


Article in Process Safety Progress · September 2008


DOI: 10.1002/prs.10243




A Case Study of Safety Integrity Level (SIL) Assessment and
Verification at Air Products and Chemicals: Electronics Division
Product Line Evaluation and Analysis

John Day, Air Products and Chemicals, Allentown, PA
Hal Thomas, Air Products and Chemicals, Allentown, PA
James VanOmmeren, Air Products and Chemicals, Allentown, PA

ABSTRACT

With the adoption of the IEC 61511 [1] and ANSI/ISA-84.00.01-2004 [2] standards, Air
Products and Chemicals has made a concerted effort to provide a standardized
approach to the design and implementation of Safety Instrumented Systems following
the safety lifecycle model. This presentation provides a Case Study describing the
methodology used during the Safety Integrity Level (SIL) Assessment and Verification
of existing Electronics Division product lines. SIL Assessment was accomplished through
the use of Hazard Identification; Likelihood, Consequence and Risk Analysis. Each of the
Electronics Division Product's Safety Instrumented Functions (SIF) was identified during
SIL Assessment, making use of both layer of protection analysis (LOPA) and
consequence analysis. A target SIL was determined for each SIF through quantitative
and qualitative analysis. SIL Verification was accomplished using Fault Tree Analysis in
order to determine the average probability of failure on demand (PFDavg) of each SIF.
This analysis was a joint collaboration between the Process Safety and Process Controls
Engineering teams.

COMPANY BACKGROUND

The Electronics Division of Air Products and Chemicals is a global business with $2
billion in sales (FY2006), focused on providing Specialty Gases and Chemicals, High
Purity Equipment and On Site Services to the Electronics market. Our customers include
manufacturers of Integrated Circuits, Memory Chips, Liquid Crystal Displays, and Light
Emitting Diodes.

BACKGROUND

In 2003, Air Products began a proactive approach to develop internal work processes,
tools, and training in anticipation of the pending adoption of ANSI/ISA-84.00.01-2004.
This included the development of the following aids for use in SIL Assessment and SIL
Verification:

1. Software tools
2. Global work processes
3. Global Engineering Standards and Procedures
4. Training materials
5. SIL application library
6. Standard templates for SIL documentation

Internally developed software tools have been deployed for use by Air Products Process
Safety and Engineering Personnel. Fault Tree Analysis software (APTree) and Layer of
Protection Analysis software (APLoPA) have been developed for quantifying risks,
performing frequency analysis, and for verification of safety instrumented system
performance. Failure rate data and frequency data for use by these programs were
obtained through industry generic failure rate data books, 3rd party consultants,
licensed databases, supplier safety manuals, supplier failure mode effects and
diagnostic analysis reports, and internal process plant operating experience.

Basic engineering policies (BEP) for use in the design and implementation of safety
instrumented systems were developed in order to establish and communicate the
company’s high level policy and strategy for the transition to the new industry standard.
The BEP provided guidance for more specific and detail oriented engineering
procedures and standards which were then developed.

Training materials were prepared using both internal and external Process Safety,
Process Control, and Instrumentation Design experts. These materials covered various
aspects of process safety analysis and were developed with specific Air Products
terminology and work processes in mind. This training was rolled out to the company in
a systematic approach.

An applications library was developed that contains typical instrumented protection
systems designs that have been pre-analyzed to support production engineering as well
as fundamental information such as FMEA reports, manufacturer safety manuals, etc.
After completion, SIL assessments were added to the library for future use to support
management of change or to serve as a starting point for similar applications. This
library has the benefit of helping to reduce engineering time and to facilitate consistent
implementations across multiple business units. Standard templates for SIL assessment
and verification reports were developed. These reports provide a consistent
presentation format that aids the ease of use and understanding of the material.

CASE STUDY SPECIFICS

This case study describes the work process followed in the SIL Assessment and
Verification of previously designed safety instrumented systems within our Electronics
Division equipment product lines. The analysis examples presented in this case study
are for illustrative purposes only.

Data Gathering

A summary of products for evaluation was prepared and grouped per application and
known hazards. A number of equipment offerings were evaluated using the work
process described in this case study. This includes equipment products listed in the
following product groups:
1. GasGuard® QMAC: Analytical Systems / Product Quality Monitoring Systems
2. GasGuard® Bulk Specialty Gas Systems (BSGS)
3. GasGuard® High Flow Systems, Gas Cabinets, Valve Manifold boxes
4. Isomodule/Y Cylinder Heater Control Systems
5. GGT® Subatmospheric Gas Generators
6. Nitrogen Purifiers

These product groups have been designed by Air Products over the past 10 years for
both internal use and for sale to outside customers. Hazard identification and
consequence analysis had been performed during the development of the individual
product lines. Instrumented protections were previously designed based on the hazard
and consequence analysis. This information was collected and used in the SIL
Assessment and Verification.

The steps outlined in the Safety Lifecycle [3] (Figure 1) were used as the basis for the
evaluation. Some steps were bypassed as the products being evaluated were existing
designs. For this case study, the existing Process Hazard Analysis (PHA) and risk
assessment were examined and updated using layer of protection analysis [4, 5]. A SIL
target was defined for each SIF by back-calculating the required risk reduction needed
to be achieved for that SIF in order to satisfy Air Products' corporate risk target.
Each existing SIF was then evaluated to determine what performance could be achieved
given its design, architecture, configuration and mechanical integrity program.
Calculated performance was then compared to the SIL target (using maximum
allowable PFDavg) to confirm that the safety instrumented function was adequate,
coupled with the other layers of protection, to meet our corporate risk target.

[Figure 1, flowchart: ISA 84.01 Safety Lifecycle. Stages shown, in sequence: Start;
Conceptual Process Design; PHA & Risk Assessment; Develop non-SIS Layers of
Protection; Define Target SIL; Develop Safety Requirements Specification; SIS
Conceptual Design; SIS Detailed Design; SIS Installation, Commissioning & Validation;
Establish Operating, Maintenance and Mechanical Integrity Procedures; Operational
Readiness Inspection; SIS Startup, Operation, Maintenance & Mechanical Integrity
Program; decision "Modify/Decommission Req'd?" with branches Modify (back into the
lifecycle) and SIS Decommissioning, then STOP.]

Figure 1: ISA 84.01 Safety Lifecycle

SIL Assessment

The goal of the SIL Assessment was to identify all Safety Instrumented Functions (SIF)
and to determine a required performance level for each SIF. Air Products classifies risks
into importance levels (L1 through L3). Only L3S safety instrumented functions were
evaluated during this case study. It is Air Products’ interpretation that the L3S
classification corresponds to a SIF as defined in IEC 61511. Table 1 describes the
importance level classifications used within Air Products.

Table 1: Importance Level Classification

Importance Level L1, Class L1
  Application examples: Regulatory Control; Equipment Interlocks where loss of
  equipment is not considered significant; Environmental Monitoring; Equipment
  Monitoring; Information/Status; Shutdown Pre-alarms; Shutdown associated with
  acceptable risk involving equipment damage, business interruption.
  Basis/Comments: Maximum flexibility, minimum risk. Financial risk acceptable to the
  responsible business area.

Importance Level L2, Class L2S
  Application examples: Emergency Response – Fire Detection Backing Up Automatic
  Sprinklers; Protection Required to Comply with Federal, State, or Local Regulations;
  Safety, Health, and/or environmental protection deemed important, but not meeting
  the definition of critical safety protection.
  Basis/Comments: Safety, health, and/or environmental protection involving specific
  regulatory requirements or providing protection against loss of process or energy
  containment.

Importance Level L2, Class L2P
  Application examples: Loss Prevention for Major Equipment Damage, Significant
  Business Interruption, or Significant Environmental Risk.
  Basis/Comments: Financial risk or asset protection that is unacceptable to the
  responsible business area.

Importance Level L3, Class L3S
  Application examples: Critical Safety Protection: protection that is designed to
  prevent an immediate, life-threatening process safety incident when a demand occurs.
  Basis/Comments: Considered a safety instrumented function (SIF) per IEC 61511.

Importance Level L3, Class L3P
  Application examples: Critical Product Protection.
  Basis/Comments: Critical product protection as defined by internal company work
  process.

At Air Products, the importance level helps classify the level of security, administrative
controls and mechanical integrity requirements. The importance level also provides
guidance and requirements for the level of segregation and independence required
between the safety instrumented system (SIS) and basic process control system
(BPCS).

Process hazard analysis information that was prepared during the design phase was
reviewed to identify instrumented safeguards. Air Products typically employs the HAZOP
methodology for process hazard identification analysis. An example of a typical PHA
HAZOP worksheet is listed in Table 2. The PHA report details the possible hazards, the
consequence of the hazard, and any safeguards that may exist. Note the safeguards
may include equipment and process design, mechanical protection systems,
instrumented protection systems and administrative controls.

Table 2: Typical Process Hazards Analysis HAZOP Worksheet

Item 1
  Deviation: High column pressure.
  Causes: Column reboiler steam pressure control failure, causing excessive heat input.
  Consequences: Column overpressure and potential mechanical failure of the vessel and
  release of its contents.
  Safeguards (Class): Mechanical design of vessel (L1); High pressure alarms with
  operator intervention (L1); Pressure relief valve (L3).
  Recommendations: Install SIF within the SIS to stop reboiler steam flow upon high
  column pressure.

Item 2
  Deviation: High pressure.
  Causes: Steam reboiler tube leak causing high pressure steam to enter vessel.
  Consequences: Column overpressure and potential mechanical failure of the vessel and
  release of its contents.
  Safeguards (Class): High pressure alarms with operator intervention (L1); Pressure
  relief valve (L3).
  Recommendations: See previous item.

Air Products' internally developed layer of protection analysis (APLoPA) and fault tree
analysis (APTree) software programs were used during the SIL Assessment and
Verification work process. APTree was used to determine initiating cause frequencies for
the layer of protection analysis when needed, and the PFDavg for identified SIFs. Layer
of protection analysis accounts for the multiple independent layers of protection that
are typically part of a process design.

Typical layers of protection may include:

1. Basic Process Control System (BPCS) – Regulatory control
2. Alarms that provide enough time for knowledgeable operators to recover from
initial upsets prior to the hazardous event
3. Safety Instrumented Functions
4. Inherent pressure containing strength
5. Pressure Relief Devices
6. Secondary containment
7. Barricades
8. Administrative controls
9. Exposure probability

The LOPA results are reported in a table format from the APLoPA software. Figures 2
and 3 illustrate an example (developed for training purposes) that demonstrates the
execution and methodology used during the SIL Assessment portion of the case study.

Please note that it is not appropriate to reference the data in this paper, as it was
developed for illustration purposes only. Actual analyses require data references and
risk targets that are both auditable and defensible by the company performing the
analysis.

Figure 2 shows a representation of a typical control and safety instrumented system
used for overpressure protection of a pressure vessel. Figure 3 details the APLoPA
report for the example in Figure 2.

Figure 2: Overpressure Protection Diagram

Layer of Protection Analysis Report - Generated 09-Feb-2007 15:04:58

Scenario: pressure vessel rupture due to overpressure (No SIF Credit)
Calculation: Complete    References: Complete
Target Frequency: 5.0E-06    Calculated Frequency: 1.8077E-04    Required Performance: 2.766E-02

Columns, in order: Intermediate Event Frequency (1/yr) | Initiating Cause |
Initiation Frequency (1/yr) | Alarm Protection Layer Fails to Protect | PIC vent control
fail to vent | 1oo2 HP SIF fail to function | 1oo1 HP SIF fail to function | Spring
Operated Relief Valve Fails to Open | Probability Vessel Ruptures | Prob Person Present |
Prob of Fatality if Person Present

1.63E-04 | Pressure letdown PIC (loop) fails dangerous | 0.1      | 1 | 0.1 | 1 | 1 | 0.0163 | 1 | 1 | 1
8.15E-06 | Common Mode BPCS dangerous output          | 5.00E-04 | 1 | 1   | 1 | 1 | 0.0163 | 1 | 1 | 1
9.62E-06 | Control valve spuriosusly fails open       | 5.90E-03 | 1 | 0.1 | 1 | 1 | 0.0163 | 1 | 1 | 1

Date: 09-Feb-2007 15:04:43    Analyst: DAYJD    Version: 2.1.0 - 2.0.0

Figure 3: LOPA Report Example (Without SIS Credit)

Figure 3 Notes:

1. This analysis assumes that the pressure letdown control and the vent control
utilize totally independent input and output cards.
2. No credit for alarm layer of protection due to lack of operator response time.
3. No credit for SIS protection taken during this stage of analysis.

The LOPA results detail the initiating causes and the frequency of each event that was
evaluated. All layers of protection receiving credit are listed with their respective
probabilities of failure. In the example in Figure 3, the overall event likelihood that
the vessel will rupture due to overpressure is the sum of the individual intermediate
event likelihoods. This can be calculated as follows:

Overall Event Likelihood = 1.63x10^-4 + 8.15x10^-6 + 9.62x10^-6 = 1.81x10^-4 (yr^-1)
(Without SIS Credit)

The performance level, or maximum allowable PFDavg, required for the SIS is determined
by dividing the Target Frequency by the Overall Event Likelihood. In this example, an
additional 2.77x10^-2 PFDavg of risk reduction is required from the SIS to meet a target
frequency of 5x10^-6. The required SIS performance falls within the SIL 1 range, but we
perform our SIL verification to ensure that the actual "as designed and maintained" SIF
does not exceed this value, i.e. the SIF PFDavg must be less than or equal to the
required maximum allowable PFDavg.

The assessment results were summarized in a SIL Assessment Report. This report
included the following information:
1. Executive summary of the SIL ratings (maximum allowable PFDavg) required to
meet overall company targets
2. System description, hazards and safeguards
3. Reference design documents
4. APLoPA Results
5. APTree Results (if applicable)
6. Failure rate data with references used in analysis

This report is being stored in a common work area that is shared within the company’s
Process Safety community for reuse on future projects and evaluations.

SIL Verification

Once a safety instrumented function was identified during the assessment phase, a
detailed review and quantification of the safety instrumented function risk reduction
capability was performed. This included review and collection of the following
information:
1. Equipment Operating and Maintenance Manuals
2. SIF electrical schematics
3. SIF vendor model number and catalog data
4. Component failure rate/performance data
5. Safety manuals that might exist.

If applicable failure rate data was not available from the manufacturer or was
insufficient, an internal failure rate database was used. The PFDavg of each individual
SIF was calculated as a function of proof test frequency using APTree software. An
example of a 1oo1 (one-out-of-one) High Pressure SIF evaluated using APTree is shown in
Figure 4.

[Figure 4, fault tree, text reconstruction. Each gate's LB is the sum of its inputs'
failure rates, i.e. the gates are OR gates. Indentation shows gate inputs.]

HPSIF: High pressure SIF 1oo1 fails to function        LB=6.549E-2   PB=6.319E-2
  SL: Sensor / hardwired logic failure                 LB=5.159E-2   PB=5.015E-2
    R1 relay fails to function                         L=3.0E-3   T=2   P0=1.0E-4
    Pressure switch fails to function                  L=4.64E-2  T=2   P0=1.0E-4
    Impulse line plugged                               L=2.19E-3  T=2   P0=1.0E-4
    Block valve in impulse tubing closed               (no failure data; see notes)
  Iso: Isolation valve fails to close                  LB=1.39E-2    PB=1.397E-2
    Ball valve fails to close                          L=1.18E-2  T=2   P0=1.0E-4
    Solenoid valve fails to vent                       L=2.1E-3   T=2   P0=1.0E-4

Figure 4 Notes: Clean dry vapor service. Block valve purposely not installed in
impulse tubing.

Figure 4: APTree Example

Figure 4 Terminology

Fault Tree Component Inputs
1. L = Failure Rate (Yr^-1)
2. P0 = Probability of being failed at time zero
3. T = Proof test interval (Yr)

Fault Tree Gate Outputs
1. LB = Average Failure Rate (Yr^-1)
2. PB = PFDavg (probability)

The PFDavg was determined for multiple proof test frequencies. An example summary of
the PFDavg for both the 1oo1 and 1oo2 High Pressure SIFs from Figure 2 is given in
Table 3.

Table 3: PFDavg Summary Results

Proof Test Interval (years) | PFDavg 1oo1 (Yr^-1) | PFDavg 1oo2 (Yr^-1)
0.5                         | 0.0169              | 0.0131
1                           | 0.0325              | 0.0257
2                           | 0.0632              | 0.0504
3                           | 0.0925              | 0.0743

Following calculation of the PFDavg for each SIF, these layers of protection were
inserted back into the original LOPA analysis to confirm that our corporate risk targets
(target frequency) were being met. Figure 5 shows the final LOPA analysis using the
PFDavg calculated during the SIL Verification phase of the case study. In this example, a
SIF proof test frequency of 1 year is required to meet the target frequency.

Layer of Protection Analysis Report - Generated 09-Mar-2007 16:44:30

Scenario: Pressure vessel rupture due to overpressure (SIF Credit per Verification)
Calculation: Complete    References: Incomplete
Target Frequency: 5.0E-06    Calculated Frequency: 4.7111E-06    Required Performance: Target Achieved

Columns, in order: Intermediate Event Frequency (1/yr) | Initiating Cause |
Initiation Frequency (1/yr) | Alarm Protection Layer Fails to Protect | PIC vent control
fail to vent | 1oo2 HP SIF fail to function | 1oo1 HP SIF fail to function | Spring
Operated Relief Valve Fails to Open | Probability Vessel Ruptures | Prob Person Present |
Prob of Fatality if Person Present

4.19E-06 | Pressure letdown PIC (loop) fails dangerous | 0.1      | 1 | 0.1 | 0.0257 | 1      | 0.0163 | 1 | 1 | 1
2.09E-07 | Common Mode BPCS dangerous output          | 5.00E-04 | 1 | 1   | 0.0257 | 1      | 0.0163 | 1 | 1 | 1
3.13E-07 | Control valve spuriosusly fails open       | 5.90E-03 | 1 | 0.1 | 1      | 0.0325 | 0.0163 | 1 | 1 | 1

Date: 09-Mar-2007 16:44:07    Analyst: DAYJD    Version: 2.1.1 - 2.0.0

Figure 5: Final LOPA Analysis Report with SIS Credit

Overall Event Likelihood = 4.19x10^-6 + 2.09x10^-7 + 3.13x10^-7 = 4.71x10^-6 (yr^-1)
(With SIS Credit)

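The two LOPA reports (Figure 3 without SIF credit, Figure 5 with the verified PFDavg inserted) are the same calculation run twice, and the "required performance" figure in between is what turns the assessment into a SIL target. The block below is an added example written for this page, not APLoPA or any Air Products code; it reproduces both reports from the page's illustrative values. Each intermediate event frequency is the initiation frequency multiplied by every listed layer's probability of failing to protect, the calculated frequency is the sum over initiating causes, and the required PFDavg is the target divided by that sum. One reading of Figure 5 is built in as an assumption: the report credits the 1oo2 HP SIF against the PIC and BPCS causes and the 1oo1 HP SIF against the control valve cause, so each cause here names the SIF that can be credited for it. The SIL bands in `sil_band` are the IEC 61511 low-demand ranges (SIL 1: PFDavg in [1E-2, 1E-1), and so on), which is how the page's "falls within the SIL 1 range" is derived. Data names and the `Scenario`/`InitiatingCause` structures are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example (not APLoPA): the arithmetic behind Figures 3 and 5.
# All numeric data are the page's illustrative values.


@dataclass(frozen=True)
class InitiatingCause:
    name: str
    frequency: float                          # initiation frequency, 1/yr
    layers: Tuple[Tuple[str, float], ...]     # (layer, probability it fails to protect); 1.0 = no credit
    sif: str                                  # SIF layer creditable for this cause (assumption from Figure 5)


@dataclass(frozen=True)
class Scenario:
    name: str
    target_frequency: float                   # corporate risk target, 1/yr
    causes: Tuple[InitiatingCause, ...]


def sil_band(pfd: float) -> Optional[int]:
    """IEC 61511 low-demand SIL for a required PFDavg; None outside SIL 1-4."""
    bands = ((1e-2, 1e-1), (1e-3, 1e-2), (1e-4, 1e-3), (1e-5, 1e-4))
    for sil, (lo, hi) in enumerate(bands, start=1):
        if lo <= pfd < hi:
            return sil
    return None


def intermediate_frequency(cause: InitiatingCause,
                           sif_pfd: Optional[Dict[str, float]] = None) -> float:
    """Initiation frequency times every layer's failure probability. When a
    verified PFDavg is supplied for the cause's SIF it replaces that layer's 1.0."""
    freq = cause.frequency
    for layer, p in cause.layers:
        if sif_pfd is not None and layer == cause.sif:
            p = sif_pfd[layer]
        freq *= p
    return freq


def evaluate(scenario: Scenario, sif_pfd: Optional[Dict[str, float]] = None) -> dict:
    """One APLoPA-style report: per-cause rows, total, and what the SIS must achieve."""
    rows = [(c.name, intermediate_frequency(c, sif_pfd)) for c in scenario.causes]
    calculated = sum(f for _, f in rows)
    achieved = calculated <= scenario.target_frequency
    required = None if achieved else scenario.target_frequency / calculated
    return {
        "rows": rows,
        "calculated_frequency": calculated,
        "target_achieved": achieved,
        "required_pfd": required,             # maximum allowable PFDavg for the SIS
        "required_sil": None if required is None else sil_band(required),
    }


def _layers(alarm: float, pic_vent: float, relief: float = 0.0163):
    """Figure 3 column order; SIFs and conditional modifiers carry no credit yet."""
    return (("Alarm protection layer", alarm), ("PIC vent control", pic_vent),
            ("1oo2 HP SIF", 1.0), ("1oo1 HP SIF", 1.0),
            ("Spring operated relief valve", relief), ("Vessel ruptures", 1.0),
            ("Person present", 1.0), ("Fatality if person present", 1.0))


FIGURE3_SCENARIO = Scenario("Pressure vessel rupture due to overpressure", 5.0e-6, (
    InitiatingCause("Pressure letdown PIC (loop) fails dangerous", 0.1, _layers(1.0, 0.1), "1oo2 HP SIF"),
    InitiatingCause("Common mode BPCS dangerous output", 5.0e-4, _layers(1.0, 1.0), "1oo2 HP SIF"),
    InitiatingCause("Control valve spuriously fails open", 5.9e-3, _layers(1.0, 0.1), "1oo1 HP SIF"),
))

# Verified PFDavg from Table 3, keyed by proof test interval in years
TABLE3_PFD = {1.0: {"1oo1 HP SIF": 0.0325, "1oo2 HP SIF": 0.0257},
              2.0: {"1oo1 HP SIF": 0.0632, "1oo2 HP SIF": 0.0504}}


if __name__ == "__main__":
    runs = (("no SIF credit", None), ("1-yr proof test", TABLE3_PFD[1.0]),
            ("2-yr proof test", TABLE3_PFD[2.0]))
    for label, credit in runs:
        r = evaluate(FIGURE3_SCENARIO, credit)
        verdict = ("target achieved" if r["target_achieved"] else
                   f"required PFDavg {r['required_pfd']:.3E} (SIL {r['required_sil']})")
        print(f"{label:16s} calculated {r['calculated_frequency']:.4E}  {verdict}")
```

Running it with the 2-year Table 3 values shows why the page concludes that a 1-year proof test interval is required: at 2 years the calculated frequency stays above the 5E-06 target, at 1 year it drops to 4.7111E-06 and the report switches to "Target Achieved".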
The final results for each SIF were summarized in a SIL Verification Report. This report
included the following information:
1. Detailed SIF description
2. PFDavg results
3. Reference design documents
4. Design, Configuration and Mechanical Integrity assumptions
5. APTree reports

This report is being stored in a common work area that is shared within the Air Products
Engineering community for reuse on future projects and evaluations.

CONCLUSION

Air Products and Chemicals has begun implementation of a standardized approach to
perform SIL Assessments and Verifications when necessary. This risk-based approach
included development of training materials and software tools customized to our
modified internal work process. An application library of commonly used instrumented
protection schemes allows for pre-evaluated and consistent designs across multiple
business areas. This approach allows for a cost effective and timely design of safety
instrumented protections for our business.

References

1. IEC 61511, "Functional safety - Safety instrumented systems for the process industry
sector".

2. ANSI/ISA-84.00.01-2004 Parts 1-3 (IEC 61511 Mod), "Functional Safety: Safety
Instrumented Systems for the Process Industry Sector".

3. ANSI/ISA-84.01-1996, Application of Safety Instrumented Systems for the Process
Industry.

4. CCPS Guideline Book, Layer of Protection Analysis – Simplified Process Risk
Assessment, New York, New York, 2001.

5. ISA TR84.00.04 Part 1, Guidelines for the Implementation of ANSI/ISA-84.00.01-2004
(IEC 61511 Mod), 2005.
