Performance Based Gas Detection System Design

7/30/2019 Performance Based Gas Detection System Design

1/15

Oil&GasIndustryConclaveIOCL,Delhi,India Page1

PerformanceBasedGasDetectionSystemDesignforHydrocarbonStorage

TankSystems

SrinivasanN.Ganesan,M.S.,P.E.MENARegionManager,KenexisDMCC,Dubai,UAE

EdwardM.Marszal,PE,ISA84ExpertABSTRACT

Thedesignof hydrocarbon gasdetection systemsusing risk analysismethods is drawing a lot of

attentionbecause industryexpertshavecometoaconsensusthatdesigncodesused intraditional

gas detection system designwork are not sufficient for opendoor process areas having serious

hazards,suchas fire,flammablegasandtoxicgas. The ISATechnicalReportTR84.00.07provides

guidelinesforthedesignoffireandgassystemsinunenclosedprocessareasinaccordancewiththe

principles given in IEC 61511 standards. This paper presents an overview of the design of gas

detection systems using risk assessmentmethods that are described in the ISA technical report.

Thesemethods

are

statistical

in

nature

and

are

used

to

assign

and

verify

targets

for

the

performance

metrics(detectorcoverageandsafetyavailability)ofgasdetectionsystems.Thispaperalsoprovides

anoverviewof theperformancebased safety lifecycleofgasdetection systems fromconceptual

designstagetooperationsandmaintenance.

1. INTRODUCTIONRiskassessmenttechniquesarebeingincreasinglyusedinthedesignofengineeredsafeguards,such

as FireandGasDetectionandSuppression Systems (FGS),Safety Instrumented Systems (SIS)and

AlarmSystems.Theprinciplesofriskassessmentused inthedesignofSIScanalsobeused inthe

design of Gas Detection Systems. A Gas Detection System is a type of instrumented safeguard

intendedtoreducerisksposedbyprocessplants,suchassafetyrisk,environmentalrisk,andasset

risk (commercial/business) to tolerable levels. However, gas detection systems systems are only

capable of mitigating the consequence of a loss of containment, whereas safety instrumented

systemsarecapableofpreventingtheconsequencefromoccurringaltogether.

AllautomatedsafetysystemssuchasFGS,SIS,andHigh IntegrityPressureProtectionSystems

(HIPPS)needabasisofsafetyfortheselectionanddesignofitsfunctionalelements(sensor,logic

solverandfinalcontrolelements).InthedesignofGasDetectionSystems, it is importanttoselect

detectorsof theappropriate technologyand caremustbe taken toposition the rightnumberof

detectors at the correct location for the system to respondondemand. In addition, thebasisof

safety

specifies

the

mechanical

integrity

requirements

for

the

equipment

with

respect

to

the

type

andfrequencyofpreventivemaintenancetasksrequired.Inshort,thebasisofsafetyisatthecoreof

decisionsthataremadewithreferencetoselectionandmaintenanceofinstruments.

The two options for choosing basis of safety are prescriptive and performancebased.

Prescriptivebasisofsafety (suchasNFPA72andEN54 for firealarmingequipment)specifiesthe

type of equipment, its location for installation and also addresses the requirements tomaintain

them.Notonlydo theprescriptive standards forFGSdesignprovideaverycomprehensivesetof


2/15


rules for designing equipment,but they are also sowell established for thedesign of fire alarm

systemsthattheyareoftenemployed,at least, forthesignalingportionofgasdetectionsystems.

Thesestandardshaveevolvedtobeveryeffectiveforthefirealarms inoccupiedbuildings,suchas

office buildings, hospitals, and schools, but often fall short for gas detection and even for fire

detectioninopenprocessareas.

Prescriptivestandards

provide

detailed

requirements

for

basis

many

gas

and

fire

system

applications.However, theydonotprovidedetailed requirements forgasdetection inopendoor

areas, such as chemical process units and hydrocarbon storage tank farms. Some of the gas

detection systemelements (sensor, logic solver, finalcontrolelement) typically found inchemical

process facilitiesarenotadequatelycoveredby theseprescriptivestandards. Inaddition, theydo

notprovideanoptimalsolutiontodealwiththehazardsassociatedwithprocessfacilities,suchasoil

refineries and petrochemical plants. Specifically, they are not geared towards hazards such as,

combustible hydrocarbon gases and toxic gases. As amatter of fact, toxic gases are completely

unaddressedbytheseprescriptivestandards,andcombustiblegasesonlyslightly.

Itisworthwhiletopointoutthattheinstitutionsthatdevelopedtheseprescriptivestandardsare

cognizantoftheirshortcomingsandthereforeallowtheuseofperformancebasedbasisofsafetyin

areas where the users of the standards believe that the prescriptive guidance is ineffective.

