A Case Study of Safety Integrity Level Assessment and Verification: Electronics Division Product Line Evaluation and Analysis

John Day, Hal Thomas, and James VanOmmeren
Air Products and Chemicals, Allentown, PA 18195; [email protected] (for correspondence)

Published online 18 December 2007 in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/prs.10243

With the adoption of the IEC 61511 (Functional safety—Safety instrumented systems for the process industry sector) and ANSI/ISA-84.00.01-2004 (IEC 61511 Mod, Functional safety: safety instrumented systems for the process industry sector, Parts 1–3) standards, Air Products and Chemicals has made a concerted effort to provide a standardized approach to the design and implementation of safety instrumented systems following the safety lifecycle model. This presentation provides a case study describing the methodology used during the safety integrity level (SIL) assessment and verification of existing electronics division product lines. SIL assessment was accomplished through the use of hazard identification and likelihood, consequence, and risk analysis. Each of the electronics division products' safety instrumented functions (SIF) was identified during SIL assessment, making use of both layer of protection analysis (LOPA) and consequence analysis. A target SIL was determined for each SIF through quantitative and qualitative analysis. SIL verification was accomplished using fault tree analysis in order to determine the average probability of failure on demand (PFDAVG) of each SIF. This analysis was a joint collaboration between the process safety and process controls engineering teams.

© 2007 American Institute of Chemical Engineers. Process Saf Prog 27: 185–191, 2008

Keywords: SIL assessment, SIL verification, LOPA, IEC 61511

COMPANY BACKGROUND

The electronics division of Air Products and Chemicals is a $2 billion (FY2006) in sales global business focused on providing specialty gases and chemicals, high purity equipment, and on site services to the electronics market. Our customers include manufacturers of integrated circuits, memory chips, liquid crystal displays, and light emitting diodes.

BACKGROUND

In 2003, Air Products began a proactive approach to develop internal work processes, tools, and training in anticipation of the pending adoption of ANSI/ISA-84.00.01-2004. This included the development of the following aids for use in SIL assessment and SIL verification:

1. Software tools
2. Global work processes
3. Global engineering standards and procedures
4. Training materials
5. SIL application library
6. Standard templates for SIL documentation

Please note that it is not appropriate to reference the data in this paper as it was developed for illustration purposes only. Actual analyses require data references and risk targets that are both auditable and defensible by the company performing the analysis.

Process Safety Progress (Vol.27, No.3) September 2008 185


Internally developed software tools have been deployed for use by Air Products process safety and engineering personnel. Fault tree analysis software (APTree) and layer of protection analysis software (APLoPA) have been developed for quantifying risks, performing frequency analysis, and for verification of safety instrumented system performance. Failure rate data and frequency data for use by these programs were obtained through industry generic failure rate data books, third party consultants, licensed databases, supplier safety manuals, supplier failure mode effects and diagnostic analysis reports, and internal process plant operating experience.

Basic engineering policies (BEP) for use in the design and implementation of safety instrumented systems were developed in order to establish and communicate the company's high level policy and strategy for the transition to the new industry standard. The BEP provided guidance for the more specific and detail oriented engineering procedures and standards which were then developed.

Training materials were prepared using both internal and external process safety, process control, and instrumentation design experts. These materials covered various aspects of process safety analysis and were developed with specific Air Products terminology and work processes in mind. This training was rolled out to the company in a systematic approach.

An applications library was developed that contains typical instrumented protection system designs that have been preanalyzed to support production engineering, as well as fundamental information such as FMEA reports, manufacturer safety manuals, etc. After completion, SIL assessments were added to the library for future use to support management of change or to serve as a starting point for similar applications. This library has the benefit of helping to reduce engineering time and to facilitate consistent implementations across multiple business units.

Standard templates for SIL assessment and verification reports were developed. These reports provide a consistent presentation format that aids the ease of use and understanding of the material.

CASE STUDY SPECIFICS

This case study describes the work process followed in the SIL assessment and verification of previously designed safety instrumented systems within our electronics division equipment product lines. The analysis examples presented in this case study are for illustrative purposes only.

Data Gathering

A summary of products for evaluation was prepared and grouped per application and known hazards. A number of equipment offerings were evaluated using the work process described in this case study. This includes equipment products listed in the following product groups:

Figure 1. ISA 84.01 safety lifecycle.

1. GasGuard® QMAC: analytical systems/product quality monitoring systems
2. GasGuard® bulk specialty gas systems (BSGS)
3. GasGuard® high flow systems, gas cabinets, valve manifold boxes
4. Isomodule/Y cylinder heater control systems
5. GGT® subatmospheric gas generators
6. Nitrogen purifiers

These product groups have been designed by Air Products over the past 10 years for both internal use and for sale to outside customers. Hazard identification and consequence analysis had been performed during the development of the individual product lines. Instrumented protections were previously designed based on the hazard and consequence analysis. This information was collected and used in the SIL assessment and verification.

The steps outlined in the safety lifecycle [1] (Figure 1) were used as the basis for the evaluation. Some steps were bypassed as the products being evaluated were existing designs. For this case study, the existing process hazard analysis (PHA) and risk assessment were examined and updated using layer of protection analysis (LOPA) [2,3]. A SIL target was defined for each SIF by back-calculating the risk reduction that SIF needed to achieve in order to satisfy the Air Products corporate risk target. Each existing SIF was then evaluated to determine what performance could be achieved given its design, architecture, configuration, and mechanical integrity program. Calculated performance was then compared to the SIL target (using maximum allowable PFDAVG) to confirm that the safety instrumented function, coupled with the other layers of protection, was adequate to meet our corporate risk target.

SIL Assessment

The goal of the SIL assessment was to identify all safety instrumented functions (SIF) and to determine a required performance level for each SIF. Air Products classifies risks into importance levels (L1 through L3). Only L3S SIFs were evaluated during this case study. It is Air Products' interpretation that the L3S classification corresponds to a SIF as defined in IEC 61511. Table 1 describes the importance level classifications used within Air Products.

Table 1. Importance level classification.

Importance Level | Class Subcategory | Application Examples | Basis/Comments
L1 | L1 | Regulatory control | Maximum flexibility, minimum risk
L1 | L1 | Equipment interlocks where loss of equipment is not considered significant | Financial risk acceptable to the responsible business area
L1 | L1 | Environmental monitoring; equipment monitoring; information/status; shutdown prealarms; shutdown associated with acceptable risk involving equipment damage, business interruption |
L2 | L2S | Emergency response – fire detection backing up automatic sprinklers | Safety, health, and/or environmental protection involving specific regulatory requirements or providing protection against loss of process or energy containment
L2 | L2S | Protection required to comply with federal, state, or local regulations |
L2 | L2S | Safety, health, and/or environmental protection deemed important, but not meeting the definition of critical safety protection |
L2 | L2P | Loss prevention for: major equipment damage; significant business interruption; significant environmental risk | Financial risk or asset protection that is unacceptable to the responsible business area
L3 | L3S | Critical safety protection | Considered a safety instrumented function (SIF) per IEC 61511
L3 | L3S | Protection that is designed to prevent an immediate, life-threatening process safety incident when a demand occurs |
L3 | L3P | Critical product protection | Critical product protection as defined by internal company work process


At Air Products, the importance level helps classify the level of security, administrative controls, and mechanical integrity requirements. The importance level also provides guidance and requirements for the level of segregation and independence required between the safety instrumented system (SIS) and the basic process control system (BPCS).

PHA information that was prepared during the design phase was reviewed to identify instrumented safeguards. Air Products typically employs the HAZOP methodology for process hazard identification analysis. An example of a typical PHA HAZOP worksheet is listed in Table 2. The PHA report details the possible hazards, the consequence of the hazard, and any safeguards that may exist. Note that the safeguards may include equipment and process design, mechanical protection systems, instrumented protection systems, and administrative controls.

The layer of protection analysis (APLoPA) and fault tree analysis (APTree) software programs developed by Air Products were used during the SIL assessment and verification work process. APTree was used to determine initiating cause frequencies for the LOPA when needed and the PFDAVG for identified SIFs. LOPA accounts for the multiple layers of independent protection that are typically part of a process design.

Typical layers of protection may include:

1. Basic process control system (BPCS)—regulatory control
2. Alarms that provide enough time for knowledgeable operators to recover from initial upsets prior to the hazardous event
3. Safety instrumented functions
4. Inherent pressure containing strength
5. Pressure relief devices
6. Secondary containment
7. Barricades
8. Administrative controls
9. Exposure probability

The LOPA results are reported in a table format from the APLoPA software. Figures 2 and 3 illustrate an example (developed for training purposes) that demonstrates the execution and methodology used during the SIL assessment portion of the case study.

Figure 2 shows a representation of a typical control and safety instrumented system used for overpressure protection of a pressure vessel. Figure 3 details the APLoPA report for the example in Figure 2.

The following points apply to Figure 3:

1. This analysis assumes that the pressure letdown control and the vent control utilize totally independent input and output cards.
2. No credit is taken for the alarm layer of protection because of lack of operator response time.
3. No credit for SIS protection is taken during this stage of analysis.

The LOPA results detail the initiating causes and the frequency of each event that was evaluated. All layers of protection receiving credit are listed with their respective probability of failure. In the example in Figure 3, the overall event likelihood that the vessel will rupture due to overpressure is the sum of the individual intermediate event likelihoods. This can be calculated as follows:

Overall event likelihood $= 1.63 \times 10^{-4} + 8.15 \times 10^{-6} + 9.62 \times 10^{-6} = 1.81 \times 10^{-4}\ \mathrm{yr^{-1}}$ (Without SIS Credit)

The performance level, or maximum allowable PFDAVG, required for the SIS is determined by dividing the target frequency by the overall event likelihood. In this example, an additional $2.77 \times 10^{-2}$ PFDAVG risk reduction is required from the SIS to meet a target frequency of $5 \times 10^{-6}$. The required SIS performance falls within the SIL 1 range, but we perform our SIL verification to ensure that the actual "as designed and maintained SIF" does not exceed this value, i.e., the SIF PFDAVG must be less than or equal to the required maximum allowable PFDAVG.

Table 2. Typical process hazards analysis HAZOP worksheet.

Deviation | Causes | Consequences | Safeguards | Class | Recommendations
High pressure | Column steam reboiler pressure control failure, causing excessive heat input | Column overpressure and potential mechanical failure of the vessel and release of its contents | Mechanical design of vessel | L1 | Install SIF within the SIS to stop reboiler steam flow upon high column pressure
 | | | High pressure alarms with operator intervention | L1 |
 | | | Pressure relief valve | L3 |
High pressure | Steam reboiler tube leak causing high pressure steam to enter vessel | Column overpressure and potential mechanical failure of the vessel and release of its contents | High pressure alarms with operator intervention | L1 | See previous item
 | | | Pressure relief valve | L3 |

The assessment results were summarized in a SIL assessment report. This report included the following information:

1. Executive summary of the SIL ratings (maximum allowable PFDAVG) required to meet overall company targets
2. System description, hazards, and safeguards
3. Reference design documents
4. APLoPA results
5. APTree results (if applicable)
6. Failure rate data with references used in analysis

This report is being stored in a common work area that is shared within the company's process safety community for reuse on future projects and evaluations.

SIL Verification

Once a safety instrumented function was identified during the assessment phase, a detailed review and quantification of the safety instrumented function's risk reduction capability was performed. This included review and collection of the following information:

1. Equipment operating and maintenance manuals
2. SIF electrical schematics
3. SIF vendor model number and catalog data
4. Component failure rate/performance data
5. Safety manuals that might exist

Figure 2. Overpressure protection diagram.

Figure 3. LOPA report example (without SIS credit).

If applicable failure rate data was not available from the manufacturer or was insufficient, an internal failure rate database was used. The PFDAVG of each individual SIF was calculated as a function of proof test frequency using APTree software. An example of a 1 out of 1 high pressure SIF evaluated using APTree is shown in Figure 4. Figure 4 terminology is as follows:

Component inputs:
1. L = Failure rate (per year)
2. P0 = Probability of being failed at time zero
3. T = Proof test interval (years)

Gate outputs:
1. LB = Average failure rate (yr^-1)
2. PB = PFDAVG (probability)

The PFDAVG was determined for multiple proof test frequencies. An example of the summary of PFDAVG for both the 1oo1 and 1oo2 high pressure SIFs from Figure 2 is given in Table 3.

Following calculation of the PFDAVG for each SIF, these layers of protection were inserted back into the original LOPA analysis to confirm that our corporate risk targets (target frequency) were being met. Figure 5 shows the final LOPA analysis using the PFDAVG calculated during the SIL verification phase of the case study. In this example, a SIF proof test frequency of 1 year is required to meet the target frequency.

Overall event likelihood $= 4.19 \times 10^{-6} + 2.09 \times 10^{-7} + 3.13 \times 10^{-7} = 4.71 \times 10^{-6}\ \mathrm{yr^{-1}}$ (Without SIS Credit)
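The two LOPA sums above and the proof test study in Table 3 can be carried through in a few lines. The following Python is an added worked example, not the paper's APLoPA or APTree software: it uses the intermediate event likelihoods, the target frequency and the Table 3 PFDAVG values quoted in the paper, and it assumes an allocation of the three initiating causes to the 1oo2 and 1oo1 SIFs (chosen so that the with-SIS sum matches the paper's) and a standard single-channel PFDAVG model in place of the fault tree.

```python
"""Worked LOPA / SIL check for the paper's overpressure example.

Added illustration, not Air Products' APLoPA or APTree code. The intermediate event
likelihoods, the target frequency and the Table 3 PFDavg values are the ones quoted in
the paper; the cause-to-SIF allocation and the single-channel PFDavg model are assumptions.
"""
import math

# Low-demand-mode SIL bands from IEC 61511, as PFDavg ranges [low, high).
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]

# Intermediate event likelihoods (yr^-1) of the three initiating causes, without SIS credit.
INTERMEDIATE = [1.63e-4, 8.15e-6, 9.62e-6]
TARGET_FREQUENCY = 5e-6  # yr^-1, corporate risk target used in the paper's example
# Assumed: causes 1 and 2 are stopped by the 1oo2 high pressure SIF, cause 3 by the 1oo1 SIF.
SIF_FOR_CAUSE = ["1oo2", "1oo2", "1oo1"]
# Table 3 of the paper: proof test interval (yr) -> PFDavg per SIF architecture.
TABLE3 = {
    0.5: {"1oo1": 0.0169, "1oo2": 0.0131},
    1.0: {"1oo1": 0.0325, "1oo2": 0.0257},
    2.0: {"1oo1": 0.0632, "1oo2": 0.0504},
    3.0: {"1oo1": 0.0925, "1oo2": 0.0743},
}

def overall_event_likelihood(intermediate):
    """Unmitigated hazard frequency: the sum of the per-cause intermediate likelihoods."""
    return sum(intermediate)

def max_allowable_pfd(target_frequency, overall_likelihood):
    """Risk reduction the SIS must supply: target frequency divided by unmitigated frequency."""
    return target_frequency / overall_likelihood

def sil_for_pfd(pfd):
    """SIL band containing a required PFDavg; None if no SIL is needed or SIL 4 is exceeded."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None

def pfd_avg_1oo1(failure_rate, proof_test_interval, p0=0.0):
    """Single-channel PFDavg: PFD(t) = 1 - (1 - P0) e^(-L t) averaged over one interval T.
    For small L*T this is close to L*T/2 + P0; the exact form avoids over-crediting long T."""
    x = failure_rate * proof_test_interval
    return 1.0 - (1.0 - p0) * (1.0 - math.exp(-x)) / x

def mitigated_likelihood(intermediate, sif_for_cause, pfd_by_arch):
    """Re-insert the SIFs as protection layers: each cause's likelihood times its SIF's PFDavg."""
    return sum(f * pfd_by_arch[arch] for f, arch in zip(intermediate, sif_for_cause))

def longest_passing_interval(intermediate, sif_for_cause, table, target):
    """Longest tabulated proof test interval whose mitigated likelihood still meets the target."""
    passing = [t for t, pfds in table.items()
               if mitigated_likelihood(intermediate, sif_for_cause, pfds) <= target]
    return max(passing) if passing else None

if __name__ == "__main__":
    unmitigated = overall_event_likelihood(INTERMEDIATE)
    required = max_allowable_pfd(TARGET_FREQUENCY, unmitigated)
    print(f"unmitigated {unmitigated:.2e}/yr, required PFDavg {required:.2e}, SIL {sil_for_pfd(required)}")
    for t in sorted(TABLE3):
        print(f"T = {t} yr: mitigated {mitigated_likelihood(INTERMEDIATE, SIF_FOR_CAUSE, TABLE3[t]):.2e}/yr")
    print("longest passing proof test interval (yr):",
          longest_passing_interval(INTERMEDIATE, SIF_FOR_CAUSE, TABLE3, TARGET_FREQUENCY))
```

Run as a script, it shows the 2-year and 3-year intervals overshooting the $5 \times 10^{-6}$ per year target while the 1-year interval meets it, which is the conclusion the paper draws from Figure 5.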

The final results for each SIF were summarized in a SIL verification report. This report included the following information:

1. Detailed SIF description
2. PFDAVG results
3. Reference design documents
4. Design, configuration, and mechanical integrity assumptions
5. APTree reports

This report is being stored in a common work area that is shared within the Air Products engineering community for reuse on future projects and evaluations.

Table 3. PFDAVG summary results.

Proof Test Interval (years) | PFDavg 1oo1 (Yr^-1) | PFDavg 1oo2 (Yr^-1)
0.5 | 0.0169 | 0.0131
1 | 0.0325 | 0.0257
2 | 0.0632 | 0.0504
3 | 0.0925 | 0.0743

Figure 4. APTree example.

CONCLUSION

Air Products and Chemicals has begun implementation of a standardized approach to perform SIL assessments and verifications when necessary. This risk-based approach included development of training materials and software tools customized to our modified internal work process. An application library of commonly used instrumented protection schemes allows for pre-evaluated and consistent designs across multiple business areas. This approach allows for a cost effective and timely design of safety instrumented protections for our business.

LITERATURE CITED

1. ANSI/ISA-84.01-1996: Application of Safety Instrumented Systems for the Process Industry.
2. CCPS Guideline Book, Layer of Protection Analysis—Simplified Process Risk Assessment, New York, New York, 2001.
3. ISA TR84.00.04 Part 1, Guidelines for the Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511 Mod), 2005.

Figure 5. Final LOPA analysis report with SIS credit.
