Some lively email exchanges occur in some of the ISA Technical and Industry email lists. I usually find out about these if one gets forwarded my way. If I could express one wish to the ISA folks it would be to web and RSS-enable these email lists, so that I could more easily discover them in my Google searches and persistent RSS search feeds.

If you’re not familiar with persistent RSS searches, I recommend you visit Google Blog Search or Google News Search. You can subscribe to any of the searches you run and you’ll get a notice when something new is posted. Or you can get an email if you choose the email alert option–as if we need more emails!

Enough with this side tangent, on to the matter in the ISA Safety email list. A thread discussed the risk mitigation effectiveness regarding fire and gas (F&G) systems as safety instrumented systems (SIS). SIS-TECH Solutions founder Angela Summers wrote a thorough response to arguments raised by several other list members. The first excerpt I gleaned is around the reliability of fire and gas systems:

An SIS is a safety function that is independent and separate from the BPCS [basic process control system], acts to achieve or maintain a safe state of the process when abnormal process conditions are detected, and achieves a PFD [probability of failure on demand] less than 0.1. As noted by other postings, a significant performance limitation for fire and gas systems is the detector and mitigation effectiveness.

Angela sums up her reasoning:

The vast majority of fire and gas systems are not SIS, because they do not achieve or maintain a safe state of the process, but rather act after equipment design limits have been exceeded. Further, fire and gas systems are not typically capable of achieving the required dependability (integrity and reliability) to be considered an IPL [independent protection layer].

Fire and gas systems may be implemented in the SIS logic solver according to IEC 61511/ISA 84.00.01-2004, which requires that the user ensure that the non-SIS functions do not impact the functionality and/or integrity of the SIS.

In my email thread that circulated among the Emerson safety expert community, TÜV CFSE-certified Len Laskowski, whom you may recall from earlier safety posts, agreed with Angela’s reasoning:

An F&G system is almost impossible to attain a SIL 1 level risk reduction for the effectiveness reasons Angela states. I also agree that for prevention or maintaining a safe state of the process, it cannot be considered an IPL and it should not be given credit in a LOPA to prevent an incident. However, it is an SIS system because IEC 61511 defines SIS to be preventive or mitigative. F&G is clearly mitigative because the incident has already occurred. F&G tries to mitigate the hazard as best it can and give operations time to escape or take further actions. It just rarely achieves a SIL level. If one wants to disqualify it as an SIS because it is not at least SIL 1, well we need to discuss that a bit further. Yes, we can do them in the SIS system as long as in doesn’t affect the SIS as Angela states. And yes, we should make them as reliable as possible. Reliability and availability is the name of the game for F&G.

Len is also a member of SP84 Working Group 6 sub-committee on Fire & Gas Systems. This working group is developing a Technical Report (ISA-TR84.00.07) to clarify the relationship between Fire & Gas Systems and Safety Instrumented Systems.

Emerson’s Mike Boudreaux, whom you also may recall from earlier posts was the one who looped me in on this email. He adds:

DeltaV SIS was designed for emergency shutdown (ESD), burner management systems (BMS), and fire and gas (F&G) applications. There are often significant integration benefits to implementing the ESD, F&G, and BMS systems in the same SIS platform. Without question, an F&G system benefits from the SIS Safety Lifecycle model provided by IEC 61511.

There are significant differences between F&G and ESD applications. While an ESD system switches outputs off if it detects a dangerous situation, a F&G system will normally switch on water sprays or inert gas discharge in the case of fire, or sound alarms and switch on blowers in the case of releases of toxic or flammable gas.

Here is a summary of the major differences between F&G and ESD applications:

• An ESD system operates before the accident has occurred, whereas an F&G system takes action to minimize the effects of the incident after it has occurred.
• An ESD system is typically the facility’s last line of prevention against an incident, whereas a F&G system is typically the first line of mitigation of an incident.
• An ESD system is evaluated on the probability that it will be able to act when a demand occurs. A F&G system is evaluated based on the effectiveness to detect and mitigate the incident once it has occurred.
• Most ESD systems are SIL rated, whereas most F&G systems are not SIL rated.
• Most ESD systems are normally energized, whereas most F&G systems are normally de-energized (energize to trip).
• An ESD spurious trip causes plant downtime, whereas an F&G spurious trip can cause equipment damage and potential injury.

If your responsibilities include safety instrumented systems, there are some really good and hotly debated discussions going on that you may want to join. I only wish these were more visible and easily found through searches and persistent RSS searches.

Update: Mike sent me a Twitter tweet that he has a Safety Instrumented Systems Friendfeed room setup and added this post. You may want to join this room if you have an interest in SIS and want to see items as they are posted by Mike, me and others (including you) who are members of this room.