Performancebased standards use risk assessment techniques for decisions involving selection,

design,andmaintenanceofgasdetectionsystems.Theintentoftheperformancebasedapproachis

not to replace the prescriptive method, but to supplement it where prescriptive methods are

ineffective.

Industrypractitionersrecognizedtheneedformoreguidanceforperformancebaseddesignfor

gasdetectionsystemsandcame toaconsensus that thisguidancehas tocome fromastandards

organization like the InternationalSocietyofAutomation (ISA). ISAStandardsPanel84createda

specialworking

group

called

working

group

7

specifically

to

address

performance

based

design

of

fireandgassystems.The ISATechnicalReportTR84.00.07thatcameoutof theworkinggroup7

providesguidelinesforfireandgassystemsinaccordancewiththeprinciplesprovidedinIEC61511

standards.TheTechnicalReportTR84.00.07hasgenerated considerable interestamongoil&gas

operating companies and EPC companies and itjumpstarted the application of risk assessment

techniquestodesignfireandgasdetectionandsuppressionsystems.

ThebasisoftheIEC61511standardistospecifytargetsforperformancemetricsforeachsafety

instrumentedfunctionthatisprotectingtheplantfromprocessrelatedrisks.Thetargetisselected

basedonthe riskassociatedwith thehazard thatthesafety instrumented function is intendedto

prevent.Gasdetectionsystemsposechallengeswhentryingtouseriskanalysistechniquesthatare

compliantwith

ISA84/IEC

61511

standards

for

safety

instrumented

systems.

The

hazards

associated

withgasdetectionsystems(especiallyasapplied inthechemicalprocess industries)aregeneral in

natureand it isdifficulttocharacterizethem inthecontextof layerofprotectionanalysis (LOPA).

Initiatingeventscausedbyleaksduetocorrosion,erosion,andotherphysicochemicalforcesarenot

included in LOPA. Although the concept of probability of failure on demand is applicable to gas

detection system functions, component equipment failures are not the only consideration and

usuallynoteventhemost important.The inabilityofangasdetectionsystem functiontodetecta

gas leakbecauseof lackofcoveragecanalso leadtofailureondemand.RecentdatafromtheUK


3/15


NorthSeaareaindicatethatmorethan30%ofmajorgasreleaseswerenotdetectedbyautomated

systems.

TheISA84workinggroup7determinedthatagasdetectionsystemcanbedesignedsimilartoa

SIS ifdetectorcoverage isconsideredasanadditionalperformancemetric.Inadditiontoassigning

targetsforsafetyavailability(equivalenttoSIL),targetsfordetectorcoverageneedtobeassigned

forgas

detection

systems

so

that

the

verification

and

validation

of

detector

coverage

is

required

in

thegasdetectionsystemdesign.

2. FIREandGASDESIGNLIFECYCLEThesafety lifecycledefined intheISATechnicalReportTR84.00.07forfireandgassystems isvery

similartotheonedefinedforsafetyinstrumentedsystemsintheIEC61511standard.Riskscenarios

must be identified before fire and gas systems can be selected for a particular application. The

hazardsandconsequencesassociatedwitheachscenariomustbeanalyzedtaking intoaccountthe

impactonhumanlivesandassets.Itisalsoimportanttoconsiderthefrequencyofoccurrenceofthe

consequence while making decisions on the fire and gas system. If it is anticipated that the

consequencewill

occur

quite

frequently,

then

amore

rugged

risk

mitigation

system

needs

to

be

considered.

Ariskassessmentisperformedbeforemakingadecisionontheneedforafireandgassystem.If

the unmitigated risk is tolerable, there would be no design for a fire and gas system. If the

unmitigatedrisk isnottolerable,recommendationswouldbemadetodesignafireandgassystem

toreducetheoverallrisktotolerablelevels.

Ifadecision ismade to installa fireandgas system, the initialdesign is typicallydoneusing

heuristics (rulesof thumb).The ISATechnicalReportTR84.00.07proposes that theprocurement

andinstallationoffireandgassystemsshouldnotimmediatelyfollowtheinitialdesign.Instead,the

technicalreport

suggests

that

the

coverage

provided

by

the

detector

layout

in

the

initial

design

be

calculated and verified to check if it meets its target. In addition to the coverage, the safety

availability(equivalenttoSIL)foreachfunctionshouldbecalculatedandverifiedinaway identical

toverifyingtheSILofasafetyinstrumentedsysteminaccordancewiththeIEC61511standard.The

typicalworkflowinthesafetylifecycleofperformancebasedfireandgassystemdesignisshownin

Figure1.

