performance based gas detection system design
TRANSCRIPT
-
7/30/2019 Performance Based Gas Detection System Design
1/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page1
PerformanceBasedGasDetectionSystemDesignforHydrocarbonStorage
TankSystems
SrinivasanN.Ganesan,M.S.,P.E.MENARegionManager,KenexisDMCC,Dubai,UAE
EdwardM.Marszal,PE,ISA84ExpertABSTRACT
Thedesignof hydrocarbon gasdetection systemsusing risk analysismethods is drawing a lot of
attentionbecause industryexpertshavecometoaconsensusthatdesigncodesused intraditional
gas detection system designwork are not sufficient for opendoor process areas having serious
hazards,suchas fire,flammablegasandtoxicgas. The ISATechnicalReportTR84.00.07provides
guidelinesforthedesignoffireandgassystemsinunenclosedprocessareasinaccordancewiththe
principles given in IEC 61511 standards. This paper presents an overview of the design of gas
detection systems using risk assessmentmethods that are described in the ISA technical report.
Thesemethods
are
statistical
in
nature
and
are
used
to
assign
and
verify
targets
for
the
performance
metrics(detectorcoverageandsafetyavailability)ofgasdetectionsystems.Thispaperalsoprovides
anoverviewof theperformancebased safety lifecycleofgasdetection systems fromconceptual
designstagetooperationsandmaintenance.
1. INTRODUCTIONRiskassessmenttechniquesarebeingincreasinglyusedinthedesignofengineeredsafeguards,such
as FireandGasDetectionandSuppression Systems (FGS),Safety Instrumented Systems (SIS)and
AlarmSystems.Theprinciplesofriskassessmentused inthedesignofSIScanalsobeused inthe
design of Gas Detection Systems. A Gas Detection System is a type of instrumented safeguard
intendedtoreducerisksposedbyprocessplants,suchassafetyrisk,environmentalrisk,andasset
risk (commercial/business) to tolerable levels. However, gas detection systems systems are only
capable of mitigating the consequence of a loss of containment, whereas safety instrumented
systemsarecapableofpreventingtheconsequencefromoccurringaltogether.
AllautomatedsafetysystemssuchasFGS,SIS,andHigh IntegrityPressureProtectionSystems
(HIPPS)needabasisofsafetyfortheselectionanddesignofitsfunctionalelements(sensor,logic
solverandfinalcontrolelements).InthedesignofGasDetectionSystems, it is importanttoselect
detectorsof theappropriate technologyand caremustbe taken toposition the rightnumberof
detectors at the correct location for the system to respondondemand. In addition, thebasisof
safety
specifies
the
mechanical
integrity
requirements
for
the
equipment
with
respect
to
the
type
andfrequencyofpreventivemaintenancetasksrequired.Inshort,thebasisofsafetyisatthecoreof
decisionsthataremadewithreferencetoselectionandmaintenanceofinstruments.
The two options for choosing basis of safety are prescriptive and performancebased.
Prescriptivebasisofsafety (suchasNFPA72andEN54 for firealarmingequipment)specifiesthe
type of equipment, its location for installation and also addresses the requirements tomaintain
them.Notonlydo theprescriptive standards forFGSdesignprovideaverycomprehensivesetof
-
7/30/2019 Performance Based Gas Detection System Design
2/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page2
rules for designing equipment,but they are also sowell established for thedesign of fire alarm
systemsthattheyareoftenemployed,at least, forthesignalingportionofgasdetectionsystems.
Thesestandardshaveevolvedtobeveryeffectiveforthefirealarms inoccupiedbuildings,suchas
office buildings, hospitals, and schools, but often fall short for gas detection and even for fire
detectioninopenprocessareas.
Prescriptivestandards
provide
detailed
requirements
for
basis
many
gas
and
fire
system
applications.However, theydonotprovidedetailed requirements forgasdetection inopendoor
areas, such as chemical process units and hydrocarbon storage tank farms. Some of the gas
detection systemelements (sensor, logic solver, finalcontrolelement) typically found inchemical
process facilitiesarenotadequatelycoveredby theseprescriptivestandards. Inaddition, theydo
notprovideanoptimalsolutiontodealwiththehazardsassociatedwithprocessfacilities,suchasoil
refineries and petrochemical plants. Specifically, they are not geared towards hazards such as,
combustible hydrocarbon gases and toxic gases. As amatter of fact, toxic gases are completely
unaddressedbytheseprescriptivestandards,andcombustiblegasesonlyslightly.
Itisworthwhiletopointoutthattheinstitutionsthatdevelopedtheseprescriptivestandardsare
cognizantoftheirshortcomingsandthereforeallowtheuseofperformancebasedbasisofsafetyin
areas where the users of the standards believe that the prescriptive guidance is ineffective.
