Karydas - Mahnken - 2004 - Psam7 - Hazop PDF


Risk Mitigation on Ammonia and Methanol Primary Steam Reformers using Retrofitted Safety Instrumented Systems: A Comparative Cost-benefit, Risk-informed Study

Dimitrios Karydas¹, Glenn Mahnken¹
¹ FM Global, P.O. Box 9102 Norwood, Massachusetts, USA

Abstract.
Primary steam reformers used in the “front end” of ammonia and methanol process plants are subject to severe property damage and extended production downtime in case of accidents initiated by abnormal deviations in certain process parameters. Safety instrumented systems can be installed on primary reformers to help reduce the frequency of such process upsets. After conducting a hazard analysis to identify the critical process parameters in a primary reformer, the appropriate level of reliability for instrumented safeguards should be determined using known risk ranking methods. A risk-informed cost-benefit analysis tool can then be deployed to compare alternative safety instrumentation systems, as demonstrated by an example in this paper.

1. Introduction
The methodology for the assessment of the functional specifications and selection of the safety integrity level (SIL) of safety instrumented systems (SIS) for the purpose of risk reduction for any hazardous industrial process was described in an earlier paper [1]. To summarize, the following steps are involved:
1. Conduct a process hazards analysis in order to identify process safety functions and differentiate these functions from basic process control functions.
2. Allocate the identified safety functions to SIS or other means of protection.
3. Evaluate the criticality and needed SIL of the safety functions allocated to SIS in terms of the necessary risk reduction associated with the identified process hazards.
4. Select the appropriate SIS that will perform the identified safety functions at the required SIL.

This paper describes the application of the above methodology to the primary reforming process utilized in the manufacture of methanol and ammonia. In addition, we present a method for comparing the cost of risk reduction, as achieved by the alternatives of conventional hard-wired interlocks or programmable SIS.

2. Hazards Analysis of Primary Steam Reformers

The first key step in the conventional process for manufacture of methanol and ammonia is the production of hydrogen and oxides of carbon by a catalytic reforming reaction of process steam and desulphurized natural gas feedstock at high pressure (30 bar) and temperature (800 °C). The reaction takes place inside special alloy tubes which are externally heated in the radiant section of a large, gas-fired furnace (primary reformer). A typical gas-fired reformer furnace is on the order of 10 – 15 m high and has a footprint of approximately 30 m x 25 m. Based on loss experience, the most frequently occurring catastrophic failure mode for primary reformers involves catalyst tube overheating and rupture, which can result in property damages of several million $US and significant business interruption, for “re-tubing” the reformer furnace. Utilizing known hazard analysis techniques such as Hazard and Operability Study, or HAZOP [2], the process deviations which can lead to such accidents can be identified, as indicated in Table 1, which depicts a worksheet page of a hypothetical Hazard and Operability (HAZOP) study of a steam reformer.

Process deviation: low steam flow to catalyst tubes

Cause:
- Waste heat boiler failure (dry-firing, feedwater piping freezing, etc.)
- Superheater failure in reformer convection section
- Rupture of high pressure steam piping or header
- Pigtail or reformer tube cracks
- Operator error

Consequence: Rapid overheating of catalyst and tubes resulting in tube damage, and catalyst decomposition. The latter may cause subsequent tube overheating and destruction upon restart.

Safeguard:
- Provide a low steam flow trip
- Mechanical Integrity Program: NDE and hydrostatic tests on steam system pressure parts; Fitness for Service methodology; visual inspections.
- Procedures and Operator training

C: 2    F: 4    SIL: 3

Table 1. Example worksheet page from a HAZOP on a Primary Reformer (Note: Critical safety systems should be identified during the HAZOP study and highlighted)

The worksheet in Table 1 demonstrates the necessary focus of the hazard analysis on the clear presentation of safety functions to be performed by SIS or hard-wired interlocks. A complete set of HAZOP worksheets for a primary reformer would identify several additional critical process parameters, including process gas flow, steam-to-carbon ratio, and reformer fuel flow.

Special attention should be given during the HAZOP to identify necessary safety functions and characterize their criticality, so they can be allocated to SIS with a commensurate SIL. The analysis team must clearly highlight the identified critical safety functions, especially to differentiate them from the functions performed by the less reliable basic process control systems of the reformer. Columns C, F, and SIL in Table 1 become the foundation of the functional specification for the safety integrity level of the SIS, as explained below.

3. Safety Instrumented Systems

International standards, such as the International Electrotechnical Commission IEC 61508 [3] and ISA-SP84 [4] of the Instrument Society of America, establish performance-based criteria for the life cycle (i.e., the design, installation, operation, and decommissioning) of programmable electronic systems (PES) used for safety related functions. Quantitative definitions of Safety Integrity Levels (SIL) are given in ISA-SP84 and IEC 61508. Each SIL corresponds to a range of probability of failure on demand. The IEC 61508 definitions are listed in Table 2.

| Safety Integrity Level (SIL) | Probability of Failure on Demand (PFD) | Risk Reduction Factor [5] |
|---|---|---|
| 4 | 10⁻⁴ - 10⁻⁵ | >10,000 |
| 3 | 10⁻³ - 10⁻⁴ | 1,000-10,000 |
| 2 | 10⁻² - 10⁻³ | 1,000-100 |
| 1 | 10⁻¹ - 10⁻² | 10-100 |

Table 2. Safety Integrity Level, as defined by IEC 61508

The criticality of the process deviation should be defined in terms of its likelihood (F) and severity of consequences (C) during the process hazards analysis. A corresponding safety integrity level (SIL) can then be assigned to each critical function using agreed upon quantitative or qualitative risk ranking matrices [1].

4. Risk-informed Cost Benefit Comparison of Alternative Safety Systems

Achieving risk reduction through installation of SIS may lead to the need for cost comparison of competing alternative instrumentation systems. Considering, for example, that a primary steam reformer has been severely damaged by a tube overheating accident and needs refractory and structural repairs, in addition to being completely “re-tubed”, the owner might be faced with a decision to install either a conventional relay-based (hardwired) or a programmable safety instrumented system for protection of the rebuilt furnace. The costs indicated in Table 3 were assumed for purposes of an example and should not be taken as representative for actual situations. The intent of this example is to illustrate a method for comparison and not to intentionally favor either alternative.

| Item | Probability Distribution | HWS ($US Mil) | PES ($US Mil) |
|---|---|---|---|
| Installation & Maintenance | | | |
| Purchase Cost | None - fixed | $0.15 | $0.30 |
| Maintenance Cost @ $20k/y for 20 years | Normal | $0.40 | $0.10 |
| Training Cost @ $3k/y for 20 years | Normal | $0.06 | $0.10 |
| Sub Total | | $0.61 | $0.50 |
| If SIS functions properly upon demand | | | |
| Property Damage | Normal | $0.40 | $0.40 |
| Business interruption (one day downtime) | Normal | $0.20 | $0.20 |
| SIS repair cost per event | none | $0.00 | $0.00 |
| Sub Total | | $0.60 | $0.60 |
| If SIS FAILS upon Demand | | | |
| Property Damage | Normal | $10.00 | $10.00 |
| Business interruption | Uniform | $45.00 | $15.00 |
| SIS repair cost per event | Normal | $0.02 | $0.01 |
| Sub Total | | $55.02 | $25.01 |

Table 3. Cost Assumptions for Risk-based Cost Comparison of Hard-wired System (HWS) vs. Programmable SIS (PES). Shaded items are treated as random variables.

A fixed purchase cost of equipment was assumed for each option, while other factors were assumed to be uncertain variables described by the indicated probability functions. Based upon reports from industry sources, in some situations the hard-wired system can present very long lead times of 6-9 months or more for design and installation, while a PES requires a relatively short 2-3 months. This difference in lead times is reflected in this example by the higher cost of Business Interruption allocated to the case of failure of the hard-wired system to respond upon demand. Property damage, on the other hand, is considered essentially independent of the type of instrumentation.

Once the important costs and their associated distribution functions are established, the two options can be compared by a simple Monte Carlo simulation in which the probability of failure on demand for the two competing options is assumed to follow a given probability distribution.

Table 4 shows the results of a comparison of hard-wired vs. programmable SIS based on the cost assumptions in Table 3. A Monte Carlo simulation was run assuming a binomial probability distribution for failure on demand, with average failure rate equal to the indicated SIL. The SIL (or average failure on demand rate) of the HWS was maintained constant at 5 × 10⁻⁴, while the SIL or average failure rate of the PES was taken as the independent variable (SIL 2, 3 and 4). For purposes of simplifying the comparison of the alternative safety systems, the number of demands made by the process was assumed to be constant at 5 demands per year for the two systems. The 20-year life cycle “total predicted cost” of each system was determined by an algorithm which includes the probabilistically weighted costs of potential losses in case of random failures of the system to respond on demand to a process upset. Each case in the table was run at a simulation level of 10,000 trials using “Crystal Ball” software [6]. The “preferred system” for each case indicated in Table 4 is the one whose total predicted cost is expected to be less than the predicted cost of the competing safety system.

| Case | SIL of HWS | SIL of PES | Preferred System | Confidence (percentile) |
|---|---|---|---|---|
| 1 | 5 × 10⁻⁴ | 5 × 10⁻⁴ | PES | 88.9 |
| 2 | 5 × 10⁻⁴ | 5 × 10⁻³ | PES | 61.8 |
| 3 | 5 × 10⁻⁴ | 5 × 10⁻² | HWS | 94.7 |

Table 4. Comparison of Hard-wired (HWS) vs Programmable (PES) Safety Systems based on Total Predicted Costs.

Case No. 1 indicates that where the two safety systems have equal likelihood of failure on demand (SIL 4), the PES represents a lower total predicted cost, with 88.9 % confidence level. In this situation, the larger Business Interruption (BI) penalty associated with longer lead times for the HWS is the predominant factor in the simulation. For Case No. 3, on the other hand, the PES is assigned a 100-fold higher failure rate, or a SIL 2, which is typical of the reliability level of an ordinary industrial PLC with built-in redundancy and self diagnostics of high coverage factor used to perform safety functions. For this case, the higher reliability of the HWS vs. the PES predominates and the HWS becomes the preferred system.
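
The comparison described in this section can be sketched as follows. This is an added example, not the authors' Crystal Ball model: the mean costs, the 5 demands per year, the 20-year life and the binomial failure model come from the paper, while the 10% standard deviation for Normal items, the ±20% range for the Uniform business interruption cost, and the single draw of each cost per trial are assumptions, so the percentages will not match Table 4 exactly.

```python
import random

DEMANDS = 5 * 20   # 5 demands/year over a 20-year life cycle (from the paper)
REL_SD = 0.10      # ASSUMED relative std. dev. of Normal items (not in the paper)
BI_SPREAD = 0.20   # ASSUMED half-width of the Uniform BI cost, as fraction of mean

# Mean costs in $US million, taken from Table 3.
COSTS = {
    "HWS": {"purchase": 0.15, "maint": 0.40, "training": 0.06,
            "bi_fail": 45.0, "repair": 0.02},
    "PES": {"purchase": 0.30, "maint": 0.10, "training": 0.10,
            "bi_fail": 15.0, "repair": 0.01},
}

def normal(rng, mean):
    """One draw of a Normal cost item, truncated at zero."""
    return max(0.0, rng.gauss(mean, REL_SD * mean))

def life_cycle_cost(rng, system, pfd, shared):
    """20-year total predicted cost of one system for one trial."""
    c = COSTS[system]
    fixed = c["purchase"] + normal(rng, c["maint"]) + normal(rng, c["training"])
    # Number of failed demands ~ Binomial(DEMANDS, pfd)
    failures = sum(rng.random() < pfd for _ in range(DEMANDS))
    lo, hi = c["bi_fail"] * (1 - BI_SPREAD), c["bi_fail"] * (1 + BI_SPREAD)
    per_failure = shared["pd_fail"] + rng.uniform(lo, hi) + normal(rng, c["repair"])
    return fixed + (DEMANDS - failures) * shared["ok"] + failures * per_failure

def pes_preferred_fraction(pfd_hws, pfd_pes, trials=10_000, seed=1):
    """Fraction of trials in which the PES has the lower total cost."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        # Property damage and the cost of a successful trip do not depend on
        # the type of instrumentation, so both systems share these draws.
        shared = {"ok": normal(rng, 0.40) + normal(rng, 0.20),
                  "pd_fail": normal(rng, 10.0)}
        hws = life_cycle_cost(rng, "HWS", pfd_hws, shared)
        pes = life_cycle_cost(rng, "PES", pfd_pes, shared)
        wins += pes < hws
    return wins / trials

if __name__ == "__main__":
    for case, pfd_pes in enumerate((5e-4, 5e-3, 5e-2), start=1):
        frac = pes_preferred_fraction(5e-4, pfd_pes)
        print(f"Case {case}: PES PFD {pfd_pes:g} -> PES cheaper in {frac:.1%} of trials")
```

With equal failure probabilities the outcome is driven by the business interruption penalty of the rare failures and the installation cost difference; as the PES failure probability rises, its expected number of failed demands over 100 demands dominates.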

5. Conclusions
The first step in the evaluation of safety instrumentation for a primary steam reformer, as for any hazardous equipment, should be a hazards analysis which identifies the critical process deviations and the corresponding critical safety functions. Subsequently, the level of confidence (reliability and availability) at which these safety functions must be performed should be determined based upon established risk criteria. Finally, the “life cycle costs” of alternative safety instrumented systems and SILs can be compared using simple probabilistic simulation models, which take into account the uncertainty of the costs and the reliability of the safety instrumented systems.

References

1. Karydas, D., Mahnken, G. Safety analysis and system design of thermal oxidizers used for environmental protection from VOC emissions. In: Pasman, H.J., Fredholm, O., Jacobssen, A. (Ed) Proceedings of 10th International Symposium on Loss Prevention in the Process Industries, 19-21 June 2001, Stockholm Sweden, Elsevier Publishing, 2001, pages 545-559.
2. Kletz, Trevor A., HAZOP & HAZAN, Identifying and Assessing Process Industry Hazards, Institution of Chemical Engineers, Rugby U.K., 4th Edition, 1999.
3. IEC 61508: Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems, International Electrotechnical Commission, Geneva, 1999.
4. ANSI/ISA S84.01-1996, Applications of Safety Instrumented Systems for the Process Industry, Instrument Society of America, Research Triangle Park, N. Carolina, USA, February 1996.
5. Risk reduction factor adapted from “A Practical Guide to Designing Safety Instrumented Systems”, Moore Products Automation, Publication BLQL-4, Rev. 1, 1999.
6. “Crystal Ball 2000” software from Decisioneering, Inc. Denver, CO 80202 USA.
