Uploaded by Soft Softwares

Isa-tr-840007-ed-2018 (1)

advertisement
TECHNICAL REPORT
ISA-TR84.00.07-2018
Guidance on the Evaluation of Fire,
Combustible Gas, and Toxic Gas
System Effectiveness
Approved August 10, 2018
NOTICE OF COPYRIGHT
This is a copyright document and may not be copied or
distributed in any form or manner without the permission of
ISA. This copy of the document was made for the sole use of
the person to whom ISA provided it and is subject to the
restrictions stated in ISA’s license to that person.
It may not be provided to any other person in print,
electronic, or any other form. Violations of ISA’s copyright
will be prosecuted to the fullest extent of the law and may
result in substantial civil and criminal penalties.
ISA-TR84.00.07-2018, Guidance on the Evaluation of Fire, Combustible Gas, and Toxic Gas
System Effectiveness
ISBN: 978-1-64331-036-7
Copyright © 2018 by ISA. All rights reserved. Printed in the United States of America. No part of
this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by
any means (electronic, mechanical, photocopying, recording, or otherw ise), without the prior
written permission of the publisher.
ISA
67 T.W. Alexander Drive
P.O. Box 12277
Research Triangle Park, North Carolina 27709
E-mail: standards@isa.org
-3-
ISA-TR84.00.07-2018
Preface
This preface is included for information purposes and is not part of ISA -TR84.00.07-2018.
This technical report has been prepared as part of the service of ISA, the International Society of
Automation. To be of real value, this document should not be static but should be subject to
periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that
they be addressed to the Secretary, Standards and Practices Board; ISA, 67 T.W. Alexander Drive;
P.O. Box 12277; Research Triangle Park, N .C. 27709; Telephone (919) 549-8411; Fax (919) 5498288; E-mail: standards@isa.org.
This ISA Standards and Practices Department is aware of the growing need for attention to the
metric system of units in general, and the International System of Units (SI) in particular, in the
preparation of standards, recommended practices, and technical reports. The Department is
further aware of the benefits to users of ISA standards documents of inc orporating suitable
references to the SI (and the metric system) in their business and professional dealings with other
countries. Toward this end, the Department will endeavor to introduce SI and acceptable metric
units in all new and revised standards documents to the greatest extent possible. The Metric
Practice Guide, which has been published by the Institute of Electrical and Electronics Engineers
(IEEE) as ANSI/IEEE Std. 268-1992, and future revisions, will be the reference guide for
definitions, symbols, abbreviations, and conversion factors.
It is the policy of ISA to encourage and welcome the participation of all concerned individuals and
interests in the development of ISA standards. Participation in the ISA standards -making process
by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or
of any of the standards, recommended practices, and technical reports that ISA develops.
CAUTION — ISA DOES NOT TAKE ANY POSITION WITH RESPECT TO THE EXISTENCE OR
VALIDITY OF ANY PATENT RIGHTS ASSERTED IN CONNECTION WITH THIS DOCUMENT, AND ISA
DISCLAIMS LIABILITY FOR THE INFRINGEMENT OF ANY PATENT RESULTING FROM THE USE OF
THIS DOCUMENT. USERS ARE ADVISED THAT DETERMINATION OF THE VALIDITY OF ANY
PATENT RIGHTS, AND THE RISK OF INFRINGEMENT OF SUCH RIGHTS, IS ENTIRELY THEIR OWN
RESPONSIBILITY.
PURSUANT TO ISA’S PATENT POLICY, ONE OR MORE PATENT HOLDERS OR PATENT
APPLICANTS MAY HAVE DISCLOSED PATENTS THAT COULD BE INFRINGED BY USE OF THIS
DOCUMENT, AND EXECUTED A LETTER OF ASSURANCE COMMITTING TO THE GRANTING OF A
LICENSE ON A WORLDWIDE, NONDISCRIMINATORY BASIS, WITH A FAIR AND REASONABLE
ROYALTY RATE AND FAIR AND REASONABLE TERMS AND CONDITIONS. FOR MORE
INFORMATION ON SUCH DISCLOSURES AND LETTERS OF ASSURANCE, CONTACT ISA OR VISIT:
WWW.ISA.ORG/STANDARDSPATENTS.
OTHER PATENTS OR PATENT CLAIMS MAY EXIST FOR WHICH A DISCLOSURE OR LETTER OF
ASSURANCE HAS NOT BEEN RECEIVED. ISA IS NOT RESPONSIBLE FOR IDENTIFYING PATENTS
OR PATENT APPLICATIONS FOR WHICH A LICENSE MAY BE REQUIRED, FOR CONDUCTING
INQUIRIES INTO THE LEGAL VALIDITY OR SCOPE OF PATENTS, OR FOR DETERMINING
WHETHER ANY LICENSING TERMS OR CONDITIONS PROVIDED IN CONNECTION WITH
SUBMISSION OF A LETTER OF ASSURANCE, IF ANY, OR IN ANY LICENSING AGREEMENTS ARE
REASONABLE OR NONDISCRIMINATORY.
ISA REQUESTS THAT ANYONE REVIEWING THIS DOCUMENT WHO IS AWARE OF ANY PATENTS
THAT MAY IMPACT IMPLEMENTATION OF THE DOCUMENT NOTIFY THE ISA STANDARDS AND
PRACTICES DEPARTMENT OF THE PATENT AND ITS OWNER.
ADDITIONALLY, THE USE OF THIS DOCUMENT MAY INVOLVE HAZARDOUS MATERIALS,
OPERATIONS, OR EQUIPMENT. THE DOCUMENT CANNOT ANTICIPATE ALL POSSIBLE
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
-4-
APPLICATIONS OR ADDRESS ALL POSSIBLE SAFETY ISSUES ASSOCIATED WITH USE IN
HAZARDOUS CONDITIONS. THE USER OF THIS DOCUMENT MUST EXERCISE SOUND
PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY UNDER THE USER’S
PARTICULAR CIRCUMSTANCES. THE USER MUST ALSO CONSIDER THE APPLICABILITY OF
ANY GOVERNMENTAL REGULATORY LIMITATIONS AND ESTABLISHED SAFETY AND HEALTH
PRACTICES BEFORE IMPLEMENTING THIS DOCUMENT.
THE USER OF THIS DOCUMENT SHOULD BE AWARE THAT THIS DOCUMENT MAY BE IMPACTED
BY ELECTRONIC SECURITY ISSUES. THE COMMITTEE HAS NOT YET ADDRESSED THE
POTENTIAL ISSUES IN THIS VERSION.
ISA ( www.isa.org ) is a nonprofit professional association that sets the standard for those who apply
engineering and technology to improve the management, safety, a nd cybersecurity of modern
automation and control systems used across industry and critical infrastructure. Founded in 1945,
ISA develops widely used global standards; certifies industry professionals; provides education
and training; publishes books and technical articles; hosts conferences and exhibits; and provides
networking and career development programs for its 40,000 members and 400,000 customers
around the world.
ISA owns Automation.com , a leading online publisher of automation-related content, and is the
founding sponsor of The Automation Federation ( www.automationfederation.org ), an association of
nonprofit organizations serving as “The Voice of Automat ion.” Through a wholly owned subsidiary,
ISA bridges the gap between standards and their implementation with the ISA Security Compliance
Institute ( www.isasecure.org ) and the ISA Wireless Compliance Institute ( www.isa100wci.org ).
The following served as active members of ISA84 Working Group 7 in developing this technical
report:
NAME
COMPANY
M. Scott, FGS Co-Chair
K. Mitchell, FGS Co-Chair
I. Barreiro
D. Blackburn
A. Brier
D. Chisholm
R. Chittilapilly
F. Dagerman
R. Dunn
L. Garcia
C. George
I. Gibson
N. Gopalaswami
P. Goteti
M. Hochleitner
W. Gutierrez Ramirez
P. Gruhn
S. Harman
F. Hendi
P. Herena
E. Jandik
J. Kallambettu
P. Kannan
S. King
L. Laskowski
B. Leong
J. McNay
E. Marszal
aeSolutions
Kenexis Consulting Corp
Chevron
Phillips 66
BriTech Systems
Phillips 66
Oil & Natural Gas Corp
MSA Safety
DuPont
Siemens
Flint Hills Resources
Consultant
Honeywell Process Solutions
Honeywell Process Solutions
SIS-TECH Solutions LP
Pryxida Tech
aeSolutions
Eaton
Schneider Electric
BakerRisk
Chevron
Bechtel
Petroleum Development Oman
Honeywell
Emerson
Chevron
Micropack Ltd.
Kenexis Consulting Corp
Copyright 2018 ISA. All rights reserved.
-5T. Mukoda
G. Pajak
S. Pate
A. Petre
M. Ratcliffe
E. Revilla
E. Roche
A. Sahraei
P. Seiler
R. Seitz
E. Sharpe
R. Skone
K. Szafron
A. Summers
A. Woltman
D. Zetterberg
ISA-TR84.00.07-2018
DuPont
aeSolutions
Det-Tronics
Westech Industrial Ltd.
Jacobs Engineering & Construction LLC
Chevron
SIS-TECH Solutions LP
BP
Emerson
ASRC Energy Services
Suncor Energy
FireBus Systems
BP
SIS-TECH Solutions LP
Consultant
Chevron
The following served as members of the ISA Standards and Practices Board and approved this technical
report on August 10, 2018:
NAME
M. Wilkins, Vice President
D. Bartusiak
D. Brandl
P. Brett
E. Cosman
D. Dunn
J. Federlein
B. Fitzpatrick
J.-P. Hauet
D. Lee
G. Lehmann
T. McAvinew
V. Mezzano
C. Monchinski
G. Nasby
M. Nixon
D. Reed
N. Sands
H. Sasajima
H. Storey
K. Unger
I. Verhappen
D. Visnich
I. Weber
W. Weidman
J. Weiss
D. Zetterberg
COMPANY
Yokogawa UK Ltd.
ExxonMobil Research & Engineering
BR&L Consulting
Honeywell Inc.
OIT Concepts, LLC
T.F. Hudgins, Inc. - Allied Reliability Group
Federlein & Assoc. LLC
Wood PLC
Hauet.com
Avid Solutions Inc.
AECOM
Consultant
Fluor Corp.
Automated Control Concepts Inc.
City of Guelph Water Services
Emerson Process Management
Rockwell Automation
DuPont
Fieldcomm Group Inc. Asia-Pacific
Herman Storey Consulting
Advanced Operational Excellence Co.
Industrial Automation Networks
Burns & McDonnell
Siemens AG DF FA
Consultant
Applied Control Solutions LLC
Chevron Energy Technology Co.
Copyright 2018 ISA. All rights reserved.
This page intentionally left blank.
Copyright 2018 ISA. All rights reserved.
-7-
ISA-TR84.00.07-2018
Contents
Foreword ...................................................................................................................................................- 9 Introduction..............................................................................................................................................- 11 1
Scope .............................................................................................................................................- 15 -
2
References .....................................................................................................................................- 15 -
3
Definition of terms and acronyms ...................................................................................................- 17 -
4
Risk concepts in FGS design .........................................................................................................- 19 -
5
FGS engineering activities in a project workflow ............................................................................- 40 -
Annex A  Sample semi-quantitative performance target selection technique ......................................- 43 Annex B  Detector coverage assessment techniques ..........................................................................- 53 Annex C  Mitigation action effectiveness concept ................................................................................- 63 Annex D  Application examples ............................................................................................................- 67 Annex E  Evaluation of computational fluid dynamics vs. target gas cloud for indoor gas
detection design (reference 2.17) ...........................................................................................................- 97 -
Copyright 2018 ISA. All rights reserved.
This page intentionally left blank.
Copyright 2018 ISA. All rights reserved.
-9-
ISA-TR84.00.07-2018
Foreword
The work to develop this edition of ISA-TR84.00.07 began in 2014 and was completed in 2018. At
the same time, the functional safety standard ANSI/ISA 84.00.01 -2004 was undergoing updates in
parallel with IEC 61511. The ISA84 Fire and Gas Working Group main tained awareness of
committee activities associated with modifying the governing standards. The scope of updates to
the 2nd Edition of this technical report was limited by the ISA84 committee, and it was not in the
working group’s charter to align this edition of the technical report with the subsequent issuance
of ISA’s functional safety standard.
This technical report describes how the underlying principles of the functional safety standards
can be applied to fire and gas systems. Those same underlying principles that were used to
develop the guidance in the technical report remain consistent in the new issuance of IEC 61511 2016 and ANSI/ISA-61511-2018 (replacing ANSI/ISA-84.00.01-2004). Because of the timing
associated with approval and publication, this technical report retains the references to ANSI/ISA 84.00.01-2004. At the time of publication, the working group provides this acknowledgment that
the recent publication of ANSI/ISA-61511-2018 retains the same scope, application and underlying
principles associated with fire and gas systems.
ISA-TR84.00.07-2018 is intended for use in evaluating the effectiveness of fire and gas systems
(FGSs) in process industry applications. It addresses the implementation of FGSs to reduce the
risk of hazardous releases involving safety impact.
NOTE Users can choose to apply the concepts in this technical report to environmental and/or operational loss
scenarios.
ISA-TR84.00.07-2018 is provided for information purposes only and is not part of ANSI/ISA 84.00.01-2004 (IEC 61511 Modified) (reference 2.1).
ANSI/ISA-84.00.01-2004 and IEC 61511 (reference 2.9) are performance-based standards that
provide the minimum requirements for designing and managing a safety instrumented system
(SIS). As part of the safety lifecycle, the functional and integrity requirements are established for
safety functions that reduce the risk of hazardous events identified using a hazard and risk
analysis. Guidance is provided in Part 3 of either ANSI/ISA -84.00.01-2004 or IEC 61511 on the
various methods used to evaluate risk and allocate risk reduction to identified safety functions. An
underlying assumption in all of the methods is that the identified safety functions are capable of
achieving the allocated risk reduction in the operating en vironment.
The scope of ANSI/ISA-84.00.01-2004 covers electrical / electronic / programmable electronic
systems for use in safety applications. Accordingly, the ISA84 committee develops standards and
technical reports to provide guidelines for the implementation of automated (or instrumented)
systems in safety applications. The purpose of ISA-TR84.00.07-2018 is to provide guidance on
how to evaluate the effectiveness of identified FGS functions in a manner that is consistent with
the underlying principles of ANSI/ISA-84.00.01-2004. FGS functions that are identified as safety
controls, alarms, or interlocks should be implemented according to the applicable requirements of
ANSI/ISA-84.91.01-2012 (reference 2.10) and ANSI/ISA-84.00.01-2004, based on the degree of
risk reduction being claimed for the FGS function, in addition to relevant application specific
practices. For example, FGS functions should be implemented per applicable requirements in the
following standards, based on the risk reduction needed:
•
General fire and gas system safeguards with no specific risk reduction claimed should be
implemented per application-specific standards from local jurisdiction having authority.
•
FGS functions with claimed FGS risk reduction factor (RRF) less than or equal to 10 should be
implemented per applicable requirements of ANSI/ISA-84.91.01-2012, Safety Controls, Alarms
and Interlocks in the Process Industries.
•
FGS function with claimed FGS risk reduction factor (RRF) in excess of 10 should be
implemented per the applicable requirements of ANSI/ISA-84.91.01-2012 and ANSI/ISACopyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 10 -
84.00.01-2004 (based on IEC 61511 compliance, which includes consideration f or IEC 61508
compliance and/or end-user prior use approval of sensor, logic solver and final element subsystems).
Prescriptive approaches for the design of some/all components of a n FGS are provided in
recognized and generally accepted good engineering practices (ref erence 2.2 and 2.3) for certain
applications. In complex hazard scenarios, especially those involving high -risk exposure (e.g.,
offshore oil and gas installations), and in situations where no other prescriptive guidance is
available, supplementing these practices with performance-based analysis can result in an
improved design with more effective coverage and lower probability of FGS failure. It is ultimately
the user’s decision on when to apply performance-based approaches. Nothing in this technical
report suggests the prescriptive practices are invalid or that they should not be followed as required
by local jurisdictional authorities. The concepts underlying a performance -based approach are
suitable to the analysis and design of FGSs in process industries, and these principles can be
used effectively in conjunction with other good engineering practices.
THE EXAMPLE RISK ANALYSIS METHODS AND RISK CRITERIA CONTAINED IN
THIS TECHNICAL REPORT HAVE BEEN PROVIDED SOLELY AS EXPLANATORY
MATERIAL AND SHOULD NOT BE INTERPRETED AS RECOMMENDATIONS.
ALSO, THE EXAMPLE FGS ARCHITECTURES, DETECTOR COVERAGES, AND
MITIGATION EFFECTIVENESS REPRESENT POSSIBLE SYSTEM CONFIGURATIONS
AND SHOULD NOT BE INTERPRETED AS RECOMMENDATIONS. THE
CONFIGURATIONS USED IN ACTUAL APPLICATIONS ARE SPECIFIC TO THE
OPERATING ENVIRONMENT AND PROCESS CONDITIONS IN WHICH THEY ARE
USED. AS SUCH, NO GENERAL RECOMMENDATIONS CAN BE PROVIDED THAT
ARE APPLICABLE IN ALL SITUATIONS.
THE USER OF THIS TECHNICAL REPORT IS CAUTIONED TO CLEARLY
UNDERSTAND THE ASSUMPTIONS AND DATA ASSOCIATED WITH THE
METHODOLOGIES IN THIS DOCUMENT BEFORE ATTEMPTING TO UTILIZE THE
METHODS PRESENTED HEREIN.
Users of ISA-TR84.00.07-2018 will include:
•
Vendors, end-users, and consultants who are applying the performance-based concepts to
FGS functions, in addition to other applicable good engineering practices .
•
Hazard and risk analysis teams that are allocating risk reduction to FGS functions.
•
FGS designers who want to understand the impact of detector coverage and mitigation
effectiveness on the integrity of FGS functions.
•
Any additional entities who wish to gain further insight into performance based FGS design
concepts.
Copyright 2018 ISA. All rights reserved.
- 11 -
ISA-TR84.00.07-2018
Introduction
The ISA84 standards committee formed a working group to study the analysis and design
processes that are commonly used in the process industry for fire and gas systems (FGSs) and to
provide guidance on how these processes can be adapted to i ncorporate performance-based
concepts.
FGSs, as they are considered in this report, are a subset of industrial automation and control
systems that are employed in the process industries for the purpose of detecting loss of
containment of hazardous materials from the process and initiating a response to mitigate the
release impact. Loss of containment can be a small leak or a catastrophic release. It can be
detected by measuring the presence of the released materials (e.g., gas concentration) or inferred
from the effects of the release (e.g., thermal radiation from a fire) .
Detection methods considered in this technical report can include detection of combustible gas,
toxic gas, smoke, flame, acoustic emission, or rapid heat rise in areas adjacent to the process
itself and in critical areas, such as occupied buildings or buildings with unrated electrical
equipment. Detector coverage and associated detection capability var y substantially depending on
the hazard scenario and the characteristics of the detector.
Actions taken by the FGS can be manually or automatically initiated and can affect a wide variety
of systems, such as sheltering in place or evacuation in response to audible and visual alarm
indications; water deluge; fire suppressant initiation; manipulation of heating, ventilation, and air
conditioning (HVAC) system equipment; process isolation; or process depressurization. Similar to
detection capability, the effectiveness of these mitigative actions is highly scenario dependent.
Use of performance-based design is not widely adopted for FGSs within the process industries.
However, ANSI/ISA-84.00.01-2004 or IEC 61511 can be employed as a design basis for mitigative
fire and gas safety functions by considering the following definitions from ANSI/ISA-84.00.01-2004
or IEC 61511:
mitigation
action that reduces the consequence(s) of a hazardous event
NOTE 1 Examples include emergency depressurization on detection of a confirmed fire or gas leak.
prevention
action that reduces the likelihood of occurrence of a hazardous event
protection layer
any independent mechanism that reduces risk by control, prevention , or mitigation
NOTE 1 It can be a process engineering mechanism such as the size of vessels containing hazardous chemicals, a
mechanical mechanism such as a relief valve, a SIS, or an administrative procedure such as an emergency plan against
an imminent hazard. These responses may be automated or initiated by human actions.
[SOURCE: IEC 61511-1:2016, Definition 3.2.61, modified – reference to Figure 9 removed from Note 1]
safety function
function to be implemented by one or more protection layers, which is intended to achieve or
maintain a safe state for the process, with respect to a specific hazardous event
NOTE 1 The safe state of the process for each identified safety function is defined such that a stable state has been
achieved and the specified hazardous event has been avoided or sufficiently mitigated.
[SOURCE: IEC 61511-1:2016, Definition 3.2.69, added Note 1, derived from 10.3.1.d]
safety instrumented function (SIF)
safety function to be implemented by a safety instrumented system (SIS)
NOTE 1 A SIF is designed to achieve a required SIL, which is determined in relationship with the other protection layers
participating in the reduction of the same risk.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 12 -
There are two broadly different philosoph ical approaches used in the process industries for
establishing design requirements to ensure the availability and effectiveness of FGS s: prescriptive
and performance-based. The choice of design method is an owner/operator decision. FGSs have
traditionally been designed and implemented according to various good engineering practices,
such as NFPA 72 (reference 2.2) and EN 54 (reference 2.3). These prescriptive practices do not
require evaluation of the risk reduction capability of the FGS as measured by its safety integrity
and probability of failure on demand (PFD), nor do they consider quantitative measures for detector
coverage.
A performance-based approach consistent with the ANSI/ISA-84.00.01-2004 or IEC 61511 is
attractive because it builds on the strength of the existing standard. However, without guidance, a
performance-based approach has historically been challenging to apply to FGS design due to
several factors.
Traditional hazard and risk analysis techniques are suited for hazards related to process deviations
from normal operation. These process hazards have known initiating causes and consequences,
allowing the safety function to be specifically designed to detect the event and to respond by
achieving or maintaining a safe state of the process . FGSs are typically implemented to reduce
the risk of general loss of containment, such as leaks from equipment seals, flanges, and piping,
and are often not associated with a specific hazardous scenario. These hazards can be difficult to
define and analyze and often require the use of advanced risk analysis techniques, such as gas
dispersion, fire, and explosion modeling.
Most often FGSs do not prevent hazardous consequences from occurring, but rather mitigate the
effects of an event that has already occurred. FGSs typically reduce the magnitude and severity
of the consequence instead of eliminating it. Typical hazard and risk analysis assumes that the
identified safety function eliminates the consequence. Therefore, it is important to understand and
evaluate the hazard scenario resulting from FGS operation to ensure that the residual risk is
acceptable.
An FGS can provide poor risk reduction due to an inadequate detection rate. An analysis by Health
and Safety Executive (HSE) of eight years of hydrocarbon release data (reference 2.4) showed
that the effective detection rate was about 60%. The detection of many releases was significantly
delayed, leading to higher consequences than expected. Even if very high integrity can be
achieved by the hardware design and testing (e.g., low average probability of failure on demand),
sufficient reduction in risk will not occur unless the detector coverage is also very high. For FGS
functions, detector coverage should be analyzed with the same (if not more) quantitative rigor as
the verification of the average probability of failure on demand for the hardware design.
FGS effectiveness is also related to the ability of the mitigation elements (e.g., fire water system,
ventilation system, process isolation) to function in a way that reduces hazardous consequences
predictably. Mitigation can include
•
stopping the process
•
diverting the hazardous material
•
applying fire water with the appropriate flow and spray characteristics
•
activating alarms notifying personnel to shelter in place or evacuate
As in the case of detector coverage, the effectiveness of the mitigative actions is dependent on
many situational or scenario-specific factors. As a result of these complexities, initiating an FGS’s
action might not necessarily mean that the consequence can be fully mitigated.
As a result of these factors, a comprehensive approach to the hazard and risk analysis is indic ated,
as it is often difficult to develop a sound technical justification for allocating risk reduction to FGS
functions using a simplified risk assessment process, such as layer of protection analysis (LOPA)
Copyright 2018 ISA. All rights reserved.
- 13 -
ISA-TR84.00.07-2018
(reference 2.5 and 2.6). The identification of FGS functions and allocation of performance targets
to them requires hazard and risk considerations that are beyond typical LOPA implementation.
Furthermore, FGS performance verification should include evaluation of the detector coverage and
consider the effectiveness of the mitigative actions and the safety availability of FGS hardware
and software design.
This ISA technical report describes the analysis that should be undertaken and the effectiveness
criteria that should be specified when an FGS is implemented in a safety application. The report
integrates performance-based fire and gas system design techniques into the applicable portions
of the safety life cycle described in either ANSI/ISA-84.00.01-2004 or IEC 61511. The report also
discusses the development of detector-coverage criteria applicable to each FGS function and
includes a series of application examples (Annex D) that illustrate the techniques used to develop
and verify the detector coverage and mitigation effectiveness.
Copyright 2018 ISA. All rights reserved.
This page intentionally left blank.
Copyright 2018 ISA. All rights reserved.
- 15 -
ISA-TR84.00.07-2018
1 Scope
This technical report is informative and does not contain any mandatory requirements.
This technical report is intended to be used in conjunction with other good engineering practices
applicable to FGS installations. It is not intended to stand alone or be a replacement for ap plicationspecific practices.
ISA-TR84.00.07 is a derivative of the ANSI/ISA-84.00.01-2004 (IEC 61511 Mod) standard with
application to process industries. This technical report is intended to address detection and
mitigation of fire, combustible gas, and toxic gas hazards in process areas. Fire detection and
mitigation within nonprocess areas is outside the scope of this document.
This technical report is intended to:
•
Be used by those with a thorough understanding of ANSI/ISA -84.00.01-2004.
•
Clarify the additional information that should be considered when developing a performance based FGS design. This includes integrating the design activities into relevant portions of the
safety life-cycle model.
•
Clarify how to define FGS functions within typical FGS designs where automatic action is taken
as a result of detection of a fire or gas event.
•
Provide example scenario assessments to demonstrate the application of performance-based
concepts to the analysis and design of FGSs.
•
Demonstrate that any coverage or effectiveness factor below 90% results in an FGS risk
reduction factor of less than 10 of the FGS design.
