Example: LPG Storage System
Consider the LPG storage system shown in the Figure. In the event of failure of the level control system (LT, LIC, LCV) the inflow is assumed always to exceed the outflow. Hence the level in the LPG storage tank will rise. An independent high level alarm system (LSH, LAH) is provided to warn the operator of a rise in level. Another independent high-high level trip system (LSHH, LXV) is provided to shut-off the LPG flow when the level in the storage tank is too high. As a last resort, a pressure safety valve (PSV) is provided to relief the excess LPG to the flare header, although this is not desirable as there is the danger that the line could block due to presence of water. The cold LPG could also cause the line to fail due to brittle fracture, releasing LPG to the atmosphere.
The acceptable criteria for the top event “LPG Tank Overfill” is set at 0.0015 occ/yr.
Based on the given information (see Table), determine if the existing safety measures are adequate to meet the required acceptable risk criteria. Also assume a 3-month test interval for both level alarm system and level trip system. Both systems are disarmed for 30 minutes during testing, and the probability of inadvertent isolation after testing is 0.005 for both systems. Also given the probability of operator failure as 0.048.
Given: The following failure rates (occ/yr):
Solution
The fault tree for the top event “LPG tank overflows, LPG enters flare header” is shown in the Figure.
The failure rate for each system is calculated from their component failure rates, as shown below.
For the level control system: from above, failure rate = 0.55 occ/yr
We need to compute the total failure probability of the level alarm system and level trip system. Note that human reliability has been included, in terms of inadvertent isolation after testing, as well as operator failure to take action despite the alarm.
For the level alarm system:
Fractional dead time, 
Unavailability of system due to disarm
Unavailability of system due to inadvertent isolation = 0.005
Total fractional dead time = 0.03375 + 0.000228 + 0.005 = 0.038978
For the level trip system:
Fractional dead time, 
Unavailability of system due to disarm
Unavailability of system due to inadvertent isolation = 0.005
Total fractional dead time = 0.04375 + 0.000228 + 0.005 = 0.048978
These numbers are entered into the fault tree as shown:
The frequency of the top event is 0.002293 occ/yr, which is unacceptable as it is greater than the acceptable criteria of 0.0015 occ/yr.
It is therefore decided that a duplicate trip system should be provided, identical in all aspect to the original system. With a failure probability of 0.0118 (taken as given without calculations), it can be seen that the top frequency is now within the specified criteria.
