sil rating for f&g system hardware

SIL RATINGS FOR FIRE & GAS SYSTEM HARDWARE – ARE WE BARKING UP THE WRONG TREE?

Paul Gruhn, PE, CFSE, ICS Triplex, Houston, TX

ABSTRACT Current standards covering fire and gas systems are prescriptive and focus on commercial

applications such as buildings. Many end users in the process industry believe there is a need for a performance based standard for fire and gas systems used in industrial applications. Other performance based standards such as IEC 615081 and 615112 use the term SIL (Safety Integrity Level) to describe system performance. There are many devices used in safety instrumented systems in the process industries that are independently certified for use in certain integrity levels. However, there is considerable debate whether fire & gas system hardware should have SIL ratings at all. Vendors are naturally interested in promoting independently certified hardware in order to differentiate their products. However, considering the differences between safety instrumented systems and fire & gas systems, focusing on the SIL rating or performance of the actual fire & gas hardware alone may be a misleading and questionable practice. This paper reviews a) the differences between safety instrumented systems and fire & gas systems, b) how typical voting of fire & gas sensors not only reduces nuisance trips (which is desirable) but also reduces the likelihood of the system actually responding to a true demand (which is not desirable), and c) why concepts and standards that apply to safety instrumented systems (e.g., SIL ratings) may not be appropriate for fire & gas systems.

INTRODUCTION

Vendors are interested in promoting certified products such as fire & gas sensors as a way to differentiate themselves. For example, a vendor may gain a marketing advantage stating they have a single sensor that is certified for use in SIL 2 applications. However, there has been considerable debate within the industry whether fire and gas hardware should have SIL ratings at all. Some are strongly opposed to the idea. However, there is recognition that current standards such as EN 543 and NFPA 724 do not adequately cover industrial fire & gas applications. Hence the need to consider a potentially new standard and the formation of a new task team within the ISA SP84 committee (covering safety instrumented systems in the process industry).

SIL Ratings for Fire & Gas Systems 1 Gruhn

DIFFERENCES BETWEEN PREVENTION AND MITIGATION LAYERS Table 1 shows the performance requirements for the different SILs according to IEC 61511.

Table 1: Performance Requirements for Safety Integrity Levels

EN 504025 and IEC draft 60079-296 on gas detection and safety integrity levels have recently

been released. These documents focus on the effectiveness of the fire & gas system hardware alone and use the term SIL as used in IEC 61508 and 61511. However, IEC 61511 focuses on safety instrumented systems which are prevention layers, although the concepts presented in the standard can be applied to all safety layers, including mitigation layers.

The assumption with prevention layers is that a) they will always be able to see the hazardous condition, and that b) if they respond correctly their action will prevent the hazardous event from occurring. In other words, using a SIL 2 rated sensor, a SIL 2 rated logic solver, and a SIL 2 rated final element should result in a SIL 2 rated function that should provide at least a Risk Reduction Factor of 100 (see table 1) assuming all the other requirements in the standard are met. If a properly functioning sensor is unable to see the hazardous condition it was designed to detect, and if a properly functioning final element doesn’t eliminate the hazard, then the system simply wasn’t designed properly.

However, fire & gas systems, which are mitigation layers, are different. Sensors may be working properly, but they simply may never see the gas release or fire. For example, sensors may be placed improperly, there may not be enough sensors, wind may dilute the gas before it can be detected, obstructions may divert the release or hide a fire, a release or fire may be too small to be detected, etc. The system may respond properly, but there is no guarantee that the consequences of the hazardous event will actually be eliminated or mitigated. For example, the deluge may not put out a large fire, the blow down may not be fast enough to prevent reaching a critical accumulation of gas, etc. In other words, using a SIL 2 rated sensor, a SIL 2 rated logic solver, and a SIL 2 rated final element may not result in a SIL 2 rated function that may not provide a Risk Reduction Factor of 100. This concept can be better understood with the fault tree shown in Figure 1.


