38 0 3MB
TECHNICAL REPORT
ISA-TR84.00.07-2018
Guidance on the Evaluation of Fire, Combustible Gas, and Toxic Gas System Effectiveness Approved August 10, 2018
NOTICE OF COPYRIGHT This is a copyright document and may not be copied or distributed in any form or manner without the permission of ISA. This copy of the document was made for the sole use of the person to whom ISA provided it and is subject to the restrictions stated in ISA’s license to that person. It may not be provided to any other person in print, electronic, or any other form. Violations of ISA’s copyright will be prosecuted to the fullest extent of the law and may result in substantial civil and criminal penalties.
ISA-TR84.00.07-2018, Guidance on the Evaluation of Fire, Combustible Gas, and Toxic Gas System Effectiveness ISBN: 978-1-64331-036-7 Copyright © 2018 by ISA. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherw ise), without the prior written permission of the publisher. ISA 67 T.W. Alexander Drive P.O. Box 12277 Research Triangle Park, North Carolina 27709 E-mail: [email protected]
-3-
ISA-TR84.00.07-2018
Preface This preface is included for information purposes and is not part of ISA -TR84.00.07-2018. This technical report has been prepared as part of the service of ISA, the International Society of Automation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA, 67 T.W. Alexander Drive; P.O. Box 12277; Research Triangle Park, N .C. 27709; Telephone (919) 549-8411; Fax (919) 5498288; E-mail: [email protected]. This ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the International System of Units (SI) in particular, in the preparation of standards, recommended practices, and technical reports. The Department is further aware of the benefits to users of ISA standards documents of inc orporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, the Department will endeavor to introduce SI and acceptable metric units in all new and revised standards documents to the greatest extent possible. The Metric Practice Guide, which has been published by the Institute of Electrical and Electronics Engineers (IEEE) as ANSI/IEEE Std. 268-1992, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors. It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards. Participation in the ISA standards -making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical reports that ISA develops. CAUTION — ISA DOES NOT TAKE ANY POSITION WITH RESPECT TO THE EXISTENCE OR VALIDITY OF ANY PATENT RIGHTS ASSERTED IN CONNECTION WITH THIS DOCUMENT, AND ISA DISCLAIMS LIABILITY FOR THE INFRINGEMENT OF ANY PATENT RESULTING FROM THE USE OF THIS DOCUMENT. USERS ARE ADVISED THAT DETERMINATION OF THE VALIDITY OF ANY PATENT RIGHTS, AND THE RISK OF INFRINGEMENT OF SUCH RIGHTS, IS ENTIRELY THEIR OWN RESPONSIBILITY. PURSUANT TO ISA’S PATENT POLICY, ONE OR MORE PATENT HOLDERS OR PATENT APPLICANTS MAY HAVE DISCLOSED PATENTS THAT COULD BE INFRINGED BY USE OF THIS DOCUMENT, AND EXECUTED A LETTER OF ASSURANCE COMMITTING TO THE GRANTING OF A LICENSE ON A WORLDWIDE, NONDISCRIMINATORY BASIS, WITH A FAIR AND REASONABLE ROYALTY RATE AND FAIR AND REASONABLE TERMS AND CONDITIONS. FOR MORE INFORMATION ON SUCH DISCLOSURES AND LETTERS OF ASSURANCE, CONTACT ISA OR VISIT: WWW.ISA.ORG/STANDARDSPATENTS. OTHER PATENTS OR PATENT CLAIMS MAY EXIST FOR WHICH A DISCLOSURE OR LETTER OF ASSURANCE HAS NOT BEEN RECEIVED. ISA IS NOT RESPONSIBLE FOR IDENTIFYING PATENTS OR PATENT APPLICATIONS FOR WHICH A LICENSE MAY BE REQUIRED, FOR CONDUCTING INQUIRIES INTO THE LEGAL VALIDITY OR SCOPE OF PATENTS, OR FOR DETERMINING WHETHER ANY LICENSING TERMS OR CONDITIONS PROVIDED IN CONNECTION WITH SUBMISSION OF A LETTER OF ASSURANCE, IF ANY, OR IN ANY LICENSING AGREEMENTS ARE REASONABLE OR NONDISCRIMINATORY. ISA REQUESTS THAT ANYONE REVIEWING THIS DOCUMENT WHO IS AWARE OF ANY PATENTS THAT MAY IMPACT IMPLEMENTATION OF THE DOCUMENT NOTIFY THE ISA STANDARDS AND PRACTICES DEPARTMENT OF THE PATENT AND ITS OWNER. ADDITIONALLY, THE USE OF THIS DOCUMENT MAY INVOLVE HAZARDOUS MATERIALS, OPERATIONS, OR EQUIPMENT. THE DOCUMENT CANNOT ANTICIPATE ALL POSSIBLE Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
-4-
APPLICATIONS OR ADDRESS ALL POSSIBLE SAFETY ISSUES ASSOCIATED WITH USE IN HAZARDOUS CONDITIONS. THE USER OF THIS DOCUMENT MUST EXERCISE SOUND PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY UNDER THE USER’S PARTICULAR CIRCUMSTANCES. THE USER MUST ALSO CONSIDER THE APPLICABILITY OF ANY GOVERNMENTAL REGULATORY LIMITATIONS AND ESTABLISHED SAFETY AND HEALTH PRACTICES BEFORE IMPLEMENTING THIS DOCUMENT. THE USER OF THIS DOCUMENT SHOULD BE AWARE THAT THIS DOCUMENT MAY BE IMPACTED BY ELECTRONIC SECURITY ISSUES. THE COMMITTEE HAS NOT YET ADDRESSED THE POTENTIAL ISSUES IN THIS VERSION. ISA ( www.isa.org ) is a nonprofit professional association that sets the standard for those who apply engineering and technology to improve the management, safety, a nd cybersecurity of modern automation and control systems used across industry and critical infrastructure. Founded in 1945, ISA develops widely used global standards; certifies industry professionals; provides education and training; publishes books and technical articles; hosts conferences and exhibits; and provides networking and career development programs for its 40,000 members and 400,000 customers around the world. ISA owns Automation.com , a leading online publisher of automation-related content, and is the founding sponsor of The Automation Federation ( www.automationfederation.org ), an association of nonprofit organizations serving as “The Voice of Automat ion.” Through a wholly owned subsidiary, ISA bridges the gap between standards and their implementation with the ISA Security Compliance Institute ( www.isasecure.org ) and the ISA Wireless Compliance Institute ( www.isa100wci.org ). The following served as active members of ISA84 Working Group 7 in developing this technical report: NAME
COMPANY
M. Scott, FGS Co-Chair K. Mitchell, FGS Co-Chair I. Barreiro D. Blackburn A. Brier D. Chisholm R. Chittilapilly F. Dagerman R. Dunn L. Garcia C. George I. Gibson N. Gopalaswami P. Goteti M. Hochleitner W. Gutierrez Ramirez P. Gruhn S. Harman F. Hendi P. Herena E. Jandik J. Kallambettu P. Kannan S. King L. Laskowski B. Leong J. McNay E. Marszal
aeSolutions Kenexis Consulting Corp Chevron Phillips 66 BriTech Systems Phillips 66 Oil & Natural Gas Corp MSA Safety DuPont Siemens Flint Hills Resources Consultant Honeywell Process Solutions Honeywell Process Solutions SIS-TECH Solutions LP Pryxida Tech aeSolutions Eaton Schneider Electric BakerRisk Chevron Bechtel Petroleum Development Oman Honeywell Emerson Chevron Micropack Ltd. Kenexis Consulting Corp Copyright 2018 ISA. All rights reserved.
-5T. Mukoda G. Pajak S. Pate A. Petre M. Ratcliffe E. Revilla E. Roche A. Sahraei P. Seiler R. Seitz E. Sharpe R. Skone K. Szafron A. Summers A. Woltman D. Zetterberg
ISA-TR84.00.07-2018
DuPont aeSolutions Det-Tronics Westech Industrial Ltd. Jacobs Engineering & Construction LLC Chevron SIS-TECH Solutions LP BP Emerson ASRC Energy Services Suncor Energy FireBus Systems BP SIS-TECH Solutions LP Consultant Chevron
The following served as members of the ISA Standards and Practices Board and approved this technical report on August 10, 2018: NAME M. Wilkins, Vice President D. Bartusiak D. Brandl P. Brett E. Cosman D. Dunn J. Federlein B. Fitzpatrick J.-P. Hauet D. Lee G. Lehmann T. McAvinew V. Mezzano C. Monchinski G. Nasby M. Nixon D. Reed N. Sands H. Sasajima H. Storey K. Unger I. Verhappen D. Visnich I. Weber W. Weidman J. Weiss D. Zetterberg
COMPANY Yokogawa UK Ltd. ExxonMobil Research & Engineering BR&L Consulting Honeywell Inc. OIT Concepts, LLC T.F. Hudgins, Inc. - Allied Reliability Group Federlein & Assoc. LLC Wood PLC Hauet.com Avid Solutions Inc. AECOM Consultant Fluor Corp. Automated Control Concepts Inc. City of Guelph Water Services Emerson Process Management Rockwell Automation DuPont Fieldcomm Group Inc. Asia-Pacific Herman Storey Consulting Advanced Operational Excellence Co. Industrial Automation Networks Burns & McDonnell Siemens AG DF FA Consultant Applied Control Solutions LLC Chevron Energy Technology Co.
Copyright 2018 ISA. All rights reserved.
This page intentionally left blank.
Copyright 2018 ISA. All rights reserved.
-7-
ISA-TR84.00.07-2018
Contents Foreword ...................................................................................................................................................- 9 Introduction..............................................................................................................................................- 11 1
Scope .............................................................................................................................................- 15 -
2
References .....................................................................................................................................- 15 -
3
Definition of terms and acronyms ...................................................................................................- 17 -
4
Risk concepts in FGS design .........................................................................................................- 19 -
5
FGS engineering activities in a project workflow ............................................................................- 40 -
Annex A Sample semi-quantitative performance target selection technique ......................................- 43 Annex B Detector coverage assessment techniques ..........................................................................- 53 Annex C Mitigation action effectiveness concept ................................................................................- 63 Annex D Application examples ............................................................................................................- 67 Annex E Evaluation of computational fluid dynamics vs. target gas cloud for indoor gas detection design (reference 2.17) ...........................................................................................................- 97 -
Copyright 2018 ISA. All rights reserved.
This page intentionally left blank.
Copyright 2018 ISA. All rights reserved.
-9-
ISA-TR84.00.07-2018
Foreword The work to develop this edition of ISA-TR84.00.07 began in 2014 and was completed in 2018. At the same time, the functional safety standard ANSI/ISA 84.00.01 -2004 was undergoing updates in parallel with IEC 61511. The ISA84 Fire and Gas Working Group main tained awareness of committee activities associated with modifying the governing standards. The scope of updates to the 2nd Edition of this technical report was limited by the ISA84 committee, and it was not in the working group’s charter to align this edition of the technical report with the subsequent issuance of ISA’s functional safety standard. This technical report describes how the underlying principles of the functional safety standards can be applied to fire and gas systems. Those same underlying principles that were used to develop the guidance in the technical report remain consistent in the new issuance of IEC 61511 2016 and ANSI/ISA-61511-2018 (replacing ANSI/ISA-84.00.01-2004). Because of the timing associated with approval and publication, this technical report retains the references to ANSI/ISA 84.00.01-2004. At the time of publication, the working group provides this acknowledgment that the recent publication of ANSI/ISA-61511-2018 retains the same scope, application and underlying principles associated with fire and gas systems. ISA-TR84.00.07-2018 is intended for use in evaluating the effectiveness of fire and gas systems (FGSs) in process industry applications. It addresses the implementation of FGSs to reduce the risk of hazardous releases involving safety impact. NOTE Users can choose to apply the concepts in this technical report to environmental and/or operational loss scenarios.
ISA-TR84.00.07-2018 is provided for information purposes only and is not part of ANSI/ISA 84.00.01-2004 (IEC 61511 Modified) (reference 2.1). ANSI/ISA-84.00.01-2004 and IEC 61511 (reference 2.9) are performance-based standards that provide the minimum requirements for designing and managing a safety instrumented system (SIS). As part of the safety lifecycle, the functional and integrity requirements are established for safety functions that reduce the risk of hazardous events identified using a hazard and risk analysis. Guidance is provided in Part 3 of either ANSI/ISA -84.00.01-2004 or IEC 61511 on the various methods used to evaluate risk and allocate risk reduction to identified safety functions. An underlying assumption in all of the methods is that the identified safety functions are capable of achieving the allocated risk reduction in the operating en vironment. The scope of ANSI/ISA-84.00.01-2004 covers electrical / electronic / programmable electronic systems for use in safety applications. Accordingly, the ISA84 committee develops standards and technical reports to provide guidelines for the implementation of automated (or instrumented) systems in safety applications. The purpose of ISA-TR84.00.07-2018 is to provide guidance on how to evaluate the effectiveness of identified FGS functions in a manner that is consistent with the underlying principles of ANSI/ISA-84.00.01-2004. FGS functions that are identified as safety controls, alarms, or interlocks should be implemented according to the applicable requirements of ANSI/ISA-84.91.01-2012 (reference 2.10) and ANSI/ISA-84.00.01-2004, based on the degree of risk reduction being claimed for the FGS function, in addition to relevant application specific practices. For example, FGS functions should be implemented per applicable requirements in the following standards, based on the risk reduction needed: •
General fire and gas system safeguards with no specific risk reduction claimed should be implemented per application-specific standards from local jurisdiction having authority.
•
FGS functions with claimed FGS risk reduction factor (RRF) less than or equal to 10 should be implemented per applicable requirements of ANSI/ISA-84.91.01-2012, Safety Controls, Alarms and Interlocks in the Process Industries.
•
FGS function with claimed FGS risk reduction factor (RRF) in excess of 10 should be implemented per the applicable requirements of ANSI/ISA-84.91.01-2012 and ANSI/ISACopyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 10 -
84.00.01-2004 (based on IEC 61511 compliance, which includes consideration f or IEC 61508 compliance and/or end-user prior use approval of sensor, logic solver and final element subsystems). Prescriptive approaches for the design of some/all components of a n FGS are provided in recognized and generally accepted good engineering practices (ref erence 2.2 and 2.3) for certain applications. In complex hazard scenarios, especially those involving high -risk exposure (e.g., offshore oil and gas installations), and in situations where no other prescriptive guidance is available, supplementing these practices with performance-based analysis can result in an improved design with more effective coverage and lower probability of FGS failure. It is ultimately the user’s decision on when to apply performance-based approaches. Nothing in this technical report suggests the prescriptive practices are invalid or that they should not be followed as required by local jurisdictional authorities. The concepts underlying a performance -based approach are suitable to the analysis and design of FGSs in process industries, and these principles can be used effectively in conjunction with other good engineering practices. THE EXAMPLE RISK ANALYSIS METHODS AND RISK CRITERIA CONTAINED IN THIS TECHNICAL REPORT HAVE BEEN PROVIDED SOLELY AS EXPLANATORY MATERIAL AND SHOULD NOT BE INTERPRETED AS RECOMMENDATIONS. ALSO, THE EXAMPLE FGS ARCHITECTURES, DETECTOR COVERAGES, AND MITIGATION EFFECTIVENESS REPRESENT POSSIBLE SYSTEM CONFIGURATIONS AND SHOULD NOT BE INTERPRETED AS RECOMMENDATIONS. THE CONFIGURATIONS USED IN ACTUAL APPLICATIONS ARE SPECIFIC TO THE OPERATING ENVIRONMENT AND PROCESS CONDITIONS IN WHICH THEY ARE USED. AS SUCH, NO GENERAL RECOMMENDATIONS CAN BE PROVIDED THAT ARE APPLICABLE IN ALL SITUATIONS. THE USER OF THIS TECHNICAL REPORT IS CAUTIONED TO CLEARLY UNDERSTAND THE ASSUMPTIONS AND DATA ASSOCIATED WITH THE METHODOLOGIES IN THIS DOCUMENT BEFORE ATTEMPTING TO UTILIZE THE METHODS PRESENTED HEREIN. Users of ISA-TR84.00.07-2018 will include: •
Vendors, end-users, and consultants who are applying the performance-based concepts to FGS functions, in addition to other applicable good engineering practices .
•
Hazard and risk analysis teams that are allocating risk reduction to FGS functions.
•
FGS designers who want to understand the impact of detector coverage and mitigation effectiveness on the integrity of FGS functions.
•
Any additional entities who wish to gain further insight into performance based FGS design concepts.
Copyright 2018 ISA. All rights reserved.