2.1. IdentifyGasDetectionSystemRequirementsThefirststepintheFGSsafetylifecycleisidentifyingtheneedforagasdetectionsystem.Theneed

foragasdetection systemusually stems from riskassessment studies, suchasPHA,HAZOP,and

Whatif

checklist.

Typically,

the

study

team

would

come

to

aqualitative

consensus

that

the

unmitigated risk is not tolerable andwould recommend the implementation of a gas detection

systemformitigatingtherisktotolerablelevels.Evensemiquantitativeriskanalysistechniqueslike

layerofprotectionanalysis (LOPA)often recommendthe implementationof fireandgassystems.

Andfinally,alotofjurisdictionsaroundtheworldmandatethecreationofsafetycasesthatinclude

quantitativeriskassessment(QRA)studiesinplantdesignasaprerequisitetoissueanoperational

permitforthefacility.


4/15


Figure1.TypicalworkflowinthesafetylifecycleofperformancebasedFGS

If aQRA study has been the basis for an operational license from an authority, the process

facilityneedstohaveagasdetectionsysteminplacewhoseperformanceisinaccordancewiththe

assumptionsmade in theQRA study otherwise, the basis for the safety case and operational

permitsareinvalid. Inaddition,industrybestpracticesandcorporateHSEpoliciesoftenrequiregas

detection systems tobe implemented inaprocess facility tomitigate risk. Lastbutnot the least,

insurancecompaniesoftenrequireafullyfunctionalfireandgassystemasaprerequisitetoinsure

thefacility.

2.2. GasDetectionSystemPhilosophyDevelopmentOnce

the

need

for

agas

detection

system

has

been

established,

the

next

step

in

the

safety

life

cycle

is the development of a gas detection system philosophy document (which often incorporates

requirements for fire detection aswell as gasdetection). Efforts shouldbedirected towards the

creationofacomprehensive fireandgasphilosophy thatwouldbethebasis formakingdecisions

involvingthedesignof fireandgassystems.The fireandgassystemphilosophywoulddefinethe

tools,techniques,policies,andproceduressurroundingfireandgassystemdesign.Thedocument,

compliantwiththeIEC61511standardandISATechnicalReport84.00.07,isdevelopedonce,most

likelyatthecorporatelevel,sothephilosophycanbeappliedtoallfireandgassystemswithinthe

organization. Inotherwords, itprovidesacommon framework formakingdecisions involving fire

andgassystemsthroughouttheorganization.

Theintent

of

the

fire

and

gas

philosophy

document

is

to

standardize

the

methods

that

will

be

used in identifyingthehazardsthe fireandgassystems intend toprotectagainst.Hazardswillbe

identifiedbasedoncriteriasuchaspropertiesofmaterialbeingprocessed(flammability,reactivity,

toxicity),andprocessconditions(pressure,temperature).Thephilosophydocumentwillhavethelist

ofrequirementsforthesafetyanalysisthat isgoingtobeperformed. Inadditiontosettingupthe

methodsandproceduresfordesigningfireandgassystems,therewillbecriteriaforvariousdesign

related tasks, such as zone definition, and zone grading. Therewill also be criteria for assigning


5/15


targetsforperformancemetrics(detectorcoverageandsafetyavailability)andcriteriaforchoosing

theappropriatetechnologyfordetectorsandvotingarchitecturefordetectionequipment.

2.3. GasDetectionSystemZoneDefinitionandCategorizationThenext step in the lifecycle is zonedefinition,which requiresa thoroughunderstandingof the

processbeing

analyzed.

Technical

documentation

such

as

process

flow

diagrams,

piping

&

instrumentationdiagrams,cause&effectdiagrams,andplotplanswouldaidintheunderstandingof

the facilitybeingstudied.Theprocessstartsoutby identifyingzoneswithin theentireplantarea.

Zones are small areas that are geographically limited so that specificmitigation actions could be

takendependinguponthehazardpresentwithintheparticularzone.

Itisworthwhiletopointoutwhyzonedefinitioniscriticaltothesafetylifecycle.Differentareas

inaprocessplanthavedifferentgasreleasehazards.Someprocessunitssuchasaminetreatment

unitsandsulfurrecoveryunitsposeaH2Stoxicgashazard.Someareasmaybepronetopoolfires

whileothersmaybepronetogasreleasesorgasjetfires.Therefore,itbecomesimportanttodefine

andsegregatethezonesfromeachother.

