at SciVerse ScienceDirect

Journal of Loss Prevention in the Process Industries 25 (2012) 809e819

Contents lists available

Journal of Loss Prevention in the Process Industries

journal homepage: www.elsevier .com/locate/ j lp

Approach enhancing inherent safety application in onshore LNG plant design

Masayuki Tanabe a,*, Atsumi Miyake b,1

a Engineering HSE Group, HSE Systems Department, Engineering Division, JGC Corporation, 2-3-1, Minato Mirai, Nishi-ku, Yokohama 220-6001, Japanb Laboratory for Safety Engineering and Risk Management, Yokohama National University, Hodogaya-ku, Yokohama 240-8501, Japan

a r t i c l e i n f o

Article history:Received 10 February 2012Received in revised form12 April 2012Accepted 15 April 2012

Keywords:Inherent safetyLNGModule

* Corresponding author. Tel.: þ81 45 682 8505; faxE-mail addresses: tanabe.masayuki@jgc.co.jp (M

(A. Miyake).1 Tel.: þ81 45 339 3993; fax: þ81 45 339 4011.

0950-4230/$ e see front matter � 2012 Elsevier Ltd.doi:10.1016/j.jlp.2012.04.005

a b s t r a c t

This study aims to provide the approach for inherent safety design of onshore LNG plants to be applied atthe very early stages (concept definition phase) of the project development. Onshore LNG plant devel-opment project starts from the “Concept Definition” phase, where financial feasibility is estimated andmajor conditions, such as site location and plant foot print, are set.

The inherent safety design basic criteria and design measures should be identified and selected whensetting the basic conditions during the Concept Definition phase of the project development, such as thesite location (relative location from populated areas), site condition (prevailing wind direction) and plantproduction capacity (number of process train, number of product tanks). The safety measures, which areusually not fully developed at the project early stages in the current design execution practices, are theemergency systems, which mitigate an accident escalation, the modularized plant and layout, and thetank selection.

The inherent safety design measures discusses in this paper were identified based on the categories ofplot plan, emergency system, and module plant application.

The proposed approach will contribute to improve inherent safety design of onshore LNG plants and itwill also yield schedule and cost benefits.

� 2012 Elsevier Ltd. All rights reserved.

1. Introduction

Since the incidents following the Tohoku (East Japan) Earth-quake in March 2011, i.e., the incident at the Nuclear Power Plant inFukushima and the BLEVE incident in the Refinery Plant in Chiba, ithas been widely recognized that there is a very high hazard/potential risk in energy plants. These incidents were caused bysevere natural event (i.e., common cause event) and the actualincident escalation scenario had shown that the multiple layers ofprotection did not work as the designer intended, and the hazardshad not been properly managed. For example, the incident at theNuclear Power Plant showed that the facility layout considerationfor the Emergency Diesel Engine Generators was not appropriatefor external events (i.e., tsunami in this case) and the BLEVE inci-dent showed that the facility layout consideration to preventa domino event was not appropriate. One observation from theseincidents is the importance of enhancing the inherent safety inplant design, e.g., layout and separation distances.

: þ81 45 682 8850.. Tanabe), atsumi@ynu.ac.jp

All rights reserved.

It is common practice to select inherent safety design measure,e.g., separation distance, rather than active system (fire watersystem), in order to prevent accident escalation. However, in thedevelopment of oil and gas facilities, the requirements whichgreatly influence the separation distance, such as site location andplant foot print, are decided at the concept definition phase whichmainly focuses on financial considerations. Since this early phasediscusses only conceptual design conditions and does not definedetailed design, safety aspects evaluated in this phase are normallylimited to coarse QRA (Quantitative Risk Assessment) and HAZID inorder to confirm the order of magnitude of process risk (Kletz,2003, 2005, 2006).

This paper discusses the approach for enhancing the inherentsafety design application to Onshore LNG plants at the conceptdefinition phase.

2. Onshore LNG plant development project

2.1. LNG plant

An LNG plant is categorized as midstream in the businessdomain. It is built near shore (onshore) to receive natural gas fromwell heads (majority of the times fromoffshore) and export the LNGproduct by sea carrier (Fig. 1).

Well Head Subsea Pipeline Sea Transportation

To EndUsers

Fig. 1. LNG supply chain.

M. Tanabe, A. Miyake / Journal of Loss Prevention in the Process Industries 25 (2012) 809e819810

Recently, the number of LNG plant development projects isincreasing. The development costs for LNG plant project are higherthan the one for oil and refinery plant project (e.g., typically up toseveral billion for oil and refinery project and more than 10 billionfor LNG). However, due to the reduction of crude oil reserves andenvironmental aspects (lower impurity in natural gas), natural gashas been recognized as cleaner energy. Further, the natural gas/LNGis now very attractive as alternative energy source to nuclear powerin Japan.

