Industry

Siemens AG, I IA AS PA EC C PS, Industriepark Höchst, Name Dr. Frank Westphal

65926 Frankfurt am Main
Department I IA AS PA EC C
Process Safety

Siemens AG Telefone +49 (69) 305-5777

Mr Michael Stay Telefax +49 (69) 305-25609
I IA AS SM MP 5 E-Mail frank.westphal@siemens.com
Östl. Rheinbrückenstraße 50
PS-20080302-Wes
76187 Karlsruhe Date 16.09.2009

Report-No. 20080302-Wes

y
Typical solutions for safeguarding equipment and plants in the chemical industry

l
on
Task
Safety concepts are established for typical applications frequently used in the chemical industry. These
safety concepts are subsequently realized with Siemens-components.
e
1. Protection of a distillation column against excessive overpressure
us

2. Exothermal dosing reaction: production of Grignard-reagents

3. Milling of a dust explosive product including pneumatic transportation
4. Safeguarding of a steam boiler
al

The following tasks should be discussed::

rn

- Generation of simplified P&I-diagrams

- Description of the process using typical properties
te

- Process safety analysis in tabular form

- Highlight of alternative safety measures
In

- SIL classification of safety instrumented systems

The process safety analysis and the classification of the SIS is carried out according to the so-called
‚Hoechst Hazard Analysis’, which is described in a brochure from January 2004 by the german federal
agency of occupational health and safety.

Siemens AG Briefadresse: Hausadresse:

Industry Sector Siemens AG Industriepark Höchst
Leitung: Heinrich Hiesinger I IA AS PA EC C PS 65926 Frankfurt am Main
Industriepark Höchst Tel.: +49 (69) 305 0
65926 Frankfurt am Main
Siemens Aktiengesellschaft: Vorsitzender des Aufsichtsrats: Gerhard Cromme
Vorstand: Peter Löscher, Vorsitzender; Wolfgang Dehen, Heinrich Hiesinger, Joe Kaeser, Erich R. Reinhardt,
Hermann Requardt, Siegfried Russwurm, Peter Y. Solmssen
Sitz der Gesellschaft: Berlin und München; Registergericht: Berlin Charlottenburg, HRB 12300, München, HRB 6684
WEEE-Reg.-Nr. DE 23691322

20080302_usecases_report.doc Seite 1 von 10

 Report from 16.09.2009

To Mr Michael Stay
Report PS-20080302-Wes

1. Protection of a distillation column against excessive overpressure

A chemical reaction produces only in very seldom cases clean, pure products. More often a mixture of
products, solvents and side-products is generated. The treatment of liquid mixtures in distillation or
rectification columns is therefore a widely used unit operation in a chemical plant. With the exception of
the special case of reactive columns, the distillation is a purely physical process. Heat is supplied in a
bottom heater and removed in a top condenser.
Irrespectively, if the column is filled with packings or trays, the safety concept for preventing an
excessive pressure increase is always based on switching off the heat supply by closing a valve in the
bottom heater. If thermally instable substances are handled, it can be necessary to install an additional
temperature control and switch.

_ In the present example a low-boiling product is separated from a high-boiling product in a continuously
operating distillation column. The mixture is charged in the middle of the column.
The heat is supplied to the bottom of the column via a circulation boiler, which operates with steam. The

y
top product is condensed in a heat exchanger with cooling water and routed back into the column via a

l
collecting vessel. Figure 1 is a sketch of the column and the relevant measuring devices and controls for

on
the pressure protection.
In Enclosure 1 a tabular process safety analysis according to the ‚Hoechst Hazard Analysis’ is given.
For the hazard analysis it is assumed, that the composition of the feed flow into the column lies within
e
the given specifications. Furthermore, chemical reactions between the substances are not considered,
except the decomposition of the thermally unstable bottom product.
us

The pressure control PRCA+ZA++110 and the temperature control TIRCS-ZA-106 are identified as
safety relevant. For the classification of the pressure control it is essential, whether a safety valve
(pressure relief device) is available on the column or not. Both alternatives are discussed.
al

The classification of the safety instrumented systems according to IEC61511 result in the following:
rn

(see enclosed data sheets for SIL-classification):

PRCA+ZA++110 PRCA+ZA++110 TIRCS-ZA-106

te

with safety valve without safety valve

In

Consequence level S2 S3 S3

Frequency of presence in A2 A1 A1
the hazardous zone

Possibility of avoiding the G1 (G1) (G1)

consequences

Probability of the incident W2 W2 W1

Safety Integrity Level SIL 2 SIL 3 SIL 2

20080302_usecases_report.doc page 2 of 10
 Report from 16.09.2009

To Mr Michael Stay
Report PS-20080302-Wes

2. Exothermal semi-batch reactions: production of Grignard-reagents

Grignard-reactions appear frequently in the organic chemistry und are used for industrial production of
active pharmaceutical ingredients, food additives and fine chemicals. In the reaction organometallic
magnesium compounds, so-called Grignard-reagents1, are used to produce complex molecular struc-
tures by addition of a defined side chain to a certain place in the molecule.

While the hazard potential of Grignard-reactions is well known for a long time, the high heat of reaction
(about 400 J/g) and the high reactivity cause from time to time again major incidents, which result in the
emissions of hazardous chemicals. Especially the scale-up to the production scale is a reason for
hazard.

