Assessment of the Likelihood of Exceeding the
Flare Capacity of Multiple LNG Processing Trains
Ricardo A. Lopez, Yaneira Saud, and Najmeh Vaez
Global Risk Practice, CityCentre Four, 840 West Sam Houston Parkway North, Suite 600, Houston, TX 77024;
Ricardo.Lopez@erm.com (for correspondence)
Published online 28 October 2014 in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/prs.11719
Flare systems are typically designed to meet recognized
and generally accepted good engineering practice for foresee-
able vent and relief scenarios. API 521 [American Petroleum
Institute, ANSI/API Standard 521 Guide for Pressure-
Relieving and Depressuring Systems: Petroleum Petrochemi-
cal and Natural Gas Industries, Fifth Edition, American
Petroleum Institute, 2007] allows for multitrain units to be
protected by the same flare system. Therefore, these systems
must be reliable, available, auditable, and maintainable.
However, any designer’s concern should be the possibility of
a common-cause failure (CCF) that impairs several safe-
guards or causes a plant-wide failure. A shutdown incident
can result in flare relief demands that are higher than the
designed capacity. CCF is defined as a failure of more than
one device, function, or system due to the same cause. Exam-
ples of common causes are errors in design, installation,
maintenance, or operation of redundant components. To
ensure that the designed flare capacity for a Liquefied Natu-
ral Gas (LNG) facility is appropriate, it is necessary to assess
the frequency of relieving combinations that have the poten-
tial of exceeding flare capacity during a shutdown which is
the result from a CCF. A common practice for this purpose is
to perform probabilistic risk assessment using fault tree anal-
ysis (FTA) techniques during the front-end engineering
design stage. However, CCFs are rarely or not commonly
considered in the analysis. CCFs might have a significant
impact on the final calculations, resulting in probabilities of
overloading the flare system by one or more orders of magni-
tude greater, with the potential of not meeting the project’s
tolerability threshold. The analysis starts with the identifica-
tion of CCF scenarios resulting in relief loads from one and
multiple trains. Following the identification of these scenar-
ios, the frequency of such events is quantified and compared
with each facility’s tolerability threshold. Historical data from
published sources were used to calculate the likelihood for
both CCFs and their impacts. A FTA was used to illustrate the
various outcomes that may arise from a CCF producing
simultaneous reliefs. The scope of each analysis included a
facility in multitrain operation with common infrastructure
and supporting utility systems. A one train (initial startup
case) analysis was done for a baseline comparison, and dif-
ferent scenarios were then analyzed for potential flare over-
This article was originally presented at the 10th Global Congress
on Process Safety, New Orleans, LA, March 31–April 2, 2014.
C 2014 American Institute of Chemical Engineers
V design issues, and/or software failures and bugs
Process Safety Progress (Vol.34, No.3)
load (e.g., gas compressors from two or more trains failing to
stop on demand once blowdown has started, coupled with
feed gas valves failing to close). Finally, the probability of
exceeding the flare capacity and the associated consequences
were compared against the project’s qualitative risk assess-
ment matrix to determine if the probability of flare exceed-
ance was tolerable. V C 2014 American Institute of Chemical
Engineers Process Saf Prog 34: 250–258, 2015
Keywords: fault tree analysis; liquefied natural gas; flare;
common cause failure; as low as reasonably practicable
INTRODUCTION
There are several approaches that can be used to trans-
port natural gas from its source to market. One of these
methods involves liquefaction of the natural gas at just above
atmospheric pressure and the resultant cryogenic tempera-
ture. The industry refers to these units as Liquefied Natural
Gas (LNG) plants. LNG plants consist of either single or
multigas independent liquefaction units called “LNG trains.”
Multitrain LNG plants are more common simply because
they increase the production availability. Shutting down a
single train in a multitrain unit will not result in an interrup-
tion in production because the plant will continue to pro-
duce with other (redundant) trains.
Single or multiple train emergency shutdown (ESD) inci-
dents can occur due to fault(s) in the system [1]. When a sin-
gle failure or condition affects the operation of multiple
devices that would otherwise be considered independent, a
common-cause failure (CCF) occurs. CCFs are dangerous
because they have the potential to impair multiple safe-
guards, leading to plant-wide failures and forcing a possible
plant shutdown. This can result in flare relief demands
higher than the designed capacity.
Flare systems are typically designed to meet recognized
and generally accepted good engineering practice for fore-
seeable vent and relief scenarios. They are able to handle a
predefined number of failures and credible combinations of
relief events. This is referred as normal flaring. When
multitrain units are protected by the same flare system, flare
overloading is most likely to occur, because of the possibility
of a CCF impairing multiple safeguards, or causing a plant-
wide shutdown. As such, CCFs must be identified during the
design process and the potential impact on the flare relief
functionality must be understood. Some examples of CCFs
include [2]:
 Errors in design: This commonly refers to hardware
September 2015 250

