SH5202 QUANTIFIED RISK ANALYSIS

(AY2019/2020 Semester 1)

QRA Study on

Carbonization Furnace in Carbon/Carbon Composite Production

Group 4

1|Page
Executive summary

In this project, a Quantitative Risk Analysis (QRA) study was performed on the Reinjection
(RI) Gas Compression System, which is one of the process modules on a Floating Production
Storage and Offloading (FPSO). The objective is to determine the fatality risk due to the RI
Gas Compression System. The inherent process hazard of this system is the compression of
highly flammable natural gas to a high discharge pressure of 382 barg before reinjection into
the subsea well.

HAZOP Study was first conducted to identify all credible accidents scenarios by using a
systematic approach. Loss of containment was determined to be the most severe consequence
from the HAZOP study.

Fault Tree Analysis (FTA) was then carried out which defines the loss of containment as the
top event in the Fault Tree. Fault tree was constructed based on the causes, consequences and
safeguards identified in the HAZOP study.

2|Page
Contents

Executive summary 2
1. Overview 5
1.1 Selected Process – RI Gas Compression System 6
1.2 Process Fluid 6
1.3 Equipment Description 6
1.4 Safety Systems 7
1.4.1 Emergency Shutdown System (ESD) 7
1.4.2 Blowdown System 8
1.4.3 Fire and Gas System (FGS) 8
1.4.4 Fire Fighting System 9
2 Hazard and Operability Study (HAZOP) 11
2.1 Objective 11
2.2 Methodology 12
2.3 HAZOP Results and Discussions 14
3. Analysis conducted 16
3.1 Fault Tree Analysis (FTA) 16
3.1.1 Fault Tree 16
3.1.2 Fault Tree MCS 19
3.1.3 Quantitative Analysis on Fault Tree 19
3.1.4 Qualitative Analysis on Fault Tree 22
3.2 Event Tree Analysis 24
4. Bow Tie Diagram 28
5. Consequence Modelling 30
5.1 Harm footprints and IR Modifiers 30
5.2 Impact Criteria 31
5.2.1 Impacts from Jet Fires 31
5.2.2 Impacts from Flash Fires 32
5.2.3 Impacts from Vapour Cloud Explosions (VCE) 32
5.3 Modelling assumptions 32
5.4 Case A: Isolation success and Blowdown Failure 33
3|Page
 5.4.1 Jet Fire Modelling 33
5.4.2 Vapour Cloud Explosion Modelling 37
5.4.3 Vapour Cloud Flashfire Modelling 38
5.5 Case B - Isolation and Blowdown Failure 41
5.5.1 Jet Fire Modelling 41
5.5.2 Vapour Cloud Explosion Modelling 45
5.5.3 Vapour Cloud Flashfire Modelling 46
6. Risk Determination 49
7. Discussion and Conclusion 51
7.1 Comparing with NEA Criteria 51
7.2 Conclusion 51
References 52
Appendix A 53
Appendix B 56

4|Page
1. Overview

A Floating Production Storage and Offloading (FPSO) receives production from subsea oil
wells and is provided with facilities to process the fluids in order to meet the product
specifications.

The produced oil is separated from associated gas and water, stabilized and stored in hull
storage tanks prior to be metered and offloaded to shuttle tankers.

Produced water is separated and treated in the produced water treatment unit in order to
comply with the water specification for injection in the reservoir.

Produced gas is collected from oil treatment section and compressed and dehydrated in order
to be used as fuel gas and for gas lift purposes. The excess produced gas is re-injected in the
subsea injection wells.

For this project, we will be focusing on the Reinjection (RI) Gas Compression system, which
compresses the produced gas to high pressure for reinjection into the subsea well.

The RI Compressor schematic is shown in the below figure.

Figure 1.1: Selected Process Unit PFD

1.1 Selected Process – RI Gas Compression System

Gas from High Pressure (HP) compressor discharge header is routed to RI compressor via RI
compressor suction scrubber. The RI compressor suction scrubber is used to knock down any
liquid which will be sent back to HP Compressor suction scrubber. The RI compressor
compresses the gas from 169 barg to 382 barg. The discharge gas from is then cooled via RI
compressor discharge cooler by cooling water before it is routed for reinjection into the well.

The RI compression train is 2x100% configuration. Each train consists of the following
equipment:

• 1x100% RI compressor

• 1x100% RI compressor suction scrubber

• 1x100% RI compressor discharge cooler (PCHE type)

5|Page
1.2 Process Fluid

The process stream at the inlet to RI Compressor Suction Scrubber is of vapour phase and
contains 74% mole of methane. It has a design flowrate of 79300 kg/hr, with operating
pressure of 168 barg and operating temperature of 35 deg. C.

1.3 Equipment Description

The P&IDs for the selected process unit are attached in Appendix A of the report. The main
equipment description for the RI Gas Compression System are described in Table 1.1 below.

P&ID Equipment Description

P&ID #1 RI Compressor The RI Compressor Suction Scrubber is a vertical two

Suction Scrubber phase separator which knocks out the liquid/condensate
of the gas before compression. Liquid from RI
Compressor Suction Scrubber will be sent to HP
Compressor Suction Scrubber.

P&ID #2 RI Compressor The RI compressor compresses the gas to the battery

limit pressure for reinjection and then the gas is cooled
by a Discharge Cooler (PCHE).

P&ID #3 RI Compressor RI Compressor Discharge Cooler is a printed circuit

Discharge Cooler heat exchanger. The hot side of this cooler will be the
compressed gas from Compressor. The cooler will cool
the gas from 124°C to 60°C.

Table 1.1: Equipment description

1.4 Safety Systems

1.4.1 Emergency Shutdown System (ESD)

The goal for the ESD system is to respond rapidly to process upset conditions, initiating
appropriate shutdown actions which isolate hydrocarbon inventories thereby preventing a
Major Accident Event from occurring or escalating. ESD initiates closure of Shutdown
Valves (SDVs) by various initiators, such as process instruments indicating unsafe process
operating conditions, or by operator manual bush button activation.

In the event of hydrocarbon release, ESD is provided to isolate segments of the process, and
thereby limit the inflow of hydrocarbons to the leaking sections.

The ESD System is organized in hierarchical shutdown levels and will initiate the following
levels of shutdown in the event of process upset or manual initiation.

6|Page
  Level 0 – Abandon Shutdown (ASD)

o Highest level of shutdown

o Actuation shall only be by manual pushbutton, immediately prior to

evacuation of the FPSO

o All ESD valves are closed and all gas inventories vented to flare

 Level 1 – Emergency Shutdown for Confirmed Fire (ESD-1) and Gas (ESD-2)

o Activated either by fire or gas detectors

o Initiate complete shutdown with depressurisation of process units

 Level 2 – Process Shutdown (PSD)

o Automatically initiated during critical process upset or key equipment

o Shutdown production processes

 Level 3 – Unit Shutdown (USD) or Local Shutdown

o Isolating parts of the process in a controlled sequence

o Preventing abnormal conditions developing into a hazardous situation.

The emergency shutdown with depressurisation can be activated by confirmed gas and fire in
process area and some critical utilities, or manual activation by local panel. ESD will initiate
complete FPSO shutdown with depressurisation of process units.

1.4.2 Blowdown System

The blowdown system is an integral part of the ESD system, which enables safe emergency
depressurisation, once the process has been successfully isolated. Emergency
depressurisation will be initiated automatically by ESD after a short time delay to first allow
for isolation by the SDVs. The blowdown system will be sized for the worst credible
blowdown scenario. Automatic blowdown facilities are provided on all isolated sections of
hydrocarbon gas or mixed gas and liquid with a design pressure above 5 barg or with a
geometric volume higher than 10 m3, provided the system is located such that it may be
exposed to accidental heat sources.

The blowdown system routes hydrocarbon fluids to flare which serves as a preventive
measure for the uncontrolled release of hydrocarbon from an equipment or piping failure.
Flaring will be done during emergencies, startup and post startup commissioning and restart
after planned or unplanned shutdown.

7|Page
1.4.3 Fire and Gas System (FGS)
The function of the FGS shall be to provide a fast and automatic means of detecting,
alarming, indicating the presence of a fire and combustible gas hazard and upon confirmed
detection of fire or gas, initiate the ESD to automatically isolate and depressurise process and
utility equipment, initiate appropriate firefighting measures and also isolate ignition sources
in the hazardous area.

The detection of fire and dangerous accumulations of combustible gases shall be achieved by
various types of Fire & Gas detection equipment whose selection and location shall be based
on the following criteria and shall be segregated by fire areas or zones:

 Nature and quantity of flammable materials in the area;

 Hydrocarbon inventory and hazardous area classification;

 Likelihood of the accumulation of combustible gas in the area;

 Migration of gases to adjacent and unclassified areas;

 Prevailing wind conditions and natural ventilation characteristics;

 Potential sources of ignition; and

 Adjacent area protection.

A confirmed fire and gas incident (involving an actual fire or gas detection) in sufficient
quantities and concentrations shall typically initiate ESD-1 and ESD-2 respectively. Fire &
Gas related process shutdown (ESD-1 & 2) actions shall be executed by ESD based on the
Process Cause & Effect matrix.