Detection Coverage

Hardware Response

Mitigation Effectiveness

Leak/Fire

Yes: P=.9

Yes: P=.99

No: P=.1

Yes: P=.9

X / year No: P=.01

No: P=.1

Figure 1: Factors Effecting Fire and Gas System Performance

Detector Coverage: The probability of the device actually being able to see the hazardous condition.

Hardware Response: The probability of the hardware responding properly to the demand. 1-PFD (Probability of Failure on Demand)

Mitigation effectiveness: The probability that the overall system response actually prevents or mitigates the hazardous event.

If the detection coverage is less than 90% (as it typically is, as described below), and the

mitigation effectiveness is less than 90% (as it typically is, as described below), then debating on the level of performance of the fire & gas system hardware alone may prove to be of little worth since the overall risk reduction will never be greater than 10. In other words, the overall system will not even reach the SIL 1 range, as explained below.

90% x 90% = 81%. One minus the Safety Availability is the Probability of Failure on Demand (PFD). 100% - 81% = 19%. The reciprocal of PFD is the Risk Reduction Factor (RRF). 1/.19 = 5. SIL 1, the lowest level of safety performance, is represented by a RRF range of 10 to 100. Therefore, focusing on the hardware alone, as some naturally wish to do, is no guarantee of an effective system. The overall system in this example will never meet SIL 1 performance no matter what hardware is used.

DETECTOR COVERAGE

Some fire & gas applications take action based on only one sensor going into alarm. However, many systems implement some form of voting or redundancy of multiple sensors in a zone to reduce the likelihood of system activation due to a single sensor failure. Typically, two or more sensors in a zone must go into alarm before automatic action is taken. While this reduces the probability of nuisance trips due to a single sensor failure, anecdotal user evidence suggests it also reduces the probability of actually responding to a hazardous event. It may actually be less


swasb0

Migas Indonesia

likely for two or more detectors in a zone to be in the effected area, assuming the layout of detectors has not been changed with the implementation of voting.

End user studies have shown figures for detector coverage for a single sensor (1 out of N) being as high as 98%, dual sensor (2 out of N) effectiveness ranging from 20 to 90%, and three or more sensors (3 out of N) being 60% or less. An often referred to HSE (United Kingdom Health & Safety Executive) report sites automated fire detection coverage in the range of 75%. One way to possibly improve on this situation would be to not require multiple sensors to see the same level of gas (e.g., 50% LEL (Lower Explosive Limit)), but rather take action if one sensor were to see the high level (e.g., 50% LEL) and any other sensor were to see a lower level (e.g., 25% LEL).

EXAMPLE

Consider an example of an inlet separator in an enclosed space. Let’s assume the vessel has a total of five valves, ten flanges and one hundred feet of piping. Various data books and/or historical company data list yearly gas leak probabilities for different size openings. The following set of numbers are assumed for this example study:

1” hole: 2.90E-2 (94% of cases) 6” hole: 1.50E-3 (5% of cases) Rupture: 3.10E-4 (1% of cases)

The risk matrix shown in Figure 2 shall be used in the example. Frequency Categories Consequence Categories > 10,000 years 10,000 - 1,000 years 1,000 - 100 years 100 - 10 years 10 - 1 years 1 - No Injury / First Aid A A A B B 10 - Injury A A B B C 100 - Disability A B B C C 1,000 - Fatality B B C C D 10,000 - Multiple Fatalities B C C D D

Risk Categories: A Acceptable design, no changes required B Consider other possible controls / safety layers C Requires addition of multiple diverse safety layers D Unacceptable design Notes: 1. Safety layers are assumed to be independent and provide at least one order of magnitude benefit. 2. Additional layers could be personnel gas detectors, procedures, etc.