LNG plants are commonly designed based on onshore safetydesign practices, but as the LNG process mainly consists of highpressure gas handling units (Fig. 2), the safety features are similarto the offshore plants, i.e., major hazard is gas jet fire. However, thedeterministic approach for conventional onshore plants, which isapplied to LNG plants, is generally based on pool fire. The safetydesign approach for onshore LNG plant should consider its specifichazards, such as gas jet fire, cryogenic spill, large vapor cloud, andexplosion hazard.

2.2. Development schedule

Fig. 3 shows the typical schedule of an onshore LNG plantdevelopment from confirmation of reservoir gas to starting plantoperation. The schedule can be divided in four major phases whichare Concept Definition, Pre-FEED, FEED and EPC (Fig. 3).

� Concept Definition

Based on location of well and feed gas characteristics, the overalldevelopment concept, such as product, capacity, onshore oroffshore, location of the onshore plant, and its economic feasibilityare studied and defined in this phase.

Gas

Purification

Unit

Feed Gas

Typical OP: 6000~ 20000kPaA 2000kPaA

LNG Tra

6000kPaA

LPG Reco

Refriger

Slug

Catcher

Typical OT: 25~75 degC 25 degC -60 degC

Typical

Composition:

C1 85~90%

CO2 5~10%

Others (C2+,

H2S, H2O,

Condensate)

Gas stream:

C1, C2+, CO2,

H2S, H2O

Liquid stream:

H2O, Condensate

Main stream:

C1, C2+

Removed:

CO2, H2S, H2O

Main stream:

C1

Removed:

C2+

Fig. 2. Simplified LN

� Pre-FEED (Pre-Front End Engineering Design)

The basic design data (Basis of Design e BOD) and the designphilosophies are established in this phase.

� FEED (Front End Engineering Design)

The design philosophies are finalized, the design data is estab-lished and the total investment cost is estimated for the FinalInvestment Decision (FID).

� EPC (Engineering, Procurement and Construction)

The detailed design is developed, equipment is purchased, andthe plant is constructed and commissioned.

3. Safety design approach for oil & gas industries

3.1. Onshore and offshore safety design approach

There are two different safety design approaches in currentprocess plant industry (Table 1). One is applied to onshore plantsand the other is applied to offshore plants.

The onshore safety in design is based on a deterministicapproach, while the offshore safety design is a risk based approachconsidering all possible scenarios. Hereafter we call these twoapproaches “onshore approach” and “offshore approach”,respectively.

The onshore approach identifies and selects accident scenariosfor the design basis; normally pool fire is used, and consequently jetfire scenario is considered as residual risk. Contrarily, the offshoreapproach considers all possible scenarios, but the application to the

Liquefaction

LNG

6000 kPaA

in

very

ation Circuit

LNG

Product

Tank

Atm.

-150 degC -162 degC

Main stream:

C1

Main stream:

C1 (LNG)

G process flow.

Fig. 3. Typical schedule of onshore LNG plant development.

M. Tanabe, A. Miyake / Journal of Loss Prevention in the Process Industries 25 (2012) 809e819 811

design is not straight forward as it requires a large number ofstudies and data in order to establish firm design basis, such aslayouts, ESD, isolation philosophy, and module structure framing.Further, these studies require a certain degree of engineering andthe preparation of the 3D model.

3.2. Inherent safety design

The major inherent safety aspects are (CCPS, 1993):

� Intensification (such as maximize the yield the process andminimize inventory of hazardous material)

� Substitution (such as selection of less hazardous material)� Attenuation (such as using the hazardous material in the leasthazardous form, lower temperature/pressure, dilution)

� Limitation (such as limiting/reducing the effect of hazard bysiting/location)

� Simplification (such as eliminating unnecessary complexityand reducing the opportunity for error)

The inherent safety design measures treated in this paper arerelated to Limitation.

3.3. Safety design approach in concept/feasibility study phase

Since the inherent safety design measures using Limitation, i.e.,site location, unit location and orientation and separationdistances, increase the development costs, it is difficult to decide ontheir implementation unless the extent of their application isclearly defined. Further, a late definition of these measures con-ducted in the following phases of the project would also greatlyimpact the schedule. The identification of the appropriate inherentsafety for Limitation and the setting of the criteria for its imple-mentation should be done during this phase.