In the event of detection of confirmed FIRE or confirmed GAS leading to actuation of ESD-1
and ESD-2 respectively, shutdown of all process and utilities within that particular fire zone
and automatic emergency depressurisation will take place.

1.4.4 Fire Fighting System

The FPSO is provided with active firefighting systems as recovery measures to mitigate the
consequences of the event by extinguishing or limiting the spread of fire to minimize the risk
to personnel, assets and the environment to ALARP. It is one aspect of the overall approach
to loss prevention works in conjunction with passive system such as layout, separation, fire
barrier etc. while ESD system isolates and depressurises the hydrocarbon inventories and
personnel escape and evacuate to safe location.

Components of the firefighting systems include (but not limited to):

1. Firewater and Foam Ring Main

8|Page
 The firewater supply from the duty and standby fire pumps are connected to the
header of firewater and foam ring main laid around the perimeter of main deck at
distance from process areas to maximize survivability from fire and explosion events.
The ring mains are designed to ensure operability in the event of damage to any one
part of the ring mains. The ring mains are size based on the maximum required
discharge from the fire pumps and adequate to meet the largest design firewater
demand.

2. Deluge system

Fixed deluge water system and foam deluge system are provided to protect specific
topsides equipment or to provide a general area coverage. The purpose of the water
deluge is to provide some cooling effects for equipment in fire events, and therefore
prevent or reduce the chance of escalation to another vessel or module. The purpose
of the foam deluge is to control the escalation for large hydrocarbon inventories and
to reduce radiation for personnel escape.

3. Foam system

Foam monitors are used to control or extinguish liquid pool fires in areas where a
fixed system cannot be fitted, such as open areas, or areas with no structure to support
a deluge system. Fixed foam systems are provided to protect the cargo tank storage
where hydrocarbons may accumulate, ignite and form a pool fire.

4. Automatic Gaseous Fire Suppression System

The automatic gaseous fire suppression system provides automated firefighting

protection which uses gaseous fire suppression agent to extinguish fires within
enclosed areas/rooms.

9|Page
10 | P a g e
2 Hazard and Operability Study (HAZOP)

2.1 Objective

The objective of Hazard and Operability Study (HAZOP) study is to identify all Hazards and
Operability issues that could have a significant impact on the design and operation of the
process system, if there is a process deviation away from the safe operating envelope. These
issues can be broadly classified into two categories which are Safety and Operability.

A few key objectives are listed as below:

 To identify/ analyse potential hazards and operability issues due to deviations from
normal process or operating conditions or intended design
 To evaluate the adequacy of the existing safeguards with respect to safety and
operations
 To identify additional safeguards required for the system under study to address the
causes and minimise the consequences of deviation.

11 | P a g e
2.2 Methodology

The steps involved in the HAZOP are illustrated in the below flowchart.

Figure 2.1: HAZOP Flow Chart

12 | P a g e
Guidewords combined with the process Parameters generates a list of Deviations that are
utilized for HAZOP analysis. These guidewords and parameters are listed in Table 2.1 below.
Applicable deviations were applied on each node to identify any safety or operability issues
associated with the process. Where a deviation leads to “no hazards identified” or “no
credible scenarios”, further analysis for that particular entry is not carried out.

Parameter Guide Word Deviations

Flow No/Low No/Low Flow
Flow More/High More/High Flow
Flow Reverse Reverse/Misdirected Flow
Pressure More/High More/High Pressure
Pressure Low Low Pressure
Temperature More/High More/High Temperature
Temperature Low Low Temperature
Level High High Level
Level Low Low Level
Composition As well as/Other Composition Change/Contamination/Additional
than Phase/Loss of Phase
Utility Failure
Others Start-up/Shutdown/Maintenance
Others Others
Table 2.1: HAZOP deviation

13 | P a g e
2.3 HAZOP Results and Discussions

The HAZOP worksheet for RI Gas Compression system is attached in Appendix B of the
report. A total of 10 relevant process deviations were identified during the HAZOP. The
HAZOP study generated 17 recommendations/action items. The recommendations raised
include items for further review discussions and/or changes to the current design, which will
improve the safety or the operability of the facility.

From the HAZOP study, the most hazardous consequence has been identified to be loss of
containment. The causes for loss of containment and existing safeguards in place are
presented in Table 2.2 below.

Consequence: Loss of containment

Deviation Cause Consequence Safeguards

1. No/Low Flow 1.6. (S) RI Compressor 1.6.7. (A) Potential
Trips (All three overpressure of RI Compressor
compressors upstream suction due to reverse flow
(MP and HP) will also from the downstream discharge
trip as they are on header/ gas reinjection header
common shaft)
Potential overpressure of
upstream HP Compressor
discharge piping.
1.6.7.1. (K) Single check valve at discharge Cooler
outlet.
1.6.7.2. (L) SDV3803A/B at discharge Cooler
outlet will close on Compressor trip.
1.6.7.3. Single check valve provided at Suction
Scrubber inlet

1.6.7.4. SDV3802A/B at Suction Scrubber inlet

will close on Compressor trip.

1.7. (B) Strainer at 1.7.1. Loss of flow through 1.7.1.1. (N) PDI3832 with high alarm across
inlet of discharge Compressor leading to surge. strainer
Cooler plugged Anti-surge control will not
safeguard against this scenario.

1.8. (C) Discharge 1.8.1. Loss of flow through 1.8.1.1. (U) Strainer provided at inlet
Cooler plugged (This Compressor leading to surge.
is PCHE type with Anti-surge control will not
1.8.1.2. PDI3833 with high alarm across PCHE on
small diameter flow safeguard against this scenario.
gas side
path)

1.9. (D) SDV3803A at 1.9.2. Potential overpressure. 1.9.2.1. (P) PZAHH3814 at Compressor suction
discharge gets closed will trip the Compressor
or any downstream
blocked condition on 1.9.2.2. (Q) PZAHH3818 at compressor discharge
gas injection line. will trip the Compressor.

1.9.2.3. (R) PSV3811 at Compressor discharge is

sized for blocked outlet.

4. More/High 4.1. External Fire 4.1.1. Potential overpressure 4.1.1.1. (M) PSV3801 on suction Scrubber sized
Pressure around Suction for fire case.
Scrubber

4.2. (G) FCV3802 on 4.2.1. RI Suction pressure will

recycle line (for increase, leading to increase in
capacity control) open HP Compressor discharge
when not required (Fail pressure. Potential surge in HP
open type) Compressor. Potential increase
in upstream pressures. System
upset.

14 | P a g e
 4.3 (H) FCV3801 on 4.3.1. RI Suction pressure will
anti-surge open when increase, leading to increase in
not required (Fail open HP Compressor discharge
type) pressure. Potential surge in HP
Compressor. Potential increase
in upstream pressures. System
upset.

13. Others 13.2.(I) Seal failure 13.2.1. Potential Hydrocarbon 13.2.1.1. Provision for isolation and blow down of
leak to atmosphere Compressor. Single BDV3801 provided at the
discharge for the entire compressor loop including
the Scrubber.

13.5. Blockage in RI 13.5.1. (J) Since piping is

Compressor Suction derated downstream of
Scrubber liquid outlet LV3802, plugging in the piping
piping downstream of can lead to overpressure and
LV3802. This may can cause loss of containment
occur in case of
hydrate formation,
particularly during
start-up or upset
condition when gas
may be wet.

Table 2.2 Causes for loss of containment and existing safeguards in place

15 | P a g e
3. Analysis conducted

3.1 Fault Tree Analysis (FTA)

Based on the HAZOP study, Loss of Containment was identified as the most severe of the
listed consequences. In this section, qualitative and quantitative analysis were conducted on
the Fault Tree with the top event: Loss of Containment. The Fault Tree was constructed from
the identified causes and safeguards in the HAZOP, with reference to the P&IDs in Appendix
A. The Fault Tree Analysis (FTA) methodology is summarized below

1. Construct Fault Tree with the top event: Loss of Containment, with the
causes/safeguards identified from HAZOP and P&ID.

2. Derive the Minimum Cut Sets (MCS) from the Fault Tree. The MCS is the smallest
number of cut set which represent the system failure mode. Failure of all the
components and its safeguard in the cut sets permits the occurrence of the top event.

3. Obtain the failure rates for the component and the probability of failure on demand for
the safeguard.

4. Calculate the failure probability for each of the MCS to determine the Safety Critical
Events (SCEs)

5. Determine the top event: Loss of Containment outcome frequency of occurrence

SCEs are determined by sorting the MCS failure probabilities and identifying the highest
failure frequencies that contributed to the occurrence of the top event. The reliability of the
system would improve significantly if additional safeguards were implemented on the MCS
of the SCEs. The top event: Loss of Containment outcome frequency is required for the
initiating event for Event Tree to be discussed in the next section of the report.

3.1.1 Fault Tree

The Fault Tree (Loss of Containment) was constructed based on the causes and safeguards
identified in HAZOP in Table 2.2. The causes and safeguards are alphabetically numbered
and indicated in the Fault Tree as shown in Figure 3.1. From the top event: Loss of
Containment, OR gate is used as there are 4 contributing events that leads to the top event.
The contributing events are the intermediate events Loss of Containment from Scrubber and
compressor high pressure discharge, and the initiating events of compressor seal failure (I)
and pipe rupture (J). These initiating events are also called Single Point of Failure (SPF)s.