•
Offer a performance-based methodology—for facilities using a prescriptive methodology (e.g.,
API-14C or API 14G) (reference 2.20 and 2.21) to allocate fire and gas detection. The
methodology provides considerations for how to improve fire and gas effectiveness . The
performance-based design process described in this TR can provide more effective hazard
detection and detector placement in cases where fusible plugs (fire) may be needed.
•
Define a methodology that addresses the design and effectiveness of FGS mitigative functions
that is consistent with the underlying principles used to design and assess the effectiveness of
preventative functions.
2 References
1. ANSI/ISA-84.00.01-2004 (IEC 61511 Mod), Functional Safety: Safety Instrumented Systems
for the Process Industry Sector, Parts 1, 2 & 3, International Society of Automation,
Research Triangle Park, N.C., 2004.
2. NFPA 72, National Fire Alarm Code, National Fire Protection Association, 2016.
3. EN 54-2: 1997 Fire Detection and Fire Alarm Systems Part 2: Control and Indicating
Equipment.
4. HSE Offshore Fire and Explosion Strategy – Issue 1;
http://www.hse.gov.uk/offshore/strategy/fgdetect.htm .
5. CCPS/AIChE, Layer of Protection Analysis: Simplified Process Risk Assessment, First
Edition, New York, 2001.
6. CCPS/AICHE, Guidelines for Initiating Events and Independent Protection Layers in Layer of
Protection Analysis, First Edition, New York 2015.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 16 -
7. CCPS/AIChE, Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition,
New York, 1999.
8. ANSI/ISA-TR84.00.02, Safety Instrumented Systems (SIS) – Safety Integrity Level (SIL)
Evaluation Techniques, International Society of Automation, Research Triangle Park, N.C.,
2002.
9. IEC 61511:2016, Functional Safety: Safety Instrumented Systems for the Process Industry
Sector, Parts 1, 2 & 3.
10. ANSI/ISA-84.91.01-2012, Safety Controls, Alarms and Interlocks in the Process Industries .
11. U.K. HSE OTO 2001/055, OSD Hydrocarbon Release Reduction Campaign—Report on the
Hydrocarbon Release Incident Investigation Project –1/4/2000 to 31/3/2001.
12. U.K. HSE OTO 93 002 – Offshore Gas Detector Siting Criterion Investigation of Detector
Spacing, April 1993.
13. IEC 60079-29-1: Explosive atmospheres – Part 29-1: Gas detectors – Performance
requirements of detectors for flammable gases .
14. IEC 60079-29-2: Explosive atmospheres – Part 29-2: Gas detectors – Selection, installation,
use and maintenance of detectors for flammable gases and oxygen .
15. IEC 60079-29-4: Explosive atmospheres – Part 29-4: Gas detectors – Performance
requirements of open path detectors for flammable gases .
16. A Review of Very Large Vapor Cloud Explosions’, U.K. Health and Safety Executive,
Pipelines and Hazardous Materials Safety Administration (U .S. Department of Transport).
17. Evaluation of Computational Fluid Dynamics vs Target Gas Cloud for Indoor Gas Detection
Design, J McNay, Dr. Ryan Hilditch, Published and Presented 25th October 2016 , MKOCPS
Symposium.
18. OGP Report 434-7, Consequence Modelling, International Association of Oil and Gas
Producers, March 2010.
19. ANSI/ISA-18.2-2016, Management of Alarm Systems for the Process Industries .
20. API 14C, Recommended Practice for Analysis, Design, Installation, and Testing of Safety
Systems for Offshore Production Facilities, 8 th edition, 2017.
21. API 14G, Recommended Practice for Fire Prevention and Control on Fixed Open -type Offshore
Production Platforms, 4th edition, 2013.
22. FM Global Property Loss Prevention Data Sheets 5-48 Jan 2011.
Copyright 2018 ISA. All rights reserved.
- 17 -
ISA-TR84.00.07-2018
3 Definition of terms and acronyms
3.1 Definitions
This section contains definitions of terms that have been introduced or clarified with respect to
performance-based FGS applications and included in this technical report.
detector (geographic) coverage
The fraction of the geometric area or volume of a defined monitored process area that, if a hazard
were to occur in a given geographic location, would be detected considering the defined voting
arrangement.
detector (scenario) coverage
The fraction of the hazard scenarios from process equipment within a defined and monitored
process area that can be detected considering the frequency and magnitude of the hazard
scenarios and the defined voting arrangement.
fire and gas mapping
The analysis of detector coverage to examine a proposed or existing FGS detector layout/voting
arrangement and verify FGS performance targets are achieved by the design.
FGS effectiveness
The ability of the FGS function to detect and mitigate a design -basis hazard under a demand
condition.
NOTE 1 FGS effectiveness is dependent on a number of factors associate d with design, installation, site-specific
operating conditions, and maintenance. FGS effectiveness is a function of the selected FGS performance metrics,
including detector coverage, FGS safety availability, and mitigation action effectiveness, accounting for common cause,
common mode, and systematic failures.
FGS risk reduction factor
The ability of the FGS function to reduce the frequency of occurrence or the severity of harm.
NOTE 1 FGS risk reduction factor is analyzed quantitatively for FGS functions that prevent or completely mitigate the
hazard as a factor equal to the reciprocal of one (1) minus FGS effectiveness.
NOTE 2 For FGS safety functions that do not completely mitigate the hazard, the residual risk is included in the analysis
of FGS risk reduction. See Annex C for example.
FGS safety availability
The availability of the fire and gas function designed to automatically mitigate the consequences
of hazards.
NOTE 1 FGS availability is equal to one minus the probability of failure on demand (PFDav g) for the FGS safety function
(sensor, logic solver, and/or final element).
mitigation action effectiveness
The confidence that the final element(s) actions will successfully mitigate the consequence of the
hazard defined in the FGS basis of design.
NOTE 1 Refer to Annex D for additional guidance on mitigation effectiveness.
1ooN voting arrangement
Implementation of 1ooN (where N > 1) voting in an FGS is such that upon activation of any single
detector in a monitored area with multiple detectors, the logic solver commands specified safety
action(s) to occur.
NOTE 1 This arrangement tends to provide a higher level of safety in that a dangerous undetected failure of a single
detector will not inhibit the required safety action once the hazard is detected by a ny second nonfailed detector. This
arrangement also provides a relatively higher level of exposure to spurious activation of the FGS , because a false alarm
signal generated by any single detector will cause safety action(s) to occur when no hazard is prese nt.
MooN voting arrangement
Implementation of MooN (where N > 1) voting in an FGS is such that the logic solver commands
specified safety action(s) to occur only upon activation of any M or more detectors in a monitored
area.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 18 -
3.2 Abbreviations and acronyms
1ooN: one out of N voting
1oo2: one out of two voting
3D: three dimensional
AIChE: American Institute of Chemical Engineers
ALARP: as low as reasonably practicable
ANSI: American National Standards Institute
API: American Petroleum Institute
CCPS: Center for Chemical Process Safety
CCTV: closed-circuit television
CFD: computational fluid dynamics
ERPG: emergency response planning guideline
ESD: emergency shutdown
FEED: front-end engineering design
H2S: hydrogen sulfide
HSE: Health and Safety Executive
HVAC: heating ventilation air conditioning
IDLH: immediately dangerous to life and health
IEC: International Electrotechnical Commission
IR: infrared
ISA: International Society of Automation
FGS: fire and gas system
λ DU : dangerous undetected failure rate
LEL/LFL: lower explosive limit/lower flammability limit
LOPA: layers of protection analysis
MOS: metal oxide semiconductor
NFPA: National Fire Protection Association
OSHA: Occupational Safety and Health Administration
PEL: permissible exposure limit
PFDavg: probability of failure on demand average
Copyright 2018 ISA. All rights reserved.
- 19 -
ISA-TR84.00.07-2018
PHA: process hazards analysis
PPM: parts per million
QRA: quantitative risk assessment
RHO: radiant heat output
RRF: risk reduction factor
SIF: safety instrumented function
SIL: safety integrity level
SIS: safety instrumented system
STEL: short-term exposure limit
TI: test interval
TLV: threshold limit value
TWA: time weighted average
UV: ultraviolet
VCE: vapor cloud explosion
4 Risk concepts in FGS design
This technical report provides an overview of some hazard and risk analysis methods applicable
to fire and gas system design, including qualitative, semi-quantitative, and fully quantitative
methods to estimate risk. Hazard and risk analyses are often used to identify loss-of-containment
events due to a process deviation from normal operation. In contrast, most FGS functions are
specified to address the risk of loss of containment due to problems with equipment mechanical
integrity or other general causes of loss of containment not related to process hazard analysis
(PHA) scenarios. Regardless of how the need for these functions is identified, an FGS can be
important to an overall risk management strategy.
A performance-based design of safety functions is proceeded by analyzing the hazard and risk of
credible scenarios and allocating risk reduction to safety functions that will be specifically designed
to address these events. Although a variety of methods are used in the process industries, an
increasingly common method is layer of protection analysis (LOPA) (reference 2.5 and 2.6). LOPA
is an established method for evaluating hazardous event propagation and assessing the capability
of safety functions in reducing event risk. An important objective of LOPA is to ensure adequate
independence and separation of the initiating causes from independent protection layers to
minimize common cause, common mode, and systematic failures.
However, LOPA does have limitations, which become clear when examining FGS functions. LOPA
typically considers only two possible states for a candidate protection layer: success or failure. If
the protection layer fails, there is a consequence. If the protection layer succeeds, the propagation
of the hazardous event is halted and there is no consequence. While this is an appropriate
assumption for many independent protection layers, it is not suitable for FGSs, since they typically
do not stop the loss of containment event from occurring. Instead, a successful FGS function
prevents an already bad situation from getting wor se. It is crucial to ensure that common cause
and dependent mode failures are evaluated between the FGS and the initiating source. If the enduser risk criteria are based on preventing the hazardous event (i.e., preventing the release of
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 20 -
materials), no risk reduction will be claimed for the FGS. Nevertheless, the principles in this TR
may be used to provide guidance for improved FGS safeguard design.
This technical report presents a risk model to illustrate the concepts of how mitigative system risk
can be analyzed. It addresses the detector coverage, safety availability, and mitigation
effectiveness, and thereby allows these factors to be explicitly considered in the hazard and risk
assessment. This model uses a simplified event tree to illustrate the risk analysis of identified
initiating events from the initiating cause(s) to the final outcome(s). For FGSs, the simplified event
tree (Figure 1) considers three aspects of FGS effectiveness: detector coverage, FGS safety
availability, and mitigation effectiveness. While this simplified event tree shows mitigation
effectiveness as a single probabilistic value, this is only to illustrate the risk concepts. In reality,
the effectiveness of mitigation actions is often a more complex collection of factors. The event tree
branches represent the probability of success and the probability of failure of these aspects —the
mathematical complements.
The event tree begins with a hazard arising from loss of containment within an area of concern
and follows the propagation of the scenario through the success (yes)/failure (no) of each aspect
contributing to effectiveness. Quantitative analysis can be used to report the relative likelihood
and magnitude of the consequence of each potential outcome. Risk assessment determines the
tolerability of the potential outcomes based on the consequence severity and likelihood by
comparing the outcome frequency and consequence severity to the end-user risk criteria.
Figure 1 – FGS effectiveness model
The first aspect of FGS effectiveness is the probability that the hazard is detectable given the
detector layout and chosen voting arrangement. For example, if action is taken upon activation of
two or more gas detectors, the hazard is detectable only if the scenario involves a gas cloud that
covers at least two detectors in the array. Loss of containment places a demand on the FGS,
requiring its sensor array to detect the hazardous condition and to initiate required action . Failed
detection allows the incipient condition to escalate to a larger magnitude event. This escalated
hazard might not be detectable by other detectors in the FGS; and if detectable, the FGS might
not be effective in mitigating the larger hazard. This complexity has not been incorporated into the
risk model in this technical report. For the sake of simplicity, it is assumed that a n incipient
condition that is not detected due to inadequate detector coverage results in an unmitigated hazard
that is beyond the capability of the FGS to effectively mitigate.
The second branch of the event tree (FGS safety availability) represents the probability of
successful FGS activation upon a detected hazard. FGS functions comprise sensor(s), logic
solver(s), and final element(s). Failure of the FGS function to operate on demand results in
Copyright 2018 ISA. All rights reserved.
- 21 -
ISA-TR84.00.07-2018
escalation of the consequence. Quantification of the probability of failure on demand can be
performed using the techniques presented in ISA-TR84.00.02 (reference 2.8).
The third branch of the event tree is the FGS mitigation action effectiveness, which has an impact
on the event outcomes and should be carefully considered when evaluating overall effectiveness
of an FGS function. The design intent of an FGS is typically not to prevent a hazardous condition
from initially occurring, but rather to reduce (or mitigate) the severity of consequences to a lower
level. A small fire is prevented from becoming a large fire that can escalate into a larger or
unacceptable consequence. A small gas release that presents a toxic and/or fire hazard is
prevented from becoming a large gas accumulation that could result in a larger or unacceptable
consequence. Therefore, the residual risk associated with a successful FGS operation should be
considered in the overall determination of risk acceptability.
However, it would be technically incorrect to consider the FGS detector coverage, safety
availability, and mitigation effectiveness in the same manner as one would consider independent
protection layers. The separate depiction in the event tree of FGS detector coverage, safety
availability, and mitigation effectiveness is simply intended to highlight the aspects of the FGS that
make its evaluation different from the typical instrumented safeguard. Personnel involved in the
design or modification of FGSs should consider that any change to the FGS or to the context in
which it is installed will most likely result in changes to the values of all three of these parameters.
Different methods with different degrees of quantitative rigor are used in the process industries to
implement the concepts discussed in the preceding paragraphs. These methods range from semi quantitative techniques to full quantitative risk analysis (QRA) methods. A quantitative risk analysis
can be used to make decisions about the risk reduction strategy (ref erence 2.7). The QRA should
be based on a comprehensive risk analysis and consequence modeling for the hazardous event
under consideration. Semi-quantitative methods utilize scoring methods that categorize the
attributes that define risk and then select grades of FGS performance based on the results of the
scoring process (see Annex A).
Where possible and practical, other instrumented safety systems, such as safety instrumented
functions, should be designed to prevent loss of containment. The development of a methodology
to allow the allocation and verification of the risk reduction capab ility of an FGS function should
not be construed as an endorsement of the use of an FGS function in lieu of a properly designed
preventive safety instrumented function. Thus, if risk analysis determines that two orders of
magnitude of risk reduction is required to address a high-pressure scenario in a vessel, a safety
instrumented function closing inlet feed to the vessel upon detection of high pressure with a risk
reduction of two orders of magnitude is preferable. This technical report does not endorse
addressing the above hazardous event with a safety instrumented function achieving one order of
magnitude in combination with an FGS function providing the remaining one order of magnitude in
risk reduction. This technical report focuses on the implementatio n of FGSs to protect people and
the environment when the process is operating normally, but loss of containment has occurred due
to such factors as corrosion, erosion, a leaking gasket, or tubing failure, or the process is operating
abnormally, and preventative layers have failed. Thus, consider a different scenario where the
pressure in the vessel is within tolerable limits ( e.g., not high) and loss of containment has
occurred. In this scenario, an FGS function is an appropriate choice for reducing the risk, because
there is no potential for implementing a preventive safety instrumented function to prevent loss of
containment.
It is advisable to use an approach that ensures :
•
Loss of containment is minimized through implementation of preventive systems and an
equipment mechanical integrity program .
•
FGSs are designed and maintained to be effective in reducing the severity of loss-ofcontainment.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 22 -
4.1 Performance-based FGS design process
Design and implementation of an FGS can be performed in a manner that is consistent with the
underlying principles of both ANSI/ISA-84.00.01-2004 and IEC 61511. The fundamental approach
is to examine the hazard and risk in order to establish required FGS performance, and then to
specify a design that achieves that performance. This performance-based FGS design process is
illustrated in Figure 2, and it integrates into the relevant portions of a safety life cycle for safety
functions.
NOTE Steps 7, 8, 9, and 10 may require iteration to meet performance targets.
Figure 2 – Performance-based FGS design process
4.2 Planning: Fire and gas philosophy
Planning for performance-based FGS design should include determination of the end user’s fire
and gas system philosophy. This philosophy is a well-reasoned technical basis that establishes
the overall goals for hazard detection and mitigation. It should be consistent with the end user’s
risk acceptance criteria that will be us ed in the allocation of safety functions to protection layers.
It guides choices made by FGS designers. Appropriate choices for a given user facility are often
best performed through standardized application of a fire and gas philosophy.
FGSs are beneficial in mitigating the severity of hazards typical to the process industries.
Additional information about these hazards can be found in CCPS ( reference 2.7). The description
here is intended to aid in defining FGS performance objectives based on the chosen philosophy of
the end user.
Copyright 2018 ISA. All rights reserved.
- 23 -
ISA-TR84.00.07-2018
To understand performance requirements for FGS, it is important to have a definition of the end
user’s philosophy that is being applied to mitigate hazards. Mitigation systems usually need to
have a philosophy developed before a designer can proc eed. Different users of this TR will have
different philosophical approaches toward detection and mitigation of fire and gas hazards. This
section describes how the elements of the fire and gas philosophy translate to performance-based
FGS design. Some elements of a mitigation philosophy are included in codes, industry
recommended practices, or company standards. However, elements associated with detection and
mitigation are usually established by the end user.
The primary questions to be addressed in defining the performance objectives for fire and gas
mitigation:
•
What magnitude of hazards should the FGS detection equipment be designed for?
•
What FGS actions are required to successfully mitigate the hazard?
This TR provides guidance on how the chosen philosophy will impact performance-based FGS
design.
4.3 Fire detection philosophy
When flammable or combustible hydrocarbon liquids are released from the process, accumulate,
and are subsequently ignited, the result is a turbulent diffusion fire. The extent of a pool fire hazard
is governed by the size of the pool, the burning intensity of the fuel, and to a lesser extent,
meteorological conditions. When pressurized gas (or liquid/two -phase) is released and ignited
immediately upon release, the result is a momentum-driven, turbulent jet fire. The extent of a jet
fire hazard is governed by the rate of release, the shape of the flame, the flame orientation, and
the burning intensity of the fuel.
Both pool fires and jet fires emit thermal radiation, which can be haz ardous to people within
seconds of exposure. Process equipment or structures can be damaged within minutes of intense
fire exposure, especially if fireproofing is not provided or not effective. Fires can produce heavy
smoke, which is hazardous if introduced in an occupied building. Personnel can be harmed either
by the direct effect of the ignition of the hydrocarbon release or by exposure to an ongoing fire if
the ability to safely evacuate is impaired. Fire detection can be beneficial in the latter case, by
detecting an incipient fire in time before further exposure to personnel or impairment of evacuation
routes can occur.
The actions that are most effective in the early (incipient) stage of a fire are:
•
alarms and evacuation/sheltering of personnel
•
automatic emergency shutdown (ESD) with isolation of fuel and depressurizing
•
activation of deluge systems/foam systems to suppress burning, cool surrounding equipment,
or, in some cases, extinguish the fire
If a fire is not detected early (incipient), the potential exists for the fire to escalate to a hazard that
impacts more equipment, impacts evacuation/egress, and causes more severe harm to people and
the process.
Fire detection philosophy statements are useful in determining the performance objectives o f fire
detection system. The performance objective will guide the designer on the magnitude of fire that
should be detected and the safety actions to be automatically activated. With a specific philosophy
statement, the FGS designer can identify the perfor mance objectives, and this will guide the
designer to choose the proper basis of design. Without a well-defined philosophy, the FGS
designer can provide a system that is over-designed or under-designed and does not achieve enduser expectations. The following are two different philosophies for fire detection. Each is valid for
a particular application.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 24 Table 1 – Example fire detection philosophies
Fire Detection Philosophy
Elements of Philosophy Decision
Typical Application
Goal is to detect fire as early as
practical to reduce the possibility
of escalation, minimize impact to
the asset, and allow personnel to
take appropriate protective
actions.
Within a monitored process area:
Detection: Incipient fire
Occupied offshore facilities
Successful FGS mitigation
Onshore process plants with
significant occupancy
•
prompt evacuation or shelter-in-place response to
alarm notification
•
isolate fuel source
•
depressurize the process
•
initiate fixed fire suppression of affected equipment
and surrounding equipment
Migration beyond monitored process area:
Detection: Smoke at building air intakes
High-value assets
Occupied offshore facilities
Successful FGS mitigation:
Goal is to detect fire that has the
potential to produce major damage
beyond the area of origin to
mitigate against total asset loss.
•
prompt evacuation or shelter-in-place response to
alarm notification
•
shutdown ventilation
Within a monitored process area:
Detection: Fully developed fire
Successful FGS mitigation
•
Normally unmanned installations,
onshore or offshore, with limited
firefighting capability
isolate fuel source and allow to extinguish by
depletion of fuel
Migration beyond monitored process area:
Detection: (none)
It is impractical to detect all potential fire hazards. Detection can occur of an incipient hazard (early
stage) or a fully developed hazard. Note that with larger fires, optical flame detector performance
might be degraded. Safety actions can be as simple as containment and isolation of fuel, or as
complicated as isolation, depressurizing, and suppression. The fire detection philosophy should
specify if alarms and FGS actions will occur on a single detector in alarm state (1ooN) or require
more than one detector in alarm state (e.g., 2ooN).
4.4 Flammable gas detection philosophy
When flammable gas (or volatile liquid) is released but not immediately ignited, a flammable fuel air mixture forms, which can accumulate and/or migrate away from the point of release. Safe
dispersion occurs when the gas dilutes in air below the lower flammable limit (LFL) concentration.
If there is an absence of physical confinement of the flame front and absence of flame front
interaction with turbulence-inducing obstacles, then the flame will not significantly accelerate. If
ignited, the initial phenomenon is a short-duration, transient fire that burns from the point of ignition
through the gas cloud in short duration. The flame front expands slowly near the point of ignition.
In the event the flame front does not accelerate, the vapor cloud fire will not produce a significant
pressure wave (blast). The fire is therefore called a flash fire. A flash fire is hazardous, but the
extent is limited to the shape/size of the flame envelope itself.
However, gas can accumulate in confined and semi-confined areas of a process. Historically, a
minimum gas cloud accumulation of 5 meters (reference 2.4 and 2.12) was demonstrated to be
sufficient for enabling a flame front to accelerate to a velocity that has the potential to cause a
significant pressure wave. This does not exclude the potential that under adverse conditions, an
accumulation of less than 5 meters might result in similar hazards. This pressure wave is also
called a blast, and the phenomenon is known as a vapor cloud explosion (VCE). The extent of the
VCE hazard is governed by the amount of gas accumulation and the degree of confinement and
congestion, and it can be measured as the pressure generated by the blast and its duration.
Copyright 2018 ISA. All rights reserved.
- 25 -
ISA-TR84.00.07-2018
Personnel located outdoors are often not injured by the pressure wave itself but can be hurt by
high-velocity fragments. Non-blast-resistant structures can be severely damaged or collapse,
causing harm to building occupants. Blast effects can result in hazards at significant distance
beyond the boundary of the flammable cloud.
It is desirable to detect flammable gas before ignition, especially if it is in a confined and congested
area where the gas can accumulate. FGS can be beneficial in detecting the presence of a
flammable fuel-air mixture (or detecting a release of high-pressure gas). Automatic actions can be
taken by the FGS to minimize both the possibility of ignition and the severity of the vapor cloud
fire hazard. Actions that are most effective in the early stage of a gas release or accumulation are:
•
alarms and evacuation/sheltering of personnel
•
automatic ESD with isolation and depressurizing equipment that can be leaking gas
•
automatic control of ignition sources (electrical de-energization, etc.)
•
activation of deluge systems to disperse gas and suppress burning of the gas
In this context, early detection means before a high probability of ignition or before a large
accumulation occurs. If gas is not detected early, there is the potential for further accumulation
resulting in escalation to a more severe hazard, including the potential for a VCE, or for gas to
migrate beyond the process area to locations where there is either high personnel occupancy or
strong ignition sources.
Within a few seconds or less, a vapor cloud fire will burn back to the p oint of ignition and cause
the hazards described above; however, the aftereffects can include a residual jet fire (f or a
momentum-driven release) or pool fire (for a liquid release/pooling), or perhaps both. The residual
fire will continue to burn until the source of the fuel is isolated and any accumulated fuel is
consumed. While it is highly preferable to detect a flammable gas hazard before ignition to
safeguard life, FGS can also be beneficial in detecting the residual fire and taking actions to limit
its duration and intensity.
There are several different philosophies for flammable gas detection. Flammable gas detection
can be applied to detecting either an accumulation of gas or a release of gas. Actions could be
prompt evacuation, shelter in place in response to an alarm notification, or acting to limit the
size/extent and ignition potential for a vapor cloud. The following are two different philosophies for
flammable gas detection. Each is valid for a particular application.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 26 -
Table 2 – Example combustible gas detection philosophies
Flammable Gas Detection
Philosophy
Elements of Philosophy Decision
Detect credible gas releases by
strategically placing detection
equipment in proximity to release
sources to minimize potential for
extended duration gas release
that could ignite with severe
consequences.
Within a monitored area:
Detection: Leak/release sources and size should be identified, and
detectors located in proximity to leak sources to provide incipient (early)
indication of a hazard before gas migrates to a location where ignition
and escalation are likely.
Typical
Application
Successful FGS mitigation:
•
alarm to evacuate personnel to safety and allow controlled operator
shutdown (or automatic ESD)
Migration beyond a monitored area:
Detection: Variation in gas cloud size and direction makes it difficult to
specify detector layout and spacing within a monitored area to address all
possible leak scenarios. Because ignition sources and occupancy are
well controlled within a process area, detection within a monitored area
should be supplemented with perimeter gas detection to improve
confidence that the release will be detected before migrating to a strong
ignition source or area with higher occupancy and a more severe impact.
Onshore process
plants
Successful FGS mitigation:
alarm to evacuate personnel to safety and allow controlled operator
shutdown (or automatic ESD)
Detect gas accumulations in
hazardous quantities that, if
ignited, could cause significant
impairment to life, safety, and the
asset.