Figure 1. Probabilistic assessment method.
simultaneously affecting both the process control system
and the safety instrumented system (SIS)
 Errors during installation: Redundant components
installed in close proximity, sharing the same physical
space, and subject to fire, explosion, or flooding events
 Incorrect maintenance or no maintenance: This is likely to
happen when the same operator, for some reason, makes
the same mistake when calibrating a set of redundant
sensors.
Finally, to ensure that the designed capacity is appropriate,
it is necessary to estimate the likelihood of exceeding the flare
capacity, and compare this probability with a tolerability
threshold. The tolerability in this context refers to the willing-
ness by society as a whole to live with a risk in order to
secure certain benefits in the confidence that the risk is one
that is worth taking and that it is being properly controlled.
PROBABILITY OF EXCEEDING FLARE CAPACITY
With regard to multitrain LNG units and potential simulta-
neous reliefs from more than one train scenario at a time,
API 521 [3] addresses the dynamics of multiple system reliefs
when sizing flare systems. Not all relieving loads for an event
will peak at the same moment; rather, individual loads will
start, peak, and degrade at various times during the event.
Thus, API 521 states that “double jeopardy” occurrences are
excluded (e.g., two or more unrelated causes of overpres-
sure, such as operator error that leads to a blocked outlet
coincident with a power failure).
In sizing certain components of the relief system, such as
the blowdown header and the flare itself, credit may be
given for instrumented protective systems. Credit may also
be taken for operator intervention if certain criteria are met,
as defined in API 521; however, a conservative approach is
Process Safety Progress (Vol.34, No.3) Published on behalf of the AIChE
used because of inherent uncertainties associated with
human factors and published failure data.
Therefore, it is important to demonstrate that the risk of
simultaneous relief events with the potential of exceeding
flare capacity is tolerable and has been reduced to as low as
reasonably practicable. This article focuses on understanding
a typical multitrain LNG facility configuration and proposes a
probabilistic risk assessment approach which determines the
likelihood of flare overload as a result of combined flaring
scenarios.
Risk has been defined as the combination of the conse-
quence and likelihood of an undesired event. Excess flare
reliefs may lead to various consequences of concern,
including:
 Liquid carryover and flame rain out
 Excessive thermal radiation
 Noise
 Highly visible flame or smoke
 Mechanical integrity issues due to back pressure and
vibration
 Nuisance reports from neighboring communities affecting
company reputation
The consequences may be difficult to quantify, and in
some cases a qualitative matrix can be used to assess the
severity of the event consequences. This article only focuses
on calculating the probability of exceeding the flare capacity
of a single or multiple train plant and does not address conse-
quence analysis associated with exceeding the flare capacity.
METHOD
Overview
The method used to conduct the probabilistic assessment
can be summarized in three basic steps: problem modeling
(including the graphical representation of the relief scenarios
and preparation of input data), probability calculations, and
comparison with tolerability criteria. The detailed method is
illustrated in Figure 1 and described in subsections below:
Understand Process Design and Identify Flare Overloading Scenarios
Project documentation, including process flow diagrams
(PFDs) and piping and instrumentation diagrams, is reviewed
in order to understand the process, its safeguards, the shut-
down philosophy, and to identify the major flare overloading
scenarios. Under the assumptions for this work, a flare relief
event might occur when a total power loss incident or a
plant-wide failure happen, forcing a plant shutdown. An
excess flare relief event is then likely to occur if some critical
components fail causing the impairment of safeguards and
protective functions.
Identify Initiating Events and CCFs for Simultaneous Relief Events
The identified flare overloading scenarios are then ana-
lyzed against the design intent and the degree of integration
with power generation and other utilities to determine the
possible initiating events and CCFs leading to potential flare
overload. In general, these flare relief systems are designed
to safely handle a wide range of relief loads, but specific
combination of component faults (probably caused by
CCFs), either in one train or mixing components from differ-
ent trains have the potential to trigger an excess flare relief
event.
Identify Failure Frequencies
Historical data from published sources are used to calcu-
late the likelihood for the basic events and CCFs. Generic
data from public domain databases can be found in the Off-
shore Reliability Data (OREDA) [2], Institute of Electrical and
DOI 10.1002/prs September 2015 251
Electronics Engineers (IEEE) [4], Stiftelsen for Industriell og
Teknisk Forskning (SINTEF) [5], Centre for Marine and Petro-
leum Engineering (CMPT) [6], and International Association
of Oil and Gas Producers (OGP) [7].
Model the Causes of Each Simultaneous Relief Scenario
