1、 ISA-TR84.00.07-2010 Technical Report Guidance on the Evaluation of Fire, Combustible Gas and Toxic Gas System Effectiveness Approved 15 January 2010 ISA-TR84.00.07-2010 Guidance on the Evaluation of Fire and Gas System Effectiveness ISBN: 978-1-936007-43-1 Copyright 2010 by ISA. All rights reserved
2、. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher. ISA 67 Alexander
3、 Drive P.O. Box 12277 Research Triangle Park, North Carolina 27709- 3 - ISA-TR84.00.07-2010 Copyright 2010 ISA. All rights reserved. Preface This preface is included for information purposes and is not part of ISATR84.00.07. This technical report has been prepared as part of the service of ISA, the
4、International Society of Automation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA, 67 Alexander
5、Drive; P.O. Box 12277; Research Triangle Park, NC 277099; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standardsisa.org. This ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the International System of Units (SI
6、) in particular, in the preparation of instrumentation standards, recommended practices, and technical reports. The Department is further aware of the benefits to users of ISA standards documents of incorporating suitable references to the SI (and the metric system) in their business and professiona
7、l dealings with other countries. Toward this end, the Department will endeavor to introduce SI and acceptable metric units in all new and revised standards documents to the greatest extent possible. The Metric Practice Guide, which has been published by the Institute of Electrical and Electronics En
8、gineers (IEEE) as ANSI/IEEE Std. 268-1992, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors. It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standa
9、rds. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical reports that ISA develops. CAUTION ISA DOES NOT TAKE ANY POSITION WITH RESPECT TO THE
10、 EXISTENCE OR VALIDITY OF ANY PATENT RIGHTS ASSERTED IN CONNECTION WITH THIS DOCUMENT, AND ISA DISCLAIMS LIABILITY FOR THE INFRINGEMENT OF ANY PATENT RESULTING FROM THE USE OF THIS DOCUMENT. USERS ARE ADVISED THAT DETERMINATION OF THE VALIDITY OF ANY PATENT RIGHTS, AND THE RISK OF INFRINGEMENT OF SU
11、CH RIGHTS, IS ENTIRELY THEIR OWN RESPONSIBILITY. PURSUANT TO ISAS PATENT POLICY, ONE OR MORE PATENT HOLDERS OR PATENT APPLICANTS MAY HAVE DISCLOSED PATENTS THAT COULD BE INFRINGED BY USE OF THIS DOCUMENT AND EXECUTED A LETTER OF ASSURANCE COMMITTING TO THE GRANTING OF A LICENSE ON A WORLDWIDE, NON-D
12、ISCRIMINATORY BASIS, WITH A FAIR AND REASONABLE ROYALTY RATE AND FAIR AND REASONABLE TERMS AND CONDITIONS. FOR MORE INFORMATION ON SUCH DISCLOSURES AND LETTERS OF ASSURANCE, CONTACT ISA OR VISIT: www.isa.org/StandardsPatents. OTHER PATENTS OR PATENT CLAIMS MAY EXIST FOR WHICH A DISCLOSURE OR LETTER
13、OF ASSURANCE HAS NOT BEEN RECEIVED. ISA IS NOT RESPONSIBLE FOR IDENTIFYING PATENTS OR PATENT APPLICATIONS FOR WHICH A LICENSE MAY BE REQUIRED, FOR CONDUCTING INQUIRIES INTO THE LEGAL VALIDITY OR SCOPE OF PATENTS, OR DETERMINING WHETHER ANY LICENSING TERMS OR CONDITIONS PROVIDED IN CONNECTION WITH SU
14、BMISSION OF A LETTER OF ASSURANCE, IF ANY, OR IN ANY LICENSING AGREEMENTS ARE REASONABLE OR NON-DISCRIMINATORY. ISA REQUESTS THAT ANYONE REVIEWING THIS DOCUMENT WHO IS AWARE OF ANY PATENTS THAT MAY IMPACT IMPLEMENTATION OF THE DOCUMENT NOTIFY THE ISA STANDARDS AND PRACTICES DEPARTMENT OF THE PATENT
15、AND ITS OWNER. ISA-TR84.00.07-2010 - 4 - Copyright 2010 ISA. All rights reserved. ADDITIONALLY, THE USE OF THIS DOCUMENT MAY INVOLVE HAZARDOUS MATERIALS, OPERATIONS OR EQUIPMENT. THE DOCUMENT CANNOT ANTICIPATE ALL POSSIBLE APPLICATIONS OR ADDRESS ALL POSSIBLE SAFETY ISSUES ASSOCIATED WITH USE IN HAZ
16、ARDOUS CONDITIONS. THE USER OF THIS DOCUMENT MUST EXERCISE SOUND PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY UNDER THE USERS PARTICULAR CIRCUMSTANCES. THE USER MUST ALSO CONSIDER THE APPLICABILITY OF ANY GOVERNMENTAL REGULATORY LIMITATIONS AND ESTABLISHED SAFETY AND HEALTH PRACTICES B