Finally, the definition of zones will assist plant operations personnel trained in hazard

communication to respondeffectively toanemergencysituation. Ina fireorgasreleasescenario,

operationspersonnelwillbeforcedtoshutdownprocessunitsandbringthemtoasafestateasa

proactivemeasure tomitigate the consequence. Emergency response action plans in a process

facilityaredevelopedwithagoodunderstandingofthenatureandlocationofthehazards.

ThedefinitionandcategorizationofzonesinatypicalprocessfacilityareshowninFigure2.The

categorizationofzones isnecessarytoselecttheappropriatemitigationtechniquesandactionsfor

each particular zone. Thedifferent zone categories such asH,N,G, E, T, andV define different

attributes of a process area. The first type of zone is type Hwhichwould include hydrocarbon

processareas

having

fire

and

combustible/toxic

gas

hazards.

The

second

type

of

zone

is

type

N

whichwouldalsoincludeprocessareas,butwithnonhydrocarbonfirehazards.Theareawithnon

hydrocarbon firehazard isnotgrouped into typeH zonebecause thedetectionand suppression

equipmentfornonhydrocarbonrelatedfiresisdifferentfromthoseofhydrocarbonrelatedfires.

Figure2.Definitionandcategorizationofzones


6/15


Thethirdtypeofzone istypeGwhichwould includeoccupancyareas,suchascontrolrooms,

maintenanceworkshops,and administrativeoffices thatarenormallyoccupiedbypeopleandno

chemicalprocessingoccursinsidethem.ThefourthtypeofzoneistypeEwhichwouldincludenon

hydrocarbon special equipment protection areas like instrument control rack rooms that house

unratedelectricalequipmentandposeanexplosionhazard if flammablegaseswere toenter the

zone.

ThefifthtypeofzoneistypeTwhichincludesgasturbineenclosuresandengineenclosuresfor

whichthe fireandgasequipmentrequirementsareveryspecificandstringent.Thesixthandfinal

zone type is typeVwhich includes air intakeducts ofoccupied buildings in closeproximity to a

hydrocarbonprocess area. TypeV zone is similar to type E zone from a standpointof detecting

flammableandtoxicgasesenteringoccupiedbuildingsthroughanairintakesystem.

Figure3.Typicalzonelistforaprocessarea

Theresultofthezonedefinitiontask isazone listthat isshown inFigure3.Eachzonewillbe

identifiedbya specific tagnumberdefining the zonealongwithabriefdescriptionof the zones

locationanditscontents.Thezonelistwillalsoshowthecategory(asmentionedabove)alongwith

theattributeswhythatcategorywaschosenforthatparticularzone.Thezonelistisenteredintoa

databasecalledtheFGSdesignbasistoolkitformanagingthezones.

2.4. SettingandVerifyingPerformanceTargetsOnceallthezonesare identified,targetsfordetectorcoverageandFGSsafetyavailability(forFGS

functions)ineachzoneneedtobeassignedconsistentwiththecorporatephilosophyonfireandgas

systemdesign.

The

detector

coverage

for

the

initial

design

will

be

calculated

using

quantitative

models and will be verified to check if itmeets its target. Similarly, the FGS safety availability

(equivalent to SIL) for the functionality in each zone will be calculated and verified using

conventionalSILverificationtechniqueslaidoutintheIEC61511standard.

Ifitisdeterminedthattheperformancemetricsfailtomeettheirtarget,theinitialfireandgas

system designwill be revised bymaking changes to the number and position of detectors. The


7/15


verificationcalculationsare rerunon the reviseddesignand this recursiveprocesscontinuesuntil

theperformancemetricsmeettheirtarget.

AssigningDetectorCoverageForthefireandgasdetectorcoverage,theISATechnicalReportTR84.00.07identifiestwotypesof

coverageassessment

methods

scenario

coverage

and

geographic

coverage.

Scenariocoverageisdefinedasthefractionofthereleasescenariosthatwouldoccurasaresult

ofthelossofcontainmentinadefinedandmonitoredprocessareathatcanbedetectedbyrelease

detection equipment considering the frequency andmagnitude of the release scenarios and the

definedvotingarrangement.

Geographiccoverage isdefinedas the fractionof thegeometricarea (atagivenelevationof

analysis)ofadefinedmonitoredprocessareawhich,ifareleaseweretooccurinagivengeographic

location,would be detected by the release detection equipment considering the defined voting

arrangement.

Consistentwith

the

above

definitions

from

the

ISA

Technical

Report,

there

are

two

common

methodsforassigningtargetsfordetectorcoveragefullyquantitativeandsemiquantitative.Inthe

fully quantitative method, the targets for detector coverage are calculated using rigorous

mathematical models that estimate the likelihood of an event and the magnitude of the

consequence ifthateventweretooccur.Aconsequencesuchasagasreleasewouldbemodeled

using dispersion modeling techniques to determine the size and location of the gas cloud. In

addition, fire and explosionmodels will be used to determine the impact on human lives and

propertyifthegascloudweretoigniteandexplode.