Within a monitored area:
Detection: Gas dispersion patterns might not be predictable, and gas
hazards are most severe in areas where gas can accumulate within
confined and congested process areas. Detectors should be placed in
areas where gas can accumulate in order to mitigate a threshold
accumulation volume that can result in a more severe blast, which could
impair structural integrity or impair evacuation/egress.
Successful FGS mitigation:
•
isolate fuel source and depressurize
•
de-energize electrical apparatus
•
evacuate personnel to safety
Offshore facilities
Migration beyond a monitored area:
Detection: Reliable detection cannot be assured in areas where gas does
not accumulate (absence of confinement/congestion), nor is the severity
of an ignited gas cloud of high concern due to the lower severity of a
vapor cloud fire (no VCE). Credible leak scenarios should be identified,
and detection of gas migration should be provided at receptors of
concern (detection at HVAC air intakes, etc.).
Successful FGS mitigation:
•
alarm to shelter/evacuate personnel
•
de-energize electrical apparatus
It is impractical to detect all gas leaks, even all leaks that could be hazardous. Release sources
and direction of dispersion cannot always be predicted with certainty. In some locations, where
gas can be dispersed by wind or ventilation, a strategy of placing detectors only around likely
release sources can have limited effectiveness. The gas detection philosophy should specify if
alarms and FGS executive actions will occur on a single detector in alarm state (1ooN) or require
more than one detector in alarm state (2ooN). A well-defined philosophy will guide the FGS user
in determining the correct performance objectives.
4.5 Toxic gas detection philosophy
Toxic gas detection involves an analysis of a specific application, as general guidelines are difficult
to set due to the widely varying hazards of different toxic materials, the variations in concentrations
of toxic materials, and the high dependency of toxic hazards on site-specific factors, including
Copyright 2018 ISA. All rights reserved.
- 27 -
ISA-TR84.00.07-2018
meteorology. Therefore, one approach is to select a hazard scenario and model the extent of the
hazard (e.g., dispersion, computational fluid dynamics [CFD]). To model a toxic gas hazard,
consider the smallest hazard scenario that would require detection; this can be based on either
risk or a team-based review and should be likely to occur in the project lifetime. A second approach
is to directly postulate the magnitude of a toxic gas volume that is of concern and then design
using a geographic technique (e.g., 5 m H2S cloud size, 8 m H2S cloud size) .
The objective of a toxic gas detection system is to detect concentrations of gas that could be
hazardous to personnel in time for proper protective actions to be taken. Automatic actions can be
taken by the FGS to minimize the severity of the hazard. Actions that are most effective in early stage of gas release or accumulation are:
•
alarms and evacuation/sheltering of personnel
•
automatic ESD with isolation and depressurizing equipment that can be leaking gas
The following is an example philosophy for toxic gas detection.
Table 3 – Example toxic gas detection philosophies
Toxic Gas Detection Philosophy
Elements of Philosophy Decision
Detect credible gas releases by
strategically placing detection
equipment in proximity to release
sources to minimize potential for
extended duration gas hazard that
could result in severe
consequences.
Within a monitored area:
Detection: Leak/release sources and size should be identified, and
detectors should be located in proximity to leak sources to provide early
indication of a hazard before gas migrates to a location where exposure
is likely.
Typical
Application
Successful FGS mitigation:
•
alarm to evacuate personnel to safety or shelter and allow controlled
operator shutdown (or automatic ESD)
Migration beyond a monitored area:
Detection: Variation in gas cloud size and direction results in difficulty
specifying the detector layout and spacing within a monitored area to
address all possible leak scenarios. Because occupancy is well
controlled within a process area, detection within a monitored area
should be supplemented with perimeter gas detection or gas detection
along egress paths to improve confidence that the release will be
detected before migrating to an area with higher occupancy and more
severe impact.
Onshore process
plants and offshore
facilities
Successful FGS mitigation:
•
alarm to evacuate personnel to safety or shelter and allow controlled
operator shutdown (or automatic ESD)
4.6 Fire and gas hazard assessment, requirements specification, and
performance verification
Determining the target performance of an FGS function should be accomplished using hazard and
risk analysis. In this context, performance includes: safety availability of the FGS equipment, the
coverage of the FGS detectors, and the effectiveness of the mitigative actions . A design for FGS
mitigation requires input from the end user’s fire and gas philosophy in terms of establishing the
performance objectives.
Techniques used to select target FGS performance should consider parameters that affect the
hazard and risk. They are often applied on an equipment-item basis to determine if an FGS should
be considered to protect each equipment item and, if protection is required, what degree of
performance should be targeted in the design. The hazard and risk parameters that should be
considered include the following:
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 28 -
•
material flammability/toxicity
•
process temperature
•
process pressure
•
hazard frequency
•
source leak size
•
ignition sources
•
potential for gas accumulation
•
environmental conditions
Two typical strategies for the hazard and risk assessment for the selection of FGS performance
targets are used in industry. These two general approaches are referred to as semi-quantitative
and fully quantitative risk analysis. While the fully quantitative risk analysis methodologies are
more precise, the semi-quantitative methods are also acceptable.
•
Semi-quantitative risk analysis has a level of effort similar to layer of protection analysis
(reference 2.5 and 2.6). It uses lookup tables and “order of magnitude” selections to categorize
various risk parameters and thereby establish the needed performance targets. These semi quantitative techniques need to be calibrated to ensure that these coarse level -of-effort tools
provide satisfactory results. See Annex A for an example of a semi-quantitative hazard and
risk analysis.
•
Fully quantitative risk analysis verifies that quantitative ri sk tolerances have been achieved
using detailed quantification of the hazard and risk. While the fully quantitative analysis
provides more accurate results, it is also more time consuming and can be resource intensive
(see Annex D).
The following steps are broadly applicable to both strategies for hazard and risk analysis.
4.6.1
Step 1 – Identify areas of concern
FGS installations in the process industries are typically designed to address hazards associated
with loss-of-containment events caused by leaks, corrosion, and erosion. In many cases, FGSs
are only expected to provide general process area coverage. Under these circumstances, the FGS
design can be based on simple prescriptive practices (e.g., references 2.2 and 2.3), if available
for the application. In some process plants, their implementation is beneficial, while in others use
of an FGS is unnecessary. Not all process plants will even undergo a formal analysis of FGS
design requirements. The determination of whether formal assessment of FGS design
requirements analysis is required will be the result of end-user policies/procedures and regulatory
oversight, such as:
•
process hazards analysis (PHA) recommendations
•
QRA for FGS
•
end-user standards and design practices
•
regulatory requirements
•
auditor recommendations
•
FGS screening analysis
•
previous incidents
An FGS screening analysis can be used to identify areas of concern where FGS installation can
be beneficial in reducing risk. An FGS screening analysis should consider the flammability and
toxicity of the materials being processed, which would identify process equipment that represents
an area of concern for possible performance-based FGS design. The plot plans, process flow
Copyright 2018 ISA. All rights reserved.
- 29 -
ISA-TR84.00.07-2018
diagrams, heat and material balance, and P&IDs should be analyzed to identify the process
material(s) and normal operating conditions, and whether the materials processed contain fire
hazards, combustible gas hazards, or toxic gas hazards.
4.6.2
Step 2 – Identify hazard/risk scenarios
Performance-based FGS design requires identification of hazard scenarios for which FGS
functions are designed. Although the FGS is expected to perform on demand for a wide range of
general hazards, a few specific hazards should be identified to establish target performance and
allow measurement of achieved performance.
Major equipment items should be analyzed to identify the type of fire or gas hazard, and this should
include storage tanks, pressure vessels, pumps, compressors, separation equipment (distilla tion
towers, etc.), and heat exchangers. The type of hazard depends on the process fluid composition,
the process conditions (temperature and pressure), the size and duration of the credible release,
and the type and location of ignition sources.
Performance targets are defined with respect to the hazard scenario(s) that FGS design is intended
to detect and adequately mitigate. This step can involve direct hazard identification (e.g., 50 kW
radiant heat output fire, 10 m 3 combustible gas accumulation, 20% LFL accumulation) or
identification of credible scenarios involving release of hazardous material that could give rise to
fire and gas hazards. These include corrosion-initiated leaks, flange gasket leaks, and small
diameter tubing failures. Where scenarios are selected as the basis of design, the analysis should
consider the attributes in sufficient detail to determine the potential physical characteristics of the
hazard scenario, such as fire size or gas dispersion extent.
This step results in a list of equipment items and associated hazards/scenarios that are carried
forward to subsequent steps.
4.6.3
Step 3 – Analyze consequences
Once a fire or gas scenario is identified, a consequence severity study should be undertaken to
determine the physical extent of the hazard and the potential to escalate the severity if not
detected. This either takes the form of a model that predicts the physical effects of the release, or
is based on qualitative (e.g., PHA team judgment) or semi-quantitative techniques. The end user
should decide the criteria used to analyze the extent of the unmitigated fire, combustible gas, or
toxic gas hazard scenario (qualitative, semi-quantitative, and/or full quantitative). The following
sections address quantitative methods only. The application of consequence modeling is not
addressed in detail in this technical report. Refer to CCPS (reference 2.7) for more guidance.
Fire hazards
For fire scenarios, the extent of fire and thermal radiation effects are usually required to determine
detector layout requirements. Fire detectors using optical or visual detection means are sensitive
to the amount of radiant heat output from the fire , but limited by a threshold amount of radiation
received at the detector below which a fire cannot be detected. Consequence models predict these
physical effects as a function of orientation and distance from the fire. Results of fire models
provide the basis to determine the number and location of fire detectors necessary to detect a
given fire scenario.
The fire analysis should identify a threshold amount of radiant heat output that can result in a
potential hazard, or escalation of a hazard based on the typ e of processing equipment and layout.
The criteria should be used as the end point for the fire consequence analysis.
Combustible gas hazards
For a combustible gas hazard, consideration should be given to the dispersion and potential
accumulation of gas in unconfined or semi-confined areas, and estimates should be developed of
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 30 -
the extent of the combustible gas hazard. Although this can be accomplished by defining the
volume of the gas accumulation of concern, gas dispersion/accumulation modeling and explosion
analysis in confined or congested areas should be considered.
Gas dispersion analysis using similarity models is adequate for some outdoor locations where
dispersion is only affected by momentum jet effects as well as atmospheric effects. Dispersion
modeling results should be generated for concentrations at the threshold for alarm for gas
detectors. Similarity models and other simplified empirical models can be misleading when
studying gas dispersion, especially for indoor releases. Simplified models can yield vastly different
concentration profiles than full computational fluid dynamics (CFD) models. In most cases,
ventilation and geometry dominate the dispersion, so most simplified/empirical models cannot
accurately capture this information to a sufficient resolution. Further, simplified models frequently
do not account for turbulence or the interaction with solid surfaces. These play a significant role
in the shape, size, and concentration of the vapor cloud and thus need to be evaluated with
sufficient resolution. Gas dispersion in confined or congested spaces or enclosed volumes should
use consequence analysis methods (e.g., CFD) to examine concentration profiles under the
influence of forced ventilation systems rather than atmospheric effects.
For flammable/combustible gas hazards, the gas concentration is the primary means of potential
hazard detection; however, the actual hazard can include one or more of vapor cloud explosion
(confined or semi-confined), fire, or toxic inhalation exposure.
The hazard is a function of volume of hazardous material, concentration, and level of confinement
in the case of vapor cloud explosion. As the volume increases, a more severe hazard becomes
more likely. Therefore, the detector placement is predicated on criter ia to detect the gas
concentration early enough that action can be taken before the release becomes a larger gas cloud
of potentially higher concentration. With earlier activation, the hazard potential can be lowered
(e.g., maximum explosion overpressure that could be tolerated without severe damage or loss of
life). The development of these criteria is provided by CCPS (reference 2.7) but is outside the
scope of this technical report.
Toxic gas hazards
For facilities that store, handle, or process toxic gases, the worst credible scenario can be an
uncontrolled release of a toxic substance to the atmosphere. Facilities that deal with these
substances generally invest in equipment to handle the substance , such as vents to flares,
scrubbers, incinerators, or alternate containment vessels. The failure of this equipment, its
controls, or the piping system itself (leaks, erosion, and corrosion) can lead to a release. Gas
detection systems are often utilized to help mitigate this potential hazard.
It is common practice for companies handling toxic gas releases to conduct dispersion modeling
of credible scenarios to determine the potential effect of a given release. Dispersion modeling will
address plant and surrounding area topography information, leak rate inform ation, plant weather
data, and toxicity information. ERPG ( emergency response planning guidelines) numbers or IDLH
(immediately dangerous to life and heath) numbers are often used to characterize the extent of
the acute toxicity hazard.
The design intent of toxic gas detection is to mitigate the severity of the unmitigated hazard
scenario. This is typically accomplished by early detection that results in more effective emergency
response, containment, or the evacuation of personnel to a safe location. Unmit igated
consequences should define the extent of impact of the unmitigated hazard outcome, which can
include onsite and/or potentially offsite consequences.
Escalation of flammable and toxic gas hazards
The design intent of fire and gas detection is usually to mitigate an already hazardous situation.
This is typically accomplished by limiting the extent of the hazard or, in some cases, providing for
Copyright 2018 ISA. All rights reserved.
- 31 -
ISA-TR84.00.07-2018
additional time before escalation to allow for effective emergency response and containment
and/or to allow for the evacuation of personnel to a safe location.
In addition to an incipient fire or gas release scenario used for establishing detector location and
placement, the consequence analysis should include an assessment of the potential outcome of
that scenario if unmitigated by the FGS. This could result in escalation of the hazardous event into
a larger, more severe consequence than the scenario selected as the basis of design for FGS
detection. This severe consequence represents the potential outcome of FGS failure due to
inadequate detector coverage, poor FGS availability, or ineffective mitigation actions.
Other consequence modification factors
Occupancy, time at risk, and ignition probability are other factors that could be considered when
assessing risk to personnel safety. These factors should be justified through scenario -specific
analysis that ensures that these factors are reasonable and appropriate for the scenario under
consideration. For example, occupancy likely changes as plant personnel respond to potential or
realized loss of containment. In contrast, the likelihood that a release is flammable is dependent
on the chemical properties, release size and location, and dispersion potential. When fl ammable
liquids or gases are involved in the scenario, it is possible to estimate the potential for a fire or
explosion using qualitative, semi-quantitative, or quantitative methods. Ignition probability data for
combustible liquids, flammable liquids, and flammable gases is provided by CCPS (ref erence 2.7).
Guidance on determining appropriate values for these factors is outside the scope of th is technical
report.
4.6.4
Step 4 – Analyze hazard frequency
Before establishing FGS performance requirements, consideration should be given to the
likelihood or frequency of the hazard(s) that could result in the unmitigated/escalated consequence
severity. Further, a decision can be made about the tolerability of an unmitigated fire and gas risk,
which can guide decisions about the scope of an FGS design. Release frequency can be
determined by applying databases of equipment failure rates to the identified scenario, but could
also be based on qualitative (e.g., PHA team judgment) or semi-quantitative techniques.
In many cases, a risk scenario arises from equipment damage and failure mechanisms, such as
general corrosion, that are well understood. In these cases, application of industry failure rate data
should be considered. For example, such databases inclu de leak frequencies for components,
such as piping, flanges, pressure vessels, and compressor seals. Methods for adjusting industry
failure data based on site-specific inspection and maintenance histories are also available.
In some cases, the hazard scenario can arise from unique factors that should be addressed in a
scenario-specific analysis. An example is an uncontrolled release of a flammable gas in gas
production wells due to produced sand causing erosive damage to flowlines. In this case, industry
failure rate databases are of limited value. The end user’s prior experience and a considerable
amount of judgment can be utilized to establish the frequency of the release scenario.
It is often the case that fire and gas detection is provided in an area to detect release from multiple
sources of potential release. In these cases, there should be some effort taken to aggregate the
frequency of the potential hazard scenarios in the area of concern. This is accomplished by
accounting for a number of equipment leak scenarios with similar consequences and generating
the sum total or cumulative frequency of release. This aids in minimizing the number of scenarios
that need to be individually analyzed. For example, sum the frequency of all scenarios with 50 kW
radiant fire in the area of concern.
4.6.5
Step 5 – Assess unmitigated hazard/risk
Unmitigated hazard/risk is measured before considering the benefit of the proposed FGS. The
most conservative approach is to assume that the FGS is unavailable in the event of the hazard.
The unmitigated/escalated consequence severity and hazard frequency can be compared to endCopyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 32 -
user criteria for tolerability. This can be accomplished through application of a hazard/risk matrix
with sufficiently detailed information regarding consequ ence severity and likelihood. Alternatively,
quantitative risk criteria can be stated in terms of tolerable mitigated event likelihood. If the criteria
indicate that the unmitigated hazard/risk scenario is tolerable, additional risk reduction using FGS
function(s) is not required unless otherwise mandated by local legal requirements. If the
hazard/risk is higher than target criteria, then the risk reduction requirements should be established
for the applicable fire, combustible gas, or toxic gas detection f unction in the FGS.
If the outcome of this step results in an acceptable situation with no additional risk reduction,
further analysis of performance-based requirements for FGS design is optional. Design of the FGS
and sensor placement should be based on existing methods for system design, such as the
applicable national standard or industry guidelines and relying on the judgment of a qualified
engineer for sensor placement. Good practice guidelines in Annex B should be considered for
sensor placement.
4.6.6
Step 6 – Identify FGS performance targets
After previous steps in the hazard/risk assessment, equipment of concern and hazards of concern
will have been identified and the consequence severity/likelihood and acceptability of an
unmitigated hazard will have been considered. The presentation of this information can vary in
format. The information can take the form of a qualitative hazard assessment, a fully quantitative
risk assessment, or a semi-quantitative assessment of hazard/risk. FGS designers with more
qualitative hazard input can apply broad guidance from industry or company practices to establish
a single and uniform performance target (e.g., 85% target detector coverage). FGS designers with
more quantitative hazard information can establish performance targets that are specific to the
hazards being assessed.
More information on the selection of FGS performance targets is included in the annexes of this
TR. Annex A contains an example of a semi-quantitative approach for selecting FGS performance
targets, and Annex D contains worked examples of FGS performance target selection, using a
variety of methods for a variety of applications.
FGS performance metrics
FGS performance targets should be consistent with the end-user philosophy for hazard detection
and mitigation, based on the level of hazard and risk associated with process hazards in a
monitored area, and agreed upon by the end user. Achievement of FGS performance targets
should be through application of one or more of the listed FGS performance metrics shown in table
4. In the absence of specific guidance from the end-user philosophy, the following options should
be considered for metrics:
1. Applications with claimed FGS risk reduction factor ≤ 10: Quantification of detector
coverage as FGS performance metric. Qualitative consideration of other performance
metrics.
2. Preventative FGS safety functions: Applications with claimed FGS risk reduction factor
(RRF) in excess of 10. Quantify detector coverage and safety availability.
3. Mitigative FGS safety functions: Applications with claimed FGS RRF in excess of 10.
Quantify detector coverage, safety availability, and mitigation action effectiven ess. Note
that for these types of functions it is difficult to achieve target RRF, as they require strong
FGS detector coverage, as well as FGS mitigation effectiveness.
Classification of an FGS function as either preventative or mitigative is the responsibility of the
end user of this technical report. Where unmitigated hazard severity is deemed to pose an elevated
level of hazard/risk, FGS mitigation as well as other non-FGS means of risk reduction should be
considered. Target FGS performance can be defined in various ways, such as an FGS risk
reduction factor, percent reduction in risk of unmitigated hazard severity, or maximum allowable
Copyright 2018 ISA. All rights reserved.
- 33 -
ISA-TR84.00.07-2018
PFD avg of the FGS function. Target FGS performance should be established to reduce the
likelihood of an unmitigated hazard outcome.
Table 4 – FGS performance metrics
Performance Metric
Expression
Recommended Application
Guidance
FGS detector coverage
Quantitative: Probability
Applications where claimed FGS
Annex A
risk reduction factor ≤ 10
Applications where claimed FGS
Annex D
risk reduction factor > 10
FGS safety availability
Qualitative confirmation
Applications where claimed FGS
Annex D
risk reduction factor ≤ 10
Quantitative: Probability
Applications where claimed FGS
Annex D
risk reduction factor > 10
FGS mitigation action
Qualitative confirmation
effectiveness
Mitigation applications where
Annex C
claimed FGS risk reduction factor
≤ 10
Quantitative: Probability
Mitigation applications where
Annex C
claimed FGS risk reduction factor
> 10
Performance targets for FGS detector coverage should be quantified for all applications where any
risk reduction is claimed. Detector coverage should be defined per each FGS function associated
with area monitoring.
Performance targets for FGS safety availability should be confirmed, and, wherever FGS target
RRF exceeds 10, FGS safety availability should be quantified. Confirmation should at minimum
include prior use experience and compliance to any applicable industry standards.
Quantification of FGS safety availability should be expressed based on an FGS function associated
with coverage in a defined monitored area.
Where applicable, performance targets for FGS mitigation action effectiveness should be
confirmed, and, wherever the FGS target RRF exceeds 10, FGS mitigation action effectiveness
should be quantified. Guidance on mitigation action effectiveness is provided in clause 6.2. 10 and
Annex C, including information on estimating this metric at a hazard scenario-by-scenario level of
detail.
As illustrated in Figure 3, FGS performance targets should be selected such that the target risk
reduction can be achieved by the FGS safety function. FGS effectiveness is the product of
applicable performance metrics including detector coverage, FGS safety availability, and FGS
mitigative action effectiveness accounting for common cause, common mode, and systematic
failures.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 34 -
FGS Detector
Coverage
FGS Safety
Availability
Yes
Yes
FGS Mitigation
Effectiveness
Relative
Likelihood
Outcome
0.9
0.76
Mitigated
0.1
0.08
Unmitigated
0.01
Unmitigated
0.15
Unmitigated
0.99
0.85
Design Basis Hazard
No
1
0.01
No
0.15
FGS Effectiveness
0.76
Figure 3 – FGS effectiveness
Where FGS function(s) are claimed to reduce risk, FGS effectiveness should be sufficient to reduce
risk associated with the unmitigated hazard severity to meet the end-user risk guidance.
Reducing risk significantly beyond one order of magnitude (fire and gas RRF > 10) might not be
practical for many mitigation applications, because the achieved risk reduction is usually limited
by detector placement, achieved coverage, or mitigation effectiveness rather than FGS safety
availability. In fact, an achieved detector coverage factor below 90% limits the overall achieved
RRF < 10 irrespective of other FGS performance metrics.
NOTE The risk of the mitigated hazard assuming 100% detector coverage, FGS availability, and mitigation effectiveness
(e.g., perfect FGS operation) can still result in an intolerable risk. This could occur if the frequency of the initiating event
or the mitigated consequence severity is high. In these cases, other risk reduction means (hazard prevention) should be
utilized to meet the risk criteria (fully quantitative).
Design-basis hazard for measuring target FGS performance
Underlying the concept of performance-based FGS design is the need to detect a hazard of
threshold size/magnitude or larger. The designer should specify this hazard when identifying
performance targets. The specified hazard threshold size/magnitude should be:
•
consistent with the end-user philosophy for hazard detection and mitigation
•
based on the level of risk associated with process hazards in a monitored area
•
likelihood of hazard
•
severity of escalated hazard if not adequately detected and mitigated
•
within the capability of the FGS actions to meet the target hazard mitigation (e.g., reduce
severity by one order of magnitude)
•
agreed upon by the end user
NOTE Use of a prior analysis of fire and gas hazards from other process safety or loss prevention activities should
verify the prior analysis meets the above criteria to be used in the FGS design. Where detection of an incipient hazard
is required, the prior hazard analysis should align with those design requirements.
Design-basis hydrocarbon fire
Hydrocarbon fires can be detected either during the incipient stage (early) or in the fully developed
stage. Automatic safety actions for fire suppression should be considered in identifying th e design-
Copyright 2018 ISA. All rights reserved.
- 35 -
ISA-TR84.00.07-2018
basis hazard. Hydrocarbon fire detection will typically be based on detection of an incipient fire.
Some philosophies will not require incipient fire detection in all areas, particularly unmanned
installations. The following table provides guidanc e on several alternatives for selecting the
design-basis hazard.
Table 5 – Examples of design-basis fire hazards
Detection Philosophy
Design-Basis Hazard
within Monitored Area
Typical Application
Incipient hydrocarbon fire
detection
1-ft x 1-ft liquid hydrocarbon fire
Medium to high hazard areas
Fully developed
hydrocarbon fire detection
Matches test conditions for liquid fire
detection
10-kW radiant heat output
High hazard areas – alarm
50-kW radiant heat output
High hazard areas – safety action
100-kW radiant heat output
Medium hazard areas
36-inch gas plume fire
Typical test conditions for gas plume fire
detection
250+ kW radiant heat output
Low hazard areas
5-mm leak in pressurized gas system
12-mm flange leak
QRA credible leak scenarios.
Fire model used to determine hazard
size/thermal radiation
0.5-meter × 1.0-meter flame
Single detector criteria
1.0-meter × 3.0-meter flame
Two or more detector criteria
25-mm or larger leak of pressurized
gas, jet fire
Annular release from well blowout, jet
fire
Major accident hazard scenarios
Pooling hydrocarbon fire covering deck
or secondary containment area
If a release scenario is selected instead of a specified hazard magnitude, then fire modeling should
be used to determine the extent of the fire hazard and the detectability of fire effects as a function
of distance. The following end-point criteria should be considered:
•
severe damage to process equipment above 37.5 kW/m 2 (12,000 Btu/hr/ft 2 )
•
life-threatening thermal radiation for short exposure above 20 kW/m 2 (6,500 Btu/hr/ft 2 )
•
serious burn injury and blocked escape routes above 12.5 kW/m 2 (4,000 Btu/hr/ft 2 )
•
moderate burn injury above 5.0 kW/m 2 (1,700 Btu/hr/ft 2 ) for short exposure (<1 minute)
The installed system should be capable of functioning properly within the selected zone of thermal
radiation. In addition, the designer should consider modeling thermal radiation to the threshold of
detectability for the selected fire detection technology (e.g., optical, heat) in accordance with the
vendor-specified performance capability.
