01 June 2003
Fire and gas
By Kimberly A. Dejmek and Richard Skone
Standard's use spreading, but confusion still surrounds FGS.
Consistency is the hallmark of any great organization or process. When it comes to fire and gas systems (FGSs), consistency is not a desired goal; it is a must. But since the promulgation of ISA S84.01 in 1996, there has been confusion surrounding the treatment of fire and gas systems. Some believe that the standard excludes coverage of fire and gas systems, while others prepare FGS specifications that require compliance with ANSI/ISA S84.01-1996. This has led to inconsistency in the approach between and within operating companies.
The request for compliance with both S84 and National Fire Protection Association (NFPA) standards creates additional implementation issues. Simultaneously meeting the requirements of both standards limits the available equipment, configurations, and architectures. In many cases, the user has already specified the equipment and its configuration, making it impossible to meet standards.
All a misunderstanding
"Fire and gas systems are excluded" is often heard in discussions of the ISA standard on safety instrumented systems. This can be true, or not, depending upon the specific application in question. The exclusion that is often misquoted is from paragraph 1.2.14, which reads:
"Systems where operator action is the sole means required to return the process to a safe state are not covered by this standard (e.g., alarm systems, fire and gas monitoring systems, etc.)."
The key concept in this paragraph is that the exclusion applies to "systems where operator action is the sole means required to return the process to a safe state." This exclusion does not, therefore, address FGSs that automatically initiate process actions, but those that only monitor and generate alarms.
Another area of confusion surrounding the applicability of S84 to FGSs is whether the application of fire-mitigation materials should be a part of the safety instrumented function (SIF). This is not an issue that can be generally resolved, but instead requires case-by-case consideration. Just as you can review process-related SIFs to identify the actions required to achieve functional safety, you can similarly apply this identification of "safety critical actions" to an FGS. If the successful initiation of fire mitigation achieves the risk reduction allocated to the FGS, then these actions, along with the identified process actions, are safety critical.
The ISA/International Electrotechnical Committee (IEC) standards for safety instrumented systems (SISs) and the NFPA standards addressing FGSs developed in isolation, with the systems treated as separate and independent. However, the edges between these two types of systems are blurring, creating overlap between the system requirements. Many SISs have inputs from fire and gas detectors and generate outputs to process and fire-fighting equipment.
Plenty of options
Complications set in
Implementing a system compliant with NFPA 72 requires equipment that has been tested and approved under the rules of the standard. Each component used in a system must work with all other components to which it will connect. Dedicated FGS component suppliers have performed the necessary testing and received the necessary certification. However, when there is a request for additional compliance with S84, and more specifically, with a safety integrity level (SIL), selecting FGS equipment becomes more complicated.
One key issue is the limited selection of logic-solving devices certified under NFPA 72 that are capable of meeting the higher SIL performance criteria. The traditional fire panel has a failure rate of 5.7E-06 per hour, which results in a probability of failure on demand (PFD) of 2.5E-02 at annual testing. This PFD is consistent with a SIL 1 level of performance. You will need quarterly testing to achieve SIL 2 performance, and even monthly testing is insufficient to achieve SIL 3. Additionally, certification of traditional fire panels has not occurred under IEC 61508, making their use in today's environment even less likely. Programmable logic solvers certified under IEC 61508 and NFPA 72 are available, but the current selection is extremely limited.
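The fire-panel figures above can be checked with the following added example, which is not part of the original article. It assumes the common single-channel approximation PFDavg = failure rate x test interval / 2 and the usual low-demand SIL bands; neither is stated in the article, but the approximation reproduces its 2.5E-02 annual figure. All function names are hypothetical.

```python
"""Added example: simplified PFDavg for one periodically proof-tested device."""

HOURS_PER_YEAR = 8760.0
PANEL_RATE = 5.7e-06  # per hour, traditional fire panel (figure quoted in the article)

# Assumed low-demand SIL bands: (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = [(3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_avg(rate_per_hour, test_interval_hours):
    """Assumed approximation PFDavg = lambda * TI / 2, valid while lambda * TI << 1."""
    return rate_per_hour * test_interval_hours / 2.0


def sil_for(pfd):
    """Return the SIL whose band contains pfd; 0 means worse than SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    # Anything better than the SIL 3 band is reported as 3, the top level in S84.
    return 3 if pfd < 1e-4 else 0


def max_test_interval_hours(rate_per_hour, target_sil):
    """Interval at which PFDavg reaches the band's upper bound; test more often than this."""
    upper = {sil: high for sil, _, high in SIL_BANDS}[target_sil]
    return 2.0 * upper / rate_per_hour


def panel_table(rate_per_hour=PANEL_RATE):
    """PFDavg and SIL for the test intervals the article discusses."""
    intervals = {
        "annual": HOURS_PER_YEAR,
        "quarterly": HOURS_PER_YEAR / 4,
        "monthly": HOURS_PER_YEAR / 12,
    }
    table = {}
    for name, hours in intervals.items():
        pfd = pfd_avg(rate_per_hour, hours)
        table[name] = (pfd, sil_for(pfd))
    return table


if __name__ == "__main__":
    for name, (pfd, sil) in panel_table().items():
        print(f"{name:9s} PFDavg = {pfd:.2E}  SIL {sil}")
    for target in (2, 3):
        days = max_test_interval_hours(PANEL_RATE, target) / 24.0
        print(f"SIL {target} needs a proof test at least every {days:.1f} days")
```

Under these assumptions the panel would need a proof test roughly every two weeks to reach the SIL 3 band, which is why monthly testing falls short.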
Another area of conflict is the S84 (and IEC) requirement for periodic functional testing and some of the currently available fire suppression and mitigation equipment. S84 states, "periodic functional tests shall be conducted . . . including the sensor(s), the logic solver, and the final element(s)." There are a number of fire-fighting systems that are not compatible with regular testing, including foam, carbon dioxide, FM200, Halon, dry chemical agents, and even some water applications. A number of the agents are in canisters equipped with a valve that opens when a demand hits the fire-mitigation system. You cannot test the valve, however, without releasing the contents of the container. If the contents release, you would need to replace them. You cannot test other systems because, although reusable, exposure to the fire-fighting agents would damage the process or computing equipment in the area.
The codes addressing the design of such equipment are prescriptive in nature, and hence leave little room for modification. NFPA-2001-16 requires a visual inspection of the canisters on a five-year schedule and states in paragraph 4-1.1 that "discharge tests are not required." In order for the treatment of fire and gas systems to be compatible with that of SISs, there will need to be an update of the codes dictating the design of fire suppression and mitigation equipment.
Implementing an FGS that is compliant with S84 and NFPA 72 can be quite difficult, and yet most specifications request both standards. Many are concerned that there is a disparity between the expectations of the owner/operator and the systems actually provided. The FGS specifications often identify S84 as a design standard, but fail to provide sufficient definition of the SIF to support proper design and evaluation.
There are three options for the boundaries when following the requirement for S84 compliance. Option 1, which only includes the logic solver, represents what suppliers are likely to provide. The provision of an FGS logic solver that complies with the target SIL does not ensure that the SIF will meet the target. Option 2 includes FGS detection, the FGS and SIS logic solvers, and process output actions. It is possible to provide a system with these boundaries that meets the requirements of the standards and complies with a target SIL; however, FGS vendors rarely have the knowledge and skills required to design and evaluate such a system. Option 3, which includes all the elements of the FGS (detection, logic solvers, process outputs, and FGS outputs), is generally not possible to provide given the inability to test the releasing system, as previously discussed. The worst situation, and the one most likely to exist, is that the owner/operators believe they are requesting and receiving option 3, while the suppliers are providing option 1.
Matter of interpretation
Consider the example of an FGS specification that requests a SIL 2 system to detect fire in a compressor-control building using thermal rate-of-rise detectors and, via a standard fire panel, lights a strobe to the SIS logic solver that shuts down the motor-driven compressor. Depending upon the supplier's interpretation of the request, the supplier could provide a number of different system configurations at the door.
Option 1: This option only contains the fire panel. As previously stated, the traditional fire panel has a failure rate of 5.7E-06 per hour, requiring quarterly testing to achieve SIL 2 performance.
Option 2: This option includes thermal detection, the fire panel, the SIS logic solver, and compressor motor shutdown. The fault tree illustrates the logic model of the base-case system. Using published failure-rate data for the system components and annual testing, the system only achieves SIL 1–level performance. Quarterly testing improves the performance of the system to SIL 2 with a PFD of 8.54E-03, or a safety availability of 99.15%.
Option 3: This option addresses the entire system, including the gaseous clean-agent (NFPA 2001) release. In order to suppress a fire successfully, officials calculated the release of at least two clean-agent bottles. If it is not possible to test the entire system, as previously discussed, then you can utilize a five-year replacement schedule. It was impossible for the base case of just two bottles to meet SIL 2. When testing monthly, the system safety availability was approximately 50%. If one maintains the five-year replacement philosophy and considers monthly testing of the system, then a bank of seven bottles would be required to provide SIL 2 performance (PFD = 8.16E-03). If a one-year replacement philosophy were instituted, then a bank of four bottles would be required to achieve SIL 2 performance (PFD = 4.76E-03).
The following data, obtained from OREDA-92 and IEEE500, was used in the analysis: clean-agent release, 8E-06 per hour; fire and gas panel, 5.7E-06 per hour; control relay, 1.66E-07 per hour; MCC relay, 5.0E-08 per hour; thermal detector, 1.01E-06 per hour.
The relationship between the FGS and the SIS standards is somewhat ambiguous, but if you approach them from the same perspective as process SIFs, you can develop a logical, repeatable approach. Where the FGS initiates actions critical to safety and provides required risk reduction, the S84 "exclusion" is inapplicable and you should apply all the SIS requirements. Therefore, it is important that those involved with an FGS are educated in the scope, terminology, and requirements of the SIS standards to ensure that those providing equipment meet the expectations of those purchasing it. As understanding improves and the FGS specifications are written and interpreted to reflect the true requirements of the owner/operator, the areas of the NFPA code conflicting with the ability to provide an FGS that also serves as a portion of SIS will be apparent. It will then be possible for the standards and the equipment to evolve in a way that supports the common objectives to provide an FGS that adequately protects the public, personnel, and facilities.
Behind the byline
Kimberly A. Dejmek, P.E., C.F.S.E. is a senior engineer at Baker Engineering and Risk Consultants in Stafford, Texas. Richard Skone is a systems business development manager at Detector Electronics in Houston.