The identified flare overloading scenarios, including their
initiating events and CCFs (called basic events) can be mod-
eled by using a fault tree analysis (FTA) approach. FTA is a
tool for systematically identifying root causes of an undesired
event (top event), by graphically representing their basic
events and interdependencies, and by calculating the proba-
bility of the top event occurring, in this case the flare over-
loading event.
Determine the Probability of Exceeding Flare Capacity for Each
Simultaneous Relief Scenario
Fault trees are typically quantified by first calculating the
probability of basic events (initiating events, failure of pro-
duction train safeguards, CCFs, etc.) as seen in Table 1, and
then combining the different outcomes of these basic events
through logic gates (AND, OR) into one single top event, in
this case the probability of exceeding flare capacity.
Failure of basic events can further be classified as either
“detected” or “undetected.” Undetected failures are usually
evaluated as “probability of failure on demand” (PFD). The
probability of failure on demand quantifies the likelihood
that a system will fail to perform as designed due to danger-
ous undetected failures (with rate k failures per year) during
the period when it is not known that the function is unavail-
able [8]. The average duration of this period is T/2, where T
5 test period. For small values of k
T (less than 0.02),
PFD 5 k
T/2.
The probability calculation for multiple redundant compo-
nents assumes a repairable system with unrevealed failures
where function tests are carried out simultaneously [5]. A SIS
with M out of N (MooN) voting scheme will achieve its func-
tion if at least MooN components execute the system com-
mand upon signal (in this case to stop on demand). In other
words, the system can tolerate N 2 M failures, but not more.
For example, for a system where 17 out of 18 units are
required to operate (17oo18 voting) then “18 2 17 1 1 5 2”
must fail for the system to fail.
The modeling of CCFs can be performed by using the
multiple beta factor model described in the SINTEF method
[5]. The multiple beta factor model also considers common
cause factors (b) as the standard beta model but introduces
a correction factor C(MooN) that modifies the contribution
of CCFs for different voting configurations (See Table 2).
This common cause factor varies with the number of com-
ponents involved.
Figure 2. Simplified block flow diagram (one LNG train—typical).
252 September 2015 Published on behalf of the AIChE
Compare Probability against Project Tolerability Criteria
Once the probability of exceeding flare capacity is deter-
mined by analyzing foreseeable combinations of multitrain
scenarios, the risk can be qualitatively or semiquantitatively
assessed using a risk assessment matrix. Applicable company
or regulatory standards in risk assessment can and should be
applied to compare the risk to the appropriate tolerability
criteria. Risk tolerance (project’s tolerability threshold) is typi-
cally defined based on common practice or client’s input,
and it is not part of the scope of this article. For this study,
the results were compared to an assumed tolerability thresh-
old of 1.00 E 207 in 1 year.
It should be noted, though, that for typical onshore facili-
ties, this threshold could range between 1.00 E 204 and 1.00
E 207 in 1 year, depending on land use around industrial
facilities and other factors. For example, the Major Industrial
Accidents Council of Canada [9] sets acceptability levels of
1.00 E 205 to 1.00 E 206 in 1 year for “. . .uses involving con-
tinuous access but easy evacuation, e.g., commercial uses, low
density residential areas, offices” and beyond 1.00 E 206 in 1
year for “. . .all other land uses without restriction including
institutional uses, high density residential areas, etc.”
CASE STUDY
The case study presented in this section illustrates the
effect of considering CCFs in the risk analysis of the flare
overloading scenarios, compared with the same case without
the consideration of CCFs. In this case study, it is assumed
that an excess flare relief event might occur in a typical
multitrain LNG plant when an initiating event and a defined
set of equipment components simultaneously fail due to a
CCF. Figure 2 shows a block flow diagram depicting a simpli-
fied version of the liquefaction subsystem of one LNG train. It
uses a typical cascade liquefaction process with the usual heat
exchangers, refrigeration loops, and emergency shutdown
valves (SDVs) for the inlet feed gas (the high integrity pres-
sure protection system [HIPPS] valves shown in the figure).
This simplified plant can operate under two configura-
tions: one train or two parallel trains. The one-train scenario
is powered by four active electrical generators, one spare
generator, six refrigeration compressors, and three SDVs for
the feed gas. The number of components for the two-train
scenario is almost doubled, except that the power generation
unit only adds two extra active generators. By design, the
power generation system is common to both trains.
One-Train Scenario
Initiating Event (OR gate)
 Local power loss, assumed to occur when 2oo4 gas
turbine generators (GTG have a critical failure AND
DOI 10.1002/prs Process Safety Progress (Vol.34, No.3)
Table 1. Failure frequencies and probabilities.

