SAFETY REQUIREMENT SPECIFICATION
SPC-0804.02-60.07 REV D2
TOTAL 46 PAGES

PTT PUBLIC COMPANY LIMITED
ONSHORE COMPRESSOR STATION 4 PROJECT
PTT PLC. CONTRACT NO.:
PTT PLC. PROJECT NO.: 0804.02
AREA CODE OF SITE LOCATION: GENERAL AREA 010

PREPARED BY: Exida
CHECKED BY: Teerasak
APPROVED BY (PTT): Naret
CERTIFIED (PTT): NA

REV. NO.  DATE       REVISED BY  APPROVED BY  DESCRIPTION
D1        18-Jul-08                           ISSUED FOR ITB
D2        21-Jul-08                           REVISION ISSUED FOR ITB



COPYRIGHT RESERVED

The information and design details in this document are the property of exida Pty Limited, and/or its associates. Except as provided below the document is issued on the strict condition that except with the written permission of exida Pty Ltd it must not be reproduced, copied or communicated to any third party, nor be used for any purpose other than that stated in the particular enquiry, order or contract with which it is issued. The reservation of copyright in this document extends from each date appearing thereon and in respect of the subject matter as it appeared at that relevant date.

Copyright © exida Pty Ltd 2008 ACN 116 918 999

AUSTRALIA

PTT PUBLIC COMPANY LIMITED

Safety Requirement Specification PTT OCS4 Project

July 2008

CONFIDENTIAL INFORMATION


Safety Requirements Specification

Safety Requirement Specification Page 3 of 46

Table of Contents

1 Introduction .... 5
1.1 General Project Information .... 5
1.2 Background .... 5
1.3 Purpose and Scope .... 5
1.4 Methodology .... 5
1.5 Regulations and Standards Used .... 6
1.6 Supporting Documents .... 6

2 General Requirements for the Safety Instrumented System .... 7
2.1 Definition .... 7
2.2 Design Requirements .... 7
2.3 Requirement for Review .... 7
2.4 Response to SIS Logic Solver Failures .... 7
2.5 Interfaces .... 7
2.6 Sequence of Events Recording (SER) .... 8
2.7 Environmental Conditions .... 8
2.8 Electrical Power .... 8
2.9 Loss of Energy Sources .... 8
2.10 SIS Software Requirements .... 8

3 General Requirements for the Safety Instrumented Functions .... 9
3.1 Spurious Trip Rate .... 9
3.2 Demand Mode of Operation .... 9
3.3 Protection Mode .... 9
3.4 Manual Shutdown .... 9
3.5 Pre-Alarms .... 9
3.6 Maintenance Overrides .... 9
3.7 Operating Modes .... 10
3.8 Trip Reset .... 10
3.9 Mission Time .... 10
3.10 Response Time .... 10
3.11 Test Interval .... 10
3.12 Common Cause Sources .... 11
3.13 Interfaces .... 11
3.14 Regulations & Standards .... 11
3.15 Failure Modes .... 11
3.16 Diagnostics .... 12
3.17 Gas Over Oil Valves .... 12
3.18 Application Software .... 12
3.19 Proof Test Procedures .... 12

4 List of Safety Instrumented Functions .... 13

5 Details of Safety Instrumented Functions .... 14
5.1 PSD-103 .... 14
5.2 PSD-101A .... 16
5.3 PSD-102A .... 18
5.4 USD-104.1A .... 20
5.5 USD-104.2A .... 22
5.6 USD-104.3A .... 24
5.7 USD-101A .... 26
5.8 ESD-101 .... 28

6 Abbreviations and Definitions .... 30

7 Disclaimer and Assumptions .... 31
7.1 Disclaimer .... 31
7.2 Assumptions for Safety Requirements Specification .... 31

Appendix A - List of Safety Functions Evaluated .... 32
Appendix B - SIL Determination Workshop Minutes .... 33

Revision History

REV  DATE          COMMENTS                            AUTHOR  CHECKED  APPROVED
A    17 July 2008  Incorporates comments from review   RW      MS


1 Introduction

1.1 General Project Information

Project Information Project Details

Project Identification : 0804.02

Project Name : Onshore Compressor Station 4

Company : PTT Public Company Limited

Project Leader : Mr Naret Visesvongsa

Project Initiated On : March 2008

Project Description : Identify and specify SIF to IEC 61511 requirements

1.2 Background PTT intends to install a new Onshore Compressor Station No. 4 (OCS4) located at Map Ta Phut, Rayong, adjacent to PTT LNG terminal, to boost the pressure of the incoming gas from PTT Gas Separation Plant Dew Point Control Unit (GSP DPCU) in order to mix it with gas from the LNG terminal at the Fourth Transmission Pipeline (FTP) header. The mixed gas will be distributed via the Fourth Transmission Pipeline.

PTT has decided that the OCS4 project will follow the functional safety requirements of IEC 61511 safety lifecycle activities to ensure that potential incidents that could affect safety, the environment, or cause asset loss at the facility, have been identified, and risk management of these incidents can be demonstrated.

1.3 Purpose and Scope The purpose of this document is to provide details of the functional requirements that are common to the Safety Instrumented System (SIS), the functional requirements that are common to all identified Safety Instrumented Functions (SIF), and the functional and integrity requirements that are unique to each SIF. In this way repetition, conflicting or missing requirements are reduced. The intent is that the information required by the organization responsible for the design of the SIS is presented as clearly, completely and accurately as possible to enable the organization to design the SIS and each SIF to meet the functional requirements.

The scope of the document follows the boundaries of the OCS4 project.

1.4 Methodology As an initial step in the process of compliance with IEC 61511, PTT has drawn on experience from designing and implementing similar facilities, and used this in conjunction with a HAZOP workshop to identify potential incidents, their causes and consequences, and the preventative and mitigative safeguards already in place. Where the HAZOP team felt it was necessary, additional safeguards were recommended.

This initial step was followed by a SIL determination workshop held at the Foster Wheeler Thailand office in Sriracha on 14 July 2008. The SIL determination workshop used the results of the HAZOP to evaluate the performance requirements of the identified SIF. A risk graph approach, as detailed in the Foster Wheeler SIL Review Procedure, was used to evaluate the performance requirements of each SIF. The results of the SIL determination workshop are given in Appendix B.

Essentially, the risk graph approach is a team-based evaluation of the severity of the consequence of each incident scenario, the frequency with which each scenario would occur, the likelihood that a person or persons would be in the area, and the possibility that the person or persons would have adequate warning prior to the incident occurring to enable them to avoid it. Separate risk graphs were used for environmental impact and potential financial loss.

These parameters were then plotted on the appropriate risk graph to produce a Safety Integrity Level for each individual SIF, for each of the three types of consequence considered: safety, environmental impact, and potential financial loss. The highest SIL rating from the three consequence types considered was chosen as the performance requirement of the SIF. As this approach resulted in a SIL for each SIF, it was felt necessary to refine this requirement with the inclusion of a Risk Reduction Factor (RRF). The following table maps the required RRF to the SIL value:

SIL  RRF
1    30
2    500

1.5 Regulations and Standards Used This SRS is based on the following standards:

Standard   Parts          Title
IEC 61511  Parts 1 to 3   Functional Safety: Safety Instrumented Systems for the Process Industry Sector
IEC 61508  Parts 1 to 7   Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

1.6 Supporting Documents

This SRS draws on information from, or references, the following documents:

Document                                                Description
E17-08                                                  Foster Wheeler SIL Review Procedure
PR-0804.02-90.03 Rev A1                                 HAZOP Study, 3 July 2008
-                                                       SIL Determination Workshop Results, 14 July 2008
15-3-0804.02-6000-001 to 15-3-0804.02-6000-029 Rev D1   Piping & Instrument Drawings (P&IDs)
14-3-0804.02-6000-001 Rev D2                            ESD Hierarchy Diagrams
SPC0804.02-60.02                                        SIS Specification
SPC0804.02-99.90                                        Basic Engineering Design Document (BEDD)


2 General Requirements for the Safety Instrumented System This section describes the common functional requirements that apply to the Safety Instrumented System used in the Onshore Compressor Station 4 project.

2.1 Definition The Safety Instrumented System is defined as the total system and includes all sensor, logic solver and final element subsystems, power supplies and communication networks.

2.2 Design Requirements The SIS shall be designed in accordance with the manufacturer’s requirements to meet the required safety performance level. Where equipment is certified for safety use, all of the design requirements of the equipment safety manual (whether referenced on the safety certificate or not) shall be implemented, and evidence of this shall be provided.

A copy of the safety manual for each certified device shall be provided.

2.3 Requirement for Review This Safety Requirement Specification (SRS) was written based on the latest revisions of the documentation available at the time. Prior to the design of the SIS, the responsible contractor shall review the SRS against the latest revisions of all applicable documents and modify the SRS if and where required.

2.4 Response to SIS Logic Solver Failures In the event of partial or complete failure of the SIS, the following provisions must be made.

a) A continuous diagnostic program shall detect the discrepancies and shall take timely action (initiation of the respective function or of the complete ESD). This action shall be visible from the operator station and recorded, and at no time shall it imply any loss in process safety.

b) In the case of system failure, the outputs will be driven to take the plant to a safe position and the operator shall be warned.

c) The failure modes and response of the SIS on the detection of faults should be defined. For example, a transmitter can be designed to fail toward a trip condition or away from a trip condition. If it is designed to fail away from the trip condition, then it is important that the operator gets an alarm on the transmitter failure and is trained to take the necessary corrective action to get the transmitter repaired as quickly as possible. See also IEC 61511-1, clause 11.3 relating to requirements on detection of a fault.

2.5 Interfaces The SIS must interface to the following systems:

2.5.1 Distributed Control System (DCS) The interface between the SIS and the DCS shall be provided using redundant V-NET.

It must be possible for the SIS to write information to the DCS.

It must not be possible for the DCS to write information, settings or actions to the SIS. The SIS will be able to read information from the DCS to perform external sensor comparison, if required. An alarm shall be provided in the SIS and communicated to the operator should the read communications fail.

In the case of 2oo3 transmitter voting, the SIS will write the transmitter values to the DCS; the DCS will perform a measurement validation comparison and raise an alarm if discrepancy is detected.


2.5.2 Operator Workstations Operating stations must be provided in accordance with PTT specifications and philosophy documents.

2.6 Sequence of Events Recording (SER) Sequence of Event (SOE) recording is required for this project:

System timing in the SIS shall be synchronized from the DCS. The DCS shall be synchronized from a GPS.

The SIS shall write event data to the DCS complete with time stamp.

System timing shall be provided in accordance with DCS specification SPC0804.02-60.05 Section 7.8.

2.7 Environmental Conditions The SIS must be suitably designed, built and installed to operate in the environmental conditions specified in the SIS Specification (SPC0804.02-60.02) and Basic Engineering Design Document (SPC0804.02-99.90).

2.7.1 Interior Equipment The logic solver and associated interface equipment will be mounted in a controlled environment in accordance with SIS Specification (SPC0804.02-60.02).

2.7.2 Exterior Equipment Field equipment (sensors & final elements) will be supplied by others to meet the environmental requirements as detailed in Basic Engineering Design Document (SPC0804.02-99.90) and process requirements as detailed in the individual instrument data sheets.

2.8 Electrical Power Electrical power is provided to the SIS via two independently fused power feeds providing power to two independent UPS systems.

The UPS systems shall be sized to provide sufficient power to continue full operation of the SIS, including field devices, for 2 hours, after which there shall still be sufficient power for a controlled shutdown of the compressor station. The contractor shall provide calculations to verify this capability.

2.9 Loss of Energy Sources The complete SIS system shall be designed to go to its safe state on total loss of electrical power, or on total loss of instrument air/nitrogen.

2.10 SIS Software Requirements All configuration and programming requirements specified by IEC 61511-1 clause 12 shall be followed.

a) SIF threshold set points shall be able to be changed without having to re-flash EPROMs. The SIF threshold set points shall be protected via software access security.

b) Use IEC 61508 safety assessed logic blocks (safety PLCs)

c) Have cycle times that will allow overall performance as stated in the following general and specific SIF requirements

d) Be functionally tested as stated in each SIF specific requirement

e) Follow functional safety management and safety lifecycle practices similar to SIS hardware (especially MOC Management of Changes).


3 General Requirements for the Safety Instrumented Functions This section describes the common functional requirements that apply to all Safety Instrumented Functions in the Onshore Compressor Station 4 project. In some cases, a Safety Instrumented Function will have additional or different requirements; these will be identified in the appropriate SIF subsection of this document.

3.1 Spurious Trip Rate All Safety Instrumented Functions shall be designed to fail spurious (safe) no more than once every 15 years (i.e. 0.066 per year)

3.2 Demand Mode of Operation All Safety Instrumented Functions shall be designed to operate in low demand mode.

3.3 Protection Mode All Safety Instrumented Functions shall be designed such that movement of the final element to the safe position will be performed by removing power from the element (i.e. de-energize-to-trip).

3.4 Manual Shutdown A pushbutton will be provided in the control room to manually initiate a shutdown if required.

A pushbutton will be provided in the field to manually initiate a shutdown as specified in the individual SIF specification sheets.

Control room and field pushbuttons are each a single button with three contact sets. Each contact set connects to a different digital input card, and the three contacts are voted 2oo3.

3.5 Pre-Alarms All process SIF have a requirement for a pre-alarm signal. The pre-alarm signal shall be generated in the DCS as a median of the transmitter measured values written from the SIS to the DCS.

3.6 Maintenance Overrides Maintenance overrides (MOR) shall be applied to PSD-103 only.

A master key switch in the DCS console shall enable an individual soft switch override of PT-111-1; PT-111-2 and PT-111-3 from the DCS. The DCS shall be programmed to ensure that only one maintenance override per voting group shall be permitted at any one time.

Maintenance overrides will degrade the redundant voting elements as follows:

Original voting: 2oo3
Degraded voting (one element in override): 2oo2

The MOR column in the sensor data tables is interpreted as follows: Yes = maintenance override is permitted; No = maintenance override is NOT permitted (or not applicable).

Maintenance overrides will operate as follows:

I. The SIS shall be configured so that overrides are implemented using a two-step process that includes activation of a unit-specific Override Enable (Bypass Enable) switch and activation of a SIF input-specific override.

II. Only when both of these items are activated will the system be in override. When a system is placed in override, the logic solver will hold the input of the element in override in the non-shutdown state.


III. With the Override Enable switch in the Normal position, its contacts are open, indicating that the SIS cannot be used to override inputs in that Plant Unit.

IV. With the Override Enable switch in the Enable position, its contacts are closed, indicating that the SIS can be used to override inputs in that Plant Unit.

V. Activation of the Override Enable switch shall be communicated to the DCS. Upon detection of a transition to the override-enabled state, the DCS shall generate an alarm and log the action.

VI. The SIS shall be configured so that it will only allow overriding if the associated Plant Unit Override Enable switch is in the enable position.

VII. The SIS shall be configured so that it will only allow one element of the voting group to be in override at any one time.

VIII. An attempt to override without the Override Enable switch in the enable position will generate an alarm.

IX. The SIF input override ON command is initiated from the DCS as a pulse signal; the SIS reads this pulse and latches the override. The SIF input override OFF command is initiated from the DCS as a pulse; the SIS reads this pulse and unlatches the override. This is to ensure that an override remains enabled in the event of loss of communications between the DCS and the SIS.

X. If a SIF input override is enabled for 90 minutes the SIS shall alarm to the DCS that override is still enabled. This alarm will be repeated every 90 minutes until the SIF input override is disabled.

XI. Once all SIS override switches are in the normal position for that Plant Unit, the Plant Unit Override Enable switch can be set back to the normal position.

XII. If the Override Enable switch is set to the normal position while a SIS override switch is still in the override position, the SIS override will be forced to the normal position. If the overridden input has not returned to a non-trip reading, the SIF will be activated and the associated automatic shutdown will occur.

XIII. To minimise this risk, a lamp shall be provided immediately adjacent to each Plant Unit Override Enable switch. The lamp will be lit when the Override Enable switch is in the enable position and a shutdown trip in that Plant Unit has not yet cleared.
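The override behaviour of clauses I to XIII, modelled in Python as an added example; this is not code from the SRS nor from any PTT, exida or contractor deliverable. It holds one hypothetical Plant Unit with a single 2oo3 voting group, using the tag names PT-111-1/2/3 from this section; the alarm strings, the representation of a DCS pulse as a method call, and the use of True for a trip reading are assumptions made for the example.

```python
# Added example (not part of the SRS): a model of the maintenance override logic
# of section 3.6, clauses I to XIII, for one hypothetical Plant Unit holding a
# single 2oo3 voting group. Tag names, alarm strings and the pulse interface are
# assumptions made for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

REMINDER_PERIOD_S = 90 * 60  # clause X: repeat the "still overridden" alarm every 90 min


@dataclass
class PlantUnitOverrides:
    tags: Tuple[str, str, str]                 # the three voted transmitters (assumed names)
    enable_switch: bool = False                # Plant Unit Override Enable key switch (III, IV)
    overridden: Optional[str] = None           # clause VII: at most one element per group
    override_since_s: Optional[float] = None
    reminders_sent: int = 0
    alarms: List[str] = field(default_factory=list)  # what the SIS would send to the DCS

    def set_enable_switch(self, enabled: bool, inputs: Dict[str, bool]) -> bool:
        """Clause V: a transition to Enable is alarmed. Clause XII: Normal while an
        element is still overridden forces the override off and the SIF is
        re-evaluated on live inputs, so a still-tripping element shuts down now."""
        if enabled and not self.enable_switch:
            self.alarms.append("OVERRIDE_ENABLE_ON")
        if not enabled and self.overridden is not None:
            self.alarms.append(f"OVERRIDE_FORCED_NORMAL {self.overridden}")
            self._clear_override()
        self.enable_switch = enabled
        return self.trip(inputs)

    def override_on_pulse(self, tag: str, now_s: float) -> bool:
        """Clause IX: ON pulse from the DCS, latched in the SIS so it survives loss
        of DCS comms. Clauses VI/VIII: refused and alarmed unless the switch is in
        Enable. Clause VII: refused if another element of the group is overridden."""
        if tag not in self.tags:
            raise ValueError(f"{tag} is not in this voting group")
        if not self.enable_switch:
            self.alarms.append(f"OVERRIDE_ATTEMPT_SWITCH_NORMAL {tag}")
            return False
        if self.overridden not in (None, tag):
            self.alarms.append(f"OVERRIDE_REFUSED_ONE_PER_GROUP {tag}")
            return False
        if self.overridden is None:
            self.overridden, self.override_since_s, self.reminders_sent = tag, now_s, 0
        return True

    def override_off_pulse(self, tag: str) -> None:
        """Clause IX: OFF pulse from the DCS unlatches the override."""
        if self.overridden == tag:
            self._clear_override()

    def tick(self, now_s: float) -> int:
        """Clause X: alarm at 90 minutes of override and every 90 minutes after.
        Returns the number of reminders raised so far for this override."""
        if self.override_since_s is None:
            return 0
        due = int((now_s - self.override_since_s) // REMINDER_PERIOD_S)
        while self.reminders_sent < due:
            self.reminders_sent += 1
            self.alarms.append(f"OVERRIDE_STILL_ENABLED {self.overridden}")
        return self.reminders_sent

    def lamp_lit(self, inputs: Dict[str, bool]) -> bool:
        """Clause XIII: lit while the switch is in Enable and a trip has not cleared."""
        return self.enable_switch and any(inputs[t] for t in self.tags)

    def trip(self, inputs: Dict[str, bool]) -> bool:
        """2oo3 vote (True = trip reading). Clause II: the overridden element is held
        in its non-shutdown state, so the group degrades to 2oo2 of the other two."""
        votes = sum(1 for t in self.tags if inputs[t] and t != self.overridden)
        return votes >= 2

    def _clear_override(self) -> None:
        self.overridden, self.override_since_s, self.reminders_sent = None, None, 0


def demo() -> Dict[str, object]:
    """Walk one override through its life; inputs are constructed test data."""
    unit = PlantUnitOverrides(tags=("PT-111-1", "PT-111-2", "PT-111-3"))
    healthy = {"PT-111-1": False, "PT-111-2": False, "PT-111-3": False}
    refused = unit.override_on_pulse("PT-111-1", now_s=0)   # key switch still in Normal
    unit.set_enable_switch(True, healthy)
    latched = unit.override_on_pulse("PT-111-1", now_s=0)
    second = unit.override_on_pulse("PT-111-2", now_s=0)    # one per voting group
    under_test = {"PT-111-1": True, "PT-111-2": False, "PT-111-3": False}
    trip_during_test = unit.trip(under_test)                # held healthy: no trip
    lamp = unit.lamp_lit(under_test)
    trip_on_demand = unit.trip({"PT-111-1": True, "PT-111-2": True, "PT-111-3": True})
    reminders = unit.tick(now_s=185 * 60)                   # 3 h 5 min after latching
    still_tripping = {"PT-111-1": True, "PT-111-2": True, "PT-111-3": False}
    forced = unit.set_enable_switch(False, still_tripping)  # clause XII shutdown
    return {"refused": refused, "latched": latched, "second": second,
            "trip_during_test": trip_during_test, "lamp": lamp,
            "trip_on_demand": trip_on_demand, "reminders": reminders,
            "trip_on_forced_normal": forced, "alarms": unit.alarms}
```

Running demo() shows the two checks a reviewer of an override design most wants to see: a pulse with the key switch in Normal is refused and alarmed rather than silently ignored, and returning the key switch to Normal while the overridden transmitter still reads trip causes the shutdown of clause XII. Note that the ON/OFF pulses of clause IX are a DCS-originated command path into the SIS, which has to be reconciled with the rule in 2.5.1 that the DCS must not write actions to the SIS; in this model, as in the text, a pulse has no effect unless the hardwired Override Enable switch is in Enable, and the latched state lives in the SIS so loss of DCS communications neither drops nor creates an override.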

3.7 Operating Modes The following operating modes are identified for each Safety Instrumented Function: demand/continuous. This shall be stated in each individual SIF specification sheet.

3.8 Trip Reset Trip reset requirements will be stated in the individual SIF specification sheets.

A trip cannot be manually reset until all initiators are in their healthy (normal operation) condition.

3.9 Mission Time The mission time (or system lifetime) shall be 15 years.

3.10 Response Time The response time of the complete SIF will be from detection at the sensor to completion of final element action and shall not exceed half of the process safety time for the specific incident scenario the SIF is guarding against.

3.11 Test Interval Each component of the SIF may be tested separately according to its proof test interval.


The proof test interval for the complete SIF will be the interval for which all SIF components are tested together.

3.12 Common Cause Sources Good engineering practice should be used to minimise common cause failure sources. Sources of common cause failure for SIF components must be identified and considered when estimating the Beta factor.

Factors associated with common cause failure are typically:

Chemical
- Devices are exposed to the same or similar internal or external environments, which may include freezing, plugging etc.

Mechanical
- Devices are exposed to the same or similar mechanical stress such as vibration etc.
- Devices are identical or use the same or similar technology.

Electrical
- Devices share a common electrical supply or instrument routes and marshalling equipment.
- Devices are exposed to the same or similar electrical stress such as lightning, RFI etc.

Systematic
- Devices are designed, installed, maintained and tested by the same or similar personnel and are therefore subject to the same human error.

3.13 Interfaces The process connection for sensors must be defined, for example:
- Clean service, remote seal, or impulse line with low, medium or high potential for blockage
- Thermocouple or RTD

The interface for sensors must be defined, for example:
- IS barriers or other isolation/interface/signal conversion devices

The process connections for final elements must be defined, for example:
- Tight shut-off or severe service

The interface for final elements must be defined, for example:
- Solenoids, barriers or other devices

3.14 Regulations & Standards All Safety Instrumented Functions shall be designed in accordance with the requirements detailed in IEC 61511 and the PTT OCS4 project documentation.

The Hardware Fault Tolerance of all SIF must be evaluated against the Architectural Constraints as stated in IEC 61508.

3.15 Failure Modes Every SIF in this project has 2oo3 voting of sensors. On detection of failure, a transmitter shall be configured to fail away from the trip condition.

As each SIF is designed to fail away from the trip condition, it is important that the operator gets an alarm on the transmitter failure and is trained to take the necessary corrective action to get the transmitter repaired as quickly as possible. See also IEC 61511-1, clause 11.3 relating to requirements on detection of a fault.

3.16 Diagnostics Every SIF in this project has 2oo3 voting of sensors. Detected failures will degrade the voting of groups as follows:

Original voting: 2oo3
Voting with 1 failed element: 2oo2
Voting with 2 failed elements: trip
Voting with 3 failed elements: trip

The SIS logic solver shall be programmed to utilize all its diagnostic capabilities.

The results of all diagnostics on all SIS and SIF subsystems shall be communicated to the DCS.

Digital outputs to SOVs shall be line monitored.
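The sensor-subsystem behaviour that 2.5.1, 3.5, 3.15 and this section specify between them, put together in Python for a low-pressure trip of the PSD-103 kind, as an added example; it is not code from the SRS nor from any project deliverable. The trip and pre-alarm setpoints, the discrepancy tolerance, the tag names PT-111A/B/C and the pressure readings are all constructed for the example, and a reading of None stands for a transmitter with a detected fault.

```python
# Added example (not part of the SRS): sensor-subsystem behaviour from sections
# 2.5.1, 3.5, 3.15 and 3.16 for a low-pressure trip of the PSD-103 kind.
# Setpoints, tolerance, tag names and readings are constructed for the example.
from statistics import median
from typing import Dict, Optional, Tuple

TRIP_SP = 30.0       # barg, assumed low-pressure trip setpoint
PRE_ALARM_SP = 35.0  # barg, assumed pre-alarm setpoint (reached before the trip)
DISCREPANCY = 2.0    # bar, assumed DCS measurement-validation tolerance


def sis_low_pressure_vote(readings: Dict[str, Optional[float]]) -> Dict[str, object]:
    """SIS side. A reading of None is a transmitter with a detected fault: it is
    taken out of the vote away from trip and an operator alarm is raised (3.15).
    One fault degrades 2oo3 to 2oo2 of the remaining pair; two or three faults
    trip outright (3.16). The SIS only writes values out (2.5.1); nothing here
    accepts data from the DCS."""
    if len(readings) != 3:
        raise ValueError("a 2oo3 group has exactly three transmitters")
    fault_alarms = [f"TRANSMITTER_FAULT {t}" for t, v in readings.items() if v is None]
    healthy = {t: v for t, v in readings.items() if v is not None}
    tripping = [t for t, v in healthy.items() if v < TRIP_SP]
    faults = 3 - len(healthy)
    if faults >= 2:
        voting, trip = "trip", True
    elif faults == 1:
        voting, trip = "2oo2", len(tripping) == 2
    else:
        voting, trip = "2oo3", len(tripping) >= 2
    return {"trip": trip, "voting": voting, "fault_alarms": fault_alarms,
            "to_dcs": healthy}  # values written SIS -> DCS alongside the vote result


def dcs_validate(values: Dict[str, float]) -> Dict[str, object]:
    """DCS side, fed only with what the SIS wrote. The pre-alarm comes from the
    median of the transmitter values (3.5); the measurement-validation comparison
    flags any transmitter that disagrees with that median (2.5.1)."""
    if not values:
        return {"median": None, "pre_alarm": False, "discrepancy": []}
    med = median(values.values())
    return {"median": med, "pre_alarm": med < PRE_ALARM_SP,
            "discrepancy": [t for t, v in values.items() if abs(v - med) > DISCREPANCY]}


def scan(readings: Dict[str, Optional[float]]) -> Tuple[Dict[str, object], Dict[str, object]]:
    """One scan: the SIS votes, then the DCS works on what the SIS wrote to it."""
    sis = sis_low_pressure_vote(readings)
    return sis, dcs_validate(sis["to_dcs"])


if __name__ == "__main__":
    # Constructed readings in barg; None = detected transmitter fault.
    for case in ({"PT-111A": 50.0, "PT-111B": 50.5, "PT-111C": 49.8},   # normal
                 {"PT-111A": 28.0, "PT-111B": 50.0, "PT-111C": 50.0},   # one low: no trip, discrepancy
                 {"PT-111A": None, "PT-111B": 29.0, "PT-111C": 29.5},   # fault + demand: 2oo2 trip
                 {"PT-111A": None, "PT-111B": 29.0, "PT-111C": 38.0},   # fault, pre-alarm only
                 {"PT-111A": None, "PT-111B": None, "PT-111C": 50.0}):  # two faults: trip
        print(scan(case))
```

The split between the two functions is the point of the interface rule in 2.5.1: the SIS function returns the values it writes to the DCS, and the DCS function is fed only that dictionary, never the other way round. The constructed cases also show why the operator alarm in 3.15 has to be acted on promptly: a faulted transmitter contributes no vote, so under a single fault a genuine demand is only caught if both remaining transmitters cross the trip setpoint, and a second fault takes the function straight to trip.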

3.17 Gas Over Oil Valves Where Gas over Oil valves are used in the final element subsystem of a SIF it should be noted that accumulators are used, and that this should be accounted for in SIL Verification calculations.

3.18 Application Software Application software shall be developed and tested in accordance with IEC 61511-1 clause 12.

A certified Limited Variability Language (LVL) will be utilized for the SIS application program.

3.19 Proof Test Procedures A detailed proof test procedure shall be provided for each SIF. Each proof test shall effectively evaluate the performance of the associated SIF from the process connection for sensor(s) to the process connection for the final element(s). Each test procedure shall contain a detailed test of effectiveness with measurable pass/fail criteria documented.

Where sensor and/or final element subsystems of a SIF are to be tested separately, a detailed proof test procedure shall be provided for each subsystem. Each sensor subsystem proof test shall effectively evaluate the performance of the subsystem from the process connection for sensor(s) to the associated logic in the logic solver. Each final element subsystem proof test shall effectively evaluate the performance of the subsystem from the associated logic in the logic solver to the process connection for final element(s).

Each proof test shall incorporate the manufacturers’ requirements for testing specific devices within each SIF or SIF subsystem.

A detailed list of equipment required to effectively carry out any test procedure shall be documented within the test procedure.


4 List of Safety Instrumented Functions

The functional and integrity requirements unique to each SIF are detailed in separate subsequent sections.

SIF Name | Initiating Tag | SIF Description | SIL

PSD-103 | PT-111A/B/C (2oo3) | PT-111A/B/C detects low pressure indicating major leak or rupture downstream of inlet isolation valve SDV-101; and closes shutdown valve SDV-101 and closes pressurisation valve XV-101. | SIL 1, RRF 30 (SE)

PALL-321 | PT-321A/B/C (2oo3) | PT-321A/B/C detects low pressure instrument air indicating a total loss of instrument air, and switches to nitrogen. Implement in the DCS. | NSR

PSD-101A/B/C | LT-102A1/A2/A3 (2oo3) | LT-102A/B/C detect LL level in separator S-101A/B/C and closes SDV-103A/B/C and LV-101A/B/C to prevent gas going to slops drum and potential drum rupture. | SIL 2, RRF 500 (SEL)

PSD-102A/B/C | LT-102A1/A2/A3 (2oo3) | LT-102A detects HH level in separator S-101A and close SDV-102A to prevent liquid carry over to compressor C-101A/B/C inlet. | SIL 2, RRF 500 (L)

PSD-105.1/105.1R | LT-103; LT-101 / PT101; LT-101R / PT101R | LT-103 detects low level in flare blow down drum D-101 and stops slop pumps P-101/101R to prevent cavitation. LT-101 / PT101 detects pump seal leakage on pump P-101 and stops pump P-101 to prevent damage. LT-101R / PT101R detects pump seal leakage on pump P-101R and stops pump P-101 to prevent damage. Implement in the DCS. | NSR

PSD-106 | F101-XT-101 | F101-XT-101 detects vibration (minor mechanical damage) in fan and stops flare blower to prevent major mechanical damage. Implement in the Bentley Nevada/MCC. | NSR

USD-104.1A/B/C | TT-106A1/A2/A3 (2oo3) | TT-106A detects high temperature downstream of the gas cooler E-101A and closes SDV-104A and SDV-105A, and shuts down compressor C-101A. | SIL 2, RRF 500 (SEL)

USD-104.2A/B/C | PT-107A1/A2/A3 (2oo3) | PT-107A detects high pressure between compressor C-101A and isolation valve SDV-106 and closes SDV-104A and SDV-105A, and shuts down compressor C-101A. | SIL 2, RRF 500 (SEL)

USD-104.3A/B/C | PDT-105A1/A2/A3 (2oo3) | PDT-105 detects high differential pressure across strainer STR-101A/B/C; closes SDV-104A and SDV-105A, and shuts down compressor C-101A. | SIL 1, RRF 30 (L)

PSD-104A/B/C | XT-10N-A1 / A2 (1oo2) | XT1-N detect vibration in individual finfans, XT2-N detect vibration in individual finfan motors and stops finfan to prevent major mechanical damage. N = 1-9 depending on the fin fan in question. Implement in the Bentley Nevada/MCC. | NSR

ESD-101 | HS-101 | HS-101 initiates Total Plant Shutdown via all USD and PSD in ESD hierarchy. |

NOTE: USD-104.1, USD-104.2 and USD-104.3 are three separate scenarios that initiate SIF USD-104.

Legend: S – Safety; E – Environment; L – Financial Loss; NSR – No Special Safety Requirements


5 Details of Safety Instrumented Functions

5.1 PSD-103

SIF Safety Requirement Specification

SIF initiating devices PT-111-1; PT-111-2; PT-111-3 (2oo3)

Hazard Rupture of pipeline downstream of SDV-101

Consequence Gas leakage, potential fire and explosion

Safe State SDV-101 closed

Required SIF Action PALL-111 detects low pressure at station inlet; to close main inlet shutdown valve SDV-101

Proof Test Interval 60 months full proof test; 6 months for partial stroke test; 12 months for transmitters

Response Time 10 sec

Target SIL / RRF SIL 1 / RRF 30

Demand Rate (Source) Less than 1/30 yrs

Mode of Operation Low demand

Manual Shutdown No

Trip Mode De-energise to trip

MTTR 8 hrs

Document References
HAZOP : PR-0404.02-90.03 Rev A1: Action Item 1.03
P&ID : 15-3-0804.02-6000-002 Rev D1
ESD : 14-3-0804.02-6000-001 Rev D2
C&E :

Notes:


Logic Relation & Loop Components

Sensor Part & Voting: Pressure transmitters PT-111-1; PT-111-2; PT-111-3 (voted 2oo3) detect low pressure at station inlet.

Sensor Intermediate Devices: IS barrier; surge arrester

Logic Solver Part: Yokogawa ProSafe RS (Redundant)

Final Element Part & Voting: SDV-101 gas over oil actuator. Valve to close.

Final Element Intermediate Devices: Redundant 3-way solenoid valves voted 1oo2. Accumulator tanks for SDV.

Process & Operational Requirements

Normal operating range 34 bar

Sensor trip point 25 bar

Maintenance Override Yes. Master key switch in DCS console to enable individual soft switch override of PT-111-1; PT-111-2 and PT-111-3 from DCS, but only allows override on one transmitter at a time.

The maintenance overrides will degrade the redundant voting elements as follows:

Original Voting    2oo3
Degraded Voting    2oo2

Requirements for maintenance and testing Follow prescribed maintenance procedures at defined proof test interval. Contractor to develop the specific test procedure.

Reset Requirements Soft manual reset implemented in the DCS (HS-203). Manual reset on SDV-101 in the field.

Operator Interface Requirements

- Pressure value and trending on DCS
- SDV-101 position indication on DCS
- Specific indication for the SIF on a stand-alone alarm annunciator panel dedicated to SIS
- Diagnostics to be shown on operator station:
  - Line monitoring on the solenoid valves associated with the final element
  - Any transmitter failure
  - Logic solver diagnostics
  - MVC discrepancy alarm
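As an added illustration, not part of the SRS or of the ProSafe RS application program, the following Python model implements the sensor voting degradation of section 3.16 together with the one-transmitter-at-a-time maintenance override and the diagnostic reporting required for PSD-103 above; the Transmitter class, the function names and the constructed pressure readings are assumptions, while the tags, the 25 bar trip point and the 34 bar normal pressure come from the PSD-103 sheet.

```python
"""Model of the 2oo3 sensor voting, diagnostic degradation and maintenance
override described for PSD-103 (SRS sections 3.16 and 5.1).

Added illustration only: this is not the SRS's or the Yokogawa ProSafe RS
application code. Transmitter tags and the 25 bar trip point are taken
from the PSD-103 sheet; the Transmitter class, the function names and the
constructed readings used in main() are assumptions.
"""
from dataclasses import dataclass

TRIP_POINT_BAR = 25.0                      # PSD-103 sensor trip point
SENSOR_TAGS = ("PT-111-1", "PT-111-2", "PT-111-3")


@dataclass
class Transmitter:
    tag: str
    value_bar: float
    healthy: bool = True      # cleared when loop/transmitter diagnostics detect a failure
    overridden: bool = False  # maintenance override (MOR) active


class OverrideRejected(Exception):
    """A second override was requested while one is already active."""


def apply_override(sensors, tag):
    """Activate the maintenance override on one transmitter.

    The PSD-103 sheet allows override on one transmitter at a time, so a
    second request is refused instead of degrading the SIF below 2oo2.
    """
    if any(s.overridden for s in sensors):
        raise OverrideRejected(f"an override is already active; {tag} not overridden")
    target = next((s for s in sensors if s.tag == tag), None)
    if target is None:
        raise KeyError(tag)
    target.overridden = True


def vote(sensors):
    """Return (output_energised, voting_label) for the low-pressure trip.

    De-energise to trip: True keeps the SDV-101 solenoids energised, False
    trips. Degradation follows the section 3.16 table: 0 failed -> 2oo3,
    1 failed -> 2oo2, 2 or 3 failed -> trip. An overridden transmitter is
    removed from the vote in the same way as a detected failure.
    """
    available = [s for s in sensors if s.healthy and not s.overridden]
    removed = len(sensors) - len(available)
    if removed >= 2:
        return False, "Trip"
    label = "2oo3" if removed == 0 else "2oo2"
    low_count = sum(1 for s in available if s.value_bar < TRIP_POINT_BAR)
    return low_count < 2, label            # two low votes are needed to trip


def diagnostic_alarms(sensors):
    """Alarms to pass to the DCS (section 3.16: all diagnostics reported)."""
    alarms = [f"{s.tag} transmitter failure" for s in sensors if not s.healthy]
    alarms += [f"{s.tag} maintenance override active" for s in sensors if s.overridden]
    _, label = vote(sensors)
    if label != "2oo3":
        alarms.append(f"PSD-103 voting degraded to {label}")
    return alarms


def main():
    # Constructed readings: normal operating pressure is 34 bar on the sheet.
    sensors = [Transmitter(tag, 34.0) for tag in SENSOR_TAGS]
    print(vote(sensors))                          # (True, '2oo3')
    apply_override(sensors, "PT-111-2")           # allowed: first override
    sensors[0].value_bar = 20.0                   # one remaining transmitter low
    print(vote(sensors), diagnostic_alarms(sensors))
    try:
        apply_override(sensors, "PT-111-3")       # refused: one at a time
    except OverrideRejected as exc:
        print("rejected:", exc)
    sensors[2].healthy = False                    # two removed -> trip
    print(vote(sensors))                          # (False, 'Trip')


if __name__ == "__main__":
    main()
```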


5.2 PSD-101A

SIF Safety Requirement Specification

SIF initiating devices LT-102A1; LT-102A2; LT-102A3 (2oo3)

Hazard LL level LALL-102A in separator S-101A shuts SDV-103A and LV-101A

Consequence Gas blow through to slops

Safe State SDV-103A and LV-101A closed

Required SIF Action LALL-102A detects low low level in Separator S-101A to close SDV-103A and LV-101A

Proof Test Interval 12 months

Response Time 3 sec

Target SIL / RRF SIL 2 / RRF 500

Demand Rate (Source) Between 1/yr and 1/30 yrs

Mode of Operation Low demand

Manual Shutdown No

Trip Mode De-energise to trip

MTTR 8 hrs

Document References
HAZOP : PR-0404.02-90.03 Rev A1: Action Item 5.01
P&ID : 15-3-0804.02-6000-003 Rev D1
ESD : 14-3-0804.02-6000-001 Rev D2
C&E :

Notes: Repeat for PSD-101B and PSD-101C replacing suffix A with B and C respectively as shown on P&ID 004 and 005.


Logic Relation & Loop Components

Sensor Part & Voting: LL level in S-101A detected by LT-102A1; LT-102A2; LT-102A3 (2oo3)

Sensor Intermediate Devices: IS barrier; surge arrester

Logic Solver Part: Yokogawa ProSafe RS (Redundant)

Final Element Part & Voting: SDV-103A and LV-101A closed

Final Element Intermediate Devices: Redundant 3-way solenoid valves voted 1oo2 for SDV-103A. Single 3-way solenoid valve for LV-101A.

Process & Operational Requirements

Normal operating range To be specified by the main contractor

Sensor trip point To be specified by the main contractor, ensuring that no gas blow through can occur within the specified response time.

Maintenance Override No

Requirements for maintenance and testing Follow prescribed maintenance procedures at defined proof test interval. Contractor to develop the specific test procedure.

Reset Requirements Soft manual reset implemented in the DCS (HS-102A)

Operator Interface Requirements

- Level value and trending on DCS
- SDV-103A and LV-101A position indication on DCS
- Specific indication for the SIF on a stand-alone alarm annunciator panel dedicated to SIS
- Diagnostics to be shown on operator station:
  - Line monitoring on the solenoid valves associated with the final element
  - Any transmitter failure
  - Logic solver diagnostics
  - MVC discrepancy alarm


5.3 PSD-102A

SIF Safety Requirement Specification

SIF initiating devices LT-102A1; LT-102A2; LT-102A3 (2oo3)

Hazard HH level LAHH-102A in separator S-101A shuts SDV-102A

Consequence Liquid carry over to compressor inlet

Safe State SDV-102A closed

Required SIF Action LAHH-102A detects high high level in Separator S-101A to close SDV-102A

Proof Test Interval 12 months

Response Time 30 sec

Target SIL / RRF SIL 2 / RRF 500

Demand Rate (Source) Between 1/yr and 1/30 yrs

Mode of Operation Low demand

Manual Shutdown No

Trip Mode De-energise to trip

MTTR 8 hrs

Document References
HAZOP : PR-0404.02-90.03 Rev A1: Action Item 1.13
P&ID : 15-3-0804.02-6000-003 Rev D1
ESD : 14-3-0804.02-6000-001 Rev D2
C&E :

Notes: Repeat for PSD-102B and PSD-102C replacing suffix A with B and C respectively as shown on P&ID 004 and 005.


Logic Relation & Loop Components

Sensor Part & Voting: HH level in S-101A detected by LT-102A1; LT-102A2; LT-102A3 (2oo3)

Sensor Intermediate Devices: IS barrier; surge arrester

Logic Solver Part: Yokogawa ProSafe RS (Redundant)

Final Element Part & Voting: SDV-102A closed

Final Element Intermediate Devices: Redundant 3-way solenoid valves voted 1oo2

Process & Operational Requirements

Normal operating range To be specified by the main contractor

Sensor trip point To be specified by the main contractor, ensuring that no liquid carry over to the compressor inlet can occur within the specified response time.

Maintenance Override No

Requirements for maintenance and testing Follow prescribed maintenance procedures at defined proof test interval. Contractor to develop the specific test procedure.

Reset Requirements Soft manual reset implemented in the DCS (HS-103A)

Operator Interface Requirements

- Level value and trending on DCS
- SDV-102A position indication on DCS
- Specific indication for the SIF on a stand-alone alarm annunciator panel dedicated to SIS
- Diagnostics to be shown on operator station:
  - Line monitoring on the solenoid valves associated with the final element
  - Any transmitter failure
  - Logic solver diagnostics
  - MVC discrepancy alarm


5.4 USD-104.1A

SIF Safety Requirement Specification

SIF initiating devices TT-106A1; TT-106A2; TT-106A3 (2oo3)

Hazard Downstream temperature higher than piping specification

Consequence Potential for pipe degradation over time

Safe State SDV-104A closed; SDV-105A closed and shutdown compressor C-101A

Required SIF Action TAHH-106A detects high temperature downstream of the gas cooler E-101A and closes SDV-104A and SDV-105A, and shuts down compressor C-101A.

Proof Test Interval 12 months

Response Time 20 sec based on stroke time of the largest valve

Target SIL / RRF SIL 2 / RRF 500 (SEL)

Demand Rate (Source) Between 1/yr and 1/30 yrs

Mode of Operation Low demand

Manual Shutdown No

Trip Mode De-energise to trip

MTTR 8 hrs

Document References
HAZOP : PR-0404.02-90.03 Rev A1: Action Item 2.05
P&ID : 15-3-0804.02-6000-006/007 Rev D1
ESD : 14-3-0804.02-6000-001 Rev D2
C&E :

Notes: Repeat for USD-104.1B and USD-104.1C replacing suffix A with B and C respectively as shown on P&ID 008/009 and 010/011.


Logic Relation & Loop Components

Sensor Part & Voting: High high temperature in pipe downstream of gas cooler E-101A detected by TT-106A1; TT-106A2; TT-106A3 (2oo3)

Sensor Intermediate Devices: IS barrier; surge arrester

Logic Solver Part: Yokogawa ProSafe RS (Redundant)

Final Element Part & Voting: SDV-104A closed; SDV-105A closed and shutdown compressor C-101A

Final Element Intermediate Devices: Redundant 3-way solenoid valves voted 1oo2 for SDV-104A and SDV-105A

Process & Operational Requirements

Normal operating range 45-55 deg C (operator selectable)

Sensor trip point 65 deg C

Maintenance Override No

Requirements for maintenance and testing Follow prescribed maintenance procedures at defined proof test interval. Contractor to develop the specific test procedure.

Reset Requirements Soft manual reset implemented in the DCS (HS-204A). Push button (tag to be allocated by compressor vendor) at compressor UCP.

Operator Interface Requirements

- Temperature value and trending on DCS
- SDV-104A and SDV-105A position indication on DCS
- C-101A stop status on DCS
- Specific indication for the SIF on a stand-alone alarm annunciator panel dedicated to SIS
- Diagnostics to be shown on operator station:
  - Line monitoring on the solenoid valves associated with the final element
  - Any transmitter failure
  - Logic solver diagnostics
  - MVC discrepancy alarm


5.5 USD-104.2A

SIF Safety Requirement Specification

SIF initiating devices PT-107A1; PT-107A2; PT-107A3 (2oo3)

Hazard Downstream pressure higher than piping specification

Consequence Potential for pipe overpressure and weakening of pipe over time.

Safe State SDV-104A closed; SDV-105A closed and shutdown compressor C-101A

Required SIF Action PAHH-107A detects high pressure between compressor C-101A and the gas cooler E-101A and closes SDV-104A and SDV-105A, and shuts down compressor C-101A.

Proof Test Interval 12 months

Response Time 20 sec based on stroke time of the largest valve

Target SIL / RRF SIL 2 / RRF 500 (SEL)

Demand Rate (Source) Between 1/yr and 1/30 yrs. Compensated for by MPC but still likely to fail within 30 yrs.

Mode of Operation Low demand

Manual Shutdown No

Trip Mode De-energise to trip

MTTR 8 hrs

Document References
HAZOP : PR-0404.02-90.03 Rev A1: Action Item not identified. From ESD hierarchy.
P&ID : 15-3-0804.02-6000-006/007/012 Rev D1
ESD : 14-3-0804.02-6000-001 Rev D2
C&E :

Notes: Repeat for USD-104.2B and USD-104.2C replacing suffix A with B and C respectively as shown on P&ID 008/009/012 and 010/011/012.


Logic Relation & Loop Components

Sensor Part & Voting: High high pressure in pipe between compressor C-101A and gas cooler E-101A detected by PT-107A1; PT-107A2; PT-107A3 (2oo3)

Sensor Intermediate Devices: IS barrier; surge arrester

Logic Solver Part: Yokogawa ProSafe RS (Redundant)

Final Element Part & Voting: SDV-104A closed; SDV-105A closed and shutdown compressor C-101A

Final Element Intermediate Devices: Redundant 3-way solenoid valves voted 1oo2 for SDV-104A and SDV-105A

Process & Operational Requirements

Normal operating range 50-91 bar

Sensor trip point To be determined by contractor

Maintenance Override No

Requirements for maintenance and testing Follow prescribed maintenance procedures at defined proof test interval. Contractor to develop the specific test procedure.

Reset Requirements Soft manual reset implemented in the DCS (HS-204A). Push button (tag to be allocated by compressor vendor) at compressor UCP.

Operator Interface Requirements

- Pressure value and trending on DCS
- SDV-104A and SDV-105A position indication on DCS
- Recycle valve FV-101A position discrepancy alarm from CCC on DCS, to indicate that the recycle valve fails to respond
- C-101A stop status on DCS
- Specific indication for the SIF on a stand-alone alarm annunciator panel dedicated to SIS
- Diagnostics to be shown on operator station:
  - Line monitoring on the solenoid valves associated with the final elements
  - Any transmitter failure
  - Logic solver diagnostics
  - MVC discrepancy alarm


5.6 USD-104.3A

SIF Safety Requirement Specification

SIF initiating devices PDT-105A1; PDT-105A2; PDT-105A3

Hazard Strainer STR-101A failure leading to strainer particles in the compressor C-101A suction

Consequence Compressor damage

Safe State SDV-104A closed; SDV-105A closed and shutdown compressor C-101A

Required SIF Action PDAHH-105A detects high differential pressure across strainer STR-101A and closes SDV-104A and SDV-105A, and shuts down compressor C-101A.

Proof Test Interval 12 months

Response Time 20 sec based on the stroke time of the largest valve

Target SIL / RRF SIL 1 / RRF 30

Demand Rate (Source) < 1/30yrs

Mode of Operation Low demand

Manual Shutdown No

Trip Mode De-energise to trip

MTTR 8 hrs

Document References
HAZOP : PR-0404.02-90.03 Rev A1: Action Item not identified. From ESD hierarchy.
P&ID : 15-3-0804.02-6000-006 Rev D1
ESD : 14-3-0804.02-6000-001 Rev D2
C&E :

Notes: Repeat for USD-104.3B and USD-104.3C replacing suffix A with B and C respectively as shown on P&ID 008 and 010.


Logic Relation & Loop Components

Sensor Part & Voting: High differential pressure across strainer STR-101A detected by PDT-105A1; PDT-105A2; PDT-105A3 (2oo3)

Sensor Intermediate Devices: IS barrier; surge arrester

Logic Solver Part: Yokogawa ProSafe RS (Redundant)

Final Element Part & Voting: SDV-104A closed; SDV-105A closed and shutdown compressor C-101A

Final Element Intermediate Devices: Redundant 3-way solenoid valves voted 1oo2 for SDV-104A and SDV-105A

Process & Operational Requirements

Normal operating range 250 mbar

Sensor trip point To be determined by contractor

Maintenance Override No

Requirements for maintenance and testing Follow prescribed maintenance procedures at defined proof test interval. Contractor to develop the specific test procedure.

Reset Requirements Soft manual reset implemented in the DCS (HS-204A). Push button (tag to be allocated by compressor vendor) at compressor UCP.

Operator Interface Requirements

- Differential pressure value and trending on DCS
- SDV-104A and SDV-105A position indication on DCS
- C-101A stop status on DCS
- Specific indication for the SIF on a stand-alone alarm annunciator panel dedicated to SIS
- Diagnostics to be shown on operator station:
  - Line monitoring on the solenoid valves associated with the final element
  - Any transmitter failure
  - Logic solver diagnostics
  - MVC discrepancy alarm


5.7 USD-101A

SIF Safety Requirement Specification

SIF initiating devices HS-002A (control room); HS-020A (UCP); HS-011A (field)

Hazard Emergency requirement to depressurize single compressor train

Consequence No specific safety requirement. This is an operability requirement

Safe State Blow down valve BDV-103A opens and initiate USD-104A

Required SIF Action Manual initiation of HS-002A (control room); HS-020A (UCP); HS-011A (field) to achieve the safe state.

Proof Test Interval On demand (test with USD-104.1A, USD-104.2A, USD-104.3A every 12 months even though not a requirement under IEC 61511)

Response Time Refer to USD-104.1A, USD-104.2A, USD-104.3A

Target SIL / RRF Not applicable

Demand Rate (Source) On demand

Mode of Operation Not applicable

Manual Shutdown Initiating devices HS-002A (control room); HS-020A (UCP); HS-011A (field)

Trip Mode De-energise to trip

MTTR Not applicable

Document References
HAZOP : PR-0404.02-90.03 Rev A1: Action Item not identified
P&ID : 15-3-0804.02-6000-006/007 Rev D1
ESD : 14-3-0804.02-6000-001 Rev D2
C&E :

Notes: Repeat for USD-101B and USD-101C replacing suffix A with B and C respectively as shown on P&ID 008/009 and 010/011.


Logic Relation & Loop Components

Sensor Part & Voting: Initiating devices HS-002A (control room); HS-020A (UCP); HS-011A (field). HS-002A, HS-020A and HS-011A will each initiate USD-101A (voted 1oo3); but each HS has 3 contacts voted 2oo3.

Sensor Intermediate Devices: IS barrier; surge arrester on HS-011A

Logic Solver Part: Yokogawa ProSafe RS (Redundant)

Final Element Part & Voting: Blow down valve BDV-103A open. Initiates USD-104A.

Final Element Intermediate Devices: Redundant 3-way solenoid valves voted 1oo2 for BDV-103A

Process & Operational Requirements

Normal operating range Not applicable

Sensor trip point On demand

Operational Override A key-operated master BDV override in CCR to enable manual activation of BDV-103A via hard-wired switch on the DCS console.

Maintenance Override No

Requirements for maintenance and testing No

Reset Requirements Push button reset HS-201A on DCS console to close BDV-103A and release USD-104A.

Operator Interface Requirements

- BDV-103A, SDV-104A and SDV-105A position indication on DCS
- C-101A stop status on DCS
- HS-002A, HS-020A and HS-011A will be guarded push buttons to prevent inadvertent actuation
- Specific indication for the SIF on a stand-alone alarm annunciator panel dedicated to SIS
- Diagnostics to be shown on operator station:
  - Line monitoring on the solenoid valves associated with the final element
  - Logic solver diagnostics


5.8 ESD-101

SIF Safety Requirement Specification

SIF initiating devices HS-101 (DCS console)

Hazard Emergency requirement to depressurize compressor station

Consequence No specific safety requirement. This is an operability requirement

Safe State BDV-101 open; BDV-102A open; BDV-102B open; BDV-102C open; BDV-104 open; BDV-105 open; BDV-106 open; SDV-106 closed. Initiate USD-101A; USD-101B and USD-101C; PSD-101A; PSD-101B; PSD-101C; PSD-102A; PSD-102B; PSD-102C; PSD-103.

Required SIF Action Manual initiation of HS-101 (DCS console) to achieve the safe state

Proof Test Interval On demand

Response Time Refer to all USD and PSD for longest time

Target SIL / RRF Not applicable

Demand Rate (Source) On demand

Mode of Operation Low

Manual Shutdown Initiating devices HS-101 (DCS console)

Trip Mode De-energise to trip

MTTR 8 hrs

Document References
HAZOP : PR-0404.02-90.03 Rev A1: Action Item not identified
P&ID : 15-3-0804.02-6000-001 to 012 Rev D1
ESD : 14-3-0804.02-6000-001 Rev D2
C&E :

Notes:


Logic Relation & Loop Components

Sensor Part & Voting: HS-101 (DCS console) (1oo1). HS has 3 contacts voted 2oo3.

Sensor Intermediate Devices: None

Logic Solver Part: Yokogawa ProSafe RS (Redundant)

Final Element Part & Voting: BDV-101 open; BDV-102A open; BDV-102B open; BDV-102C open; BDV-104 open; BDV-105 open; BDV-106 open; SDV-106 closed. Initiates USD-101A; USD-101B and USD-101C; PSD-101A; PSD-101B; PSD-101C; PSD-102A; PSD-102B; PSD-102C; PSD-103.

Final Element Intermediate Devices: Redundant 3-way solenoid valves voted 1oo2 for all BDV and SDV-106.

Process & Operational Requirements

Normal operating range Not applicable

Sensor trip point On demand

Operational Override A key-operated master BDV override on DCS console to enable manual activation of BDVs via individual hard-wired switches on the DCS console.

Maintenance Override No

Requirements for maintenance and testing No

Reset Requirements Push button reset HS-200 on DCS console to close all BDVs and release all USD and PSD; and release ESD solenoids associated with SDV-106.

Operator Interface Requirements

- All BDVs and SDV-106 position indication on DCS
- HS-101 will be a guarded push button to prevent inadvertent actuation
- Specific indication for the SIF on a stand-alone alarm annunciator panel dedicated to SIS
- Diagnostics to be shown on operator station:
  - Line monitoring on the solenoid valves associated with the final elements
  - Logic solver diagnostics


6 Abbreviations and Definitions

Abbreviation Definition

BPCS Basic Process Control System

DCS Distributed Control System

ESD Emergency Shutdown

HFT Hardware Fault Tolerance

MCC Motor Control Centre

MOC Management of Change

MOR Maintenance Override

MTTFS Mean Time To Fail Spurious

MTTR Mean Time To Repair

N/A Not Applicable

NSR No special safety requirement

PFDavg Average Probability of Failure on Demand (1/RRF)

PFH Probability of a Dangerous Failure per Hour

PM Project Manager

PTC Proof Test Coverage

PTI Proof Test Interval

RRF Risk Reduction Factor (1/PFDavg)

S / E / L Consequence category: Safety / Environment / Financial Loss

SERH Safety Equipment Reliability Handbook

SFF Safe Failure Fraction

SIS Safety Instrumented System (including sensor, logic solver & final element subsystems)

SIF Safety Instrumented Function

SIL Safety Integrity Level

SLC Safety Life Cycle

SRS Safety Requirements Specification

Low Demand Mode The demand is infrequent and the demand frequency is less than half the proof test frequencies, i.e. proof tests are accounted for.

High Demand Mode The demand is somewhat frequent, the demand frequency is greater than half the proof test frequency, and the worst case diagnostic time interval is an order of magnitude smaller than the demand interval, e.g. proof tests are not accounted for, diagnostics are accounted for.

Continuous Demand Mode The demand is frequent, the demand frequency is greater than half the proof test frequency, and the worst case diagnostic time interval is not an order of magnitude smaller than the demand interval, e.g. proof tests are not accounted for, diagnostics are not accounted for.
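An added worked example, not from the SRS, applying the three demand-mode definitions above and the PFDavg = 1/RRF relation to SIF entries taken from the section 5 sheets; the SIL bands are the IEC 61508/61511 low-demand PFDavg bands expressed as RRF (SIL 1: 10 to 100, SIL 2: 100 to 1000, and so on), while the SifEntry fields, the function names and the assumed one-hour diagnostic interval are not from the SRS.

```python
"""Worked application of the section 6 demand-mode definitions and the
RRF/PFDavg relation to SIF entries from the section 5 sheets.

Added example, not part of the SRS. SIL_BANDS are the IEC 61508/61511
low-demand PFDavg bands written as RRF ranges. The SifEntry fields, the
function names and the default diagnostic interval are assumptions.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
# Low-demand PFDavg bands as RRF ranges [lower, upper).
SIL_BANDS = {1: (10, 100), 2: (100, 1_000), 3: (1_000, 10_000), 4: (10_000, 100_000)}


@dataclass(frozen=True)
class SifEntry:
    name: str
    target_sil: int
    rrf: float
    proof_test_interval_months: float
    demand_per_year: tuple          # (lowest, highest) demand frequency on the sheet
    stated_mode: str


# Values copied from the PSD-103, PSD-101A and USD-104.3A sheets. A stated
# rate of "less than 1/30 yrs" is taken as the band (0, 1/30).
PSD_103 = SifEntry("PSD-103", 1, 30, 60, (0.0, 1 / 30), "low demand")
PSD_101A = SifEntry("PSD-101A", 2, 500, 12, (1 / 30, 1.0), "low demand")
USD_104_3A = SifEntry("USD-104.3A", 1, 30, 12, (0.0, 1 / 30), "low demand")
SIF_ENTRIES = (PSD_103, PSD_101A, USD_104_3A)


def pfd_avg(rrf):
    """Section 6: PFDavg = 1 / RRF."""
    return 1.0 / rrf


def sil_for_rrf(rrf):
    """Return the SIL whose RRF band contains rrf, or None if below SIL 1."""
    for sil, (lower, upper) in SIL_BANDS.items():
        if lower <= rrf < upper:
            return sil
    return None


def demand_mode(demand_per_year, pti_months, diag_interval_hours):
    """Classify the mode of operation per the section 6 definitions.

    low demand:  demand frequency is less than half the proof test frequency
    high demand: otherwise, and the worst-case diagnostic interval is an
                 order of magnitude smaller than the demand interval
    continuous:  otherwise
    """
    proof_tests_per_year = 12.0 / pti_months
    if demand_per_year < proof_tests_per_year / 2.0:
        return "low demand"
    demand_interval_hours = HOURS_PER_YEAR / demand_per_year
    if diag_interval_hours * 10.0 <= demand_interval_hours:
        return "high demand"
    return "continuous"


def check_entry(entry, diag_interval_hours=1.0):
    """Compare a sheet's SIL and mode against the definitions; return findings."""
    findings = []
    band_sil = sil_for_rrf(entry.rrf)
    if band_sil != entry.target_sil:
        findings.append(f"{entry.name}: RRF {entry.rrf} lies in the SIL {band_sil} band, "
                        f"sheet states SIL {entry.target_sil}")
    # Evaluate the mode at both ends of the stated demand band.
    modes = {demand_mode(d, entry.proof_test_interval_months, diag_interval_hours)
             for d in entry.demand_per_year}
    if modes != {entry.stated_mode}:
        findings.append(f"{entry.name}: sheet states '{entry.stated_mode}' but the "
                        f"definitions give {sorted(modes)} across the stated demand band")
    return findings


if __name__ == "__main__":
    for sif in SIF_ENTRIES:
        print(sif.name, "PFDavg target", pfd_avg(sif.rrf), check_entry(sif) or "consistent")
```

With a 12-month proof test, the section 6 definition classifies a demand of 1/yr as high demand, so the "Low demand" entry on the PSD-101A sheet holds only for the lower part of its stated 1/yr to 1/30 yr band; the check reports that.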


7 Disclaimer and Assumptions

7.1 Disclaimer

This document was written in accordance with the guidelines in applicable international standards. Exida Pty Ltd accepts no responsibility for the correctness of the regulations or standards on which this document is based. In particular, Exida Pty Ltd accepts no liability for decisions based on the results recorded in this document. The Exida Pty Ltd guarantee is restricted to the correction of errors or deficiencies within a reasonable period when such errors or deficiencies are brought to our attention in writing. Exida Pty Ltd accepts no responsibility for adjustments made to this report made by the user.

7.2 Assumptions for Safety Requirements Specification

This safety requirements specification document is generated based on the selections the user made during the SIL determination activities in combination with specific safety requirements specification entries on both project and SIF level.

The position of this safety requirements specification document within the overall safety lifecycle lies between the SIL Determination and SIS Conceptual Design activities. However, this document should be revised to reflect additional or changed requirements that become apparent as a result of the SIS Conceptual Design and SIL Verification activities.

For example specific application level diagnostic requirements like external comparison of analog signals or the implementation of partial valve stroke testing may only become a requirement based on the results of SIL verification; but these also need to be documented in the safety requirements specification.


Appendix A - List of Safety Functions Evaluated

SIF Name | Initiating Tag | SIF Description | SIL

PSD-103 | PT-111A/B/C (2oo3) | PT-111A/B/C detects low pressure indicating major leak or rupture downstream of inlet isolation valve SDV-101; and closes shutdown valve SDV-101 and closes pressurisation valve XV-101. | SIL 1, RRF 30 (SE)

PALL-321 | PT-321A/B/C (2oo3) | PT-321A/B/C detects low pressure instrument air indicating a total loss of instrument air, and switches to nitrogen. Implement in the DCS. | NSR

PSD-101A/B/C | LT-102A1/A2/A3 (2oo3) | LT-102A/B/C detect LL level in separator S-101A/B/C and closes SDV-103A/B/C and LV-101A/B/C to prevent gas going to slops drum and potential drum rupture. | SIL 2, RRF 500 (SEL)

PSD-102A/B/C | LT-102A1/A2/A3 (2oo3) | LT-102A detects HH level in separator S-101A and close SDV-102A to prevent liquid carry over to compressor C-101A/B/C inlet. | SIL 2, RRF 500 (L)

PSD-105.1/105.1R | LT-103; LT-101 / PT101; LT-101R / PT101R | LT-103 detects low level in flare blow down drum D-101 and stops slop pumps P-101/101R to prevent cavitation. LT-101 / PT101 detects pump seal leakage on pump P-101 and stops pump P-101 to prevent damage. LT-101R / PT101R detects pump seal leakage on pump P-101R and stops pump P-101 to prevent damage. Implement in the DCS. | NSR

PSD-106 | F101-XT-101 | F101-XT-101 detects vibration (minor mechanical damage) in fan and stops flare blower to prevent major mechanical damage. Implement in the Bentley Nevada/MCC. | NSR

USD-104.1A/B/C | TT-106A1/A2/A3 (2oo3) | TT-106A detects high temperature downstream of the gas cooler E-101A and closes SDV-104A and SDV-105A, and shuts down compressor C-101A. | SIL 2, RRF 500 (SEL)

USD-104.2A/B/C | PT-107A1/A2/A3 (2oo3) | PT-107A detects high pressure between compressor C-101A and isolation valve SDV-106 and closes SDV-104A and SDV-105A, and shuts down compressor C-101A. | SIL 2, RRF 500 (SEL)

USD-104.3A/B/C | PDT-105A1/A2/A3 (2oo3) | PDT-105 detects high differential pressure across strainer STR-101A/B/C; closes SDV-104A and SDV-105A, and shuts down compressor C-101A. | SIL 1, RRF 30 (L)

PSD-104A/B/C | XT-10N-A1 / A2 (1oo2) | XT1-N detect vibration in individual finfans, XT2-N detect vibration in individual finfan motors and stops finfan to prevent major mechanical damage. N = 1-9 depending on the fin fan in question. Implement in the Bentley Nevada/MCC. | NSR

ESD-101 | HS-101 | HS-101 initiates Total Plant Shutdown via all USD and PSD in ESD hierarchy. |


Appendix B – SIL Determination Workshop Minutes

DAY 1

Job No.:
Meeting No: 01
Job Title: PTT OCS 4 SIL Target Selection Workshop
Meeting held at: Foster Wheeler - Sriracha Thailand
Date of Meeting: 14-18 July 2008
Subject: Safety function definition and SIL target selection
Company: Foster Wheeler Thailand
Present: Refer table below

Recorded by: Ray Wright Signed: Date: 14 July 2008

Accepted by: Signed: Date:

Distribution: Refer table below

Item Action by Complete by

1 The agenda and general purpose of the workshop was confirmed. Note that these minutes are to be considered in conjunction with the FW HAZOP results and SIL Review procedure.

The agreed scope of work for this workshop is to:

1. Confirm the proposed list of safety instrumented functions and the form of the FW tolerable risk guidelines used as input to the workshop.

2. Use the qualitative risk graph to analyse the risk associated with the critical hazards of the compressor station.

3. Explore additional means of risk reduction as appropriate, including both new layers of protection and safety instrumented functions (SIFs) to reduce the risk to within FW/PTT tolerable risk guidelines.

4. This workshop will be conducted in general accordance with IEC 61511.

2 Participants:

Mr Ray Wright – Facilitator & Scribe
Mr Alan Wang (FW) – Risk Engineer (Part time)
Mr Mark Stubbs (FW) – I/E Engineer
Mr Narong S (FW) – I/E Engineer
Mr Teerasak (FW) – Projects Engineer
Mr Naret (PTT) – Projects Engineer
Mr Pat (PTT) – Project Engineer
Ms Piyasuda (FW) – Process Engineer
Ms Waleeros (FW) – Process Engineer

Page 34: SPC-0804.02-60.07 Rev D2 Safety Requirement Specification.pdf

Safety Requirements Specification

Safety Requirement Specification Page 34 of 46

Item Action by Complete by

Mr Pakorn (FW) – Process Engineer Mr Wattana (PTT) - Operations Mr Chakrit (PTT) – Operations Mr Patsin (PTT) – I/C Engineer Mr Teerachai (PTT) – I/C Engineer Miss Tipakorn (PTT) – Mechanical Engineer Mr Saran (PTT) – Pipeline Operations

3 Ray Wright led a discussion on the safety lifecycle context for the workshop and the specific inputs, actions and outcomes from the workshop.

4 Tolerable Risk Level

Basis will be the FW risk graph.

All SIF recommendations will include a SIL target based on Safety/Environment/Financial Loss.

Participants to consider consequence and likelihood, accounting for existing safeguards, then determine the SIL level needed (if any) for the proposed safety function to achieve tolerable risk.

5 Documentation used in the Workshop:

FW SIL Review Procedure
  6th Gas Separation Plant Project Invitation to Bid, Part C Section II Appendix H Rev D1

HAZOP results
  PR-0404.02-90.03 Rev A1 (44 pages)

ESD Hierarchy Diagrams
  14-3-0804.02-6000-001 Sht 1 Rev D2
  14-3-0804.02-6000-001 Sht 2 Rev D2

P&IDs
  15-3-0804.02-6000-002 Sht 1 Rev D1
  15-3-0804.02-6000-003 Sht 1 Rev D1
  15-3-0804.02-6000-004 Sht 1 Rev 01 (D1?)
  15-3-0804.02-6000-005 Sht 1 Rev D1
  15-3-0804.02-6000-006 Sht 1 Rev D1
  15-3-0804.02-6000-007 Sht 1 Rev D1
  15-3-0804.02-6000-008 Sht 1 Rev D1
  15-3-0804.02-6000-009 Sht 1 Rev D1
  15-3-0804.02-6000-010 Sht 1 Rev D1
  15-3-0804.02-6000-011 Sht 1 Rev D1
  15-3-0804.02-6000-012 Sht 1 Rev D1
  15-3-0804.02-6000-013 Sht 1 Rev D1
  15-3-0804.02-6000-014 Sht 1 Rev D1
  15-3-0804.02-6000-015 Sht 1 Rev D1
  15-3-0804.02-6000-016 Sht 1 Rev D1
  15-3-0804.02-6000-017 Sht 1 Rev D1
  15-3-0804.02-6000-018 Sht 1 Rev D1
  15-3-0804.02-6000-019 Sht 1 Rev D1
  15-3-0804.02-6000-020 Sht 1 Rev D1
  15-3-0804.02-6000-021 Sht 1 Rev D1
  15-3-0804.02-6000-022 Sht 1 Rev D1
  15-3-0804.02-6000-023 Sht 1 Rev D1
  15-3-0804.02-6000-024 Sht 1 Rev D1
  15-3-0804.02-6000-025 Sht 1 Rev D1
  15-3-0804.02-6000-026 Sht 1 Rev D1
  15-3-0804.02-6000-027 Sht 1 Rev D1
  15-3-0804.02-6000-028 Sht 1 Rev D1
  15-3-0804.02-6000-028 Sht 2 Rev D1
  15-3-0804.02-6000-029 Sht 1 Rev D1

Action by: RW

6 The plant currently has 3 compressors planned but may be expanded to 5. This workshop will note that but focus on specific design requirements for 3 compressors.

7 HAZOP Action 1.03 - PSD-103
PT-111A/B/C located at end side of inlet header to provide PALL-111 to close shutdown valve SDV-101 and close pressurisation valve XV-101. Already documented on ESD hierarchy drawings.
Target SIL: SIL 1 / RRF 30 (SE)
Cause: Major leak or rupture downstream of inlet isolation valve SDV-101
Consequence: Gas leakage, potential fire and explosion.
Frequency: Less frequent than 1/30 yrs (W1)
Safety: Low potential of finding an ignition source - open area, or protected hazardous areas. Flare stack 500m away.
  Consequence: Serious injury or single fatality (Cb) (to be confirmed by FW Process)
  Exposure: <50% (Fa)
  Possible awareness: No prior notice (Pb)
  Risk Graph: SIL 1
Environment: Gas dispersion outside fence (likely to be at high altitude) (Ec)
  Risk Graph: SIL 1
Financial: Time to detect leak and shutdown. Minimal loss. Financial loss due to lost production and repair not considered, as the SIF is designed to reduce consequences, not prevent the incident.
  Risk Graph: No special safety requirements

Action by: FW Process

8 HAZOP Action 8.03 - PALL-321 (high availability loop)
Backup nitrogen supply sized appropriately will be available, and will be introduced on detection of low instrument air pressure. This is an operability issue (rather than safety) and as such MTTFs (availability) is the parameter of concern. MTTFs value confirmed as 15 years. PT-321A/B/C to provide PALL-321A/B/C (2oo3) to introduce nitrogen. Remainder of loop to be defined.
Target SIL: No special safety requirements. To be implemented in the DCS.
Cause: Air compressor trip
Consequence: Loss of instrument air to the system.
Frequency: Between 1/yr and 1/30 yrs (W2)
Safety: Potential for inlet valves to stay open (gas over oil) and vent valve to fail open on loss of instrument air - therefore all gas to flare. Flare designed to handle this scenario safely.
  Consequence: No harm to personnel (Ca). No need to consider F or P parameters.
  Risk Graph: No special safety requirements
Environment: Minimal impact (Ea)
  Risk Graph: No special safety requirements
Financial: Loss related to time to restore instrument air. Estimated time: time to manually introduce nitrogen. Estimated cost: < 50k GBP
  Risk Graph: No special safety requirements

Action by: FW/PTT

9 HAZOP Action items 1.18, 5.01 and 5.03 To be reviewed as part of the ESD hierarchy review.

10 ESD Hierarchy sheet 2 - PSD-101A/B/C
LL level LALL-102A/B/C in separator S-101A/B/C shuts SDV-103A/B/C and LV-101A/B/C to prevent gas going to slops.
Target SIL: SIL 2 / RRF 500 (SEL)
Cause: Failure of level control loop LIC-101A/B/C.
Consequence: Slops drum ruptures
Frequency: Between 1/yr and 1/30 yrs (W2)
Safety:
  Consequence: Possibly > 1 fatality (Cc)
  Exposure: <50% (Fa)
  Possible awareness: No warning (Pb)
  Risk Graph: SIL 2
Environment: Potential gas dispersion outside fence (Ec)
  Risk Graph: SIL 2
Financial: Based on production loss - single slops drum common to OCS 4 and FTPP. Time to procure and install slops drum. (Ld)
  Risk Graph: SIL 2
This addresses Action Item 5.01 from HAZOP.
SIF: PSD-101A/B/C
  LT-102A1/A2/A3 (2oo3) for PSD-101A
  LT-102B1/B2/B3 (2oo3) for PSD-101B
  LT-102C1/C2/C3 (2oo3) for PSD-101C
  Shuts SDV-103A/B/C and LV-101A/B/C respectively

11 ESD Hierarchy sheet 2 - PSD-102A/B/C
HH level LAHH-102A in separator S-101A shuts SDV-102A to prevent liquid carry over to compressor C-101A/B/C inlet.
Target SIL: SIL 2 / RRF 500 (L)
Cause 1 (first of two potential causes): Failure of level control loop LIC-101A/B/C.
Cause 2 (second of two potential causes): Operation of PSD-102A/B/C prevents drain to slops drum, and level in separator rises. Rate of level rising very slow - operator always in attendance, clear indication to operator and enough time for operator to respond and rectify the situation. No need to explore further.
Consequence: High level in separator S-101A/B/C with liquid carry over to compressor and consequent compressor damage.
Frequency: Between 1/yr and 1/30 yrs (W2)
Safety:
  Consequence: Minor (Ca). No need to consider F or P parameters.
  Risk Graph: No special safety requirements
Environment: Minimal impact (Ea)
  Risk Graph: No special safety requirements
Financial: Based on equipment damage - time to procure and install compressor. (Ld)
  Risk Graph: SIL 2

12 ESD hierarchy sheet 2 - PSD-105.1/105.1R
To detect low level in flare blowdown drum D-101 and stop pump to prevent cavitation.
Target SIL: No special safety requirements. To be implemented in the DCS.
Cause: Failure of LIC-102
Consequence: Low level in flare blowdown drum D-101 starves the pump and causes cavitation.
Frequency: Between 1/yr and 1/30 yrs (W2)
Safety:
  Consequence: Minor (Ca). No need to consider F or P parameters.
  Risk Graph: No special safety requirements
Environment: Minimal impact (Ea)
  Risk Graph: No special safety requirements
Financial: Based on equipment damage. Standby pump available. (La)
  Risk Graph: No special safety requirements
Define as SIL a; to be implemented in the DCS.

13 ESD hierarchy sheet 2 - PSD-105.2/105.2R
To detect pump seal leak and minimise gas leak.
Target SIL: No special safety requirements. To be implemented in the DCS.
Cause: Failure of pump seal
Consequence: Potential liquid leak (contained in bund); potential gas leak and flash (within hazardous area - ignition not likely)
Frequency: Between 1/yr and 1/30 yrs (W2)
Safety:
  Consequence: Minor (Ca). No need to consider F or P parameters.
  Risk Graph: No special safety requirements
Environment: Minimal impact (Ea)
  Risk Graph: No special safety requirements
Financial: Based on equipment damage. Standby pump available. (La)
  Risk Graph: No special safety requirements
Define as SIL a; to be implemented in the DCS.

14 ESD hierarchy sheet 2 - PSD-106
To detect vibration (minor mechanical damage) in fan and stop fan to prevent major mechanical damage.
Target SIL: No special safety requirements. To be implemented in the Bentley Nevada vibration monitoring unit to trip fan at MCC.
Cause: Minor mechanical damage to fan
Consequence: Minor mechanical damage to fan causes vibration and potential major damage to fan.
Frequency: Between 1/yr and 1/30 yrs (W2)
Safety:
  Consequence: Minor (Ca). No need to consider F or P parameters.
  Risk Graph: No special safety requirements
Environment: Minimal impact (Ea). Some smoke, but spare fan available and switches in automatically.
  Risk Graph: No special safety requirements
Financial: Based on equipment damage. Spare fan available. (La)
  Risk Graph: No special safety requirements
To be implemented in the Bentley Nevada vibration monitoring unit to trip fan at MCC.

15 ESD hierarchy sheet 1 - USD-104.1A/B/C
TAHH-106A detects high temperature downstream of the gas cooler E-101A and closes SDV-104A and SDV-105A, and shuts down compressor C-101A.
Target SIL: SIL 2 / RRF 500 (SEL)
Cause 1 (first of two potential causes): Failure of temperature control loop TIC-105A/B/C
Cause 2 (second of two potential causes): Loss of MCC
Consequence: Potential for pipe to degrade over time. No temperature excursion recording, no pipe monitoring program in place. Eventually pipe will rupture.
Frequency: Between 1/yr and 1/30 yrs (W2)
Safety:
  Consequence: More than 1 fatality (Cc)
  Exposure: <50% (Fa)
  Possible awareness: No pre-warning (Pb)
  Risk Graph: SIL 2
Environment: Gas dispersion outside fence (at high altitude) (Ec)
  Risk Graph: SIL 2
Financial: Based on pipe damage (Ld)
  Risk Graph: SIL 2

16 ESD hierarchy sheet 1 - USD-104.2A/B/C
PAHH-107A detects high pressure between compressor C-101A and isolation valve SDV-106 and closes SDV-104A and SDV-105A, and shuts down compressor C-101A.
Target SIL: SIL 2 / RRF 500 (SEL)
Cause 1: Station outlet valve SDV-106 fails closed.
Cause 2: Recycle valve FV-101A/B/C fails to open.
Consequence: Potential for pipe to overpressure. Eventually pipe will rupture.
Frequency: Compensated for by MPC but still likely to fail within 30 yrs. (W2)
Safety:
  Consequence: More than 1 fatality (Cc)
  Exposure: <50% (Fa)
  Possible awareness: No pre-warning (Pb)
  Risk Graph: SIL 2
Environment: Gas dispersion outside fence (at high altitude) (Ec)
  Risk Graph: SIL 2
Financial: Based on pipe damage (Ld)
  Risk Graph: SIL 2

17 ESD hierarchy sheet 1 - USD-104.3A/B/C
Detects high differential pressure across strainer STR-101A/B/C and closes SDV-104A and SDV-105A, and shuts down compressor C-101A.
Target SIL: SIL 1 / RRF 30 (L)
Cause: Lack of maintenance causes strainer STR-101A/B/C to block and fail.
Consequence: Compressor damage.
Frequency: PDT-105A1/A2/A3 (PDT-105B1/B2/B3, PDT-105C1/C2/C3) provide DP alarm. DP trend monitoring by operators. Field monitoring via PDI-105A/B/C. Likelihood (W1)
Safety:
  Consequence: Minor (Ca). No need to consider F or P parameters.
  Risk Graph: No special safety requirements
Environment: Minimal impact (Ea)
  Risk Graph: No special safety requirements
Financial: Based on compressor damage (Ld)
  Risk Graph: SIL 1

18 ESD hierarchy sheet 1 - PSD-104A/B/C
Vibration monitoring of individual finfans.
Target SIL: No special safety requirements. To be implemented in the Bentley Nevada vibration monitoring unit to trip finfan at MCC.
Cause: Minor mechanical damage to finfan causes vibration.
Consequence: Potential major damage to finfan if operation continued.
Frequency: Between 1/yr and 1/30 yrs (W2). Vibration monitoring and trending available. 9 finfans available - need only 8 to operate.
Safety:
  Consequence: Serious injury, potential fatality (Cb)
  Exposure: <50% (Fa)
  Possible awareness: Possible to anticipate event through vibration monitoring (Pa)
  Risk Graph: No special safety requirements
Environment: Minimal impact (Ea)
  Risk Graph: No special safety requirements
Financial: Based on equipment damage, and considering finfan redundancy. (La)
  Risk Graph: No special safety requirements
To be implemented in the Bentley Nevada vibration monitoring unit to trip finfan at MCC.

19 Meeting concluded with a review of activities.


DAY 2
Job No.:
Meeting No: 01
Job Title: PTT OCS 4 SIL Target Selection Workshop
Meeting held at: Foster Wheeler - Sriracha Thailand
Date of Meeting: 14-18 July 2008
Subject: Safety function definition and SIL target selection
Company: Foster Wheeler Thailand
Present: Refer table below

Recorded by: Ray Wright Signed: Date: 15 July 2008

Accepted by: Signed: Date:

Distribution: Refer table below

Item Action by Complete by

1 Confirm minutes from previous day

2 SIL for each SIF to be stated at the top of each SIF description. Action by: RW

3 A typical SRS was described as comprising 3 parts – General SIS Requirements, General SIF Requirements, and Specific SIF Requirements.

4 The meeting will focus on the Safety Requirement Specification (SRS), and will take the form of a question & answer session using the SRS template as a guide to capture all relevant information.

5 Participants:

Mr Ray Wright - Facilitator & Scribe
Mr Alan Wang (FW) - Risk Engineer (part time)
Mr Mark Stubbs (FW) - I/E Engineer
Mr Narong S (FW) - I/E Engineer
Mr Naret (PTT) - Projects Engineer
Mr Pat (PTT) - Project Engineer (part time)
Mr Wattana (PTT) - Operations
Mr Chakrit (PTT) - Operations
Mr Patsin (PTT) - I/C Engineer
Mr Teerachai (PTT) - I/C Engineer
Miss Tipakorn (PTT) - Mechanical Engineer
Mr Saran (PTT) - Pipeline Operations

6 To be reviewed:

2oo3 voting in SIS. Transmitter 'out of calibration' discrepancy comparison in DCS.

Sequence of Events written from SIS to DCS.

Set points/threshold values to be protected within application program.

Only operational override.

UPS requirements in General SIS Requirements section.

Gas over Oil valves use accumulator. Needs to be documented in SRS for use in SIL verification.

The need to review SRS against latest P&IDs to be written into General SIS Requirements section.

Pre-alarms to be taken from SIS transmitter to be written into General SIS Requirements section.

All BDV to be approved for use in SIL 2 applications via FMEDA values - to be written into SRS.

Action by: SRS Team
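The 2oo3 arrangements recorded in the Day 1 minutes (PT-111A/B/C for PALL-111, LT-102A1/A2/A3 for PSD-101A) and the Day 2 review points on 2oo3 voting, transmitter discrepancy comparison, protected set points and the sequence-of-events record can be illustrated with a small voter. The following Python is an added example and is not code from the SRS or the OCS4 project: the PT-111 tag names come from item 7 of the Day 1 minutes, while the set point, discrepancy band, scan values and the fail-safe treatment of a bad-quality channel are constructed assumptions for illustration.

```python
"""2oo3 trip voting with transmitter discrepancy checking and a sequence-of-events (SOE) record.

Added example, not code from the SRS or the OCS4 project. Tag names PT-111A/B/C and
PALL-111 are taken from the workshop minutes; set point, discrepancy band, scan values
and the fail-safe handling of a bad-quality channel are constructed assumptions."""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class TripSetting:
    """Trip setting held as an immutable constant: the voting logic reads it, nothing
    at runtime writes it (the 'set points protected within application program' point)."""
    setpoint: float           # engineering units; assumed kPag for PALL-111
    discrepancy_band: float   # max deviation of one channel from the median before alarm
    trip_on_low: bool = True  # True: trip when reading <= setpoint (LL); False: HH


@dataclass
class VoteResult:
    trip: bool
    channel_votes: Tuple[bool, ...]     # which channels demanded a trip
    channel_faulted: Tuple[bool, ...]   # which channels had no valid reading
    discrepancy: Tuple[bool, ...]       # which channels disagree with the median
    soe: List[str]                      # sequence-of-events lines for this scan


def channel_vote(reading: Optional[float], s: TripSetting) -> Tuple[bool, bool]:
    """Return (votes_to_trip, faulted) for one channel.
    Assumed design choice: a channel with no valid reading (bad quality, open loop)
    votes in the safe direction, so one fault degrades 2oo3 to 1oo2 on the healthy
    pair instead of masking a genuine demand."""
    if reading is None:
        return True, True
    if s.trip_on_low:
        return reading <= s.setpoint, False
    return reading >= s.setpoint, False


def vote_2oo3(tags: Sequence[str], readings: Sequence[Optional[float]],
              s: TripSetting, scan: int) -> VoteResult:
    """Evaluate one scan of a 2oo3 function and record what happened."""
    if len(tags) != 3 or len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    soe: List[str] = []
    votes: List[bool] = []
    faults: List[bool] = []
    for tag, r in zip(tags, readings):
        v, f = channel_vote(r, s)
        votes.append(v)
        faults.append(f)
        if f:
            soe.append(f"scan {scan}: {tag} bad quality, counted as trip vote")

    # Discrepancy ('out of calibration') check: compare each healthy channel with the
    # median of the healthy readings. This is a pre-alarm to the DCS, not a trip input.
    healthy = [r for r in readings if r is not None]
    disc = [False, False, False]
    if len(healthy) >= 2:
        mid = median(healthy)
        for i, (tag, r) in enumerate(zip(tags, readings)):
            if r is not None and abs(r - mid) > s.discrepancy_band:
                disc[i] = True
                soe.append(f"scan {scan}: {tag} discrepancy {r - mid:+.1f} vs median {mid:.1f}")

    trip = sum(votes) >= 2
    if trip:
        voters = ", ".join(t for t, v in zip(tags, votes) if v)
        soe.append(f"scan {scan}: 2oo3 TRIP demanded by {voters}")
    return VoteResult(trip, tuple(votes), tuple(faults), tuple(disc), soe)


# Constructed setting for the assumed low-low pressure function PALL-111 (Day 1 item 7).
PALL_111 = TripSetting(setpoint=3500.0, discrepancy_band=100.0, trip_on_low=True)
PT_111 = ("PT-111A", "PT-111B", "PT-111C")


def run_demo() -> List[VoteResult]:
    """Constructed scan sequence: healthy, one drifting channel, genuine low-low,
    then one bad-quality channel plus one low reading."""
    scans: List[Tuple[Optional[float], ...]] = [
        (4200.0, 4190.0, 4210.0),  # all healthy and above set point: no trip, no alarm
        (4200.0, 3900.0, 4210.0),  # PT-111B drifting low: discrepancy alarm only
        (3400.0, 3420.0, 3480.0),  # genuine low-low: three votes, trip
        (None, 3450.0, 4200.0),    # PT-111A bad quality + PT-111B low: 1oo2 on the pair, trip
    ]
    return [vote_2oo3(PT_111, r, PALL_111, i + 1) for i, r in enumerate(scans)]


if __name__ == "__main__":
    for result in run_demo():
        for line in result.soe:
            print(line)
```

With three healthy channels a single drifting transmitter produces a discrepancy alarm without a trip, which is the 'out of calibration' comparison the minutes ask the DCS to perform. Once one channel is in bad quality only two healthy readings remain, so a discrepancy between them cannot be attributed to either, and the bad channel's safe-direction vote reduces the function to 1oo2 on the remaining pair; the SOE lines make both situations visible after the event.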

7 SIFs covered:

PSD-103

PSD-101A

PSD-102A

USD-104.1A

8 Meeting concluded with a review of activities.


DAY 3
Job No.:
Meeting No: 01
Job Title: PTT OCS 4 SIL Target Selection Workshop
Meeting held at: Foster Wheeler - Sriracha Thailand
Date of Meeting: 14-18 July 2008
Subject: Safety function definition and SIL target selection
Company: Foster Wheeler Thailand
Present: Refer table below

Recorded by: Ray Wright Signed: Date: 16 July 2008

Accepted by: Signed: Date:

Distribution: Refer table below

Item Action by Complete by

1 Confirm minutes from previous day

2 The meeting will continue from yesterday to complete the SRS for the remaining SIF.

3 Participants:

Mr Ray Wright - Facilitator & Scribe
Mr Mark Stubbs (FW) - I/E Engineer
Mr Narong S (FW) - I/E Engineer
Mr Naret (PTT) - Projects Engineer
Mr Wattana (PTT) - Operations
Mr Chakrit (PTT) - Operations
Mr Patsin (PTT) - I/C Engineer

4 SIFs covered:

USD-104.2A

USD-104.3A

USD-101A

ESD-101

5 Meeting concluded with a review of activities.