- 11 -
ISA-TR84.00.07-2018
Introduction The ISA84 standards committee formed a working group to study the analysis and design processes that are commonly used in the process industry for fire and gas systems (FGSs) and to provide guidance on how these processes can be adapted to i ncorporate performance-based concepts. FGSs, as they are considered in this report, are a subset of industrial automation and control systems that are employed in the process industries for the purpose of detecting loss of containment of hazardous materials from the process and initiating a response to mitigate the release impact. Loss of containment can be a small leak or a catastrophic release. It can be detected by measuring the presence of the released materials (e.g., gas concentration) or inferred from the effects of the release (e.g., thermal radiation from a fire) . Detection methods considered in this technical report can include detection of combustible gas, toxic gas, smoke, flame, acoustic emission, or rapid heat rise in areas adjacent to the process itself and in critical areas, such as occupied buildings or buildings with unrated electrical equipment. Detector coverage and associated detection capability var y substantially depending on the hazard scenario and the characteristics of the detector. Actions taken by the FGS can be manually or automatically initiated and can affect a wide variety of systems, such as sheltering in place or evacuation in response to audible and visual alarm indications; water deluge; fire suppressant initiation; manipulation of heating, ventilation, and air conditioning (HVAC) system equipment; process isolation; or process depressurization. Similar to detection capability, the effectiveness of these mitigative actions is highly scenario dependent. Use of performance-based design is not widely adopted for FGSs within the process industries. However, ANSI/ISA-84.00.01-2004 or IEC 61511 can be employed as a design basis for mitigative fire and gas safety functions by considering the following definitions from ANSI/ISA-84.00.01-2004 or IEC 61511: mitigation action that reduces the consequence(s) of a hazardous event NOTE 1 Examples include emergency depressurization on detection of a confirmed fire or gas leak.
prevention action that reduces the likelihood of occurrence of a hazardous event protection layer any independent mechanism that reduces risk by control, prevention , or mitigation NOTE 1 It can be a process engineering mechanism such as the size of vessels containing hazardous chemicals, a mechanical mechanism such as a relief valve, a SIS, or an administrative procedure such as an emergency plan against an imminent hazard. These responses may be automated or initiated by human actions. [SOURCE: IEC 61511-1:2016, Definition 3.2.61, modified – reference to Figure 9 removed from Note 1]
safety function function to be implemented by one or more protection layers, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event NOTE 1 The safe state of the process for each identified safety function is defined such that a stable state has been achieved and the specified hazardous event has been avoided or sufficiently mitigated. [SOURCE: IEC 61511-1:2016, Definition 3.2.69, added Note 1, derived from 10.3.1.d]
safety instrumented function (SIF) safety function to be implemented by a safety instrumented system (SIS) NOTE 1 A SIF is designed to achieve a required SIL, which is determined in relationship with the other protection layers participating in the reduction of the same risk.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 12 -
There are two broadly different philosoph ical approaches used in the process industries for establishing design requirements to ensure the availability and effectiveness of FGS s: prescriptive and performance-based. The choice of design method is an owner/operator decision. FGSs have traditionally been designed and implemented according to various good engineering practices, such as NFPA 72 (reference 2.2) and EN 54 (reference 2.3). These prescriptive practices do not require evaluation of the risk reduction capability of the FGS as measured by its safety integrity and probability of failure on demand (PFD), nor do they consider quantitative measures for detector coverage. A performance-based approach consistent with the ANSI/ISA-84.00.01-2004 or IEC 61511 is attractive because it builds on the strength of the existing standard. However, without guidance, a performance-based approach has historically been challenging to apply to FGS design due to several factors. Traditional hazard and risk analysis techniques are suited for hazards related to process deviations from normal operation. These process hazards have known initiating causes and consequences, allowing the safety function to be specifically designed to detect the event and to respond by achieving or maintaining a safe state of the process . FGSs are typically implemented to reduce the risk of general loss of containment, such as leaks from equipment seals, flanges, and piping, and are often not associated with a specific hazardous scenario. These hazards can be difficult to define and analyze and often require the use of advanced risk analysis techniques, such as gas dispersion, fire, and explosion modeling. Most often FGSs do not prevent hazardous consequences from occurring, but rather mitigate the effects of an event that has already occurred. FGSs typically reduce the magnitude and severity of the consequence instead of eliminating it. Typical hazard and risk analysis assumes that the identified safety function eliminates the consequence. Therefore, it is important to understand and evaluate the hazard scenario resulting from FGS operation to ensure that the residual risk is acceptable. An FGS can provide poor risk reduction due to an inadequate detection rate. An analysis by Health and Safety Executive (HSE) of eight years of hydrocarbon release data (reference 2.4) showed that the effective detection rate was about 60%. The detection of many releases was significantly delayed, leading to higher consequences than expected. Even if very high integrity can be achieved by the hardware design and testing (e.g., low average probability of failure on demand), sufficient reduction in risk will not occur unless the detector coverage is also very high. For FGS functions, detector coverage should be analyzed with the same (if not more) quantitative rigor as the verification of the average probability of failure on demand for the hardware design. FGS effectiveness is also related to the ability of the mitigation elements (e.g., fire water system, ventilation system, process isolation) to function in a way that reduces hazardous consequences predictably. Mitigation can include •
stopping the process
•
diverting the hazardous material
•
applying fire water with the appropriate flow and spray characteristics
•
activating alarms notifying personnel to shelter in place or evacuate
As in the case of detector coverage, the effectiveness of the mitigative actions is dependent on many situational or scenario-specific factors. As a result of these complexities, initiating an FGS’s action might not necessarily mean that the consequence can be fully mitigated. As a result of these factors, a comprehensive approach to the hazard and risk analysis is indic ated, as it is often difficult to develop a sound technical justification for allocating risk reduction to FGS functions using a simplified risk assessment process, such as layer of protection analysis (LOPA)
Copyright 2018 ISA. All rights reserved.
- 13 -
ISA-TR84.00.07-2018
(reference 2.5 and 2.6). The identification of FGS functions and allocation of performance targets to them requires hazard and risk considerations that are beyond typical LOPA implementation. Furthermore, FGS performance verification should include evaluation of the detector coverage and consider the effectiveness of the mitigative actions and the safety availability of FGS hardware and software design. This ISA technical report describes the analysis that should be undertaken and the effectiveness criteria that should be specified when an FGS is implemented in a safety application. The report integrates performance-based fire and gas system design techniques into the applicable portions of the safety life cycle described in either ANSI/ISA-84.00.01-2004 or IEC 61511. The report also discusses the development of detector-coverage criteria applicable to each FGS function and includes a series of application examples (Annex D) that illustrate the techniques used to develop and verify the detector coverage and mitigation effectiveness.
Copyright 2018 ISA. All rights reserved.
This page intentionally left blank.
Copyright 2018 ISA. All rights reserved.
- 15 -
ISA-TR84.00.07-2018
1 Scope This technical report is informative and does not contain any mandatory requirements. This technical report is intended to be used in conjunction with other good engineering practices applicable to FGS installations. It is not intended to stand alone or be a replacement for ap plicationspecific practices. ISA-TR84.00.07 is a derivative of the ANSI/ISA-84.00.01-2004 (IEC 61511 Mod) standard with application to process industries. This technical report is intended to address detection and mitigation of fire, combustible gas, and toxic gas hazards in process areas. Fire detection and mitigation within nonprocess areas is outside the scope of this document. This technical report is intended to: •
Be used by those with a thorough understanding of ANSI/ISA -84.00.01-2004.
•
Clarify the additional information that should be considered when developing a performance based FGS design. This includes integrating the design activities into relevant portions of the safety life-cycle model.
•
Clarify how to define FGS functions within typical FGS designs where automatic action is taken as a result of detection of a fire or gas event.
•
Provide example scenario assessments to demonstrate the application of performance-based concepts to the analysis and design of FGSs.
•
Demonstrate that any coverage or effectiveness factor below 90% results in an FGS risk reduction factor of less than 10 of the FGS design.
•
Offer a performance-based methodology—for facilities using a prescriptive methodology (e.g., API-14C or API 14G) (reference 2.20 and 2.21) to allocate fire and gas detection. The methodology provides considerations for how to improve fire and gas effectiveness . The performance-based design process described in this TR can provide more effective hazard detection and detector placement in cases where fusible plugs (fire) may be needed.
•
Define a methodology that addresses the design and effectiveness of FGS mitigative functions that is consistent with the underlying principles used to design and assess the effectiveness of preventative functions.
2 References 1. ANSI/ISA-84.00.01-2004 (IEC 61511 Mod), Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1, 2 & 3, International Society of Automation, Research Triangle Park, N.C., 2004. 2. NFPA 72, National Fire Alarm Code, National Fire Protection Association, 2016. 3. EN 54-2: 1997 Fire Detection and Fire Alarm Systems Part 2: Control and Indicating Equipment. 4. HSE Offshore Fire and Explosion Strategy – Issue 1; http://www.hse.gov.uk/offshore/strategy/fgdetect.htm . 5. CCPS/AIChE, Layer of Protection Analysis: Simplified Process Risk Assessment, First Edition, New York, 2001. 6. CCPS/AICHE, Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis, First Edition, New York 2015.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 16 -
7. CCPS/AIChE, Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition, New York, 1999. 8. ANSI/ISA-TR84.00.02, Safety Instrumented Systems (SIS) – Safety Integrity Level (SIL) Evaluation Techniques, International Society of Automation, Research Triangle Park, N.C., 2002. 9. IEC 61511:2016, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1, 2 & 3. 10. ANSI/ISA-84.91.01-2012, Safety Controls, Alarms and Interlocks in the Process Industries . 11. U.K. HSE OTO 2001/055, OSD Hydrocarbon Release Reduction Campaign—Report on the Hydrocarbon Release Incident Investigation Project –1/4/2000 to 31/3/2001. 12. U.K. HSE OTO 93 002 – Offshore Gas Detector Siting Criterion Investigation of Detector Spacing, April 1993. 13. IEC 60079-29-1: Explosive atmospheres – Part 29-1: Gas detectors – Performance requirements of detectors for flammable gases . 14. IEC 60079-29-2: Explosive atmospheres – Part 29-2: Gas detectors – Selection, installation, use and maintenance of detectors for flammable gases and oxygen . 15. IEC 60079-29-4: Explosive atmospheres – Part 29-4: Gas detectors – Performance requirements of open path detectors for flammable gases . 16. A Review of Very Large Vapor Cloud Explosions’, U.K. Health and Safety Executive, Pipelines and Hazardous Materials Safety Administration (U .S. Department of Transport). 17. Evaluation of Computational Fluid Dynamics vs Target Gas Cloud for Indoor Gas Detection Design, J McNay, Dr. Ryan Hilditch, Published and Presented 25th October 2016 , MKOCPS Symposium. 18. OGP Report 434-7, Consequence Modelling, International Association of Oil and Gas Producers, March 2010. 19. ANSI/ISA-18.2-2016, Management of Alarm Systems for the Process Industries . 20. API 14C, Recommended Practice for Analysis, Design, Installation, and Testing of Safety Systems for Offshore Production Facilities, 8 th edition, 2017. 21. API 14G, Recommended Practice for Fire Prevention and Control on Fixed Open -type Offshore Production Platforms, 4th edition, 2013. 22. FM Global Property Loss Prevention Data Sheets 5-48 Jan 2011.
Copyright 2018 ISA. All rights reserved.
- 17 -
ISA-TR84.00.07-2018
3 Definition of terms and acronyms 3.1 Definitions This section contains definitions of terms that have been introduced or clarified with respect to performance-based FGS applications and included in this technical report. detector (geographic) coverage The fraction of the geometric area or volume of a defined monitored process area that, if a hazard were to occur in a given geographic location, would be detected considering the defined voting arrangement. detector (scenario) coverage The fraction of the hazard scenarios from process equipment within a defined and monitored process area that can be detected considering the frequency and magnitude of the hazard scenarios and the defined voting arrangement. fire and gas mapping The analysis of detector coverage to examine a proposed or existing FGS detector layout/voting arrangement and verify FGS performance targets are achieved by the design. FGS effectiveness The ability of the FGS function to detect and mitigate a design -basis hazard under a demand condition. NOTE 1 FGS effectiveness is dependent on a number of factors associate d with design, installation, site-specific operating conditions, and maintenance. FGS effectiveness is a function of the selected FGS performance metrics, including detector coverage, FGS safety availability, and mitigation action effectiveness, accounting for common cause, common mode, and systematic failures.
FGS risk reduction factor The ability of the FGS function to reduce the frequency of occurrence or the severity of harm. NOTE 1 FGS risk reduction factor is analyzed quantitatively for FGS functions that prevent or completely mitigate the hazard as a factor equal to the reciprocal of one (1) minus FGS effectiveness. NOTE 2 For FGS safety functions that do not completely mitigate the hazard, the residual risk is included in the analysis of FGS risk reduction. See Annex C for example.
FGS safety availability The availability of the fire and gas function designed to automatically mitigate the consequences of hazards. NOTE 1 FGS availability is equal to one minus the probability of failure on demand (PFDav g) for the FGS safety function (sensor, logic solver, and/or final element).
mitigation action effectiveness The confidence that the final element(s) actions will successfully mitigate the consequence of the hazard defined in the FGS basis of design. NOTE 1 Refer to Annex D for additional guidance on mitigation effectiveness.
1ooN voting arrangement Implementation of 1ooN (where N > 1) voting in an FGS is such that upon activation of any single detector in a monitored area with multiple detectors, the logic solver commands specified safety action(s) to occur. NOTE 1 This arrangement tends to provide a higher level of safety in that a dangerous undetected failure of a single detector will not inhibit the required safety action once the hazard is detected by a ny second nonfailed detector. This arrangement also provides a relatively higher level of exposure to spurious activation of the FGS , because a false alarm signal generated by any single detector will cause safety action(s) to occur when no hazard is prese nt.
MooN voting arrangement Implementation of MooN (where N > 1) voting in an FGS is such that the logic solver commands specified safety action(s) to occur only upon activation of any M or more detectors in a monitored area.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 18 -
3.2 Abbreviations and acronyms 1ooN: one out of N voting 1oo2: one out of two voting 3D: three dimensional AIChE: American Institute of Chemical Engineers ALARP: as low as reasonably practicable ANSI: American National Standards Institute API: American Petroleum Institute CCPS: Center for Chemical Process Safety CCTV: closed-circuit television CFD: computational fluid dynamics ERPG: emergency response planning guideline ESD: emergency shutdown FEED: front-end engineering design H2S: hydrogen sulfide HSE: Health and Safety Executive HVAC: heating ventilation air conditioning IDLH: immediately dangerous to life and health IEC: International Electrotechnical Commission IR: infrared ISA: International Society of Automation FGS: fire and gas system λ DU : dangerous undetected failure rate LEL/LFL: lower explosive limit/lower flammability limit LOPA: layers of protection analysis MOS: metal oxide semiconductor NFPA: National Fire Protection Association OSHA: Occupational Safety and Health Administration PEL: permissible exposure limit PFDavg: probability of failure on demand average
Copyright 2018 ISA. All rights reserved.
- 19 -
ISA-TR84.00.07-2018
PHA: process hazards analysis PPM: parts per million QRA: quantitative risk assessment RHO: radiant heat output RRF: risk reduction factor SIF: safety instrumented function SIL: safety integrity level SIS: safety instrumented system STEL: short-term exposure limit TI: test interval TLV: threshold limit value TWA: time weighted average UV: ultraviolet VCE: vapor cloud explosion
4 Risk concepts in FGS design This technical report provides an overview of some hazard and risk analysis methods applicable to fire and gas system design, including qualitative, semi-quantitative, and fully quantitative methods to estimate risk. Hazard and risk analyses are often used to identify loss-of-containment events due to a process deviation from normal operation. In contrast, most FGS functions are specified to address the risk of loss of containment due to problems with equipment mechanical integrity or other general causes of loss of containment not related to process hazard analysis (PHA) scenarios. Regardless of how the need for these functions is identified, an FGS can be important to an overall risk management strategy. A performance-based design of safety functions is proceeded by analyzing the hazard and risk of credible scenarios and allocating risk reduction to safety functions that will be specifically designed to address these events. Although a variety of methods are used in the process industries, an increasingly common method is layer of protection analysis (LOPA) (reference 2.5 and 2.6). LOPA is an established method for evaluating hazardous event propagation and assessing the capability of safety functions in reducing event risk. An important objective of LOPA is to ensure adequate independence and separation of the initiating causes from independent protection layers to minimize common cause, common mode, and systematic failures. However, LOPA does have limitations, which become clear when examining FGS functions. LOPA typically considers only two possible states for a candidate protection layer: success or failure. If the protection layer fails, there is a consequence. If the protection layer succeeds, the propagation of the hazardous event is halted and there is no consequence. While this is an appropriate assumption for many independent protection layers, it is not suitable for FGSs, since they typically do not stop the loss of containment event from occurring. Instead, a successful FGS function prevents an already bad situation from getting wor se. It is crucial to ensure that common cause and dependent mode failures are evaluated between the FGS and the initiating source. If the enduser risk criteria are based on preventing the hazardous event (i.e., preventing the release of
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 20 -
materials), no risk reduction will be claimed for the FGS. Nevertheless, the principles in this TR may be used to provide guidance for improved FGS safeguard design. This technical report presents a risk model to illustrate the concepts of how mitigative system risk can be analyzed. It addresses the detector coverage, safety availability, and mitigation effectiveness, and thereby allows these factors to be explicitly considered in the hazard and risk assessment. This model uses a simplified event tree to illustrate the risk analysis of identified initiating events from the initiating cause(s) to the final outcome(s). For FGSs, the simplified event tree (Figure 1) considers three aspects of FGS effectiveness: detector coverage, FGS safety availability, and mitigation effectiveness. While this simplified event tree shows mitigation effectiveness as a single probabilistic value, this is only to illustrate the risk concepts. In reality, the effectiveness of mitigation actions is often a more complex collection of factors. The event tree branches represent the probability of success and the probability of failure of these aspects —the mathematical complements. The event tree begins with a hazard arising from loss of containment within an area of concern and follows the propagation of the scenario through the success (yes)/failure (no) of each aspect contributing to effectiveness. Quantitative analysis can be used to report the relative likelihood and magnitude of the consequence of each potential outcome. Risk assessment determines the tolerability of the potential outcomes based on the consequence severity and likelihood by comparing the outcome frequency and consequence severity to the end-user risk criteria.
Figure 1 – FGS effectiveness model The first aspect of FGS effectiveness is the probability that the hazard is detectable given the detector layout and chosen voting arrangement. For example, if action is taken upon activation of two or more gas detectors, the hazard is detectable only if the scenario involves a gas cloud that covers at least two detectors in the array. Loss of containment places a demand on the FGS, requiring its sensor array to detect the hazardous condition and to initiate required action . Failed detection allows the incipient condition to escalate to a larger magnitude event. This escalated hazard might not be detectable by other detectors in the FGS; and if detectable, the FGS might not be effective in mitigating the larger hazard. This complexity has not been incorporated into the risk model in this technical report. For the sake of simplicity, it is assumed that a n incipient condition that is not detected due to inadequate detector coverage results in an unmitigated hazard that is beyond the capability of the FGS to effectively mitigate. The second branch of the event tree (FGS safety availability) represents the probability of successful FGS activation upon a detected hazard. FGS functions comprise sensor(s), logic solver(s), and final element(s). Failure of the FGS function to operate on demand results in
Copyright 2018 ISA. All rights reserved.
- 21 -
ISA-TR84.00.07-2018
escalation of the consequence. Quantification of the probability of failure on demand can be performed using the techniques presented in ISA-TR84.00.02 (reference 2.8). The third branch of the event tree is the FGS mitigation action effectiveness, which has an impact on the event outcomes and should be carefully considered when evaluating overall effectiveness of an FGS function. The design intent of an FGS is typically not to prevent a hazardous condition from initially occurring, but rather to reduce (or mitigate) the severity of consequences to a lower level. A small fire is prevented from becoming a large fire that can escalate into a larger or unacceptable consequence. A small gas release that presents a toxic and/or fire hazard is prevented from becoming a large gas accumulation that could result in a larger or unacceptable consequence. Therefore, the residual risk associated with a successful FGS operation should be considered in the overall determination of risk acceptability. However, it would be technically incorrect to consider the FGS detector coverage, safety availability, and mitigation effectiveness in the same manner as one would consider independent protection layers. The separate depiction in the event tree of FGS detector coverage, safety availability, and mitigation effectiveness is simply intended to highlight the aspects of the FGS that make its evaluation different from the typical instrumented safeguard. Personnel involved in the design or modification of FGSs should consider that any change to the FGS or to the context in which it is installed will most likely result in changes to the values of all three of these parameters. Different methods with different degrees of quantitative rigor are used in the process industries to implement the concepts discussed in the preceding paragraphs. These methods range from semi quantitative techniques to full quantitative risk analysis (QRA) methods. A quantitative risk analysis can be used to make decisions about the risk reduction strategy (ref erence 2.7). The QRA should be based on a comprehensive risk analysis and consequence modeling for the hazardous event under consideration. Semi-quantitative methods utilize scoring methods that categorize the attributes that define risk and then select grades of FGS performance based on the results of the scoring process (see Annex A). Where possible and practical, other instrumented safety systems, such as safety instrumented functions, should be designed to prevent loss of containment. The development of a methodology to allow the allocation and verification of the risk reduction capab ility of an FGS function should not be construed as an endorsement of the use of an FGS function in lieu of a properly designed preventive safety instrumented function. Thus, if risk analysis determines that two orders of magnitude of risk reduction is required to address a high-pressure scenario in a vessel, a safety instrumented function closing inlet feed to the vessel upon detection of high pressure with a risk reduction of two orders of magnitude is preferable. This technical report does not endorse addressing the above hazardous event with a safety instrumented function achieving one order of magnitude in combination with an FGS function providing the remaining one order of magnitude in risk reduction. This technical report focuses on the implementatio n of FGSs to protect people and the environment when the process is operating normally, but loss of containment has occurred due to such factors as corrosion, erosion, a leaking gasket, or tubing failure, or the process is operating abnormally, and preventative layers have failed. Thus, consider a different scenario where the pressure in the vessel is within tolerable limits ( e.g., not high) and loss of containment has occurred. In this scenario, an FGS function is an appropriate choice for reducing the risk, because there is no potential for implementing a preventive safety instrumented function to prevent loss of containment. It is advisable to use an approach that ensures : •
Loss of containment is minimized through implementation of preventive systems and an equipment mechanical integrity program .