Test Failure Probability

Equipment/Initiating Interval Failure Rate/Year of Failure
Event Failure Mode (year) Rate/106 h (k) (in 1 year) Source/Comment
Gas Turbine (Generator Critical failure excluding 242 2.12 E 100 8.80 E 201 OREDA 2002, p.153 [2]
driver) - GTG (1) failure to start or stop (Excludes failure to
on demand start or stop on
demand)
2oo4 Gas Turbine (Gen- Critical failure excluding 1.35 E 203 Probability calculation is
erator driver) - GTG failure to start or stop explained in Appen-
(3oo4 Voting) (2) on demand dix (2)
2oo4 Gas Turbine (Gen- Common Cause Failure 2.55 E 201 CCF factor 5 0.1 3 2.9
erator driver) - GTG - (Table 2). Probability
CCF(3oo4 voting) (3) calculation is
explained in Appen-
dix (3)
Electric Generator (Gas Failure to ramp-up elec- 1.44 1.26 E 202 1.25 E 202 OREDA 2002, p.325 [2]
turbine driven) trical load (failure to start on
demand, assumed to
be equivalent to fail-
ure to ramp-up elec-
trical load on
demand)
Emergency shutdown Gas release event 3.50 E 204 3.50 E 204 OGP - Process Release
(gas release >50 mm) Frequencies [7]
- one compressor (4)
Emergency shutdown Gas release event 2.10 E 203 Large gas release event
(gas release >50 mm) probability calculation
- 1oo6 compressors uses frequency values
taken from OGP -
Process Release Fre-
quencies [7] as
explained in Appen-
dix (5)
Inadvertent trigger of Manual shutdown 2.00 E 100 8.65 E 201 Operational experience
manual ESD (taken from similar
studies)
Gas Turbine (Compres- Failure to stop on 1 0.97 8.50 E 203 4.25 E 203 OREDA 2002, p.153 [2]
sor driver) - GTC (6) demand
2oo6 Gas Turbine Failure to stop on 2.71 E 204 Probability calculation is
(Compressor driver) - demand explained in Appen-
(GTC) dix (7)
Feed valve - High Integ- Failure to close on 1 7.96 6.97 E 202 3.49 E 202 OREDA 2002, p. 685 [2]
rity Pressure Protec- demand Failure rate for Shut-
tion System (HIPPS) down Valve (SDV)
(8) reduced by half to
reflect highly reliable
HIPPS valve
Common Cause Failure Failure to close on 1 7.96 6.97 E 202 5.23 E 204 CCF factor 5 0.03 3 0.5
(CCF) of three feed demand (Table 2). Probability
valves (HIPPS) calculation is
explained in Appen-
dix (3)