The main risk potential is the spontaneous start of the reaction, which is not exactly predictable, if a
critical amount of organic halogen is already accumulated. In this case a runaway reaction may occur,
_ which causes a sharpcut pressure increase and will result in an emission of reactants via the activated
pressure relief device (mostly bursting discs).

y
The example described here concerns the reaction of magnesium (Mg) and a chlorine aromatic

l
hydrocarbon (CA) in the solvent tetrahydrofuran (THF) in a semi-batch reactor. For this Mg and THF are

on
charged into the reactor and heated up to the boiling temperature of THF of 66 °C with a hot water
heater. The reaction is started by adding a portion of CA. The total amount of CA is then dosed over
several hours.
e
An exemplaric sketch of the reactor set up is given in Figure 2.
us

The operation procedure of the reaction in detail is as follows:

1. Inertisation of the reactor with nitrogen with a slight overpressure of 20 mbar g.

al

2. Adding of Mg from drums via a nitrogen-inertised lock

rn

3. Adding of THF from a receiver vessel or directly from a tank farm

4. Switching on the stirrer and the overhead condenser

te

5. Heating up the reactor to the boiling temperature of THF of 66° C with the hot water heater (max.
In

100 °C) via the jacket

6. Check, if the reflux flow from the overhead condenser (FQIZA+-203) is in a predefined range

7. Adding the 1. portion of CA (5% of total amount) from a receiver vessel

8. Check, if the reflux from the overhead condenser rises to a predefined value

9. Adding the 2. portion of CA (5% of total amount) from a receiver vessel

10. Check, if the reflux from the overhead condenser rises to a predefined value

1
Grignard-reagents are discovered in the year 1900 from Viktor Grignard. The Grignard-reagents are organometallic
compounds, thus hydrocarbons which have undergo a reaction with a metal - in this case magnesium, which furthermore has to
be connected to a halogen. Their structure is not fully known till this day, for simplicity the notation RMgX is commonly used.
Herein R is a alkyl-rest, X a halogen, whereby most often bromine and chlorine compounds are used for organic synthesis. The
reason for the universalism of their applicability is the strong polarised carbon-magnesium bond, which give Grignard-reagents a
very high reactivity. Grignard-reagants are very popular in organic synthesis, since an almost full conversion of educts to a
exactly pre-defined product is guaranteed.

20080302_usecases_report.doc page 3 of 10
 Report from 16.09.2009

To Mr Michael Stay
Report PS-20080302-Wes
11. Starting the dosing of the remained main mass of CA over several hours

12. Draining the reactor at the end of the reaction via the bottom valve

During the reaction, pressure and temperature in the reactor have to be supervised and the feed flow of
CA has to be stopped in case of deviations from their scheduled value.

In Enclosure 2 a tabular process safety analysis according to the ‚Hoechst Hazard Analysis’ is given.

The pressure control PRCA+ZA++110 and the temperature control TIRCS-ZA-106 are identified as
safety relevant. For the classification of the pressure control it is essential, whether a safety valve
(pressure relief device) is available on the column or not. Both alternatives are discussed.

The following switch functions are identified as safety relevant:

_
Stirrer power control EIZA-211
Reflux flow control FQIZA+-203

y
The classification of the safety instrumented systems according to IEC61511 gives the following results:

l
on
(see enclosed data sheets for SIL-classification):

Consequence level: S2
Frequency of presence in the hazardous zone: A2
e
Possibility of avoiding the consequences: G2
Probability of the incident: W2
us

⇒ Safety Integrity Level SIL 2

The justification is described in the data sheets for the SIL-classification of the reflux flow measurement
al

FQIZA+-203.and the stirrer power control EIZA-211.

rn
te
In

20080302_usecases_report.doc page 4 of 10
 Report from 16.09.2009

To Mr Michael Stay
Report PS-20080302-Wes

3. Milling of a dust explosive product including during pneumatic transportation

Products, which have the potential for a dust explosion, are handled at many places in the chemical
industry, e.g. dye powders or polymer granulates. Possible ignition sources for an explosion are
- mechanical sparks which can be generated by rotating equipment
- smouldering nest in case of thermally sensible products or
- electrostatic discharges.
Ignition sources are difficult to avoid during customizing or crushing of products in mills. The explosion
protection concept of this kind of plants is based regularly on the exclusion of oxygen by inertisation or
on an explosion pressure resistant design of the plant.
In the actual example (see Figure 3) the product a coarse material is charged into a mill via a rotary
feeder. After grinding, the fine product is transported into a cyclone separator with an attached filter via a
_
pneumatic transportation line. The product is then routed to a treatment or filling station via a second
rotary feeder. The pneumatic transport is realized with nitrogen, which by this way assures the inertising

y
of the whole plant.

l
The product dust is explosive and electrically non-conductive. The plant is not designed for the maximum

on
explosion pressure. Potential ignition sources are sparks which can be generated in the rotary feeder or
in the mill. Also electrostatical discharges (brush or cone discharges) can be assumed as ignition source,
if fine powder is accumulated in the bottom part of the filter.
e
From a safety analysis the oxygen measurement device QIRSA+ZA++302 in the exhaust pipe is
identified as essential safeguard. By this all relevant failure scenarios, which can result in an ignition
us

source, like failures of the electrical grounding, a brush discharge in the bottom part of the filter or
mechanical sparks in the mill are covered.
The classification of the safety instrumented systems according to IEC61511 gives the following results:
(see enclosed data sheets for SIL-classification):
al

Consequence level: S2
rn

Frequency of presence in the hazardous zone: A1

Possibility of avoiding the consequences: G2
te

Probability of the incident: W2

⇒ Safety Integrity Level SIL 1

In

The justification is described in the data sheet for the SIL-classification of QIRSA+ZA++302.