Design-basis combustible gas hazard
Gas detectors can be positioned to detect a specified size/magnitude of release or to detect a
specified volume of gas. The choice for a design-basis gas hazard should be consistent with the
end-user philosophy on gas detection. The following table provides guidance on alternatives for
selecting the design-basis hazard.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 36 Table 6 – Examples of design-basis gas hazards
Detection Philosophy
Design-Basis Hazard
within Monitored Area
Typical Application
Detect credible gas releases by
strategically placing detection
equipment in proximity to release.
Flammable gas cloud associated with
leak of 1 to 5 mm high-pressure gas
release
Moderate to high hazard area
Flammable gas hazard associated with
leak of 12 to 25 mm low pressure gas
release
Low hazard area
Significant release (reference 2.11) of
flammable gas associated with:
High hazard area
Detect gas accumulations in
hazardous quantities that, if
ignited, could cause large-scale
impact to life, safety, and the
asset.
Analysis of dense and dilute
clouds can be applied within this
philosophy to represent
1ooN/2ooN coverage (alarm or
action).
•
kg/s (0.22 lbs/sec) for gas and two
phase with duration less than
2 minutes
•
0.2 kg/s (0.44 lbs/sec) for liquid
(oil/condensate/nonprocess) with
duration less than 5 minutes
Flammable gas cloud associated with 3
lb/sec leak (11,000 lb/hr) based on a 25
mm hole diameter at 100 psig. 2000 lb
quantity in 10 minutes
Moderate to low hazard area
5-meter spherical cloud accumulation
Within process areas of high confinement
and congestion
7- to 8-meter spherical cloud diameter
Within process areas of moderate
confinement and congestion
10-meter spherical cloud accumulation
Within process areas of low confinement and
congestion
Intermediate cloud dimension (5 to 10
meters) with blast modeling
Explosion modeling to determine threshold of
severe structural damage and impairment of
evacuation (150 mbar/3 psig)
It is the responsibility of the end user to determine if the purpose of gas detection is incipient
(early) detection or major hazard detection, which implies quantities of gas could be present that
if ignited could cause large-scale safety impacts.
If a release scenario is selected instead of a specified hazard magnitude, then gas
dispersion/accumulation modeling should be used to determine the extent of the combustible
hazard, and the detectability as a function of distance. The following end-point criteria should be
considered:
•
20% of LFL: Threshold of ignitability of gas when using similarity-based gas dispersion models
•
5% to 10% of LFL: Threshold of detectability of gas using selecte d gas detection equipment
Design-basis toxic gas hazard
Toxic gas detectors can be positioned to detect a specific size or magnitude of toxic hazard within
a process area or migration of toxic gas beyond the process area, or they can be positioned to
protect access and egress pathways. The choice for the design-basis hazard should be consistent
with the end-user philosophy and guidance from the competent authority on toxic gas exposure
levels. Direct specification of the extent of a toxic gas hazard is one alternative. The second option
is to specify one or more release scenarios and model accordingly.
If a release scenario is selected instead of a specified hazard magnitude, then toxic gas dispersion
modeling should be used to determine the ex tent of the toxic gas hazard and the detectability of
the hazard scenario. The following end-point criteria can be considered:
Copyright 2018 ISA. All rights reserved.
- 37 -
ISA-TR84.00.07-2018
•
IDLH concentration for acute safety exposure
•
threshold weighted average (TWA)-threshold limit value (TLV)/short-term exposure limit
(STEL)/permissible exposure limit (PEL) for chronic health exposure
In addition, modeling should address the threshold of detectability of target toxic gas using
selected gas detection equipment and vendor-approved performance capability.
4.6.7
Step 7 – FGS conceptual design
In addition to the design basis above, the initial design of the fire and gas system components , as
well as sensor placement, should be based on existing methods for system design, such as the
applicable national standard or industry guidelines, and on the judgment of a qualified engineer
for some items, such as sensor placement. For instance, some users space detectors based on a
maximum spacing that will result in a minimal hazard.
NOTE If the target risk reduction for the FGS safety function is > 10, then IEC 61511 practices will apply to the sensor,
logic solver, and final element subsystems.
An initial FGS detector layout should be proposed using expert judgment by considering the factors
discussed in Annex B.5, which have an impact on FGS effectiveness.
When identifying scenarios that are used to establish FGS performance targets, it is important to
consider the design limitations of automatic FGS activation. Ensure that the basis -of-design
hazards are appropriate given the limitation of the system. For e xample, detector
location/placement for a fire suppression system design that extinguishes only an incipient fire will
need to be designed with detector location and placement sufficient to detect early -stage fire
scenarios.
Design should consider the amount of time between when the hazard initially becomes detectable
by the selected equipment and the time when the expected degree of risk reduction can no longer
be achieved due to a fully escalated hazard. This will define the overall response time requirem ent
for the FGS safety function.
4.6.8
Step 8 – Verify detector coverage
The proposed location of fire and gas detectors should be analyzed to determine how effective the
proposed array of detectors with a given voting arrangement will be in detecting the hazard and
initiating a specified safety action. An assessment of detector coverage involves analysis of the
potential sources of fire and gas within a given monitored process area and the performance of a
proposed detector design, including the number, type, lo cation, orientation, and set points of
detectors. There are (at least) two possible approaches that can be used for fire and gas mapping
of detector coverage: geographic coverage and scenario coverage. In either case, the analytical
method to determine achieved coverage should involve a computer model to map detection
coverage. Refer to Annex B for attributes that modeling software may contain.
Design verification should account for common cause, common mode, and dependencies between
the detector coverage, safety availability and mitigation effectiveness and between the FGS and
the initiating source of the hazard or other IPLs. The coverage levels that have been achieved for
a given proposed detector array are then compared against selected performance targets. If the
coverage target has been achieved, the proposed design is acceptable. If the target is not
achieved, the type, number, and/or location of detectors should be reviewed and modified until the
coverage target is achieved.
4.6.9
Step 9 – Verify FGS Safety Availability
Quantitative verification of the FGS safety availability should be per applicable guidance of ISA for
safety instrumented functions (SIFs). FGS safety availability is calculated per FGS function and is
the mathematical complement of the probability of failure on demand (PFD). PFD for an FGS
function is a summation of the sensor PFDavg + logic solver PFDavg + final element PFDavg,
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 38 -
where the PFDavg is a function of the dangerous undetected failure rate of each device, the voting
architecture of each device grouping, and the proof test interval of the devices. Verification can be
accomplished using the techniques presented in the ISA-TR84.00.02 for analysis of SIFs.
However, several significant differences between SIFs and FGS functions should be noted to
ensure an accurate assessment of FGS safety availability is achieved.
First, proper definition of the FGS function is critical to ac curately assessing the FGS safety
availability. The quantity of detectors and possible voting schemes of the FGS function are directly
related to the detector design basis, which specifies the gas cloud or flame size that the detector
array can detect with the goal of mitigating further accumulation , such that the gas cloud or flame
size cannot escalate to a catastrophic event. FGS applications can be designed to act when a
single sensor goes into alarm. However, most systems implement some form of voting o f multiple
sensors in an area of concern to reduce the likelihood of system activation from a single sensor
failure. Typically, two or more sensors in an area of concern must go into alarm before automatic
action is taken. While this reduces the probabilit y of nuisance trips from a single sensor failure, it
also reduces the probability of successfully responding to a hazardous event. It is less likely for
two or more detectors to be in the area of concern, assuming the layout of detectors has not been
changed with the implementation of voting.
Detector voting schemes cannot be determined until a detector design basis is established (e.g.,
the sensor array should be designed to detect an accumulation of combustible gas with a maximum
diameter of 5 meters). If an area of concern contains three detectors, the ability of the detectors
to detect the event within the required time will determine whether the voting scheme is 1oo1,
1oo2, 1oo3, or 2oo3. Thus, if the postulated 5-meter gas accumulation is moved throughout the
area of concern and, at any one time, only one detector can “see” the accumulation, the voting
scheme is 1oo1. The other two detectors cannot “see” the accumulation volume in question and
thus should not be considered as redundant measurements for the hazard scenario.
Second, one should consider the source of the failure rate data being used in the PFD avg
calculation itself. Failure rate data is readily available from a variety of data sources (vendor data,
industry data, site specific data, etc.). However, if one looks closely, this failure rate data as
presented typically includes an assumption that the device will operate in a fail -safe, de-energizeto-trip mode. Most FGSs operate in an energize-to-trip arrangement. Consider a failure mode
where a logic solver is unable to energize its output. In a de -energize-to-trip scheme, this type of
failure will prevent one from initially opening a fail -closed valve during startup. Thus, it would be
classified as a safe failure by the manufacturer. However, i n an energize-to-trip scheme, this type
of failure prevents one from opening a suppression valve during a demand. Thus, it should be
classified as a dangerous failure. Thus, one needs to carefully review the failure rate data being
considered for use in the calculations.
Also, motive force needed for any energize-to-trip mitigative actions should be available long
enough to meet the design intent of the FGS action. For example, the availability of deluge or
suppression systems should be included in the calculation. FGS designs typically involve actuation
of final elements that might be controlled by other systems, such as isolation valves controlled by
the safety instrumented system logic solver. Any equipment that is required for FGS operation
should be included in the FGS availability calculation. If the equipment associated with the FGS is
used by any other protection layer for the same hazardous event, the common cause impact on
overall risk reduction of this design should be evaluated.
The safety availability that has been achieved for a given FGS function is then compared against
a selected performance target. If the safety availability target has been achieved, the components
and architecture of the FGS function are acceptable. If the target is not achieved, design
parameters, such as redundancy, diagnostics, and test intervals , should be reviewed and modified
until the target availability is achieved.
Copyright 2018 ISA. All rights reserved.
- 39 -
ISA-TR84.00.07-2018
4.6.10 Step 10 – Verify effectiveness of FGS actions
Mitigation action effectiveness is the confidence that the results of activating the final control
element(s) of an FGS function will successfully mitigate the consequence of a defined hazard as
expected (e.g., prevents a small fire or gas accumulation from escalating to a large fire or
accumulation). In this contingency, the FGS function can be ineffective such that the outcome of
the event is not significantly different than it would be if no detection or activation occurred. The
concept of effectiveness of the FGS actions is meaningful only when conside ring FGS functions
that are intended to mitigate hazards; therefore, this has also been referred to as “mitigation
effectiveness.” In the less frequent applications where FGS functions prevent a hazard, this branch
of the event tree is not meaningful.
The reduction in severity afforded by a mitigation action will be related to the magnitude of the
hazard being acted upon and the fundamental limitations of the capability of the FGS actions to
be effective. In general, effectiveness of the FGS actions is likely to be very high when the
magnitude of the detected hazard is small and detection occurs quickly, so the desired safety
action can be taken well before there is the potential for hazard escalation. Conversely, even
correct detection and activation of the FGS actions might be ineffective:
1. Due to an excessive time delay between initiation of the FGS action and when such actions
can be considered effective. For example, combustible gas detection that isolates a
process and opens depressurizing (blowdown) valves can take 20 minutes or more before
the pressure in the system has significantly reduced with a corresponding reduction in the
discharge rate of a gas leak. During the intervening period, the gas that already leaked
from the system could ignite.
2. Due to severe consequences associated with the initial loss of containment event that
would result in a consequence magnitude beyond the design of the FGS actions. For
example, a catastrophic pipeline rupture will very likely result in an immediate vapor clou d
explosion hazard that can have severe consequences before the FGS function can
effectively mitigate them. The ensuing fire might be mitigated, but not before severe safety
consequences have already occurred.
As a result, the design verification should account for these codependencies. Mitigation
effectiveness is recognized as a valid FGS performance metric that will fundamentally limit the
amount of claimed risk reduction for an FGS function below the ideal outcome of 100% confidence
in effective FGS actions. In concept, early detection of small or incipient hazards provides “high”
confidence that FGS mitigation actions will be successful. Late detection results in “low”
confidence. Similarly, low confidence results in under detection of a hazard that is an order of
magnitude larger than the design-basis hazard. While guidance on this topic continues to evolve,
as a minimum for all applications, users of this TR should examine the existing or proposed FGS
function to ensure that FGS actions are creditable as being effective in reducing the magnitude
and severity of the unmitigated hazard. The concerns raised about mitigation effectiveness
highlight using a very cautionary approach when considering FGS systems in applications where
claimed risk reduction associated with FGS mitigation exceeds a factor of 10.
The method of verifying mitigation action effectiveness will depend upon the type of action one
takes (e.g., evacuation of personnel versus deployment of fire suppression versus isolation and
de-pressurization of the process). Further guidance on FGS mitigation action effectiveness is in
Annex C.
4.6.11 Step 11 – Determine FGS effectiveness (mitigated risk)
The FGS effectiveness achieved for an FGS function should be compared against the selected
performance target (see Figure 1). If the target has been achieved, the proposed design is
acceptable. If the target is not achieved, the conceptual FGS design should be reviewed and
modified. Increased coverage, availability, and/or mitigation actions should be achieved and
reverified until reaching the target FGS effectiveness.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 40 -
In addition, the estimated response time for the FGS safety function should be verified against the
requirement established during conceptual design. If the FGS safety response includes evacuation
or other human actions, the FGS safety function response time evaluation should consider
nonoptimal conditions for personnel egress or sheltering that are likely to occur during a real
demand condition.
The results of the hazard and risk analysis and performance target verification are compiled into
FGS performance requirements specifications.
5 FGS engineering activities in a project workflow
FGS engineering activities occur at different stages of a project for design, implementation, and
operation of a new plant or upgrade of existing control system s.
Before any engineering activities, the FGS philosophy should be developed by or in conjunction
with the end user.
5.1 Basic engineering (FEED)
An initial FGS design should be produced. Documents required from the front-end engineering
design (FEED) include the major equipment list, process flow diagrams (PFDs), process hazards
analysis (PHA) documentation for hazard identification, and the layout of major process equipment.
Loss prevention activities including fire hazard analysis should be reviewed. These documents
allow one to determine FGS performance targets through an evaluation of hazards/risks associated
with major process equipment. The type and magnitude of hazard scenarios that will be the basis
of FGS design should be determined. A voting philosophy and detector set points should be
selected, which allow one to establish initial coverage targets. For an existing facility undergoing
a redesign or upgrade of the FGS system, decisions about the accep tability or reuse of existing
equipment in the new design should be made during basic engineering.
Once performance requirements are established, an initial FGS design can be developed ; FGS
mapping can be conducted; coverage can be verified; and the FGS effectiveness can be evaluated
if applicable. The results are used to provide estimates of the type, number, and location of fire
and gas detectors. As detailed 3D process models are not available at this stage, only a preliminary
evaluation of detector coverage can be made, but this should consider the location of major
equipment. The basic engineering phase ends with an initial FGS design with estimates on type,
number, and location of detectors required to meet the performance requirements. Basic
engineering should include a specification of the FGS logic solver and a functional description of
the logic. Equipment design requirements should include event survivability items such as
fireproofing.
5.2 Detailed engineering
FGS engineering activities include a review of process hazards and revalidation of FGS
performance targets. Three-dimensional process models will mature with location of piping,
utilities, electrical elements, and vendor-supplied packaged equipment. When the 3D model is at
the 60% milestone, a detailed design of detector placement can be undertaken. The detector layout
should be reevaluated and updated to ensure coverage requirements are met. Due to the
development of the 3D process model between conceptual engineering and detailed engineering,
significant changes to the FGS detector mapping are likely. The achievement of coverage targets
should be verified, and detector placement optimized using FGS mapping, and one should evaluate
the FGS effectiveness if applicable. Requirements for FGS maintenance and testing should be
developed. Constructability and maintainability issues are typically first identified during detailed
engineering, such as the practical limitations of where detectors can be mounted.
Further, near the end of detailed engineering, the 3D process model matures to the 90% milestone.
A final verification of the FGS mapping and evaluation of FGS effectiveness, if applicable, should
Copyright 2018 ISA. All rights reserved.
- 41 -
ISA-TR84.00.07-2018
be performed to ensure that adjustments to the location of piping, cable trays, and conduit do no t
impede detector performance. This results in a final layout for the FGS, with location and
orientation requirements for all detectors in the FGS. Detailed engineering deliverables should be
completed for the FGS.
5.3 Installation and commissioning
After construction and during commissioning, the FGS should be validated in the field against the
requirements specification. This includes validation of detector type, location, orientation , and
response time. Detector FGS mapping and associated coverage should be checked and updated
as needed to reflect any changes in detector placement during construction, including confirmation
that specified coverage targets have been achieved.
5.4 Operations and maintenance
During operation and maintenance, the FGS should be maintained and tested per specifications
developed during engineering design. This includes reviewing the FGS as part of the management
of change process to ensure that any changes to the process area are reviewed to determine their
impact on the FGS. New or modified process equipment can create new potential leak sources ,
which can change the requirements for the FGS or create new obstacles that should be modeled
to ensure detector coverage is not comprom ised.
5.5 Periodic assessment and audit
The assumptions used in the FGS specification and design (e.g., FGS detector mapping and alarm
response action) should be subject to periodic assessment and revalidation. The performance of
the FGS safety function during inspection/testing or actual demands should be evaluated
periodically against the specification requirements. Unacceptable FGS safety function
performance on test or demand should be investigated and corrected promptly. The end user
should establish the frequency of periodic assessments. It is recommended that periodic
assessments coincide with other process safety revalidation activities.
Copyright 2018 ISA. All rights reserved.
This page intentionally left blank.
Copyright 2018 ISA. All rights reserved.
- 43 -
ISA-TR84.00.07-2018
Annex A  Sample semi-quantitative performance target selection technique
FGS performance targets define the ability of a n FGS function to detect, alarm, and if necessary,
act to mitigate the consequence of a fire or gas release upon a demand condition. In concept, a
higher hazard installation should require higher levels of performance; while a lower hazard
installation should allow lower levels of performance, so that FGS res ources can be effectively
allocated.
Depending on the end-user process hazard analysis (PHA) and FGS philosophies, the factors used
to assess risk of fire and gas hazards in hydrocarbon processing areas can be evaluated in a semiquantitative method. The factors in a semi-quantitative analysis yielding performance targets for
FGS should be calibrated based on the assessment of typical hazard scenarios, consequences,
likelihoods, and target risk reduction for the facility under evaluation. The ability of this method to
achieve the desired level of risk reduction is contingent upon the process conditions and equipment
being consistent with the assumptions used to develop the performance targets. For situations that
do not conform to these assumptions, the user should consider altering the method based on siteand user-specific factors.
This annex presents an example methodology using a scoring system developed for a hydrocarbon
processing facility with fire, combustible gas , and H2S toxic gas hazards. This ranking procedure
is used to evaluate the hydrocarbon fire, combustible gas, and toxic (H2S) gas risks for each area
into one of three risk categories (high, medium, low) for the purpose of establishing FGS detector
coverage performance targets. The sample methodology described here should only be applied to
FGS safety functions with a target FGS risk reduction factor ≤ 10. The reader should be aware of
the requirements contained in existing standards applicable to FGS functions based on risk
reduction factor targets as described in the foreword of this technical report. The following
technical instructions apply to this specific example of a semi-quantitative method. The example
risk analysis methods and risk criteria contained in this annex have been provid ed solely as
explanatory material and should not be interpreted as recommendations.
Hazard ranking is a function of the equipment, hazards, consequences, likelihood, occupancy, and
special factors. Ranking requires an equipment-by-equipment assessment of factors, including:
•
•
•
•
identifying hydrocarbon processing equipment
•
identify credible sources of hydrocarbon gas or liquid release
•
identify amount and type of processing equipment in FGS zone
•
identify process conditions that could aggravate/mitigate consequence severity
assessing consequence severity
•
identify equipment that the FGS is intended to safeguard
•
assess magnitude of safety consequences (injury versus life threatening)
•
identify confinement and congestion in process areas that could aggravate combustible
gas hazards
assessing hazard likelihood
•
determine likelihood of release from all identified release sources
•
identify credible ignition sources (continuous and intermittent)
•
identify the effective response action to prevent safety impacts
assessing level occupancy in FGS zone
•
identify normal/routine occupancy (operations, maintenance, contract)
•
identify nonroutine occupancy (operations, maintenance, contract)
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 44 -
If an FGS zone is not easily characterized by one or more of the factors that comprise t he FGS
zone hazard rank, quantitative risk analysis should be considered.
Figure A.1 shows the hazard ranking procedure.
Figure A.1 – Hazard ranking procedure
Copyright 2018 ISA. All rights reserved.
- 45 -
ISA-TR84.00.07-2018
The ranking procedure uses numerical scoring to assess the risk associated with a given area. As
an input to task one, FGS zones requiring further hazard review have been previously identified.
A.1
Task 1 – Select major process equipment item
Identify the major process equipment in the FGS zone (or perform the analysis one major
equipment item at a time). Figure A.2 assigns a default likelihood score to each type of processing
equipment typically found in a process industry facility, and Figure A.3 assigns a consequence
score based on the phase of the material in the process equipment. The scores account for the
baseline consequence and baseline likelihood of a release that could result in a significant fire,
combustible gas, or toxic gas hazard.
Equipment Item
Shell & tube heat exchanger
Base Likelihood
Score
2.0
Plate & frame heat exchanger
3
Air cooled heat exchanger
2
Column/tower/contactor
2.5
Compressor/expander
3
Pressure vessel/reactor
2
Centrifugal pump
3
Reciprocating pump
3
Atmospheric storage tank
1
LP storage tank
1
Fired heater
2
Pig launcher/receiver
2
Sump/sump pump
1
Piping manifold
1
Single welded pipe segment
1
Figure A.2 – Major equipment item base likelihood scores
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 46 -
Process Material Phase
Base
Consequence
Score
Stable liquids
1
Volatile liquid
2
Gas
3
Figure A.3 – Process material base consequence scores
NBP = normal boiling point
Stable Liquid T (Process) -< FP (Flash Point);
FP and NBP volatile constituent representing > 3 mol% of streams
Volatile Liquid FP < T (process) < NBP
Gas
T (process) > NPB; Gas also includes cryogenic liquids where T(amb) > NBP
A.2
Task 2 – Adjust likelihood score for occupancy
The base likelihood score should be adjusted as necessary to reflect the occupancy environment
near the major equipment item. This should be based either on the impact to occupants from the
design-basis hazard, or the impact based on the unmitigated/escalated hazard that the FGS design
intends mitigate. Figure A.4 defines occupancy adjustment factors. The result is an adjusted
likelihood for toxic hazards, if applicable. No further likelihood adjustment is required for toxic
hazards. Additional adjustment is required for fire and flammable hazard likelihood s.
NOTE Figure A.4 should be reviewed for occupancy to determine an adjustment factor and then reviewed for escape to
determine an adjustment factor. The worst-case (e.g., highest number) adjustment factor should be selected.
Occupancy Environment
FGS Protection from Area of
Immediate Impact
FGS Protection from Escalation
Using Evacuation, Escape,
Rescue Model
Adjustment
Rare occupancy
(less than 15 min per day) ~1%
Rapid escape likely from area of
impact of escalated hazard (1 to 3
minutes)
–2
Moderate occupancy
(routine operator rounds) ~ 10%
Egress possible using designated
routes. Short-duration protection
required from escalated hazard (3 to
10 minutes)
–1
High occupancy
(near continuous occupancy) > 30%
Muster using designated routes
+ evacuation from temporary safety
refuge.
Extended protection required from
escalated hazard (10 to 30 minutes)
0
Figure A.4 – Occupancy adjustment
Copyright 2018 ISA. All rights reserved.
- 47 -
A.3
ISA-TR84.00.07-2018
Task 3 – Adjust likelihood score for ignition environment factors
The ignition environment adjustment task is not applicable to toxic hazards. If fire or flammable
gas hazards are of concern, then the likelihood score should be further adjusted for ignition
probability. Figure A.5 defines ignition adjustment factors.
Description
Adjustment
–1.5
Low ignition probability (3%)
Average ignition probability (10%)
–1
Moderate ignition probability (30%)
–0.5
High ignition probability (near 100%)
0
Figure A.5 – Ignition environment adjustment
A.4
Task 4 – Adjust consequence score for process conditions
The base consequence score should be adjusted for process pressure. This adjustment applies to
fire, flammable, and toxic gas hazards. Higher process pressure indicates a higher magnitude of
consequence severity if a release were to occur. Process temperature is already factored into the
default consequence score. Figure A.6 defines process pressure adjustment factors.
Pressure
Adjustment
Atm to 50 psig
–0.5
50 to 150 psig
0
150 to 300 psig
0.5
300 to 1,000 psig
1
> 1,000 psig
1.5
Figure A.6 – Process pressure adjustment
A.5
Task 5 – Adjust consequence score for flammability environment
The base consequence score should be adjusted for factors related to the environment around a
burning gas cloud, if it were to occur. This is related to process confinement and congestion
factors. A higher degree of confinement and congestion lead s to a more severe consequence.
Figure A.7 defines the flammability environment adjustment. The flammability environment
adjustment should only be applied if flammable gas hazards are being evaluated. Do not adjust
the consequence score with this factor if toxic hazards are being evaluated.
Environment Type
Adjustment
Notes (Confinement &
Obstacle Density)
No confinement/low
congestion
–1
"3D Low"
Some confinement/
moderate
congestion
0
"2D Med"
Confinement/high
congestion
2
"2D High"
Figure A.7 – Flammability environment adjustment
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
A.6
- 48 -
Task 6 – Adjust consequence score for toxic gas concentration
If a toxic (H2S) hazard is present, the base consequence score should be adjusted for the
concentration of toxins (e.g., hydrogen sulfide) in the process fluid. This adjustment applies only
to toxic gas hazards. A higher toxin concentration is indicative of a higher magnitude of
consequence severity if a release were to occur. Figure A.8 provides typical H2S concentration
adjustment factors.
Concentration (v/v)
Adjustment
< 100 ppm
Notes
No H2S analysis
100 ppm to 1000 ppm
–1
1000 ppm to 1%
0
1% to 3%
1
3% to 10%
2
> 10%
3
Figure A.8 – H2S concentration adjustment
A.7
Task 7 – Determine FGS hazard rank
For each hazard (fire, combustible, and toxic), each equipment item is assigned an individual
adjusted likelihood score and an adjusted consequence score. The hazard rank is the sum of the
adjusted likelihood score and the adjusted consequence score. This score indicates the degree of
the hazard and ultimately the risk of fire, combustible gas , or toxic gas hazards.