•
FGSs are designed and maintained to be effective in reducing the severity of loss-ofcontainment.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 22 -
4.1 Performance-based FGS design process Design and implementation of an FGS can be performed in a manner that is consistent with the underlying principles of both ANSI/ISA-84.00.01-2004 and IEC 61511. The fundamental approach is to examine the hazard and risk in order to establish required FGS performance, and then to specify a design that achieves that performance. This performance-based FGS design process is illustrated in Figure 2, and it integrates into the relevant portions of a safety life cycle for safety functions.
NOTE Steps 7, 8, 9, and 10 may require iteration to meet performance targets.
Figure 2 – Performance-based FGS design process
4.2 Planning: Fire and gas philosophy Planning for performance-based FGS design should include determination of the end user’s fire and gas system philosophy. This philosophy is a well-reasoned technical basis that establishes the overall goals for hazard detection and mitigation. It should be consistent with the end user’s risk acceptance criteria that will be us ed in the allocation of safety functions to protection layers. It guides choices made by FGS designers. Appropriate choices for a given user facility are often best performed through standardized application of a fire and gas philosophy. FGSs are beneficial in mitigating the severity of hazards typical to the process industries. Additional information about these hazards can be found in CCPS ( reference 2.7). The description here is intended to aid in defining FGS performance objectives based on the chosen philosophy of the end user.
Copyright 2018 ISA. All rights reserved.
- 23 -
ISA-TR84.00.07-2018
To understand performance requirements for FGS, it is important to have a definition of the end user’s philosophy that is being applied to mitigate hazards. Mitigation systems usually need to have a philosophy developed before a designer can proc eed. Different users of this TR will have different philosophical approaches toward detection and mitigation of fire and gas hazards. This section describes how the elements of the fire and gas philosophy translate to performance-based FGS design. Some elements of a mitigation philosophy are included in codes, industry recommended practices, or company standards. However, elements associated with detection and mitigation are usually established by the end user. The primary questions to be addressed in defining the performance objectives for fire and gas mitigation: •
What magnitude of hazards should the FGS detection equipment be designed for?
•
What FGS actions are required to successfully mitigate the hazard?
This TR provides guidance on how the chosen philosophy will impact performance-based FGS design.
4.3 Fire detection philosophy When flammable or combustible hydrocarbon liquids are released from the process, accumulate, and are subsequently ignited, the result is a turbulent diffusion fire. The extent of a pool fire hazard is governed by the size of the pool, the burning intensity of the fuel, and to a lesser extent, meteorological conditions. When pressurized gas (or liquid/two -phase) is released and ignited immediately upon release, the result is a momentum-driven, turbulent jet fire. The extent of a jet fire hazard is governed by the rate of release, the shape of the flame, the flame orientation, and the burning intensity of the fuel. Both pool fires and jet fires emit thermal radiation, which can be haz ardous to people within seconds of exposure. Process equipment or structures can be damaged within minutes of intense fire exposure, especially if fireproofing is not provided or not effective. Fires can produce heavy smoke, which is hazardous if introduced in an occupied building. Personnel can be harmed either by the direct effect of the ignition of the hydrocarbon release or by exposure to an ongoing fire if the ability to safely evacuate is impaired. Fire detection can be beneficial in the latter case, by detecting an incipient fire in time before further exposure to personnel or impairment of evacuation routes can occur. The actions that are most effective in the early (incipient) stage of a fire are: •
alarms and evacuation/sheltering of personnel
•
automatic emergency shutdown (ESD) with isolation of fuel and depressurizing
•
activation of deluge systems/foam systems to suppress burning, cool surrounding equipment, or, in some cases, extinguish the fire
If a fire is not detected early (incipient), the potential exists for the fire to escalate to a hazard that impacts more equipment, impacts evacuation/egress, and causes more severe harm to people and the process. Fire detection philosophy statements are useful in determining the performance objectives o f fire detection system. The performance objective will guide the designer on the magnitude of fire that should be detected and the safety actions to be automatically activated. With a specific philosophy statement, the FGS designer can identify the perfor mance objectives, and this will guide the designer to choose the proper basis of design. Without a well-defined philosophy, the FGS designer can provide a system that is over-designed or under-designed and does not achieve enduser expectations. The following are two different philosophies for fire detection. Each is valid for a particular application.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 24 Table 1 – Example fire detection philosophies
Fire Detection Philosophy
Elements of Philosophy Decision
Typical Application
Goal is to detect fire as early as practical to reduce the possibility of escalation, minimize impact to the asset, and allow personnel to take appropriate protective actions.
Within a monitored process area: Detection: Incipient fire
Occupied offshore facilities
Successful FGS mitigation
Onshore process plants with significant occupancy
•
prompt evacuation or shelter-in-place response to alarm notification
•
isolate fuel source
•
depressurize the process
•
initiate fixed fire suppression of affected equipment and surrounding equipment
Migration beyond monitored process area: Detection: Smoke at building air intakes
High-value assets
Occupied offshore facilities
Successful FGS mitigation:
Goal is to detect fire that has the potential to produce major damage beyond the area of origin to mitigate against total asset loss.
•
prompt evacuation or shelter-in-place response to alarm notification
•
shutdown ventilation
Within a monitored process area: Detection: Fully developed fire Successful FGS mitigation •
Normally unmanned installations, onshore or offshore, with limited firefighting capability
isolate fuel source and allow to extinguish by depletion of fuel
Migration beyond monitored process area: Detection: (none)
It is impractical to detect all potential fire hazards. Detection can occur of an incipient hazard (early stage) or a fully developed hazard. Note that with larger fires, optical flame detector performance might be degraded. Safety actions can be as simple as containment and isolation of fuel, or as complicated as isolation, depressurizing, and suppression. The fire detection philosophy should specify if alarms and FGS actions will occur on a single detector in alarm state (1ooN) or require more than one detector in alarm state (e.g., 2ooN).
4.4 Flammable gas detection philosophy When flammable gas (or volatile liquid) is released but not immediately ignited, a flammable fuel air mixture forms, which can accumulate and/or migrate away from the point of release. Safe dispersion occurs when the gas dilutes in air below the lower flammable limit (LFL) concentration. If there is an absence of physical confinement of the flame front and absence of flame front interaction with turbulence-inducing obstacles, then the flame will not significantly accelerate. If ignited, the initial phenomenon is a short-duration, transient fire that burns from the point of ignition through the gas cloud in short duration. The flame front expands slowly near the point of ignition. In the event the flame front does not accelerate, the vapor cloud fire will not produce a significant pressure wave (blast). The fire is therefore called a flash fire. A flash fire is hazardous, but the extent is limited to the shape/size of the flame envelope itself. However, gas can accumulate in confined and semi-confined areas of a process. Historically, a minimum gas cloud accumulation of 5 meters (reference 2.4 and 2.12) was demonstrated to be sufficient for enabling a flame front to accelerate to a velocity that has the potential to cause a significant pressure wave. This does not exclude the potential that under adverse conditions, an accumulation of less than 5 meters might result in similar hazards. This pressure wave is also called a blast, and the phenomenon is known as a vapor cloud explosion (VCE). The extent of the VCE hazard is governed by the amount of gas accumulation and the degree of confinement and congestion, and it can be measured as the pressure generated by the blast and its duration.
Copyright 2018 ISA. All rights reserved.
- 25 -
ISA-TR84.00.07-2018
Personnel located outdoors are often not injured by the pressure wave itself but can be hurt by high-velocity fragments. Non-blast-resistant structures can be severely damaged or collapse, causing harm to building occupants. Blast effects can result in hazards at significant distance beyond the boundary of the flammable cloud. It is desirable to detect flammable gas before ignition, especially if it is in a confined and congested area where the gas can accumulate. FGS can be beneficial in detecting the presence of a flammable fuel-air mixture (or detecting a release of high-pressure gas). Automatic actions can be taken by the FGS to minimize both the possibility of ignition and the severity of the vapor cloud fire hazard. Actions that are most effective in the early stage of a gas release or accumulation are: •
alarms and evacuation/sheltering of personnel
•
automatic ESD with isolation and depressurizing equipment that can be leaking gas
•
automatic control of ignition sources (electrical de-energization, etc.)
•
activation of deluge systems to disperse gas and suppress burning of the gas
In this context, early detection means before a high probability of ignition or before a large accumulation occurs. If gas is not detected early, there is the potential for further accumulation resulting in escalation to a more severe hazard, including the potential for a VCE, or for gas to migrate beyond the process area to locations where there is either high personnel occupancy or strong ignition sources. Within a few seconds or less, a vapor cloud fire will burn back to the p oint of ignition and cause the hazards described above; however, the aftereffects can include a residual jet fire (f or a momentum-driven release) or pool fire (for a liquid release/pooling), or perhaps both. The residual fire will continue to burn until the source of the fuel is isolated and any accumulated fuel is consumed. While it is highly preferable to detect a flammable gas hazard before ignition to safeguard life, FGS can also be beneficial in detecting the residual fire and taking actions to limit its duration and intensity. There are several different philosophies for flammable gas detection. Flammable gas detection can be applied to detecting either an accumulation of gas or a release of gas. Actions could be prompt evacuation, shelter in place in response to an alarm notification, or acting to limit the size/extent and ignition potential for a vapor cloud. The following are two different philosophies for flammable gas detection. Each is valid for a particular application.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 26 -
Table 2 – Example combustible gas detection philosophies Flammable Gas Detection Philosophy
Elements of Philosophy Decision
Detect credible gas releases by strategically placing detection equipment in proximity to release sources to minimize potential for extended duration gas release that could ignite with severe consequences.
Within a monitored area: Detection: Leak/release sources and size should be identified, and detectors located in proximity to leak sources to provide incipient (early) indication of a hazard before gas migrates to a location where ignition and escalation are likely.
Typical Application
Successful FGS mitigation: •
alarm to evacuate personnel to safety and allow controlled operator shutdown (or automatic ESD)
Migration beyond a monitored area: Detection: Variation in gas cloud size and direction makes it difficult to specify detector layout and spacing within a monitored area to address all possible leak scenarios. Because ignition sources and occupancy are well controlled within a process area, detection within a monitored area should be supplemented with perimeter gas detection to improve confidence that the release will be detected before migrating to a strong ignition source or area with higher occupancy and a more severe impact.
Onshore process plants
Successful FGS mitigation: alarm to evacuate personnel to safety and allow controlled operator shutdown (or automatic ESD) Detect gas accumulations in hazardous quantities that, if ignited, could cause significant impairment to life, safety, and the asset.
Within a monitored area: Detection: Gas dispersion patterns might not be predictable, and gas hazards are most severe in areas where gas can accumulate within confined and congested process areas. Detectors should be placed in areas where gas can accumulate in order to mitigate a threshold accumulation volume that can result in a more severe blast, which could impair structural integrity or impair evacuation/egress. Successful FGS mitigation: •
isolate fuel source and depressurize
•
de-energize electrical apparatus
•
evacuate personnel to safety
Offshore facilities
Migration beyond a monitored area: Detection: Reliable detection cannot be assured in areas where gas does not accumulate (absence of confinement/congestion), nor is the severity of an ignited gas cloud of high concern due to the lower severity of a vapor cloud fire (no VCE). Credible leak scenarios should be identified, and detection of gas migration should be provided at receptors of concern (detection at HVAC air intakes, etc.). Successful FGS mitigation: •
alarm to shelter/evacuate personnel
•
de-energize electrical apparatus
It is impractical to detect all gas leaks, even all leaks that could be hazardous. Release sources and direction of dispersion cannot always be predicted with certainty. In some locations, where gas can be dispersed by wind or ventilation, a strategy of placing detectors only around likely release sources can have limited effectiveness. The gas detection philosophy should specify if alarms and FGS executive actions will occur on a single detector in alarm state (1ooN) or require more than one detector in alarm state (2ooN). A well-defined philosophy will guide the FGS user in determining the correct performance objectives.
4.5 Toxic gas detection philosophy Toxic gas detection involves an analysis of a specific application, as general guidelines are difficult to set due to the widely varying hazards of different toxic materials, the variations in concentrations of toxic materials, and the high dependency of toxic hazards on site-specific factors, including
Copyright 2018 ISA. All rights reserved.
- 27 -
ISA-TR84.00.07-2018
meteorology. Therefore, one approach is to select a hazard scenario and model the extent of the hazard (e.g., dispersion, computational fluid dynamics [CFD]). To model a toxic gas hazard, consider the smallest hazard scenario that would require detection; this can be based on either risk or a team-based review and should be likely to occur in the project lifetime. A second approach is to directly postulate the magnitude of a toxic gas volume that is of concern and then design using a geographic technique (e.g., 5 m H2S cloud size, 8 m H2S cloud size) . The objective of a toxic gas detection system is to detect concentrations of gas that could be hazardous to personnel in time for proper protective actions to be taken. Automatic actions can be taken by the FGS to minimize the severity of the hazard. Actions that are most effective in early stage of gas release or accumulation are: •
alarms and evacuation/sheltering of personnel
•
automatic ESD with isolation and depressurizing equipment that can be leaking gas
The following is an example philosophy for toxic gas detection. Table 3 – Example toxic gas detection philosophies Toxic Gas Detection Philosophy
Elements of Philosophy Decision
Detect credible gas releases by strategically placing detection equipment in proximity to release sources to minimize potential for extended duration gas hazard that could result in severe consequences.
Within a monitored area: Detection: Leak/release sources and size should be identified, and detectors should be located in proximity to leak sources to provide early indication of a hazard before gas migrates to a location where exposure is likely.
Typical Application
Successful FGS mitigation: •
alarm to evacuate personnel to safety or shelter and allow controlled operator shutdown (or automatic ESD)
Migration beyond a monitored area: Detection: Variation in gas cloud size and direction results in difficulty specifying the detector layout and spacing within a monitored area to address all possible leak scenarios. Because occupancy is well controlled within a process area, detection within a monitored area should be supplemented with perimeter gas detection or gas detection along egress paths to improve confidence that the release will be detected before migrating to an area with higher occupancy and more severe impact.
Onshore process plants and offshore facilities
Successful FGS mitigation: •
alarm to evacuate personnel to safety or shelter and allow controlled operator shutdown (or automatic ESD)
4.6 Fire and gas hazard assessment, requirements specification, and performance verification Determining the target performance of an FGS function should be accomplished using hazard and risk analysis. In this context, performance includes: safety availability of the FGS equipment, the coverage of the FGS detectors, and the effectiveness of the mitigative actions . A design for FGS mitigation requires input from the end user’s fire and gas philosophy in terms of establishing the performance objectives. Techniques used to select target FGS performance should consider parameters that affect the hazard and risk. They are often applied on an equipment-item basis to determine if an FGS should be considered to protect each equipment item and, if protection is required, what degree of performance should be targeted in the design. The hazard and risk parameters that should be considered include the following:
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 28 -
•
material flammability/toxicity
•
process temperature
•
process pressure
•
hazard frequency
•
source leak size
•
ignition sources
•
potential for gas accumulation
•
environmental conditions
Two typical strategies for the hazard and risk assessment for the selection of FGS performance targets are used in industry. These two general approaches are referred to as semi-quantitative and fully quantitative risk analysis. While the fully quantitative risk analysis methodologies are more precise, the semi-quantitative methods are also acceptable. •
Semi-quantitative risk analysis has a level of effort similar to layer of protection analysis (reference 2.5 and 2.6). It uses lookup tables and “order of magnitude” selections to categorize various risk parameters and thereby establish the needed performance targets. These semi quantitative techniques need to be calibrated to ensure that these coarse level -of-effort tools provide satisfactory results. See Annex A for an example of a semi-quantitative hazard and risk analysis.
•
Fully quantitative risk analysis verifies that quantitative ri sk tolerances have been achieved using detailed quantification of the hazard and risk. While the fully quantitative analysis provides more accurate results, it is also more time consuming and can be resource intensive (see Annex D).
The following steps are broadly applicable to both strategies for hazard and risk analysis.
4.6.1
Step 1 – Identify areas of concern
FGS installations in the process industries are typically designed to address hazards associated with loss-of-containment events caused by leaks, corrosion, and erosion. In many cases, FGSs are only expected to provide general process area coverage. Under these circumstances, the FGS design can be based on simple prescriptive practices (e.g., references 2.2 and 2.3), if available for the application. In some process plants, their implementation is beneficial, while in others use of an FGS is unnecessary. Not all process plants will even undergo a formal analysis of FGS design requirements. The determination of whether formal assessment of FGS design requirements analysis is required will be the result of end-user policies/procedures and regulatory oversight, such as: •
process hazards analysis (PHA) recommendations
•
QRA for FGS
•
end-user standards and design practices
•
regulatory requirements
•
auditor recommendations
•
FGS screening analysis
•
previous incidents
An FGS screening analysis can be used to identify areas of concern where FGS installation can be beneficial in reducing risk. An FGS screening analysis should consider the flammability and toxicity of the materials being processed, which would identify process equipment that represents an area of concern for possible performance-based FGS design. The plot plans, process flow
Copyright 2018 ISA. All rights reserved.
- 29 -
ISA-TR84.00.07-2018
diagrams, heat and material balance, and P&IDs should be analyzed to identify the process material(s) and normal operating conditions, and whether the materials processed contain fire hazards, combustible gas hazards, or toxic gas hazards.
4.6.2
Step 2 – Identify hazard/risk scenarios
Performance-based FGS design requires identification of hazard scenarios for which FGS functions are designed. Although the FGS is expected to perform on demand for a wide range of general hazards, a few specific hazards should be identified to establish target performance and allow measurement of achieved performance. Major equipment items should be analyzed to identify the type of fire or gas hazard, and this should include storage tanks, pressure vessels, pumps, compressors, separation equipment (distilla tion towers, etc.), and heat exchangers. The type of hazard depends on the process fluid composition, the process conditions (temperature and pressure), the size and duration of the credible release, and the type and location of ignition sources. Performance targets are defined with respect to the hazard scenario(s) that FGS design is intended to detect and adequately mitigate. This step can involve direct hazard identification (e.g., 50 kW radiant heat output fire, 10 m 3 combustible gas accumulation, 20% LFL accumulation) or identification of credible scenarios involving release of hazardous material that could give rise to fire and gas hazards. These include corrosion-initiated leaks, flange gasket leaks, and small diameter tubing failures. Where scenarios are selected as the basis of design, the analysis should consider the attributes in sufficient detail to determine the potential physical characteristics of the hazard scenario, such as fire size or gas dispersion extent. This step results in a list of equipment items and associated hazards/scenarios that are carried forward to subsequent steps.