Performancebased standards use risk assessment techniques for decisions involving selection,
design,andmaintenanceofgasdetectionsystems.Theintentoftheperformancebasedapproachis
not to replace the prescriptive method, but to supplement it where prescriptive methods are
ineffective.
Industrypractitionersrecognizedtheneedformoreguidanceforperformancebaseddesignfor
gasdetectionsystemsandcame toaconsensus that thisguidancehas tocome fromastandards
organization like the InternationalSocietyofAutomation (ISA). ISAStandardsPanel84createda
specialworking
group
called
working
group
7
specifically
to
address
performance
based
design
of
fireandgassystems.The ISATechnicalReportTR84.00.07thatcameoutof theworkinggroup7
providesguidelinesforfireandgassystemsinaccordancewiththeprinciplesprovidedinIEC61511
standards.TheTechnicalReportTR84.00.07hasgenerated considerable interestamongoil&gas
operating companies and EPC companies and itjumpstarted the application of risk assessment
techniquestodesignfireandgasdetectionandsuppressionsystems.
ThebasisoftheIEC61511standardistospecifytargetsforperformancemetricsforeachsafety
instrumentedfunctionthatisprotectingtheplantfromprocessrelatedrisks.Thetargetisselected
basedonthe riskassociatedwith thehazard thatthesafety instrumented function is intendedto
prevent.Gasdetectionsystemsposechallengeswhentryingtouseriskanalysistechniquesthatare
compliantwith
ISA84/IEC
61511
standards
for
safety
instrumented
systems.
The
hazards
associated
withgasdetectionsystems(especiallyasapplied inthechemicalprocess industries)aregeneral in
natureand it isdifficulttocharacterizethem inthecontextof layerofprotectionanalysis (LOPA).
Initiatingeventscausedbyleaksduetocorrosion,erosion,andotherphysicochemicalforcesarenot
included in LOPA. Although the concept of probability of failure on demand is applicable to gas
detection system functions, component equipment failures are not the only consideration and
usuallynoteventhemost important.The inabilityofangasdetectionsystem functiontodetecta
gas leakbecauseof lackofcoveragecanalso leadtofailureondemand.RecentdatafromtheUK
-
7/30/2019 Performance Based Gas Detection System Design
3/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page3
NorthSeaareaindicatethatmorethan30%ofmajorgasreleaseswerenotdetectedbyautomated
systems.
TheISA84workinggroup7determinedthatagasdetectionsystemcanbedesignedsimilartoa
SIS ifdetectorcoverage isconsideredasanadditionalperformancemetric.Inadditiontoassigning
targetsforsafetyavailability(equivalenttoSIL),targetsfordetectorcoverageneedtobeassigned
forgas
detection
systems
so
that
the
verification
and
validation
of
detector
coverage
is
required
in
thegasdetectionsystemdesign.
2. FIREandGASDESIGNLIFECYCLEThesafety lifecycledefined intheISATechnicalReportTR84.00.07forfireandgassystems isvery
similartotheonedefinedforsafetyinstrumentedsystemsintheIEC61511standard.Riskscenarios
must be identified before fire and gas systems can be selected for a particular application. The
hazardsandconsequencesassociatedwitheachscenariomustbeanalyzedtaking intoaccountthe
impactonhumanlivesandassets.Itisalsoimportanttoconsiderthefrequencyofoccurrenceofthe
consequence while making decisions on the fire and gas system. If it is anticipated that the
consequencewill
occur
quite
frequently,
then
amore
rugged
risk
mitigation
system
needs
to
be
considered.
Ariskassessmentisperformedbeforemakingadecisionontheneedforafireandgassystem.If
the unmitigated risk is tolerable, there would be no design for a fire and gas system. If the
unmitigatedrisk isnottolerable,recommendationswouldbemadetodesignafireandgassystem
toreducetheoverallrisktotolerablelevels.
Ifadecision ismade to installa fireandgas system, the initialdesign is typicallydoneusing
heuristics (rulesof thumb).The ISATechnicalReportTR84.00.07proposes that theprocurement
andinstallationoffireandgassystemsshouldnotimmediatelyfollowtheinitialdesign.Instead,the
technicalreport
suggests
that
the
coverage
provided
by
the
detector
layout
in
the
initial
design
be
calculated and verified to check if it meets its target. In addition to the coverage, the safety
availability(equivalenttoSIL)foreachfunctionshouldbecalculatedandverifiedinaway identical
toverifyingtheSILofasafetyinstrumentedsysteminaccordancewiththeIEC61511standard.The
typicalworkflowinthesafetylifecycleofperformancebasedfireandgassystemdesignisshownin
Figure1.