The calculated value is defined as the adjusted baseline hazard rank. The highest individual value
of the baseline hazard rank for all equipment within a given FGS zone is defined as the zone
hazard rank.
A.8
Task 8 – Determine need for FGS
Each area receives a performance target for fire, flammable gas , and toxic (e.g., H2S) gas hazards,
which take the form of grades. These grades are listed in Figure A.9.
Each of the grades defines a relative level of fire or gas risk , with grade A being the highest risk
areas and grade C being the lowest risk areas requiring detection.
A.8.1
Task 8.1 – Fire detection performance targets
Design of fire detection systems is predicated on the principal that a turbulent diffusion fire should
be sensed early enough that automatic control action can be taken, if required, during the incipient
stage of the fire to maximize safety and limit commercial losses to a tolerable level. Incipient fire
detection requires an adequate number of detectors that are st rategically located in a manner to
provide adequate coverage.
Fire detection performance targets are selected based on the results of the semi -quantitative FGS
screening procedure described in this annex. The result of the semi-quantitative method is the fire
hazard rank, which is representative of the relative fire risk. A higher hazard rank represents a
higher level of risk, which subsequently requires a higher performance target on the FGS to
mitigate risk. Figure A.10 details the relationship between the fire hazard rank, the fire grade, and
the detection performance target.
Copyright 2018 ISA. All rights reserved.
- 49 -
ISA-TR84.00.07-2018
Grade
Exposure Definition
A
High hazard potential
B
Moderate hazard potential
C
Low or very low hazard potential
No FGS
Risk is tolerable w/o benefit of FGS
Figure A.9 – Fire and gas performance grades
Adjusted
Hazard Rank
Grade
Fire Detection Coverage
≥7
A*
> 0.90
5 to < 7
A
0.90
2 to < 5
B
0.80
0.5 to < 2
C
0.60
< 0.5
N/A
No target coverage
Figure A.10 – Fire hazard rank and detection performance target
Fire detection performance targets are evaluated in locations where fires could occur with sufficient
intensity to result in life, safety, or commercial impact. In these locations, radiant heat output (RHO)
is used as the criterion to specify the flame magnitude of the design-basis fire that one wants to
detect. The magnitude of a fire hazard is related to its fire size, which is directly correlated to its
RHO.
NOTE This applies to fires that are not expected to produce excessive amounts of smoke before flaming fire. This
procedure is written on the principle that optical flame detection in locations with higher fire hazard exposure should be
sensitive to lower levels of RHO than fire detection in locations with lower fire hazard exposure.
Fire grade A is typically assigned to areas with higher levels of fire risk. These areas are
characterized by hydrocarbon handling areas where small fires could cause significant damage in
a short period of time or rapidly escalate. Such fires might be due to the potenti al for a higher
consequence severity (e.g., high-pressure gas from a compressor) or from a higher likelihood of
fire (e.g., small bore pipework and pump seals). For the performance targets associated with
grade A, a minimum of 90% detector coverage is achieved for detection of a design-basis fire size.
Fire grade B is assigned to most hydrocarbon processing areas throughout the facility. These
areas are categorized by “normal” risk processing areas and typically contain fixed equipment with
moderate to low likelihood of fire. For the performance targets associated with grade B, a minimum
of 80% detector coverage is achieved for detection of a design -basis fire size.
Fire grade C is assigned to areas where the risk of a fire is relatively low. Grade C areas are
characterized by a low potential for severe consequences (for example, due to high flash point
fuel). For the performance targets associated with grade C a minimum of 60% detector coverage
is achieved for a design-basis fire size.
An FGS zone with a hazard rank of 7.0 or greater should have a fire grade A*. For zones gradedºA*,
the installed fire detection system should be capable of exceeding the grade A performance
targets. FGS zones graded A* will likely have a risk reduction factor target for the FGS function
that is greater than 10. Achieving this risk reduction factor requires performance targets for system
availability and mitigation effectiveness, which are outside the scope of this method. Refer to the
foreword of the technical report for additional guidance.
In addition, the FGS zone should also be subject to additional risk studies, such as a QRA analysis,
to verify that fire risk is adequately reduced .
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
A.8.2
- 50 -
Task 8.2 – Combustible gas detection performance targets
Design of combustible gas detection is predicated on being able to sense a threshold volume of
gas at an incipient stage when action can be taken to prevent significant loss were that volume of
gas to ignite and result in a deflagration. The goal is not to prevent any size flammable cloud from
forming, igniting, or deflagrating. The goal is to limit flame front accelera tion of such ignited gas
clouds to a speed that has been demonstrated to be below the threshold of structural damage in
process environments. The degree of hazard and the damage from a combustible gas deflagration
is related to the size of the cloud and other factors, such as confinement, and the presence of
turbulence-inducing obstacles.
Combustible gas detection performance targets are evaluated in locations where ignited gas
clouds could cause damage from explosion overpressure. In these locations, the smallest gas
cloud that has the potential to cause such damage, or the smallest gas cloud that can reasonably
be developed, is used to define requirements for placing combustible gas detectors.
Combustible gas performance targets are selected based on the results of the semi-quantitative
FGS screening procedure described in this annex. The result of the semi-quantitative method is
the combustible gas hazard rank that is representative of the relative combustible gas risk. A higher
hazard rank represents a higher level of risk, which subsequently requires a higher performance
target on the FGS to mitigate risk. Figure A.11 details the relationship between the combustible
gas hazard rank and the combustible gas grade.
Adjusted
Hazard
Rank
Grade
Gas Detection Coverage
≥7
A*
> 0.90
5 to < 7
A
0.90
2 to < 5
B
0.80
0.5 to < 2
C
0.60
< 0.5
N/A
No target coverage
Figure A.11 – Combustible gas hazard rank and detection performance target
Combustible gas grade A is typically assigned to FGS zones subject to higher risk, either due to
high frequency release sources (such as rotating equipment) or a high degree of confinement of a
burning gas cloud that could cause damaging flame acceleration and overpressure when subject
to a relatively small gas release. For this performance target for grade A, the gas detection system
should be capable of achieving 90% coverage for detection of a design-basis combustible gas
hazard.
Combustible gas grade B is typically assigned to areas subject to a moderate degr ee of
confinement of a burning gas cloud. For this performance target for grade B, the gas detection
system should be capable of achieving 80% coverage for detection of a design -basis combustible
gas hazard.
Combustible gas grade C is typically assigned to open hydrocarbon processing areas with fixed
equipment, relatively low operating pressure, and well-controlled ignition sources. The gas
detection system should have 60% detector coverage to detect a design -basis combustible gas
hazard.
In some cases, the primary hazard of concern is the migration of combustible gas beyond
hydrocarbon processing areas where access and ignition sources are well controlled. In these
cases, consider perimeter detection in lieu of gas detection within the area of the equipment
containing the hazardous material.
Copyright 2018 ISA. All rights reserved.
- 51 -
ISA-TR84.00.07-2018
An FGS zone with a hazard rank of 7.0 or greater should result in a combustible gas grade A*.
For zones graded A*, the installed combustible gas detection system shou ld be capable of
exceeding the grade A performance targets. FGS zones graded A* will likely have a risk reduction
factor target for the FGS function that is greater than 10. Achieving this risk reduction factor
involves having performance targets for system availability and mitigation ef fectiveness, which are
outside the scope of this method. Refer to the foreword of the technical report for additional
guidance.
In addition, the FGS zone should also be subject to additional risk studies, such as QRA analysis ,
to verify that combustible gas risk is adequately reduced.
A.8.3
Task 8.3 – Toxic gas detection performance targets
In this example procedure, toxic gas detection is limited to hydrogen sulfide (H 2 S) hazards. H 2 S
performance targets are evaluated in locations where H 2 S could cause serious injury. Personnel
who enter areas of the facility containing H 2 S are assumed to be wearing personal H 2 S monitors
at all times. This is the primary means of safety once a worker is in an H 2 S -containing area and
is near equipment containing H 2 S. Fixed H 2 S detectors should not be the primary means of safety
at these locations, because a very large number of detectors would be required to protect every
possible exposure. Fixed H 2 S detectors are the primary means of safety to alert personnel who
either are not in the area at the time or are within the area but not immediately exposed to a
hazardous release. The goal is to either prevent personnel from entering the area or evacuating
personnel from the area, depending on their initial location.
Performance of H 2 S gas detection is based on the likelihood and severity of the toxic gas hazards
present. Defining performance targets requires defining the hazard. For H 2 S, this is the smallest
gas cloud that has the potential to cause serious injury. This is descriptiv e of the magnitude of the
hazard that requires detection and is used to define requirements for placing toxic gas detectors.
Toxic gas performance targets are selected based on the results of the semi -quantitative FGS
hazard rank procedure described in this annex. The result of the semi-quantitative method is the
toxic gas hazard rank that is representative of the relative toxic gas risk. A higher hazard rank
represents a higher level of risk, which subsequently requires a higher performance target on the
FGS to mitigate risk. Figure A.12 details the relationship between the toxic gas hazard rank and
the toxic gas grade.
Adjusted
Hazard Rank
Grade
Gas Detection Coverage
≥ 7.5
A*
> 0.90
5.5 or < 7.5
A
0.90
3.5 to < 5.5
B
0.80
1.5 to < 3.5
C
0.60
<1.5
N/A
No target coverage
Figure A.12 – Toxic gas hazard rank and detection performance target
Toxic gas grade A is typically assigned to FGS zones where a life-threatening toxic hazard could
occur from a relatively small gas release at a distance well outsi de the localized area of the release.
Toxic gas grade B is typically used when there is a moderate degree of an injury-level toxic hazard
that could occur from a small release at a distance well outside the localized area of the release .
Toxic gas grade C is used when an injury-level toxic hazard could occur only from a large release
at a distance beyond the localized area of the release.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 52 -
An FGS zone with a hazard rank of 7.5 or greater should result in a toxic gas grade A*. For zones
graded A*, the installed toxic gas detection system should be capable of exceeding the grade A
performance targets. FGS zones graded A* will likely have a risk reduction factor target for the
FGS function that is greater than 10. Achieving this risk reduction factor involve s having
performance targets for system availability and mitigation effectiveness, which are outside the
scope of this method. Refer to the foreword of the technical report for additional guidance. In
addition, the FGS zone should also be subject to additional risk studies, such as a QRA analysis ,
to verify that the toxic gas risk is adequately mitigated.
Toxic gas grade A, grade B, and grade C FGS zones should be capable of detecting a spherical
gas cloud equal in size to the distance to the acute injury end point when analyzed for the designbasis hazard scenario. For toxic gas hazards, the extent of graded area should be taken as the
distance to the detection limit for the design-basis hazard scenario. These distances are
determined based on the results of toxic gas design-basis dispersion modeling.
Copyright 2018 ISA. All rights reserved.
- 53 -
ISA-TR84.00.07-2018
Annex B  Detector coverage assessment techniques
B.1
Detector geographic coverage assessment
The following example FGS architectures, detector coverages, and mitigation effectiveness
represent possible system configurations and should not be interpreted as recommendations. The
configurations used in actual applications are specific to the operating environment and process
conditions in which they are used. As such, no general recommendations can be provided that are
applicable in all situations.
A geographic coverage assessment seeks to determine the degree of coverag e of a monitored
area that contains a process with potential fire or gas hazards. The goal is to determine the fraction
of a monitored process area that is covered if a release occurs in a given geographic location.
Geographic coverage is a function of the release detection equipment in the monitored process
area, considering obstacles that prevent or inhibit detection and the defined voting arrangement
for the safety action of interest. For example, an array of many flame detectors in a monitored area
with few obstacles and a 1ooN voting arrangement would yield a higher geographic coverage than
an array with only a few flame detectors in an area congested with process equipment and a 2ooN
voting arrangement. Detector geographic coverage does not require a specific risk scenario to
determine coverage. The method assumes a hazard could occur anywhere within a monitored area
and seeks to determine how well covered that area is. Detector geographic coverage does require
general information about the magnitude of the fire or gas hazard that requires detection in a
monitored area.
B.2
Criteria for fire (geographic) coverage assessment
In general, a system’s ability to detect a fire of given intensity increases as the number of f ire
detectors in a monitored area increases. However, there is a threshold fire intensity below which
the system cannot activate due to limitations of the sensitivity of flame detectors. Since an analysis
of geographic coverage is not conducted on a scenar io-by-scenario basis, a general criterion
needs to be established to determine the fire intensity that requires detection at any location within
a monitored area. This criterion determines the analytical end point for adding more detectors to
obtain a given level of coverage.
Most optical flame detection methods are sensitive to thermal radiation at various wavelengths,
and the radiated heat output of a fire is an important parameter in determining the threshold for
detection. Guidance for determining the appropriate fire design-basis hazard for detection is
provided in Clause 6 of this TR. Selecting a very low threshold detection criterion can be
appropriate in some instances that are extremely vulnerable to small fire effects or present a
severe potential for fire escalation; while in other situations , this criterion can lead to an excessive
number of flame detectors, because small fires cannot be sensed at moderate to large distances
from a detector. On the other hand, selecting a very large threshold crit erion can be appropriate
in instances where only minimal coverage is required to annunciate a fire in a normally unoccupied
process area; while in other situations, it can allow a fire to grow to an unacceptably large size
beyond which automatic control actions (e.g., suppression) can be considered effective. Note that
with larger fires, optical flame detector performance might be degraded.
B.2.1
Procedure for fire-detector geographic coverage assessment
1. Select a design-basis hazard for detection—a threshold fire magnitude that requires detection
of an incipient hazard (e.g., fire intensity of 1 ft by 1 ft at 100 ft requires detection) .
2. Select a geographic location for analysis .
3. Determine if the geographic location is within the field of view of each fire detector in the
monitored area. For optical fire detection, ensure that obstructions between the detector and
the geographic location are accounted for in making this determinatio n.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 54 -
4. If 1ooN voting is proposed, flag the location as covered only if it is within the field of view of
one (or more) fire detectors in the monitored area.
5. If 2ooN voting is proposed, flag the location as covered only if it is within the field of view of
two (or more) fire detectors in the monitored area.
6. Increment the analysis over all geographic locations in the monitored area.
7. Create a sum-total of all covered locations and determine the overall fraction of geographic
area that is covered in the monitored area (i.e., detector geographic coverage).
B.2.2
Attributes of fire detection coverage assessment
Although there are many methods for fire detector coverage assessment, ranging from manual
drawing to computer-aided design, there are some common critical attributes of effective
assessment studies. The fire coverage assessment (i.e., fire detection mapping) should consider,
at a minimum, the following attributes for fire detection modeling. It should:
•
perform coverage mapping in three dimensions
•
calculate the analysis results for user-required elevation of interest
•
utilize the specification of the fire detector (e.g., the results of the analysis should create a
map that is identical to the “cone of vision” presented in the equipment vendor’s product
literature, accounting for any de-sensitizing factors relevant to the application typically
revealed in the FM 3260 test procedure)
•
model the effects of changes in detector elevation away from the elevation of interest
•
model the effects of the changing angle of declination with respect to the elevation of interest
•
model different detector sensitivity settings for each detector
•
model detector sensitivity with respect to multiple fires from different materials of interest for
each detector as required (e.g., methanol fires, methane fires, and hexane fires)
•
model multiple obstruction geometries
•
present results that indicate the fraction of the monitored area where: no detectors are sighted,
a single detector is sighted, two or more detectors are sighted
B.3
Criteria for gas (geographic) coverage assessment
The ability to detect a gas hazard at an incipient stage increases as the number of detectors
increases. However, there are practical limits on the number and position of detectors that will
imply the possibility of a small release going undetected as the gas disperses below its detectable
concentration or situations where a small release remains undetected for a period of time until gas
accumulation occurs in a semi-confined or confined area. Since an analysis of geographic
coverage is not conducted on a scenario-by-scenario basis, a general criterion needs to be
established to determine the size of gas release that requires detection anywhere within a
monitored area. This criterion determines the analytical end point for adding more detectors to
obtain a given level of coverage.
Guidance on determining an appropriate design-basis hazard for detection is in Section 6 of this
TR. From a practical standpoint, the size and shape of a gas release that requires detection are
required to perform a basis analysis of gas detector coverage. For flammable gas detection, factors
such as the degree of confinement and presence of turbulence -inducing obstacles require
consideration. The typical form of this criterion is a spherical gas cloud of given size (e.g., 5-meter
diameter); the actual value can be based on analytical consequence modeling or a study of the
effects of flammable gas cloud size and the potential for damag ing blast effects from a deflagration.
A smaller gas release criterion might be used in certain situations that are vulnerable to fire or
explosion effects; while in other situations a small criterion can lead to an excessive number of
detectors in an area that presents minimal hazard. A larger criterion can be appropriate in some
Copyright 2018 ISA. All rights reserved.
- 55 -
ISA-TR84.00.07-2018
situations; while in others it can allow an unacceptably large accumulation of combustible gas that
presents a significant escalation hazard beyond the capability of the mitigation system’s
effectiveness.
B.3.1
Procedure for gas-detector geographic coverage assessment
1. Select a design-basis hazard for detection—a threshold gas accumulation that requires
detection of an incipient hazard (e.g., gas accumulation of less than 16 ft [5 m] in diameter
requires detection at 20% LFL for a point detector or 1.0 LFL meters for a line-of-sight
detector).
2. Select a geographic location for analysis.
3. Determine if the gas accumulation of threshold magnitude that is centered at a geographic
location can be sensed by each detector (point or open -path type) in the monitored area.
4. If 1ooN voting is proposed, flag the location as covered only if threshold gas accumulation
can be sensed by one (or more) gas detectors in the monitored area.
5. If 2ooN voting is proposed, flag the location as covered only if threshold gas accumulation
can be sensed by two (or more) gas detectors in the monitored area.
6. Increment the analysis over all geographic locations in the monitored area.
7. Create a sum total of all covered locations and determine the overall fraction of a geographic
area that is covered in the monitored area (i.e., detector geographic coverage).
B.3.2
Attributes of gas detection coverage assessment
Although there are many methods for gas detector coverage assessment, ranging from manual
drawing to computer-aided design, there are some common critical attributes of effective
assessment studies. The gas coverage assessment (i.e., gas detection mapping) should consider,
at a minimum, the following attributes for gas detection modeling. It should:
•
perform coverage mapping in three dimensions
•
model point detection systems along with open path detection systems (e.g., accounting for
beam attenuation)
•
present results in three dimensions and at a user selected elevation of interest
•
present tabular results that indicate the fraction of the covered area where: no detectors are
sighted, a single detector is sighted, two or more detectors are sighted
The advantages of the geographic coverage assessment include an easy-to-understand graphical
representation of results. There is no requirement to generate specific scenario -by-scenario
coverage results, giving an easily repeatable and auditable detection layout. Computational
requirements are high for this method (as well as scenario coverage). The method also ensures
that if the cloud size of concern exists, it will not remain undetected. The disadvantages of
geographic coverage assessment include the fact that it does not account for the likelihood of gas
migration and ignition. Alternatively, the method focuses on the accumulations that would result in
unacceptable consequences, providing detectors to ensure these high -risk instances do not remain
undetected. This allows the designer to focus only on those areas where gas accumulation
presents a hazard of concern, thereby optimizing where gas accumulation may be credible, but
would not present a significant hazard.
B.4
Detector (scenario) coverage assessment
The identified risk scenario(s), consequences, and event likelihood are used in the scenario
coverage assessment. Scenario coverage is a more detailed assessment that is required for fully
quantitative risk analysis techniques; whereas semi-quantitative risk analysis techniques generally
rely on geographic coverage methods. Even when using semi -quantitative methods, use of
scenario coverage—especially for gas detection—can provide more detailed information about the
risk posed by a process plant and the effectiveness of different detector arrays.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 56 -
Consequence analysis generates information about the potential impact of the identified fire and
gas release scenarios. The impact zones are overlaid on the plan view of the area under analysis.
Most often, the impact zones are based on turbulent diffusion fire models, showing flame size and
shape, or gas dispersion, for unconfined or semi-confined areas. A determination is made for each
detector in the monitored area as to whether it is capable of detecting the scenario.
B.4.1
Procedure for fire detector (scenario) coverage a ssessment
1. Select a hazard scenario in the monitored area .
2. Select the first consequence outcome of the scenario. For a fire, each outcome is represented
as one of the possible flame orientations.
3. Determine if the consequence outcome is within the field of view of each fire detector in the
monitored area. For optical fire detection, ensure that obstructions between the detector and
the geographic location are accounted for i n making this determination.
4. If 1ooN voting is proposed, flag the scenario outcome as covered only if it is within the field of
view of one (or more) fire detectors in the monitored area.
5. If 2ooN voting is proposed, flag the scenario outcome as covered on ly if it is within the field of
view of two (or more) fire detectors in the monitored area.
6. Increment the analysis of all scenario outcomes for the selected hazard.
7. Increment the analysis over all hazard scenarios in the monitored area.
The ratio of detectable releases to the total is the detector (scenario) coverage for fire detection
in the monitored area.
B.4.2
Procedure for gas detector (scenario) coverage a ssessment
1. Select a hazard scenario in the identified monitored area.
2. Select the first consequence outcome of the scenario. For a gas release, each outcome is
represented as a cloud profile from the dispersion analysis, with possible multiple wind
directions, meteorological conditions, and ventilation patterns.
3. Determine if the consequence outcome can be sensed by each detector in the monitored area.
4. If 1ooN voting is proposed, flag the scenario outcome as covered only if it can be sensed above
the threshold concentration for alarm by one (or more) detectors in the monitored area.
5. If 2ooN voting is proposed, flag the scenario outcome as covered only if it can be sensed above
the threshold concentration for alarm by two (or more) detectors in the monitored area.
6. Increment the analysis of all scenario outcomes for the selected hazard.
7. Increment the analysis over all hazard scenarios in the monitored area.
The ratio of detectable releases to the total is the achieved detector (scenario) coverage for gas
detection in the monitored area.
The advantages of scenario coverage assessment include a graphical representation of results
showing the likelihood of gas migration at a facility. However, computational requirements are high
for this method. Scenario coverage may allow the layout to be optimized based on which detectors
are effective against the scenarios evaluated. The disadvantages of scenario -based coverage
assessments include traditional modeling techniques not accounting for near field blockages,
varying vertical orientations of release, and , ultimately, running a finite number of scenarios where
the outputs are entirely dependent upon the number of scenarios evaluated. When analyzing
explosion overpressure hazards, this method may not account for certain release scenarios that
are the most hazardous with respect to consequences. For example, a gas may only migrate to a
location in 1% of the scenarios, but that 1% may result in the most destructive consequence.
Copyright 2018 ISA. All rights reserved.
- 57 -
B.5
ISA-TR84.00.07-2018
Factors considered when developing detector layout
Where process-area fire or gas detection is specified, an initial detector layout should be proposed.
When developing a layout, the designer should consider several key attributes that will impact the
performance of the detection system. Although coverage should be evaluated for the proposed
layout, it is important to recognize factors that influence a coverage calculation. This section lists
several of these factors that the designer should consider in developing detector layout. This is a
checklist for the designer, but it is not intended to prov ide a complete technical discussion of each
factor. Further, the factors are not to be considered as prescriptive; rather, the weight of each
factor should be determined by studying coverage as described elsewhere in this technical report.
These factors are applicable to process-area fire and gas detection, and consideration has been
given to applications where the process is located outdoors as well as indoors.
B.5.1
Fire detection – indoor and outdoor application
1. End-user fire and gas detection and mitigation philosophy: This addresses the end user’s
objectives for fire detection and mitigation, identifying safety and loss prevention goals. For
example, does the detection of fire or gas result in an alarm -only condition or is executive
action required?
2. End-user design standards for fire and gas detection : This includes the end user’s standards
for fire detection, including target fire size and thresholds for adequate fire coverage.
3. Equipment of concern for fire hazard and leak sources: Consideration should be given to the
equipment that is intended to be monitored for hydrocarbon fire hazards, and this can be based
on legal requirements, end-user design standards, the end-user philosophy, or fire hazard and
risk assessment of the type of equipment and fuel.
4. Equipment that is of possible concern includes the following:
•
heat exchangers
•
column/tower/contactors
•
compressor/expanders
•
pressure vessel/reactors
•
centrifugal pumps
•
reciprocating pumps
•
atmospheric storage tank
•
LP storage tanks
•
fired heaters
•
pig launcher/receivers
•
sump/sump pumps
•
piping manifolds
•
single-welded pipe segments
•
production wellheads
5. Flammable material
•
Fuel type, liquid fire, gas fire, etc.: The type of flammable material determines the elevation
of fire detection required.
•
Inventory: A large inventory can potentially drastically change an FGS philosophy by
changing the severity of potential consequences.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 58 -
•
Volatility/flash point: The material volatility/flash point can significantly alter potential
hazardous outcomes. For example, high flash poi nt fuels have a significantly lower
potential for severe consequences than low flash point fuels.
•
Process pressure/release velocity: Higher pressures and release velocities can cause a
higher discharge rate. This can result in a jet fire instead of a pool fire.
•
Process temperature: Temperature can significantly change the volatility of fuel and the
density of released gas. Flammability limits: The flammability limits can determine if pool
fire or jet fire are credible outcomes, which affects detector positi oning.
6. Coverage area: Congestion is a major factor to consider, as large equipment or highly
congested piping can significantly block the view of flame detectors and limit migration of
smoke.
7. Boundaries of the area to be covered by fire detection: Boundaries define the extent of the
area surrounding monitored equipment that is intended to be covered for hydrocarbon fire
hazards. Factors considered for setting the boundary area include existing constraints, such
as all equipment in a bounded area should have similar fire hazards, should activate the same
alarms and executive actions and initiate the same procedural personnel protective actions
(muster or evacuation).
8. Target fire size/design basis fire size: See Clause 6 of this TR for guidance on target fire size.
9. Fuel spill containment area/drainage: Containment and drainage influence the location of fire
detection based on containment of liquid fuel spills.
10. Ignition sources: The location of strong ignition sources could influence detector layout (e.g.,
a pump seal fire hazard requires localized detection).