17、EFORE IMPLEMENTING THIS DOCUMENT. THE USER OF THIS DOCUMENT SHOULD BE AWARE THAT THIS DOCUMENT MAY BE IMPACTED BY ELECTRONIC SECURITY ISSUES. THE COMMITTEE HAS NOT YET ADDRESSED THE POTENTIAL ISSUES IN THIS VERSION. The following served as members of ISA84 in developing this technical report: NAME C
18、OMPANY W. Johnson, Chair E I du Pont V. Maggioli, Managing Director Feltronics Corp R. Adamski RA Safety Consulting LLC T. Ando Yokogawa Electric Co R. Avali Westinghouse Electric Corp L. Beckman Safeplex Systems Inc J. Campbell ConocoPhillips I. Chen Aramco R. Chittilapilly Oil http:/www.hse.gov.uk
19、/offshore/strategy/fgdetect.htm. 2.5 CCPS/AIChE, Layer of Protection Analysis: Simplified Process Risk Assessment, First Edition, New York, 2001. 2.6 CCPS/AIChE, Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition, New York, 2000. 2.7 ANSI/ISA-TR84.00.02, Safety Instrumented S
20、ystems (SIS) Safety Integrity Level (SIL) Evaluation Techniques, International Society of Automation, Research Triangle Park, NC, 2002. 2.8 IEC 61511 Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1, 2 and if detectable, the FGS may or may not be effective in m
21、itigating the larger hazard. This complexity has not been incorporated into the risk model in this technical report. For the sake of simplicity, it is assumed that a hazardous event that is not detected due to inadequate detector coverage results in an unmitigated hazard that is beyond the capabilit
22、y of the FGS to effectively mitigate. The second aspect of FGS effectiveness represents the probability of successful FGS activation upon a detected release. FGS functions are comprised of sensor(s), logic solver(s), and final element(s). Successful activation is assumed to result in a successfully
23、mitigated hazard. Failure of the FGS function to operate on demand results in escalation of hazard. Quantification of the probability of failure on demand can be performed using the techniques presented in ISA-TR84.00.02 (ref 2.7). The third aspect is the mitigation effectiveness, which has a signif
24、icant impact on the event outcome and should be carefully considered when evaluating FGS effectiveness. The design intent of an FGS is typically not to prevent a hazardous condition from initially occurring, but rather to reduce (or mitigate) the consequences to a lower level. A small fire is preven
25、ted from becoming a large fire that can escalate into a catastrophic consequence. A small gas release that presents a toxic and/or fire hazard is prevented from becoming a large gas accumulation that could result in a catastrophic consequence. Therefore, the residual risk associated with successful
26、FGS operation needs to be considered in the overall determination of risk acceptability, as well as the probability of FGS failure leading to larger consequences. There will be situations in which a detected fire or gas release with successful activation of the FGS function will not result in comple
27、te or effective mitigation. The success or failure of the mitigation system is related to magnitude of the event being mitigated and the limitations of the mitigation strategy itself. Mitigation effectiveness is high when detection of the loss of containment occurs soon enough to allow the desired s
28、afety action to be taken prior to escalation of the hazard. Late activation of the FGS (possibly ISA-TR84.00.07-2010 - 18 - Copyright 2010 ISA. All rights reserved. due to inadequate detector coverage or one or more FGS component failures) would likely result in a hazard magnitude beyond that for wh
29、ich the FGS was designed. Mitigation effectiveness may be accounted for in different ways depending on the risk analysis method being used. For simplified analysis, many users choose to exclude FGS from consideration as a protection layer due to the uncertain or unpredictable outcome of FGS action.