2.1. IdentifyGasDetectionSystemRequirementsThefirststepintheFGSsafetylifecycleisidentifyingtheneedforagasdetectionsystem.Theneed
foragasdetection systemusually stems from riskassessment studies, suchasPHA,HAZOP,and
Whatif
checklist.
Typically,
the
study
team
would
come
to
aqualitative
consensus
that
the
unmitigated risk is not tolerable andwould recommend the implementation of a gas detection
systemformitigatingtherisktotolerablelevels.Evensemiquantitativeriskanalysistechniqueslike
layerofprotectionanalysis (LOPA)often recommendthe implementationof fireandgassystems.
Andfinally,alotofjurisdictionsaroundtheworldmandatethecreationofsafetycasesthatinclude
quantitativeriskassessment(QRA)studiesinplantdesignasaprerequisitetoissueanoperational
permitforthefacility.
-
7/30/2019 Performance Based Gas Detection System Design
4/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page4
Figure1.TypicalworkflowinthesafetylifecycleofperformancebasedFGS
If aQRA study has been the basis for an operational license from an authority, the process
facilityneedstohaveagasdetectionsysteminplacewhoseperformanceisinaccordancewiththe
assumptionsmade in theQRA study otherwise, the basis for the safety case and operational
permitsareinvalid. Inaddition,industrybestpracticesandcorporateHSEpoliciesoftenrequiregas
detection systems tobe implemented inaprocess facility tomitigate risk. Lastbutnot the least,
insurancecompaniesoftenrequireafullyfunctionalfireandgassystemasaprerequisitetoinsure
thefacility.
2.2. GasDetectionSystemPhilosophyDevelopmentOnce
the
need
for
agas
detection
system
has
been
established,
the
next
step
in
the
safety
life
cycle
is the development of a gas detection system philosophy document (which often incorporates
requirements for fire detection aswell as gasdetection). Efforts shouldbedirected towards the
creationofacomprehensive fireandgasphilosophy thatwouldbethebasis formakingdecisions
involvingthedesignof fireandgassystems.The fireandgassystemphilosophywoulddefinethe
tools,techniques,policies,andproceduressurroundingfireandgassystemdesign.Thedocument,
compliantwiththeIEC61511standardandISATechnicalReport84.00.07,isdevelopedonce,most
likelyatthecorporatelevel,sothephilosophycanbeappliedtoallfireandgassystemswithinthe
organization. Inotherwords, itprovidesacommon framework formakingdecisions involving fire
andgassystemsthroughouttheorganization.
Theintent
of
the
fire
and
gas
philosophy
document
is
to
standardize
the
methods
that
will
be
used in identifyingthehazardsthe fireandgassystems intend toprotectagainst.Hazardswillbe
identifiedbasedoncriteriasuchaspropertiesofmaterialbeingprocessed(flammability,reactivity,
toxicity),andprocessconditions(pressure,temperature).Thephilosophydocumentwillhavethelist
ofrequirementsforthesafetyanalysisthat isgoingtobeperformed. Inadditiontosettingupthe
methodsandproceduresfordesigningfireandgassystems,therewillbecriteriaforvariousdesign
related tasks, such as zone definition, and zone grading. Therewill also be criteria for assigning
-
7/30/2019 Performance Based Gas Detection System Design
5/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page5
targetsforperformancemetrics(detectorcoverageandsafetyavailability)andcriteriaforchoosing
theappropriatetechnologyfordetectorsandvotingarchitecturefordetectionequipment.
2.3. GasDetectionSystemZoneDefinitionandCategorizationThenext step in the lifecycle is zonedefinition,which requiresa thoroughunderstandingof the
processbeing
analyzed.
Technical
documentation
such
as
process
flow
diagrams,
piping
&
instrumentationdiagrams,cause&effectdiagrams,andplotplanswouldaidintheunderstandingof
the facilitybeingstudied.Theprocessstartsoutby identifyingzoneswithin theentireplantarea.
Zones are small areas that are geographically limited so that specificmitigation actions could be
takendependinguponthehazardpresentwithintheparticularzone.
Itisworthwhiletopointoutwhyzonedefinitioniscriticaltothesafetylifecycle.Differentareas
inaprocessplanthavedifferentgasreleasehazards.Someprocessunitssuchasaminetreatment
unitsandsulfurrecoveryunitsposeaH2Stoxicgashazard.Someareasmaybepronetopoolfires
whileothersmaybepronetogasreleasesorgasjetfires.Therefore,itbecomesimportanttodefine
andsegregatethezonesfromeachother.
Finally, the definition of zones will assist plant operations personnel trained in hazard
communication to respondeffectively toanemergencysituation. Ina fireorgasreleasescenario,
operationspersonnelwillbeforcedtoshutdownprocessunitsandbringthemtoasafestateasa
proactivemeasure tomitigate the consequence. Emergency response action plans in a process
facilityaredevelopedwithagoodunderstandingofthenatureandlocationofthehazards.
