
SIL RATINGS FOR FIRE & GAS SYSTEM HARDWARE –

ARE WE BARKING UP THE WRONG TREE?

Paul Gruhn, PE, CFSE, ICS Triplex, Houston, TX

ABSTRACT
Current standards covering fire and gas systems are prescriptive and focus on commercial
applications such as buildings. Many end users in the process industry believe there is a need for
a performance based standard for fire and gas systems used in industrial applications. Other
performance based standards such as IEC 61508 [1] and 61511 [2] use the term SIL (Safety Integrity
Level) to describe system performance. There are many devices used in safety instrumented
systems in the process industries that are independently certified for use in certain integrity
levels. However, there is considerable debate whether fire & gas system hardware should have
SIL ratings at all. Vendors are naturally interested in promoting independently certified hardware
in order to differentiate their products. However, considering the differences between safety
instrumented systems and fire & gas systems, focusing on the SIL rating or performance of the
actual fire & gas hardware alone may be a misleading and questionable practice. This paper
reviews a) the differences between safety instrumented systems and fire & gas systems, b) how
typical voting of fire & gas sensors not only reduces nuisance trips (which is desirable) but also
reduces the likelihood of the system actually responding to a true demand (which is not
desirable), and c) why concepts and standards that apply to safety instrumented systems (e.g.,
SIL ratings) may not be appropriate for fire & gas systems.

INTRODUCTION
Vendors are interested in promoting certified products such as fire & gas sensors as a way to
differentiate themselves. For example, a vendor may gain a marketing advantage stating they
have a single sensor that is certified for use in SIL 2 applications. However, there has been
considerable debate within the industry whether fire and gas hardware should have SIL ratings at
all. Some are strongly opposed to the idea. However, there is recognition that current standards
such as EN 54 [3] and NFPA 72 [4] do not adequately cover industrial fire & gas applications. Hence
the need to consider a potentially new standard and the formation of a new task team within the
ISA SP84 committee (covering safety instrumented systems in the process industry).

SIL Ratings for Fire & Gas Systems 1 Gruhn


DIFFERENCES BETWEEN PREVENTION AND MITIGATION LAYERS
Table 1 shows the performance requirements for the different SILs according to IEC 61511.

Table 1: Performance Requirements for Safety Integrity Levels

EN 50402 [5] and IEC draft 60079-29 [6] on gas detection and safety integrity levels have recently
been released. These documents focus on the effectiveness of the fire & gas system hardware
alone and use the term SIL as used in IEC 61508 and 61511. However, IEC 61511 focuses on
safety instrumented systems which are prevention layers, although the concepts presented in the
standard can be applied to all safety layers, including mitigation layers.
The assumption with prevention layers is that a) they will always be able to see the hazardous
condition, and that b) if they respond correctly their action will prevent the hazardous event from
occurring. In other words, using a SIL 2 rated sensor, a SIL 2 rated logic solver, and a SIL 2
rated final element should result in a SIL 2 rated function that should provide at least a Risk
Reduction Factor of 100 (see table 1) assuming all the other requirements in the standard are
met. If a properly functioning sensor is unable to see the hazardous condition it was designed to
detect, and if a properly functioning final element doesn’t eliminate the hazard, then the system
simply wasn’t designed properly.
However, fire & gas systems, which are mitigation layers, are different. Sensors may be
working properly, but they simply may never see the gas release or fire. For example, sensors
may be placed improperly, there may not be enough sensors, wind may dilute the gas before it
can be detected, obstructions may divert the release or hide a fire, a release or fire may be too
small to be detected, etc. The system may respond properly, but there is no guarantee that the
consequences of the hazardous event will actually be eliminated or mitigated. For example, the
deluge may not put out a large fire, the blow down may not be fast enough to prevent reaching a
critical accumulation of gas, etc. In other words, using a SIL 2 rated sensor, a SIL 2 rated logic
solver, and a SIL 2 rated final element may not result in a SIL 2 rated function and may not
provide a Risk Reduction Factor of 100. This concept can be better understood with the fault tree
shown in Figure 1.



[Figure 1 event tree: initiating event Leak/Fire at X / year, followed by three branch points]
Detection Coverage:        Yes: P=.9     No: P=.1
Hardware Response:         Yes: P=.99    No: P=.01
Mitigation Effectiveness:  Yes: P=.9     No: P=.1

Figure 1: Factors Affecting Fire and Gas System Performance

Detector Coverage: The probability of the device actually being able to see the hazardous
condition.
Hardware Response: The probability of the hardware responding properly to the demand,
i.e., 1 - PFD (Probability of Failure on Demand).
Mitigation Effectiveness: The probability that the overall system response actually prevents
or mitigates the hazardous event.

If the detection coverage is less than 90% (as it typically is, as described below), and the
mitigation effectiveness is less than 90% (as it typically is, as described below), then debating on
the level of performance of the fire & gas system hardware alone may prove to be of little worth
since the overall risk reduction will never be greater than 10. In other words, the overall system
will not even reach the SIL 1 range, as explained below.
90% x 90% = 81%. One minus the Safety Availability is the Probability of Failure on
Demand (PFD). 100% - 81% = 19%. The reciprocal of PFD is the Risk Reduction Factor (RRF).
1/.19 = 5. SIL 1, the lowest level of safety performance, is represented by a RRF range of 10 to
100. Therefore, focusing on the hardware alone, as some naturally wish to do, is no guarantee of
an effective system. The overall system in this example will never meet SIL 1 performance no
matter what hardware is used.

DETECTOR COVERAGE
Some fire & gas applications take action based on only one sensor going into alarm.
However, many systems implement some form of voting or redundancy of multiple sensors in a
zone to reduce the likelihood of system activation due to a single sensor failure. Typically, two
or more sensors in a zone must go into alarm before automatic action is taken. While this reduces
the probability of nuisance trips due to a single sensor failure, anecdotal user evidence suggests it
also reduces the probability of actually responding to a hazardous event. It may actually be less
likely for two or more detectors in a zone to be in the affected area, assuming the layout of
detectors has not been changed with the implementation of voting.
End user studies have shown figures for detector coverage for a single sensor (1 out of N)
being as high as 98%, dual sensor (2 out of N) effectiveness ranging from 20 to 90%, and three
or more sensors (3 out of N) being 60% or less. An often referred to HSE (United Kingdom
Health & Safety Executive) report cites automated fire detection coverage in the range of 75%.
One way to possibly improve on this situation would be to not require multiple sensors to see the
same level of gas (e.g., 50% LEL (Lower Explosive Limit)), but rather take action if one sensor
were to see the high level (e.g., 50% LEL) and any other sensor were to see a lower level (e.g.,
25% LEL).
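The voting alternatives described above can be compared directly. The following is an added example, not part of the original paper: the 50% and 25% LEL setpoints come from the text, while the function names, the four-detector zone and the readings are constructed for illustration.

```python
# Added example: zone voting schemes applied to constructed readings (% LEL).
# Setpoints come from the text; scheme names and readings are assumptions.
HIGH = 50.0  # high alarm level, % LEL
LOW = 25.0   # lower alarm level, % LEL


def one_out_of_n(readings):
    """Trip when any single sensor reaches the high level."""
    return any(r >= HIGH for r in readings)


def two_out_of_n(readings):
    """Conventional voting: two or more sensors must reach the high level."""
    return sum(r >= HIGH for r in readings) >= 2


def staggered(readings):
    """One sensor at the high level and any other sensor at the lower level."""
    at_high = sum(r >= HIGH for r in readings)
    at_low_or_above = sum(r >= LOW for r in readings)
    # The sensor at HIGH also counts as >= LOW, so a second, distinct sensor
    # confirms only when at least two readings are at LOW or above.
    return at_high >= 1 and at_low_or_above >= 2


# Constructed readings for one zone with four point detectors.
SCENARIOS = {
    "no gas":                    [0.0, 1.0, 0.0, 2.0],
    "one sensor failed high":    [100.0, 0.0, 0.0, 0.0],
    "plume centred on sensor 1": [62.0, 31.0, 4.0, 0.0],
    "large release":             [80.0, 66.0, 30.0, 12.0],
}


def evaluate(scenarios=SCENARIOS):
    """Map scenario name -> (1ooN, 2ooN, staggered) trip decisions."""
    return {name: (one_out_of_n(r), two_out_of_n(r), staggered(r))
            for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, decisions in evaluate().items():
        print(f"{name:28s} 1ooN={decisions[0]!s:5} "
              f"2ooN={decisions[1]!s:5} staggered={decisions[2]}")
```

In the constructed plume case the conventional two-at-high vote does not trip while the staggered vote does, and both still reject the single failed-high sensor.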

EXAMPLE
Consider an example of an inlet separator in an enclosed space. Let’s assume the vessel has a
total of five valves, ten flanges and one hundred feet of piping. Various data books and/or
historical company data list yearly gas leak probabilities for different size openings. The
following set of numbers are assumed for this example study:
1” hole: 2.90E-2 (94% of cases)
6” hole: 1.50E-3 (5% of cases)
Rupture: 3.10E-4 (1% of cases)

The risk matrix shown in Figure 2 shall be used in the example.

                                Frequency Categories
Consequence Categories          > 10,000 years   10,000 - 1,000 years   1,000 - 100 years   100 - 10 years   10 - 1 years
1 - No Injury / First Aid       A                A                      A                   B                B
10 - Injury                     A                A                      B                   B                C
100 - Disability                A                B                      B                   C                C
1,000 - Fatality                B                B                      C                   C                D
10,000 - Multiple Fatalities    B                C                      C                   D                D

Risk Categories:
A Acceptable design, no changes required
B Consider other possible controls / safety layers
C Requires addition of multiple diverse safety layers
D Unacceptable design

Notes:
1. Safety layers are assumed to be independent and provide at least one order of magnitude benefit.
2. Additional layers could be personnel gas detectors, procedures, etc.

Figure 2: 5x5 Risk Matrix with 4 Overall Risk Levels

The PHA (Process Hazards Analysis) team needs to decide the consequences (as shown in
the left column in Figure 2) for different size releases depending upon whether they are mitigated
or not. In this example, a 1” release was assumed to have an unmitigated consequence of 100
(disability) and a mitigated consequence of 1 (first aid). A 6” release was assumed to have an
unmitigated consequence of 1,000 (fatality) and a mitigated consequence of 10 (injury). A
rupture was assumed to have an unmitigated consequence of 10,000 (multiple fatalities) and a
mitigated consequence of 100 (disability).



The event tree shown in Figure 3 works as follows. Assume a release actually happens (i.e.,
the probability is 1.0).
Detection coverage represents the probability that the detector will actually see the hazardous
condition (not whether the detector is actually functioning properly). In other words, will there
actually be gas at the sensor, or in the path of an open beam detector, or will a fire be in the field
of view of a detector, etc. As described previously, a figure of 90% is optimistic for some
scenarios and configurations.
A 90% probability that the fire & gas system activates represents the low end of SIL 1
performance (90% - 99%).
Mitigation effectiveness represents the probability that the overall system response will
actually prevent or mitigate the hazardous event. This number can vary greatly and can include
the effectiveness of other safety layers, blow down systems, deluge systems, water curtains or
other methods of mitigation. For example, it’s unlikely that any mitigation will reduce the impact
of a major release, although it may reduce the impact of a minor release. A figure of 90% may be
optimistic for many scenarios.
The weighting factors are the combinational probabilities for each branch in the tree (e.g., 0.9
x 0.9 x 0.9 = .73).
The consequence numbers were discussed above.
The weighted consequence is the weighting factor multiplied by the consequence number for
each branch in the tree.
The total number is the sum of the weighted consequences. The worst case unmitigated
consequence of 100 (disability) is reduced to 28, which could be rounded down to 10 (injury).

Leak Scenario: 1.00E+00

Detection   F&G         Mitigation      Weighting                 Weighted
Coverage    Activates   Effectiveness   Factor      Consequence   Consequence
Yes 0.9     Yes 0.9     Yes 0.9         73%         1             0.729
Yes 0.9     Yes 0.9     No 0.1          8%          100           8.1
Yes 0.9     No 0.1                      9%          100           9
No 0.1                                  10%         100           10
Total                                   100%                      27.829

Figure 3: 1” Leak Scenario with SIL 1 F&G



Figure 4 is the same event tree assuming a low end SIL 2 fire & gas system were utilized
(99% - 99.9%). The total weighted consequence still rounds down to 10. The same result would
occur even if utilizing a SIL 3 fire & gas system. Detection coverage and mitigation
effectiveness limit overall system performance.

Leak Scenario: 1.00E+00

Detection   F&G         Mitigation      Weighting                 Weighted
Coverage    Activates   Effectiveness   Factor      Consequence   Consequence
Yes 0.9     Yes 0.99    Yes 0.9         80%         1             0.8019
Yes 0.9     Yes 0.99    No 0.1          9%          100           8.91
Yes 0.9     No 0.01                     1%          100           0.9
No 0.1                                  10%         100           10
Total                                   100%                      20.6119

Figure 4: 1” Leak Scenario with SIL 2 F&G
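The event trees of Figures 3 and 4, and the 90% x 90% risk reduction calculation given earlier under Figure 1, can be reproduced with a few lines of code. This is an added example, not part of the original paper: the function names are assumptions, and the SIL 3 (0.999) and perfect hardware (1.0) rows extend the two cases the paper works through.

```python
# Added example: the event tree from Figures 3 and 4, parameterised.
# Function and variable names are assumptions made for this illustration.

def event_tree(coverage, activation, mitigation,
               mitigated_consequence, unmitigated_consequence):
    """Return (branches, total weighted consequence) for one release scenario.

    coverage   -- probability a detector actually sees the release
    activation -- probability the F&G hardware responds (1 - PFD)
    mitigation -- probability the response actually mitigates the event
    """
    branches = [
        # (description, weighting factor, consequence)
        ("detected, activated, mitigated",
         coverage * activation * mitigation, mitigated_consequence),
        ("detected, activated, not mitigated",
         coverage * activation * (1 - mitigation), unmitigated_consequence),
        ("detected, hardware failed",
         coverage * (1 - activation), unmitigated_consequence),
        ("not detected",
         1 - coverage, unmitigated_consequence),
    ]
    total = sum(weight * consequence for _, weight, consequence in branches)
    return branches, total


def risk_reduction_factor(coverage, activation, mitigation):
    """RRF = 1 / PFD, where PFD = 1 - P(all three factors succeed)."""
    return 1.0 / (1.0 - coverage * activation * mitigation)


def hardware_sweep(coverage=0.9, mitigation=0.9):
    """Weighted consequence of the 1-inch leak as the hardware improves."""
    results = {}
    for label, activation in [("SIL 1", 0.9), ("SIL 2", 0.99),
                              ("SIL 3", 0.999), ("perfect", 1.0)]:
        _, total = event_tree(coverage, activation, mitigation, 1, 100)
        results[label] = round(total, 4)
    return results


if __name__ == "__main__":
    for label, total in hardware_sweep().items():
        print(f"{label:8s} weighted consequence = {total}")
    print("RRF with perfect hardware:",
          round(risk_reduction_factor(0.9, 1.0, 0.9), 2))
```

Even with hardware that never fails, the weighted consequence stays near 20 because the undetected and unmitigated branches are unchanged.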

Similar event trees were developed for the 6” and rupture cases. The results are summarized
in Table 2. The release sizes, total rates, percentages and consequences before mitigation were
discussed earlier. The after mitigation consequences are the results of the event trees for each
case.
The “average consequence” number is a weighted average of the three “before mitigation
consequence” numbers multiplied by the corresponding percentages. The average before
mitigation consequence of 100 (244 rounded down) remains an average after mitigation
consequence of 100 (75 rounded up). Note: The after mitigation consequence numbers would not
change significantly whether SIL 1, 2 or 3 rated fire and gas system hardware were utilized.
Release size          Total rate   Percentage   Before Mitigation Consequence   After Mitigation Consequence
1 inch                2.90E-02     94.09%       100                             27
6 inch                1.51E-03     4.89%        1,000                           429
Rupture               3.13E-04     1.02%        10,000                          2,782
Average Consequence                             244                             75
Overall Frequency                               3.08E-02                        3.08E-02

Table 2: Consequence Before and After Mitigation

The overall frequency number (3.08E-2/yr or 1/32 yr) is the sum of the three total rates. 32
years falls within the 100 - 10 years column in Figure 2. With a consequence of 100 (disability), the
design results in an overall risk level of C. This means the overall process design still requires
the addition of multiple, diverse safety layers. This simple example also supports the notion that
in terms of consequence reduction, the fire and gas system does not even provide one order of
magnitude risk reduction, no matter how good the hardware is.



ESTIMATING DETECTION COVERAGE AND MITIGATION EFFECTIVENESS
Just as there are different methods of analyzing safety instrumented system performance
(e.g., Reliability Block Diagrams, Fault Trees, Markov Models) there are different methods of
estimating detection coverage. There are many variables to consider, such as the size of area to
be monitored; enclosed, partially enclosed, or non-enclosed space; number of detectors; density
of gas; wind speed; number of leak sources in the space, etc. Simple and complex models
currently used by members within the fire and gas task team show detector coverage varying
greatly. Detection coverage is very high for single sensors and a catastrophic release. Detection
coverage is very low for multiple sensors detecting medium or small releases. Estimating
mitigation effectiveness may best be done by reviewing historical company records and/or expert
opinion (e.g., the PHA team).

CONCLUSIONS
Concepts that apply to prevention safety layers such as safety instrumented systems do not
necessarily apply to mitigation safety layers such as fire & gas systems. Unlike safety
instrumented system hardware, claiming any integrity level for fire & gas hardware alone is
misleading. That information alone does not allow one to determine whether the overall
system will meet the desired level of risk reduction.
A chain is only as strong as its weakest link. Focusing on the performance of the fire & gas
hardware alone and not accounting for the detector coverage and mitigation effectiveness is just
as misleading as focusing only on the logic solver in a safety instrumented system. Field
devices (sensors and final elements) typically have a dominating impact on safety
instrumented system performance. Similarly, detector coverage and mitigation effectiveness
have a dominating impact on fire & gas system performance and may prevent most systems from
ever meeting SIL 1 performance levels.
However, it is possible to apply performance based concepts to fire and gas systems. It is
possible to assign risk reduction targets for fire and gas systems and apply quantitative
techniques in system verification. Work is proceeding within the ISA 84 committee on ways to
account for detector coverage, mitigation effectiveness and other factors, thus allowing a
quantitative, performance based approach to fire and gas system design. Once the detector
coverage and mitigation effectiveness limitations are better understood and addressed, then
focusing on the SIL rating of the hardware will be more meaningful.

ACKNOWLEDGEMENTS
The author does not claim to be the original developer of this work and gratefully
acknowledges the ongoing efforts within the ISA 84 committee and fire & gas task team,
information presented by end users such as Shell, BP and Chevron, and analysis work done by
Kenexis. The intent of publishing this paper is to inform industry of the work being done,
stimulate discussion, and recruit others to be involved in the continuing effort.

REFERENCES
1. IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related
systems.
2. IEC 61511: Functional Safety: Safety Instrumented Systems for the Process Industry Sector.
3. EN 54: Fire detection and fire alarm systems.
4. NFPA 72: National Fire Alarm Code.
5. EN 50402: Electrical apparatus for the detection and measurement of combustible or toxic
gases or vapours or of oxygen. Requirements on the functional safety of fixed gas detection
systems.
6. IEC draft 60079-29: Equipment for the detection and measurement of flammable gases -
Guide for selection, installation, use and maintenance.

Author Bio: Paul Gruhn, PE, CFSE is a Safety Product Specialist at ICS Triplex in Houston,
Texas. Paul is an ISA Fellow, a member of the ISA 84 standard committee and its fire & gas task
team, the developer and instructor of ISA courses on safety systems, co-author of the ISA
textbook on the subject, and a member of the A&M Instrumentation Symposium Steering
Committee. He has a B.S. degree in Mechanical Engineering from Illinois Institute of
Technology, is a licensed Professional Engineer (PE) in Texas, and a Certified Functional Safety
Expert (CFSE).