30、When an FGS is considered a protection layer, users often consider mitigation effectiveness in assessing the residual or secondary consequence of successful FGS action. For instance, when a deluge system operates, it may not completely mitigate the fire to a tolerable consequence severity. In this c
31、ase, the risk analysis would estimate the consequence severity, taking into account the mitigative effectiveness of the deluge system. This consequence severity may not be significantly different from the consequence without the deluge system, depending on the mitigation effectiveness. For advanced
32、analysis, the mitigation effectiveness would be explicitly included. However, the scope of this technical report is limited to assessing the impact of detector coverage in situations in which the FGS action is considered effective in limiting the hazardous event severity. Consequently, the mitigatio
33、n effectiveness has a PFD = 0 for the success state in Figure 1. Detailed guidance on assessing mitigation effectiveness is not included in this report. The event-tree model can also be used to assess the overall potential risk associated with the hazard scenario by determining the weighted average
34、consequence (Figure 1). This is accomplished by multiplying the likelihood of each outcome by its consequence severity ranking and then summing each outcomes contribution. The weighted average consequence and the hazard scenario likelihood yield the overall scenario risk, which can be compared to th
35、e users risk criteria. For example, the risk can be described by: Risk = CWAx Funmitigatedx PFD(IPL1)x PFD(IPL2). x PFD(IPLn)Where: CWA = Weighed average consequence Funmitigated= Frequency of hazard in events per year PFD(IPLn)= Probability of Failure of Independent Protection Layer Once the risk i
36、s understood, means can be identified to reduce this risk if necessary, such as taking steps to reduce the frequency of the unmitigated event, to improve the independent protection layers that prevent the event, or to improve the FGS effectiveness to reduce the weighted average consequence. Alternat
37、ively, a quantitative risk analysis (QRA) can be used to make decisions about the risk reduction strategy (ref 2.6). The QRA should be based on a comprehensive risk analysis and consequence modeling for the hazardous event under consideration. However, the application of QRA is beyond the scope of t
38、his technical report, so further discussions will focus on the use of simplified risk analysis. Where possible and practical, other instrumented safety systems, such as safety instrumented functions, should be designed to prevent loss of containment. The development of a methodology to allow the all
39、ocation and verification of the risk reduction capability of an FGS function should not be construed as an endorsement of the use of an FGS function in lieu of a properly designed safety instrumented function. Thus, if risk analysis determines that two orders of magnitude of risk reduction is requir
40、ed to address a high pressure scenario in a vessel, a safety instrumented function closing inlet feed to the vessel upon detection of high pressure with a risk reduction of two orders of magnitude is preferable. - 19 - ISA-TR84.00.07-2010 Copyright 2010 ISA. All rights reserved. This technical repor
41、t does not endorse addressing the above hazardous event with a safety instrumented function achieving one order of magnitude in combination with an FGS function providing the remaining one order of magnitude in risk reduction. This technical report focuses on the implementation of FGS to protect peo
42、ple and the environment when the process is operating normally, but loss of containment has occurred due to such factors as corrosion, erosion, leaking gasket, and tubing failure. Thus, consider a different scenario where the pressure in the vessel is within tolerable limits (e.g., not high) and los
43、s of containment has occurred. In this scenario, an FGS function is an appropriate choice for reducing the risk, because there is no potential for implementing a safety instrumented function to prevent loss of containment. It is advisable to use an approach that ensures: Loss of containment is minim
44、ized through implementation of preventive systems and an equipment mechanical integrity program; and. FGSs are designed and managed to be effective in reducing the impact of loss-of-containment events. 6 Performance-based FGS Lifecycle Process Design and implementation of an FGS can be performed in
45、a manner that is consistent with the underlying principles of both ANSI/ISA-84.00.01-2004 and IEC 61511. The safety lifecycle (Figure 2) can form the basis for the FGS design and management process. Prescriptive approaches for the design of some/all components of an FGS are provided in recognized an
46、d generally accepted good engineering practices (ref 2.2 and 2.3). In complex release scenarios, especially those involving high-risk exposure (e.g., offshore oil however, the actual hazard may include one or more of the following: - Vapor cloud explosion (confined or semi-confined) - Fire - Toxic i
47、nhalation exposure The hazard is a function of volume of hazardous material, concentration, and level of confinement in the case of vapor-cloud explosion. As the volume increases, the likelihood of a greater severity hazard increases. Therefore, the detector placement is predicated on criteria to de
48、tect the gas concentration early enough that action can be taken prior to the release becoming a larger gas cloud of potentially higher concentration. With earlier activation, the hazard potential may be lowered (e.g., maximum explosion overpressure that could be tolerated without severe damage or l
49、oss of life). The development of these criteria is addressed in Ref 2.6 but is outside the scope of this technical report. In the case of vapor-cloud explosions, care needs to be taken when specifying and determining the potential maximum overpressures. Most models have been shown to be limited in application. TNT equivalency methods are not transferable to vapor-cloud explosions, yet many frequently do this in error. Physics-based models are preferred. Damage estimates should not be based upon TNT explosion overpressure data in the near field because the TNT model assume