11. Obstructions (permanent/temporary): Obstructions include process equipment, piping, cable
trays, electrical cabinets, scaffolding, and laydown areas that can impede detector views. For
indoor process area (e.g., a compressor building) flame detection, obstructions can impede
the detector’s ability to “see” the complete target.
12. Ventilation characteristics – HVAC, forced ventilation, or wind: For indoor applications,
ventilation characteristics can affect detection. This can include the ventilation system
preventing smoke migration or causing smoke extraction. Small fires can be difficult to detect
when large ventilation systems are installed in industrial applications. Considerations should
include strategically positioned flame detection instead of heat detection.
13. In outdoor fire detection applications, the initial detector layout should be influenced by the
direction of the prevailing wind but also address normal and abnormal meteorological
conditions, such as nighttime and low-wind conditions, and the type of fire (jet, flash, pool,
etc.).
14. Available technologies for hydrocarbon fire detection : The initial detector layout is affected by
the type of fire detection technology selected. Some technologies are m ore sensitive than
others at detecting early stage or incipient fire hazards. Fewer detectors are needed when
selecting more sensitive technology types. Also, spurious alarm avoidance should be
considered, because some types of detectors are less robust in certain applications where
false alarm stimuli are present. Refer to FM Property Loss Prevention Data Sheets 5 -48 for
guidance about the strengths and weakness of the various detector technologies and
applications. Typical detector technologies include th e following:
•
Frangible bulb: Designed to respond to the energy of a fire that increases the temperature
of a heat-sensitive element. A frangible bulb uses a fluid-filled bulb.
Copyright 2018 ISA. All rights reserved.
- 59 -
ISA-TR84.00.07-2018
•
Bimetallic heat: Designed to respond to the energy of a fire that increases the temperature
of a heat-sensitive element. Bimetallic heat uses a temperature-sensitive strip.
•
Closed-circuit television (CCTV)/visual: Designed to respond to the visual signature of a
flame, using onboard algorithms to distinguish between real flames and other, nonvisual,
background radiative sources (i.e., flare radiation, turbine exhausts). The technology uses
imaging sensors in the visual/near-IR region of the electromagnetic spectrum to monitor
the field of view for the presence of flame.
Infrared (IR): This technology is designed to respond to the spectral signature of the hot
CO2 energy emitted by hydrocarbon fires in the 4.3 4.4 micrometers range. The technology
combines spectral analysis with flicker frequency (1 to 20 Hz) algorithms to prevent false
alarming that results from black-body radiation.
Multispectral IR (multi-IR): The technology is designed to minimize false alarms and
increase sensitivity by analyzing signals coming from three or four sensors that filter
wavelengths within the infrared spectrum. Nonfire radiation sources are rejected through
the detector internal algorithms.
•
Ultraviolet (UV) flame detection: The technology is designed to respond to radiation emitted
by a wide variety of fires including hydrocarbon, hydrogen, and metal based. The detector
typically operates with wavelengths shorter than 260 nm to avoid interference from the sun
and other sources of radiation present in the ultraviolet spectrum.
•
UV/IR (ultraviolet/infrared): The technology is designed to minimize false alarms by using
sensors that are sensitive to both ultraviolet and infrared radiation wavelengths and by
comparing their thresholds simultaneously. For that reason, the detector has a good
immunity to false alarming and is suitable for both indoor and outdoor applications.
15. Execution Logic 1ooN (Alarm Coverage) versus Executive Action Coverage (2ooN): 2ooN
provides the system with robustness and reliability (spurious trip avoidance), but it requires
more detectors to achieve the target coverage. 1ooN provides adequate single detector alarm
coverage with fewer detectors, but it does not consider the need for confirmed fire detection
(voted) before safety actions are taken.
16. Detector technology/vendor-specific characteristics: Characteristics include the effective
viewing distance (within a detector’s field of view) for a threshold fire size. This is determined
by detector type. A smaller viewing distance requires more detectors for a particular application
to meet the target coverage requirements. Off-axis viewing distances should also be
considered. Larger off-axis distances can require fewer detectors for a particular application.
17. Non-ideal conditions that limit detection coverage: These factors can reduce the sensitivit y of
detector optics due to dust, dirt, fog, and steam. They also include background sources of IR
radiation that could desensitize detectors.
18. Application environment: Detector performance can be affected by site temperature, humidity,
RF interference, and any site considerations for detector coverage or detector interference.
19. False alarm stimuli: Stimuli include sources of UV or IR radiation that could result in false
alarms. The location of normal flame sources, such as flare, should be considered.
20. Electrical area classification: Electrical equipment should conform to local codes and standards
(e.g., U.S. National Electric Code, Europe-International Electrotechnical Commission).
21. Cross voting between FGS zones/monitored areas: The analysis should determine if there is
a need to limit the detection of a hazard outside the zone/monitored area where a detector is
located.
22. Detector installation constraints (constructability and maintainability): These constraints
include limitations on mounting detection equipment on an existing structure; imitations due to
areas that need to be avoided for vehicle access; limitations due to detection equipment
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 60 -
accessibility for routine maintenance; or end-user specifications to increase detectors to allow
for the unavailability of a single detector due to a fault or maintenance activities.
B.5.2
Gas detection – indoor and outdoor application (reference 2.13, 2.14, 2.15)
1. End-user fire and gas detection and mitigation philosophy: This addresses the end user’s
objectives for flammable or toxic gas detection and mitigation. It identifies safety and loss
prevention goals. The philosophy will determine, for example, if the detection of fire or gas
results in an alarm-only condition or whether executive action is required. The philosophy
guides users in detecting gas accumulation or gas leak scenarios.
2. Equipment of concern for combustible or toxic gas hazard/leak sources: Consideration should
be given to the equipment that is of concern, which can include the following:
•
heat exchangers
•
column/tower/contactors
•
compressor/expanders
•
pressure vessel/reactors
•
centrifugal pumps
•
reciprocating pumps
•
atmospheric storage tank
•
LP storage tanks
•
fired heaters
•
launcher/receivers
•
sump/sump pumps
•
piping manifolds
•
single welded pipe segments
•
production wellheads
3. Process streams/material
•
material phase (liquid, vapor, two phase)
•
inventory
•
volatility/flash point
•
process pressure/release velocity
•
process temperature
•
flammability limits
•
toxicity limits, IDLH, OSHA PEL/STEL
•
gas mixtures (toxic material mixed with flammable gas)
4. Boundaries of area to be covered by gas detection: Factors considered for setting the boundary
area include existing constraints. All equipment in a bounded area should activate the same
alarms and executive actions and initiate the same procedural personnel protective actions
(muster or evacuation). In addition, bounded areas should include similar gas hazards.
5. Target gas accumulation/leak size/design-basis gas hazard: See Clause 6 of this TR for
guidance on the size and extent of gas accumulation.
6. Flammability environment: Locations of confinement and congestion, where gases are most
likely to accumulate should be identified. For heavy gases, identify low spots where
Copyright 2018 ISA. All rights reserved.
- 61 -
ISA-TR84.00.07-2018
accumulation or confinement may occur. For light gases, identify locations where gases can
become trapped above process equipment where accumulation or confinement may occur.
7. Ignition sources: Sources of ignition include the following:
•
open flames/sparks
•
high temperatures (above auto-ignition)
•
nonroutine sources (e.g., vehicles)
8. Obstructions (permanent/temporary): Congestion/confinement are factors to consider for both
indoor and outdoor gas detection, because they can significantly impact gas migration and the
behavior of ignition.
9. Ventilation characteristics – HVAC, forced ventilation, or wind: Ventilation has a strong
influence on the migration of gas indoors and affects the optimal location for gas detectors.
Gas detectors should be located strategically based on known ventilation characteristics, both
normal and worst-case ventilation characteristics. FGSs using forced ventilation as a mitigation
action are often energized to trip systems. Fans, blowers , and air handling units require
considerably more power than other typical final elements. The UPS system for the sensors
and logic solvers typically does not have enough capacity to power a forced ventilation system ,
and emergency standby generators may need to be considered.
In outdoor gas detection applications, the initial detect or layout should be influenced by the
direction of the prevailing wind, but also should address normal and abnormal
meteorological conditions such as nighttime and low wind conditions, where gas can
accumulate in areas of partial confinement and congestion .
10. Available technologies for gas detection: The initial detector layout should be sensitive to the
type of gas detection technology selected. This is particularly important if one selects openpath gas detection instead of point gas detection. Fewer detectors are used with more sensitive
technology types or lower alarm set points. Also, spurious alarm avoidance should be
considered, because different types of detectors can be less robust in certain applications
where the detector is cross-sensitive to nontarget gases. Many detector technologies exist,
including but not limited to, the following:
•
Infrared (IR): Combustible gases have a characteristic absorption signature . This
technology relies on the absorption of IR radiation between a source and a receiver. This
can be implemented as either open path or point infrared gas detectors.
•
Catalytic bead: This technology relies on a catalyst to oxidize any combustible gas entering
at low temperatures.
•
Ultrasonic: This technology uses the detection of an acoustic signature of a leak rather
than the presence of a gas.
•
Metal oxide semiconductor (MOS): The technology is designed to measure a signal that
resulted from a change in the electrical conductivity of a heated metal oxide chip when
exposed to the toxic gas.
•
Electrochemical cell: This technology is used for toxic gas detection. This technology is
designed to measure a signal proportional to the gas diffused into a cell filled with an
electrolyte solution.
•
Laser absorption spectroscopy: This approach utilizes the absorption characteristics of the
individual molecule of the target gases to determine the concentration of gas. Devices are
tuned to see specific flammable or toxic gases. Normally imple mented as open path.
11. Target gas type(s) and detectability: Major gas type targets include combustible and toxic gas.
Detectability for combustible gas is determined through leak source or accumulation detection
with the size of the leak and the size of accumulation being varied respectively. Toxic gas
detectability is determined through leak detection with leak size being varied.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 62 -
12. Density of target gas compared to ambient air: The density of the target gas has a strong
influence on the migration of gas both indoors and outdoors. Gas detectors should be located
strategically based on the known density characteristics of the target gas relative to ambient
air. As the density of the target gas relative to ambient air increases, detector elevation should
be lowered from incipient release elevations. Conversely, if density is lighter than ambient air,
detector elevation should be increased.
13. Execution logic 1ooN (alarm coverage) versus executive action coverage (2ooN): 2ooN
provides robustness and reliability to the system (spurious trip avoidance), but it requires more
detectors to achieve the target coverage. 1ooN provides adequate single detector alarm
coverage with fewer detectors, but it does not consider the need to have confirmed gas
detection (voted) before safety actions are taken.
14. Personnel entry and exit locations (toxic gas detection): Toxic gas detection can be required
at points of entry and normal exit or emergency egress.
15. Vendor-specific characteristics: Detection limits, alarm set points, and vendor specifications
will affect the location and number of gas detectors.
16. Nonideal conditions that limit detection coverage : This includes dirty optics on gas detectors,
potential catalyst poisons, and cross sensitivity of gases.
17. Application environment
•
Open-path gas detection: Fog, steam, heat, and any site considerations for detector
coverage or detector interference.
•
Point gas detectors: Where space is congested and prohibits the use of open -path
detectors, more suitable for unpredictable applications and h igher risk areas.
18. Detector performance can be affected by site temperature, humidity, RF interference , and any
site considerations for detector coverage or detector interference from false alarm stimuli.
•
Sensitivity of detector to nontarget gas
•
Nuisance alarms can stem from factors such as wind, vibration, or dirt/dust.
Detectors with self-diagnostics can lower the occurrence of such nuisance alarms.
19. Electrical area classification: Considerations should include whether there are end -user
requirements to detect flammable gas migration outside the area of well-controlled ignition.
Copyright 2018 ISA. All rights reserved.
- 63 -
ISA-TR84.00.07-2018
Annex C  Mitigation action effectiveness concept
Mitigation action effectiveness is defined as how confidence one is that the result of activating the
final element(s) will successfully mitigate the consequence of a defined hazard as expected (e.g.,
it prevents a small fire or gas accumulation from escalating to a large fire or accumulation). The
FGS must be activated in a sufficiently timely fashion to reduce the event severity. An FGS function
might be ineffective such that the outcome of the event is not significantly different than it would
be without detection or activation.
It is possible to detect a hazard and have successful activation of the final element(s) associated
with the FGS function, and yet the result is not complete or effective hazard mitigation. The
reduction in severity afforded by a mitigation action will be related to the magnitude of the hazard
being acted upon and the fundamental limitations of the capability of the FGS actions to be
effective. In general, the effectiveness of the FGS actions is likely to be very high when the
magnitude of the detected hazard is small and detection occurs quickly, which allows the desired
safety action to be taken well before there is the potential for hazard escalation. Conversely, even
correct detection and activation of the FGS actions might be ineffective due to :
1. An excessive time delay in the initiation of the FGS action, resulting in hazard escalation. For
example:
•
Combustible gas detection that isolates a process and opens depressuri zing (blowdown)
valves can require 20 minutes or more before the pressure in the system has significantly
reduced, with a corresponding reduction in the discharge rate of a gas leak. During the
intervening period, the gas already leaked from the system could ignite.
2. Human factors that result in a degraded response action. For example :
•
Personnel addressing the hazard do not evacuate the facility in a timely fashion.
•
Personnel cannot evacuate a facility as planned (e.g., temporary scaffold blocks the
evacuation route).
3. Severe consequences that are associated with the initial loss of containment event that have
a consequence magnitude beyond the design of the FGS actions. For example:
•
A catastrophic pipeline rupture will very likely result in an immediate vapor cloud explosion
hazard that can cause severe consequences before the FGS function is able to effectively
mitigate it. The ensuing fire might be mitigated but not before severe safety consequences
have already occurred.
•
Rupture of a toxic gas (e.g., chlorine) storage container rapidly causes impact s beyond the
immediate area, resulting in loss of life before alarming and precautiona ry actions become
effective.
The method of evaluating mitigation action effectiveness depends on the type of FGS response
action that is taken. These actions can be classified in the following general categories:
1. The FGS safety action involves direct actions on the process, including isolation and
depressurization, such that this action meets the intention of the risk acceptance criteria
without further mitigation. Thus, the hazard is mitigated, and escalation avoided. A hazardous
outcome may still occur. The severity could be small in magnitude (e.g., a small flash fire
instead of a vapor cloud explosion with a severe impact to equipment and personnel), or,
depending on other factors, it may be large in magnitude. The probability of failure of the direct
actions was already addressed in the FGS safety availability analysis. A mitigation action
effectiveness would be a number greater than 0 and less than 1.0 , depending on the ability of
the direct actions on the process to mitigate the hazard.
2. The FGS safety action involves nonprocess actions that mitigate the severity of consequence
(e.g., suppression, deluge). The effectiveness of the nonprocess actions is dependent upon
the magnitude of the initial hazard being wit hin the basis of design of the FGS mitigation
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 64 -
system. For hazard cases that fall within the basis of design, a mitigation effectiveness of 1.0
may be used if the mitigation system is verified as suitable for use in the application that aligns
with the FGS basis of design. Considerations should include sufficient inventory for
suppression material and sufficient energy availability for transport of the material. Refer to
step 9 for guidance about the inclusion of these systems in the availability analysis. Cases for
which the hazard magnitude exceeds the mitigation system capability (e.g., the scenario begins
with a catastrophic equipment failure that results in an initial fire larger than the design
capability of the suppression system or a large toxic gas c loud that precludes safe evacuation)
where the risk associated with failures exceeds the basis of design should be analyzed
separately and addressed using inherently safer design or risk reduction means other than the
FGS. This separate risk analysis falls out of the scope of this TR.
3. The FGS safety action primarily involves evacuation or sheltering of personnel. Mitigation
action effectiveness is typically less than 1.0 for human response to the alarm. Determination
of the mitigation action effectiveness c an be based on demonstrated evacuation drilled
performance in similar operating environments.
In some cases, the credited safety function may involve diverse actions in response to the
activation of the FGS. As these actions are not independent, the FGS effectiveness is evaluated
as a single complex function. In addition, not all of these actions result in full mitigation of the
consequence of concern. This can be explicitly included by expanding the FGS risk model (event
tree) to include the range of the f actors that modify the outcomes and associated severities.
Consider the following example of a natural gas compressor station consisting of an enclosed
compressor building containing a single compressor. The compressor station is equipped with
optical fire detectors that will, upon detection of a fire, activate a chemical fire suppressant system
that is designed to extinguish the fire. The compressor station is controlled and maintained by two
staff members who are primarily located in a control room adjace nt to the compressor building.
The operators have the means to manually extinguish the fire. The end user wants to consider
both automatic and manual actions in the risk analysis. For this reason, the effectiveness of the
activation of the FGS is not a simple probability that the dry chemical system puts the fire out.
Instead, it is a complex combination of mechanical and human interactions. Some of the factors
that will determine that amount of mitigation that is achieved will include:
1. What is the probability that the dry chemical system will extinguish the fire? This probability is
a function of the size of the fire and other contributing factors. The independent review of the
dry chemical system identified failure modes that could result in insufficient p erformance and
the failure to completely mitigate the hazards. Failure of the dry chemical system to extinguish
the fire could be caused by:
•
excessive HVAC action removing the chemical agent too rapidly
•
doors left open, preventing the chemical agent from properly accumulating
•
other factors
2. If the automatic fire extinguishment system fails, will an operations staff member manually
extinguish the fire with handheld equipment?
3. If the automatic fire extinguishment system fails and oper ations staff attempts to control the
fire manually, will they be injured during the process?
4. If the automatic fire extinguishment system does effectively operate, will operations staff still
be injured as the result of entering the room before extinguishing chemicals and combustion
byproducts are ventilated.
The following event tree depicts an analysis of this complex safety function.
Copyright 2018 ISA. All rights reserved.
- 65 -
Auto
Extinguished
FGS Activated
Manual
Extinguish
Attempted
Personnel Injured Manual
by Fumes (during Extinguish
fire)
Effective
ISA-TR84.00.07-2018
Personnel Injured
Personnel
by Fumes (after Personnel fail
Enter too Early fire)
to evacuate
Early Entry
0.1
Success
0.8
Injured by Fumes
0.2
Not Injured
0.8
Single Injury
No Early Entry
0.9
Injured by Fumes
0.3
Seal Fire
1
Attempted
0.9
Failure
0.2
Not Injured
0.7
Success
0.9
Failure
0.1
Not Attempted
0.1
Consequence Sumation
None
Injury
Single Fatality
Multiple Fatalities
Figure C.1
Consequence /
Probability
Fail to Evacuate
0.2
Evacuate
0.8
Fail to Evacuate
0.2
Evacuate
0.8
0.016
No consequence
0.064
No consequence
0.72
Single Fatality
0.054
No consequence
0.1134
Multiple Fatalities
0.00252
No consequence
0.01008
Multiple Fatalities
0.004
No consequence
0.016
0.90748
0.016
0.054
0.00652
Event tree representing complex mitigation action effectiveness
Copyright 2018 ISA. All rights reserved.
This page intentionally left blank.
Copyright 2018 ISA. All rights reserved.
- 67 -
ISA-TR84.00.07-2018
Annex D  Application examples
ANSI/ISA-84.00.01-2004 is a risk-based standard that achieves functional safety through risk
reduction. Risk, per the standard, is calculated as the product of frequency and consequences.
Prevention systems (e.g., SIS) reduce the risk by reducing the frequency; and mitigation systems
(like FGS) typically reduce the risk by reducing the severity of the consequences. The following
application examples illustrate performance-based FGS design as described in Clause 6.
Examples are provided for fire detection, combustible gas detection, and toxic gas detection. The
examples also show a range of fire and gas philosophies and a range of required FGS risk
reductions. Table D.1 is a summary of example calculations in this annex.
Table D.1 – Example summary
Example
Hazard
Example Description
FGS Risk
Risk
FGS Final
Reduction
Analysis
Element
Target
Method
Action
Fire detection and suppression in
Less than
Semi-
ESD and
an oil & gas well bay
10
quantitative
deluge
Combustible
Combustible gas detection in a
Greater
Quantitative
ESD
gas
natural gas production platform
than 10
Toxic gas
Toxic (H2S) gas detection in an
Greater
Quantitative
Evacuation/
onshore gas processing plant
than 10
Monitored
D.1
D.2
D.3
D.1
Fire
shelter
Application example – fire detection and suppression in oil and gas w ell bay
module
This example involves hydrocarbon fire detection in the well bay of an integrated offshore oil and
gas production platform. The platform handles flammable hydrocarbon liquids and gases under
high pressure. An ignited release of flammable material presents a significant hazard to personnel
on the platform. The end user has an existing fire detection philosophy that was developed to guide
the performance-based design.
D.1.1
Facility information
The example is a module on an offshore oil and gas production platform. The module is fully
enclosed on two sides, partially enclosed on another, and open on one side. The area is a
rectangular shape and is 20 meters (65 ft) in length on each side. The module contains 16 wellhead
assemblies (i.e., wellhead plus Christmas tree) and a wellhead control panel (instrumentation and
control cabinet) located on the north side of the module. A 3D visualization and plot view of the
module are shown in Figure D.1.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 68 -
Figure D.1 – Example: Offshore well bay module
D.1.2
Fire and gas hazard assessment
The end user’s fire hazard analysis includes an evaluation of the process that includes the
following factors:
•
material processed
•
process pressure and temperature
•
equipment potentially involved in a fire
•
occupancy of the facility
•
electrical area classification
Because this is a process module containing flammable hydrocarbon processed at high pressure
with the potential presence of personnel on the platform, the external fire hazard/risk analysis
determined the need for fire detection, with a requirement for an FGS risk reduction target of less
than 10. Since there is no requirement for FGS risk reduction exceeding 10, a semi-quantitative
hazard/risk assessment (Annex A) was used to establish FGS performance targets in this example.
As a result, the performance metrics used in this example will includ e detector coverage
(quantitative), FGS safety availability (qualitative), and mitigation action effectiveness (qualitative).
The end user’s detection philosophy is for incipient (early-stage) fire detection, automatic shutoff
of the process, and initiating firewater deluge by activating the fire water pump and opening the
deluge valve.
Step 1 – Identify areas of concern
The operating company for this platform has standardized design practices in place that require
incipient fire detection to be installed in all areas of offshore facilities that handle well production
fluids.
Step 2 – Identify hazard/risk scenarios
The hazard analysis identified the potential for leaks from the wellhead , and a range of release
sizes were considered credible scenarios. To simplify this analysis for illustrative purposes, the
analysis of only one risk scenario is included here. The scenario involves a pinhole leak from the
wellhead resulting in a potential turbulent jet fire in the module. The cause could be corrosion,
erosion, or mechanical failure of the equipment. Although there are no strong sources of ignition
located in the module (open flames, unclassified electrical equipment, etc.), the possibility of
ignition cannot be discounted. This is the most likely release sce nario that will place a demand on
the fire detection system. Other scenarios (not analyzed in this example) include a large leak (e.g.,
flange failure) and a rupture of a process connection to the wellhead.
Copyright 2018 ISA. All rights reserved.
- 69 -
ISA-TR84.00.07-2018
Step 3 – Analyze consequences
The credible consequence of this scenario is a potentially life-threatening injury to a single person
if present in the well bay module at the time of the release. In this example , a range of semiquantitative consequence factors were considered, including the following information gathered
from probability of failure on demand (PFD):
•
Wellhead pressure is 1500 psig.
•
Process temperature is 100°F.
•
Process fluid has a flash point of -10°F.
Step 4 – Analyze hazard frequency
In this example, frequency analysis was considered using semi-quantitative factors including:
From facility information:
•
Equipment type
From discussion with the end user:
•
Personnel are in the area of the well bay approximately 2 hours per day.
From plot plants and the plant 3D model:
•
The well bay area is moderately congested, with grated decking above and below.
•
There are no strong ignition sources (open flames, hot surfaces, etc.) in the vicinity of the well
bay.
Step 5 – Assess unmitigated hazard/risk
The well bay contains a total of 16 production wells, each handling flammable hydrocarbons. Each
well operates at the same temperature, pressure, composition, etc. Therefore, analysis
performance target selection was carried out for a single well , and the results were applied for all
16 wellheads. The process fluids present both fire and combustible gas hazards. However, for the
purposes of demonstration, only analysis of fire hazards will be presented in this application
example.
The well bay was defined as a single FGS zone. Several factors were considered when m aking
this determination; these considerations include:
•
Commonality of hazards: All wellheads in the well bay operate under the same conditions;
therefore, the hazard presented by a release is the same regardless of the source.
•
Actions taken automatically by the FGS: A confirmed fire (2ooN) will cause shut-in of the wells,
initiate platform ESD, and initiate the fixed fire suppression system.
Step 6 – Identify FGS performance targets
A semi-quantitative analysis (Annex A) was carried out to determine the performance targets for
the optical flame detection system. Performance targets include fire detector coverage. Several
key inputs are required to perform the semi-quantitative performance target selection. These inputs
were gathered from discussion with the end user of the platform and from engineering documents ,
including P&IDs, PFDs, plot plans, and plant 3D models.
An FGS philosophy was developed to guide the design team in carrying out the performance -based
design of the detection system. Key inputs for the analysis that were documented in the FGS
philosophy include:
•
Early (incipient) detection of hydrocarbon fire hazards is done using optical fire detectors.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 70 -
•
Performance target selection is to be carried out using the semi-quantitative methodology.
•
The design-basis fire hazard is an incipient fire. The design intent of the system is detection
of a 1-ft x 1-ft hydrocarbon fire (approximately 50 kW) within 10 ft of all major equipment items
for which performance targets have been assigned.
•
Flame detector mapping is carried out using the geographic coverage methodology.
•
2ooN voting is required for the FGS to take executive actions. Detector coverage mapping
should demonstrate adequate coverage with a 2ooN voting arrangement.