Unlikeasafetyinstrumentedsystem,agasdetectionsystemcanonlymitigatetheconsequence

but cannot prevent the initiating event from happening. Initiating events (such as a gas release)

causedbyfactorssuchasweldedjointfailure,pipe/equipmentcorrosion,andgasketfailurecannot

beadequatelyaddressedduringariskanalysisstudylikeHAZOP.Itisthereforenotpossibletoplan

aheadforaconsequenceofthisnatureandthefrequencyofoccurrencecannotbecalculatedbased

onafamiliarmatrixofinitiatingevents.Instead,historicalfailuredataofequipmentwillbeusedto

estimate leak rate. The leak size is assumed to follow a standard statistical distribution and the

likelihoodofoccurrencewillbecalculatedusingtheestimatedleakrateandleaksize.

Once the parameters are estimated, a risk integration task is carried out integrating the

consequenceandlikelihoodtogeneratealistofpossiblescenarios.Eachscenariowillbeassociated

withacertainrisklevelanditwillbemodeledusingeventtrees.Theriskposedbyeachscenariowill

bemodified taking into account variousmitigating factors, such as ignitionprobability, explosion

probability,occupancyprobability,andmitigationeffectiveness.The individualriskassociatedwith

hundreds of thousands of scenarios in each zonewill be integrated using a risk integration tool

(eventtree)liketheoneshowninFigure4.

ThesemiquantitativeapproachissimilarwithrespecttolevelofanalysisefforttoLOPA(layerof

protectionanalysis)usedinSISdesignwheretableswithordersofmagnitudeinriskparametersare

usedtoestablishperformancerequirements.Thesemiquantitativetechniquesneedtobecalibrated


8/15


inordertoensureaccuracyoftheresults.Itisateambasedriskanalysisofafireandgaszoneusing

calibratedriskassessmenttables.

Figure4.Riskintegrationusingeventtreeforscenariocoverage

The likelihood of an event (based on type of equipment in the zone), magnitude of the

consequence(based

on

process

parameters

such

as

temperature,

pressure

and

material

composition), andmitigating factors (such as occupancy and ignition sources) are considered in

determining the levelofrisk,utilizingaprocesssimilar toa riskgraph.Gradesareassigned inside

eachzoneusingariskgraphora riskmatrixthat isdeveloped forthispurpose.Figure5showsa

typicalexampleofthedifferentgradesthatcouldbeusedinsideazoneandtheassociatedlevelof

riskalongwithtargetsfortheperformancemetrics(detectorcoverage&safetyavailability).

Figure5.Zonegradesandassociatedlevelofrisk

Theperformancetargetassignedtoeachgradeinazoneisintendedtomaketherisktolerable

for that particular zone. In the table shown in Figure 5, the risk associatedwithGrade A is the

highestand the riskassociatedwithGradeC is the lowest.Therefore, it isprudent toassign90%


9/15


geographiccoverageand95%safetyavailabilityforGradeAand60%geographiccoverageand90%

safetyavailabilityforGradeCtoreducerisktotolerablelevels.

Itisimportanttonotethatadetailedandcomprehensivecalibrationofthetablescontainingthe

performance targets is essential to the dependability and reliability of the semiquantitative

approach.A fullyquantitative risk analysis isperformedon typicalprocess zones thathavebeen

assignedperformance

targets

and

zone

grade

and

the

magnitude

of

risk

reduction

is

determined.

The data from this analysis is used to develop an empiricalmodel that is the backbone for this

approach. The calibration technique is going tobebased on geographic coverage asopposed to

scenariocoveragebecauseofthestrongpositivecorrelationbetweenthesetwocoveragemethods.

Inaddition,geographiccoverageissignificantlyeasierandlessexpensivetodeterminethanscenario

coverage.

Inadditiontoselectingdifferentgradeswithinazone, it isalsoimportanttodefineboundaries

for the different graded areaswithin that particular zone. In otherwords, one can conveniently

assumethatthehazardsdonotexistoutsidethegradedareasinanyparticularzone.Asmentioned

earlier, the criteria for assigning gradeswithin a zonemust be available in the FGS philosophy

document.The

assignment

of

the

extents

of

agraded

area

is

done

in

avery

similar

fashion

to

electricalareaclassification,wherepotential leaksourcesare identifiedandareaswithinacertain

distance of those sources are set off as graded. While performing a geographic coverage

assessment,thecalculationsarelimitedonlytothegradedareasandnottotheentirezone.