ThedefinitionandcategorizationofzonesinatypicalprocessfacilityareshowninFigure2.The
categorizationofzones isnecessarytoselecttheappropriatemitigationtechniquesandactionsfor
each particular zone. Thedifferent zone categories such asH,N,G, E, T, andV define different
attributes of a process area. The first type of zone is type Hwhichwould include hydrocarbon
processareas
having
fire
and
combustible/toxic
gas
hazards.
The
second
type
of
zone
is
type
N
whichwouldalsoincludeprocessareas,butwithnonhydrocarbonfirehazards.Theareawithnon
hydrocarbon firehazard isnotgrouped into typeH zonebecause thedetectionand suppression
equipmentfornonhydrocarbonrelatedfiresisdifferentfromthoseofhydrocarbonrelatedfires.
Figure2.Definitionandcategorizationofzones
-
7/30/2019 Performance Based Gas Detection System Design
6/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page6
Thethirdtypeofzone istypeGwhichwould includeoccupancyareas,suchascontrolrooms,
maintenanceworkshops,and administrativeoffices thatarenormallyoccupiedbypeopleandno
chemicalprocessingoccursinsidethem.ThefourthtypeofzoneistypeEwhichwouldincludenon
hydrocarbon special equipment protection areas like instrument control rack rooms that house
unratedelectricalequipmentandposeanexplosionhazard if flammablegaseswere toenter the
zone.
ThefifthtypeofzoneistypeTwhichincludesgasturbineenclosuresandengineenclosuresfor
whichthe fireandgasequipmentrequirementsareveryspecificandstringent.Thesixthandfinal
zone type is typeVwhich includes air intakeducts ofoccupied buildings in closeproximity to a
hydrocarbonprocess area. TypeV zone is similar to type E zone from a standpointof detecting
flammableandtoxicgasesenteringoccupiedbuildingsthroughanairintakesystem.
Figure3.Typicalzonelistforaprocessarea
Theresultofthezonedefinitiontask isazone listthat isshown inFigure3.Eachzonewillbe
identifiedbya specific tagnumberdefining the zonealongwithabriefdescriptionof the zones
locationanditscontents.Thezonelistwillalsoshowthecategory(asmentionedabove)alongwith
theattributeswhythatcategorywaschosenforthatparticularzone.Thezonelistisenteredintoa
databasecalledtheFGSdesignbasistoolkitformanagingthezones.
2.4. SettingandVerifyingPerformanceTargetsOnceallthezonesare identified,targetsfordetectorcoverageandFGSsafetyavailability(forFGS
functions)ineachzoneneedtobeassignedconsistentwiththecorporatephilosophyonfireandgas
systemdesign.
The
detector
coverage
for
the
initial
design
will
be
calculated
using
quantitative
models and will be verified to check if itmeets its target. Similarly, the FGS safety availability
(equivalent to SIL) for the functionality in each zone will be calculated and verified using
conventionalSILverificationtechniqueslaidoutintheIEC61511standard.
Ifitisdeterminedthattheperformancemetricsfailtomeettheirtarget,theinitialfireandgas
system designwill be revised bymaking changes to the number and position of detectors. The
-
7/30/2019 Performance Based Gas Detection System Design
7/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page7
verificationcalculationsare rerunon the reviseddesignand this recursiveprocesscontinuesuntil
theperformancemetricsmeettheirtarget.
AssigningDetectorCoverageForthefireandgasdetectorcoverage,theISATechnicalReportTR84.00.07identifiestwotypesof
coverageassessment
methods
scenario
coverage
and
geographic
coverage.
Scenariocoverageisdefinedasthefractionofthereleasescenariosthatwouldoccurasaresult
ofthelossofcontainmentinadefinedandmonitoredprocessareathatcanbedetectedbyrelease
detection equipment considering the frequency andmagnitude of the release scenarios and the
definedvotingarrangement.
Geographiccoverage isdefinedas the fractionof thegeometricarea (atagivenelevationof
analysis)ofadefinedmonitoredprocessareawhich,ifareleaseweretooccurinagivengeographic
location,would be detected by the release detection equipment considering the defined voting
arrangement.
Consistentwith
the
above
definitions
from
the
ISA
Technical
Report,
there
are
two
common
methodsforassigningtargetsfordetectorcoveragefullyquantitativeandsemiquantitative.Inthe
fully quantitative method, the targets for detector coverage are calculated using rigorous
mathematical models that estimate the likelihood of an event and the magnitude of the
consequence ifthateventweretooccur.Aconsequencesuchasagasreleasewouldbemodeled
using dispersion modeling techniques to determine the size and location of the gas cloud. In
addition, fire and explosionmodels will be used to determine the impact on human lives and
propertyifthegascloudweretoigniteandexplode.