Not part of workshop IEC 61511 - practical use

20080302_usecases_report.doc page 5 of 10
 Report from 16.09.2009

To Mr Michael Stay
Report PS-20080302-Wes

4. Safeguarding of a steam boiler

In many industrial areas the energy stored in hot flue gases is used to generate steam. For this purpose,
the hot gas is routed through a tube bundle in a heat exchanger (steam boiler), which is filled with water.
Typical examples from the chemical industry are waste gas combustion units (thermal purification units)
or the energy recovery from high temperature processes like steam reforming („HyCO-Plants“).
The safeguards for steam boilers and their firing systems are well described in several guidelines and
technical standards, e.g. in the german TRD – „Technische Regeln Dampfkessel“. These appropriate
standards have to be considered for a detailed safety analysis. The following example includes only a
part of the whole system.
In the example (see Figure 4) the hot flue gases coming from the fire box are cooled down in a heat
exchanger (steam boiler) using water as cooling fluid. Usually this steam boiler is a pressure vessel, in
which the pressure is generated by the produced steam, which is controlled by a steam control valve.
_ The temperature on the water side of the boiler is limited by the boiling temperature of water
corresponding to the actual pressure as long as enough water is available and as the steam outflow is
ensured.

y
The essential safety concept for a steam boiler is generally based on the prevention of an overheating of

l
on
the pipes in the boiler. In case of a loss of coolant the boiler may be damaged due to the high flue gas
temperatures, which are usually higher than the design temperature of the material. Once the integrity of
the boiler is lost, hot steam and flue gas can be discharged into the environment and persons in the
vicinity of the apparatus may be jeopardized. In the actual example it is assumed, that the steam boiler is
e
located near to a traffic area so that a harm of several persons is possible. In contrast to many
installations in the industry, it is assumed here, that there is only a single boiler feed water pump and a
us

redundant spare pump is not available.

Another safety relevant deviation is the overfilling of the steam boiler with water. This may cause water
hammering in the pipes and downstream apparatuses like steam superheater. This pressure surges may
also cause damages or an integrity loss of the boiler.
al

In Enclosure 4 a tabular process safety analysis according to the ‚Hoechst Hazard Analysis’ is given.
rn

From a safety analysis the pressure control PAZ+403, the fill level control LA+Z++401 and the minimum
level interlock LA-Z--402 are identified as essential safeguards. In the following only both fill level
te

monitors are discussed.

The classification of the safety instrumented systems according to IEC61511 results in the following:
In

(see enclosed data sheets for SIL-classification):

LA+Z++401 LA-Z--402

Consequence level S2 S2

Frequency of presence in A2 A2
the hazardous zone

Possibility of avoiding the G2 G2

consequences

Probability of the incident W2 W3

Safety Integrity Level SIL 2 SIL 3

20080302_usecases_report.doc page 6 of 10
 Report from 16.09.2009

To Mr Michael Stay
Report PS-20080302-Wes

l y
on
e
us
al
rn
te
In

20080302_usecases_report.doc page 7 of 10
 Report from 16.09.2009

To Mr Michael Stay
Report PS-20080302-Wes

l y
on
e
us
al
rn
te
In

20080302_usecases_report.doc page 8 of 10
 Report from 16.09.2009

To Mr Michael Stay
Report PS-20080302-Wes

l y
on
e
us
al
rn
te
In

Not part of workshop IEC 61511 - practical use

20080302_usecases_report.doc page 9 of 10
 Report from 16.09.2009

To Mr Michael Stay
Report PS-20080302-Wes

l y
on
e
us
al
rn
te
In

20080302_usecases_report.doc page 10 of 10
 Siemens AG
Process Hazard Analysis Process Safety
PS 20080302
Participants:

Date: written by checked by

Project:
Column for separation of low and high boiling liquids 27.06.2008

Apparatuses / unit operations investigated: P&I diagram: Revision:

Separation column K100 with bottom steam heater W101 and top condenser W102 incl.
condensate collection vessel B100

ly
Deviation at...

on
1.1 Specification 1.2 Presence of raw materials 1.3 Dosing 1.4 Reaction conditions 1.5 Mixing
2.1 Auxiliary energy 2.2 Heating-/cooling 2.3 Control devices 2.4 Flow rates 2.5 Level 2.6 Stirring 2.7 Integrity of components

e
No. Deviation Cause Consequences Safety Measures

us
1 Wrong or Change in mixture composition of the Temperature and pressure increase in • Changes in the feed composition will usually not
contaminated feed feed flow from other parts of the plants column K100 occur suddenly but slowly and will be detected
products into column during regular quality analysis of the feed stream
K100

al
2 Total loss of electrical Local or factory-wide electrical failure Loss of cooling and heating, stop of • All valves go into their safe position
power pumps, possible pressure and temperature
rn increase • Column K100 goes automatically in a safe condi-
tion, if the heat supply is switched off and the
feed valve Y106 is closed
te
3 Overfilling of the co- Failure of level control LIRCA+-SA+- Flooding of the lower column trays with the • Level high switch LSA+105 closes steam and
lumn bottom 104 risc of an internal mechanical damage feed valves Y104 and Y106
In

4 Overfilling of conden- Failure of level control LICS-S--SA+107 Flooding of the condenser W102 and loss • See temperature too high
sate collection vessel of cooling capacity, temperature increase
B100 in column K100

Siemens AG Industry Sector page 1 of 2 Enclosure_1_process hazard analysis_column.doc

Process Safety PS 200800302 27.06.2008
 No. Deviation Cause Consequences Safety Measures