However, at this phase, due to the unavailability of detailedinformation, safety aspects are only considered at high level based

Table 1Classification of safety design approach.

Safety design approach Remarks

Deterministic e Onshore Onshore upstream plants and downstream plantsRisk based e Offshore Offshore plants, such as offshore platform and FPSO

on the results of a Coarse QRA (order of magnitude of risk) andHAZID, and the safety design measures are not fully evaluated.

3.4. Safety design approach in FEED and EPC phases

The onshore and offshore approaches are applied during theFEED and EPC Phases as part of the design development. The safetydesign measures are mostly detailed specifications; studies, (suchas HAZID and detailed QRA); and design reviews, such as extent offireproofing, number and locations of gas detectors, HAZOP, andModel Review.

At the FEED phase, the safety philosophies are developed todefine the detailed specifications and the investment costs for theFID are estimated. However, at this stage the inherent safety designmeasures by Limitation, in particular greater safety distances, andsite location, are not fully taken into account, because they conflictwith the need to reduce the plant foot print for environmentalreasons and the investment costs.

At EPC, detailed specifications, such as fireproofing, numberand locations of gas detectors, are finalized and implemented,based on the FEED design package and the project budgetestimated at FID. The implementation of the inherent safetydesign measures by Limitation during EPC, such as greaterseparation distance, is very difficult and it has cost and scheduleimpacts, since the design package, the plant boundaries, and theoverall plot plan have already been defined in the previousphase.

3.5. Proposed inherent safety design approach

The identification of the appropriate inherent safety and thesetting of the criteria for its implementation should be done bya combined approach of deterministic/risk based safety designapproaches during the early phase of the project.

The safety design concept (Table 2) to be applied in the concept/feasibility study phase is discussed in Section 4.

4. Inherent safety design options

4.1. Emergency system considering external event

Process plant safety systems are designed based on the philos-ophy of multiple protections layers. The protection layers arecategorized in two types of protections based on their function:Prevention System (such as Pressure Relief Valve (PRV) and Safety

Table 2Proposed inherent safety design measures.

Inherent safety measures Category Project phase foreffective implementation

Section Remarks

Separation distance Limitation Feasibility study Ref. Section 4.1/4.2/4.3 Reduction of failure modeis also considered (Simplification)

Geographical redundancy Limitation Feasibility study Ref. Section 4.1Improvement of ventilation (Layout) Limitation FEED Ref. Section 4.2Spill control Limitation FEED/EPC Ref. Section 4.1

M. Tanabe, A. Miyake / Journal of Loss Prevention in the Process Industries 25 (2012) 809e819812

Instrumented System (SIS)) and Emergency System (such as Fireand Gas System (F&G), Emergency Shutdown System (ESD) andEmergency Depressuring System (EDP)).

The protection layers should consider both, internal systemfailure and external failure events. For example, the EDG (Emer-gency Diesel engine Generator) at the Fukushima Nuclear PowerPlant was provided for the cooling water circulation pump in caseof black out which would have stopped the water cooling systemresulting in the melt-down of the nuclear reactors. This measure isappropriate to provide sufficient redundancy for the system in viewof internal failure event. However, due to the tsunami (14 mwaves)the EDGwas put out of service. Therefore, for external failure event,geographical redundancy should also be considered for the essen-tial components of the emergency system, e.g., in this particularcase to locate the EDG on higher ground. This study discusses theapproach including the consideration for external events foremergency system in the Concept Definition Phase.

Table 3Example of safety critical design basis matrix.

Essentialemergency system

Critical event Vulnerability

Physical separation/segregation

Blast resistant design

Flare System External eventleading CCF

Common mainheader shall notbe routed withinhigh risk area(process unitblock piperack)to avoid commoncause failure.

No blast resistant desapplied to flare systemand its supporting str

Componentfailure leadingCME

e e

ActiveFire Protection

External eventleading CCF

Fire water source(Tank/Pump)shall be locatedin low risk area.

e

Componentfailure leading CME

e e

ESD System External eventleading CCF

ESD zone shallbe larger than orequal to fire waterzone anddepressuring zone.

Not considered for eqand piping, but consimeasure to enhance nventilation in module

Component failureleading CME

e e

EDP System External eventleading CCF

Redundant cableshall berouted separately.

