3443-SZ-RT-101 Attachment 15

FLARE RISK AND SIL ASSESSMENT REPORT

FLARE SYSTEM UNIT 6800 – HDPE 320 KT/Y MUNCHSMUNSTER – GERMANY

Reference Standard: CEI EN 61508:2002 – EN 62061:2005 – EN ISO 13849-1:2006 – CEI EN 50156-1:2006

A qualitative method of risk and SIL assessment was used, according to the following risk graph and risk classification Table (taken from CEI EN 61508:2002)

Risk graph

document.doc Page 1 of 8

Table of risk classification and assessment

document.doc Page 2 of 8

Notes:1) Formation of vacuum in the Flare Stack is not considered in the analysis below.

Information about the measures provided in order to prevent vacuum formation are provided in a separate document.

2) Logic solver of all the loop listed below is the Flare ignition control panel, PLC Not safety related.

Smokeless Steam Supply Loop – 5FIC 68142Item Possible fault Fault consequence and comments Item

SILC F P W Required

SIL5FT-68142Steam flow transmitterModel: ABB – 2006T 264 DS FS

Missed operation or wrong flow data transmission

Excessive or insufficient steam delivery. The rated steam flow shall remain in the range of 15 % of total flare gas flow. Lower flow may generate unwanted smoke. Excessive flow means lost of money.

Not needed

C1 F2 P1 W2 a

5FT-68135Flare gas flow transmitterModel: FCI - ST98 – 25NNOWDDWCA

Missed operation or wrong flow data transmission

Not needed

5PT-68133Flare gas pressure transmitterModel: ABB – 2006T 264 HS GS

Missed operation or wrong pressure data transmission

Not needed

5TT/TE-68135Flare gas temperature transmitterModel: ABB - TTF300

Missed operation or wrong temperature data measurement/transmission

Not needed

5FV-68142Steam flow adjusting valveModel: FISHER ROSEMOUNT – GX DVC 2000 HC AFC type

Mechanical fault to both valve and actuator or electric fault to solenoid valve or pneumatic fault to actuator; possible lack of compressed air

Not needed

document.doc Page 3 of 8

K.O. Drum Heating Loop – 5TIC-68132 & 5I-68101Item Possible fault Fault consequence and comments Item

SILC F P W Required

SIL5TV-68132Heating steam control valveModel: FISHER ROSEMOUNT GX DVC 2000 HCAFO type

Mechanical fault to both valve and actuator or electric fault to solenoid valve or pneumatic fault to actuator; possible lack of compressed air

Increase of liquid level inside the drum. Overfilling of the KO Drum is prevented by starting of the pump caused by LSH68136. Furthermore liquid accumulated in the drum will be removed by evaporation and carry over of condensate to the water seal.High level may determine water dragging into the stack and consequent smoke generation.

Not needed

C1 F2 P1 W2 a

5TT-68132K.O. Drum liquid temperature transmitterModel: ABB – TTF 300

Missed operation or wrong temperature data measurement/transmission

Ice formation on drainage with condensate level increase inside the K.O. drum.Ice formation in the flare stack is prevented by independent temperature control 5TIC 68170.High level may determine water dragging into the stack and consequent smoke generation.

Not needed

5LSL-681375LSH-681365LSLL-681405LSHH-68139Model: OFFICINE OROBICHE - 72-LF2.2.M2.WP.R1.XX

Missed alarm generation Decrease/increase of liquid level inside the K.O. Drum.Very high level and very low level in the drum are prevented by independent temperature control 5TIC68132.

Not needed

C1 F2 P1 W2 a

document.doc Page 4 of 8

Continuous Pilot Fuel Gas Supply Loop – 5IS-68110Item Possible fault Fault consequence and comments Item

SILC F P W Required

SIL5PSL-68111Low Pressure SwitchModel: UEC - 12SHSN9C

Missed or bad signal If the signal is not issued in case of low flow, the impossibility exists to command the opening of bottle gas shut off valve. Possible extinction of one or all pilots, but pilot OFF status will be indicated within short time by the relevant alarm to DCS. All pilots extinguished could determine flare gas emission into the atmosphere.

Not avail-able

C3 F2 P1 W2 25XV-68122Bottle gas shut off valveModel: ALFA VALVOLE - GT-SE-75AFC type Solenoid valve 5XY-68122-SMod.: ASCO JUCOMATIC 327-B-111

Mechanical fault to both valve and actuator or electric fault to solenoid valve or pneumatic fault to actuator; possible lack of compressed air

A fault could bring to lack of fuel gas from bottles in case of normal fuel gas flow reduction or missing.

Independent low pressure alarm 5PAL68129 is a safeguard against lack of fuel gas.