4.6.3
Step 3 – Analyze consequences
Once a fire or gas scenario is identified, a consequence severity study should be undertaken to determine the physical extent of the hazard and the potential to escalate the severity if not detected. This either takes the form of a model that predicts the physical effects of the release, or is based on qualitative (e.g., PHA team judgment) or semi-quantitative techniques. The end user should decide the criteria used to analyze the extent of the unmitigated fire, combustible gas, or toxic gas hazard scenario (qualitative, semi-quantitative, and/or full quantitative). The following sections address quantitative methods only. The application of consequence modeling is not addressed in detail in this technical report. Refer to CCPS (reference 2.7) for more guidance. Fire hazards For fire scenarios, the extent of fire and thermal radiation effects are usually required to determine detector layout requirements. Fire detectors using optical or visual detection means are sensitive to the amount of radiant heat output from the fire , but limited by a threshold amount of radiation received at the detector below which a fire cannot be detected. Consequence models predict these physical effects as a function of orientation and distance from the fire. Results of fire models provide the basis to determine the number and location of fire detectors necessary to detect a given fire scenario. The fire analysis should identify a threshold amount of radiant heat output that can result in a potential hazard, or escalation of a hazard based on the typ e of processing equipment and layout. The criteria should be used as the end point for the fire consequence analysis. Combustible gas hazards For a combustible gas hazard, consideration should be given to the dispersion and potential accumulation of gas in unconfined or semi-confined areas, and estimates should be developed of
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 30 -
the extent of the combustible gas hazard. Although this can be accomplished by defining the volume of the gas accumulation of concern, gas dispersion/accumulation modeling and explosion analysis in confined or congested areas should be considered. Gas dispersion analysis using similarity models is adequate for some outdoor locations where dispersion is only affected by momentum jet effects as well as atmospheric effects. Dispersion modeling results should be generated for concentrations at the threshold for alarm for gas detectors. Similarity models and other simplified empirical models can be misleading when studying gas dispersion, especially for indoor releases. Simplified models can yield vastly different concentration profiles than full computational fluid dynamics (CFD) models. In most cases, ventilation and geometry dominate the dispersion, so most simplified/empirical models cannot accurately capture this information to a sufficient resolution. Further, simplified models frequently do not account for turbulence or the interaction with solid surfaces. These play a significant role in the shape, size, and concentration of the vapor cloud and thus need to be evaluated with sufficient resolution. Gas dispersion in confined or congested spaces or enclosed volumes should use consequence analysis methods (e.g., CFD) to examine concentration profiles under the influence of forced ventilation systems rather than atmospheric effects. For flammable/combustible gas hazards, the gas concentration is the primary means of potential hazard detection; however, the actual hazard can include one or more of vapor cloud explosion (confined or semi-confined), fire, or toxic inhalation exposure. The hazard is a function of volume of hazardous material, concentration, and level of confinement in the case of vapor cloud explosion. As the volume increases, a more severe hazard becomes more likely. Therefore, the detector placement is predicated on criter ia to detect the gas concentration early enough that action can be taken before the release becomes a larger gas cloud of potentially higher concentration. With earlier activation, the hazard potential can be lowered (e.g., maximum explosion overpressure that could be tolerated without severe damage or loss of life). The development of these criteria is provided by CCPS (reference 2.7) but is outside the scope of this technical report. Toxic gas hazards For facilities that store, handle, or process toxic gases, the worst credible scenario can be an uncontrolled release of a toxic substance to the atmosphere. Facilities that deal with these substances generally invest in equipment to handle the substance , such as vents to flares, scrubbers, incinerators, or alternate containment vessels. The failure of this equipment, its controls, or the piping system itself (leaks, erosion, and corrosion) can lead to a release. Gas detection systems are often utilized to help mitigate this potential hazard. It is common practice for companies handling toxic gas releases to conduct dispersion modeling of credible scenarios to determine the potential effect of a given release. Dispersion modeling will address plant and surrounding area topography information, leak rate inform ation, plant weather data, and toxicity information. ERPG ( emergency response planning guidelines) numbers or IDLH (immediately dangerous to life and heath) numbers are often used to characterize the extent of the acute toxicity hazard. The design intent of toxic gas detection is to mitigate the severity of the unmitigated hazard scenario. This is typically accomplished by early detection that results in more effective emergency response, containment, or the evacuation of personnel to a safe location. Unmit igated consequences should define the extent of impact of the unmitigated hazard outcome, which can include onsite and/or potentially offsite consequences. Escalation of flammable and toxic gas hazards The design intent of fire and gas detection is usually to mitigate an already hazardous situation. This is typically accomplished by limiting the extent of the hazard or, in some cases, providing for Copyright 2018 ISA. All rights reserved.
- 31 -
ISA-TR84.00.07-2018
additional time before escalation to allow for effective emergency response and containment and/or to allow for the evacuation of personnel to a safe location. In addition to an incipient fire or gas release scenario used for establishing detector location and placement, the consequence analysis should include an assessment of the potential outcome of that scenario if unmitigated by the FGS. This could result in escalation of the hazardous event into a larger, more severe consequence than the scenario selected as the basis of design for FGS detection. This severe consequence represents the potential outcome of FGS failure due to inadequate detector coverage, poor FGS availability, or ineffective mitigation actions. Other consequence modification factors Occupancy, time at risk, and ignition probability are other factors that could be considered when assessing risk to personnel safety. These factors should be justified through scenario -specific analysis that ensures that these factors are reasonable and appropriate for the scenario under consideration. For example, occupancy likely changes as plant personnel respond to potential or realized loss of containment. In contrast, the likelihood that a release is flammable is dependent on the chemical properties, release size and location, and dispersion potential. When fl ammable liquids or gases are involved in the scenario, it is possible to estimate the potential for a fire or explosion using qualitative, semi-quantitative, or quantitative methods. Ignition probability data for combustible liquids, flammable liquids, and flammable gases is provided by CCPS (ref erence 2.7). Guidance on determining appropriate values for these factors is outside the scope of th is technical report.
4.6.4
Step 4 – Analyze hazard frequency
Before establishing FGS performance requirements, consideration should be given to the likelihood or frequency of the hazard(s) that could result in the unmitigated/escalated consequence severity. Further, a decision can be made about the tolerability of an unmitigated fire and gas risk, which can guide decisions about the scope of an FGS design. Release frequency can be determined by applying databases of equipment failure rates to the identified scenario, but could also be based on qualitative (e.g., PHA team judgment) or semi-quantitative techniques. In many cases, a risk scenario arises from equipment damage and failure mechanisms, such as general corrosion, that are well understood. In these cases, application of industry failure rate data should be considered. For example, such databases inclu de leak frequencies for components, such as piping, flanges, pressure vessels, and compressor seals. Methods for adjusting industry failure data based on site-specific inspection and maintenance histories are also available. In some cases, the hazard scenario can arise from unique factors that should be addressed in a scenario-specific analysis. An example is an uncontrolled release of a flammable gas in gas production wells due to produced sand causing erosive damage to flowlines. In this case, industry failure rate databases are of limited value. The end user’s prior experience and a considerable amount of judgment can be utilized to establish the frequency of the release scenario. It is often the case that fire and gas detection is provided in an area to detect release from multiple sources of potential release. In these cases, there should be some effort taken to aggregate the frequency of the potential hazard scenarios in the area of concern. This is accomplished by accounting for a number of equipment leak scenarios with similar consequences and generating the sum total or cumulative frequency of release. This aids in minimizing the number of scenarios that need to be individually analyzed. For example, sum the frequency of all scenarios with 50 kW radiant fire in the area of concern.
4.6.5
Step 5 – Assess unmitigated hazard/risk
Unmitigated hazard/risk is measured before considering the benefit of the proposed FGS. The most conservative approach is to assume that the FGS is unavailable in the event of the hazard. The unmitigated/escalated consequence severity and hazard frequency can be compared to endCopyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 32 -
user criteria for tolerability. This can be accomplished through application of a hazard/risk matrix with sufficiently detailed information regarding consequ ence severity and likelihood. Alternatively, quantitative risk criteria can be stated in terms of tolerable mitigated event likelihood. If the criteria indicate that the unmitigated hazard/risk scenario is tolerable, additional risk reduction using FGS function(s) is not required unless otherwise mandated by local legal requirements. If the hazard/risk is higher than target criteria, then the risk reduction requirements should be established for the applicable fire, combustible gas, or toxic gas detection f unction in the FGS. If the outcome of this step results in an acceptable situation with no additional risk reduction, further analysis of performance-based requirements for FGS design is optional. Design of the FGS and sensor placement should be based on existing methods for system design, such as the applicable national standard or industry guidelines and relying on the judgment of a qualified engineer for sensor placement. Good practice guidelines in Annex B should be considered for sensor placement.
4.6.6
Step 6 – Identify FGS performance targets
After previous steps in the hazard/risk assessment, equipment of concern and hazards of concern will have been identified and the consequence severity/likelihood and acceptability of an unmitigated hazard will have been considered. The presentation of this information can vary in format. The information can take the form of a qualitative hazard assessment, a fully quantitative risk assessment, or a semi-quantitative assessment of hazard/risk. FGS designers with more qualitative hazard input can apply broad guidance from industry or company practices to establish a single and uniform performance target (e.g., 85% target detector coverage). FGS designers with more quantitative hazard information can establish performance targets that are specific to the hazards being assessed. More information on the selection of FGS performance targets is included in the annexes of this TR. Annex A contains an example of a semi-quantitative approach for selecting FGS performance targets, and Annex D contains worked examples of FGS performance target selection, using a variety of methods for a variety of applications. FGS performance metrics FGS performance targets should be consistent with the end-user philosophy for hazard detection and mitigation, based on the level of hazard and risk associated with process hazards in a monitored area, and agreed upon by the end user. Achievement of FGS performance targets should be through application of one or more of the listed FGS performance metrics shown in table 4. In the absence of specific guidance from the end-user philosophy, the following options should be considered for metrics: 1. Applications with claimed FGS risk reduction factor ≤ 10: Quantification of detector coverage as FGS performance metric. Qualitative consideration of other performance metrics. 2. Preventative FGS safety functions: Applications with claimed FGS risk reduction factor (RRF) in excess of 10. Quantify detector coverage and safety availability. 3. Mitigative FGS safety functions: Applications with claimed FGS RRF in excess of 10. Quantify detector coverage, safety availability, and mitigation action effectiven ess. Note that for these types of functions it is difficult to achieve target RRF, as they require strong FGS detector coverage, as well as FGS mitigation effectiveness. Classification of an FGS function as either preventative or mitigative is the responsibility of the end user of this technical report. Where unmitigated hazard severity is deemed to pose an elevated level of hazard/risk, FGS mitigation as well as other non-FGS means of risk reduction should be considered. Target FGS performance can be defined in various ways, such as an FGS risk reduction factor, percent reduction in risk of unmitigated hazard severity, or maximum allowable
Copyright 2018 ISA. All rights reserved.
- 33 -
ISA-TR84.00.07-2018
PFD avg of the FGS function. Target FGS performance should be established to reduce the likelihood of an unmitigated hazard outcome. Table 4 – FGS performance metrics Performance Metric
Expression
Recommended Application
Guidance
FGS detector coverage
Quantitative: Probability
Applications where claimed FGS
Annex A
risk reduction factor ≤ 10 Applications where claimed FGS
Annex D
risk reduction factor > 10 FGS safety availability
Qualitative confirmation
Applications where claimed FGS
Annex D
risk reduction factor ≤ 10 Quantitative: Probability
Applications where claimed FGS
Annex D
risk reduction factor > 10
FGS mitigation action
Qualitative confirmation
effectiveness
Mitigation applications where
Annex C
claimed FGS risk reduction factor ≤ 10 Quantitative: Probability
Mitigation applications where
Annex C
claimed FGS risk reduction factor > 10
Performance targets for FGS detector coverage should be quantified for all applications where any risk reduction is claimed. Detector coverage should be defined per each FGS function associated with area monitoring. Performance targets for FGS safety availability should be confirmed, and, wherever FGS target RRF exceeds 10, FGS safety availability should be quantified. Confirmation should at minimum include prior use experience and compliance to any applicable industry standards. Quantification of FGS safety availability should be expressed based on an FGS function associated with coverage in a defined monitored area. Where applicable, performance targets for FGS mitigation action effectiveness should be confirmed, and, wherever the FGS target RRF exceeds 10, FGS mitigation action effectiveness should be quantified. Guidance on mitigation action effectiveness is provided in clause 6.2. 10 and Annex C, including information on estimating this metric at a hazard scenario-by-scenario level of detail. As illustrated in Figure 3, FGS performance targets should be selected such that the target risk reduction can be achieved by the FGS safety function. FGS effectiveness is the product of applicable performance metrics including detector coverage, FGS safety availability, and FGS mitigative action effectiveness accounting for common cause, common mode, and systematic failures.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 34 -
FGS Detector Coverage
FGS Safety Availability Yes
Yes
FGS Mitigation Effectiveness
Relative Likelihood
Outcome
0.9
0.76
Mitigated
0.1
0.08
Unmitigated
0.01
Unmitigated
0.15
Unmitigated
0.99 0.85
Design Basis Hazard
No 1
0.01 No 0.15 FGS Effectiveness
0.76
Figure 3 – FGS effectiveness Where FGS function(s) are claimed to reduce risk, FGS effectiveness should be sufficient to reduce risk associated with the unmitigated hazard severity to meet the end-user risk guidance. Reducing risk significantly beyond one order of magnitude (fire and gas RRF > 10) might not be practical for many mitigation applications, because the achieved risk reduction is usually limited by detector placement, achieved coverage, or mitigation effectiveness rather than FGS safety availability. In fact, an achieved detector coverage factor below 90% limits the overall achieved RRF < 10 irrespective of other FGS performance metrics. NOTE The risk of the mitigated hazard assuming 100% detector coverage, FGS availability, and mitigation effectiveness (e.g., perfect FGS operation) can still result in an intolerable risk. This could occur if the frequency of the initiating event or the mitigated consequence severity is high. In these cases, other risk reduction means (hazard prevention) should be utilized to meet the risk criteria (fully quantitative).
Design-basis hazard for measuring target FGS performance Underlying the concept of performance-based FGS design is the need to detect a hazard of threshold size/magnitude or larger. The designer should specify this hazard when identifying performance targets. The specified hazard threshold size/magnitude should be: •
consistent with the end-user philosophy for hazard detection and mitigation
•
based on the level of risk associated with process hazards in a monitored area •
likelihood of hazard
•
severity of escalated hazard if not adequately detected and mitigated
•
within the capability of the FGS actions to meet the target hazard mitigation (e.g., reduce severity by one order of magnitude)
•
agreed upon by the end user
NOTE Use of a prior analysis of fire and gas hazards from other process safety or loss prevention activities should verify the prior analysis meets the above criteria to be used in the FGS design. Where detection of an incipient hazard is required, the prior hazard analysis should align with those design requirements.
Design-basis hydrocarbon fire Hydrocarbon fires can be detected either during the incipient stage (early) or in the fully developed stage. Automatic safety actions for fire suppression should be considered in identifying th e design-
Copyright 2018 ISA. All rights reserved.
- 35 -
ISA-TR84.00.07-2018
basis hazard. Hydrocarbon fire detection will typically be based on detection of an incipient fire. Some philosophies will not require incipient fire detection in all areas, particularly unmanned installations. The following table provides guidanc e on several alternatives for selecting the design-basis hazard. Table 5 – Examples of design-basis fire hazards Detection Philosophy
Design-Basis Hazard within Monitored Area
Typical Application
Incipient hydrocarbon fire detection
1-ft x 1-ft liquid hydrocarbon fire
Medium to high hazard areas
Fully developed hydrocarbon fire detection
Matches test conditions for liquid fire detection 10-kW radiant heat output
High hazard areas – alarm
50-kW radiant heat output
High hazard areas – safety action
100-kW radiant heat output
Medium hazard areas
36-inch gas plume fire
Typical test conditions for gas plume fire detection
250+ kW radiant heat output
Low hazard areas
5-mm leak in pressurized gas system 12-mm flange leak
QRA credible leak scenarios. Fire model used to determine hazard size/thermal radiation
0.5-meter × 1.0-meter flame
Single detector criteria
1.0-meter × 3.0-meter flame
Two or more detector criteria
25-mm or larger leak of pressurized gas, jet fire Annular release from well blowout, jet fire
Major accident hazard scenarios
Pooling hydrocarbon fire covering deck or secondary containment area
If a release scenario is selected instead of a specified hazard magnitude, then fire modeling should be used to determine the extent of the fire hazard and the detectability of fire effects as a function of distance. The following end-point criteria should be considered: •
severe damage to process equipment above 37.5 kW/m 2 (12,000 Btu/hr/ft 2 )
•
life-threatening thermal radiation for short exposure above 20 kW/m 2 (6,500 Btu/hr/ft 2 )
•
serious burn injury and blocked escape routes above 12.5 kW/m 2 (4,000 Btu/hr/ft 2 )
•
moderate burn injury above 5.0 kW/m 2 (1,700 Btu/hr/ft 2 ) for short exposure ( 10, then IEC 61511 practices will apply to the sensor, logic solver, and final element subsystems.
An initial FGS detector layout should be proposed using expert judgment by considering the factors discussed in Annex B.5, which have an impact on FGS effectiveness. When identifying scenarios that are used to establish FGS performance targets, it is important to consider the design limitations of automatic FGS activation. Ensure that the basis -of-design hazards are appropriate given the limitation of the system. For e xample, detector location/placement for a fire suppression system design that extinguishes only an incipient fire will need to be designed with detector location and placement sufficient to detect early -stage fire scenarios. Design should consider the amount of time between when the hazard initially becomes detectable by the selected equipment and the time when the expected degree of risk reduction can no longer be achieved due to a fully escalated hazard. This will define the overall response time requirem ent for the FGS safety function.
4.6.8
Step 8 – Verify detector coverage
The proposed location of fire and gas detectors should be analyzed to determine how effective the proposed array of detectors with a given voting arrangement will be in detecting the hazard and initiating a specified safety action. An assessment of detector coverage involves analysis of the potential sources of fire and gas within a given monitored process area and the performance of a proposed detector design, including the number, type, lo cation, orientation, and set points of detectors. There are (at least) two possible approaches that can be used for fire and gas mapping of detector coverage: geographic coverage and scenario coverage. In either case, the analytical method to determine achieved coverage should involve a computer model to map detection coverage. Refer to Annex B for attributes that modeling software may contain. Design verification should account for common cause, common mode, and dependencies between the detector coverage, safety availability and mitigation effectiveness and between the FGS and the initiating source of the hazard or other IPLs. The coverage levels that have been achieved for a given proposed detector array are then compared against selected performance targets. If the coverage target has been achieved, the proposed design is acceptable. If the target is not achieved, the type, number, and/or location of detectors should be reviewed and modified until the coverage target is achieved.