LIR shall be blast resiallow safe depressuribelonging zones (to asimultaneous openingEDPVs leading to flarecapacity overloading)

Componentfailure leadingCME

e e

4.1.1. Emergency system malfunction due to external eventTo establish the scenarios for the emergency system design, the

Safety Critical Design Basis Matrix is proposed (See Table 3).Although the matrix uses the same logic flow as the EmergencySystem Survivability Analysis (ESSA), typical of offshore safetystudies (i.e., vulnerability, fail-safe, and redundancy), the emer-gency systems will be evaluated based on the critical events, whichresult in the unavailability of the emergency system during emer-gency conditions, instead of Major Accident Event (MAE), which isnormally used for ESSA. This allows the use of the matrix at thebeginning of the design phasewithout waiting for the study results,e.g., HAZID (Hazard Identification), FERA (Fire and Explosion RiskAnalysis) and QRA (Quantitative Risk Assessment).

The typical cause of a critical event is identified as follows:

� Common mode event (CME) by internal failure mode� External event leading to common cause failure (CCF).

Fail-safe Redundancy

Fire resistant design

ign

ucture.

No fire resistant designapplied to piping, butfor supporting structurewhere within firescenario envelope.

No fail-safe. No redundancy.

e e Spare flare stackRedundant fuelgas supply for burner.

Design basis: Pool fire. e Seawater backupis available.

e e Backup pump bydiesel engineSeawater backup.

uipmentderatural.

e ESD system isdesigned asfail-safe.

e

e ESD system isdesigned asfail-safe.

Power supply forESD shall be fullyredundant.

stant tong ofvoidof

.

Depressuring rate basis:Pool fire LIR shall be fireresistant to allow safedepressuring ofbelonging zones.

Not fail-safeif flare capacitydesigned againstsimultaneous EDPzone depressuring.

e

e EDP shall havesecured air vesselfor IA supply.

Power supply forEDP shall be fullyredundant.

Fig. 4. Generic risk reduction concept of actual SIL study for prevention systems.

M. Tanabe, A. Miyake / Journal of Loss Prevention in the Process Industries 25 (2012) 809e819 813

Onshore safety design takes into account CME by internal failuremode, but not CCF due to external events, as external events arenormally covered by active protection systems, such as fire-fightingsystem. If an external specific event is to be considered in thedesign, it is difficult to properly define the design basis, e.g., whichcomponent shall withstand that particular external event, forexample all piping and valves.

The proposed Safety Design Approach for Onshore LNG Plantrequires that the main component in an emergency system, whichmay result in common cause failure, be evaluated based on theexternal event and that the design criteria are set accordingly inorder to ensure survivability of the system. Same considerationsapply to other systems. For example, sufficient protection of firewater tanks and pumps shall be considered to avoid CCF due toexternal events. However, in the case of onshore plant, this does notnecessarily mean that blast or fire resistant design shall be applied.The system components (e.g., fire water tanks and pumps) should beinstalled at sufficient distance from the hazardous areas, consideringoverall plot plan and sufficient space betweenmodules to reduce gasaccumulation due to confined space (van den Berg & Versloot, 2003).

4.1.2. Overall emergency system design concept preventing accidentescalation scenario

The BLEVE incident at the Refinery Plant in Chiba after theTohoku earthquake was the typical domino event after the collapseof one sphere. One of the important measures to avoid dominoevent is separation distances which are difficult to implement inthe EPC phase after the site area has been defined.

Fig. 5. Proposed risk r

Although the generic risk reduction concept in the IEC (Fig. 4)allows risk reduction by the emergency system, its detailed appli-cation (i.e., quantify how much the risk can be reduced by theemergency system as escalation prevention) is not specified. Inother words, there is no specific risk reduction requirement for theEmergency System and no standardized method to quantify its riskreduction level. The actual risk reduction (Fig. 4) is simply equal tothe reliability of the Prevention System (PRV and SIS), which isverified by conducting SIL study. Therefore, risk reduction can onlybe quantified for the Prevention System.

This section proposes to apply the SIL concept to the EmergencySystem, same as for the Prevention System, in order to provide therisk reduction criteria and to establish the design requirements forthe Emergency System (such as automatic ESD/EDP by F&G system,separation distance) based on these reduction criteria.

In order to provide clear criteria for the Emergency System, theuse of SIL is considered in this paper. However, to set the SIL for theEmergency System is not simple due to the large number ofpossible escalation scenarios. Therefore, in order to properly set theSIL for the Emergency System, the risk reduction concept shall beintegrated with the public’s perception of acceptable risk criteria asshown in Fig. 5.

Furthermore, the Emergency System works properly bya combination of the several systems (such as F&G, ESD and EDP).Therefore, from the SIL verification view point, the overall Emer-gency System shall be evaluated based on the overall systemconsidering the interaction between the individual systems.

