TECHNICAL REPORT ISA-TR84.00.07-2018 Guidance on the Evaluation of Fire, Combustible Gas, and Toxic Gas System Effectiveness Approved August 10, 2018 NOTICE OF COPYRIGHT This is a copyright document and may not be copied or distributed in any form or manner without the permission of ISA. This copy of the document was made for the sole use of the person to whom ISA provided it and is subject to the restrictions stated in ISA’s license to that person. It may not be provided to any other person in print, electronic, or any other form. Violations of ISA’s copyright will be prosecuted to the fullest extent of the law and may result in substantial civil and criminal penalties. ISA-TR84.00.07-2018, Guidance on the Evaluation of Fire, Combustible Gas, and Toxic Gas System Effectiveness ISBN: 978-1-64331-036-7 Copyright © 2018 by ISA. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherw ise), without the prior written permission of the publisher. ISA 67 T.W. Alexander Drive P.O. Box 12277 Research Triangle Park, North Carolina 27709 E-mail: standards@isa.org -3- ISA-TR84.00.07-2018 Preface This preface is included for information purposes and is not part of ISA -TR84.00.07-2018. This technical report has been prepared as part of the service of ISA, the International Society of Automation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA, 67 T.W. Alexander Drive; P.O. Box 12277; Research Triangle Park, N .C. 27709; Telephone (919) 549-8411; Fax (919) 5498288; E-mail: standards@isa.org. This ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the International System of Units (SI) in particular, in the preparation of standards, recommended practices, and technical reports. The Department is further aware of the benefits to users of ISA standards documents of inc orporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, the Department will endeavor to introduce SI and acceptable metric units in all new and revised standards documents to the greatest extent possible. The Metric Practice Guide, which has been published by the Institute of Electrical and Electronics Engineers (IEEE) as ANSI/IEEE Std. 268-1992, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors. It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards. Participation in the ISA standards -making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical reports that ISA develops. CAUTION — ISA DOES NOT TAKE ANY POSITION WITH RESPECT TO THE EXISTENCE OR VALIDITY OF ANY PATENT RIGHTS ASSERTED IN CONNECTION WITH THIS DOCUMENT, AND ISA DISCLAIMS LIABILITY FOR THE INFRINGEMENT OF ANY PATENT RESULTING FROM THE USE OF THIS DOCUMENT. USERS ARE ADVISED THAT DETERMINATION OF THE VALIDITY OF ANY PATENT RIGHTS, AND THE RISK OF INFRINGEMENT OF SUCH RIGHTS, IS ENTIRELY THEIR OWN RESPONSIBILITY. PURSUANT TO ISA’S PATENT POLICY, ONE OR MORE PATENT HOLDERS OR PATENT APPLICANTS MAY HAVE DISCLOSED PATENTS THAT COULD BE INFRINGED BY USE OF THIS DOCUMENT, AND EXECUTED A LETTER OF ASSURANCE COMMITTING TO THE GRANTING OF A LICENSE ON A WORLDWIDE, NONDISCRIMINATORY BASIS, WITH A FAIR AND REASONABLE ROYALTY RATE AND FAIR AND REASONABLE TERMS AND CONDITIONS. FOR MORE INFORMATION ON SUCH DISCLOSURES AND LETTERS OF ASSURANCE, CONTACT ISA OR VISIT: WWW.ISA.ORG/STANDARDSPATENTS. OTHER PATENTS OR PATENT CLAIMS MAY EXIST FOR WHICH A DISCLOSURE OR LETTER OF ASSURANCE HAS NOT BEEN RECEIVED. ISA IS NOT RESPONSIBLE FOR IDENTIFYING PATENTS OR PATENT APPLICATIONS FOR WHICH A LICENSE MAY BE REQUIRED, FOR CONDUCTING INQUIRIES INTO THE LEGAL VALIDITY OR SCOPE OF PATENTS, OR FOR DETERMINING WHETHER ANY LICENSING TERMS OR CONDITIONS PROVIDED IN CONNECTION WITH SUBMISSION OF A LETTER OF ASSURANCE, IF ANY, OR IN ANY LICENSING AGREEMENTS ARE REASONABLE OR NONDISCRIMINATORY. ISA REQUESTS THAT ANYONE REVIEWING THIS DOCUMENT WHO IS AWARE OF ANY PATENTS THAT MAY IMPACT IMPLEMENTATION OF THE DOCUMENT NOTIFY THE ISA STANDARDS AND PRACTICES DEPARTMENT OF THE PATENT AND ITS OWNER. ADDITIONALLY, THE USE OF THIS DOCUMENT MAY INVOLVE HAZARDOUS MATERIALS, OPERATIONS, OR EQUIPMENT. THE DOCUMENT CANNOT ANTICIPATE ALL POSSIBLE Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 -4- APPLICATIONS OR ADDRESS ALL POSSIBLE SAFETY ISSUES ASSOCIATED WITH USE IN HAZARDOUS CONDITIONS. THE USER OF THIS DOCUMENT MUST EXERCISE SOUND PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY UNDER THE USER’S PARTICULAR CIRCUMSTANCES. THE USER MUST ALSO CONSIDER THE APPLICABILITY OF ANY GOVERNMENTAL REGULATORY LIMITATIONS AND ESTABLISHED SAFETY AND HEALTH PRACTICES BEFORE IMPLEMENTING THIS DOCUMENT. THE USER OF THIS DOCUMENT SHOULD BE AWARE THAT THIS DOCUMENT MAY BE IMPACTED BY ELECTRONIC SECURITY ISSUES. THE COMMITTEE HAS NOT YET ADDRESSED THE POTENTIAL ISSUES IN THIS VERSION. ISA ( www.isa.org ) is a nonprofit professional association that sets the standard for those who apply engineering and technology to improve the management, safety, a nd cybersecurity of modern automation and control systems used across industry and critical infrastructure. Founded in 1945, ISA develops widely used global standards; certifies industry professionals; provides education and training; publishes books and technical articles; hosts conferences and exhibits; and provides networking and career development programs for its 40,000 members and 400,000 customers around the world. ISA owns Automation.com , a leading online publisher of automation-related content, and is the founding sponsor of The Automation Federation ( www.automationfederation.org ), an association of nonprofit organizations serving as “The Voice of Automat ion.” Through a wholly owned subsidiary, ISA bridges the gap between standards and their implementation with the ISA Security Compliance Institute ( www.isasecure.org ) and the ISA Wireless Compliance Institute ( www.isa100wci.org ). The following served as active members of ISA84 Working Group 7 in developing this technical report: NAME COMPANY M. Scott, FGS Co-Chair K. Mitchell, FGS Co-Chair I. Barreiro D. Blackburn A. Brier D. Chisholm R. Chittilapilly F. Dagerman R. Dunn L. Garcia C. George I. Gibson N. Gopalaswami P. Goteti M. Hochleitner W. Gutierrez Ramirez P. Gruhn S. Harman F. Hendi P. Herena E. Jandik J. Kallambettu P. Kannan S. King L. Laskowski B. Leong J. McNay E. Marszal aeSolutions Kenexis Consulting Corp Chevron Phillips 66 BriTech Systems Phillips 66 Oil & Natural Gas Corp MSA Safety DuPont Siemens Flint Hills Resources Consultant Honeywell Process Solutions Honeywell Process Solutions SIS-TECH Solutions LP Pryxida Tech aeSolutions Eaton Schneider Electric BakerRisk Chevron Bechtel Petroleum Development Oman Honeywell Emerson Chevron Micropack Ltd. Kenexis Consulting Corp Copyright 2018 ISA. All rights reserved. -5T. Mukoda G. Pajak S. Pate A. Petre M. Ratcliffe E. Revilla E. Roche A. Sahraei P. Seiler R. Seitz E. Sharpe R. Skone K. Szafron A. Summers A. Woltman D. Zetterberg ISA-TR84.00.07-2018 DuPont aeSolutions Det-Tronics Westech Industrial Ltd. Jacobs Engineering & Construction LLC Chevron SIS-TECH Solutions LP BP Emerson ASRC Energy Services Suncor Energy FireBus Systems BP SIS-TECH Solutions LP Consultant Chevron The following served as members of the ISA Standards and Practices Board and approved this technical report on August 10, 2018: NAME M. Wilkins, Vice President D. Bartusiak D. Brandl P. Brett E. Cosman D. Dunn J. Federlein B. Fitzpatrick J.-P. Hauet D. Lee G. Lehmann T. McAvinew V. Mezzano C. Monchinski G. Nasby M. Nixon D. Reed N. Sands H. Sasajima H. Storey K. Unger I. Verhappen D. Visnich I. Weber W. Weidman J. Weiss D. Zetterberg COMPANY Yokogawa UK Ltd. ExxonMobil Research & Engineering BR&L Consulting Honeywell Inc. OIT Concepts, LLC T.F. Hudgins, Inc. - Allied Reliability Group Federlein & Assoc. LLC Wood PLC Hauet.com Avid Solutions Inc. AECOM Consultant Fluor Corp. Automated Control Concepts Inc. City of Guelph Water Services Emerson Process Management Rockwell Automation DuPont Fieldcomm Group Inc. Asia-Pacific Herman Storey Consulting Advanced Operational Excellence Co. Industrial Automation Networks Burns & McDonnell Siemens AG DF FA Consultant Applied Control Solutions LLC Chevron Energy Technology Co. Copyright 2018 ISA. All rights reserved. This page intentionally left blank. Copyright 2018 ISA. All rights reserved. -7- ISA-TR84.00.07-2018 Contents Foreword ...................................................................................................................................................- 9 Introduction..............................................................................................................................................- 11 1 Scope .............................................................................................................................................- 15 - 2 References .....................................................................................................................................- 15 - 3 Definition of terms and acronyms ...................................................................................................- 17 - 4 Risk concepts in FGS design .........................................................................................................- 19 - 5 FGS engineering activities in a project workflow ............................................................................- 40 - Annex A Sample semi-quantitative performance target selection technique ......................................- 43 Annex B Detector coverage assessment techniques ..........................................................................- 53 Annex C Mitigation action effectiveness concept ................................................................................- 63 Annex D Application examples ............................................................................................................- 67 Annex E Evaluation of computational fluid dynamics vs. target gas cloud for indoor gas detection design (reference 2.17) ...........................................................................................................- 97 - Copyright 2018 ISA. All rights reserved. This page intentionally left blank. Copyright 2018 ISA. All rights reserved. -9- ISA-TR84.00.07-2018 Foreword The work to develop this edition of ISA-TR84.00.07 began in 2014 and was completed in 2018. At the same time, the functional safety standard ANSI/ISA 84.00.01 -2004 was undergoing updates in parallel with IEC 61511. The ISA84 Fire and Gas Working Group main tained awareness of committee activities associated with modifying the governing standards. The scope of updates to the 2nd Edition of this technical report was limited by the ISA84 committee, and it was not in the working group’s charter to align this edition of the technical report with the subsequent issuance of ISA’s functional safety standard. This technical report describes how the underlying principles of the functional safety standards can be applied to fire and gas systems. Those same underlying principles that were used to develop the guidance in the technical report remain consistent in the new issuance of IEC 61511 2016 and ANSI/ISA-61511-2018 (replacing ANSI/ISA-84.00.01-2004). Because of the timing associated with approval and publication, this technical report retains the references to ANSI/ISA 84.00.01-2004. At the time of publication, the working group provides this acknowledgment that the recent publication of ANSI/ISA-61511-2018 retains the same scope, application and underlying principles associated with fire and gas systems. ISA-TR84.00.07-2018 is intended for use in evaluating the effectiveness of fire and gas systems (FGSs) in process industry applications. It addresses the implementation of FGSs to reduce the risk of hazardous releases involving safety impact. NOTE Users can choose to apply the concepts in this technical report to environmental and/or operational loss scenarios. ISA-TR84.00.07-2018 is provided for information purposes only and is not part of ANSI/ISA 84.00.01-2004 (IEC 61511 Modified) (reference 2.1). ANSI/ISA-84.00.01-2004 and IEC 61511 (reference 2.9) are performance-based standards that provide the minimum requirements for designing and managing a safety instrumented system (SIS). As part of the safety lifecycle, the functional and integrity requirements are established for safety functions that reduce the risk of hazardous events identified using a hazard and risk analysis. Guidance is provided in Part 3 of either ANSI/ISA -84.00.01-2004 or IEC 61511 on the various methods used to evaluate risk and allocate risk reduction to identified safety functions. An underlying assumption in all of the methods is that the identified safety functions are capable of achieving the allocated risk reduction in the operating en vironment. The scope of ANSI/ISA-84.00.01-2004 covers electrical / electronic / programmable electronic systems for use in safety applications. Accordingly, the ISA84 committee develops standards and technical reports to provide guidelines for the implementation of automated (or instrumented) systems in safety applications. The purpose of ISA-TR84.00.07-2018 is to provide guidance on how to evaluate the effectiveness of identified FGS functions in a manner that is consistent with the underlying principles of ANSI/ISA-84.00.01-2004. FGS functions that are identified as safety controls, alarms, or interlocks should be implemented according to the applicable requirements of ANSI/ISA-84.91.01-2012 (reference 2.10) and ANSI/ISA-84.00.01-2004, based on the degree of risk reduction being claimed for the FGS function, in addition to relevant application specific practices. For example, FGS functions should be implemented per applicable requirements in the following standards, based on the risk reduction needed: • General fire and gas system safeguards with no specific risk reduction claimed should be implemented per application-specific standards from local jurisdiction having authority. • FGS functions with claimed FGS risk reduction factor (RRF) less than or equal to 10 should be implemented per applicable requirements of ANSI/ISA-84.91.01-2012, Safety Controls, Alarms and Interlocks in the Process Industries. • FGS function with claimed FGS risk reduction factor (RRF) in excess of 10 should be implemented per the applicable requirements of ANSI/ISA-84.91.01-2012 and ANSI/ISACopyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 10 - 84.00.01-2004 (based on IEC 61511 compliance, which includes consideration f or IEC 61508 compliance and/or end-user prior use approval of sensor, logic solver and final element subsystems). Prescriptive approaches for the design of some/all components of a n FGS are provided in recognized and generally accepted good engineering practices (ref erence 2.2 and 2.3) for certain applications. In complex hazard scenarios, especially those involving high -risk exposure (e.g., offshore oil and gas installations), and in situations where no other prescriptive guidance is available, supplementing these practices with performance-based analysis can result in an improved design with more effective coverage and lower probability of FGS failure. It is ultimately the user’s decision on when to apply performance-based approaches. Nothing in this technical report suggests the prescriptive practices are invalid or that they should not be followed as required by local jurisdictional authorities. The concepts underlying a performance -based approach are suitable to the analysis and design of FGSs in process industries, and these principles can be used effectively in conjunction with other good engineering practices. THE EXAMPLE RISK ANALYSIS METHODS AND RISK CRITERIA CONTAINED IN THIS TECHNICAL REPORT HAVE BEEN PROVIDED SOLELY AS EXPLANATORY MATERIAL AND SHOULD NOT BE INTERPRETED AS RECOMMENDATIONS. ALSO, THE EXAMPLE FGS ARCHITECTURES, DETECTOR COVERAGES, AND MITIGATION EFFECTIVENESS REPRESENT POSSIBLE SYSTEM CONFIGURATIONS AND SHOULD NOT BE INTERPRETED AS RECOMMENDATIONS. THE CONFIGURATIONS USED IN ACTUAL APPLICATIONS ARE SPECIFIC TO THE OPERATING ENVIRONMENT AND PROCESS CONDITIONS IN WHICH THEY ARE USED. AS SUCH, NO GENERAL RECOMMENDATIONS CAN BE PROVIDED THAT ARE APPLICABLE IN ALL SITUATIONS. THE USER OF THIS TECHNICAL REPORT IS CAUTIONED TO CLEARLY UNDERSTAND THE ASSUMPTIONS AND DATA ASSOCIATED WITH THE METHODOLOGIES IN THIS DOCUMENT BEFORE ATTEMPTING TO UTILIZE THE METHODS PRESENTED HEREIN. Users of ISA-TR84.00.07-2018 will include: • Vendors, end-users, and consultants who are applying the performance-based concepts to FGS functions, in addition to other applicable good engineering practices . • Hazard and risk analysis teams that are allocating risk reduction to FGS functions. • FGS designers who want to understand the impact of detector coverage and mitigation effectiveness on the integrity of FGS functions. • Any additional entities who wish to gain further insight into performance based FGS design concepts. Copyright 2018 ISA. All rights reserved. - 11 - ISA-TR84.00.07-2018 Introduction The ISA84 standards committee formed a working group to study the analysis and design processes that are commonly used in the process industry for fire and gas systems (FGSs) and to provide guidance on how these processes can be adapted to i ncorporate performance-based concepts. FGSs, as they are considered in this report, are a subset of industrial automation and control systems that are employed in the process industries for the purpose of detecting loss of containment of hazardous materials from the process and initiating a response to mitigate the release impact. Loss of containment can be a small leak or a catastrophic release. It can be detected by measuring the presence of the released materials (e.g., gas concentration) or inferred from the effects of the release (e.g., thermal radiation from a fire) . Detection methods considered in this technical report can include detection of combustible gas, toxic gas, smoke, flame, acoustic emission, or rapid heat rise in areas adjacent to the process itself and in critical areas, such as occupied buildings or buildings with unrated electrical equipment. Detector coverage and associated detection capability var y substantially depending on the hazard scenario and the characteristics of the detector. Actions taken by the FGS can be manually or automatically initiated and can affect a wide variety of systems, such as sheltering in place or evacuation in response to audible and visual alarm indications; water deluge; fire suppressant initiation; manipulation of heating, ventilation, and air conditioning (HVAC) system equipment; process isolation; or process depressurization. Similar to detection capability, the effectiveness of these mitigative actions is highly scenario dependent. Use of performance-based design is not widely adopted for FGSs within the process industries. However, ANSI/ISA-84.00.01-2004 or IEC 61511 can be employed as a design basis for mitigative fire and gas safety functions by considering the following definitions from ANSI/ISA-84.00.01-2004 or IEC 61511: mitigation action that reduces the consequence(s) of a hazardous event NOTE 1 Examples include emergency depressurization on detection of a confirmed fire or gas leak. prevention action that reduces the likelihood of occurrence of a hazardous event protection layer any independent mechanism that reduces risk by control, prevention , or mitigation NOTE 1 It can be a process engineering mechanism such as the size of vessels containing hazardous chemicals, a mechanical mechanism such as a relief valve, a SIS, or an administrative procedure such as an emergency plan against an imminent hazard. These responses may be automated or initiated by human actions. [SOURCE: IEC 61511-1:2016, Definition 3.2.61, modified – reference to Figure 9 removed from Note 1] safety function function to be implemented by one or more protection layers, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event NOTE 1 The safe state of the process for each identified safety function is defined such that a stable state has been achieved and the specified hazardous event has been avoided or sufficiently mitigated. [SOURCE: IEC 61511-1:2016, Definition 3.2.69, added Note 1, derived from 10.3.1.d] safety instrumented function (SIF) safety function to be implemented by a safety instrumented system (SIS) NOTE 1 A SIF is designed to achieve a required SIL, which is determined in relationship with the other protection layers participating in the reduction of the same risk. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 12 - There are two broadly different philosoph ical approaches used in the process industries for establishing design requirements to ensure the availability and effectiveness of FGS s: prescriptive and performance-based. The choice of design method is an owner/operator decision. FGSs have traditionally been designed and implemented according to various good engineering practices, such as NFPA 72 (reference 2.2) and EN 54 (reference 2.3). These prescriptive practices do not require evaluation of the risk reduction capability of the FGS as measured by its safety integrity and probability of failure on demand (PFD), nor do they consider quantitative measures for detector coverage. A performance-based approach consistent with the ANSI/ISA-84.00.01-2004 or IEC 61511 is attractive because it builds on the strength of the existing standard. However, without guidance, a performance-based approach has historically been challenging to apply to FGS design due to several factors. Traditional hazard and risk analysis techniques are suited for hazards related to process deviations from normal operation. These process hazards have known initiating causes and consequences, allowing the safety function to be specifically designed to detect the event and to respond by achieving or maintaining a safe state of the process . FGSs are typically implemented to reduce the risk of general loss of containment, such as leaks from equipment seals, flanges, and piping, and are often not associated with a specific hazardous scenario. These hazards can be difficult to define and analyze and often require the use of advanced risk analysis techniques, such as gas dispersion, fire, and explosion modeling. Most often FGSs do not prevent hazardous consequences from occurring, but rather mitigate the effects of an event that has already occurred. FGSs typically reduce the magnitude and severity of the consequence instead of eliminating it. Typical hazard and risk analysis assumes that the identified safety function eliminates the consequence. Therefore, it is important to understand and evaluate the hazard scenario resulting from FGS operation to ensure that the residual risk is acceptable. An FGS can provide poor risk reduction due to an inadequate detection rate. An analysis by Health and Safety Executive (HSE) of eight years of hydrocarbon release data (reference 2.4) showed that the effective detection rate was about 60%. The detection of many releases was significantly delayed, leading to higher consequences than expected. Even if very high integrity can be achieved by the hardware design and testing (e.g., low average probability of failure on demand), sufficient reduction in risk will not occur unless the detector coverage is also very high. For FGS functions, detector coverage should be analyzed with the same (if not more) quantitative rigor as the verification of the average probability of failure on demand for the hardware design. FGS effectiveness is also related to the ability of the mitigation elements (e.g., fire water system, ventilation system, process isolation) to function in a way that reduces hazardous consequences predictably. Mitigation can include • stopping the process • diverting the hazardous material • applying fire water with the appropriate flow and spray characteristics • activating alarms notifying personnel to shelter in place or evacuate As in the case of detector coverage, the effectiveness of the mitigative actions is dependent on many situational or scenario-specific factors. As a result of these complexities, initiating an FGS’s action might not necessarily mean that the consequence can be fully mitigated. As a result of these factors, a comprehensive approach to the hazard and risk analysis is indic ated, as it is often difficult to develop a sound technical justification for allocating risk reduction to FGS functions using a simplified risk assessment process, such as layer of protection analysis (LOPA) Copyright 2018 ISA. All rights reserved. - 13 - ISA-TR84.00.07-2018 (reference 2.5 and 2.6). The identification of FGS functions and allocation of performance targets to them requires hazard and risk considerations that are beyond typical LOPA implementation. Furthermore, FGS performance verification should include evaluation of the detector coverage and consider the effectiveness of the mitigative actions and the safety availability of FGS hardware and software design. This ISA technical report describes the analysis that should be undertaken and the effectiveness criteria that should be specified when an FGS is implemented in a safety application. The report integrates performance-based fire and gas system design techniques into the applicable portions of the safety life cycle described in either ANSI/ISA-84.00.01-2004 or IEC 61511. The report also discusses the development of detector-coverage criteria applicable to each FGS function and includes a series of application examples (Annex D) that illustrate the techniques used to develop and verify the detector coverage and mitigation effectiveness. Copyright 2018 ISA. All rights reserved. This page intentionally left blank. Copyright 2018 ISA. All rights reserved. - 15 - ISA-TR84.00.07-2018 1 Scope This technical report is informative and does not contain any mandatory requirements. This technical report is intended to be used in conjunction with other good engineering practices applicable to FGS installations. It is not intended to stand alone or be a replacement for ap plicationspecific practices. ISA-TR84.00.07 is a derivative of the ANSI/ISA-84.00.01-2004 (IEC 61511 Mod) standard with application to process industries. This technical report is intended to address detection and mitigation of fire, combustible gas, and toxic gas hazards in process areas. Fire detection and mitigation within nonprocess areas is outside the scope of this document. This technical report is intended to: • Be used by those with a thorough understanding of ANSI/ISA -84.00.01-2004. • Clarify the additional information that should be considered when developing a performance based FGS design. This includes integrating the design activities into relevant portions of the safety life-cycle model. • Clarify how to define FGS functions within typical FGS designs where automatic action is taken as a result of detection of a fire or gas event. • Provide example scenario assessments to demonstrate the application of performance-based concepts to the analysis and design of FGSs. • Demonstrate that any coverage or effectiveness factor below 90% results in an FGS risk reduction factor of less than 10 of the FGS design. • Offer a performance-based methodology—for facilities using a prescriptive methodology (e.g., API-14C or API 14G) (reference 2.20 and 2.21) to allocate fire and gas detection. The methodology provides considerations for how to improve fire and gas effectiveness . The performance-based design process described in this TR can provide more effective hazard detection and detector placement in cases where fusible plugs (fire) may be needed. • Define a methodology that addresses the design and effectiveness of FGS mitigative functions that is consistent with the underlying principles used to design and assess the effectiveness of preventative functions. 2 References 1. ANSI/ISA-84.00.01-2004 (IEC 61511 Mod), Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1, 2 & 3, International Society of Automation, Research Triangle Park, N.C., 2004. 2. NFPA 72, National Fire Alarm Code, National Fire Protection Association, 2016. 3. EN 54-2: 1997 Fire Detection and Fire Alarm Systems Part 2: Control and Indicating Equipment. 4. HSE Offshore Fire and Explosion Strategy – Issue 1; http://www.hse.gov.uk/offshore/strategy/fgdetect.htm . 5. CCPS/AIChE, Layer of Protection Analysis: Simplified Process Risk Assessment, First Edition, New York, 2001. 6. CCPS/AICHE, Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis, First Edition, New York 2015. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 16 - 7. CCPS/AIChE, Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition, New York, 1999. 8. ANSI/ISA-TR84.00.02, Safety Instrumented Systems (SIS) – Safety Integrity Level (SIL) Evaluation Techniques, International Society of Automation, Research Triangle Park, N.C., 2002. 9. IEC 61511:2016, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1, 2 & 3. 10. ANSI/ISA-84.91.01-2012, Safety Controls, Alarms and Interlocks in the Process Industries . 11. U.K. HSE OTO 2001/055, OSD Hydrocarbon Release Reduction Campaign—Report on the Hydrocarbon Release Incident Investigation Project –1/4/2000 to 31/3/2001. 12. U.K. HSE OTO 93 002 – Offshore Gas Detector Siting Criterion Investigation of Detector Spacing, April 1993. 13. IEC 60079-29-1: Explosive atmospheres – Part 29-1: Gas detectors – Performance requirements of detectors for flammable gases . 14. IEC 60079-29-2: Explosive atmospheres – Part 29-2: Gas detectors – Selection, installation, use and maintenance of detectors for flammable gases and oxygen . 15. IEC 60079-29-4: Explosive atmospheres – Part 29-4: Gas detectors – Performance requirements of open path detectors for flammable gases . 16. A Review of Very Large Vapor Cloud Explosions’, U.K. Health and Safety Executive, Pipelines and Hazardous Materials Safety Administration (U .S. Department of Transport). 17. Evaluation of Computational Fluid Dynamics vs Target Gas Cloud for Indoor Gas Detection Design, J McNay, Dr. Ryan Hilditch, Published and Presented 25th October 2016 , MKOCPS Symposium. 18. OGP Report 434-7, Consequence Modelling, International Association of Oil and Gas Producers, March 2010. 19. ANSI/ISA-18.2-2016, Management of Alarm Systems for the Process Industries . 20. API 14C, Recommended Practice for Analysis, Design, Installation, and Testing of Safety Systems for Offshore Production Facilities, 8 th edition, 2017. 21. API 14G, Recommended Practice for Fire Prevention and Control on Fixed Open -type Offshore Production Platforms, 4th edition, 2013. 