The loss of containment from scrubber is caused by the failure of the protection of PSV-3801
(M) AND the intermediate event of reverse flow from compressor trip and the events of
FCV-3802 (G) and FCV-3801 (H) fail open. The reverse flow from compressor trip is caused
16 | P a g e
by the compressor tripping (S) AND the protection failure of check valve (K) and SDV-3803
fails to close (L).

The loss of containment from compressor high pressure discharge is caused by the protection
failure of Pressure HH alarm PZAHH-3814 (P) and PZAHH-3818 (Q), and the failure of
PSV-3811 (R) AND the intermediate events of block outlet due to Strainer plugged,
discharge cooler plugged and event of block outlet due to SDV-3803A fails shut (D). The
intermediate event block outlet due to strainer plug is due to compressor discharge strainer
plugged (T) AND Pressure differential HH alarm PDI-3832 fails (N). The intermediate event
block outlet due to discharge cooler plugged is due to compressor discharge strainer fails (U)
AND Pressure differential HH alarm PDI-3832 fails (O).

17 | P a g e
 Figure 3.1: Fault Tree
Loss of Containment

Loss of containment from Scrubber Loss of containment from compressor high

Com- Pipe
pressor seal Rupture (J) pressure discharge
PSV-3801 fails (M) failure (I)

Protection fails
Scrubber Overpressure
Compressor discharge line
overpressure

Reverse Flow from compressor trip FCV-3802 FCV-3801 PZAHH- PZAHH- PSV-
(A) 3814 3818 3811 (R)
fails open fails open
fails (P) fails (Q) fails
(G) (H)

Protection fails

Blocked outlet Discharge cooler

Blocked
Com- (Strainer plug) plugged (C) outlet
pressor trip (SDV3803A
PDI-3832 alarm fails (N) PDI-3833 alarm fails (O) shuts) (D)
(S)

Check SDV-3803
valve fails fails to
Strainer Strainer
(K) close (L)
plugged fails (U)
(T)

18 | P a g e
3.1.2 Fault Tree MCS
The Fault Tree MCS were derived from the Fault Tree shown in Figure 3.1. The cut sets are
first defined as shown below:

Cut Set = (S (K L) + G + H) M + I + J + (T N + U O + D) (P Q R)

Highlighted Blue is the safeguard or the protection for the component in black.

The cut set are then expanded out and rearranged to form the MCS as shown below:

MCS = S K L M + G M + H M + I + J + T N P Q R + U O P Q R + D P Q R = 8

There are 8 MCS, with each MCS consisting of failure components and their protections as
indicated in Blue. Failure of both the component and protection will result in the top event of
loss of containment. It is noted there are no protection for MCS = I and MCS = J. They are
the SPF of the compressor seal failure and pipe rupture as shown in the Fault Tree.

3.1.3 Quantitative Analysis on Fault Tree

Quantitative analysis was carried out first by obtaining the failure rates and is tabulated in
Table 3.1 below.

The assumptions for the failure rates are:

 The hierarchy of obtaining the failure rates is first from UK HSE failure rates; Failure
Rate and Event Data for use within Risk assessment (28/05/2012); as indicated in the
NEA QRA Technical Guidance document.

 OREA (1997) data is used as the failure rates are more accurate for offshore
equipment. FPSO are located offshore.

 The rest of failures rates are obtained from UKAEA and CCPS.

 The failure rates for per hour are converted to per year. It is assumed that the FPSO is
operated 365 days a year and 12 hours a day.

 Mean failure rate is chosen.

 Failure per demand is calculated from the mean failure rate x repair time.

Failure Failure Remarks

SPF Description
(per year) (per demand)

S Compressor Trip 21.46 Reference 1 data given by OREDA (1997)

TABLE A14.26 Data on the Failure Rates of
Offshore Compressors
Offshore Compressor; Centrifugal turbine
19 | P a g e
 driven ; mean failure rate

Reference 2
K Check valve fails 0.0022 3.5.1.2 Check valve (Fails to Check); mean
failure rate

SDV-3803 fails to Reference 3

L 0.03
close FR 1.2.1 Valves (Failure to close); ASOV

Reference 3 A review of instrument failure

FCV-3802 fails
G 0.5 data (F P Lees)
open
FR 1.2.1 Valves; Control valve fail open

Reference 3 A review of instrument failure

FCV-3801 fails
H 0.5 data (F P Lees)
open
FR 1.2.1 Valves; Control valve fail open

Reference 2
M PSV-3801 fails 0.000212 4.3.3.2 Safety relief valve (Fails to Open on
Demand); mean failure rate

Reference 3
Compressor seal
I 0.00027 FR 3.1.3 Compressors; Small Hole (>25 mm –
failure
75 mm diameter)

Reference 3
FR 3.1.2 Above Ground Pipelines; Rupture
J Pipe Rupture 0.0000065
(>110 mm diameter)
Assumption of 1000 m of pipeline

Reference 1 data published by UKAEA

TABLE A14.6 Some data on equipment
T Strainer plugged 0.00876
failure rates published by the UKAEA
Filters: Blockage

Reference 1 data given by OREDA (1997)

TABLE A14.53 Data on Process Sensors
PDI-3832 alarm
N 0.000187817 Used in Offshore Operations
fails
Pressure Sensor; mean failure rate and repair
time

Reference 1 data published by UKAEA

TABLE A14.6 Some data on equipment
U Strainer fails 0.00876
failure rates published by the UKAEA
Filters: leakage

Reference 1 data given by OREDA (1997)

TABLE A14.53 Data on Process Sensors
PDI-3833 alarm
O 0.000187817 Used in Offshore Operations
fails
Pressure Sensor; mean failure rate and repair
time

Blocked outlet Reference 3 A review of instrument failure

D (SDV3803A 0.2 data (F P Lees)
shuts) FR 1.2.1 Valves; Control valve fail shut

P PZAHH-3814 0.000187817 Reference 1 data given by OREDA (1997)

fails TABLE A14.53 Data on Process Sensors

20 | P a g e
 Used in Offshore Operations
Pressure Sensor; mean failure rate and repair
time

Reference 1 data given by OREDA (1997)

TABLE A14.53 Data on Process Sensors
PZAHH-3818
Q 0.000187817 Used in Offshore Operations
fails
Pressure Sensor; mean failure rate and repair
time

Reference 2
R PSV-3811 fails 0.000212 4.3.3.2 Safety relief valve (Fails to Open on
Demand); mean failure rate

Table 3.1: Failure rates of instruments and equipment

The MCS failure rate is calculated from the failure rates shown below:

l S K L M = lS x FDTK x FDTL x FDTM = 21.46 x 0.0022 x 0.03 x 0.000212 = 3.003 x 10-7/ year

From the MCS failure rate, the failure probability for this particular cut set can be calculated
as shown below:

MCS failure probability P S K L M = 1 – exp -l S K L M x T (1 year) = 3.003 x 10-7/ year

The MCS failure rates and failure probabilities are calculated and then tabulated in Table 3.2
below:

Failure rate lMCS (yr-1) Failure probability (yr-1)

3.003E-07 3.003E-07
MCS S K L M
1.060E-04 1.060E-04
MCS G M
1.060E-04 1.060E-04
MCS H M
2.700E-04 2.700E-04
MCS I
6.500E-06 6.500E-06
MCS J

MCS T N P Q R 1.230E-17 0.000E+00

MCS U O P Q R 1.230E-17 0.000E+00

1.496E-12 1.496E-12
MCS D P Q R
Total 4.888E-04

Table 3.2: MCS failure rates and failure probabilities

21 | P a g e
From the table, the top event: Loss of Containment hazard probability is summed up from all
the MCS failure probabilities calculated. The loss of Containment hazard probability of
occurrence is 4.888 x 10-4/year

3.1.4 Qualitative Analysis on Fault Tree

Qualitative analysis is performed by determining the critical MCSs that would eventually
cause Safety Critical Events. Critical MCSs have higher likelihood for top event to occur.
Based on the failure probabilities in Table 3.2, the critical MCSs identified were MCS G M,
MCS H M and MCS I which the critical components are G = FCV-3802, H = FCV-3801, M =
PSV-3801 and I = Compressor Seal. See Figure 3.2. The likelihood for loss of containment
would be reduced by improving the reliability of these critical components. Increasing the
order of these critical MCS, i.e. increasing components (redundancy components) or
safeguards (increase protection layer) to the cut set would prevent the cut set from failing. It
would increase the overall system reliability to prevent the Loss of Containment from
occurring.

Figure 3.2: Critical MCS in Fault Tree

3.2 Event Tree Analysis

Undesired outcome event frequencies can be derived using Event Tree Analysis (ETA). ETA
allows the identification and quantification of possible event outcomes in a systematic,
logical way following the initiating event. An ‘event tree’ graphically illustrates all possible
outcomes following realisation of the initiating event; it depicts the chronological sequence of
events that could occur following the initiating event, including escalation and mitigation.

22 | P a g e
Various flammable event outcomes may arise depending on each release conditions as well
as the timing, location and type of ignition (e.g. immediate or delayed). The Event Tree
Analysis provides a list of undesired outcome event and its probability of occurrence.