2*

*) Solenoid valve SIL 3, Shut-off valve actuator SIL2, shut-off valve under test (SIL 2 to be achieved)

Actions to be taken:

1) Replacement of 5PSL-68111 with equivalent Pressure Transmitter at least SIL 2 certified.2) Replacement of the ignition control panel relay with at least SIL 2 certified threshold.3) Provision of SIL 2 certification for the valve 5XV-68122.

document.doc Page 5 of 8

Continuous Pilot Status Detection AlarmItem Possible fault Fault consequence and comments Remarks

5TE-68160A/B5TE-68162A/B5TE-68164A/BThermocouples

Model: EUROMISURE – TCKD 3900

Thermocouple tip burning. Pilot status not detected.Flare gas could be emitted into the atmosphere only if all three pilots would be extinguished at the same time which is almost impossible. A single lighted pilot is usually sufficient to generate the ignition of flare gas flow.In case of each thermocouple failure a warning signal would be issued to DCS, shutdown console and local panel.

Hardwired signal to shutdown console is provided. No further action are required

O2 Analyzer AlarmItem Possible fault Fault consequence and comments Remarks

5FI-68168A/BO2 analyzerModel DRAGER - POLYTRON 7000

Wrong measurement of O2

content in stack

Lack of carrier gas (Nitrogen)

Potential explosive atmosphere inside the stack.This scenario is prevented by the purge gas loop the switch automatically to fuel gas as soon as the PSL is activated (PSL is set in order to guarantee a minimum to the purging system).

No safety relevant scenarios have been considered as credible.

document.doc Page 6 of 8

Water Seal Loop – 5I-68111 & 5TIC68170Item Possible fault Fault consequence and comments Item

SILC F P W Required

SIL5LSL-68174

Model: OFFICINE OROBICHE – 72-LF2.2.M2.WP.R1.XX

Missed alarm generation and wrong command of shut off valve

If water level decreases below bottom edge of inlet flare gas pipe, sealing action does not exist any longer and a back firing could continue along flare gas header. Prevention against the back firing is continuous purging with Nitrogen.

Not Needed

C1 F1 P1 W2 -5XV-68171Water shut off valveModel: ALFA VALVOLE - GT-93-K3Solenoid valve Mod.: ASCO JUCOMATIC 327-B-111

Mechanical fault to both valve and actuator or electric fault to solenoid valve or pneumatic fault to actuator; possible lack of compressed air.

Not Needed

5LSH-681775SLHH-68176Model: OFFICINE OROBICHE – 72-LF2.2.M2.WP.R1.XX

Missed alarm generation In case of very high level, water could enter flare gas header. Not credible scenario, a lot of safeguard prevent this scenario.The main safeguard is the provision of an open overflow which send back water to the discharge pit. Furthermore, independent high level alarm 5LAHH-68176 is provided.

Not Needed C1 F1 P1 W2 -

5TE/TI-68170Temperature switchModel: ABB – TTF 300

Missed operation or wrong generation of signal to TIC that controls the 5TV-68170

Missed supply of heating steam. Possible formation of too high or too low level.Independent TAL and TAH 68171 provided.Independent switch opening/closing the water seal feeding valve is provided.Electrical tracing is provided to prevent any freezing in the water seal

Not Needed

C1 F1 P1 W2 -5TV-68170Control valveModel: FISHER ROSEMOUNT – GX DVC 2000 HCAFO type

Mechanical fault to both valve and actuator or electric fault to solenoid valve or pneumatic fault to actuator; possible lack of compressed air

Not Needed

document.doc Page 7 of 8

Fuel Gas Purge Loop – 5I 68126Item Possible fault Fault consequence and comments Item

SILC F P W Required

SIL5PSL-68126Pressure switchModel: UEC - 12SHSN98

Missed alarm generation of low Nitrogen pressure.

The normal Nitrogen purge does not exist, the risk of explosion is present, which could happen in case of back firing.

Not avail-able

C3 F2 P1 W1 1

5XV-68127Fuel gas shut off valveModel: ALFA VALVOLE - GT-SE-75AFO type

Solenoid valve 5XY-68127-S Mod.: ASCO JUCOMATIC 327-B-111

Mechanical fault to both valve and actuator or electric fault to solenoid valve or pneumatic fault to actuator; possible lack of compressed air

The level of O2 increases beyond the maximum allowed threshold, which means that normal Nitrogen flow does not exist or it is insufficient. Therefore the supply of fuel gas must start. If this does not happen, as a consequence of a fault to the control valve, the risk of explosion is present, which could happen in case of back firing.W1 is selected because the Nitrogen supply is quite reliable.

A by-pass with manual valve and the Oxygen analyzer alarm 5AAH68167 act as safeguard.

2*

*) Solenoid valve SIL 3, Shut-off valve actuator SIL2, shut-off valve under test (SIL 2 to be achieved)

Actions to be taken:

1) Replacement of 5PSL-68126 with equivalent Pressure Transmitter at least SIL 1 certified.2) Replacement of the ignition control panel relay with at least SIL 1 certified threshold.3) Provision of SIL 2 certification for the valve 5XV-68127.

document.doc Page 8 of 8