5 Temperature in col- Loss of cooling water at top condenser Pressure increase in the column K100 and • Safety relevant pressure high interlock
umn K100 too high W102 breakthrough of top product into waste air PRCA+ZA++110 closes steam and feed valves
Y104 and Y106 and stops feed-pump P101
Case A) with safety valve: activation of
safety valve and emission of substances • Columns are usually equipped with many tem-
into the environment perature sensors for control purposes, so that the
Case B) without safety valve: Pressure plant personell will notice an abnormal tempera-
increase above design pressure of the ture increase and can interact before the switch
column, loss of integrity point of the SIS is reached

ly
6 Temperature too high Control failure in the steam supply to Overheating of the bottom product above • Safety relevant temperature high interlock

on
in bottom of column W101 the maximum allowable temperature, de- TIRCS-ZA+106 closes steam valve Y104
K100 composition reaction with gas production,
pressure increase above design pressure,
loss of integrity

e
7 Temperature too low Control failure in the steam supply to No safety relevant consequences

us
in column K100 W101
8 Pressure too high in Temperature too high in column K100
column K100 see No. 5

al
9 Pressure too low in Loss of steam at W101 while con- Negative pressure (vacuum) in column • Vacuum breaker (breather valve) or
column K100 denser W102 is still running rn K100 and loss of integrity
• Column K100 is designed for full vacuum
10 Failure of pump P102 Several causes, e.g. motor failure Overheating of bottom product, see tem-
te
in bottom circulation perature too high
loop of K100
In

11 Failure of pump P103 Several causes, e.g. motor failure No reflux flow into the column, no safety
in reflux pipe relevant consequences, only loss of prod-
uct quality

Siemens AG Industry Sector page 2 of 2 Enclosure_1_process hazard analysis_column.doc

Process Safety PS 200800302 27.06.2008
 Siemens AG
Process Hazard Analysis Process Safety
PS 20080302
Participants:

Date: written by checked by

Project:
Production of Grignard-reagents 26.08.2008

Apparatuses / unit operations investigated: P&I diagram: Revision:

Reactor R200 and connected dosing vessels B201, B202 and cooler W100

ly
Deviation at...

1.1 Specification 1.2 Presence of raw materials 1.3 Dosing 1.4 Reaction conditions 1.5 Mixing

on
2.1 Auxiliary energy 2.2 Heating-/cooling 2.3 Control devices 2.4 Flow rates 2.5 Level 2.6 Stirring 2.7 Integrity of components

No. Deviation Cause Consequences Safety Measures

e
Feed of wrong or Mix-up of chemicals during supply Possible interactions of materials and/or • Quality control for all products at plant entry

us
1
contaminated uncontrolled exothermic reactions, • THF (tetrahydrofuran) and CA (chlorine aromatic
products into the temperature and pressure increase hydrocarbon) supply from tank farm via
process stationary mounted pipes
2 Total loss of electrical Local or factory-wide electrical failure Loss of stirring and cooling, possible • All valves go into their safe position, e.g. CA-feed

al
power pressure and temperature increase is stopped via closing Y202
rn • Reactor R200 goes in a safe condition automati-
cally
te
3 Overfilling of reactor Failure of flow controls FQIS+201 and Flooding of the reactor and overflow of • Level high switch and alarm LSA+204 closes
R200 FQIS+202 reaction mixture into the waste gas system feed valves Y201 and Y202
In

4 No or delayed start of Temperature too low or stirrer failure in Accumulation of CA and subsequent vio- • Start of reaction with a maximum amount of
the initial reaction R200 lent reaction with temperature and pres- 2 x 5% of total amount of CA
sure increase, rupture of bursting disc and
discharge of reaction mixture into the envi- • Safety relevant flow rate interlock in the conden-
ronment sate reflux pipe FQIZA+- (see SIL-classification)

Siemens AG Industry Sector page 1 of 4 Enclosure_2_process hazard analysis_reactor.doc

Process Safety PS 200800302 27.06.2008
 No. Deviation Cause Consequences Safety Measures

5 CA start mass too Failure in CA mass flow control Accumulation of CA and subsequent vio- • Safety relevant step sequence in PCS with time
high FQIS+202, monitoring of flow rate in lent reaction with temperature and pres- relay limits the dosable CA-mass (see SIL-
the condensate reflux pipe FQIZ-A+- sure increase, rupture of bursting disc and classification)
203 is inactive during the start phase discharge of reaction mixture into the envi-
(see SIL-classification) ronment • Alternative: receiver vessel with limited amount
of compounds

6 CA start mass too low Failure in CA mass flow control Possibility of no or delayed start of reac-
FQIS+202 tion, see No. 4

ly
7 Dosing of CA too fast Failure in CA mass flow control Increase in reaction rate and THF vapour • Safety relevant flow rate interlock in the conden-
FQIS+202 flow rate, possible breakthrough of THF- sate reflux pipe FQIZA+-203 closes of CA feed

on
vapour into waste gas and from there into valve Y202
environment in case of overloading the
waste gas system • Temperature high switch and alarm in waste gas
pipe TISA+206 closes CA feed valve Y202

e
8 Dosing of CA too slow Failure in CA mass flow control In cases where the reaction has started no

us
FQIS+202 safety relevant consequences, extreme
case of no or delayed reaction is described
in No. 4
9 Temperature too high Dosing of CA too fast, see. No. 7 Pressure increase and breakthrough of • Maximum pressure is limited to 1.7 bar g. by the

al
THF-vapour into waste gas vapour pressure of THF at maximum heating
Reaction of accumulated CA, see No. 4
temperature of 100 °C (water heater), so that set
Control failure in heater/cooler loop
rn pressure of the rupture disc is not reached
• Temperature control, high switch and alarm
TIRCA+SA-207
te
• Safety relevant flow rate interlock in the conden-
sate reflux pipe FQIZA+-203 closes of CA feed
In

valve Y202
10 Temperature too low Dosing of CA too slow, see No. 8 Decrease in reaction rate and risk of ac- • Temperature low switch and alarm TIRCA+SA-
cumulation of CA and subsequent violent 207 closes CA feed valve Y202
Control failure in heater/cooler loop
reaction with pressure and temperature
increase, rupture of bursting disc and dis- • Safety relevant flow rate interlock in the conden-
charge of reaction mixture into the envi- sate reflux pipe FQIZA+-203 closes of CA feed
ronment valve Y202