the running spare GTG fails to ramp-up electrical load
on demand.
 ESD, prompted by operator action in case of a signifi-
cant (>50-mm hole) hydrocarbon release in 1oo6
compressors.
 Inadvertent manual shutdown.
Equipment Failure
 2oo6 compressors fail to stop on demand AND feed
valves fail to close on demand in a single train.
Two-Train Scenario
Initiating Event (OR gate)
 Local power loss, assumed to occur when 3oo6 GTG
have a critical failure AND the running spare GTG fails
to ramp-up electrical load on demand.
 ESD, prompted by operator action in case of a signifi-
cant (>50-mm hole) hydrocarbon release in 1oo12
compressors.
 Inadvertent manual shutdown (1oo2 trains).

Process Safety Progress (Vol.34, No.3) Published on behalf of the AIChE DOI 10.1002/prs September 2015 253
Table 2. Common cause factors.

Failure Voting Configuration Modification Factor Common

Component b* Configuration (MooN) C(MooN)** Cause Factor†
Gas Turbine (Gener- 0.1 2oo4 3oo4 2.9 0.29
ator driver)—GTG
Feed Valve (HIPPS) 0.03 3oo3 1oo3 0.5 0.02

*b Factor ranges between 0.01 for highly diverse components to 0.1 for similar components or systems [8].
**C(MooN) means modification factor for MooN success (voting) configuration.
†
Common cause factor 5 b 3 C(MooN).

Figure 3. Fault tree for one-train scenario—includes CCF events. [Color figure can be viewed in the online issue, which is
available at wileyonlinelibrary.com.]

Equipment Failure The basic configuration presented in Figure 2 was used

 2oo6 compressors fail to stop on demand AND feed
valves fail to close on demand, in one of the trains
(1oo2 trains) OR
 2oo6 compressors fail to stop on demand in one train
AND feed valves fail to close on demand in the second
train. The frequency analysis also includes the possibil-
ity that the feed valves fail to close on demand in the
first train, AND 2oo6 compressors fail to stop on
demand in the second train.
for all scenarios in this case study.
The equipment components described here are the only
ones involved in the calculations, and their failure is consid-
ered either an initiating event or a trigger of a relief event.
Under the assumptions for this work, a flare relief event
might occur when a total power loss incident or a plant-
wide failure happen, forcing a plant shutdown. These
would be called initiating events. However, if all related
protective functions and safeguards work as expected