With these inputs, the semi-quantitative hazard ranking methodology was applied as described in
Annex A of this report. The semi-quantitative methodology is applied once for each major
equipment item. In the case of the well bay, the analysis is identical for all wellheads and therefore
can be performed once and applied to all wellheads. The results are as follows:
Likelihood
Base likelihood
factor = 2
Occupancy
adjustment = –
1
Adjusted Likelihood
Score
2
2 + (–1) = 1
Ignition
environment =
–1.5
2 + (–1) + (–1.5) = –
0.5
Adjusted
likelihood score
–0.5
Consequence
Adjusted
Consequence Score
2
Base
consequence
factor = 2
Process
pressure
adjustment =
1.5
Other factors
2 + 1.5 = 3.5
Adjusted
consequence
score
3.5
N/A
Notes
From Figure A.2: Wellhead assembly selected
From Figure A.4: Moderate occupancy
selected based on personnel in the area
approximately 2 hours per day. Two of 24
hours is approximately 10% occupancy.
From Figure A.5: Low ignition probability.
If applying a semi-quantitative method to toxic
gas, this adjustment would only be included for
fire/combustible gas hazards (per Figure A.1).
Summation of base likelihood factor and all
adjustment factors
Notes
From Figure A.3: The process fluid is a
“volatile” liquid because the temperature of the
process (100 F) is greater than the flash point
(–10 F), but less than the boiling point.
From Figure A.6: Wellhead pressure is > 1000
psig.
Note that for combustible gas and toxic gas
analysis there are two additional consequence
modification factors to consider (per Figure
A.1).
Summation of base consequence factor and all
adjustment factors
Fire Adjusted Hazard Rank = Adjusted Fire Likelihood Score + Adjusted Fire Consequence Score
= –0.5 + 3.5 = 3.0
The fire adjusted hazard rank of 3.0 results in a fire detection requirement of Grade B. From Figure
A.10, the performance target for Grade B fire hazards is 80% detector coverage.
In addition, the design and implementation of the FGS function will conform to applicable
requirements of ANSI/ISA-84.91.01-2012 (reference 2.10), consistent with the target FGS risk
reduction factor.
Copyright 2018 ISA. All rights reserved.
- 71 -
ISA-TR84.00.07-2018
Step 7 – Initial FGS design
The proposed FGS system design is based on expert judgment and heuristics through the
application of the prescriptive requirements of the appropriate national standards and industry
guidelines (Annex B). In the initial design, two optical flame detectors were specified. These
detectors are located in opposing corners of the well bay as shown in Figure D.2a and D.2b.
Figure D.2a – Optical flame detector conceptual design
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 72 -
Figure D.2b – Optical flame detector conceptual design
Step 8 – Verify detector coverage
The designers are guided by the end-user FGS philosophy to use geographic coverage
assessment for hydrocarbon fire hazards. The target for this assessment is to achieve 80%
(gradeºB), with 2ooN coverage with a 10-ft monitored area of the graded equipment. The extent of
the monitored area is shown in Figure D.3.
Copyright 2018 ISA. All rights reserved.
- 73 -
ISA-TR84.00.07-2018
Figure D.3 – Well bay monitored areas and extent of grade B area
Figure D.4 shows the achieved coverage for the initial design of two optical flame detectors. In
Figure D.4, areas covered by two or more detectors are displayed in green ; areas covered by a
single detector are shown in yellow; and areas not covered (i.e., a fire at this location would not
be detectable by the FGS) are shown in red. In the image on the right, the detector coverage is
displayed for the entire well bay, while the image on the left shows the coverage only within the
monitored areas.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 74 -
Figure D.4 – Fire detection geographic coverage map, initial detector layout
Based on the results of the geographic coverage assessment, it was determined that approximately
93% of the monitored area is covered by one or more detectors (1ooN coverage), and 24% is
covered by two or more detectors (2ooN coverage). Because this is not adequate to achieve the
80% coverage target for a 2ooN voting arrangement, the conceptual design should be modified to
provide a higher degree of detector coverage. This design modification involved two additional
flame detectors, one located in the top right and one located in the bottom left of the well bay. The
results for the modified design are shown in Figure D.5.
Copyright 2018 ISA. All rights reserved.
- 75 -
ISA-TR84.00.07-2018
Figure D.5 – Fire detection geographic coverage map, modified detector la yout
In the modified design, it was determined that approximately 95% of the monitored area is covered
by one or more detectors (1ooN), and 82% is covered by two or more detectors (2ooN). Because
this design achieves the 80% 2ooN coverage target for the grade B areas, this design should
provide acceptable performance in terms of fire detector coverage.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 76 -
Step 9 – Verify FGS safety availability
Upon a confirmed fire (2ooN vote) the FGS actives the fire suppression systems (deluge) in the
well bay. The safety availability was verified qualitatively, because there were no requirements for
FGS risk reduction in excess of a factor of 10. Sensors (optical flame detectors), a logic solver,
and final elements (isolation valve, firewater pump, and deluge valves) were deemed suitable for
use in this application per end-user approval for this facility. While not required, it was noted that
the FGS logic solver was certified for use in safety integrity level (SIL) 2 applications through
conformance with IEC 61508. Auxiliary systems were included in the verification , because some
FGS final elements rely on support systems or do not operate in a fail-safe configuration. For
example, in the case of an electric motor –driven fire water pump, power supply failure was
considered and deemed suitable for use in this application due to the frequency of testing and the
presence of a redundant power supply.
Step 10 – Verify effectiveness of FGS actions
The design intent is to detect an incipient fire hazard (50 kW fire) and initiate wellhead shut-in,
open deluge valves, and start the fire water pump. The mitigation actions include isolation of
inventory (wellhead shut-in) and suppression of the fire. Fire protection personnel confirmed that
these actions are highly effective. An incipient fire is well within the capability of the fire water
deluge system to suppress and cool surrounding equipment while minimizing thermal radiation
effects to personnel evacuating the area. As it relates to the selected basis of design of the system,
the mitigation effectiveness is confirmed and does not need additional quantitative analysis.
Step 11 – FGS effectiveness (mitigated risk)
Because the achieved FGS detector coverage of 82% exceeds the target of 80% for the 2ooN
voting arrangement, the performance target is satisfied and the modified design of four detectors
is suitable for use in the application.
Copyright 2018 ISA. All rights reserved.
- 77 -
D.2
ISA-TR84.00.07-2018
Application example – Combustible gas detection in a natural gas
production platform
This example involves combustible gas detection in an offshore natural gas production platform.
This is a small platform that contains a large amount of process equipment that results in significant
confinement and congestion. It is a normally unmanned ins tallation. The platform produces
flammable hydrocarbon gas under high pressure. An ignited gas release presents a potentially
significant fire and explosion hazard to personnel, who may be on the platform conducting
maintenance and other activities.
D.2.1
Facility information
The platform is open to the atmosphere on all sides. It is approximately 50 ft in length and 50 ft in
width (15 m by 15 m). The deck is comprised of grated material. The well bay module includes
nine wellheads located as shown in Figure D.6 and Figure D.7. For simplification of this analysis
and for illustrative purposes, other equipment , including piping, instrument connections, and well
control panels, are disregarded. The fluid being processed has been approximated as methane
gas for this example problem. Methane has a lower flammable limit (LFL) of approximately 5%
methane in air.
Figure D.6 – Example: Offshore gas production facility
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 78 -
Figure D.7 – Gas well bay (plan view)
D.2.2
Fire and gas hazard assessment
The hazard analysis employed by the end user of this facility includes an evaluation to determine
if combustible gas detection should be employed. The analysis including the following factors:
•
material processed
•
process pressure and temperature
•
potential sources of combustible gas
•
occupancy of the facility
•
degree of confinement and congestion in the process areas
Because this is a production facility processing flammable gases at high pressure with the potential
presence of personnel on the platform during maintenance activities, the criteria determined the re
was a need for combustible gas detection. A risk analysis was desired to determine if the
unmitigated combustible gas hazard posed a risk high enough to warrant further risk reduction.
The end user’s philosophy for detection and mitigation is to detect gas accumulation at an early
(incipient) stage with automatic shutoff of all wells on the platform. This philosophy guides the
designers to use gas accumulation detection as the basis of design.
Fully quantitative hazard/risk analysis was selected for this application example to determine FGS
risk reduction requirements. The results of step 1 through step 6 will demonstrate a target FGS
risk reduction greater than 10 for scenarios within the basis of design (i.e., early [incipient] stage
gas detection). Hazard scenarios that exceed the FGS design basis were analyzed separately by
major hazards analysis and addressed through means of risk reduction other than the FGS
(AnnexºC). The FGS performance metrics were detector coverage (quantitative), FGS safety
availability (quantitative), and mitigation effectiveness (quantitative).
Step 1 – Identify areas of concern
The area of concern was identified for this facility as the entire deck of the platform containing the
well bay, as shown in Figure D.7.
Copyright 2018 ISA. All rights reserved.
- 79 -
ISA-TR84.00.07-2018
Step 2 – Identify hazards/risk scenarios
The hazard analysis identified a credible potential for leaks to occur from any of the nine gas
wellheads. A range of release sizes are considered credible scenarios. For simplification of this
analysis and for illustrative purposes, the analysis of only o ne risk scenario is included here. The
scenario involves a pinhole leak from the flowline caused by erosive action of the fluid (e.g., sand
production) resulting in a release of combustible gas on the platform. This is the most likely release
scenario that will place a demand on the gas detection system. Other scenarios (not analyzed in
this example) include a large leak and a rupture of equipment.
The leak to be analyzed was idealized as a ¼ -in (6-mm) equivalent hole diameter releasing
flammable methane gas at 1100 psi and 100°F (7600 kPa and 38°C). Because the platform is open
to the atmosphere, the end user wanted an analysis of this hazard that was sensitive to the local
meteorological conditions at the facility, including a variety of typical wind speed s and wind
directions. For the purposes of the example, only two wind speeds were considered: a typical wind
speed of 11 miles/hr (5 m/s) and a low (non-favorable) wind speed of 3.4 miles/hr (1.5 m/s).
Step 3 – Analyze consequences
In this example a range of consequence analysis options were considered, including qualitative
estimates, simplified hazard correlation tables, and gas dispersion modeling. In this case , the gas
dispersion model was selected to analyze the size of the flammable envelope and its p ossible
location with respect to the proposed location of gas detection equipment. The dispersion model
selected allowed for analysis of the flammable profile , and the model was sensitive to the quantity
of material released, the rate of release, and meteo rological conditions.
Gas discharge models were used to calculate the release rate from the ¼ -in (6-mm) diameter hole
under 1100 psi and 100°F (7600 kPa and 38°C) process conditions. The discharge model
calculated a release rate of 0.5 lb/sec (0.23 kg/s). The dispersion model results showed dispersion
in the downwind direction to an end point equivalent to 50% LFL. This value was chosen to
correlate with the sensitivity of the combustible gas detection equipment to be used in this
application.
Results of the gas dispersion model show the potential for a combustible gas accumulation of 20
ft (6 m) in the downwind direction and approximately 10 ft (3 m) in the crosswind direction. Analysis
shows an accumulation of 1900 cubic feet (55 cubic meters). In addition, blast modeling was
conducted to show that this accumulation can result in 3 psig (21 kPa) overpressure of concern on
the structure. The results were obtained under credible meteorological conditions for the facility at
wind speeds of 3.4 miles/hr (1.5 m/s). The model was studied and determined to be relatively
insensitive to atmospheric stability for this example problem and relatively sensitive to assumed
wind speed. Figure D.8 illustrates the output of the gas dispersion and accumulation model.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 80 -
Figure D.8 – CFD gas dispersion and accumulation model
If this accumulation were to occur and the combustible gas cloud was ignited, a vapor cloud fire
could occur. A vapor cloud explosion is credible if this small leak of gas per the basis of design is
not detected early, and the accumulation could increase to the credible maximum of 55 m 3 of gas
within the flammable envelope. Discussion of the parameters impacting the outcome of an ignited
vapor cloud is beyond the scope of this technical report. Refer to CCPS Guidelines for Chemical
Process Quantitative Risk Analysis (reference 2.7) for more information.
The credible consequence of this scenario is a potential loss of life if personnel are present in the
well bay module at the time of the vapor cloud fire/explosion. Based on the expected personnel
staffing, the occupancy of the well bay module is considered to be no more than 2 hours out of
each 24-hour day, or about 8%. This is consistent with a normally unoccupied installation. Per the
end user’s protocols for hazard and risk assessment, the use of conditional modifiers and enabling
factors is permitted.
Step 4 – Analyze hazard frequency
In this example, a range of frequency analysis options were considered , including qualitative
estimates, simplified frequency lookup tables for generic situations, and quantitative analysis of
industry failure and leak data for specific equipment items. In this case, the offshore industry
maintains databases of equipment leak frequencies, and this database contained the appropriate
leak frequency.
The likelihood of a pinhole leak in a single wellhead producing natural gas with the range was
found to be 5E-3 per wellhead-year. A probability of 30% for delayed ignition of high -pressure gas
releases was selected for this release, based on offshore event data for similar releases. The
frequency of a flash fire event is therefore 1.5E-3 per year for a single wellhead. Since there are
nine total wellheads, the total frequency of the flash fire event is nine times the frequency of a
single wellhead, or 1.4E-2 per year.
Lack of normal occupancy on the platform reduces the risk to personnel. In this case, the platform
is occupied only 8% of the time. The hazard scenario is a mechanical integrity failure that has no
apparent correlation
Copyright 2018 ISA. All rights reserved.
- 81 -
ISA-TR84.00.07-2018
its occurrence and the occupancy of the platform. Therefore, there is an 8 % probability that an
ignited release could result in the identified safety consequence to personnel, owing to the low
occupancy.
F unmitigated
= 1.5E-3 per year per wellhead x 9 wellheads x 0.08 occupancy factor
= 1.1E-3 per year risk to personnel
No other protection layers were identified that would reduce the frequency of the hazard.
Step 5 – Assess unmitigated hazard/risk
Based on the operating company’s risk criteria, the likelihood of this consequence severity should
be reduced to less than 1 chance in 10,000 per year (10 -4 per year individual risk of fatality). The
frequency of the hazard scenario without the benefit of the gas detection system was calculated
as 1.1E-3 per year (1.1 chance in 1,000 per year). The risk criteria is 1E-4 per year. Therefore, the
risk criteria have not been satisfied for the unmitigated hazard/risk.
Step 6 – Identify FGS performance requirements
Based on the results of step 5, a recommendation was made to design a combustible gas detection
and automatic shutdown system that would reduce the risk by a factor of 11. Automatic shutdown
would involve closing well surface safety and wing valves in the event of gas detection. Gas
detection for similar facilities using IR adsorption technology has proven effective. Initial targets
for gas detector coverage was selected as 93% with an FGS safety availability of greater than 98%
based on the unmitigated risk model and the target risk f requency of 1E-04 per year. These are
selected as initial approximations based on the application of the risk model to achieve a risk
reduction greater than 11. Because the safety action for this FGS safety function is process shutoff
and isolation of the segment, the confidence is high that an effective mitigation will occur when the
initiating event is the leak within the basis of design. The initial selection of mitigation effectiveness
is 1.0. See Step 10 for additional considerations. Applying the quantitative risk model (event tree)
was used to determine the likelihood for the unmitigated and mitigated outcomes.
Detection
Coverage
FGS Safety
Availability
Mitigation
Effectiveness
Yes
Likelihood
Safety
Consequence Contribution
1
9.11E-01
0
0.00
0
0.00E+00
1
0.00
1.86E-02
1
0.02
7.00E-02
1
0.07
FGS effectiveness = Detector Coverage x FGS Safety Availability
Weighted Average Consequence
0.09
Yes
0.98
0.93
Hazard Scenario
No
1
0.02
No
0.07
= 0.93 x 0.98 x 1.0
= 0.9114 (91% FGS effectiveness)
Unmitigated Risk
=
=
=
F unmitigated (1 – FGS effectiveness)
1.1E-3 per year x (1 – 0.9114)
1.0E-4 per year
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 82 -
Therefore, a target FGS effectiveness of approximately 0.91 will reduce risk to a level that satisfies
the risk criteria of no more than 1.0E-4 per year.
In addition, the design and implementation of the FGS function with a claimed FGS risk reduction
factor (RRF) greater than 10 will conform to the applicable requirements of ANSI/ISA -84.91.012012 (reference 2.10) and ANSI/ISA-84.00.01-2004 (reference 2.1).
Step 7 – Initial FGS design
The proposed gas detection/shutdown system design is based on expert judgment and heuristics
through applying the prescriptive requirements of the appropriate national standard s and industry
guidelines (Annex B). The design involves the use of open path combustible gas detection with
three detector sets placed on the platform as shown in Figure D.9.
Figure D.9 – Initial gas detection system design: Open path gas detector placement
The gas detectors generate a 4–20 mA signal proportional to the measured gas concentration and
also generate discrete alarms when the combustible gas concentration is detected above a
threshold value as measured in LFL-meters for a detected gas level. The sensor signal is received
by a logic solver, which sends a command to shut down all wells in the well bay when gas is
sensed. This would effectively shut off the source of the combustible gas from the leak point and
mitigate the flammable hazard over a short period of time as the pressure at the source drops.
Combustible gas detectors will be configured with sensitivity that allows for detection of a
combustible gas concentration of 0.5 LFL-meters or greater. This will provide adequate sensitivity
to detect the hazard scenario of concern given the ov erall dimensions of the module and the
proposed location of detectors. The initial design did not specify whether any single detector in
alarm state will cause the shutdown system to activate (e.g., 1ooN voting arrangement), or if
multiple detectors are required to cause isolation. Spurious activation of the FGS does not result
in a hazard but is an undesired event from an economic standpoint.
Copyright 2018 ISA. All rights reserved.
- 83 -
ISA-TR84.00.07-2018
Step 8 – Assess detector coverage
Detector geographic coverage
A computer model was used to analyze geographic coverage consistent with the methodology
shown in Annex B of this technical report. The model generated coverage factors for both a 1ooN
voting arrangement (any single detector has the capability to initiate a shutdown) as well as a
2ooN voting arrangement (two or more detectors are required to be in alarm state to initiate a
shutdown). Graphical output of the model that calculated geographic coverage is provided in
Figure D.10.
Figure D.10 – Gas detector geographic coverage map, initial gas detector layout
The geographic coverage results show that approximately 78 % of the module is covered by one
or more open path gas detectors. The area that is covered by both detectors is much less, in this
case only 21%. In addition, 22% of the module is not in the area covered by any of the three
detectors, meaning a threshold volume of combustible gas at those locations cannot be sensed by
the initial detector layout.
Step 9 – Verify FGS safety availability
The safety function was initially defined to include only one detector to sense the hazard. Thus, a
1oo1 voting architecture was considered. A shutdown of the leaking single wellhead has been
included in the FGS function. In addition, it was specified that functional testing of sensors and the
logic solver will occur at an interval of once per year. Per local regulatory requirements, the
functional test interval of final element valves will occur at an interval of once per month.
Methods and sample calculations on how to calculate PFDavg are included in ISA-TR84.00.02
(reference 2.8). The primary inputs for this activity include device failure rate data and functional
testing intervals. Shut-in of gas wells uses a deenergize-to-trip signal. Using simplified equations,
the resultant PFDavg for the FGS function is 0.015 or an FGS safety availability of 1 – 0.015 =
0.985.
Reliability data for the selected FGS equipment was identified. Any failure rate data used should
be in conformance with ANSI/ISA-84.00.01-2004 (reference 2.1).
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
Device Type
Open path IR gas detector
FGS logic solver
Wellhead shut-in valve
including final element interface
- 84 Dangerous Undetected
Failure Rate λDU (per hour)
2.0E-06
1.0E-07
1.4E-06
Proof Test
Interval
12 months
12 months
12 months
To calculate the FGS safety availability for the function, the PFDavg should be calculated for each
of the FGS function components.
The 1oo1 PFDavg equation was used. The PFDavg for the open path IR gas detectors is calculated
as follows:
𝑃𝐹𝐷𝐴𝑉𝐺 =
𝜆 𝐷𝑈 *𝑇𝐼
2
Simplified equation for 1oo1 voting configuration from ISA-TR84.00.02 (reference 2.8)
For this example, the equation becomes:
PFD AVG  DU *TI  1.00E  06 * (1* 8760)  8.8E  03
For the SIL certified logic solver, the PFDavg at the prescribed test interval was taken from the
vendor’s safety manual as 4.4E-4.
For the final element (ESD valve), the PFDavg is calculated using the simplified 1oo1 equation
from ISA TR84.00.02 (reference 2.8).
PFD AVG 
 DU *TI 1.4 E  06 * (8760)

 6.1E  03
2
2
Subsystem
Sensor
FGS logic solver
Final element
PFDavg
8.8E-3
4.4E-4
6.1E-3
Total
1.5E-2
FGS Component(s)
IR gas detectors
Safety PLC
Wellhead shut-in
valves
98.5% safety
availability
Step 10 – Verify Effectiveness of FGS Actions
Actions taken by the FGS can be manually or automatically initiated and can affect a wide variety
of systems. This example considers automatic shutdowns that involve the closing of well surface
safety and wing valves in the event of early (incipient) gas detection. If successful, this action will
result in a state that meets the risk acceptance criteria (i.e., a small flash fire instead of a vapor
cloud explosion with a severe impact to the platform and personnel). The probability of failure of
these actions is incorporated in the FGS safety availability analysis. Therefore, a mitigation
effectiveness of 1.0 is used in this design.
Step 11 – FGS effectiveness (Mitigated Risk)
The frequency of the hazard scenario with consideration of the benefit of the gas detection system
(detector coverage, FGS safety availability, and mitigation action effectiveness) was calculated as
shown in Figure D.11. The initial calculation was performed using the detector (scenario) coverage
and 1ooN voting arrangement.
Copyright 2018 ISA. All rights reserved.
- 85 -
Detection
Coverage
FGS Safety
Availability
ISA-TR84.00.07-2018
Mitigation
Effectiveness
Likelihood
Yes
Yes
Yes
1
7.68E-01
0
0.00E+00
0.985 No
0.78
Hazard Scenario
No
1
0.015
1.17E-02
No
0.22
2.20E-01
Figure D.11 – Mitigated risk assessment: existing detector layout
FGS effectiveness = Detector Coverage x FGS Safety Availability x Mitigation Action Effectiveness
= 0.78 x 0.985 x 1.0
= 0.768 (77% FGS effectiveness)
Unmitigated Risk
=
=
=
F unmitigated (1 – FGS effectiveness)
1.1E-3 per year x (1 – 0.768)
2.5E-4 per year
The design reduces the risk of the unmitigated hazard by a factor of 1/(1 – 0.768) or a risk reduction
of about 4.
The overall likelihood of the hazard scenario was calculated as 2.5E-4 per year (a 2.5 chance in
10,000 per year). This remains a factor of 2.5 above the maximum likelihood that was selected for
this scenario of 1 chance in 10,000 per year (10 -4 per year individual risk of fatality). Therefore,
the risk has improved over the unmitigated design, but the risk criteria have not been satisfied with
the initial design.
Modify FGS design (iteration of Step 7 through Step 11)
Since the risk criterion was not satisfied by the initial gas detection design, the design was modified
to meet this objective. Options that should be explored include the following:
•
adding one or more additional gas detectors to increase detector coverage
•
increasing the frequency of functional tests of the existing system design to increase FGS
safety availability
In this case, the end user wanted to analyze the problem with an open path gas detector located
south of the nine wells in addition to the existing three detectors. The additional detector is
positioned in a manner that would detect gas from wells in an unfavorable wind condition (e.g.,
wind blowing from the northwest). Figure D.12 shows the modified detector layout. The coverage
model was rerun for this scenario, and the results are shown below in Figure D.13.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 86 -
Figure D.12 – Modified gas detector layout
Figure D.13 – Gas detector geographic coverage map, modified gas detector layout
The results for the modified detector layout show that the approximately 97% of possible hazard
scenario outcomes are covered by the detector layout and can be sensed by at least one detector
(1ooN voting). The application of the quantitative risk model (event tree) shows the calculation of
the likelihood of the unmitigated and mitigated outcomes.
Copyright 2018 ISA. All rights reserved.
- 87 Detection
Coverage
FGS Safety
Availability
ISA-TR84.00.07-2018
Mitigation
Effectiveness
Likelihood
Yes
Yes
Yes
1
9.55E-01
0
0.00E+00
0.985 No
0.97
Hazard Scenario
No
1
0.015
1.46E-02
No
0.03
3.00E-02
FGS effectiveness = Detector Coverage x FGS Safety Availability x Mitigation Action Effectiveness
= 0.97 x 0.985 x 1.0
= 0.955 (96% FGS effectiveness)
Unmitigated Risk
=
=
=
F unmitigated (1 – FGS effectiveness)
1.1E-3 per year x (1 – 0.96)
4.4E-5 per year
The design reduces the risk by a factor of 1/(1 – 0.96) or a risk reduction of about 25.
The overall likelihood of the hazard scenario was reduced in the modified layout to 4.4E-5 per year
(a 4.4 chance in 100,000 per year). This is below the maximum risk that was selected for this
scenario of 1 chance in 10,000 per year (10 -4 per year individual risk of fatality). Therefore, the
risk criteria have been satisfied with the modified design using four detectors.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
D.3
- 88 -
Application example – Toxic (H 2 S) gas detection in onshore gas processing
plant
This example involves toxic gas detection in an onshor e gas processing plant. The process
includes hydrocarbon gas containing hydrogen sulfide (H 2 S). A process gas release to the
atmosphere presents an acute toxicity hazard to workers.
D.3.1
Facility information
The plant contains an operating unit in which gas is processed under pressure. The unit is
approximately 100 ft in length and 100 ft in width. The plant contains two separator vessels, a
pump and a compressor, as shown in Figure D.14. For simplification of this analysis and for
illustrative purposes, other equipment, including piping, instrument connections, and well control
panels, are disregarded. The fluid being processed has been approximated as propane gas with
1% H 2 S (10,000 ppm H 2 S v/v) for this example. H 2 S has an acute toxicity concentration of concern
of 100 ppm (v/v), which is the concentration immediately dangerous to life and health (IDLH). H 2 S
can be detected at concentrations as low as 10 ppm using available detector technologies .