The probabilities used in the event trees are based on the relevant guidelines as reference
from recognized standards and guides. Based on the event tree analysis, all event outcome
frequencies are derived and summarised in the later section of the report.

Toxicity Probability

Toxicity can be categorised into IDLH (Immediately Dangerous to Life and Health) and
EPRG1, EPRG2 and EPRG3.

Ignition Probability

Ignition can be categorised into immediate or delayed ignition. Immediate ignition occurs
near the release point before the gas cloud disperses due to presence of ignition sources such
as sparks/static. Delayed ignition considers the drifting of gas cloud into an ignition source.
In this Event tree analysis, it is considered that an immediate ignition of the released gas can
result in a jet fire (for immediate ignition) and vapour cloud explosion or vapour cloud flash
fire (VCE, for delayed ignition).

Jet fire – a burning jet of gas or spray of atomised liquid release from high-pressure
equipment. This may be very damaging to equipment within the fire and lethal to personnel at
some distance from it.

Vapour Cloud Explosion – a burning gas cloud that develops high overpressures. This is
likely to kill anyone within it and may also severely damage high steel structures.

Vapour Cloud Flash Fire – a fire that propagates through a cloud of gas. This may be lethal
for anyone within it, but is unlikely to damage steel structures.

Each hydrocarbon leakage initiating event is developed into credible accident scenarios for
consequence analysis using Event Tree Analysis. The branches considered in developing the
final hazard scenarios are as follow:

- Immediate ignition

- Delayed ignition

- Explosion probability

- Gas detection success

- Isolation success

Mitigating System: Gas Detection and Isolation

23 | P a g e
As described in Section 1.3 of the report, the gas detection and isolation system are part of
the ESD system that mitigates the consequences in the event of loss of containment of the gas
mixture.

The term Isolation in the event tree refers to the activation of the ESD, which isolate the
compressor system, activate the ESD valves (Compressor inlet and discharge isolation
valves) and trip the compressor. The term Blowdown refers to the safe emergency
depressurisation after isolation of the system. Note that the blowdown valve is located at the
compressor discharge and it is able to depressurise the compressor inlet (Scrubber equipment)
through either the compressor surge valve and compressor recycle valve) per the line-up. See
Appendix A for the P&IDs.

Event Tree

The event tree is illustrated in Figure 3.3 and Figure 3.4 below for the release of hydrocarbon
due to the main causes of loss of containment as indicated in the earlier sections of the report:

(1) Flange leakage

(2) Valve packing leak
(3) Furnace wall weld seam leak during overpressure scenario <121% MAWP
(4) Pipeline leak

Safety protection systems such as early detection, fire and gas detectors were not considered
in the calculation of event frequency, as it is conservatively judged that the delay before these
emergency intervention action can be taken is sufficient for the hazardous scenario to occur
(based on the calculated probabilities).

Based on the 3 cases of events, outcomes resulting from liquid hydrocarbon were not
considered due to single gaseous phase. Hence, events such as pool fire, BLEVE, fireball etc.
were not considered in this consequence analysis. Events from the release of gas such as jet
fire, vapour cloud explosion, vapour cloud flash fire, and toxic vapour cloud were considered
to be a probable and realistic approach for this section of analysis.

24 | P a g e
 From the fault tree table, the top event: Loss of Containment hazard probability is summed up
from all the MCS failure probabilities calculated. The loss of Containment hazard probability
of occurrence is 4.888 x 10-4/year

Frequency of Probability Detection Isolation Probability Probability of Outcome Description of end event
Gas Mixture of Immediate Success Success of Delayed Explosion Per Year
release Ignition Ignition

Top Event Y Y Y Jet Fire, Fire Detection and

25 | P a g e
 Isolation Success
Jet Fire, Fire Detection
N Success and Isolation Fail
Jet Fire, Fire Detection and
N No Isolation

VCE, Gas Detection and

N Y Y Y Y Isolation Success
VC Flash Fire, Gas Detection
N and Isolation Success
Toxic disperse, Gas Detection
N and Isolation Success

VCE, Gas Detection Success,

N Y Y Isolation Fail
VC Flash Fire, Gas Detection
N Success, Isolation Fail
Toxic disperse, Gas Detection
N Success, Isolation Fail

VCE, Gas Detection Fail and

N Y Y No Isolation
VC Flash Fire, Gas Detection
N Fail and No Isolation
Toxic disperse, Gas Detection
N Fail and No Isolation

Figure 3.3: Template for Event Tree for the Largest Possible Release of Gas Mixture

Frequency of Probability Detection Isolation Probability Probability of Outcome Description of end event
Gas Mixture of Immediate Success Success of Delayed Explosion Per Year
release Ignition Ignition

Jet Fire, Fire Detection and

2.27E-08
2.31x10-5 0.001 0.9942 0.99 Isolation Success
2.30E-10 Jet Fire, Fire Detection
0.01 Success and Isolation Fail

26 | P a g e
 1.34E-10 Jet Fire, Fire Detection and
0.0058 No Isolation

6.11E-09 VCE, Gas Detection and

0.999 0.9907 0.99 0.0009 0.3 Isolation Success
1.43E-08 VC Flash Fire, Gas Detection
0.7 and Isolation Success
2.26E-05 Toxic disperse, Gas Detection
0.9991 and Isolation Success

6.17E-11 VCE, Gas Detection Success,

0.01 0.0009 0.3 Isolation Fail
1.44E-10 VC Flash Fire, Gas Detection
0.7 Success, Isolation Fail
2.28E-07 Toxic disperse, Gas Detection
0.9991 Success, Isolation Fail

5.79E-11 VCE, Gas Detection Fail and

0.0093 0.0009 0.3 No Isolation
1.35E-10 VC Flash Fire, Gas Detection
0.7 Fail and No Isolation
2.14E-07 Toxic disperse, Gas Detection
0.9991 Fail and No Isolation

Figure 3.4 Probabilities Event Tree for the Largest Possible Release of Gas Mixture

The gas ignition probabilities which is used to calculate the frequency of a jet fire
(immediately ignited) or vapour cloud explosion/vapour cloud explosion (delayed ignition)
are obtained from A Guide to Quantitative Risk Assessment for Offshore Installations, Centre
of Marine and Petroleum Technology (CMPT). Probabilities of isolation and blowdown
success are also referred from CMPT based on historical data. The probability of delayed
ignition leading to explosion is conservatively prescribed at 0.3. Summary on the initial
release rates for ignition is as shown in Table 3.3 below.

Release Rate Immediate Ignition Delayed Ignition Probability

Probability (Gas) (Gas)
Minor (<1kg/s) 0.001 0.009
Major (1-50kg/s) 0.007 0.063
Massive (>50kg/s) 0.03 0.27
Table 3.3: Initial release rates and corresponding ignition probabilities

The Toxic Vapour Cloud probabilities to calculate the frequency of reaching IDLH or PEL
are obtained from… Probabilities of flange leakage, pipeline leak, and valve packing leak are
referred from ODECO/CMPT based on historical data. The probability of reaching IDLH is
conservatively prescribed at 0.3. Summary as shown below.

Release Rate Immediate Toxic Delayed Toxic Probability

Probability (Gas) (Gas)
Minor (<1kg/s) 0.001 0.009
27 | P a g e
 Major (1-50kg/s) 0.007 0.063
Massive (>50kg/s) 0.03 0.27
Table 3.3: Initial release rates and corresponding ignition probabilities

Event Tree Summary

From the event tree, we have identified catastrophic events as events resulting from isolation
success and blowdown failure, and events resulting from isolation and blowdown failure.
From the quantitative analysis of the event tree, we have identified vapour cloud flash fire
due to isolation success and blowdown failure to have the highest probability of occurrence
of 3.99x10-6 /year. This result will be used in our risk assessment.

Catastrophic Events Probability of occurrence (yr-1)

Toxic Vapour Cloud

Jet Fire 6.52x10-7

Vapour Cloud Flash Fire 3.99x10-6

Vapour Cloud Explosion 1.71x10-6

Table 3.4: Summary of catastrophic events and corresponding probabilities of occurrence

28 | P a g e
4. Bow Tie Diagram

The bow tie software that we have used for this project is Thesis, ABS Consulting software.
The software allows a graphical representation of threats which can cause a top event to
happen, leading to possible consequences. Barriers in between are the prevention and
mitigation controls which relates to each threat and consequence. It can also be used as a tool
to assist in the quantitative risk management of safety critical systems.

In this bow tie diagram, it is recognised that the threats highlighted in blue are relevant to the
minimum cut sets as determined in the previous part of the report. Further, early detection
and fire and gas detectors are also added into the mitigation layers.

29 | P a g e
 Figure 4.1: Bow Tie Diagram

30 | P a g e
5. Consequence Modelling

From the results of the frequency analysis, the following fire and explosion scenarios were
deemed to be credible, and will be further analysed through consequence modelling in
ALOHA:

- Jet Fire
- Vapour Cloud Explosion (VCE)
- Vapour Cloud Flash Fire

5.1 Harm footprints and IR Modifiers

Harm footprints are required to calculate IR (Fatality), IR (Injury) and Cumulative

Escalation, for checking if QRA criteria thresholds are met. In this report, cumulative
escalation is omitted as there would not be an occurrence of various overlapping events due
to the loss of containment from the compressed gas system.

