Q: I have a question regarding the design of a fire and gas detection system in a control building. According to our project philosophy, the confirmed fire detection in the control room shall activate a complete shutdown in the process area. The process area will be managed by a dedicated, SIL-certified emergency shutdown (ESD) and fire and gas (F&G) PLC system.
Since the control building is far away from the process area, we designed a dedicated fire alarm control panel for the control building. The fire alarm control panel of the control building will be the same topology as the process ESD/F&G PLC system and is SIL certified. The control building’s fire detectors (smoke, flame and hydrogen) will be connected individually to the fire alarm control panel (no loops are foreseen) to maximize the reliability of the system and minimize any common-cause failures. The voting between the different detectors will be implemented as software inside the control program.
Why did we use this technique and not the addressable type of fire alarm panels, or make a loop for the different detectors? According to our design practice, we didn’t apply this technique, especially in the SIL certified system.
Is there a standard that insists on using detectors in the control building in a loop and not directly or individually connected to the fire alarm control system? Is it acceptable to use the issues from a lack of communication fire alarm control panel for this kind of application? Which is considered the most critical reason for plant shutdown?
Ragab Abdel Fattah, senior instrument engineer / [email protected]
A1: Triggering a full plant shutdown when fire is detected by a sensor should be carefully analyzed to make sure the triggering isn’t caused by a malfunctioning sensor (dust buildup, etc.) and determine that it’s safe to trigger an immediate, full shutdown of the entire plant. In many processes (such as turning off cooling), it can cause equal or worse safety problems.
If wireless sensors are used, they should be multichannel designs with two frequency bands, so they’ll automatically change the frequency band in case of interference. Also, look into why hydrogen gets into the control building in the first place, and if necessary, make sure the sensors are located at the highest point in a closed space. Why? Because hydrogen rises to the highest point, and when its concentration reaches 3% by volume, the mixture become explosive (as was the case at Fukushima). The sensor must not only be located near the ceiling, but must also be able to open a vent in addition to triggering an alarm.
I agree that your fire alarm system should be addressable (Figure 1).
In the age of artificial intelligence (AI), robots and self-operating equipment, there’s a need to reevaluate an overall safety philosophy because as AI advances, human intelligence (HI) seems to be degrading. A new generation of button pushers are growing up—I call them "clicksters,” who believe square root is a key on a keyboard, logarithm is an African insect, and wisdom is something that you can look up and print out from Google or Wikipedia.
All joking aside, we need a third layer of safety protection from operators and automation errors, and takes over control if either asks for an unsafe step to be taken. Neither human or automatic responses are reliable all the time. For example, a decision by an operator to turn off automatic safety controls caused the accidents at Chernobyl.
Depending on full automation or allowing operators to override automation are both wrong strategies because it’s hard—sometimes impossible—to make the right decision. This is similar to deciding where the fine line is betwen free speach and censorship. In both cases, the decision must not be to stick with one or the other. A third option should be considered, namely the consequences of the selected action. In terms of safety, we need an override control layer that looks at consequences, no matter who or what is initiating it, and overrules it. Naturally, this requires a deep understanding of the process being controlled, and a level of understanding that no clickster can look up on Google.
Béla Lipták / [email protected]
A2: I don’t know the regulations in your area, so you should check what I write against your local codes.
In North America and many other jurisdictions worldwide, a fire panel for manned buildings falls under different regulations. A control room is normally classified as a manned building and falls under these different regulations.
Fire panels are also classified as life safety systems (a very deliberate definition), and come under various building and fire codes (e.g. NFPA 72). The equipment, design, installation and commissioning must be certified under these fire codes. They have significant differences to the usual SIS:
- Longer battery backup times (e.g. 24 hours)
- Specific, standardized displays (mainly for fire department responders, so they can quickly access where the problem is. They deal with many different companies, so having different setups would be a problem)
- Specific input/output line monitoring
- People designing and installing this equipment must be certified under applicable codes
Be very careful specifying IEC 61508 equipment for life safety systems because some may need additional certification to comply with building/fire codes, but not usually. The insurance companies will look for the life safety system certification.
Simon Lucchini, CFSE, MIE Aust CPEng (Australia), chief controls specialist, Fluor fellow in safety systems / [email protected]
A3: Addressable loops help reduce cabling and cable costs. I’m surprised that the plant shuts downs due to fire in a control room. A spurious alarm should not trip the plant. I suggest reconsidering this situation, and providing a manual S/D button instead, which control room operators can use once they’re sure.
H S Gambhir, control and safety engineer / [email protected]
A4: Regarding whether there’s a standard or code that requires using a specific wiring methodology for your system, as far as I am aware, there is no such requirement. In fire alarm systems, using of addressable devices is common practice, and there are performance requirements in the fire codes for wiring addressable devices to a panel. Please refer to NFPA 72 about wiring systems.
Simon Pate, process control engineer / [email protected]
A5: Until instruments, automation and controls become reliable enough, I think we still need to keep humans in safety loops. Sooner or later, either instrumentation or automation will fail. Then, with so little experience in working without automation, humans won't know what to do either. That's the lesson I take home from Three Mile Island, Fukushima, Air France 447, and so many other disasters.
People become stupid when under enough stress and fatigue. I know. I’ve been stressed and fatigued at 2 a.m. on a 24-hour duty call, and experienced operators don’t come cheaply. This is more than just training. This is an attitude and a philosophy because we can't save operators from themselves. If someone has a misconception stuck in his brain, there is little we can do to remedy it. This is a cultural shift toward more process awareness and integrity monitoring.
Jake Brodsky, control engineer / [email protected]