Siemens AG Industry Sector page 2 of 4 Enclosure_2_process hazard analysis_reactor.doc

Process Safety PS 200800302 27.06.2008
 No. Deviation Cause Consequences Safety Measures

11 Pressure too high Delayed start of reaction of accumu-

lated CA, see No. 4, 8 and 10
12 Dosing failure: THF- Failure in THF mass flow control Increased hazard potential, which will be • Level high switch and alarm LISA+- 205
mass too low (total FQIS+201 effective only in case of a second indepen-
amount) dent error, e.g. loss of cooling
13 Dosing failure: THF- Failure in THF mass flow control Overfilling, see No. 3
mass too high (total FQIS+201
Possibly no or delayed start of reaction,
amount)
see No. 4

ly
14 Dosing failure: Mg- Operator failure during charging of Incomplete conversion, not safety relevant, • Standard operation procedure for filling operation
mass too low (total drums only quality problems with double-check

on
amount)
Possibly no or delayed start of reaction, • Quality control of product
see No. 4
15 Dosing failure: Mg- Operator failure during charging of Mg is not consumed totally by the reaction, • Standard operation procedure for filling operation

e
mass too high (total drums possibly safety relevant consequences in with double-check

us
amount) subsequent production steps, quality prob-
lem • Quality control of product

16 Dosing failure: CA- Failure in CA mass flow control Mg is not consumed totally by the reaction, • Quality control of product
mass too low (total FQIS+202 possibly safety relevant consequences in
amount) subsequent production steps, quality prob-

al
lem
17 Dosing failure: CA-
mass too high (total
Failure in CA mass flow control
FQIS+202
rn Overfilling, see No. 3
Incomplete conversion, not safety relevant,
• Quality control of product

amount)
only quality problems
te
18 Wrong sequence of CA is dosed instead of THF and then Reaction starts during heat up without • Safety relevant step sequence with interlocking
In

dosing heated up to the reaction temperature effective cooling by boiling, violent reaction the order of reactant dosing (see SIL-
with pressure and temperature increase, classification)
rupture of bursting disc and discharge of
reaction mixture into environment
19 Failure of stirrer Mechanical or electrical damage, op- Decrease in reaction rate due to insuffi- • Safety relevant flow rate interlock in the conden-
erator error cient mixing, possibly accumulation of CA sate reflux pipe FQIZA+-203 closes of CA feed
and subsequent violent reaction with pres- valve Y202
sure- and temperature increase, rupture of
bursting disc and discharge of reaction • Stirrer power low switch EIZA-211 (analog cur-
mixture into environment rent measurement) closes CA feed valve Y202)

Siemens AG Industry Sector page 3 of 4 Enclosure_2_process hazard analysis_reactor.doc

Process Safety PS 200800302 27.06.2008
 No. Deviation Cause Consequences Safety Measures

20 Loss of cooling Mechanical or electrical damage, op- Pressure increase and breakthrough of • Cooling water flow low switch FISA-208 closes CA
erator error THF-vapour into waste gas system feed valve Y202
• Maximum pressure is limited to 1.7 bar g. by the va-
pour pressure of THF at maximum heating tempera-
ture of 100 °C (water heater), so that set pressure of
the rupture disc is not reached
• Temperature control, high switch and alarm
TIRCA+SA-207

ly
• Safety relevant flow rate interlock in the condensate
reflux pipe FQIZA+-203 closes of CA feed valve

on
Y202
21 Formation of explo- Ingress of air, not described in detail Not discussed here • Permanent inertising with slight nitrogen overpres-
sive atmosphere since focus is on safe reaction sure (e.g. 20 mbar g.)

e
• Dosing of Mg via intertised sluice

us
al
rn
te
In

Siemens AG Industry Sector page 4 of 4 Enclosure_2_process hazard analysis_reactor.doc

Process Safety PS 200800302 27.06.2008
 Siemens AG
Process Hazard Analysis Process Safety
PS 20080302
Participants:

Date: written by checked by

Project:
Steam boiler in a thermal purification unit 26.08.2008

Apparatuses / unit operations investigated: P&I diagram: Revision:

Steam boiler B400, fire box B401 and boiler feed water pump P400

ly
Deviation at...

1.1 Specification 1.2 Presence of raw materials 1.3 Dosing 1.4 Reaction conditions 1.5 Mixing

on
2.1 Auxiliary energy 2.2 Heating-/cooling 2.3 Control devices 2.4 Flow rates 2.5 Level 2.6 Stirring 2.7 Integrity of components

No. Deviation Cause Consequences Safety Measures

e
Water level too high in Failure of level control, e.g. fully Overfilling of boiler and flooding of connected • Safety relevant level high switch LA+Z++401

us
1
steam boiler B400 opened feed valve Y407 apparatuses, pressure increase and possibly - closes feed valve Y407 and
integrity loss by water hammering (pressure - switch off boiler feed water pump P400
surges)
2 Water level too low in Failure of level control, e.g. fully Loss of cooling by boiling, overheating of the • Safety relevant level low switch LA-Z--402

al
steam boiler B400 closed feed valve Y407 boiler pipes and loss of integrity of steam boiler, - closes fuel gas control valve Y403
Failure of boiler feed water pump discharge of flammable gas, risk of secondary - stops burner by actuating double-block-and-
rn explosion in the plant bleed valves Y404, Y405, Y406
- closes fast acting butterfly valve Y401 in
offgas pipe
te
- opens bypass-valve Y410 to emergency vent
- opens combustion air butterfly valve Y402
In