4.6.9
Step 9 – Verify FGS Safety Availability
Quantitative verification of the FGS safety availability should be per applicable guidance of ISA for safety instrumented functions (SIFs). FGS safety availability is calculated per FGS function and is the mathematical complement of the probability of failure on demand (PFD). PFD for an FGS function is a summation of the sensor PFDavg + logic solver PFDavg + final element PFDavg,
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 38 -
where the PFDavg is a function of the dangerous undetected failure rate of each device, the voting architecture of each device grouping, and the proof test interval of the devices. Verification can be accomplished using the techniques presented in the ISA-TR84.00.02 for analysis of SIFs. However, several significant differences between SIFs and FGS functions should be noted to ensure an accurate assessment of FGS safety availability is achieved. First, proper definition of the FGS function is critical to ac curately assessing the FGS safety availability. The quantity of detectors and possible voting schemes of the FGS function are directly related to the detector design basis, which specifies the gas cloud or flame size that the detector array can detect with the goal of mitigating further accumulation , such that the gas cloud or flame size cannot escalate to a catastrophic event. FGS applications can be designed to act when a single sensor goes into alarm. However, most systems implement some form of voting o f multiple sensors in an area of concern to reduce the likelihood of system activation from a single sensor failure. Typically, two or more sensors in an area of concern must go into alarm before automatic action is taken. While this reduces the probabilit y of nuisance trips from a single sensor failure, it also reduces the probability of successfully responding to a hazardous event. It is less likely for two or more detectors to be in the area of concern, assuming the layout of detectors has not been changed with the implementation of voting. Detector voting schemes cannot be determined until a detector design basis is established (e.g., the sensor array should be designed to detect an accumulation of combustible gas with a maximum diameter of 5 meters). If an area of concern contains three detectors, the ability of the detectors to detect the event within the required time will determine whether the voting scheme is 1oo1, 1oo2, 1oo3, or 2oo3. Thus, if the postulated 5-meter gas accumulation is moved throughout the area of concern and, at any one time, only one detector can “see” the accumulation, the voting scheme is 1oo1. The other two detectors cannot “see” the accumulation volume in question and thus should not be considered as redundant measurements for the hazard scenario. Second, one should consider the source of the failure rate data being used in the PFD avg calculation itself. Failure rate data is readily available from a variety of data sources (vendor data, industry data, site specific data, etc.). However, if one looks closely, this failure rate data as presented typically includes an assumption that the device will operate in a fail -safe, de-energizeto-trip mode. Most FGSs operate in an energize-to-trip arrangement. Consider a failure mode where a logic solver is unable to energize its output. In a de -energize-to-trip scheme, this type of failure will prevent one from initially opening a fail -closed valve during startup. Thus, it would be classified as a safe failure by the manufacturer. However, i n an energize-to-trip scheme, this type of failure prevents one from opening a suppression valve during a demand. Thus, it should be classified as a dangerous failure. Thus, one needs to carefully review the failure rate data being considered for use in the calculations. Also, motive force needed for any energize-to-trip mitigative actions should be available long enough to meet the design intent of the FGS action. For example, the availability of deluge or suppression systems should be included in the calculation. FGS designs typically involve actuation of final elements that might be controlled by other systems, such as isolation valves controlled by the safety instrumented system logic solver. Any equipment that is required for FGS operation should be included in the FGS availability calculation. If the equipment associated with the FGS is used by any other protection layer for the same hazardous event, the common cause impact on overall risk reduction of this design should be evaluated. The safety availability that has been achieved for a given FGS function is then compared against a selected performance target. If the safety availability target has been achieved, the components and architecture of the FGS function are acceptable. If the target is not achieved, design parameters, such as redundancy, diagnostics, and test intervals , should be reviewed and modified until the target availability is achieved.
Copyright 2018 ISA. All rights reserved.
- 39 -
ISA-TR84.00.07-2018
4.6.10 Step 10 – Verify effectiveness of FGS actions Mitigation action effectiveness is the confidence that the results of activating the final control element(s) of an FGS function will successfully mitigate the consequence of a defined hazard as expected (e.g., prevents a small fire or gas accumulation from escalating to a large fire or accumulation). In this contingency, the FGS function can be ineffective such that the outcome of the event is not significantly different than it would be if no detection or activation occurred. The concept of effectiveness of the FGS actions is meaningful only when conside ring FGS functions that are intended to mitigate hazards; therefore, this has also been referred to as “mitigation effectiveness.” In the less frequent applications where FGS functions prevent a hazard, this branch of the event tree is not meaningful. The reduction in severity afforded by a mitigation action will be related to the magnitude of the hazard being acted upon and the fundamental limitations of the capability of the FGS actions to be effective. In general, effectiveness of the FGS actions is likely to be very high when the magnitude of the detected hazard is small and detection occurs quickly, so the desired safety action can be taken well before there is the potential for hazard escalation. Conversely, even correct detection and activation of the FGS actions might be ineffective: 1. Due to an excessive time delay between initiation of the FGS action and when such actions can be considered effective. For example, combustible gas detection that isolates a process and opens depressurizing (blowdown) valves can take 20 minutes or more before the pressure in the system has significantly reduced with a corresponding reduction in the discharge rate of a gas leak. During the intervening period, the gas that already leaked from the system could ignite. 2. Due to severe consequences associated with the initial loss of containment event that would result in a consequence magnitude beyond the design of the FGS actions. For example, a catastrophic pipeline rupture will very likely result in an immediate vapor clou d explosion hazard that can have severe consequences before the FGS function can effectively mitigate them. The ensuing fire might be mitigated, but not before severe safety consequences have already occurred. As a result, the design verification should account for these codependencies. Mitigation effectiveness is recognized as a valid FGS performance metric that will fundamentally limit the amount of claimed risk reduction for an FGS function below the ideal outcome of 100% confidence in effective FGS actions. In concept, early detection of small or incipient hazards provides “high” confidence that FGS mitigation actions will be successful. Late detection results in “low” confidence. Similarly, low confidence results in under detection of a hazard that is an order of magnitude larger than the design-basis hazard. While guidance on this topic continues to evolve, as a minimum for all applications, users of this TR should examine the existing or proposed FGS function to ensure that FGS actions are creditable as being effective in reducing the magnitude and severity of the unmitigated hazard. The concerns raised about mitigation effectiveness highlight using a very cautionary approach when considering FGS systems in applications where claimed risk reduction associated with FGS mitigation exceeds a factor of 10. The method of verifying mitigation action effectiveness will depend upon the type of action one takes (e.g., evacuation of personnel versus deployment of fire suppression versus isolation and de-pressurization of the process). Further guidance on FGS mitigation action effectiveness is in Annex C.
4.6.11 Step 11 – Determine FGS effectiveness (mitigated risk) The FGS effectiveness achieved for an FGS function should be compared against the selected performance target (see Figure 1). If the target has been achieved, the proposed design is acceptable. If the target is not achieved, the conceptual FGS design should be reviewed and modified. Increased coverage, availability, and/or mitigation actions should be achieved and reverified until reaching the target FGS effectiveness.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 40 -
In addition, the estimated response time for the FGS safety function should be verified against the requirement established during conceptual design. If the FGS safety response includes evacuation or other human actions, the FGS safety function response time evaluation should consider nonoptimal conditions for personnel egress or sheltering that are likely to occur during a real demand condition. The results of the hazard and risk analysis and performance target verification are compiled into FGS performance requirements specifications.
5 FGS engineering activities in a project workflow FGS engineering activities occur at different stages of a project for design, implementation, and operation of a new plant or upgrade of existing control system s. Before any engineering activities, the FGS philosophy should be developed by or in conjunction with the end user.
5.1 Basic engineering (FEED) An initial FGS design should be produced. Documents required from the front-end engineering design (FEED) include the major equipment list, process flow diagrams (PFDs), process hazards analysis (PHA) documentation for hazard identification, and the layout of major process equipment. Loss prevention activities including fire hazard analysis should be reviewed. These documents allow one to determine FGS performance targets through an evaluation of hazards/risks associated with major process equipment. The type and magnitude of hazard scenarios that will be the basis of FGS design should be determined. A voting philosophy and detector set points should be selected, which allow one to establish initial coverage targets. For an existing facility undergoing a redesign or upgrade of the FGS system, decisions about the accep tability or reuse of existing equipment in the new design should be made during basic engineering. Once performance requirements are established, an initial FGS design can be developed ; FGS mapping can be conducted; coverage can be verified; and the FGS effectiveness can be evaluated if applicable. The results are used to provide estimates of the type, number, and location of fire and gas detectors. As detailed 3D process models are not available at this stage, only a preliminary evaluation of detector coverage can be made, but this should consider the location of major equipment. The basic engineering phase ends with an initial FGS design with estimates on type, number, and location of detectors required to meet the performance requirements. Basic engineering should include a specification of the FGS logic solver and a functional description of the logic. Equipment design requirements should include event survivability items such as fireproofing.
5.2 Detailed engineering FGS engineering activities include a review of process hazards and revalidation of FGS performance targets. Three-dimensional process models will mature with location of piping, utilities, electrical elements, and vendor-supplied packaged equipment. When the 3D model is at the 60% milestone, a detailed design of detector placement can be undertaken. The detector layout should be reevaluated and updated to ensure coverage requirements are met. Due to the development of the 3D process model between conceptual engineering and detailed engineering, significant changes to the FGS detector mapping are likely. The achievement of coverage targets should be verified, and detector placement optimized using FGS mapping, and one should evaluate the FGS effectiveness if applicable. Requirements for FGS maintenance and testing should be developed. Constructability and maintainability issues are typically first identified during detailed engineering, such as the practical limitations of where detectors can be mounted. Further, near the end of detailed engineering, the 3D process model matures to the 90% milestone. A final verification of the FGS mapping and evaluation of FGS effectiveness, if applicable, should
Copyright 2018 ISA. All rights reserved.
- 41 -
ISA-TR84.00.07-2018
be performed to ensure that adjustments to the location of piping, cable trays, and conduit do no t impede detector performance. This results in a final layout for the FGS, with location and orientation requirements for all detectors in the FGS. Detailed engineering deliverables should be completed for the FGS.
5.3 Installation and commissioning After construction and during commissioning, the FGS should be validated in the field against the requirements specification. This includes validation of detector type, location, orientation , and response time. Detector FGS mapping and associated coverage should be checked and updated as needed to reflect any changes in detector placement during construction, including confirmation that specified coverage targets have been achieved.
5.4 Operations and maintenance During operation and maintenance, the FGS should be maintained and tested per specifications developed during engineering design. This includes reviewing the FGS as part of the management of change process to ensure that any changes to the process area are reviewed to determine their impact on the FGS. New or modified process equipment can create new potential leak sources , which can change the requirements for the FGS or create new obstacles that should be modeled to ensure detector coverage is not comprom ised.
5.5 Periodic assessment and audit The assumptions used in the FGS specification and design (e.g., FGS detector mapping and alarm response action) should be subject to periodic assessment and revalidation. The performance of the FGS safety function during inspection/testing or actual demands should be evaluated periodically against the specification requirements. Unacceptable FGS safety function performance on test or demand should be investigated and corrected promptly. The end user should establish the frequency of periodic assessments. It is recommended that periodic assessments coincide with other process safety revalidation activities.
Copyright 2018 ISA. All rights reserved.
This page intentionally left blank.
Copyright 2018 ISA. All rights reserved.
- 43 -
ISA-TR84.00.07-2018
Annex A Sample semi-quantitative performance target selection technique FGS performance targets define the ability of a n FGS function to detect, alarm, and if necessary, act to mitigate the consequence of a fire or gas release upon a demand condition. In concept, a higher hazard installation should require higher levels of performance; while a lower hazard installation should allow lower levels of performance, so that FGS res ources can be effectively allocated. Depending on the end-user process hazard analysis (PHA) and FGS philosophies, the factors used to assess risk of fire and gas hazards in hydrocarbon processing areas can be evaluated in a semiquantitative method. The factors in a semi-quantitative analysis yielding performance targets for FGS should be calibrated based on the assessment of typical hazard scenarios, consequences, likelihoods, and target risk reduction for the facility under evaluation. The ability of this method to achieve the desired level of risk reduction is contingent upon the process conditions and equipment being consistent with the assumptions used to develop the performance targets. For situations that do not conform to these assumptions, the user should consider altering the method based on siteand user-specific factors. This annex presents an example methodology using a scoring system developed for a hydrocarbon processing facility with fire, combustible gas , and H2S toxic gas hazards. This ranking procedure is used to evaluate the hydrocarbon fire, combustible gas, and toxic (H2S) gas risks for each area into one of three risk categories (high, medium, low) for the purpose of establishing FGS detector coverage performance targets. The sample methodology described here should only be applied to FGS safety functions with a target FGS risk reduction factor ≤ 10. The reader should be aware of the requirements contained in existing standards applicable to FGS functions based on risk reduction factor targets as described in the foreword of this technical report. The following technical instructions apply to this specific example of a semi-quantitative method. The example risk analysis methods and risk criteria contained in this annex have been provid ed solely as explanatory material and should not be interpreted as recommendations. Hazard ranking is a function of the equipment, hazards, consequences, likelihood, occupancy, and special factors. Ranking requires an equipment-by-equipment assessment of factors, including: •
•
•
•
identifying hydrocarbon processing equipment •
identify credible sources of hydrocarbon gas or liquid release
•
identify amount and type of processing equipment in FGS zone
•
identify process conditions that could aggravate/mitigate consequence severity
assessing consequence severity •
identify equipment that the FGS is intended to safeguard
•
assess magnitude of safety consequences (injury versus life threatening)
•
identify confinement and congestion in process areas that could aggravate combustible gas hazards
assessing hazard likelihood •
determine likelihood of release from all identified release sources
•
identify credible ignition sources (continuous and intermittent)
•
identify the effective response action to prevent safety impacts
assessing level occupancy in FGS zone •
identify normal/routine occupancy (operations, maintenance, contract)
•
identify nonroutine occupancy (operations, maintenance, contract)
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 44 -
If an FGS zone is not easily characterized by one or more of the factors that comprise t he FGS zone hazard rank, quantitative risk analysis should be considered. Figure A.1 shows the hazard ranking procedure.
Figure A.1 – Hazard ranking procedure
Copyright 2018 ISA. All rights reserved.
- 45 -
ISA-TR84.00.07-2018
The ranking procedure uses numerical scoring to assess the risk associated with a given area. As an input to task one, FGS zones requiring further hazard review have been previously identified.
A.1
Task 1 – Select major process equipment item
Identify the major process equipment in the FGS zone (or perform the analysis one major equipment item at a time). Figure A.2 assigns a default likelihood score to each type of processing equipment typically found in a process industry facility, and Figure A.3 assigns a consequence score based on the phase of the material in the process equipment. The scores account for the baseline consequence and baseline likelihood of a release that could result in a significant fire, combustible gas, or toxic gas hazard.
Equipment Item Shell & tube heat exchanger
Base Likelihood Score 2.0
Plate & frame heat exchanger
3
Air cooled heat exchanger
2
Column/tower/contactor
2.5
Compressor/expander
3
Pressure vessel/reactor
2
Centrifugal pump
3
Reciprocating pump
3
Atmospheric storage tank
1
LP storage tank
1
Fired heater
2
Pig launcher/receiver
2
Sump/sump pump
1
Piping manifold
1
Single welded pipe segment
1
Figure A.2 – Major equipment item base likelihood scores
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 46 -
Process Material Phase
Base Consequence Score
Stable liquids
1
Volatile liquid
2
Gas
3
Figure A.3 – Process material base consequence scores NBP = normal boiling point Stable Liquid T (Process) -< FP (Flash Point); FP and NBP volatile constituent representing > 3 mol% of streams Volatile Liquid FP < T (process) < NBP Gas
T (process) > NPB; Gas also includes cryogenic liquids where T(amb) > NBP
A.2
Task 2 – Adjust likelihood score for occupancy
The base likelihood score should be adjusted as necessary to reflect the occupancy environment near the major equipment item. This should be based either on the impact to occupants from the design-basis hazard, or the impact based on the unmitigated/escalated hazard that the FGS design intends mitigate. Figure A.4 defines occupancy adjustment factors. The result is an adjusted likelihood for toxic hazards, if applicable. No further likelihood adjustment is required for toxic hazards. Additional adjustment is required for fire and flammable hazard likelihood s. NOTE Figure A.4 should be reviewed for occupancy to determine an adjustment factor and then reviewed for escape to determine an adjustment factor. The worst-case (e.g., highest number) adjustment factor should be selected.
Occupancy Environment FGS Protection from Area of Immediate Impact
FGS Protection from Escalation Using Evacuation, Escape, Rescue Model
Adjustment
Rare occupancy (less than 15 min per day) ~1%
Rapid escape likely from area of impact of escalated hazard (1 to 3 minutes)
–2
Moderate occupancy (routine operator rounds) ~ 10%
Egress possible using designated routes. Short-duration protection required from escalated hazard (3 to 10 minutes)
–1
High occupancy (near continuous occupancy) > 30%
Muster using designated routes + evacuation from temporary safety refuge. Extended protection required from escalated hazard (10 to 30 minutes)
0
Figure A.4 – Occupancy adjustment
Copyright 2018 ISA. All rights reserved.
- 47 -
A.3
ISA-TR84.00.07-2018
Task 3 – Adjust likelihood score for ignition environment factors
The ignition environment adjustment task is not applicable to toxic hazards. If fire or flammable gas hazards are of concern, then the likelihood score should be further adjusted for ignition probability. Figure A.5 defines ignition adjustment factors. Description
Adjustment –1.5
Low ignition probability (3%) Average ignition probability (10%)
–1
Moderate ignition probability (30%)
–0.5
High ignition probability (near 100%)
0
Figure A.5 – Ignition environment adjustment
A.4
Task 4 – Adjust consequence score for process conditions
The base consequence score should be adjusted for process pressure. This adjustment applies to fire, flammable, and toxic gas hazards. Higher process pressure indicates a higher magnitude of consequence severity if a release were to occur. Process temperature is already factored into the default consequence score. Figure A.6 defines process pressure adjustment factors. Pressure
Adjustment
Atm to 50 psig
–0.5
50 to 150 psig
0
150 to 300 psig
0.5
300 to 1,000 psig
1
> 1,000 psig
1.5
Figure A.6 – Process pressure adjustment
A.5
Task 5 – Adjust consequence score for flammability environment
The base consequence score should be adjusted for factors related to the environment around a burning gas cloud, if it were to occur. This is related to process confinement and congestion factors. A higher degree of confinement and congestion lead s to a more severe consequence. Figure A.7 defines the flammability environment adjustment. The flammability environment adjustment should only be applied if flammable gas hazards are being evaluated. Do not adjust the consequence score with this factor if toxic hazards are being evaluated.
Environment Type
Adjustment
Notes (Confinement & Obstacle Density)
No confinement/low congestion
–1
"3D Low"
Some confinement/ moderate congestion
0
"2D Med"
Confinement/high congestion
2
"2D High"
Figure A.7 – Flammability environment adjustment
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
A.6
- 48 -
Task 6 – Adjust consequence score for toxic gas concentration
If a toxic (H2S) hazard is present, the base consequence score should be adjusted for the concentration of toxins (e.g., hydrogen sulfide) in the process fluid. This adjustment applies only to toxic gas hazards. A higher toxin concentration is indicative of a higher magnitude of consequence severity if a release were to occur. Figure A.8 provides typical H2S concentration adjustment factors. Concentration (v/v)
Adjustment
< 100 ppm
Notes No H2S analysis
100 ppm to 1000 ppm
–1
1000 ppm to 1%
0
1% to 3%
1
3% to 10%
2
> 10%
3
Figure A.8 – H2S concentration adjustment
A.7
Task 7 – Determine FGS hazard rank
For each hazard (fire, combustible, and toxic), each equipment item is assigned an individual adjusted likelihood score and an adjusted consequence score. The hazard rank is the sum of the adjusted likelihood score and the adjusted consequence score. This score indicates the degree of the hazard and ultimately the risk of fire, combustible gas , or toxic gas hazards. The calculated value is defined as the adjusted baseline hazard rank. The highest individual value of the baseline hazard rank for all equipment within a given FGS zone is defined as the zone hazard rank.