Figure 2: 5x5 Risk Matrix with 4 Overall Risk Levels

The PHA (Process Hazards Analysis) team needs to decide the consequences (as shown in the left column in Figure 2) for different size releases depending upon whether they are mitigated or not. In this example, a 1” release was assumed to have an unmitigated consequence of 100 (disability) and a mitigated consequence of 1 (first aid). A 6” release was assumed to have an unmitigated consequence of 1,000 (fatality) and a mitigated consequence of 10 (injury). A rupture was assumed to have an unmitigated consequence of 10,000 (multiple fatalities) and a mitigated consequence of 100 (disability).


The event tree shown in Figure 3 works as follows. Assume a release actually happens (i.e., the probability is 1.0).

Detection coverage represents the probability that the detector will actually see the hazardous condition (not whether the detector is actually functioning properly). In other words, will there actually be gas at the sensor, or in the path of an open beam detector, or will a fire be in the field of view of a detector, etc. As described previously, a figure of 90% is optimistic for some scenarios and configurations.

A 90% probability that the fire & gas system activates represents the low end of SIL 1 performance (90% - 99%).

Mitigation effectiveness represents the probability that the overall system response will actually prevent or mitigate the hazardous event. This number can vary greatly and can include the effectiveness of other safety layers, blow down systems, deluge systems, water curtains or other methods of mitigation. For example, it’s unlikely that any mitigation will reduce the impact of a major release, although it may reduce the impact of a minor release. A figure of 90% may be optimistic for many scenarios.

The weighting factors are the combinational probabilities for each branch in the tree (e.g., 0.9 x 0.9 x 0.9 = .73).

The consequence numbers were discussed above. The weighted consequence is the weighting factor multiplied by the consequence number for

each branch in the tree. The total number is the sum of the weighted consequences. The worst case unmitigated

consequence of 100 (disability) is reduced to 28, which could be rounded down to 10 (injury).

Detection Coverage F&G Activates


Weighting Factor Consequence

Weighted Consequence

Yes 0.9 73% 1 0.729 Yes 0.9 0.9 0.1 8% 100 8.1 Leak Scenario No

1.00E+00 0.1 9% 100 9 No 0.1 10% 100 10 100% Total 27.829

Figure 3: 1” Leak Scenario with SIL 1 F&G


Figure 4 is the same event tree assuming a low end SIL 2 fire & gas system were utilized (99% - 99.9%). The total weighted consequence still rounds down to 10. The same result would occur even if utilizing a SIL 3 fire & gas system. Detection coverage and mitigation effectiveness limit overall system performance.

Detection Coverage F&G Activates


Weighting Factor Consequence

Weighted Consequence

Yes 0.9 80% 1 0.8019 Yes 0.99 0.9 0.1 9% 100 8.91 Leak Scenario No

1.00E+00 0.01 1% 100 0.9 No 0.1 10% 100 10 100% Total 20.6119

Figure 4: 1” Leak Scenario with SIL 2 F&G

Similar event trees were developed for the 6” and rupture cases. The results are summarized in Table 2. The release sizes, total rates, percentages and consequences before mitigation were discussed earlier. The mitigation after consequences are the results of the event trees for each case.

The “average consequence” number is a weighted average of the three “before mitigation consequence” numbers multiplied by the corresponding percentages. The average before mitigated consequence of 100 (244 rounded down) remains an average after mitigated consequence of 100 (75 rounded up). Note: The after mitigation consequence numbers would not change significantly whether SIL 1, 2 or 3 rated fire and gas system hardware were utilized.

Release size Total rate Percentage Before Mitigation

Consequence After Mitigation Consequence

1 inch 2.90E-02 94.09% 100 27 6 inch 1.51E-03 4.89% 1,000 429 Rupture 3.13E-04 1.02% 10,000 2,782 Average Consequence 244 75 Overall Frequency 3.08E-02 3.08E-02

Table 2: Consequence Before and After Mitigation

The overall frequency number (3.08E-2/yr or 1/32 yr) is the sum of the three total rates. 32 years falls within 10-100 year column in Figure 2. With a consequence of 100 (disability), the design results in an overall risk level of C. This means the overall process design still requires the addition of multiple, diverse safety layers. This simple example also supports the notion that in terms of consequence reduction, the fire and gas system does not even provide one order of magnitude risk reduction, no matter how good the hardware is.