The verification model for Emergency System is based ona consequence escalation scenario when Loss of Containment (LOC)occurs. The conventional protection layer concept consists ofseveral protection layers (Emergency Systems) to prevent escala-tion as shown in Fig. 6 (CCPS, 1993).

However, considering the actual design conditions of the OverallEmergency Systems, the several Emergency Systems (e.g., F&G,ESD/EDP) need to work properly to achieve the Overall EmergencySystem’s goal (to limit escalation) as a combination of their func-tion. Only a single system function is not enough to limit theescalation as shown in Fig. 7.

Further, in this model, it was assumed that the Public Unac-ceptable Event (PUE) is a major single event (e.g., explosion, toxicrelease) or a domino event (i.e., chain of events, such as fire-explosion-fire), which result in loss of reputation of the plantoperator/owner, regardless of the severity of the event, i.e., safety orfinancial losses.

Normally, the plant layout consists of several zones to allowisolation, safety distances, and easyaccess (operations,maintenance

eduction concept.

Fig. 6. General protection layer concept for emergency systems.

M. Tanabe, A. Miyake / Journal of Loss Prevention in the Process Industries 25 (2012) 809e819814

and fire-fighting). The access also works as a fire break to preventa fire escalation to the adjacent zone. The Emergency Systems (e.g.,F&G, ESD/EDP) are also designed for each individual zone to preventescalation to the adjacent zone. Considering this design condition,domino initiator is set as the eventwhich escalates to adjacent zonesof the plant as shown in Fig. 8.

If the plant design incorporates proper spill control (e.g., slope,catchment) and the fire water spray system is designed (waterdemand) based on the pool fire engulfment scenario (API RP 2510A,1996), the domino event by a pool fire spreading to adjacent zonesis unlikely. However, if a jet fire points to and reaches an adjacentzone, the domino event may be triggered, since effective designmeasures to fully protect all equipment and structures from a jetfire is not feasible.

4.1.3. Proposed inherent safety design for emergency systemsThe approach identifying required designmeasures, especially for

geographical redundancy, against external events and the conceptproviding criteria for emergency systems considering accident esca-lation scenario have been proposed. The case study, based on actualplant design data, has been done to show the applicability of theproposed approach (Tanabe and Miyake, 2010; Tanabe and Miyake,2011). The following points have been identified as possibleinherent safety design improvements of the Emergency System:

� Overall emergency system design instead of individual emer-gency system design.

� Backup system geographical redundancy for power supplysource (e.g., EDG) considering common cause failure due toexternal event.

� Geographical redundancy for fire water supply source (e.g., firewater tank and pump) considering common cause failure dueto external event.

Fig. 7. Proposed escalation scenario and

� Consistency of process functional segregation and geographicallayout blocks (e.g., units, sub-units, areas) in order to isolate theaccident area to prevent escalation (i.e., domino event) due toexternal event, such as fire and natural event.

� Greater separation distance between zones can reduce chancesof domino event by jet fires.

� Route/Location of flare header line on interconnecting piperackshould be considered to minimize direct fire impingementfrom process equipment (Note: flare header normally lies onthe highest layer of piperack due to free drain requirementtoward the knock-out drum and this may help avoiding directimpingement of fire).

� Proper spill control/drainage system reduce chances of poolfire spreading to adjacent zones.

4.2. Reduction of explosion possibility in modularized plant

The layout consideration to enhance ventilation is important inorder to reduce potential of flammable gas accumulation andsubsequent explosion, e.g., facility orientation and separation. Theexplosion hazard becomes higher when modularized concept isapplied, due to themodule structure elements andbracing and largevoids under module deck. The facility/equipment orientation andseparation for better ventilation should be identified in the earlystage of the project, as changes in layout become difficult in the laterstage. This study identifies the measures to enhance ventilation inmodularized LNG plants and sets the application criteria.

Many onshore base load LNG plants apply Air-Fin-Cooler (AFC) toprovide required duty for refrigerant cooling in LNGprocess. In recentbase load LNG plants, number of AFCs is huge (e.g., approx. 300 fansfor 4e5 MTPA(Metric Ton Per Annum) production LNG plant) andmounted on the center piperack in the process train. Because AFCsare process equipment (not safety system), they are tripped inemergency conditions, such as fire and gas leak. However, since airflow rate through AFC is not negligible, e.g., over 20000m3/s for4e5 MTPA production LNG plant, the forced ventilation effect insidetrain, which reduces the amount of gas accumulation, is expected.The effect has not quantified to use it effectively before. This studyquantifies the ventilation effect by AFC using CFD analysis andevaluate design measures to enhance the effect (Tanabe & Miyake,submitted for publication e Under Review for PSEP).