3 Pressure too high in Closing of steam valve Y409 Pressure increase in steam boiler above design • Pressure high switch PAZ+403 with same ac-
steam boiler pressure, loss of integrity of boiler drum and tions as for No. 2
Overfiring of burner, e.g. by failure in
discharge of steam into environment
burner control • Safety valve relief the pressure
4 Temperature too high See ‘pressure too high’, since pres-
in steam boiler sure and temperature are coupled
due to phase equilibrium
Water level too low, see No. 2

Siemens AG Industry Sector page 1 of 2 Enclosure_4_process hazard analysis_steamboiler.doc

Process Safety PS 200800302 27.06.2008
 No. Deviation Cause Consequences Safety Measures

5 Insufficient ground- E.g. corrosion of grounding cable Risk of electrostatic discharges, not safety rele- • Regular inspection of grounding/earthing
ing/earthing of appa- vant, since explosive atmosphere is excluded
ratuses by monitoring the oxygen content
6 Formation of Mechanical defect, which results in Ignition of product and formation of smouldering • Slow rotation speed of rotary feeder (< 1 m/s)
mechancial sparks in internal friction of metal parts nests
mill M300 or in a ro- • Mill has sufficient large gaps and possibly a vi-
Explosions are excluded due to absence of bration monitor
tary feeder
oxygen

ly
on
e
us
al
rn
te
In

Siemens AG Industry Sector page 2 of 2 Enclosure_4_process hazard analysis_steamboiler.doc

Process Safety PS 200800302 27.06.2008
 SIL Classsification
according to VDI/VDE 2180-1 or IEC 61511 - 3, annex E
Date:

Project Site Factory Plant Department P&I Diagram No.

Separation column
Tag Description Tag - No.

Temperature measurement TIRCS-ZA+106

Risk Evaluation
Description of risk to be covered

An overheating of the bottom product in the column by a failure of the steam control can result in a decomposition reaction.

The fast reaction produces gas, which cannot be removed via the safety valve, so that the pressure increases above the design

pressure of the column. A larger leak occurs, the content of the column is discharged into the environment.

In case of flammable substances, a secondary vapor explosion may occur.

SIL
Consequence of dangerous event (S) W3 W2 W1 Classification

S1 Small injuries to persons or S1 no safety requirements

small pollution of environment 11

G1 2 1
S2 Severe injury to one or several persons, death to one SIL 1
person or temporary serious damage of environment A1 G2 3 2 1
4 3 2
S2 A2 G1
S3 Several fatalities, serious long-term damage of X
5 4 3
environment G2
SIL 2
S4 Catastrophe with many fatalities, impact outside plot A1 6 5 44
S3
Frequency of presence in the hazardous zone (F)
A2 77 6 5
A1 Rare to more often exposure in the hazardous zone X
A2 Frequent to permanent exposure in the hazardous zone

Possibility of avoiding the consequences (G)

S4 8 777
6 SIL 3
G1 Possible under certain conditions
G2 Almost impossible (X)

Probability of the incident (W)

(höheres Risiko)
W1 Minor, never happened in past X
SIL 4
W2 Low chance, has happened
W3 High chance, sometime happend in plant SIS is not sufficient

Short statement to selection of risk parameters

Consequence (S)
The huge emission of substances into the environment can result in a secondary explosion with many fatalities.

Frequency of presence in the hazardous zone (A)

In highly automated plants usually only a few people are present. The plants are supervised from well protected control rooms.

Possibility of avoiding the consequences (G)

Once the decomposition is initiated, it is difficult or impossible to stop it.

Probability of the incident (ignoring the safety system) (W)

The probability that a failure of the steam control will result in a temperature increase above the decomposition temperature
of the bottom product is assumed to be relatively small.
 SIL Classsification
according to VDI/VDE 2180-1 or IEC 61511 - 3, annex E
Date:

Project Site Factory Plant Department P&I Diagram No.

Separation column
Tag Description Tag - No.

Temperature measurement TIRCS-ZA+106

Limit values Action 1 Action 2

prewarning main alarm limit value interlocks limit value interlocks

min.

xx °C xx °C Close steam supply valve Y104

max.

Technical desing of tag

Description: Temperature measurement in column K100 with pre-alarm and interlock on Y104

Parameter: SIL 2
Safe process condition: Steam Closed
SIF-reaction time: see SRS-general
Reset demand: see SRS-general
MTTR see SRS-general
Other criteria no

Limits for re-iterative functional tests

annually quarterly weekly

bi-annually monthly x tri-annually

Remarks

Signatures /Date

Plant manager: Date Safety / Facilitator Date

Plant engineer: Date Process (engineering) Date

E, I & A (plant) Date E, I & A (engineering) Date

Mechanical (engineering) Date

 SIL Classification
according to VDI/VDE 2180-1 or IEC 61511-3 annex E
Date:

Project Site Factory Plant Department P&I Diagram No.

Grignard-Reactor
Tag Description Tag No.