Figure6showstheextentofgradingandthegeographiccoverageforatypicalprocesszone.The

geographiccoverageshownontherightisacolorcodedmapwhereredindicatesthatnodetectors

can detect the hazard, yellowmeans that only one detector can detect the hazard and green

indicates that two or more detectors can detect the hazard. The visual map may also be

supplementedwithtablesindicatingpercentageofthegeographicareawithnocoverage,coverage

byonedetectorandcoveragebytwoormoredetectors.

Figure6.Extentofgradingandgeographiccoverageinaprocesszone

VerifyingDetectorCoverageAfterassigningthetargetsfordetectorcoverage,thenextstep istoverifythefireandgassystem

detectorcoverage.Theverificationisbasedonfactorssuchaszonedefinition,performancetargets,

andapprovedproceduresforperformingcoveragecalculations.Theresultofthisanalysiswillbea


10/15


visualfireandgasmapthatisacolorcodedrepresentationoftheareascoveredandtheextentof

coverageofeacharea.

Theperformanceofthedetectorplaysamajorroleinagasdetectormappingassessmentandit

is usually provided by the equipment manufacturer. When performing a gas detector mapping

assessment one needs to consider many attributes of the zone in consideration, the first

considerationwould

be

the

performance

of

the

detector.

Subsequently,

the

size

and

shape

of

the

gas release needs to be considered relative to the location of the detection equipment. When

employing geographic coverage, the analyst sets the size of a design basis cloud, usually by

determiningtheminimumgascloudsizethatcouldresultinasignificantconsequence(often,4,5or

10metersindiameter,dependingonthesituation). Thisdesignbasiscloudisthemovedaroundthe

zone that is under analysis. For each point in the zone, the ability of each individual detector to

detect the design basis cloud if it were centered at that point is determined, fully in three

dimensions. Forscenariocoverage,eachpotentialrelease(consideringmultipleholesizes,multiple

releaseorientationsandmultiplewinddirections) isplotted,andtheneachdetector isassessedto

determine if it would detect that release. The methods for gas detection coverage analysis are

visually

described

in

Figure

7.

Figure7.GasDetectionMappingTechniqueIllustration

Thegeographic firedetectorcoverageforanexamplegasolinestorageareawitha fewexport

pumpsisshowninFigure8. Inthisgeographiccoveragefigure,greenindicatescoveragebytwoor

moredetectors,yellow indicatescoveragebyasingledetector,andred indicatesnocoverage.It is

alsoimportanttonotethattheareascontainingequipmentandvesselinternalsareeliminatedfrom

thecoveragecalculations.

Figures9and

10

show

geographic

risk

profiles

that

result

from

the

more

rigorous

quantitative

riskanalysisprocessandassociatedscenariocoverageassessment. Thefirstresult(Figure9)shows

theunmitigatedrisk,ortheriskassumingthatthereisnogasdetectionsysteminplace.


11/15


Figure8. GeographicCoverageofaTypicalGasolineTankArea

The geographic risk profile in a zone is represented using the visible color spectrum, where a

colorindicatesthefrequencyofagasrelease(orafirerelease)existingatthatspecificlocation. At

anyparticularlocation,colorsontherightsideofthevisiblecolorspectrumindicatehighlikelihood

ofagasreleaseorfireandcolorsontheleftsideofthevisiblespectrumindicatelowlikelihoodofa

gasreleaseorfire.

Figure9. GeographicRiskProfile(UnmitigatedbyGasDetection)

Figure10presentsthemitigatedgeographicriskprofilethat includesriskreductionbythegas

detectionsystem. Inthiscase,thegassystemcomprisesoftwopointdetectorsonthe leftsideof

thetankandanopenpathdetectorbetweenthetankandtheassociatedtransferpumps.Thegraph

containscolorspredominantlyonthe leftsideofthevisiblecolorspectrum indicatingthattherisk

hasbeensubstantiallyreduced. Thisfigureisdrawn,onceagain,byconsideringalloftheleaksthat

arepossible,butinsteadofplottingallofthegasclouds,onlythegascloudsthatarenotdetectedby


12/15


the gas detection array are plotted. In addition, a calculation of the fraction of releases that are

detectediscalculated. Thisdetectionfractionisthescenariocoverage,whichcansubsequentlybe

usedintheriskintegrationeventtree.

Figure10. GeographicRiskProfile(UnmitigatedbyGasDetection)

FGSSafetyAvailabilityAs discussed earlier, performance targets for safety availability need to be assigned and verified

along with the detector coverage. The ISA Technical Report TR 84.00.07 specifically defines the

metricintermsofsafetyavailabilityinlieuofsafetyintegritylevel(SIL)becauseitwasbelievedthat

assigningsafety

integrity

level

would

be

inappropriate

for

fire

and

gas

systems.