22. FM Global Property Loss Prevention Data Sheets 5-48 Jan 2011. Copyright 2018 ISA. All rights reserved. - 17 - ISA-TR84.00.07-2018 3 Definition of terms and acronyms 3.1 Definitions This section contains definitions of terms that have been introduced or clarified with respect to performance-based FGS applications and included in this technical report. detector (geographic) coverage The fraction of the geometric area or volume of a defined monitored process area that, if a hazard were to occur in a given geographic location, would be detected considering the defined voting arrangement. detector (scenario) coverage The fraction of the hazard scenarios from process equipment within a defined and monitored process area that can be detected considering the frequency and magnitude of the hazard scenarios and the defined voting arrangement. fire and gas mapping The analysis of detector coverage to examine a proposed or existing FGS detector layout/voting arrangement and verify FGS performance targets are achieved by the design. FGS effectiveness The ability of the FGS function to detect and mitigate a design -basis hazard under a demand condition. NOTE 1 FGS effectiveness is dependent on a number of factors associate d with design, installation, site-specific operating conditions, and maintenance. FGS effectiveness is a function of the selected FGS performance metrics, including detector coverage, FGS safety availability, and mitigation action effectiveness, accounting for common cause, common mode, and systematic failures. FGS risk reduction factor The ability of the FGS function to reduce the frequency of occurrence or the severity of harm. NOTE 1 FGS risk reduction factor is analyzed quantitatively for FGS functions that prevent or completely mitigate the hazard as a factor equal to the reciprocal of one (1) minus FGS effectiveness. NOTE 2 For FGS safety functions that do not completely mitigate the hazard, the residual risk is included in the analysis of FGS risk reduction. See Annex C for example. FGS safety availability The availability of the fire and gas function designed to automatically mitigate the consequences of hazards. NOTE 1 FGS availability is equal to one minus the probability of failure on demand (PFDav g) for the FGS safety function (sensor, logic solver, and/or final element). mitigation action effectiveness The confidence that the final element(s) actions will successfully mitigate the consequence of the hazard defined in the FGS basis of design. NOTE 1 Refer to Annex D for additional guidance on mitigation effectiveness. 1ooN voting arrangement Implementation of 1ooN (where N > 1) voting in an FGS is such that upon activation of any single detector in a monitored area with multiple detectors, the logic solver commands specified safety action(s) to occur. NOTE 1 This arrangement tends to provide a higher level of safety in that a dangerous undetected failure of a single detector will not inhibit the required safety action once the hazard is detected by a ny second nonfailed detector. This arrangement also provides a relatively higher level of exposure to spurious activation of the FGS , because a false alarm signal generated by any single detector will cause safety action(s) to occur when no hazard is prese nt. MooN voting arrangement Implementation of MooN (where N > 1) voting in an FGS is such that the logic solver commands specified safety action(s) to occur only upon activation of any M or more detectors in a monitored area. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 18 - 3.2 Abbreviations and acronyms 1ooN: one out of N voting 1oo2: one out of two voting 3D: three dimensional AIChE: American Institute of Chemical Engineers ALARP: as low as reasonably practicable ANSI: American National Standards Institute API: American Petroleum Institute CCPS: Center for Chemical Process Safety CCTV: closed-circuit television CFD: computational fluid dynamics ERPG: emergency response planning guideline ESD: emergency shutdown FEED: front-end engineering design H2S: hydrogen sulfide HSE: Health and Safety Executive HVAC: heating ventilation air conditioning IDLH: immediately dangerous to life and health IEC: International Electrotechnical Commission IR: infrared ISA: International Society of Automation FGS: fire and gas system λ DU : dangerous undetected failure rate LEL/LFL: lower explosive limit/lower flammability limit LOPA: layers of protection analysis MOS: metal oxide semiconductor NFPA: National Fire Protection Association OSHA: Occupational Safety and Health Administration PEL: permissible exposure limit PFDavg: probability of failure on demand average Copyright 2018 ISA. All rights reserved. - 19 - ISA-TR84.00.07-2018 PHA: process hazards analysis PPM: parts per million QRA: quantitative risk assessment RHO: radiant heat output RRF: risk reduction factor SIF: safety instrumented function SIL: safety integrity level SIS: safety instrumented system STEL: short-term exposure limit TI: test interval TLV: threshold limit value TWA: time weighted average UV: ultraviolet VCE: vapor cloud explosion 4 Risk concepts in FGS design This technical report provides an overview of some hazard and risk analysis methods applicable to fire and gas system design, including qualitative, semi-quantitative, and fully quantitative methods to estimate risk. Hazard and risk analyses are often used to identify loss-of-containment events due to a process deviation from normal operation. In contrast, most FGS functions are specified to address the risk of loss of containment due to problems with equipment mechanical integrity or other general causes of loss of containment not related to process hazard analysis (PHA) scenarios. Regardless of how the need for these functions is identified, an FGS can be important to an overall risk management strategy. A performance-based design of safety functions is proceeded by analyzing the hazard and risk of credible scenarios and allocating risk reduction to safety functions that will be specifically designed to address these events. Although a variety of methods are used in the process industries, an increasingly common method is layer of protection analysis (LOPA) (reference 2.5 and 2.6). LOPA is an established method for evaluating hazardous event propagation and assessing the capability of safety functions in reducing event risk. An important objective of LOPA is to ensure adequate independence and separation of the initiating causes from independent protection layers to minimize common cause, common mode, and systematic failures. However, LOPA does have limitations, which become clear when examining FGS functions. LOPA typically considers only two possible states for a candidate protection layer: success or failure. If the protection layer fails, there is a consequence. If the protection layer succeeds, the propagation of the hazardous event is halted and there is no consequence. While this is an appropriate assumption for many independent protection layers, it is not suitable for FGSs, since they typically do not stop the loss of containment event from occurring. Instead, a successful FGS function prevents an already bad situation from getting wor se. It is crucial to ensure that common cause and dependent mode failures are evaluated between the FGS and the initiating source. If the enduser risk criteria are based on preventing the hazardous event (i.e., preventing the release of Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 20 - materials), no risk reduction will be claimed for the FGS. Nevertheless, the principles in this TR may be used to provide guidance for improved FGS safeguard design. This technical report presents a risk model to illustrate the concepts of how mitigative system risk can be analyzed. It addresses the detector coverage, safety availability, and mitigation effectiveness, and thereby allows these factors to be explicitly considered in the hazard and risk assessment. This model uses a simplified event tree to illustrate the risk analysis of identified initiating events from the initiating cause(s) to the final outcome(s). For FGSs, the simplified event tree (Figure 1) considers three aspects of FGS effectiveness: detector coverage, FGS safety availability, and mitigation effectiveness. While this simplified event tree shows mitigation effectiveness as a single probabilistic value, this is only to illustrate the risk concepts. In reality, the effectiveness of mitigation actions is often a more complex collection of factors. The event tree branches represent the probability of success and the probability of failure of these aspects —the mathematical complements. The event tree begins with a hazard arising from loss of containment within an area of concern and follows the propagation of the scenario through the success (yes)/failure (no) of each aspect contributing to effectiveness. Quantitative analysis can be used to report the relative likelihood and magnitude of the consequence of each potential outcome. Risk assessment determines the tolerability of the potential outcomes based on the consequence severity and likelihood by comparing the outcome frequency and consequence severity to the end-user risk criteria. Figure 1 – FGS effectiveness model The first aspect of FGS effectiveness is the probability that the hazard is detectable given the detector layout and chosen voting arrangement. For example, if action is taken upon activation of two or more gas detectors, the hazard is detectable only if the scenario involves a gas cloud that covers at least two detectors in the array. Loss of containment places a demand on the FGS, requiring its sensor array to detect the hazardous condition and to initiate required action . Failed detection allows the incipient condition to escalate to a larger magnitude event. This escalated hazard might not be detectable by other detectors in the FGS; and if detectable, the FGS might not be effective in mitigating the larger hazard. This complexity has not been incorporated into the risk model in this technical report. For the sake of simplicity, it is assumed that a n incipient condition that is not detected due to inadequate detector coverage results in an unmitigated hazard that is beyond the capability of the FGS to effectively mitigate. The second branch of the event tree (FGS safety availability) represents the probability of successful FGS activation upon a detected hazard. FGS functions comprise sensor(s), logic solver(s), and final element(s). Failure of the FGS function to operate on demand results in Copyright 2018 ISA. All rights reserved. - 21 - ISA-TR84.00.07-2018 escalation of the consequence. Quantification of the probability of failure on demand can be performed using the techniques presented in ISA-TR84.00.02 (reference 2.8). The third branch of the event tree is the FGS mitigation action effectiveness, which has an impact on the event outcomes and should be carefully considered when evaluating overall effectiveness of an FGS function. The design intent of an FGS is typically not to prevent a hazardous condition from initially occurring, but rather to reduce (or mitigate) the severity of consequences to a lower level. A small fire is prevented from becoming a large fire that can escalate into a larger or unacceptable consequence. A small gas release that presents a toxic and/or fire hazard is prevented from becoming a large gas accumulation that could result in a larger or unacceptable consequence. Therefore, the residual risk associated with a successful FGS operation should be considered in the overall determination of risk acceptability. However, it would be technically incorrect to consider the FGS detector coverage, safety availability, and mitigation effectiveness in the same manner as one would consider independent protection layers. The separate depiction in the event tree of FGS detector coverage, safety availability, and mitigation effectiveness is simply intended to highlight the aspects of the FGS that make its evaluation different from the typical instrumented safeguard. Personnel involved in the design or modification of FGSs should consider that any change to the FGS or to the context in which it is installed will most likely result in changes to the values of all three of these parameters. Different methods with different degrees of quantitative rigor are used in the process industries to implement the concepts discussed in the preceding paragraphs. These methods range from semi quantitative techniques to full quantitative risk analysis (QRA) methods. A quantitative risk analysis can be used to make decisions about the risk reduction strategy (ref erence 2.7). The QRA should be based on a comprehensive risk analysis and consequence modeling for the hazardous event under consideration. Semi-quantitative methods utilize scoring methods that categorize the attributes that define risk and then select grades of FGS performance based on the results of the scoring process (see Annex A). Where possible and practical, other instrumented safety systems, such as safety instrumented functions, should be designed to prevent loss of containment. The development of a methodology to allow the allocation and verification of the risk reduction capab ility of an FGS function should not be construed as an endorsement of the use of an FGS function in lieu of a properly designed preventive safety instrumented function. Thus, if risk analysis determines that two orders of magnitude of risk reduction is required to address a high-pressure scenario in a vessel, a safety instrumented function closing inlet feed to the vessel upon detection of high pressure with a risk reduction of two orders of magnitude is preferable. This technical report does not endorse addressing the above hazardous event with a safety instrumented function achieving one order of magnitude in combination with an FGS function providing the remaining one order of magnitude in risk reduction. This technical report focuses on the implementatio n of FGSs to protect people and the environment when the process is operating normally, but loss of containment has occurred due to such factors as corrosion, erosion, a leaking gasket, or tubing failure, or the process is operating abnormally, and preventative layers have failed. Thus, consider a different scenario where the pressure in the vessel is within tolerable limits ( e.g., not high) and loss of containment has occurred. In this scenario, an FGS function is an appropriate choice for reducing the risk, because there is no potential for implementing a preventive safety instrumented function to prevent loss of containment. It is advisable to use an approach that ensures : • Loss of containment is minimized through implementation of preventive systems and an equipment mechanical integrity program . • FGSs are designed and maintained to be effective in reducing the severity of loss-ofcontainment. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 22 - 4.1 Performance-based FGS design process Design and implementation of an FGS can be performed in a manner that is consistent with the underlying principles of both ANSI/ISA-84.00.01-2004 and IEC 61511. The fundamental approach is to examine the hazard and risk in order to establish required FGS performance, and then to specify a design that achieves that performance. This performance-based FGS design process is illustrated in Figure 2, and it integrates into the relevant portions of a safety life cycle for safety functions. NOTE Steps 7, 8, 9, and 10 may require iteration to meet performance targets. Figure 2 – Performance-based FGS design process 4.2 Planning: Fire and gas philosophy Planning for performance-based FGS design should include determination of the end user’s fire and gas system philosophy. This philosophy is a well-reasoned technical basis that establishes the overall goals for hazard detection and mitigation. It should be consistent with the end user’s risk acceptance criteria that will be us ed in the allocation of safety functions to protection layers. It guides choices made by FGS designers. Appropriate choices for a given user facility are often best performed through standardized application of a fire and gas philosophy. FGSs are beneficial in mitigating the severity of hazards typical to the process industries. Additional information about these hazards can be found in CCPS ( reference 2.7). The description here is intended to aid in defining FGS performance objectives based on the chosen philosophy of the end user. Copyright 2018 ISA. All rights reserved. - 23 - ISA-TR84.00.07-2018 To understand performance requirements for FGS, it is important to have a definition of the end user’s philosophy that is being applied to mitigate hazards. Mitigation systems usually need to have a philosophy developed before a designer can proc eed. Different users of this TR will have different philosophical approaches toward detection and mitigation of fire and gas hazards. This section describes how the elements of the fire and gas philosophy translate to performance-based FGS design. Some elements of a mitigation philosophy are included in codes, industry recommended practices, or company standards. However, elements associated with detection and mitigation are usually established by the end user. The primary questions to be addressed in defining the performance objectives for fire and gas mitigation: • What magnitude of hazards should the FGS detection equipment be designed for? • What FGS actions are required to successfully mitigate the hazard? This TR provides guidance on how the chosen philosophy will impact performance-based FGS design. 4.3 Fire detection philosophy When flammable or combustible hydrocarbon liquids are released from the process, accumulate, and are subsequently ignited, the result is a turbulent diffusion fire. The extent of a pool fire hazard is governed by the size of the pool, the burning intensity of the fuel, and to a lesser extent, meteorological conditions. When pressurized gas (or liquid/two -phase) is released and ignited immediately upon release, the result is a momentum-driven, turbulent jet fire. The extent of a jet fire hazard is governed by the rate of release, the shape of the flame, the flame orientation, and the burning intensity of the fuel. Both pool fires and jet fires emit thermal radiation, which can be haz ardous to people within seconds of exposure. Process equipment or structures can be damaged within minutes of intense fire exposure, especially if fireproofing is not provided or not effective. Fires can produce heavy smoke, which is hazardous if introduced in an occupied building. Personnel can be harmed either by the direct effect of the ignition of the hydrocarbon release or by exposure to an ongoing fire if the ability to safely evacuate is impaired. Fire detection can be beneficial in the latter case, by detecting an incipient fire in time before further exposure to personnel or impairment of evacuation routes can occur. The actions that are most effective in the early (incipient) stage of a fire are: • alarms and evacuation/sheltering of personnel • automatic emergency shutdown (ESD) with isolation of fuel and depressurizing • activation of deluge systems/foam systems to suppress burning, cool surrounding equipment, or, in some cases, extinguish the fire If a fire is not detected early (incipient), the potential exists for the fire to escalate to a hazard that impacts more equipment, impacts evacuation/egress, and causes more severe harm to people and the process. Fire detection philosophy statements are useful in determining the performance objectives o f fire detection system. The performance objective will guide the designer on the magnitude of fire that should be detected and the safety actions to be automatically activated. With a specific philosophy statement, the FGS designer can identify the perfor mance objectives, and this will guide the designer to choose the proper basis of design. Without a well-defined philosophy, the FGS designer can provide a system that is over-designed or under-designed and does not achieve enduser expectations. The following are two different philosophies for fire detection. Each is valid for a particular application. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 24 Table 1 – Example fire detection philosophies Fire Detection Philosophy Elements of Philosophy Decision Typical Application Goal is to detect fire as early as practical to reduce the possibility of escalation, minimize impact to the asset, and allow personnel to take appropriate protective actions. Within a monitored process area: Detection: Incipient fire Occupied offshore facilities Successful FGS mitigation Onshore process plants with significant occupancy • prompt evacuation or shelter-in-place response to alarm notification • isolate fuel source • depressurize the process • initiate fixed fire suppression of affected equipment and surrounding equipment Migration beyond monitored process area: Detection: Smoke at building air intakes High-value assets Occupied offshore facilities Successful FGS mitigation: Goal is to detect fire that has the potential to produce major damage beyond the area of origin to mitigate against total asset loss. • prompt evacuation or shelter-in-place response to alarm notification • shutdown ventilation Within a monitored process area: Detection: Fully developed fire Successful FGS mitigation • Normally unmanned installations, onshore or offshore, with limited firefighting capability isolate fuel source and allow to extinguish by depletion of fuel Migration beyond monitored process area: Detection: (none) It is impractical to detect all potential fire hazards. Detection can occur of an incipient hazard (early stage) or a fully developed hazard. Note that with larger fires, optical flame detector performance might be degraded. Safety actions can be as simple as containment and isolation of fuel, or as complicated as isolation, depressurizing, and suppression. The fire detection philosophy should specify if alarms and FGS actions will occur on a single detector in alarm state (1ooN) or require more than one detector in alarm state (e.g., 2ooN). 4.4 Flammable gas detection philosophy When flammable gas (or volatile liquid) is released but not immediately ignited, a flammable fuel air mixture forms, which can accumulate and/or migrate away from the point of release. Safe dispersion occurs when the gas dilutes in air below the lower flammable limit (LFL) concentration. If there is an absence of physical confinement of the flame front and absence of flame front interaction with turbulence-inducing obstacles, then the flame will not significantly accelerate. If ignited, the initial phenomenon is a short-duration, transient fire that burns from the point of ignition through the gas cloud in short duration. The flame front expands slowly near the point of ignition. In the event the flame front does not accelerate, the vapor cloud fire will not produce a significant pressure wave (blast). The fire is therefore called a flash fire. A flash fire is hazardous, but the extent is limited to the shape/size of the flame envelope itself. However, gas can accumulate in confined and semi-confined areas of a process. Historically, a minimum gas cloud accumulation of 5 meters (reference 2.4 and 2.12) was demonstrated to be sufficient for enabling a flame front to accelerate to a velocity that has the potential to cause a significant pressure wave. This does not exclude the potential that under adverse conditions, an accumulation of less than 5 meters might result in similar hazards. This pressure wave is also called a blast, and the phenomenon is known as a vapor cloud explosion (VCE). The extent of the VCE hazard is governed by the amount of gas accumulation and the degree of confinement and congestion, and it can be measured as the pressure generated by the blast and its duration. Copyright 2018 ISA. All rights reserved. - 25 - ISA-TR84.00.07-2018 Personnel located outdoors are often not injured by the pressure wave itself but can be hurt by high-velocity fragments. Non-blast-resistant structures can be severely damaged or collapse, causing harm to building occupants. Blast effects can result in hazards at significant distance beyond the boundary of the flammable cloud. It is desirable to detect flammable gas before ignition, especially if it is in a confined and congested area where the gas can accumulate. FGS can be beneficial in detecting the presence of a flammable fuel-air mixture (or detecting a release of high-pressure gas). Automatic actions can be taken by the FGS to minimize both the possibility of ignition and the severity of the vapor cloud fire hazard. Actions that are most effective in the early stage of a gas release or accumulation are: • alarms and evacuation/sheltering of personnel • automatic ESD with isolation and depressurizing equipment that can be leaking gas • automatic control of ignition sources (electrical de-energization, etc.) • activation of deluge systems to disperse gas and suppress burning of the gas In this context, early detection means before a high probability of ignition or before a large accumulation occurs. If gas is not detected early, there is the potential for further accumulation resulting in escalation to a more severe hazard, including the potential for a VCE, or for gas to migrate beyond the process area to locations where there is either high personnel occupancy or strong ignition sources. Within a few seconds or less, a vapor cloud fire will burn back to the p oint of ignition and cause the hazards described above; however, the aftereffects can include a residual jet fire (f or a momentum-driven release) or pool fire (for a liquid release/pooling), or perhaps both. The residual fire will continue to burn until the source of the fuel is isolated and any accumulated fuel is consumed. While it is highly preferable to detect a flammable gas hazard before ignition to safeguard life, FGS can also be beneficial in detecting the residual fire and taking actions to limit its duration and intensity. There are several different philosophies for flammable gas detection. Flammable gas detection can be applied to detecting either an accumulation of gas or a release of gas. Actions could be prompt evacuation, shelter in place in response to an alarm notification, or acting to limit the size/extent and ignition potential for a vapor cloud. The following are two different philosophies for flammable gas detection. Each is valid for a particular application. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 26 - Table 2 – Example combustible gas detection philosophies Flammable Gas Detection Philosophy Elements of Philosophy Decision Detect credible gas releases by strategically placing detection equipment in proximity to release sources to minimize potential for extended duration gas release that could ignite with severe consequences. Within a monitored area: Detection: Leak/release sources and size should be identified, and detectors located in proximity to leak sources to provide incipient (early) indication of a hazard before gas migrates to a location where ignition and escalation are likely. Typical Application Successful FGS mitigation: • alarm to evacuate personnel to safety and allow controlled operator shutdown (or automatic ESD) Migration beyond a monitored area: Detection: Variation in gas cloud size and direction makes it difficult to specify detector layout and spacing within a monitored area to address all possible leak scenarios. Because ignition sources and occupancy are well controlled within a process area, detection within a monitored area should be supplemented with perimeter gas detection to improve confidence that the release will be detected before migrating to a strong ignition source or area with higher occupancy and a more severe impact. Onshore process plants Successful FGS mitigation: alarm to evacuate personnel to safety and allow controlled operator shutdown (or automatic ESD) Detect gas accumulations in hazardous quantities that, if ignited, could cause significant impairment to life, safety, and the asset. Within a monitored area: Detection: Gas dispersion patterns might not be predictable, and gas hazards are most severe in areas where gas can accumulate within confined and congested process areas. Detectors should be placed in areas where gas can accumulate in order to mitigate a threshold accumulation volume that can result in a more severe blast, which could impair structural integrity or impair evacuation/egress. Successful FGS mitigation: • isolate fuel source and depressurize • de-energize electrical apparatus • evacuate personnel to safety Offshore facilities Migration beyond a monitored area: Detection: Reliable detection cannot be assured in areas where gas does not accumulate (absence of confinement/congestion), nor is the severity of an ignited gas cloud of high concern due to the lower severity of a vapor cloud fire (no VCE). Credible leak scenarios should be identified, and detection of gas migration should be provided at receptors of concern (detection at HVAC air intakes, etc.). Successful FGS mitigation: • alarm to shelter/evacuate personnel • de-energize electrical apparatus It is impractical to detect all gas leaks, even all leaks that could be hazardous. Release sources and direction of dispersion cannot always be predicted with certainty. In some locations, where gas can be dispersed by wind or ventilation, a strategy of placing detectors only around likely release sources can have limited effectiveness. The gas detection philosophy should specify if alarms and FGS executive actions will occur on a single detector in alarm state (1ooN) or require more than one detector in alarm state (2ooN). A well-defined philosophy will guide the FGS user in determining the correct performance objectives. 