For the purpose of this report, footprint boundary dimensions (isotherms) are determined as
per table indicated below (reference from Table 6 of NEA Technical Guidance).

Hazard Harm Level

Thermal Radiation 4kW/m2 ~ 3%

from fire (Jet Fire)
15.3kW/m2 ~ 10%

37.5kW/m2 ~ 100%

Flash Fire LFL 20000ppm

Overpressure from 5psi

Vapour Cloud
Explosion 7psi

10psi

Table 5.1: Harm Footprints required for IR (Fatality)

For the fire and gas dispersion modelling, the weather conditions that are considered are,

 Wind speed 1m/s, Stability Class F,

 Wind speed 2m/s, Stability Class B,

 Wind speed 3m/s, Stability Class C,

31 | P a g e
as per 6.2.2 of NEA Technical Guidance.

The severity determined by the hole size of the release, and the following representative hole
size used in this QRA (as per 4.1.1.1 of NEA Technical Guidance) is presented in table
below:

Hole Size Range of hole size (mm) Representative size used

(mm)

Small <10 10

Medium 10-22 25

Large 22-75 75

Major >75 Full Bore

Table 5.2: Representative hole sizes used in consequence modelling

The consequence modelling is categorised into 2 cases – A and B. Case A where we consider
the consequences are due to isolation success and blowdown failure and Case B where the
consequences are due to isolation and blowdown failure.

Probability of failure of Flanges in the inlet and outlet piping of Scrubber are high so when
there is a successful isolation, the Impact due to fires and explosions are less.

5.2 Impact Criteria

For each of the fire and explosion scenarios modelled, the physical effects arising from fires
are analysed with respect to thermal radiation loads. For vapour cloud explosion scenarios,
blast overpressure loads are considered.

5.2.1 Impacts from Jet Fires

The following thermal impact criteria are adopted

 4 kW/m2 – no effects, provided personnel can take normal escape action. The thermal
radiation level of 5.0 kW/m2 is sufficient to cause pain to personnel if unable to reach
cover within 30 seconds; however, blistering of the skin (second degree burns) is
likely; 0% fatality.

 15.3 kW/m2 – escape routes are treated as ‘impaired’, meaning that personnel will not
enter this zone. personnel in this zone may use escape routes, providing this allows
them to leave the area within a few seconds, find safe refuge, or jump into the sea, but
they suffer second degree burn injuries. Otherwise they must take emergency action,
such as seeking safe refuge or jump into the sea.

32 | P a g e
  37.5 kW/m2 – immediate fatality for all personnel and sufficient to cause damage to
structures and process equipment.

5.2.2 Impacts from Flash Fires

Due to its high intensity in a short duration a flash fire thermal radiation effects will be
limited to the size of the flammable gas cloud that accumulated prior to ignition. The area
from the source of release to the 100% Lower Flammable Limit – 1.0.LFL will be equal to
the flash fire thermal radiation impact.

Personnel being exposed to the flammable cloud, i.e., within the LFL, in the instant of a
delayed ignition of the flammable cloud would have a 100% probability fatality either by the
inhalation of hot combustion gases or from severe burns.

Flash Fires do not generate severe structural or equipment damage, and only superficial
damage to insulation and cables.

5.2.3 Impacts from Vapour Cloud Explosions (VCE)

The effects related to VCEs are related to delayed ignition of the flammable cloud within a
relatively congested area of the platform. The following explosion overpressure impact
criteria have been adopted to evaluate the effects from VCE scenarios:

 5 psi: Most buildings collapse and Serious injuries are common, fatalities may occur.

 7 psi: Loaded train cars overturned. More possible for fatality to occur.

 10 psi: Reinforced concrete buildings are severely damaged or demolished. Most

people are killed.

5.3 Modelling assumptions

The following assumptions were taken:

 As the process stream is mainly Methane, the chemical modelled is Methane in

ALOHA

 The weather conditions follows NEA conditions per guidelines, and is located in open
water.

 Release due to overpressure from Scrubber is modeled as a pipe release, as the release
is likely from the vessel connecting flanges. The representing hole sizes for pressure
vessel release per section 4.1.1.1 of the QRA Technical Guidance document is used.

 The modeling is based on the source term: Gas pipe

33 | P a g e
  For Case A: Isolation success and Blowdown failure, the source term is based on
isolated inventory of 4400 kg (Calculated based on the volume of the vessels and
interconnecting pipelines) and the settle out pressure of 251.5 atm. The unbroken end
of the pipe is closed off and the pipe length is iterated to obtain 4400 kg.

 For Case B: Isolation failure and Blowdown failure, the source term is based on the
unbroken end connected to infinite source and assumed worst case at compressor
discharge pressure of 376.2 atm.

 For Jet Fire: Gas escapes from Piping is Burning (jet fire)

 For Flash Fire: Gas Escapes from Piping is Not Burning

 For VCE: Hazard analyzed was Blast Area of vapour pressure with LOC as
Congested and Ignited by Spark or flame

5.4 Case A: Isolation success and Blowdown Failure

5.4.1 Jet Fire Modelling

An ignited high-pressure release of gas or atomised liquid will result in jet fire. A jet fire is a
turbulent diffusion flame produced by the continuous combustion of a fuel at a rate directly
related to the mass release rate.

The length of a jet flame is primarily a function of the mass release rate of the fuel. When
ESD is successfully initiated, the jet flame lengths will decay with time as the system
pressure decreases and the flammable inventory is depleted.

The initial and maximum jet flame lengths obtained from ALOHA are summarised in the
table below for various hole size.

34 | P a g e
 Event Weather Initial Jet Flame Length 4kW/m2 Contour Distance
Conditio (m)
n
10mm 25mm 75mm Full Bore

Loss of F1 0 22 83 337
Containment of
Hydrocarbons B2 0 22 83 337

C3 0 22 83 337

Table 5.3: Jet Fire Thermal Radiation Distance (4kW/m 2 )

Event Weather Initial Jet Flame Length 15.3W/m2 Contour Distance

Conditio (m)
n
10mm 25mm 75mm Full Bore

Loss of F1 0 12 44 178
Containment of
Hydrocarbons B2 0 12 44 178

C3 0 12 44 178

Table 5.4: Jet Fire Thermal Radiation Distance (15.3 kW/m2 )

Event Weather Initial Jet Flame Length 37.5kW/m2 Contour

Conditio Distance (m)
n
10mm 25mm 75mm Full Bore

Loss of F1 0 0 28 116
Containment of
Hydrocarbons B2 0 0 28 116

C3 0 0 29 116

Table 5.5: Jet Fire Thermal Radiation Distance (37.5 kW/m2 )

Distance to Impact Criteria

The maximum distances along the axis of the frustum to thermal radiation levels of 37.5,
15.3, and 4 kW/m2 are determined by relation with the fractions of the flame lengths for
different hole size and wind speed. Calculation of the thermal radiation contours was done
using the ALOHA software.

10 mm 25 mm

35 | P a g e
 F1

B2

C3

Figure 5.1: Jet Fire contour for hole sizes 10 mm and 25 mm

75mm Full Bore

36 | P a g e
 F1

B2

C3

Figure 5.2: Jet Fire contour for hole sizes 75 mm and full bore

5.4.2 Vapour Cloud Explosion Modelling

Delayed ignition of a flammable cloud within a confined and/or congested area will most
likely result in significant overpressures. It would then be termed as a Vapour Cloud
Explosion (VCE). In order to generate a significant explosion load, the flame-front of the
flammable cloud is required to transition from laminar to turbulent flow. This is typically

37 | P a g e
achieved through the acceleration and non-linear deceleration of the flame front as it passes
over and around obstacles such as adjacent piping, equipment and structures.

Event Pressure (psi) Explosion Distance (m)

Loss of Containment of 10 806

Hydrocarbons
7 813

5 821

Table 5.6: Distances to overpressures for VCEs

VCE

Figure 5.3: Vapour Cloud Explosion Contour

38 | P a g e
5.4.3 Vapour Cloud Flashfire Modelling
Gaseous or liquid hydrocarbon discharged into atmosphere can lead to the formation of a
flammable gas cloud. The size of the gas cloud is influenced by the properties of the
gas/vapour and the prevailing wind conditions. Flash fires can occur due to a delayed ignition
of the flammable gas cloud at unconfined/uncongested areas.

Flash fires are characterized by transient front of flames travelling through the cloud
generating a potentially intense flame causing serious effects on people engulfed by the
flammable cloud. However, with a short duration, it would not cause any structural or
equipment damage, and only superficial damage to insulation and cables.

Event Weather Max. Flash Fire Distance (100% LFL)

Condition (m)

10 mm 25 mm 75 mm Full Bore

Loss of Containment of F1 307 619 782 786

Hydrocarbons
B2 38 93 185 194

C3 45 113 226 237

Table 5.7: Maximum Flash Fire (LFL) Distances at different wind speed

39 | P a g e
 10 mm 25 mm

F1

B2

C3

Figure 5.4: Vapour cloud Flash Fire Contour for hole sizes 10 mm and 25 mm

40 | P a g e
 75 mm Full Bore

F1

B2

C3

Figure 5.5: Vapour cloud Flash Fire Contour for hole sizes 75 mm and full bore

41 | P a g e
5.5 Case B - Isolation and Blowdown Failure

5.5.1 Jet Fire Modelling

An ignited high-pressure release of gas or atomised liquid will result in jet fire. A jet fire is a
turbulent diffusion flame produced by the continuous combustion of a fuel at a rate directly
related to the mass release rate.