A.8
Task 8 – Determine need for FGS
Each area receives a performance target for fire, flammable gas , and toxic (e.g., H2S) gas hazards, which take the form of grades. These grades are listed in Figure A.9. Each of the grades defines a relative level of fire or gas risk , with grade A being the highest risk areas and grade C being the lowest risk areas requiring detection. A.8.1
Task 8.1 – Fire detection performance targets
Design of fire detection systems is predicated on the principal that a turbulent diffusion fire should be sensed early enough that automatic control action can be taken, if required, during the incipient stage of the fire to maximize safety and limit commercial losses to a tolerable level. Incipient fire detection requires an adequate number of detectors that are st rategically located in a manner to provide adequate coverage. Fire detection performance targets are selected based on the results of the semi -quantitative FGS screening procedure described in this annex. The result of the semi-quantitative method is the fire hazard rank, which is representative of the relative fire risk. A higher hazard rank represents a higher level of risk, which subsequently requires a higher performance target on the FGS to mitigate risk. Figure A.10 details the relationship between the fire hazard rank, the fire grade, and the detection performance target.
Copyright 2018 ISA. All rights reserved.
- 49 -
ISA-TR84.00.07-2018
Grade
Exposure Definition
A
High hazard potential
B
Moderate hazard potential
C
Low or very low hazard potential
No FGS
Risk is tolerable w/o benefit of FGS
Figure A.9 – Fire and gas performance grades Adjusted Hazard Rank
Grade
Fire Detection Coverage
≥7
A*
> 0.90
5 to < 7
A
0.90
2 to < 5
B
0.80
0.5 to < 2
C
0.60
< 0.5
N/A
No target coverage
Figure A.10 – Fire hazard rank and detection performance target Fire detection performance targets are evaluated in locations where fires could occur with sufficient intensity to result in life, safety, or commercial impact. In these locations, radiant heat output (RHO) is used as the criterion to specify the flame magnitude of the design-basis fire that one wants to detect. The magnitude of a fire hazard is related to its fire size, which is directly correlated to its RHO. NOTE This applies to fires that are not expected to produce excessive amounts of smoke before flaming fire. This procedure is written on the principle that optical flame detection in locations with higher fire hazard exposure should be sensitive to lower levels of RHO than fire detection in locations with lower fire hazard exposure.
Fire grade A is typically assigned to areas with higher levels of fire risk. These areas are characterized by hydrocarbon handling areas where small fires could cause significant damage in a short period of time or rapidly escalate. Such fires might be due to the potenti al for a higher consequence severity (e.g., high-pressure gas from a compressor) or from a higher likelihood of fire (e.g., small bore pipework and pump seals). For the performance targets associated with grade A, a minimum of 90% detector coverage is achieved for detection of a design-basis fire size. Fire grade B is assigned to most hydrocarbon processing areas throughout the facility. These areas are categorized by “normal” risk processing areas and typically contain fixed equipment with moderate to low likelihood of fire. For the performance targets associated with grade B, a minimum of 80% detector coverage is achieved for detection of a design -basis fire size. Fire grade C is assigned to areas where the risk of a fire is relatively low. Grade C areas are characterized by a low potential for severe consequences (for example, due to high flash point fuel). For the performance targets associated with grade C a minimum of 60% detector coverage is achieved for a design-basis fire size. An FGS zone with a hazard rank of 7.0 or greater should have a fire grade A*. For zones gradedºA*, the installed fire detection system should be capable of exceeding the grade A performance targets. FGS zones graded A* will likely have a risk reduction factor target for the FGS function that is greater than 10. Achieving this risk reduction factor requires performance targets for system availability and mitigation effectiveness, which are outside the scope of this method. Refer to the foreword of the technical report for additional guidance. In addition, the FGS zone should also be subject to additional risk studies, such as a QRA analysis, to verify that fire risk is adequately reduced .
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018 A.8.2
- 50 -
Task 8.2 – Combustible gas detection performance targets
Design of combustible gas detection is predicated on being able to sense a threshold volume of gas at an incipient stage when action can be taken to prevent significant loss were that volume of gas to ignite and result in a deflagration. The goal is not to prevent any size flammable cloud from forming, igniting, or deflagrating. The goal is to limit flame front accelera tion of such ignited gas clouds to a speed that has been demonstrated to be below the threshold of structural damage in process environments. The degree of hazard and the damage from a combustible gas deflagration is related to the size of the cloud and other factors, such as confinement, and the presence of turbulence-inducing obstacles. Combustible gas detection performance targets are evaluated in locations where ignited gas clouds could cause damage from explosion overpressure. In these locations, the smallest gas cloud that has the potential to cause such damage, or the smallest gas cloud that can reasonably be developed, is used to define requirements for placing combustible gas detectors. Combustible gas performance targets are selected based on the results of the semi-quantitative FGS screening procedure described in this annex. The result of the semi-quantitative method is the combustible gas hazard rank that is representative of the relative combustible gas risk. A higher hazard rank represents a higher level of risk, which subsequently requires a higher performance target on the FGS to mitigate risk. Figure A.11 details the relationship between the combustible gas hazard rank and the combustible gas grade. Adjusted Hazard Rank
Grade
Gas Detection Coverage
≥7
A*
> 0.90
5 to < 7
A
0.90
2 to < 5
B
0.80
0.5 to < 2
C
0.60
< 0.5
N/A
No target coverage
Figure A.11 – Combustible gas hazard rank and detection performance target Combustible gas grade A is typically assigned to FGS zones subject to higher risk, either due to high frequency release sources (such as rotating equipment) or a high degree of confinement of a burning gas cloud that could cause damaging flame acceleration and overpressure when subject to a relatively small gas release. For this performance target for grade A, the gas detection system should be capable of achieving 90% coverage for detection of a design-basis combustible gas hazard. Combustible gas grade B is typically assigned to areas subject to a moderate degr ee of confinement of a burning gas cloud. For this performance target for grade B, the gas detection system should be capable of achieving 80% coverage for detection of a design -basis combustible gas hazard. Combustible gas grade C is typically assigned to open hydrocarbon processing areas with fixed equipment, relatively low operating pressure, and well-controlled ignition sources. The gas detection system should have 60% detector coverage to detect a design -basis combustible gas hazard. In some cases, the primary hazard of concern is the migration of combustible gas beyond hydrocarbon processing areas where access and ignition sources are well controlled. In these cases, consider perimeter detection in lieu of gas detection within the area of the equipment containing the hazardous material.
Copyright 2018 ISA. All rights reserved.
- 51 -
ISA-TR84.00.07-2018
An FGS zone with a hazard rank of 7.0 or greater should result in a combustible gas grade A*. For zones graded A*, the installed combustible gas detection system shou ld be capable of exceeding the grade A performance targets. FGS zones graded A* will likely have a risk reduction factor target for the FGS function that is greater than 10. Achieving this risk reduction factor involves having performance targets for system availability and mitigation ef fectiveness, which are outside the scope of this method. Refer to the foreword of the technical report for additional guidance. In addition, the FGS zone should also be subject to additional risk studies, such as QRA analysis , to verify that combustible gas risk is adequately reduced. A.8.3
Task 8.3 – Toxic gas detection performance targets
In this example procedure, toxic gas detection is limited to hydrogen sulfide (H 2 S) hazards. H 2 S performance targets are evaluated in locations where H 2 S could cause serious injury. Personnel who enter areas of the facility containing H 2 S are assumed to be wearing personal H 2 S monitors at all times. This is the primary means of safety once a worker is in an H 2 S -containing area and is near equipment containing H 2 S. Fixed H 2 S detectors should not be the primary means of safety at these locations, because a very large number of detectors would be required to protect every possible exposure. Fixed H 2 S detectors are the primary means of safety to alert personnel who either are not in the area at the time or are within the area but not immediately exposed to a hazardous release. The goal is to either prevent personnel from entering the area or evacuating personnel from the area, depending on their initial location. Performance of H 2 S gas detection is based on the likelihood and severity of the toxic gas hazards present. Defining performance targets requires defining the hazard. For H 2 S, this is the smallest gas cloud that has the potential to cause serious injury. This is descriptiv e of the magnitude of the hazard that requires detection and is used to define requirements for placing toxic gas detectors. Toxic gas performance targets are selected based on the results of the semi -quantitative FGS hazard rank procedure described in this annex. The result of the semi-quantitative method is the toxic gas hazard rank that is representative of the relative toxic gas risk. A higher hazard rank represents a higher level of risk, which subsequently requires a higher performance target on the FGS to mitigate risk. Figure A.12 details the relationship between the toxic gas hazard rank and the toxic gas grade. Adjusted Hazard Rank
Grade
Gas Detection Coverage
≥ 7.5
A*
> 0.90
5.5 or < 7.5
A
0.90
3.5 to < 5.5
B
0.80
1.5 to < 3.5
C
0.60
1000 psig.
Note that for combustible gas and toxic gas analysis there are two additional consequence modification factors to consider (per Figure A.1). Summation of base consequence factor and all adjustment factors
Fire Adjusted Hazard Rank = Adjusted Fire Likelihood Score + Adjusted Fire Consequence Score = –0.5 + 3.5 = 3.0 The fire adjusted hazard rank of 3.0 results in a fire detection requirement of Grade B. From Figure A.10, the performance target for Grade B fire hazards is 80% detector coverage. In addition, the design and implementation of the FGS function will conform to applicable requirements of ANSI/ISA-84.91.01-2012 (reference 2.10), consistent with the target FGS risk reduction factor. Copyright 2018 ISA. All rights reserved.
- 71 -
ISA-TR84.00.07-2018
Step 7 – Initial FGS design The proposed FGS system design is based on expert judgment and heuristics through the application of the prescriptive requirements of the appropriate national standards and industry guidelines (Annex B). In the initial design, two optical flame detectors were specified. These detectors are located in opposing corners of the well bay as shown in Figure D.2a and D.2b.
Figure D.2a – Optical flame detector conceptual design
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 72 -
Figure D.2b – Optical flame detector conceptual design Step 8 – Verify detector coverage The designers are guided by the end-user FGS philosophy to use geographic coverage assessment for hydrocarbon fire hazards. The target for this assessment is to achieve 80% (gradeºB), with 2ooN coverage with a 10-ft monitored area of the graded equipment. The extent of the monitored area is shown in Figure D.3.
Copyright 2018 ISA. All rights reserved.
- 73 -
ISA-TR84.00.07-2018
Figure D.3 – Well bay monitored areas and extent of grade B area Figure D.4 shows the achieved coverage for the initial design of two optical flame detectors. In Figure D.4, areas covered by two or more detectors are displayed in green ; areas covered by a single detector are shown in yellow; and areas not covered (i.e., a fire at this location would not be detectable by the FGS) are shown in red. In the image on the right, the detector coverage is displayed for the entire well bay, while the image on the left shows the coverage only within the monitored areas.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 74 -
Figure D.4 – Fire detection geographic coverage map, initial detector layout Based on the results of the geographic coverage assessment, it was determined that approximately 93% of the monitored area is covered by one or more detectors (1ooN coverage), and 24% is covered by two or more detectors (2ooN coverage). Because this is not adequate to achieve the 80% coverage target for a 2ooN voting arrangement, the conceptual design should be modified to provide a higher degree of detector coverage. This design modification involved two additional flame detectors, one located in the top right and one located in the bottom left of the well bay. The results for the modified design are shown in Figure D.5. Copyright 2018 ISA. All rights reserved.
- 75 -
ISA-TR84.00.07-2018
Figure D.5 – Fire detection geographic coverage map, modified detector la yout In the modified design, it was determined that approximately 95% of the monitored area is covered by one or more detectors (1ooN), and 82% is covered by two or more detectors (2ooN). Because this design achieves the 80% 2ooN coverage target for the grade B areas, this design should provide acceptable performance in terms of fire detector coverage.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 76 -
Step 9 – Verify FGS safety availability Upon a confirmed fire (2ooN vote) the FGS actives the fire suppression systems (deluge) in the well bay. The safety availability was verified qualitatively, because there were no requirements for FGS risk reduction in excess of a factor of 10. Sensors (optical flame detectors), a logic solver, and final elements (isolation valve, firewater pump, and deluge valves) were deemed suitable for use in this application per end-user approval for this facility. While not required, it was noted that the FGS logic solver was certified for use in safety integrity level (SIL) 2 applications through conformance with IEC 61508. Auxiliary systems were included in the verification , because some FGS final elements rely on support systems or do not operate in a fail-safe configuration. For example, in the case of an electric motor –driven fire water pump, power supply failure was considered and deemed suitable for use in this application due to the frequency of testing and the presence of a redundant power supply. Step 10 – Verify effectiveness of FGS actions The design intent is to detect an incipient fire hazard (50 kW fire) and initiate wellhead shut-in, open deluge valves, and start the fire water pump. The mitigation actions include isolation of inventory (wellhead shut-in) and suppression of the fire. Fire protection personnel confirmed that these actions are highly effective. An incipient fire is well within the capability of the fire water deluge system to suppress and cool surrounding equipment while minimizing thermal radiation effects to personnel evacuating the area. As it relates to the selected basis of design of the system, the mitigation effectiveness is confirmed and does not need additional quantitative analysis. Step 11 – FGS effectiveness (mitigated risk) Because the achieved FGS detector coverage of 82% exceeds the target of 80% for the 2ooN voting arrangement, the performance target is satisfied and the modified design of four detectors is suitable for use in the application.
Copyright 2018 ISA. All rights reserved.
- 77 -
D.2
ISA-TR84.00.07-2018
Application example – Combustible gas detection in a natural gas production platform
This example involves combustible gas detection in an offshore natural gas production platform. This is a small platform that contains a large amount of process equipment that results in significant confinement and congestion. It is a normally unmanned ins tallation. The platform produces flammable hydrocarbon gas under high pressure. An ignited gas release presents a potentially significant fire and explosion hazard to personnel, who may be on the platform conducting maintenance and other activities. D.2.1
Facility information
The platform is open to the atmosphere on all sides. It is approximately 50 ft in length and 50 ft in width (15 m by 15 m). The deck is comprised of grated material. The well bay module includes nine wellheads located as shown in Figure D.6 and Figure D.7. For simplification of this analysis and for illustrative purposes, other equipment , including piping, instrument connections, and well control panels, are disregarded. The fluid being processed has been approximated as methane gas for this example problem. Methane has a lower flammable limit (LFL) of approximately 5% methane in air.
Figure D.6 – Example: Offshore gas production facility
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 78 -
Figure D.7 – Gas well bay (plan view) D.2.2
Fire and gas hazard assessment
The hazard analysis employed by the end user of this facility includes an evaluation to determine if combustible gas detection should be employed. The analysis including the following factors: •
material processed
•
process pressure and temperature
•
potential sources of combustible gas
•
occupancy of the facility
•
degree of confinement and congestion in the process areas
Because this is a production facility processing flammable gases at high pressure with the potential presence of personnel on the platform during maintenance activities, the criteria determined the re was a need for combustible gas detection. A risk analysis was desired to determine if the unmitigated combustible gas hazard posed a risk high enough to warrant further risk reduction. The end user’s philosophy for detection and mitigation is to detect gas accumulation at an early (incipient) stage with automatic shutoff of all wells on the platform. This philosophy guides the designers to use gas accumulation detection as the basis of design. Fully quantitative hazard/risk analysis was selected for this application example to determine FGS risk reduction requirements. The results of step 1 through step 6 will demonstrate a target FGS risk reduction greater than 10 for scenarios within the basis of design (i.e., early [incipient] stage gas detection). Hazard scenarios that exceed the FGS design basis were analyzed separately by major hazards analysis and addressed through means of risk reduction other than the FGS (AnnexºC). The FGS performance metrics were detector coverage (quantitative), FGS safety availability (quantitative), and mitigation effectiveness (quantitative). Step 1 – Identify areas of concern The area of concern was identified for this facility as the entire deck of the platform containing the well bay, as shown in Figure D.7.
Copyright 2018 ISA. All rights reserved.
- 79 -
ISA-TR84.00.07-2018
Step 2 – Identify hazards/risk scenarios The hazard analysis identified a credible potential for leaks to occur from any of the nine gas wellheads. A range of release sizes are considered credible scenarios. For simplification of this analysis and for illustrative purposes, the analysis of only o ne risk scenario is included here. The scenario involves a pinhole leak from the flowline caused by erosive action of the fluid (e.g., sand production) resulting in a release of combustible gas on the platform. This is the most likely release scenario that will place a demand on the gas detection system. Other scenarios (not analyzed in this example) include a large leak and a rupture of equipment. The leak to be analyzed was idealized as a ¼ -in (6-mm) equivalent hole diameter releasing flammable methane gas at 1100 psi and 100°F (7600 kPa and 38°C). Because the platform is open to the atmosphere, the end user wanted an analysis of this hazard that was sensitive to the local meteorological conditions at the facility, including a variety of typical wind speed s and wind directions. For the purposes of the example, only two wind speeds were considered: a typical wind speed of 11 miles/hr (5 m/s) and a low (non-favorable) wind speed of 3.4 miles/hr (1.5 m/s). Step 3 – Analyze consequences In this example a range of consequence analysis options were considered, including qualitative estimates, simplified hazard correlation tables, and gas dispersion modeling. In this case , the gas dispersion model was selected to analyze the size of the flammable envelope and its p ossible location with respect to the proposed location of gas detection equipment. The dispersion model selected allowed for analysis of the flammable profile , and the model was sensitive to the quantity of material released, the rate of release, and meteo rological conditions. Gas discharge models were used to calculate the release rate from the ¼ -in (6-mm) diameter hole under 1100 psi and 100°F (7600 kPa and 38°C) process conditions. The discharge model calculated a release rate of 0.5 lb/sec (0.23 kg/s). The dispersion model results showed dispersion in the downwind direction to an end point equivalent to 50% LFL. This value was chosen to correlate with the sensitivity of the combustible gas detection equipment to be used in this application. Results of the gas dispersion model show the potential for a combustible gas accumulation of 20 ft (6 m) in the downwind direction and approximately 10 ft (3 m) in the crosswind direction. Analysis shows an accumulation of 1900 cubic feet (55 cubic meters). In addition, blast modeling was conducted to show that this accumulation can result in 3 psig (21 kPa) overpressure of concern on the structure. The results were obtained under credible meteorological conditions for the facility at wind speeds of 3.4 miles/hr (1.5 m/s). The model was studied and determined to be relatively insensitive to atmospheric stability for this example problem and relatively sensitive to assumed wind speed. Figure D.8 illustrates the output of the gas dispersion and accumulation model.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 80 -
Figure D.8 – CFD gas dispersion and accumulation model If this accumulation were to occur and the combustible gas cloud was ignited, a vapor cloud fire could occur. A vapor cloud explosion is credible if this small leak of gas per the basis of design is not detected early, and the accumulation could increase to the credible maximum of 55 m 3 of gas within the flammable envelope. Discussion of the parameters impacting the outcome of an ignited vapor cloud is beyond the scope of this technical report. Refer to CCPS Guidelines for Chemical Process Quantitative Risk Analysis (reference 2.7) for more information. The credible consequence of this scenario is a potential loss of life if personnel are present in the well bay module at the time of the vapor cloud fire/explosion. Based on the expected personnel staffing, the occupancy of the well bay module is considered to be no more than 2 hours out of each 24-hour day, or about 8%. This is consistent with a normally unoccupied installation. Per the end user’s protocols for hazard and risk assessment, the use of conditional modifiers and enabling factors is permitted. Step 4 – Analyze hazard frequency In this example, a range of frequency analysis options were considered , including qualitative estimates, simplified frequency lookup tables for generic situations, and quantitative analysis of industry failure and leak data for specific equipment items. In this case, the offshore industry maintains databases of equipment leak frequencies, and this database contained the appropriate leak frequency. The likelihood of a pinhole leak in a single wellhead producing natural gas with the range was found to be 5E-3 per wellhead-year. A probability of 30% for delayed ignition of high -pressure gas releases was selected for this release, based on offshore event data for similar releases. The frequency of a flash fire event is therefore 1.5E-3 per year for a single wellhead. Since there are nine total wellheads, the total frequency of the flash fire event is nine times the frequency of a single wellhead, or 1.4E-2 per year. Lack of normal occupancy on the platform reduces the risk to personnel. In this case, the platform is occupied only 8% of the time. The hazard scenario is a mechanical integrity failure that has no apparent correlation
Copyright 2018 ISA. All rights reserved.
