SIS Survivability and Fire Safety

In my experience, few subjects cause more confusion and misunderstanding in the instrumentation and SIS arena than Fire Safety.  Even that term probably causes confusion.  To be clear, we won’t be talking about fire wardens or sprinkler systems in this post.

Today’s post is all about how the risk of fire is considered in SIS and general instrumentation design.  This subject obviously applies to refineries and other oil & gas facilities, but it is also applicable to other plant types.  In order to dispel common misconceptions, this wide-ranging post will touch on a number of different aspects of fire safety.  We won’t go into much depth on most of them, but relevant standards are provided for further reading.

ISA/IEC 61511 Survivability

First things first: what do the SIS standards say?  The performance-based SIS standards do not go into any detail on fire safety, but the requirement is generally captured in this SRS requirement:

“definition of the requirements for any SIF necessary to survive a major accident event, e.g., time required for a valve to remain operational in the event of a fire.”

The survivability requirement applies to many other catastrophic events (e.g. earthquakes, floods, explosions), but fire is given as a specific example.  It is noted elsewhere in the standard that fire is also a potential source of common cause failure to be considered in the design.

That’s it from the SIS standard.  For more detailed fire safety guidance, we must look elsewhere.

Classified Areas vs. Fire Hazardous Areas

A reasonable next question:  When should I be concerned about the risk of fire?  This leads us to our first common misconception.

Classified Areas

A classified area (aka hazardous area) is a location where flammable gases, vapors, liquids, dusts etc. may exist under certain conditions in sufficient concentrations to ignite.  Identification of these classified areas is covered under several standards, including API 500/505, IEC 60079, and NFPA 497.

Classified areas and their standards are all about how to properly design electrical systems for these areas so as to minimize the risk of igniting the combustible fluids.  They are all about what happens before a fire is started, and they say nothing about what happens after the fire.  SIS equipment installed in a classified area needs to be designed for the area classification, but that says nothing about the fire survivability of the SIS.

Fire Hazardous Areas

What you are really looking for is the Fire Hazardous Area (aka the fire zone or fire scenario envelope). This is the area where a pool fire is most likely to form and burn with sufficient intensity to damage equipment.  The two most important industry standards on this subject are API 2001 (Fire Protection in Refineries) and API 2218 (Fireproofing Practices on Petroleum and Petrochemical Processing Plants).  API 2001 is a more general document that, among other things, introduces the concept of the Fire Hazard Analysis (FHA) and makes the point that:

“Those concerned with fire prevention and protection should recognize that (although related) a process hazards analysis is not a fire protection analysis.”

API 2218 is more detail oriented and introduces the concept of Fire Scenario Envelopes.  The envelope is the space where it is likely (based on equipment configuration) that a pool fire could form with enough intensity to cause significant equipment damage.  The practice also provides generic guidance for different common equipment types as shown in the sample below:

API 2218 also provides specific guidance for fire protection of electrical and instrument cabling.  Cabling for emergency shutdown, isolation, and/or depressuring systems needs to be protected from fire exposure for 15-30 minutes unless the systems are designed to fail safe in a fire scenario.  Preferred methods for fire protection include underground burial and routing outside the fire envelope, with cable fireproofing less preferred.  Note that since most SIS systems are fail safe (i.e. de-energize to trip) this means that their cabling generally does not need to be fireproofed (at least not for safety reasons).

When fireproofing is required, there are several alternatives for different application requirements.  We will not discuss them in detail here, but they include:

Operating companies often have their own fire zone standards and methodologies, but they are generally based on the API practices above.

Fire-safe vs. Fail-safe Valves

Regardless of whether cables, transmitters, actuators, etc. need to be fireproofed, any fail-closed shutdown valve located in a fire zone (and handling combustible materials, of course) likely needs to maintain tight closure during a fire (i.e. not feed the fire).  A valve designed to maintain a tight seal during a fire is commonly called a “fire-safe” valve.

Note:  The “fire-safe” term implies nothing about the de-energize-to-trip “fail-safe” design of the loop, just that the valve seat will remain tight in a fire (for a while).

Standards for fire-safe valves are confusing.  Common standards include API 607, API 608, API 6D, and ISO 10497.  Per the API 553 guidance on emergency block valves:

“Generally, metal-seated isolation valves (such as gate, ball, high-performance butterfly, etc.) are tested to API 608, Metal Ball Valves—Flanged, Threaded, and Welding Ends. […] Soft-seated valves require testing to API 607 or equivalent standard.”

Clear enough, right?  Until you actually check API 608, and it says valves should be tested per API 607.  And apparently API 607 is nearly identical to ISO 10497 (at one time they were exactly identical).  The API 6D standard on pipeline valves is even less specific, allowing the reader to choose between four different standards.  As a result of all this ambiguity, it is common to see API 607 specified for metal-seated valves even though it is technically a standard for soft-seated valves.  Bottom line:  all of these standards are pretty similar, so unless you have very specific performance requirements, it likely will not make a difference which standard is chosen.

A common error you will hear (from both vendors and users) is that “this valve has a metal-to-metal seat, so it is inherently fire-safe”.  While there is some truth that a metal-to-metal seat is generally more robust to fire than a soft seated valve, no valve is inherently fire safe.  API 553 is quite clear that no valve is inherently fire-safe, and all fire-safe valves should be type-tested to confirm performance:

“It is not sufficient for the valve to have an inherent design to be fire safe such as fitted graphite packing and seal. Additionally, this “inherent design” does not ensure that the other metallurgical parts of the valve will survive a fire.”

SIS Valves vs. EBVs

Let me be clear: Emergency Block Valves (EBVs) are not the same as SIS valves.

Let me be less clear: Sometimes EBVs can be used as SIS valves and vice versa. Got it?

API 553 defines EBVs as:

“An emergency block valve (EBV) is used as a means of isolating flammable or toxic substances in the event of a leak or fire.”

The key conceptual difference is that while a SIS valve is typically part of a preventive measure to avoid loss of containment, an EBV is (by definition) a mitigative measure intended to be activated after the start of a leak or fire.  Unlike SIS valves, which are determined based on process risk assessments (e.g. LOPA) and designed with performance-based targets (i.e. SIL), EBVs are located and designed based on prescriptive requirements in API 553 or company standards.  Other characteristics of an EBV include:

  • Often located in the fire zone close to potential leak sources
  • Often manually initiated either by a handwheel (type A,B) or a button (type C,D)
  • Often not fail-safe (de-energize to trip) design and may require fireproofing
  • Often have longer response times than SIS valves since they are manually initiated

That said, sometimes valves in SIS service are in appropriate locations to be used as EBVs, or vice versa.  It is important to remember that this single valve would be serving two distinct purposes. The responsible engineer must ensure that any conflicting requirements are resolved.  For example, a fail last-position EBV may not meet SIL targets if used as an SIS valve.  Conversely, an SIS valve may be on the correct line, but not as close to the leak source as the EBV should be (per prescriptive guidance).

As an interesting side note, motor-operated valves (MOVs) are sometimes used as type C and type D EBVs.  API 553 requires that when an MOV is used in EBV service, the motor overloads are to be disabled to improve the reliability of valve closure.  This change invalidates any hazardous area certification (e.g. ATEX) and makes the actuator a potential ignition source in the classified area.  This trade-off is justified in the standard with the logic that the EBV is expected to be activated after the fire has started, negating any concerns about ignition sources.  An excellent example of conflicting requirements!

Fire Safety vs. Economics

Most of the above requirements and standards are primarily aimed at fire safety, i.e. preventing death and serious injury from a fire.  However, fire is also a serious economic risk to a facility, in terms of equipment damage, lost production, and loss of reputation.

The economic risk of fire is a broad topic, and I will not attempt to cover it here.  Instead, I will just highlight some common SIS and instrument practices that are primarily aimed at reducing economic risk rather than safety:

  • Fire protection for home run cables (e.g. burial, fireproofing)
  • Coiling of underground cables before coming above ground
  • Routing aboveground cables away from fire zones, when possible
  • Smoke detection and fire suppression in rack rooms, RIEs, and control rooms
  • Fireproofing of fail-safe automatic depressuring systems
  • Separate routing of network cabling

Bottom line: Much of the fire safety applied to SIS may actually be driven by economic concerns, so it is completely appropriate to perform a cost-benefit analysis to justify a decision.  Don’t fall for the “it’s safety critical, so it must always be fireproofed” canard!
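The rules summarised above (API 2218 cable protection, type-tested fire-safe seats, the SIS-valve/EBV dual-service conflicts, and the safety-versus-economics distinction) lend themselves to a simple design-review checklist. The following Python helper is an added example written for this page; it is not code from the post, from API 553/2218, or from any vendor. The record fields, the tag names and the sample loops are constructed assumptions, and each check encodes only the rule as the post states it, labelling every finding as safety-driven or economics-driven.

```python
"""Design-review checks for fire survivability of SIS valves, EBVs and their cabling.

Hypothetical helper (assumption: not from any standard or from the original
post). It applies the rules the post summarises to one record per valve loop
and tags each finding as "safety" or "economic".
"""
from dataclasses import dataclass


@dataclass
class ValveLoop:
    tag: str
    service: str                # "sis", "ebv" or "sis+ebv" (dual service)
    in_fire_zone: bool          # inside the API 2218 fire scenario envelope
    combustible: bool           # handles flammable/combustible fluid
    fail_action: str            # "close", "open" or "last" (fail last position)
    fail_safe_in_fire: bool     # de-energize-to-trip and reaches safe state under fire
    fire_safe_type_tested: bool  # seat type-tested (API 607/608, ISO 10497 or equivalent)
    cable_route: str            # "buried", "outside_envelope", "fireproofed" or "exposed"
    near_leak_source: bool = True
    mov_overloads_disabled: bool = False


@dataclass
class Finding:
    tag: str
    driver: str   # "safety" or "economic"
    text: str


def check_cabling(v: ValveLoop) -> list:
    """API 2218: ESD/isolation cabling in the envelope needs 15-30 min protection
    unless the loop fails safe in a fire; fireproofing a fail-safe loop is an
    economic choice, not a safety requirement."""
    if not v.in_fire_zone:
        return []
    if not v.fail_safe_in_fire and v.cable_route == "exposed":
        return [Finding(v.tag, "safety",
                        "unprotected cabling in fire envelope on a non-fail-safe loop: "
                        "protect for 15-30 min (burial/routing outside envelope preferred)")]
    if v.fail_safe_in_fire and v.cable_route == "fireproofed":
        return [Finding(v.tag, "economic",
                        "fail-safe loop with fireproofed cable: not required for safety, "
                        "justify by cost-benefit")]
    return []


def check_seat(v: ValveLoop) -> list:
    """A fail-closed valve in the fire zone on combustible service must hold a tight
    seat in a fire; per API 553 only a type test demonstrates that."""
    if v.in_fire_zone and v.combustible and v.fail_action == "close" \
            and not v.fire_safe_type_tested:
        return [Finding(v.tag, "safety",
                        "fail-closed valve in fire zone lacks type-tested fire-safe seat "
                        "(metal-to-metal seat alone is not evidence)")]
    return []


def check_dual_service(v: ValveLoop) -> list:
    """Conflicts when one valve serves as both SIS valve and EBV."""
    if v.service != "sis+ebv":
        return []
    out = []
    if v.fail_action == "last":
        out.append(Finding(v.tag, "safety",
                           "fail-last-position EBV used as SIS valve: unlikely to meet SIL target"))
    if not v.near_leak_source:
        out.append(Finding(v.tag, "safety",
                           "SIS valve used as EBV but not close to the leak source "
                           "(prescriptive EBV siting)"))
    return out


def check_mov(v: ValveLoop) -> list:
    """API 553 MOV-as-EBV trade-off: disabled overloads void area certification."""
    if v.mov_overloads_disabled and v.service in ("ebv", "sis+ebv"):
        return [Finding(v.tag, "safety",
                        "MOV overloads disabled for EBV closure reliability: hazardous-area "
                        "certification invalidated, record the justification")]
    return []


def review(loops) -> list:
    """Run every check over every loop and return the flat list of findings."""
    findings = []
    for v in loops:
        for chk in (check_cabling, check_seat, check_dual_service, check_mov):
            findings.extend(chk(v))
    return findings


# Constructed sample records (not real plant data).
SAMPLE_LOOPS = [
    ValveLoop("XV-101", "sis", True, True, "close", True, True, "exposed"),
    ValveLoop("XV-102", "sis", True, True, "close", True, False, "fireproofed"),
    ValveLoop("EBV-201", "sis+ebv", True, True, "last", False, True, "exposed",
              near_leak_source=False, mov_overloads_disabled=True),
    ValveLoop("XV-301", "sis", False, True, "close", True, False, "exposed"),
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOOPS):
        print(f"{f.tag:8} [{f.driver}] {f.text}")
```

XV-101 (fail-safe, type-tested, in the fire zone) raises nothing even with exposed cable, which is the post's main point; XV-102 shows a genuine seat gap beside a fireproofing decision that is economic rather than safety-driven; EBV-201 collects the dual-service and MOV conflicts that the responsible engineer has to resolve explicitly.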


I hope this post has been informative, even if you have heard some of it before.  The subject of fire safety suffers from multiple standards with different terminologies.  However, the standards can be made to fit together into a coherent whole, with some effort.  I know this post was a mile wide and an inch deep, but hopefully there is enough information to reduce the learning curve for those new to the topic.

Finally, I would not claim to be an expert in refinery fire safety.  Did I miss anything?  Any errors?  Please let me know.  Until next time, thanks for reading!


Stephen Thomas, PE, CFSE

Stephen is the founder and editor of He is a functional safety expert with over 26 years of experience.  He is currently a system safety engineer with a leading developer of autonomous vehicle technology. He is a member of the IEC 61508 and IEC 61511 functional safety committees. He is a member of the non-profit CFSE Advisory Board advising the exida CFSE program. He is the Director of Education & Professional Development for the International System Safety Society and an associate editor for the Journal of System Safety.

3 thoughts on “SIS Survivability and Fire Safety”

  1. Nigel Lander says:

    Stephen, nice overview of a subject often with conflicting requirements and a number of difficult design choices.

  2. ravisankar k says:

    Stephen Thomas

    (1) Can I provide link to your website articles when I post in Linkedin?

    (2) This article mentions “most SIS systems are fail safe (i.e. de-energize to trip)”.

    This is correct with reference to functional safety.

    In addition, the valve must move to the safe state.

    API 2218 – “Valves that fail to the safe position need not be fireproofed (but should be able to fail to their fail safe position when under a fire challenge)”

    API 553 – “SIS valves shall be fail-safe (e.g. spring return) and shall remain in their safe state position until safe conditions are present”