Unlikeasafetyinstrumentedsystem,agasdetectionsystemcanonlymitigatetheconsequence
but cannot prevent the initiating event from happening. Initiating events (such as a gas release)
causedbyfactorssuchasweldedjointfailure,pipe/equipmentcorrosion,andgasketfailurecannot
beadequatelyaddressedduringariskanalysisstudylikeHAZOP.Itisthereforenotpossibletoplan
aheadforaconsequenceofthisnatureandthefrequencyofoccurrencecannotbecalculatedbased
onafamiliarmatrixofinitiatingevents.Instead,historicalfailuredataofequipmentwillbeusedto
estimate leak rate. The leak size is assumed to follow a standard statistical distribution and the
likelihoodofoccurrencewillbecalculatedusingtheestimatedleakrateandleaksize.
Once the parameters are estimated, a risk integration task is carried out integrating the
consequenceandlikelihoodtogeneratealistofpossiblescenarios.Eachscenariowillbeassociated
withacertainrisklevelanditwillbemodeledusingeventtrees.Theriskposedbyeachscenariowill
bemodified taking into account variousmitigating factors, such as ignitionprobability, explosion
probability,occupancyprobability,andmitigationeffectiveness.The individualriskassociatedwith
hundreds of thousands of scenarios in each zonewill be integrated using a risk integration tool
(eventtree)liketheoneshowninFigure4.
ThesemiquantitativeapproachissimilarwithrespecttolevelofanalysisefforttoLOPA(layerof
protectionanalysis)usedinSISdesignwheretableswithordersofmagnitudeinriskparametersare
usedtoestablishperformancerequirements.Thesemiquantitativetechniquesneedtobecalibrated
-
7/30/2019 Performance Based Gas Detection System Design
8/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page8
inordertoensureaccuracyoftheresults.Itisateambasedriskanalysisofafireandgaszoneusing
calibratedriskassessmenttables.
Figure4.Riskintegrationusingeventtreeforscenariocoverage
The likelihood of an event (based on type of equipment in the zone), magnitude of the
consequence(based
on
process
parameters
such
as
temperature,
pressure
and
material
composition), andmitigating factors (such as occupancy and ignition sources) are considered in
determining the levelofrisk,utilizingaprocesssimilar toa riskgraph.Gradesareassigned inside
eachzoneusingariskgraphora riskmatrixthat isdeveloped forthispurpose.Figure5showsa
typicalexampleofthedifferentgradesthatcouldbeusedinsideazoneandtheassociatedlevelof
riskalongwithtargetsfortheperformancemetrics(detectorcoverage&safetyavailability).
Figure5.Zonegradesandassociatedlevelofrisk
Theperformancetargetassignedtoeachgradeinazoneisintendedtomaketherisktolerable
for that particular zone. In the table shown in Figure 5, the risk associatedwithGrade A is the
highestand the riskassociatedwithGradeC is the lowest.Therefore, it isprudent toassign90%
-
7/30/2019 Performance Based Gas Detection System Design
9/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page9
geographiccoverageand95%safetyavailabilityforGradeAand60%geographiccoverageand90%
safetyavailabilityforGradeCtoreducerisktotolerablelevels.
Itisimportanttonotethatadetailedandcomprehensivecalibrationofthetablescontainingthe
performance targets is essential to the dependability and reliability of the semiquantitative
approach.A fullyquantitative risk analysis isperformedon typicalprocess zones thathavebeen
assignedperformance
targets
and
zone
grade
and
the
magnitude
of
risk
reduction
is
determined.
The data from this analysis is used to develop an empiricalmodel that is the backbone for this
approach. The calibration technique is going tobebased on geographic coverage asopposed to
scenariocoveragebecauseofthestrongpositivecorrelationbetweenthesetwocoveragemethods.
Inaddition,geographiccoverageissignificantlyeasierandlessexpensivetodeterminethanscenario
coverage.
Inadditiontoselectingdifferentgradeswithinazone, it isalsoimportanttodefineboundaries
for the different graded areaswithin that particular zone. In otherwords, one can conveniently
assumethatthehazardsdonotexistoutsidethegradedareasinanyparticularzone.Asmentioned
earlier, the criteria for assigning gradeswithin a zonemust be available in the FGS philosophy
document.The
assignment
of
the
extents
of
agraded
area
is
done
in
avery
similar
fashion
to
electricalareaclassification,wherepotential leaksourcesare identifiedandareaswithinacertain
distance of those sources are set off as graded. While performing a geographic coverage
assessment,thecalculationsarelimitedonlytothegradedareasandnottotheentirezone.
