Unclassified

BG Group Standard
High Integrity Protection Systems (HIPS)
BG-ST-ENG-PROC-012

Document and Version Control

Version  Author                                   Issue Date        Revision Detail
01       T. Arnold                                09 November 2007  Issued for use
01a      T. Arnold                                10 March 2008     Updated/Issued for use
02       W Dunning                                31 March 2008     Revised and re-issued
02a      W Dunning                                13 November 2008  Approvers changed
3.0      T. Arnold                                01 January 2011   Revised with Subsea HIPS included and to reflect updated Standards template. Revisions detailed in Appendix D
3.1      HSSE Assurance Manager (Antony Mullin)   05 March 2012     Changed to unclassified

Doc Ref: BG-ST-ENG-PROC-012
Author: T Arnold

Version: 3.1 (05 March 2012)


BG Group 2012

Contents

1.0 Executive Summary
2.0 Ownership
3.0 Objectives
4.0 Scope and Application
5.0 Links to Other Controls
6.0 Standard Requirements
7.0 Why do we need HIPS?
8.0 Relief / HIPS Selection
  8.1 Code Provisions
  8.2 HIPS Selection in BG
9.0 HIPS Justification and Design
  9.1 Basis for HIPS Design
  9.2 Analysis Requirements
  9.3 HIPS Configurations
  9.4 Hazard Analysis
  9.5 Safety Integrity Level (SIL) Targeting
  9.6 Reliability Analysis
  9.7 Functional Performance Requirements (Dynamic Analysis)
  9.8 HIPS Valve Leakage
  9.9 Diagnostic Capability
  9.10 Common Cause Failures
  9.11 Performance Standards
  9.12 HIPS Dossier
  9.13 HIPS Commissioning
  9.14 Testing Requirements
  9.15 Third Party Verification
10.0 Subsea HIPS
  10.1 The Case for Subsea HIPS
  10.2 Subsea HIPS Requirements
11.0 HIPS Operation and Maintenance
  11.1 Training and Competence
  11.2 Maintenance
  11.3 Change Management
12.0 Appendices
  12.1 Appendix A Definitions / Abbreviations
  12.2 Appendix B Units
  12.3 Appendix C Referenced / Associated Documents
  12.4 Appendix D Revision Record


1.0 Executive Summary


This document sets out mandatory requirements for the adoption and design of high integrity
protection systems (HIPS) for prevention of overpressure or unsafe excursions of other process
variables such as temperature, level, composition etc. This document applies to the design and
operation of new green field facilities and brown field modifications. Existing HIPS arrangements
shall also be reviewed against this standard.
This Standard defines the minimum requirements for conducting the activities covered by this
Standard within BG Group. The controls within the framework set the requirements for how BG
Group must operate to achieve compliance with its Business Principles.
Application of the Internal Control Framework is mandatory and this Standard details the
implementation requirements which must be followed. Breach of BG Group mandatory controls by
those to whom they apply may result in disciplinary action, up to and including dismissal.

2.0 Ownership
Owning Function: Engineering
Standard owner: Head of Engineering
Expert advisor: Phil Tudhope
Dispensation: Head of Engineering

3.0 Objectives
This document sets out the mandatory Company requirements for the adoption and design of High
Integrity Protection Systems (HIPS) for offshore and onshore assets for both new green field
developments and brown field modifications.
The document is also intended to provide guidance on the application of safety instrumented
systems (i.e. HIPS) as an alternative to conventional relief protection and to identify the mandatory
steps necessary to justify and support such a selection. The main focus of this document relates
to the use of HIPS for prevention of overpressure but the general principles within this document
also apply to the use of HIPS for prevention of unsafe excursions of other process variables such
as temperature, level, composition etc.
Whilst this document provides general guidance as to design and specification aspects of HIPS, it
is not the intent to provide detailed design requirements for such systems; these are
encompassed in the referenced industry codes.
This standard is deemed necessary for the following reasons:

- So as to provide a consistent basis across BG assets for establishing when HIPS may reasonably be adopted as a viable alternative to conventional relief or to inherently safe design;
- For ensuring that appropriate factors are considered in the analysis and selection phases;
- For ensuring that appropriate calculations are conducted to confirm the required performance targets for the HIPS and that these are achieved;
- To identify the steps and documentation required in order to justify and support adoption of such systems;
- To incorporate lessons learned and to avoid some of the mistakes made with HIPS historically within BG and within the industry as a whole.

This document applies to the following facilities:

- Onshore and offshore gathering and processing facilities from downstream of the wellhead Christmas tree wing valve to the export or sales battery limit or boundary;
- Onshore and offshore pipelines (including flowlines);
- LNG liquefaction, export and import facilities;
- Temporary plant and piping.

Whilst the principles within this standard are applicable for the transmission and distribution
business segment, the Institute of Gas Engineers Recommendations on Transmission and
Distribution Practice, Pressure regulating installations for transmission and distribution systems,
IGE/TD/13 code is the generally recognised standard for the design of pressure letdown stations
and overpressure protection within this sector and this is considered accepted practice in place of
this standard. The use of this standard in such applications is considered optional [12].

Drilling and well completion equipment is excluded from the scope of this document.
The range of Business segments and Value Funnel lifecycle stages to which this Standard applies
are identified below:

4.0 Scope and Application


A High Integrity Protection System (HIPS) is a safety instrumented system (SIS) designed to
prevent an unsafe condition from arising. This usually relates to excess pressure but HIPS may
also act to prevent high/low temperature, high/low level, high / low composition (e.g. concentration
of a component) and so on.
In the case of over-pressure protection, HIPS is applied where the plant or system is not fully rated
to the pressures to which it might be exposed in a mal-operation, shutdown or fault condition and
either there are no mechanical protective systems (e.g. bursting disc, relief valve) to prevent
overpressure and potential loss of containment or, whilst these systems are present, they are
inadequate alone to prevent loss of containment in certain reasonably foreseeable circumstances
(e.g. they are not sized for the worst case).
HIPS typically sense attainment of a critical value for the relevant process parameter (e.g. high
pressure) and act via a logic solver to take actions to prevent this value rising (e.g. in the case of
pressure) further towards an unsafe condition (e.g. exceeding design pressure) by isolating flow,
tripping pumps, compressor or whatever is appropriate for the particular application.
A HIPS will therefore typically involve field instruments (e.g. sensors), logic solver, final control
elements (e.g. valves), power supply as well as associated inspection, testing and maintenance
procedures (although it could be configured for field sensors to act directly on final elements). The
boundaries of HIPS incorporate all aspects from the sensor to the final element.
Whilst safety instrumented systems (SIS) are applied widely in the onshore and offshore sectors
(e.g. the usual suite of process trips deployed in accordance with API RP 14C or BS EN ISO
10418), high integrity in this context relates specifically to those safety instrumented systems (SIS)
that would typically require a higher degree of integrity as they replace the protection otherwise
provided by relief valves (see Section 7.0).
Although for simplicity this standard refers throughout to generic HIPS, some industry references
may describe a High Integrity Pressure Protection System (HIPPS) or an Over Pressure Protection
System (OPPS). Whilst specifically referring to a system protecting against overpressure, this is
identical to a HIPS. The designation HIPS is used throughout this standard.

The remainder of the document refers to HIPS primarily in the context of over-pressure protection
as an example, although the same principles apply to HIPS for temperature, level, composition and
so on.

5.0 Links to Other Controls


Governing Policies: Governance & Stewardship

Complementary and linked Standards: Relief, Blowdown and Flaring (BGA-ENG-PROC-TS-0003)

Supporting Guidelines: Specifying and Achieving Functional Safety [3], BGA-ENG-INST-GL-0002

Other Supporting Documents:

6.0 Standard Requirements


Company requirement for the design of relief, blowdown and flaring systems is set out in the BG
Standard Relief, Blowdown and Flaring [2], BGA-ENG-PROC-TS-0003 and, except where noted
otherwise in that standard, is to follow the latest versions of:

- API STD 520 part 1 and API RP part 2 (Relief)
- API STD 521 (Relief and Disposal Systems)
- API STD 526 (PSVs)
- API RP 14C (Offshore)
- API RP 170 (Recommended Practice for Subsea High Integrity Pressure Protection Systems (HIPPS))
- API STD 2000 (Tank Venting)
- EN 1473 (European LNG Facilities)
- NFPA 59A (LNG Facilities where EN1473 is not used)
- ASME VIII (Pressure Vessels), particularly Code Case 2211-1
- ASME B31.3 (Facility Piping)
- ASME B31.4 (Liquid Pipelines)
- ASME B31.8 (Gas Pipelines)
- BS EN ISO 10418 (Basic Surface Process Safety Systems)
- BS PD 5500 (Pressure Vessels)
- PED 97/23/EC (Pressure Equipment)
- IGE TD codes (Transmission & Distribution)
- DIN 3381 (Safety Devices for Gas Systems)
- IP Guidelines for the Safe and Optimum Design of Hydrocarbon Relief and Blowdown Systems (ISBN 0 85293 287 1)

The above mentioned BG Standard makes reference to the choice between relief and HIPS and
provides high level guidance in this respect. This document provides more detailed Company
requirements for determining when HIPS is appropriate and the steps required to then specify,
design and implement a HIPS based design.
Company requirement for ensuring the functional safety of all safety instrumented systems (SIS) is
set out in the BG Guideline Specifying and Achieving Functional Safety [3], BGA-ENG-INST-GL-0002.
This provides guidance in achieving compliance with the following international standards
pertinent to the specification of HIPS designs:
- BS IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems;
- BS IEC 61511 Functional safety - Safety instrumented systems for the process industry sector.
Company wishes to make it clear it regards the API standards and recommended practices and BS
IEC standards mentioned above as mandatory, except where noted in this Standard. These are
not merely recommended practices which a Project or Contractor can elect to follow or not.
Company also has a number of deviations and supplementary requirements applicable to the
above industry recognised practices which are documented in this Standard.
Deviations within this Standard are where the Company believes an alternative approach is more
appropriate and achieves at least the same level of safety and good practice or better. Deviations
have also been added where the Company has learned specific lessons from past developments
or operations.
Supplementary measures within this Standard are those which either build on the principles
contained in industry practices above or aim to fill in gaps not covered by them.

7.0 Why do we need HIPS?


Typical industry standards from the American Petroleum Institute (API) and American Society of
Mechanical Engineers (ASME) provide criteria for the design and protection of vessels and
equipment from rupture or damage caused by excess pressure. In conventional design, pressure
relief devices such as pressure relief valves (PRV) or pressure safety valves (PSV) are used as the
principal means of pressure protection.
The design of each pressure relief device is based on an assessment of the overpressure
scenarios, caused by events such as blocked discharge, HP / LP breakthrough, loss of cooling or
power supply, fire and so forth.
Conventional pressure relief system design, including relief header and vent or flare sizing, does not
examine the reduction in potential loading due to hazard mitigation provided by operator response
to alarms or the initiation of instrumented protection systems, including basic process control
systems or safety instrumented systems (SIS).
However, in some applications, the use of conventional pressure relief valves is either impracticable
or may not be suitable. This is particularly the case for reactive applications but may also apply in
situations common within the oil and gas industry, such as:
- Chemical reactions so fast that the rate of pressure propagation could result in loss of containment prior to the relief device opening;
- Chemical reactions so fast or generating uncontrollable rates so as to result in impracticably large design requirements for vent or flare systems;
- Instances where plugging or deposition in relief devices may hinder effective operation (and where bursting discs may be more appropriate);
- Multi-phase venting where the vent rate is difficult to predict;
- Where a pressure relief device creates additional hazards due to its vent location;
- Where the HP / LP breakthrough relief load through a PCV may be much higher than normal throughput and result in an unfeasibly large relief system design (e.g. the receiving end of a gas / liquid pipeline);
- Where modifications to existing facilities create new potential relief loads beyond the practical capacity of existing relief systems, e.g. tieback of additional production systems (flowline / pipeline) such as above;
- For subsea tiebacks where it is either impracticable or too costly to fully rate pipelines back to a host facility.
In applications such as these, the installation of pressure relief devices may provide limited risk
reduction, not be the optimal solution or be completely impracticable. Other methods of preventing
overpressure may be necessary in these instances in order to achieve a practicable, measurable
risk reduction. This standard deals with the adoption of high integrity protection systems (HIPS) as
one such method.
There are five principal uses for HIPS:
- To eliminate a particular relief sizing scenario from the design basis;
- To eliminate a particular relief device;
- To provide system overpressure protection where a relief device is ineffective or is impracticable;
- To reduce the probability that several relief devices will have to operate simultaneously, thereby allowing a reduction in the size of the disposal system;
- To reduce the demand rate on a relief device and consequently the risk.
Commentary: HIPS are most commonly applied at HP / LP interfaces to avoid having to design
relief systems for full flow in a blocked outlet condition or loss of interface control. In such cases
they act by sensing high pressure and subsequently isolating in-flow from wells, pipeline etc., or
closing liquid outlets to prevent gas blowby. However, HIPS are not limited to overpressure
protection, at least not directly. HIPS may act to prevent other parameters reaching beyond the
design envelope, such as:

- High or low temperature exceeding design due to upstream cooler maloperation / failure, excessive Joule-Thomson effect, high heater temperature etc.;
- High level in a vessel which could lead to excess pressure (in liquid dominated systems, detection of rising level may be more effective at preventing ultimate overpressure than relying on high pressure detection due to the respective response times / rate of change) or high level in a vessel or tank where the consequence of liquid overflowing would be severe;
- Low level in a vessel that could lead to loss of level and high pressure gas blowby to a lower pressure system (level HIPS in this context might replace gas blowby relief on the downstream system where the latter is considered impracticable for good reason);
- High concentration of a key contaminant like H2S, H2O etc.

Notwithstanding the above, adoption of HIPS should only be considered if either protection
by inherent design or conventional relief is impracticable or HIPS offers a substantial benefit
over relief; refer to Section 8.0.

8.0 Relief / HIPS Selection


8.1 Code Provisions

Although the typical industry standards and codes (refer to Section 6.0) primarily cover the provision
and design of relief systems to protect against overpressure, these codes do make allowances for
the possible use of alternatives to relief valves such as instrumented protection systems. Where
used, such an instrumented system shall meet or exceed the protection that would be provided by a
suitable pressure relief device.
API STD 521
Although API STD 521 provides guidance primarily on the design of relief systems to protect against
overpressure, the Fifth Edition (Addendum, May 2008) allows consideration of instrumented
systems for protecting against overpressure or reducing the probability of an overpressure event to
such a low level that it is no longer considered to be a credible case. This standard notes that whilst
instrumented systems or HIPS can be designed to achieve a level of availability equal to or greater
than a mechanical relief device, a great deal of caution and due consideration should be applied to
selection of HIPS solutions given the special procedures necessary within the design process and
particular attention required during operational life to maintenance, testing and inspection of these
systems.
ASME Section VIII / Code Case 2211-1
Similar allowances are made within the ASME Section VIII, Division 1 and 2 code, which until 1996
required the use of pressure relief devices for pressure vessels. The subsequent approval of Code
Case 2211 (August 1996) and 2211-1 (1999) indicate conditions under which overpressure
protection (against some overpressure hazards) may be provided by a safety instrumented system
(SIS) instead of a pressure relief device.
Code Case 2211-1 allows a vessel to be protected against overpressure by system design rather
than a mechanical relief valve under the following conditions:

- The vessel or equipment is not exclusively in air, water or steam service;
- The decision to utilize overpressure protection by system design is the responsibility of the user (the manufacturer being responsible only for verifying that the user has specified overpressure protection by system design and listing Code Case 2211-1 on the data report);
- The user shall ensure that the maximum allowable working pressure (MAWP) of the vessel or equipment is higher than the highest pressure that can reasonably be achieved by the system;
- A quantitative or qualitative risk analysis of the proposed system must be made by addressing credible overpressure scenarios, demonstrating system independence from the potential causes of overpressure and confirming capability for mitigating the overpressure event;
- The analysis must be fully documented.

API RP 170
API RP 170 covers recommended practice for the application of subsea HIPS, although many
aspects of this will be applicable to any HIPS design. Reference should be made to Section 10
Subsea HIPS of this standard with regard to subsea HIPS requirements.
IP Guidelines for the Safe and Optimum Design of Hydrocarbon Pressure Relief and
Blowdown Systems
The Institute of Petroleum guidance on the design of pressure relief systems also allows
instrumented protection systems to be used to eliminate or reduce a relief load when such a load
would be excessively large. This guidance stipulates that any such HIPS should be at least as
reliable as the relief valve which it is effectively replacing. Importantly, the guidance also indicates
that it is not unusual to find HIPS installed to a level of reliability which is typically a factor of 10
greater than a relief valve, this being intended to cover the differences in failure mode associated
with the two systems, e.g. a relief valve failing open still offers some protection whereas when a
HIPS has failed to function it provides no protection.
Fire relief shall always be provided by relief valve.
8.2 HIPS Selection in BG

Reference should also be made to the BG Standard for Relief, Blowdown and Flaring
(BGA-ENG-PROC-TS-0003) [2] regarding the choice between relief and HIPS.
The use of HIPS for any particular application has both advantages and disadvantages. Therefore,
for a given case, it is necessary to weigh the risk versus the benefit and make a well considered,
informed decision as to whether HIPS is the best option.
In line with the requirements of the referenced industry standard codes and recommended practices
as above, HIPS is considered a viable and workable alternative to relief but it shall only be applied
where it can be demonstrated there is a clear life cycle advantage over a conventional relief system.
Demonstration of this shall evaluate environmental differences as well as safety, e.g. HIPS may
prevent a release compared to a relief.
Instances where HIPS may be justified are described above, but there are also situations where
HIPS may be difficult to justify:

- Where a system ties into a relief / flare system which already has adequate relief capacity set by other reasons to cope with the additional load and where there is little environmental benefit;
- Where it is difficult to provide the ongoing skilled maintenance and testing required for an instrumented system (lack of resources, suitable skills, inaccessible locations inconsistent with the required testing and maintenance frequency etc.);
- Where required HIPS valve closure times are extremely short and difficult or impossible to achieve (e.g. for the valve sizes required);
- Where a proliferation of HIPS is proposed as a way of avoiding reasonable relief system design capacity.

The use of HIPS shall be in moderation. Proliferation of HIPS arrangements on an installation shall
be avoided in services that might be termed routine relief cases and readily accommodated using
a PSV.
For gas transmission and distribution systems, pressure reduction and relief systems designed in
accordance with the Institute of Gas Engineers Recommendations on Transmission and Distribution
Practice, Pressure regulating installations for transmission and distribution systems, IGE/TD/13 [12]
are acceptable in place of the requirements in this standard.
Where consideration is given to the adoption of an instrumented protection system, a number of
steps shall be followed to develop and document a full justification for its selection and design. An
outline of requirements in this respect is detailed in the following sections within this standard.
API RP 14C
It should be noted that whilst API RP 14C is strictly applicable for offshore production platforms, BG
requires that the layers of protection principles embedded in this code (as well as in BS IEC 61511)
shall be applied across all BG projects, whether off or onshore.
API RP 14C stipulates that the safety system should provide two levels of protection (primary and
secondary) to prevent or minimize the effects of an equipment failure within the process and that the
two levels of protection should be independent of and in addition to the control devices used in
normal process operation. Where HIPS is applied as the secondary level of protection (usually in
place of a PSV, or to reduce the sizing load on such a PSV), this does not mean that the primary
protection (such as an ESD system activated pressure trip) can be deleted. Both primary and
secondary protection systems shall be provided where necessary in accordance with API RP 14C.
Commentary: The UK / European standard BS EN ISO 10418 effectively replicates the principles of
API RP 14C and applies equally.
It is important to recognise that consistent with the principles of API RP 14C / BS EN ISO 10418
and the provision of layers of protection, the HIPS shall be able to prevent the unsafe condition
arising without any other protective system (e.g. ESD) operating. In a similar manner, these other
protective systems (e.g. ESD) shall also be able to prevent the unsafe condition arising without the
HIPS operating. Ideally, the lower level of protection (e.g. ESD) should operate such that the
process excursion does not increase to the point at which the second level of protection (e.g. HIPS)
is triggered.
This document describes HIPS requirements pertinent to both surface (offshore or onshore) and
subsea facilities. Sections 8, 9 and 11 describe general requirements applicable to all HIPS.
Requirements specific to subsea HIPS are described in Section 10.

9.0 HIPS Justification and Design


9.1 Basis for HIPS Design

In accordance with both the intent implicit or stated within the referenced industry codes/standards
and general industry best practice, HIPS shall be designed to have a probability of failure on
demand as good as or better than that of a comparable relief system.
Any safety instrumented system (SIS) or HIPS installed as an alternative to conventional relief (i.e.
mechanical protection) shall achieve a default integrity standard of SIL 3, i.e. the achieved
probability of failure on demand (PFD) of any HIPS shall in all cases be lower than 1 x 10^-3.
Adoption of a less stringent integrity standard shall only be considered where this is established on
the basis of BS IEC 61508 / IEC 61511 and where it can be fully justified through quantified risk
analysis as meeting both the Company maximum tolerable risk target (refer to Section 9.5.2) and As
Low as Reasonably Practicable (ALARP) criteria (refer to Section 9.5.3).
In complying with the spirit of API RP 14C (or BS EN ISO 10418), the HIPS shall provide a totally
independent layer of protection from other mitigations such as ESD and should primarily be
assessed in that context, i.e. whilst other mitigations may be considered as a means of achieving a
viable SIL target, they should not be used to justify adoption of a target that falls short of that offered
by the completely independent mechanical protection that the HIPS is replacing, e.g. the relief
valve.
All proposals to implement HIPS with integrity requirements of less than SIL 3 (PFD equal to
or greater than 1 x 10⁻³) shall require review by, and a dispensation to be approved in
advance of implementation from, BG Advance Engineering.
Commentary: With reference to the discussions on the reliability of relief valves (Section 9.6.1, in
terms of probability of failure on demand) and on the corresponding Safety Integrity Level (SIL)
targeting (Section 9.5, also reflecting probability of failure on demand), HIPS would be designed to
meet either a SIL 2 or SIL 3 requirement, depending on the type of relief valve. However, it should
be recognised that a relief valve that fails to operate at the set pressure (but whose failure is
nevertheless captured in overall failure rate data) may still operate at a higher pressure, and so
continue to provide some level of overpressure protection. In contrast, a HIPS failure is more likely
to represent a total loss of overpressure protection, i.e. it has less diversity than the relief valve.
The failure to open on demand uncertainty for relief valves coupled with the difference in the failure
modes prompts many in the industry to stipulate a level of reliability for HIPS one order of
magnitude better than that of a relief valve. As such, the vast majority of industry users set a SIL 3
target for HIPS.
Commentary: Note also that some HIPS (e.g. the integral Mokveld system described in Section
9.6.3, which is purely hydraulic) do not attract a SIL target as would a safety instrumented system,
but merely a PFD, i.e. probability of failure on demand.
9.2 Analysis Requirements

Any project considering the adoption of a HIPS solution for a potential overpressure scenario shall
undertake a comprehensive analysis that supports and justifies the selection of HIPS over
conventional relief for overpressure protection. The analysis shall also support the HIPS
configuration, design and performance requirements necessary to achieve the system protection.

Justification for a HIPS solution shall give due consideration to all pertinent factors, including safety
and environmental as well as life cycle cost (e.g. the HIPS solution being cheaper to
implement).
At a high level, consideration shall be given to the following aspects in analysing potential HIPS
applications:

- Why is HIPS appropriate in this instance, why is conventional relief inappropriate?
- Can existing systems accommodate an additional or new relief flow and would it be practical
to modify them to do so?
- Are there significant environmental factors / benefits to be taken into account in favour of
HIPS?
- Are the systems available and resources / skills at hand to implement and maintain the
HIPS?
- What potential configurations are feasible for the HIPS?
- Is it appropriate to rely on a combination of instrumented protection and conventional relief
(e.g. in analysing the reliability of the instrumented system, one or more wells not being
satisfactorily isolated may be tolerated by virtue of relief protection being provided for the
maximum flow from these one or two wells, thereby not requiring relief sizing for the full
facility throughput from all wells)?
- A hazard analysis shall be implemented to systematically examine the overpressure
scenarios and the combinations of equipment and / or controls failures which may lead to
hazards;
- Viable HIPS configurations and / or HIPS / relief combinations should be developed;
- Both functional and integrity requirements for each HIPS should be established;
- Quantified risk analysis shall be conducted for the proposed protection system
configuration(s) to establish overall probabilities of failure on demand;
- Option selection can then reflect those permutations that meet the target reliability
requirements derived from BG tolerable risk criteria and set safety integrity level (SIL) targets
for the system;
- A check should be made to ensure that environmental, economic or reputational loss factors
do not merit a more onerous SIL target for the system;
- The overall system to be protected by the HIPS shall be dynamically modelled in order to
establish the speed of response necessary (e.g. sensing element response, valve closure
time etc.) in order to prevent overpressure or the unsafe condition arising;
- Such dynamic analysis shall be extended to confirm the performance of other layers of
protection (e.g. such as ESD) in independently preventing the unsafe condition arising;
- Is the required response time achievable with the existing / proposed sensing system,
existing / proposed valves, new / replacement valves or actuation etc.?
- Performance standards shall be developed to fully define the basis for design, functional,
performance and testing requirements for the HIPS.

Commentary: Note that hazard analysis and SIL targeting exercises may typically be conducted
sequentially (e.g. HAZID / HAZOP followed by SIL). Note that the skills required to chair these two
reviews differ and are likely to require different chairmen.
Figure 9.1 presents a simplified decision tree showing the key steps in assessing and designing a
HIPS. More detailed requirements are specified below. Reference should also be made to the BG
Guideline Specifying and Achieving Functional Safety³, BGA-ENG-INST-GL-0002 in respect of
reliability and integrity analysis required for SIL 3 / HIPS systems.
The basic methodology for determining the integrity requirements for HIPS shall be as follows:
- Establish proposed HIPS configuration options (refer to Section 9.3);
- Conduct a hazard analysis / identification exercise to establish all the anticipated hazard
scenarios for the proposed system that the HIPS is to protect (refer to Section 9.4);
- A default SIL target of SIL 3 shall be initially adopted for the HIPS;
- Quantified analysis shall be conducted to support every HIPS application, i.e. in which an
instrumented protection system is replacing, or reducing the capacity of, some form of
mechanical protection, such as a relief valve for overpressure risk, possibly inherent
mechanical design for other risks etc. (refer to Section 9.5);
- The quantified analysis shall utilise fault tree methodology to establish overall probabilities of
failure on demand for the proposed HIPS configurations (refer to Section 9.6);
- In the quantified analysis, the maximum tolerable probability of failure on demand for the
HIPS shall be derived from the Company tolerable risk criteria and the corresponding SIL
target established for the system;
- This approach shall be used to analyse alternative HIPS configurations or system
redundancy to confirm the option most suitable for meeting the risk target;
- Where a SIL target of less than SIL 3 is established and desired, this shall be subject to
review and approval by BG Advance (a dispensation shall be required before
implementation for any SIL < 3 and / or PFD ≥ 1 x 10⁻³);
- The BG Risk Graph methodology³ shall be used to confirm that environmental, economic or
reputational loss factors do not in fact set the determining SIL target for the system;
- An As Low as Reasonably Practicable (ALARP) assessment shall be conducted to
demonstrate that no further improvement in the integrity of protection is justified (refer to
Section 9.5.3).

Commentary: It is envisaged that initial evaluation of HIPS selection relative to conventional
mechanical protection, full rating etc. will be conducted during the Select phase in order to establish
the impact on option configurations and to support option selection. Initial design of any selected
HIPS option would typically be conducted during the FEED stage, from justification through
preliminary hazard analysis, SIL targeting and dynamic analysis in order to confirm that the design
is workable and to establish impacts on flare / vent design, key components, design implications
and initial SIL target. This work will be firmed up during the Detailed Engineering phase to include
performance standards and a HIPS Dossier.
Commentary: Note that only those scenarios that can be successfully mitigated by a safety
instrumented system should be considered for removal from the pressure relief and vent / flare
loading. The most common example of overpressure scenario that cannot be effectively mitigated
by a HIPS is that pertaining to the fire case. As such, even if a vessel or section of plant were
protected against a blocked discharge event by HIPS, it would still require conventional relief
protection sized for the fire case loads (as well as typically any leakage across HIPS valves, surge
flow on HIPS valve re-opening etc.).
No credit shall be taken for control system actions in HIPS analysis.
9.3 HIPS Configurations

It is important to recognise that the HIPS include all devices required to reach the fail-safe condition
for the process. This includes the entire instrument loop from the field input devices (e.g. pressure
transmitters) through the logic solver (if applicable) to the final elements (e.g. solenoids, valves),
along with other devices required for successful functioning, such as safety instrumented system
interfaces, communications, power supplies etc.
Most HIPS require some form of voting system in order to achieve the desired reliability target whilst
minimising spurious trips, from the field inputs through the logic to the final elements. The ease with
which the assessed target probability of failure on demand can be achieved will typically determine
the extent of voting, configuration of voting (e.g. 1oo2, 2oo3 etc.), number of final elements and so
on.
Commentary: In general, SIL 3 HIPS utilise 2oo3 voting transmitters and, where protection is via
isolation of the upstream source of high pressure, typically two valves as final elements, i.e. 1oo2
(although single valve configuration may be credible subject to selection of valves with appropriate
integrity and demonstration of reliability). Final elements may also include duplicated trip signals
onto pumps or compressors. Note that 2oo3 is used to protect against two failure modes (i.e.
spurious trip and no trip). Common cause failure should be considered when modelling these
cases, since this is likely to dominate the analysis and may be slightly less for 2oo3 redundancy.
More onerous reliability and diagnostic requirements will typically apply where HIPS are located
subsea, given the constraints on system testing in comparison with surface located HIPS. Specific
requirements in respect of subsea HIPS are discussed in Section 10.
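The following added example (not part of the BG standard) estimates the average PFD of the typical arrangement described above, 2oo3 transmitters acting through a logic solver on 1oo2 valves, and shows how the common cause term dominates the redundant subsystems. The simplified voting equations with a beta factor are an assumption standing in for the fault tree analysis required by Section 9.6, and all failure rates, beta factors and proof test intervals are constructed sample values.

```python
"""Simplified PFDavg for a HIPS loop: 2oo3 transmitters -> logic solver -> 1oo2 valves.

Added illustration. Failure rates, beta factors and test intervals below are
constructed sample values, not data from the standard or from any vendor.
"""
from dataclasses import dataclass, replace

SIL3_PFD_LIMIT = 1e-3  # the standard's default: achieved PFD must be lower than this


@dataclass(frozen=True)
class Subsystem:
    name: str
    voting: str              # "1oo1", "1oo2", "2oo2" or "2oo3"
    lambda_du: float         # dangerous undetected failure rate, per hour
    test_interval_h: float   # proof test interval, hours
    beta: float = 0.0        # fraction of lambda_du that is common cause


def common_cause_pfd(s):
    """PFDavg contribution of failures that defeat every redundant channel at once."""
    if s.voting == "1oo1":
        return 0.0
    return s.beta * s.lambda_du * s.test_interval_h / 2.0


def pfd_avg(s):
    """Simplified average PFD (no diagnostics credit, repair time neglected)."""
    full = s.lambda_du * s.test_interval_h
    independent = (1.0 - s.beta) * full
    if s.voting == "1oo1":
        return full / 2.0
    if s.voting == "1oo2":
        return independent ** 2 / 3.0 + common_cause_pfd(s)
    if s.voting == "2oo3":
        return independent ** 2 + common_cause_pfd(s)
    if s.voting == "2oo2":
        return independent + common_cause_pfd(s)
    raise ValueError(f"unsupported voting arrangement: {s.voting}")


def loop_pfd(subsystems):
    """Series combination (rare-event approximation): any subsystem failing defeats the loop."""
    return sum(pfd_avg(s) for s in subsystems)


def sil_band(pfd):
    """Low-demand SIL band: SIL n covers 10^-(n+1) <= PFD < 10^-n."""
    if pfd >= 1e-1:
        return 0
    for n in (1, 2, 3):
        if pfd >= 10.0 ** -(n + 1):
            return n
    return 4


# Constructed sample loop (all numbers are illustrative assumptions).
TRANSMITTERS = Subsystem("pressure transmitters", "2oo3", 5e-7, 8760, beta=0.05)
LOGIC_SOLVER = Subsystem("logic solver", "1oo1", 1e-8, 8760)
VALVES_ANNUAL = Subsystem("HIPS valves incl. solenoids", "1oo2", 2e-6, 8760, beta=0.10)
VALVES_6_MONTHLY = replace(VALVES_ANNUAL, test_interval_h=4380)

LOOP_ANNUAL = (TRANSMITTERS, LOGIC_SOLVER, VALVES_ANNUAL)
LOOP_6_MONTHLY = (TRANSMITTERS, LOGIC_SOLVER, VALVES_6_MONTHLY)


def report(label, loop):
    """Return printable lines: per-subsystem PFD, common cause share, loop total and verdict."""
    lines = [label]
    for s in loop:
        p = pfd_avg(s)
        share = common_cause_pfd(s) / p
        lines.append(f"  {s.name:30s} {s.voting}  PFD={p:.2e}  common cause share={share:.0%}")
    total = loop_pfd(loop)
    verdict = "meets" if total < SIL3_PFD_LIMIT else "does NOT meet"
    lines.append(f"  loop PFD={total:.2e} (SIL {sil_band(total)} band), {verdict} PFD < 1e-3")
    return lines


if __name__ == "__main__":
    for label, loop in (("Valves proof tested annually", LOOP_ANNUAL),
                        ("Valves proof tested 6-monthly", LOOP_6_MONTHLY)):
        print("\n".join(report(label, loop)))
```

With these sample values the 1oo2 valve pair is limited almost entirely by its common cause term, so shortening the valve proof test interval moves the loop below 1 x 10⁻³ where adding further redundancy would not.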
9.3.1 Field Inputs

Most HIPS applications (to achieve SIL 3) require voting sensors (normally 2oo3) on all field inputs,
such as those measuring pressure, although this might conceivably be some other parameter such
as temperature, level or composition. The use of redundant inputs enables incorporation of
diagnostics into the HIPS which significantly reduce the probability of failure on demand for the field
inputs.
Transmitters shall be used for all field inputs to HIPS loops to enable input diagnostics to be
implemented. Switches shall not be used.
Commentary: The only exception to the above (permitting the use of switches) is where the
Mokveld integrated HIPS solution is adopted, each switch acting directly on its dedicated valve
(refer to Section 9.6.3).
Separate process connections shall be provided for HIPS sensing devices such as pressure
transmitters so as to decrease common cause faults such as plugged inlet lines, valves.
Commentary: Where there is an increased risk of blockages due to hydrates, ice, wax, sand and
the like, then it is essential that sensing connections are made self-draining and that consideration
be given to provision of suitable heat tracing to reduce the risk of such blockages (i.e. to prevent
and / or melt hydrates and / or wax).
Commentary: In a similar vein, adoption of diversity in the specification of process measurement
(e.g. adoption of transmitters from different vendors), together with adequate spacing between
sensing points, is recommended in order to further reduce common cause failures and therefore the
probability of failure on demand.
Commentary: In some instances HIPS may be triggered by a valve in the system opening or
closing. As an example, the latter scenario typically applies where closure of a downstream valve
generates the blocked outlet that causes the overpressure that the HIPS must protect against. In
such cases, the required overall system response to prevent overpressure may be improved by
initiating the HIPS on detection of partial closure of the valve in question, i.e. the ultimate system
pressure reached may be reduced by the early triggering of HIPS, although system protection
should not rely on this action. Note also that in some cases where limited response time is
available for the system to protect against overpressure, HIPS initiation may be better achieved by
detection of rate of change of pressure rather than absolute pressure.

HIPS field input devices shall be fully independent of the normal emergency shutdown (ESD) field
input devices, e.g. separate dedicated sensors / transmitters shall be employed. Consistent with
the above objective, HIPS transmitters shall be on separate connections / branches on the main
process line to those associated with control or ESD functions.
HIPS field input devices shall be located in the system being protected, unless that system is a
downstream pipeline (see below). For HIPS protecting against overpressure, this means that the
HIPS pressure transmitters shall be located downstream of the HP / LP interface or specification
break, i.e. in the LP system, but as close to the interface as is reasonably possible (i.e. HIPS is
effectively a reactive system).
Commentary: If HIPS pressure transmitters are located upstream of the HP / LP pressure break (in
a preventative mode), the pressure on the upstream side (e.g. of the HIPS valve(s)) must be
reduced to below the set-point before the HIPS can be reset. This would typically require
depressurisation (and consequently environmental loss of hydrocarbons) of the upstream piping or
else pressure equalisation across the HIPS valve (by bleeding off pressure into the downstream
system, usually via a bypass) prior to re-start. Safe operation and retention of overpressure
protection can be dependent in this arrangement on the integrity of interlocks preventing the HIPS
valve(s) re-opening at high differential pressure, as well as operator actions with respect to reset of
the HIPS. Note also that HIPS pressure transmitters should be located downstream of any device
liable to generate pressure spikes in the system, i.e. potentially increased risk of spurious HIPS
demands. One such example would relate to the provision of choke / throttling valves on subsea
pipelines arriving onto a platform facility, where such valves typically serve to help manage liquids
during start-up or ramp-up operations.
Figures 9.2 and 9.3 illustrate typical 1oo2 and 2oo3 transmitter configurations respectively.
For HIPS that protect a downstream pipeline (rather than a section of process plant), it may be
impracticable to locate HIPS input devices (e.g. transmitters) downstream of the HP/LP interface
since this would place them outboard of system isolation (e.g. riser or boundary isolation). In such
circumstances, it is acceptable to configure HIPS with input devices upstream of the boundary
isolation. Examples of this kind of application include a fully rated wellhead platform exporting to a
de-rated pipeline tieback or the adoption of subsea HIPS (which is covered in greater detail in
Section 10).
9.3.2 Logic Solver

The logic solver (where applicable) shall be designed to meet the assigned SIL.
Commentary: Where the HIPS is designated as SIL3, this means that the logic solver must be
independently certified compliant with SIL3 performance requirements in accordance with BS IEC
61508.
The logic solver shall be a solid state hardware based or programmable electronic system (PES). If
a PES is selected then the HIPS logic solver must be both functionally and physically separate, i.e.
a separate processor shall be used for the HIPS function only. Note, however, that some regulatory
parties (e.g. the UK Health and Safety Executive) prefer HIPS logic solvers to be non-programmable.
Commentary: The use of relays for the logic solver shall be avoided. Programmable electronic
devices require a high level of self-diagnostics and fault tolerance. In order to meet independent
testing and certification of SIL 3, a logic solver has to demonstrate this. Redundancy of signal path
and logic processing is desirable and the trip output function shall be configured as de-energize to
trip (i.e. fail-safe).
Consistent with the requirements of BS IEC 61508 and BS IEC 61511, IP recommendations etc.,
the hardware and software for HIPS shall be fully independent from the basic process control (i.e.
DCS) and emergency shutdown (ESD) system logic. Under no circumstances shall software
controlling ESD logic also control HIPS logic in the same processor / controller.
Commentary: Independence of the HIPS logic eliminates the risk that a loss of process control or
ESD system hardware will also result in a loss of HIPS function as well as reducing the possibility of
inadvertent changes to HIPS functioning arising during modification of process control or ESD
functions. Some ESD logic solvers carry the SIL 3 rating and so there may be a temptation to
combine the ESD and HIPS within the same hardware - this shall be avoided. The safety lifecycle
(BS IEC 61508 / 61511) requirements pertaining to SIL 3 are significantly more onerous than those
of SILs 1 and 2. This means that the programming of a HIPS is a significantly more tortuous
process than programming of an ESD.
9.3.3 Final Elements

The majority of HIPS use dual final elements in a 1oo2 configuration to achieve fault tolerance and
the required PFD target, although this is obviously dependent on the HIPS configuration adopted,
the reliability of the final element(s) and the corresponding SIL applicable.
Commentary: For example (with reference to Section 9.3.5), provision of separate HIPS loops
on individual well flowlines might not require dual final elements if some conventional relief capacity
is provided to account for one or more wells not being satisfactorily isolated.
The final elements are typically:

- Relays in a motor control circuit for shutdown of motor operated valves, compressors or
pumps, or
- Fail safe valves opened or closed using solenoids in an instrument air (or hydraulic) supply.

Use of control valves as HIPS final elements shall be avoided, but these may be used as a
supplemental measure where other protective elements are provided.
Figures 9.4, 9.5 and 9.6 illustrate typical configurations for when fail safe valves are employed as
final elements. These reflect 1oo2 valves with 1oo1 solenoids, 1oo2 valves with 1oo2 solenoids
and 1oo2 valves with 2oo2 solenoids respectively. Clearly the actual configuration will be
determined as necessary to satisfactorily meet the reliability target for the overall HIPS (whilst
considering required plant availability).
Solenoid operated valves (solenoids) shall be used to actuate fail safe valves and configured as de-energize to trip.
Commentary: Solenoids may be configured as 1oo1 or 1oo2, but spurious closures (e.g. due to coil
burnout) may cause loss of production and downtime. Configuration as 2oo2 to reduce spurious
trips is not recommended due to the risk of stuck valves (e.g. welded open), plugged vent ports
etc.
The required valve closure time and hence port size shall be determined via dynamic analysis so as
to prevent overpressure before final closure of the valve (refer to Section 9.7). Use of quick exhaust
valves (QEV) may be required to attain the necessary closing times.
Commentary: For fail safe valves acting as the final elements of HIPS, the solenoids should be
mounted as close to the valve actuator as possible to reduce the required transfer volume for valve
actuation. The size of solenoid exhaust ports should generally be as large as possible since this will
determine the speed of valve response. Care should be taken to ensure that rapid closure of a final
element will not give rise to intolerable surge pressures and reaction loads. This may be important
where HIPS valves are located on or close to wellhead Christmas trees, in which case checks
should be made with production technologists to confirm that rapid valve closure cannot generate
risks to the formation.
Reference should also be made to Section 9.3.4 regarding mandatory criteria relating to which
process valves are permitted to be used as HIPS valves (or HIPS final elements).
9.3.4 HIPS Valves

Where a HIPS loop relies on one or more valves as the final element, these shall be dedicated
valves provided purely for the purpose of the HIPS.
ESD valves in general, boundary isolation valves (e.g. the riser valve on a platform), valves forming
part of double block and isolation and subsea valves provided for other purposes, such as the
subsea isolation valve (SSIV), shall not be used as HIPS valves.
Commentary: Whilst it is notionally feasible to utilise ESD or boundary isolation valves as one
element of a HIPS loop (e.g. riser valves, wing valves) by ensuring that the HIPS function onto such
valves remains completely independent of the ESD function via dedicated solenoids, there is still a
risk that the independent functions and roles of the valves may be compromised by the dual role
and / or inadequately reflected in the quantified analysis (e.g. increased demands on the system). It
is also likely that any combined role for HIPS valves in this manner would be subject to challenge
and approval by appropriate regulatory authorities (e.g. the Health & Safety Executive in the UK
sector). It should be noted that if a well is remote from the host being protected, then closure
of wellhead valves may not provide sufficient protection if there is a pipeline at pressure in between.
All proposals to implement HIPS that utilise ESD, boundary isolation / riser valves or SSIVs
shall require review by, and a dispensation to be approved in advance of implementation
from, BG Advance Engineering.
9.3.5 Overall HIPS Configuration

A wide range of permutations are possible in respect of overall HIPS configurations, both in terms of
the system architecture itself and the way in which the system is deployed, say acting on multiple
feed streams etc.:

- Voting arrangements for field input devices;
- Number of and voting arrangement for final elements (e.g. one or two valves);
- Voting extended to intermediate elements such as solenoids, relays;
- HIPS on individual feed streams or combined headers;
- HIPS completely or only partly replacing a conventional relief load.

The actual configuration shall be determined on a case-by-case basis to best fit the requirements
and reliability target at the time.
Commentary: Figures 9.7 and 9.8 are provided to illustrate the options in one specific example
where HIPS is commonly applied, namely protection of the HP / LP pressure interface between
wellheads and the process separation system. Both figures show a 2oo3 pressure transmitter
arrangement acting on 1oo2 valves (via 1oo1 solenoids).

In a conventional arrangement, the specification break would be at the last valve or potential
obstacle (e.g. spectacle blind on the separator inlet nozzle) before the separator. The lower
pressure separator would be protected by a relief valve sized not only for duties such as fire relief
but, critically, for full flow relief in the event of inadvertent blocked outlet, whether this be via system
control / ESD failure, mechanical valve failure or operator error. If the wells are remote from the HP
/ LP interface being protected (e.g. a subsea tieback) the closure of remote valves in the vicinity of
the tree or a SSIV may be of little value as the system between the wells and the interface may be
at a high pressure. In such cases, HP / LP breakthrough by inadvertent opening of any valves local
to the interface must be considered.
Where HIPS is employed, the safety instrumented system senses increased pressure in the system
and acts to isolate the source of inflow / pressure by shutting one or more valves in the feed from
the wells. There is a choice as to whether this arrangement acts on the combined feed to the
separator or on individual wellstream feeds. The former results in a simpler system, fewer individual
loops, but larger faster acting valve(s) and the HP rating carried further in the system. The latter
requires separate loops and / or final elements on each well flowline but HIPS valve sizes are
smaller and the HP rating need not extend to the manifold and production header (provided there
are no further valves or blockage risks in that piping). Obviously the greater the number of wells the
greater the number of loops and the less attractive this approach may become.
Provision of separate HIPS loops on each flowline in this example does potentially offer the
opportunity to adopt lower integrity architecture (e.g. reduced redundancy, say 1oo2 rather than
2oo3) if some interim level of relief capacity is also provided. This means that rather than
completely avoiding the full flow relief case by requiring every single well to be successfully isolated,
limited relief capacity may be provided on the assumption that only a limited number of wells might
reasonably not be isolated satisfactorily in a HIPS event, i.e. relief sizing limited to the maximum
rate from one or more wells. This is ultimately a balance of complexity and operating cost against
initial capital cost. This interim solution may be considered, however, in cases where the
implications of reduced flow relief can be accommodated but where full flow relief has major impact.
It may be particularly pertinent to modification and debottlenecking work once a facility is
operational. It should be recognised from an environmental perspective that this hybrid solution is
less effective at minimising released hydrocarbons through the plant lifecycle.
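The hybrid arrangement described above can be quantified as follows. This added example (not part of the BG standard) computes the probability that more wells remain unisolated on a demand than the interim relief capacity covers. The per-loop PFD, the shared-failure probability and the use of 1 x 10⁻³ as the target for the combined protection are constructed assumptions, and the flowline loops are assumed independent apart from the explicit shared-failure term.

```python
"""Hybrid HIPS / relief: chance that more wells stay open than the relief valve covers.

Added illustration. All probabilities are constructed sample values.
"""
from math import comb


def p_relief_exceeded(n_wells, k_relief, p_loop, p_common=0.0):
    """P(more than k_relief of n_wells fail to isolate on a HIPS demand).

    n_wells  : number of well flowlines, each with its own HIPS loop
    k_relief : number of unisolated wells the relief valve is sized for
    p_loop   : independent probability of failure on demand of one flowline loop
    p_common : probability of a shared failure that leaves every well open
               (e.g. one transmitter set on the common header tripping all loops)
    """
    if not 0 <= k_relief <= n_wells:
        raise ValueError("k_relief must lie between 0 and n_wells")
    if k_relief == n_wells:
        return 0.0  # relief sized for full flow: isolation is not relied upon
    independent_tail = sum(
        comb(n_wells, j) * p_loop ** j * (1.0 - p_loop) ** (n_wells - j)
        for j in range(k_relief + 1, n_wells + 1)
    )
    # A shared failure opens all wells, which always exceeds k_relief < n_wells.
    return p_common + (1.0 - p_common) * independent_tail


def min_relief_wells(n_wells, p_loop, target, p_common=0.0):
    """Smallest relief sizing (in wells) for which P(relief exceeded) is below target."""
    if target <= 0:
        raise ValueError("target must be positive")
    for k in range(n_wells + 1):
        if p_relief_exceeded(n_wells, k, p_loop, p_common) < target:
            return k
    return n_wells


if __name__ == "__main__":
    N, P_LOOP, TARGET = 6, 5e-3, 1e-3   # constructed: six wells, SIL 2 class loops
    for p_common in (0.0, 5e-4, 2e-3):
        k = min_relief_wells(N, P_LOOP, TARGET, p_common)
        print(f"shared-failure probability {p_common:.0e}: relief sized for {k} well(s)")
        for kk in range(0, 3):
            print(f"   k={kk}: P(exceeded)={p_relief_exceeded(N, kk, P_LOOP, p_common):.2e}")
```

Under these assumptions relief sized for a single well brings six lower integrity loops below the target, but a shared failure probability above the target forces full flow relief regardless of how many wells the interim relief covers.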
Figure 9.7 shows the typical arrangement where a single HIPS loop is provided on the common
manifold / production header. By default, satisfactory operation of this system completely isolates
the source of high pressure in-flow.
Figure 9.8 shows the alternative arrangement where a separate HIPS loop is provided on each well
flowline. Final elements on each flowline could equally be triggered by a single 2oo3 set of
transmitters on the common manifold / production header, although this would result in reduced
reliability. Similarly, and subject to the required overall loop reliability, single HIPS valves on each
flowline may suffice in this arrangement.
There is no single correct configuration, although the general principle should be to limit the
complexity of HIPS wherever possible. The important point in so far as this standard is concerned
is that the range of possible configurations shall be duly assessed before selecting the final
arrangement.
All HIPS shall be designed to be fail-safe, such that the system will revert to a pre-determined safe
state in the event of failure of its components or its power supplies.

9.3.6 Re-Start after a HIPS Trip

In the design of HIPS, consideration shall be given to the requirements for facilitating safe re-start
after a trip. For pressure protection systems, this usually means preventing the HIPS valves being
opened when there is still a high upstream pressure, and where high pressure differential across the
valve(s) might generate valve wear / damage that may compromise future performance. It shall
also be recognised that quickly opening the HIPS valves with a high differential pressure across
them can give rise to a very high surge / relief load in itself. The design shall prevent this wherever
feasible but ultimately shall also ensure that surge pressures on re-opening against high differential
can be safely managed by the downstream system. Depressurisation of the upstream section shall
not be to the flare or vent but to the lower pressure process system wherever reasonably
practicable. From an environmental perspective, this is obviously more important for larger lines
and / or significant volumes to be depressured.
One means of managing re-start after a HIPS trip that may block in high pressure upstream of the
HIPS valve would typically be via the provision of a bypass arrangement around the HIPS valve(s).
This would facilitate controlled pressure equalisation and therefore HIPS valve re-opening against
an acceptable pressure differential.
Figure 9.9 provides a generic illustration of a typical HIPS set-up incorporating such a bypass.
Adoption of such a design shall ensure that the following factors are accommodated:

- In addition to an on / off bypass valve, a globe valve will typically also be provided to assure
controllable depressurisation and to avoid potential problems due to rapid depressurisation
downstream, although this is optional;
- It is important that provision of a bypass around a HIPS valve or valves does not
compromise the protection / isolation afforded by the HIPS;
- In configuring a bypass, it is therefore essential to ensure that either the bypass is
automatically isolated if the hazard arises that triggers the HIPS (e.g. blocked outlet), or else
a downstream relief valve can accommodate the maximum flow that might arise should the
bypass be open;
- Where an actuated bypass valve is provided, it would be preferable for the HIPS action,
either directly or via the ESD, to also close the bypass valve;
- The potential capacity of the bypass shall be limited by the provision of a restriction orifice
(RO);
- A downstream relief valve (e.g. for HIPS protecting against high wellhead pressures this is
commonly on the production separator) shall be provided that is able to handle the
maximum bypass flow (e.g. restriction orifice breakthrough flow) together with the maximum
HIPS valve leakage (refer to Section 9.8), on the basis that there are no valves or
obstructions between the specification break and the relief valve unless such valves are
securely and demonstrably locked open;
- With this relief valve protection, the HIPS overpressure protection does not rely on isolation
of the bypass and as such the bypass should not form part of the HIPS reliability (i.e.
thereby simplifying the design); automatic closure of the bypass in the event of a HIPS trip is
then merely aimed at preventing a potential relief event;
- Where a manually operated bypass valve is provided, this shall be securely key locked
closed in normal operation, and operable only under a permit to work;
- It should be noted that the bypass arrangement is usually a HP / LP interface in its own right
(depending on where the specification break is located; an example is shown at the HIPS
valve / bypass RO in Figure 9.9) and, as such, if it were in normal continuous operation the
LP system would typically require protection as per API RP 14C or ISO 10418 (i.e. two
layers of overpressure protection).
Commentary: In the normal course of events with no
valves or obstructions downstream of the specification break as far as the relief valve,
ultimate protection would be afforded by the downstream relief capacity (although any HIPS
/ ESD trip of the bypass valve as above will also protect the interface). For systems not
normally in use, reliance on primary protection being provided via the permit / procedural
controls in place would generally be acceptable, e.g. in this case constraints on operation of
the bypass (refer to Figure 9.9). In this example, the normal high pressure ESD trip on the
downstream separator would also be expected to isolate inflow (e.g. from wells) and
therefore limit continued flow via the bypass.
Provision shall be made for a high pressure inhibit to stop the HIPS valve(s) being opened
with high differential pressure across them, but still allow the bypass valve to be operated
(where this is actuated). The configuration in terms of number of pressure transmitters and
voting required to achieve this inhibit shall be established on a case by case basis to
achieve suitable integrity;
Consideration shall be given in all such arrangements to the risk of low temperatures
occurring across the bypass valve or orifice during pressure equalisation. Low temperature
materials shall be selected where appropriate to cater for cold creep back from the valve /
orifice, usually for a minimum of 1 meter upstream.

The implications of surge flow on re-opening HIPS valves shall be evaluated via dynamic analysis to
ensure that downstream piping and relief capacity can safely accommodate any surge flow /
reaction loads that result. This analysis shall also consider the consequences and system response
requirements should the pressure inhibit on HIPS valve re-opening be defeated (by equipment
failure or operator error).
The system analysis shall take into account the reduction in protection afforded when the cause of
the hazard (i.e. inadvertent opening of a HIPS valve with high upstream pressure giving rise to
excessive surge flow) may also form part of the protective system. Credit shall not be taken for a
HIPS valve that inadvertently opens also then closing as part of the HIPS being initiated, since the
cause of the initial opening could also be the cause of a failure to re-close (and thereby effectively
reduce the number of final elements available to prevent overpressure). This scenario should be
reflected accordingly in the quantified analysis, as one failure mode for the valve for which it cannot
then contribute to the system protection. This analysis must demonstrate that the demands on the
system offset by the various protective elements and mitigation measures such as pressure inhibits
still allow the required overall system probability of failure on demand to be met (refer to Section
9.5.2).
Particular attention shall be given to any HIPS configured in preventative mode, such as protecting
a downstream pipeline, since inadvertent opening of HIPS valves may imply failure of the HIPS
function itself (which should normally keep the valves closed until the high upstream pressure had
been reduced).
Commentary: For a design to rely purely on a pressure inhibit to protect against overpressure
arising from HIPS valve re-opening in the worst condition (highest upstream pressure or highest
pressure differential), then it must be demonstrated that the integrity of the inhibit is appropriate for
this purpose, and such justification be subject to review and approval by BG Advance
Engineering.
Where the design of HIPS systems is critically dependent on the opening (or closing time) of valves,
it is essential that the reliability of the systems controlling the speed of opening (or closing) is fully
understood. In cases where the available response time for the HIPS is tight, it may become
necessary to adjust the opening (or closing) time of valves, e.g. in the re-start scenario above, an
attempt may be made to slow down the opening time of the HIPS valve(s) by restricting air /
hydraulic flow to open. This relies both on the security of the restriction (whether limiting air /
hydraulic fluid to open or to exhaust in a closure scenario) and the characteristic of the valve
response as opening / closing times are modified. Where needle valves are used as part of this
control, the integrity of the system protection may depend entirely on how these are adjusted and
maintained. Wherever there is a need to rely on such control methods to adjust an opening (or
closure) time to satisfy HIPS response requirements for preventing overpressure, then a full
justification shall be developed as part of the HIPS design to support this approach and
demonstrate how the integrity of the protection will be assured.
It should be noted that recovery from high pressure events may leave boundary or riser ESD valves
with high pressure on the upstream side. Unlike the HIPS arrangements described above,
bypasses around riser ESDVs are not permitted and re-opening of these valves is usually achieved
by back-pressuring the valve (e.g. with methanol, nitrogen or suitable source of available gas/fluid
i.e. human intervention) to then allow re-opening at low differential pressure, after which pressure
across any downstream HIPS valves can then be reduced via a bypass configuration. However, if
such procedures are not followed correctly and boundary/riser valves are re-opened at high
differential, there is a risk of generating low temperatures that may be below the minimum design
temperature of the valve and piping downstream. In such situations, the adopted design and
operational approach (which may typically encompass a combination of procedure and valve
opening inhibits) shall be shown to be As Low as Reasonably Practicable (ALARP). Where ALARP
cannot be demonstrated, then the design shall cater for the lowest temperatures that may arise with
inadvertent opening of the boundary/riser ESD valve.
9.3.7 Power Supply

Given the high integrity requirements for HIPS, consideration shall be given to how HIPS are
powered, in order to ensure sufficient redundancy so as to not compromise the reliability of the
overall system.
The default arrangement shall be to provide two electrical feeds to the system, with two high
integrity uninterruptible power supplies (UPS) as back-up in order to reduce the risk of spurious
HIPS trips and to maintain availability.
Any proposal to adopt alternative approaches for achieving the required system integrity
and availability shall require a full supporting justification and shall be subject to review and
approval by BG Advance Engineering.
9.3.8 HIPS Reset

Only manual / operator reset shall be permitted for HIPS after a trip has been initiated, i.e. the
HIPS shall not be reset (automatically) purely by falling pressure (or other criteria) to below the trip
value. Reset of HIPS shall only be considered once operators have fully assessed the situation,
identified the causes and system impacts and confirmed it appropriate and safe to reset.
9.4 Hazard Analysis

Consideration of a HIPS solution for overpressure protection (or protection against any other
parameter exceeding the design envelope) requires a quantitative risk analysis of the potential
scenarios that could cause overpressure (or any other parameter to exceed design).
The hazard analysis shall follow a structured, systematic approach, using a multidisciplinary team.
The team shall typically include process, HSSE, instrumentation, electrical and
operations/maintenance representation. Other disciplines may be necessary depending on the
system under consideration. It shall document the event propagation from the initiating cause to the
final consequence or overpressure / design excursion. The analysis shall examine both operating
and upset conditions in addition to equipment failure that may result in overpressure or design
excursion. This shall include a thorough examination of each step involved in start-up and
shutdown, in addition to the normal condition. For processes in which reactions may occur or
propagation risks may apply, it is necessary to brainstorm all potential reaction paths, including the
need for multiple errors or failures to generate propagation, to fully understand the potential for
overpressure / design excursion.
The information typically necessary to facilitate this hazard analysis would include the following:

Process flow diagrams;
Heat and material balances;
Equipment sizing, data sheets etc.;
Piping and Instrumentation Diagrams (P&IDs);
Cause and Effects (and alarm and trip schedule if available).

For green field developments it is essential that pressure relief requirements and HIPS requirements
are examined at the earliest opportunity, not when the design is nearly complete (refer also to
Section 9.2 and Figure 9.1). This may require the hazard analysis to be conducted before final
P&IDs are available in order to fully understand overpressure and design excursion scenarios and
establish the need for HIPS at a stage when this may be incorporated into the design with the least
impact on project documentation, schedule and cost.
For brown field modifications, a comprehensive examination of all aspects of the existing design as
well as the new requirements shall be conducted as part of the hazard analysis process. This may
include some of the following elements:

Coincident relief cases, potential increased relief load;
Capacity in existing relief systems;
Practicality of accommodating new loads;
Existing elements that may form part of the HIPS;
New components / valves potentially required for a HIPS solution;
Implications on the existing ESD system.

Commentary: The hazard analysis process may frequently be combined with the SIL review
process for safety instrumented systems, with the SIL requirements assessed for each identified
hazard scenario in turn to establish the dominant (safety related) SIL target for the system, but note
that for high integrity systems (i.e. HIPS) that require quantified analysis, the hazard analysis is
primarily aimed at identifying all appropriate hazards to reflect in that quantified assessment.
9.5 Safety Integrity Level (SIL) Targeting

Reference should be made to the BG Guideline Specifying and Achieving Functional Safety [3],
BGA-ENG-INST-GL-0002, for greater detail on SIL targeting, but the broad requirements relevant to HIPS
are repeated here.
Safety Integrity Level (SIL) analysis or targeting relates to the process of ascribing a required
integrity target to a safety instrumented system (SIS), in this case a HIPS, in terms of its reliability or
probability of failure on demand (PFD) and the safety lifecycle requirements.
This process involves establishing the combinations of failures of equipment and controls which
may lead to hazards (via the hazard analysis described in Section 9.4) and then analyzing these
hazardous failures in order to establish the overall integrity target for the proposed protection
system for alleviating those hazards.

The three recognised approaches to SIL targeting are as follows:


Qualitative - Risk Graph;
Semi-Qualitative - Layers of Protection Analysis (LOPA);
Quantitative or Quantified Analysis (apportioning failure rates and failure probability targets).
In terms of high integrity safety instrumented systems (i.e. HIPS), the first two methodologies above
are not applicable. SIL targeting for HIPS shall adopt quantified analysis in every case to determine
the target safety SIL and confirm system configuration requirements. However, the risk graph
methodology (or LOPA) shall be used in every case to check that environmental, economic or
reputational loss factors do not set the determining SIL requirements (refer to Section 9.5.1 below
and to the BG Guideline Specifying and Achieving Functional Safety, BGA-ENG-INST-GL-0002, for
further details [3]).
Commentary: In the context of the above, high integrity is intended to represent any proposed
protection system that replaces either inherently safe design (e.g. suitable for the over-pressure,
over-temperature, under-temperature risk etc.) or else replaces the provision of (or reduces the
sizing capacity of) some form of mechanical protection (e.g. a relief valve).
Table 9.1 below illustrates the relationship between SIL and the probability of failure on demand
(PFD).
Table 9.1: Safety Integrity Levels

SIL     PFD
SIL1    10^-1 to 10^-2
SIL2    10^-2 to 10^-3
SIL3    10^-3 to 10^-4
SIL4    10^-4 to 10^-5 (Not allowed)

Commentary: The PFD ranges presented in the Table 9.1 above reflect the low demand failure
events pertinent to protective functions (as opposed to the high demand events pertinent to
continuous operations, such as control system failure etc., refer to BS IEC 61508).
9.5.1 SIL Review Process

The SIL review process for safety instrumented systems (SIS) described in the Guideline Specifying
and Achieving Functional Safety [3], BGA-ENG-INST-GL-0002, using the risk graph method is, as
indicated above, not to be used for the safety analysis of HIPS.
It should, however, be noted that this methodology also extends to environmental and financial
consequences as well as the primary safety consequences above. Separate evaluation of the
environmental consequences is included in the BG Risk Graph for which an environmental SIL
rating is established on the basis of whether the event could generate a reportable release, major
temporary environmental impact or major permanent environmental impact. In a similar manner,
evaluation of the financial consequences is included, for which a financial SIL rating is established
on the basis of financial impact (e.g. impact < US$ 1MM, US$ 1MM-10MM, >US$ 10MM).

There may also be instances when the most serious implications of an event / hazard might relate
to Company reputation rather than significant safety or environmental concerns. Although there is
not a separate risk graph to cover this category, the implications on reputational loss shall be
recognised in applying the financial risk graph methodology.
The most onerous SIL target established across the range of safety, environmental, economic or
reputational scenarios for a particular system shall set the overall target for that system. The BG
Risk Graph methodology (or LOPA) [3] shall be employed for all HIPS to establish if factors other than
safety are determining.
Commentary: It is feasible that a safety hazard could be determined, and justified, as requiring a
SIL 2 target via quantified analysis (refer to Section 9.5.2) and yet require SIL 3 for environmental,
economic or reputational loss reasons. An example might be where the risk of fatalities arising from
the overpressure event is considered low (say where operators are rarely present or where peak
overpressure might be below the test pressure of the LP system), but where any release arising
(even if small) could have significant reputational implications, say for sour service applications local
to public communities, discharge of pollutants etc.
SIL4 targets are generally considered to involve unrealistic requirements and shall not be permitted.
Where such targets arise from a safety perspective, the required quantified analysis shall be used to
better understand the risks and/or prompt implementation of additional layers of protection or
increased redundancy to reduce the target to SIL 3. Failing this, consideration shall be given to
alternative / conventional protection, i.e. to whether system protection is best served by HIPS at all.
Commentary: In some extreme cases, a SIL 4 target for HIPS may be unavoidable, perhaps where
there is high demand, extreme consequences and / or limited alternatives to adopting a HIPS
design. Any proposed HIPS with a target SIL in excess of 3 shall be subject to review by, and
a dispensation to be approved in advance of implementation from, BG Advance Engineering.
9.5.2 Quantified Analysis

Quantitative (or quantified) analysis shall be carried out for all HIPS and shall reflect all the hazards
identified during hazard analysis.
Whereas the maximum tolerable risk for a hazard is expressed as an individual risk (of fatality) per
annum (IRPA), the related integrity requirement is expressed as either a failure rate of a continuous
process or a probability of failure on demand (PFD) of a safety related system.
The quantified analysis shall establish a maximum probability of failure on demand (PFD) target for
the safety protective system, derived from the Company maximum tolerable individual risk target
and confirm the system architecture / configuration required to meet this target. This involves
conducting reliability or event tree analysis that considers both causes / demands on the one hand
and mitigation / prevention on the other to derive an overall PFD that achieves the target (refer to
Section 9.6).
The BG IRPA (maximum tolerable risk) target (for new facilities and activities / modification) shall be
10^-4. This applies to voluntary (employee) process risk. A reduced target of 10^-3 applies to existing
assets (reference should be made to the BG Safety Case Standard, BGA-HSSE-SAF-ST-15267).
For non-voluntary (i.e. public) risk, the target shall be 10^-5.
The required integrity target for the HIPS is derived from the above as follows:
The number of simultaneous risks to which an individual on site is at risk shall be estimated;
The maximum tolerable risk per scenario (i.e. for the HIPS) shall be calculated from the
IRPA target above divided by this number of simultaneous risks;
Commentary: As an example, with an overall risk target of 10^-4 and an estimated individual
exposure to 10 risks simultaneously on a facility, a target of 10^-5 per risk would apply.
A similar analysis shall be conducted for off-site risks (i.e. risks to the public, at or beyond the
boundary fence for instance).
The following factors or probabilities shall then be estimated (as fractions) to determine the
likelihood of the hazardous event resulting in a fatality:

Likelihood of the plant being operational (and thus in a position for the hazard to occur);
Likelihood of individuals / operators being present and at risk;
Likelihood of vessel or equipment rupture / leak (i.e. significant loss of containment);
Likelihood of ensuing ignition;
Likelihood of propagation to one or more fatalities and likelihood of propagation to adjacent
facilities (i.e. Domino effect).

The impact of multiple trains (i.e. duplicated similar risks) shall be taken into account in this analysis.
Commentary: Note that where future plant modifications result in changes to the configuration,
additional equipment / trains etc., the basis and justification for the HIPS shall be revisited (refer to
Section 11.3). Where future trains are planned, either the existence of these should be included in
the analysis or a clear strategy for how this will be managed must be documented.
The maximum tolerable failure rate (as failure rate per annum) shall be calculated as the maximum
tolerable risk per scenario divided by the product of the factors above. The maximum tolerable
probability of failure on demand (PFD) of the HIPS protection (i.e. the mitigation) is the maximum
tolerable failure rate divided by the frequency of demand on the protection, e.g. from the demand
gate in the fault tree (refer to Section 9.6).
The above is only an outline of this process. Reference should be made to the BG Guideline
Specifying and Achieving Functional Safety, BGA-ENG-INST-GL-0002, for further detail (including
guidance on the values that should be applied for the modifying factors listed above) [3].
Quantified assessment shall only be performed by an independent expert as the techniques
involved require specialist knowledge and training.
It is important to note that a quantified analysis will deliver a very precise answer, but will be highly
sensitive to the nature of the initial assumptions, not least the factors estimated in the process
above. It is therefore essential that appropriate project and operations personnel are involved in
supplying input data and liaising with the independent expert conducting this work to ensure that a
true reflection of the situation is achieved. Given the uncertainties that will be involved in applying
some of the probabilities and assumed component failure rates in quantified analysis, due
consideration shall be given to the sensitivity of the conclusions (and the SIL target established) to
adopting a conservative range of values for assumed probabilities, component failure rates etc. It is
important that all assumptions in this respect are fully documented.
Analysis of HIPS integrity shall reflect the fundamental layers of protection approach inherent in
API RP14C (or BS EN ISO 10418) (refer to Section 8.2) and, in particular, recognise that the HIPS
is replacing the completely independent relief valve (i.e. in an over-pressure application, perhaps
inherent safety in other cases), and not the primary (ESD) trip protection, and as such should
independently achieve a level of reliability that is equal or better than that of a relief valve (refer to
Sections 9.1 and 9.6.1).
As such, whilst SIL targeting (quantified analysis) may take credit for an ESD protective device
reducing demand on the HIPS, this shall not be used as a means of justifying adoption of a SIL
requirement for a HIPS that is less than the default SIL 3 (refer to Section 9.1). Where initial
evaluation suggests a very challenging SIL requirement (such as SIL 4, or SIL 3 with onerous
testing requirements), it is acceptable to take credit for all mitigations in order to achieve a realistic
design. Note that where mitigations such as ESD are taken credit for in the analysis, this shall only
be permissible provided that dynamic analysis is conducted to confirm that it acts fast enough to
prevent the hazardous scenario should the HIPS not function (refer to Section 9.7).
Commentary: There may be circumstances where it is not practicable to employ such layers of
protection, for instance where limited pressure margins are available to set the various trip levels.
Where it can be justified for HIPS alone to provide protection then this shall be subject to
review by, and approval in advance of implementation from, BG Advance Engineering.
Commentary: It is important to emphasise that a given system (e.g. ESD) cannot be shown as
mitigating an event via one set of outputs when it has caused the event as a result of failure of some
other output function. Although possible, it is important not to take credit for it in making a safety
argument. An example might be where a (HIPS) valve failing to the open position (just one of a
number of failure modes, most of which would otherwise be to fail safe) should not then be
considered as subsequently closing as part of the protective system.
Commentary: The response time of a primary protection system such as ESD is a crucial factor.
Credit is often taken for layered protection systems in the analysis (e.g. the usual ESD pressure
trips in line with API RP14C), without recognising that this is only valid provided that they too, like
the HIPS, function fast enough to prevent the unsafe condition arising (e.g. overpressure). On plant
revamp or debottlenecking applications particularly, this may not be the case and response times
for ESD trips may often have to be speeded up if they are to be credited as part of the protection
system, e.g. faster closing wing valves. Note that in all cases it is preferable (from an operability
perspective) to have the ESD device close in sufficient time that the HIPS set-point is not attained.
For failure rate data to be used in conducting quantified (fault tree) or LOPA analysis, reference
should be made to the BG Guideline Specifying and Achieving Functional Safety, BGA-ENG-INST-GL-0002 [3].
9.5.3 ALARP

In the context of the IRPA assessment above (refer to Section 9.5.2), it shall be recognised that the
Company maximum tolerable risk target is just that, a maximum. In respect of the As Low as
Reasonably Practicable (ALARP) criteria, the broadly acceptable risk level at which ALARP is
deemed to be satisfied is 10^-6 (employee risk) or 10^-7 (public risk), two orders of magnitude lower
than the (Company) maximum tolerable. This should be carried forward to establish a parallel
broadly acceptable failure rate for the HIPS.
Therefore, any assessment of HIPS requirements via quantified analysis shall consider the risk
reduction options available to reduce risk to the broadly acceptable level. This is typically achieved
via an analysis of the cost and time involved in any proposed risk reduction to establish whether this
is grossly disproportionate to the safety benefit gained. The cost per life (or non-injury) criterion
applied as part of this analysis may vary depending on whether the application is onshore or
offshore. Reference should be made to the BG Guideline Specifying and Achieving Functional
Safety, BGA-ENG-INST-GL-0002 [3], for establishing a cost per life saved value to be used in
quantified cost-benefit analysis and for further information relating to ALARP assessment.
The ALARP assessment shall include the following steps:
Establish the maximum tolerable risk per scenario per annum (refer to Section 9.5.2);
Establish the broadly acceptable risk per scenario per annum (two orders of magnitude
lower than the maximum above);
Establish the maximum tolerable failure rate per annum (refer to Section 9.5.2);
Identify the achieved failure rate per annum (from fault tree analysis, refer to Section 9.6);
Calculate the achieved risk per annum (pa):
    Achieved risk pa = maximum tolerable risk per scenario pa x achieved failure rate pa / maximum
    tolerable failure rate per annum
Adopt the appropriate cost per life saved figure [3];
Calculate the ALARP cost:
    Cost per life saved = cost of proposal / [(achieved risk pa - broadly acceptable risk per scenario pa)
    x life of operation x number of fatalities]
Any proposal for reducing risk costing at or below the cost of proposal identified above shall be
implemented.
It shall not be acceptable to simply accept a risk level that meets the maximum tolerable target
without considering opportunities to further reduce the risk to ALARP.
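The PFD target derivation outlined in Section 9.5.2 and the ALARP steps of Section 9.5.3, carried through as an added worked example in Python; it is not part of the Standard. The modifying factors, demand frequency, cost per life figure, operating life, fatality count and all function names are constructed assumptions, and the cost ceiling is the Section 9.5.3 cost formula rearranged for the cost of proposal.

```python
# Added example (not from the Standard): arithmetic of Sections 9.5.2 and 9.5.3.
# Every numeric input used here is constructed for illustration only.
from math import prod

# Table 9.1 low-demand bands: (SIL, upper PFD bound, lower PFD bound)
SIL_BANDS = [(1, 1e-1, 1e-2), (2, 1e-2, 1e-3), (3, 1e-3, 1e-4), (4, 1e-4, 1e-5)]


def risk_per_scenario(irpa_target, simultaneous_risks):
    """IRPA target divided by the number of simultaneous risks to an individual."""
    if simultaneous_risks < 1:
        raise ValueError("at least one simultaneous risk is required")
    return irpa_target / simultaneous_risks


def max_tolerable_failure_rate(scenario_risk, factors):
    """Tolerable risk per scenario divided by the product of the modifying factors."""
    for name, value in factors.items():
        if not 0.0 < value <= 1.0:
            raise ValueError(f"factor {name!r} must be a fraction in (0, 1]")
    return scenario_risk / prod(factors.values())


def max_tolerable_pfd(failure_rate_pa, demand_frequency_pa):
    """Tolerable failure rate divided by the demand frequency on the protection."""
    if demand_frequency_pa <= 0:
        raise ValueError("demand frequency must be positive")
    return failure_rate_pa / demand_frequency_pa


def sil_for_pfd(pfd):
    """Map a PFD target to (SIL, permitted) using Table 9.1; SIL 4 is not allowed.

    Returning SIL 0 for a PFD of 1e-1 or above is this example's own convention.
    """
    if pfd >= 1e-1:
        return 0, True
    for sil, upper, lower in SIL_BANDS:
        if lower <= pfd < upper:
            return sil, sil < 4
    raise ValueError("PFD target below 1e-5 lies outside Table 9.1")


def achieved_risk(scenario_risk, achieved_rate_pa, tolerable_rate_pa):
    """Section 9.5.3: tolerable risk scaled by achieved / tolerable failure rate."""
    return scenario_risk * achieved_rate_pa / tolerable_rate_pa


def cost_per_life_saved(cost, achieved, broadly_acceptable, life_years, fatalities):
    """Section 9.5.3 cost formula; None when risk is already broadly acceptable."""
    reduction = achieved - broadly_acceptable
    if reduction <= 0:
        return None
    return cost / (reduction * life_years * fatalities)


def alarp_cost_ceiling(adopted_cost_per_life, achieved, broadly_acceptable,
                       life_years, fatalities):
    """Same formula solved for the cost of proposal at the adopted cost per life."""
    reduction = max(achieved - broadly_acceptable, 0.0)
    return adopted_cost_per_life * reduction * life_years * fatalities


def pfd_target(presence_fraction):
    """Run the Section 9.5.2 chain for one assumed personnel-presence fraction."""
    scenario = risk_per_scenario(1e-4, 10)  # the Standard's own example: 1e-5
    factors = {  # constructed values, not guidance
        "plant operational": 1.0,
        "personnel present": presence_fraction,
        "rupture / leak": 0.5,
        "ignition": 0.2,
        "propagation to fatality": 1.0,
    }
    rate = max_tolerable_failure_rate(scenario, factors)
    pfd = max_tolerable_pfd(rate, demand_frequency_pa=0.5)  # constructed demand rate
    return scenario, rate, pfd, sil_for_pfd(pfd)


if __name__ == "__main__":
    # Sensitivity: changing one assumed factor moves the target by a whole SIL band.
    for presence in (0.1, 1.0):
        scenario, rate, pfd, (sil, permitted) = pfd_target(presence)
        print(f"presence={presence}: rate={rate:.1e}/yr PFD={pfd:.1e} "
              f"SIL {sil} permitted={permitted}")

    scenario, tolerable_rate, _, _ = pfd_target(0.1)
    risk = achieved_risk(scenario, achieved_rate_pa=5e-4, tolerable_rate_pa=tolerable_rate)
    ceiling = alarp_cost_ceiling(1_000_000, risk, scenario / 100, life_years=25, fatalities=2)
    print(f"achieved risk={risk:.1e}/yr, ALARP cost ceiling={ceiling:.0f}")
```

With a presence fraction of 0.1 the target falls in the SIL 2 band, and with 1.0 it falls in the SIL 3 band, which is the sensitivity to initial assumptions that Section 9.5.2 asks to be documented.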
9.6 Reliability Analysis

Reliability analysis shall be conducted to establish the predicted reliability (in terms of the probability
of failure on demand or achieved failure rate) of the HIPS and demonstrate that this meets the
assessed safety target, relative to the default SIL target (refer to Section 9.1) and the target derived
from the maximum tolerable risk / failure rate criteria or from BG Risk Graph evaluation of
environmental, economic or reputational loss criteria etc. (refer to Sections 9.5, 9.5.1 and 9.5.2).
Comment: The reliability assessment is a statistical process for applying historical failure data to
the proposed design and system configuration. It therefore provides a credible target / estimate of
the likely reliability of equipment assuming manufacturing, design and operating conditions similar to
those under which the data was collected. It is therefore a valuable design review technique for
comparing alternative configurations, establishing order of magnitude targets and evaluating the
potential effects of design changes, different degrees of component redundancy etc. The actual
predicted values cannot, however, be guaranteed since forecasting the precise number of field
failures which will eventually occur depends on many factors outside of the control of a predictive
exercise. As such, care should be taken in the interpretation and use of reliability analysis results.
Such reliability analysis is typically undertaken by external consultant companies. As indicated
above (refer to Section 9.5.2) quantified assessment shall only be performed by an independent
expert as the techniques involved require specialist knowledge and training.
The reliability analysis shall adopt a fault tree methodology to examine all elements of the HIPS
from sensor through the logic solver to the final elements and establish the top level probability of
failure on demand (or failure rate) from the individual component contributions, failure rates etc. In
constructing the fault trees, the causes of overpressure and demand frequency on the protection
should be considered as one gate with the mitigations (i.e. the HIPS) as the other gate to generate
the top level PFD.
Commentary: The use of reliability block diagrams may be considered as an alternative reliability
analysis method to fault trees, provided that appropriately qualified and experienced parties are
employed for this analysis.
Since all devices used in the HIPS contribute to the potential probability of failure on demand of the
protection, the structure of the instrumented loop shall be defined and evaluated as a system so that
the entire loop meets the target.
The uncertainty in reliability data shall be taken into account in performing the analysis and the
sensitivity to alternative data duly assessed. Since available reliability data is often limited, it
becomes essential that field availability data is sought and collected in a suitable manner, as a
minimum post start-up or implementation of the HIPS in question, i.e., as an ongoing validation of
the basis of design for the HIPS (refer to Section 11).
Commentary: Care shall be taken in the use of industry reliability data typically used in reliability
analysis, e.g. OREDA, FARADIP. The user should recognise where reliability data derives from
either a very large sample (and is therefore more representative) or, as is often the case, from a
mere handful of cases (for which its representability may be more questionable). Finding data for a
particular component type in the specific relevant service may not be straightforward and the extent
of the available reliability data may be severely limited. It may also not be possible to discern from
the failure data what percentage of failures arose from the specific failure cause pertinent to the
HIPS component under study (i.e. that would lead to the unsafe condition). Where suitable data is
limited, it may be appropriate to take a conservative view in respect of the values adopted for the
fault tree analysis but to then instigate a programme for reporting and documenting component
failures through the plant life-cycle to enable the basis for HIPS design(s) to be adapted in future,
e.g. a high frequency test interval might be necessary initially, based on conservative failure rate
data, that might be reduced to a lower frequency after several years collection and reporting of
actual field data if this justifies better failure rate assumptions. It is worth recognising that in the
case where failure of valves to close, transmitters to sense / transmit etc. dominates the overall
HIPS reliability, there may be numerous valves or transmitters across the facility with similar
characteristics that may contribute to building a failure data archive. It is essential in such cases
that the nature of the individual failures is recorded (partial, total, failure to open or to close etc.).
Reference should be made to BG Guideline Specifying and Achieving Functional Safety, BGAENG-INST-GL-0002 for further detail on the analysis process [3].
9.6.1 Reliability of a Relief Valve

As indicated in Sections 8.1 and 9.1, the basic criterion against which any proposed (high pressure)
HIPS shall be assessed is whether it achieves a reliability (or probability of failure on demand) that
meets or exceeds that of the mechanical relief protection that it replaces (or the sizing case for that
protection that it negates).
For the purposes of determining the default configuration requirements and integrity of any
proposed HIPS (notwithstanding the outcome of SIL targeting and quantified analysis results, refer
to Section 9.5), it is necessary to assume a number for the typical reliability of a relief valve.
Industry data [3, 6] suggests that this is in the range of 3 x 10⁻³ (failures to open) to 1 x 10⁻² (total
failures) per annum, broadly applicable to conventional spring operated relief valves. Pilot operated
relief valves could be taken to be typically one order of magnitude worse than this.
The default probability of failure on demand for a typical relief valve shall be taken as better than 103
for the purposes of evaluating minimum HIPS requirements.
Commentary: The range of reliability data available in the public arena for relief valves lends itself
to adopting a single reasonable figure for presumed reliability as above, rather than simply
assuming the worst reliability predicted (given that we are seeking an instrumented system that is
equal to or better than the mechanical protection). Alternative sources of user supplied process
equipment reliability data such as available from the US Center for Chemical Process Safety (i.e.
the American Institution of Chemical Engineers) [9, 11] for this kind of analysis (i.e. not manufacturers'
data) would suggest that relief valve reliability may be substantially better than indicated by the UK
sources above. In setting the minimum integrity target for HIPS replacing a relief valve, the HIPS
should therefore meet at least a SIL2 standard, and more likely a SIL3, depending on the type of
valve.
9.6.2 Reliability of Mokveld Valves

One of the dominant factors dictating the overall reliability of HIPS loops is the historical failure rate
data associated with typical ball (or gate) type shutdown valves forming the final element(s) of the
system.
Mokveld Valves is one supplier that offers a more reliable axial flow valve having tight shut-off
capabilities and suitability for high integrity applications (e.g. in SIL3 service).
Commentary: Mokveld themselves highlight a number of factors that purportedly justify the
improved reliability claimed for their valve over conventional ball / gate valve designs:
• The design of the Mokveld HIPS valve does not need the high seating torques for open and
  closed positions like ball valves. Instead, the required valve thrust is fairly constant over the
  full valve stroke. Valve failure, sometimes caused by unpredictable high initial opening
  (breakaway) torque, is therefore avoided, making the valve very reliable;
• The design results in less change to valve friction caused by pressure differentials, scaling,
  debris and corrosion on the closing elements;
• The design allows for fast operation, typically slam-shut closing times of 2 seconds or less
  being achievable;
• The design allows for an actuator oversize factor of 5 and the capability of opening or
  throttling against full design pressure (note that this does not preclude having to make
  provisions for safe re-pressurisation after a HIPS trip, refer to Section 9.3.6);
• In addition to valve diagnostics, the Mokveld HIPS can be equipped with online monitoring
  capability to achieve a smart system;
• Mokveld claim independent derivation of the claimed failure data by Serco (formerly the
  Atomic Energy Agency Technology) based on a database collection of 30 years' experience
  in applying these valves.
Further details can be found on the company website www.mokveld.com
Key to specifying Mokveld type valves is the improved failure rate data that can be adopted for
reliability analysis, which can greatly improve the predicted probability of failure on demand of the
overall HIPS. If Mokveld valves are specified, the failure rate data (i.e. failure to close) that shall be
used is as follows:
Failure rate per annum = 0.0035 (equivalent to 0.4 failures per million hours) [3]
Commentary: The above failure rate number for Mokveld valves' failure to close has been derived
from a field study of Mokveld valve reliability [6, 10]. Note that this links to an overall failure rate for
such valves of around 0.07 per annum (equivalent to 8 failures per million hours). Whilst there is
general industry acceptance that Mokveld valves offer enhanced reliability in HIPS service
compared to more conventional valve designs, the manufacturer's claim that a failure rate of 4.4 x
10⁻⁴ failures per annum is achievable for their valve is not supported by such actual reliability data
as is available, hence the adoption above of a more conservative value.
For clarity, HIPS loops do not have to utilise Mokveld valves as the final elements. These are just
one type of shut-off valve the design of which supports the use of better failure rates than some
more conventional designs. Whilst the use of Mokveld valves is encouraged due to their higher
reliability, any design of final element can be selected so long as the failure rate data used in the
reliability analysis is pertinent to that type of valve and the system as a whole meets the SIL 3
requirement.
If there is deemed to be due reason and supporting justification for adopting a more
optimistic failure rate than the above for Mokveld or any other valves in the HIPS reliability
analysis for a given application, this shall be subject to review and approval by BG Advance
Engineering.
9.6.3 Integral Mokveld Solution

Mokveld Valves also offer an alternative configuration to the more usual initiator - logic solver - final
element arrangement where the transmitters and logic solver are most often supplied by other
parties. This is based on mechanical (pressure) switches directly (hydraulically) actuating a
Mokveld shut-off valve, with no external energy, wiring or cabling required. This configuration is
hydraulically unbalanced across the actuator. High pressure detection via the pressure switch
releases the hydraulics, balancing pressure and rapidly closing the valve.
By design this represents a much simpler configuration, avoiding the typical voting and logic solver
elements of a HIPS, and may therefore be worthy of consideration by projects where this feature
offers key advantages, e.g. where local factors, skills etc. might promote adoption of simpler
designs (i.e. operators do not require training for a complicated safety system). The voting
arrangement conferred by this approach is set by the number of pressure switch / valve
combinations provided (e.g. 1oo2, 1oo3) and as such overall plant availability might be impacted
(e.g. compared to the 2oo3 typically possible with conventional HIPS). This shall be taken into
account in determining requirements, number of elements etc. in adopting and justifying this kind of
protection system.
Commentary: Given the limited historical application of this technology, reliability data may need to
be sought from Mokveld. The vendor claims TUV certification suitable for SIL 3 application. Any
data used should ideally have been validated by such third parties or, failing that, validated by the
project against typical component reliability data held in industry databases. An assessment of the
overall probability of failure on demand of an electronic Mokveld HIPS in contrast to the hydraulic
design has been completed in Technis Report No. T392.10
9.7 Functional Performance Requirements (Dynamic Analysis)

When specifying the process performance of a HIPS, the process dynamics shall always be
evaluated to ensure that the HIPS response time, from initial sensor response to a high process
parameter measurement through to completed closure of relevant valves, trip of rotating machinery
etc., is fast enough to prevent the unsafe condition (e.g. overpressure) arising in the vessel/system
protected.
The response time shall be evaluated by considering the time it takes to sense that there is an
unacceptable process condition, the scan rate and data processing time of the logic solver and the
time taken to isolate/trip or close the final element(s).
In most HIPS applications, the critical element in this response time is usually the closure time of
valve(s) forming part of the HIPS. The required closure time for the HIPS valves must be
established for each individual HIPS installation. The valve specification shall ensure that the
actuator provides sufficient driving force to close the final element under the worst case upset
pressure condition.
Dynamic simulation shall be employed in order to establish required closure times for valves within
HIPS loops or, where the HIPS relies on a device stopping (e.g. a pump, compressor etc.), then the
time to completed trip. Such simulation will typically require detailed knowledge of the system being
protected, such as:

• Normal / starting operating conditions, trip set points;
• In-flow rates;
• Vessel / equipment details / sizes;
• Piping isometrics and system volumes;
• In-line component data, valve size / characteristic / time to close / time to open data;
• Details of the HIPS configuration;
• Sensing time data for the initiating transmitters;
• Lag time data for the instrumentation / HIPS logic systems.

Evaluation of HIPS response behaviour shall always consider the most extreme scenario, such as
the maximum envisaged flowrate condition, the worst case system blockage event and so on.
Where inadvertent closure of a valve serves as the trigger for a HIPS event, determination of HIPS
response requirements shall be established on the basis of the shortest conceivable closure time for
the valve.
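The response-time budget described above (sensing time, logic solver time, valve closure time) can be screened with a lumped model before dynamic simulation is available. The following is an added example, not part of the BG standard; it assumes a blocked-in gas volume treated as a single isothermal volume, inflow that is independent of downstream pressure until the HIPS valve throttles it, and no surge effects, and all function names and numbers are constructed for illustration.

```python
"""Screening estimate of the HIPS valve closure time allowed by the pressure margin.

Assumptions (added here, not from the standard): one lumped, isothermal gas
volume downstream of the HIPS valve; inflow independent of downstream pressure;
flow through the closing valve depends only on stroke fraction; no surge.
"""
R_GAS = 8.314462618  # universal gas constant, J/(mol*K)


def pressure_rise_rate(mass_inflow, volume, temperature, molar_mass, z=1.0):
    """Return dP/dt in Pa/s for mass_inflow (kg/s) into a closed volume (m3)."""
    if min(mass_inflow, volume, temperature, molar_mass, z) <= 0:
        raise ValueError("all inputs must be positive")
    return mass_inflow * z * R_GAS * temperature / (molar_mass * volume)


def linear(x):
    """Flow fraction falls in proportion to stroke fraction x (0 open, 1 shut)."""
    return 1.0 - x


def late_cutoff(x):
    """Flow stays high for most of the stroke and collapses near the seat."""
    return 1.0 - x * x


def mean_flow_fraction(characteristic, steps=1000):
    """Midpoint-rule average of the flow fraction over one full closing stroke."""
    return sum(characteristic((i + 0.5) / steps) for i in range(steps)) / steps


def peak_pressure(rate, p_trip, t_sense, t_logic, t_close, characteristic=linear):
    """Peak pressure (Pa) reached by the time the valve is fully shut.

    Full inflow continues during the sensing and logic solver lags; during the
    stroke the inflow is scaled by the valve characteristic.
    """
    lag_rise = rate * (t_sense + t_logic)
    stroke_rise = rate * t_close * mean_flow_fraction(characteristic)
    return p_trip + lag_rise + stroke_rise


def max_closure_time(rate, p_trip, p_limit, t_sense, t_logic, characteristic=linear):
    """Longest stroke time (s) that keeps the peak at or below p_limit.

    Returns None when the sensing and logic lags alone consume the margin,
    i.e. no closure time, however short, would prevent the overpressure.
    """
    margin = p_limit - p_trip - rate * (t_sense + t_logic)
    if margin <= 0:
        return None
    return margin / (rate * mean_flow_fraction(characteristic))


if __name__ == "__main__":
    # Constructed worst-case inputs: maximum in-flow, smallest credible volume.
    rate = pressure_rise_rate(mass_inflow=20.0, volume=5.0,
                              temperature=300.0, molar_mass=0.018)
    set_point, tolerance, limit = 70e5, 1e5, 90e5   # Pa
    p_trip = set_point + tolerance                  # trip at the top of the tolerance band
    print(f"pressure rise rate: {rate / 1e5:.2f} bar/s")
    for name, char in (("linear", linear), ("late cut-off", late_cutoff)):
        t_max = max_closure_time(rate, p_trip, limit, 0.3, 0.2, char)
        label = "not achievable" if t_max is None else f"{t_max:.2f} s"
        print(f"{name:>12}: maximum closure time {label}")
```

The two valve characteristics give different allowable stroke times for the same margin, which is why the valve characteristic appears in the list of simulation inputs alongside the time to close.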
For HIPS applications where a blocked outlet generates the hazardous condition, consideration
shall be given to all potential causes that might result in either blockage or closure, not just the
normal closure time for a valve on utility supply failure (e.g. air, hydraulics, power) and reflect these
accordingly in the functional performance evaluation (i.e. dynamic analysis).
The designer shall consider whether mechanical failure modes apply to the valve types in the
system that could result in very rapid blockage of flow. This is liable to represent the worst case
scenario where surge is likely to be a factor in the rate of pressure rise and this may influence the
set pressure for the HIPS trips etc. This may typically require contact with vendors to confirm
design details of the components and their potential for such failures. Where mechanical failure
giving rise to rapid flow blockage is deemed physically feasible, this shall not be omitted as a case
for the dynamic analysis on the basis of presumed low probability alone, particularly so where the
consequences of failure are high.
Commentary: It is recognised that some valve types will not be susceptible to any mechanical
failure mode that could result in very rapid blockage of flow (say within a second or so), e.g. ball
valves. In contrast, some other designs (e.g. certain types of butterfly valves) are known to be
susceptible to stem shear or loss of the pin(s) that retain the disc to the stem. Such failures in
valves where the action is flow to close could cause extremely rapid cessation of flow. It is
incumbent on the designer to establish these risks on a case-by-case basis.
In a similar manner, the designer shall give due consideration to process related properties that may
generate blockages. The most obvious of these is the potential formation of hydrates. Even where
it may be considered unreasonable that such blockages could occur rapidly, the risk of hydrates
subsequently being dislodged and then rapidly blocking any downstream flow constriction, orifice,
valve etc. shall be evaluated and reflected in the dynamic analysis where appropriate. This risk is
prominent where methanol is deployed operationally in an attempt to clear any such blockage
(which would be the usual approach).
Commentary: It is common for special (quick exhaust) valves and / or actuator dump systems to be
necessary in order to achieve the fast closure times often required for HIPS valves. Where the
closure time calculated is deemed impracticable, however, HIPS may not provide a suitable method
of preventing overpressure.
Commentary: In most oil & gas industry HIPS applications, there is just a single process variable of
interest, usually pressure, i.e. the HIPS responds to a high detected pressure and acts to isolate the
source of high pressure / in-flow. It is worth noting, however, that this may not be the case in more
complex process operations, where more than one process variable may be involved (e.g. where
there are reactions, flow / mass or pressure / temperature relationships). In such cases, both the
HIPS complexity and the dynamic modelling complexity will escalate.
Commentary: It is possible that in some circumstances neither HIPS nor conventional PSVs will be
capable of preventing overpressure, in which case some other more appropriate protection is
required, e.g. tube rupture on a shell and tube exchanger where PSVs and HIPS would be too slow
and a bursting disc may be needed, surge pressures requiring specialised surge relief valves etc.
Whilst provisional assessments of HIPS dynamic response times, and hence required valve closure
or trip times, may be conducted by necessity based on early design information (perhaps isometrics
not being available, so estimated system volumes), these shall be confirmed at the earliest
opportunity based on firm data (refer to Section 9.2 and Figure 9.1).
Commentary: It is essential that reasonable estimates of HIPS requirements be made during the
FEED stages of a project in order to fully understand the design implications and options available.
Whilst this will be further engineered during detail design, it is crucial that the confirmed design
configuration is incorporated in the bid documents for that phase of work, the more so when this is
let as lump sum rather than reimbursable.
For brown field modifications, a thorough analysis of existing safety and overpressure protection
systems shall be undertaken in order to establish suitability and confirm validity for the new
operating conditions, flows etc. HIPS designs, and their inherent performance/response times,
reflect the initial set of process operating data appropriate at the time of design. Whenever any of
this initial data changes (e.g. increased plant throughput, changed trip settings etc.), it is essential
that dynamic modelling is conducted to confirm that the response times of installed systems/valves
etc. continue to prevent overpressure.
Consideration shall be given in the dynamic analysis to the impact of a system re-start after a HIPS
trip and, in particular, the risk of high surge pressures potentially incurred should a HIPS valve be
re-opened with a high upstream pressure. Reference should be made to Section 9.3.6 in respect of
how this risk shall be normally mitigated / prevented, but in order to achieve the most inherently safe
design, the HIPS shall respond sufficiently fast to prevent overpressure should the controls /
safeguards against valve re-opening on high upstream pressure be defeated. As such, dynamic
analysis will need to identify the implications on the required closure times of the HIPS valves as
part of overall HIPS response and, potentially also the fastest re-opening times of the HIPS valve(s).
Commentary: It may be necessary in some instances to slow down opening times of HIPS (or other
actuated) valves to ensure that the HIPS can provide acceptable system protection, where this is not
otherwise provided by downstream relief capacity. This approach shall not, however, obviate the
need to provide system interlocks and inhibits of an appropriate integrity to help prevent this unsafe
condition from arising (number and voting arrangements to be determined to meet the assessed
integrity requirements).
Activation of the first level of protection (e.g. an ESD) should not ideally cause the second level of
protection (i.e. the HIPS) to activate. Both ESD and HIPS levels of protection shall function in
sufficient time to prevent the hazard if the other one were to fail. Dynamic analysis of the response
time and set points for the ESD and HIPS shall be performed to ensure that this objective is
satisfied.
Commentary: This is particularly pertinent where credit is taken for either the ESD trip reducing
HIPS demand or for the ESD system in tandem with HIPS meeting the overall target integrity (refer
to Section 9.5.2). Where dynamic analysis indicates that the ESD is unable to prevent overpressure
alone and system protection relies only on the HIPS, then it is essential that the reliability analysis
reflects this (refer to Section 9.6). Such proposed designs shall be subject to review by, and
approval in advance of implementation from BG Advance Engineering.
The calculated set point and response time for the HIPS shall then form part of the performance
standard for the system (refer to Section 9.11) and shall be validated by system test in accordance
with the test interval integral to the reliability analysis for the system (refer to Section 9.14).
9.8 HIPS Valve Leakage

In HIPS applications where a source of high pressure/in-flow is isolated in order to prevent
overpressure (i.e. by provision of HIPS valve(s)), then due allowance shall be made for the potential
of such valve(s) to leak. Where the protected system is closed in, leakage across HIPS valves may
still lead to overpressure in the downstream system. Provision shall be made in such cases for
relief valve(s) to protect the low pressure system against the maximum leakage rate.
Commentary: For many systems, there will already be a relief valve downstream of the HIPS valves
(e.g. fire relief on a production separator) and it will simply be necessary to confirm that this can also
handle the potential leakage rate across the HIPS valve(s). Where no such relief valve is provided
for other reasons, a dedicated relief valve(s) shall be provided to cater solely for HIPS valve
leakage.
The valve specification for HIPS valves shall always include the required or limiting leakage rates.
Relief valve sizing shall take into account the highest leakage rates identified by valve suppliers with
reasonable margins added. The leakage rate acceptable given the proposed / installed relief
capacity shall form an element of the performance standard for the HIPS (refer to Section 9.11).
The minimum allowance for valve leakage in sizing downstream relief shall be 1% of the rated flow
through the HIPS valve [12].
Where there is a start-up bypass around the HIPS valve (refer to Section 9.3.6), the downstream
relief valve sizing shall, as a minimum, cater for the bypass flow in the fully open position (or
alternatively the maximum flow limited by a restriction orifice if fitted) with the HIPS valve closed,
plus leakage of up to 1% of rated flow through the HIPS valve or its performance leakage
specification, whichever is the greater.
9.9 Diagnostic Capability

Diagnostic capability shall be designed into all HIPS in accordance with BS IEC 61511 as
necessary to achieve the required SIL, with the single exception of the integral Mokveld
configuration (refer to Section 9.6.3). The ability to detect failures of devices on-line also
significantly improves the availability of the HIPS.
Commentary: One example would be the use of signal comparison on analogue inputs which allow
transmitter failures to be detected and alarmed in the control room.
Consideration shall be given to the use of advanced diagnostic capability for valves / systems (e.g.
such as that supplied by Mokveld) that may serve to achieve better reliability for a HIPS.
Commentary: Note that diagnostic coverage will affect the safe failure fraction which, in turn, will
affect the SIL which can be claimed.
To support the claimed risk reduction associated with diagnostics (in the reliability analysis),
operational procedures shall require that these alarms be responded to promptly with a work order
to repair within the mean time to repair period specified in the performance standard (and as used in
the reliability analysis).
Maintenance procedures shall place high priority on the repair of HIPS related devices.
For a more comprehensive discussion of issues associated with diagnostic capability, reference
should be made to BS IEC 61511.
9.10 Common Cause Failures

A common cause failure occurs when a single failure results in the failure of multiple devices. The
application of HIPS designs shall ensure sufficient independence and diversity of devices to achieve
the reliability required for the HIPS.
Whilst common cause factors should be incorporated into the fault tree analysis (typically via the
beta factor), it is important that common cause failures are minimised by design. In the course of the
hazard analysis (refer to Section 9.4), all causes leading to each possible design excursion or
overpressure should be documented. Specification of the HIPS shall then ensure that the system
functions independently from these initiating causes.
Commentary: For example, if a control transmitter were identified as an initiating cause of an
overpressure scenario (say by triggering closure of an outlet valve, thus blocking the discharge), the
control transmitter cannot be the sole means for also detecting the potential overpressure incident.
At least one additional transmitter would be required for the HIPS function.
The following examples (as a minimum) of common cause faults shall be considered when
analysing HIPS requirements:
• Miscalibration of sensors;
• Fabrication flaws;
• Blockage of common process taps for redundant sensors (e.g. hydrates, wax);
• Flawed maintenance;
• (Unexpected) bypassing;
• Environmental impact on devices (e.g. solar radiation);
• Process fluid, contamination, solids etc. preventing action / closure (e.g. hydrates, wax);
• Utility failure, air, hydraulics, power.
9.11 Performance Standards

A performance standard (sometimes referred to as a safety requirement specification (SRS)) shall
be developed to cover each HIPS application. Performance standards are required to both ensure
that the basis of design of the HIPS is clearly documented and to provide a reference point for
ensuring that the system continues to meet its protection objectives and target integrity (SIL)
throughout its lifecycle.
Each performance standard shall include all aspects pertinent to the design and implementation of
the HIPS. For the purpose of achieving a consistent approach to documentation, it is recommended
that the format described in UKOOA guidelines [8] should be followed, with components/sections
relating to Functionality, Availability, Survivability, and Interdependencies (FASI) as indicated below.
As a minimum, the information listed below shall be included in the performance standard.
Functionality
This should document each overpressure scenario that will be addressed by the HIPS. It should
include the functional requirements for the HIPS and describe how and under what conditions the
HIPS will mitigate each overpressure scenario.
• Role statement summarising the overpressure risk and the functionality required of the HIPS
  to reduce the risk;
• Reference to controlled document(s) that relate to the HIPS (e.g. relevant P&IDs, cause &
  effects);
• A definition of the boundaries protected by the HIPS;
• Logic;
• Set point and tolerance (i.e. acceptable variation on the setting);
• Response time;
• Maximum valve leakage rate (where this is a significant factor in HIPS performance /
  downstream PSV sizing).
Availability
• Integrity specification;
• Integrity assessment assumptions (if a quantitative method has been used, the assumptions
  shall also be listed, together with the accepted probability of failure on demand (PFD) and
  frequency of overpressure);
• Test interval;
• Assumed mean time to repair of components.
Survivability
• Where survivability is an issue it should be elaborated on here;
• This might include, for example, indications of where key components / valves etc. are
  specified as fire-safe.
Interdependencies
The required performance of the HIPS will be based on a set of assumptions relating to the
process/facilities at the time of the analysis. These shall be clearly identified so that validity can be
checked and so that the HIPS can be readily assessed or re-validated against changing
assumptions, conditions etc. during the plant lifecycle. Dependencies will include such items as:
• Process conditions;
• Production rates;
• Plant line-up;
• Action time of the device causing the overpressure risk (e.g. assumed closure time of a
  valve blocking in a section of plant);
• Key assumptions used in the hazard analysis;
• Action of other protective systems to reduce the demand rate.

Commentary: Key assumptions relating to the hazard analysis and HIPS performance specification
that should be documented in the above may include:
• Blockage scenarios not considered credible at the time, e.g. such as wax blockage of a
  component (this may change over time, or perhaps as new reservoirs are tied back and
  therefore materially impact the validity of the HIPS through plant lifecycle);
• Interlocks / inhibits or defeat of interlocks / inhibits critical to the performance of the HIPS;
• Procedures relating to the re-instatement of spectacle blinds and the like that would defeat
  the HIPS protection if incorrectly applied;
• Assumptions on revealed or un-revealed failures;
• Where multiple overpressure scenarios help define the HIPS performance requirements,
  these shall be clearly identified for future reference (i.e. it is not good enough to simply list
  the determining case since this could change with future plant modification or changing
  process conditions), e.g. HIPS response times determined by HIPS valve re-opening with
  high upstream pressure rather than necessarily by inadvertent blocked outlet, how such may
  set required opening time limits on the HIPS valves etc.
The performance standard shall specify exactly how the HIPS shall be configured to achieve the
target SIL. The high availability requirements for HIPS drive the choices to be made concerning
device integrity, diversity, redundancy, voting, common cause concerns, diagnostic requirements
and testing frequency. Where credit is taken for supporting systems such as ESD in meeting the
system protection integrity target, then these requirements shall be fully reflected in the
performance standard as an integral component of the system design, performance and testing.
All HIPS elements shall be added to the safety critical items register.
9.12 HIPS Dossier

Whilst the HIPS performance standard provides a summary of the key elements and basis
for each HIPS, it is also important to develop and retain concise documentation covering all
aspects of the design for each HIPS, both as a record of the work done and a basis for life
cycle maintenance and update of the HIPS.
A HIPS Dossier shall therefore be compiled which covers all HIPS on a particular
installation or facility. It is expected that this Dossier shall contain the following as a
minimum:
• The HIPS assessment methodology;
• Description of each HIPS application, incorporating plant basis of design and basic
  requirement for the HIPS;
• Justification for HIPS selection, design and configuration;
• HIPS schematic;
• Hazard and consequence analysis studies / reports;
• Quantified / reliability analysis supporting selection of PFD / SIL and relevant test intervals
  and capturing assessment of diagnostic coverage of failures, common cause / mode failure
  analysis;
• Risk graph analysis reports checking environmental, economic and reputational loss SIL
  targets;
• Pertinent P&IDs;
• Pertinent cause and effect charts;
• Process calculation and dynamic analysis studies / reports;
• HIPS valve leakage contingencies;
• HIPS operating philosophy, including re-start constraints;
• HIPS maintenance, testing and repair plans / procedures;
• HIPS performance standards;
• HIPS lifecycle design plans.
9.13 HIPS Commissioning

Implementation and commissioning of HIPS shall be conducted in accordance with the parameters
specified in the performance standard and of course in line with the system design intent itself.
Any deviation from these documents identified during the commissioning process shall be
documented and commissioning suspended until such time as the implications on the achieved
system integrity (SIL) and performance have been fully analysed and either the HIPS confirmed as
still providing satisfactory protection or else modifications are implemented to ensure that it does so.
Commentary: One example might be where during commissioning the closure time of a HIPS
related valve is tested and found to be outwith the required time set by the performance standard.
Resolution of this problem might involve re-examination of the dynamic analysis setting overall
system response time, reduction of the set-point and / or speeding up of the valve closure time (or
slowing down of a valve re-opening time). As below, such changes shall be fully justified and
documented before implementation.
HIPS performance requirements and performance standard, including all relevant factors such as
set pressures etc. shall always be defined and documented during the design stage, except where a
new requirement arises during production due to changes and so forth. These fixed requirements
shall then apply during commissioning and operation. Under no circumstances shall HIPS design
parameters or settings be adjusted during commissioning, unless justified and supported by a
complete formal reassessment and update of the performance standard as part of the usual
management of change process (refer to Section 11.3).
9.14 Testing Requirements

If all failures were self-revealing, there would be no need to test safety system devices. Shutdown
valves not closing completely, solenoid valves stuck in position, pressure switches with stuck closed
contacts are examples of covert, dangerous failures. If safety system devices are not tested,
dangerous failures may only reveal themselves when a process demand occurs, perhaps resulting
in the unsafe event the system was designed to prevent. Testing is performed solely to identify
failures.
The appropriate testing of HIPS is fundamental to ensuring that the availability requirements for the
safety protection are satisfied. Architecture, redundancy and device integrity have a significant
effect on the probability of the system failing on demand and therefore on the necessary testing
requirements.
The required test interval for all HIPS loop components shall be established via the reliability
analysis of the installed HIPS loop.
Commentary: In general, HIPS components are tested at intervals ranging from 3 to 12
months but in practice this will be whatever is required to meet the target system probability of
failure on demand. Whilst operationally longer (e.g. annual) testing is preferred, this may not
always be achievable.
Unrealistically short test intervals shall be assessed for practicality (the more frequent testing
becomes the greater the impact on production availability for components that cannot be tested
off-line). This may become a particular issue in assessing the suitability of existing systems for
brownfield modifications. Where it is feasible to do so, a capability for on and off-line testing shall be
provided.
Commentary: There are other important aspects that should be assessed in setting test intervals.
Firstly, it is essential that the site capability enables the test frequency proposed (i.e. adequate
resources are available). Secondly, testing by its very nature may potentially introduce faults and
spurious shutdowns due to human error, thereby increasing the risk of hazardous events. Every
effort should therefore be made to design a system that requires the minimum of off-line testing.
Adoption of supervised circuits, built-in diagnostics and built-in redundancy (enabling on-line testing
of components and circuits) all contribute to minimising the frequency of off-line testing.
Whatever test frequency is established by the quantitative analysis, this becomes integral to the
safety design and testing shall be performed throughout system life in accordance with this
frequency. It is essential that operations and maintenance implement this testing regime. If it
changes, so does the QRA model. Any changes in test frequency shall be validated by quantitative
methods to ensure that the integrity is not lowered to an unacceptable level.
Extending a test interval for operational convenience, even if on the basis that the next interval
would be reduced, is not an acceptable practice. Within reason, all HIPS testing shall be in
accordance with the performance specification.
Whilst the operation of individual HIPS loop components may be tested separately, often off-line, an
overall system performance test shall be conducted in line with the test interval embedded in the
performance standard, i.e. in the reliability analysis. This test shall not only demonstrate completion
of the HIPS function from sensor detection of high signal to completed trip of the final device or
closure of the HIPS valve(s), but it shall also confirm the response time for this total process
(sensing to completed trip/closure). This response time must remain within that specified in the
performance standard, i.e. as included in the basis of design for the HIPS (refer to Section 9.11).
Nudge, jog or partial stroke tests (i.e. just checking the movement against the seat) may avoid
a shutdown but shall not be employed without good justification and approval by BG Advance
Engineering. Even where such an approach is justified and agreed, a full closure test shall be
conducted periodically, say every three tests (basis to be reviewed and agreed by BG Advance
Engineering). In many cases these are not practical due to the fast operating times of the HIPS
final elements. System response times shall be verified by personnel attendance in situ, e.g. to time
and report completed valve closure (not simply relying on a signal from limit switches back in the
control room).
Should a test demonstrate that the required response time is not met, a complete re-analysis of the
HIPS design shall be undertaken to confirm current input data, system configuration, system
volumes, operating conditions, flows, component function / performance (e.g. achieved valve
closure times against original design / intent) etc. This exercise shall establish if any modifications
(e.g. such as reduced set-point) are necessary to enable the HIPS to satisfactorily provide the
required overpressure protection.
Under normal circumstances, it is not acceptable to continue operation if a test has shown that a
required HIPS performance target has not been met. Each such circumstance may be subject to
individual risk assessments to allow production to continue whilst remedial steps are taken
but this shall only be with review by, and approval in advance of implementation from, BG
Advance Engineering.
System testing shall extend to all elements that deliver the system protection in accordance with the
SIL targeting and reliability analysis. If a HIPS design should be justified that also takes credit for
the ESD system in meeting integrity targets or Company maximum tolerable risk criteria, then these
systems shall also be subject to the same level of testing and verification as the HIPS, in
accordance with the reliability analysis and performance standard.
Test protocols for HIPS shall be embedded in the facility electronic operation/recording system and
aligned with the requirements set out in the performance standards. It is essential that HIPS testing
is not only conducted in accordance with these protocols but that results are recorded in full and
examined against the required performance targets stored in the system. Automatic alerts shall be
raised where a target is not met. It is not acceptable to simply record results without the check to
ensure that those results meet the performance standard requirements.
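The check described above, as an added example (not part of the standard or of any BG system): recorded test results are compared with the performance standard and an alert is returned for each target missed. The loop name, dates and limits are constructed, and reading "say every three tests" as "no three consecutive partial stroke tests" is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class PerformanceStandard:
    """Targets held in the recording system (values used below are constructed)."""
    loop: str
    max_response_s: float        # sensing to completed trip/closure
    test_interval_days: int      # interval fixed by the reliability analysis
    full_closure_every: int = 3  # assumption: a full closure at least every third test


@dataclass(frozen=True)
class ProofTest:
    performed: date
    kind: str                    # "full" (full closure) or "partial" (partial stroke)
    response_s: Optional[float]  # timed sensing-to-closure; None if not recorded
    witnessed_in_situ: bool      # closure timed by personnel at the valve


Alert = Tuple[str, date]


def evaluate(std: PerformanceStandard, tests: Sequence[ProofTest], today: date) -> List[Alert]:
    """Return one alert per performance target that the test history fails to meet."""
    ordered = sorted(tests, key=lambda t: t.performed)
    if not ordered:
        return [("NO_TEST_ON_RECORD", today)]
    alerts: List[Alert] = []
    previous: Optional[date] = None
    partial_run = 0
    for t in ordered:
        if t.kind not in ("full", "partial"):
            raise ValueError(f"unknown test kind: {t.kind!r}")
        # An extended interval is flagged even if the following interval is shorter.
        if previous is not None and (t.performed - previous).days > std.test_interval_days:
            alerts.append(("INTERVAL_EXCEEDED", t.performed))
        previous = t.performed
        if t.kind == "partial":
            partial_run += 1
            if partial_run >= std.full_closure_every:
                alerts.append(("FULL_CLOSURE_DUE", t.performed))
            continue
        partial_run = 0
        # Full closure tests must confirm the total response time, not just completion.
        if t.response_s is None:
            alerts.append(("RESPONSE_TIME_MISSING", t.performed))
        elif t.response_s > std.max_response_s:
            alerts.append(("RESPONSE_TIME", t.performed))
        # Limit-switch feedback alone does not count as verification of closure time.
        if not t.witnessed_in_situ:
            alerts.append(("NOT_WITNESSED", t.performed))
    if (today - previous).days > std.test_interval_days:
        alerts.append(("TEST_OVERDUE", today))
    return alerts


# Constructed sample: 2.0 s response limit, 180-day test interval.
SAMPLE_STANDARD = PerformanceStandard("HIPS-EXAMPLE", max_response_s=2.0, test_interval_days=180)
SAMPLE_TESTS = [
    ProofTest(date(2023, 1, 10), "full", 1.8, True),
    ProofTest(date(2023, 7, 1), "partial", None, True),
    ProofTest(date(2024, 2, 15), "full", 2.6, False),  # late, slow and not witnessed
]


def sample_alerts() -> List[Alert]:
    return evaluate(SAMPLE_STANDARD, SAMPLE_TESTS, today=date(2024, 3, 1))


if __name__ == "__main__":
    for code, when in sample_alerts():
        print(when.isoformat(), code)
```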
9.15 Third Party Verification

Independent third party verification shall be carried out for every HIPS application in order to confirm
the system requirements and design.
Such verification shall only be conducted by functional safety specialists with appropriate expertise.
This verification shall be required both for the system architecture to be provided (to confirm that it
meets the required integrity target) as well as for the design work underlying the HIPS, e.g. the
quantified analysis setting the integrity target in the first place.
Commentary: Verification of all HIPS designs shall be subject to quantified random hardware failure
analysis. Note that this may be particularly pertinent where methods other than fault tree analysis
(in which the probability of failure on demand is predicted) are used for reliability analysis.


Figure 9.1: Simplified HIPS Decision Tree

[Flowchart; text of decision points, outcomes and boxes only]

Decision points:
• Can HIPS be applied to prevent an unsafe condition occurring, reduce the sizing basis for a relief valve or replace the relief valve altogether?
• Applicability of ASME Code Case 2211: Is the vessel / equipment exclusively in air, water or steam service?
• Does any local code, regulation or authority require relief valve protection?
• Is HIPS the optimal solution?
• Is the target SIL < 3?

Outcomes:
• Use conventional pressure relief
• BGA review of quantified analysis required

INITIAL JUSTIFICATION FOR HIPS
• HIPS v. Relief pros / cons
• Environmental factors
• Availability of skills / resources
• Life cycle benefits

HAZARD ANALYSIS
• Document unsafe conditions / overpressure scenarios
• Assess merits of HIPS as mitigation
• Define functional requirements

QUANTIFIED ANALYSIS / SIL TARGETING
• Scenarios / configurations for analysis
• Fault tree analysis for selected configurations
• Selection of design meeting tolerable risk targets
• Confirm SIL target for the system
• Conduct ALARP assessment

DESIGN ISSUES
• Independence
• Device integrity
• Architecture
• Testing frequency
• Diagnostics
• Common cause considerations

Confirm via BG Risk Graph that environmental, economic or reputational loss criteria do not dictate higher SIL

DURING SELECT PHASE:
• HIPS v. relief v. full rating review
• Impact on option configurations
• Support for option selection

DURING FEED:
• Confirm workable
• Confirm impact on flare / vent design
• Establish key components
• Identify design implications
• Establish SIL

DURING DETAILED ENGINEERING:
• Firm up hazard analysis
• Complete quantified analysis
• Finalise design details
• Develop performance standard
• Compile HIPS Dossier
• Establish test / maintenance plans

FUNCTIONAL PERFORMANCE (DYNAMIC ANALYSIS)
• Confirm that the required system response requirements can be met for the HIPS and any other layers of protection taken credit for in the reliability analysis (e.g. ESD)

RELIEF SIZING
• Confirm reduced sizing basis for relief valve
• Modify vent / flare design basis accordingly

PERFORMANCE STANDARD
• Document rationale for the HIPS
• Specify functional / logic requirements
• Specify target SIL
• Provide supporting quantified / reliability analysis
• Specify system response time requirements
• Identify system testing requirements
• Compile all HIPS documentation into a HIPS Dossier

INSTALLATION / TESTING
• Verify loop response time
• Verify functionality
• Validate performance

OPERATION / MAINTENANCE / TESTING
• Test at designated frequency
• Follow change management procedures
Figure 9.2: Typical 1oo2 Field Input Configuration
[Diagram labels: 1oo2, PT, PT]

Figure 9.3: Typical 2oo3 Field Input Configuration
[Diagram labels: 2oo3, PT, PT, PT]

Figure 9.4: Typical Configuration of Final Elements with 1oo2 Valves and 1oo1 Solenoids
[Diagram labels: IA]

Figure 9.5: Typical Configuration of Final Elements with 1oo2 Valves and 1oo2 Solenoids
[Diagram labels: IA]

Figure 9.6: Typical Configuration of Final Elements with 1oo2 Valves and 2oo2 Solenoids
[Diagram labels: IA, S]

Figure 9.7: Typical Wellhead / Production HP / LP Interface HIPS with Single Common HIPS Loop
[Diagram labels: WELL (TYP.), IA, 2oo3, PT, HP / LP, VENT / FLARE, GAS, OIL/CONDENSATE, WATER]

Figure 9.8: Typical Platform Wellhead / Production HP / LP Interface HIPS with HIPS Loop Per Well / Flowline
[Diagram labels: WELL (TYP.), IA, 2oo3, PT, S, HP / LP, VENT / FLARE, GAS, OIL/CONDENSATE, WATER]

Figure 9.9: Typical HIPS Bypass Arrangement to Facilitate Re-Start after a HIPS Trip
[Diagram labels: DIFFERENTIAL PRESSURE INHIBIT, DPT, ESD (TRIP OF BYPASS VALVE), HIPS, HIPS / ESD, PT, RO, LC, HP / LP, BYPASS, FEED, VENT / FLARE, GAS, OIL/CONDENSATE, WATER]

10.0 Subsea HIPS

10.1 The Case for Subsea HIPS

The general requirements for HIPS described in Sections 8, 9 and 11 relate to all HIPS applications.
This section, on the other hand, describes requirements specific to the application of subsea HIPS.
For offshore developments where HIPS is applied to protect lower rated processing facilities against
potential overpressure from the wells, this results in the pipelines between the wells and processing
having to be designed for the full wellhead shut-in pressure. This has significant cost implications
and in some cases (such as for high pressure high temperature (HPHT) developments) may even
be impracticable due to constraints on the availability of components having a suitable size/pressure
rating. Even where physically possible to fully rate such pipelines, the cost may make the project
uneconomic. There are also flow assurance implications of operating pipelines at potentially
elevated pressures.
Application of subsea HIPS where the protection system is located close to the wells allows the
tieback pipeline (and risers where applicable) to be substantially de-rated, with both economic and
safety benefits, since the higher pressure hydrocarbon risk is kept away from the topsides/surface
facilities. Reference should be made to Section 10.2 regarding the implications of subsea HIPS for
remote risers.
The use of subsea HIPS is therefore attractive for deepwater developments, long tie-backs and/or
where wellhead shut-in pressures (and hence fully rated pipeline design pressures) are high.
The requirements for subsea HIPS are, however, more onerous than for surface located HIPS given
the additional elements that have to be incorporated to achieve fully remote testing and integrity
assurance and the difficulties associated with repair or component replacement. Pre-qualification,
design effort and quality control are likely to be integral factors in achieving successful subsea HIPS
application.
10.2 Subsea HIPS Requirements

For general requirements related to the application of subsea HIPS, reference shall be made to API
RP 170 Recommended Practice for Subsea High Integrity Pressure Protection Systems (HIPPS) [14].
Whilst subsea HIPS have obvious benefits, their use requires a significantly higher focus on
reliability and availability. Design of subsea HIPS shall consider both the cost and difficulty in
replacing defective components and the increased complexity involved in testing the systems to
ensure that performance requirements are met. At the same time, system design must minimise the
potential for spurious trips and resultant production loss. This may often be a balancing act:
increased integrity and nuisance failures reduce availability, whilst increased redundancy may
improve availability and reliability but requires more components that may fail.
Consideration should be given to a number of factors in selecting and designing subsea HIPS,
including the following:

• Diversity of control functions;
• In-built remote communications;
• Autonomous shutdown functions;
• Remote testability;
• Remote diagnostics;
• Space (inclusion within the subsea control module (SCM));
• Weight (SCM must be ROV friendly);
• Power (within standard SCM design, no batteries);
• Functionality under all operating conditions, including cold start-up.

General requirements relating to the design and specification of subsea HIPS shall be in
accordance with other sections in this standard. Specific requirements relating to subsea HIPS are
described below.
10.2.1 HIPS Configurations
The principal benefit of subsea HIPS lies in the ability to subsequently rate the pipeline, and risers
where applicable, for a lower pressure than the maximum wellhead shut-in pressure of the wells.
For all subsea HIPS, consideration shall be given to the requirements for a transition or fortified
zone rated for a higher pressure than the pipeline, but less than wellhead shut-in pressure. The
length of the fortified section shall be established on a case-by-case basis. Dynamic assessments
shall be conducted to support this design; the length of the fortified zone is a function of how far
the pressure wave travels before the HIPS has time to sense the rise in pressure and close the
HIPS valves (refer also to Section 10.2.6).
The HIPS modules can be located on the wells/trees, pipeline end terminations or manifolds
depending on the subsea architecture.
The general architecture of the overpressure protection is expected to be similar in nature to that for
topsides HIPS, i.e.
• Process (ESD) shutdown via pressure transmitter(s) closing wellhead wing and master valves;
• The subsea HIPS itself;
• Protection against HIPS valve leakage.
It should be emphasised that the process/ESD shutdown shall also prevent overpressure of the
low rated pipeline. System design (incorporating dynamic analysis) shall demonstrate that the
normal ESD trip of the wells acts sufficiently fast to provide this protection. This may influence the
length of any fortified zone.
In a similar manner to topsides HIPS, all subsea HIPS shall be designed to be SIL 3. However,
integrity requirements shall be assessed for each application in the usual manner, in this case
taking into account the proposed pipeline and remote riser design and commercial and
environmental factors. As for topsides HIPS, BG does not allow application of SIL 4 systems and
should this be considered necessary then it should be addressed by providing additional layers of
protection in addition to a SIL 3 HIPS.
Overall system architecture shall be established (HIPS plus process/ESD shutdown) so as to meet
company risk targets, including financial and environmental targets (as per the BG Safety Case
Standard [7]).
The enhanced requirements for remote testability and fault diagnosis implicit with subsea HIPS
influence the ideal system configuration that should be adopted. It may also be impracticable to
locate pressure transmitters in de-rated piping downstream of any fortified zone, and potentially
remote from the HIPS valves. The requirement in Section 9.3.1 to locate HIPS pressure
transmitters only in the lower rated piping shall not apply for design of subsea HIPS. In this case,
the location of transmitters shall be established so as to best enable remote testing of the system
and regular diagnostic tests on individual components. Consideration must also be given to the
need to use pressure readouts to help confirm closure action of valves, monitor pressure build-up
or decline etc. More detail is provided in the sections below.
Commentary: For subsea HIPS where reliance is placed entirely on remote testing and the
requirement to verify successful operation must be assured remotely from field devices, pressure
signals, valve positions etc., it becomes even more critical that function testing of the HIPS can be
achieved and success assured at pressure initiated set point. There would be issues with
achieving this for transmitters located in the lower rated piping (not least the impracticality of
pressurising the pipeline section for such a test). This promotes location of transmitters upstream
of the HIPS valves in the case of subsea HIPS.
Commentary: The required transmitter/valve configuration and redundancy should be established
for each application. Adoption of twin banks of 2oo3 voting transmitters with redundant solenoids
closing multiple (two or more) HIPS valves is a commonly adopted approach for subsea HIPS.
Either bank tripping would close the HIPS valves. The system may have more or fewer
transmitters or HIPS valves but the logic arrangement is much the same. A variation on this
approach, which has proved successful for one HPHT subsea HIPS, included a suite of four
pressure transmitters, acting on two HIPS valves, with two transmitters located upstream of the
first valve and two between the valves. All four transmitters may trigger HIPS valve closure based
on 2oo4 voting. Loss of one transmitter leaves HIPS initiation based on 1oo3. The location of
transmitters in this arrangement allows both diagnostic checks between the transmitters and leak
testing for the two HIPS valves.
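The four-transmitter voting arrangement in the commentary above, as an added example (not part of the standard or of any vendor logic solver). It assumes a lost transmitter signal counts as one vote to trip, which reproduces the stated degradation from 2oo4 to 1oo3; tags, set point and tolerance are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Transmitter:
    tag: str                       # hypothetical tag name
    location: str                  # "upstream" (of the first valve) or "between" (the valves)
    pressure_bar: Optional[float]  # None = signal lost or transmitter isolated


def trip_votes(txs: Sequence[Transmitter], set_point_bar: float) -> int:
    """Votes to trip: a reading at or above the set point, or a lost signal (assumption)."""
    return sum(1 for t in txs if t.pressure_bar is None or t.pressure_bar >= set_point_bar)


def hips_demand(txs: Sequence[Transmitter], set_point_bar: float, m: int = 2) -> bool:
    """True when at least m of the transmitters vote to close the HIPS valves."""
    return trip_votes(txs, set_point_bar) >= m


def effective_voting(txs: Sequence[Transmitter], m: int = 2) -> str:
    """Voting left among healthy transmitters, e.g. '2oo4', '1oo3', or 'TRIP'."""
    healthy = sum(1 for t in txs if t.pressure_bar is not None)
    needed = m - (len(txs) - healthy)
    return "TRIP" if needed <= 0 else f"{needed}oo{healthy}"


def pair_discrepancies(txs: Sequence[Transmitter], tolerance_bar: float) -> List[Tuple[str, float]]:
    """Diagnostic check between transmitters sharing a location: report spreads over tolerance."""
    by_location: Dict[str, List[float]] = {}
    for t in txs:
        if t.pressure_bar is not None:
            by_location.setdefault(t.location, []).append(t.pressure_bar)
    flagged = []
    for location, values in sorted(by_location.items()):
        spread = max(values) - min(values)
        if len(values) > 1 and spread > tolerance_bar:
            flagged.append((location, spread))
    return flagged


def suite(up_a, up_b, mid_a, mid_b) -> List[Transmitter]:
    """Constructed four-transmitter suite: two upstream, two between the HIPS valves."""
    return [
        Transmitter("PT-A", "upstream", up_a),
        Transmitter("PT-B", "upstream", up_b),
        Transmitter("PT-C", "between", mid_a),
        Transmitter("PT-D", "between", mid_b),
    ]


SET_POINT_BAR = 150.0  # constructed value

if __name__ == "__main__":
    cases = {
        "all healthy, normal pressure": suite(120.0, 120.0, 120.0, 120.0),
        "one transmitter lost": suite(None, 120.0, 120.0, 120.0),
        "one lost, one high": suite(None, 120.0, 155.0, 120.0),
        "two lost": suite(None, 120.0, None, 120.0),
    }
    for name, txs in cases.items():
        print(f"{name}: voting={effective_voting(txs)} trip={hips_demand(txs, SET_POINT_BAR)}")
```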
Remote manual shutdown capability shall be provided for subsea HIPS, together with the ability to
override inputs and test outputs remotely, including partial closure testing of valves (refer to
Sections below).
Subsea HIPS shall be failsafe on loss of electrical power or electrical control signal. Fail safe
solenoid valves should be used to help achieve this. Failsafe functionality shall be retained on
loss of communications with the platform/control centre or beach, but loss of communications
should not automatically generate a HIPS trip.
Consideration shall be given to where provision of installed spare components/redundancy may
help meet system availability requirements, allowing for testing (refer to Section 10.2.9) without
loss of overpressure protection.
10.2.2 Field Inputs
A key element in designing any HIPS is maximising diversity between components to reduce the
risk of common mode failures either leading to spurious trips or reducing the integrity of the system.
Consideration should be given to using different types of transmitters in a similar manner to topsides
HIPS, but in the case of subsea HIPS additional consideration shall be given to design approaches
that best meet the above objectives, e.g.
• Combination of digital and analogue transmitters;
• Use of transmitter designs/suppliers with proven designs in subsea service and with pertinent
  reliability data available;
• Location of transmitters to minimise common mode risks such as blockage, i.e. spatial diversity;
• Location of transmitters on top of pipe to reduce risk of hydrate or sand clogging (although
  this is beneficial for all HIPS).
Commentary: Note that in the typical field configuration discussed above, the HIPS transmitters
were selected as analogue type so as to offer diversity in comparison with the digital transmitter(s)
triggering the process/ESD shutdown of the wellhead valves, thereby reducing the probability of
common mode failures between ESD and HIPS. In addition, the two upstream transmitters were
located several meters upstream of the valves to further reduce the probability of more than two
sensors failing simultaneously from a common cause.
10.2.3 Logic Solver


Logic solvers for subsea HIPS shall be certified for SIL 3 by an independent competent body (e.g.
TUV, Exida).
Commentary: The ProSafe-SLS system supplied by Yokogawa for many subsea HIPS has been
certified up to safety integrity level (SIL) 4.
It is essential to ensure that whilst the HIPS status and features to facilitate remote testing are
available in the surface/topsides control room (via the subsea control system), this is entirely
separate from the HIPS itself and cannot compromise the safety function.
Modification or repair of the logic systems will typically require retrieval of the SCM.
10.2.4 Final Elements
Given that valves may sometimes be the least reliable components of any HIPS, and given that
component replacement for a subsea system is both difficult and costly, it is essential that high
integrity valves are utilised as part of subsea HIPS.
Valves shall be selected that are able to seal against pressure from either direction. As for topsides
HIPS valves, loss of hydraulic pressure shall force the valve to close in a failsafe manner.
Consideration shall be given to independence and redundancy for hydraulic supplies serving HIPS
compared to ESD in order to achieve the required system integrity and availability.
In comparison with topsides systems, valves for subsea applications may require a greater degree
of testing in order to suitably qualify them for the combinations of pressure, temperature and
potentially solids production that they may have to operate under. Failure mode effect consequence
analysis (FMECA) shall be considered in order to improve reliability of valve/actuation and ensure
that the arrangement is failsafe.
In multi-well arrangements (e.g. linking to a common manifold), design of hydraulic systems shall
ensure that the required opening time of valves is not impacted by potential pressure differences
between the wells.
10.2.5 Cold Re-Starts
The situation with respect to managing cold re-starts is largely the same as for any subsea tieback,
whether the HIPS is subsea or topsides. However, locating HIPS subsea imposes particular
requirements on the design of the HIPS components.
Due consideration shall be given in subsea HIPS designs to cold re-start operations and how these
will be managed. HIPS valves and piping (both upstream and downstream) shall be designed to
handle the lowest temperatures possible due to a combination of ambient conditions and high
pressure drop temperature loss across both the subsea choke and potentially opening HIPS valves
on re-start. Provision of methanol (or similar) shall be made as necessary to help manage such
re-starts.
Cold re-start operations shall not be allowed to compromise the reliability of subsea components
forming part of the HIPS, and this must be recognised during the design, reliability analysis and
testing (i.e. quality assurance) process. In particular, consideration must be given to how high
differential pressures are to be managed on re-starts (hot or cold).
For topsides HIPS, bypass arrangements are proposed to bleed off upstream high pressure until the
differential is low enough to allow HIPS valve re-opening without risking valve seat damage (even
where rated to open on maximum differential); refer to Section 9.3.6. Such arrangements may be
impracticable subsea due to the increased complexity incurred, in which case it is particularly
important to ensure that the selected materials and reliability of components impacted by the
operation (e.g. HIPS valve re-opening at potentially high differential pressure) are not compromised.
For subsea systems, consideration should be given to the benefits and environmental implications
of venting locally to facilitate HIPS valve re-opening at reduced pressure differential (i.e. venting the
section between well valves/chokes and HIPS valves).
10.2.6 Dynamic Analysis
Some references have been made in the paragraphs above to the particular requirements for
dynamic analysis to support subsea HIPS designs.
Whilst performance requirements may be less severe than for topsides HIPS where the high
pressure interface is much closer to the low pressure processing systems, subsea HIPS must still
be designed for the worst case blockage scenario and due consideration shall be given to such
events. The most onerous case is typically an assumed hydrate blockage located just downstream
of the HP/LP interface. In cases where a fortified zone is included, this worst blockage may be a
blockage at the transition to lower rated pipeline.
Dynamic modelling shall be used to support the adopted design pressures for the pipeline and
requirements for a fortified zone (design pressure and length).
It is even more critical for subsea HIPS that are difficult and costly to access and/or repair that
sufficient attention is paid to the risks of shock loads and vibration during HIPS operations, re-starts
etc. Design of subsea HIPS shall include shock loading and vibration analysis in tandem with
dynamic response assessments to ensure that system design is robust against these risks.
10.2.7 HIPS Valve Leakage
Whilst leakage past HIPS valves is liable to take a significant time to pressurise the downstream
pipeline in subsea applications, dependent on pipeline length and leakage rate, consideration shall
be given in all subsea HIPS applications to the implications of such leakage and the need for
protection against this event.
10.2.8 Diagnostic Capability
Design of subsea HIPS shall utilise intelligent or smart devices (e.g. transmitters) with
programmable failure modes based on internal diagnostics. Diagnostic capability, to detect and
respond to potential abnormal function/reading of a transmitter as an example, is particularly
important for subsea HIPS given the enhanced reliability requirements, even greater need to assure
failsafe operation etc.
10.2.9 Testing
For any HIPS, testing in order to confirm functionality and performance is fundamental to the
lifecycle maintenance of the protection system, but for subsea HIPS the requirements for testing
become even more onerous given the need to fully conduct this remotely and the likely
impracticalities of repair or replacement. Local manual (whether diver, where possible, or ROV)
intervention to assist testing is generally impracticable and so system design shall provide the
flexibility to allow all component tests and diagnostic checks to be readily implemented remotely.
In order to demonstrate system functionality and performance and improve the reliability of the
system, the following elements shall be incorporated into test routines for subsea HIPS:

• Full functional test of the complete system (as required by IEC 61508/511);
• Leak test of the HIPS valves;
• Test that HIPS valves start to close on demand (i.e. partial stroke test);
• Pressure sensor verification test.

Test intervals required for the complete system test (typically annual) and the secondary tests
(typically more frequent) shall be established as part of the reliability analysis of the system (as with
any HIPS). It should be understood, however, that more testing may be justified for subsea HIPS
simply because of the implications of component failure on availability.
As with any HIPS, complete system testing (i.e. to full valve closure) is usually conducted at
operating pressure and not at the actual maximum (wellhead shut-in) pressures that apply. This
may be even more the case for subsea HIPS where extreme well shut-in pressures have helped
drive selection of subsea HIPS. Where there is a substantial difference between operating (i.e.
HIPS test) pressure and the maximum shut-in pressure, procedures shall be developed to form part
of performance standards and testing routines that verify closing time at test pressure on a curve (to
establish closing time at maximum well pressure).
Commentary: The following lists some typical test elements that could apply for the kind of HIPS
configuration described above (two pressure transmitters (PT) upstream of the first HIPS valve and
two between the HIPS valves). This should be taken as indicative only; actual requirements will
depend on the configuration selected for a given application and the reliability demands for that
system. In all cases, procedures should be developed that enable full testing of all system
components:
• Electrical isolation of one PT upstream of the HIPS valves and one PT between the valves;
• This initiates shutdown due to loss of 2oo4 signals and HIPS valves should close;
• The remaining PTs are available to monitor pressure upstream and between the valves as
  they close;
• Pressures and valve positions should be monitored and logged during this process to verify
  that the valves close as intended;
• The pressure build-up upstream of the HIPS should also cause a test of the ESD shutdown
  of wellhead valves as part of the same test;
• To test that the transmitters trip at the set-point, the pressure is relieved in the system and
  between the valves allowing the system to be reset, at which point the upstream HIPS valve
  can be re-opened;
• Methanol (or MEG or similar) can then be injected to increase pressure beyond the set point
  of the HIPS, which should result in all four pressure sensors signalling to trip and the open
  valve should close (total time from set-point initiation to completed valve closure being
  recorded as per usual for HIPS);
• To verify leakage, pressure can be reduced to a specified value between the valves (but
  above the downstream settled-out pipeline pressure) and stabilisation of pressures
  monitored; if the pressure is then increased upstream of the first HIPS valve and left to
  stabilise, increasing pressure between the valves would indicate leakage across the first
  valve and decreasing pressure would indicate leakage across the downstream valve;
• Partial function tests may also help demonstrate valves moving to close on demand to
  improve reliability: a simulation of a trip signal from the control room triggering closure of
  the valves, but with the system resetting automatically after only a few seconds, opening the
  valves with correct timings; valves should not fully close during this process (thereby
  maintaining production) but allow verification that they are not stuck open. As well as
  avoiding production loss, this test has no negative impact on the safety function and is
  readily performed from the control room;
• Common cause failure of pressure sensors should also be tested, via a procedure that
  verifies that all transmitters are active and reading the same pressure; reference may be
  made to the pressure downstream of the choke and changes to all HIPS transmitters
  confirmed where this is modified slightly by adjustment of the choke.
One particular concern with pressure transmitters (whether topsides or subsea) is the potential for
blockages to occur in the impulse lines. As already noted, separating banks of transmitters may
help reduce the risk of coincident impact on multiple devices, as would locating instrument
connections on the top of pipes, but there remains a need to assure the correct functionality of
safety critical trip devices. Consideration shall be given to providing online capability for clearing
impulse lines, particularly in respect of hydrate blockage risk (e.g. provision of appropriate methanol
(or similar) injection facilities). Consideration shall also be given to the potential for wax blockages
in waxy fluid service and the possible need for solvent injection to deal with blockages.
Commentary: One technique which has been applied uses injection of methanol to clear impulse
lines, with this also acting as a sensor test, since the methanol injection is expected to introduce an
instantaneous overpressure (for that instrument) and generate a trip condition, thus testing the
device. This test produces an alarm but no overall trip since only one channel has tripped.
The design of subsea HIPS and test routines shall ensure that genuine trip demands are not
disabled during test cycles.
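The voting behaviour described in the commentaries above, shown as an added example that is not part of the BG standard: a 2oo4 vote in which a lost transmitter signal counts as a trip vote, so a single tripped channel only alarms and a channel isolated for test cannot mask a genuine demand, plus the reading of the inter-valve leak test. The set point, tags, tolerance and function names are assumptions made for the illustration.

```python
"""2oo4 trip voting and leak-test reading for a four-transmitter HIPS (added illustration)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

SET_POINT_BARG = 150.0   # constructed trip set point, not a value from the standard
VOTES_TO_TRIP = 2        # 2oo4: two of the four transmitters must vote to trip
TAGS = ["PT-A (upstream)", "PT-B (upstream)", "PT-C (between)", "PT-D (between)"]


@dataclass
class Transmitter:
    tag: str
    pressure_barg: Optional[float]   # None = signal lost (isolated or failed)

    def votes_trip(self) -> bool:
        # Assumption: a lost signal is treated as a trip vote (fail-safe), which is
        # why isolating two transmitters closes the valves in the test sequence.
        return self.pressure_barg is None or self.pressure_barg >= SET_POINT_BARG


def bank(readings: Sequence[Optional[float]]) -> List[Transmitter]:
    """Build the bank: two transmitters upstream, two between the HIPS valves."""
    return [Transmitter(tag, p) for tag, p in zip(TAGS, readings)]


def evaluate(transmitters: Sequence[Transmitter]) -> Tuple[str, List[str]]:
    """Return (state, voting_tags); state is NORMAL, ALARM (one vote) or TRIP."""
    voting = [t.tag for t in transmitters if t.votes_trip()]
    if len(voting) >= VOTES_TO_TRIP:
        return "TRIP", voting
    return ("ALARM" if voting else "NORMAL"), voting


def demand_survives_test(normal_barg: float, demand_barg: float) -> bool:
    """Check that a genuine demand still trips while any one channel is under test.

    With one channel isolated, an overpressure seen by any single remaining
    channel must trip; with no demand the isolation alone must only alarm.
    """
    for under_test in range(4):
        quiet: List[Optional[float]] = [normal_barg] * 4
        quiet[under_test] = None
        if evaluate(bank(quiet))[0] != "ALARM":
            return False
        for seeing_demand in range(4):
            if seeing_demand == under_test:
                continue
            readings = list(quiet)
            readings[seeing_demand] = demand_barg
            if evaluate(bank(readings))[0] != "TRIP":
                return False
    return True


def classify_leak(between_valves_barg: Sequence[float], tolerance_bar: float = 0.5) -> str:
    """Read the inter-valve pressure trend logged after raising upstream pressure.

    Rising pressure points at the first (upstream) valve, falling pressure at the
    downstream valve. The tolerance is an assumed stabilisation band.
    """
    delta = between_valves_barg[-1] - between_valves_barg[0]
    if delta > tolerance_bar:
        return "leak across first (upstream) HIPS valve"
    if delta < -tolerance_bar:
        return "leak across downstream HIPS valve"
    return "no leakage detected"


if __name__ == "__main__":
    # Constructed scenarios mirroring the test elements in the commentary.
    print(evaluate(bank([90.0, 90.0, 90.0, 90.0])))     # normal operation
    print(evaluate(bank([90.0, 155.0, 90.0, 90.0])))    # methanol spike on one channel
    print(evaluate(bank([None, 90.0, None, 90.0])))     # one PT isolated on each side
    print(demand_survives_test(90.0, 155.0))
    print(classify_leak([60.0, 61.2, 63.5]))
```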
10.2.10 Maintenance Implications

The design of subsea HIPS must take into account the difficulties in repairing or maintaining
components as indicated in the paragraphs above. Consideration shall be given in all cases to how
the subsea systems are configured in a manner that most readily supports intervention for repair
and retrieval should this prove necessary.
Consideration should be given to making as many components as possible reasonably replaceable
by diver or ROV intervention should the need arise. Maximising HIPS components incorporated
into a SCM which would typically be retrievable to surface would be one means of achieving this
intent. It would also encourage provision of suitable isolation for components (e.g. instruments),
even where this in itself may pose a potential cause of failure for that device.
10.2.11 Remote Risers

For many applications of subsea HIPS, the HIPS will be protecting a high inventory pipeline and
remote riser, the failure of which would constitute a major hazard. Whilst the subsea HIPS enables
a reduced design pressure to be applied to the pipeline system rather than fully rating this, special
attention must be paid to remote risers where any system failure would pose a greater personnel
hazard (than subsea).
For systems encompassing a subsea HIPS, particular consideration shall be given to the design
pressure adopted for remote risers, and any adjacent fortified zone (at the riser end). This might
need to be greater than that for the pipeline in order to provide greater assurance against loss of
containment, e.g. should the HIPS valves leak. Design of the fortified zone and riser up to and
including at least the riser ESD valve shall at least be to a no-burst condition (whereby an
engineering assessment confirms a low probability of leak or rupture when subjected to the
maximum possible pressure, typically <0.05). Other factors such as application of an SSIV,
available time for manual intervention etc. should be taken into account in the analysis.
Consideration shall also be given to adopting a no yield approach (whereby an engineering
assessment confirms that the pipework is not expected to be stressed beyond yield, and not to leak,
when subjected to the maximum possible pressure). The selected approach shall be supported by
appropriate ALARP justification.
Commentary: The UK Health and Safety Executive, for example, prefer to see remote risers in
subsea HIPS installations designed to be inherently safe, i.e. fully rated, even where the pipeline is
de-rated [13]. Where the inherently safe design is deemed impracticable, mechanical pressure relief is
preferred. Only when this is also impracticable is reliance on HIPS considered justifiable, this as a
back-up to the ESD. The UK HSE require that a no-burst riser is applied for subsea HIPS, as well
as considering inclusion of options such as topsides relief, provision of an SSIV or subsea relief
(e.g. effectively inclusion of a weak, or sacrificial pipeline section, remote from the manned
facilities). It must be shown that each option is demonstrated to be not reasonably practicable
before an option with less inherent safety is adopted.
Where a no-burst approach is adopted for remote risers protected by subsea HIPS, no credit shall
be taken for a corrosion allowance contribution to preventing burst unless a rigorous in-service
inspection regime is implemented. The design strength of the riser (and any fortified zone) shall be
sufficiently greater than that of the main pipeline such that in the event of a HIPS failure, the main
pipeline section (at a safe distance from the installation, typically at least 500m) would fail rather
than the riser.
Note that in avoiding connections outboard of riser valves [1], there is unlikely to be a pressure
detector on the riser. If there were a communications link failure with the subsea control module
then the pressure condition in the pipeline and riser would be unknown. Consideration should be
given to implementing an autonomous well ESD trip after an appropriate time-out period for loss of
communications.

11.0 HIPS Operation and Maintenance


11.1 Training and Competence

It is a requirement of BS IEC 61508 that any persons involved in any overall electrical / electronic /
programmable electronic systems or software safety lifecycle activity, including management
activities, should have the appropriate training, technical knowledge, experience and qualifications
relevant to the specific duties they have to perform.
It is therefore essential that adequate competence-based training shall be provided to all operating
and maintenance personnel so as to ensure the integrity of all HIPS is maintained as designed.
Such training shall encompass awareness of all aspects of the HIPS function and performance
standard, but in particular with respect to the test and maintenance requirements pertinent to each
system.
Operator training should aim to raise awareness amongst operators of factors that might impact on
the validity of the HIPS design and its performance, whether in terms of integrity (reliability of
components, assumptions on failure modes etc.) or response (changing process conditions, plant
throughput, fluid properties etc.).
Routine assessment by an independent verification party shall be employed to ensure that training /
competence is being maintained through the plant lifecycle.
11.2 Maintenance

Every HIPS shall be operated, maintained and tested in accordance with its performance standard
throughout the lifetime of the plant, so long as the overpressure risk (or similar) still applies. The
frequency of testing shall not be allowed to fall short of the set requirement.
It is important to recognise that for safety critical systems such as HIPS, it is necessary to ensure
both maintenance of the achieved reliability (i.e. SIL in this context) and system functional
performance (i.e. response time) throughout the plant lifecycle. Aspects integral to the design of the
HIPS such as voting configuration, diagnostics, set point, response time, test interval, plant line-up,
demand reducers etc. (as indicated in the performance standard) must be preserved throughout the
life of the facility.
It is crucial that maintenance and testing activities ensure that these parameters remain as originally
defined. Where differences from the original specification are identified then steps shall be taken to
rectify this.
Commentary: One physical example might be lengthening valve closure times, in which case
prevention of overpressure may not be guaranteed. Shortening closure times may also generate
surge effects outwith the design. A less apparent example might be actual plant component
reliability differences from that assumed in the original reliability analysis.
11.3 Change Management

All management of change shall be subject to the BG Management of Change Standard [4].
The other aspect of maintaining the HIPS design and operation in line with its performance standard
relates to material changes in the plant operation or configuration that might impact the protection
afforded by the HIPS. Two principal elements of lifecycle design shall be considered:
• Changes that affect the HIPS response performance;
• Changes that affect the HIPS reliability / integrity.
HIPS Performance
Changes that could impact the response time performance of the HIPS can be established from the
performance standard for each HIPS. These would encompass factors that determine the rate of
pressure rise in the system (or deviation of any other critical feature such as temperature, level,
composition) and those that establish how quickly the system can respond to prevent overpressure
(or any other pertinent out of the design envelope condition). They may include, but are not
necessarily limited to, the following:

• Changes in process conditions;
• Changes in fluid properties;
• Changes in production rates, GORs, CGRs, water cuts;
• Changes in plant line-up;
• Changes in system boundaries;
• Changes in system architecture or configuration;
• Changes to HIPS set-point;
• Changes in system logic or cause and effect modifications;
• Changes in system design: new equipment, piping changes etc.;
• Changes in valve specification: control valve trims, opening / closing times etc.;
• Deterioration in valve closure (or opening) performance;
• Changes to other elements that may be integral to the overall system protection (such as
  relief valve set pressure / capacity, restriction orifice size etc.).

Whilst HIPS designs are typically engineered to be as flexible as possible to cover a range of
expected operations they are, for the most part, relatively restrictive given often tight margins
available between design response requirements and that achievable by the installed systems for
the production rates required.
Commentary: This depends to a large extent on the system protected by the HIPS. HIPS
protecting topsides systems from platform wellhead pressures may have limited time margins
available for HIPS response whereas HIPS protecting the entry to long pipeline sections may
have greater margins by virtue of a larger system capacity and therefore slower rate of pressure
rise.
Every asset shall regularly review the design basis for HIPS to ensure that nothing has changed
relative to the original assumptions. Production/fluid behaviour/conditions at variance from the
design expectations or varying over time would be one such example that might escape the more
rigid management of change process (as not reflecting a material change); see below.
The normal management of change processes shall encompass a formal review of the possible
impacts on HIPS designs of any proposed change to plant operation or configuration. The most
obvious of these would be plant throughput changes, but anything from the list above might apply.
Such changes shall not be implemented until the HIPS performance has been confirmed as still
acceptable and/or system modifications completed to ensure this is the case. This may necessitate
revised calculations to confirm the HIPS design (e.g. dynamic modelling).
HIPS Reliability
Equally important is the reliability achieved by the installed HIPS. The required system reliability in
terms of the safety integrity level (SIL) and the inferred probability of failure on demand (PFD) would
have been assessed on the basis of both the nature of potential overpressure hazards and the
probable demand rate on the system. At the same time, the PFDs and SILs achieved for each
HIPS would have been determined on the basis of assumed failure rates for HIPS components (e.g.
transmitters, logic, valves etc.) and the frequency at which these systems would be tested.
Regular review of these underlying assumptions shall be conducted, both to confirm that they
remain valid and, where relevant, to potentially support adoption of less stringent test frequencies.
There is an inherent need to justify the continuing application of an instrumented protection system
by establishing that assumed demand and failure rate data continue to apply:
• Demand rates should be recorded with plant monitoring and maintenance systems and
  periodically compared to those used to set target SILs;
• A continuing process of recording component performance data is necessary to confirm (and
  potentially modify) the failure rate data originally applied, i.e. recording successful
  component / system operation and detailing all component failures (and modes of partial or
  total failure) that contribute to overall failure rate data (e.g. for valves, as well as failure to
  close on demand this would include failure to completely close, delayed operation and
  evidence of significant leakage after closure);
• Statistical failure rate data accumulated over time should periodically be compared with that
  used in the reliability analysis and the achieved SIL reassessed.
Commentary: In some cases, where conservative failure rate data might have been used in the
original analysis and where this resulted in an onerous test frequency, it may be possible to justify a
longer test period once sufficient data has been collected to support adoption of less conservative
failure rates in the analysis. It should be recognised that many HIPS components may be common
with other elements across the plant (e.g. shut-off valves), hence extending the source of data for
the archive.
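The periodic comparison described above, as an added example that is not part of the BG standard: field records are reduced to a failure rate with an upper confidence bound, the achieved SIL is re-derived, and the longest test interval that still meets the target is reported. It assumes the simplified single-channel approximation PFDavg = failure rate x test interval / 2 (no voting or common cause modelling), a 70% confidence level, the IEC 61508 low-demand SIL bands, and constructed records, hours and rates; all function names are hypothetical.

```python
"""Re-check an achieved SIL from field records (added illustration, simplified model)."""
import math

# Valve failure modes the text lists as counting towards the failure rate.
DANGEROUS_MODES = {"failed to close", "incomplete closure",
                   "delayed operation", "leakage after closure"}
# IEC 61508 low-demand PFDavg bands: (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def poisson_cdf(n, mu):
    """P(X <= n) for a Poisson count with mean mu."""
    term = total = math.exp(-mu)
    for k in range(1, n + 1):
        term *= mu / k
        total += term
    return total


def upper_bound_failures(n, confidence=0.70):
    """One-sided upper confidence bound on the expected count, given n observed.

    Solved by bisection so that zero observed failures never yields a zero rate.
    """
    alpha, lo, hi = 1.0 - confidence, 0.0, 10.0 * (n + 1)
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if poisson_cdf(n, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def field_failure_rate(records, component_hours, confidence=0.70):
    """Return (dangerous failure count, upper-bound failure rate per hour)."""
    dangerous = sum(1 for _, outcome in records if outcome in DANGEROUS_MODES)
    return dangerous, upper_bound_failures(dangerous, confidence) / component_hours


def pfd_avg(rate_per_hour, test_interval_hours):
    """Simplified single-channel average probability of failure on demand."""
    return rate_per_hour * test_interval_hours / 2.0


def sil_for(pfd):
    """Map a PFDavg to its SIL band; 0 means it does not reach SIL 1."""
    if pfd < 1e-5:
        return 4
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return 0


def longest_interval_hours(rate_per_hour, target_sil):
    """Upper limit on the test interval at which PFDavg stays inside the target band."""
    upper = next(u for s, _, u in SIL_BANDS if s == target_sil)
    return 2.0 * upper / rate_per_hour


def reassess(records, component_hours, assumed_rate, test_interval_hours, target_sil):
    dangerous, field_rate = field_failure_rate(records, component_hours)
    achieved = sil_for(pfd_avg(field_rate, test_interval_hours))
    return {
        "dangerous_failures": dangerous,
        "field_rate_per_hour": field_rate,
        "assumption_still_conservative": field_rate <= assumed_rate,
        "achieved_sil": achieved,
        "target_met": achieved >= target_sil,
        "longest_interval_hours": longest_interval_hours(field_rate, target_sil),
    }


# Constructed data: 20 valves over 5 years, 40 logged tests/demands, one late closure.
RECORDS = [("HV-%02d" % (i % 20 + 1), "closed on demand") for i in range(39)]
RECORDS.append(("HV-07", "delayed operation"))
COMPONENT_HOURS = 20 * 5 * 8760.0
ASSUMED_RATE = 5e-6            # per hour, conservative figure from the original analysis
TEST_INTERVAL_HOURS = 2190.0   # quarterly test

if __name__ == "__main__":
    for key, value in reassess(RECORDS, COMPONENT_HOURS, ASSUMED_RATE,
                               TEST_INTERVAL_HOURS, target_sil=2).items():
        print(key, value)
```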
A programme shall be established for the periodic review of each HIPS application to confirm its
applicability to ongoing production conditions and requirements. Such system design reviews shall
be built into operator maintenance schedules.
Commentary: Such a review might be instigated on a checklist basis at a prescribed frequency. It
should be triggered automatically as part of management of change for any system modifications
deemed to have an impact on any HIPS operation or the assumptions integral to the HIPS design.

12.0 Appendices
12.1 Appendix A - Definitions / Abbreviations

Definitions
COMPANY: BG Group or a wholly owned subsidiary company or other client organisation;
CONTRACTOR: The person, firm or company undertaking to supply services plant, or
equipment to which this document applies;
SHALL: A mandatory term - no dispensation is permitted without written approval
using the formal dispensation procedure;
GROUP TECHNICAL AUTHORITY: The manager or principal discipline engineer responsible for
producing and maintaining a given Standard / Guideline;
Review and either approve or reject Dispensation Requests made against BG
Standards by Asset / Project.

Abbreviations
ALARP   As Low as Reasonably Practicable
API     American Petroleum Institute
API RP  American Petroleum Institute Recommended Practice
ASME    American Society of Mechanical Engineers
BS      British Standard
CGR     Condensate Gas Ratio
DCS     Distributed Control System
DIN     Deutsches Institut für Normung
EN      European Norm
ESD     Emergency Shutdown
ESDV    Emergency Shutdown Valve
FASI    Functionality, Availability, Survivability and Interdependencies
FEED    Front End Engineering Design
GOR     Gas Oil Ratio
HIPS    High Integrity Protection System
HIPPS   High Integrity Pressure Protection System
HP      High Pressure
HPHT    High Pressure High Temperature
IEC     International Electrotechnical Commission
IGE     Institution of Gas Engineers
IP      Institute of Petroleum
IRPA    Individual Risk (of Fatality) Per Annum
ISO     International Standards Organisation
LOPA    Layers of Protection Analysis
LP      Low Pressure
MAWP    Maximum Allowable Working Pressure
OPPS    Over Pressure Protection System
P&ID    Piping and Instrumentation Diagram
PCV     Pressure Control Valve
PD      Published Document
PED     Pressure Equipment Directive
PFD     Probability of Failure on Demand
PRV     Pressure Relief Valve
PSV     Pressure Safety Valve
QEV     Quick Exhaust Valve
QRA     Quantitative Risk Analysis
RO      Restriction Orifice
ROV     Remotely Operated Vehicle
RP      Recommended Practice
SCM     Subsea Control Module
SI      Système International d'Unités
SIF     Safety Instrumented Function
SIL     Safety Integrity Level
SIS     Safety Instrumented System
SRS     Safety Requirement Specification
SSIV    Subsea Isolation Valve
TUV     Technische Überwachungs-Vereine
UKOOA   United Kingdom Offshore Operators Association

12.2 Appendix B - Units

Company requirements are that metric SI units shall be used throughout. If an asset requires
Imperial units to be used for clarity, then SI units shall be stated, followed by the local requirement
in brackets. The following exceptions shall apply:
• Pressure shall be expressed as either gauge pressure in barg or absolute pressure in bara,
  gauge pressure being referenced to Standard Atmospheric pressure of 1.01325 bara.
• Temperature shall be expressed as degrees Celsius (°C)
• Dynamic viscosity shall be expressed as centipoise (cP)
In addition, the following common industry units shall also be used (applying dual units where
appropriate):
• Volume gas flow in million standard cubic feet per day (MMscfd)
• Volume liquid flow in barrels per day (bpd) or US gallons per minute (gpm) as appropriate
• Stock tank oil/condensate flow shall be expressed in stock tank barrels per day (stbpd) and
  reflect the oil/condensate volumetric flow after flashing to stock tank conditions of 1.01325
  bara and 15.5556 °C.
The definition of Standard Conditions for pressure and temperature that shall be applied is 1
atmosphere pressure (or 1.01325 bara) and 15.5556 °C (rather than 1 atmosphere and 273.15
degrees Kelvin (0 °C)).
Any deviations to this definition to be consistent with local standards shall be discussed and
agreed with BG Advance Engineering but shall, as a minimum, be fully defined in the project
Basis of Design.
12.3 Appendix C - Referenced / Associated Documents

BG Standards / Guidelines:
1. BG Standard Safe Plant and Equipment Isolation, BGA-ENG-PROC-TS-0002.
2. BG Standard Relief, Blowdown and Flaring, BGA-ENG-PROC-TS-0003.
3. BG Guideline Specifying and Achieving Functional Safety, BGA-ENG-INST-GL-0002.
4. BG Standard Management of Change (MOC), BGA-BGA-GEN-OS-0003.
5. BG Standard The Purpose, Development and Application of BG Standards and Guidelines,
   BGA-ENG-GEN-OS-0001
6. Recommended Failure Rates for Use in Safety and Reliability Studies, Technis Report No.
   T393, dated 19 February 2008.
7. BG Standard Safety Case, BGA-HSSE-SAF-ST-1526.
8. UK Offshore Operators Association (UKOOA) Guidelines for Instrument-Based Protective
   Systems, Issue 2, November 1999.
9. American Institution of Chemical Engineers, Center for Chemical Process Safety, Guidelines
   for Process Equipment Reliability Data.
10. Safety Integrity Assessment of Mokveld HIPP Systems, Technis Report No. T392, dated 19
    February 2008.
11. High Integrity Protective Systems for Reactive Processes, SIS-TECH Solutions, Chemical
    Processing, March 2004.
12. The Institute of Gas Engineers Pressure Regulating Installations for Transmission and
    Distribution Systems, IGE/TD/13.
13. Health and Safety Executive, HID Semi Permanent Circular High Integrity Pressure
    Protection Systems (HIPPS) for the Overpressure Protection of Pipeline Risers,
    SPC/TECH/OSD/31, Version 3, November 2008.
14. API RP 170, Recommended Practice for Subsea High Integrity Protection Systems (HIPPS),
    First Edition, October 2009.
12.4 Appendix D - Revision Record

Issue No. / Description of Revision

1.0a: Source of cost per life value used in ALARP analysis updated in paragraph 6.5.3, failure to close
data for Mokveld valves updated in paragraph 6.6.2 and Reference 7 revised to reflect later
source of Mokveld failure rate data

2.0: Introduction revised to match updated standard template

2.0a: Mark Nishapati added to approvers; Michael Tousignant removed

3.0:
Paragraph 1.0: New Executive Summary section (replaces Introduction).
Paragraph 2.0: New Ownership section added.
Paragraph 3.0: Clarification regarding the acceptability of applying IGE/TD/13 for transmission and distribution systems (new Objectives section, previously paragraph 1.1).
Paragraph 4.0: Minor text change regarding direct acting HIPS (new Scope and Application section, previously paragraph 3.0).
Paragraph 5.0: New Links to Other Controls section added.
Paragraph 6.0: Updated API RP/STD references, including reference to API RP 170 for subsea HIPPS (new Standard Requirements section, previously paragraph 2.0).
Paragraph 7.0: Reference to subsea tiebacks clarified; other minor wording changes (previously paragraph 4.0).
Paragraph 8.0: Previously paragraph 5.0.
Paragraph 8.1: Requirements of API STD 521 updated to reflect Fifth Edition (May 2008 Addendum); reference added to API RP 170 for subsea HIPS (previously paragraph 5.1).
Paragraph 8.2: Clarification regarding the acceptability of applying IGE/TD/13 for transmission and distribution systems; reference to new section on subsea HIPS added (previously paragraph 5.2).
Paragraph 9.0: Previously paragraph 6.0.
Paragraph 9.1: Minor wording changes (previously paragraph 6.1).
Paragraph 9.2: Minor wording changes (previously paragraph 6.2).
Paragraph 9.3: Clarification added regarding direct acting HIPS (no logic solver); clarification added regarding single final elements; implications for subsea HIPS added (previously paragraph 6.3).
Paragraph 9.3.1: References to reactive and preventative HIPS added; allowance of HIPS transmitters downstream of the HP/LP interface included for HIPS protecting pipelines (e.g. subsea HIPS); wording clarified (previously paragraph 6.3.1).
Paragraph 9.3.2: Minor wording change regarding potential for direct acting HIPS (no logic solver) (previously paragraph 6.3.2).
Paragraph 9.3.3: Minor wording change regarding reference to reliability of final element(s) (previously paragraph 6.3.3).
Paragraph 9.3.4: Previously paragraph 6.3.4.
Paragraph 9.3.5: Previously paragraph 6.3.5.
Paragraph 9.3.6: Reference added to re-start for preventative HIPS configurations; paragraph added regarding management of high differential pressure, and low temperature risk, across riser ESDVs; some minor wording change (previously paragraph 6.3.6).
Paragraph 9.3.7: Previously paragraph 6.3.7.
Paragraph 9.3.8: Previously paragraph 6.3.8.
Paragraph 9.4: Previously paragraph 6.4.
Paragraph 9.5: Minor wording change, reference to LOPA (previously paragraph 6.5).
Paragraph 9.5.1: Minor wording change, reference to LOPA (previously paragraph 6.5.1).
Paragraph 9.5.2: Clarification added for IRPA target for new and existing facilities; reference to BG Safety Case Standard added; Section references updated; references made to BG Guideline Specifying and Achieving Functional Safety added for modifying factors/probabilities and typical failure rate data to be used in quantified analysis (previously paragraph 6.5.2).
Paragraph 9.5.3: Reference revised to only the BG Guideline Specifying and Achieving Functional Safety for cost per life saved basis for use in ALARP justification (previously paragraph 6.5.3).
Paragraph 9.6: Section reference updated (previously paragraph 6.6).
Paragraph 9.6.1: Assumed reliability of a relief valve and application of this updated to be consistent with the BG Guideline Specifying and Achieving Functional Safety; references updated (previously paragraph 6.6.1).
Paragraph 9.6.2: Clarification added regarding the use of Mokveld valves as final elements; references updated (previously paragraph 6.6.2).
Paragraph 9.6.3: Reference added for assessment of reliability for the hydraulic Mokveld HIPS solution (previously paragraph 6.6.3).
Paragraph 9.7: Very minor wording change (previously paragraph 6.7).
Paragraph 9.8: References updated (previously paragraph 6.8).
Paragraph 9.9: Previously paragraph 6.9.
Paragraph 9.10: Previously paragraph 6.10.
Paragraph 9.11: References updated (previously paragraph 6.11).
Paragraph 9.12: Previously paragraph 6.12.
Paragraph 9.13: Section references updated (previously paragraph 6.13).
Paragraph 9.14: Requirements added regarding electronic capture of HIPS testing results and recording compliance with performance standard requirements or not (previously paragraph 6.14).
Paragraph 9.15: Previously paragraph 6.15.
Figure 9.1: Previously Figure 6.1.
Figure 9.2: Previously Figure 6.2.
Figure 9.3: Previously Figure 6.3.
Figure 9.4: Previously Figure 6.4.
Figure 9.5: Previously Figure 6.5.
Figure 9.6: Previously Figure 6.6.
Figure 9.7: Previously Figure 6.7.
Figure 9.8: Previously Figure 6.8.
Figure 9.9: Previously Figure 6.9.
Paragraph 10.0: New Section 10 added to cover subsea HIPS.
Paragraph 11.0: Previous Section 9.0 Feedback deleted; Paragraph number updated (previously 8.0).
Paragraph 11.1: Paragraph number updated (previously 8.1).
Paragraph 11.2: Paragraph number updated; references updated (previously 8.2).
Paragraph 11.3: Paragraph number updated (previously 8.3).
Paragraph 12.0: Appendix A Definitions and Abbreviations updated (previously paragraphs 1.2 and 1.3).
Paragraph 13.0: Appendix B updated to be Units (previously paragraph 1.4).
Paragraph 14.0: Appendix C added as References / Associated documents (previously Appendix A).
Paragraph 15.0: Appendix D added as Revision Record (previously following cover sheet).

3.1: Changed to unclassified
