December 2019

Environment and Safety

How changes to functional safety standards can optimize fire and gas detection

ANSI/ISA-84 is one of the most influential standards in functional safety and has been a driver for instrumented process safety improvements over the last 20 yr. It is a comprehensive norm covering a wide range of aspects related to functional safety in process industries, including the entire life cycle of designing, implementing and operating safety systems.

Naranjo, E., Emerson Automation Solutions

ANSI/ISA-84 is one of the most influential standards in functional safety and has been a driver for instrumented process safety improvements over the last 20 yr. It is a comprehensive norm covering a wide range of aspects related to functional safety in process industries, including the entire life cycle of designing, implementing and operating safety systems.

Originally released in 1996, it was expanded, updated and harmonized with IEC 61511 in 2004, which is its current version. It has three parts:

  • Part 1: Framework, Definitions, System, Hardware and Software Requirements
  • Part 2: Guidelines for the Application of ANSI/ISA-84.00.01-2004 Part 1—Informative
  • Part 3: Guidance for the Determination of the Required Safety Integrity Levels—Informative.

Many resources are available online that cover this standard and its use. This article’s focus is more specific, concentrating on recent changes to the technical report, ISA-TR84.00.07-2018, Guidance on the Evaluation of Fire, Combustible Gas, and Toxic Gas System Effectiveness,1 which addresses fire and gas system (FGS) design.

Technical reports

ANSI/ISA-84 has spawned a series of supplementary technical reports, each with greater depth on specific safety-related topics, such as verification of safety instrumented functions, wireless sensors, mechanical integrity and fault tree analysis. ISA-TR84.00.07-2018 was first issued in 2010 and has been updated with a 2018 edition. Given the length of time it can take for companies to evaluate and begin implementing large-scale standards changes, many are likely still just beginning to consider its implications in detail.

Part of the reason for treating this topic in a technical report is the nature of FGS designs. First, they are not safety systems in the sense outlined in the main standard, because they are not designed to prevent an incident, but, instead, to provide mitigation of an incident in progress. Fire and gas systems act because a fire has already started. Second, fire and gas sensors are not deterministic. As pointed out by the standard, “Even a properly designed and managed FGS can provide poor risk reduction in the operating environment due to inadequate detector coverage and mitigation effectiveness.”

For example, there is no question that a properly functioning and correctly installed pressure transmitter will be able to detect and measure an overpressure incident. Conversely, while there is no question that a flame detector can detect the type of flame for which it is intended (FIG. 1), real-world effectiveness of an FGS deployment depends on having the right location, sensing coverage, minimum intensity for detection and other factors. Due to this dependency on detection effectiveness, fire and gas systems must be evaluated differently.

FIG. 1. Flame detectors are typically designed to sense specific radiation wavelengths produced by burning hydrocarbons and/or burning hydrogen. This tuned sensitivity helps avoid false alarms. Photo courtesy of Emerson.
FIG. 1. Flame detectors are typically designed to sense specific radiation wavelengths produced by burning hydrocarbons and/or burning hydrogen. This tuned sensitivity helps avoid false alarms. Photo courtesy of Emerson.

Engineers creating FGS-related safety functions and using the original 2010 technical report for guidance will now find substantial changes in the 2018 version. Most of these updates expand the range of acceptable technologies for various applications. They also add discussions on safety philosophy and offer practical guidance on implementation. These updates provide many more resources for assessing risk and configuring systems.

Looking at the forest: Conceptual changes

Some of the topics addressed in the revisions are specifically related to sensor technologies and deployment options. Others take the bigger picture into view and suggest ways to change conceptual approaches. For example, the 2018 version specifies that the guidance offered is intended for addressing hazards in process areas. The following are several more specific examples.

Earlier design integration. The new version shifts the emphasis on when the design process should begin. Just as ANSI/ISA-84 emphasizes the concept of the safety instrumented system (SIS) lifecycle, the 2018 technical report drives designers to include the FGS design much earlier than in the larger SIS design process. This prevents looking at the completed plans and deciding how to configure the FGS to make it fit. The standard recognizes that it is not enough to teach FGS designers simply how to perform a fire and gas hazard assessment, create a system and bolt it on. To be enduring, the lifecycle steps must be part of the FGS design process and integrated into every stage of a larger project for design, implementation and operation of a new plant, or for an upgrade to an existing automation system.