Figure6showstheextentofgradingandthegeographiccoverageforatypicalprocesszone.The
geographiccoverageshownontherightisacolorcodedmapwhereredindicatesthatnodetectors
can detect the hazard, yellowmeans that only one detector can detect the hazard and green
indicates that two or more detectors can detect the hazard. The visual map may also be
supplementedwithtablesindicatingpercentageofthegeographicareawithnocoverage,coverage
byonedetectorandcoveragebytwoormoredetectors.
Figure6.Extentofgradingandgeographiccoverageinaprocesszone
VerifyingDetectorCoverageAfterassigningthetargetsfordetectorcoverage,thenextstep istoverifythefireandgassystem
detectorcoverage.Theverificationisbasedonfactorssuchaszonedefinition,performancetargets,
andapprovedproceduresforperformingcoveragecalculations.Theresultofthisanalysiswillbea
-
7/30/2019 Performance Based Gas Detection System Design
10/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page10
visualfireandgasmapthatisacolorcodedrepresentationoftheareascoveredandtheextentof
coverageofeacharea.
Theperformanceofthedetectorplaysamajorroleinagasdetectormappingassessmentandit
is usually provided by the equipment manufacturer. When performing a gas detector mapping
assessment one needs to consider many attributes of the zone in consideration, the first
considerationwould
be
the
performance
of
the
detector.
Subsequently,
the
size
and
shape
of
the
gas release needs to be considered relative to the location of the detection equipment. When
employing geographic coverage, the analyst sets the size of a design basis cloud, usually by
determiningtheminimumgascloudsizethatcouldresultinasignificantconsequence(often,4,5or
10metersindiameter,dependingonthesituation). Thisdesignbasiscloudisthemovedaroundthe
zone that is under analysis. For each point in the zone, the ability of each individual detector to
detect the design basis cloud if it were centered at that point is determined, fully in three
dimensions. Forscenariocoverage,eachpotentialrelease(consideringmultipleholesizes,multiple
releaseorientationsandmultiplewinddirections) isplotted,andtheneachdetector isassessedto
determine if it would detect that release. The methods for gas detection coverage analysis are
visually
described
in
Figure
7.
Figure7.GasDetectionMappingTechniqueIllustration
Thegeographic firedetectorcoverageforanexamplegasolinestorageareawitha fewexport
pumpsisshowninFigure8. Inthisgeographiccoveragefigure,greenindicatescoveragebytwoor
moredetectors,yellow indicatescoveragebyasingledetector,andred indicatesnocoverage.It is
alsoimportanttonotethattheareascontainingequipmentandvesselinternalsareeliminatedfrom
thecoveragecalculations.
Figures9and
10
show
geographic
risk
profiles
that
result
from
the
more
rigorous
quantitative
riskanalysisprocessandassociatedscenariocoverageassessment. Thefirstresult(Figure9)shows
theunmitigatedrisk,ortheriskassumingthatthereisnogasdetectionsysteminplace.
-
7/30/2019 Performance Based Gas Detection System Design
11/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page11
Figure8. GeographicCoverageofaTypicalGasolineTankArea
The geographic risk profile in a zone is represented using the visible color spectrum, where a
colorindicatesthefrequencyofagasrelease(orafirerelease)existingatthatspecificlocation. At
anyparticularlocation,colorsontherightsideofthevisiblecolorspectrumindicatehighlikelihood
ofagasreleaseorfireandcolorsontheleftsideofthevisiblespectrumindicatelowlikelihoodofa
gasreleaseorfire.
Figure9. GeographicRiskProfile(UnmitigatedbyGasDetection)
Figure10presentsthemitigatedgeographicriskprofilethat includesriskreductionbythegas
detectionsystem. Inthiscase,thegassystemcomprisesoftwopointdetectorsonthe leftsideof
thetankandanopenpathdetectorbetweenthetankandtheassociatedtransferpumps.Thegraph
containscolorspredominantlyonthe leftsideofthevisiblecolorspectrum indicatingthattherisk
hasbeensubstantiallyreduced. Thisfigureisdrawn,onceagain,byconsideringalloftheleaksthat
arepossible,butinsteadofplottingallofthegasclouds,onlythegascloudsthatarenotdetectedby
-
7/30/2019 Performance Based Gas Detection System Design
12/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page12
the gas detection array are plotted. In addition, a calculation of the fraction of releases that are
detectediscalculated. Thisdetectionfractionisthescenariocoverage,whichcansubsequentlybe
usedintheriskintegrationeventtree.
Figure10. GeographicRiskProfile(UnmitigatedbyGasDetection)
FGSSafetyAvailabilityAs discussed earlier, performance targets for safety availability need to be assigned and verified
along with the detector coverage. The ISA Technical Report TR 84.00.07 specifically defines the
metricintermsofsafetyavailabilityinlieuofsafetyintegritylevel(SIL)becauseitwasbelievedthat
assigningsafety
integrity
level
would
be
inappropriate
for
fire
and
gas
systems.