The basic design data of an LNG plant of 4 MTPA capacity (recenttypical base load LNG single train capacity) is used in this studyidentifying inherent safety design options:

� AFC mounted height on the center piperack: 15 m� Total induced air flow rate by AFCs: 22620 m3/s

overall emergency system concept.

Fig. 8. Example of plant zoning.

M. Tanabe, A. Miyake / Journal of Loss Prevention in the Process Industries 25 (2012) 809e819 815

� Size of LNG process train: 400 m(L) � 250 m(W)� Size of module: 50 m(W) � 40 m(L) � 15 m(H) includingmodule deck height of 4 m (below deck).

� Size of AFCmounted piperack: 336m(L)� 32m(W)� 15m(H).

4.2.1. Air change per hourThe increase in ventilation due to the AFC forced air flow is

evaluated based on ACH increase over natural ventilation in orderto provide the baseline.

The Air Change per Hour (ACH) is calculated based on thefollowing formula:

Qa ¼ Vmod$R=3600 (1)

where

Qa: Air flow rate (m3/s)

Fig. 9. AFC-on air flo

Vmod: Free module volume (m3)R: Air change rate per hour

Since the ACH calculation is simply related to free volume in thearea and air flow rate passing through the area, it is important tocorrectly identify the detailed air flow inside the area (Deru &Burns, 2003; Horan & Finn, 2008; Matsuura and Nakano, 2010).Therefore, CFD analysis has been used (Figs. 9and 10).

The air flow passing through the “target” volume (i.e., under the1st floor deck, above 1st floor deck and gap between modules) ismeasured for each face of the volume under consideration, whichmeans that the ACH is calculated based on the air flow through eachface in order to simulate the detailed air flow streams.

4.2.2. Proposed inherent safety design for natural ventilationBased on the CFD analysis results, the following design

approaches are recommended to optimize the use of AFC-onventilation for onshore modularized LNG plant.

w streamlines.

Fig. 10. AFC-off air flow streamlines.

Inner Wall (9% Nickel)Outer Wall(Carbon Steel)

Insulation

Fig. 11. Single containment tank.

Fig. 12. Full containment tank.

M. Tanabe, A. Miyake / Journal of Loss Prevention in the Process Industries 25 (2012) 809e819816

� The AFC fans should be kept running even in emergencyconditions to reduce the amount of flammable gas accumula-tion. Since the boil off gas of LNG is denser than air due to itscryogenic temperature, methane gas cloud will be formed atground level and trapped for a sufficient length of time incongested areas, e.g., equipment and piping. Therefore,although normally AFC fan motors are stopped upon emer-gency shutdown condition, to ensure a higher degree of safety,e.g., better ventilation, the AFC should be kept running evenafter a leak has been detected. This recommendation is basedon the fact that the fan motors are normally explosion prooftype suitable for the hazardous area classification Zone-2operation to minimize the ignition probability. In order tofurther reduce the ignition probability, it is also worthwhile toconsider application of Zone-1 operation certified motor.

� In the case the LNG plant has a single process train, the LNGtrain axis should be perpendicular to the prevailing wind

Table 4Difference of full containment tank and single containment tank.

Single containment Full containment

Metal roof Concrete roof

Specification Inner wall: 9% NiOuter wall: CSDikeSteel roof

Inner wall: 9%NiOuter wall: Concrete (as dike)Steel roof

Inner wall: 9% Ni

Design Accident Scenario Dike fire Tank top fire NoneSafety Distance Heat radiation

exclusion zonefrom dike fire

Heat radiation exclusionzone from tank top fire

No specific requirement fromdesign accident scenario

Table 5Impact distance by LNG tank failure.

Flammable cloud downwind distanceat 1.5F wind condition [m]

Pool fire downwind radiationimpact distance at pool elevation at 5D [m]

1/2 LFL LFL UFL 4 kW/m2 12.5 kW/m2 37.5 kW/m2

Full containment tank (Tank top fire) 1956.9 933.5 93.4 346.7 222.1 139.2Full containment tank (Rupture) 6765.5 2553.7 1935.1 4067.2 2719.1 1723.6Single containment tank

(Rupture ¼ dike fire)6861.6 1567.3 398.7 1253.6 854.6 595.6

LNG run down line (1800 Rupture) 1757.4 319.3 207.9 434.7 289.5 192.3

M. Tanabe, A. Miyake / Journal of Loss Prevention in the Process Industries 25 (2012) 809e819 817

direction to increase ACH in the gaps and below deck. If theprobability of the prevailing wind direction is very high, it isworthwhile to consider using shorter separation distancebetween modules to further increase the ACH. However, thehazards of shorter separation distance should be considered inthe design.