254 September 2015 Published on behalf of the AIChE DOI 10.1002/prs Process Safety Progress (Vol.34, No.3)
Figure 4. Fault tree for two-train scenario—includes CCF events. [Color figure can be viewed in the online issue, which is
available at wileyonlinelibrary.com.]
following the plant shutdown, an excess flare relief event is
not likely to occur.
Now, an excess flare relief event is possible if some criti-
cal components fail causing the impairment of safeguards
and protective functions. In general, these flare relief sys-
tems are designed to safely handle a wide range of relief
loads, but specific combination of component failures,
either in one train or mixing components from different
trains have the potential to trigger an excess flare relief
event.
RESULTS
Input Data
The failure data and probabilities used were generic data
from published sources such as OREDA [2], SINTEF [5],
CMPT [6], etc. The same values were used when analyzing
all train configurations. Values of the common cause factor
“b” and modification factors used in this analysis are shown
in Table 2 [5]. Failure frequencies and probability calculations
for the basic events in the fault tree diagrams are listed in
Table 1. More detailed information regarding the values in
Table 1 is provided in Appendix.
Fault Tree Modeling
Fault tree diagrams were developed for all scenarios as
follows:
 Figure 3: Fault tree diagram for the one-train scenario,
including CCF events. For the no CCF case, it is assumed
that CCF in the model is zero.
Process Safety Progress (Vol.34, No.3) Published on behalf of the AIChE
 Figure 4: Fault tree diagram for the two-train scenario
including CCF events. For the no CCF case, it is assumed
that CCF in the model is zero.
FTA Results
The results of the analyses (probability of overloading
the flare system in 1 year) are presented separately in
Table 3 (one-train scenario) and Table 4 (two-train sce-
nario). Values in bold represent the calculated probabilities
for the the main gates of each fault tree (Top event, initiat-
ing events, and relief events).
CONCLUSIONS AND RECOMMENDATIONS
The results from the FTA indicate that the probability of
overloading the flare system in 1 year falls below the proj-
ect’s tolerability threshold of 1.00 E 207 in 1 year, for both
scenarios, when CCFs are not taken into account. However,
when CCFs are included in the analysis, the flare relief prob-
abilities of both scenarios clearly fall above the project’s tol-
erability threshold of 1.00 E 207 in 1 year.
As shown in Tables 3 and 4, the main contributor to the
overall probability of overloading the flare system in 1 year,
regardless of CCFs, is clearly human factors (Risk driver 1).
However, when CCFs are considered in the analysis, the
main driver for the difference in probability of overloading
the flare system in 1 year is the adjusted reliability of the
HIPPS system (Risk driver 2).
Incorporating CCFs to the calculations resulted in prob-
abilities of overloading the flare system almost two orders
of magnitude greater. This allowed for timely project
DOI 10.1002/prs September 2015 255
Figure 4. (Continued)
adjustments to bring flare exceedance to tolerable levels,
and iteration of the fault trees until the tolerability
threshold was met. Had the impact of CCFs been
neglected, the resulting probability would have been
deemed satisfactory which would have potentially yielded
misleading conclusions.
Since the risk did not meet the tolerability criterion, the
project team made the following recommendations:
 Risk driver 1: Perform a detailed human factors reliabil-
ity study to improve operational procedures, examine
256 September 2015 Published on behalf of the AIChE
and possibly redesign the ESD control panel, and
increase the quality of operators training and aware-
ness to minimize the possibility of human error result-
ing in inadvertent shutdown.
 Risk driver 2: Increase the testing frequency of
components used on demand to increase their reliability
(e.g., fuel gas valves used to stop the gas turbines
driving the refrigeration compressors, feed gas HIPPS
valves).
 Perform additional evaluations to evaluate further risk
reduction.
DOI 10.1002/prs Process Safety Progress (Vol.34, No.3)
Table 3. Fault tree analysis results (one-train scenario).

Probability without Probability with

Event CCF (in 1 year) CCF (in 1 year)
Top Event 9.97 E 209 1.33 E 207
Initiating Events (OR): 8.65 E 201 8.66 E 201
General power loss (2oo4 active 1.69 E 205 3.20 E 203
GTGs 1 1 spare GTG fail)
Manual emergency shutdown (gas 2.10 E 203 2.10 E 203
release >50 mm in 1oo6 compressors)
Inadvertent manual shutdown (two 8.65 E 201 8.65 E 201
times per year)
Relief Events (AND): 1.15 E 208 1.53 E 207
2oo6 refrigeration compressors fail to 2.71 E 204 2.71 E 204
stop on demand
Three Feed valves (HIPPS) fail to close 4.25 E 205 5.65 E 204
on demand

Table 4. Fault tree analysis results two-train scenario.

Probability without Probability with

Event CCF (in 1 year) CCF (in 1 year)
Top Event 2.24 E 208 9.33 E 206
Initiating Events (OR): 9.82 E 201 9.82 E 201
General power loss (3oo6 active 8.50 E 207 2.64 E 203
GTGs 1 1 spare GTG fail)
Manual emergency shutdown (gas 4.19 E 203 4.19 E 203
release>50 mm in 1oo12 Compressors)
Inadvertent manual shutdown of 1oo2 9.81 E 21 9.82 E 201
trains (two times per year)
Relief Events (OR): 2.28 E 208 9.51 E 206
2oo6 refrigeration compressors fail to 2.28 E 208 9.51 E 206
stop on demand AND feed valves fail to
close on demand (1oo2 trains)
1oo6 refrigeration compressors fail to 1.15 E 212 2.04 E 210
stop on demand AND feed valves fail to
close on demand (2oo2 trains)