ESTIMATING DETECTION COVERAGE AND MITIGATION EFFECTIVENESS Just as there are different methods of analyzing safety instrumented system performance

(e.g., Reliability Block Diagrams, Fault Trees, Markov Models) there are different methods of estimating detection coverage. There are many variables to consider, such as the size of area to be monitored; enclosed, partially enclosed, or non-enclosed space; number of detectors; density of gas; wind speed; number of leak sources in the space, etc. Simple and complex models currently used by members within the fire and gas task team show detector coverage varying greatly. Detection coverage is very high for single sensors and a catastrophic release. Detection coverage is very low for multiple sensors detecting medium or small releases. Estimating mitigation effectiveness may best be done by reviewing historical company records and/or expert opinion (e.g., the PHA team).

CONCLUSIONS Concepts that apply to prevention safety layers such as safety instrumented systems do not

necessarily apply to mitigation safety layers such as fire & gas systems. Unlike safety instrumented system hardware, claiming any integrity level for fire & gas hardware alone is misleading. That information alone does not allow one to determine whether that the overall system will meet the desired level of risk reduction.

A chain is only as strong as its weakest link. Focusing on the performance of the fire & gas hardware alone and not accounting for the detector coverage and mitigation effectiveness is just as misleading as focusing only on the logic solver in a safety instrumented system. The impact of field devices (sensors and final elements) typically has a dominating impact on safety instrumented system performance. Similarly, detector coverage and mitigation effectiveness have a dominating impact on fire & gas system performance and may prevent most systems from ever meeting SIL 1 performance levels.

However, it is possible to apply performance based concepts to fire and gas systems. It is possible to assign risk reduction targets for fire and gas systems and apply quantitative techniques in system verification. Work is proceeding within the ISA 84 committee on ways to account for detector coverage, mitigation effectiveness and other factors, thus allowing a quantitative, performance based approach to fire and gas system design. Once the detector coverage and mitigation effectiveness limitations are better understood and addressed, then focusing on the SIL rating of the hardware will be more meaningful.

ACKNOWLEDGEMENTS The author does not claim to be the original developer of this work and gratefully

acknowledges the ongoing efforts within the ISA 84 committee and fire & gas task team, information presented by end users such as Shell, BP and Chevron, and analysis work done by Kenexis. The intent of publishing this paper is to inform industry of the work being done, stimulate discussion, and recruit others to be involved in the continuing effort.

REFERENCES 1. IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related

systems. 2. IEC 61511: Functional Safety: Safety Instrumented Systems for the Process Industry Sector. 3. EN 54: Fire detection and fire alarm systems. 4. NFPA 72: National Fire Alarm Code.


5. EN 50402: Electrical apparatus for the detection and measurement of combustible or toxic gases or vapours or of oxygen. Requirements on the functional safety of fixed gas detection systems.

6. IEC draft 60079-29: Equipment for the detection and measurement of flammable gases - Guide for selection, installation, use and maintenance.

Author Bio: Paul Gruhn, PE, CFSE is a Safety Product Specialist at ICS Triplex in Houston, Texas. Paul is an ISA Fellow, a member of the ISA 84 standard committee and its fire & gas task team, the developer and instructor of ISA courses on safety systems, co-author of the ISA textbook on the subject, and a member of the A&M Instrumentation Symposium Steering Committee. He has a B.S. degree in Mechanical Engineering from Illinois Institute of Technology, is a licensed Professional Engineer (PE) in Texas, and a Certified Functional Safety Expert (CFSE).


sil rating for f&g system hardware

Documents