The length of a jet flame is primarily a function of the mass release rate of the fuel. When
ESD is successfully initiated, the jet flame lengths will decay with time as the system
pressure decreases and the flammable inventory is depleted.

The initial and maximum jet flame lengths obtained from ALOHA are summarised in the
table below for various hole size.

Event Weather Initial Jet Flame Length 4kW/m2 Contour Distance

Conditio (m)
n
10mm 25mm 75mm Full Bore

Loss of F1 0 22 83 337
Containment of
Hydrocarbons B2 0 22 83 337

C3 0 22 83 337

Table 5.8: Jet Fire Thermal Radiation Distance (4kW/m 2 )

Event Weather Initial Jet Flame Length 15.3W/m2 Contour Distance

Conditio (m)
n
10mm 25mm 75mm Full Bore

Loss of F1 0 12 44 178
Containment of
Hydrocarbons B2 0 12 44 178

C3 0 12 44 178

Table 5.9: Jet Fire Thermal Radiation Distance (15.3 kW/m2 )

42 | P a g e
 Event Weather Initial Jet Flame Length 37.5kW/m2 Contour
Conditio Distance (m)
n
10mm 25mm 75mm Full Bore

Loss of F1 0 0 28 116
Containment of
Hydrocarbons B2 0 0 28 116

C3 0 0 29 116

Table 5.10: Jet Fire Thermal Radiation Distance (37.5 kW/m2 )

Distance to Impact Criteria

The maximum distances along the axis of the frustum to thermal radiation levels of 37.5,
15.3, and 4 kW/m2 are determined by relation with the fractions of the flame lengths for
different hole size and wind speed. Calculation of the thermal radiation contours was done
using the ALOHA software.

43 | P a g e
 10mm 25mm

F1

B2

C3

Figure 5.5: Jet Fire contour for hole sizes 10 mm and 25 mm

75mm Full Bore

44 | P a g e
 F1

B2

C3

Figure 5.6: Jet Fire contour for hole sizes 75 mm and full bore

45 | P a g e
5.5.2 Vapour Cloud Explosion Modelling
Delayed ignition of a flammable cloud within a confined and/or congested area will most
likely result in significant overpressures. It would then be termed as a Vapour Cloud
Explosion (VCE). In order to generate a significant explosion load, the flame-front of the
flammable cloud is required to transition from laminar to turbulent flow. This is typically
achieved through the acceleration and non-linear deceleration of the flame front as it passes
over and around obstacles such as adjacent piping, equipment and structures.

Event Pressure (psi) Explosion Distance (m)

Loss of Containment of 10 342

Hydrocarbons
7 406

5 487

Table 5.11: Distances to overpressures for VCEs

VCE

Figure 5.7: Vapour Cloud Explosion Contour

46 | P a g e
5.5.3 Vapour Cloud Flashfire Modelling
Gaseous or liquid hydrocarbon discharged into atmosphere can lead to the formation of a
flammable gas cloud. The size of the gas cloud is influenced by the properties of the
gas/vapour and the prevailing wind conditions. Flash fires can occur due to a delayed ignition
of the flammable gas cloud at unconfined/uncongested areas.

Flash fires are characterized by transient front of flames travelling through the cloud
generating a potentially intense flame causing serious effects on people engulfed by the
flammable cloud. However, with a short duration, it would not cause any structural or
equipment damage, and only superficial damage to insulation and cables.

For this study, the flash fire is assumed to cover the distance reached by the 100% Lower
Flammable Limit (1.0 LFL).

Event Weather Max. Flash Fire Distance (100% LFL)

Condition (m)

10mm 25mm 75mm* Full Bore*

Loss of Containment of F1 124 432 56 147

Hydrocarbons
B2 16 52 87 206

C3 19 63 115 225

Table 5.12: Maximum Flash Fire (LFL) Distances at different wind speed

47 | P a g e
 10mm 25mm

F1

B2

C3

Figure 5.8 Vapour Cloud Flash Fire Contour for hole sizes 10 mm and 25 mm

75mm Full Bore

48 | P a g e
 F1

B2

C3

Figure 5.9: Vapour Cloud Flash Fire Contour for hole sizes 75 mm and full bore

49 | P a g e
6. Risk Determination

For the purpose of this project, we have limited the QRA study to the RI gas compression
system only, hence limited data are available for an overview calculation of the risk. In this
regard, the conservative approach that we have adopted in determining the Individual Risk
(IR) Fatality is based on the below equation:

IR fatality = Probability of hazardous event x Probability of death

Where

 the probability of hazardous event is selected from the catastrophic events which have
the highest probability of occurrence;

 worst case scenario and the probability of death is assumed to be 1 by considering the
harm level which gives 100% fatality i.e. thermal radiation of 37.5 kW/m2 for jet fire
case, and 100% LFL for flash fire case.

The table below shows the IR (fatality) calculated for the different catastrophic events and
their corresponding contour distance.

Catastrophic Events Probability IR (fatality) Contour

Distance (m)
Jet Fire, -7 -7 42
6.52x10 6.52x10
Isolation success &
blowdown fail
Vapour Cloud Flash -6 -6 786
3.99x10 3.99x10
Fire,
Isolation success &
blowdown fail
VCE -6 0* 0
1.71x10
Table 6.1: IR (fatality) and corresponding contour distance

*Based on Modelling results, overpressure of 5 psi and above is not exceeded.

50 | P a g e
From Table 6.1, it can be shown that it is lethal being at a distance of 42m from the point of
ignition in an event of a jet fire, with a probability of 6.52x10-7/year and a distance of 786m
from the point of ignition in an event of a vapour cloud flash fire, with a probability of
3.99x10-6/year. These risk figures are acceptable based on recognized offshore standard from
UK HSE where the tolerable range is greater than 1x10-4/year. As for an event of vapour
cloud explosion, even though there is a probability of occurrence of the event as indicated
from the event tree analysis. However, based on consequence modelling where actual
inventory of the process were factored into, it proves that on a realistic point of view, there
will not be any fatality for an event of explosion as it is negligible for a pressure of greater
than 5psi.

51 | P a g e
7. Discussion and Conclusion

7.1 Comparing with NEA Criteria

From the QRA study, we note that the IR (fatality) calculated is considered low. NEA criteria
for IR (fatality) in fixed installation within the boundary is 5x10 -5. We have assumed that the
IR (fatality) on FPSO which is out in the sea is limited to the boundary of the FPSO only.
Based on Table 6.1, we note that the highest IR (fatality) calculated in our facility is 3.99x10 -
6
, which is tolerable and within NEA criteria.

7.2 Conclusion

As this QRA study is restricted to only IR compression study, the IR is considered low. A full
scale QRA on the FPSO which considers all the hazards present (process related hazards
from other modules on the FPSO and non-process related hazards such as Ship Collision
Analysis, Non Flammable Hazard Analysis and Dropped Object Study) will give a more
representative value on the IR (fatality).

To acquire an even representative value on individual risk, it is recommended that the risk
figures due to the hazard for various consequences can be calculated by considering different
groups of personnel on board the vessel, amount of time spent by each personnel at location
of concern. The formula is as follows:
IRPA= IR x Manning Factor

52 | P a g e
References

1. Mannan Sam; Lees’ Loss Prevention in the Process Industries; Hazard Identification,
Assessment and Control – Appendix 14 Failure and Event Data
2. Center for Chemical Process Safety; Guidelines for Process Equipment Reliability
Data with Data Tables – Chapter 5 CCPS Generic Failure Rate Data Base
3. UK Failure Rates – Failure Rate and Event Data for use within Risk Assessments
(28/06/2012)
4. NEA QRA Technical Guidance
5. NEA QRA Criteria Guidelines
6. A Guide to Quantitative Risk Assessment for Offshore Installations, Centre of Marine
and Petroleum Technology (CMPT)

53 | P a g e
Appendix A

54 | P a g e
55 | P a g e
Appendix B

HAZOP Analysis Worksheet

Process section: Reinjection Compressor including inlet and outlet Study Date: 01 / 10 / 2017

Gas from HP Compressor discharge Cooler is routed to RI Compressor suction Scrubber to knock down any liquid. The Gas is then routed to the RI Compressor
Design intent
suction where it is Compressed and routed for reinjection into the well.

Deviation Cause Consequence Safeguards Actions

1. No/Low Flow 1.1. Loss of flow to Compressor 1.1.1. Less flow to Compressor leading to 1.1.1.1. Capacity control provided through FCV3802.
due to upset upstream. potential surge. Potential damage to
Compressor. 1.1.1.2. Compressor anti-surge control will open the recycle valve
FCV3801 across Compressor.