FUTURE WORK given by the exponential distribution [8]: F(t) 5 1 2

Other risk reduction measures to be considered in future
work or applications:
 The impact of human factors to be studied in more detail
in future work on this topic. Human error is a common
initiating event that could potentially lead to future acci-
dental flare discharge.
 The efficiency of mechanical inspection and maintenance
can be improved to lower the probability of a major acci-
dental gas release which would require an emergency
plant shutdown.
 One suggested measure to decrease the probability of excess
flaring is to reduce the inspection and maintenance intervals.
This will likely result in less frequent mechanical and power
failure which in turn has the potential generate improved reli-
ability and availability of the equipment. A future study could
be carried out to compare the effect of maintenance at standard
intervals versus risk-based maintenance on the flare capacity
exceedance scenarios.
APPENDIX
1. Probability of failure of 1 Gas Turbine Generator
(GTG) 5 P(1 GTG) 5 1 2 Exp(22.12 E 100 3
1) 5 8.80 E 201 in 1 year. The probability of failure in
a time period t, assuming a constant failure rate k, is
exp(2kt).
2. Probability of failure of 2 out of 4 GTGs 5 P(2oo4
GTGs)(3oo4 Voting). A system with MooN voting will function
if at least M out of N components function. Or said another
way, the system can tolerate N 2 M failures, but not more.
This means that the system fails if N 2 M 1 1 or more com-
ponents fail. Thus, (MooN) refers to a system that fails by
failure of N 2 M 1 1 components or more. For example, for
a system where M units (3) are required to operate out of N
(4) then N 2 M 1 1 (4 2 3 1 1) must fail for the system to
fail (F 5 N 2 M 1 1 5 2). P(FooN GTGs)(MooN Voting) 5 N!/
[(M 2 1)!(N 2 M 1 1)!]
[k(N 2M 1 1)]
[MDT(N 2 M 1 1)] where
MDT 5 Unit downtime 5 Mean time to repair (MTTR) 1
Mean time to mobilize (MTTM). PFD (2oo4 GTGs)(3oo4
Voting) 5 4!/[(3 2 1)!(4 2 3 1 1)!]
[2.12 E 100(4 2 3 1 1)]
[(38
(4 2 3 1 1)
1 24)/8760] 5 1.35 E 203 in 1 year. The probability
calculation assumes a repairable system with revealed fail-
ures [8].
3. Common Cause Failure (CCF) of 2oo4 GTGs with 3oo4
voting 5 b
C(3oo4)
(Probability of failure of 1 GTG) 5 0.1
3 2.9 3 8.80 E 201 5 2.55 E 201 in 1 year. C(3oo4)
means correction factor for 3oo4 success (voting) config-
uration, or said another way, 2oo4 failure configuration
C(3oo4) 5 2.9.
4. Large gas release event frequency 5 3.50 E 204 in 1
year—Used to approximate the frequency of manually