Flow Measurement FQIZA+-203

Risk Evaluation
Description of risk to be covered

Accumulation of chlorinated aromatic hydrocarbons and subsequent runaway reaction with pressure and temperature increase,

rupture of bursting disc and release of reaction mixture into environment

SIL
Consequence of dangerous event (S) W3 W2 W1 Classification

S1 Small injuries to persons, S1 no safety requirements

small pollution of environment 11

P1 2 1
S2 Severe injury to one or several persons, SIL 1
death of one person F1 P2 3 2 1
temporary serious damage of environment
4 3 2
S2 F2 P1
S3 Several fatalities, serious long term damage
5 4 3
of environment P2
SIL 2
S4 Catastrophy with many fatalities, impact outside plot F1 6 5 44
S3
Frequency of presence in the hazardous zone (F)
F2 77 6 5
F1 Rare or more often exposure in the hazardous zone
F2 Frequent to permanent exposure

Possibility of avoiding the consequences (P)

S4 8 777
6 SIL 3
P1 Possible under certain conditions
P2 Almost impossible

Probability of the incident (W)

(höheres Risiko)
W1 Minor, never happened in past
SIL 4
W2 Low chance, has happened
W3 High chance, sometime happened in plant SIS is not
sufficient
Short statement to the selection of risk parameters
Consequences (S)

Frequency of presence in the hazardous zone (F)

Possibility of avoiding consequences (P)

Probability of the incident (ignoring the protection of the safety system) (W)
 SIL Classification
according to VDI/VDE 2180-1 or IEC 61511-3 annex E
Date:

Project Site Factory Plant Department P&I Diagram No.

Grignard-Reactor
Tag Description Tag No.

Stirrer power control EIZA+-211

Risk Evaluation
Description of risk to be covered

Stand of stirrer caused by electrical or mechanical failure, no mixing in the reactor due to broken impeller,

accumulation of chlorinated aromatic hydrocarbons and subsequent runaway reaction with pressure and temperature increase,

rupture of bursting disc and release of reaction mixture into environment

SIL
Consequence of dangerous event (S) W3 W2 W1 Classification

S1 Small injuries to persons, S1 no safety requirements

small pollution of environment 11

P1 2 1
S2 Severe injury to one or several persons, SIL 1
death of one person F1 P2 3 2 1
temporary serious damage of environment
4 3 2
S2 F2 P1
S3 Several fatalities, serious long term damage
5 4 3
of environment P2
SIL 2
S4 Catastrophy with many fatalities, impact outside plot F1 6 5 44
S3
Frequency of presence in the hazardous zone (F)
F2 77 6 5
F1 Rare or more often exposure in the hazardous zone
F2 Frequent to permanent exposure

Possibility of avoiding the consequences (P)

S4 8 777
6 SIL 3
P1 Possible under certain conditions
P2 Almost impossible

Probability of the incident (W)

(höheres Risiko)
W1 Minor, never happened in past
SIL 4
W2 Low chance, has happened
W3 High chance, sometime happened in plant SIS is not
sufficient
Short statement to the selection of risk parameters
Consequences (S)

Frequency of presence in the hazardous zone (F)

Possibility of avoiding consequences (P)

Probability of the incident (ignoring the protection of the safety system) (W)
 SIL Classsification
according to VDI/VDE 2180-1 or IEC 61511 - 3, annex E
Date:

Project Site Factory Plant Department P&I Diagram No.

Separation column
Tag Description Tag - No.

Pressure measurement PRCA+ZA++110

Risk Evaluation
Description of risk to be covered

In case of a failure of the top condenser, the temperature and pressure in column K100 will rise.

Case A: the safety valve is actuated, the contents is discharged into the atmosphere in a free jet, an explosive atmosphere

will not be formed inside the plant, the hazard is releated to the toxic effects of the gases in larger distances from the column.

SIL
Consequence of dangerous event (S) W3 W2 W1 Classification

S1 Small injuries to persons or S1 no safety requirements

small pollution of environment 11

G1 2 1
S2 Severe injury to one or several persons, death to one SIL 1
person or temporary serious damage of environment A1 G2 3 2 1
4 3 2
S2 A2 G1
S3 Several fatalities, serious long-trem damage of
5 4 3
environment G2
SIL 2
S4 Catastrophe with many fatalities, impact outside plot A1 6 5 44
S3
Frequency of presence in the hazardous zone (F)
A2 77 6 5
A1 Rare to more often exposure in the hazardous zone
A2 Frequent to permanent exposure in the hazardous zone

Possibility of avoiding the consequences (G)

S4 8 777
6 SIL 3
G1 Possible under certain conditions
G2 Almost impossible

Probability of the incident (W)

(höheres Risiko)
W1 Minor, never happened in past
SIL 4
W2 Low chance, has happened
W3 High chance, sometime happend in plant SIS is not sufficient

Short statement to selection of risk parameters

Consequence (S)

Frequency of presence in the hazardous zone (A)

Possibility of avoiding the consequences (G)

Probability of the incident (ignoring the safety system) (W)

 SIL Classsification
according to VDI/VDE 2180-1 or IEC 61511 - 3, annex E
Date:

Project Site Factory Plant Department P&I Diagram No.

Separation column
Tag Description Tag - No.

Pressure measurement PRCA+ZA++110

Risk Evaluation
Description of risk to be covered

In case of a failure of the top condenser, the temperature and pressure in column K100 will rise.

Case B: the pressure increases above the design pressure of the column, a larger leak occurs, the content of the column is

discharged into the environment. In case of flammable substances, a secondary vapour explosion may occur.

SIL
Consequence of dangerous event (S) W3 W2 W1 Classification

S1 Small injuries to persons or S1 no safety requirements

small pollution of environment 11

G1 2 1
S2 Severe injury to one or several persons, death to one SIL 1
person or temporary serious damage of environment A1 G2 3 2 1
4 3 2
S2 A2 G1
S3 Several fatalities, serious long-term damage of
5 4 3
environment G2
SIL 2
S4 Catastrophe with many fatalities, impact outside plot A1 6 5 44
S3
Frequency of presence in the hazardous zone (F)
A2 77 6 5
A1 Rare to more often exposure in the hazardous zone
A2 Frequent to permanent exposure in the hazardous zone

Possibility of avoiding the consequences (G)

S4 8 777
6 SIL 3
G1 Possible under certain conditions
G2 Almost impossible

Probability of the incident (W)

(höheres Risiko)
W1 Minor, never happened in past
SIL 4
W2 Low chance, has happened
W3 High chance, sometime happend in plant SIS is not sufficient

Short statement to selection of risk parameters

Consequence (S)
The huge emission of substances into the environment can result in a secondary explosion with many fatalities.