� In the case the plant has multiple LNG process trains, the trainaxis may have to be set parallel to the prevailing winddirection in order to avoid hot air circulation from the AFC ofone train to the AFC of the next train (reduced AFC duty by hotair). In this case, the separation distance should be as great aspossible.

� The grating deck floor has no major effect on the ACH.However, it is worthwhile to consider use of grating deck floorin order to reduce the amount of gas accumulation betweendecks (by the increase of vertical component of the air flow inmodules).

4.3. Selection of offsite facility from inherent safety aspects

4.3.1. LNG tank type and design accident scenarioThe LNG product tank is the largest equipment containing LNG

in the plant. The type of tank affects the overall plot plan due to therequired exclusion zone established by design accident scenarios.This section discusses the criteria for the selection of the tank typeconsidering their inherent safety.

The type of tanks most commonly used in recent LNG projectsare the Single Containment Tank (Fig. 11) and the Full ContainmentTank (Fig. 12). The differences in design criteria between these twotypes are summarized in Table 4. The major difference is theassumed design accident scenario (worst case). For singlecontainment tank, it is a dike fire, since a single failure of this type

Table 6LNG tank failure frequency.

Tank type Event

Full containment with concrete roof Tank catastrophic ruptureFull containment with metal roof Tank top fireSingle containment Tank catastrophic rupture (dike fire)

may cause the loss of containment of the tank (i.e., leaked cryogenicfluid due to inner wall failure will not be contained by outer tankwall which is made of carbon steel). For the full containment tankwith metal roof, it is the roof failure (i.e., cryogenic fluid containedby the outer wall in case of a failure of inner wall). For the fullcontainment tank with concrete roof, there is no design accidentleak scenario (i.e., no failure mode for roof by cryogenic spill at tanktop platform).

4.3.2. Evaluation for consequence and frequency of tank failureThe consequence and frequency of the LNG tank failure are

evaluated for each tank type (Tables 5and 6). The impact distanceshave been calculated by PHAST ver6.54 (DNV). As shown, theimpact area by the tank failure is very large, and therefore, theoccurrence of tank failure is considered a PUE (Section 4.1.2). Thefrequency of tank failure event is evaluated based on the latestfailure frequency research provided by UK HSE LUP Failure RateData and GL Industrial Services, Risk from Large LNG Releases,FABIG Technical Meeting (FABIG TMR-65), and evaluated against1E-6/yr risk criteria for public. The research suggests using 1E-07/yrfor the Full Containment Tank and 1E-06 for the Single Contain-ment Tank. Further in this study, 5E-7/yr frequency is proposed forthe Full Containment Tank with metal roof.

4.3.3. Proposed inherent safety design for LNG tank typeThe design considerations derived from this evaluation are as

follows:

� Single containment tank can be selected only for developmentof sites in remote areas. This is based on the assumption thatremote areas may have lower public acceptance risk criteria,such as 1E-5/yr.

Failure rate No. of tanks Probability of U/A event on LOC

1.00E-07 2 2.00E-075.00E-07 2 1.00E-061.00E-06 2 2.00E-06

Table 7Possible design implementation measures.

No. Category Implementation measures Remarks

1 Overall plot plan Train orientation against prevailing wind direction in order to preventgenerating larger flammable gas cloud (e.g., single train: perpendicularto the wind direction, multiple trains: parallel to the wind direction)

Ref. Section 4.2.2

2 Overall plot plan Separation distance between process unit blocks in order to avoid a jetfire impingement from small leak hole, which has higher leak frequency

Ref. Section 4.1.3

3 Overall plot plan Consistency of process functional segregation and geographical layoutblocks in order to isolate the accident area to prevent escalation (i.e.,domino event) due to external events, such as fire and natural event

Ref. Section 4.1.3

6 Overall plot plan LNG production tank type selection and separation distances, takinginto account the plant boundaries and populated areas

Ref. Section 4.3.3

7 Emergency system design Design concept based on single layer of overall emergency system,taking into account for combination of each individual emergencysystem, instead of multiple layer of individual emergency systems

Ref. Section 4.1.3

8 Emergency system design Geographical redundancy for electrical power supply system backup(i.e., EDG) considering common cause failure due to external event

Ref. Section 4.1.3

9 Emergency system design Geographical redundancy for fire water supply system (e.g., fire watertank and pump) considering common cause failure due to externalevent