1.1.1.3. PZALL3814 at suction will trip Compressor turbine.

1.2. Less flow to Compressor
due to turndown operation or
during later years when overall
gas flow may be less. Low flow
case may also occur if only
heavy oil is flowing without
light oil.
1.2.1. Less flow to Compressor leading to
potential surge. Potential damage to
Compressor.
1.2.1.1. Capacity control provided through FCV3802.
1.2.1.2. Compressor anti-surge control will open the recycle valve
FCV3801 across Compressor.
1.2.1.3. PZALL3814 at suction will trip Compressor turbine.

1.3. Less flow during heavy oil
only operation.
1.3.1. At this flow rate, there may not be
any gas flow to HP & RI section while MP
may continue to run and supply to fuel
gas.
1.3.1.1. Capacity control provided through FCV3802. 1. Check for heavy oil operation
only, whether MP Compressor
can be operated o either consume
the gas or reinject the gas without
need for flaring. Also check HP
1.3.1.2. Compressor anti-surge control will open the recycle valve & RI Compressor operation for
FCV3801 across Compressor. this case.

56 | P a g e
 1.4. SDV3802A at suction gets
closed
1.5. Compressor suction
strainer plugged
1.6. RI Compressor Trips (All
three compressors upstream
(MP and HP) will also trip as
they are on common shaft)
57 | P a g e
1.4.1. Loss of flow to Compressor leading
to potential surge. Potential damage to
Compressor.
1.5.1. Potential loss of flow to Compressor
leading to surge. Loss of anti-surge
protection.
1.6.1. Pressure build up in upstream
vessels leading to upset.
1.6.2. Loss of HP fuel gas to power
turbine.
1.6.3. Potential loss of LP fuel gas for flare
purge and pilots.
1.6.4. Potential reverse flow from Gas
Injection Header leading to damage
1.6.5. Potential surge during coast down
1.4.1.1. Compressor anti-surge control will open the recycle valve
FCV3801 across Compressor. This recycles downstream of the
suction SDV.
1.4.1.2. PZALL3814 at suction will trip Compressor turbine.
1.5.1.1. PDI3816 with high alarm across strainer
1.5.1.2. Low low pressure trip downstream of strainer at compressor
suction nozzle (PZALL3814)
1.6.1.1. PC3729 on MP Compressor suction header will relieve to
HP Flare. This is sized for full flow of MP Compressor.
1.6.1.2. Upstream vessels have individual relief to flare for blocked
condition.
1.6.2.1. Provision for switch over to diesel
1.6.3.1. Gas may be routed directly to low pressure fuel gas users
from MP Compressor suction cooler outlet to Fuel Gas Scrubber.
This line remains open and will flow when Fuel Gas Scrubber
pressure falls.
1.6.3.2. Back-up Flare Header purge using Nitrogen which will
come online automatically.
1.6.3.3. Back-up fuel gas supply to Flare pilots using Propane
bottles which will come online automatically.
1.6.4.1. Single check valve provided at Compressor discharge
nozzle.
1.6.4.2. Second check valve at discharge Cooler outlet downstream
of anti-surge flow tapping.
1.6.4.3. SDV3803A/B at discharge Cooler outlet will close on
compressor trip.
1.6.5.1. Anti-surge safeguard for Compressor.

1.7. Strainer at inlet of
discharge Cooler plugged
58 | P a g e
1.6.6. Potential increase in Compressor
suction pressure due to settle out condition
1.6.7. Potential overpressure of RI
Compressor suction due to reverse flow
from the downstream discharge header/
gas reinjection header
Potential overpressure of upstream HP
Compressor discharge piping.
1.6.8. Loss of gas lift during Heavy oil
production. Potential reduction or loss of
heavy oil flow from the wells. Process
upset topside.
1.6.9. On loss of gas lift, heavy oil flow
lines may stop flowing leading to stagnant
condition. Potential plugging.
1.6.10. Loss of gas injection to the well.
No significant issue in short term.
1.7.1. Loss of flow through Compressor
leading to surge. Anti-surge control will
not safeguard against this scenario.
1.6.6.1. Compressor suction designed higher than settle out
pressure.
1.6.6.2. Single check valve provided at Suction Scrubber inlet
1.6.6.3. SDV3802A/B at Suction Scrubber inlet will close on
Compressor trip.
1.6.7.1. Single check valve at discharge Cooler outlet. 2. Review the overpressure
safeguards for the RI Compressor
1.6.7.2. SDV3803A/B at discharge Cooler outlet will close on suction against discharge check
Compressor trip. valve leakage case. Similarly
review the overpressure
safeguard for the HP Compressor
1.6.7.3. Single check valve provided at Suction Scrubber inlet discharge piping against
downstream check valve leakage
1.6.7.4. SDV3802A/B at Suction Scrubber inlet will close on case. The requirement for double
Compressor trip. check valve and PSV sizing for
check valve leakage case to be
reviewed in addition to closure of
SDVs.
1.6.9.1. Preservation procedure in case of Heavy oil line shut off.
1.7.1.1. PDI3832 with high alarm across strainer 3. Review the requirement for hot
bypass across the Compressor
nozzles, considering the potential
for blockage in discharge cooler
and consequent loss of anti-surge
flow. This is to be checked with
vendor. This action is applicable
for MP, HP and RI Compressor.

1.8. Discharge Cooler plugged
(This is PCHE type with small
diameter flow path)
1.9. SDV3803A at discharge
gets closed or any downstream
blocked condition on gas
injection line.
2. More/High Flow 2.1. No issue.
59 | P a g e
1.7.2. Potential damage to strainer leading
to debris carryover to Cooler.
1.7.3. Potential overpressure at
Compressor discharge.
1.8.1. Loss of flow through Compressor
leading to surge. Anti-surge control will
not safeguard against this scenario.
1.9.1. Loss of flow through Compressor
leading to surge.
1.9.2. Potential overpressure.
1.7.2.1. PDI3832 with high alarm across strainer 4. Provide trip of Compressor on
high differential pressure across
strainer at the inlet of MP
Compressor discharge cooler.
Since this is PCHE type, blocking
of strainer and consequent
damage to strainer can result in
plugging of strainer. This is a
general action applicable for
PCHE coolers in HP and
Reinjection Compressor
discharge.
1.7.3.1. PZAHH3818 at compressor discharge will trip the
Compressor.
1.7.3.2. PSV3811 at Compressor discharge is sized for blocked
outlet.
1.8.1.1. Strainer provided at inlet 5. Review the requirement for hot
bypass across the Compressor
nozzles, considering the potential
1.8.1.2. PDI3833 with high alarm across PCHE on gas side for blockage in discharge cooler
and consequent loss of anti-surge
flow. This is to be checked with
vendor. This action is applicable
for MP, HP and RI Compressor.
1.9.1.1. Anti-surge safeguard for Compressor.
1.9.2.1. PZAHH3814 at Compressor suction will trip the
Compressor
1.9.2.2. PZAHH3818 at compressor discharge will trip the
Compressor.
1.9.2.3. PSV3811 at Compressor discharge is sized for blocked
outlet.
 3. Reverse/ 3.1. No issue
Misdirected Flow

4. More/High Pressure 4.1. External Fire around 4.1.1. Potential overpressure 4.1.1.1. PSV3801 on suction Scrubber sized for fire case.
Suction Scrubber

4.2. FCV3802 on recycle line 4.2.1. RI Suction pressure will increase,

(for capacity control) open leading to increase in HP Compressor
when not required (Fail open discharge pressure. Potential surge in HP
type) Compressor. Potential increase in
upstream pressures. System upset.

4.3 FCV3801 on anti-surge line 4.3.1. RI Suction pressure will increase,

open when not required (Fail leading to increase in HP Compressor
open type) discharge pressure. Potential surge in HP
Compressor. Potential increase in
upstream pressures. System upset.

5. Low Pressure 5.1. Compressor turbine speed
control malfunctions and
increases the speed.
5.1.1. Suction pressure will fall. Potential 5.1.1.1. Compressor anti-surge control will open.
surge due to high head across the
Compressor although surge point may
move due to higher flow. Potential stone 5.1.1.2. Over speed safeguard for the turbine.
wall condition at high flow if delta P does
not increase.

5.2. BDV3801 at Discharge 5.2.1. Some increase in flow through

Scrubber open compressor but not considered significant.
System Upset.

5.3. HP Compressor recycle 5.3.1. Less flow to RI Compressor leading 5.3.1.1. Compressor anti-surge control will open.
valve opens. to surge.

6. More/High 6.1. Loss of Cooling Water to 6.1.1. Potential high temperature gas to RI 6.1.1.1. TC3809 with high alarm. Credit for this taken where any
Discharge Cooler due to supply compressor suction when operating on element of this loop is not the cause of malfunction.
Temperature failure recycle mode. Potential increase in
Compressor discharge temperature leading 6.1.1.2. TZAHH3808 at Cooler outlet will trip the Compressor
to damage.
6.1.1.3. TZAHH3804 at RI Compressor discharge will trip the
Compressor.

6.1.2. High temperature gas will flow to 6.1.2.1. TC3809 with high alarm. Credit for this taken where any
gas injection system. Potential damage to element of this loop is not the cause of malfunction.
gas injection piping, swivel joint and risers

60 | P a g e
 due to exceedance of design temperature. 6.1.2.2. TZAHH3808 at Cooler outlet will trip the Compressor

6.2. Loss of Cooling or less 6.2.1. Same as consequences 6.1.1 to 6.1.2

cooling due to TC3809
malfunction in Discharge cooler
(Fail open type)
6.2.2. Water temperature can increase 6.2.2.1. PSV3831 on water side can handle this case.
leading to potential overpressure due to
thermal expansion, although gas side flow
would have stopped due to high
temperature trip. Also water inlet side is
open.