The
effectiveness
of
afireandgassystemtorespondondemandisprimarilyafunctionofthedetectorcoveragerather
thantheruggednessofhardwareelements.Thedetectorcoveragehastobeextremelyhigh(99%)in
orderforthedifferencebetweenSIL2andSIL3probabilityoffailuretobeofanysignificance.
Duringthe conceptualdesignofthe fire andgassystem,FGS safety functionsaredefinedand
targets for safety availability are assigned in accordance with the guidelines given in the FGS
philosophy document.The fire and gasdetectionequipmentselected to achieve the performance
targetmustmeetboththegeneralandspecificrequirementsspecificationasappliedtotheoverall
system.
The
factors
that
influence
the
FGS
functions
ability
to
achieve
the
target
are
component
selection, fault tolerance, functional test interval, effect of common cause failures, and the
diagnosticcoverageofdevicesintheloop.Allthesevariablesareusedinthecalculationstoverifyif
the specified safety availability target has been achieved. The safety availability verification
calculationsareidenticaltotheSILcalculationsdoneforsafetyinstrumentedsystemsandarebased
ontheequationscontainedintheISATechnicalReportTR84.00.02.
-
7/30/2019 Performance Based Gas Detection System Design
13/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page13
The verification calculations aredoneusing a customized tool kit that isdeveloped from the
equationsgiven in the ISATechnicalReportTR84.00.02.Asanoption, theverificationcalculations
canalsobeperformedmanuallyusingthesameequationswiththeaidofasoftwareapplication.
2.5. GasDetectionSystemSafetyRequirementsSpecificationThe
next
step
in
the
gas
detection
system
life
cycle
is
to
generate
the
gas
detection
system
safety
requirements specification (SRS) for the system. The safety requirements specification is a
comprehensivedocumentthat includesdetectorplacementdrawings,cause&effectdiagramsand
generalrequirementsontheattributesofthegasdetectionsystem.
After verifying the safety availability of all the functions, the final design needs to be
documented in a safety requirements specification (SRS). The SRSdefineshow the gasdetection
system will perform and it is essentially the basis for the design and engineering of the FGS
equipment.Itcontainsnotonlythefunctionalspecificationthatdefinesthedesignbasisbut italso
containsintegrityspecificationsthatdefinethesystemintermsofitsperformancemetrics(detector
coverage and safety availability). The FGS requirements specification provides the functional
specificationof
the
FGS
logic
solver
which
could
be
either
take
the
form
of
cause
and
effect
diagram
orabinarylogicdiagram.TheIEC61511/ISA84standardsprovideguidelinesandachecklistforthe
itemsthatmustbepartoftheFGSrequirementsspecification.
2.6. DetailedDesign&ProcedureDevelopmentThe next step in the gas detection system design life cycle involves the detailed design and
engineeringof the system. This step involves a varietyof tasks such as loop sheetdevelopment,
internalwiring diagram preparation, cable schedule drawingdevelopment, andPLC (logic solver)
programming. Alongwiththedetaileddesignandengineering,proceduresarealsodeveloped for
the fire and gas system for various phases of the life cycle, such as startup, operations,
maintenance,and
de
commissioning.
It
is
quite
likely
that
design
shortcomings
may
be
discovered
duringproceduredevelopmentandthismaytriggertheneedtorevisittheinitialstepsofthesafety
lifecycleandmakechangestoincludeprovisionsforbypassesandresetswithouthavingtotakethe
systemoffline.Ifahardwarecomponentinthefireandgassystemfails,thefailedcomponentmust
be detected and repairedwithin themeantimetorepair (MTTR) thatwas assumed during the
designphaseandsystemmaintenanceproceduresmustclearlyaddressrepairsofthisnaturethat
haveanimpactonthefacilitystolerablerisklevel.Finally,thefunctionaltestingofthefireandgas
systemneeds tobecarriedoutonaperiodicbasisandproceduresneed tobedeveloped for the
same.
2.7. Procurement,Construction&InstallationThe next step in the fire and gas system life cycle involves the procurement, construction and
installationoftheequipmentthathasbeenengineered.Physicalhardwaresuchas,instrumentation
cabinets, cables, fire detectors, and gas detectors will be purchased and installed on site. It is
recommendedthatcautionbeexercisedduringtheinstallationoffieldequipmentforgasdetection
systemsbecausethelocationandorientationofthedetectionequipmenthasaprofoundimpacton
thesystemsabilitytoachievetolerablerisk.The locationandorientationofthedetectorsmustbe
consistent with the values given in the safety requirements specification. Furthermore, the
-
7/30/2019 Performance Based Gas Detection System Design
14/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page14
placementof equipmentwith respect to thedetectorsmustbe consistentwith the assumptions
made during the design phase. Upon successful completion of the hardware installation, the
softwareisinstalledintothesystemandthelogicsolveriscustomprogrammedforthefacility.