- 81 -
ISA-TR84.00.07-2018
its occurrence and the occupancy of the platform. Therefore, there is an 8 % probability that an ignited release could result in the identified safety consequence to personnel, owing to the low occupancy. F unmitigated
= 1.5E-3 per year per wellhead x 9 wellheads x 0.08 occupancy factor
= 1.1E-3 per year risk to personnel No other protection layers were identified that would reduce the frequency of the hazard. Step 5 – Assess unmitigated hazard/risk Based on the operating company’s risk criteria, the likelihood of this consequence severity should be reduced to less than 1 chance in 10,000 per year (10 -4 per year individual risk of fatality). The frequency of the hazard scenario without the benefit of the gas detection system was calculated as 1.1E-3 per year (1.1 chance in 1,000 per year). The risk criteria is 1E-4 per year. Therefore, the risk criteria have not been satisfied for the unmitigated hazard/risk. Step 6 – Identify FGS performance requirements Based on the results of step 5, a recommendation was made to design a combustible gas detection and automatic shutdown system that would reduce the risk by a factor of 11. Automatic shutdown would involve closing well surface safety and wing valves in the event of gas detection. Gas detection for similar facilities using IR adsorption technology has proven effective. Initial targets for gas detector coverage was selected as 93% with an FGS safety availability of greater than 98% based on the unmitigated risk model and the target risk f requency of 1E-04 per year. These are selected as initial approximations based on the application of the risk model to achieve a risk reduction greater than 11. Because the safety action for this FGS safety function is process shutoff and isolation of the segment, the confidence is high that an effective mitigation will occur when the initiating event is the leak within the basis of design. The initial selection of mitigation effectiveness is 1.0. See Step 10 for additional considerations. Applying the quantitative risk model (event tree) was used to determine the likelihood for the unmitigated and mitigated outcomes. Detection Coverage
FGS Safety Availability
Mitigation Effectiveness
Yes
Likelihood
Safety Consequence Contribution
1
9.11E-01
0
0.00
0
0.00E+00
1
0.00
1.86E-02
1
0.02
7.00E-02
1
0.07
FGS effectiveness = Detector Coverage x FGS Safety Availability Weighted Average Consequence
0.09
Yes
0.98 0.93
Hazard Scenario
No
1
0.02 No 0.07
= 0.93 x 0.98 x 1.0 = 0.9114 (91% FGS effectiveness) Unmitigated Risk = =
=
F unmitigated (1 – FGS effectiveness)
1.1E-3 per year x (1 – 0.9114) 1.0E-4 per year
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 82 -
Therefore, a target FGS effectiveness of approximately 0.91 will reduce risk to a level that satisfies the risk criteria of no more than 1.0E-4 per year. In addition, the design and implementation of the FGS function with a claimed FGS risk reduction factor (RRF) greater than 10 will conform to the applicable requirements of ANSI/ISA -84.91.012012 (reference 2.10) and ANSI/ISA-84.00.01-2004 (reference 2.1). Step 7 – Initial FGS design The proposed gas detection/shutdown system design is based on expert judgment and heuristics through applying the prescriptive requirements of the appropriate national standard s and industry guidelines (Annex B). The design involves the use of open path combustible gas detection with three detector sets placed on the platform as shown in Figure D.9.
Figure D.9 – Initial gas detection system design: Open path gas detector placement The gas detectors generate a 4–20 mA signal proportional to the measured gas concentration and also generate discrete alarms when the combustible gas concentration is detected above a threshold value as measured in LFL-meters for a detected gas level. The sensor signal is received by a logic solver, which sends a command to shut down all wells in the well bay when gas is sensed. This would effectively shut off the source of the combustible gas from the leak point and mitigate the flammable hazard over a short period of time as the pressure at the source drops. Combustible gas detectors will be configured with sensitivity that allows for detection of a combustible gas concentration of 0.5 LFL-meters or greater. This will provide adequate sensitivity to detect the hazard scenario of concern given the ov erall dimensions of the module and the proposed location of detectors. The initial design did not specify whether any single detector in alarm state will cause the shutdown system to activate (e.g., 1ooN voting arrangement), or if multiple detectors are required to cause isolation. Spurious activation of the FGS does not result in a hazard but is an undesired event from an economic standpoint.
Copyright 2018 ISA. All rights reserved.
- 83 -
ISA-TR84.00.07-2018
Step 8 – Assess detector coverage Detector geographic coverage A computer model was used to analyze geographic coverage consistent with the methodology shown in Annex B of this technical report. The model generated coverage factors for both a 1ooN voting arrangement (any single detector has the capability to initiate a shutdown) as well as a 2ooN voting arrangement (two or more detectors are required to be in alarm state to initiate a shutdown). Graphical output of the model that calculated geographic coverage is provided in Figure D.10.
Figure D.10 – Gas detector geographic coverage map, initial gas detector layout The geographic coverage results show that approximately 78 % of the module is covered by one or more open path gas detectors. The area that is covered by both detectors is much less, in this case only 21%. In addition, 22% of the module is not in the area covered by any of the three detectors, meaning a threshold volume of combustible gas at those locations cannot be sensed by the initial detector layout. Step 9 – Verify FGS safety availability The safety function was initially defined to include only one detector to sense the hazard. Thus, a 1oo1 voting architecture was considered. A shutdown of the leaking single wellhead has been included in the FGS function. In addition, it was specified that functional testing of sensors and the logic solver will occur at an interval of once per year. Per local regulatory requirements, the functional test interval of final element valves will occur at an interval of once per month. Methods and sample calculations on how to calculate PFDavg are included in ISA-TR84.00.02 (reference 2.8). The primary inputs for this activity include device failure rate data and functional testing intervals. Shut-in of gas wells uses a deenergize-to-trip signal. Using simplified equations, the resultant PFDavg for the FGS function is 0.015 or an FGS safety availability of 1 – 0.015 = 0.985. Reliability data for the selected FGS equipment was identified. Any failure rate data used should be in conformance with ANSI/ISA-84.00.01-2004 (reference 2.1).
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018 Device Type Open path IR gas detector FGS logic solver Wellhead shut-in valve including final element interface
- 84 Dangerous Undetected Failure Rate λDU (per hour) 2.0E-06 1.0E-07 1.4E-06
Proof Test Interval 12 months 12 months 12 months
To calculate the FGS safety availability for the function, the PFDavg should be calculated for each of the FGS function components. The 1oo1 PFDavg equation was used. The PFDavg for the open path IR gas detectors is calculated as follows:
𝑃𝐹𝐷𝐴𝑉𝐺 =
𝜆 𝐷𝑈 *𝑇𝐼 2
Simplified equation for 1oo1 voting configuration from ISA-TR84.00.02 (reference 2.8) For this example, the equation becomes:
PFD AVG DU *TI 1.00E 06 * (1* 8760) 8.8E 03 For the SIL certified logic solver, the PFDavg at the prescribed test interval was taken from the vendor’s safety manual as 4.4E-4. For the final element (ESD valve), the PFDavg is calculated using the simplified 1oo1 equation from ISA TR84.00.02 (reference 2.8).
PFD AVG
DU *TI 1.4 E 06 * (8760) 6.1E 03 2 2
Subsystem Sensor FGS logic solver Final element
PFDavg 8.8E-3 4.4E-4 6.1E-3
Total
1.5E-2
FGS Component(s) IR gas detectors Safety PLC Wellhead shut-in valves 98.5% safety availability
Step 10 – Verify Effectiveness of FGS Actions Actions taken by the FGS can be manually or automatically initiated and can affect a wide variety of systems. This example considers automatic shutdowns that involve the closing of well surface safety and wing valves in the event of early (incipient) gas detection. If successful, this action will result in a state that meets the risk acceptance criteria (i.e., a small flash fire instead of a vapor cloud explosion with a severe impact to the platform and personnel). The probability of failure of these actions is incorporated in the FGS safety availability analysis. Therefore, a mitigation effectiveness of 1.0 is used in this design. Step 11 – FGS effectiveness (Mitigated Risk) The frequency of the hazard scenario with consideration of the benefit of the gas detection system (detector coverage, FGS safety availability, and mitigation action effectiveness) was calculated as shown in Figure D.11. The initial calculation was performed using the detector (scenario) coverage and 1ooN voting arrangement.
Copyright 2018 ISA. All rights reserved.
- 85 -
Detection Coverage
FGS Safety Availability
ISA-TR84.00.07-2018
Mitigation Effectiveness
Likelihood
Yes Yes Yes
1
7.68E-01
0
0.00E+00
0.985 No 0.78
Hazard Scenario
No
1
0.015
1.17E-02
No 0.22
2.20E-01
Figure D.11 – Mitigated risk assessment: existing detector layout FGS effectiveness = Detector Coverage x FGS Safety Availability x Mitigation Action Effectiveness = 0.78 x 0.985 x 1.0 = 0.768 (77% FGS effectiveness) Unmitigated Risk = =
=
F unmitigated (1 – FGS effectiveness)
1.1E-3 per year x (1 – 0.768) 2.5E-4 per year
The design reduces the risk of the unmitigated hazard by a factor of 1/(1 – 0.768) or a risk reduction of about 4. The overall likelihood of the hazard scenario was calculated as 2.5E-4 per year (a 2.5 chance in 10,000 per year). This remains a factor of 2.5 above the maximum likelihood that was selected for this scenario of 1 chance in 10,000 per year (10 -4 per year individual risk of fatality). Therefore, the risk has improved over the unmitigated design, but the risk criteria have not been satisfied with the initial design. Modify FGS design (iteration of Step 7 through Step 11) Since the risk criterion was not satisfied by the initial gas detection design, the design was modified to meet this objective. Options that should be explored include the following: •
adding one or more additional gas detectors to increase detector coverage
•
increasing the frequency of functional tests of the existing system design to increase FGS safety availability
In this case, the end user wanted to analyze the problem with an open path gas detector located south of the nine wells in addition to the existing three detectors. The additional detector is positioned in a manner that would detect gas from wells in an unfavorable wind condition (e.g., wind blowing from the northwest). Figure D.12 shows the modified detector layout. The coverage model was rerun for this scenario, and the results are shown below in Figure D.13.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 86 -
Figure D.12 – Modified gas detector layout
Figure D.13 – Gas detector geographic coverage map, modified gas detector layout The results for the modified detector layout show that the approximately 97% of possible hazard scenario outcomes are covered by the detector layout and can be sensed by at least one detector (1ooN voting). The application of the quantitative risk model (event tree) shows the calculation of the likelihood of the unmitigated and mitigated outcomes.
Copyright 2018 ISA. All rights reserved.
- 87 Detection Coverage
FGS Safety Availability
ISA-TR84.00.07-2018 Mitigation Effectiveness
Likelihood
Yes Yes Yes
1
9.55E-01
0
0.00E+00
0.985 No 0.97
Hazard Scenario
No
1
0.015
1.46E-02
No 0.03
3.00E-02
FGS effectiveness = Detector Coverage x FGS Safety Availability x Mitigation Action Effectiveness = 0.97 x 0.985 x 1.0 = 0.955 (96% FGS effectiveness) Unmitigated Risk = =
=
F unmitigated (1 – FGS effectiveness)
1.1E-3 per year x (1 – 0.96) 4.4E-5 per year
The design reduces the risk by a factor of 1/(1 – 0.96) or a risk reduction of about 25. The overall likelihood of the hazard scenario was reduced in the modified layout to 4.4E-5 per year (a 4.4 chance in 100,000 per year). This is below the maximum risk that was selected for this scenario of 1 chance in 10,000 per year (10 -4 per year individual risk of fatality). Therefore, the risk criteria have been satisfied with the modified design using four detectors.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
D.3
- 88 -
Application example – Toxic (H 2 S) gas detection in onshore gas processing plant
This example involves toxic gas detection in an onshor e gas processing plant. The process includes hydrocarbon gas containing hydrogen sulfide (H 2 S). A process gas release to the atmosphere presents an acute toxicity hazard to workers. D.3.1
Facility information
The plant contains an operating unit in which gas is processed under pressure. The unit is approximately 100 ft in length and 100 ft in width. The plant contains two separator vessels, a pump and a compressor, as shown in Figure D.14. For simplification of this analysis and for illustrative purposes, other equipment, including piping, instrument connections, and well control panels, are disregarded. The fluid being processed has been approximated as propane gas with 1% H 2 S (10,000 ppm H 2 S v/v) for this example. H 2 S has an acute toxicity concentration of concern of 100 ppm (v/v), which is the concentration immediately dangerous to life and health (IDLH). H 2 S can be detected at concentrations as low as 10 ppm using available detector technologies .
Figure D.14 – Example: Onshore gas processing facility D.3.2
Hazard assessment
The end user’s philosophy of toxic gas detection is to detect concentrations of gas that could be hazardous to personnel, so that action can be taken to evacuate personnel to safety within 15 minutes. Early (incipient) and effective detection allows personnel to evacuate, take shelter, and respond by safely shutting down the process. The philosophy requires identifying leak/release sources and size and locating detectors in the correct proximity and orientation of release sources in order to provide early (incipient) indication of a hazard. Based on these philosophy elements, the decision is to detect credible releases by strategically placing detection equipment in proximity to release sources to mitigate the size, extent, and duration of the H 2 S gas hazard. Step 1– Identify areas of concern One area of concern was identified for this example problem, the gas compressor C-104. Because this facility contains significant concentrations of H 2 S in the process gas, screening criteria determined the need for toxic (H 2 S) gas detection.
Copyright 2018 ISA. All rights reserved.
- 89 -
ISA-TR84.00.07-2018
Step 2 – Identify hazards/risk scenarios The hazard analysis identified a credible potential for leaks to occur from the compressor seal, resulting in the release of flammable and toxic gas. Personnel are potentially subject to an acute toxic hazard due to routine occupancy in the process area. Because the process is open to the atmosphere, the actual hazard at the time of a release will be sensitive to the local meteorological conditions at the facility, including a variety of typical wind speeds and wind directions. A range of release sizes are considered credible. To simplify this example, the analysis of only one risk scenario is included. The scenario involves a release from the compressor seal (full seal failure, annular release), resulting in a release of propane gas containing 1% H 2 S. This is the most likely release scenario that will place a demand on the gas detection system. The leak to be analyzed is represented as a ½-in (12-mm) equivalent hole diameter releasing process gas at compressor discharge pressure of 500 psig and 100°F. Gas discharge models were used to calculate the release rate. The discharge model calculated a total release rate of 3 lb/sec (1.4 kg/s) of process gas containing 1% H 2 S. Step 3 – Analyze consequences Gas dispersion modeling was conducted to analyze the size and extent of the toxic gas hazard and compare it with the proposed location of H 2 S gas detection equipment. The dispersion model selected allowed for analysis of the toxic concentration in the downwind direction and cross-wind direction based on similarity modeling, and the model was sensitive to the quantity of material released, the rate of release, and local meteorological conditions. For the purposes of the example , only one wind speed of 3.4 miles/h (1.5 m/s) was evaluated. The dispersion model results showed dispersion in the downwind direction to an end point of 10 ppm H 2 S. This value was chosen to correlate with the sensitivity of the H 2 S gas detection equipment to be used in this application. Life-threatening concentration (700 ppm H 2 S) and injury concentration (100 ppm H 2 S) end points were also modeled. Results of the gas dispersion model show the potential for a toxic gas envelope of dimensions 20ºft (6 m) in the downwind direction and approximately 3 ft (1 m) in the crosswind direction. This result was obtained under “typical” meteorological conditions for the facility with wind speed 3.4ºmiles/h (1.5 m/s) and neutral atmospheric stability. The model was studied and determined to be relatively insensitive to atmospheric stability for this example problem and relatively sensitiv e to assumed wind speed. Figure D.15 illustrates the output of the gas dispersion model, including the cloud footprint in the downwind and crosswind directions.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 90 -
Figure D.15 – H 2 S gas dispersion model: Profile view and footprint view If this release occurred and the combustible gas cloud was not ignited, the outcome would be a toxic gas hazard. The dispersion model shows a hazard distance of approximately 150 ft in the downwind direction to the 100 ppm IDLH end point. Further, the detectable concentration of 10ºppm extends further to a distance of approximately 600 ft, and measures about 80 ft maximum in the crosswind direction at a distance of 300 ft downwind. The credible consequence of this scenario is a potentially life-threatening injury to a single person if present near the compressor at the time of the release. Step 4 – Analyze hazard frequency In this example, a quantitative analysis of industry failure and leak data for specific equipment items were used. The likelihood of seal failure from a centrifugal compressor was found to be 1E 2 per year. Per the end user’s protocols for hazard and risk assessment, the use of conditional modifiers and enabling factors is permitted. The lack of normal occupancy reduces the risk to personnel. In this case, the process area is occupied only 4% of the time. The hazard scenario is a mechanical integrity failure that has no apparent correlation between its occurrence and the occupancy of the area. Therefore, there is a 4% probability that a gas release results in the identified safety consequence, owing to the low occupancy. Step 5 – Assess unmitigated hazard/risk F unmitigated
= 1E-2 per year x 0.04 occupancy factor
= 4E-4 per year risk to personnel No other protection layers were identified that would reduce the frequency of the hazard. Based on the operating company’s risk criteria, the likelihood of this consequence severity should be reduced to less than three chances in 100,000 per year (3E-5 per year individual risk of fatality). The frequency of the hazard scenario without the benefit of the H 2 S gas detection system was calculated as 4E-4 per year (four chances in 10,000 per year). The risk of the scenario is a factor of 13 higher than the risk criteria of 3E-5 per year. Therefore, the risk criteria have not been satisfied for the unmitigated situation.
Copyright 2018 ISA. All rights reserved.
- 91 -
ISA-TR84.00.07-2018
Step 6 – Identify FGS performance requirements The gap between unmitigated and tolerable risk is a factor of 15. Therefore, the performance target is an FGS effectiveness of 93%, requiring a risk reduction factor (RRF) of 15 or more in the FGS performance. The design and implementation of this FGS function with claimed FGS RRF in excess of 10 will be in conformance with the applicable requirements of ANSI/ISA -84.91.01-2012 (reference 2.10), ANSI/ISA-18.2-2016 (reference 2.19), and ANSI/ISA 84.00.01-2004 (reference 2.1). Step 7 – Initial FGS design The initial gas detection design is based on factors in Annex B.5. The design involves the use of point H 2 S gas detection (electrochemical type) with three detector sets placed in the process as shown in Figure D.16. This is the preferred equipment used by this facility, because it has prior use experience.