7. Low Temperature 7.1. More cooling due to 7.1.1. No significant drop in temperature is
TC3809 malfunction in expected. No significant issue.
Discharge cooler.

7.2. Blow down operation
7.2.1. Potential low temperature in the 6. To confirm based upon the
blow down valve outlet to flare. Potential Low temperature study the
Hydrate formation. Potential low requirement to connect BDV
temperature in the system due to blow discharge to Low Temperature
down. HP flare header, the material
suitability for the system (for
which blow down is provided) as
well as any requirement for
hydrate inhibitor.

7.3. Pressure let down across 7.3.1. Potential low temperature at the 7. Compressor capacity control
capacity control valve valve and downstream and antisurge control downstream
FCV3802 or anti-surge valve piping material to be checked for
FCV3801 lowest temperature expected due
to pressure let down. Currently
CS material is shown. This action
is applicable for both HP
Compressor and RI Compressor.

7.3.2. Potential hydrate formation 8. Anti-surge control valve and

Capacity control valve across HP
& RI Compressor to consider
impact of water content at inlet to
the valve for both the case of
normal water content and as well
as for the case of wet gas flow
due to upset in Dehydration
Column.

61 | P a g e
 8. High Level 8.1. SDV3801 at Suction
Scrubber liquid outlet gets
closed. Normally no liquid
expected.
8.2. LC3802 malfunctions and
closes liquid outlet of Suction
Scrubber
9. Low Level 9.1. LC3802 malfunctions
leading to wide opening of
LCV on liquid outlet of Suction
Scrubber.
10. Composition 10.1. H2S in Compressor feed
Change / gas stream. This may occur in
Contamination / later years and if H2S
Additional Phase / Scavenger is not effective or
Loss of Phase operational.
10.2. Compressor operates on
recycle mode
62 | P a g e
8.1.1. Level build-up in Scrubber. Possible
liquid carry-over leading to Compressor
damage.
8.2.1. Same as consequence 8.1.1
9.1.1. Gas blow-by to HP Suction
Scrubber. Under Compressor running
case, this will lead to gas being recycled.
No significant issue. Under Compressor
trip case, this may lead to overpressure of
HP Suction Scrubber.
10.1.1. No issue for Compressor operation
or metallurgy.
10.1.2. In case of seal failure, this can
result in H2S leak to atmosphere
10.2.1. Anti-surge control valve and
Capacity control valve inlet may have two
phase flow due to hydrocarbon
condensing. It may also contain water in
case of wet gas flow from Dehydration
Column. Potential impact on control valve.
8.1.1.1. LC3802 with high alarm. Credit for this taken where any
element of this loop is not the cause of malfunction.
8.1.1.2. LZAHH3804 on Scrubber will trip the Compressor.
9.1.1.1. LZALL3804 will close SDV3801 9. SDV3801 at RI Compressor
Suction Scrubber to close on
Compressor trip or stop signal.
9.1.1.2. On Compressor trip, RI Compressor suction Scrubber liquid 10. Check the requirement for
outlet SDV will close. sizing PSV3601 on HP
Compressor suction Scrubber for
the case of gas blow-by from RI
Compressor Suction Scrubber.
9.1.1.3. PSV3601 on HP Compressor Suction Scrubber. This is 11. Check if the medium is dense
designed for fire case. phase and whether level sensor
will act in dense phase and if
control need to be automatic.
10.1.2.1. Provision for isolation and blow down of Compressor.
10.1.2.2. H2S detectors will be installed in the field when H2S will
be detected in later years.
10.1.2.3. Training of the crew in H2S awareness to be carried out
onboard.
12. Anti-surge control valve and
Capacity control valve across HP
& RI Compressor to consider
impact of water content at inlet to
the valve for both the case of
normal water content and as well
as for the case of wet gas flow
due to upset in Dehydration

10.3. Wet gas from Dehydration
column outlet. This may occur
during start-up as well as during
any upset such as loss of TEG
flow.
11. Utility Failure 11.1. No issue.
12. Start-up Shutdown 12.1. Re-start of Compressor
/ Maintenance after settle out
13. Others 13.1. Tube rupture in Discharge
Cooler
63 | P a g e
10.3.1. Potential hydrate formation where
there is gas let down. Potential impact on
gas injection well. Also potential increased
corrosion in the piping as these are CS
material.
10.3.2. Potential impact on seal gas
system.
12.1.1. No issue since gas turbine can be
run at minimum speed.
13.1.1. Gas will leak into the Cooling
water system. Potential overpressure of the
cooling water side of exchanger .
13.1.2. Gas will leak into the Cooling
water system. Potential gas build-up in
Cooling Medium Vessel. Potential
overpressure.
Column.
10.3.1.1. Online Dew point Analyzer AI3201 at Dehydration 13. Review the impact of wet gas
Column outlet. However under the start-up and upset condition, wet flow to HP Compressor and
gas flow will continue. Reinjection Compressor and
downstream well injection,
including impact on BDV,
compressor recycle valves for
anti-surge etc. Review the
requirement for corrosion
inhibitor injection in Dehydration
Column overhead. Review the
requirement for Hydrate inhibitor.
Also review the requirement for
venting of gas to flare or
recycling if required.
13.1.1.1. PSV3831 on Cooling water side designed for plate leak
and will relieve to HP flare header.
13.1.2.1. Cooling Medium Vessel is designed for 18 barg while
PSV is set at 8 barg for fire case.
13.1.2.2. PZAHH6703 at Cooling Medium circulation pump
discharge will trip the pump.
13.1.2.3. PC6701 will open PCV6702 on Cooling Medium vessel to
LP flare (2")
13.1.2.4. PI6701 on Cooling Medium Vessel with high alarm.
13.1.2.5. AI6701 with high alarm for hydrocarbon in Cooling

13.2. Seal failure
13.3. Operation of SDV by-pass
across Compressor suction and
discharge SDV
13.4. Compressor suction and
discharge SDV opened under
high differential pressure
13.5. Blockage in RI
Compressor Suction Scrubber
64 | P a g e
13.1.3. High pressure gas leak into the low
pressure cooling medium may lead to
gradual drop in cooling medium
temperature. In the worst case, gas may
displace the liquid and vent through
PSV3831 which may get blocked due to
hydrate if temperature is lower than 0 deg
C.
. medium vessel (internal gas detection)
13.2.1. Potential Hydrocarbon leak to
atmosphere
13.3.1. Potential low temperature when
by-pass SDV is operated for pressure
equalization under high differential
pressure.
13.4.1. Potential damage due to sudden
high flows
13.5.1. Since piping is derated
downstream of LV3802, plugging in the
medium vessel (internal gas detection)
13.1.2.6. PSV3831 on Cooling water side designed for plate leak
and will relieve to HP flare header. This is set at 18 barg.
13.1.3.1. PI6701 on Cooling Medium Vessel with high alarm. 14. In case of any hydrocarbon
leak from PCHE in the
compressor circuit to the cooling
medium, action to be taken to
stop the Compressor and blow
down.
13.1.3.2. AI6701 with high alarm for hydrocarbon in Cooling 15. Consider PI with high alarm
on cooling water side at each
PCHE to alert operator in case of
any leakage. This action is
applicable for all PCHE in high
pressure gas system.
13.2.1.1. Provision for isolation and blow down of Compressor.
Single BDV3801 provided at the discharge for the entire
compressor loop including the Scrubber.
16. Check the low temperature
requirement for the by-pass SDV
and the downstream by-pass
piping at Compressor suction and
discharge where high differential
may occur resulting in low
temperatures when the by-pass is
operated for pressure
equalization. This is particularly
applicable for HP Compressor
discharge as well as RI
Compressor suction and
discharge.
13.4.1.1. PDI with inhibit signal to inhibit open of the main SDV on
high differential pressure
17. Review the design pressure
for the piping downstream of
 liquid outlet piping downstream
of LV3802. This may occur in
case of hydrate formation,
particularly during start-up or
upset condition when gas may
be wet.
13.6. Drain valve to Closed
drain system opened
inadvertently during normal
operation.
65 | P a g e
piping can lead to overpressure and can
cause loss of containment
13.6.1. Potential overpressure of the
Closed drain drum and the header.
LV3802 in RI Compressor
Suction Scrubber liquid outlet.
This action will also apply for the
piping downstream of the
LV3603 on HP Compressor
suction Scrubber liquid outlet and
for piping downstream of
LCV3705 on MP Compressor
discharge Scrubber liquid outlet.
These piping may be designed for
the same pressure as the LV
upstream pressure upto the return
nozzle of the downstream
equipment.
13.6.1.1. 6" vent to flare on Closed Drain Drum with Lock Open
(LO) valves but may not be sufficient. Also this will not protect the
header in case of any blockage.
13.6.1.2. Procedures to ensure drain valves to closed drain header
are closed and spaded closed during normal operation. They are to
be opened only after depressurisation of the equipment, for
maintenance.