Figure D.14 – Example: Onshore gas processing facility
D.3.2
Hazard assessment
The end user’s philosophy of toxic gas detection is to detect concentrations of gas that could be
hazardous to personnel, so that action can be taken to evacuate personnel to safety within 15
minutes. Early (incipient) and effective detection allows personnel to evacuate, take shelter, and
respond by safely shutting down the process. The philosophy requires identifying leak/release
sources and size and locating detectors in the correct proximity and orientation of release sources
in order to provide early (incipient) indication of a hazard. Based on these philosophy elements,
the decision is to detect credible releases by strategically placing detection equipment in proximity
to release sources to mitigate the size, extent, and duration of the H 2 S gas hazard.
Step 1– Identify areas of concern
One area of concern was identified for this example problem, the gas compressor C-104. Because
this facility contains significant concentrations of H 2 S in the process gas, screening criteria
determined the need for toxic (H 2 S) gas detection.
Copyright 2018 ISA. All rights reserved.
- 89 -
ISA-TR84.00.07-2018
Step 2 – Identify hazards/risk scenarios
The hazard analysis identified a credible potential for leaks to occur from the compressor seal,
resulting in the release of flammable and toxic gas. Personnel are potentially subject to an acute
toxic hazard due to routine occupancy in the process area. Because the process is open to the
atmosphere, the actual hazard at the time of a release will be sensitive to the local meteorological
conditions at the facility, including a variety of typical wind speeds and wind directions.
A range of release sizes are considered credible. To simplify this example, the analysis of only
one risk scenario is included. The scenario involves a release from the compressor seal (full seal
failure, annular release), resulting in a release of propane gas containing 1% H 2 S. This is the most
likely release scenario that will place a demand on the gas detection system. The leak to be
analyzed is represented as a ½-in (12-mm) equivalent hole diameter releasing process gas at
compressor discharge pressure of 500 psig and 100°F. Gas discharge models were used to
calculate the release rate. The discharge model calculated a total release rate of 3 lb/sec (1.4
kg/s) of process gas containing 1% H 2 S.
Step 3 – Analyze consequences
Gas dispersion modeling was conducted to analyze the size and extent of the toxic gas hazard
and compare it with the proposed location of H 2 S gas detection equipment. The dispersion model
selected allowed for analysis of the toxic concentration in the downwind direction and cross-wind
direction based on similarity modeling, and the model was sensitive to the quantity of material
released, the rate of release, and local meteorological conditions. For the purposes of the example ,
only one wind speed of 3.4 miles/h (1.5 m/s) was evaluated. The dispersion model results showed
dispersion in the downwind direction to an end point of 10 ppm H 2 S. This value was chosen to
correlate with the sensitivity of the H 2 S gas detection equipment to be used in this application.
Life-threatening concentration (700 ppm H 2 S) and injury concentration (100 ppm H 2 S) end points
were also modeled.
Results of the gas dispersion model show the potential for a toxic gas envelope of dimensions
20ºft (6 m) in the downwind direction and approximately 3 ft (1 m) in the crosswind direction. This
result was obtained under “typical” meteorological conditions for the facility with wind speed
3.4ºmiles/h (1.5 m/s) and neutral atmospheric stability. The model was studied and determined to
be relatively insensitive to atmospheric stability for this example problem and relatively sensitiv e
to assumed wind speed.
Figure D.15 illustrates the output of the gas dispersion model, including the cloud footprint in the
downwind and crosswind directions.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 90 -
Figure D.15 – H 2 S gas dispersion model: Profile view and footprint view
If this release occurred and the combustible gas cloud was not ignited, the outcome would be a
toxic gas hazard. The dispersion model shows a hazard distance of approximately 150 ft in the
downwind direction to the 100 ppm IDLH end point. Further, the detectable concentration of
10ºppm extends further to a distance of approximately 600 ft, and measures about 80 ft maximum
in the crosswind direction at a distance of 300 ft downwind. The credible consequence of this
scenario is a potentially life-threatening injury to a single person if present near the compressor at
the time of the release.
Step 4 – Analyze hazard frequency
In this example, a quantitative analysis of industry failure and leak data for specific equipment
items were used. The likelihood of seal failure from a centrifugal compressor was found to be 1E 2 per year. Per the end user’s protocols for hazard and risk assessment, the use of conditional
modifiers and enabling factors is permitted. The lack of normal occupancy reduces the risk to
personnel. In this case, the process area is occupied only 4% of the time. The hazard scenario is
a mechanical integrity failure that has no apparent correlation between its occurrence and the
occupancy of the area. Therefore, there is a 4% probability that a gas release results in the
identified safety consequence, owing to the low occupancy.
Step 5 – Assess unmitigated hazard/risk
F unmitigated
= 1E-2 per year x 0.04 occupancy factor
= 4E-4 per year risk to personnel
No other protection layers were identified that would reduce the frequency of the hazard.
Based on the operating company’s risk criteria, the likelihood of this consequence severity should
be reduced to less than three chances in 100,000 per year (3E-5 per year individual risk of fatality).
The frequency of the hazard scenario without the benefit of the H 2 S gas detection system was
calculated as 4E-4 per year (four chances in 10,000 per year). The risk of the scenario is a factor
of 13 higher than the risk criteria of 3E-5 per year. Therefore, the risk criteria have not been
satisfied for the unmitigated situation.
Copyright 2018 ISA. All rights reserved.
- 91 -
ISA-TR84.00.07-2018
Step 6 – Identify FGS performance requirements
The gap between unmitigated and tolerable risk is a factor of 15. Therefore, the performance target
is an FGS effectiveness of 93%, requiring a risk reduction factor (RRF) of 15 or more in the FGS
performance.
The design and implementation of this FGS function with claimed FGS RRF in excess of 10 will be
in conformance with the applicable requirements of ANSI/ISA -84.91.01-2012 (reference 2.10),
ANSI/ISA-18.2-2016 (reference 2.19), and ANSI/ISA 84.00.01-2004 (reference 2.1).
Step 7 – Initial FGS design
The initial gas detection design is based on factors in Annex B.5. The design involves the use of
point H 2 S gas detection (electrochemical type) with three detector sets placed in the process as
shown in Figure D.16. This is the preferred equipment used by this facility, because it has prior
use experience.
Figure D.16 – Initial H2S gas detector layout, point electrochemical H 2 S gas detector
placement
H 2 S gas detectors generate a 4-20 mA signal proportional to the measured H 2 S gas concentration,
and also generate alarms when the toxic gas concentration is detected above a threshold value of
10 ppm (v/v). The sensor signal is received by a logic solver, which annunciates audible and visual
alarms in the process area and control room . This gives personnel the opportunity to evacuate the
facility and would mitigate the toxic hazard. Toxic gas detectors will be configured with a sensitivity
that allows for detection at a gas concentration of 10 ppm or greater. This will provide adequate
sensitivity to detect the hazard scenario of concern. The design specifies that a single detector in
alarm state will cause the alarm system to activate (e.g., 1ooN voting arrangement).
Step 8 – Verify detector coverage
A range of possible scenario outcomes was considered that addressed the possibility that the gas
cloud would disperse downwind from the release location and could be oriented in any of the 16
postulated wind directions. In each case, the determination was made whether or not any of the
gas detectors were positioned to sense the toxic gas. A computer model was used to aid in
conducting coverage mapping. The results of detector (scenario) coverage method was selected
because it is sensitive to the layout of the detectors with respect to the prevailing wind.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
Scenario
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Total
- 92 Initiating
Frequency
(per yr)
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.6E-01
Directional
Conditional
Detected Detector Detector
by FGS
Coverage Frequency
Wind Direction Probability
N
2.9E-02 Yes
1.0
2.9E-02
NNE
4.9E-02 No
0.0
0.0E+00
NE
7.8E-02 No
0.0
0.0E+00
ENE
2.9E-02 No
0.0
0.0E+00
E
9.7E-03 Yes
1.0
9.7E-03
ESE
9.7E-03 Yes
1.0
9.7E-03
SE
5.8E-02 Yes
1.0
5.8E-02
SSE
2.9E-02 Yes
1.0
2.9E-02
S
4.9E-02 No
0.0
0.0E+00
SSW
1.9E-01 No
0.0
0.0E+00
SW
1.7E-01 No
0.0
0.0E+00
WSW
1.1E-01 Yes
1.0
1.1E-01
W
8.7E-02 Yes
1.0
8.7E-02
WNW
7.8E-02 No
0.0
0.0E+00
NW
1.9E-02 Yes
1.0
1.9E-02
NNW
9.7E-03 Yes
1.0
9.7E-03
Detector Scenario Coverage
35.9%
Figure D.17 – Scenario coverage analysis for initial detector layout
A probabilistic distribution of wind was obtained and shown in Figure D.18.
Figure D.18 – Probabilistic wind distribution (wind rose)
Detector scenario coverage
A computer model was used to analyze coverage consistent with the methodology shown in
AnnexºB.2 of this technical report. The model generated a coverage factor for a 1ooN voting
arrangement (any single detector causes alarm).
Copyright 2018 ISA. All rights reserved.
- 93 -
ISA-TR84.00.07-2018
Unmitigated risk of toxic gas hazard
Mitigated risk of toxic gas hazard, scenario
coverage (1ooN)
Figure D.19 – Toxic gas (H 2 S) detector scenario coverage map, initial detector layout
The coverage calculation results show that approximately 36 % of the possible outcomes are
covered by detectors. This means the detector coverage is 36%.
Step 9 – Verify FGS safety availability
The safety function was initially defined to include a sufficiency criteria for one detector to sense
a hazard. Thus, a 1ooN voting architecture was considered. In addition, it was assumed that
functional testing of sensors and the logic solver occurs at an interval of once per year. F inal
element (audible and visual alarms) functional testing occurs at an interval of once per month.
Methods for calculating the PFDavg are adequately described in ISA-TR84.00.02 (reference 2.8).
Using simplified equations, the resultant PFDavg for the FGS function is 0.01 or an FGS safety
availability of 1–0.01 = 0.99. This includes sensors (1oo1 gas detector with diagnostics), logic
solver (SIL 2 certified), and the final element (1oo2 visual and audible annunciation).
Step 10 – Verify effectiveness of FGS actions
This facility undergoes annual evacuation drills. Based on the drill performance record, on average
one or more individuals do not evacuate in a timely manner 20% of the time. As a result , the initial
design uses a mitigation action effectiveness of 80% for the evacuation response.
Step 11 – FGS effectiveness (mitigated risk)
The frequency of the hazard scenario considering the benefit of the gas detection system (detector
coverage and FGS safety availability) was calculated as shown in Figure D.19.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 94 -
FGS effectiveness = Detector Coverage x Safety Availability x Mitigation Action Effectiveness
= 0.36 x 0.99 x 0.8
= 0.285 (28% FGS effectiveness)
Unmitigated Risk
=
=
=
F unmitigated (1 – FGS effectiveness)
3.0E-4 per year x (1 – 0.285)
2.1E-4 per year
The overall likelihood of the hazard scenario was calculated as 2.1E-4 per year (a 2.1 chance in
10,000 per year). This is above the maximum likelihood that was selected for this scenario of two
chances in 100,000 per year (2x10 -5 per year individual risk of fatality). Therefore, the risk has
improved over the unmitigated design, but the risk criteria have not been satisfied with the
proposed FGS design.
This is insufficient to achieve the desired performance target. Detector cover age and mitigation
action effectiveness should be improved.
Modify FGS design (iterate Step 7 through Step 11)
Since the risk criterion was not satisfied by the initial gas detection design, the design was modified
to meet this objective. Options that should be explored include the following:
•
adding one or more additional gas detectors to increase detector coverage
•
increasing the frequency of functional tests of the existing system design to increase FGS
safety availability
•
increasing the rigor associated with evacuation/sheltering of personnel in the event of H 2 S
alarming
In this case, the end user wanted to analyze the problem with three additional point gas detectors
located in proximity to the compressor C-104, in addition to the existing three detectors.
Figure D.20 – Modified gas detector layout
The modified detector layout allows for detection of additional scenario outcomes ; this is shown in
Figure D.21 and Figure D.22.
Copyright 2018 ISA. All rights reserved.
- 95 -
ISA-TR84.00.07-2018
Figure D.21 – Toxic gas (H 2 S) scenario coverage map for modified detector layout
Scenario
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Seal Failure
Total
Initiating
Frequency
(per yr)
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.0E-02
1.6E-01
Directional
Conditional
Detected Detector Detector
by FGS
Coverage Frequency
Wind Direction Probability
N
2.9E-02 Yes
1.0
2.9E-02
NNE
4.9E-02 Yes
1.0
4.9E-02
NE
7.8E-02 Yes
1.0
7.8E-02
ENE
2.9E-02 Yes
1.0
2.9E-02
E
9.7E-03 Yes
1.0
9.7E-03
ESE
9.7E-03 Yes
1.0
9.7E-03
SE
5.8E-02 Yes
1.0
5.8E-02
SSE
2.9E-02 Yes
1.0
2.9E-02
S
4.9E-02 No
0.0
0.0E+00
SSW
1.9E-01 Yes
1.0
1.9E-01
SW
1.7E-01 Yes
1.0
1.7E-01
WSW
1.1E-01 Yes
1.0
1.1E-01
W
8.7E-02 Yes
1.0
8.7E-02
WNW
7.8E-02 Yes
1.0
7.8E-02
NW
1.9E-02 Yes
1.0
1.9E-02
NNW
9.7E-03 Yes
1.0
9.7E-03
Detector Scenario Coverage
96.4%
Figure D.22 – Scenario coverage analysis for modified detector layout
The results for the modified detector layout show that 96.4% of possible hazard scenario outcomes
are covered by the detector layout and can be sensed by at least one detector.
To improve the mitigation action effectiveness, evacuation route labeling has been enhanced,
hazard-specific details have been added to personnel evacuation training, and quarterly drills have
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 96 -
been established with an investigation of insufficient response. As a result, the observed
evacuation performance has improved to 97% success.
FGS effectiveness = Detector Coverage x Safety Availability x Mitigation Action Effectiveness
= 0.964 x 0.99 x 0.97
= 0.926 (92.6% FGS effectiveness)
Unmitigated Risk
=
=
=
F unmitigated (1 – FGS effectiveness)
4.0E-4 per year x (1 – 0.926)
2.97E-5 per year
The overall likelihood of the hazard scenario was calculated as 2.97E-5 per year (a 2.97 chance
in 100,000 per year). This satisfies the risk criteria of 3E-5 per year (3x10 -5 per year individual risk
of fatality). Therefore, the modified FGS design is satisfactory.
Copyright 2018 ISA. All rights reserved.
- 97 -
ISA-TR84.00.07-2018
Annex E  Evaluation of computational fluid dynamics vs. target gas cloud
for indoor gas detection design (reference 2.17)
Computational fluid dynamics (CFD) has been applied in a wide range of industries and has a wide
reach in applications. With respect to engineering, this tool has been applied by professionals in
safety-related fields for decades, notably in building design for complex structures where
compliance with prescriptive building codes is problematic. This is an important point to note when
determining an appropriate application of CFD with respect to gas detection desi gn.
In 1993, the U.K. HSE released OTO 93 002 (reference 2.12), which subsequently became (and
is still widely regarded as) the standard document with respect to gas detection guidance for
partially enclosed volumes. This document allows a geographic gas d etection placement process,
whereby the potential explosion overpressures of a given area can be correlated against a gas
cloud that provides these. This is a standard process for industry external applications, with an
allowance for a performance-based approach with respect to the target cloud one needs to detect.
It is relevant, however, where the environment is reasonably predictable and fully enclosed, to
explore other avenues of design, one of which is the application of CFD modeling to analyze gas
cloud behavior. This also corresponds to the overarching philosophy of CFD application in
determining a specialized application where other methods are not suitable, or the time and cost
required to perform detailed CFD analysis is not of benefit.
An example of this is a standard external offshore/onshore congested processing facility. If the
suitable number of CFD scenarios run reach a number that is recognized as sufficient for the
design (accounting for environmental conditions, number of leak locat ions, and orientations), the
designer will discover that the gas can and does migrate to all areas of the congested zone,
whereby this time and cost would have been better spent determin ing what cloud can cause
damage, and applying gas detection to detect it. Evidence also shows that in these standard
applications, nil wind conditions with slow release rates provide the greatest risk of large vapor
cloud explosions (reference 2.16). This does not exclude the use of CFD, however, as this analysis
is based on standard external applications for which the geographic approach is suitable.
Specialized applications, such as internal processing units with predictable airflow, can be a
potential route for the use of CFD. An example of why this application is specialized includes the
fact that airflow is relatively predictable, meaning the designer can run a limited number of
scenarios with changing environmental data, and which can be classed as a sufficient spread to
account for the differing environment. This cuts the number of scenarios required down to a
suitable number of CFD scenarios from which to assist with gas detector placement.
E.1.1
Computational fluid dynamics modeling
First and foremost, applied CFD modeling tools must be used with caution, and limitations in design
must be fully understood.
These tools allow the user to analyze gas dispersion and the results of ignition of various gas
accumulations based on the surrounding environment (explosion modeling). There are significant
differences, however, between these tools and the inherent capabilities of the model and how the
Navier-Stokes equations are solved/converged. Certain models, for example, are better suited for
momentum-driven releases than others, and certain models cannot account fo r buoyancy as well
as thermally driven fluid flow in transient assessments. Ensuring that an appropriate model is used
is crucial.
Practicing CFD consultants will be aware of these limitations , and it is important to note that many
assumptions are included with any CFD modeling project. As a result of this, engineering judgment
is still vital in achieving an appropriate model and subsequent design . Therefore, these
assumptions must be fully justified and, where appropriate, provide a credible worst -case scenario
to ensure the resulting design is fit for purpose and all associated risk is reduced to as low as
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 98 -
reasonably practicable (ALARP). This can be carried out before reviewing the implications of the
model of gas detection design. If the design process is to be optimized, CFD should be reserved
for special or problematic areas of interest. Overuse in typical spaces or areas is wasteful,
unnecessary, downplays the importance of the FGS safety professional, and is generally applied
for commercial purposes only. This relates back to, for example, fire safety engineering where
these tools are applied in internal complex environments where performance -based methods are
required for design approval, but the environments are predictable enough for CFD fire modelin g
to be an appropriate tool.
For internal locations, good engineering principl es will allow for a design that will be safe both
when the HVAC is in operation (if applicable) and when it is not. Therefore , for occasions where
the HVAC is running, CFD can be utilized to review the probable behavior of the cloud and also
analyze whether the target gas cloud is credible with the HVAC running. This , therefore, gives
insight into how to design the gas detection. Similar assessments can be carried out when the
HVAC is not running or where there are significant dead zones in the airflow. However, due to the
lack of forced ventilation, the pattern of accumulation becomes far more unpredictable. Gas
detection design based on these analyses becomes far more difficult and should consider plume
behavior related to release orientation and plume turbulence (see Figure E.1). The orientation and
specific leak source identified will provide a significant bearing on the behavior of the release;
therefore, it can be challenging to select a credible worst-case leak (reference 2.18).
Figure E.1 – Example plume behavior
Copyright 2018 ISA. All rights reserved.
- 99 -
ISA-TR84.00.07-2018
To include all equipment in a model m ight be too laborious an assessment and therefore the CFD
user will omit equipment from the assessment. It is important that reviewers of the analysis are
aware of this, and the CFD designer is aware of the impact that removing some of these
obstructions will have on the holistic gas detection strategy.
It is also relevant that incomplete geometry models are a significant cause of error in CFD design
that is very difficult to design out. It is not outside the realm of possibility that a dangerous cloud
can be represented as “safe” or “adequately detected” in a CFD review, when in actual fact the
blockages that could cause the problem have been excluded from the model. What appear to be
minute changes in boundary conditions can have a large effect on fluid dynamic outcomes.
Another important point to note is that the applied CFD tool must be appropriately validated on an
appropriate scale for the specific application. If an onshore refinery is being modeled , for example,
it is crucial not to use an unverified CFD tool, as it will likely provide differing res ults from the
typical industry standard tools, which have undergone significant full -scale validation and testing
by independent third-party testing facilities. Much of a CFD tool’s validation is carried out through
the product life, and therefore CFD models in their infancy can provide misleading results and
potentially result in an inadequate design.
The application examples present simulations of a simplified internal environment in order to
represent how CFD modeling can be used to analyze cloud propagation and migration in
atmospheric and HVAC-driven circumstances. What these analys es show is that CFD can be a
useful tool in reviewing the credible behavior of the gas clouds in such an environment where there
are predictable circumstances and the conditi ons of release can be credibly defined to determine
the credible worst-case scenario leak with respect to detection.
E.1.2
Recommendation on application
With respect to internal applications where airflow is dictated by the air change rate provided by
the HVAC system, good gas detection design should be such that it will operate effectively when
the HVAC is working and when it is not in operation. Therefore, one example of a good practice is
to allow for CFD modeling to give an understanding of the nature of the airflow in an indoor
environment, which would provide insight as to whether the target gas cloud that could generate
an explosion overpressure could credibly exist. This would then di ctate whether to apply a
volumetric detection design or one that focused more on the placement within the vicinity of HVAC
ducting (reference 2.19).
The issue of competence is one that must be addressed, as simply having access to the software
is not a qualification to carry out the analysis discussed. The detailed analysis required to
adequately apply CFD modeling to the gas detection placement problem is not addressed in this
TR, and therefore ensuring that the analysis is performed by personnel competent in both FGS
design methodologies and practicalities, as well as the intricacies of CFD analysis , is critical to the
appropriateness of this methodology.
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 100 -
Figure E.2 – Ambient (natural ventilation)
Figure E.3 – Ambient, gas concentration Iso-surface at 60% LFL (section)
Copyright 2018 ISA. All rights reserved.
- 101 -
ISA-TR84.00.07-2018
Figure E.4 – HVAC design 1 (mechanical extract left and right side)
Figure E.5 – HVAC (1), Gas concentration Iso-surface at 60% LFL (section)
Copyright 2018 ISA. All rights reserved.
ISA-TR84.00.07-2018
- 102 -
Figure E.6 – HVAC design 2 (mechanical extract right side only)
Figure E.7 – HVAC (2), Gas concentration Iso-surface at 60% LFL (section)
Copyright 2018 ISA. All rights reserved.
- 103 -
ISA-TR84.00.07-2018
Figures E.1 to E.7 give some context as to the dispersion and mixing levels of the gas in each
ventilation regime. Figure E.7 shows the iso-surface for a 60% lower flammability limit (LFL) gas
concentration in the ambient case. It can be seen that a large volume of the compartment contains
60% LFL.
Figure E.5 shows the same gas concentration iso-surface outlines for HVAC design 1. As
discussed previously, the majority of the gas leak seems to be entrained into the exhaust flow
generated between the left side inlet/exhaust.t as the 60% LFL cloud has been significantly
reduced in volume and area from the ambient case.
Figure E.7 shows the gas concentration iso-surface for HVAC design 2. What is immediately
apparent is that even though a greater bulk fluid movement is achieved across the width of the
compartment, because this leak occurred on the left side (and lost momentum quickly) this left-toright HVAC design appears to distribute the gas t hroughout the compartment to a greater extent
than HVAC design 1. This is certainly true in the case of 60% LFL.
This outcome is of course biased based on the details of this particular gas leak. A similar gas
leak occurring on the right side of the compartment would likely be exhausted much more
effectively by HVAC design 2 than the current leak. Consider further , however, that if the leak did
occur on the right side of the compartment but was in the left-side direction, and did not impinge
upon a solid surface, the jet itself could distribute the gas across the compartment from right to
left. HVAC design 2 would redistribute that gas again from left to right in a similar fashion as
demonstrated here, but with a potentially less desirable concentration distribution.
What can be concluded from a brief overview of these results is that the physical layout of the
space, the attributes and location of the leak , and, of course, the design of the HVAC system (and
whether or not it is operational) can each have a profound impact upon the evolution and
consequence of gas cloud formation following a leak in a process area. One can understand how
congestion might affect species migration and cloud formation and how air currents induc ed by
HVAC systems can affect concentration distribution. One could further study the possibility of
dilution-ventilation, whereby the HVAC system is designed with gas cloud dilution in mind , and one
could gain insight into “dead zones” within the space where dilution of bulk fluid is not sufficiently
achieved.
In practical terms, understanding the inherent limitations of the CFD model results (both the
inherent assumptions and user-input variability), as well as an intrinsic appreciation for the
underpinning science behind the gas detection methodology, allows the user to interpret the results
as an additional piece of information contributing to the best holistic detection arrangement.
What is not advisable, or arguably even practical from the point of vie w of a safety practitioner, is
to use a percentage scoring system from a small number of leak scenarios as a risk -based
justification for detector location. This may result in leaving large volumes of the compartment with
no gas detection. The question of accounting for an almost infinite number of potential leak
outcomes with a finite number of (inherently uncertain) models is an extremely difficult one to
argue and to validate. To demonstrate that all credible leak scenarios have been accounted for
with a limited number of CFD models would be difficult. One would have to categorize leak
scenarios based on a range of attributes , such as orifice size, pressure, direction, location,
impinging upon congestion or unimpeded jet, atmospheric conditions , and inventory details.
Subsequently, an appropriate range of leak models that represent a sufficient cross section of all
credible leaks within each category must be analyzed. Qualifying the definition of what constitutes
a “sufficient cross section” of potential credible cases is a daunting prospect alone, and in all
likelihood, building, analyzing (sensitivity analysis), and running the range of realistic model
scenarios will be a very time-consuming endeavor. Consider further that for even a relatively small
facility review, there can be 20 areas like the one considered here. The costs and time requirement
become disproportionately large for the expected yield or benefit of the study.
Copyright 2018 ISA. All rights reserved.
This page intentionally left blank.
Copyright 2018 ISA. All rights reserved.
Developing and promulgating sound consensus standards, recommended practices, and technical
reports is one of ISA’s primary goals. To achieve this goal the Standards and Practices Department relies
on the technical expertise and efforts of volunteer committee members, chairmen, and reviewers.
ISA is an American National Standards Institute (ANSI) accredited organization. ISA administers United
States Technical Advisory Groups (USTAGs) and provides secretariat support for International
Electrotechnical Commission (IEC) and International Organization for Standardization (ISO) committees
that develop process measurement and control standards. To obtain additional information on the
Society’s standards program, please write:
ISA
Attn: Standards Department
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, N.C. 27709
ISBN: 978-1-64331-036-7
Download