The

effectiveness

of

afireandgassystemtorespondondemandisprimarilyafunctionofthedetectorcoveragerather

thantheruggednessofhardwareelements.Thedetectorcoveragehastobeextremelyhigh(99%)in

orderforthedifferencebetweenSIL2andSIL3probabilityoffailuretobeofanysignificance.

Duringthe conceptualdesignofthe fire andgassystem,FGS safety functionsaredefinedand

targets for safety availability are assigned in accordance with the guidelines given in the FGS

philosophy document.The fire and gasdetectionequipmentselected to achieve the performance

targetmustmeetboththegeneralandspecificrequirementsspecificationasappliedtotheoverall

system.

The

factors

that

influence

the

FGS

functions

ability

to

achieve

the

target

are

component

selection, fault tolerance, functional test interval, effect of common cause failures, and the

diagnosticcoverageofdevicesintheloop.Allthesevariablesareusedinthecalculationstoverifyif

the specified safety availability target has been achieved. The safety availability verification

calculationsareidenticaltotheSILcalculationsdoneforsafetyinstrumentedsystemsandarebased

ontheequationscontainedintheISATechnicalReportTR84.00.02.


13/15


The verification calculations aredoneusing a customized tool kit that isdeveloped from the

equationsgiven in the ISATechnicalReportTR84.00.02.Asanoption, theverificationcalculations

canalsobeperformedmanuallyusingthesameequationswiththeaidofasoftwareapplication.

2.5. GasDetectionSystemSafetyRequirementsSpecificationThe

next

step

in

the

gas

detection

system

life

cycle

is

to

generate

the

gas

detection

system

safety

requirements specification (SRS) for the system. The safety requirements specification is a

comprehensivedocumentthat includesdetectorplacementdrawings,cause&effectdiagramsand

generalrequirementsontheattributesofthegasdetectionsystem.

After verifying the safety availability of all the functions, the final design needs to be

documented in a safety requirements specification (SRS). The SRSdefineshow the gasdetection

system will perform and it is essentially the basis for the design and engineering of the FGS

equipment.Itcontainsnotonlythefunctionalspecificationthatdefinesthedesignbasisbut italso

containsintegrityspecificationsthatdefinethesystemintermsofitsperformancemetrics(detector

coverage and safety availability). The FGS requirements specification provides the functional

specificationof

the

FGS

logic

solver

which

could

be

either

take

the

form

of

cause

and

effect

diagram

orabinarylogicdiagram.TheIEC61511/ISA84standardsprovideguidelinesandachecklistforthe

itemsthatmustbepartoftheFGSrequirementsspecification.

2.6. DetailedDesign&ProcedureDevelopmentThe next step in the gas detection system design life cycle involves the detailed design and

engineeringof the system. This step involves a varietyof tasks such as loop sheetdevelopment,

internalwiring diagram preparation, cable schedule drawingdevelopment, andPLC (logic solver)

programming. Alongwiththedetaileddesignandengineering,proceduresarealsodeveloped for

the fire and gas system for various phases of the life cycle, such as startup, operations,

maintenance,and

de

commissioning.

It

is

quite

likely

that

design

shortcomings

may

be

discovered

duringproceduredevelopmentandthismaytriggertheneedtorevisittheinitialstepsofthesafety

lifecycleandmakechangestoincludeprovisionsforbypassesandresetswithouthavingtotakethe

systemoffline.Ifahardwarecomponentinthefireandgassystemfails,thefailedcomponentmust

be detected and repairedwithin themeantimetorepair (MTTR) thatwas assumed during the

designphaseandsystemmaintenanceproceduresmustclearlyaddressrepairsofthisnaturethat

haveanimpactonthefacilitystolerablerisklevel.Finally,thefunctionaltestingofthefireandgas

systemneeds tobecarriedoutonaperiodicbasisandproceduresneed tobedeveloped for the

same.

2.7. Procurement,Construction&InstallationThe next step in the fire and gas system life cycle involves the procurement, construction and

installationoftheequipmentthathasbeenengineered.Physicalhardwaresuchas,instrumentation

cabinets, cables, fire detectors, and gas detectors will be purchased and installed on site. It is

recommendedthatcautionbeexercisedduringtheinstallationoffieldequipmentforgasdetection

systemsbecausethelocationandorientationofthedetectionequipmenthasaprofoundimpacton

thesystemsabilitytoachievetolerablerisk.The locationandorientationofthedetectorsmustbe

consistent with the values given in the safety requirements specification. Furthermore, the


14/15


placementof equipmentwith respect to thedetectorsmustbe consistentwith the assumptions

made during the design phase. Upon successful completion of the hardware installation, the

softwareisinstalledintothesystemandthelogicsolveriscustomprogrammedforthefacility.

