ABSTRACT
Current standards covering fire and gas systems are prescriptive and focus on commercial
applications such as buildings. Many end users in the process industry believe there is a need for
a performance based standard for fire and gas systems used in industrial applications. Other
performance based standards such as IEC 61508 [1] and 61511 [2] use the term SIL (Safety Integrity
Level) to describe system performance. There are many devices used in safety instrumented
systems in the process industries that are independently certified for use in certain integrity
levels. However, there is considerable debate whether fire & gas system hardware should have
SIL ratings at all. Vendors are naturally interested in promoting independently certified hardware
in order to differentiate their products. However, considering the differences between safety
instrumented systems and fire & gas systems, focusing on the SIL rating or performance of the
actual fire & gas hardware alone may be a misleading and questionable practice. This paper
reviews a) the differences between safety instrumented systems and fire & gas systems, b) how
typical voting of fire & gas sensors not only reduces nuisance trips (which is desirable) but also
reduces the likelihood of the system actually responding to a true demand (which is not
desirable), and c) why concepts and standards that apply to safety instrumented systems (e.g.,
SIL ratings) may not be appropriate for fire & gas systems.
INTRODUCTION
Vendors are interested in promoting certified products such as fire & gas sensors as a way to
differentiate themselves. For example, a vendor may gain a marketing advantage stating they
have a single sensor that is certified for use in SIL 2 applications. However, there has been
considerable debate within the industry whether fire and gas hardware should have SIL ratings at
all. Some are strongly opposed to the idea. However, there is recognition that current standards
such as EN 54 [3] and NFPA 72 [4] do not adequately cover industrial fire & gas applications. Hence
the need to consider a potentially new standard and the formation of a new task team within the
ISA SP84 committee (covering safety instrumented systems in the process industry).
EN 50402 [5] and IEC draft 60079-29 [6] on gas detection and safety integrity levels have recently
been released. These documents focus on the effectiveness of the fire & gas system hardware
alone and use the term SIL as used in IEC 61508 and 61511. However, IEC 61511 focuses on
safety instrumented systems which are prevention layers, although the concepts presented in the
standard can be applied to all safety layers, including mitigation layers.
The assumption with prevention layers is that a) they will always be able to see the hazardous
condition, and that b) if they respond correctly their action will prevent the hazardous event from
occurring. In other words, using a SIL 2 rated sensor, a SIL 2 rated logic solver, and a SIL 2
rated final element should result in a SIL 2 rated function that should provide at least a Risk
Reduction Factor of 100 (see table 1) assuming all the other requirements in the standard are
met. If a properly functioning sensor is unable to see the hazardous condition it was designed to
detect, and if a properly functioning final element doesn’t eliminate the hazard, then the system
simply wasn’t designed properly.
However, fire & gas systems, which are mitigation layers, are different. Sensors may be
working properly, but they simply may never see the gas release or fire. For example, sensors
may be placed improperly, there may not be enough sensors, wind may dilute the gas before it
can be detected, obstructions may divert the release or hide a fire, a release or fire may be too
small to be detected, etc. The system may respond properly, but there is no guarantee that the
consequences of the hazardous event will actually be eliminated or mitigated. For example, the
deluge may not put out a large fire, the blow down may not be fast enough to prevent reaching a
critical accumulation of gas, etc. In other words, using a SIL 2 rated sensor, a SIL 2 rated logic
solver, and a SIL 2 rated final element may not result in a SIL 2 rated function, and the function
may not provide a Risk Reduction Factor of 100. This concept can be better understood with the
fault tree shown in Figure 1.
Figure 1. Fault tree for the overall fire & gas function (only the branch labels survived
extraction): hazardous event at X / year; Detector Coverage Yes: P=.9 / No: P=.1; Hardware
Response Yes: P=.99 / No: P=.01; Mitigation Effectiveness Yes: P=.9 / No: P=.1.
Detector Coverage: The probability of the device actually being able to see the
hazardous condition.
Hardware Response: The probability of the hardware responding properly to the
demand. 1-PFD (Probability of Failure on Demand)
Mitigation effectiveness: The probability that the overall system response actually prevents
or mitigates the hazardous event.
If the detection coverage is less than 90% (as it typically is, as described below), and the
mitigation effectiveness is less than 90% (as it typically is, as described below), then debating
the level of performance of the fire & gas system hardware alone may prove to be of little worth
since the overall risk reduction will never be greater than 10. In other words, the overall system
will not even reach the SIL 1 range, as explained below.
Safety Availability = 90% x 90% = 81%. One minus the Safety Availability is the Probability of
Failure on Demand (PFD): 100% - 81% = 19%. The reciprocal of PFD is the Risk Reduction Factor
(RRF): 1/.19 = 5 (rounded). SIL 1, the lowest level of safety performance, is represented by a RRF range of 10 to
100. Therefore, focusing on the hardware alone, as some naturally wish to do, is no guarantee of
an effective system. The overall system in this example will never meet SIL 1 performance no
matter what hardware is used.
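The Figure 1 fault tree carried through in code, as an added example that is not part of the paper: overall safety availability is the product of the three branch probabilities the paper names (detector coverage, hardware response as 1 - PFD, mitigation effectiveness), PFD is one minus that, and RRF is its reciprocal. The hardware PFD is swept across the SIL 1, 2 and 3 classes to show that it barely moves the overall result. The SIL 2 to SIL 4 RRF bands are the decade steps of IEC 61508/61511 low-demand mode; the paper itself quotes only the SIL 1 range.

```python
# Added example (not from the paper): the Figure 1 fault tree as arithmetic.
from math import inf

# SIL bands by Risk Reduction Factor (IEC 61508/61511, low-demand mode):
# the paper quotes only the SIL 1 range (10-100); the others follow in decade steps.
SIL_BANDS = [(10, 100, "SIL 1"), (100, 1000, "SIL 2"),
             (1000, 10000, "SIL 3"), (10000, 100000, "SIL 4")]


def overall_availability(coverage, hardware_pfd, effectiveness):
    """Probability the whole fire & gas function averts the hazardous event on a true demand:
    the detector must see it, the hardware must respond, and the response must work."""
    for p in (coverage, hardware_pfd, effectiveness):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    return coverage * (1.0 - hardware_pfd) * effectiveness


def risk_reduction_factor(availability):
    """RRF = 1 / PFD, with PFD = 1 - availability.
    PFD is rounded so that 1 - 0.99 gives exactly 0.01 (RRF 100) rather than 99.999..."""
    pfd = round(1.0 - availability, 12)
    return inf if pfd == 0 else 1.0 / pfd


def sil_band(rrf):
    """Name the SIL band an RRF falls in, or 'below SIL 1' / 'above SIL 4'."""
    for lo, hi, name in SIL_BANDS:
        if lo <= rrf < hi:
            return name
    return "above SIL 4" if rrf >= 100000 else "below SIL 1"


def evaluate(coverage, hardware_pfd, effectiveness):
    """Return (overall PFD, overall RRF, SIL band) for one set of branch probabilities."""
    a = overall_availability(coverage, hardware_pfd, effectiveness)
    rrf = risk_reduction_factor(a)
    return 1.0 - a, rrf, sil_band(rrf)


if __name__ == "__main__":
    # Paper's figures: 90% coverage, 90% effectiveness; hardware PFD swept across SIL 1..3
    for pfd in (0.1, 0.01, 0.001):
        hw_only = sil_band(risk_reduction_factor(1.0 - pfd))
        o_pfd, o_rrf, band = evaluate(0.9, pfd, 0.9)
        print(f"hardware alone {hw_only}: overall PFD {o_pfd:.3f}, RRF {o_rrf:.2f} -> {band}")
```

With 90% coverage and 90% effectiveness the overall RRF stays near 5 whether the hardware is SIL 1 or SIL 3 class; the paper's "1/.19 = 5" is the same figure with the hardware branch taken as certain.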
DETECTOR COVERAGE
Some fire & gas applications take action based on only one sensor going into alarm.
However, many systems implement some form of voting or redundancy of multiple sensors in a
zone to reduce the likelihood of system activation due to a single sensor failure. Typically, two
or more sensors in a zone must go into alarm before automatic action is taken. While this reduces
the probability of nuisance trips due to a single sensor failure, anecdotal user evidence suggests it
also reduces the probability of actually responding to a hazardous event. It may actually be less
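The voting effect described above, as an added example that is not part of the paper. It assumes, and labels as assumptions, that each detector in a zone independently sees a real release with the paper's detector coverage probability, is functioning with probability 1 - PFD, and raises a spurious alarm independently with some probability over the interval of interest. For a fixed number of detectors it contrasts 1ooN with 2ooN on both measures: requiring two votes cuts nuisance trips but also cuts the probability of responding to a real release. Because the coverage failures the paper lists (wind, obstructions, small releases) hit several detectors at once, the independence assumption is optimistic, so real 2ooN response probabilities are lower than shown.

```python
# Added example (not from the paper): k-out-of-n voting of gas detectors in one zone.
# Assumptions: independent detectors; each sees a real release with probability
# `coverage`, is working with probability 1 - `pfd`, and alarms spuriously with
# probability `spurious` over the interval considered.
from math import comb


def at_least_k_of_n(k, n, p):
    """Binomial tail: probability that at least k of n independent events of probability p occur."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must lie in [0, 1]")
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))


def true_demand_response(k, n, coverage, pfd):
    """Probability the zone trips on a real release under k-out-of-n voting.
    A detector contributes a vote only if it both sees the release and is functioning."""
    return at_least_k_of_n(k, n, coverage * (1 - pfd))


def nuisance_trip(k, n, spurious):
    """Probability the zone trips with no release present under k-out-of-n voting."""
    return at_least_k_of_n(k, n, spurious)


def compare_voting(n, coverage, pfd, spurious):
    """For n detectors in a zone, contrast 1ooN with 2ooN on both measures.
    Returns {scheme: (P[respond to real release], P[nuisance trip])}."""
    rows = {}
    for k in (1, 2):
        rows[f"{k}oo{n}"] = (true_demand_response(k, n, coverage, pfd),
                             nuisance_trip(k, n, spurious))
    return rows


if __name__ == "__main__":
    # Constructed inputs: 90% per-detector coverage, SIL 2 class hardware (PFD 0.01),
    # 5% chance of a spurious alarm per detector over the interval
    for n in (2, 3):
        for scheme, (respond, nuisance) in compare_voting(n, 0.9, 0.01, 0.05).items():
            print(f"{scheme}: responds to real release {respond:.3f}, nuisance trip {nuisance:.4f}")
```

With the constructed inputs, moving from 1oo3 to 2oo3 drops nuisance trips by an order of magnitude but also drops the real-release response from about 0.999 to about 0.967, and 2oo2 is worse than a single detector on a true demand.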
EXAMPLE
Consider an example of an inlet separator in an enclosed space. Let’s assume the vessel has a
total of five valves, ten flanges and one hundred feet of piping. Various data books and/or
historical company data list yearly gas leak probabilities for different size openings. The
following set of numbers are assumed for this example study:
1” hole: 2.90E-2 (94% of cases)
6” hole: 1.50E-3 (5% of cases)
Rupture: 3.10E-4 (1% of cases)
Figure 2. Risk matrix (frequency categories across, consequence categories down)

Consequence category            > 10,000 years   10,000 - 1,000 years   1,000 - 100 years   100 - 10 years   10 - 1 years
1 - No Injury / First Aid             A                  A                      A                 B               B
10 - Injury                           A                  A                      B                 B               C
100 - Disability                      A                  B                      B                 C               C
1,000 - Fatality                      B                  B                      C                 C               D
10,000 - Multiple Fatalities          B                  C                      C                 D               D
Risk Categories:
A Acceptable design, no changes required
B Consider other possible controls / safety layers
C Requires addition of multiple diverse safety layers
D Unacceptable design
Notes:
1. Safety layers are assumed to be independent and provide at least one order of magnitude benefit.
2. Additional layers could be personnel gas detectors, procedures, etc.
The PHA (Process Hazards Analysis) team needs to decide the consequences (as shown in
the left column in Figure 2) for different size releases depending upon whether they are mitigated
or not. In this example, a 1” release was assumed to have an unmitigated consequence of 100
(disability) and a mitigated consequence of 1 (first aid). A 6” release was assumed to have an
unmitigated consequence of 1,000 (fatality) and a mitigated consequence of 10 (injury). A
rupture was assumed to have an unmitigated consequence of 10,000 (multiple fatalities) and a
mitigated consequence of 100 (disability).
[Event tree figures for the 1” release case; only fragments survived extraction: a "No" branch
with probability 0.1 (10%), consequence values 100 and 10, a 100% branch, and totals of 27.829
and 20.6119.]
Similar event trees were developed for the 6” and rupture cases. The results are summarized
in Table 2. The release sizes, total rates, percentages and consequences before mitigation were
discussed earlier. The mitigation after consequences are the results of the event trees for each
case.
The “average consequence” number is a weighted average of the three “before mitigation
consequence” numbers, each multiplied by its corresponding percentage. The average consequence
before mitigation is 244, which rounds down to the 100 category; the average consequence after
mitigation is 75, which rounds up to the same 100 category. Note: the after mitigation
consequence numbers would not change significantly whether SIL 1, 2 or 3 rated fire and gas
system hardware were utilized.
Table 2. Release cases before and after mitigation

                                          Before Mitigation   After Mitigation
Release size   Total rate   Percentage    Consequence         Consequence
1 inch         2.90E-02     94.09%        100                 27
6 inch         1.51E-03     4.89%         1,000               429
Rupture        3.13E-04     1.02%         10,000              2,782
The overall frequency number (3.08E-2/yr, or once in 32 years) is the sum of the three total rates.
A 32-year return period falls within the 100 - 10 year column in Figure 2. With a consequence of 100 (disability), the
design results in an overall risk level of C. This means the overall process design still requires
the addition of multiple, diverse safety layers. This simple example also supports the notion that
in terms of consequence reduction, the fire and gas system does not even provide one order of
magnitude risk reduction, no matter how good the hardware is.
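The inlet separator case carried through in code, as an added example that is not part of the paper. The release rates, consequence values and the Figure 2 matrix are the paper's; the rounding rules (average consequence to the nearest decade of the matrix, yearly rate converted to a return period and placed in a frequency column) are assumptions chosen to reproduce the paper's result, and the functions also accept other release tables and rates.

```python
# Added example (not from the paper): weighted consequence and Figure 2 risk category.
from math import log10

# Figure 2 risk matrix: rows are consequence levels, columns are frequency categories
CONSEQUENCE_LEVELS = [1, 10, 100, 1_000, 10_000]
FREQUENCY_COLUMNS = [">10,000 yr", "10,000-1,000 yr", "1,000-100 yr", "100-10 yr", "10-1 yr"]
RISK_MATRIX = [
    "AAABB",  # 1 - no injury / first aid
    "AABBC",  # 10 - injury
    "ABBCC",  # 100 - disability
    "BBCCD",  # 1,000 - fatality
    "BCCDD",  # 10,000 - multiple fatalities
]

# Release cases from Table 2: (name, rate per year, consequence before, consequence after)
RELEASES = [
    ("1 inch", 2.90e-2, 100, 27),
    ("6 inch", 1.51e-3, 1_000, 429),
    ("Rupture", 3.13e-4, 10_000, 2_782),
]


def frequency_column(rate_per_year):
    """Map a yearly event rate to its Figure 2 column via the return period in years (assumed rule)."""
    if rate_per_year <= 0:
        raise ValueError("rate must be positive")
    years = 1.0 / rate_per_year
    for i, bound in enumerate((10_000, 1_000, 100, 10)):
        if years > bound:
            return i
    return 4


def consequence_row(consequence):
    """Round an average consequence to the nearest decade on the matrix (244 -> 100, 75 -> 100)."""
    if consequence <= 0:
        raise ValueError("consequence must be positive")
    return min(max(round(log10(consequence)), 0), len(CONSEQUENCE_LEVELS) - 1)


def risk_category(rate_per_year, consequence):
    """Look up the A-D category for one (frequency, consequence) pair."""
    return RISK_MATRIX[consequence_row(consequence)][frequency_column(rate_per_year)]


def summarize(releases):
    """Total rate, and frequency-weighted average consequence before and after mitigation."""
    total = sum(r for _, r, _, _ in releases)
    before = sum(r / total * c for _, r, c, _ in releases)
    after = sum(r / total * c for _, r, _, c in releases)
    return total, before, after


if __name__ == "__main__":
    total, before, after = summarize(RELEASES)
    print(f"overall frequency {total:.2e}/yr, once in {1 / total:.0f} years")
    print(f"average consequence before mitigation {before:.0f}, after {after:.0f}")
    print(f"risk category before: {risk_category(total, before)}, after: {risk_category(total, after)}")
```

Both the unmitigated and the mitigated averages land in the 100 (disability) row and the 100 - 10 year column, so the category is C in either case; the fire & gas layer has not moved the design a full decade on the matrix.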
CONCLUSIONS
Concepts that apply to prevention safety layers such as safety instrumented systems do not
necessarily apply to mitigation safety layers such as fire & gas systems. Unlike the case with
safety instrumented system hardware, claiming any integrity level for fire & gas hardware alone is
misleading. That information alone does not allow one to determine whether the overall
system will meet the desired level of risk reduction.
A chain is only as strong as its weakest link. Focusing on the performance of the fire & gas
hardware alone and not accounting for the detector coverage and mitigation effectiveness is just
as misleading as focusing only on the logic solver in a safety instrumented system. Field
devices (sensors and final elements) typically have a dominating impact on safety
instrumented system performance. Similarly, detector coverage and mitigation effectiveness
have a dominating impact on fire & gas system performance and may prevent most systems from
ever meeting SIL 1 performance levels.
However, it is possible to apply performance based concepts to fire and gas systems. It is
possible to assign risk reduction targets for fire and gas systems and apply quantitative
techniques in system verification. Work is proceeding within the ISA 84 committee on ways to
account for detector coverage, mitigation effectiveness and other factors, thus allowing a
quantitative, performance based approach to fire and gas system design. Once the detector
coverage and mitigation effectiveness limitations are better understood and addressed, then
focusing on the SIL rating of the hardware will be more meaningful.
ACKNOWLEDGEMENTS
The author does not claim to be the original developer of this work and gratefully
acknowledges the ongoing efforts within the ISA 84 committee and fire & gas task team,
information presented by end users such as Shell, BP and Chevron, and analysis work done by
Kenexis. The intent of publishing this paper is to inform industry of the work being done,
stimulate discussion, and recruit others to be involved in the continuing effort.
REFERENCES
1. IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related
systems.
2. IEC 61511: Functional Safety: Safety Instrumented Systems for the Process Industry Sector.
3. EN 54: Fire detection and fire alarm systems.
4. NFPA 72: National Fire Alarm Code.
Author Bio: Paul Gruhn, PE, CFSE is a Safety Product Specialist at ICS Triplex in Houston,
Texas. Paul is an ISA Fellow, a member of the ISA 84 standard committee and its fire & gas task
team, the developer and instructor of ISA courses on safety systems, co-author of the ISA
textbook on the subject, and a member of the A&M Instrumentation Symposium Steering
Committee. He has a B.S. degree in Mechanical Engineering from Illinois Institute of
Technology, is a licensed Professional Engineer (PE) in Texas, and a Certified Functional Safety
Expert (CFSE).