4.5 Toxic gas detection philosophy Toxic gas detection involves an analysis of a specific application, as general guidelines are difficult to set due to the widely varying hazards of different toxic materials, the variations in concentrations of toxic materials, and the high dependency of toxic hazards on site-specific factors, including Copyright 2018 ISA. All rights reserved. - 27 - ISA-TR84.00.07-2018 meteorology. Therefore, one approach is to select a hazard scenario and model the extent of the hazard (e.g., dispersion, computational fluid dynamics [CFD]). To model a toxic gas hazard, consider the smallest hazard scenario that would require detection; this can be based on either risk or a team-based review and should be likely to occur in the project lifetime. A second approach is to directly postulate the magnitude of a toxic gas volume that is of concern and then design using a geographic technique (e.g., 5 m H2S cloud size, 8 m H2S cloud size) . The objective of a toxic gas detection system is to detect concentrations of gas that could be hazardous to personnel in time for proper protective actions to be taken. Automatic actions can be taken by the FGS to minimize the severity of the hazard. Actions that are most effective in early stage of gas release or accumulation are: • alarms and evacuation/sheltering of personnel • automatic ESD with isolation and depressurizing equipment that can be leaking gas The following is an example philosophy for toxic gas detection. Table 3 – Example toxic gas detection philosophies Toxic Gas Detection Philosophy Elements of Philosophy Decision Detect credible gas releases by strategically placing detection equipment in proximity to release sources to minimize potential for extended duration gas hazard that could result in severe consequences. Within a monitored area: Detection: Leak/release sources and size should be identified, and detectors should be located in proximity to leak sources to provide early indication of a hazard before gas migrates to a location where exposure is likely. Typical Application Successful FGS mitigation: • alarm to evacuate personnel to safety or shelter and allow controlled operator shutdown (or automatic ESD) Migration beyond a monitored area: Detection: Variation in gas cloud size and direction results in difficulty specifying the detector layout and spacing within a monitored area to address all possible leak scenarios. Because occupancy is well controlled within a process area, detection within a monitored area should be supplemented with perimeter gas detection or gas detection along egress paths to improve confidence that the release will be detected before migrating to an area with higher occupancy and more severe impact. Onshore process plants and offshore facilities Successful FGS mitigation: • alarm to evacuate personnel to safety or shelter and allow controlled operator shutdown (or automatic ESD) 4.6 Fire and gas hazard assessment, requirements specification, and performance verification Determining the target performance of an FGS function should be accomplished using hazard and risk analysis. In this context, performance includes: safety availability of the FGS equipment, the coverage of the FGS detectors, and the effectiveness of the mitigative actions . A design for FGS mitigation requires input from the end user’s fire and gas philosophy in terms of establishing the performance objectives. Techniques used to select target FGS performance should consider parameters that affect the hazard and risk. They are often applied on an equipment-item basis to determine if an FGS should be considered to protect each equipment item and, if protection is required, what degree of performance should be targeted in the design. The hazard and risk parameters that should be considered include the following: Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 28 - • material flammability/toxicity • process temperature • process pressure • hazard frequency • source leak size • ignition sources • potential for gas accumulation • environmental conditions Two typical strategies for the hazard and risk assessment for the selection of FGS performance targets are used in industry. These two general approaches are referred to as semi-quantitative and fully quantitative risk analysis. While the fully quantitative risk analysis methodologies are more precise, the semi-quantitative methods are also acceptable. • Semi-quantitative risk analysis has a level of effort similar to layer of protection analysis (reference 2.5 and 2.6). It uses lookup tables and “order of magnitude” selections to categorize various risk parameters and thereby establish the needed performance targets. These semi quantitative techniques need to be calibrated to ensure that these coarse level -of-effort tools provide satisfactory results. See Annex A for an example of a semi-quantitative hazard and risk analysis. • Fully quantitative risk analysis verifies that quantitative ri sk tolerances have been achieved using detailed quantification of the hazard and risk. While the fully quantitative analysis provides more accurate results, it is also more time consuming and can be resource intensive (see Annex D). The following steps are broadly applicable to both strategies for hazard and risk analysis. 4.6.1 Step 1 – Identify areas of concern FGS installations in the process industries are typically designed to address hazards associated with loss-of-containment events caused by leaks, corrosion, and erosion. In many cases, FGSs are only expected to provide general process area coverage. Under these circumstances, the FGS design can be based on simple prescriptive practices (e.g., references 2.2 and 2.3), if available for the application. In some process plants, their implementation is beneficial, while in others use of an FGS is unnecessary. Not all process plants will even undergo a formal analysis of FGS design requirements. The determination of whether formal assessment of FGS design requirements analysis is required will be the result of end-user policies/procedures and regulatory oversight, such as: • process hazards analysis (PHA) recommendations • QRA for FGS • end-user standards and design practices • regulatory requirements • auditor recommendations • FGS screening analysis • previous incidents An FGS screening analysis can be used to identify areas of concern where FGS installation can be beneficial in reducing risk. An FGS screening analysis should consider the flammability and toxicity of the materials being processed, which would identify process equipment that represents an area of concern for possible performance-based FGS design. The plot plans, process flow Copyright 2018 ISA. All rights reserved. - 29 - ISA-TR84.00.07-2018 diagrams, heat and material balance, and P&IDs should be analyzed to identify the process material(s) and normal operating conditions, and whether the materials processed contain fire hazards, combustible gas hazards, or toxic gas hazards. 4.6.2 Step 2 – Identify hazard/risk scenarios Performance-based FGS design requires identification of hazard scenarios for which FGS functions are designed. Although the FGS is expected to perform on demand for a wide range of general hazards, a few specific hazards should be identified to establish target performance and allow measurement of achieved performance. Major equipment items should be analyzed to identify the type of fire or gas hazard, and this should include storage tanks, pressure vessels, pumps, compressors, separation equipment (distilla tion towers, etc.), and heat exchangers. The type of hazard depends on the process fluid composition, the process conditions (temperature and pressure), the size and duration of the credible release, and the type and location of ignition sources. Performance targets are defined with respect to the hazard scenario(s) that FGS design is intended to detect and adequately mitigate. This step can involve direct hazard identification (e.g., 50 kW radiant heat output fire, 10 m 3 combustible gas accumulation, 20% LFL accumulation) or identification of credible scenarios involving release of hazardous material that could give rise to fire and gas hazards. These include corrosion-initiated leaks, flange gasket leaks, and small diameter tubing failures. Where scenarios are selected as the basis of design, the analysis should consider the attributes in sufficient detail to determine the potential physical characteristics of the hazard scenario, such as fire size or gas dispersion extent. This step results in a list of equipment items and associated hazards/scenarios that are carried forward to subsequent steps. 4.6.3 Step 3 – Analyze consequences Once a fire or gas scenario is identified, a consequence severity study should be undertaken to determine the physical extent of the hazard and the potential to escalate the severity if not detected. This either takes the form of a model that predicts the physical effects of the release, or is based on qualitative (e.g., PHA team judgment) or semi-quantitative techniques. The end user should decide the criteria used to analyze the extent of the unmitigated fire, combustible gas, or toxic gas hazard scenario (qualitative, semi-quantitative, and/or full quantitative). The following sections address quantitative methods only. The application of consequence modeling is not addressed in detail in this technical report. Refer to CCPS (reference 2.7) for more guidance. Fire hazards For fire scenarios, the extent of fire and thermal radiation effects are usually required to determine detector layout requirements. Fire detectors using optical or visual detection means are sensitive to the amount of radiant heat output from the fire , but limited by a threshold amount of radiation received at the detector below which a fire cannot be detected. Consequence models predict these physical effects as a function of orientation and distance from the fire. Results of fire models provide the basis to determine the number and location of fire detectors necessary to detect a given fire scenario. The fire analysis should identify a threshold amount of radiant heat output that can result in a potential hazard, or escalation of a hazard based on the typ e of processing equipment and layout. The criteria should be used as the end point for the fire consequence analysis. Combustible gas hazards For a combustible gas hazard, consideration should be given to the dispersion and potential accumulation of gas in unconfined or semi-confined areas, and estimates should be developed of Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 30 - the extent of the combustible gas hazard. Although this can be accomplished by defining the volume of the gas accumulation of concern, gas dispersion/accumulation modeling and explosion analysis in confined or congested areas should be considered. Gas dispersion analysis using similarity models is adequate for some outdoor locations where dispersion is only affected by momentum jet effects as well as atmospheric effects. Dispersion modeling results should be generated for concentrations at the threshold for alarm for gas detectors. Similarity models and other simplified empirical models can be misleading when studying gas dispersion, especially for indoor releases. Simplified models can yield vastly different concentration profiles than full computational fluid dynamics (CFD) models. In most cases, ventilation and geometry dominate the dispersion, so most simplified/empirical models cannot accurately capture this information to a sufficient resolution. Further, simplified models frequently do not account for turbulence or the interaction with solid surfaces. These play a significant role in the shape, size, and concentration of the vapor cloud and thus need to be evaluated with sufficient resolution. Gas dispersion in confined or congested spaces or enclosed volumes should use consequence analysis methods (e.g., CFD) to examine concentration profiles under the influence of forced ventilation systems rather than atmospheric effects. For flammable/combustible gas hazards, the gas concentration is the primary means of potential hazard detection; however, the actual hazard can include one or more of vapor cloud explosion (confined or semi-confined), fire, or toxic inhalation exposure. The hazard is a function of volume of hazardous material, concentration, and level of confinement in the case of vapor cloud explosion. As the volume increases, a more severe hazard becomes more likely. Therefore, the detector placement is predicated on criter ia to detect the gas concentration early enough that action can be taken before the release becomes a larger gas cloud of potentially higher concentration. With earlier activation, the hazard potential can be lowered (e.g., maximum explosion overpressure that could be tolerated without severe damage or loss of life). The development of these criteria is provided by CCPS (reference 2.7) but is outside the scope of this technical report. Toxic gas hazards For facilities that store, handle, or process toxic gases, the worst credible scenario can be an uncontrolled release of a toxic substance to the atmosphere. Facilities that deal with these substances generally invest in equipment to handle the substance , such as vents to flares, scrubbers, incinerators, or alternate containment vessels. The failure of this equipment, its controls, or the piping system itself (leaks, erosion, and corrosion) can lead to a release. Gas detection systems are often utilized to help mitigate this potential hazard. It is common practice for companies handling toxic gas releases to conduct dispersion modeling of credible scenarios to determine the potential effect of a given release. Dispersion modeling will address plant and surrounding area topography information, leak rate inform ation, plant weather data, and toxicity information. ERPG ( emergency response planning guidelines) numbers or IDLH (immediately dangerous to life and heath) numbers are often used to characterize the extent of the acute toxicity hazard. The design intent of toxic gas detection is to mitigate the severity of the unmitigated hazard scenario. This is typically accomplished by early detection that results in more effective emergency response, containment, or the evacuation of personnel to a safe location. Unmit igated consequences should define the extent of impact of the unmitigated hazard outcome, which can include onsite and/or potentially offsite consequences. Escalation of flammable and toxic gas hazards The design intent of fire and gas detection is usually to mitigate an already hazardous situation. This is typically accomplished by limiting the extent of the hazard or, in some cases, providing for Copyright 2018 ISA. All rights reserved. - 31 - ISA-TR84.00.07-2018 additional time before escalation to allow for effective emergency response and containment and/or to allow for the evacuation of personnel to a safe location. In addition to an incipient fire or gas release scenario used for establishing detector location and placement, the consequence analysis should include an assessment of the potential outcome of that scenario if unmitigated by the FGS. This could result in escalation of the hazardous event into a larger, more severe consequence than the scenario selected as the basis of design for FGS detection. This severe consequence represents the potential outcome of FGS failure due to inadequate detector coverage, poor FGS availability, or ineffective mitigation actions. Other consequence modification factors Occupancy, time at risk, and ignition probability are other factors that could be considered when assessing risk to personnel safety. These factors should be justified through scenario -specific analysis that ensures that these factors are reasonable and appropriate for the scenario under consideration. For example, occupancy likely changes as plant personnel respond to potential or realized loss of containment. In contrast, the likelihood that a release is flammable is dependent on the chemical properties, release size and location, and dispersion potential. When fl ammable liquids or gases are involved in the scenario, it is possible to estimate the potential for a fire or explosion using qualitative, semi-quantitative, or quantitative methods. Ignition probability data for combustible liquids, flammable liquids, and flammable gases is provided by CCPS (ref erence 2.7). Guidance on determining appropriate values for these factors is outside the scope of th is technical report. 4.6.4 Step 4 – Analyze hazard frequency Before establishing FGS performance requirements, consideration should be given to the likelihood or frequency of the hazard(s) that could result in the unmitigated/escalated consequence severity. Further, a decision can be made about the tolerability of an unmitigated fire and gas risk, which can guide decisions about the scope of an FGS design. Release frequency can be determined by applying databases of equipment failure rates to the identified scenario, but could also be based on qualitative (e.g., PHA team judgment) or semi-quantitative techniques. In many cases, a risk scenario arises from equipment damage and failure mechanisms, such as general corrosion, that are well understood. In these cases, application of industry failure rate data should be considered. For example, such databases inclu de leak frequencies for components, such as piping, flanges, pressure vessels, and compressor seals. Methods for adjusting industry failure data based on site-specific inspection and maintenance histories are also available. In some cases, the hazard scenario can arise from unique factors that should be addressed in a scenario-specific analysis. An example is an uncontrolled release of a flammable gas in gas production wells due to produced sand causing erosive damage to flowlines. In this case, industry failure rate databases are of limited value. The end user’s prior experience and a considerable amount of judgment can be utilized to establish the frequency of the release scenario. It is often the case that fire and gas detection is provided in an area to detect release from multiple sources of potential release. In these cases, there should be some effort taken to aggregate the frequency of the potential hazard scenarios in the area of concern. This is accomplished by accounting for a number of equipment leak scenarios with similar consequences and generating the sum total or cumulative frequency of release. This aids in minimizing the number of scenarios that need to be individually analyzed. For example, sum the frequency of all scenarios with 50 kW radiant fire in the area of concern. 4.6.5 Step 5 – Assess unmitigated hazard/risk Unmitigated hazard/risk is measured before considering the benefit of the proposed FGS. The most conservative approach is to assume that the FGS is unavailable in the event of the hazard. The unmitigated/escalated consequence severity and hazard frequency can be compared to endCopyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 32 - user criteria for tolerability. This can be accomplished through application of a hazard/risk matrix with sufficiently detailed information regarding consequ ence severity and likelihood. Alternatively, quantitative risk criteria can be stated in terms of tolerable mitigated event likelihood. If the criteria indicate that the unmitigated hazard/risk scenario is tolerable, additional risk reduction using FGS function(s) is not required unless otherwise mandated by local legal requirements. If the hazard/risk is higher than target criteria, then the risk reduction requirements should be established for the applicable fire, combustible gas, or toxic gas detection f unction in the FGS. If the outcome of this step results in an acceptable situation with no additional risk reduction, further analysis of performance-based requirements for FGS design is optional. Design of the FGS and sensor placement should be based on existing methods for system design, such as the applicable national standard or industry guidelines and relying on the judgment of a qualified engineer for sensor placement. Good practice guidelines in Annex B should be considered for sensor placement. 4.6.6 Step 6 – Identify FGS performance targets After previous steps in the hazard/risk assessment, equipment of concern and hazards of concern will have been identified and the consequence severity/likelihood and acceptability of an unmitigated hazard will have been considered. The presentation of this information can vary in format. The information can take the form of a qualitative hazard assessment, a fully quantitative risk assessment, or a semi-quantitative assessment of hazard/risk. FGS designers with more qualitative hazard input can apply broad guidance from industry or company practices to establish a single and uniform performance target (e.g., 85% target detector coverage). FGS designers with more quantitative hazard information can establish performance targets that are specific to the hazards being assessed. More information on the selection of FGS performance targets is included in the annexes of this TR. Annex A contains an example of a semi-quantitative approach for selecting FGS performance targets, and Annex D contains worked examples of FGS performance target selection, using a variety of methods for a variety of applications. FGS performance metrics FGS performance targets should be consistent with the end-user philosophy for hazard detection and mitigation, based on the level of hazard and risk associated with process hazards in a monitored area, and agreed upon by the end user. Achievement of FGS performance targets should be through application of one or more of the listed FGS performance metrics shown in table 4. In the absence of specific guidance from the end-user philosophy, the following options should be considered for metrics: 1. Applications with claimed FGS risk reduction factor ≤ 10: Quantification of detector coverage as FGS performance metric. Qualitative consideration of other performance metrics. 2. Preventative FGS safety functions: Applications with claimed FGS risk reduction factor (RRF) in excess of 10. Quantify detector coverage and safety availability. 3. Mitigative FGS safety functions: Applications with claimed FGS RRF in excess of 10. Quantify detector coverage, safety availability, and mitigation action effectiven ess. Note that for these types of functions it is difficult to achieve target RRF, as they require strong FGS detector coverage, as well as FGS mitigation effectiveness. Classification of an FGS function as either preventative or mitigative is the responsibility of the end user of this technical report. Where unmitigated hazard severity is deemed to pose an elevated level of hazard/risk, FGS mitigation as well as other non-FGS means of risk reduction should be considered. Target FGS performance can be defined in various ways, such as an FGS risk reduction factor, percent reduction in risk of unmitigated hazard severity, or maximum allowable Copyright 2018 ISA. All rights reserved. - 33 - ISA-TR84.00.07-2018 PFD avg of the FGS function. Target FGS performance should be established to reduce the likelihood of an unmitigated hazard outcome. Table 4 – FGS performance metrics Performance Metric Expression Recommended Application Guidance FGS detector coverage Quantitative: Probability Applications where claimed FGS Annex A risk reduction factor ≤ 10 Applications where claimed FGS Annex D risk reduction factor > 10 FGS safety availability Qualitative confirmation Applications where claimed FGS Annex D risk reduction factor ≤ 10 Quantitative: Probability Applications where claimed FGS Annex D risk reduction factor > 10 FGS mitigation action Qualitative confirmation effectiveness Mitigation applications where Annex C claimed FGS risk reduction factor ≤ 10 Quantitative: Probability Mitigation applications where Annex C claimed FGS risk reduction factor > 10 Performance targets for FGS detector coverage should be quantified for all applications where any risk reduction is claimed. Detector coverage should be defined per each FGS function associated with area monitoring. Performance targets for FGS safety availability should be confirmed, and, wherever FGS target RRF exceeds 10, FGS safety availability should be quantified. Confirmation should at minimum include prior use experience and compliance to any applicable industry standards. Quantification of FGS safety availability should be expressed based on an FGS function associated with coverage in a defined monitored area. Where applicable, performance targets for FGS mitigation action effectiveness should be confirmed, and, wherever the FGS target RRF exceeds 10, FGS mitigation action effectiveness should be quantified. Guidance on mitigation action effectiveness is provided in clause 6.2. 10 and Annex C, including information on estimating this metric at a hazard scenario-by-scenario level of detail. As illustrated in Figure 3, FGS performance targets should be selected such that the target risk reduction can be achieved by the FGS safety function. FGS effectiveness is the product of applicable performance metrics including detector coverage, FGS safety availability, and FGS mitigative action effectiveness accounting for common cause, common mode, and systematic failures. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 34 - FGS Detector Coverage FGS Safety Availability Yes Yes FGS Mitigation Effectiveness Relative Likelihood Outcome 0.9 0.76 Mitigated 0.1 0.08 Unmitigated 0.01 Unmitigated 0.15 Unmitigated 0.99 0.85 Design Basis Hazard No 1 0.01 No 0.15 FGS Effectiveness 0.76 Figure 3 – FGS effectiveness Where FGS function(s) are claimed to reduce risk, FGS effectiveness should be sufficient to reduce risk associated with the unmitigated hazard severity to meet the end-user risk guidance. Reducing risk significantly beyond one order of magnitude (fire and gas RRF > 10) might not be practical for many mitigation applications, because the achieved risk reduction is usually limited by detector placement, achieved coverage, or mitigation effectiveness rather than FGS safety availability. In fact, an achieved detector coverage factor below 90% limits the overall achieved RRF < 10 irrespective of other FGS performance metrics. NOTE The risk of the mitigated hazard assuming 100% detector coverage, FGS availability, and mitigation effectiveness (e.g., perfect FGS operation) can still result in an intolerable risk. This could occur if the frequency of the initiating event or the mitigated consequence severity is high. In these cases, other risk reduction means (hazard prevention) should be utilized to meet the risk criteria (fully quantitative). Design-basis hazard for measuring target FGS performance Underlying the concept of performance-based FGS design is the need to detect a hazard of threshold size/magnitude or larger. The designer should specify this hazard when identifying performance targets. The specified hazard threshold size/magnitude should be: • consistent with the end-user philosophy for hazard detection and mitigation • based on the level of risk associated with process hazards in a monitored area • likelihood of hazard • severity of escalated hazard if not adequately detected and mitigated • within the capability of the FGS actions to meet the target hazard mitigation (e.g., reduce severity by one order of magnitude) • agreed upon by the end user NOTE Use of a prior analysis of fire and gas hazards from other process safety or loss prevention activities should verify the prior analysis meets the above criteria to be used in the FGS design. Where detection of an incipient hazard is required, the prior hazard analysis should align with those design requirements. Design-basis hydrocarbon fire Hydrocarbon fires can be detected either during the incipient stage (early) or in the fully developed stage. Automatic safety actions for fire suppression should be considered in identifying th e design- Copyright 2018 ISA. All rights reserved. - 35 - ISA-TR84.00.07-2018 basis hazard. Hydrocarbon fire detection will typically be based on detection of an incipient fire. Some philosophies will not require incipient fire detection in all areas, particularly unmanned installations. The following table provides guidanc e on several alternatives for selecting the design-basis hazard. Table 5 – Examples of design-basis fire hazards Detection Philosophy Design-Basis Hazard within Monitored Area Typical Application Incipient hydrocarbon fire detection 1-ft x 1-ft liquid hydrocarbon fire Medium to high hazard areas Fully developed hydrocarbon fire detection Matches test conditions for liquid fire detection 10-kW radiant heat output High hazard areas – alarm 50-kW radiant heat output High hazard areas – safety action 100-kW radiant heat output Medium hazard areas 36-inch gas plume fire Typical test conditions for gas plume fire detection 250+ kW radiant heat output Low hazard areas 5-mm leak in pressurized gas system 12-mm flange leak QRA credible leak scenarios. Fire model used to determine hazard size/thermal radiation 0.5-meter × 1.0-meter flame Single detector criteria 1.0-meter × 3.0-meter flame Two or more detector criteria 25-mm or larger leak of pressurized gas, jet fire Annular release from well blowout, jet fire Major accident hazard scenarios Pooling hydrocarbon fire covering deck or secondary containment area If a release scenario is selected instead of a specified hazard magnitude, then fire modeling should be used to determine the extent of the fire hazard and the detectability of fire effects as a function of distance. The following end-point criteria should be considered: • severe damage to process equipment above 37.5 kW/m 2 (12,000 Btu/hr/ft 2 ) • life-threatening thermal radiation for short exposure above 20 kW/m 2 (6,500 Btu/hr/ft 2 ) • serious burn injury and blocked escape routes above 12.5 kW/m 2 (4,000 Btu/hr/ft 2 ) • moderate burn injury above 5.0 kW/m 2 (1,700 Btu/hr/ft 2 ) for short exposure (<1 minute) The installed system should be capable of functioning properly within the selected zone of thermal radiation. In addition, the designer should consider modeling thermal radiation to the threshold of detectability for the selected fire detection technology (e.g., optical, heat) in accordance with the vendor-specified performance capability. Design-basis combustible gas hazard Gas detectors can be positioned to detect a specified size/magnitude of release or to detect a specified volume of gas. The choice for a design-basis gas hazard should be consistent with the end-user philosophy on gas detection. The following table provides guidance on alternatives for selecting the design-basis hazard. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 36 Table 6 – Examples of design-basis gas hazards Detection Philosophy Design-Basis Hazard within Monitored Area Typical Application Detect credible gas releases by strategically placing detection equipment in proximity to release. Flammable gas cloud associated with leak of 1 to 5 mm high-pressure gas release Moderate to high hazard area Flammable gas hazard associated with leak of 12 to 25 mm low pressure gas release Low hazard area Significant release (reference 2.11) of flammable gas associated with: High hazard area Detect gas accumulations in hazardous quantities that, if ignited, could cause large-scale impact to life, safety, and the asset. Analysis of dense and dilute clouds can be applied within this philosophy to represent 1ooN/2ooN coverage (alarm or action). • kg/s (0.22 lbs/sec) for gas and two phase with duration less than 2 minutes • 0.2 kg/s (0.44 lbs/sec) for liquid (oil/condensate/nonprocess) with duration less than 5 minutes Flammable gas cloud associated with 3 lb/sec leak (11,000 lb/hr) based on a 25 mm hole diameter at 100 psig. 2000 lb quantity in 10 minutes Moderate to low hazard area 5-meter spherical cloud accumulation Within process areas of high confinement and congestion 7- to 8-meter spherical cloud diameter Within process areas of moderate confinement and congestion 10-meter spherical cloud accumulation Within process areas of low confinement and congestion Intermediate cloud dimension (5 to 10 meters) with blast modeling Explosion modeling to determine threshold of severe structural damage and impairment of evacuation (150 mbar/3 psig) It is the responsibility of the end user to determine if the purpose of gas detection is incipient (early) detection or major hazard detection, which implies quantities of gas could be present that if ignited could cause large-scale safety impacts. If a release scenario is selected instead of a specified hazard magnitude, then gas dispersion/accumulation modeling should be used to determine the extent of the combustible hazard, and the detectability as a function of distance. The following end-point criteria should be considered: • 20% of LFL: Threshold of ignitability of gas when using similarity-based gas dispersion models • 5% to 10% of LFL: Threshold of detectability of gas using selecte d gas detection equipment Design-basis toxic gas hazard Toxic gas detectors can be positioned to detect a specific size or magnitude of toxic hazard within a process area or migration of toxic gas beyond the process area, or they can be positioned to protect access and egress pathways. The choice for the design-basis hazard should be consistent with the end-user philosophy and guidance from the competent authority on toxic gas exposure levels. Direct specification of the extent of a toxic gas hazard is one alternative. The second option is to specify one or more release scenarios and model accordingly. If a release scenario is selected instead of a specified hazard magnitude, then toxic gas dispersion modeling should be used to determine the ex tent of the toxic gas hazard and the detectability of the hazard scenario. The following end-point criteria can be considered: Copyright 2018 ISA. All rights reserved. - 37 - ISA-TR84.00.07-2018 • IDLH concentration for acute safety exposure • threshold weighted average (TWA)-threshold limit value (TLV)/short-term exposure limit (STEL)/permissible exposure limit (PEL) for chronic health exposure In addition, modeling should address the threshold of detectability of target toxic gas using selected gas detection equipment and vendor-approved performance capability. 