PMC
Safety Integrity Level (SIL) Classification Report
Doc. No.: 7S92-060110000-SHR-004A
Rev.: 3
Date: 05 Feb 2010
Page: 2 of 74

CONTENTS

EXECUTIVE SUMMARY
1. INTRODUCTION AND SCOPE OF WORK
   1.1 Introduction
   1.2 Objectives of the Study
2. SIL STUDY BASIS AND DEFINITIONS
   2.1 Basis
   2.2 Definition of SIL
   2.3 Background to Risk Based Approach Adopted for SIL Selection
3. SIL METHODOLOGY
   3.1 Overview
   3.2 Identification of SIFs
   3.3 Description of Function, Initiators and Final Elements
   3.4 Causes of SIF Demand and Consequences of SIF Failure
   3.5 Further Elaboration on the Approach Adopted
   3.6 Worksheets
   3.7 Assumptions
4. SIL SESSIONS
   4.1 Study Period
   4.2 Study Team
5. FINDINGS
6. RECOMMENDATIONS
7. CONCLUSIONS
8. REFERENCES
Annex A ATTENDANCE LIST
Annex B SIL CLASSIFICATION CHART
Annex C RISK DIAGRAMS

Annex D FUNCTION LIST
Annex E SIL WORK SHEETS

EXECUTIVE SUMMARY

A Safety Integrity Level (SIL) classification study was carried out as part of the detailed
design phase for the PTT LNG Receiving Terminal at Map Ta Phut, Thailand. The objective
of the SIL classification study was to determine the required SIL of the Safety Instrumented
Functions (SIFs), based on an assessment of the risk of injury to people and damage to the
environment. The SIL defines the minimum level of safety integrity (or reliability)
required to be implemented for each specific SIF application. The SIL could range from SIL
1 to SIL 3 (highest level of safety integrity required). The designation "SIL -" has also
been used for SIFs not requiring a specific level of safety integrity.

The SIL Classification study was carried out following the completion of the HAZOP
(Hazard and Operability) study. The SIL study sessions were held at the TF office in Seoul,
Korea over a period of three days in July 2008, and involved representatives from PTT LNG
(Owner), Fluor (PMC), SPAN, GS Engineering & Construction (GS E&C), KOGAS-Tech
and Daewoo Engineering Company (DEC).

The SIL Study covered all the Safety Instrumented Functions (SIFs) listed in the Cause &
Effect Diagrams/Tables (CED) and was conducted in accordance with the Safety Study
Procedure [2] by ERM. The study covered SIFs provided on both new facilities and existing
facilities.

During the sessions, 27 out of 31 Safety Instrumented Functions (SIFs) were classified, of
which 4 were classified as SIL 3, 5 were classified as SIL 2, 14 were classified as SIL 1,
and 4 did not require a specific level of safety integrity (i.e. classified as SIL -).

As part of the SIL classification sessions, a number of recommendations were made to
advise on the proposed implementation, or to record comments relating to system
design/hazards that arose from the discussions during the SIL Classification Study.

While this study has determined the target SIL for the various safety instrumented functions,
the system configuration is assessed separately to confirm whether the target SIL can be
achieved or further mitigation is required. The results of this assessment are presented in
the SIL Verification Report.

1. INTRODUCTION AND SCOPE OF WORK

1.1 Introduction

The LNG receiving terminal at Map Ta Phut, Thailand, is designed to receive and store LNG
from LNG carriers, vaporize the LNG at high pressure, and deliver the gas to the pipeline.
The terminal will be developed in two phases. The terminal is designed to deliver 5 MTPA of
LNG as regasified product in Phase I, and provisions will be made to allow expansion to 10
MTPA in Phase II. A 15% design margin for the LNG send-out system is considered in the
design for both phases.

Two options are additionally considered as part of the LNG receiving terminal. Option 1 is for
the LNG truck loading, and Option 3 is for the design of the under-structure for a small berth
designated to handle small ships.

The LNG receiving terminal is owned and operated by PTT LNG Company Limited. The
Consortium of GS Engineering & Construction, Korea Gas Corporation, Hanyang
Corporation and Daewoo Engineering Company is responsible for the detailed engineering
and construction of Phase 1 of the LNG receiving terminal.

Environmental Resources Management (ERM), an independent HSE consultancy, was
commissioned to carry out a Safety Integrity Level (SIL) review for the above facilities. The
study was carried out following the completion of the HAZOP study. The study sessions
were held at the TF office in Seoul, Korea over a period of three days in July 2008. It involved
representatives from PTT LNG (Owner), Fluor (PMC), SPAN, GS Engineering &
Construction (GS E&C), KOGAS-Tech and Daewoo Engineering Company (DEC).

1.2 Objectives of the Study

The objective of the Safety Integrity Level (SIL) classification study was to assess the SIL
of the Safety Instrumented Functions (SIFs), based on an assessment of the risk of injury to
people (operators or public) and the risk of damage to the environment. This involves
evaluating the following:

- Elements forming the SIF;
- SIF Design Intent;
- SIF demand scenarios and frequency of demand;
- Potential consequences if the SIF is not implemented; and
- Effectiveness of Independent Protective Layers (IPL).

The SIL defines the level of safety integrity (or reliability) required to be implemented for
each specific SIF application, such that the residual risk due to each hazardous event in the
plant is broadly acceptable. The SIL could range from SIL 1 to SIL 3 (highest level of safety
integrity required). The designation "SIL -" may be used for SIFs not requiring a specific
level of safety integrity. For SIL 4, a requirement to redesign the system to achieve an
inherently safer design is recommended.

2. SIL STUDY BASIS AND DEFINITIONS

2.1 Basis

The study was based on:

- Cause & Effect Chart for Interlock & ESD System [1] (hereafter referred to as CED);
- Piping & Instrument Diagrams (P&IDs);
- HAZOP Reports [3]; and
- Input from the SIL study team.

The basis for the SIL study was primarily the P&IDs and CED.

2.2 Definition of SIL

The SIF will be operated on demand. It acts when a process upset leading to a
hazardous situation is detected, and reverts the hazardous event to a safe status. The SIL,
which defines a minimum level of reliability in terms of Probability of Failure on Demand
(PFD) as shown in Table 2.1, is applied for this project.
Table 2.1  Probability of Failure on Demand for SIL

SIL    PFD
1      10^-2 to < 10^-1
2      10^-3 to < 10^-2
3      10^-4 to < 10^-3
4      10^-5 to < 10^-4

SIL 4 is considered extremely rare in the process industry. If a classification leads to SIL 4,
further study should be performed, including a review of the design.
The safety functionality that calls for an integrity level below SIL 1 may be implemented in the
Basic Process Control System (BPCS) or retained in the ESD system as provided now.
The safety functionality that calls for integrity levels SIL 1, 2 and 3 will be implemented in the
ESD system.
For definitions of terminology, refer to the Safety Study Procedure [2].

2.3 Background to Risk Based Approach Adopted for SIL Selection

Safety instrumented functions (SIFs), such as high level trip, high temperature trip, high
pressure trip, etc. are widely used in the process industry to protect against the hazards of
overfilling, design temperature being exceeded or overpressure respectively. These are
safeguards implemented using instrumentation, and comprise one or more sensors, a logic
solver and one or more final elements. However, they do not provide absolute protection, as
they may fail to perform the desired function when required for various reasons, including
failure of the various components that make up the system which is designed to implement
the function.
The probability of failure of a SIF depends on the configuration of the system, i.e. the level of
redundancy, testing/maintenance frequency, etc. For example, a system with two
independent level sensors (1 out of 2 (1oo2) configuration) is less likely to fail than
a system with only one sensor. Similarly, a system with two shutdown valves in series
(1oo2 configuration) is less likely to fail to perform than a system with only one
shutdown valve. Redundant systems for all applications are, however, not cost effective and
may not provide any significant additional safety benefit in all cases. Hence, a risk based
approach is adopted to determine the level of reliability required for the particular SIF.
Risk is a function of likelihood and consequence, as follows:

    Risk (inherent or unmitigated risk) = Likelihood of an unwanted event x Consequence
                                          (in terms of fatality or environmental damages)

A SIF reduces the risk, as follows:

    Risk (mitigated risk) = Likelihood of an unwanted event x Consequence
                            x Probability of failure of SIF on demand (expressed as SIL)

This study assesses the risk posed by each hazardous event in the plant that results
from SIF failure and determines the level of reliability of the SIF needed to meet a target
risk level or broadly acceptable risk level. A qualitative (or semi-quantitative) approach is
adopted to determine the risk using the Risk Graphs.
The probability of failure on demand (PFD) of the SIF, i.e. the reliability of the SIF, is thus
derived as follows:

    PFD = Target risk level (i.e. acceptable risk after mitigation)
          / (Likelihood of an unwanted event x Consequence)

Using safety classification as illustration, and assuming that the target risk level is 10^-4 per
year, the likelihood of an unwanted event is 10^-1 per year and the Consequence is 1 fatality,
then

    PFD = 10^-4 / (10^-1 x 1) = 10^-3

The required SIL based on safety classification is therefore 3 for this SIF.
If the likelihood of an unwanted event is 10^-1 per year and the Consequence is 0.1 fatality
(i.e. injury), then

    PFD = 10^-4 / (10^-1 x 0.1) = 10^-2

The required SIL is 2.
The system configuration is then determined based on the SIL derived above.
It may be noted that where a SIF is classified as SIL 3 or SIL 2, it means that the inherent
risk is high and hence a higher level of reliability is required for the instrumented function.
Inherent risk may be high due to the system design or the hazard presented by the system.
Similarly, where a SIF is classified as SIL 1, it means that the inherent risk is low.
The above approach ensures that a consistent basis (i.e. a risk based approach) is adopted
in determining the configuration of the instrumented system, while avoiding over-engineering
where not necessary.
The assessment is, however, qualitative and is based on guidelines, experience and
judgement. A more detailed quantitative approach may be adopted but is time consuming.
The above approach is therefore considered reasonable and fit for purpose.
A conservative approach to system design may still be adopted for various reasons, such as
the Licensor's past experience or other factors which may not be easily quantifiable. In such
cases, although the SIL derived from above may be lower (say SIL - or SIL 1), a more
conservative SIL may be assigned, say SIL 1 or SIL 2 respectively. This study seeks to set
the minimum requirements, which, however, may be exceeded if required.

3. SIL METHODOLOGY

3.1 Overview

The methodology defined in the Safety Study Procedure [2] was adopted for the SIL
Classification Study. The SIF was first defined with a function description, design intent, one
or more initiator(s) (i.e. instrument(s) to detect a hazardous situation) and one or more final
element(s) (i.e. elements that act to mitigate the hazardous situation). The study team then
described the demand scenario and consequence(s) of failure on demand (CoFoD) and
numerical frequency and consequence ratings were assigned.
The consequence ratings were based on:

- potential extent of human injury; and
- potential extent of environmental damage.

The assessment takes account of the possibility to avert the hazard and the probability of
personnel being in the vicinity of the defined consequence.
A flow chart presenting the steps to assign the SIL classification is shown in Annex B.
Following identification of damage level and likelihood by the team, the SIL of the function
was classified according to Risk Diagrams as shown in Annex C.
3.2 Identification of SIFs

The CEDs were first reviewed to identify the SIFs that required SIL classification. These
were also confirmed by reviewing the P&IDs and the HAZOP sheets. Only those functions
within the ESD system and initiated by the process to prevent a specific hazardous situation
were selected for classification. Thus, the following types of functions listed in the CED were
not classified:

- Hand-switch operated functions (operator activated). A default value of SIL 1 may be
  assumed;
- Control function (FIC, TIC reset etc.);
- Functions related to normal process control (e.g. auto start/stop of pumps as a means of
  normal level control);
- Proposed or indicative machine related protection functions such as those relating to
  lube oil systems; and
- Emergency equipment isolation functions. A default value of SIL 1 may be assumed.

A complete list of SIFs is presented in Annex D. Whether the SIF relates to the new facilities
or existing facilities is also identified (e.g. SIFs relating to existing unloading arms). Some
SIFs may include both new and existing facilities (e.g. high pressure trip of sendout). This is
indicated as shared SIF.
The assessment is carried out for one set of SIFs. For parallel equipment/systems with
similar SIFs, cross-reference is made to the SIF that is already classified. For example, SIFs
for P-105A HP pump are classified. For all other new and existing HP pumps, reference is
made to P-105A.
Some of the SIFs are not shown in the CED but are shown on the P&IDs. A note has been added
in the comment column of the Function List (Annex D) to revise the CED accordingly.
3.3 Description of Function, Initiators and Final Elements

The SIFs were defined with a function description, design intent, one or more initiator(s) (i.e.
instrument(s) to detect a hazardous situation) and one or more final element(s) (i.e.
elements that act to mitigate the hazardous situation).
The final element(s) of the SIF were chosen as those which directly meet their design intent.
Thus, only one or two final elements were usually defined for any function, and where more
than one was selected, a success criterion was defined for these final elements. The other
elements acted upon by the initiators were left unclassified (they may, however, be retained
for implementation in the ESD system). Some of these unclassified elements may act as a
primary final element for another SIF and be assigned an appropriate SIL classification. Those
final elements not covered under any other SIF as primary final element were checked, where
required, to ensure no separate classification was required.

3.4 Causes of SIF Demand and Consequences of SIF Failure

The study team then described the demand scenario and consequence(s) of failure on
demand (CoFoD) and the numerical frequency and consequence ratings were then
assigned according to Risk Diagrams as shown in Annex C.

A demand on a SIF may be caused by instrument malfunction, operator error, or failure of
equipment to operate, such as a pump or compressor trip. The frequency of demand is then
assessed, i.e. how often the SIF is likely to be activated (Frequency of Demand, W
classification).
The following aspects were investigated for the consequence of SIF failure:

- potential extent of human injury (S classification); and
- potential extent of environmental damage (E classification).

Different categories of W, S and E are defined and presented in Annex C.
Consequence for personnel safety was assessed assuming an operator is present in the vicinity
and exposed to a loss of containment scenario leading to fire and/or explosion.
The consequence assessment assumes default values for the possibility to avert the hazard
and the probability of personnel being in the vicinity of the defined consequence. These
parameters are included in the Risk Graphs in IEC 61511. If the default value is selected,
the risk diagram defined in the procedure will result.
All consequences were classified and the most stringent SIL was selected for that function. If
the demand has different causes, the consequences of failure on demand were usually
different as well, requiring a classification for all causes and consequences.
It is noted that the potential consequences may not result from every demand case. The
procedure adopted in the SIL study takes some credit for the intermediate probabilities such
as loss of containment or ignition and explosion probability. For example, if design
temperature is exceeded, metallurgy may fail leading to loss of containment, and potential
ignition and fire/explosion. It is likely that the potential consequences (i.e. fatality) may result
in less than one in ten demand cases, due to the intermediate event probabilities, and hence
this may be reflected, where applicable, by a one order of magnitude reduction in the
demand rate for the SIL. Such assumptions are included in the relevant worksheets. For
overpressure scenarios, however, no reduction factor may be considered due to the likely
speed of the event occurrence.
As part of the frequency of demand analysis or following the consequence assessment, the
provision of other safeguards for the specific demand/consequence scenario was also
reviewed.
For each such safeguard identified, also called an Independent Protection Layer (IPL), a risk
reduction factor was determined. This risk reduction factor may be applied to the originally
identified frequency of demand. The study takes credit for the independent protection
layers (IPL) that mitigate the likelihood or consequence. A reduction factor of 10 will reduce
SIL by one level while a reduction factor of 100 will reduce SIL by two levels.
The term independent protection layer has been applied to a safeguard which is capable of
preventing a scenario from proceeding to its undesired consequence independent of the
initiating event or the action of any other layer of protection associated with the scenario.
There is a slight distinction, however, in IEC 61511 between the terms protection layer and
independent protection layer. Although both need to meet the criteria mentioned above, a
safeguard may qualify as a protection layer if at least a factor of 10 risk reduction can be
achieved, while to qualify as an independent protection layer a higher degree of reliability is
required (i.e. it reduces the identified risk by a minimum of 100 fold). While this study report
has used the term IPL for all protection layers, a 100-fold risk reduction is applied only to
those protection layers, such as PSVs, which meet the criteria of IPL as defined in IEC 61511.
3.5 Further Elaboration on the Approach Adopted

3.5.1 Multiple Sensors
Where multiple sensors are provided, a success criterion is defined if they detect the same
hazard. For example, two sensors, FALL-1611 and FALL-1612, are provided on the sea
water line to the vaporiser. Similarly, two or more sensors are provided on each LNG tank for
level detection and pressure detection. Since they detect the same hazard, the success
criterion may be defined as 1oo2 (i.e. if 1 out of the 2 sensors is able to detect the hazard, it
will be able to perform the desired function).
3.5.2 Multiple Final Elements
In the case of most of the trip functions in this plant, as can be seen from the Cause & Effect
drawings, multiple actions are being taken, i.e. several final elements are acted upon
simultaneously. Not all of these actions, however, may be required or important enough to
protect against the particular hazard; some may be secondary in nature, i.e. to prevent
collateral hazards or for operator assistance in restarting the unit quickly.
For example, on low level in LNG tank, the in-tank pumps are stopped and the discharge
valve is closed. The primary final element is defined as stopping the pump. Closing the
discharge valve may prevent potential reverse flow but this is a collateral hazard (i.e. a
hazard resulting from the primary action but of a different kind) and hence classified separately.
Even where multiple actions protect against the same hazard, the actions that have the most
significant mitigating effect are selected as primary final elements. For example, in the case
of low pressure in LNG tank, all BOG compressors are stopped, all in-tank LNG pumps are
stopped and the discharge valve of each pump is closed. Stopping of the BOG compressor is
considered as the primary final element. Stopping of the in-tank LNG pump would also help to
mitigate but the mitigating effect is not significant as compared to stopping of the BOG
compressor. This distinction is made for the purpose of the SIL implementation only, but all
the final elements as identified in the CED will be retained in the interlock and implemented
in the SIS.
3.5.3 Multiple SIFs for the Same Hazard
In some cases, multiple SIFs are provided against the same hazard. For example, sea water
low flow acts to prevent vaporiser outlet LNG low temperature although an independent low
temperature trip is provided. The former may be regarded as a layer of protection (as it takes
advance action) or may be regarded as a demand reducing function (as it reduces demand
on the LNG low temperature sensor). [Note that there are other cases for LNG low
temperature in addition to loss of sea water flow; however, for the case of low LNG
temperature due to loss of sea water flow, the low low sea water flow and low LNG
temperature may be considered together in the same function.]
In such cases, the functions may be combined, but this may present some complication in
the assessment, in terms of evaluating the percentage contribution due to the various
causes and accordingly the various sensors. To simplify the analysis, each function may be
treated separately. However, this also presents some constraint in defining the design intent,
as to whether the function is deemed to protect against an intermediate consequence or the
ultimate consequence. As a further simplification, default SIL 1 may be assigned for such
demand reducing functions or functions providing the first layers of protection.
3.5.4 Sensors with Different Set Points
In the case of low level in LNG tank, two set points are provided for each sensor. The low
set point initiates a set of actions (i.e. stops BOG compressor), while the low low set point
initiates a different set of actions (i.e. stops in-tank pumps).
As explained earlier, stopping BOG compressor is considered as the primary final element
and hence the SIF is defined accordingly.
3.5.5 Consideration of PZV (Safety Valves)
Where a SIF is provided in addition to a PZV (assuming the safety valve is adequately sized
for the required case), PZV has been considered as an IPL with a risk reduction factor of
100, although it could be argued that no SIF is probably required or no classification is
required.

3.5.6 Push Button Functions
Any SIF associated with the operation of a push button (i.e. involving the operator's
intervention) may be classified SIL 1 by default, as the operator's intervention limits the SIL
implementation to SIL 1.
3.5.7 SIL Study Guidelines
In order to ensure consistency in the assessment, rule sets for assessing independent
protection layer, frequency of demand, presence in danger area and possibility to avert
hazard are given in Table 3.1 to Table 3.3. These rule sets serve as an aid for assigning the
levels for the various parameters shown in the Risk Graphs in Annex C.
Table 3.1  Rule Set for Independent Protective Layer

Protective Measures                                           Independent Protective Layers (IPL)
Operator Intervention (independent alarm and possibility
for operator intervention in about five minutes)              10
Trip/ Independent SIF                                         10
Check valve                                                   10
Relief Valve (PZV)                                            100

Note: where more than one protective measure exists, the highest IPL value is assumed, without
taking credit for all, as a conservative measure.
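
The PFD relation from Section 2.3 and the IPL credit rules from Section 3.4 and Table 3.1, worked as an added Python example; it is not part of the original report or of the ERM procedure, and the study itself assigns SIL from the Risk Graphs in Annex C. The function names, dictionary keys and the rounding-up of targets that fall between decades are assumptions of this example; the 10^-4 per year target risk is the illustrative value used in Section 2.3.

```python
import math
from collections import namedtuple

# Risk reduction factors from Table 3.1 (rule set for IPLs).
# The dictionary keys are names chosen for this example.
IPL_FACTORS = {
    "operator_intervention": 10,  # independent alarm, about five minutes to act
    "independent_trip": 10,       # trip / independent SIF
    "check_valve": 10,
    "relief_valve": 100,          # PZV
}

Result = namedtuple("Result", "sil label target_pfd ipl_factor")


def sil_from_target_pfd(target_pfd):
    """Return the SIL whose Table 2.1 band lies at or below target_pfd.

    Reproduces the two worked cases in Section 2.3 (10^-3 -> SIL 3,
    10^-2 -> SIL 2). Rounding up for targets between decades is an
    assumption of this example. Returns 0 ("SIL -") when less than a
    factor of 10 risk reduction is needed.
    """
    if target_pfd <= 0:
        raise ValueError("target PFD must be positive")
    # Round the exponent first so float noise (e.g. 2.0000000000000004)
    # does not push an exact decade into the next SIL.
    decades = round(-math.log10(target_pfd), 9)
    if decades < 1:
        return 0
    return math.ceil(decades)


def classify(target_risk, demand_per_year, consequence, ipls=(),
             intermediate_credit=False, overpressure=False):
    """Derive the target SIL for one demand/consequence scenario.

    target_risk         acceptable risk after mitigation (per year)
    demand_per_year     likelihood of the unwanted event (per year)
    consequence         in fatalities (1 = fatality, 0.1 = injury)
    ipls                names of safeguards from IPL_FACTORS
    intermediate_credit one order of magnitude off the demand rate when the
                        consequence follows fewer than one in ten demands
    overpressure        overpressure scenario: no intermediate credit allowed
    """
    if intermediate_credit and overpressure:
        raise ValueError("no reduction factor for overpressure scenarios")
    unknown = [name for name in ipls if name not in IPL_FACTORS]
    if unknown:
        raise ValueError("unknown protective measure: %s" % ", ".join(unknown))

    # Note to Table 3.1: only the highest single IPL value is credited.
    ipl_factor = max((IPL_FACTORS[name] for name in ipls), default=1)
    frequency = demand_per_year / ipl_factor
    if intermediate_credit:
        frequency /= 10

    target_pfd = target_risk / (frequency * consequence)
    sil = sil_from_target_pfd(target_pfd)
    if sil == 0:
        label = "SIL -"
    elif sil <= 3:
        label = "SIL %d" % sil
    else:
        label = "SIL 4 or above: review design"
    return Result(sil, label, target_pfd, ipl_factor)


if __name__ == "__main__":
    # Constructed scenarios built around the Section 2.3 illustration.
    cases = [
        ("fatality, no credit", dict(consequence=1)),
        ("injury, no credit", dict(consequence=0.1)),
        ("fatality, PZV", dict(consequence=1, ipls=["relief_valve"])),
        ("fatality, PZV + check valve",
         dict(consequence=1, ipls=["relief_valve", "check_valve"])),
        ("fatality, intermediate credit",
         dict(consequence=1, intermediate_credit=True)),
    ]
    for name, kwargs in cases:
        r = classify(1e-4, 1e-1, **kwargs)
        print("%-32s PFD target %.0e  IPL x%-3d -> %s"
              % (name, r.target_pfd, r.ipl_factor, r.label))
```

With a relief valve credited, the SIL 3 case drops two levels to SIL 1, and adding a check valve changes nothing because only the highest IPL value is taken.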

Table 3.2  Rule Set for Frequency of Demand

Scenario                       Frequency of Demand (W)
Control Loop Failure           W2
Pump Trip/ Compressor Trip     W3 or W2

Table 3.3  Rule Set for Presence in Danger Area & Possibility to Avert Hazard

Presence in Danger Zone at the Time of Demand
A1     Default
A2     Assumed when hazard results from manual operations

Possibility to Avert Hazard
G1     Assumed when hazard results from manual operations
G2     Default

3.6 Worksheets

The session proceedings were recorded using PHA-Pro 7 [4]. The records were projected
on a screen for comment and agreement by the team members during the sessions.

Preparation for the study was conducted prior to the commencement of the classification
sessions. This comprised entering the study SIFs into the PHA software, based on the
information in the CED. In addition, the functions were also verified and revised, as necessary,
by the facilitator.
The completed SIL worksheets are included in Annex E.
3.7 Assumptions

Several assumptions were made regarding the basis of the design during the course of the
SIL study. The main items are:

- In case of multiple items of equipment (with duty and standby/spare equipment) inside a
  unit, the study was conducted for one set of equipment. The recommendations from this
  study will therefore apply for such similar systems as well. The study has, however,
  considered the impact of simultaneous operation of systems in parallel or series,
  including the control requirements and the effect of trip of one system on the other.

- The CEDs were reviewed to identify the SIFs that required SIL classification. Only those
  functions within the ESD system and initiated by the process to prevent a specific
  hazardous situation were chosen for classification. Thus, the following types of functions
  listed in the CED were not classified:

    - Hand-switch operated functions (operator activated);
    - Control function (FIC, TIC reset etc.);
    - Functions related to normal process control (e.g. auto start/stop of pumps as a
      means of normal level control); and
    - Proposed or indicative machine related protection functions such as those relating
      to lube oil systems. These will be more fully considered if required when vendor
      information is available.

- The final element(s) of the SIF were chosen as those which directly meet their design
  intent. Thus, only one or two final elements were usually defined for any function. The
  other elements acted upon by the initiators were left unclassified (they may, however, be
  retained for implementation). However, these unclassified elements may act as a
  primary final element for another SIF and be assigned an appropriate SIL classification.
  Those final elements not covered under any other SIF as primary final element were
  checked, where required, to ensure no separate classification was required.

4. SIL SESSIONS

4.1 Study Period

The SIL Study for the PTT LNG Receiving Terminal was conducted between 14th and 16th
July 2008 at TF Office in Seoul, Korea.

4.2 Study Team

The SIL study team comprised a multidisciplinary team of personnel involved with the
Project and having adequate experience of design, instrumentation, operations,
maintenance, safety and loss prevention. Representatives from PTT LNG (Owner), Fluor
(PMC), SPAN, GS Engineering & Construction (GS E&C), KOGAS-Tech and Daewoo
Engineering Company (DEC) participated in the SIL sessions, which were chaired by an
independent consultant from ERM. Services of other specialists were called upon as
required.
The details (names, company and discipline) of the SIL team members who attended the
sessions are presented in Annex A.

5. FINDINGS
A list of the classified functions is shown in Table 5.1.
Table 5.1 Function Studied and the Target SIL

| Function Name | Initiators | Primary Final Element | Target SIL |
|---|---|---|---|
| 1. On low low LNG drain pot from LNG unloading line level, shutdown XA-076 (LNG drain pot pump P-006) | LT-085 (1oo1) | Shutdown XA-076 (LNG drain pot pump P-006) (1oo1) | SIL 1 |
| 2. On high unloading arm position sensor slew angle, close ERC isolation valves for ARM L-001A | ZS-020A (1oo1) | Close ERC isolation valves for arm L-001A (1oo1) | SIL 2 |
| 3. On high high unloading arm position sensor slew angle (operational interlock to protect the unloading arm), disconnect quick release coupling for L-001A (1oo1) | ZS-020A/B/C (2oo3) | Disconnect quick release coupling for L-001A (1oo1) | default SIL 1 |
| 4. On high high LNG tank T-001 pressure PT-210A/B/C during unloading, shutdown unloading line | PT-210A/B/C (2oo3) | Close SDV-080/082 (2oo2). Close SDV-045/025/055 (3oo3) (these valves are provided with a bypass used for initial cooldown.) Close SDV-225 (no credit can be given since all the tanks will be pressure balanced). Overall 1oo3 | SIL 1 |
| 5. On high high LNG tank T-001 pressure PT-210A/B/C during holding, shutdown makeup line | PT-210A/B/C (2oo3) | Close SDV-291 (1oo1) | SIL 1 |
| 6. On high high LNG tank T-001 pressure PT-210A/B/C during unloading, shutdown cooling line return to the tank | PT-210A/B/C (2oo3) | Close SDV-238 (2oo2 for Phase 1 and 3oo3 for Phase 2 as all tanks will be pressure balanced) | SIL 3 (SIL 1 when credit taken) |
| 7. On high high LNG tank T-001 level LT-202/203/204, shutdown unloading line (unloading mode) | LT-202/203/204 (2oo3) | Close SDV-080/082 (2oo2). Close SDV-045/025/055 (3oo3) (these valves are provided with a bypass used for initial cooldown.) Close SDV-225 (1oo1). Overall 1oo3 | SIL 2 |
| 8. On high high LNG tank T-001 level LT-202/203/204, shutdown unloading line (transfer mode) | LT-202/203/204 (2oo3) | Close SDV-225 (1oo1) | SIL 1 |
| 9. On low low LNG tank T-001 level LT-204, shutdown in-tank LNG pumps | LT-204 (1oo1) | Shutdown XA-227A (in-tank LNG pump P-001A) (typical) (1oo1) | SIL 1 |
| 10. On low low LNG tank T-001 level LT-204, shutdown all the dedicated in-tank LNG pumps (synergetic case) | LT-204 (1oo1) | (not applicable, synergetic case) | SIL 1 |
| 11. On low low LNG tank T-001 pressure PT-210A/B/C, shutdown BOG compressor | PT-210A/B/C (2oo3) | Shutdown BOG compressor (C-001A/B) (most of the time 1oo1 during Phase 1 during the holding mode, only one compressor will be running, and no auto-start). During Phase 2 success criteria will be 2oo2. Vacuum is unlikely during unloading | SIL 3 (SIL 2 with recommendations) |
| 12. On high high intank LNG pump P-001A discharge pressure, stop in-tank LNG pump | PT-228A (1oo1) | Stop XA-227A (shutdown in-tank LNG pump P-001A) (1oo1) | SIL 1 |
| 13. On low low intank LNG pump P-001A discharge pressure, stop in-tank LNG pump | PT-228A (1oo1) | Stop XA-227A (shutdown in-tank LNG pump P-001A) (1oo1) | |
| 14. On high high level BOG compressor suction drum LT-307A/B/C, shutdown BOG compressor | LT-307A/B/C (2oo3) | UA-325/355 (shutdown BOG compressor C-001A/B) (1oo1) | SIL - |
| 15. On high high level BOG compressor suction drum LT-307A/B/C (synergetic case) | LT-307A/B/C (2oo3) | (synergetic case) | SIL 2 |
| 16. On high high BOG compressor C-001A discharge temperature, shutdown BOG compressor [Revalidated] | TT-337 (1oo1) | Stop UA-325 (shutdown BOG compressor C-001A) (1oo1) | |
| 17. On low low LNG recondenser V-002 liquid level, stop HP LNG pump | LT-0397A/B/C (2oo3) | Stop XA-406/407/408/409/410 (shut down HP LNG pump P-005A/B/C/D/E) (1oo1) | SIL 1 |
| 18. On low low LNG recondenser V-002 liquid level (synergetic case) | LT-0397A/B/C (2oo3) | (synergetic case) | SIL 3 |
| 19. On ESD activation, close individual HP pump discharge | (secondary function) | Close vaporizer E-001A-E inlet isolation valve (5oo5) | SIL - |
| 20. On high high LNG recondenser level (overfilling case) | LT-0398 (1oo1) | Close SDV-379/383 (2oo2 for holding mode and 1oo1 for unloading mode). However, SDV-383 is only required to be closed in case of multiple HP pump trip, which is less likely. Credit can also be given to shutting down the LP pumps (flow from one LP pump is equivalent to 3 HP pump). | SIL 2 (SIL 1 with recommendation) |
| 21. On high high LNG recondenser level (backflow to compressor case), close SDV-379/383 | LT-0398 (1oo1) | Close SDV-379/383 (2oo2 for holding mode and 1oo1 for unloading mode). However, SDV-383 is only required to be closed in case of multiple HP pump trip, which is less likely. Credit can also be given to shutting down the LP pumps (flow from one LP pump is equivalent to 3 HP pump). | SIL 2 |
| 22. On high high LNG recondenser pressure, close SDV-378 (HP cap gas to recondenser) | PT-0375 (1oo1) | Close SDV-378 (HP cap gas to recondenser) (1oo1) | SIL 1 |
| 23. On low low LNG vaporizer E-001A temperature, close SDV-506 | TT-502 (1oo1) | Close SDV-506 (LNG vaporizer E-001A inlet isolation valve) (1oo1) | SIL 1 |
| 24. On high high LNG vaporizer E-001A pressure, close SDV-506 | PT-501 (1oo1) | Close SDV-506 (LNG vaporizer E-001A inlet isolation valve) (1oo1) | SIL 1 |
| 25. On low low LNG vaporizer E-001A pressure, close SDV-506 | PT-501 (1oo1) | Close SDV-506 (LNG vaporizer E-001A inlet isolation valve) (1oo1) | SIL - |
| 26. On low low fuel gas temperature from vaporizer fuel gas heater E-001A/B, close SDV-018 | TT-003 (1oo1) | Close SDV-018 (fuel gas from natural gas header) (1oo1) | |
| 27. On high high fuel gas heater E-001A temperature, isolate E-001A | TT-006 (1oo1) | Isolate E-001A (shutdown fuel gas heater E-001A) (1oo1) | SIL 1 |
| 28. On high high fuel gas heater inlet pressure, close SDV-018 fuel gas from natural gas header | PT-019 (1oo1) | Close SDV-018 (fuel gas from natural gas header) (1oo1) | SIL - |
| 29. On high high truck loading header pressure, close SDV-1003 | PT-1004 (1oo1) | Close SDV-1003 (LP LNG header to truck loading stations) (1oo1) | SIL 3 (SIL 1 with recommendation No. 10) |
| 30. On high high NG to general user pipeline pressure, close SDV-820 | PT-813A/B/C (2oo3) | Close SDV-820 (NG sendout pipeline isolation) (1oo1) | |
| 31. On low low NG to general user pipeline pressure, close SDV-820 | PT-813A/B/C (2oo3) | Close SDV-820 (NG sendout pipeline isolation) (1oo1) | SIL 1 |

During the sessions a total of 27 SIF were classified. A summary of the results is provided in
Table 5.2.
Table 5.2 SIF Classification

| Safety Integrity Level | - | 1 | 2 | 3 | 4 | Total |
|---|---|---|---|---|---|---|
| Number | 4 | 14 | 5 | 4 | 0 | 27 |
| % | 15% | 52% | 18% | 15% | 0% | 100% |

6. RECOMMENDATIONS
6.1 Summary of Recommendations
In total, 13 actions were recommended for resolution or further investigation during the SIL
study, to advise on the proposed implementation, or record comments generated during the
sessions. The list of recommendations is included in Table 6.1.

Table 6.1 List of Recommendations

| Recommendations | Place(s) Used |
|---|---|
| 1. Review the requirement to stop the in-tank pumps on low pressure since in the case of PC-292 malfunctions, this interlock is expected to shut down all the in-tank LNG pumps and therefore gas injection through PV-290 cannot be relied on. Shutting down the BOG compressors may be sufficient. Consider keeping at least one LP pump running. This will reduce SIL by one level. | 11.1.1 |
| 2. Review the requirement for this interlock (PALL from PT-228A). | 13.1.1 |
| 3. Review whether additional SDV could be implemented on the common drain line as SIL 1 may be difficult to be achieved during Phase 2. | 6.1.1 |
| 4. Check sizing of PSVs for backflow case from the HP header. This can reduce SIL level to SIL 1 if credit can be taken for the PSVs. | 6.1.1 |
| 5. Confirm whether underload protection is provided for the HP pumps. | 17.1.1 |
| 6. Review set point of PSV-033/034 to prevent unnecessary discharge to the flare, this will reduce SIL by one level. | 20.1.2 |
| 7. Check the high high level trip configuration on the recondenser (check actions on LT-397/398). | 21.1.1 |
| 8. Review requirement for this interlock TT-003LL (fuel gas temperature low low). | 26.1.1 |
| 9. Consider not shutting down all of the HP pumps from this interlock PT-813A/B/C, or shutting down HP pumps in stages to prevent backflow situation at the pumps. | 30.1.1, 31.1.1 |
| 10. Refer to HAZOP recommendation 91. This will eliminate the hazard. | 29.1.1 |
| 11. Review the high pressure protection system for the LNG truck during vendor package review. | 29.2.1 |
| 12. Shutdown logic for the unloading arms is not clear (mismatch between P&ID, cause and effect diagram and operating and control philosophy). This needs to be reviewed. | 2.1.1 |
| 13. Review requirement for having a balance line between individual storage tanks as these create a potential common mode of failure for all the three tanks in Phase 2 due to overpressure scenario. | 4.1.1 |

Note: Place(s) Used 11.1.1 means Function 11, Design Intent 1, Demand Scenario 1.

6.2 Follow-up Actions
Proper follow-up and close-out of all recommendations are monitored through the SIL
Review Action Sheet (7S92-06011-0000-SHR-004C) which has been issued as a separate
report.


7. CONCLUSIONS
A SIL classification study has been performed on all SIFs concerning new facilities, and the target SILs determined. Based on the results of this classification, the safety instrumented system configuration will be checked to determine if the target SILs can be achieved. Mitigation measures will be recommended where necessary to achieve the target SIL. The results of the reliability study associated with this task will be presented in the SIL Verification report.

8. REFERENCES
The following documents were referenced during the preparation of this report:
[1] Cause & Effect Diagram (Document No.: 7S92-06011-PC-DS-204 Rev 3);
[2] Safety Study Procedure (Document No.: 7S92-06011-SH-TP-001 Rev 1);
[3] HAZOP Report (Document No.: 7S92-06011-0000-SHR-005 Rev 4); and,
[4] Dyadem International Ltd PHA-Pro 7


ANNEX A ATTENDANCE LIST


Team Members
Name

Sessions
Company

1. 14-07-2008

2. 15-07-2008

3. 16-07-2008

Herve Bonnel

ERM HK

Present

Present

Present

Sunny Cao

ERM HK

Present

Present

Present

Heung-Sik Yoo

DEC

Present

Present

Present

Tae-Soon Yong

DEC

Present

Present

Present

Jee-Hwan Cho

DEC

Present

Present

Joseph P. Mac Inerney

FLUOR

Present

Present

Eui Chul Jung

DEC

Present

Jun Gon Choi

DEC

Present

Present

Corazon Almirez

FLUOR

Present

Present

Present

Norman Tseng

FLUOR

Present

Ceyhan Aydogan

FLUOR

Present

Present

Present

Chang-Mun Bae

DEC

Present

Thanisorn Ounharoj

PTT LNG

Present

Present

Present

Tanate Areephitak

SPAN

Present

Present

Present

K.A. Baek

GS E&C

Present

Present

Jae-Sik Kim

GS E&C

Present

Present

Ki Taek Yow

GS E&C

Present

Jee Hwan Cho

DEC

Present

J.T. Choi

KOGAS-Tech

Wi-Tawit Piyaponsate

PTT LNG

Present

Present
Present
Present


ANNEX B SIL CLASSIFICATION CHART


[Flowchart. Boxes: CAUSE & EFFECT DIAGRAMS; START ANALYSIS; INITIATOR and FINAL ELEMENT IDENTIFICATION; SCENARIO IDENTIFICATION (CAUSES of SIF Demand, CONSEQUENCE of SIF Failure); FREQUENCY of DEMAND (W); EVALUATION of Personnel Safety, Production and Equipment Loss, Environmental Damage; ASSESSMENT of Independent Protection Layer (IPL); SIL for SIF; Consider if SIL is necessary for all final elements; decision "All SIF Classified" (NO: NEXT SIF, YES: STOP ANALYSIS).]


ANNEX C RISK DIAGRAMS


Personal Safety
(W) Frequency of demand
W1 = Low (demand less than 0.1 per year)
W2 = Moderate (demand between 1 and 0.1 per year)
W3 = High (demand between 10 and 1 per year)
(S) Potential extent of human injury per demand if ESD system fails on demand
S0 = No injury
S1 = Slight injury, non-permanent
S2 = Severe injury, death of 1 person
S3 = Death of several persons
S4 = Catastrophe, many casualties
(A) Presence in danger zone at time of demand
A1 = Seldom to frequently
A2 = Frequently to continuously
(G) Possibility to avert hazard
G1 = Under certain conditions
G2 = Hardly possible
[Figure: personal safety risk graphs, panels IPL0, IPL10 and IPL100; branches S0 to S4, A1/A2, G1/G2; columns W3, W2, W1.]

Environmental Damage
(W) Frequency of demand
W1 = Low (demand less than 0.1 per year)
W2 = Moderate (demand between 1 and 0.1 per year)
W3 = High (demand between 10 and 1 per year)
(E) Environmental damage per demand if ESD system fails on demand
E0 = No release or release with negligible damage to the environment
E1 = Release with minor damage to the environment that should be reported (e.g., moderate
leak from a flange or a valve, small scale liquid spill)
E2 = Release within fence with significant damage to the environment (e.g., a cloud of
obnoxious vapour travelling beyond the unit following flange gasket blow-out or compressor
seal failure)
E3 = Release outside fence with temporary major damage to the environment (e.g., a
vapour or aerosol release with or without liquid fallout that causes temporary damage to
plants or fauna)
E4 = Release outside fence with permanent major damage to the environment (e.g., liquid
spill into a river or sea, a vapour or aerosol release with or without liquid fallout that causes
lasting damage to plants or fauna, solids fallout, liquid release that could affect groundwater)
(G) Possibility to avert hazard and to intervene
G1 = Under certain conditions
G2 = Hardly possible
[Figure: environmental damage risk graphs, panels IPL0, IPL10 and IPL100; branches E0 to E4, G1/G2; columns W3, W2, W1.]

ANNEX D FUNCTION LIST


Doc. No. : 7S92-060110000-SHR-004A   Rev. : 3   Date : 03 Apr 2009

Function Name

Initiators

Primary final element

1. On low low LNG drain pot


from LNG unloading line level,
shutdown XA-076 (LNG drain
pot pump P-006)

LT-085
(1oo1)

Shutdown XA-076 (LNG


drain pot pump P-006)
(1oo1)

2. On high unloading arm


position sensor slew angle,
close ERC isolation valves for
ARM L-001A

ZS-020A
(1oo1)

Close ERC isolation


valves for ARM L-001A
(1oo1)

Secondary final element

Target SIL
SIL 1

Disconnect quick release coupling


for L-001A

SIL 2

Activate lock unloading arm slew


movement

Activate ESD LNG unloading


system
ZS020A/B/C
(2oo3)

4. On high high LNG tank T-001


pressure PT-210A/B/C during
unloading, shutdown
unloading line

PT210A/B/C
(2oo3)

Disconnect quick release


coupling for L-001A
(1oo1)

Activate lock unloading arm slew


movement

Credit can be taken


for shutting down the
LNG pumps on the
cargo side.

Interlock
ID

P&ID

I-001

0100-PC005

L-001A

0100-PC003

The same
classification applies
to the apex angle and
other unloading arms.

Activate lock unloading arms


hydraulic controls

3. On high high unloading arm


position sensor slew angle
(operational interlock to
protect the unloading arm),
disconnect quick release
coupling for L-001A (1oo1)

Comment

default SIL
1

The same
classification applies
to the apex angle and
other unloading arms.

L-001A

0100-PC003

SIL 1

The same
classification applies
to other LNG tanks.

I-003
I-001

0100-PC007

Activate lock unloading arms


hydraulic controls
Activate ESD LNG unloading
system

Close SDV-080/082
(2oo2)

Close MOV-223/224

Close SDV-045/025/055
(3oo3) (these valves are
provided with a bypass
used for initial cooldown.)

Close SDV026/056/033/034/046/291


Function Name

Initiators

Primary final element

Secondary final element

Close SDV-225 (no credit


can be given since all the
tanks will be pressure
balanced)

Shutdown cargo pumps for LNG


unloading

Overall 1oo2

Close all cargo ESD valves

Target SIL

Comment

Interlock
ID

P&ID

Activate ESD stop ships unloading


system
Activate open ship recycle valves
5. On high high LNG tank T-001
pressure PT-210A/B/C during
holding, shutdown makeup
line

PT210A/B/C
(2oo3)

Close SDV-291(1oo1)

6. On high high LNG tank T-001


pressure PT-210A/B/C during
unloading, shutdown cooling
line return to the tank

PT210A/B/C
(2oo3)

Close SDV-238 (2oo2 for


Phase 1 and 3oo3 for
Phase 2 as all tanks will
be pressure balanced)

Close MOV-223/224

SIL 1

The same
classification applies
to other LNG tanks.

I-003

0100-PC007

SIL 3 (SIL
1 when
credit
taken)

The same
classification applies
to other LNG tanks.

I-003
I-001

0100-PC007

SIL 2

The same
classification applies

I-003
I-001

0100-PC007

Close SDV-225

Close MOV-223/224
Close SDV025/026/055/056/033/034/045/046
/080/082 /225/291
Shutdown cargo pumps for LNG
unloading
Close all cargo ESD valves
Activate ESD stop ships unloading
system
Activate open ship recycle valves

7. On high high LNG tank T-001


level LT-202/203/204,

LT202/203/204

Close SDV-080/082
(2oo2)

Close MOV-223/224


Function Name
shutdown unloading line
(unloading mode)

Initiators
(2oo3)

Primary final element

Secondary final element

Close SDV-045/025/055
(3oo3) (these valves are
provided with a bypass
used for initial cooldown.)

Close SDV026/056/033/034/046/291

Close SDV-225 (1oo1)

Shutdown cargo pumps for LNG


unloading

Overall 1oo3

Close all cargo ESD valves

Target SIL

Comment

Interlock
ID

P&ID

to other LNG tanks.

Activate ESD stop ships unloading


system
Activate open ship recycle valves
8. On high high LNG tank T-001
level LT-202/203/204,
shutdown unloading line
(transfer mode)

LT202/203/204
(2oo3)

Close SDV-225 (1oo1)

9. On low low LNG tank T-001


level LT-204, shutdown intank LNG pumps

LT204(1oo1)

Shutdown XA-227A (intank LNG pump P-001A)


(typical) (1oo1)

Close MOV-223/224

SIL 1

The same
classification applies
to other LNG tanks.

I-003

0100-PC007

SIL 1

The same
classification applies
to other LNG tanks.

I-003
I-014

0100-PC007

SIL 1

refer to the previous


function

I-003
I-014

0100-PC007

SIL 3 (SIL
2 with

In the case of more


LNG pumps running

I-003
I-007

0100-PC007

Close SDV-291

Close SDV-1005/1020/1030/1040
Close SDV-1003
Shutdown truck loading station
A/B/C/D

10. On low low LNG tank T-001


level LT-204, shutdown all
the dedicated in-tank LNG
pumps (synergetic case)

LT204(1oo1)

(not applicable,
synergetic case)

11. On low low LNG tank T-001


pressure PT-210A/B/C,

PT210A/B/C(2o

Shutdown BOG
compressor (C-001A/B)

Shutdown XA-227A/B
Close SDV-1003


Function Name
shutdown BOD compressor

Initiators
o3)

Primary final element


(most of the time 1oo1
during Phase 1 during the
holding mode, only one
compressor will be
running, and no autostart). During Phase 2
success criteria will be
2oo2.

Secondary final element

Target SIL

Shutdown truck loading station


A/B/C/D

recommen
dations)

Comment
than required,
shutting down the
LNG pumps may be
considered as the
redudant final
element action.

Interlock
ID

P&ID

I-009
I-014

The same
classification applies
to other LNG tanks.

Vacuum is unlikely during


unloading
12. On high high intank LNG
pump P-001A discharge
pressure, stop in-tank LNG
pump

PT-228A
(1oo1)

Stop XA-227A (shutdown


in-tank LNG pump P001A) (1oo1)

SIL 1

13. On low low intank LNG


pump P-001A discharge
pressure, stop in-tank LNG
pump

PT-228A
(1oo1)

Stop XA-227A (shutdown


in-tank LNG pump P001A) (1oo1)

14. On high high level BOG


compressor suction drum LT307A/B/C, shutdown BOG
compressor

LT307A/B/C(2o
o3)

UA-325/355 (shutdown
BOG compressor C001A/B) (1oo1)

SIL -

15. On high high level BOG


compressor suction drum LT307A/B/C (synergetic case)

LT307A/B/C(2o
o3)

(synergetic case)

SIL 2

16. On high high BOG


compressor C-001A
discharge temperature,
shutdown BOG compressor
[Revalidated]

TT-337
(1oo1)

Stop UA-325 (shutdown


BOG compressor C001A) (1oo1)

The same
classification applies
to other intank LNG
pumps.

I-004

0100-PC006

The same
classification applies
to other intank LNG
pumps.

I-004

0100-PC006

SDV-300 can be
considered as
redudant final
element

0100-PC010

0100-PC010
The same
classification applies
to other BOG
compressors.

I-007

0100-PC011


Function Name

Initiators

Primary final element

17. On low low LNG


recondenser V-002 liquid
level, stop HP LNG pump

LT0397A/B/C
(2oo3)

Stop XA406/407/408/409/410
(shut down HP LNG
pump P-005A/B/C/D/E)
(1oo1)

18. On low low LNG


recondenser V-002 liquid
level (synergetic case)

LT0397A/B/C
(2oo3)

19. On ESD activation, close


individual HP pump
discharge

20. On high high LNG


recondenser level (overfilling
case) , close SDV-379/383

Secondary final element


Shutdown vaporizer E001A/B/C/D/E

Target SIL

Comment

Interlock
ID

P&ID

SIL 1

I-011
I-013

0100-PC013

(synergetic case)

SIL 3

I-011
I-013

0100-PC013

(secondary
function)

Close vaporizer E-001AE inlet isolation valve


(5oo5)

SIL -

LT-0398
(1oo1)

Close SDV-379/383
(2oo2 for holding mode
and 1oo1 for unloading
mode). However, SDV383 is only required to be
closed in case of multiple
HP pump trip, which is
less likely.

Shutdown in-tank LNG pumps P001A/B, P-002A/B

Credit can also be given


to shutting down the LP
pumps (flow from one LP
pump is equivalent to 3
HP pump).

Shutdown BOG compressor C001A/B

Close SDV-506/526/546/566/586

Open SDV-225/275
Open HV-223/273

SIL 2 (SIL
1 with
recommen
dation)

0100-PC017
0100-PC018
0100-PC019
0100-PC020
0100-PC021
I-011
I-004
I-006
I-007
I-009

0100-PC013


Function Name
21. On high high LNG
recondenser level (backflow
to compressor case), close
SDV-379/383

Initiators
LT-0398
(1oo1)

Primary final element

Secondary final element

Close SDV-379/383
(2oo2 for holding mode
and 1oo1 for unloading
mode). However, SDV383 is only required to be
closed in case of multiple
HP pump trip, which is
less likely.

Shutdown in-tank LNG pumps P001A/B, P-002A/B

Credit can also be given


to shutting down the LP
pumps (flow from one LP
pump is equivalent to 3
HP pump).

Shutdown BOG compressor C001A/B

Target SIL

Comment

Interlock
ID

P&ID

SIL 2

I-011
I-004
I-006
I-007
I-009

0100-PC013

SIL 1

I-011

0100-PC013

Open SDV-225/275
Open HV-223/273

22. On high high LNG


recondenser pressure, close
SDV-378 (HP cap gas to
recondenser)

PT-0375
(1oo1)

Close SDV-378 (HP cap


gas to recondenser)
(1oo1)

23. On low low LNG vaporizer


E-001A temperature, close
SDV-506

TT-502
(1oo1)

Close SDV-506 (LNG


vaporizer E-001A inlet
isolation valve) (1oo1)

Shutdown LNG vaporizer E-001A

SIL 1

The same
classification applies
to other LNG
vaporizers.

I-013

0100-PC017

24. On high high LNG vaporizer


E-001A pressure, close
SDV-506

PT-501
(1oo1)

Close SDV-506 (LNG


vaporizer E-001A inlet
isolation valve) (1oo1)

Shutdown LNG vaporizer E-001A

SIL 1

The same
classification applies
to other LNG
vaporizers.

I-013

0100-PC017

25. On low low LNG vaporizer


E-001A pressure, close
SDV-506

PT-501
(1oo1)

Close SDV-506 (LNG


vaporizer E-001A inlet
isolation valve) (1oo1)

Shutdown LNG vaporizer E-001A

SIL -

The same
classification applies
to other LNG
vaporizers.

I-013

0100-PC017


ANNEX E SIL WORK SHEETS


Function: 1. On low low LNG drain pot from LNG unloading line level
Initiator: LT-085 (1oo1)
Final Element: Shutdown XA-076 (LNG drain pot pump P-006) (1oo1)
Design Intent: 1. To prevent pump running dry under block suction conditions
Demand Scenario: 1. Drain pump operation: pump P-006 provided to drain the unloading line u/s and d/s of MOV-072. Operator error running the pump longer than required.
CoFoD: Pump continues to run even after system is emptied. This will cause damage to pump. Potential seal leakage.
Existing Safeguards (IPLs): 1. none
Risk Red. Factor: 0
Risk Graph Comments:
Risk Graph Parameters: S2, A1, G2, IPL0, W2
SIL: SIL 1
Required Actions (SIL):

Function: 2. On high unloading arm position sensor slew angle
Initiator: ZS-020A (1oo1)
Final Element: Close ERC isolation valves for ARM L-001A (1oo1)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent release of
LNG if the slew angle
exceeds the step 2
limit (disconnect)

1. Excessive movement of ship


due to adverse weather conditions
and the movement exceeds the
step 2 limit (disconnect)

2. Same as above

Release of LNG at cargo


pumping rate while the
unloading arm will be
disconnected.

1. position monitoring
sensors (PMS) and
supervised operation

Risk Graph Parameters


Risk
Red.
Factor
10

Risk Graph Comments

W1 selected as weather
conditions continuously
monitored, before arrival
of the carrier and during
unloading

S
/
E

SIL

S
4

N/
A

N/
A

IPL
10
W1

SIL
2

E
3

N/
A

G2

IPL
10
W1

SIL
1

Required Actions
(SIL)

12. Shutdown logic


for the unloading
arms is not clear.
(mismatch between
P&ID, cause and
effect diagram and
operating and control
philosophy). This
needs to be
reviewed.

Function: 3. On high high unloading arm position sensor slew angle (operational interlock to protect the unloading arm)
Initiator: ZS-020A/B/C (2oo3)
Final Element: Disconnect quick release coupling for L-001A (1oo1)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

This function is provided for equipment protection. Hence, a default SIL1 has been assigned to this function.

Risk Graph Parameters


Risk
Red.
Factor

Risk Graph Comments

S
/
E

SIL

Required Actions
(SIL)

Function: 4. On high high LNG tank T-001 pressure PT-210A/B/C during unloading, shutdown unloading line
Initiator: PT-210A/B/C (2oo3)
Final Element: Close SDV-080/082 (2oo2); Close SDV-045/025/055 (3oo3) (these valves are provided with a bypass used for initial cooldown.); Close SDV-225 (no credit can be given since all the tanks will be
pressure balanced); Overall 1oo2
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent
overpressure of LNG
tank T-001 (unloading
mode)

1. BOG compressor trip (2


compressors are required during
the unloading)

Pressure buildup leading


to overpressure.
Potential damage to tank
roof leading to LNG
vapors released to the
environment.

1. PCV-292 (design
cases: three
compressors not
running, and two ships
unloading).

Risk Graph Parameters


Risk
Red.
Factor
100

Risk Graph Comments

IPL100 selected although


it might be conservative.

S
/
E

SIL

S
3

A1

N/
A

IPL
100
W3

SIL
1

E
2

N/
A

G2

IPL
100
W3

SIL
1

S
3

A1

N/
A

IPL
100
W3

SIL
1

Total unloading time is 14


hours per compressor
(W3 selected although it
might be conservative.)

2. PSV-017 (design
cases:3 percent of tank
inventory, which is the
governing case and
including the scenario)

A1 selected for seldom


presence of the operator
in this area.
S3 selected for breach in
the tank roof.

2. Same as above

2. To prevent
overpressure of LNG
tank T-001 (holding and
unloading mode)

1. XV-232 fails close (FO type)

Pressure buildup leading


to overpressure.
Potential damage to tank
roof leading to LNG
vapors released to the
environment.

1. PSV-017 (design
cases:3 percent of tank
inventory, which is the
governing case and
including the scenario)

100

IPL100 selected although


it might be conservative.
A1 selected for seldom
presence of the operator
in this area.
S3 selected for breach in
the tank roof.

Required Actions
(SIL)

13. Review
requirement for
having a balance line
between individual
storage tanks as
these create a
potential common
mode of failure for all
the three tanks in
Phase 2 due to
overpressure
scenario.

Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

Risk Graph Parameters


Risk
Red.
Factor

Risk Graph Comments

2. Same as above

3. To prevent venting of
natural gas to the
atmosphere (unloading
mode)

1. BOG compressor trip (2


compressors are required during
the unloading)

Pressure builtup in the


LNG tank leading to PSV
relieving to atmosphere.

1. PCV-292 (design
cases: three
compressors not
running, and two ships
unloading).

10

Total unloading time is 14


hours per compressor
(W3 selected although it
might be conservative.)

S/E

SIL

E2 | N/A | G2 | IPL 100 | W3 | SIL 1
S2 | A1 | G2 | IPL 10 | W3 | SIL 1
E1 | N/A | G2 | IPL 10 | W3 | SIL 1

A1 selected for seldom


presence of the operator
in this area.
S2 selected for
conservatism (most likely
no impact on safety).
2. Same as above

Required Actions
(SIL)

Function: 5. On high high LNG tank T-001 pressure PT-210A/B/C during holding, shutdown makeup line
Initiator: PT-210A/B/C (2oo3)
Final Element: Close SDV-291(1oo1)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent
overpressure of LNG
tank T-001 (unloading
mode)

1. PCV-290 fails open

Pressure buildup leading


to overpressure.
Potential damage to tank
roof leading to LNG
vapors released to the
environment.

1. PCV-292 (design
cases: three
compressors not
running, and two ships
unloading).
2. PSV-017 (design
cases:3 percent of tank
inventory, which is the
governing case and
including the scenario)

Risk Graph Parameters


Risk
Red.
Factor
100

Risk Graph Comments

IPL100 selected although


it might be conservative.

S/E

SIL

S3 | A1 | N/A | IPL 100 | W2 | SIL 1
E2 | N/A | G2 | IPL 100 | W2 | SIL -

Total unloading time is 14


hours per compressor
(W3 selected although it
might be conservative.)
A1 selected for seldom
presence of the operator
in this area.
S3 selected for breach in
the tank roof.

2. Same as above

Required Actions
(SIL)

Function: 6. On high high LNG tank T-001 pressure PT-210A/B/C during unloading, shutdown cooling line return to the tank
Initiator: PT-210A/B/C (2oo3)
Final Element: Close SDV-238 (2oo2 for Phase 1 and 3oo3 for Phase 2 as all tanks will be pressure balanced)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent
overpressure of LNG
tank T-001 (HP pump
trip case)

1. HP pump trips (eg. global power


failure)

On power failure, all HP


pumps will be stopped.
Backflow will occur from
the send-out pipeline to
the tank. Pressure
buildup leading to
overpressure. Potential
damage to tank roof
leading to LNG vapors
released to the
environment. Since the
tanks are pressure
balanced, potential
damage to all 3 tanks.

1. PCV-292 (design
cases: three
compressors not
running, and two ships
unloading). (no credit
taken as it is not a
design for this case)

Risk Graph Parameters


Risk
Red.
Factor

Risk Graph Comments

A1 selected for seldom


presence of the operator
in this area.

1. HP pump trips (eg. global power


failure)

Pressure buildup in the


LNG tank leading to PSV
relieving to atmosphere.

SIL

S3 | A1 | N/A | IPL 0 | W2 | SIL 3

S3 selected for breach in


the tank roof.

2. PSV-017 (design
cases:3 percent of tank
inventory, which is the
governing case and
including the scenario)
(no credit taken as it is
not a design for this
case)

1. PCV-292 (design
cases: three
compressors not
running, and two ships
unloading).(no credit
taken as it is not a
design for this case)

Required Actions
(SIL)

3. Review whether
additional SDV could
be implemented on
the common drain
line as SIL 1 may be
difficult to be
achieved during
Phase 2.
4. Check sizing of
PSVs for backflow
case from the HP
header. This can
reduce SIL level to
SIL 1 if credit can be
taken for the PSVs.

2. Same as above

2. To prevent venting of
natural gas to the
atmosphere (HP pump
trip case)

S/E

A1 selected for seldom


presence of the operator
in this area.
S2 selected for
conservatism (most likely
no impact on safety).

E2 | N/A | G2 | IPL 0 | W2 | SIL 2
S2 | A1 | G2 | IPL 0 | W2 | SIL 1

Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

Risk Graph Parameters


Risk
Red.
Factor

Risk Graph Comments

S/E

SIL

E1 | N/A | G2 | IPL 0 | W2 | SIL 1

2. PSV-017 (design
cases:3 percent of tank
inventory, which is the
governing case and
including the scenario)
(no credit taken as it is
not a design for this
case)
2. Same as above

Required Actions
(SIL)

Function: 7. On high high LNG tank T-001 level LT-202/203/204, shutdown unloading line (unloading mode)
Initiator: LT-202/203/204(2oo3)
Final Element: Close SDV-080/082 (2oo2); Close SDV-045/025/055 (3oo3) (these valves are provided with a bypass used for initial cooldown.); Close SDV-225 (1oo1); Overall 1oo3
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent overfilling
of LNG tank T-001
(unloading mode)

1. Filling the wrong tank with


higher initial level

2. Same as above

Liquid buildup leading to


overflow of cold LNG into
the annular space.
Contact with warm
surfaces can lead to
sudden vaporisation of
cold LNG and cause
possible overpressure of
the tank. Possible failure
of the tank roof (ie part of
the roof may get opened
up) leading to gas release
to atmosphere.

1. High level alarm.


Operator will check for
increase in level
periodically during the
unloading process and
identify any fault in level
indication. Sufficient
time available for filling
the tank and for
operator intervention.
Transfer from ships can
be stopped or transfer
routed to another tank.

Risk Graph Parameters


Risk
Red.
Factor
10

Risk Graph Comments

IPL10 selected although it


might be conservative.

S/E

SIL

S3 | A1 | N/A | IPL 10 | W2 | SIL 2
E2 | N/A | G2 | IPL 10 | W2 | SIL 1

Total unloading time is 14


hours per compressor
(W2 selected although it
might be conservative.)
A1 selected for seldom
presence of the operator
in this area.
S3 selected for breach in
the tank roof.

Required Actions
(SIL)

Function: 8. On high high LNG tank T-001 level LT-202/203/204, shutdown unloading line (transfer mode)
Initiator: LT-202/203/204(2oo3)
Final Element: Close SDV-225 (1oo1)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent overfilling
of LNG tank T-001
(transfer mode)

1. Transferring LNG to a tank


already full (infrequent operation)

2. Same as above

Liquid buildup leading to


overflow of cold LNG into
the annular space.
Contact with warm
surfaces can lead to
sudden vaporisation of
cold LNG and cause
possible overpressure of
the tank. Possible failure
of the tank roof (i.e. part
of the roof may get
opened up) leading to
gas release to
atmosphere.

1. High level alarm.


Operator will check for
increase in level
periodically during the
unloading process and
identify any fault in level
indication. Sufficient
time available for filling
the tank and for
operator intervention.
Transfer from ships can
be stopped or transfer
routed to another tank.

Risk Graph Parameters


Risk
Red.
Factor
10

Risk Graph Comments

IPL10 selected although it


might be conservative.

S/E

SIL

S3 | A1 | N/A | IPL 10 | W1 | SIL 1
E2 | N/A | G2 | IPL 10 | W1 | SIL -

Base frequency is W2
reduced by one level to
account for infrequent
operations.
A1 selected for seldom
presence of the operator
in this area.
S3 selected for breach in
the tank roof.

Required Actions
(SIL)

Function: 9. On low low LNG tank T-001 level LT-204, shutdown in-tank LNG pumps
Initiator: LT-204(1oo1)
Final Element: Shutdown XA-227A (in-tank LNG pump P-001A) (typical) (1oo1)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent in-tank
pumps running dry

1. Operator error, tank not filled


when required.
The operator forgets to shutdown
the LNG pump.
Level indication fails and LNG
continues to get transferred from
the tank to send-out

Cavitation leading to
vibration and damage to
the pump. Since pump is
mounted inside the tank,
no hazard impact outside.
Default SIL1 is assigned
to protect the pump.

1. Operator will check


for decrease in level
periodically during the
sendout process and
identify any fault in level
indication. Sufficient
time available for
operator intervention.

Risk Graph Parameters


Risk
Red.
Factor
10

Risk Graph Comments

S/E

SIL

Since this function is


provided for
equipment
protection, a default
SIL1 is taken.

SIL
1

Required Actions
(SIL)

Function: 10. On low low LNG tank T-001 level LT-204, shutdown all the dedicated in-tank LNG pumps (synergetic case)
Initiator: LT-204(1oo1)
Final Element: (not applicable, synergetic case)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

Since this function is provided for equipment protection, a default SIL1 is taken. Also, refer to Function 9.

Risk Graph Parameters


Risk
Red.
Factor

Risk Graph Comments

S/E

SIL

Required Actions
(SIL)

Function: 11. On low low LNG tank T-001 pressure PT-210A/B/C
Initiator: PT-210A/B/C(2oo3)
Final Element: Shutdown BOG compressor (C-001A/B) (most of the time 1oo1 during Phase 1 during the holding mode, only one compressor will be running, and no auto-start). During Phase 2 success criteria will
be 2oo2.
Vacuum is unlikely during unloading
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent the
vacuum in the LNG tank
from damaging the tank

1. Tank pressure control (PC-292)


malfunction
Compressor loading malfunction
More in-tank LNG pumps running
than required (less critical case)

Vacuum in the LNG tank


leading to potential tank
collapse

1. Tank pressure
control valve (PV-290)
(size for this scenario,
Phase 2, 54t/hr) (no
credit taken)
2. Vacuum breaker
provided (PSV-018A-F)
only one credit given
conservatively as
during Phase 2 vacuum
breakers are designed
for 2 compressors
running and assuming
all tanks are in
operation. There may
be some scenarios
during Phase 2 where
only one tank is in
operation.

Risk Graph Parameters


Risk
Red.
Factor
10

Risk Graph Comments

S4 selected for the
potential collapse of the
shell side.

S/E

SIL

S4 | N/A | N/A | IPL 10 | W2 | SIL 3

Required Actions
(SIL)

1. Review the
requirement to stop
the in-tank pumps on
low pressure since in
the case of PC-292
malfunctions, this
interlock is expected
to shutdown all the
in-tank LNG pumps
and therefore gas
injection through PV-290
cannot be relied
on. Shutting down
the BOG compressors
may be sufficient.
Consider keeping at
least one LP pump
running. This will
reduce SIL by one
level.

Function: 12. On high high intank LNG pump P-001A discharge pressure
Initiator: PT-228A (1oo1)
Final Element: Stop XA-227A (shutdown in-tank LNG pump P-001A) (1oo1)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent the pump


running dead-end,
shutdown in-tank LNG
pump P-001A

1. MOV-233 driven close in error

Pump running under


block condition leading to
potential damage to the
pump. (only commercial
consequence default SIL
1 selected).

1. Minimum flow
protection
2. Overload protection
for the pump
3. CPMS

Risk Graph Parameters


Risk
Red.
Factor
100

Risk Graph Comments

S/E

SIL

Since this function


relates to equipment
protection, a default
SIL1 is taken.

SIL
1

Required Actions
(SIL)

Function: 13. On low low intank LNG pump P-001A discharge pressure,
Initiator: PT-228A (1oo1)
Final Element: Stop XA-227A (shutdown in-tank LNG pump P-001A) (1oo1)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. Design intent for this function is not clear, hence, no classification was undertaken. See recommendation 2

Risk Graph Parameters


Risk
Red.
Factor

Risk Graph Comments

S/E

SIL

Required Actions
(SIL)

2. Review the
requirement for this
interlock (PALL from
PT-228A).

Function: 14. On high high level BOG compressor suction drum LT-307A/B/C
Initiator: LT-307A/B/C(2oo3)
Final Element: UA-325/355 (shutdown BOG compressor C-001A/B) (1oo1)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent the liquid


carry over to the BOG
compressor

1. TCV-309 malfunction

2. Same as above

Liquid will build up in the


compressors KO drum
with eventual liquid carry
over to the compressor.
This will lead to
compressor damage,
potential seal damage
and release of natural
gas to the atmosphere.

1. High level alarm with


operator intervention (it
would take more than
10 min for overfilling the
KO drum)

Risk Graph Parameters


Risk
Red.
Factor
10

Risk Graph Comments

S/E

SIL

S2 | A1 | G2 | IPL 10 | W2 | SIL -
E1 | N/A | G2 | IPL 10 | W2 | SIL -

Required Actions
(SIL)

Function: 15. On high high level BOG compressor suction drum LT-307A/B/C (synergetic case)
Initiator: LT-307A/B/C(2oo3)
Final Element: (synergetic case)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent the liquid


carry over to the BOG
compressor

1. TCV-309 malfunction

Liquid will build up in the


compressors KO drum
with eventual liquid carry
over to all the
compressors.

2. Same as above

This will lead to


compressor damage,
potential seal damage
and release of natural
gas to the atmosphere.

1. High level alarm with


operator intervention (it
would take more than
10 min for overfilling the
KO drum)

Risk Graph Parameters


Risk
Red.
Factor
10

Risk Graph Comments

S3 selected for the


consequence effects at all
the compressors.

S/E

SIL

S3 | A1 | N/A | IPL 10 | W2 | SIL 2
E1 | N/A | G2 | IPL 10 | W2 | SIL -

Required Actions
(SIL)

Function: 16. On high high BOG compressor C-001A discharge temperature, shutdown BOG compressor C-001A
Initiator: TT-337 (1oo1)
Final Element: Stop UA-325 (shutdown BOG compressor C-001A) (1oo1)
Existing Safeguards
Design Intent

1. To protect against
damage to compressor

Demand Scenario

1. High temp. at BOG suction :


SDV-300 gets closed on LNG line
to desuperheater (desuperheating
is required in the case of recycle
valve PV-301A/B operation or vent
from recondenser PV-376
operation. Desuperheating will
also be required during start of
compressor)
[Recommendation : Compressor
discharge design temperature
to be confirmed based on
vendor design and
recommendation]

CoFoD
High temp. at compressor
discharge leading to
potential damage to
compressor

IPLs
1. TC-309 at suction
drum / TI-328 at
compressor suction

Risk Graph Parameters


Risk
Red.
Factor

Risk Graph Comments

S/E

Not classified. (Commercial


loss is not classified in this
study)

2. High temp. alarm at


discharge, TI-336
3. Suction piping from
the point of connection
with recycle from
discharge, including
suction drum and
compressor inlet
designed for same
temp. as compressor
discharge design temp.
4. Compressor
discharge designed for
120 degC subject to
vendor design and
recommendation

2. High temp. at BOG suction :


TV-309 malfunctions and gets
closed on LNG line to
desuperheater (desuperheating is
required in the case of recycle
valve PV-301A/B operation or vent

1. TC-309 at suction
drum / TI-328 at
compressor suction
2. High temp. alarm at
discharge, TI-336

SIL

See comment above

Required Actions
(SIL)

Existing Safeguards
Design Intent

Demand Scenario

from recondenser PV-376


operation)

CoFoD

IPLs

Risk Graph Parameters


Risk
Red.
Factor

Risk Graph Comments

S/E

3. Suction piping from


the point of connection
with recycle from
discharge, including
suction drum and
compressor inlet
designed for same
temp. as compressor
discharge design temp.
4. Compressor
discharge designed for
120 degC subject to
vendor design and
recommendation

3. High temp. at BOG suction :


loss of LP LNG flow due to trip of
all pumps

1. TC-309 at suction
drum / TI-328 at
compressor suction
2. High temp. alarm at
discharge, TI-336

See comment above

SIL

Required Actions
(SIL)

Existing Safeguards
Design Intent

Demand Scenario

CoFoD

IPLs

Risk Graph Parameters


Risk
Red.
Factor

Risk Graph Comments

S/E

3. Suction piping from


the point of connection
with recycle from
discharge, including
suction drum and
compressor inlet
designed for same
temp. as compressor
discharge design temp.
4. Compressor
discharge designed for
120 degC subject to
vendor design and
recommendation
4. High temp. at compressor
discharge due to internal valve
problems

1. High temp. alarm at


discharge, TI-336

See comment above

5. High temp. in compressor


discharge due to increase in N2
content

1. High temp. alarm at


discharge, TI-336

See comment above

SIL

Required Actions
(SIL)

Function: 17. On low low LNG recondenser V-002 liquid level
Initiator: LT-0397A/B/C (2oo3)
Final Element: Stop XA-406/407/408/409/410 (shut down HP LNG pump P-005A/B/C/D/E) (1oo1)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent HP pumps
running dry

1. LV386 malfunction and FV383


malfunction

2. Same as above

Liquid will drop in the


recondenser leading to
HP pump running dry.
This will lead to pump /
seal damage and
potential gas leak.

1. none

Risk Graph Parameters


Risk
Red.
Factor
0

Risk Graph Comments

S/E

SIL

S2 | A1 | G2 | IPL 0 | W2 | SIL 1
E1 | N/A | G2 | IPL 0 | W2 | SIL 1

Required Actions
(SIL)

5. Confirm whether
underload protection
is provided for the
HP pumps.

Function: 18. On low low LNG recondenser V-002 liquid level (synergetic case)
Initiator: LT-0397A/B/C (2oo3)
Final Element: (synergetic case)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent HP pumps
running dry

1. LV386 malfunction and FV383


malfunction

Liquid will drop in the


recondenser leading to
HP pump running dry.

2. Same as above

This will lead to pump /


seal damage and
potential gas leak.
The severity is increased
by 1 level for the
synergetic case.

1. none

Risk Graph Parameters


Risk
Red.
Factor
0

Risk Graph Comments

S/E

SIL

S3 | A1 | N/A | IPL 0 | W2 | SIL 3
E1 | N/A | G2 | IPL 0 | W2 | SIL 1

Required Actions
(SIL)

Function: 19. On ESD activation, Close individual HP pump discharge
Initiator: (secondary function)
Final Element: Close vaporizer E-001A-E inlet isolation valve (5oo5)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent backflow
through the HP pumps

1. Pump trip case (ESD activation


/ power failure)

Backflow from the HP


systems through the HP
pumps.
LP system will gradually
pressurize. Potential
overpressure leading to
some flange leak.

2. Same as above

1. One check valve


provided at each pump
discharge (no credit
given)

Risk Graph Parameters


Risk
Red.
Factor
10

Risk Graph Comments

S/E

SIL

S2 | A1 | G2 | IPL 10 | W2 | SIL -
E1 | N/A | G2 | IPL 10 | W2 | SIL -

2. Operator
interventions can
prevent ultimate
consequences by
closing the isolation
valves

Required Actions
(SIL)

Function: 20. On high high LNG recondenser level (overfilling case)
Initiator: LT-0398 (1oo1)
Final Element: Close SDV-379/383 (2oo2 for holding mode and 1oo1 for unloading mode). However, SDV-383 is only required to be closed in case of multiple HP pump trip, which is less likely.; Credit can also be
given to shutting down the LP pumps (flow from one LP pump is equivalent to 3 HP pump).
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent LNG to be
sent to flare

1. FV-383 malfunction, LV-386


malfunction, SDV-384 malfunction
or HP pump trip
2. Same as above

2. To prevent overfilling
of the recondenser

1. FV-383 malfunction, LV-386


malfunction, SDV-384 malfunction
or HP pump trip
2. Same as above

Level build-up in
recondenser could lead to
high pressure due to
blocked condition (as
BOG compressor and In-tank
pump go to shut-off
condition). Recondenser
designed for 19 barg but
PSV set at 14.3 barg.
LNG may get released
through PSV to flare

1. none

Level build-up in
recondenser could lead to
LNG going to warm areas
of piping, potential
thermal shock and
release of gas through
flange.

1. piping integrity (same


piping classification)

Risk Graph Parameters


Risk
Red.
Factor

10

Risk Graph Comments

S/E

SIL

S2 | A1 | G2 | IPL 0 | W3 | SIL 1
E1 | N/A | G2 | IPL 0 | W3 | SIL 2
S2 | A1 | G2 | IPL 10 | W3 | SIL 1
E1 | N/A | G2 | IPL 10 | W3 | SIL 1

Required Actions
(SIL)

6. Review set point


of PSV-033/034 to
prevent unnecessary
discharge to the
flare, this will reduce
SIL by one level.

Function: 21. On high high LNG recondenser level (backflow to compressor case)
Initiator: LT-0398 (1oo1)
Final Element: Close SDV-379/383 (2oo2 for holding mode and 1oo1 for unloading mode). However, SDV-383 is only required to be closed in case of multiple HP pump trip, which is less likely.; Credit can also be
given to shutting down the LP pumps (flow from one LP pump is equivalent to 3 HP pump).
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent overfilling
of the recondenser

1. FV-383 malfunction, LV-386


malfunction, SDV-384 malfunction
or HP pump trip

2. Same as above

Level build-up in
recondenser will lead to
pressure balance
between LP pumps and
compressor discharge
with eventual LNG
carryover to recirculation
line.
Potential overpressure of
the compressor suction.

1. High level alarm in


the compressor KO
drum

Risk Graph Parameters


Risk
Red.
Factor
10

Risk Graph Comments

S/E

SIL

S3 | A1 | N/A | IPL 10 | W3 | SIL 2
E2 | N/A | G2 | IPL 10 | W3 | SIL 2

Required Actions
(SIL)

7. Check the high


high level trip
configuration on the
recondenser (check
actions on LT-397/398)

Function: 22. On high high LNG recondenser pressure
Initiator: PT-0375 (1oo1)
Final Element: Close SDV-378 (HP cap gas to recondenser) (1oo1)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent
overpressure of
recondenser

1. High pressure in recondenser


due to PC-384 malfunction (since
it is split range control, both PV-384A on BOG bypass to
recondenser outlet and PV-384B
on make-up gas line will open).

Potential overpressure of
recondenser since send-out gas header pressure
is 86 barg while
recondenser is only
designed for 19 barg

1. PC-376 will open to


BOG suction header
(sized for 29 T/hr)

Risk
Red.
Factor
100

Risk Graph Comments

S/E

SIL

S3 | A1 | N/A | IPL 100 | W2 | SIL 1
E2 | N/A | G2 | IPL 100 | W2 | SIL -
S3 | A1 | N/A | IPL 100 | W2 | SIL 1
E2 | N/A | G2 | IPL 100 | W2 | SIL -

2. PSV-034 set at 14.3


barg to flare designed
for this case which is
governing (22T/hr)

2. Same as above

3. High pressure in recondenser.


LNG flow through FV-383 fails due
to trip of all in-tank pumps

Risk Graph Parameters

1. PC-376 will open to


BOG suction header
(sized for 29 T/hr)
2. PSV-034 set at 14.3
barg to flare designed
for this case which is
governing (22T/hr)

4. Same as above

Required Actions
(SIL)

Function: 31. On low low NG to general user pipeline pressure
Initiator: PT-813A/B/C (2oo3)
Final Element: Close SDV-820 (NG sendout pipeline isolation) (1oo1)
Existing Safeguards
Design Intent

Demand Scenario

CoFoD
IPLs

1. To prevent backflow

1. multiple HP pumps trip

Backflow from the HP


systems through the HP
pumps.

1. none

Risk Graph Parameters


Risk
Red.
Factor

Risk Graph Comments

S/E

SIL

S2 | A1 | G2 | IPL 0 | W2 | SIL 1
E1 | N/A | G2 | IPL 0 | W2 | SIL 1

LP system will gradually


pressurize. Potential
overpressure leading to
some flange leak.
2. Same as above

Required Actions
(SIL)

9. Consider not
shutting down all of
the HP pumps from
this interlock PT-813A/B/C, or shutting
down HP pumps in
stages to prevent
backflow situation at
the pumps.