Performance metrics. ANSI/ISA-84 quantifies risk-reduction and protection levels to evaluate SIS effectiveness; but, as previously mentioned, it is difficult to apply the same hard numerical analysis to an FGS, given the variability of detector coverage, safety availability and mitigation effectiveness. Consequently, there are just two classifications in the technical report: a risk-reduction factor (RRF) greater than 10 (RRF > 10), or less than or equal to 10 (RRF ≤ 10). Techniques for both classifications are illustrated in the annexes. The report recognizes that, in practical terms, not every assessment requires a quantitative probability, so there is more discussion of qualitative aspects. When the risk-reduction factor is less than or equal to 10, semiquantitative methods and qualitative confirmations are deemed enough. Guidance for both types of classifications are provided in annexes A, C and D.

Mitigation action verification step. The new version adds a step to the lifecycle for verification of mitigation action effectiveness. Although the 2010 version defines mitigation effectiveness and describes its use in Section 5, the assessment of the probability that the results of activating final elements will successfully mitigate the consequence of a hazard are not included as a step. By placing the verification in terms of the lifecycle steps, the new report acknowledges that, in addition to detector coverage and safety availability, mitigation effectiveness must be verified to obtain greater assurance of FGS performance.

Limits on risk reduction. New guidance in the 2018 technical report puts a practical limit to the risk reduction achieved through FGS design. Taking credit for risk reduction factors beyond one order of magnitude is risky. Even one-order-of-magnitude risk reduction can be achieved only if detector coverage and effectiveness factors are equal to or greater than 90%, which is rarely achieved (FIG. 2) because there are too many uncontrolled factors in addition to the number, type and placement of detectors. As the technical reports suggest, in most process plants, it is impractical to provide flame and gas detectors to address every flammable or toxic gas release scenario.

FIG. 2. Achieving the highest risk reduction factor depends on having effective coverage through careful sensor placement. Flame detectors are optical, so they depend on the same field-of-vision considerations as cameras. If placed behind an obstruction, their vision will be reduced. Rendering used with permission and the courtesy of Detect3D model, Insight Numerics.
FIG. 2. Achieving the highest risk reduction factor depends on having effective coverage through careful sensor placement. Flame detectors are optical, so they depend on the same field-of-vision considerations as cameras. If placed behind an obstruction, their vision will be reduced. Rendering used with permission and the courtesy of Detect3D model, Insight Numerics.

Design details. The 2010 technical report makes little reference to design-basis hazards, but the 2018 version goes into detail with more examples. Tables 5 and 6 offer an extensive list, including use of new sensor technologies.

Sensor device selection. The technologies discussed in the 2010 technical report reflected the state of the art in the years just prior, basically more than 10 yr ago. Since then, a broader and much improved range of sensor options has emerged, such as ultrasonic gas detectors (FIG. 3). These can detect the sound made by a pressurized gas leak, providing immediate response rather than waiting for a gas cloud to accumulate to the point where it can be detected by conventional sensors. Most FGS implementations will need both technologies, but well-placed ultrasonic detectors can respond more quickly in critical applications.

FIG. 3. Ultrasonic gas detectors do not look for a specific gas, but instead listen for characteristic noises made in ultrasonic frequency ranges by pressurized gas escaping through a leak. When positioned carefully, they can detect a release long before enough gas has escaped to be detectable by other methods. Photo courtesy of Emerson.
FIG. 3. Ultrasonic gas detectors do not look for a specific gas, but instead listen for characteristic noises made in ultrasonic frequency ranges by pressurized gas escaping through a leak. When positioned carefully, they can detect a release long before enough gas has escaped to be detectable by other methods. Photo courtesy of Emerson.

Getting into the trees: More specific, prescriptive changes of practices

Engineers familiar with the original 2010 version will find many more design and implementation practices spelled out in the 2018 update. As already shown, most of the updates relate to philosophy and practices within the larger safety context, but there are also more granular considerations, such as specific sensor types and acceptable technologies. The following are a few of the more critical points.