4.6.7 Step 7 – FGS conceptual design In addition to the design basis above, the initial design of the fire and gas system components , as well as sensor placement, should be based on existing methods for system design, such as the applicable national standard or industry guidelines, and on the judgment of a qualified engineer for some items, such as sensor placement. For instance, some users space detectors based on a maximum spacing that will result in a minimal hazard. NOTE If the target risk reduction for the FGS safety function is > 10, then IEC 61511 practices will apply to the sensor, logic solver, and final element subsystems. An initial FGS detector layout should be proposed using expert judgment by considering the factors discussed in Annex B.5, which have an impact on FGS effectiveness. When identifying scenarios that are used to establish FGS performance targets, it is important to consider the design limitations of automatic FGS activation. Ensure that the basis -of-design hazards are appropriate given the limitation of the system. For e xample, detector location/placement for a fire suppression system design that extinguishes only an incipient fire will need to be designed with detector location and placement sufficient to detect early -stage fire scenarios. Design should consider the amount of time between when the hazard initially becomes detectable by the selected equipment and the time when the expected degree of risk reduction can no longer be achieved due to a fully escalated hazard. This will define the overall response time requirem ent for the FGS safety function. 4.6.8 Step 8 – Verify detector coverage The proposed location of fire and gas detectors should be analyzed to determine how effective the proposed array of detectors with a given voting arrangement will be in detecting the hazard and initiating a specified safety action. An assessment of detector coverage involves analysis of the potential sources of fire and gas within a given monitored process area and the performance of a proposed detector design, including the number, type, lo cation, orientation, and set points of detectors. There are (at least) two possible approaches that can be used for fire and gas mapping of detector coverage: geographic coverage and scenario coverage. In either case, the analytical method to determine achieved coverage should involve a computer model to map detection coverage. Refer to Annex B for attributes that modeling software may contain. Design verification should account for common cause, common mode, and dependencies between the detector coverage, safety availability and mitigation effectiveness and between the FGS and the initiating source of the hazard or other IPLs. The coverage levels that have been achieved for a given proposed detector array are then compared against selected performance targets. If the coverage target has been achieved, the proposed design is acceptable. If the target is not achieved, the type, number, and/or location of detectors should be reviewed and modified until the coverage target is achieved. 4.6.9 Step 9 – Verify FGS Safety Availability Quantitative verification of the FGS safety availability should be per applicable guidance of ISA for safety instrumented functions (SIFs). FGS safety availability is calculated per FGS function and is the mathematical complement of the probability of failure on demand (PFD). PFD for an FGS function is a summation of the sensor PFDavg + logic solver PFDavg + final element PFDavg, Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 38 - where the PFDavg is a function of the dangerous undetected failure rate of each device, the voting architecture of each device grouping, and the proof test interval of the devices. Verification can be accomplished using the techniques presented in the ISA-TR84.00.02 for analysis of SIFs. However, several significant differences between SIFs and FGS functions should be noted to ensure an accurate assessment of FGS safety availability is achieved. First, proper definition of the FGS function is critical to ac curately assessing the FGS safety availability. The quantity of detectors and possible voting schemes of the FGS function are directly related to the detector design basis, which specifies the gas cloud or flame size that the detector array can detect with the goal of mitigating further accumulation , such that the gas cloud or flame size cannot escalate to a catastrophic event. FGS applications can be designed to act when a single sensor goes into alarm. However, most systems implement some form of voting o f multiple sensors in an area of concern to reduce the likelihood of system activation from a single sensor failure. Typically, two or more sensors in an area of concern must go into alarm before automatic action is taken. While this reduces the probabilit y of nuisance trips from a single sensor failure, it also reduces the probability of successfully responding to a hazardous event. It is less likely for two or more detectors to be in the area of concern, assuming the layout of detectors has not been changed with the implementation of voting. Detector voting schemes cannot be determined until a detector design basis is established (e.g., the sensor array should be designed to detect an accumulation of combustible gas with a maximum diameter of 5 meters). If an area of concern contains three detectors, the ability of the detectors to detect the event within the required time will determine whether the voting scheme is 1oo1, 1oo2, 1oo3, or 2oo3. Thus, if the postulated 5-meter gas accumulation is moved throughout the area of concern and, at any one time, only one detector can “see” the accumulation, the voting scheme is 1oo1. The other two detectors cannot “see” the accumulation volume in question and thus should not be considered as redundant measurements for the hazard scenario. Second, one should consider the source of the failure rate data being used in the PFD avg calculation itself. Failure rate data is readily available from a variety of data sources (vendor data, industry data, site specific data, etc.). However, if one looks closely, this failure rate data as presented typically includes an assumption that the device will operate in a fail -safe, de-energizeto-trip mode. Most FGSs operate in an energize-to-trip arrangement. Consider a failure mode where a logic solver is unable to energize its output. In a de -energize-to-trip scheme, this type of failure will prevent one from initially opening a fail -closed valve during startup. Thus, it would be classified as a safe failure by the manufacturer. However, i n an energize-to-trip scheme, this type of failure prevents one from opening a suppression valve during a demand. Thus, it should be classified as a dangerous failure. Thus, one needs to carefully review the failure rate data being considered for use in the calculations. Also, motive force needed for any energize-to-trip mitigative actions should be available long enough to meet the design intent of the FGS action. For example, the availability of deluge or suppression systems should be included in the calculation. FGS designs typically involve actuation of final elements that might be controlled by other systems, such as isolation valves controlled by the safety instrumented system logic solver. Any equipment that is required for FGS operation should be included in the FGS availability calculation. If the equipment associated with the FGS is used by any other protection layer for the same hazardous event, the common cause impact on overall risk reduction of this design should be evaluated. The safety availability that has been achieved for a given FGS function is then compared against a selected performance target. If the safety availability target has been achieved, the components and architecture of the FGS function are acceptable. If the target is not achieved, design parameters, such as redundancy, diagnostics, and test intervals , should be reviewed and modified until the target availability is achieved. Copyright 2018 ISA. All rights reserved. - 39 - ISA-TR84.00.07-2018 4.6.10 Step 10 – Verify effectiveness of FGS actions Mitigation action effectiveness is the confidence that the results of activating the final control element(s) of an FGS function will successfully mitigate the consequence of a defined hazard as expected (e.g., prevents a small fire or gas accumulation from escalating to a large fire or accumulation). In this contingency, the FGS function can be ineffective such that the outcome of the event is not significantly different than it would be if no detection or activation occurred. The concept of effectiveness of the FGS actions is meaningful only when conside ring FGS functions that are intended to mitigate hazards; therefore, this has also been referred to as “mitigation effectiveness.” In the less frequent applications where FGS functions prevent a hazard, this branch of the event tree is not meaningful. The reduction in severity afforded by a mitigation action will be related to the magnitude of the hazard being acted upon and the fundamental limitations of the capability of the FGS actions to be effective. In general, effectiveness of the FGS actions is likely to be very high when the magnitude of the detected hazard is small and detection occurs quickly, so the desired safety action can be taken well before there is the potential for hazard escalation. Conversely, even correct detection and activation of the FGS actions might be ineffective: 1. Due to an excessive time delay between initiation of the FGS action and when such actions can be considered effective. For example, combustible gas detection that isolates a process and opens depressurizing (blowdown) valves can take 20 minutes or more before the pressure in the system has significantly reduced with a corresponding reduction in the discharge rate of a gas leak. During the intervening period, the gas that already leaked from the system could ignite. 2. Due to severe consequences associated with the initial loss of containment event that would result in a consequence magnitude beyond the design of the FGS actions. For example, a catastrophic pipeline rupture will very likely result in an immediate vapor clou d explosion hazard that can have severe consequences before the FGS function can effectively mitigate them. The ensuing fire might be mitigated, but not before severe safety consequences have already occurred. As a result, the design verification should account for these codependencies. Mitigation effectiveness is recognized as a valid FGS performance metric that will fundamentally limit the amount of claimed risk reduction for an FGS function below the ideal outcome of 100% confidence in effective FGS actions. In concept, early detection of small or incipient hazards provides “high” confidence that FGS mitigation actions will be successful. Late detection results in “low” confidence. Similarly, low confidence results in under detection of a hazard that is an order of magnitude larger than the design-basis hazard. While guidance on this topic continues to evolve, as a minimum for all applications, users of this TR should examine the existing or proposed FGS function to ensure that FGS actions are creditable as being effective in reducing the magnitude and severity of the unmitigated hazard. The concerns raised about mitigation effectiveness highlight using a very cautionary approach when considering FGS systems in applications where claimed risk reduction associated with FGS mitigation exceeds a factor of 10. The method of verifying mitigation action effectiveness will depend upon the type of action one takes (e.g., evacuation of personnel versus deployment of fire suppression versus isolation and de-pressurization of the process). Further guidance on FGS mitigation action effectiveness is in Annex C. 4.6.11 Step 11 – Determine FGS effectiveness (mitigated risk) The FGS effectiveness achieved for an FGS function should be compared against the selected performance target (see Figure 1). If the target has been achieved, the proposed design is acceptable. If the target is not achieved, the conceptual FGS design should be reviewed and modified. Increased coverage, availability, and/or mitigation actions should be achieved and reverified until reaching the target FGS effectiveness. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 40 - In addition, the estimated response time for the FGS safety function should be verified against the requirement established during conceptual design. If the FGS safety response includes evacuation or other human actions, the FGS safety function response time evaluation should consider nonoptimal conditions for personnel egress or sheltering that are likely to occur during a real demand condition. The results of the hazard and risk analysis and performance target verification are compiled into FGS performance requirements specifications. 5 FGS engineering activities in a project workflow FGS engineering activities occur at different stages of a project for design, implementation, and operation of a new plant or upgrade of existing control system s. Before any engineering activities, the FGS philosophy should be developed by or in conjunction with the end user. 5.1 Basic engineering (FEED) An initial FGS design should be produced. Documents required from the front-end engineering design (FEED) include the major equipment list, process flow diagrams (PFDs), process hazards analysis (PHA) documentation for hazard identification, and the layout of major process equipment. Loss prevention activities including fire hazard analysis should be reviewed. These documents allow one to determine FGS performance targets through an evaluation of hazards/risks associated with major process equipment. The type and magnitude of hazard scenarios that will be the basis of FGS design should be determined. A voting philosophy and detector set points should be selected, which allow one to establish initial coverage targets. For an existing facility undergoing a redesign or upgrade of the FGS system, decisions about the accep tability or reuse of existing equipment in the new design should be made during basic engineering. Once performance requirements are established, an initial FGS design can be developed ; FGS mapping can be conducted; coverage can be verified; and the FGS effectiveness can be evaluated if applicable. The results are used to provide estimates of the type, number, and location of fire and gas detectors. As detailed 3D process models are not available at this stage, only a preliminary evaluation of detector coverage can be made, but this should consider the location of major equipment. The basic engineering phase ends with an initial FGS design with estimates on type, number, and location of detectors required to meet the performance requirements. Basic engineering should include a specification of the FGS logic solver and a functional description of the logic. Equipment design requirements should include event survivability items such as fireproofing. 5.2 Detailed engineering FGS engineering activities include a review of process hazards and revalidation of FGS performance targets. Three-dimensional process models will mature with location of piping, utilities, electrical elements, and vendor-supplied packaged equipment. When the 3D model is at the 60% milestone, a detailed design of detector placement can be undertaken. The detector layout should be reevaluated and updated to ensure coverage requirements are met. Due to the development of the 3D process model between conceptual engineering and detailed engineering, significant changes to the FGS detector mapping are likely. The achievement of coverage targets should be verified, and detector placement optimized using FGS mapping, and one should evaluate the FGS effectiveness if applicable. Requirements for FGS maintenance and testing should be developed. Constructability and maintainability issues are typically first identified during detailed engineering, such as the practical limitations of where detectors can be mounted. Further, near the end of detailed engineering, the 3D process model matures to the 90% milestone. A final verification of the FGS mapping and evaluation of FGS effectiveness, if applicable, should Copyright 2018 ISA. All rights reserved. - 41 - ISA-TR84.00.07-2018 be performed to ensure that adjustments to the location of piping, cable trays, and conduit do no t impede detector performance. This results in a final layout for the FGS, with location and orientation requirements for all detectors in the FGS. Detailed engineering deliverables should be completed for the FGS. 5.3 Installation and commissioning After construction and during commissioning, the FGS should be validated in the field against the requirements specification. This includes validation of detector type, location, orientation , and response time. Detector FGS mapping and associated coverage should be checked and updated as needed to reflect any changes in detector placement during construction, including confirmation that specified coverage targets have been achieved. 5.4 Operations and maintenance During operation and maintenance, the FGS should be maintained and tested per specifications developed during engineering design. This includes reviewing the FGS as part of the management of change process to ensure that any changes to the process area are reviewed to determine their impact on the FGS. New or modified process equipment can create new potential leak sources , which can change the requirements for the FGS or create new obstacles that should be modeled to ensure detector coverage is not comprom ised. 5.5 Periodic assessment and audit The assumptions used in the FGS specification and design (e.g., FGS detector mapping and alarm response action) should be subject to periodic assessment and revalidation. The performance of the FGS safety function during inspection/testing or actual demands should be evaluated periodically against the specification requirements. Unacceptable FGS safety function performance on test or demand should be investigated and corrected promptly. The end user should establish the frequency of periodic assessments. It is recommended that periodic assessments coincide with other process safety revalidation activities. Copyright 2018 ISA. All rights reserved. This page intentionally left blank. Copyright 2018 ISA. All rights reserved. - 43 - ISA-TR84.00.07-2018 Annex A Sample semi-quantitative performance target selection technique FGS performance targets define the ability of a n FGS function to detect, alarm, and if necessary, act to mitigate the consequence of a fire or gas release upon a demand condition. In concept, a higher hazard installation should require higher levels of performance; while a lower hazard installation should allow lower levels of performance, so that FGS res ources can be effectively allocated. Depending on the end-user process hazard analysis (PHA) and FGS philosophies, the factors used to assess risk of fire and gas hazards in hydrocarbon processing areas can be evaluated in a semiquantitative method. The factors in a semi-quantitative analysis yielding performance targets for FGS should be calibrated based on the assessment of typical hazard scenarios, consequences, likelihoods, and target risk reduction for the facility under evaluation. The ability of this method to achieve the desired level of risk reduction is contingent upon the process conditions and equipment being consistent with the assumptions used to develop the performance targets. For situations that do not conform to these assumptions, the user should consider altering the method based on siteand user-specific factors. This annex presents an example methodology using a scoring system developed for a hydrocarbon processing facility with fire, combustible gas , and H2S toxic gas hazards. This ranking procedure is used to evaluate the hydrocarbon fire, combustible gas, and toxic (H2S) gas risks for each area into one of three risk categories (high, medium, low) for the purpose of establishing FGS detector coverage performance targets. The sample methodology described here should only be applied to FGS safety functions with a target FGS risk reduction factor ≤ 10. The reader should be aware of the requirements contained in existing standards applicable to FGS functions based on risk reduction factor targets as described in the foreword of this technical report. The following technical instructions apply to this specific example of a semi-quantitative method. The example risk analysis methods and risk criteria contained in this annex have been provid ed solely as explanatory material and should not be interpreted as recommendations. Hazard ranking is a function of the equipment, hazards, consequences, likelihood, occupancy, and special factors. Ranking requires an equipment-by-equipment assessment of factors, including: • • • • identifying hydrocarbon processing equipment • identify credible sources of hydrocarbon gas or liquid release • identify amount and type of processing equipment in FGS zone • identify process conditions that could aggravate/mitigate consequence severity assessing consequence severity • identify equipment that the FGS is intended to safeguard • assess magnitude of safety consequences (injury versus life threatening) • identify confinement and congestion in process areas that could aggravate combustible gas hazards assessing hazard likelihood • determine likelihood of release from all identified release sources • identify credible ignition sources (continuous and intermittent) • identify the effective response action to prevent safety impacts assessing level occupancy in FGS zone • identify normal/routine occupancy (operations, maintenance, contract) • identify nonroutine occupancy (operations, maintenance, contract) Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 44 - If an FGS zone is not easily characterized by one or more of the factors that comprise t he FGS zone hazard rank, quantitative risk analysis should be considered. Figure A.1 shows the hazard ranking procedure. Figure A.1 – Hazard ranking procedure Copyright 2018 ISA. All rights reserved. - 45 - ISA-TR84.00.07-2018 The ranking procedure uses numerical scoring to assess the risk associated with a given area. As an input to task one, FGS zones requiring further hazard review have been previously identified. A.1 Task 1 – Select major process equipment item Identify the major process equipment in the FGS zone (or perform the analysis one major equipment item at a time). Figure A.2 assigns a default likelihood score to each type of processing equipment typically found in a process industry facility, and Figure A.3 assigns a consequence score based on the phase of the material in the process equipment. The scores account for the baseline consequence and baseline likelihood of a release that could result in a significant fire, combustible gas, or toxic gas hazard. Equipment Item Shell & tube heat exchanger Base Likelihood Score 2.0 Plate & frame heat exchanger 3 Air cooled heat exchanger 2 Column/tower/contactor 2.5 Compressor/expander 3 Pressure vessel/reactor 2 Centrifugal pump 3 Reciprocating pump 3 Atmospheric storage tank 1 LP storage tank 1 Fired heater 2 Pig launcher/receiver 2 Sump/sump pump 1 Piping manifold 1 Single welded pipe segment 1 Figure A.2 – Major equipment item base likelihood scores Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 46 - Process Material Phase Base Consequence Score Stable liquids 1 Volatile liquid 2 Gas 3 Figure A.3 – Process material base consequence scores NBP = normal boiling point Stable Liquid T (Process) -< FP (Flash Point); FP and NBP volatile constituent representing > 3 mol% of streams Volatile Liquid FP < T (process) < NBP Gas T (process) > NPB; Gas also includes cryogenic liquids where T(amb) > NBP A.2 Task 2 – Adjust likelihood score for occupancy The base likelihood score should be adjusted as necessary to reflect the occupancy environment near the major equipment item. This should be based either on the impact to occupants from the design-basis hazard, or the impact based on the unmitigated/escalated hazard that the FGS design intends mitigate. Figure A.4 defines occupancy adjustment factors. The result is an adjusted likelihood for toxic hazards, if applicable. No further likelihood adjustment is required for toxic hazards. Additional adjustment is required for fire and flammable hazard likelihood s. NOTE Figure A.4 should be reviewed for occupancy to determine an adjustment factor and then reviewed for escape to determine an adjustment factor. The worst-case (e.g., highest number) adjustment factor should be selected. Occupancy Environment FGS Protection from Area of Immediate Impact FGS Protection from Escalation Using Evacuation, Escape, Rescue Model Adjustment Rare occupancy (less than 15 min per day) ~1% Rapid escape likely from area of impact of escalated hazard (1 to 3 minutes) –2 Moderate occupancy (routine operator rounds) ~ 10% Egress possible using designated routes. Short-duration protection required from escalated hazard (3 to 10 minutes) –1 High occupancy (near continuous occupancy) > 30% Muster using designated routes + evacuation from temporary safety refuge. Extended protection required from escalated hazard (10 to 30 minutes) 0 Figure A.4 – Occupancy adjustment Copyright 2018 ISA. All rights reserved. - 47 - A.3 ISA-TR84.00.07-2018 Task 3 – Adjust likelihood score for ignition environment factors The ignition environment adjustment task is not applicable to toxic hazards. If fire or flammable gas hazards are of concern, then the likelihood score should be further adjusted for ignition probability. Figure A.5 defines ignition adjustment factors. Description Adjustment –1.5 Low ignition probability (3%) Average ignition probability (10%) –1 Moderate ignition probability (30%) –0.5 High ignition probability (near 100%) 0 Figure A.5 – Ignition environment adjustment A.4 Task 4 – Adjust consequence score for process conditions The base consequence score should be adjusted for process pressure. This adjustment applies to fire, flammable, and toxic gas hazards. Higher process pressure indicates a higher magnitude of consequence severity if a release were to occur. Process temperature is already factored into the default consequence score. Figure A.6 defines process pressure adjustment factors. Pressure Adjustment Atm to 50 psig –0.5 50 to 150 psig 0 150 to 300 psig 0.5 300 to 1,000 psig 1 > 1,000 psig 1.5 Figure A.6 – Process pressure adjustment A.5 Task 5 – Adjust consequence score for flammability environment The base consequence score should be adjusted for factors related to the environment around a burning gas cloud, if it were to occur. This is related to process confinement and congestion factors. A higher degree of confinement and congestion lead s to a more severe consequence. Figure A.7 defines the flammability environment adjustment. The flammability environment adjustment should only be applied if flammable gas hazards are being evaluated. Do not adjust the consequence score with this factor if toxic hazards are being evaluated. Environment Type Adjustment Notes (Confinement & Obstacle Density) No confinement/low congestion –1 "3D Low" Some confinement/ moderate congestion 0 "2D Med" Confinement/high congestion 2 "2D High" Figure A.7 – Flammability environment adjustment Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 A.6 - 48 - Task 6 – Adjust consequence score for toxic gas concentration If a toxic (H2S) hazard is present, the base consequence score should be adjusted for the concentration of toxins (e.g., hydrogen sulfide) in the process fluid. This adjustment applies only to toxic gas hazards. A higher toxin concentration is indicative of a higher magnitude of consequence severity if a release were to occur. Figure A.8 provides typical H2S concentration adjustment factors. Concentration (v/v) Adjustment < 100 ppm Notes No H2S analysis 100 ppm to 1000 ppm –1 1000 ppm to 1% 0 1% to 3% 1 3% to 10% 2 > 10% 3 Figure A.8 – H2S concentration adjustment A.7 Task 7 – Determine FGS hazard rank For each hazard (fire, combustible, and toxic), each equipment item is assigned an individual adjusted likelihood score and an adjusted consequence score. The hazard rank is the sum of the adjusted likelihood score and the adjusted consequence score. This score indicates the degree of the hazard and ultimately the risk of fire, combustible gas , or toxic gas hazards. The calculated value is defined as the adjusted baseline hazard rank. The highest individual value of the baseline hazard rank for all equipment within a given FGS zone is defined as the zone hazard rank. A.8 Task 8 – Determine need for FGS Each area receives a performance target for fire, flammable gas , and toxic (e.g., H2S) gas hazards, which take the form of grades. These grades are listed in Figure A.9. Each of the grades defines a relative level of fire or gas risk , with grade A being the highest risk areas and grade C being the lowest risk areas requiring detection. A.8.1 Task 8.1 – Fire detection performance targets Design of fire detection systems is predicated on the principal that a turbulent diffusion fire should be sensed early enough that automatic control action can be taken, if required, during the incipient stage of the fire to maximize safety and limit commercial losses to a tolerable level. Incipient fire detection requires an adequate number of detectors that are st rategically located in a manner to provide adequate coverage. Fire detection performance targets are selected based on the results of the semi -quantitative FGS screening procedure described in this annex. The result of the semi-quantitative method is the fire hazard rank, which is representative of the relative fire risk. A higher hazard rank represents a higher level of risk, which subsequently requires a higher performance target on the FGS to mitigate risk. Figure A.10 details the relationship between the fire hazard rank, the fire grade, and the detection performance target. Copyright 2018 ISA. All rights reserved. - 49 - ISA-TR84.00.07-2018 Grade Exposure Definition A High hazard potential B Moderate hazard potential C Low or very low hazard potential No FGS Risk is tolerable w/o benefit of FGS Figure A.9 – Fire and gas performance grades Adjusted Hazard Rank Grade Fire Detection Coverage ≥7 A* > 0.90 5 to < 7 A 0.90 2 to < 5 B 0.80 0.5 to < 2 C 0.60 < 0.5 N/A No target coverage Figure A.10 – Fire hazard rank and detection performance target Fire detection performance targets are evaluated in locations where fires could occur with sufficient intensity to result in life, safety, or commercial impact. In these locations, radiant heat output (RHO) is used as the criterion to specify the flame magnitude of the design-basis fire that one wants to detect. The magnitude of a fire hazard is related to its fire size, which is directly correlated to its RHO. NOTE This applies to fires that are not expected to produce excessive amounts of smoke before flaming fire. This procedure is written on the principle that optical flame detection in locations with higher fire hazard exposure should be sensitive to lower levels of RHO than fire detection in locations with lower fire hazard exposure. Fire grade A is typically assigned to areas with higher levels of fire risk. These areas are characterized by hydrocarbon handling areas where small fires could cause significant damage in a short period of time or rapidly escalate. Such fires might be due to the potenti al for a higher consequence severity (e.g., high-pressure gas from a compressor) or from a higher likelihood of fire (e.g., small bore pipework and pump seals). For the performance targets associated with grade A, a minimum of 90% detector coverage is achieved for detection of a design-basis fire size. Fire grade B is assigned to most hydrocarbon processing areas throughout the facility. These areas are categorized by “normal” risk processing areas and typically contain fixed equipment with moderate to low likelihood of fire. For the performance targets associated with grade B, a minimum of 80% detector coverage is achieved for detection of a design -basis fire size. Fire grade C is assigned to areas where the risk of a fire is relatively low. Grade C areas are characterized by a low potential for severe consequences (for example, due to high flash point fuel). For the performance targets associated with grade C a minimum of 60% detector coverage is achieved for a design-basis fire size. An FGS zone with a hazard rank of 7.0 or greater should have a fire grade A*. For zones gradedºA*, the installed fire detection system should be capable of exceeding the grade A performance targets. FGS zones graded A* will likely have a risk reduction factor target for the FGS function that is greater than 10. Achieving this risk reduction factor requires performance targets for system availability and mitigation effectiveness, which are outside the scope of this method. Refer to the foreword of the technical report for additional guidance. In addition, the FGS zone should also be subject to additional risk studies, such as a QRA analysis, to verify that fire risk is adequately reduced . Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 A.8.2 - 50 - Task 8.2 – Combustible gas detection performance targets Design of combustible gas detection is predicated on being able to sense a threshold volume of gas at an incipient stage when action can be taken to prevent significant loss were that volume of gas to ignite and result in a deflagration. The goal is not to prevent any size flammable cloud from forming, igniting, or deflagrating. The goal is to limit flame front accelera tion of such ignited gas clouds to a speed that has been demonstrated to be below the threshold of structural damage in process environments. The degree of hazard and the damage from a combustible gas deflagration is related to the size of the cloud and other factors, such as confinement, and the presence of turbulence-inducing obstacles. Combustible gas detection performance targets are evaluated in locations where ignited gas clouds could cause damage from explosion overpressure. In these locations, the smallest gas cloud that has the potential to cause such damage, or the smallest gas cloud that can reasonably be developed, is used to define requirements for placing combustible gas detectors. Combustible gas performance targets are selected based on the results of the semi-quantitative FGS screening procedure described in this annex. The result of the semi-quantitative method is the combustible gas hazard rank that is representative of the relative combustible gas risk. A higher hazard rank represents a higher level of risk, which subsequently requires a higher performance target on the FGS to mitigate risk. Figure A.11 details the relationship between the combustible gas hazard rank and the combustible gas grade. Adjusted Hazard Rank Grade Gas Detection Coverage ≥7 A* > 0.90 5 to < 7 A 0.90 2 to < 5 B 0.80 0.5 to < 2 C 0.60 < 0.5 N/A No target coverage Figure A.11 – Combustible gas hazard rank and detection performance target Combustible gas grade A is typically assigned to FGS zones subject to higher risk, either due to high frequency release sources (such as rotating equipment) or a high degree of confinement of a burning gas cloud that could cause damaging flame acceleration and overpressure when subject to a relatively small gas release. For this performance target for grade A, the gas detection system should be capable of achieving 90% coverage for detection of a design-basis combustible gas hazard. Combustible gas grade B is typically assigned to areas subject to a moderate degr ee of confinement of a burning gas cloud. For this performance target for grade B, the gas detection system should be capable of achieving 80% coverage for detection of a design -basis combustible gas hazard. Combustible gas grade C is typically assigned to open hydrocarbon processing areas with fixed equipment, relatively low operating pressure, and well-controlled ignition sources. The gas detection system should have 60% detector coverage to detect a design -basis combustible gas hazard. In some cases, the primary hazard of concern is the migration of combustible gas beyond hydrocarbon processing areas where access and ignition sources are well controlled. In these cases, consider perimeter detection in lieu of gas detection within the area of the equipment containing the hazardous material. Copyright 2018 ISA. All rights reserved. - 51 - ISA-TR84.00.07-2018 An FGS zone with a hazard rank of 7.0 or greater should result in a combustible gas grade A*. For zones graded A*, the installed combustible gas detection system shou ld be capable of exceeding the grade A performance targets. FGS zones graded A* will likely have a risk reduction factor target for the FGS function that is greater than 10. Achieving this risk reduction factor involves having performance targets for system availability and mitigation ef fectiveness, which are outside the scope of this method. Refer to the foreword of the technical report for additional guidance. In addition, the FGS zone should also be subject to additional risk studies, such as QRA analysis , to verify that combustible gas risk is adequately reduced. A.8.3 Task 8.3 – Toxic gas detection performance targets In this example procedure, toxic gas detection is limited to hydrogen sulfide (H 2 S) hazards. H 2 S performance targets are evaluated in locations where H 2 S could cause serious injury. Personnel who enter areas of the facility containing H 2 S are assumed to be wearing personal H 2 S monitors at all times. This is the primary means of safety once a worker is in an H 2 S -containing area and is near equipment containing H 2 S. Fixed H 2 S detectors should not be the primary means of safety at these locations, because a very large number of detectors would be required to protect every possible exposure. Fixed H 2 S detectors are the primary means of safety to alert personnel who either are not in the area at the time or are within the area but not immediately exposed to a hazardous release. The goal is to either prevent personnel from entering the area or evacuating personnel from the area, depending on their initial location. Performance of H 2 S gas detection is based on the likelihood and severity of the toxic gas hazards present. Defining performance targets requires defining the hazard. For H 2 S, this is the smallest gas cloud that has the potential to cause serious injury. This is descriptiv e of the magnitude of the hazard that requires detection and is used to define requirements for placing toxic gas detectors. Toxic gas performance targets are selected based on the results of the semi -quantitative FGS hazard rank procedure described in this annex. The result of the semi-quantitative method is the toxic gas hazard rank that is representative of the relative toxic gas risk. A higher hazard rank represents a higher level of risk, which subsequently requires a higher performance target on the FGS to mitigate risk. Figure A.12 details the relationship between the toxic gas hazard rank and the toxic gas grade. Adjusted Hazard Rank Grade Gas Detection Coverage ≥ 7.5 A* > 0.90 5.5 or < 7.5 A 0.90 3.5 to < 5.5 B 0.80 1.5 to < 3.5 C 0.60 <1.5 N/A No target coverage Figure A.12 – Toxic gas hazard rank and detection performance target Toxic gas grade A is typically assigned to FGS zones where a life-threatening toxic hazard could occur from a relatively small gas release at a distance well outsi de the localized area of the release. Toxic gas grade B is typically used when there is a moderate degree of an injury-level toxic hazard that could occur from a small release at a distance well outside the localized area of the release . Toxic gas grade C is used when an injury-level toxic hazard could occur only from a large release at a distance beyond the localized area of the release. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 52 - An FGS zone with a hazard rank of 7.5 or greater should result in a toxic gas grade A*. For zones graded A*, the installed toxic gas detection system should be capable of exceeding the grade A performance targets. FGS zones graded A* will likely have a risk reduction factor target for the FGS function that is greater than 10. Achieving this risk reduction factor involve s having performance targets for system availability and mitigation effectiveness, which are outside the scope of this method. Refer to the foreword of the technical report for additional guidance. In addition, the FGS zone should also be subject to additional risk studies, such as a QRA analysis , to verify that the toxic gas risk is adequately mitigated. Toxic gas grade A, grade B, and grade C FGS zones should be capable of detecting a spherical gas cloud equal in size to the distance to the acute injury end point when analyzed for the designbasis hazard scenario. For toxic gas hazards, the extent of graded area should be taken as the distance to the detection limit for the design-basis hazard scenario. These distances are determined based on the results of toxic gas design-basis dispersion modeling. Copyright 2018 ISA. All rights reserved. - 53 - ISA-TR84.00.07-2018 Annex B Detector coverage assessment techniques B.1 Detector geographic coverage assessment The following example FGS architectures, detector coverages, and mitigation effectiveness represent possible system configurations and should not be interpreted as recommendations. The configurations used in actual applications are specific to the operating environment and process conditions in which they are used. As such, no general recommendations can be provided that are applicable in all situations. A geographic coverage assessment seeks to determine the degree of coverag e of a monitored area that contains a process with potential fire or gas hazards. The goal is to determine the fraction of a monitored process area that is covered if a release occurs in a given geographic location. Geographic coverage is a function of the release detection equipment in the monitored process area, considering obstacles that prevent or inhibit detection and the defined voting arrangement for the safety action of interest. For example, an array of many flame detectors in a monitored area with few obstacles and a 1ooN voting arrangement would yield a higher geographic coverage than an array with only a few flame detectors in an area congested with process equipment and a 2ooN voting arrangement. Detector geographic coverage does not require a specific risk scenario to determine coverage. The method assumes a hazard could occur anywhere within a monitored area and seeks to determine how well covered that area is. Detector geographic coverage does require general information about the magnitude of the fire or gas hazard that requires detection in a monitored area. B.2 Criteria for fire (geographic) coverage assessment In general, a system’s ability to detect a fire of given intensity increases as the number of f ire detectors in a monitored area increases. However, there is a threshold fire intensity below which the system cannot activate due to limitations of the sensitivity of flame detectors. Since an analysis of geographic coverage is not conducted on a scenar io-by-scenario basis, a general criterion needs to be established to determine the fire intensity that requires detection at any location within a monitored area. This criterion determines the analytical end point for adding more detectors to obtain a given level of coverage. Most optical flame detection methods are sensitive to thermal radiation at various wavelengths, and the radiated heat output of a fire is an important parameter in determining the threshold for detection. Guidance for determining the appropriate fire design-basis hazard for detection is provided in Clause 6 of this TR. Selecting a very low threshold detection criterion can be appropriate in some instances that are extremely vulnerable to small fire effects or present a severe potential for fire escalation; while in other situations , this criterion can lead to an excessive number of flame detectors, because small fires cannot be sensed at moderate to large distances from a detector. On the other hand, selecting a very large threshold crit erion can be appropriate in instances where only minimal coverage is required to annunciate a fire in a normally unoccupied process area; while in other situations, it can allow a fire to grow to an unacceptably large size beyond which automatic control actions (e.g., suppression) can be considered effective. Note that with larger fires, optical flame detector performance might be degraded. B.2.1 Procedure for fire-detector geographic coverage assessment 1. Select a design-basis hazard for detection—a threshold fire magnitude that requires detection of an incipient hazard (e.g., fire intensity of 1 ft by 1 ft at 100 ft requires detection) . 2. Select a geographic location for analysis . 3. Determine if the geographic location is within the field of view of each fire detector in the monitored area. For optical fire detection, ensure that obstructions between the detector and the geographic location are accounted for in making this determinatio n. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 54 - 4. If 1ooN voting is proposed, flag the location as covered only if it is within the field of view of one (or more) fire detectors in the monitored area. 5. If 2ooN voting is proposed, flag the location as covered only if it is within the field of view of two (or more) fire detectors in the monitored area. 6. Increment the analysis over all geographic locations in the monitored area. 7. Create a sum-total of all covered locations and determine the overall fraction of geographic area that is covered in the monitored area (i.e., detector geographic coverage). B.2.2 Attributes of fire detection coverage assessment Although there are many methods for fire detector coverage assessment, ranging from manual drawing to computer-aided design, there are some common critical attributes of effective assessment studies. The fire coverage assessment (i.e., fire detection mapping) should consider, at a minimum, the following attributes for fire detection modeling. It should: • perform coverage mapping in three dimensions • calculate the analysis results for user-required elevation of interest • utilize the specification of the fire detector (e.g., the results of the analysis should create a map that is identical to the “cone of vision” presented in the equipment vendor’s product literature, accounting for any de-sensitizing factors relevant to the application typically revealed in the FM 3260 test procedure) • model the effects of changes in detector elevation away from the elevation of interest • model the effects of the changing angle of declination with respect to the elevation of interest • model different detector sensitivity settings for each detector • model detector sensitivity with respect to multiple fires from different materials of interest for each detector as required (e.g., methanol fires, methane fires, and hexane fires) • model multiple obstruction geometries • present results that indicate the fraction of the monitored area where: no detectors are sighted, a single detector is sighted, two or more detectors are sighted B.3 Criteria for gas (geographic) coverage assessment The ability to detect a gas hazard at an incipient stage increases as the number of detectors increases. However, there are practical limits on the number and position of detectors that will imply the possibility of a small release going undetected as the gas disperses below its detectable concentration or situations where a small release remains undetected for a period of time until gas accumulation occurs in a semi-confined or confined area. Since an analysis of geographic coverage is not conducted on a scenario-by-scenario basis, a general criterion needs to be established to determine the size of gas release that requires detection anywhere within a monitored area. This criterion determines the analytical end point for adding more detectors to obtain a given level of coverage. Guidance on determining an appropriate design-basis hazard for detection is in Section 6 of this TR. From a practical standpoint, the size and shape of a gas release that requires detection are required to perform a basis analysis of gas detector coverage. For flammable gas detection, factors such as the degree of confinement and presence of turbulence -inducing obstacles require consideration. The typical form of this criterion is a spherical gas cloud of given size (e.g., 5-meter diameter); the actual value can be based on analytical consequence modeling or a study of the effects of flammable gas cloud size and the potential for damag ing blast effects from a deflagration. A smaller gas release criterion might be used in certain situations that are vulnerable to fire or explosion effects; while in other situations a small criterion can lead to an excessive number of detectors in an area that presents minimal hazard. A larger criterion can be appropriate in some Copyright 2018 ISA. All rights reserved. - 55 - ISA-TR84.00.07-2018 situations; while in others it can allow an unacceptably large accumulation of combustible gas that presents a significant escalation hazard beyond the capability of the mitigation system’s effectiveness. B.3.1 Procedure for gas-detector geographic coverage assessment 1. Select a design-basis hazard for detection—a threshold gas accumulation that requires detection of an incipient hazard (e.g., gas accumulation of less than 16 ft [5 m] in diameter requires detection at 20% LFL for a point detector or 1.0 LFL meters for a line-of-sight detector). 2. Select a geographic location for analysis. 3. Determine if the gas accumulation of threshold magnitude that is centered at a geographic location can be sensed by each detector (point or open -path type) in the monitored area. 4. If 1ooN voting is proposed, flag the location as covered only if threshold gas accumulation can be sensed by one (or more) gas detectors in the monitored area. 5. If 2ooN voting is proposed, flag the location as covered only if threshold gas accumulation can be sensed by two (or more) gas detectors in the monitored area. 6. Increment the analysis over all geographic locations in the monitored area. 7. Create a sum total of all covered locations and determine the overall fraction of a geographic area that is covered in the monitored area (i.e., detector geographic coverage). B.3.2 Attributes of gas detection coverage assessment Although there are many methods for gas detector coverage assessment, ranging from manual drawing to computer-aided design, there are some common critical attributes of effective assessment studies. The gas coverage assessment (i.e., gas detection mapping) should consider, at a minimum, the following attributes for gas detection modeling. It should: • perform coverage mapping in three dimensions • model point detection systems along with open path detection systems (e.g., accounting for beam attenuation) • present results in three dimensions and at a user selected elevation of interest • present tabular results that indicate the fraction of the covered area where: no detectors are sighted, a single detector is sighted, two or more detectors are sighted The advantages of the geographic coverage assessment include an easy-to-understand graphical representation of results. There is no requirement to generate specific scenario -by-scenario coverage results, giving an easily repeatable and auditable detection layout. Computational requirements are high for this method (as well as scenario coverage). The method also ensures that if the cloud size of concern exists, it will not remain undetected. The disadvantages of geographic coverage assessment include the fact that it does not account for the likelihood of gas migration and ignition. Alternatively, the method focuses on the accumulations that would result in unacceptable consequences, providing detectors to ensure these high -risk instances do not remain undetected. This allows the designer to focus only on those areas where gas accumulation presents a hazard of concern, thereby optimizing where gas accumulation may be credible, but would not present a significant hazard. B.4 Detector (scenario) coverage assessment The identified risk scenario(s), consequences, and event likelihood are used in the scenario coverage assessment. Scenario coverage is a more detailed assessment that is required for fully quantitative risk analysis techniques; whereas semi-quantitative risk analysis techniques generally rely on geographic coverage methods. Even when using semi -quantitative methods, use of scenario coverage—especially for gas detection—can provide more detailed information about the risk posed by a process plant and the effectiveness of different detector arrays. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 56 - Consequence analysis generates information about the potential impact of the identified fire and gas release scenarios. The impact zones are overlaid on the plan view of the area under analysis. Most often, the impact zones are based on turbulent diffusion fire models, showing flame size and shape, or gas dispersion, for unconfined or semi-confined areas. A determination is made for each detector in the monitored area as to whether it is capable of detecting the scenario. B.4.1 Procedure for fire detector (scenario) coverage a ssessment 1. Select a hazard scenario in the monitored area . 2. Select the first consequence outcome of the scenario. For a fire, each outcome is represented as one of the possible flame orientations. 3. Determine if the consequence outcome is within the field of view of each fire detector in the monitored area. For optical fire detection, ensure that obstructions between the detector and the geographic location are accounted for i n making this determination. 4. If 1ooN voting is proposed, flag the scenario outcome as covered only if it is within the field of view of one (or more) fire detectors in the monitored area. 5. If 2ooN voting is proposed, flag the scenario outcome as covered on ly if it is within the field of view of two (or more) fire detectors in the monitored area. 6. Increment the analysis of all scenario outcomes for the selected hazard. 7. Increment the analysis over all hazard scenarios in the monitored area. The ratio of detectable releases to the total is the detector (scenario) coverage for fire detection in the monitored area. B.4.2 Procedure for gas detector (scenario) coverage a ssessment 1. Select a hazard scenario in the identified monitored area. 2. Select the first consequence outcome of the scenario. For a gas release, each outcome is represented as a cloud profile from the dispersion analysis, with possible multiple wind directions, meteorological conditions, and ventilation patterns. 3. Determine if the consequence outcome can be sensed by each detector in the monitored area. 4. If 1ooN voting is proposed, flag the scenario outcome as covered only if it can be sensed above the threshold concentration for alarm by one (or more) detectors in the monitored area. 5. If 2ooN voting is proposed, flag the scenario outcome as covered only if it can be sensed above the threshold concentration for alarm by two (or more) detectors in the monitored area. 6. Increment the analysis of all scenario outcomes for the selected hazard. 7. Increment the analysis over all hazard scenarios in the monitored area. The ratio of detectable releases to the total is the achieved detector (scenario) coverage for gas detection in the monitored area. The advantages of scenario coverage assessment include a graphical representation of results showing the likelihood of gas migration at a facility. However, computational requirements are high for this method. Scenario coverage may allow the layout to be optimized based on which detectors are effective against the scenarios evaluated. The disadvantages of scenario -based coverage assessments include traditional modeling techniques not accounting for near field blockages, varying vertical orientations of release, and , ultimately, running a finite number of scenarios where the outputs are entirely dependent upon the number of scenarios evaluated. When analyzing explosion overpressure hazards, this method may not account for certain release scenarios that are the most hazardous with respect to consequences. For example, a gas may only migrate to a location in 1% of the scenarios, but that 1% may result in the most destructive consequence. Copyright 2018 ISA. All rights reserved. - 57 - B.5 ISA-TR84.00.07-2018 Factors considered when developing detector layout Where process-area fire or gas detection is specified, an initial detector layout should be proposed. When developing a layout, the designer should consider several key attributes that will impact the performance of the detection system. Although coverage should be evaluated for the proposed layout, it is important to recognize factors that influence a coverage calculation. This section lists several of these factors that the designer should consider in developing detector layout. This is a checklist for the designer, but it is not intended to prov ide a complete technical discussion of each factor. Further, the factors are not to be considered as prescriptive; rather, the weight of each factor should be determined by studying coverage as described elsewhere in this technical report. These factors are applicable to process-area fire and gas detection, and consideration has been given to applications where the process is located outdoors as well as indoors. B.5.1 Fire detection – indoor and outdoor application 1. End-user fire and gas detection and mitigation philosophy: This addresses the end user’s objectives for fire detection and mitigation, identifying safety and loss prevention goals. For example, does the detection of fire or gas result in an alarm -only condition or is executive action required? 2. End-user design standards for fire and gas detection : This includes the end user’s standards for fire detection, including target fire size and thresholds for adequate fire coverage. 3. Equipment of concern for fire hazard and leak sources: Consideration should be given to the equipment that is intended to be monitored for hydrocarbon fire hazards, and this can be based on legal requirements, end-user design standards, the end-user philosophy, or fire hazard and risk assessment of the type of equipment and fuel. 4. Equipment that is of possible concern includes the following: • heat exchangers • column/tower/contactors • compressor/expanders • pressure vessel/reactors • centrifugal pumps • reciprocating pumps • atmospheric storage tank • LP storage tanks • fired heaters • pig launcher/receivers • sump/sump pumps • piping manifolds • single-welded pipe segments • production wellheads 5. Flammable material • Fuel type, liquid fire, gas fire, etc.: The type of flammable material determines the elevation of fire detection required. • Inventory: A large inventory can potentially drastically change an FGS philosophy by changing the severity of potential consequences. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 58 - • Volatility/flash point: The material volatility/flash point can significantly alter potential hazardous outcomes. For example, high flash poi nt fuels have a significantly lower potential for severe consequences than low flash point fuels. • Process pressure/release velocity: Higher pressures and release velocities can cause a higher discharge rate. This can result in a jet fire instead of a pool fire. • Process temperature: Temperature can significantly change the volatility of fuel and the density of released gas. Flammability limits: The flammability limits can determine if pool fire or jet fire are credible outcomes, which affects detector positi oning. 6. Coverage area: Congestion is a major factor to consider, as large equipment or highly congested piping can significantly block the view of flame detectors and limit migration of smoke. 