Process Safety Progress (Vol.34, No.3) Published on behalf of the AIChE DOI 10.1002/prs September 2015 257
 initiated simultaneous shutdown events. Furthermore, the
rupture frequency data is dominated by compressor
releases. Source: Process Release Frequencies, OGP,
Report No. 434-1. March 2010, Section 2.0 – Equipment
Type: (9) Compressors Centrifugal – Hole
diameter > 50 mm – Limited Releases.
5. Large gas release event probability (1oo6
compressors) 5 1 2 (1 2 3.50 E 204)6 5 2.10 E 203 in 1
year. The calculation is based on the “addition rule” [8]
where the probability of one or more of n events occur-
ring is: 1 2 (1 2 Pa)(1 2 Pb),. . ..,(1 2 Pn). If all items
are the same, the formula reduces to 1 2 (1 2 Pa)n.
6. Probability of failure to stop one Gas Turbine Compressor
(GTC) on demand 5 PFD(1 GTC) 5 (8.50 E 203)
1/
2 5 4.25 E 203 in 1 year. The probability of failure on
demand for safety systems not used continuously or only
in emergencies, assuming a constant failure rate k and a
test interval T, can be approximated by the following
expression if kt is small: PFD5 k
T/2.
7. Probability of failure to stop 2oo6 Gas Turbine Compres-
sors (GTC) on demand 5 PFD(2oo6 GTC) 5 1 2 (1 2
[PFD(GTC1) 3 PFD(GTC2)]) 3 (1 2 [PFD(GTC1) 3
PFD(GTC3)]) 3 . . . 3 (1 2 [PFD(GTCn 2 1) 3
PFD(GTCn)]) 5 1 2 (1 2 [PFD(1 GTC) 3 PFD(1
GTC)])Comb(2oo6) 5 1 2 (1 2 [4.25 E 203 3 4.25 E
203])15 5 2.71 E 204 in 1 year. The calculation is based
on the “addition rule” [8] where the probability of one or
more of n events occurring is: 1 2 (1 2 Pa)(1 2
Pb),. . ..,(1 2 Pn). If all items are the same, the formula
reduces to 1 2 (1 2 Pa)n. In this case, “Pa” is the proba-
bility of two of the GTCs failing to stop, for example,
GTC1 and GTC2, joined by an AND gate.
Comb(2oo6) 5 15 means that we can arrange 15 combi-
nations of two elements out of six.
8. Probability of failure to close one feed valve (HIPPS) on
demand 5 PFD(1 feed valve) 5 (6.79 E 202)
1/2 5 3.49 E
202 in 1 year. The probability of failure on demand for
safety systems not used continuously or only in emergen-
cies, assuming a constant failure rate k and a test interval
T, can be approximated by the following expression if kt
is small: PFD 5 k
T/2.
258 September 2015 Published on behalf of the AIChE
LITERATURE CITED
1. NASA, Fault Tree Handbook with Aerospace Applica-
tions, NASA Office of Safety and Mission Assurance,
Washington, DC, 2002.
2. OREDA, Offshore Reliability Data Handbook, 4th ed.,
Prepared by SINTEF Technology and Society, Trondheim,
Norway, 2002.
3. American Petroleum Institute, ANSI/API Standard 521,
Pressure-relieving and Depressuring Systems, Fifth Edi-
tion, American Petroleum Institute, Washington, DC,
2007.
4. IEEE 493 - Recommended Practice for the “Design of
Reliable Industrial and Commercial Power Systems,” Insti-
tute of Electrical and Electronics Engineers, 2007, Avail-
able at http://standards.ieee.org/downloads/493/
493-2007/493-2007.AnnexQ.pdf [Accessed 14 October
2014].
5. SINTEF A17956, Reliability Prediction Method for Safety
Instrumented Systems – PDS Example Collection, SINTEF
Technology and Society, 2010 Edition, Available at http://
www.sintef.no/project/PDS/Reports/PDS%20example
%20collection%2024-01-11_open.pdf [Accessed 14 Octo-
ber 2014].
6. Centre for Marine and Petroleum Technology (CMPT), A
Guide to Quantitative Risk Assessment for Offshore
Installations, CMPT, Aberdeen, UK, 1999.
7. International Association of Oil & Gas Producers (OGP),
Process Release Frequencies, Report No. 434-1, March
2010, Available at http://www.ogp.org.uk/pubs/434-
01.pdf [Accessed 14 October 2014].
8. D.J. Smith, Reliability, Maintainability and Risk, 7th Edi-
tion, Elsevier, Oxford, UK, 2005.
9. Major Industrial Accidents Council of Canada (MIACC),
Risk-Based Land Use Planning Guidelines, First Edition,
1995, Available at http://www.cheminst.ca/sites/
default/files/pdfs/Connect/PMS/Risk-Based%20Land
%20Use%20Planning%20Guidelines.pdf [Accessed 14
October 2014].
DOI 10.1002/prs Process Safety Progress (Vol.34, No.3)