
DIC       Density indication and control
FIC       Flow indication and control
HE        Human error (carelessness, forgetfulness, inattention, etc.)
HEM       Human error in maintenance
I         Check valve
ITO       Inadequately trained operator
IGI       Improper guidelines and instruction
LAH       High level alarm
LAL       Low level alarm
N1 ÷ N5   HAZOP nodes
PC        Pressure control
PIC       Pressure indication and control
PSV       Pressure safety valve
TI        Temperature indication
TK        Storage tank
VFIC      Valve controlled by FIC
VPC       Valve controlled by PC
VPIC      Valve controlled by PIC
XA        Roll-over alarm

As described below, several operating conditions can be carried out in the same system and subsystem. Barrel cryogenic pumps (B) are installed within the LNG tanks and can be removed for maintenance, as required. The suction pot of the pump must be liquid filled prior to starting the pump. Moreover, cool-down of the pump is a delicate procedure that must be performed slowly to prevent excessive thermal stresses and damage to the pump.

The LT subsystem consists of two pipelines, which allow the transfer of LNG from the ships to the storage tanks during the operating phase of "ship unloading". Internal and external recirculation processes are foreseen in the storage tanks to avoid LNG height differences between the vessels, and LNG stratification or rollover. Rollover can occur as the consequence of a lack of mixing, or poor mixing, with the LNG unloaded from the ships. The "layers", with different densities, could mix as a result of: heat and LNG input from the outside; transfer of mass and heat between contiguous layers; and evaporation at the liquid surface. If the layers have different saturation temperatures, spontaneous mixing is accompanied by a significant uncontrolled increase in LNG evaporation, which can develop into a hazardous situation (Bates and Morrison, 1997; Wang et al., 2006; SIGTTO, 2012). For this reason, the system is provided with safety devices, and various alarms are located in the storage tanks. There are (Fig. 3):
- rollover alarms (XA1a and XA1b),
- level alarms (LALa and LALb for low level measurement; LAHa and LAHb for high level measurement),
- specific measuring devices that detect the values of the LNG pressure (PICa and PICb), temperature (TI1a and TI1b) and density (DICa and DICb).

The external recirculation process involves both storage tanks by using part of the transfer pipelines LT (Fig. 3). This procedure is used during both "ship unloading" and non-"ship unloading" operating conditions. The reduction of the BOG inflow into the storage tanks is performed by keeping the unloading pipes at cryogenic conditions and by extracting a small amount of send-out LNG, which is sent to the BOG compressors using the pipeline subsystem BO. The pipelines from the BOG compressors or from the fuel gas distribution system (hot gas pipeline subsystem, ST) allow gas to flow into the storage tank in order to quickly raise the pressure to the operating value. This safety system operates independently for each storage tank using pressure transducers (PICa and PICb) located on the dome roof. These pressure transducers open the valves VPICa and VPICb of the pipeline subsystem ST. After temporary storage, the LNG is transferred from the tanks and pumped through the LE subsystem to the next stage in the process. Finally, among the various management procedures and emergency plans, the operator can activate the following devices:
- recirculation processes using the barrel cryogenic pumps,
- pressure-relief system,
- emergency shutdown system,
- blow-down system.

5. Safety analysis of LNG storage systems and results

To classify the components in the RAD software, the name assigned to each component consists of three parts: the first is literal and defines the type of component; the second is a numerical sequence that differentiates components of the same type; the third part is the letter "a", "b" or "c", depending on whether the component belongs to tank TKa, tank TKb, or both, respectively (Fig. 3). Human error occurrence probabilities have been calculated using the fuzzy HEART (Human Error Assessment and Reduction Technique) methodology, a versatile tool to support safety studies in various industrial fields characterised by innovative systems (Castiglia and Giardina, 2011, 2013). The calculation has been performed taking into account the conditions that increase the errors, such as "shortage of time for error detection or correction", "information overload" and "transfer of knowledge from one task to another". Moreover, complex tasks that require a high level of comprehension and skill have been hypothesised in the management of the safety procedures. To be conservative, the highest probability values of the human error fuzzy intervals are used to rank the parameter O (Table 1), necessary for calculating the RPN by Eq. (1).

5.1. Safety analysis of LNG storage systems

The FMECA study of the devices operating in the storage system has led to the development of approximately 195 worksheets. The worksheets are divided into three categories to take into account whether the failure mode occurs during one or more operating conditions, i.e.:
- "ship unloading", defined as the "nominal phase";
- the recirculation process activated to avoid stratification or high level problems, defined as the "recirculation phase";
- both operating phases ("ship unloading" and "recirculation phase"), defined as "more phases".

For example, the alarm devices LALa and LALb, used to report low levels in the storage tanks (Fig. 3), operate during both "ship unloading" and the "recirculation phase" (that is, "more phases"), whereas the high level alarm devices, LAHa and LAHb, operate only during the "ship unloading" step (that is, the "nominal phase"). To perform the HAZOP analysis, five nodes were selected (Fig. 3):
- From the unloading arms (N1),
- From/to the unloading arms (N2),
- Storage tank TKa (N3),
- To the boil-off compressors (N4),
- The vapour pipeline from/to the unloading arms (N5).

The process parameters are the LNG flow rate and pressure, which are examined at all nodes (N1 through N5); the deviation of the level was also analysed at the internal node N3. The study led to the development of approximately 275 HAZOP worksheets and the identification of the following hazards (TEs):
- Overpressure in the LNG storage tank (TE1),
- Roll-over in the LNG storage tank (TE2),
- LNG storage tank overfilling (TE3),
- LNG leakage into the environment (TE4).

5.2. Results

To highlight the more critical failure modes, the faults with RPN ≥ 40 have been collected for each subsystem. Some main results are reported in Tables 5–9.

Table 5. Critical failure modes with RPN > 40 for the LT pipeline subsystem.

| Component | Failure mode | Operating phase | O | S | D | RPN |
| --- | --- | --- | --- | --- | --- | --- |
| I8a, I9a, I8b, I9b | Leakage | Recirculation phase | 2 | 7 | 3 | 42 |
| I8a | Failure to open | Recirculation phase | 3 | 7 | 4 | 84 |
| HEM1a, HEM1b | Human error in pump maintenance | Nominal phase, recirculation phase | 2 | 7 | 5 | 70 |

Table 6. Critical failure modes with RPN > 40 for the LE pipeline subsystem.

| Component | Failure mode | Operating phase | O | S | D | RPN |
| --- | --- | --- | --- | --- | --- | --- |
| I6b | Failure to open | Recirculation phase | 3 | 5 | 4 | 60 |
| I1a–I5a, I1b–I5b | Failure to open | Nominal phase | 3 | 4 | 4 | 48 |
| I1a–I5a, I1b–I5b | Failure to open | Recirculation phase | 3 | 6 | 4 | 72 |
| I1a–I6a, I1b–I6b | Leakage | More phases | 2 | 7 | 3 | 42 |

Several remarks can be made by summarising the critical failure modes and their consequences as shown in Fig. 4, where the results are presented in terms of the percentage of faults occurring in each pipeline subsystem:
- a significant number of failures in the ST pipeline subsystem involve “more phases” of the process;
- a significant number of the operating faults of the components in the RI pipeline subsystem affect the “recirculation phase”;
- many failures relevant to components operating in the LT and LE pipeline subsystems involve the “recirculation phase”.

Based on these outcomes, the failures have been classified according to severity (S) and examined for each pipeline subsystem (see Fig. 5 for the ST pipeline subsystem). This analysis highlights more than 40 failures characterised by serious hazards in the ST pipeline subsystem. Some failure modes are related to alarm devices and to an inadequately trained operator (Table 7); moreover, these faults have a low probability of failure detection. Fig. 6 reports the number of faults causing each TE at each node. All TEs have many failures associated with N3 (storage tank TKa); therefore, as expected, this node is a crucial point in terms of safety. These results highlight the following concerns:
- In the LT subsystem, the critical failure modes involve the valve I8a (RPN = 84) during the recirculation phase. This failure grows worse with the occurrence of accidental events related to overpressure in the storage tank (TE1), rollover (TE2) or storage tank overfilling (TE3). Human error in pump maintenance (HEM1a and HEM1b) can cause pump malfunctions, and these events can involve different TEs (TE1, TE2 and TE3);
- In the LE subsystem, the critical failure modes involve the valve I6b located in TKb (RPN = 60) and the valves I1a through I5a or I1b through I5b located in the storage tanks (RPN = 72) during the recirculation phase. These failures grow worse with the occurrence of accidental events related to overpressure in the storage tank (TE1) or rollover (TE2). Moreover, these failures can cause LNG flow rate reductions downstream of the storage tanks and problems in the next steps of the regasification process;
- In the ST subsystem, the critical failure modes concern the lack of an alarm signal from LALa, LALb, LAHa, LAHb, XA1a or XA1b (RPN = 56). These failures do not allow an operator to intervene in the case of overpressure in the LNG storage tank (TE1), rollover (TE2) or LNG storage tank overfilling (TE3). Improper guidelines and instruction (IGIc) or an inadequately trained operator performing the safety procedures (ITOc) can involve multiple or common cause failures and cause the worst critical conditions in different processes; these events can involve different TEs (TE1, TE2 and TE3);
- In the RI subsystem, the critical failure modes involve Ic (RPN = 84) and VFICc (RPN = 84). It is worth noting that the failures of Ic can occur during the recirculation phase, which is started precisely to mitigate phenomena such as stratification and high or low level in the storage tanks; therefore, this component is a very important safety concern;
- In the BO subsystem, the critical failure modes are LNG leakage from I1c or I2c (RPN = 56). These failures contribute to the occurrence of TE4.

An important aspect is that workers should be certified before being allowed to operate control and safety systems. The certification should require that individuals attain a passing score on an examination that tests their knowledge of topics such as the safety procedures for each process, troubleshooting, maintenance and repair. The examinations can consist of multiple-choice questions and written problems that test the candidate's ability to apply the knowledge and skills required for each subject. Moreover, redundant supervisory control of the various tasks performed by an operator, or a check-list for the maintenance procedure, can be provided or revised.

Fig. 4. The percentage of failure modes obtained in the FHIA analysis for each pipeline subsystem.

Table 7. Critical failure modes with RPN > 40 for the ST pipeline subsystem.

| Component | Failure mode | Operating phase | O | S | D | RPN |
| --- | --- | --- | --- | --- | --- | --- |
| IGI1c | Improper guidelines and instruction | More phases | 2 | 7 | 6 | 84 |
| ITO1c | Inadequately trained operator for safety procedures in high level signal | Nominal phase | 3 | 7 | 7 | 147 |
| ITO2c | Inadequately trained operator for safety procedures in roll-over phenomena | More phases | 3 | 7 | 7 | 147 |
| VPICa, VPICb | Failure to open | Recirculation phase | 3 | 4 | 4 | 48 |
| VPICa, VPICb | Leakage | More phases | 2 | 7 | 3 | 42 |
| LAHa, LAHb | No signal | Nominal phase | 2 | 7 | 4 | 56 |
| XA1a, XA1b | No signal | Nominal phase | 2 | 7 | 4 | 56 |
| LALa, LALb | No signal | More phases | 2 | 7 | 4 | 56 |

Table 8. Critical failure modes with RPN > 40 for the RI pipeline subsystem.

| Component | Failure mode | Operating phase | O | S | D | RPN |
| --- | --- | --- | --- | --- | --- | --- |
| Ic | Failure to open | Recirculation phase (high level, stratification, roll-over) | 3 | 7 | 4 | 84 |
| Ic | Failure to open | Recirculation phase (low level) | 3 | 5 | 4 | 60 |
| Ic | Leakage | More phases | 2 | 7 | 3 | 42 |
| IGI2c | Improper guidelines and instruction | More phases | 2 | 7 | 6 | 84 |
| ITO2c | Inadequately trained operator for safety procedures in rollover phenomena | More phases | 3 | 7 | 7 | 147 |
| ITO3c | Inadequately trained operator for safety procedures in stratification signal | More phases | 3 | 7 | 7 | 147 |
| VFICa, VFICb | Leakage | More phases | 2 | 7 | 3 | 42 |
| VFICa, VFICb | Failure to open | Recirculation phase (stratification) | 3 | 4 | 4 | 48 |
| VFICc | Failure to open | Recirculation phase (high level, stratification, rollover) | 3 | 7 | 4 | 84 |
| FICc | Measurement error | Recirculation phase | 1 | 7 | 6 | 42 |

Table 9. Critical failure modes with RPN > 40 for the BO pipeline subsystem.

| Component | Failure mode | Operating phase | O | S | D | RPN |
| --- | --- | --- | --- | --- | --- | --- |
| I10a, I10b | Leakage | More phases | 2 | 7 | 3 | 42 |
| IGI3c | Improper guidelines and instruction | More phases | 2 | 7 | 6 | 98 |
| ITO4c | Inadequately trained operator for blowdown safety procedures | More phases | 3 | 7 | 7 | 147 |
| VPCc | Leakage | More phases | 2 | 7 | 3 | 42 |
| VPCc | Failure to open | Nominal phase | 3 | 4 | 4 | 48 |
| I1c, I2c | Leakage | Nominal phase | 2 | 7 | 4 | 56 |
| PSV1a, PSV1b | Delay in opening | Nominal phase | 1 | 8 | 5 | 40 |
| PSVa, PSVb | Delay in opening | Nominal phase | 1 | 8 | 5 | 40 |
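The RPN screening used in this section, as an added example that is not part of the paper or of the authors' RAD software. It takes the rows of Tables 5–9 as printed (failure-mode strings abbreviated, phase labels kept), recomputes RPN = O × S × D from Eq. (1), applies the paper's cut-off of 40, parses the three-part RAD component names described at the start of Section 5, and aggregates by operating phase and severity in the manner of Figs. 4 and 5. The function names, the `Row` record and the grouping of human-error entries by their HEM/IGI/ITO type letters are this example's own choices, not the authors'. The cross-check of printed RPN against O × S × D is the consistency test a reviewer would run over such tables before ranking on them.

```python
"""RPN criticality screening over FMECA worksheet rows. Added example, not the
authors' RAD software: RPN = O * S * D as in the paper's Eq. (1); the rows are
transcribed from Tables 5-9 as printed; the cut-off of 40 is the paper's."""
import re
from collections import Counter
from typing import NamedTuple

class Row(NamedTuple):
    subsystem: str     # pipeline subsystem: LT, LE, ST, RI or BO
    components: tuple  # RAD names: type letters + sequence number + a/b/c (tank TKa, TKb, both)
    failure_mode: str
    phase: str         # operating phase as printed in the table
    o: int             # occurrence
    s: int             # severity
    d: int             # detection (higher = less likely to be detected)
    rpn_printed: int   # RPN as printed, kept for cross-checking

ROWS = [Row(*r) for r in [
    ("LT", ("I8a", "I9a", "I8b", "I9b"), "Leakage", "Recirculation phase", 2, 7, 3, 42),
    ("LT", ("I8a",), "Failure to open", "Recirculation phase", 3, 7, 4, 84),
    ("LT", ("HEM1a", "HEM1b"), "Human error in pump maintenance", "Nominal phase, Recirculation phase", 2, 7, 5, 70),
    ("LE", ("I6b",), "Failure to open", "Recirculation phase", 3, 5, 4, 60),
    ("LE", tuple(f"I{i}{t}" for t in "ab" for i in range(1, 6)), "Failure to open", "Nominal phase", 3, 4, 4, 48),
    ("LE", tuple(f"I{i}{t}" for t in "ab" for i in range(1, 6)), "Failure to open", "Recirculation phase", 3, 6, 4, 72),
    ("LE", tuple(f"I{i}{t}" for t in "ab" for i in range(1, 7)), "Leakage", "More phases", 2, 7, 3, 42),
    ("ST", ("IGI1c",), "Improper guidelines and instruction", "More phases", 2, 7, 6, 84),
    ("ST", ("ITO1c",), "Inadequately trained operator (high level signal)", "Nominal phase", 3, 7, 7, 147),
    ("ST", ("ITO2c",), "Inadequately trained operator (roll-over)", "More phases", 3, 7, 7, 147),
    ("ST", ("VPICa", "VPICb"), "Failure to open", "Recirculation phase", 3, 4, 4, 48),
    ("ST", ("VPICa", "VPICb"), "Leakage", "More phases", 2, 7, 3, 42),
    ("ST", ("LAHa", "LAHb"), "No signal", "Nominal phase", 2, 7, 4, 56),
    ("ST", ("XA1a", "XA1b"), "No signal", "Nominal phase", 2, 7, 4, 56),
    ("ST", ("LALa", "LALb"), "No signal", "More phases", 2, 7, 4, 56),
    ("RI", ("Ic",), "Failure to open", "Recirculation phase (high level, stratification, roll-over)", 3, 7, 4, 84),
    ("RI", ("Ic",), "Failure to open", "Recirculation phase (low level)", 3, 5, 4, 60),
    ("RI", ("Ic",), "Leakage", "More phases", 2, 7, 3, 42),
    ("RI", ("IGI2c",), "Improper guidelines and instruction", "More phases", 2, 7, 6, 84),
    ("RI", ("ITO2c",), "Inadequately trained operator (roll-over)", "More phases", 3, 7, 7, 147),
    ("RI", ("ITO3c",), "Inadequately trained operator (stratification signal)", "More phases", 3, 7, 7, 147),
    ("RI", ("VFICa", "VFICb"), "Leakage", "More phases", 2, 7, 3, 42),
    ("RI", ("VFICa", "VFICb"), "Failure to open", "Recirculation phase (stratification)", 3, 4, 4, 48),
    ("RI", ("VFICc",), "Failure to open", "Recirculation phase (high level, stratification, roll-over)", 3, 7, 4, 84),
    ("RI", ("FICc",), "Measurement error", "Recirculation phase", 1, 7, 6, 42),
    ("BO", ("I10a", "I10b"), "Leakage", "More phases", 2, 7, 3, 42),
    ("BO", ("IGI3c",), "Improper guidelines and instruction", "More phases", 2, 7, 6, 98),
    ("BO", ("ITO4c",), "Inadequately trained operator (blowdown procedures)", "More phases", 3, 7, 7, 147),
    ("BO", ("VPCc",), "Leakage", "More phases", 2, 7, 3, 42),
    ("BO", ("VPCc",), "Failure to open", "Nominal phase", 3, 4, 4, 48),
    ("BO", ("I1c", "I2c"), "Leakage", "Nominal phase", 2, 7, 4, 56),
    ("BO", ("PSV1a", "PSV1b"), "Delay in opening", "Nominal phase", 1, 8, 5, 40),
    ("BO", ("PSVa", "PSVb"), "Delay in opening", "Nominal phase", 1, 8, 5, 40),
]]

_NAME = re.compile(r"^([A-Z]+)(\d*)([abc])$")
_TANKS = {"a": ("TKa",), "b": ("TKb",), "c": ("TKa", "TKb")}
_HUMAN = ("HEM", "IGI", "ITO")  # type letters the tables use for human-error entries

def parse_component(name):
    """Split a RAD name into (type letters, sequence number or None, tanks served)."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"not a RAD component name: {name!r}")
    kind, seq, tank = m.groups()
    return kind, (int(seq) if seq else None), _TANKS[tank]

def rpn(o, s, d):
    """Risk priority number, Eq. (1): occurrence x severity x detection."""
    return o * s * d

def inconsistent_rows(rows):
    """(subsystem, first component, O*S*D, printed RPN) wherever the two disagree."""
    return [(r.subsystem, r.components[0], rpn(r.o, r.s, r.d), r.rpn_printed)
            for r in rows if rpn(r.o, r.s, r.d) != r.rpn_printed]

def critical(rows, threshold=40):
    """Rows whose recomputed RPN reaches the threshold, most critical first."""
    hits = [r for r in rows if rpn(r.o, r.s, r.d) >= threshold]
    return sorted(hits, key=lambda r: (-rpn(r.o, r.s, r.d), r.subsystem))

def phase_share(rows, subsystem):
    """Percentage of a subsystem's rows per phase label, parentheticals dropped (cf. Fig. 4)."""
    sub = [r for r in rows if r.subsystem == subsystem]
    counts = Counter(r.phase.split(" (")[0] for r in sub)
    return {k: round(100.0 * v / len(sub), 1) for k, v in counts.items()}

def severity_counts(rows, subsystem):
    """Number of a subsystem's rows per severity score S (cf. Fig. 5)."""
    return dict(Counter(r.s for r in rows if r.subsystem == subsystem))

def human_error_rows(rows):
    """Rows whose component is a human-error entry (HEM, IGI or ITO type letters)."""
    return [r for r in rows if parse_component(r.components[0])[0] in _HUMAN]

if __name__ == "__main__":
    print("printed RPN != O*S*D:", inconsistent_rows(ROWS))
    print("ST rows by phase:", phase_share(ROWS, "ST"))
```

Run stand-alone, the consistency check returns only the IGI3c row of Table 9, whose printed RPN of 98 does not equal 2 × 7 × 6 = 84; the other 32 rows reproduce. Two caveats: Fig. 4 is computed over all worksheets, whereas `phase_share` here only sees the rows that survived the RPN ≥ 40 screen, so its percentages are a screening-level approximation rather than the figure's values; and because the paper takes the upper bound of the fuzzy HEART interval for O, the five RPN = 147 rows (all ITO entries) are conservative upper estimates, which is the intended reading of the ranking.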
Obviously, LNG installations are the object of comprehensive and rigorous safety integrity level (SIL) review (i.e., IEC 61511-1 and 61511-2) and asset integrity management planning, so the above results must be regarded as warnings that highlight the importance of each component and help determine whether it is necessary to review and establish more suitable controls in compliance with the regulations. The experience of Dunjó et al. (2010) confirms that detailed failure modes and an exhaustive list of initiating events can facilitate the subsequent analysis of SIL needs for risk reduction.

Fig. 5. Number of failures classified according to the severity (S) of components and human errors in the ST pipeline subsystem.

Fig. 6. The causes of failure identified by the TE at each node.

6. Conclusions

As noted by Qi et al. (2012), although a large number of process industries have made progress in process safety, incidents continue to occur on a regular basis due to insufficient identification of hazards. It has been shown that an extensive data collection scheme may be required to have a sufficient number of faults or human errors registered for the most reliable installations (Vinnem, 2010). Moreover, the experience of Dunjó et al. (2010) confirms that detailed failure modes and an exhaustive list of initiating events can facilitate the subsequent analysis of SIL needs for risk reduction. Therefore, it is important to provide a method able to support data gathering and the systematic and comprehensive identification of hazards under different operating conditions and during the various steps of the plant's processes. This is a very difficult task, especially in systems characterised by a large number of processes for the same subsystem. In this field, the proposed FMECA and HAZOP integrated analysis (FHIA) has been designed as a tool to develop specific criteria for reliability and risk data organisation. It has various advantages, such as a more consistent assessment of the critical safety points and of the cause-consequence correlation for each process unit and operation mode, as well as aiding safety professionals in all steps of the risk assessment, including the planning of safety and maintenance procedures. Additionally, it reduces the subjective factors that arise from the lack of information, which forces analysts to make many simplifications.
Another advantage is the collection of a significant amount of information regarding processes, which is particularly important when a company operates a similar process in several different locations and needs to improve organisational memory, communication and the exchange of useful safety data. To show the efficacy of the proposed approach, FHIA has been applied to the risk analysis of LNG storage systems, which have many operational and control management functions, sub-processes and safety issues. The analysis was supported by the new risk analysis database (RAD) software, developed at the Department of Energy, Information Engineering and Mathematical Models (DEIM), University of Palermo, Italy. The results showed that FHIA is a useful technique to identify the potential sources of human errors, the causal factors in faults, the multiple or common cause failures and the correlation of cause-consequence of hazards during the various steps of the process. Further research will focus on verifying the effectiveness of the proposed methodology by considering other case studies in different industrial systems.

References

Aronsson, E., 2012. FLNG Compared to LNG Carriers – Requirements and Recommendations for LNG Production Facilities and Re-gas Units (Master of Science thesis). Department of Shipping and Marine Technology, Chalmers University of Technology, Gothenburg, Sweden.
Bates, S., Morrison, D.S., 1997. Modeling the behavior of stratified liquid natural gas in storage tanks: a study of the rollover phenomenon. Int. J. Heat Mass Transf. 40, 1875–1884.
Baybutt, P., 2012a. Conducting process hazard analysis to facilitate layers of protection analysis. Process Saf. Prog. 31 (3), 282–286.
Baybutt, P., 2012b. Prework and precompletion of worksheets for process hazard analysis. Process Saf. Prog. 31 (3), 275–278.
Baybutt, P., 2014. Requirements for improved process hazard analysis (PHA) methods. J. Loss Prev. Process Ind. 32, 182–191.
Bernatik, A., Senovsky, P., Pitt, M., 2011. LNG as a potential alternative fuel – safety and security of storage facilities. J. Loss Prev. Process Ind. 24, 19–24.
Casamirra, M., Castiglia, F., Giardina, M., Lombardo, C., 2009. Safety studies of a hydrogen refuelling station: determination of the occurrence frequency of the accidental scenarios. Int. J. Hydrog. Energy 34 (14), 5846–5854.
Casamirra, M., Castiglia, F., Giardina, M., Tomarchio, E., 2009. A fuzzy modelling of HEART methodology: application in safety analyses of accidental exposures in irradiation plants. Radiat. Eff. Defects Solids 164, 291–296. http://dx.doi.org/10.1080/10420150902805153.
Castiglia, F., Giardina, M., Caravello, F.P., 2008. Fuzzy Fault Tree analysis in modern γ-ray industrial irradiator: use of fuzzy version of HEART and CREAM techniques for human error evaluation. In: International Conference on Probabilistic Safety Assessment and Management, PSAM9, 18–23 May 2008, Hong Kong, China, ISBN 978-988-99791-5-7.
Castiglia, F., Giardina, M., 2011. Fuzzy risk analysis of a modern gamma-ray industrial irradiator. Health Phys. 100 (6), 622–631.
Castiglia, F., Giardina, M., 2013. Analysis of operator human errors in hydrogen refuelling stations: comparison between human rate assessment techniques. Int. J. Hydrog. Energy 38, 1166–1176.
Castiglia, F., Giardina, M., Tomarchio, E., 2014. THERP and HEART integrated methodology for human error assessment. Radiat. Phys. Chem. (in press, available online 24 December 2014).
CCPS, 2001. Layer of Protection Analysis: Simplified Process Risk Assessment. AIChE, Center for Chemical Process Safety (CCPS), Wiley, New York.
Davie, J.L., 2008. An Analysis of Risk Perception and the RPN Index within Failure Modes and Effects Analysis. State University of New York at Buffalo, Industrial Engineering. ProQuest.
Delvosalle, C., Fievez, C., Pipart, A., Debray, B., 2006. ARAMIS project: a comprehensive methodology for the identification of reference accident scenarios in process industries. J. Hazard. Mater. 130, 200–219.
Dieter, G.E., 2000. Engineering Design, third ed. McGraw-Hill, New York, ISBN 0-07-366136-8.
Dowell, A., Williams, T., 2005. Layer of Protection analysis: generating scenarios automatically from HAZOP data. Process Saf. Prog. 24 (1), 38–44.
Dunjó, J., Fthenakis, V., Vílchez, J.A., Arnaldos, J., 2010. Hazard and operability (HAZOP) analysis. A literature review. J. Hazard. Mater. 173 (1–3), 19–32.
Dunjó, J., Fthenakis, V.M., Darbra, R.M., Vílchez, J.A., Arnaldos, J., 2011a. Conducting HAZOPs in continuous chemical processes: Part I. Criteria, tools and guidelines for selecting nodes. Process Saf. Environ. Prot. 89 (4), 214–222.
Dunjó, J., Fthenakis, V.M., Darbra, R.M., Vílchez, J.A., Arnaldos, J., 2011b. Conducting HAZOPs in continuous chemical processes: Part II. A new model for estimating HAZOP time and a standardized approach for examining nodes (Review). Process Saf. Environ. Prot. 89 (4), 224–233.
Giardina, M., Castiglia, F., Tomarchio, E., 2014. Risk assessment of component failure modes and human errors using a new FMECA approach: application in the safety analysis of HDR brachytherapy. J. Radiol. Prot. 34, 891–914.
Glossop, M., Ioannides, A., Gould, J., 2000. Review of Hazard Identification Techniques. Health and Safety Laboratory, Buxton, United Kingdom.
Kujath, M.F., Amyotte, P.R., Khan, F.I., 2010. A conceptual offshore oil and gas process accident model. J. Loss Prev. Process Ind. 23, 323–330.
Licari, F.A., Weimer, C.D., 2011. Risk-based siting considerations for LNG terminals – comparative perspectives of United States & Europe. J. Loss Prev. Process Ind. 24, 736–752.
McDermott, R.E., Mikulak, R.J., Beauregard, M.R., 1996. The Basics of FMEA. Productivity, Portland, OR, ISBN 0-527-76320-9.
Paltrinieri, N., Tugnoli, A., Buston, J., Wardman, M., Cozzani, V., 2013a. Dynamic procedure for atypical scenarios identification (DyPASI): a new systematic HAZID tool. J. Loss Prev. Process Ind. 26 (5), 879–948.
Paltrinieri, N., Tugnoli, A., Buston, J., Wardman, M., Cozzani, V., 2013b. DyPASI Methodology: from Information Retrieval to Integration of HAZID Process. In: Chemical Engineering Transactions, AIDIC, vol. 32.
Paltrinieri, N., Tugnoli, A., Cozzani, V., 2015. Hazard identification for innovative LNG regasification technologies. Reliab. Eng. Syst. Saf. 137, 18–28.
Pitblado, R.M., Woodward, J.L., 2011. Highlights of LNG risk technology. J. Loss Prev. Process Ind. 24, 827–836.
Press, D., 2003. Guidelines for Failure Mode and Effects Analysis (FMEA), for Automotive, Aerospace, and General Manufacturing Industries. CRC Press.
Qi, R., Prem, K.P., Ng, D., Rana, M.A., Yun, G., Mannan, M.S., 2012. Challenges and needs for process safety in the new millennium. Process Saf. Environ. Prot. 90 (2), 91–100.
Rathnayaka, S., Khan, F., Amyotte, P., 2011a. SHIPP methodology: predictive accident modeling approach. Part I: methodology and model description. Process Saf. Environ. Prot. 89, 151–164.
Rathnayaka, S., Khan, F.I., Amyotte, P., 2011b. SHIPP methodology: predictive accident modeling approach. Part II: validation with case study. Process Saf. Environ. Prot. 89, 75–88.
Rathnayaka, S., Khan, F., Amyotte, P., 2012. Accident modeling approach for safety assessment in an LNG processing facility. J. Loss Prev. Process Ind. 25, 414–423.
SIGTTO, 2012. Guidance for the Prevention of Rollover in LNG Ships. Witherby Publishing Group Ltd.
Stamatis, D.H., 1995a. Failure Mode and Effects Analysis: FMEA from Theory to Execution. ASQC Quality Press, New York.
Stamatis, D.H., 1995b. Failure Mode and Effects Analysis: FMEA from Theory to Execution. ASQC Quality Press, New York.
Tugnoli, A., Paltrinieri, N., Landucci, G., Cozzani, V., 2010. LNG regasification terminals: comparing the inherent safety performance of innovative technologies. In: Chem. Eng. Trans., Milano, AIDIC, pp. 391–396.
Tugnoli, A., Paltrinieri, N., Antonioni, G., Bonvicini, S., Spadoni, G., Cozzani, V., 2011. Safety assessment in LNG terminals: identification of accident scenarios by an improved identification technique. In: Chemical Engineering Greetings, Milan, AIDIC, pp. 287–296.
Vinnem, J.E., 2010. Risk indicators for major hazards on offshore installations. Saf. Sci. 48 (6), 770–787.
Wang, Y., Cormier, B., West, H., 2006. LNG rollover: converting a safety problem to tank loading operational asset. In: AIChE Spring National Meeting, Conference Proceedings, Orlando, FL, United States.