Frequency of presence in the hazardous zone (A)

In highly automated plants usually only a few people are present. The plants are supervised from well protected control rooms.

Possibility of avoiding the consequences (G)

The temperature and pressure increase in case of a loss of cooling is a slow process (few minutes up to 1 hour)
so that normally enough time is available to shut-off the heat supply manually and stop the pressure increase.

Probability of the incident (ignoring the safety system) (W)

The probability that the loss of cooling water will result in a pressure increase above the design pressure is assumed to be
relatively small.
 SIL Classification
according to VDI/VDE 2180-1 or IEC 61511-3 annex E
Date:

Project Site Factory Plant Department P&I Diagram No.

Pneumatic
transportation
Tag Description Tag No.

Oxygen measurement QIRSA+ZA++ 302

Risk Evaluation
Description of risk to be covered

Risk of initiating an explosion by mechanical sparks or electrostatic discharges,

a local explosion will damage the plant partly,

severe injury of several persons

SIL
Consequence of dangerous event (S) W3 W2 W1 Classification

S1 Small injuries to persons, S1 no safety requirements

small pollution of environment 11

P1 2 1
S2 Severe injury to one or several persons, SIL 1
death of one person F1 P2 3 2 1
temporary serious damage of environment
4 3 2
S2 F2 P1
S3 Several fatalities, serious long term damage
5 4 3
of environment P2
SIL 2
S4 Catastrophy with many fatalities, impact outside plot F1 6 5 44
S3
Frequency of presence in the hazardous zone (F)
F2 77 6 5
F1 Rare or more often exposure in the hazardous zone
F2 Frequent to permanent exposure

Possibility of avoiding the consequences (P)

S4 8 777
6 SIL 3
P1 Possible under certain conditions
P2 Almost impossible

Probability of the incident (W)

(höheres Risiko)
W1 Minor, never happened in past
SIL 4
W2 Low chance, has happened
W3 High chance, sometime happened in plant SIS is not
sufficient
Short statement to the selection of risk parameters
Consequences (S)

Frequency of presence in the hazardous zone (F)

Possibility of avoiding consequences (P)

Probability of the incident (ignoring the protection of the safety system) (W)
 SIL Classification
according to VDI/VDE 2180-1 or IEC 61511-3 annex E
Date:

Project Site Factory Plant Department P&I Diagram No.

Steam boiler
Tag Description Tag No.

High level switch LA+Z++401

Risk Evaluation
Description of risk to be covered

Overfilling of steam boiler and loss of integrity by water hammering in the system. Escape of steam into the environment.

Severe injuries of persons are possible.

SIL
Consequence of dangerous event (S) W3 W2 W1 Classification

S1 Small injuries to persons, S1 no safety requirements

small pollution of environment 11

P1 2 1
S2 Severe injury to one or several persons, SIL 1
death of one person F1 P2 3 2 1
temporary serious damage of environment
4 3 2
S2 F2 P1
S3 Several fatalities, serious long term damage
5 4 3
of environment P2
SIL 2
S4 Catastrophy with many fatalities, impact outside plot F1 6 5 44
S3
Frequency of presence in the hazardous zone (F)
F2 77 6 5
F1 Rare or more often exposure in the hazardous zone
F2 Frequent to permanent exposure

Possibility of avoiding the consequences (P)

S4 8 777
6 SIL 3
P1 Possible under certain conditions
P2 Almost impossible

Probability of the incident (W)

(höheres Risiko)
W1 Minor, never happened in past
SIL 4
W2 Low chance, has happened
W3 High chance, sometime happened in plant SIS is not
sufficient
Short statement to the selection of risk parameters
Consequences (S)

Frequency of presence in the hazardous zone (F)

Possibility of avoiding consequences (P)

Probability of the incident (ignoring the protection of the safety system) (W)
 SIL Classification
according to VDI/VDE 2180-1 or IEC 61511-3 annex E
Date:

Project Site Factory Plant Department P&I Diagram No.

Steam boiler
Tag Description Tag No.

Low level switch LA-Z--402

Risk Evaluation
Description of risk to be covered

In case of emptying the steam boiler an overheating of the tubes will occur with loss of integrity.

Severe injuries of persons are possible.

SIL
Consequence of dangerous event (S) W3 W2 W1 Classification

S1 Small injuries to persons, S1 no safety requirements

small pollution of environment 11

P1 2 1
S2 Severe injury to one or several persons, SIL 1
death of one person F1 P2 3 2 1
temporary serious damage of environment
4 3 2
S2 F2 P1
S3 Several fatalities, serious long term damage
5 4 3
of environment P2
SIL 2
S4 Catastrophy with many fatalities, impact outside plot F1 6 5 44
S3
Frequency of presence in the hazardous zone (F)
F2 77 6 5
F1 Rare or more often exposure in the hazardous zone
F2 Frequent to permanent exposure

Possibility of avoiding the consequences (P)

S4 8 777
6 SIL 3
P1 Possible under certain conditions
P2 Almost impossible

Probability of the incident (W)

(höheres Risiko)
W1 Minor, never happened in past
SIL 4
W2 Low chance, has happened
W3 High chance, sometime happened in plant SIS is not
sufficient
Short statement to the selection of risk parameters
Consequences (S)

Frequency of presence in the hazardous zone (F)

Possibility of avoiding consequences (P)

Probability of the incident (ignoring the protection of the safety system) (W)