Figure D.16 – Initial H2S gas detector layout, point electrochemical H 2 S gas detector placement H 2 S gas detectors generate a 4-20 mA signal proportional to the measured H 2 S gas concentration, and also generate alarms when the toxic gas concentration is detected above a threshold value of 10 ppm (v/v). The sensor signal is received by a logic solver, which annunciates audible and visual alarms in the process area and control room . This gives personnel the opportunity to evacuate the facility and would mitigate the toxic hazard. Toxic gas detectors will be configured with a sensitivity that allows for detection at a gas concentration of 10 ppm or greater. This will provide adequate sensitivity to detect the hazard scenario of concern. The design specifies that a single detector in alarm state will cause the alarm system to activate (e.g., 1ooN voting arrangement). Step 8 – Verify detector coverage A range of possible scenario outcomes was considered that addressed the possibility that the gas cloud would disperse downwind from the release location and could be oriented in any of the 16 postulated wind directions. In each case, the determination was made whether or not any of the gas detectors were positioned to sense the toxic gas. A computer model was used to aid in conducting coverage mapping. The results of detector (scenario) coverage method was selected because it is sensitive to the layout of the detectors with respect to the prevailing wind.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
Scenario Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Total
- 92 Initiating Frequency (per yr) 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.6E-01
Directional Conditional Detected Detector Detector by FGS Coverage Frequency Wind Direction Probability N 2.9E-02 Yes 1.0 2.9E-02 NNE 4.9E-02 No 0.0 0.0E+00 NE 7.8E-02 No 0.0 0.0E+00 ENE 2.9E-02 No 0.0 0.0E+00 E 9.7E-03 Yes 1.0 9.7E-03 ESE 9.7E-03 Yes 1.0 9.7E-03 SE 5.8E-02 Yes 1.0 5.8E-02 SSE 2.9E-02 Yes 1.0 2.9E-02 S 4.9E-02 No 0.0 0.0E+00 SSW 1.9E-01 No 0.0 0.0E+00 SW 1.7E-01 No 0.0 0.0E+00 WSW 1.1E-01 Yes 1.0 1.1E-01 W 8.7E-02 Yes 1.0 8.7E-02 WNW 7.8E-02 No 0.0 0.0E+00 NW 1.9E-02 Yes 1.0 1.9E-02 NNW 9.7E-03 Yes 1.0 9.7E-03 Detector Scenario Coverage 35.9%
Figure D.17 – Scenario coverage analysis for initial detector layout A probabilistic distribution of wind was obtained and shown in Figure D.18.
Figure D.18 – Probabilistic wind distribution (wind rose) Detector scenario coverage A computer model was used to analyze coverage consistent with the methodology shown in AnnexºB.2 of this technical report. The model generated a coverage factor for a 1ooN voting arrangement (any single detector causes alarm).
Copyright 2018 ISA. All rights reserved.
- 93 -
ISA-TR84.00.07-2018
Unmitigated risk of toxic gas hazard Mitigated risk of toxic gas hazard, scenario coverage (1ooN)
Figure D.19 – Toxic gas (H 2 S) detector scenario coverage map, initial detector layout The coverage calculation results show that approximately 36 % of the possible outcomes are covered by detectors. This means the detector coverage is 36%. Step 9 – Verify FGS safety availability The safety function was initially defined to include a sufficiency criteria for one detector to sense a hazard. Thus, a 1ooN voting architecture was considered. In addition, it was assumed that functional testing of sensors and the logic solver occurs at an interval of once per year. F inal element (audible and visual alarms) functional testing occurs at an interval of once per month. Methods for calculating the PFDavg are adequately described in ISA-TR84.00.02 (reference 2.8). Using simplified equations, the resultant PFDavg for the FGS function is 0.01 or an FGS safety availability of 1–0.01 = 0.99. This includes sensors (1oo1 gas detector with diagnostics), logic solver (SIL 2 certified), and the final element (1oo2 visual and audible annunciation). Step 10 – Verify effectiveness of FGS actions This facility undergoes annual evacuation drills. Based on the drill performance record, on average one or more individuals do not evacuate in a timely manner 20% of the time. As a result , the initial design uses a mitigation action effectiveness of 80% for the evacuation response. Step 11 – FGS effectiveness (mitigated risk) The frequency of the hazard scenario considering the benefit of the gas detection system (detector coverage and FGS safety availability) was calculated as shown in Figure D.19.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 94 -
FGS effectiveness = Detector Coverage x Safety Availability x Mitigation Action Effectiveness = 0.36 x 0.99 x 0.8 = 0.285 (28% FGS effectiveness) Unmitigated Risk = =
=
F unmitigated (1 – FGS effectiveness)
3.0E-4 per year x (1 – 0.285) 2.1E-4 per year
The overall likelihood of the hazard scenario was calculated as 2.1E-4 per year (a 2.1 chance in 10,000 per year). This is above the maximum likelihood that was selected for this scenario of two chances in 100,000 per year (2x10 -5 per year individual risk of fatality). Therefore, the risk has improved over the unmitigated design, but the risk criteria have not been satisfied with the proposed FGS design. This is insufficient to achieve the desired performance target. Detector cover age and mitigation action effectiveness should be improved. Modify FGS design (iterate Step 7 through Step 11) Since the risk criterion was not satisfied by the initial gas detection design, the design was modified to meet this objective. Options that should be explored include the following: •
adding one or more additional gas detectors to increase detector coverage
•
increasing the frequency of functional tests of the existing system design to increase FGS safety availability
•
increasing the rigor associated with evacuation/sheltering of personnel in the event of H 2 S alarming
In this case, the end user wanted to analyze the problem with three additional point gas detectors located in proximity to the compressor C-104, in addition to the existing three detectors.
Figure D.20 – Modified gas detector layout The modified detector layout allows for detection of additional scenario outcomes ; this is shown in Figure D.21 and Figure D.22.
Copyright 2018 ISA. All rights reserved.
- 95 -
ISA-TR84.00.07-2018
Figure D.21 – Toxic gas (H 2 S) scenario coverage map for modified detector layout
Scenario Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Total
Initiating Frequency (per yr) 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.6E-01
Directional Conditional Detected Detector Detector by FGS Coverage Frequency Wind Direction Probability N 2.9E-02 Yes 1.0 2.9E-02 NNE 4.9E-02 Yes 1.0 4.9E-02 NE 7.8E-02 Yes 1.0 7.8E-02 ENE 2.9E-02 Yes 1.0 2.9E-02 E 9.7E-03 Yes 1.0 9.7E-03 ESE 9.7E-03 Yes 1.0 9.7E-03 SE 5.8E-02 Yes 1.0 5.8E-02 SSE 2.9E-02 Yes 1.0 2.9E-02 S 4.9E-02 No 0.0 0.0E+00 SSW 1.9E-01 Yes 1.0 1.9E-01 SW 1.7E-01 Yes 1.0 1.7E-01 WSW 1.1E-01 Yes 1.0 1.1E-01 W 8.7E-02 Yes 1.0 8.7E-02 WNW 7.8E-02 Yes 1.0 7.8E-02 NW 1.9E-02 Yes 1.0 1.9E-02 NNW 9.7E-03 Yes 1.0 9.7E-03 Detector Scenario Coverage 96.4%
Figure D.22 – Scenario coverage analysis for modified detector layout The results for the modified detector layout show that 96.4% of possible hazard scenario outcomes are covered by the detector layout and can be sensed by at least one detector. To improve the mitigation action effectiveness, evacuation route labeling has been enhanced, hazard-specific details have been added to personnel evacuation training, and quarterly drills have
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 96 -
been established with an investigation of insufficient response. As a result, the observed evacuation performance has improved to 97% success. FGS effectiveness = Detector Coverage x Safety Availability x Mitigation Action Effectiveness = 0.964 x 0.99 x 0.97 = 0.926 (92.6% FGS effectiveness) Unmitigated Risk = =
=
F unmitigated (1 – FGS effectiveness)
4.0E-4 per year x (1 – 0.926) 2.97E-5 per year
The overall likelihood of the hazard scenario was calculated as 2.97E-5 per year (a 2.97 chance in 100,000 per year). This satisfies the risk criteria of 3E-5 per year (3x10 -5 per year individual risk of fatality). Therefore, the modified FGS design is satisfactory.
Copyright 2018 ISA. All rights reserved.
- 97 -
ISA-TR84.00.07-2018
Annex E Evaluation of computational fluid dynamics vs. target gas cloud for indoor gas detection design (reference 2.17) Computational fluid dynamics (CFD) has been applied in a wide range of industries and has a wide reach in applications. With respect to engineering, this tool has been applied by professionals in safety-related fields for decades, notably in building design for complex structures where compliance with prescriptive building codes is problematic. This is an important point to note when determining an appropriate application of CFD with respect to gas detection desi gn. In 1993, the U.K. HSE released OTO 93 002 (reference 2.12), which subsequently became (and is still widely regarded as) the standard document with respect to gas detection guidance for partially enclosed volumes. This document allows a geographic gas d etection placement process, whereby the potential explosion overpressures of a given area can be correlated against a gas cloud that provides these. This is a standard process for industry external applications, with an allowance for a performance-based approach with respect to the target cloud one needs to detect. It is relevant, however, where the environment is reasonably predictable and fully enclosed, to explore other avenues of design, one of which is the application of CFD modeling to analyze gas cloud behavior. This also corresponds to the overarching philosophy of CFD application in determining a specialized application where other methods are not suitable, or the time and cost required to perform detailed CFD analysis is not of benefit. An example of this is a standard external offshore/onshore congested processing facility. If the suitable number of CFD scenarios run reach a number that is recognized as sufficient for the design (accounting for environmental conditions, number of leak locat ions, and orientations), the designer will discover that the gas can and does migrate to all areas of the congested zone, whereby this time and cost would have been better spent determin ing what cloud can cause damage, and applying gas detection to detect it. Evidence also shows that in these standard applications, nil wind conditions with slow release rates provide the greatest risk of large vapor cloud explosions (reference 2.16). This does not exclude the use of CFD, however, as this analysis is based on standard external applications for which the geographic approach is suitable. Specialized applications, such as internal processing units with predictable airflow, can be a potential route for the use of CFD. An example of why this application is specialized includes the fact that airflow is relatively predictable, meaning the designer can run a limited number of scenarios with changing environmental data, and which can be classed as a sufficient spread to account for the differing environment. This cuts the number of scenarios required down to a suitable number of CFD scenarios from which to assist with gas detector placement. E.1.1
Computational fluid dynamics modeling
First and foremost, applied CFD modeling tools must be used with caution, and limitations in design must be fully understood. These tools allow the user to analyze gas dispersion and the results of ignition of various gas accumulations based on the surrounding environment (explosion modeling). There are significant differences, however, between these tools and the inherent capabilities of the model and how the Navier-Stokes equations are solved/converged. Certain models, for example, are better suited for momentum-driven releases than others, and certain models cannot account fo r buoyancy as well as thermally driven fluid flow in transient assessments. Ensuring that an appropriate model is used is crucial. Practicing CFD consultants will be aware of these limitations , and it is important to note that many assumptions are included with any CFD modeling project. As a result of this, engineering judgment is still vital in achieving an appropriate model and subsequent design . Therefore, these assumptions must be fully justified and, where appropriate, provide a credible worst -case scenario to ensure the resulting design is fit for purpose and all associated risk is reduced to as low as
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 98 -
reasonably practicable (ALARP). This can be carried out before reviewing the implications of the model of gas detection design. If the design process is to be optimized, CFD should be reserved for special or problematic areas of interest. Overuse in typical spaces or areas is wasteful, unnecessary, downplays the importance of the FGS safety professional, and is generally applied for commercial purposes only. This relates back to, for example, fire safety engineering where these tools are applied in internal complex environments where performance -based methods are required for design approval, but the environments are predictable enough for CFD fire modelin g to be an appropriate tool. For internal locations, good engineering principl es will allow for a design that will be safe both when the HVAC is in operation (if applicable) and when it is not. Therefore , for occasions where the HVAC is running, CFD can be utilized to review the probable behavior of the cloud and also analyze whether the target gas cloud is credible with the HVAC running. This , therefore, gives insight into how to design the gas detection. Similar assessments can be carried out when the HVAC is not running or where there are significant dead zones in the airflow. However, due to the lack of forced ventilation, the pattern of accumulation becomes far more unpredictable. Gas detection design based on these analyses becomes far more difficult and should consider plume behavior related to release orientation and plume turbulence (see Figure E.1). The orientation and specific leak source identified will provide a significant bearing on the behavior of the release; therefore, it can be challenging to select a credible worst-case leak (reference 2.18).
Figure E.1 – Example plume behavior
Copyright 2018 ISA. All rights reserved.
- 99 -
ISA-TR84.00.07-2018
To include all equipment in a model m ight be too laborious an assessment and therefore the CFD user will omit equipment from the assessment. It is important that reviewers of the analysis are aware of this, and the CFD designer is aware of the impact that removing some of these obstructions will have on the holistic gas detection strategy. It is also relevant that incomplete geometry models are a significant cause of error in CFD design that is very difficult to design out. It is not outside the realm of possibility that a dangerous cloud can be represented as “safe” or “adequately detected” in a CFD review, when in actual fact the blockages that could cause the problem have been excluded from the model. What appear to be minute changes in boundary conditions can have a large effect on fluid dynamic outcomes. Another important point to note is that the applied CFD tool must be appropriately validated on an appropriate scale for the specific application. If an onshore refinery is being modeled , for example, it is crucial not to use an unverified CFD tool, as it will likely provide differing res ults from the typical industry standard tools, which have undergone significant full -scale validation and testing by independent third-party testing facilities. Much of a CFD tool’s validation is carried out through the product life, and therefore CFD models in their infancy can provide misleading results and potentially result in an inadequate design. The application examples present simulations of a simplified internal environment in order to represent how CFD modeling can be used to analyze cloud propagation and migration in atmospheric and HVAC-driven circumstances. What these analys es show is that CFD can be a useful tool in reviewing the credible behavior of the gas clouds in such an environment where there are predictable circumstances and the conditi ons of release can be credibly defined to determine the credible worst-case scenario leak with respect to detection. E.1.2
Recommendation on application
With respect to internal applications where airflow is dictated by the air change rate provided by the HVAC system, good gas detection design should be such that it will operate effectively when the HVAC is working and when it is not in operation. Therefore, one example of a good practice is to allow for CFD modeling to give an understanding of the nature of the airflow in an indoor environment, which would provide insight as to whether the target gas cloud that could generate an explosion overpressure could credibly exist. This would then di ctate whether to apply a volumetric detection design or one that focused more on the placement within the vicinity of HVAC ducting (reference 2.19). The issue of competence is one that must be addressed, as simply having access to the software is not a qualification to carry out the analysis discussed. The detailed analysis required to adequately apply CFD modeling to the gas detection placement problem is not addressed in this TR, and therefore ensuring that the analysis is performed by personnel competent in both FGS design methodologies and practicalities, as well as the intricacies of CFD analysis , is critical to the appropriateness of this methodology.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 100 -
Figure E.2 – Ambient (natural ventilation)
Figure E.3 – Ambient, gas concentration Iso-surface at 60% LFL (section)
Copyright 2018 ISA. All rights reserved.
- 101 -
ISA-TR84.00.07-2018
Figure E.4 – HVAC design 1 (mechanical extract left and right side)
Figure E.5 – HVAC (1), Gas concentration Iso-surface at 60% LFL (section)
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 102 -
Figure E.6 – HVAC design 2 (mechanical extract right side only)
Figure E.7 – HVAC (2), Gas concentration Iso-surface at 60% LFL (section)
Copyright 2018 ISA. All rights reserved.
- 103 -
ISA-TR84.00.07-2018
Figures E.1 to E.7 give some context as to the dispersion and mixing levels of the gas in each ventilation regime. Figure E.7 shows the iso-surface for a 60% lower flammability limit (LFL) gas concentration in the ambient case. It can be seen that a large volume of the compartment contains 60% LFL. Figure E.5 shows the same gas concentration iso-surface outlines for HVAC design 1. As discussed previously, the majority of the gas leak seems to be entrained into the exhaust flow generated between the left side inlet/exhaust.t as the 60% LFL cloud has been significantly reduced in volume and area from the ambient case. Figure E.7 shows the gas concentration iso-surface for HVAC design 2. What is immediately apparent is that even though a greater bulk fluid movement is achieved across the width of the compartment, because this leak occurred on the left side (and lost momentum quickly) this left-toright HVAC design appears to distribute the gas t hroughout the compartment to a greater extent than HVAC design 1. This is certainly true in the case of 60% LFL. This outcome is of course biased based on the details of this particular gas leak. A similar gas leak occurring on the right side of the compartment would likely be exhausted much more effectively by HVAC design 2 than the current leak. Consider further , however, that if the leak did occur on the right side of the compartment but was in the left-side direction, and did not impinge upon a solid surface, the jet itself could distribute the gas across the compartment from right to left. HVAC design 2 would redistribute that gas again from left to right in a similar fashion as demonstrated here, but with a potentially less desirable concentration distribution. What can be concluded from a brief overview of these results is that the physical layout of the space, the attributes and location of the leak , and, of course, the design of the HVAC system (and whether or not it is operational) can each have a profound impact upon the evolution and consequence of gas cloud formation following a leak in a process area. One can understand how congestion might affect species migration and cloud formation and how air currents induc ed by HVAC systems can affect concentration distribution. One could further study the possibility of dilution-ventilation, whereby the HVAC system is designed with gas cloud dilution in mind , and one could gain insight into “dead zones” within the space where dilution of bulk fluid is not sufficiently achieved. In practical terms, understanding the inherent limitations of the CFD model results (both the inherent assumptions and user-input variability), as well as an intrinsic appreciation for the underpinning science behind the gas detection methodology, allows the user to interpret the results as an additional piece of information contributing to the best holistic detection arrangement. What is not advisable, or arguably even practical from the point of vie w of a safety practitioner, is to use a percentage scoring system from a small number of leak scenarios as a risk -based justification for detector location. This may result in leaving large volumes of the compartment with no gas detection. The question of accounting for an almost infinite number of potential leak outcomes with a finite number of (inherently uncertain) models is an extremely difficult one to argue and to validate. To demonstrate that all credible leak scenarios have been accounted for with a limited number of CFD models would be difficult. One would have to categorize leak scenarios based on a range of attributes , such as orifice size, pressure, direction, location, impinging upon congestion or unimpeded jet, atmospheric conditions , and inventory details. Subsequently, an appropriate range of leak models that represent a sufficient cross section of all credible leaks within each category must be analyzed. Qualifying the definition of what constitutes a “sufficient cross section” of potential credible cases is a daunting prospect alone, and in all likelihood, building, analyzing (sensitivity analysis), and running the range of realistic model scenarios will be a very time-consuming endeavor. Consider further that for even a relatively small facility review, there can be 20 areas like the one considered here. The costs and time requirement become disproportionately large for the expected yield or benefit of the study.
Copyright 2018 ISA. All rights reserved.
This page intentionally left blank.
Copyright 2018 ISA. All rights reserved.
Developing and promulgating sound consensus standards, recommended practices, and technical reports is one of ISA’s primary goals. To achieve this goal the Standards and Practices Department relies on the technical expertise and efforts of volunteer committee members, chairmen, and reviewers. ISA is an American National Standards Institute (ANSI) accredited organization. ISA administers United States Technical Advisory Groups (USTAGs) and provides secretariat support for International Electrotechnical Commission (IEC) and International Organization for Standardization (ISO) committees that develop process measurement and control standards. To obtain additional information on the Society’s standards program, please write: ISA Attn: Standards Department 67 Alexander Drive P.O. Box 12277 Research Triangle Park, N.C. 27709 ISBN: 978-1-64331-036-7