7. Boundaries of the area to be covered by fire detection: Boundaries define the extent of the area surrounding monitored equipment that is intended to be covered for hydrocarbon fire hazards. Factors considered for setting the boundary area include existing constraints, such as all equipment in a bounded area should have similar fire hazards, should activate the same alarms and executive actions and initiate the same procedural personnel protective actions (muster or evacuation). 8. Target fire size/design basis fire size: See Clause 6 of this TR for guidance on target fire size. 9. Fuel spill containment area/drainage: Containment and drainage influence the location of fire detection based on containment of liquid fuel spills. 10. Ignition sources: The location of strong ignition sources could influence detector layout (e.g., a pump seal fire hazard requires localized detection). 11. Obstructions (permanent/temporary): Obstructions include process equipment, piping, cable trays, electrical cabinets, scaffolding, and laydown areas that can impede detector views. For indoor process area (e.g., a compressor building) flame detection, obstructions can impede the detector’s ability to “see” the complete target. 12. Ventilation characteristics – HVAC, forced ventilation, or wind: For indoor applications, ventilation characteristics can affect detection. This can include the ventilation system preventing smoke migration or causing smoke extraction. Small fires can be difficult to detect when large ventilation systems are installed in industrial applications. Considerations should include strategically positioned flame detection instead of heat detection. 13. In outdoor fire detection applications, the initial detector layout should be influenced by the direction of the prevailing wind but also address normal and abnormal meteorological conditions, such as nighttime and low-wind conditions, and the type of fire (jet, flash, pool, etc.). 14. Available technologies for hydrocarbon fire detection : The initial detector layout is affected by the type of fire detection technology selected. Some technologies are m ore sensitive than others at detecting early stage or incipient fire hazards. Fewer detectors are needed when selecting more sensitive technology types. Also, spurious alarm avoidance should be considered, because some types of detectors are less robust in certain applications where false alarm stimuli are present. Refer to FM Property Loss Prevention Data Sheets 5 -48 for guidance about the strengths and weakness of the various detector technologies and applications. Typical detector technologies include th e following: • Frangible bulb: Designed to respond to the energy of a fire that increases the temperature of a heat-sensitive element. A frangible bulb uses a fluid-filled bulb. Copyright 2018 ISA. All rights reserved. - 59 - ISA-TR84.00.07-2018 • Bimetallic heat: Designed to respond to the energy of a fire that increases the temperature of a heat-sensitive element. Bimetallic heat uses a temperature-sensitive strip. • Closed-circuit television (CCTV)/visual: Designed to respond to the visual signature of a flame, using onboard algorithms to distinguish between real flames and other, nonvisual, background radiative sources (i.e., flare radiation, turbine exhausts). The technology uses imaging sensors in the visual/near-IR region of the electromagnetic spectrum to monitor the field of view for the presence of flame. Infrared (IR): This technology is designed to respond to the spectral signature of the hot CO2 energy emitted by hydrocarbon fires in the 4.3 4.4 micrometers range. The technology combines spectral analysis with flicker frequency (1 to 20 Hz) algorithms to prevent false alarming that results from black-body radiation. Multispectral IR (multi-IR): The technology is designed to minimize false alarms and increase sensitivity by analyzing signals coming from three or four sensors that filter wavelengths within the infrared spectrum. Nonfire radiation sources are rejected through the detector internal algorithms. • Ultraviolet (UV) flame detection: The technology is designed to respond to radiation emitted by a wide variety of fires including hydrocarbon, hydrogen, and metal based. The detector typically operates with wavelengths shorter than 260 nm to avoid interference from the sun and other sources of radiation present in the ultraviolet spectrum. • UV/IR (ultraviolet/infrared): The technology is designed to minimize false alarms by using sensors that are sensitive to both ultraviolet and infrared radiation wavelengths and by comparing their thresholds simultaneously. For that reason, the detector has a good immunity to false alarming and is suitable for both indoor and outdoor applications. 15. Execution Logic 1ooN (Alarm Coverage) versus Executive Action Coverage (2ooN): 2ooN provides the system with robustness and reliability (spurious trip avoidance), but it requires more detectors to achieve the target coverage. 1ooN provides adequate single detector alarm coverage with fewer detectors, but it does not consider the need for confirmed fire detection (voted) before safety actions are taken. 16. Detector technology/vendor-specific characteristics: Characteristics include the effective viewing distance (within a detector’s field of view) for a threshold fire size. This is determined by detector type. A smaller viewing distance requires more detectors for a particular application to meet the target coverage requirements. Off-axis viewing distances should also be considered. Larger off-axis distances can require fewer detectors for a particular application. 17. Non-ideal conditions that limit detection coverage: These factors can reduce the sensitivit y of detector optics due to dust, dirt, fog, and steam. They also include background sources of IR radiation that could desensitize detectors. 18. Application environment: Detector performance can be affected by site temperature, humidity, RF interference, and any site considerations for detector coverage or detector interference. 19. False alarm stimuli: Stimuli include sources of UV or IR radiation that could result in false alarms. The location of normal flame sources, such as flare, should be considered. 20. Electrical area classification: Electrical equipment should conform to local codes and standards (e.g., U.S. National Electric Code, Europe-International Electrotechnical Commission). 21. Cross voting between FGS zones/monitored areas: The analysis should determine if there is a need to limit the detection of a hazard outside the zone/monitored area where a detector is located. 22. Detector installation constraints (constructability and maintainability): These constraints include limitations on mounting detection equipment on an existing structure; imitations due to areas that need to be avoided for vehicle access; limitations due to detection equipment Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 60 - accessibility for routine maintenance; or end-user specifications to increase detectors to allow for the unavailability of a single detector due to a fault or maintenance activities. B.5.2 Gas detection – indoor and outdoor application (reference 2.13, 2.14, 2.15) 1. End-user fire and gas detection and mitigation philosophy: This addresses the end user’s objectives for flammable or toxic gas detection and mitigation. It identifies safety and loss prevention goals. The philosophy will determine, for example, if the detection of fire or gas results in an alarm-only condition or whether executive action is required. The philosophy guides users in detecting gas accumulation or gas leak scenarios. 2. Equipment of concern for combustible or toxic gas hazard/leak sources: Consideration should be given to the equipment that is of concern, which can include the following: • heat exchangers • column/tower/contactors • compressor/expanders • pressure vessel/reactors • centrifugal pumps • reciprocating pumps • atmospheric storage tank • LP storage tanks • fired heaters • launcher/receivers • sump/sump pumps • piping manifolds • single welded pipe segments • production wellheads 3. Process streams/material • material phase (liquid, vapor, two phase) • inventory • volatility/flash point • process pressure/release velocity • process temperature • flammability limits • toxicity limits, IDLH, OSHA PEL/STEL • gas mixtures (toxic material mixed with flammable gas) 4. Boundaries of area to be covered by gas detection: Factors considered for setting the boundary area include existing constraints. All equipment in a bounded area should activate the same alarms and executive actions and initiate the same procedural personnel protective actions (muster or evacuation). In addition, bounded areas should include similar gas hazards. 5. Target gas accumulation/leak size/design-basis gas hazard: See Clause 6 of this TR for guidance on the size and extent of gas accumulation. 6. Flammability environment: Locations of confinement and congestion, where gases are most likely to accumulate should be identified. For heavy gases, identify low spots where Copyright 2018 ISA. All rights reserved. - 61 - ISA-TR84.00.07-2018 accumulation or confinement may occur. For light gases, identify locations where gases can become trapped above process equipment where accumulation or confinement may occur. 7. Ignition sources: Sources of ignition include the following: • open flames/sparks • high temperatures (above auto-ignition) • nonroutine sources (e.g., vehicles) 8. Obstructions (permanent/temporary): Congestion/confinement are factors to consider for both indoor and outdoor gas detection, because they can significantly impact gas migration and the behavior of ignition. 9. Ventilation characteristics – HVAC, forced ventilation, or wind: Ventilation has a strong influence on the migration of gas indoors and affects the optimal location for gas detectors. Gas detectors should be located strategically based on known ventilation characteristics, both normal and worst-case ventilation characteristics. FGSs using forced ventilation as a mitigation action are often energized to trip systems. Fans, blowers , and air handling units require considerably more power than other typical final elements. The UPS system for the sensors and logic solvers typically does not have enough capacity to power a forced ventilation system , and emergency standby generators may need to be considered. In outdoor gas detection applications, the initial detect or layout should be influenced by the direction of the prevailing wind, but also should address normal and abnormal meteorological conditions such as nighttime and low wind conditions, where gas can accumulate in areas of partial confinement and congestion . 10. Available technologies for gas detection: The initial detector layout should be sensitive to the type of gas detection technology selected. This is particularly important if one selects openpath gas detection instead of point gas detection. Fewer detectors are used with more sensitive technology types or lower alarm set points. Also, spurious alarm avoidance should be considered, because different types of detectors can be less robust in certain applications where the detector is cross-sensitive to nontarget gases. Many detector technologies exist, including but not limited to, the following: • Infrared (IR): Combustible gases have a characteristic absorption signature . This technology relies on the absorption of IR radiation between a source and a receiver. This can be implemented as either open path or point infrared gas detectors. • Catalytic bead: This technology relies on a catalyst to oxidize any combustible gas entering at low temperatures. • Ultrasonic: This technology uses the detection of an acoustic signature of a leak rather than the presence of a gas. • Metal oxide semiconductor (MOS): The technology is designed to measure a signal that resulted from a change in the electrical conductivity of a heated metal oxide chip when exposed to the toxic gas. • Electrochemical cell: This technology is used for toxic gas detection. This technology is designed to measure a signal proportional to the gas diffused into a cell filled with an electrolyte solution. • Laser absorption spectroscopy: This approach utilizes the absorption characteristics of the individual molecule of the target gases to determine the concentration of gas. Devices are tuned to see specific flammable or toxic gases. Normally imple mented as open path. 11. Target gas type(s) and detectability: Major gas type targets include combustible and toxic gas. Detectability for combustible gas is determined through leak source or accumulation detection with the size of the leak and the size of accumulation being varied respectively. Toxic gas detectability is determined through leak detection with leak size being varied. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 62 - 12. Density of target gas compared to ambient air: The density of the target gas has a strong influence on the migration of gas both indoors and outdoors. Gas detectors should be located strategically based on the known density characteristics of the target gas relative to ambient air. As the density of the target gas relative to ambient air increases, detector elevation should be lowered from incipient release elevations. Conversely, if density is lighter than ambient air, detector elevation should be increased. 13. Execution logic 1ooN (alarm coverage) versus executive action coverage (2ooN): 2ooN provides robustness and reliability to the system (spurious trip avoidance), but it requires more detectors to achieve the target coverage. 1ooN provides adequate single detector alarm coverage with fewer detectors, but it does not consider the need to have confirmed gas detection (voted) before safety actions are taken. 14. Personnel entry and exit locations (toxic gas detection): Toxic gas detection can be required at points of entry and normal exit or emergency egress. 15. Vendor-specific characteristics: Detection limits, alarm set points, and vendor specifications will affect the location and number of gas detectors. 16. Nonideal conditions that limit detection coverage : This includes dirty optics on gas detectors, potential catalyst poisons, and cross sensitivity of gases. 17. Application environment • Open-path gas detection: Fog, steam, heat, and any site considerations for detector coverage or detector interference. • Point gas detectors: Where space is congested and prohibits the use of open -path detectors, more suitable for unpredictable applications and h igher risk areas. 18. Detector performance can be affected by site temperature, humidity, RF interference , and any site considerations for detector coverage or detector interference from false alarm stimuli. • Sensitivity of detector to nontarget gas • Nuisance alarms can stem from factors such as wind, vibration, or dirt/dust. Detectors with self-diagnostics can lower the occurrence of such nuisance alarms. 19. Electrical area classification: Considerations should include whether there are end -user requirements to detect flammable gas migration outside the area of well-controlled ignition. Copyright 2018 ISA. All rights reserved. - 63 - ISA-TR84.00.07-2018 Annex C Mitigation action effectiveness concept Mitigation action effectiveness is defined as how confidence one is that the result of activating the final element(s) will successfully mitigate the consequence of a defined hazard as expected (e.g., it prevents a small fire or gas accumulation from escalating to a large fire or accumulation). The FGS must be activated in a sufficiently timely fashion to reduce the event severity. An FGS function might be ineffective such that the outcome of the event is not significantly different than it would be without detection or activation. It is possible to detect a hazard and have successful activation of the final element(s) associated with the FGS function, and yet the result is not complete or effective hazard mitigation. The reduction in severity afforded by a mitigation action will be related to the magnitude of the hazard being acted upon and the fundamental limitations of the capability of the FGS actions to be effective. In general, the effectiveness of the FGS actions is likely to be very high when the magnitude of the detected hazard is small and detection occurs quickly, which allows the desired safety action to be taken well before there is the potential for hazard escalation. Conversely, even correct detection and activation of the FGS actions might be ineffective due to : 1. An excessive time delay in the initiation of the FGS action, resulting in hazard escalation. For example: • Combustible gas detection that isolates a process and opens depressuri zing (blowdown) valves can require 20 minutes or more before the pressure in the system has significantly reduced, with a corresponding reduction in the discharge rate of a gas leak. During the intervening period, the gas already leaked from the system could ignite. 2. Human factors that result in a degraded response action. For example : • Personnel addressing the hazard do not evacuate the facility in a timely fashion. • Personnel cannot evacuate a facility as planned (e.g., temporary scaffold blocks the evacuation route). 3. Severe consequences that are associated with the initial loss of containment event that have a consequence magnitude beyond the design of the FGS actions. For example: • A catastrophic pipeline rupture will very likely result in an immediate vapor cloud explosion hazard that can cause severe consequences before the FGS function is able to effectively mitigate it. The ensuing fire might be mitigated but not before severe safety consequences have already occurred. • Rupture of a toxic gas (e.g., chlorine) storage container rapidly causes impact s beyond the immediate area, resulting in loss of life before alarming and precautiona ry actions become effective. The method of evaluating mitigation action effectiveness depends on the type of FGS response action that is taken. These actions can be classified in the following general categories: 1. The FGS safety action involves direct actions on the process, including isolation and depressurization, such that this action meets the intention of the risk acceptance criteria without further mitigation. Thus, the hazard is mitigated, and escalation avoided. A hazardous outcome may still occur. The severity could be small in magnitude (e.g., a small flash fire instead of a vapor cloud explosion with a severe impact to equipment and personnel), or, depending on other factors, it may be large in magnitude. The probability of failure of the direct actions was already addressed in the FGS safety availability analysis. A mitigation action effectiveness would be a number greater than 0 and less than 1.0 , depending on the ability of the direct actions on the process to mitigate the hazard. 2. The FGS safety action involves nonprocess actions that mitigate the severity of consequence (e.g., suppression, deluge). The effectiveness of the nonprocess actions is dependent upon the magnitude of the initial hazard being wit hin the basis of design of the FGS mitigation Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 64 - system. For hazard cases that fall within the basis of design, a mitigation effectiveness of 1.0 may be used if the mitigation system is verified as suitable for use in the application that aligns with the FGS basis of design. Considerations should include sufficient inventory for suppression material and sufficient energy availability for transport of the material. Refer to step 9 for guidance about the inclusion of these systems in the availability analysis. Cases for which the hazard magnitude exceeds the mitigation system capability (e.g., the scenario begins with a catastrophic equipment failure that results in an initial fire larger than the design capability of the suppression system or a large toxic gas c loud that precludes safe evacuation) where the risk associated with failures exceeds the basis of design should be analyzed separately and addressed using inherently safer design or risk reduction means other than the FGS. This separate risk analysis falls out of the scope of this TR. 3. The FGS safety action primarily involves evacuation or sheltering of personnel. Mitigation action effectiveness is typically less than 1.0 for human response to the alarm. Determination of the mitigation action effectiveness c an be based on demonstrated evacuation drilled performance in similar operating environments. In some cases, the credited safety function may involve diverse actions in response to the activation of the FGS. As these actions are not independent, the FGS effectiveness is evaluated as a single complex function. In addition, not all of these actions result in full mitigation of the consequence of concern. This can be explicitly included by expanding the FGS risk model (event tree) to include the range of the f actors that modify the outcomes and associated severities. Consider the following example of a natural gas compressor station consisting of an enclosed compressor building containing a single compressor. The compressor station is equipped with optical fire detectors that will, upon detection of a fire, activate a chemical fire suppressant system that is designed to extinguish the fire. The compressor station is controlled and maintained by two staff members who are primarily located in a control room adjace nt to the compressor building. The operators have the means to manually extinguish the fire. The end user wants to consider both automatic and manual actions in the risk analysis. For this reason, the effectiveness of the activation of the FGS is not a simple probability that the dry chemical system puts the fire out. Instead, it is a complex combination of mechanical and human interactions. Some of the factors that will determine that amount of mitigation that is achieved will include: 1. What is the probability that the dry chemical system will extinguish the fire? This probability is a function of the size of the fire and other contributing factors. The independent review of the dry chemical system identified failure modes that could result in insufficient p erformance and the failure to completely mitigate the hazards. Failure of the dry chemical system to extinguish the fire could be caused by: • excessive HVAC action removing the chemical agent too rapidly • doors left open, preventing the chemical agent from properly accumulating • other factors 2. If the automatic fire extinguishment system fails, will an operations staff member manually extinguish the fire with handheld equipment? 3. If the automatic fire extinguishment system fails and oper ations staff attempts to control the fire manually, will they be injured during the process? 4. If the automatic fire extinguishment system does effectively operate, will operations staff still be injured as the result of entering the room before extinguishing chemicals and combustion byproducts are ventilated. The following event tree depicts an analysis of this complex safety function. Copyright 2018 ISA. All rights reserved. - 65 - Auto Extinguished FGS Activated Manual Extinguish Attempted Personnel Injured Manual by Fumes (during Extinguish fire) Effective ISA-TR84.00.07-2018 Personnel Injured Personnel by Fumes (after Personnel fail Enter too Early fire) to evacuate Early Entry 0.1 Success 0.8 Injured by Fumes 0.2 Not Injured 0.8 Single Injury No Early Entry 0.9 Injured by Fumes 0.3 Seal Fire 1 Attempted 0.9 Failure 0.2 Not Injured 0.7 Success 0.9 Failure 0.1 Not Attempted 0.1 Consequence Sumation None Injury Single Fatality Multiple Fatalities Figure C.1 Consequence / Probability Fail to Evacuate 0.2 Evacuate 0.8 Fail to Evacuate 0.2 Evacuate 0.8 0.016 No consequence 0.064 No consequence 0.72 Single Fatality 0.054 No consequence 0.1134 Multiple Fatalities 0.00252 No consequence 0.01008 Multiple Fatalities 0.004 No consequence 0.016 0.90748 0.016 0.054 0.00652 Event tree representing complex mitigation action effectiveness Copyright 2018 ISA. All rights reserved. This page intentionally left blank. Copyright 2018 ISA. All rights reserved. - 67 - ISA-TR84.00.07-2018 Annex D Application examples ANSI/ISA-84.00.01-2004 is a risk-based standard that achieves functional safety through risk reduction. Risk, per the standard, is calculated as the product of frequency and consequences. Prevention systems (e.g., SIS) reduce the risk by reducing the frequency; and mitigation systems (like FGS) typically reduce the risk by reducing the severity of the consequences. The following application examples illustrate performance-based FGS design as described in Clause 6. Examples are provided for fire detection, combustible gas detection, and toxic gas detection. The examples also show a range of fire and gas philosophies and a range of required FGS risk reductions. Table D.1 is a summary of example calculations in this annex. Table D.1 – Example summary Example Hazard Example Description FGS Risk Risk FGS Final Reduction Analysis Element Target Method Action Fire detection and suppression in Less than Semi- ESD and an oil & gas well bay 10 quantitative deluge Combustible Combustible gas detection in a Greater Quantitative ESD gas natural gas production platform than 10 Toxic gas Toxic (H2S) gas detection in an Greater Quantitative Evacuation/ onshore gas processing plant than 10 Monitored D.1 D.2 D.3 D.1 Fire shelter Application example – fire detection and suppression in oil and gas w ell bay module This example involves hydrocarbon fire detection in the well bay of an integrated offshore oil and gas production platform. The platform handles flammable hydrocarbon liquids and gases under high pressure. An ignited release of flammable material presents a significant hazard to personnel on the platform. The end user has an existing fire detection philosophy that was developed to guide the performance-based design. D.1.1 Facility information The example is a module on an offshore oil and gas production platform. The module is fully enclosed on two sides, partially enclosed on another, and open on one side. The area is a rectangular shape and is 20 meters (65 ft) in length on each side. The module contains 16 wellhead assemblies (i.e., wellhead plus Christmas tree) and a wellhead control panel (instrumentation and control cabinet) located on the north side of the module. A 3D visualization and plot view of the module are shown in Figure D.1. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 68 - Figure D.1 – Example: Offshore well bay module D.1.2 Fire and gas hazard assessment The end user’s fire hazard analysis includes an evaluation of the process that includes the following factors: • material processed • process pressure and temperature • equipment potentially involved in a fire • occupancy of the facility • electrical area classification Because this is a process module containing flammable hydrocarbon processed at high pressure with the potential presence of personnel on the platform, the external fire hazard/risk analysis determined the need for fire detection, with a requirement for an FGS risk reduction target of less than 10. Since there is no requirement for FGS risk reduction exceeding 10, a semi-quantitative hazard/risk assessment (Annex A) was used to establish FGS performance targets in this example. As a result, the performance metrics used in this example will includ e detector coverage (quantitative), FGS safety availability (qualitative), and mitigation action effectiveness (qualitative). The end user’s detection philosophy is for incipient (early-stage) fire detection, automatic shutoff of the process, and initiating firewater deluge by activating the fire water pump and opening the deluge valve. Step 1 – Identify areas of concern The operating company for this platform has standardized design practices in place that require incipient fire detection to be installed in all areas of offshore facilities that handle well production fluids. Step 2 – Identify hazard/risk scenarios The hazard analysis identified the potential for leaks from the wellhead , and a range of release sizes were considered credible scenarios. To simplify this analysis for illustrative purposes, the analysis of only one risk scenario is included here. The scenario involves a pinhole leak from the wellhead resulting in a potential turbulent jet fire in the module. The cause could be corrosion, erosion, or mechanical failure of the equipment. Although there are no strong sources of ignition located in the module (open flames, unclassified electrical equipment, etc.), the possibility of ignition cannot be discounted. This is the most likely release sce nario that will place a demand on the fire detection system. Other scenarios (not analyzed in this example) include a large leak (e.g., flange failure) and a rupture of a process connection to the wellhead. Copyright 2018 ISA. All rights reserved. - 69 - ISA-TR84.00.07-2018 Step 3 – Analyze consequences The credible consequence of this scenario is a potentially life-threatening injury to a single person if present in the well bay module at the time of the release. In this example , a range of semiquantitative consequence factors were considered, including the following information gathered from probability of failure on demand (PFD): • Wellhead pressure is 1500 psig. • Process temperature is 100°F. • Process fluid has a flash point of -10°F. Step 4 – Analyze hazard frequency In this example, frequency analysis was considered using semi-quantitative factors including: From facility information: • Equipment type From discussion with the end user: • Personnel are in the area of the well bay approximately 2 hours per day. From plot plants and the plant 3D model: • The well bay area is moderately congested, with grated decking above and below. • There are no strong ignition sources (open flames, hot surfaces, etc.) in the vicinity of the well bay. Step 5 – Assess unmitigated hazard/risk The well bay contains a total of 16 production wells, each handling flammable hydrocarbons. Each well operates at the same temperature, pressure, composition, etc. Therefore, analysis performance target selection was carried out for a single well , and the results were applied for all 16 wellheads. The process fluids present both fire and combustible gas hazards. However, for the purposes of demonstration, only analysis of fire hazards will be presented in this application example. The well bay was defined as a single FGS zone. Several factors were considered when m aking this determination; these considerations include: • Commonality of hazards: All wellheads in the well bay operate under the same conditions; therefore, the hazard presented by a release is the same regardless of the source. • Actions taken automatically by the FGS: A confirmed fire (2ooN) will cause shut-in of the wells, initiate platform ESD, and initiate the fixed fire suppression system. Step 6 – Identify FGS performance targets A semi-quantitative analysis (Annex A) was carried out to determine the performance targets for the optical flame detection system. Performance targets include fire detector coverage. Several key inputs are required to perform the semi-quantitative performance target selection. These inputs were gathered from discussion with the end user of the platform and from engineering documents , including P&IDs, PFDs, plot plans, and plant 3D models. An FGS philosophy was developed to guide the design team in carrying out the performance -based design of the detection system. Key inputs for the analysis that were documented in the FGS philosophy include: • Early (incipient) detection of hydrocarbon fire hazards is done using optical fire detectors. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 70 - • Performance target selection is to be carried out using the semi-quantitative methodology. • The design-basis fire hazard is an incipient fire. The design intent of the system is detection of a 1-ft x 1-ft hydrocarbon fire (approximately 50 kW) within 10 ft of all major equipment items for which performance targets have been assigned. • Flame detector mapping is carried out using the geographic coverage methodology. • 2ooN voting is required for the FGS to take executive actions. Detector coverage mapping should demonstrate adequate coverage with a 2ooN voting arrangement. With these inputs, the semi-quantitative hazard ranking methodology was applied as described in Annex A of this report. The semi-quantitative methodology is applied once for each major equipment item. In the case of the well bay, the analysis is identical for all wellheads and therefore can be performed once and applied to all wellheads. The results are as follows: Likelihood Base likelihood factor = 2 Occupancy adjustment = – 1 Adjusted Likelihood Score 2 2 + (–1) = 1 Ignition environment = –1.5 2 + (–1) + (–1.5) = – 0.5 Adjusted likelihood score –0.5 Consequence Adjusted Consequence Score 2 Base consequence factor = 2 Process pressure adjustment = 1.5 Other factors 2 + 1.5 = 3.5 Adjusted consequence score 3.5 N/A Notes From Figure A.2: Wellhead assembly selected From Figure A.4: Moderate occupancy selected based on personnel in the area approximately 2 hours per day. Two of 24 hours is approximately 10% occupancy. From Figure A.5: Low ignition probability. If applying a semi-quantitative method to toxic gas, this adjustment would only be included for fire/combustible gas hazards (per Figure A.1). Summation of base likelihood factor and all adjustment factors Notes From Figure A.3: The process fluid is a “volatile” liquid because the temperature of the process (100 F) is greater than the flash point (–10 F), but less than the boiling point. From Figure A.6: Wellhead pressure is > 1000 psig. Note that for combustible gas and toxic gas analysis there are two additional consequence modification factors to consider (per Figure A.1). Summation of base consequence factor and all adjustment factors Fire Adjusted Hazard Rank = Adjusted Fire Likelihood Score + Adjusted Fire Consequence Score = –0.5 + 3.5 = 3.0 The fire adjusted hazard rank of 3.0 results in a fire detection requirement of Grade B. From Figure A.10, the performance target for Grade B fire hazards is 80% detector coverage. In addition, the design and implementation of the FGS function will conform to applicable requirements of ANSI/ISA-84.91.01-2012 (reference 2.10), consistent with the target FGS risk reduction factor. Copyright 2018 ISA. All rights reserved. - 71 - ISA-TR84.00.07-2018 Step 7 – Initial FGS design The proposed FGS system design is based on expert judgment and heuristics through the application of the prescriptive requirements of the appropriate national standards and industry guidelines (Annex B). In the initial design, two optical flame detectors were specified. These detectors are located in opposing corners of the well bay as shown in Figure D.2a and D.2b. Figure D.2a – Optical flame detector conceptual design Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 72 - Figure D.2b – Optical flame detector conceptual design Step 8 – Verify detector coverage The designers are guided by the end-user FGS philosophy to use geographic coverage assessment for hydrocarbon fire hazards. The target for this assessment is to achieve 80% (gradeºB), with 2ooN coverage with a 10-ft monitored area of the graded equipment. The extent of the monitored area is shown in Figure D.3. Copyright 2018 ISA. All rights reserved. - 73 - ISA-TR84.00.07-2018 Figure D.3 – Well bay monitored areas and extent of grade B area Figure D.4 shows the achieved coverage for the initial design of two optical flame detectors. In Figure D.4, areas covered by two or more detectors are displayed in green ; areas covered by a single detector are shown in yellow; and areas not covered (i.e., a fire at this location would not be detectable by the FGS) are shown in red. In the image on the right, the detector coverage is displayed for the entire well bay, while the image on the left shows the coverage only within the monitored areas. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 74 - Figure D.4 – Fire detection geographic coverage map, initial detector layout Based on the results of the geographic coverage assessment, it was determined that approximately 93% of the monitored area is covered by one or more detectors (1ooN coverage), and 24% is covered by two or more detectors (2ooN coverage). Because this is not adequate to achieve the 80% coverage target for a 2ooN voting arrangement, the conceptual design should be modified to provide a higher degree of detector coverage. This design modification involved two additional flame detectors, one located in the top right and one located in the bottom left of the well bay. The results for the modified design are shown in Figure D.5. Copyright 2018 ISA. All rights reserved. - 75 - ISA-TR84.00.07-2018 Figure D.5 – Fire detection geographic coverage map, modified detector la yout In the modified design, it was determined that approximately 95% of the monitored area is covered by one or more detectors (1ooN), and 82% is covered by two or more detectors (2ooN). Because this design achieves the 80% 2ooN coverage target for the grade B areas, this design should provide acceptable performance in terms of fire detector coverage. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 76 - Step 9 – Verify FGS safety availability Upon a confirmed fire (2ooN vote) the FGS actives the fire suppression systems (deluge) in the well bay. The safety availability was verified qualitatively, because there were no requirements for FGS risk reduction in excess of a factor of 10. Sensors (optical flame detectors), a logic solver, and final elements (isolation valve, firewater pump, and deluge valves) were deemed suitable for use in this application per end-user approval for this facility. While not required, it was noted that the FGS logic solver was certified for use in safety integrity level (SIL) 2 applications through conformance with IEC 61508. Auxiliary systems were included in the verification , because some FGS final elements rely on support systems or do not operate in a fail-safe configuration. For example, in the case of an electric motor –driven fire water pump, power supply failure was considered and deemed suitable for use in this application due to the frequency of testing and the presence of a redundant power supply. Step 10 – Verify effectiveness of FGS actions The design intent is to detect an incipient fire hazard (50 kW fire) and initiate wellhead shut-in, open deluge valves, and start the fire water pump. The mitigation actions include isolation of inventory (wellhead shut-in) and suppression of the fire. Fire protection personnel confirmed that these actions are highly effective. An incipient fire is well within the capability of the fire water deluge system to suppress and cool surrounding equipment while minimizing thermal radiation effects to personnel evacuating the area. As it relates to the selected basis of design of the system, the mitigation effectiveness is confirmed and does not need additional quantitative analysis. Step 11 – FGS effectiveness (mitigated risk) Because the achieved FGS detector coverage of 82% exceeds the target of 80% for the 2ooN voting arrangement, the performance target is satisfied and the modified design of four detectors is suitable for use in the application. Copyright 2018 ISA. All rights reserved. - 77 - D.2 ISA-TR84.00.07-2018 Application example – Combustible gas detection in a natural gas production platform This example involves combustible gas detection in an offshore natural gas production platform. This is a small platform that contains a large amount of process equipment that results in significant confinement and congestion. It is a normally unmanned ins tallation. The platform produces flammable hydrocarbon gas under high pressure. An ignited gas release presents a potentially significant fire and explosion hazard to personnel, who may be on the platform conducting maintenance and other activities. D.2.1 Facility information The platform is open to the atmosphere on all sides. It is approximately 50 ft in length and 50 ft in width (15 m by 15 m). The deck is comprised of grated material. The well bay module includes nine wellheads located as shown in Figure D.6 and Figure D.7. For simplification of this analysis and for illustrative purposes, other equipment , including piping, instrument connections, and well control panels, are disregarded. The fluid being processed has been approximated as methane gas for this example problem. Methane has a lower flammable limit (LFL) of approximately 5% methane in air. Figure D.6 – Example: Offshore gas production facility Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 78 - Figure D.7 – Gas well bay (plan view) D.2.2 Fire and gas hazard assessment The hazard analysis employed by the end user of this facility includes an evaluation to determine if combustible gas detection should be employed. The analysis including the following factors: • material processed • process pressure and temperature • potential sources of combustible gas • occupancy of the facility • degree of confinement and congestion in the process areas Because this is a production facility processing flammable gases at high pressure with the potential presence of personnel on the platform during maintenance activities, the criteria determined the re was a need for combustible gas detection. A risk analysis was desired to determine if the unmitigated combustible gas hazard posed a risk high enough to warrant further risk reduction. The end user’s philosophy for detection and mitigation is to detect gas accumulation at an early (incipient) stage with automatic shutoff of all wells on the platform. This philosophy guides the designers to use gas accumulation detection as the basis of design. Fully quantitative hazard/risk analysis was selected for this application example to determine FGS risk reduction requirements. The results of step 1 through step 6 will demonstrate a target FGS risk reduction greater than 10 for scenarios within the basis of design (i.e., early [incipient] stage gas detection). Hazard scenarios that exceed the FGS design basis were analyzed separately by major hazards analysis and addressed through means of risk reduction other than the FGS (AnnexºC). The FGS performance metrics were detector coverage (quantitative), FGS safety availability (quantitative), and mitigation effectiveness (quantitative). Step 1 – Identify areas of concern The area of concern was identified for this facility as the entire deck of the platform containing the well bay, as shown in Figure D.7. Copyright 2018 ISA. All rights reserved. - 79 - ISA-TR84.00.07-2018 Step 2 – Identify hazards/risk scenarios The hazard analysis identified a credible potential for leaks to occur from any of the nine gas wellheads. A range of release sizes are considered credible scenarios. For simplification of this analysis and for illustrative purposes, the analysis of only o ne risk scenario is included here. The scenario involves a pinhole leak from the flowline caused by erosive action of the fluid (e.g., sand production) resulting in a release of combustible gas on the platform. This is the most likely release scenario that will place a demand on the gas detection system. Other scenarios (not analyzed in this example) include a large leak and a rupture of equipment. The leak to be analyzed was idealized as a ¼ -in (6-mm) equivalent hole diameter releasing flammable methane gas at 1100 psi and 100°F (7600 kPa and 38°C). Because the platform is open to the atmosphere, the end user wanted an analysis of this hazard that was sensitive to the local meteorological conditions at the facility, including a variety of typical wind speed s and wind directions. For the purposes of the example, only two wind speeds were considered: a typical wind speed of 11 miles/hr (5 m/s) and a low (non-favorable) wind speed of 3.4 miles/hr (1.5 m/s). Step 3 – Analyze consequences In this example a range of consequence analysis options were considered, including qualitative estimates, simplified hazard correlation tables, and gas dispersion modeling. In this case , the gas dispersion model was selected to analyze the size of the flammable envelope and its p ossible location with respect to the proposed location of gas detection equipment. The dispersion model selected allowed for analysis of the flammable profile , and the model was sensitive to the quantity of material released, the rate of release, and meteo rological conditions. Gas discharge models were used to calculate the release rate from the ¼ -in (6-mm) diameter hole under 1100 psi and 100°F (7600 kPa and 38°C) process conditions. The discharge model calculated a release rate of 0.5 lb/sec (0.23 kg/s). The dispersion model results showed dispersion in the downwind direction to an end point equivalent to 50% LFL. This value was chosen to correlate with the sensitivity of the combustible gas detection equipment to be used in this application. Results of the gas dispersion model show the potential for a combustible gas accumulation of 20 ft (6 m) in the downwind direction and approximately 10 ft (3 m) in the crosswind direction. Analysis shows an accumulation of 1900 cubic feet (55 cubic meters). In addition, blast modeling was conducted to show that this accumulation can result in 3 psig (21 kPa) overpressure of concern on the structure. The results were obtained under credible meteorological conditions for the facility at wind speeds of 3.4 miles/hr (1.5 m/s). The model was studied and determined to be relatively insensitive to atmospheric stability for this example problem and relatively sensitive to assumed wind speed. Figure D.8 illustrates the output of the gas dispersion and accumulation model. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 80 - Figure D.8 – CFD gas dispersion and accumulation model If this accumulation were to occur and the combustible gas cloud was ignited, a vapor cloud fire could occur. A vapor cloud explosion is credible if this small leak of gas per the basis of design is not detected early, and the accumulation could increase to the credible maximum of 55 m 3 of gas within the flammable envelope. Discussion of the parameters impacting the outcome of an ignited vapor cloud is beyond the scope of this technical report. Refer to CCPS Guidelines for Chemical Process Quantitative Risk Analysis (reference 2.7) for more information. The credible consequence of this scenario is a potential loss of life if personnel are present in the well bay module at the time of the vapor cloud fire/explosion. Based on the expected personnel staffing, the occupancy of the well bay module is considered to be no more than 2 hours out of each 24-hour day, or about 8%. This is consistent with a normally unoccupied installation. Per the end user’s protocols for hazard and risk assessment, the use of conditional modifiers and enabling factors is permitted. Step 4 – Analyze hazard frequency In this example, a range of frequency analysis options were considered , including qualitative estimates, simplified frequency lookup tables for generic situations, and quantitative analysis of industry failure and leak data for specific equipment items. In this case, the offshore industry maintains databases of equipment leak frequencies, and this database contained the appropriate leak frequency. The likelihood of a pinhole leak in a single wellhead producing natural gas with the range was found to be 5E-3 per wellhead-year. A probability of 30% for delayed ignition of high -pressure gas releases was selected for this release, based on offshore event data for similar releases. The frequency of a flash fire event is therefore 1.5E-3 per year for a single wellhead. Since there are nine total wellheads, the total frequency of the flash fire event is nine times the frequency of a single wellhead, or 1.4E-2 per year. Lack of normal occupancy on the platform reduces the risk to personnel. In this case, the platform is occupied only 8% of the time. The hazard scenario is a mechanical integrity failure that has no apparent correlation Copyright 2018 ISA. All rights reserved. - 81 - ISA-TR84.00.07-2018 its occurrence and the occupancy of the platform. Therefore, there is an 8 % probability that an ignited release could result in the identified safety consequence to personnel, owing to the low occupancy. F unmitigated = 1.5E-3 per year per wellhead x 9 wellheads x 0.08 occupancy factor = 1.1E-3 per year risk to personnel No other protection layers were identified that would reduce the frequency of the hazard. Step 5 – Assess unmitigated hazard/risk Based on the operating company’s risk criteria, the likelihood of this consequence severity should be reduced to less than 1 chance in 10,000 per year (10 -4 per year individual risk of fatality). The frequency of the hazard scenario without the benefit of the gas detection system was calculated as 1.1E-3 per year (1.1 chance in 1,000 per year). The risk criteria is 1E-4 per year. Therefore, the risk criteria have not been satisfied for the unmitigated hazard/risk. Step 6 – Identify FGS performance requirements Based on the results of step 5, a recommendation was made to design a combustible gas detection and automatic shutdown system that would reduce the risk by a factor of 11. Automatic shutdown would involve closing well surface safety and wing valves in the event of gas detection. Gas detection for similar facilities using IR adsorption technology has proven effective. Initial targets for gas detector coverage was selected as 93% with an FGS safety availability of greater than 98% based on the unmitigated risk model and the target risk f requency of 1E-04 per year. These are selected as initial approximations based on the application of the risk model to achieve a risk reduction greater than 11. Because the safety action for this FGS safety function is process shutoff and isolation of the segment, the confidence is high that an effective mitigation will occur when the initiating event is the leak within the basis of design. The initial selection of mitigation effectiveness is 1.0. See Step 10 for additional considerations. Applying the quantitative risk model (event tree) was used to determine the likelihood for the unmitigated and mitigated outcomes. Detection Coverage FGS Safety Availability Mitigation Effectiveness Yes Likelihood Safety Consequence Contribution 1 9.11E-01 0 0.00 0 0.00E+00 1 0.00 1.86E-02 1 0.02 7.00E-02 1 0.07 FGS effectiveness = Detector Coverage x FGS Safety Availability Weighted Average Consequence 0.09 Yes 0.98 0.93 Hazard Scenario No 1 0.02 No 0.07 = 0.93 x 0.98 x 1.0 = 0.9114 (91% FGS effectiveness) Unmitigated Risk = = = F unmitigated (1 – FGS effectiveness) 1.1E-3 per year x (1 – 0.9114) 1.0E-4 per year Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 82 - Therefore, a target FGS effectiveness of approximately 0.91 will reduce risk to a level that satisfies the risk criteria of no more than 1.0E-4 per year. In addition, the design and implementation of the FGS function with a claimed FGS risk reduction factor (RRF) greater than 10 will conform to the applicable requirements of ANSI/ISA -84.91.012012 (reference 2.10) and ANSI/ISA-84.00.01-2004 (reference 2.1). Step 7 – Initial FGS design The proposed gas detection/shutdown system design is based on expert judgment and heuristics through applying the prescriptive requirements of the appropriate national standard s and industry guidelines (Annex B). The design involves the use of open path combustible gas detection with three detector sets placed on the platform as shown in Figure D.9. Figure D.9 – Initial gas detection system design: Open path gas detector placement The gas detectors generate a 4–20 mA signal proportional to the measured gas concentration and also generate discrete alarms when the combustible gas concentration is detected above a threshold value as measured in LFL-meters for a detected gas level. The sensor signal is received by a logic solver, which sends a command to shut down all wells in the well bay when gas is sensed. This would effectively shut off the source of the combustible gas from the leak point and mitigate the flammable hazard over a short period of time as the pressure at the source drops. Combustible gas detectors will be configured with sensitivity that allows for detection of a combustible gas concentration of 0.5 LFL-meters or greater. This will provide adequate sensitivity to detect the hazard scenario of concern given the ov erall dimensions of the module and the proposed location of detectors. The initial design did not specify whether any single detector in alarm state will cause the shutdown system to activate (e.g., 1ooN voting arrangement), or if multiple detectors are required to cause isolation. Spurious activation of the FGS does not result in a hazard but is an undesired event from an economic standpoint. Copyright 2018 ISA. All rights reserved. - 83 - ISA-TR84.00.07-2018 Step 8 – Assess detector coverage Detector geographic coverage A computer model was used to analyze geographic coverage consistent with the methodology shown in Annex B of this technical report. The model generated coverage factors for both a 1ooN voting arrangement (any single detector has the capability to initiate a shutdown) as well as a 2ooN voting arrangement (two or more detectors are required to be in alarm state to initiate a shutdown). Graphical output of the model that calculated geographic coverage is provided in Figure D.10. Figure D.10 – Gas detector geographic coverage map, initial gas detector layout The geographic coverage results show that approximately 78 % of the module is covered by one or more open path gas detectors. The area that is covered by both detectors is much less, in this case only 21%. In addition, 22% of the module is not in the area covered by any of the three detectors, meaning a threshold volume of combustible gas at those locations cannot be sensed by the initial detector layout. Step 9 – Verify FGS safety availability The safety function was initially defined to include only one detector to sense the hazard. Thus, a 1oo1 voting architecture was considered. A shutdown of the leaking single wellhead has been included in the FGS function. In addition, it was specified that functional testing of sensors and the logic solver will occur at an interval of once per year. Per local regulatory requirements, the functional test interval of final element valves will occur at an interval of once per month. Methods and sample calculations on how to calculate PFDavg are included in ISA-TR84.00.02 (reference 2.8). The primary inputs for this activity include device failure rate data and functional testing intervals. Shut-in of gas wells uses a deenergize-to-trip signal. Using simplified equations, the resultant PFDavg for the FGS function is 0.015 or an FGS safety availability of 1 – 0.015 = 0.985. Reliability data for the selected FGS equipment was identified. Any failure rate data used should be in conformance with ANSI/ISA-84.00.01-2004 (reference 2.1). Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 Device Type Open path IR gas detector FGS logic solver Wellhead shut-in valve including final element interface - 84 Dangerous Undetected Failure Rate λDU (per hour) 2.0E-06 1.0E-07 1.4E-06 Proof Test Interval 12 months 12 months 12 months To calculate the FGS safety availability for the function, the PFDavg should be calculated for each of the FGS function components. The 1oo1 PFDavg equation was used. The PFDavg for the open path IR gas detectors is calculated as follows: 𝑃𝐹𝐷𝐴𝑉𝐺 = 𝜆 𝐷𝑈 *𝑇𝐼 2 Simplified equation for 1oo1 voting configuration from ISA-TR84.00.02 (reference 2.8) For this example, the equation becomes: PFD AVG DU *TI 1.00E 06 * (1* 8760) 8.8E 03 For the SIL certified logic solver, the PFDavg at the prescribed test interval was taken from the vendor’s safety manual as 4.4E-4. For the final element (ESD valve), the PFDavg is calculated using the simplified 1oo1 equation from ISA TR84.00.02 (reference 2.8). PFD AVG DU *TI 1.4 E 06 * (8760) 6.1E 03 2 2 Subsystem Sensor FGS logic solver Final element PFDavg 8.8E-3 4.4E-4 6.1E-3 Total 1.5E-2 FGS Component(s) IR gas detectors Safety PLC Wellhead shut-in valves 98.5% safety availability Step 10 – Verify Effectiveness of FGS Actions Actions taken by the FGS can be manually or automatically initiated and can affect a wide variety of systems. This example considers automatic shutdowns that involve the closing of well surface safety and wing valves in the event of early (incipient) gas detection. If successful, this action will result in a state that meets the risk acceptance criteria (i.e., a small flash fire instead of a vapor cloud explosion with a severe impact to the platform and personnel). The probability of failure of these actions is incorporated in the FGS safety availability analysis. Therefore, a mitigation effectiveness of 1.0 is used in this design. Step 11 – FGS effectiveness (Mitigated Risk) The frequency of the hazard scenario with consideration of the benefit of the gas detection system (detector coverage, FGS safety availability, and mitigation action effectiveness) was calculated as shown in Figure D.11. The initial calculation was performed using the detector (scenario) coverage and 1ooN voting arrangement. Copyright 2018 ISA. All rights reserved. - 85 - Detection Coverage FGS Safety Availability ISA-TR84.00.07-2018 Mitigation Effectiveness Likelihood Yes Yes Yes 1 7.68E-01 0 0.00E+00 0.985 No 0.78 Hazard Scenario No 1 0.015 1.17E-02 No 0.22 2.20E-01 Figure D.11 – Mitigated risk assessment: existing detector layout FGS effectiveness = Detector Coverage x FGS Safety Availability x Mitigation Action Effectiveness = 0.78 x 0.985 x 1.0 = 0.768 (77% FGS effectiveness) Unmitigated Risk = = = F unmitigated (1 – FGS effectiveness) 1.1E-3 per year x (1 – 0.768) 2.5E-4 per year The design reduces the risk of the unmitigated hazard by a factor of 1/(1 – 0.768) or a risk reduction of about 4. The overall likelihood of the hazard scenario was calculated as 2.5E-4 per year (a 2.5 chance in 10,000 per year). This remains a factor of 2.5 above the maximum likelihood that was selected for this scenario of 1 chance in 10,000 per year (10 -4 per year individual risk of fatality). Therefore, the risk has improved over the unmitigated design, but the risk criteria have not been satisfied with the initial design. Modify FGS design (iteration of Step 7 through Step 11) Since the risk criterion was not satisfied by the initial gas detection design, the design was modified to meet this objective. Options that should be explored include the following: • adding one or more additional gas detectors to increase detector coverage • increasing the frequency of functional tests of the existing system design to increase FGS safety availability In this case, the end user wanted to analyze the problem with an open path gas detector located south of the nine wells in addition to the existing three detectors. The additional detector is positioned in a manner that would detect gas from wells in an unfavorable wind condition (e.g., wind blowing from the northwest). Figure D.12 shows the modified detector layout. The coverage model was rerun for this scenario, and the results are shown below in Figure D.13. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 86 - Figure D.12 – Modified gas detector layout Figure D.13 – Gas detector geographic coverage map, modified gas detector layout The results for the modified detector layout show that the approximately 97% of possible hazard scenario outcomes are covered by the detector layout and can be sensed by at least one detector (1ooN voting). The application of the quantitative risk model (event tree) shows the calculation of the likelihood of the unmitigated and mitigated outcomes. Copyright 2018 ISA. All rights reserved. - 87 Detection Coverage FGS Safety Availability ISA-TR84.00.07-2018 Mitigation Effectiveness Likelihood Yes Yes Yes 1 9.55E-01 0 0.00E+00 0.985 No 0.97 Hazard Scenario No 1 0.015 1.46E-02 No 0.03 3.00E-02 FGS effectiveness = Detector Coverage x FGS Safety Availability x Mitigation Action Effectiveness = 0.97 x 0.985 x 1.0 = 0.955 (96% FGS effectiveness) Unmitigated Risk = = = F unmitigated (1 – FGS effectiveness) 1.1E-3 per year x (1 – 0.96) 4.4E-5 per year The design reduces the risk by a factor of 1/(1 – 0.96) or a risk reduction of about 25. The overall likelihood of the hazard scenario was reduced in the modified layout to 4.4E-5 per year (a 4.4 chance in 100,000 per year). This is below the maximum risk that was selected for this scenario of 1 chance in 10,000 per year (10 -4 per year individual risk of fatality). Therefore, the risk criteria have been satisfied with the modified design using four detectors. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 D.3 - 88 - Application example – Toxic (H 2 S) gas detection in onshore gas processing plant This example involves toxic gas detection in an onshor e gas processing plant. The process includes hydrocarbon gas containing hydrogen sulfide (H 2 S). A process gas release to the atmosphere presents an acute toxicity hazard to workers. D.3.1 Facility information The plant contains an operating unit in which gas is processed under pressure. The unit is approximately 100 ft in length and 100 ft in width. The plant contains two separator vessels, a pump and a compressor, as shown in Figure D.14. For simplification of this analysis and for illustrative purposes, other equipment, including piping, instrument connections, and well control panels, are disregarded. The fluid being processed has been approximated as propane gas with 1% H 2 S (10,000 ppm H 2 S v/v) for this example. H 2 S has an acute toxicity concentration of concern of 100 ppm (v/v), which is the concentration immediately dangerous to life and health (IDLH). H 2 S can be detected at concentrations as low as 10 ppm using available detector technologies . Figure D.14 – Example: Onshore gas processing facility D.3.2 Hazard assessment The end user’s philosophy of toxic gas detection is to detect concentrations of gas that could be hazardous to personnel, so that action can be taken to evacuate personnel to safety within 15 minutes. Early (incipient) and effective detection allows personnel to evacuate, take shelter, and respond by safely shutting down the process. The philosophy requires identifying leak/release sources and size and locating detectors in the correct proximity and orientation of release sources in order to provide early (incipient) indication of a hazard. Based on these philosophy elements, the decision is to detect credible releases by strategically placing detection equipment in proximity to release sources to mitigate the size, extent, and duration of the H 2 S gas hazard. Step 1– Identify areas of concern One area of concern was identified for this example problem, the gas compressor C-104. Because this facility contains significant concentrations of H 2 S in the process gas, screening criteria determined the need for toxic (H 2 S) gas detection. Copyright 2018 ISA. All rights reserved. - 89 - ISA-TR84.00.07-2018 Step 2 – Identify hazards/risk scenarios The hazard analysis identified a credible potential for leaks to occur from the compressor seal, resulting in the release of flammable and toxic gas. Personnel are potentially subject to an acute toxic hazard due to routine occupancy in the process area. Because the process is open to the atmosphere, the actual hazard at the time of a release will be sensitive to the local meteorological conditions at the facility, including a variety of typical wind speeds and wind directions. A range of release sizes are considered credible. To simplify this example, the analysis of only one risk scenario is included. The scenario involves a release from the compressor seal (full seal failure, annular release), resulting in a release of propane gas containing 1% H 2 S. This is the most likely release scenario that will place a demand on the gas detection system. The leak to be analyzed is represented as a ½-in (12-mm) equivalent hole diameter releasing process gas at compressor discharge pressure of 500 psig and 100°F. Gas discharge models were used to calculate the release rate. The discharge model calculated a total release rate of 3 lb/sec (1.4 kg/s) of process gas containing 1% H 2 S. Step 3 – Analyze consequences Gas dispersion modeling was conducted to analyze the size and extent of the toxic gas hazard and compare it with the proposed location of H 2 S gas detection equipment. The dispersion model selected allowed for analysis of the toxic concentration in the downwind direction and cross-wind direction based on similarity modeling, and the model was sensitive to the quantity of material released, the rate of release, and local meteorological conditions. For the purposes of the example , only one wind speed of 3.4 miles/h (1.5 m/s) was evaluated. The dispersion model results showed dispersion in the downwind direction to an end point of 10 ppm H 2 S. This value was chosen to correlate with the sensitivity of the H 2 S gas detection equipment to be used in this application. Life-threatening concentration (700 ppm H 2 S) and injury concentration (100 ppm H 2 S) end points were also modeled. Results of the gas dispersion model show the potential for a toxic gas envelope of dimensions 20ºft (6 m) in the downwind direction and approximately 3 ft (1 m) in the crosswind direction. This result was obtained under “typical” meteorological conditions for the facility with wind speed 3.4ºmiles/h (1.5 m/s) and neutral atmospheric stability. The model was studied and determined to be relatively insensitive to atmospheric stability for this example problem and relatively sensitiv e to assumed wind speed. Figure D.15 illustrates the output of the gas dispersion model, including the cloud footprint in the downwind and crosswind directions. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 90 - Figure D.15 – H 2 S gas dispersion model: Profile view and footprint view If this release occurred and the combustible gas cloud was not ignited, the outcome would be a toxic gas hazard. The dispersion model shows a hazard distance of approximately 150 ft in the downwind direction to the 100 ppm IDLH end point. Further, the detectable concentration of 10ºppm extends further to a distance of approximately 600 ft, and measures about 80 ft maximum in the crosswind direction at a distance of 300 ft downwind. The credible consequence of this scenario is a potentially life-threatening injury to a single person if present near the compressor at the time of the release. Step 4 – Analyze hazard frequency In this example, a quantitative analysis of industry failure and leak data for specific equipment items were used. The likelihood of seal failure from a centrifugal compressor was found to be 1E 2 per year. Per the end user’s protocols for hazard and risk assessment, the use of conditional modifiers and enabling factors is permitted. The lack of normal occupancy reduces the risk to personnel. In this case, the process area is occupied only 4% of the time. The hazard scenario is a mechanical integrity failure that has no apparent correlation between its occurrence and the occupancy of the area. Therefore, there is a 4% probability that a gas release results in the identified safety consequence, owing to the low occupancy. Step 5 – Assess unmitigated hazard/risk F unmitigated = 1E-2 per year x 0.04 occupancy factor = 4E-4 per year risk to personnel No other protection layers were identified that would reduce the frequency of the hazard. Based on the operating company’s risk criteria, the likelihood of this consequence severity should be reduced to less than three chances in 100,000 per year (3E-5 per year individual risk of fatality). The frequency of the hazard scenario without the benefit of the H 2 S gas detection system was calculated as 4E-4 per year (four chances in 10,000 per year). The risk of the scenario is a factor of 13 higher than the risk criteria of 3E-5 per year. Therefore, the risk criteria have not been satisfied for the unmitigated situation. Copyright 2018 ISA. All rights reserved. - 91 - ISA-TR84.00.07-2018 Step 6 – Identify FGS performance requirements The gap between unmitigated and tolerable risk is a factor of 15. Therefore, the performance target is an FGS effectiveness of 93%, requiring a risk reduction factor (RRF) of 15 or more in the FGS performance. The design and implementation of this FGS function with claimed FGS RRF in excess of 10 will be in conformance with the applicable requirements of ANSI/ISA -84.91.01-2012 (reference 2.10), ANSI/ISA-18.2-2016 (reference 2.19), and ANSI/ISA 84.00.01-2004 (reference 2.1). Step 7 – Initial FGS design The initial gas detection design is based on factors in Annex B.5. The design involves the use of point H 2 S gas detection (electrochemical type) with three detector sets placed in the process as shown in Figure D.16. This is the preferred equipment used by this facility, because it has prior use experience. Figure D.16 – Initial H2S gas detector layout, point electrochemical H 2 S gas detector placement H 2 S gas detectors generate a 4-20 mA signal proportional to the measured H 2 S gas concentration, and also generate alarms when the toxic gas concentration is detected above a threshold value of 10 ppm (v/v). The sensor signal is received by a logic solver, which annunciates audible and visual alarms in the process area and control room . This gives personnel the opportunity to evacuate the facility and would mitigate the toxic hazard. Toxic gas detectors will be configured with a sensitivity that allows for detection at a gas concentration of 10 ppm or greater. This will provide adequate sensitivity to detect the hazard scenario of concern. The design specifies that a single detector in alarm state will cause the alarm system to activate (e.g., 1ooN voting arrangement). Step 8 – Verify detector coverage A range of possible scenario outcomes was considered that addressed the possibility that the gas cloud would disperse downwind from the release location and could be oriented in any of the 16 postulated wind directions. In each case, the determination was made whether or not any of the gas detectors were positioned to sense the toxic gas. A computer model was used to aid in conducting coverage mapping. The results of detector (scenario) coverage method was selected because it is sensitive to the layout of the detectors with respect to the prevailing wind. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 Scenario Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Total - 92 Initiating Frequency (per yr) 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.6E-01 Directional Conditional Detected Detector Detector by FGS Coverage Frequency Wind Direction Probability N 2.9E-02 Yes 1.0 2.9E-02 NNE 4.9E-02 No 0.0 0.0E+00 NE 7.8E-02 No 0.0 0.0E+00 ENE 2.9E-02 No 0.0 0.0E+00 E 9.7E-03 Yes 1.0 9.7E-03 ESE 9.7E-03 Yes 1.0 9.7E-03 SE 5.8E-02 Yes 1.0 5.8E-02 SSE 2.9E-02 Yes 1.0 2.9E-02 S 4.9E-02 No 0.0 0.0E+00 SSW 1.9E-01 No 0.0 0.0E+00 SW 1.7E-01 No 0.0 0.0E+00 WSW 1.1E-01 Yes 1.0 1.1E-01 W 8.7E-02 Yes 1.0 8.7E-02 WNW 7.8E-02 No 0.0 0.0E+00 NW 1.9E-02 Yes 1.0 1.9E-02 NNW 9.7E-03 Yes 1.0 9.7E-03 Detector Scenario Coverage 35.9% Figure D.17 – Scenario coverage analysis for initial detector layout A probabilistic distribution of wind was obtained and shown in Figure D.18. Figure D.18 – Probabilistic wind distribution (wind rose) Detector scenario coverage A computer model was used to analyze coverage consistent with the methodology shown in AnnexºB.2 of this technical report. The model generated a coverage factor for a 1ooN voting arrangement (any single detector causes alarm). Copyright 2018 ISA. All rights reserved. - 93 - ISA-TR84.00.07-2018 Unmitigated risk of toxic gas hazard Mitigated risk of toxic gas hazard, scenario coverage (1ooN) Figure D.19 – Toxic gas (H 2 S) detector scenario coverage map, initial detector layout The coverage calculation results show that approximately 36 % of the possible outcomes are covered by detectors. This means the detector coverage is 36%. Step 9 – Verify FGS safety availability The safety function was initially defined to include a sufficiency criteria for one detector to sense a hazard. Thus, a 1ooN voting architecture was considered. In addition, it was assumed that functional testing of sensors and the logic solver occurs at an interval of once per year. F inal element (audible and visual alarms) functional testing occurs at an interval of once per month. Methods for calculating the PFDavg are adequately described in ISA-TR84.00.02 (reference 2.8). Using simplified equations, the resultant PFDavg for the FGS function is 0.01 or an FGS safety availability of 1–0.01 = 0.99. This includes sensors (1oo1 gas detector with diagnostics), logic solver (SIL 2 certified), and the final element (1oo2 visual and audible annunciation). Step 10 – Verify effectiveness of FGS actions This facility undergoes annual evacuation drills. Based on the drill performance record, on average one or more individuals do not evacuate in a timely manner 20% of the time. As a result , the initial design uses a mitigation action effectiveness of 80% for the evacuation response. Step 11 – FGS effectiveness (mitigated risk) The frequency of the hazard scenario considering the benefit of the gas detection system (detector coverage and FGS safety availability) was calculated as shown in Figure D.19. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 94 - FGS effectiveness = Detector Coverage x Safety Availability x Mitigation Action Effectiveness = 0.36 x 0.99 x 0.8 = 0.285 (28% FGS effectiveness) Unmitigated Risk = = = F unmitigated (1 – FGS effectiveness) 3.0E-4 per year x (1 – 0.285) 2.1E-4 per year The overall likelihood of the hazard scenario was calculated as 2.1E-4 per year (a 2.1 chance in 10,000 per year). This is above the maximum likelihood that was selected for this scenario of two chances in 100,000 per year (2x10 -5 per year individual risk of fatality). Therefore, the risk has improved over the unmitigated design, but the risk criteria have not been satisfied with the proposed FGS design. This is insufficient to achieve the desired performance target. Detector cover age and mitigation action effectiveness should be improved. Modify FGS design (iterate Step 7 through Step 11) Since the risk criterion was not satisfied by the initial gas detection design, the design was modified to meet this objective. Options that should be explored include the following: • adding one or more additional gas detectors to increase detector coverage • increasing the frequency of functional tests of the existing system design to increase FGS safety availability • increasing the rigor associated with evacuation/sheltering of personnel in the event of H 2 S alarming In this case, the end user wanted to analyze the problem with three additional point gas detectors located in proximity to the compressor C-104, in addition to the existing three detectors. Figure D.20 – Modified gas detector layout The modified detector layout allows for detection of additional scenario outcomes ; this is shown in Figure D.21 and Figure D.22. Copyright 2018 ISA. All rights reserved. - 95 - ISA-TR84.00.07-2018 Figure D.21 – Toxic gas (H 2 S) scenario coverage map for modified detector layout Scenario Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Seal Failure Total Initiating Frequency (per yr) 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.0E-02 1.6E-01 Directional Conditional Detected Detector Detector by FGS Coverage Frequency Wind Direction Probability N 2.9E-02 Yes 1.0 2.9E-02 NNE 4.9E-02 Yes 1.0 4.9E-02 NE 7.8E-02 Yes 1.0 7.8E-02 ENE 2.9E-02 Yes 1.0 2.9E-02 E 9.7E-03 Yes 1.0 9.7E-03 ESE 9.7E-03 Yes 1.0 9.7E-03 SE 5.8E-02 Yes 1.0 5.8E-02 SSE 2.9E-02 Yes 1.0 2.9E-02 S 4.9E-02 No 0.0 0.0E+00 SSW 1.9E-01 Yes 1.0 1.9E-01 SW 1.7E-01 Yes 1.0 1.7E-01 WSW 1.1E-01 Yes 1.0 1.1E-01 W 8.7E-02 Yes 1.0 8.7E-02 WNW 7.8E-02 Yes 1.0 7.8E-02 NW 1.9E-02 Yes 1.0 1.9E-02 NNW 9.7E-03 Yes 1.0 9.7E-03 Detector Scenario Coverage 96.4% Figure D.22 – Scenario coverage analysis for modified detector layout The results for the modified detector layout show that 96.4% of possible hazard scenario outcomes are covered by the detector layout and can be sensed by at least one detector. To improve the mitigation action effectiveness, evacuation route labeling has been enhanced, hazard-specific details have been added to personnel evacuation training, and quarterly drills have Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 96 - been established with an investigation of insufficient response. As a result, the observed evacuation performance has improved to 97% success. FGS effectiveness = Detector Coverage x Safety Availability x Mitigation Action Effectiveness = 0.964 x 0.99 x 0.97 = 0.926 (92.6% FGS effectiveness) Unmitigated Risk = = = F unmitigated (1 – FGS effectiveness) 4.0E-4 per year x (1 – 0.926) 2.97E-5 per year The overall likelihood of the hazard scenario was calculated as 2.97E-5 per year (a 2.97 chance in 100,000 per year). This satisfies the risk criteria of 3E-5 per year (3x10 -5 per year individual risk of fatality). Therefore, the modified FGS design is satisfactory. Copyright 2018 ISA. All rights reserved. - 97 - ISA-TR84.00.07-2018 Annex E Evaluation of computational fluid dynamics vs. target gas cloud for indoor gas detection design (reference 2.17) Computational fluid dynamics (CFD) has been applied in a wide range of industries and has a wide reach in applications. With respect to engineering, this tool has been applied by professionals in safety-related fields for decades, notably in building design for complex structures where compliance with prescriptive building codes is problematic. This is an important point to note when determining an appropriate application of CFD with respect to gas detection desi gn. In 1993, the U.K. HSE released OTO 93 002 (reference 2.12), which subsequently became (and is still widely regarded as) the standard document with respect to gas detection guidance for partially enclosed volumes. This document allows a geographic gas d etection placement process, whereby the potential explosion overpressures of a given area can be correlated against a gas cloud that provides these. This is a standard process for industry external applications, with an allowance for a performance-based approach with respect to the target cloud one needs to detect. It is relevant, however, where the environment is reasonably predictable and fully enclosed, to explore other avenues of design, one of which is the application of CFD modeling to analyze gas cloud behavior. This also corresponds to the overarching philosophy of CFD application in determining a specialized application where other methods are not suitable, or the time and cost required to perform detailed CFD analysis is not of benefit. An example of this is a standard external offshore/onshore congested processing facility. If the suitable number of CFD scenarios run reach a number that is recognized as sufficient for the design (accounting for environmental conditions, number of leak locat ions, and orientations), the designer will discover that the gas can and does migrate to all areas of the congested zone, whereby this time and cost would have been better spent determin ing what cloud can cause damage, and applying gas detection to detect it. Evidence also shows that in these standard applications, nil wind conditions with slow release rates provide the greatest risk of large vapor cloud explosions (reference 2.16). This does not exclude the use of CFD, however, as this analysis is based on standard external applications for which the geographic approach is suitable. Specialized applications, such as internal processing units with predictable airflow, can be a potential route for the use of CFD. An example of why this application is specialized includes the fact that airflow is relatively predictable, meaning the designer can run a limited number of scenarios with changing environmental data, and which can be classed as a sufficient spread to account for the differing environment. This cuts the number of scenarios required down to a suitable number of CFD scenarios from which to assist with gas detector placement. E.1.1 Computational fluid dynamics modeling First and foremost, applied CFD modeling tools must be used with caution, and limitations in design must be fully understood. These tools allow the user to analyze gas dispersion and the results of ignition of various gas accumulations based on the surrounding environment (explosion modeling). There are significant differences, however, between these tools and the inherent capabilities of the model and how the Navier-Stokes equations are solved/converged. Certain models, for example, are better suited for momentum-driven releases than others, and certain models cannot account fo r buoyancy as well as thermally driven fluid flow in transient assessments. Ensuring that an appropriate model is used is crucial. Practicing CFD consultants will be aware of these limitations , and it is important to note that many assumptions are included with any CFD modeling project. As a result of this, engineering judgment is still vital in achieving an appropriate model and subsequent design . Therefore, these assumptions must be fully justified and, where appropriate, provide a credible worst -case scenario to ensure the resulting design is fit for purpose and all associated risk is reduced to as low as Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 98 - reasonably practicable (ALARP). This can be carried out before reviewing the implications of the model of gas detection design. If the design process is to be optimized, CFD should be reserved for special or problematic areas of interest. Overuse in typical spaces or areas is wasteful, unnecessary, downplays the importance of the FGS safety professional, and is generally applied for commercial purposes only. This relates back to, for example, fire safety engineering where these tools are applied in internal complex environments where performance -based methods are required for design approval, but the environments are predictable enough for CFD fire modelin g to be an appropriate tool. For internal locations, good engineering principl es will allow for a design that will be safe both when the HVAC is in operation (if applicable) and when it is not. Therefore , for occasions where the HVAC is running, CFD can be utilized to review the probable behavior of the cloud and also analyze whether the target gas cloud is credible with the HVAC running. This , therefore, gives insight into how to design the gas detection. Similar assessments can be carried out when the HVAC is not running or where there are significant dead zones in the airflow. However, due to the lack of forced ventilation, the pattern of accumulation becomes far more unpredictable. Gas detection design based on these analyses becomes far more difficult and should consider plume behavior related to release orientation and plume turbulence (see Figure E.1). The orientation and specific leak source identified will provide a significant bearing on the behavior of the release; therefore, it can be challenging to select a credible worst-case leak (reference 2.18). Figure E.1 – Example plume behavior Copyright 2018 ISA. All rights reserved. - 99 - ISA-TR84.00.07-2018 To include all equipment in a model m ight be too laborious an assessment and therefore the CFD user will omit equipment from the assessment. It is important that reviewers of the analysis are aware of this, and the CFD designer is aware of the impact that removing some of these obstructions will have on the holistic gas detection strategy. It is also relevant that incomplete geometry models are a significant cause of error in CFD design that is very difficult to design out. It is not outside the realm of possibility that a dangerous cloud can be represented as “safe” or “adequately detected” in a CFD review, when in actual fact the blockages that could cause the problem have been excluded from the model. What appear to be minute changes in boundary conditions can have a large effect on fluid dynamic outcomes. Another important point to note is that the applied CFD tool must be appropriately validated on an appropriate scale for the specific application. If an onshore refinery is being modeled , for example, it is crucial not to use an unverified CFD tool, as it will likely provide differing res ults from the typical industry standard tools, which have undergone significant full -scale validation and testing by independent third-party testing facilities. Much of a CFD tool’s validation is carried out through the product life, and therefore CFD models in their infancy can provide misleading results and potentially result in an inadequate design. The application examples present simulations of a simplified internal environment in order to represent how CFD modeling can be used to analyze cloud propagation and migration in atmospheric and HVAC-driven circumstances. What these analys es show is that CFD can be a useful tool in reviewing the credible behavior of the gas clouds in such an environment where there are predictable circumstances and the conditi ons of release can be credibly defined to determine the credible worst-case scenario leak with respect to detection. E.1.2 Recommendation on application With respect to internal applications where airflow is dictated by the air change rate provided by the HVAC system, good gas detection design should be such that it will operate effectively when the HVAC is working and when it is not in operation. Therefore, one example of a good practice is to allow for CFD modeling to give an understanding of the nature of the airflow in an indoor environment, which would provide insight as to whether the target gas cloud that could generate an explosion overpressure could credibly exist. This would then di ctate whether to apply a volumetric detection design or one that focused more on the placement within the vicinity of HVAC ducting (reference 2.19). The issue of competence is one that must be addressed, as simply having access to the software is not a qualification to carry out the analysis discussed. The detailed analysis required to adequately apply CFD modeling to the gas detection placement problem is not addressed in this TR, and therefore ensuring that the analysis is performed by personnel competent in both FGS design methodologies and practicalities, as well as the intricacies of CFD analysis , is critical to the appropriateness of this methodology. Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 100 - Figure E.2 – Ambient (natural ventilation) Figure E.3 – Ambient, gas concentration Iso-surface at 60% LFL (section) Copyright 2018 ISA. All rights reserved. - 101 - ISA-TR84.00.07-2018 Figure E.4 – HVAC design 1 (mechanical extract left and right side) Figure E.5 – HVAC (1), Gas concentration Iso-surface at 60% LFL (section) Copyright 2018 ISA. All rights reserved. ISA-TR84.00.07-2018 - 102 - Figure E.6 – HVAC design 2 (mechanical extract right side only) Figure E.7 – HVAC (2), Gas concentration Iso-surface at 60% LFL (section) Copyright 2018 ISA. All rights reserved. - 103 - ISA-TR84.00.07-2018 Figures E.1 to E.7 give some context as to the dispersion and mixing levels of the gas in each ventilation regime. Figure E.7 shows the iso-surface for a 60% lower flammability limit (LFL) gas concentration in the ambient case. It can be seen that a large volume of the compartment contains 60% LFL. Figure E.5 shows the same gas concentration iso-surface outlines for HVAC design 1. As discussed previously, the majority of the gas leak seems to be entrained into the exhaust flow generated between the left side inlet/exhaust.t as the 60% LFL cloud has been significantly reduced in volume and area from the ambient case. Figure E.7 shows the gas concentration iso-surface for HVAC design 2. What is immediately apparent is that even though a greater bulk fluid movement is achieved across the width of the compartment, because this leak occurred on the left side (and lost momentum quickly) this left-toright HVAC design appears to distribute the gas t hroughout the compartment to a greater extent than HVAC design 1. This is certainly true in the case of 60% LFL. This outcome is of course biased based on the details of this particular gas leak. A similar gas leak occurring on the right side of the compartment would likely be exhausted much more effectively by HVAC design 2 than the current leak. Consider further , however, that if the leak did occur on the right side of the compartment but was in the left-side direction, and did not impinge upon a solid surface, the jet itself could distribute the gas across the compartment from right to left. HVAC design 2 would redistribute that gas again from left to right in a similar fashion as demonstrated here, but with a potentially less desirable concentration distribution. What can be concluded from a brief overview of these results is that the physical layout of the space, the attributes and location of the leak , and, of course, the design of the HVAC system (and whether or not it is operational) can each have a profound impact upon the evolution and consequence of gas cloud formation following a leak in a process area. One can understand how congestion might affect species migration and cloud formation and how air currents induc ed by HVAC systems can affect concentration distribution. One could further study the possibility of dilution-ventilation, whereby the HVAC system is designed with gas cloud dilution in mind , and one could gain insight into “dead zones” within the space where dilution of bulk fluid is not sufficiently achieved. In practical terms, understanding the inherent limitations of the CFD model results (both the inherent assumptions and user-input variability), as well as an intrinsic appreciation for the underpinning science behind the gas detection methodology, allows the user to interpret the results as an additional piece of information contributing to the best holistic detection arrangement. What is not advisable, or arguably even practical from the point of vie w of a safety practitioner, is to use a percentage scoring system from a small number of leak scenarios as a risk -based justification for detector location. This may result in leaving large volumes of the compartment with no gas detection. The question of accounting for an almost infinite number of potential leak outcomes with a finite number of (inherently uncertain) models is an extremely difficult one to argue and to validate. To demonstrate that all credible leak scenarios have been accounted for with a limited number of CFD models would be difficult. One would have to categorize leak scenarios based on a range of attributes , such as orifice size, pressure, direction, location, impinging upon congestion or unimpeded jet, atmospheric conditions , and inventory details. Subsequently, an appropriate range of leak models that represent a sufficient cross section of all credible leaks within each category must be analyzed. Qualifying the definition of what constitutes a “sufficient cross section” of potential credible cases is a daunting prospect alone, and in all likelihood, building, analyzing (sensitivity analysis), and running the range of realistic model scenarios will be a very time-consuming endeavor. Consider further that for even a relatively small facility review, there can be 20 areas like the one considered here. The costs and time requirement become disproportionately large for the expected yield or benefit of the study. Copyright 2018 ISA. All rights reserved. This page intentionally left blank. Copyright 2018 ISA. All rights reserved. Developing and promulgating sound consensus standards, recommended practices, and technical reports is one of ISA’s primary goals. To achieve this goal the Standards and Practices Department relies on the technical expertise and efforts of volunteer committee members, chairmen, and reviewers. ISA is an American National Standards Institute (ANSI) accredited organization. ISA administers United States Technical Advisory Groups (USTAGs) and provides secretariat support for International Electrotechnical Commission (IEC) and International Organization for Standardization (ISO) committees that develop process measurement and control standards. To obtain additional information on the Society’s standards program, please write: ISA Attn: Standards Department 67 Alexander Drive P.O. Box 12277 Research Triangle Park, N.C. 27709 ISBN: 978-1-64331-036-7