2.8. PreStartupAcceptanceTesting(Validation)The

IEC

61511

standard

requires

that

automated

safety

systems

like

gas

detection

systems

be

validatedbeforetheycanbeturnedovertooperationsandmaintenance.Validation isthetaskof

verifyingthe installationofgasdetectionsystemequipmentandsoftwareprogrammingtocheck if

the installation is conformancewith both the safety requirements specification and the detailed

engineering documentation. Validation involves a complete physical test of all safety critical

functionsstarting from the fieldall theway to theplantcontrol room.Thedeviationsdiscovered

duringthisstepwillbedocumented inarecordcalledpunch listandthe items inthepunch list

needtobesatisfactorilyresolvedbeforethesystemcanbehandedovertoplantpersonnel.

2.9. Operations,Maintenance&TestingOnce

the

validation

is

completed,

the

system

is

turned

over

to

operations

and

maintenance

for

day

todayoperations,which includesimplethingssuchasrespondingtoalarms,respondingtofailure

alarms, and periodic functional testing and preventivemaintenance to ensure that performance

levelsthatwerespecifiedduringdesignarebeingachievedroundtheclockthroughoutthelifecycle

of the facility. During the normal operation and maintenance phase of the life cycle, periodic

function testing and maintenance need to be carried out to ensure that the targets for the

performancemetrics(detectorcoverageandsafetyavailability)arestillachieved.

2.10.ManagementofChange(MOC)During the lifecycleof the facility,anychangesmade tothe facilityorto thatof the fireandgas

systemneed

to

be

considered

in

the

safety

life

cycle

to

make

sure

that

the

change(s)

do

not

affect

theperformanceofthesystem.Itisnotunusualforafacilitytogothroughawiderangeofchanges

suchasretrofittingequipment,addingnewpumps,buildingnewstructure,etc.Thesechangesmay

increasethenumberofleaksources,changezonedefinitionandmayalsochangethecategorization

ofthezonediscussedearlier. It isalsopossiblethatthesechangesmayobstructtheabilityofgas

detection equipment andmay compromise the achieved detector coverage. It is therefore very

importanttomakesurethatthefacilitysmanagementofchangeprocedures includesstepbystep

instructionstoreviewchangesthathavean impactonthegasdetectionsystem.If it isdetermined

thatchangeswillimpacttheperformanceofthegasdetectionsystem,theappropriatestepsinthe

safetylifecycleofthesystemneedstoberevisitedanddesignmustberevised.


15/15


3. CONCLUSIONRiskassessmentmethodsarebeingincreasinglyusedinthedesignofinstrumentedsafeguards,such

asSIS,AlarmSystems,HIPPS,etc.Gasdetectionsystemsarenoexceptiontothistrend.However,

gasdetectionsystemsareonlycapableofmitigatingtheconsequence,whereassafetyinstrumented

systemsarecapableofpreventingtheconsequencefromoccurringwhichgreatlycomplicatestheir

analysis.The

hazards

associated

with

fire

and

gas

systems

are

general

in

nature

and

it

is

difficult

to

characterizetheminthecontextof layersofprotectionanalysis(LOPA).Initiatingeventscausedby

pipe leaksduetocorrosion,erosion,andotherphysicochemicalforcesaretypicallynot included in

LOPA.

TheISATechnicalReportTR84.00.07providesrecommendationsforthedesignofgasdetection

systemsinopendoorchemicalprocessareashavingserioushazards.Thetechnicalreportproposes

that an FGS be designed similar to a SIS if detector coverage is considered as an additional

performancemetric.Thispaperhasprovidedanoverviewoftheriskassessmentmethodsused in

thedesignof fire and gas systems andhasdescribed themethods available to assign and verify

targetsfortheperformancemetrics.Thispaperalsoprovidesaroadmapofthesteps involvedthe

safetylifecycleofagasdetectionsystemexplaininghoweachstepisinterconnectedwiththeother

andwhyitisimportanttofollowaholisticapproachtothedesignofautomatedsystemsinasafety

criticalenvironment.

REFERENCES

1. ISA TR84.00.07 The Application of ANSI/ISA 84.00.01 2004 Parts 13 (IEC 61511 Parts 13Modified) forSafety InstrumentedFunctions (SIFs) inFire&GasSystemsVersionA,October

2007.

Documents

Performance Based Gas Detection System Design