Ref. Section 4.1.3

11 Emergency system design Route/location of flare header line on interconnecting piperack shouldbe considered to minimize direct fire impingement from processequipment

Ref. Section 4.1.3

12 Emergency system design Proper spill control/drainage system reduce chances of pool firespreading to adjacent zones

Ref. Section 4.1.3

13 Emergency system design Application of automatic initiation of ESD upon gas detection (beneficialin case of the plant located near populated area)

Ref. Section 4.2.2 To reduce humanerror rate

14 Application of modularized concept Continuous AFC fan operation in order to reduce quantity of flammablegas accumulation (i.e., better ventilation) in and around the piperack

Ref. Section 4.2.2 Application of Zone-1motor can further reduce the ignitionprobability

15 Application of modularized concept Separation distance between modules in order to reduce the possibilityto create larger flammable gas cloud covering several modules (trainaxis perpendicular to prevailing wind for single train case, and parallelfor multiple train case)

Ref. Section 4.2.2

16 Application of modularized concept Application of grating material for module deck in order to reducequantity of flammable gas accumulation under deck

Ref. Section 4.2.2

Fig. 13. Application timing of the proposed approach.

M. Tanabe, A. Miyake / Journal of Loss Prevention in the Process Industries 25 (2012) 809e819818

� Full containment tank with metal roof can be selected in thedevelopment of sites close to populated area in the case ofsingle LNG production tank.

� Full containment tank with concrete roof should be selected inthe development of sites close to populated area in the case ofmultiple LNG production tanks.

These criteria should be applied in the feasibility study phasebased on site location, population, and number of tanks.

5. Conclusion

This paper proposes the approach for enhancing inherentsafety design in onshore LNG plant project by defining therequired inherent safety design measures in the project conceptdefinition phase. The inherent safety design measures presentedin this paper were established based on the proposed safetyconcepts and case study results using actual LNG plant designdata.

M. Tanabe, A. Miyake / Journal of Loss Prevention in the Process Industries 25 (2012) 809e819 819

As the proposed approach is a combined “deterministic/riskbased” approach based on the conceptual information, such as sitelocation, distance from populated areas, size of plant area, plantproduction capacity, number of trains, number of product tanksand prevailing wind direction, it can be applied in the early phasesof the project because the combined approach can overcome thedifficulties and restriction due to the limited information availablein the early phase of a project, i.e., a better and thorough use ofthe limited information. The identified measures are summarizedin Table 7 and Fig. 13. Enhancing this combined approach willcontribute to the improvement of the design safety in onshoreLNG plant projects.

References

API Publication 2510A. (1996). Fire-protection consideration for the design andoperation of liquefied petroleum gas (LPG) storage facilities. Washington, DC:American Petroleum Institute.

van den Berg, A. C., & Versloot, N. H. A. (2003). The multi-energy critical separationdistance. Journal of Loss Prevention in the Process Industries, 16, 111e120.

CCPS. (1993). Guidelines for engineering design for process safety. New York: Centerfor Chemical Process Safety.

Deru, M., & Burns, P. (2003). Infiltration and natural ventilation model for whole-building energy simulation of residential buildings. National Renewable EnergyLaboratory.

Horan, J. M., & Finn, D. P. (2008). Sensitivity of air change rates in a naturallyventilated atrium space subject to variations in external wind speed anddirection. Energy and Buildings, 40, 1577e1585.

Kletz, T. A. (2003). Inherently safer design e its scope and future. TransactionsIChemE, 81, Part B.

Kletz, T. A. (2005). Looking beyond ALARP e overcoming its limitations. ProcessSafety and Environmental Protection, 83(B2), 81e84.

Kletz, T. A. (2006). Accident investigation: keep asking “why?”. Journal of HazardousMaterials, 130, 69e75.

Matsuura, K., Nakano, M., & Ishimoto, J. (2010). Forced ventilation for sensing-basedrisk mitigation of leaking hydrogen in a partially open space. InternationalJournal of Hydrogen Energy, 35, 4776e4786.

Tanabe, M., & Miyake, A. (2010). Safety design approach for onshore modularizedLNG liquefaction plant. Journal of Loss Prevention in the Process Industries, 23,507e514.

Tanabe, M., & Miyake, A. (2011). Risk reduction concept to provide design criteriafor emergency systems for onshore LNG plants. Journal of Loss Prevention in theProcess Industries, 24, 383e390.

Tanabe, M., & Miyake, A. Forced ventilation effect by air-fin-cooler in modularizedonshore LNG plant, process safety and environmental protection, submitted forpublication.