Table 2: “Examples of combustible gas detection philosophies.” This new table makes a differentiation as to how gas accumulations should be detected by contrasting between onshore and offshore facilities. For onshore facilities, the aim should be to place detection equipment at strategic points where risk of release is high to enable early detection. For offshore facilities, more of an overall approach is suggested to detect hazardous accumulations anywhere. In both cases, the detection system should be tied to manual or automatic emergency shutdown systems.

Table 4: “FGS performance metrics.” This new table provides qualitative and quantitative expressions for performance metrics, including FGS detector coverage, FGS safety availability and FGS mitigation action effectiveness. It includes ties to annexes A, C and D for additional guidance.

Sections 4.3 and 4.4: “Differences between detecting fires and detecting combustible gas releases.” The new standard differentiates between detecting active fires as opposed to hazardous situations still developing, such as the presence of gas. Tables 1 and 2 offer different scenarios for working in monitored areas, and for working in areas where the problem has moved beyond the monitored area.

Section 4.6.3: “Analysis of consequences”. The process of analyzing the consequences of a given fire or gas scenario, including the potential for escalation if it is not detected quickly, has been expanded. It also ties to references to the Center for Chemical Process Safety for additional guidance.

Table 5: “Examples of design-basis fire hazards.” Any FGS design must begin by defining what type of fire it is expected to encounter. Table 5, which is new, provides examples of specific types of fires (e.g., 50-kW heat output), along with typical associated applications. The table includes 10 examples of incipient hydrocarbon fires and three examples of fully developed hydrocarbon fires.

Section 5.1: “Basic engineering.” This new section discusses the mechanisms for launching the FGS design earlier in the process, in keeping with the push for earlier integration. It offers tools to help designers set targets for the FGS through an evaluation of hazards and risks associated with major process equipment.

Table 6: “Examples of design-basis gas hazards.” Like Table 5, Table 6 is also new and similarly treats the design basis for gas hazard detection. It considers the formation and size of gas clouds resulting from different types of releases, as well as the area where a cloud may be forming. The designer must determine whether the primary purpose of the system is incipient gas detection or major hazard detection, as these findings guide sensor placement and quantities. New technologies, such as ultrasonic leak detection, are now permitted to detect not only when a leak may have formed, but also where gas accumulation may not be great enough to trigger a conventional gas cloud sensor.

These are only a few examples of the expansion of the 2018 technical report. Individuals familiar with the 2010 edition will see improvements, while newcomers will find the additional hands-on guidance and advice contained in the tables and annexes very helpful. This does not negate the importance of consulting with safety system experts when designing or upgrading an FGS.

Working for balance

When comparing both technical report documents side by side, the authors are striving to create a practical balance. While an SIS and FGS both relate to safety, what they do and how they work are different, so they should not be evaluated the same way. An FGS needs both fully quantitative and semi-quantitative risk analysis, and users must understand how and where to apply these systems.

The technical report points out that, while fully quantitative analysis is more accurate, it may not be necessary, and the report sets practical limits on what operators may claim for a risk-reduction factor. Further, it requires users to base assessments on prior use experience and on compliance to other industry standards whenever an FGS target is RRF > 10.

Like all safety-related standards, ISA-TR84.00.07-2018 is naturally conservative. It tells users how to evaluate the elements necessary for an effective FGS, such as detector coverage, safety availability and mitigation effectiveness. It puts FGS design in the context of the capital project workflow, including basic engineering and detail engineering design. Users must never forget that even the best FGS has its limits and that it is only one layer of protection. The FGS cannot be relied upon to make up for other weaknesses and must instead be part of effective engineering on all levels. Making this happen is far easier when working with consultants and vendors who are able to bring their expertise to the table. HP

LITERATURE CITED

  1. ISA-TR84.00.07-2018, Guidance on the Evaluation of Fire, Combustible Gas, and Toxic Gas System Effectiveness, online: https://www.isa.org/store/isa-tr840007-2018,-guidance-on-the-evaluation-of-fire,-combustible-gas,-and-toxic-gas-system-effectiveness/64416390

The Author

Related Articles

From the Archive

Comments

Comments

{{ error }}
{{ comment.comment.Name }} • {{ comment.timeAgo }}
{{ comment.comment.Text }}