2.8. PreStartupAcceptanceTesting(Validation)The
IEC
61511
standard
requires
that
automated
safety
systems
like
gas
detection
systems
be
validatedbeforetheycanbeturnedovertooperationsandmaintenance.Validation isthetaskof
verifyingthe installationofgasdetectionsystemequipmentandsoftwareprogrammingtocheck if
the installation is conformancewith both the safety requirements specification and the detailed
engineering documentation. Validation involves a complete physical test of all safety critical
functionsstarting from the fieldall theway to theplantcontrol room.Thedeviationsdiscovered
duringthisstepwillbedocumented inarecordcalledpunch listandthe items inthepunch list
needtobesatisfactorilyresolvedbeforethesystemcanbehandedovertoplantpersonnel.
2.9. Operations,Maintenance&TestingOnce
the
validation
is
completed,
the
system
is
turned
over
to
operations
and
maintenance
for
day
todayoperations,which includesimplethingssuchasrespondingtoalarms,respondingtofailure
alarms, and periodic functional testing and preventivemaintenance to ensure that performance
levelsthatwerespecifiedduringdesignarebeingachievedroundtheclockthroughoutthelifecycle
of the facility. During the normal operation and maintenance phase of the life cycle, periodic
function testing and maintenance need to be carried out to ensure that the targets for the
performancemetrics(detectorcoverageandsafetyavailability)arestillachieved.
2.10.ManagementofChange(MOC)During the lifecycleof the facility,anychangesmade tothe facilityorto thatof the fireandgas
systemneed
to
be
considered
in
the
safety
life
cycle
to
make
sure
that
the
change(s)
do
not
affect
theperformanceofthesystem.Itisnotunusualforafacilitytogothroughawiderangeofchanges
suchasretrofittingequipment,addingnewpumps,buildingnewstructure,etc.Thesechangesmay
increasethenumberofleaksources,changezonedefinitionandmayalsochangethecategorization
ofthezonediscussedearlier. It isalsopossiblethatthesechangesmayobstructtheabilityofgas
detection equipment andmay compromise the achieved detector coverage. It is therefore very
importanttomakesurethatthefacilitysmanagementofchangeprocedures includesstepbystep
instructionstoreviewchangesthathavean impactonthegasdetectionsystem.If it isdetermined
thatchangeswillimpacttheperformanceofthegasdetectionsystem,theappropriatestepsinthe
safetylifecycleofthesystemneedstoberevisitedanddesignmustberevised.
-
7/30/2019 Performance Based Gas Detection System Design
15/15
Oil&GasIndustryConclaveIOCL,Delhi,India Page15
3. CONCLUSIONRiskassessmentmethodsarebeingincreasinglyusedinthedesignofinstrumentedsafeguards,such
asSIS,AlarmSystems,HIPPS,etc.Gasdetectionsystemsarenoexceptiontothistrend.However,
gasdetectionsystemsareonlycapableofmitigatingtheconsequence,whereassafetyinstrumented
systemsarecapableofpreventingtheconsequencefromoccurringwhichgreatlycomplicatestheir
analysis.The
hazards
associated
with
fire
and
gas
systems
are
general
in
nature
and
it
is
difficult
to
characterizetheminthecontextof layersofprotectionanalysis(LOPA).Initiatingeventscausedby
pipe leaksduetocorrosion,erosion,andotherphysicochemicalforcesaretypicallynot included in
LOPA.
TheISATechnicalReportTR84.00.07providesrecommendationsforthedesignofgasdetection
systemsinopendoorchemicalprocessareashavingserioushazards.Thetechnicalreportproposes
that an FGS be designed similar to a SIS if detector coverage is considered as an additional
performancemetric.Thispaperhasprovidedanoverviewoftheriskassessmentmethodsused in
thedesignof fire and gas systems andhasdescribed themethods available to assign and verify
targetsfortheperformancemetrics.Thispaperalsoprovidesaroadmapofthesteps involvedthe
safetylifecycleofagasdetectionsystemexplaininghoweachstepisinterconnectedwiththeother
andwhyitisimportanttofollowaholisticapproachtothedesignofautomatedsystemsinasafety
criticalenvironment.
REFERENCES
1. ISA TR84.00.07 The Application of ANSI/ISA 84.00.01 2004 Parts 13 (IEC 61511 Parts 13Modified) forSafety InstrumentedFunctions (SIFs) inFire&GasSystemsVersionA,October
2007.