
Exploration & Production

GENERAL SPECIFICATION

TECHNOLOGY

GS EP TEC 260

HIPS Design, Implementation and Life Cycle

Rev. Date Notes
00 01/2012 First issue

Owner: DEV/TEC Managing entity: DEV/TEC

This document is the property of Total. It must not be stored, reproduced or disclosed to others without written authorisation from the Company.
Exploration & Production

General Specification Date: 01/2012

GS EP TEC 260 Rev: 00

Contents

1. Scope

2. Reference documents

3. Definitions
3.1 Parties
3.2 Abbreviations

4. Obsolescence and lifetime cycle management

5. Cyber security

6. Service conditions

7. General design & construction requirements
7.1 Hazardous area classification and EMC certification
7.2 Materials of construction
7.3 Standardisation
7.4 Electrical links
7.5 Earthing

8. Performance requirements
8.1 HIPS reliability criteria
8.2 HIPS availability criteria
8.3 HIPS reaction and response times

9. HIPS sensors
9.1 General
9.2 Pressure sensors
9.3 Flow sensors
9.4 Level sensors
9.5 Sensor isolation valves and interlocking arrangements
9.6 Heat tracing and winterisation requirements
9.7 Sensor protection enclosures
9.8 Sensor engineering documents


10. HIPS logic solvers
10.1 General
10.2 Logic solver reliability
10.3 Logic solver availability
10.4 Cyber security
10.5 I/O modules and logic modules
10.6 Discrepancy monitoring
10.7 Voting arrangements and downgraded modes
10.8 Operator interface
10.9 Reset and black-start
10.10 Inhibit and override functions
10.11 Testing facilities
10.12 Sequence of event
10.13 Interfaces with other systems
10.14 Functional logic and troubleshooting loop diagrams
10.15 Spare capacity
10.16 HIPS cabinet

11. HIPS final elements
11.1 HIPS valves
11.2 HIPS Actuators and valve control panels
11.3 Valve and actuator installation and handling requirements
11.4 Valve and actuator painting
11.5 Electrical switchgear for HIPS functions

12. Testing requirements
12.1 Testing methodology
12.2 Test procedures
12.3 Test preparation
12.4 Test witnessing
12.5 Test recording and corrections follow-up
12.6 Design Validation Test (DVT)
12.7 Factory Acceptance Tests (FAT)
12.8 Integrated Factory Acceptance Test (IFAT)
12.9 Yard & On-Site Acceptance Tests (SAT)


12.10 Operational Test Procedure (OTP)
12.11 Wet HIPS performance tests

13. HIPS design validation

14. Preservation, storage and installation requirements

Bibliography
Appendix 1 Typical logic solver power supply and earthing diagram
Appendix 2 Example of a typical integral HIPS mimic panel
Appendix 3 Typical 5-step reliability methodology


1. Scope
This General Specification describes the minimum requirements for the design, implementation
and life-cycle of all parts of a High Integrity Protection System (HIPS), comprising:
• Sensors
• Logic solver
• Final elements
• Interfaces with other systems
and associated project execution and SIL demonstration requirements.
This General Specification applies to surface oil & gas processing and transport facilities.
This General Specification shall be applied in conjunction with GS EP SAF 260, which serves as
the governing specification defining the basic configuration of any HIPS.
A HIPS is a complex system involving multiple technical and safety engineering disciplines. This
General Specification represents the consensus of multiple corporate technical and safety
departments and shall be strictly adhered to. Any Derogation Request must be fully
justified and provide a fully worked-out, detailed solution which does not reduce the reliability
and availability of the HIPS, and which shall be subject to review and approval by Company’s HIPS
Committee and/or corporate engineering discipline manager(s).
This General Specification shall be complemented with a project specification providing the
project specific details, without altering the requirements defined in this specification.
This General Specification also serves as a Safety Requirement Specification, required by
IEC 61508/IEC 61511 for safety instrumented systems for the process industry. In case of
conflict or discrepancy between IEC 61508/IEC 61511 and this specification, the most
stringent requirement in Company’s judgement shall be applied.
HIPS shall be a complete autonomous Safety Instrumented System (SIS), being a fully stand-
alone system with dedicated sensors, logic solver and final elements, and which shall not rely or
depend on other control/safety systems present (other systems may also actuate HIPS final
elements, but the final elements remain part of the HIPS).
As such, a HIPS cannot be broken into individual components processed by different parties;
nor can it be integrated inside another safety system.
The HIPS shall be a single supply by a Company approved HIPS Integrator.

2. Reference documents
The reference documents listed below form an integral part of this General Specification. Unless
otherwise stipulated, the applicable version of these documents, including relevant appendices
and supplements, is the latest revision published at the EFFECTIVE DATE of the CONTRACT.


Standards

Reference: Title
ASME B16.34: Valves - Flanged, Threaded, and Welding End
EN 10204: Metallic Products - Type of Inspection Documents
IEC 60331: Fire resisting Characteristics of Electric Cables
IEC 60529: Degrees of Protection Provided by Enclosures (IP code)
IEC 60617-12: Graphical Symbols for Diagrams - Part 12: Symbols for Binary Logic, Analogue and Hybrid Elements
IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems
IEC 61511: Functional Safety - Safety Instrumented Systems for the Process Industry Sector
IECEx: IEC System for Certification to Standards relating to Equipment for use in Explosive Atmospheres (IECEx System)
ISO 4406: Hydraulic Fluid Power - Fluids - Method for Coding the Level of Contamination by Solid Particles
ISO 10497: Testing of Valves - Fire Type-Testing Requirements

Professional Documents

Reference: Title
API 607: Fire Test for Quarter-turn Valves and Valves Equipped with Non-Metallic Seats

Regulations

Reference: Title
European Directive 94/9/EC dated 23 March 1994: Directive of the European Parliament and of the Council on the approximation of the Laws of the Member States concerning equipment and protective systems intended for use in potentially explosive atmospheres (ATEX)
European Directive 2004/108/EC dated 15 December 2004: Directive of the European Parliament and of the Council on the approximation of the Laws of Member States relating to electro-magnetic compatibility (EMC)


Codes

Reference: Title
Not applicable

Other documents

Reference: Title
OREDA: Offshore Reliability Database

Total General Specifications

Reference: Title
GS EP COR 350: External protection of offshore and coastal structures and equipment by painting
GS EP COR 354: External protection of onshore structures and equipment by painting
GS EP ELE 161: Electrical cables
GS EP EXP 405: Standard reliability data report
GS EP INS 101: Instrumentation engineering, supply and construction general requirements
GS EP INS 107: Design and installation of instrumentation links
GS EP INS 137: On/off valve control panels and actuators functional and construction requirements
GS EP PVV 142: Valves
GS EP SAF 361: SIL assignment
GS EP SAF 260: Design of High Integrity Protection Systems (HIPS)
GS EP SAF 261: Emergency Shutdown and Emergency De-Pressurisation (ESD & EDP)
GS EP SAF 337: Passive fire protection: Basis of design
GS EP TEC 007: Obsolescence and Lifetime Cycle Management

3. Definitions
3.1 Parties
Company: TOTAL E&P or any TOTAL E&P subsidiary.
Contractor: Any company TOTAL E&P has signed a contract with for the Engineering, Procurement, Construction and Installation of a part of a project.
Manufacturer: Any company being the original manufacturer of a HIPS component, not necessarily being the supplier of the component(s).
HIPS Integrator: The designated company having received a Purchase Order by Contractor or by Company for the design and supply of a complete HIPS package.

3.2 Abbreviations
AISI American Iron and Steel Institute
ASME American Society of Mechanical Engineers
CCR Central Control Room
DB&B Double Block & Bleed
DVT Design Validation Test
EMC Electro-Magnetic Compatibility
ENP Electroless Nickel Plating
ESD Emergency Shut-Down system
FAT Factory Acceptance Test
HART Highway Addressable Remote Transducer protocol
HIPS High Integrity Protection System
HMI Human-Machine Interface
HVAC Heating Ventilation and Air Conditioning system
I/O Input/Output
ICSS Integrated Control and Safety System
IFAT Integrated Factory Acceptance Test
IMS Instrument Maintenance System
IP Ingress Protection
IT Information Technologies
ITP Inspection & Test Plan
LOPA Layers Of Protection Analysis
MCC Motor Control Centre
MTTR Mean Time To Repair
MUX Multi-Plexer
NPS Nominal Pipe Section
NPT Nominal Pipe Thread
OPC OLE for Process Control protocol
OREDA Offshore REliability DAta organisation


OTP Operational Test Procedure


PC Personal Computer
PCS Process Control System
PDS Process Data Server
PFD Probability of Failure on Demand (IEC 61508, IEC 61511)
PFH Probability of dangerous Failure per Hour
PFP Passive Fire Protection
PSS Process Safety System
SAT Site Acceptance Test
SB&B Single Block & Bleed
SIF Safety Instrumented Function (IEC 61508, IEC 61511)
SIL Safety Integrity Level (IEC 61508, IEC 61511)
SIS Safety Instrumented System (IEC 61508, IEC 61511)
SMART Self Monitoring And Reporting Technology
SVTS Smart Valve Testing System
SOE Sequence Of Event
TCP/IP Transmission Control Protocol/Internet Protocol
UPS Uninterruptible Power Supply
VCP Valve Control Panel
VDU Video Display Unit
VSD Variable Speed Drive

4. Obsolescence and lifetime cycle management


A dedicated obsolescence and lifetime cycle management plan shall be established for the
HIPS package in accordance with GS EP TEC 007, starting at Basic Engineering, meeting the
specified HIPS lifetime including future migration (revamp) and decommissioning stages.
As per GS EP TEC 007, Contractor and HIPS Integrator each have separate tasks and
deliverables to fulfil in the Obsolescence Plan, Dossier and Strategy Development. Therefore,
the HIPS Integrator shall establish and issue his own dedicated obsolescence and lifetime cycle
management philosophy and associated data for the complete HIPS package.
Besides technology, the support and commitment of any component Manufacturer, knowledge
transfer and knowledge management are key issues to be addressed in the obsolescence and
lifetime cycle management philosophy for the HIPS package, and shall also define the
selection of individual package components.
A number of specific design requirements for HIPS components, as defined hereafter in various
sections, are also driven by low-obsolescence requirements, such as solid state technology,
4-20 mA sensors, hard-wired/ModBus links and the prohibition of IT-based equipment/links.


5. Cyber security
One of the key design objectives for the HIPS package shall be that the integrity (i.e. availability
and reliability) cannot be affected by software alterations or via software interfaces with other
systems, as the consequences of a failure on demand are potentially catastrophic and/or may
cause significant production loss/stop.
Despite the use of solid state technology, cyber threats can still pose a direct or indirect threat to
the integrity of a HIPS package, and a number of important HIPS design topics are related to
cyber security as further detailed in section 10.4.

6. Service conditions
The HIPS dossier, HIPS design specifications and HIPS equipment data sheets by Company,
Contractor and HIPS Integrator shall clearly identify and describe all possible process and
ambient service conditions, such as (but not limited to):
• Process fluid compositions (all possible production scenarios)
• Possibility of slugging flow
• Rate of change in process pressure, temperatures, flows
• Presence & worst case concentrations of H2S, CO2, solids, sand, paraffin, etc.
• High & low extreme process pressure, temperatures, flows
• Change of process fluid composition & properties over the facility’s lifetime
• Presence & worst case concentrations of injected chemical products
• High & low extreme ambient outdoor and indoor conditions.
For any of the conditions, it shall be clearly defined when they occur and what their impact is
during the various operational situations, e.g. shut-in, cool-down, start-up, normal production.
This will also be required to define the needs for heating and winterisation of HIPS components.
The fact that some conditions only occur temporarily (such as methanol injection, or cool-down)
does not relieve the HIPS design of the need to deal with these temporary situations: the
HIPS shall be suitable for any given situation/condition regardless of its duration.
The presence of injected chemicals (notably methanol) and fluid elements such as H2S is
important as it has a direct impact on the selection of non-metallic components of sensors and
final elements. Therefore, they must be clearly defined in the HIPS project specification.

7. General design & construction requirements


All the General Specifications listed in section 2 apply in full, complemented by the
more restrictive requirements of the following sections.

7.1 Hazardous area classification and EMC certification


All outdoor electronic/electrical equipment shall be certified, regardless of the area:
Ex d / e / de / ia, II-2G, IIB, T4
to ATEX (mandatory for European facilities) or to IECEx standards by a Notified Body, approved
by Company, unless defined differently by the project specification. Certification to product
category ‘3G’ or gas group ‘IIA’ is not permitted. Additional certifications, such as GOST, may
apply as per project specifications.
Intrinsically safe instruments shall only be used if other protection methods are not available.
Local field junction boxes shall be Ex ‘e’.
All electrical equipment shall be CE labelled for compliance with the European ATEX and EMC
Directives. ATEX/IECEx and EMC certificates for each HIPS component shall be included in the
final vendor documentation.

7.2 Materials of construction


All outdoor HIPS sensors and control elements, including process isolation valves/manifolds,
associated mounting accessories and protection equipment, shall be fully made of AISI 316
stainless steel, or better for process wetted parts as per applicable piping class.
Position detection switches may be made of non-metallic material if they are installed inside a
protective enclosure, but first preference shall be metallic material.
For the process wetted parts of sensors and process isolation valves/manifolds, a material
traceability certificate 3.1 as per EN 10204 shall be provided.
Local field junction boxes, internal and external supports, earth bosses, shall all be AISI 316.

7.3 Standardisation
The HIPS system cabinets will preferably have identical colour and size as the ICSS system
cabinets. Double-width cabinets shall not be used.
The brand and sizing system (i.e. metric or imperial) for instrument tubing and fittings shall be
standardised throughout the whole facility.
It is the responsibility of the Contractor to specify these standardisation details to the HIPS
Integrator, valve supplier, etc.

7.4 Electrical links


All HIPS field devices shall be hard-wired directly into the HIPS cabinet via individual armoured
fire-resistant instrument cables as per IEC 60331, without intermediate junction boxes or
intermediate marshalling facilities. This rule also applies for cables towards MCC switchgear.
An exception to the direct-cable rule is made for particular field devices which by design have a
short length of cable encapsulated (moulded) into the device, such as limit switches or heater
blocks. In those cases, multiple devices of the same type may be connected to a common local
junction box, but individual cables to the HIPS system cabinet shall be run. Segregated junction
boxes for power and for signals in accordance with GS EP INS 107 shall be retained.
Cables shall be in compliance with GS EP ELE 161 with armouring in compliance with
GS EP INS 107.
Internal cabinet wiring, as well as all other plastic cabinet components such as ducting, circuit
breakers, etc., shall have low smoke and non-toxic smoke properties.
Terminals shall be spring-loaded type, DIN-rail mounted, for all indoor and outdoor junction
boxes and cabinet terminals (Ex-rated where required), both for signal and power cabling.
Screw type terminals are only permitted inside final field devices (e.g. sensors, solenoids), earth
bars, and for the power feeders & distribution inside the HIPS system cabinet.


7.5 Earthing
A strict segregation in earthing systems (i.e. IE, IPE, ISE) as per GS EP INS 107 shall be
applied. All design specifications, drawings and the equipment itself shall clearly indicate and use
the IE, IPE, ISE terminology, including junction boxes and field cabinets/enclosures.
Particular care shall be given to yellow/green DIN-rail earth terminals in junction boxes and
marshalling compartments, because they provide a direct internal connection to the DIN rail
itself. As such, it might be required that the DIN rail is isolated from the chassis or enclosure, to
ensure that cable screens remain isolated from the local PE network. This shall be clearly
identified during design, shown on design drawings and duly verified during FAT.
By default, unless the facility’s instrument earthing philosophy stipulates differently, cable
screens shall be earthed only on the system cabinet side (i.e. isolated on field side), while cable
armouring shall be earthed on both sides, in accordance with GS EP INS 107.
The HIPS project specification shall clearly define if the 0 Vdc shall be floating or earthed, in
strict coherence with the facility’s instrument earthing philosophy. In the absence of any
specification, the 0 Vdc shall be floating (i.e. not connected to earth). In case of floating 0 Vdc,
an earth leak detector shall be installed with a single-pole double throw (SPDT) volt-free alarm
contact, to be grouped with other general system alarms (refer to section 10.13).
Refer to Appendix 1 for a typical cabinet earthing and power supply diagram.

8. Performance requirements
8.1 HIPS reliability criteria
Each HIPS component, signal, logic and final elements shall be designed as fail-safe, i.e. failure
of any component / signal / logic / power supply / motive fluids shall cause that part of the HIPS
to automatically change to safe state.
A dedicated SIL assessment in the form of a LOPA as defined by IEC 61511, and in
accordance with GS EP SAF 361, shall be performed at the earliest stage of the HIPS design
as an integral part of the HIPS Dossier.
The reliability criteria (PFDavg or PFH, whichever applies according to the demand rate) of all
HIPS related components or sub-systems shall be specified and included in the component or
sub-system datasheets. All HIPS related components or sub-systems shall be specified and
selected with a PFDavg (or PFH) which satisfies the SIL requirements of the HIPS function (SIF).
Utility supply and distribution shall be such that it meets the availability requirements and allows
maintenance without production shutdown.
This General Specification stipulates a default SIL for certain HIPS components, which shall be
adhered to regardless of whether a lower SIL is required for the HIPS function by the SIL assessment.
Only highly reliable and proven-in-use components or sub-systems shall be used, based on
Company’s GS EP EXP 405 and Company recognised end-user reliability databases such as
OREDA. Otherwise, as per IEC 61508, an additional hardware fault tolerance level must be
implemented for the particular component or sub-system.
Reliability of components or sub-systems shall be demonstrated through extensive use in
similar service and in similar environment during their useful lifetime. Prototype or non-proven-
in-use components shall not be used.


8.2 HIPS availability criteria


Design of the overall HIPS shall include fault tolerance and redundancy arrangements for
sensor, logic modules, I/O modules, power supply and any other component, in order to avoid
spurious trips and provide high system availability (i.e. greater than 99.99%). All active
components inside the system cabinet shall be hot-swappable and self-configuring to allow for
online replacement. Refer to sections 9 and 10 for more details.
Unless specified differently, the Mean Time To Repair (MTTR) shall be taken as 8 hours.

8.3 HIPS reaction and response times


The HIPS reaction time is defined as the maximum allowable time in which the HIPS shall
prevent a hazardous operational condition. The required HIPS reaction time is defined by
dedicated studies being part of the HIPS dossier, in accordance with GS EP SAF 260, subject
to review and approval by Company’s HIPS Committee prior to any implementation.
The HIPS response time is defined as ‘the time from the moment the process threshold value
occurs until the final element has reached its safe state’.
By definition, the HIPS response time shall not exceed the required HIPS reaction time, i.e.:
$T_{RESPONSE} \le T_{REACTION}$
The HIPS response time is the summation of the time each of the following parts requires:
• Sensor response time
• Logic solver response time, incl. input cards
• Final element response time, up to final safe state
and which are further defined in the following sections.

8.3.1 Sensor response time


The sensor response time is defined by summation of the following parts:
• Lag time of the process tapping, e.g. thermal inertia of a thermowell (note 1)
• Lag time of the sensing element
• Processing (cycle) time of electronic instrument/transmitter
• Signal conditioning, e.g. dampening or filtering (note 2).
Note 1: In case of thermowells, a dynamic simulation shall be provided to calculate the lag time
caused by the thermal inertia of the thermowell.
Note 2: Dampening shall be disabled (0 msec), refer to section 9.1.

8.3.2 Logic solver response time


The logic solver response time is defined by the summation of the following parts:
• Worst (longest) processing (cycle) time of any input card
• Processing time of the logic part and output.
In general, the processing time of the logic part and output is considered negligible (0 msec) for
solid state technology; all of the logic solver response time will depend on the processing (cycle)
time of the analogue input cards which contain a microprocessor for signal conversion, derive
threshold values, etc.
However, the overall logic solver response time shall be multiplied by a factor 2 for the final
calculation of the HIPS response time, because if a process threshold value occurs just after a
cycle has started, it will only be processed during the next cycle. This is also referred to as ‘Safety
Time’ in IEC 61508.
In any design case, for solid state HIPS systems, the logic solver response time shall never be
defined less than 250 msec (which includes the double cycle time) in the HIPS response time
calculations.

8.3.3 Final element response time


The final element response time is defined by the summation of the following parts, split in two
possible types of final elements:
Actuated valves:
• The response time of all control circuit components (e.g. solenoid valves, pilot valves,
quick exhaust valves, etc.) of the motive fluid feeding the actuator
• The time required to depressurise the motive fluid before the actuator starts to move
• The inertia and mechanical slack of the moving parts in the actuator and valve (i.e.
stroking time), until the valve has reached its safety position.
Electrical equipment:
• The response time of all control circuit components (e.g. interposing relay, switchgear
relay, switchgear drawer, etc.)
• The inertia of the machinery, until it has fully stopped.
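The summation rules of sections 8.3.1 to 8.3.3 can be checked with a short calculation. The Python below is an added illustration, not part of this specification; the function names and all millisecond figures are constructed assumptions.

```python
"""HIPS response time budget following sections 8.3.1 to 8.3.3 (added illustration)."""

LOGIC_SOLVER_FLOOR_MS = 250.0  # 8.3.2: never less than 250 msec for solid state HIPS
CYCLE_FACTOR = 2.0             # 8.3.2: a threshold just after a cycle start waits one cycle


def sensor_time_ms(tapping_lag, element_lag, transmitter_cycle, damping=0.0):
    """8.3.1: sum of the sensor parts; damping must be disabled (note 2)."""
    if damping != 0.0:
        raise ValueError("damping must be disabled (0 msec) on HIPS sensors")
    return tapping_lag + element_lag + transmitter_cycle


def logic_solver_time_ms(input_card_cycles, logic_and_output=0.0):
    """8.3.2: worst input card cycle plus logic/output, doubled, with the 250 msec floor."""
    raw = max(input_card_cycles) + logic_and_output
    return max(CYCLE_FACTOR * raw, LOGIC_SOLVER_FLOOR_MS)


def valve_time_ms(control_circuit, depressurise, stroking):
    """8.3.3, actuated valves: control circuit, depressurisation, stroking to safe position."""
    return control_circuit + depressurise + stroking


def electrical_time_ms(control_circuit, machinery_inertia):
    """8.3.3, electrical equipment: control circuit plus run-down until fully stopped."""
    return control_circuit + machinery_inertia


def response_budget(sensor_ms, logic_ms, final_ms, reaction_ms):
    """Sum the three parts and compare with the required HIPS reaction time."""
    total = sensor_ms + logic_ms + final_ms
    return {
        "sensor_ms": sensor_ms,
        "logic_solver_ms": logic_ms,
        "final_element_ms": final_ms,
        "total_ms": total,
        "margin_ms": reaction_ms - total,
        "compliant": total <= reaction_ms,  # T_RESPONSE <= T_REACTION
    }


def worked_example():
    """Constructed figures for a pressure HIPS closing an actuated valve."""
    sensor = sensor_time_ms(tapping_lag=50.0, element_lag=100.0, transmitter_cycle=60.0)
    # Three input cards; the slowest (75 msec) governs, doubled to 150 msec,
    # which is below the floor, so 250 msec is used in the budget.
    logic = logic_solver_time_ms([40.0, 75.0, 60.0])
    valve = valve_time_ms(control_circuit=150.0, depressurise=300.0, stroking=1500.0)
    return response_budget(sensor, logic, valve, reaction_ms=3000.0)


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:>18}: {value}")
```
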

9. HIPS sensors
9.1 General
All HIPPS sensors shall be certified in compliance with IEC 61508 as SIL-2 for single transmitter
use and SIL-3 capability for dual transmitter use. This does not waive the mandatory requirement
for SIL assessment and certification for the complete HIPS package (refer to section 13), not
even when the HIPS function (SIF) requires a lower SIL.
SIL certifications for components and sub-systems shall be provided by Company recognised
third party (e.g. TUV, EXIDA, SIRA). Components or sub-systems being self-certified by the
Manufacturer are not permitted.
HIPS sensors shall be dedicated to the HIPS, being fully segregated from other systems,
including process tappings. They shall not have a secondary function like CCR HMI monitoring;
dedicated ICSS sensors shall be installed instead.
Pressure, level, flow, and temperature sensors shall be analogue 4~20 mA SMART
transmitters. Position sensors on final elements and sensor isolation valves shall be inductive
type proximity switches (detection = high signal), compliant with the logic solver input cards.
In any case, each measurement (input) part of the HIPS safety logic shall be triple sensors
installed in a 2oo3 voting configuration. The same type of sensor technology shall be used for a
given process measurement, and with a guaranteed identical measurement location/elevation,
avoiding spurious trips due to different sensor characteristics and/or different sensor responses
and/or different process conditions.
Each of the three sensors is preferably from a different Manufacturer. In case three sensors
from the same Manufacturer are used, then it shall be duly taken into account in the CCF factor
attributed to the sensors in the SIL demonstration.
The Manufacturer and model for sensors and isolation valves/manifolds shall be approved by
Company.
The following sensors do not require triplication:
• On-off valve position detectors providing only a status indication on the mimic panel
• The position detection of sensor isolation valves
• Pressure switches inside the valve control panel detecting a solenoid valve test.
Voting analogue sensors (transmitters) shall be installed on interlocking isolation valves, or
integral interlocking manifolds, allowing online replacement/testing/calibration without disrupting
production and without degrading the safety level of the protection loop during this maintenance
operation. For this, each sensor isolation valve shall be equipped with a position detector which
will initiate the voting logic to change from the 2oo3 to a 1oo2 configuration for the sensors
remaining in service (refer to section 10.7).
As per IEC 61508/IEC 61511, the potential alteration of sensor configuration (which is possible
via the superposed HART signal) is not permitted on safety instrumented functions. Therefore,
all SMART sensors shall be equipped with a hardware write protection (i.e. switch or jumper)
inside the transmitter. The use of sensors with only a ‘soft’ write protection, such as passwords
or enable/disable functions controlled from HART terminals, is not permitted.
The HART data from HIPS sensors will not be collected and transferred to the facility's IMS; the
installation of HART multiplexers is not permitted.
The failure output signal of analogue SMART sensors shall be set to the extremity which would
initiate a trip; typically set to HIGH (i.e. 20 mA) for pressure transmitters.
Dampening or filtering shall be completely disabled inside electronic instruments. This shall be
clearly stated on the instrument datasheets and be duly verified during FAT, as most
Manufacturers activate a certain dampening time by default.
All analogue electronic transmitters shall be equipped with an integral LCD display.
The data sheets for analogue sensors shall clearly indicate:
• Sensor failure output signal (HIGH or LOW)
• Dampening (DISABLED)
• Hardware write protection
• Square-root output (for dP flow sensors only)
• Trip threshold value in process value and in sensor mA output value.

9.2 Pressure sensors


The process tappings shall be NPS 2 inch flanged connections, having a process connection
in accordance with the applicable piping class.
For gas service, the process tapping(s) and sensors shall be located in the upper plane of a
horizontal pipe, or on top of a vessel, avoiding liquid to be trapped in the sensing path. For liquid
service, the process tapping(s) and sensors shall be located in the lower plane of a horizontal
pipe, avoiding gas and solids to be trapped in the sensing path.
Process tappings on vertical pipes requiring horizontal piping extension shall be avoided; they
shall only be used when it can be demonstrated that no other suitable solution is possible.
Pressure sensors using impulse tubing shall be avoided; they shall be direct mounted at an
integral interlocking valve/manifold (refer to section 9.5).
The final selection of pressure sensor implementation shall be decided and approved by
Company’s HIPS Committee. Therefore, the Contractor and/or HIPS Integrator shall provide a
full detailed design specification with full hook-up details for Company approval.

9.3 Flow sensors


Flow sensors shall measure the flow from the same (single) flow element (e.g. orifice, venturi
tube, spool piece for ultrasonic), as it is considered impossible to achieve identical
measurements from 3 different flow elements.
A HIPS based on flow sensors shall not be considered:
• In case a single flow element is not possible (for reasons of measurement principle,
process conditions, or turn-down ratio)
• In case failure of the single flow element (e.g. orifice erosion) can occur, creating a
common cause failure.
Although a single flow element is used, fully segregated process tappings and sensor
electronics shall be used.
The 3 sensors shall be interlocked using interlocking facilities as described in section 9.5.
The required turn-down ratio (i.e. the minimum/maximum flow ratio) for orifice and venturi tube
flow meters shall not be set larger than 1:3.
All HIPS flow sensors shall be tested and calibrated under real process conditions in a
calibrated flow loop as for fiscal metering, by a Company recognised third party.
Pressure & temperature compensation computing is not possible with solid state logic systems,
and therefore not required.
For this reason, for dP based flow sensors, the transmitter output shall be the square root
extraction of the measured differential pressure. The HIPS Integrator shall provide a carefully
calculated graph representing the flow versus transmitter output signal, defining the trip
threshold values in mA (required to set and test the logic solver input cards and voting blocs).
In addition, the actual flow versus transmitter output shall be accurately registered during the
flow calibration tests, to define the corresponding trip threshold value in mA, otherwise the real
trip threshold value is unknown and such a HIPS cannot be realistically tested during its lifetime.

For gas service, the process tapping(s) and sensors shall be located in the upper plane of a
horizontal pipe, or on top of a vessel, avoiding liquid to be trapped in the sensing path. For liquid
service, the process tapping(s) and sensors shall be located in the lower plane of a horizontal
pipe, avoiding gas and solids to be trapped in the sensing path.
Process tappings on vertical pipes shall be avoided; they shall only be used when it can be
demonstrated that no other suitable solution is possible.
Permitted flow meter types are orifice, venturi and ultrasonic type flow meters. Other flow meter
types such as Pitot tube, V-cone, turbine, vortex, coriolis and displacement are not permitted.
Ultrasonic flow meters can only be used if all the following requirements are applied:
• The process fluid is >99.5 % pure single phase at any time, without any contamination
• A single spool piece with intrusive type flow meter; clamp-on type is prohibited
• Sensor removal without production shut down; i.e. sonic transducers are to be used
• Accuracy shall be ≤ 2%; multi-path meters shall be used as required.
The final selection of flow meter type and implementation shall be decided and approved by
Company’s HIPS Committee. Therefore, the Contractor and/or HIPS Integrator shall provide a
full detailed design specification with full hook-up details for Company approval.

9.4 Level sensors


Level sensors shall be installed in one of the two following ways:
• Direct individual sensor connection at the vessel, hence 3x dedicated vessel tappings
or:
• A single common standpipe with 3 level sensors, hence 1x dedicated vessel tapping.
The second solution using a standpipe is not preferred, as it may introduce a common cause
failure. However, a standpipe may provide an improved (calm) environment, avoiding fluid
turbulence, reducing foam, etc. Therefore, standpipes shall only be used if a direct vessel
measurement would cause different measurement values or disturb the measurement itself.
Standpipes shall not be used if there is an inherent risk of clogging, e.g. by hydrates, solids or
paraffin. The use of heat tracing cannot be considered as a risk reduction factor for this.
By definition, there shall not be any valve between vessel and standpipe.
Standpipes shall be at least NPS 4 inch in diameter and have NPS 3 inch process (vessel)
tappings, for reasons of adequate liquid displacement and the fact that the weight of the
standpipe and HIPS sensor assembly must be supported by the vessel.
Process tappings for level sensor process isolation valves (at standpipe or at vessel) shall be
NPS 2 inch, equipped with full-bore NPS 2 inch block & bleed, or double block & bleed as per
piping specification, for non-membrane type level sensors. This shall be NPS 3 inch for
membrane type dP level sensors, or NPS 4 inch in case high accuracy is required.
In case individual sensor chambers are used (e.g. for probe and displacer type sensors), then
the chamber shall be at least NPS 3 inch with top flange for sensor mounting.
dP type level sensors using impulse tubing are not permitted; they shall either be membrane
type or thread mounted on an integral interlocking manifold (refer to section 9.5).

The location of the vessel tappings is deemed critical:
• For gas-liquid level measurement: the lower vessel tapping shall be located at least 2 inch
below the lowest trip threshold level, while the upper vessel tapping shall be located at
least 4 inch above the highest liquid trip threshold level.
• For liquid-liquid interface level measurement:
- In case of direct sensor to vessel connection:
. Lower tapping: min. 2 inch below the lowest interface trip threshold level
. Upper tapping: min. 2 inch below the weir plate elevation and min. 2 inch above the
highest interface trip threshold level.
- In case of standpipe or chamber: 3 tappings shall be used:
. Lower tapping: min. 2 inch below the lowest interface trip threshold level
. Middle tapping: min. 2 inch below the weir plate elevation and min. 2 inch above the
highest interface trip threshold level
. Upper tapping: at least 4 inch above highest vessel liquid threshold level.
- In any case, there must be at least 4 inch between highest interface level and the weir
plate, with the vessel tapping in the middle of the 4 inch elevation.
The vessel tapping elevations of the 3 level sensors for a given HIPS measurement shall be at
exactly the same elevations and not be influenced by vessel motions. Retrofitting an existing
vessel with a level HIPS using a mixture of tapping elevations is not permitted.
Vessel/process tapping(s) for level instruments shall be in static process condition, i.e. level
measurement tapping(s) on the vessel’s incoming or outgoing piping is strictly not permitted,
because the process flow creates a venturi effect and/or the measurement section(s) may
become polluted by foam and solids and/or sensor erosion may occur as a result.
Stilling wells inside the vessel shall not be used if the sensor cannot be isolated during
production. Top mounting on the vessel without a stilling well is not permitted.
Accurate and reliable level measurement can be difficult to achieve, notably on 3-phase
production separators where foaming may occur and where fluid properties can vary over time
or as a function of which wells are in operation. The following are to be considered general
rules; a careful assessment shall be made for each level HIPS case:
• Differential pressure (dP) type sensors shall not be used if the fluid density can vary by
more than 5% (typically observed for multi-reservoir developments)
• Capacitive probe and guided radar type sensors shall not be used if foaming may occur,
not even in case of very little foaming, or when build-up on the probe may occur
• Buoyancy displacer type sensors shall be considered if foaming (>1 inch) or varying fluid
density (>5%) may occur
• Parabolic radar type sensors shall only be used for gas-liquid levels without risk of
foaming.
Single-point nucleonic density type sensors may be used for level HIPS; either to detect a gas-
liquid level or liquid-liquid interface level. They can be a suitable solution in case of high solids
content, excessive foaming, viscous fluids, or when vessel/tank tappings are impossible to
realise. However, the requirement that only one sensor out of three can be isolated (i.e. out of
operation) will require a special operational procedure and hardware means, as normally no
valves/manifolds are involved in such measurement. A 1oo3 interlock key at the HIPS mimic
panel to disable a particular sensor shall be part of the solution.
The following types of level sensors are not permitted for HIPS applications:
• Magnetic displacer type sensors
• Nucleonic density profiler type sensors
• Any type which cannot be calibrated or tested on site.
Like any other type of analogue HIPS sensor, level sensors must be tested/calibrated under
real process conditions during FAT to verify the sensor’s output (in mA) at process threshold
value. Level sensor types which cannot be tested during FAT, or during operational life, are not
permitted. This may require the provision of a test vessel/standpipe during FAT.
The required provisions for periodic calibration and testing of individual level sensors (one out of
three at a time) shall be studied and be a dedicated section of the HIPS project specification.
The final selection of level sensor type and implementation shall be decided and approved by
Company’s HIPS Committee. Therefore, the Contractor and/or HIPS Integrator shall provide a
full detailed design specification with full hook-up details for Company approval.

9.5 Sensor isolation valves and interlocking arrangements

9.5.1 Process isolation principles


HIPS sensors shall be installed using only a process isolation valve/assembly, either single
block & bleed (SB&B), or double block & bleed (DB&B) in accordance with the applicable piping
class specification. Hence, no separate ‘piping’ and ‘instrument’ valves as for other instruments.
Pressure HIPS sensors shall have separate and dedicated process connections; hence 3
process tappings are required for a HIPS pressure measurement. The use of a single process
tapping for 3 sensors is not permitted, except for very clean and stabilised single-phase fluids
which have inherently zero risk of clogging under any given condition.
It is not permitted to have any piping between process connection and sensor isolation
valves/manifold: it shall be mounted directly on the pipe branch or on a vessel (or standpipe).
For pressure HIPS, the inlet (process) connection of the sensor isolation valves/manifolds shall
be NPS 2 inch flanged, ball or needle type, with minimum 14 mm internal diameter flow path,
while the outlet connection shall be NPT threaded for direct pressure sensor mount.
The passage through a needle valve seat shall be at least equivalent to a 7 mm diameter path.
For level HIPS: the inlet and the outlet connection of the sensor isolation valves/manifold shall
be NPS 2 inch flanged (3 inch for membrane type dP sensors), full bore ball valves. In case
DB&B valves are required as per applicable piping class specification, then an integral double
full bore ball valve shall be used. In case membrane type dP sensors are used, then reduced
bore valves with minimum 14 mm internal diameter flow path can be used.
Any sensor isolation valve/manifold shall be suitable for integral mounted interlock facilities, with
isolation detection sensor, as per sections 9.5.2 and 9.5.3.

The HIPS sensor process isolation valves/assembly shall be certified:
• Up to SIL-4 application in accordance with IEC 61508/IEC 61511.
• Fire-safe to API 607 / ISO 10497.
Furthermore, ball valves shall be in compliance with GS EP PVV 142.
The SIL certification shall be provided by Company recognised third party (e.g. TUV, EXIDA,
SIRA). Self-certification by the Manufacturer is not permitted.
The fire-safe certification shall be issued by Company recognised third party (e.g. API, BV,
DNV). Compliance statements by the Manufacturer are not permitted. For integral SB&B and
DB&B manifolds, the fire-safe certification applies to the primary isolation valve; and to all
primary isolation valves in parallel for multi-sensor manifolds.
HIPS sensor isolation valves/assembly shall be from a Company approved Manufacturer.
The HIPS process isolation valves are an integral part of the HIPS package, i.e. they are not
part of the piping/valve discipline, and therefore in the scope of supply of the HIPS Integrator.
The HIPS process isolation valves/manifolds are to be part of the sensor FAT, duly testing all
the interlocking arrangements, isolation detection sensors, calibration provisions, etc.

9.5.2 Bleed and calibration requirements


Each sensor shall have a dedicated (individual) bleed and calibration facility, to allow for sensor
test and calibration without the need for sensor dismantling.
The bleed outlets shall be routed to closed drain (liquid) or to a safe venting area (gas). In case
of a single 1oo3 interlocking manifold, the 3 drain connections shall be joined together into one
drain/vent line, outside the manifold.
Pressure and differential pressure isolation valves/manifolds shall have integral dedicated
(individual) calibration/test connection to connect a standard dead-weight tester.
Level sensors using a chamber will require additional chamber connections to connect a test
level gauge/glass covering at least the sensor’s full sensing range. The chamber’s vent and
drain connections are not to be used for this.
Membrane type dP sensors will require a flushing ring assembly between membrane flange and
isolation valve.

9.5.3 Isolation detection and interlocking requirements


By definition and in any case:
• It shall be impossible that a HIPS sensor can be isolated freely from the process, meaning
that each valve (lever) is mechanically locked
• It shall be impossible that more than one sensor at a time is isolated / out of operation,
meaning a mechanical interlock between the isolation valves of the 3 sensors
• The isolation of a sensor must be detected by an isolation sensor, being directly
connected to the HIPS logic solver to force an automatic changeover of the voting logic
from two-out-of-three (2oo3) to one-out-of-two (1oo2)
• In case of a double isolation valve (DB&B), it shall be impossible to close the second
isolation valve before the first valve is fully closed (first = process side) and before the
bleed valve is open.
Therefore, a comprehensive interlocking facility must be provided, for each HIPS measurement.
A single-key system shall be implemented, which ensures that only one sensor out of three
(1oo3) can be isolated, and in the right sequence, i.e. block-bleed for SB&B, or block-bleed-
block for DB&B. The isolation detection sensors shall be installed at the first isolation valve,
detecting a status change if the isolation valve is less than 90% open or less than 1 turn from
fully open for needle valves.
For pressure and differential pressure measurements other than membrane type sensors, the
use of a ‘gearbox’ type isolation and bleed manifold shall be selected. The ‘gearbox’ consists of
a forced path to be followed by a unique key (being a shared single key for the 3 sensors),
enforcing the block-bleed sequence, and shall include an integral isolation sensor.
In case of individual sensor process connections, three 1oo1 gearbox manifolds shall act
together creating a 1oo3 isolation configuration. In case of a single collective process
connection, a single integral 1oo3 interlocking gearbox manifold shall be used, with 3 integral
isolation detection sensors.
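The voting behaviour required by sections 9.1 and 9.5.3 (2oo3 voting, fail-high transmitters, changeover to 1oo2 when the isolation detector sees a valve less than 90% open) can be modelled to derive FAT test cases. The Python below is an added illustration and not part of this specification; the HIPS logic solver itself is solid state. The 16 mA high-trip threshold, the readings and the function names are constructed assumptions, and rejecting a double isolation as an error is this model's choice for a state the single-key interlock is meant to make impossible.

```python
"""2oo3 voting with isolation-driven changeover to 1oo2 (added model, sections 9.1 and 9.5.3)."""
from itertools import product

ISOLATION_DETECT_PCT = 90.0  # 9.5.3: detector changes state below 90% open
FAIL_HIGH_MA = 20.0          # 9.1: failure output set to the extremity that initiates a trip
TRIP_MA = 16.0               # constructed high-trip threshold, in transmitter mA


def is_isolated(valve_open_pct):
    """Isolation detector on the first isolation valve (ball valve case)."""
    return valve_open_pct < ISOLATION_DETECT_PCT


def vote(readings_ma, valve_open_pct, trip_ma=TRIP_MA):
    """Return (trip, voting_mode) for three transmitters and their isolation valves."""
    if len(readings_ma) != 3 or len(valve_open_pct) != 3:
        raise ValueError("a HIPS measurement uses exactly three sensors")
    isolated = [is_isolated(p) for p in valve_open_pct]
    if sum(isolated) > 1:
        # The mechanical 1oo3 interlock is meant to make this state impossible.
        raise ValueError("interlock violation: more than one sensor isolated")
    # An isolated sensor is removed from the vote, whatever it reads.
    in_service = [ma for ma, iso in zip(readings_ma, isolated) if not iso]
    votes = sum(1 for ma in in_service if ma >= trip_ma)
    if len(in_service) == 3:
        return votes >= 2, "2oo3"
    return votes >= 1, "1oo2"


def count_trips(isolated_index=None):
    """Enumerate every below/above-threshold combination; return (tripping, total)."""
    valves = [100.0, 100.0, 100.0]
    if isolated_index is not None:
        valves[isolated_index] = 0.0
    tripping = total = 0
    for readings in product((12.0, 18.0), repeat=3):
        trip, _mode = vote(list(readings), valves)
        tripping += trip
        total += 1
    return tripping, total


def fat_cases():
    """Constructed cases: (description, readings in mA, valve positions in % open)."""
    return [
        ("all healthy, below threshold", [12.0, 12.0, 12.0], [100.0, 100.0, 100.0]),
        ("one transmitter failed high", [FAIL_HIGH_MA, 12.0, 12.0], [100.0, 100.0, 100.0]),
        ("A isolated on test signal", [FAIL_HIGH_MA, 12.0, 12.0], [0.0, 100.0, 100.0]),
        ("A isolated, B failed high", [12.0, FAIL_HIGH_MA, 12.0], [0.0, 100.0, 100.0]),
        ("one vote, all valves open", [12.0, 18.0, 12.0], [100.0, 100.0, 100.0]),
        ("one vote, A valve at 85%", [12.0, 18.0, 12.0], [85.0, 100.0, 100.0]),
    ]


if __name__ == "__main__":
    for name, readings, valves in fat_cases():
        trip, mode = vote(readings, valves)
        print(f"{name:32} mode={mode} trip={trip}")
    print("2oo3 tripping combinations:", count_trips())
    print("1oo2 tripping combinations:", count_trips(isolated_index=0))
```

The last two cases show why the 90% detection point matters: the same single above-threshold reading does not trip in 2oo3 but does trip once a partly closed valve has switched the logic to 1oo2.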

9.6 Heat tracing and winterisation requirements


Two different kinds of heating might be required, depending on the particular HIPS application
as defined in the HIPS dossier, and as agreed/instructed by Company’s HIPS Committee:
• Heat tracing of HIPS sensor assembly, process tapping, standpipe
• Winterisation of the HIPS sensor assembly.
These two heating options serve very different purposes and shall not be mixed, though both
might be required simultaneously.
In general, heating devices shall be 220~240 Vac. Each heating device shall have its own
dedicated power supply feeder and circuit breaker in the HIPS system cabinet, though the
multiple feeders to the field may be combined into one cable towards a collective junction box.
Heating devices shall normally be powered by the normal power feeder (not UPS) from the
HIPS system cabinet. However, it shall be powered by the UPS feeder from the HIPS system
cabinet if heating has been assessed to be critical in the HIPS Dossier, and if low temperature
detection would initiate an automatic activation of the HIPS.
The HIPS Integrator shall provide power loss calculations to define the required cable sections.

9.6.1 Heat tracing


The principal purpose of heat tracing is to ensure that the process fluid inside the HIPS sensor
assembly and process tapping (and standpipe if any) remains adequately fluid, i.e. avoiding
potential clogging due to fluid cool-down. In this case:
• Two self-regulating resistive block heaters shall be fixed on the integral interlocking
manifolds, i.e. contact heaters; one on each end of the central bar or block to which the
sensors are mounted
• Self-regulating heat tracing wire under thermal insulation around quarter-turn ball valves,
process tappings, level sensor chambers (and standpipe if any), including liquid drain
lines
• Electronic sensors/transmitters do not require individual block heaters.
In case a HIPS sensor assembly must be heat traced, then the following monitoring and alarm
facilities shall be provided:
• One analogue 24 Vdc, 4~20 mA, 3-wire PT-100 temperature sensor monitoring the
external body (skin) temperature of integral interlocking manifolds or isolation ball valves.
This temperature sensor is typically installed inside the protective enclosure (refer to
section 9.7)
• In case of a standpipe, one analogue 24 Vdc, 4~20 mA, 3-wire PT-100 temperature
sensor monitoring the external body (skin) temperature of standpipe
• One volt-free contact monitoring that electrical power is applied to the heat tracing wire,
located at the feeding circuit breaker inside the HIPS system cabinet.
The HIPS Dossier shall clearly define the low body temperature alarm threshold value, and to
which temperature the HIPS sensor assembly must be heated up.
It is the responsibility of the HIPS Integrator to calculate the required heat tracing capacity
(power rating, cable sections, etc.), and all heat tracing equipment will be in the scope of supply
of the HIPS Integrator. Block heaters on integral interlocking manifolds are typically an integral
part of the manifold, therefore supplied by manifold Manufacturer.
Both temperature monitoring devices shall be connected to the HIPS system cabinet, each
causing a specific alarm. These alarms shall be high priority alarms made available on the ICSS
HMI in the CCR.
In general, no automatic HIPS activation shall be associated to these temperature alarms,
unless defined otherwise in the HIPS Dossier.

9.6.2 Winterisation
The principal purpose of winterisation is to ensure that the process fluid, sensor assembly and
electronic devices remain above a certain minimum temperature above freezing point, e.g.
5 degrees Celsius.
Besides self-regulating resistive heating blocks and heat tracing wire as per previous section,
this will also include an ambient block heater inside the protection enclosure.
The same temperature monitoring and alarm facilities shall be provided as per previous section,
except that the sole purpose is to maintain and monitor a certain temperature above freezing
point.
The general rule shall be to implement this winterisation requirement by default for facilities
where freezing environmental conditions may occur.

9.7 Sensor protection enclosures


All HIPS sensors, including their process isolation valves/manifold, must be protected against
impact and against environmental conditions degrading the integrity of the assembly.
Therefore, the entire HIPS sensor assembly shall be installed inside an AISI 316 enclosure,
rated IP55 as per IEC 60529, typically equipped with a shatterproof safety glass inspection
window, and a gas-spring operated enclosure access door.
All connections/passages shall be on the bottom of the enclosure only. Sensor cables shall
penetrate the enclosure via AISI 316 stuffing glands maintaining the IP rating; the final
termination and cable stripping shall be done via the Ex-rated cable gland at the device itself.
Any junction boxes (limited to isolation valve sensors, heat tracing and heating blocks)
shall be installed on the back outside of the enclosure. All cable entries shall be on the bottom
only. Routing of non armoured or non fire-resistant cables (if any) from inside to outside may be
realised using AISI 316 tubing ending within 5 cm from the junction box, using heat shrink on
both tubing ends to seal the cable.
To avoid too many penetrations, a dedicated PE earth bar shall be installed inside the enclosure
for earthing all electrical components inside the enclosure, connected to an M10 threaded PE
earth boss on the outside of the enclosure via a 16 mm² earth cable. The enclosure itself shall
not be used as a central earthing point, but also be connected to the PE earth bar.
Adequate instrument location tag plates shall be installed:
• Close to the instruments inside the enclosure
• Including one to identify the internal PE earth bar and external PE earth point
• On the outside of the enclosure showing enclosure tag
• Above junction boxes for junction box identification
with the tag plate colours in compliance with GS EP INS 101.
Junction boxes with mains voltage levels (e.g. heating power supply) shall have additional
yellow/black warning tag plates indicating danger + voltage level, e.g. ‘DANGER 230 VAC’.
The sensor protection enclosures shall be robust quality enclosures, with adequate key lock.
Typically, the enclosure support is spot welded to the process connection flange, providing the
possibility to remove the enclosure during installation works. This may require some cables to
junction boxes to be disconnected from the junction box before shipment.

9.8 Sensor engineering documents


The Contractor and/or HIPS Integrator shall issue various engineering documents providing
detailed instrument hook-ups and process data, showing at least:
• Pipe/vessel orientation
• Process connections
• Elevations (level HIPS) and/or distances from pipe/vessel
• Isolation valves/manifolds
• Interlock equipment
• HIPS sensors and isolation detector sensors
• Test/calibration connections, including test gauge connections for level sensors
• Bleed/vent connections, tubing
• Valve/manifold heating blocks, enclosure heating blocks
• Temperature sensors for valve/manifold and/or enclosure
• Protective enclosure with all internal and external components (multiple views)
• Local junction boxes
• Detailed manifold assembly
• Isometric drawings, vessel/standpipe layout drawings
• Weight of complete assembly (sensor + isolation valves + enclosure + accessories)
• Weight of standpipe (if any)
• Any other component that is part of the HIPS sensor assembly.
In addition, for level HIPS, dedicated vessel level sketches showing all PCS, SIS and HIPS
normal/alarm/trip levels, baffles, weir plates, etc. shall be provided.

10. HIPS logic solvers


This section covers the ‘logic solver’ part as defined in IEC 61508/IEC 61511, covering as such
the complete HIPS system cabinet which contains the electronic logic solver, associated
hardware, operator interface, utilities, and specifies operational and maintenance functionalities.
The design requirements of the HIPS logic solver as detailed in this section are combined
criteria resulting from:
• Reliability
• Availability
• Cyber security
• Obsolescence
• Maintainability.

10.1 General
The HIPS logic solver shall be fully segregated and independent of other facility safety
instrument systems. It shall be housed in dedicated HIPS cabinets; integration with/inside other
systems is not permitted.
Each HIPS logic solver shall be dedicated to one process system or one pipeline/flowline/riser.
In case multiple HIPS are present in the facility (i.e. multiple vessels, flowlines, risers), then a
dedicated HIPS system for each one shall be provided.
In case of a single HIPS function, such as a single pipeline, but being provided with full
redundant bypass HIPS valves to allow for periodic inspection and maintenance of main valves,
a second independent HIPS logic solver for the bypass valves may be considered to ease
maintenance and inspection of the valves, logic solver and sensors.
The HIPS logic solver shall be a solid state (i.e. non-programmable) electronic system, located
inside an acclimatised technical room. The use of other technologies/media, or being located
outside a technical room, is not permitted.
The ‘solid state’ requirement does not apply to analogue input cards, which by nature require a
microprocessor for signal conversion, nor for non-safety components such as communication
cards, though they shall meet the same availability requirement as of the safety logic part.
All equipment will be independent of HVAC status; it shall be designed for outdoor temperature
and relative humidity conditions corresponding to a HVAC failure of the technical room.
Electronic system components shall be tropicalised.
The HIPS logic solver shall be from a Company approved Manufacturer.

10.2 Logic solver reliability


The logic modules, digital I/O modules and system rack of the logic solver shall be certified as
SIL-4, while analogue input cards shall be certified as SIL-3, in compliance with IEC 61508.
The implementation of the SIL-3 analogue input cards in a 2oo3 voting configuration shall
provide an overall SIL-4 rating.
This does not relieve the mandatory requirement for SIL assessment and certification for the
complete HIPS package (refer to section 13), not even when the HIPS function (SIF) requires a
lower SIL.
SIL certifications for components and sub-systems shall be provided by Company recognised
third party (e.g. TUV, EXIDA, SIRA). Components or sub-systems being self-certified by the
Manufacturer are not permitted.
The logic solver shall be designed as ‘fail-safe’, i.e. failure of any component, including power
supply, shall cause automatic de-energising of the final element(s). Therefore, fault tolerance is
of primary importance to ensure that the HIPS logic solver shall be able to continuously operate
without any spurious/dangerous action during failure and/or replacement of a logic solver
component. Refer to section 10.3.

10.3 Logic solver availability


The HIPS logic solver shall be fault tolerant by means of an independent redundant
configuration, requiring at least a double fault to initiate an automatic shutdown of the system to
a safe state, i.e. all outputs to de-energised state.
Availability shall be 99.99% minimum.
The HIPS logic solver shall be designed such that any single fault or component failure either
within hardware, firmware or software (if any) does not cause a logic solver spurious trip or
dangerous action. A single fault shall also not reduce the HIPS reliability.
Therefore, the logic solver shall be a fully redundant system, allowing hot replacement of any
failed component without loss of HIPS reliability and without reduction of the facility’s safety
level. Starting and re-initialisation of newly installed modules shall be automatic without the
need for maintenance/override switches (which are not permitted as per section 10.10).
Analogue input cards do not require to be redundant, based on the fact that each measurement
has triple sensors, which shall each be connected to a different input card. Removal of one
input card shall be handled as a trip of that sensor by the system, but shall not cause a system
shutdown.
Hence, depending on the logic solver Manufacturer, either redundant or simplex input cards can
be chosen. However, the remaining parts/components of the logic solver, including voting
blocks, shall be fully redundant, typically housed in separate system racks creating two separate
independent outputs.
The logic solver Manufacturer shall demonstrate that a single fault, notably in the rack housing
the simplex input cards, cannot cause a system shutdown.
Continuous self-monitoring and diagnostics of the logic solver system shall be considered of
primary importance. All cards, modules, buses, power supply, etc. shall incorporate self-
diagnostic health check features. Health status and failures shall be displayed locally on the
component (card) itself, on the mimic panel as a general alarm, and remotely on the ICSS HMI
in the CCR, without affecting the HIPS reliability and availability.

10.4 Cyber security


Despite the use of solid state technology, cyber threats can still pose a direct or indirect threat to
the integrity of a HIPS package, and the following design requirements shall therefore be
applied:
• The HIPS may only be interfaced with ICSS through hard-wired or ModBus link.
• Remote maintenance/engineering and associated networks are not permitted.
• The SOE function shall be embedded inside the HIPS; hard-wired signals to PCS/SIS
input cards shall be used for time-critical events.
• Data storage is not required; main data, alarms and trips shall be registered by the
facility’s PDS and historian server through serial bus and/or hard-wired links.
• The logic solver shall not be interfaced with any support system (e.g. PDS, IMS, etc).
• The use of IT-based equipment for package HMI and/or communication links is not
permitted; package HMI shall be solid state mimic panels, as per section 10.8.1. A
PC-based maintenance work station (to be installed inside the system cabinet) is only
permitted if it cannot alter the system.
Furthermore: HIPS system cabinets (containing the logic modules, I/O cards, mimic panel, etc)
shall be locked cabinets, located inside a secured room, preventing unauthorised access.
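The requirements of this section can be applied as a design-review check over a declared inventory of HIPS interfaces. The following is an added example, not part of the specification: the inventory model, field names, rule identifiers and both sample designs are constructed for illustration.

```python
from dataclasses import dataclass

PERMITTED_ICSS_LINKS = {"hard-wired", "modbus"}   # first bullet of 10.4
SUPPORT_SYSTEMS = {"PDS", "IMS"}                  # examples named in 10.4


@dataclass(frozen=True)
class Interface:
    """One connection to the HIPS package (hypothetical inventory record)."""
    name: str
    kind: str                      # "data-link", "hmi" or "workstation"
    peer: str                      # system or user at the other end
    link: str                      # e.g. "hard-wired", "modbus", "opc"
    remote: bool = False           # reachable for remote maintenance/engineering
    it_based: bool = False         # IT-based equipment (e.g. VDU HMI)
    can_alter_system: bool = False
    inside_cabinet: bool = True


@dataclass(frozen=True)
class Design:
    interfaces: tuple
    soe_embedded: bool
    cabinet_locked: bool
    secured_room: bool


def audit(design):
    """Return (rule, subject, message) for every deviation from section 10.4."""
    findings = []
    for i in design.interfaces:
        if i.remote:
            findings.append(("no-remote", i.name,
                             "remote maintenance/engineering is not permitted"))
        if i.peer in SUPPORT_SYSTEMS:
            findings.append(("no-support-system", i.name,
                             "logic solver shall not interface with " + i.peer))
        elif i.kind == "data-link" and (
                i.peer != "ICSS" or i.link not in PERMITTED_ICSS_LINKS):
            findings.append(("icss-link-only", i.name,
                             "only hard-wired or ModBus links to the ICSS"))
        if i.kind == "hmi" and i.it_based:
            findings.append(("it-based-hmi", i.name,
                             "package HMI shall be a solid state mimic panel"))
        if i.kind == "workstation":
            if i.can_alter_system:
                findings.append(("workstation-write", i.name,
                                 "workstation must not be able to alter the system"))
            if not i.inside_cabinet:
                findings.append(("workstation-location", i.name,
                                 "workstation shall be inside the system cabinet"))
    if not design.soe_embedded:
        findings.append(("soe-embedded", "design",
                         "SOE function shall be embedded inside the HIPS"))
    if not (design.cabinet_locked and design.secured_room):
        findings.append(("physical-access", "design",
                         "locked cabinet inside a secured room is required"))
    return findings


# Constructed sample: a design that deviates from 10.4 in several places.
WEAK_DESIGN = Design(
    interfaces=(
        Interface("ICSS status link", "data-link", "ICSS", "opc"),
        Interface("vendor support tunnel", "data-link", "vendor", "ethernet",
                  remote=True),
        Interface("historian feed", "data-link", "PDS", "modbus"),
        Interface("package HMI", "hmi", "operator", "vdu", it_based=True),
        Interface("SOE workstation", "workstation", "maintenance", "serial",
                  can_alter_system=True, inside_cabinet=False),
    ),
    soe_embedded=True, cabinet_locked=True, secured_room=False,
)

# Constructed sample: the same package brought in line with 10.4.
CORRECTED_DESIGN = Design(
    interfaces=(
        Interface("ICSS status link", "data-link", "ICSS", "modbus"),
        Interface("ICSS trip signals", "data-link", "ICSS", "hard-wired"),
        Interface("mimic panel", "hmi", "operator", "solid-state"),
        Interface("SOE workstation", "workstation", "maintenance", "serial"),
    ),
    soe_embedded=True, cabinet_locked=True, secured_room=True,
)

if __name__ == "__main__":
    for rule, subject, message in audit(WEAK_DESIGN):
        print(f"{rule:22} {subject:24} {message}")
    print("corrected design findings:", audit(CORRECTED_DESIGN))
```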

10.5 I/O modules and logic modules


Besides health status indication, each module (card) shall have status indication for each output
signal.
Analogue input cards shall be equipped with an alphanumerical display which can indicate
actual and threshold values, either as a percentage value or in process units.
Power supply distribution modules containing fuses shall be equipped with fuse failure
indication. Fuses shall be directly accessible for replacement. Furthermore, separate fuses must
be addressed to the input and voting cards of triplicated sensors to avoid common cause failure.
Timer (delay) cards shall be equipped with an alphanumerical display which indicates timer
setting and output status.
All input and output signals shall be equipped with line monitoring; an error shall be handled as
a trip or as a sensor failure (causing the first trip in a 2oo3 voting bloc).
All field sensors and final elements shall be galvanically isolated from the logic solver modules.

NAMUR type intrinsic-safe limit/position sensors and associated digital input cards are permitted
if the intrinsic safe barriers do not degrade the reliability and availability of the logic solver.
All failures (errors) shall be collected and reported to the internal sequence of event recorder;
though there is no need to transmit individual failures/errors to the ICSS: grouped alarms shall
be used instead (refer to section 10.12).

10.6 Discrepancy monitoring


Discrepancy monitoring between analogue sensors shall not be implemented, because such
functionality is difficult to achieve in a solid state system and it would add a lot of additional
unwanted hardware. Furthermore, the triple sensor philosophy with 2oo3 voting is also defined
to account for a sensor failure while maintaining HIPS reliability.
However, a ‘first trip’ alarm shall be created to indicate that the first fault has occurred in the
2oo3 voting logic bloc, or when a line monitoring fault occurs (sensor loss). This alarm shall
have no safety function assigned to it, and it has therefore no particular SIL requirements. It
shall be logged by the SOE and be transmitted to the ICSS HMI in the CCR.

10.7 Voting arrangements and downgraded modes


Deliberate downgrading modes shall always be related to ‘downgraded availability’, they are not
permitted for ‘downgraded reliability’.
HIPS activation shall be automatically initiated in case 2 out of 3 (2oo3) sensors reach the trip
threshold value, or if 1 out of 2 (1oo2) sensors reach the trip threshold value in ‘downgraded
mode’.
The logic solver shall automatically switch to downgraded mode (i.e. 1oo2) by itself when any of the following occurs:
• The process isolation valve of a HIPS sensor is not fully open (i.e. the
isolation valve position detector switches to low value)
• A sensor isolation key switch on the mimic panel is activated (see note)
• A line monitoring fault for a HIPS sensor is detected
• An input card failure/error occurs.
Switching to downgraded mode shall initiate an alarm locally on the HIPS logic solver and
remotely on the ICSS HMI in the CCR, and be stored by the HIPS SOE.
Dedicated status lights with sensor description on the mimic panel shall indicate when the final
output (not the individual inputs) of a voting bloc has tripped (light ON means trip due to 2oo3 or
1oo2 activated).
Note: Only in case of special instruments which do not have sensor isolation valves, e.g.
nucleonic instruments, then a dedicated interlocking sensor isolation key switch on the mimic
panel shall be used to disable 1oo3 sensors with automatic voting change-over.
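The voting behaviour of this section can be modelled for review and for deriving FAT test cases. The following Python model of one voting bloc is an added example, not part of the specification. Counting an unavailable sensor as a forced trip vote (so that 2oo3 collapses to 1oo2 on the remaining two sensors, and a second unavailable sensor trips the bloc) is this example's modelling assumption, as are all class and field names.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import product


class Mode(Enum):
    NORMAL_2OO3 = "2oo3"
    DOWNGRADED_1OO2 = "1oo2"
    DOUBLE_FAULT = "two or more sensors unavailable"


@dataclass(frozen=True)
class SensorChannel:
    """One of the three sensor channels of a voting bloc (hypothetical model)."""
    at_trip_threshold: bool = False     # process value has reached the trip threshold
    isolation_valve_open: bool = True   # isolation valve position detector
    key_switch_isolated: bool = False   # sensor isolation key switch on the mimic panel
    line_fault: bool = False            # line monitoring fault (sensor loss)
    input_card_ok: bool = True          # input card present and healthy

    @property
    def available(self) -> bool:
        # Any of the four downgrade causes listed in 10.7 removes the channel.
        return (self.isolation_valve_open and not self.key_switch_isolated
                and not self.line_fault and self.input_card_ok)


@dataclass(frozen=True)
class VoteResult:
    mode: Mode
    trip: bool               # voting bloc output: True = de-energise final elements
    first_trip_alarm: bool   # first vote present in the bloc (alarm only)
    downgraded_alarm: bool   # downgraded mode alarm to mimic panel, ICSS HMI and SOE


def vote(channels) -> VoteResult:
    if len(channels) != 3:
        raise ValueError("a HIPS voting bloc takes exactly three sensor channels")
    unavailable = sum(not c.available for c in channels)
    tripped = sum(c.available and c.at_trip_threshold for c in channels)
    # Modelling assumption: an unavailable channel is a forced trip vote.
    votes = tripped + unavailable
    if unavailable == 0:
        mode = Mode.NORMAL_2OO3
    elif unavailable == 1:
        mode = Mode.DOWNGRADED_1OO2
    else:
        mode = Mode.DOUBLE_FAULT
    return VoteResult(mode=mode, trip=votes >= 2,
                      first_trip_alarm=votes >= 1,
                      downgraded_alarm=unavailable >= 1)


DOWNGRADE_CAUSES = (
    SensorChannel(isolation_valve_open=False),
    SensorChannel(key_switch_isolated=True),
    SensorChannel(line_fault=True),
    SensorChannel(input_card_ok=False),
)


def single_condition_never_trips() -> bool:
    """No single trip vote or single unavailable channel trips the bloc."""
    single = (SensorChannel(at_trip_threshold=True),) + DOWNGRADE_CAUSES
    for bad, position in product(single, range(3)):
        channels = [SensorChannel()] * 3
        channels[position] = bad
        if vote(channels).trip:
            return False
    return True


def downgraded_equals_1oo2() -> bool:
    """With one channel unavailable, the output equals 1oo2 on the other two."""
    for cause, a, b in product(DOWNGRADE_CAUSES, (False, True), (False, True)):
        result = vote([cause,
                       SensorChannel(at_trip_threshold=a),
                       SensorChannel(at_trip_threshold=b)])
        if result.mode is not Mode.DOWNGRADED_1OO2 or result.trip != (a or b):
            return False
    return True


if __name__ == "__main__":
    healthy, high = SensorChannel(), SensorChannel(at_trip_threshold=True)
    print(vote([high, healthy, healthy]))
    print(vote([SensorChannel(line_fault=True), healthy, high]))
    print(single_condition_never_trips(), downgraded_equals_1oo2())
```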

10.8 Operator interface

10.8.1 Integral mimic panel


The logic solver cabinet shall be equipped with a solid state mimic panel; the use of IT based
VDU HMI is not permitted.
The mimic panel shall be a solid aluminium plate mounted integral within the logic solver system
rack, representing a simplified process flow diagram with sensors, valves, pipes, vessel, etc
engraved in the aluminium, which adequately enables operators to recognise the equipment.
The mimic panel should not be a graphical representation of the safety logic; exception can be
granted in case of a single final element which has complex safety logic.
The mimic panel shall provide a graphical overview of all HIPS sensors and final elements, as
well as the output status of voting blocs and of final elements using red and green status lights:
• Green: healthy operational condition, i.e. solenoid energised, HIPS valve open
• Red: non-operational condition, or HIPS trip activated, i.e. solenoid de-energised, valve
closed, voting bloc output low (tripped), degraded mode (sensor isolated)
• Red: solenoid valve test or partial stroke test ongoing.
Furthermore, the HIPS mimic panel shall contain (as applicable):
• HIPS safety logic reset button
• Light (LED) test button
• Particular status light, such as interlock or override delay active.
• Sensor isolation interlocking key switch (if any).
Push buttons shall be non-latching (latching push buttons or latching rotary switches are not
permitted), and may have integral status light when deemed useful for operator comprehension.
Additional system status indication, either at the mimic panel or using a dedicated system status
panel (visible through the cabinet door window) shall be provided showing relevant system
information such as:
• Power supply status (one for each UPS and normal power feeder)
• 24 Vdc power supply status (one for each 24 Vdc power supply)
• General (grouped) heat tracing fault
• General (grouped) system fault
• General (grouped) cabinet heating/ventilation fault
• And other status information as deemed necessary for the particular HIPS.
Refer to Appendix 2 for a typical example of a mimic panel and a system status panel.

10.8.2 ICSS HMI in the CCR


The principal philosophy is that any HIPS activation and HIPS system alarms are
investigated from the HIPS logic solver cabinet and in the field, not from the CCR.
Only a few basic items of HIPS status information shall be transmitted to the ICSS HMI, limited to:
• HIPS status (healthy/activated)
• Interlock override active (if any)
• Individual voting logic output status, i.e. the HIPS trip healthy/activated
• (grouped) Sensor isolation alarm, i.e. degraded mode alarm
• (grouped) Various system alarms (power supply, heat tracing, system fault, etc)
• (grouped) Test status (solenoid test / partial stroke test ongoing).
It shall be reminded that dedicated ICSS (PCS and SIS) sensors ought to be installed for ICSS
HMI in the CCR. HIPS sensors are not permitted for ICSS functions.
Therefore, HIPS valves shall be equipped with dedicated ICSS limit switches for CCR HMI.
The following status information shall not be transmitted to the ICSS:
• Individual sensor values
• Intermediate safety logic values.
The reset of the HIPS safety logic is not permitted from CCR; the HIPS shall remain a full stand-
alone system. Reset and other operator interventions will be at the HIPS cabinet.
Furthermore: Company’s typical SIS safety logic bar representation is not compatible with the
safety logic configuration of solid state technology. Therefore, there shall be no ‘internal HIPS
safety logic bar’ inside the ICSS HMI graphic displays; there shall only be single HIPS status
input at the overall topside safety logic bar graphics.

10.9 Reset and black-start


The safety logic shall require a manual reset upon each HIPS activation or upon a power black-
out, i.e. the safety logic shall not re-initiate itself when process conditions have become safe,
nor upon power-up after a black-out.
This safety logic reset shall only be possible from the integral mimic panel inside the HIPS
cabinet; it is not permitted remotely from the CCR or elsewhere.
The restart of the HIPS must be done without the need to by-pass or inhibit its function.
Attention shall be paid to the fact that the HIPS solenoid valve at HIPS valve will open
automatically in case of safe process conditions, while the same HIPS valve will normally be
opened by the CCR operator through dedicated SIS solenoid valves. A logic interlock inside the
SIS safety logic inhibiting the SIS solenoid to be energised before the HIPS solenoid is
energised shall be studied and implemented by Contractor. Otherwise, there is a risk that the
HIPS valve opens upon a reset from the HIPS cabinet.
The HIPS logic solver shall automatically restart upon a facility power black-out without the need
for operator intervention, reminding that the above manual reset shall be required to re-initiate
the safety logic.
In case of a logic interlock in the safety logic, which disables one process valve to open before
another one, then a local interlock reset shall be integrated in the valve control panel of the
valve(s) concerned. This shall be a non-latching spring-opposed key switch.

10.10 Inhibit and override functions


Inhibit and override functions are not permitted, as they would cause a downgraded reliability.
The sensor triplication, logic solver redundancy and final element bypass facilities are partly
defined for this reason.
The only override function which can be proposed will be an override of a safety logic
interlocking condition, which would otherwise make it impossible to re-open a HIPS valve.
Such ‘interlock override’ shall be implemented using an integral timer inside the safety logic.
The timer duration shall be carefully calculated based on worst case operating scenarios, and
the override duration shall be set to less than the shortest duration which would cause a
hazardous condition. Interlocks shall never be on-off non-latching switches.
The activation of an interlock override shall be visually indicated at the mimic panel and on the
ICSS HMI in the CCR, and be stored by the SOE of both HIPS and ICSS.
The interlock override, associated override timer duration and location of the activation push
button shall be clearly defined in the HIPS Dossier, subject to approval by Company’s HIPS
Committee.

10.11 Testing facilities


The logic solver and safety logic must enable the periodic testing of sensors and final elements
such as solenoid valves and partial stroke testing of HIPS valves:
• Without interrupting the production
• Or without causing the HIPS function to be activated
• Or without causing the safety logic to engage in an interlocking condition.
The design requirements for testing sensors have been covered by the previous sections
defining triplication of sensors, isolation detectors and the automatic change-over of voting logic
facilities.
However, different measures will be required to enable testing of final elements, which will
merely depend on temporarily bypassing the final element during the test of the final element
and the safety logic to initiate a de-energising of the final element. Refer to section 11.2.6.
Furthermore, special HART pass-through filters at the logic solver outputs to actuated valves
might be required to interface smart valve testing systems with the facility’s IMS. Such filters
shall be SIL-3 certified passive device, which can under no condition interrupt the 24 Vdc fail-
safe signal to the final element. Refer to section 11.2.7.
The overall performance of the entire HIPS will be monitored by using the maintenance work
station connected to the HIPS SOE, recording the time from trip initiation until final element safe
state position.
Trip initiation will be done by creating a trip condition at a sensor isolated from the process, or
alternatively by manipulating the 4~20 mA signal(s) to the logic solver in case the creation of a
trip condition at the sensor is not possible.

10.12 Sequence of event


A sequence of event (SOE) shall be implemented inside the HIPS logic solver. It shall capture
and store all events:
• Required to analyse a HIPS activation, i.e. all input and output changes
• Required to analyse system alarms/errors
• Related to downgraded mode (sensor isolation, final element test, etc.)
• Related to certain values of the safety logic considered important for future analysis, such
as interlocks, override timer status, manual inputs, reset, etc.
The solid state logic solver SOE typically only records events when there is a change of a signal
value, with a time stamp; it is not a continuous cycling and data value storing device.
The logic solver’s SOE data will require a PC based maintenance workstation, being either a
dedicated laptop or dedicated permanent workstation integrated inside the logic solver cabinet.
External and remote located workstations are not permitted.
The SOE workstation shall not be interfaced with any other system, and it shall not be able to
write to or modify any part of the logic solver system (i.e. read only). It shall not serve as an
interface with the facility’s ICSS SOE recorder.
A secondary function of the SOE recorder and workstation will be logic solver maintenance and
periodic performance testing, as no other device will be capable of doing this.
The SOE workstation shall be in the scope of supply of the HIPS Integrator. When cabinet
space permits, it shall be permanently built inside the HIPS cabinet (not outside as part of the
cabinet door); else it shall be supplied as a dedicated laptop.

10.13 Interfaces with other systems

10.13.1 Interface with ICSS for CCR HMI


Generally a limited amount of HIPS information will be shown on the ICSS HMI in the CCR, also
because dedicated ICSS sensors shall be installed for process and equipment monitoring. Each
project will define which HIPS information shall be transferred and displayed on the ICSS HMI.
It shall be reminded that Company’s safety logic bar (tree) representation does not comply with
functional logic block set-up of a solid state system. Therefore, it shall not be attempted to
represent the internal status of the HIPS safety logic into Company’s safety logic bar format.
Instead, the status representation of HIPS safety logic shall be limited to the HIPS output status,
being a simple input status on the facility’s process safety logic bar graphics.
HIPS monitoring information can be transferred through either hard-wired or serial bus
communication links, being non-IT based such as ModBus or Profibus. IT-based communication
links such as OPC are not permitted. In case of a ModBus link, TCP/IP will be the default type.
Serial bus communication links with the ICSS do not require to be redundant, unless the HIPS
status information is considered to be critical for facility operation. It shall be reminded that
redundant serial communication links are difficult to implement with solid state systems. It
requires a purpose-built data handling application in the PCS, which is preferably avoided.
Communication cards shall have self-diagnostics and data integrity control, being equipped with
health/error status indication at the card. Faults and failures of the communication cards shall
not affect HIPS reliability and availability. It shall be possible to replace communication cards
without interrupting the HIPS, and newly installed cards shall have automatic re-initialisation.
All HIPS data retrieved by the ICSS shall be transmitted to the facility’s process data server
(PDS).

10.13.2 Interface with ICSS SOE recorder


The need to have HIPS event data available in the ICSS SOE shall be reviewed and defined
with care and caution. Being a small reactive system, a HIPS will be activated due to a major
process or subsea upset, and it will not provide much information to analyse the cause of the
process/subsea upset.
In addition, dedicated ICSS PCS and SIS instrumentation will exist and provide much wider
historical information, being the first layer(s) of protection.
A primary function of transferring SOE data to the ICSS will be to have a trace of testing dates,
downgraded modes and system failures, which are typically stored in the HIPS’s SOE.
Therefore, some basic HIPS event data shall be transferred to the facility’s ICSS SOE to identify
and timestamp HIPS events for future incident analysis, such as:
• HIPS status (activated/healthy)
• Output status of voting blocs (the HIPS function)
• Output status to final elements
• Any event/status causing downgraded mode, e.g. testing activation
• Sensor isolation / final element bypass
• Logic solver system alarms/errors (e.g. logic modules, power supply, etc.)
• Heat tracing alarms.
It shall be reminded that a solid state logic solver has no internal clock, and it has no
synchronising with other systems. Time stamping will be done by the ICSS upon reception of
the data. Those events for which the time stamp is considered critical shall be hardwired to
ICSS input cards. All other non-time-critical events and status monitoring information can be
transmitted through either hardwired or serial communication link, as per previous section.
Finally, all HIPS event data retrieved by the ICSS (PCS and SIS) shall be transmitted by the
ICSS to the facility’s process data server (PDS) and facility’s sequence of event recorder.

10.14 Functional logic and troubleshooting loop diagrams


The HIPS Integrator shall provide fully detailed functional logic diagrams (FLD) in accordance
with drawing standard IEC 60617-12, representing the safety logic design in block diagram
format. These diagrams typically show the signal path from the logic solver’s inputs to outputs in
a format close to how a solid state system is physically built.
These drawings shall also serve for the purpose of FAT, SAT, commissioning, future testing and
troubleshooting. As such, they shall be very complete in terms of module identification, tag
numbers and description of sensors/final elements/alarm/trips/etc. and a clear identification and
location of status lights, push buttons, etc.
This is not to be confused with troubleshooting loop diagrams, which shall represent the actual loop
wiring data from the sensor/final element terminals to the logic solver module, including
complete details on sensors, cables, marshalling terminals, cross wiring, logic solver
rack/slot/module, etc. and which are equally important for FAT, SAT, commissioning, future
testing and troubleshooting.
Although these documents shall be the responsibility of the HIPS Integrator, it shall be reminded
that the Contractor has the responsibility to provide all necessary information and data such as
tag numbers, cable types, interfacing systems, functional analysis, etc, required to complete
these documents, and in due time to have these documents approved by Company to initiate
the FAT of the various HIPS components.

10.15 Spare capacity


Little to no spare capacity will be required in the logic solver cabinet, unless future modifications
are foreseen in the HIPS dossier, because a HIPS is considered a purpose built system.
All unused wires shall be terminated at individual terminals, and then be bonded together to
earth.

10.16 HIPS cabinet


Marshalling of cables for HIPS sensor and final elements shall be done directly inside the HIPS
system cabinet. Separate marshalling cabinets with cross-wiring shall be avoided.
For this reason, HIPS system cabinets shall not be mounted against a wall; they shall be
positioned with adequate free front and back entry space to allow for a marshalling section in
the back side of the cabinet.
For this reason, cabinets with internal swing frame are permitted to allow for a dual section
cabinet, optimising internal cabinet space.
However, swing frames can only be used when:
• The swing frame is securely locked, without any free space which could allow frame
vibration (i.e. a soft dampening material between cabinet frame and swing frame)
• The cabinet shall stand on a vibration dampening mat. The thickness and material type of
the dampening mat depends on the actual footprint and cabinet weight. The HIPS
Integrator shall demonstrate that the cabinet or dampening mat Manufacturer has
calculated the required material type and thickness as a function of the actual cabinet.
HIPS cabinets front door shall have a large safety glass window to enable status indication of
system components and of the mimic panel without the need for opening the cabinet door.
Two half-wide doors on the back side to access the marshalling section are preferred.
Cabinet ventilation typically consists of air extraction on the top with air inlet filters on the bottom
of the front doors.
The cabinet sides shall not be used, allowing other cabinets to be positioned directly adjacent to
them.
Cable entry shall be from the bottom, unless stated differently in the project requirements. Brush
type bottom plates shall be used to pass cables through to avoid an air draught from the false
floor area into the cabinet.
Cabinets shall be equipped with the following accessories, powered from normal power feeder:
• Internal lighting, automatically detecting a presence and switching off
• Thermostat(s) for ventilation control
• Two earthed power sockets, with actual voltage level tags:
- One socket to local standard
- One socket to French type E or German type F standard.
All electrical power circuit breakers and distribution components shall be individually tagged and
be identified on electrical single line diagrams. Furthermore, all components with terminals at
mains voltage level (i.e. at 110 or 240 Vac) shall have adequate protective covers with
yellow-black warning stickers with voltage level indication.
Electrical mains power components and cabling shall be segregated from other cabinet
components. Signal and 24 Vdc signals shall be further segregated as per GS EP INS 107.

11. HIPS final elements


This section is split in two different types of final elements:
• Actuated process valves
• Electrical equipment.
The principal difference between actuated valves and electrical equipment is that the SIL
requirement for electrical equipment is up to and including the electrical switchgear in the MCC;
it does not include the electrical powered process equipment.
However, the SIL requirement for actuated process valves includes the process valve itself.
All valve components or sub-systems shall be specified and selected with a PFDavg (or PFH)
which satisfies the SIL requirements of the specific HIPS function (SIF).
The following components shall have a default SIL for single use, or better when required for
the HIPS function (SIF):
• Solenoid valves: minimum SIL-3
• Relays: minimum SIL-3
• Smart valve testing systems: minimum SIL-3
• HART pass-through filters: minimum SIL-3
• Actuators: minimum SIL-3
• Valves: minimum SIL-3
• Limit switches: minimum SIL-2 if used for safety logic purpose
SIL certifications for components and sub-systems shall be provided by Company recognised
third party (e.g. TUV, EXIDA, SIRA). Components or sub-systems being self-certified by the
Manufacturer are not permitted.
Any final element component shall be of a Company approved Manufacturer.

11.1 HIPS valves

11.1.1 Valve design


HIPS valves shall be in strict compliance with GS EP PVV 142, and with other PVV General
Specifications as referred to therein, as applicable.
By default, HIPS valves are classified Service Class E, regardless of whether they are also used by the
process safety system (PSS) or emergency shut-down system (ESD).
Consequently, a metal seal design with tungsten carbide coating must be provided; soft seals are
not permitted.
HIPS valves shall be either quarter-turn ball valves or axial flow valves. Axial flow valves shall
be preferred in case of fast stroking times, i.e. ≤ 0.2 sec/inch diameter, and when no pigging is
required.
RTJ type flanges shall be used in case of flanged end connections.
Valves installed in horizontal position shall have the stem in vertical position, with the actuator
on top of the valve.

11.1.2 Particular design requirements for quarter turn HIPS ball valves
The following requirements for HIPS ball valves are additional to GS EP PVV 142.
Ball valves shall be designed as full bore valves in any case; the internal diameter shall be
exactly identical to the internal diameter of the adjacent piping. No erosion or cavitation
effects shall be able to occur under any given operational conditions due to differences in
diameters or due to cavities.
Ball valves shall be designed with two seats of the simple piston effect type.
Seat to ball contact shall be metal to metal with tungsten carbide coating.
An equalizing hole in the ball is prohibited.

11.1.3 Market availability and lead times for large bore valves
Availability and associated delivery times for large bore and/or high pressure valves, and/or
particular material, shall be assessed during FEED/Basic Engineering phase. The assessment
shall include casting and forging capabilities of the approved HIPS valve Manufacturers.
The final HIPS design may be significantly impacted by the availability and maximum diameters
as a function of the particular material.
In no case shall the final selection of valve Manufacturer or valve material be imposed by these
limitations, and the HIPS valves shall if so required be handled as a long lead item.

11.1.4 Valve leakage rate definition and leakage testing requirements


Valve leakage rates shall be in compliance with GS EP PVV 142.
However, the HIPS function (SIF) can be at one or more pressure levels being different from the
valve design pressure. Therefore, for HIPS valves, the valve leakage rate shall be defined:
• At valve design pressure as per ASME B16.34
• At each HIPS function (SIF) pressure level(s).
Consequently, HIPS valves shall be seat leakage tested as per GS EP PVV 142 and at all SIF
pressure levels (HIPS/ESD/PSS). The valve data shall clearly indicate the HIPS pressure levels.
Furthermore, HIPS valves shall be leakage tested in on-site final position, and in both flow
directions. The valve Manufacturer shall provide a special test bench for vertical mounted HIPS
valves.
Vertical mounted HIPS valves shall be leakage tested with their actuator mounted to the valve.
A dedicated inspection and test plan (ITP) and associated pressure & leakage test procedures
shall be issued for all HIPS valves (for each size and for each pressure class) for Company
review and approval, in strict compliance with GS EP PVV 142.

11.1.5 Valve stroking times


The HIPS valve stroking time to fail-safe position shall meet the HIPS final element response
time as defined by the HIPS dossier.
However, different stroking times may be defined for the opposite stroke direction (e.g. the
opening stroke time of a fail-safe valve) as a function of operational requirements and/or to
protect the technical integrity of the valve as per valve Manufacturer’s recommendations.
The valve/actuator datasheets shall clearly define separately the open and closure stroke times.

11.1.6 Fire-proofing
As per GS EP SAF 337, all emergency shutdown valves (ESDVs) which serve as a battery limit
of facility connections that can be exposed to a fire and cannot be depressurized, shall be
protected with passive fire protection (PFP). For offshore applications, PFP is also mandatory
for the actuators of riser ESDVs.
Hence, PFP for valve body and actuator is mandatory for offshore HIPS valves acting as a riser
isolation valve. Depending on the location and function (i.e. fire zone battery limit, facility
connection), and in accordance with the facility's safety philosophy, other HIPS valves will or will
not require PFP.
The PFP systems shall ensure the integrity of the protected part under fire conditions.
Maintenance, test and inspection tasks of the valve and actuator must remain possible during
the facility's lifetime. Hence, PFP shall consist of a removable AISI 316 enclosure around the valve
and/or actuator; it shall not consist of a fire-proofing coating. Refer to GS EP SAF 337 for more
details on fire-proofing type and performance.
Fire-proofing of valve body shall include adequate leak detection monitoring facilities, while the
vent must be routed to a safe venting area.
The design and supply of the PFP equipment will be in the scope of supply of the valve
Manufacturer, who shall issue multi-angle 3-dimensional valve + PFP assembly drawings during
design phase for Company and Contractor review and approval.

11.2 HIPS Actuators and valve control panels


The following requirements for HIPS actuators and valve control panels are in addition to the
general requirements to be followed as per GS EP INS 137.

11.2.1 Actuator types


HIPS actuators shall be single-acting spring-return actuators, helical spline or scotch yoke
design. Double-acting actuators, or designs requiring external reservoirs, are not permitted.
Compact helical spline actuators are the preferred type of HIPS actuators for quarter-turn
valves, being the mandatory type of actuator for valves ≥ NPS 10 inch.
Internal components shall be corrosion resistant, e.g. by ENP plating or by use of corrosion
resistant materials. The use of painted components is not permitted for components in contact
with the motive fluid. The actuator Manufacturer shall provide detailed cross sectional actuator
drawings listing component materials and corrosion protection measures.
The design pressure of the actuator shall exceed the facility’s maximum motive fluid supply
pressure. The use of pressure relief valves to reduce the actuator design pressure is not
permitted, despite the requirement that a fail-safe pressure regulator shall be used to set the
actuator to operate at minimum facility supply pressure.

11.2.2 Actuator motive fluids


The actuator motive fluid can either be pneumatic (default) or hydraulic (special cases).
All fluid outlets to atmosphere shall be adequately protected against ingress (dust, insects, etc.),
but also against plugging in the long term (corrosion, salt-growth, freezing, etc.). Outlets shall be
pointing downwards; short length tubing shall be used if so required, or at Company request.
The dimensioning of hydraulic systems and distribution network shall take into account the
particular fluid properties of the selected hydraulic fluid. The (dynamic) hydraulic back pressure
in the return system shall be carefully assessed.
Hydraulic systems shall be designed to ensure that the fluid retains at least cleanliness code
17/15/12 as defined by ISO 4406. Contractor and/or HIPS Integrator shall develop dedicated
procedures for installation, cleaning and filling, subject to Company review and approval prior to
construction and installation.
By default, the fluid return path (depressurisation path) shall be routed through the opposite side
of the actuator piston to avoid humidity and/or dirt ingress on the piston’s atmospheric side. This
rule may be altered for helical spline actuators with hermetically closed piston compartments.

11.2.3 Protection of control components


The integrity of pneumatic and hydraulic links, i.e. tubing between actuator and local valve
control panel as well as hydraulic return network to return tank, is considered highly critical for
the availability of the HIPS, and these links must therefore be protected against mechanical damage.
All pneumatic and hydraulic links shall be installed in a metallic enclosure environment, such as
covered cable trays. As far as reasonably possible, the local valve control panels shall be
directly mounted on the HIPS actuator, to minimise exposure and the lengths of the links. If not
possible, e.g. in case of fire proofing or outboard installed valves, then the local valve control
panel shall be as close as possible to the valve, not exceeding 3 meters distance.
All pneumatic/hydraulic actuator control components shall be installed inside a solid closed
cabinet, refer to the next section(s).
In case there is no other option than to install individual control components directly at the
actuator, in order to ensure the required response time, e.g. quick exhaust valves, then these
components must be adequately protected against damage by impact, fire and environment.

11.2.4 Local valve control panels


Each HIPS valve shall be provided with a dedicated closed key-locked local valve control panel
(VCP), in accordance with GS EP INS 137.
All functions related to normal operations, e.g. ESD reset push buttons and regular pressure
gauges, shall be directly accessible/visible from the outside, being flush-mounted on the outside,
while all functions related to maintenance and component testing shall be located inside the
panel. As per GS EP SAF 261, the local open/close button shall be located inside the panel.

11.2.5 Control components


All pneumatic/hydraulic actuator control components shall be installed inside an enclosed key-
locked local valve control panel (VCP), except for those components which must be direct-
mounted on the actuator to ensure the response time.
The use of compact manifolds shall be avoided; the use of individual components connected by
tubing, which allows easy troubleshooting, is strongly preferred.
In general, all pneumatic or hydraulic control components with moving parts shall be proven in
use and SIL-3 certified for single use. In the absence of a 3rd party SIL certification, an
additional level of fault tolerance must be provided, for example additional quick exhaust
valves. Electric control components shall be SIL-3 certified for single use by a Company
recognised 3rd party in any case; alternatives are not permitted.
The use of two HIPS solenoid valves in series is not preferred as it increases the reliability very
little while significantly decreasing the availability. In case this solution is applied, then dedicated
logic solver output modules shall be used.
Pilot-operated valves shall only be used if the required air flow capacity (component Cv value)
really requires it, while maintaining the requirement for low-power (< 0.5 Amp) solenoid valves.
It shall be reminded that the response time of the HIPS valve is related to the valve’s fail-safe
stroking direction upon de-energising, and not to the opposite stroking direction upon
energising. Depending on whether the actuator depressurisation path goes through the control
components or not, the Cv value of control components can be relaxed, potentially allowing low-
power non-pilot operated solenoid valves.
In case of multiple solenoid valves from different systems, then all solenoid valves shall be
dedicated and be identical to the HIPS solenoid valve.
Adjustable components, such as flow regulators and quick exhaust valves, shall have a locking
feature which disables the possibility to alter the setting of the adjustable component.
The fluid return path (depressurisation path) shall remain free from potentially blocking
components such as manual valves, check valves, etc. The use of locking devices will not be
accepted to install any component inside the return path. The fluid outlet protection against
ingress, as defined in section 11.2.2, shall be carefully designed.

11.2.6 Solenoid valve testing


A safe and dedicated provision must be provided to allow for periodic testing of the solenoid
valve(s), while the HIPS valve itself remains fully open. This test must be performed by the
operator from the local valve control panel nearby the HIPS valve itself.
The purpose of this solenoid valve test shall be to verify that the outlet of the solenoid valve
depressurises upon de-energising of the logic solver’s output.
As per Appendix 1 of GS EP INS 137, this solenoid valve test shall be implemented by using a
dedicated manual operated pneumatic valve in series with the solenoid valve which, when operated:
• Creates pneumatic bypass around the solenoid valve under test
• Creates an electronic signal to the logic solver, using a pressure switch connected to the
outlet of the manual operated valve
• The logic solver will de-energise the output to the solenoid valve under test upon the
signal of the pressure switch (signal from switch to LOW, i.e. open contact)
• The operator shall monitor the pressure gauge at the outlet of the solenoid valve under
test to verify that the solenoid has closed and depressurises its outlet line.
The manual operated pneumatic valve shall be:
• A turning key-locked valve: this shall be one unique key for each valve control panel
• Non-latching and spring-opposed: the operator performing the solenoid test must keep the
key turned in the test position (against the spring force) during the entire test duration; the
test shall be immediately and automatically abandoned if the operator lets the key go (i.e.
pneumatic bypass ended and logic solver output back to normal state).
The use of latching switches/push buttons and/or non-key operated valves is not permitted.
In case of multiple solenoid valves inside one VCP, e.g. one HIPS and one ESD or PSS
solenoid valve, then all solenoid valves shall be equipped with an individual solenoid valve test
provision. A single manual valve creating a collective bypass is not permitted: any solenoid
valve not under test shall remain fully functional to ensure that the HIPS valve
will be de-energised upon command while another solenoid valve is under test.
One unique ‘SOV test key’ shall be implemented per valve control panel, being a different key
for each valve control panel in order:
• To avoid that the solenoid valves of the wrong HIPS valves are being tested
• To avoid that more than one solenoid is tested at a time.
Each solenoid valve shall have a dedicated pressure gauge at its outlet to enable the required
verification of output depressurisation.
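The test provision described in this section, modelled as an added example (it is not part of this specification and not any Manufacturer's logic). It assumes that the solenoid valves of one VCP are piped in series in the actuator air supply; all class and function names are hypothetical. It compares individual bypasses with the non-permitted collective bypass when an ESD demand arrives during a HIPS solenoid valve test.

```python
"""Constructed model of the per-solenoid test provision (section 11.2.6).

Assumption (not stated in the specification): the solenoid valves (SOVs) of
one valve control panel sit in series in the air supply to the actuator, so
the fail-safe valve closes as soon as one non-bypassed SOV is de-energised.
"""
from dataclasses import dataclass


@dataclass
class Solenoid:
    name: str                      # owning system: "HIPS", "ESD" or "PSS"
    demand: bool = False           # trip demand from the owning system
    bypassed: bool = False         # pneumatic bypass from a manual test valve
    test_signal_low: bool = False  # pressure switch on the test valve outlet

    @property
    def energised(self) -> bool:
        # The logic solver de-energises the output on a trip demand, or when
        # the pressure switch of the test valve goes LOW (open contact).
        return not (self.demand or self.test_signal_low)


class ValveControlPanel:
    def __init__(self, names, collective_bypass=False):
        self.sovs = {n: Solenoid(n) for n in names}
        self.collective_bypass = collective_bypass  # the non-permitted design
        self.key_at = None                          # one SOV test key per panel

    def hold_key(self, name):
        # A single key per panel means only one SOV can be under test.
        if self.key_at is not None:
            raise RuntimeError("SOV test key already in use at " + self.key_at)
        self.key_at = name
        self.sovs[name].test_signal_low = True
        for sov in self.sovs.values():
            sov.bypassed = self.collective_bypass or sov.name == name

    def release_key(self):
        # Non-latching, spring-opposed: letting the key go ends the bypass
        # and returns the logic solver output to its normal state.
        for sov in self.sovs.values():
            sov.bypassed = False
            sov.test_signal_low = False
        self.key_at = None

    def outlet_pressurised(self, name) -> bool:
        # What the dedicated pressure gauge at the SOV outlet shows.
        return self.sovs[name].energised

    def valve_open(self) -> bool:
        # Air reaches the actuator only if every SOV passes it or is bypassed.
        return all(s.bypassed or s.energised for s in self.sovs.values())


def sov_test(vcp, name):
    """Run one SOV test; return (gauge depressurised, valve stayed open,
    gauge restored after release, valve open after release)."""
    vcp.hold_key(name)
    during = (not vcp.outlet_pressurised(name), vcp.valve_open())
    vcp.release_key()
    after = (vcp.outlet_pressurised(name), vcp.valve_open())
    return during + after


def closes_on_demand_during_test(collective_bypass,
                                 tested="HIPS", demanding="ESD"):
    """True if the valve closes when another system trips during the test."""
    vcp = ValveControlPanel(["HIPS", "ESD"], collective_bypass)
    vcp.hold_key(tested)
    vcp.sovs[demanding].demand = True
    return not vcp.valve_open()


if __name__ == "__main__":
    print("SOV test result:", sov_test(ValveControlPanel(["HIPS", "ESD"]), "HIPS"))
    print("individual bypass, valve closes:", closes_on_demand_during_test(False))
    print("collective bypass, valve closes:", closes_on_demand_during_test(True))
```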

11.2.7 Partial stroke testing


HIPS valves shall be equipped with a partial stroke test function, refer to GS EP INS 137 for
partial stroke test implementation.
The partial stroke system can be either ‘smart’ or ‘manual’ type. In case the valve position (i.e. limit
switches) is part of the safety logic or interlock logic, then smart systems cannot be used
because a temporary override of the position detection must be created in the same fashion as
the solenoid valve test provision in section 11.2.6. In case of a manual system, being
implemented in the local valve control panel, then the partial stroke design shall avoid
activating the quick exhaust valve(s), if any.
The use of a smart valve testing system (SVTS) will require the following subjects to be taken
care of:
1. It will require a HART pass-through filter on the output signal to HIPS valve concerned.
This filter shall be located in the marshalling section inside the HIPS logic solver cabinet,
and therefore be in the scope of work of the HIPS Integrator. This HART pass-through
filter shall be a passive solid state device not jeopardising the fail-safe configuration of the
HIPS function (SIF). Filters grouping multiple logic solver outputs shall not be used.
2. A software tool (application software with user license) installed on either a dedicated
workstation (not preferred), or integrated in the facility’s IMS (preferred). Consequently, a
communication link between the HIPS logic solver cabinet and a workstation or the IMS is
required, which shall be a simplex serial bus link, and being a non-IT based
network/protocol. The software tool (and dedicated workstation if any) will be in the scope
of supply of the actuator Manufacturer, while the integration, testing and commissioning is
in the scope of work of the HIPS Integrator.
3. A loose air reservoir is required for SVTS having a continuous air consumption, which
shall ensure HIPS valve autonomy of 20 minutes in case of an air supply failure. This air
reservoir shall be located directly adjacent to the VCP, without any manual isolation
valves between the reservoir and VCP. The reservoir and all accessories shall be fully
made of AISI 316, being pressure tested and stamped according to ASME pressure vessel
code, having a design pressure higher than the facility’s maximum air supply pressure. It
shall also be equipped with its own pressure gauge to provide indication of pressurisation
and safe depressurisation through dedicated bleed/drain valve at the bottom of the
reservoir. The reservoir shall be connected downstream of the VCP’s inlet check valves.
This reservoir will be in the scope of supply of the actuator Manufacturer.
4. The smart valve test system shall be fully tested during actuator FAT, valve FAT, SAT and
commissioning. This will require a laptop, HART filter and software tool during the factory
tests in the actuator and valve factories, and which shall be in the scope of supply of the
actuator Manufacturer.

11.3 Valve and actuator installation and handling requirements


Separate lifting lugs shall be provided for any valve body and actuator assembly heavier than
50 kg. The lifting lugs on the valve shall be designed for the complete weight of valve + actuator
assembly, while the lifting lugs on the actuator assembly shall be designated for actuator lifting
only (for maintenance or replacement).
Lifting lugs shall be permanently installed at valve and actuator, but they may not be of the welded
type. Lifting lugs on actuators shall have clear warning labels stating ‘actuator lifting only’, being
made of AISI 316.
Lifting lugs shall be positioned in such a way that the valve body or actuator assembly is in
proper position for installation while being lifted.
However, two different lifting lug sets might be required:
• One set of lifting lugs for valve and actuator handling position in factory and on-site
• One set of lifting lugs for valve and/or actuator handling particular to final installation
position of the valve and/or actuator (in case the final installation position is different from
normal handling position).
It is not permitted to detach the actuator from the valve after the valve FAT. Hence, the valve
and actuator shall be shipped and installed as a single assembly. Dedicated lifting plans, and
demonstration that the valve can be adequately lifted and handled in regular and final installation
position will be in the scope of supply of the valve Manufacturer.

11.4 Valve and actuator painting


All valve parts and accessories, which are not corrosion resistant by choice of material, shall be
prepared and painted in accordance with GS EP COR 350 and/or the complementary project
painting specification for offshore and coastal facilities, or in accordance with GS EP COR 354
and/or the complementary project painting specification for onshore facilities.
Final painting colour of painted equipment shall be identical to the painting colour of the
associated piping. However, painted parts of HIPS actuator shall be RED as the final painting
colour. In addition, clear "HIPS" markings shall be put on HIPS actuators. This text shall be in
horizontal position, at two opposite sides; min. 10 cm height, white coloured and be painted
(stickers are not allowed). In case the actuator is provided with a fire-proofing enclosure, then
the HIPS markings shall also be provided on the fire-proofing enclosure.
Considering that the actuator FAT is based on the integrity of the installed control components
and tubing, the final painting of the actuator shall be applied before the control components and
tubing are installed, though after successful pressure/leakage testing of the actuator.
Fire-proofing AISI 316 enclosures shall be painted or not as per project painting requirements.

11.5 Electrical switchgear for HIPS functions


As stated in the beginning of section 11, the SIF for electrical equipment is up to and including
the electrical switchgear in the MCC; it does not include the electrical powered process
equipment.
The MCC switchgear usually consists of dedicated drawers housing the control relays and
circuit breakers controlling the feeder to the electrical equipment.
The electrical components being part of switchgear with HIPS function shall be carefully
selected considering their characteristics and for best possible reliability; their reliability data
shall be validated by a Company recognised party.
Furthermore, only particular components of an electrical assembly might be available as SIL
rated; a complete SIL-rated switchgear assembly and/or variable speed drive might not be
possible. Also, periodic loop testing without stopping the electrical process equipment is
considered not possible. This, and the fact that electrical switchgear is often not fail-safe by
design, must be taken into account in the HIPS dossier.
In case of HIPS activation, the following actions shall be automatically executed:
• An ‘open’ command to the main breaker of the electrical equipment concerned
• An ‘emergency stop’ command to unit control panels or variable speed drives of the
electrical equipment concerned.
The fact that fail-safe and/or SIL certified electrical assemblies are difficult to achieve does not
relieve the Contractor and electrical equipment Manufacturers from designing and selecting as far as
possible a fail-safe design using SIL certified components.
The output signals from the logic solver to the MCC switchgear, unit control panels and/or
variable speed drives will be fail-safe, i.e. de-energized means HIPS activation. All such links
will be hardwired.

12. Testing requirements


12.1 Testing methodology
The testing activities shall be performed in the following sequence of project phases:
• Design Validation Test (DVT)
• Factory Acceptance Tests (FAT) of each HIPS component
• Integrated Factory Acceptance Test (IFAT)
• Yard & On-Site Acceptance Tests (SAT)
• Operational Test Procedure (OTP)
• HIPS Performance Tests.
The HIPS integrator shall demonstrate that the HIPS supply and configuration meets the project
and HIPS Dossier requirements at each of the above testing stages.

12.2 Test procedures


A dedicated test procedure shall be prepared for each phase of each HIPS component, i.e.:
• Sensors, including isolation valves, heating and protective enclosures
• Logic solvers
• Valve control panels, including smart valve testing systems
• Valve actuator
• HIPS valves
• Electrical switchgear.
They shall be prepared by the component Manufacturer, under the responsibility of the HIPS
Integrator. Test procedures shall clearly indicate the test criteria (values) which are to be met,
and against which standard and/or Company’s referential.
All test procedures will be subject to Company review and approval prior to any testing.

12.3 Test preparation


The HIPS Integrator shall give Contractor and Company a notification of readiness of any test
one calendar month prior to the test.
Before commencement of witnessed tests, the HIPS Integrator shall provide evidence that the
internal Manufacturer tests have been carried out successfully.
The HIPS Integrator shall prepare a comprehensive Inspection & Test Plan (ITP), including:
• Full set of test procedures for Company review and approval
• Testing schedule, including Manufacturer’s internal tests
• Resources and equipment list
• Predefined test report and correction (punch) list for each test
• HIPS test log (refer to section 12.5)
The FAT and IFAT programs shall be organized as per project requirements; however no HIPS
component shall be shipped to yard before Company approved IFAT completion.

12.4 Test witnessing


None of the listed tests in this section may be conducted without the presence of a Company
instrument discipline engineer. In addition, all HIPS valve related tests must also be witnessed
by a Company valve discipline engineer.
The Contractor shall equally send for each test a project engineer assigned to the particular
HIPS. Local/overseas agencies representing the Contractor, or Contractor personnel not
assigned to the particular HIPS, will not be accepted.
Furthermore, all tests must be witnessed by the HIPS Integrator, and by the nominated
certifying party as per section 13.
All individual tests shall have a witness presence list, signed off by all participants, as part of the
individual test report. Any test not being witnessed as defined here-above will be rejected.

12.5 Test recording and corrections follow-up


The HIPS Integrator shall establish and maintain a HIPS test log, which shall include all test
documents of:
• Any Manufacturer test procedure
• Any Manufacturer test results/report
• Correction (punch) lists
• IFAT, SAT, OTP, Performance Test procedures
• IFAT, SAT, OTP, Performance Test results/reports.
It will be the responsibility of the HIPS Integrator to create a single HIPS test log and to ensure
that documents are revised and followed-up as required. The HIPS Integrator shall provide a
regular test log status report to Contractor and Company, and to the satisfaction of the certifying
party.
Each test shall have a dedicated test report and associated correction (punch) list, according to
pre-defined format, listing all participants and be signed off by all participants.
All errors/discrepancies detected during the test shall be corrected during the test if possible.
Even when corrected and closed, they shall still be noted in the test report / punch list. In case
of a major finding, the testing may be stopped until the correction has been implemented.
In any case, any outstanding correction (punch) item shall be closed before the next phase,
subject to Company approval and acceptance signature for each item. Impacted design
documents shall equally be updated before the next phase.

12.6 Design Validation Test (DVT)


Design validation testing applies to the logic solver(s) and smart valve testing systems only.
It is a validation test of the interface principles and technologies between the logic solver
cabinet and other systems (ICSS, IMS, etc.) including smart valve testing systems, prior to the
final design and construction of the logic solver. The purpose is not to define which data is transferred
between the systems, but to define and test how it is transferred (hardware and protocol).
It will require that the suppliers/manufacturers of all involved systems (i.e. HIPS, ICSS, IMS,
SVTS, etc.) come together with real hardware and software. It will be in the scope of work of
the logic solver Manufacturer, typically conducted at his premises.
The DVT must be performed at a very early stage of the logic solver design, before
freezing the logic solver design. Performing this test around FAT will be rejected.
The DVT might not be required in case of only hard-wired communication links, though the
SVTS interface/communication test with the IMS (if applicable) will still be required.

12.7 Factory Acceptance Tests (FAT)


Separate factory acceptance tests (FAT) shall be conducted for all HIPS components in the
premises of the component Manufacturer, prior to the IFAT.
All test and measurement equipment shall have valid calibration certificates and labels from a
certified laboratory. Any FAT will be cancelled otherwise.
It goes without saying that any design document applicable to the particular FAT shall be duly
verified for any detail during FAT, and be marked-up for any error or missing information found.
Therefore, a complete set of any applicable design documents stamped ‘FAT MASTER COPY’
shall be ready at the start of the FAT, and a general remark on the punch list will be made when
a document is subject to comments.

12.7.1 HIPS sensors


For clarity, ‘HIPS sensor’ will mean the entire assembly of the interlocking valve assembly or
flow element, sensors/transmitters, protective cover, and any other accessory attached to this
assembly. It will also include the standpipe, if any.

12.7.1.1 General requirements for sensor FAT


The FAT workshops shall have all equipment, resources and provisions:
• To safely perform hydrostatic pressure and gas leakage tests
• To safely apply a hydrostatic pressure to the interlocking valves/manifold, in smooth steps
to verify the sensor output ranges and to simulate HIPS threshold pressures
• To safely apply a liquid level or liquid interface level, in the actual standpipe or in a test
standpipe, in smooth steps to verify the sensor output ranges and to simulate HIPS
threshold levels
• To safely apply 24 Vdc power supply and distribution to sensors and switches
• To safely apply 230 Vac power supply to heating elements
• To test/detect the actuation of position sensors (NAMUR type or as per input card)
• To read-out 4~20 mA output signals and access SMART sensor configuration (verification
of dampening cancellation, etc.), i.e. handheld HART terminals
• To detect digital (on-off) signals, voltage levels, etc., i.e. multi-meters
• To measure skin temperature.
For SMART sensors, it shall be duly verified, using a handheld HART terminal, that:
• Dampening is DISABLED
• The sensor failure output signal is set to HIGH or LOW as per HIPS function.
This will require hardware writing to be ENABLED during the FAT; it shall be set back to
DISABLED at the end of the FAT.

Position sensors detecting sensor process isolation shall be tested to demonstrate that a digital
input card of the logic solver would trip (signal to LOW), detecting a status change if the
isolation valve is less than 90% open or less than 1 turn from fully open for needle valves.
Heating blocks at interlocking valves/manifolds shall be powered up to verify the heating
capacity of the heating element to the required manifold temperature. The output signal of the
associated temperature sensor will be verified against a portable skin temperature sensor, and
the sensor’s output signal in mA value shall be verified and recorded at the defined low
temperature alarm threshold value (which is required later to set and test the logic solver
analogue input cards).
In case winterization requirements apply, then the performance of the air heating element inside
the protective enclosure as well as the insulation performance of the protective enclosure must
be demonstrated. For this, a witnessed heating and insulation performance test shall be
performed in a cold storage room at lowest specified temperatures and using fans to simulate
wind chill. A single test to demonstrate the heating and insulation performance will be sufficient.
Besides the specific functional tests below, a number of other default visual inspections such as
tag plates, junction box internals, hook-up, etc. shall be performed as per test procedures.

12.7.1.2 Pressure sensors


The FAT of the pressure sensors is typically conducted in the premises of the interlocking
valves / manifold Manufacturer.
The HIPS pressure sensors shall be pre-calibrated by the pressure sensor Manufacturer, with
dedicated calibration reports available during FAT. A witnessed calibration of the pressure
sensors is not required, unless defined otherwise by Company at testing preparation phase.
A smoothly ramped-up hydrostatic pressure shall be applied to the process connection of the
interlocking valve/manifold over the full measuring range of the pressure sensors. The output
signals of the pressure sensors shall be recorded in mA at every 10% pressure increase from 0 to
100%, and the exact mA output value vs. pressure shall be listed separately at the HIPS trip
threshold values (which are required later to set and test the logic solver analogue input cards).
This test shall also be used to demonstrate that the 3 pressure sensors have identical values
within the allowable tolerance (i.e. ± 1%).

12.7.1.3 Flow sensors


The witnessed FAT of flow sensors is twofold:
1. A dedicated witnessed flow meter calibration under real process conditions in a
calibrated flow street of a Company recognized third party.
2. A functional test of the flow element with the interlocking isolation valves/manifold and
pressure sensor installed, at the sensor Manufacturer’s premises.
During calibration, an accurate graph of flow vs. sensor output signals in mA value shall be
recorded over the full measuring range, and at the defined flow trip threshold value (which is
required later to set and test the logic solver analogue input cards). Furthermore, the calibration
will be used to demonstrate that the 3 flow sensors have identical values within the allowable
tolerance (i.e. ± 1%).
Note that, for dP based flow sensors, the transmitter output shall be the square
root extraction of the measured differential pressure, as the logic solver input cards are not
capable of performing this function. Hence, this is to be verified and confirmed during FAT.

The functional test at the sensor Manufacturer’s premises will comprise all other tests related to
interlocking valves/manifolds, heating, sensor configuration, etc.

12.7.1.4 Level sensors


The FAT of the level sensors is typically conducted in the premises of the interlocking valves /
manifold Manufacturer.
The HIPS level sensors shall be pre-calibrated by the level sensor Manufacturer, with dedicated
calibration reports available during FAT. A witnessed calibration of the level sensors is not
required, unless defined otherwise by Company during testing preparation phase.
A collective standpipe (actual or test standpipe) with see-through level glass will be required to
apply an identical liquid level or liquid interface level to the 3 level sensors simultaneously,
required to demonstrate that the 3 level sensors have identical values within the allowable
tolerance (i.e. ± 1%), and to record the sensor output signals vs. liquid level.
In case of dP type and nucleonic type level sensors, testing liquid(s) with identical density as in
normal operating conditions must be provided.

12.7.2 HIPS logic solver


The HIPS logic solver FAT shall not commence before the FATs of the sensors and final
elements have been successfully terminated and accepted by Company, because a number of
logic solver configurations and entries will be defined during those FATs.

12.7.2.1 General requirements for logic solver FAT


The FAT workshops shall have all equipment, resources and provisions:
• To safely apply multiple power supplies to the HIPS cabinet
• To safely apply other power supplies to testing and simulation equipment
• To simulate hard-wired inputs and outputs, i.e. hard-wired simulation panels with switches
and variable analogue 4~20 mA signals
• To simulate process or field equipment status/interlocks, i.e. a simulation computer
• To create a serial link with the ICSS, and IMS in case of a smart valve testing system
• To calibrate analogue input cards, trip threshold values and to test voting blocs, i.e. at
least 3 calibrated 4~20 mA loop testers
• To detect digital (on-off) signals, voltage levels, etc., i.e. multiple multi-meters.
Furthermore, the ICSS Vendor shall provide all ICSS testing equipment to enable full interface
testing of any serial link between HIPS logic solver and the ICSS (and IMS if applicable), using
identical ICSS/IMS hardware as being used in reality (simulated links by PC/laptops are not
permitted).

12.7.2.2 Simulation requirements


All hardwired inputs and outputs shall be tested through a hardwired simulation panel providing:
• Status indication of digital outputs

• Status and actuation of digital inputs
• Actuation of analogue 4~20 mA inputs.
The functional testing of the safety logic will require a simulation computer which can simulate
realistic process/equipment responses for the particular HIPS application (purpose made
programming), connected to the hardwired simulation panel. The simulation program will allow
any field part of the HIPS to be tested, including solenoid valve tests inside valve control panels.
The logic solver Manufacturer and HIPS Integrator shall be jointly responsible for defining and
configuring the simulation program for the particular HIPS application, which shall be duly
tested and functioning before the FAT commences.

12.7.2.3 Mechanical inspection


A mechanical inspection shall be carried out at the start of the FAT to verify and validate:
• Quality of construction (cabinet, panels, wiring, painting, ducting, etc)
• Heating (if any), ventilation, lighting
• Power distribution system and hook-up
• Earthing bars and hook-up
• Tagging and labeling of all individual components
• Conformity to documents.
The following tests shall be performed:
• Power failure alarm (grouped alarm contacts of individual circuit breakers, 24VDC power
convertors, heat tracing power feeders, etc.)
• Cabinet ventilation alarm and cabinet heating/temperature alarm, thermostat setting
• Adequate isolation of IPE and ISE earthing bars, by disconnecting the floating bars and by
measuring infinite resistance between bars and cabinet chassis
• Resistance values between interconnected earth bars
• Earth leak fault test by tripping the earth leak detector (when applicable).

12.7.2.4 I/O validation test


Prior to any functional testing, all inputs, outputs and any other communication link shall be
tested from I/O card (or communication card) up to the marshalling terminals to demonstrate that
the wiring, polarity, fail-safe design, loop monitoring, etc. are properly implemented and built.
This will include any signal to/from the integral mimic panel.
At the same time, an accurate verification of loop diagrams, system drawings, tag numbers on
drawings and equipment, etc. shall be performed, and marked-up for correction as required.

12.7.2.5 Calibration of analogue input cards and trip threshold values


Testing/calibration of analogue input cards, as well as testing the setting of trip threshold values,
shall be performed using calibrated 4~20 mA loop testers.

The HIPS trip threshold values shall be entered as a function of the corresponding sensor
output value as defined by the FAT reports of the sensors, while the full sensor measuring
range shall be validated against the measuring range of the input card. Therefore, the sensors’
FAT reports must be an integral part of the logic solver FAT procedure.
Before functional testing of the safety logic using the hardwired simulation panel, the voting
blocs shall be functionally tested using 3 calibrated 4~20 mA loop testers.
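
An added worked example, not part of this specification: it evaluates a pressure-sensor ramp record as described in 12.7.1.2 and checks the threshold values entered in the logic solver against the sensor FAT report as required in 12.7.2.5. The tags, readings, the 85% trip point and the mA tolerances are constructed, and ± 1% is assumed to mean percent of span relative to the median of the three sensors.

```python
"""Evaluate a sensor FAT ramp record and the logic solver threshold entries
derived from it. All tags, readings and tolerances are constructed."""
from statistics import median

LRV_MA, URV_MA = 4.0, 20.0        # 4~20 mA loop
SPAN_MA = URV_MA - LRV_MA
STEPS = list(range(0, 101, 10))   # one reading at every 10 % from 0 to 100 %


def agreement_findings(record, tol_pct=1.0):
    """Return [(step_pct, tag, deviation_pct_of_span)] for each reading that
    differs from the median of the sensors by more than tol_pct.
    Assumption: the +/- 1 % tolerance is read as percent of the 16 mA span."""
    for tag, readings in record.items():
        if len(readings) != len(STEPS):
            raise ValueError(f"{tag}: need {len(STEPS)} readings, got {len(readings)}")
    findings = []
    for i, step in enumerate(STEPS):
        mid = median(r[i] for r in record.values())
        for tag, readings in record.items():
            dev = (readings[i] - mid) / SPAN_MA * 100.0
            if abs(dev) > tol_pct:
                findings.append((step, tag, round(dev, 2)))
    return findings


def ma_at(readings, pct):
    """Linear interpolation of the recorded ramp at pct of measuring range."""
    if not 0 <= pct <= 100:
        raise ValueError("pct outside measuring range")
    i = min(int(pct // 10), len(STEPS) - 2)
    frac = (pct - STEPS[i]) / 10.0
    return readings[i] + frac * (readings[i + 1] - readings[i])


def threshold_findings(record, trip_pct, fat_trip_ma, configured_ma,
                       curve_tol_ma=0.05, entry_tol_ma=0.01):
    """Per sensor, compare (a) the mA value listed in the FAT report at the
    trip point with the ramp record and (b) the value entered in the logic
    solver with the FAT-listed value. Both tolerances are assumptions.
    Returns [(tag, code, shift_pct_of_range_or_None)]."""
    findings = []
    for tag, readings in record.items():
        listed = fat_trip_ma[tag]
        if abs(listed - ma_at(readings, trip_pct)) > curve_tol_ma:
            findings.append((tag, "FAT_VALUE_INCONSISTENT_WITH_RAMP", None))
        delta = configured_ma[tag] - listed
        if abs(delta) > entry_tol_ma:
            # Positive shift: this channel trips at a higher process value
            # than the one applied during the sensor FAT.
            shift = round(delta / SPAN_MA * 100.0, 2)
            findings.append((tag, "ENTRY_DIFFERS_FROM_FAT", shift))
    return findings


# Constructed ramp record: mA at 0, 10, ..., 100 % of range (hypothetical tags).
RECORD = {
    "PT-A": [4.00, 5.61, 7.21, 8.80, 10.41, 12.01, 13.60, 15.21, 16.81, 18.40, 20.00],
    "PT-B": [4.02, 5.62, 7.22, 8.83, 10.43, 12.03, 13.63, 15.23, 16.83, 18.43, 20.02],
    "PT-C": [3.98, 5.57, 7.17, 8.76, 10.36, 11.95, 13.40, 15.14, 16.74, 18.33, 19.93],
}
TRIP_PCT = 85                                                  # constructed trip point
FAT_TRIP_MA = {"PT-A": 17.61, "PT-B": 17.63, "PT-C": 17.53}    # listed in sensor FAT report
# PT-C was entered with the ideal value 4 + 16 * 0.85 instead of the FAT value.
CONFIGURED_MA = {"PT-A": 17.61, "PT-B": 17.63, "PT-C": 17.60}

if __name__ == "__main__":
    for finding in agreement_findings(RECORD):
        print("agreement:", finding)
    for finding in threshold_findings(RECORD, TRIP_PCT, FAT_TRIP_MA, CONFIGURED_MA):
        print("threshold:", finding)
```

Entering the ideal 17.60 mA for PT-C instead of its FAT-recorded 17.53 mA moves that channel's trip point up by about 0.44% of range, which is why the sensor FAT reports have to be at hand during the logic solver FAT.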

12.7.2.6 Functional testing of safety logic and test functions


The safety logic shall be 100% functionally tested, including possible interlock functions, using the
hardwired simulation panel and simulation computer.
All status information and functionality of the mimic panel shall be fully tested.
All events and commands from HIPS sensors and final elements shall be 100% tested, such as
sensor isolation, sensor fault, voting blocs, solenoid valve test, partial stroke test, etc.

12.7.2.7 Testing of interfaces with other systems


All interfaces, other than the hard-wired links already tested in the section above, shall be duly
tested for the physical link itself, all individual data exchanged as per data table (label, value,
type, range, etc), communication link cycle time, etc, for:
• The serial communication link between logic solver and the ICSS
• The serial communication link between SVTS HART filter/MUX and the IMS.
It will be in the scope of work of the ICSS vendor to provide all ICSS testing equipment and a test
engineer to enable these interface tests, using ICSS/IMS hardware identical to that used in reality
(simulated links by PC/laptops are not permitted). A real SVTS unit and SVTS software tool will
be required as well, either provided by the actuator Manufacturer or by HIPS Integrator.
The HIPS Integrator will be responsible for organizing the required ICSS and SVTS test
equipment and personnel.

12.7.2.8 Black-out and black-start tests


A dedicated black-out and black-start test shall be carried out to demonstrate that:
• Upon black-out: all logic solver outputs are immediately in the fail-safe state, as if it were a
HIPS activation
• Upon black-start: the system automatically restarts itself without the need for any operator
intervention, but the logic solver outputs remain in the fail-safe state, i.e. only at pushing
the reset button the safety logic may re-engage.
The black-out and black-start test shall be performed in an abrupt way; no special preparation
or precaution shall be made. For the black-out test, the HIPS valve shall be in the energized
position (energized logic solver output), then the main power supply circuit breaker shall be
tripped while the logic solver outputs are being monitored.
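
An added example, not part of this specification: it checks a recorded event sequence from a black-out and black-start test against the two criteria above. The event names, output tags, timings and the 100 ms figure used for "immediately" are constructed assumptions.

```python
"""Check a black-out / black-start event record against the acceptance
criteria. Event names, tags and timings are constructed for illustration."""


def first_time(events, source, event, after=float("-inf")):
    """Time of the first matching event at or after `after`, else None."""
    return next((t for t, s, e in events
                 if s == source and e == event and t >= after), None)


def evaluate(events, outputs, max_failsafe_ms=100):
    """events: [(t_ms, source, event)]. Returns a list of (code, tag) findings;
    an empty list means both criteria are met.
    max_failsafe_ms is an assumed figure for 'immediately'."""
    events = sorted(events)
    t_trip = first_time(events, "PWR", "BREAKER_TRIP")
    if t_trip is None:
        return [("NO_BLACKOUT_RECORDED", None)]
    t_restored = first_time(events, "PWR", "RESTORED", t_trip)
    t_run = (first_time(events, "CPU", "RUN", t_restored)
             if t_restored is not None else None)
    t_reset = (first_time(events, "RESET-PB", "PRESSED", t_run)
               if t_run is not None else None)
    findings = []

    # Black-out: every logic solver output goes to the fail-safe state.
    for tag in outputs:
        t_off = first_time(events, tag, "DEENERGIZED", t_trip)
        if t_off is None or t_off - t_trip > max_failsafe_ms:
            findings.append(("NOT_FAILSAFE_ON_BLACKOUT", tag))

    # Black-start: the system restarts by itself, without operator action.
    if t_restored is None or t_run is None:
        findings.append(("NO_AUTOMATIC_RESTART", None))
    elif any(s == "OPERATOR" and t_restored <= t < t_run for t, s, _ in events):
        findings.append(("OPERATOR_INTERVENTION_BEFORE_RUN", None))

    # Black-start: outputs stay fail-safe until the reset button is pushed.
    for t, s, e in events:
        if (s in outputs and e == "ENERGIZED" and t > t_trip
                and (t_reset is None or t < t_reset)):
            findings.append(("ENERGIZED_BEFORE_RESET", s))
    return findings


OUTPUTS = ["DO-01", "DO-02"]           # hypothetical output tags

PASS_LOG = [                           # constructed record of a compliant test
    (-5000, "DO-01", "ENERGIZED"), (-5000, "DO-02", "ENERGIZED"),
    (0, "PWR", "BREAKER_TRIP"),
    (12, "DO-01", "DEENERGIZED"), (14, "DO-02", "DEENERGIZED"),
    (60000, "PWR", "RESTORED"),
    (95000, "CPU", "RUN"),
    (180000, "RESET-PB", "PRESSED"),
    (180050, "DO-01", "ENERGIZED"), (180050, "DO-02", "ENERGIZED"),
]

FAIL_LOG = [                           # constructed record with two defects
    (-5000, "DO-01", "ENERGIZED"), (-5000, "DO-02", "ENERGIZED"),
    (0, "PWR", "BREAKER_TRIP"),
    (12, "DO-01", "DEENERGIZED"),
    (450, "DO-02", "DEENERGIZED"),     # too slow to count as immediate
    (60000, "PWR", "RESTORED"),
    (95000, "CPU", "RUN"),
    (95100, "DO-01", "ENERGIZED"),     # re-engaged without a reset
]

if __name__ == "__main__":
    print("pass log:", evaluate(PASS_LOG, OUTPUTS))
    print("fail log:", evaluate(FAIL_LOG, OUTPUTS))
```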

12.7.3 HIPS final elements


The FAT workshops shall have all equipment, resources and provisions:
• To safely perform hydrostatic pressure and gas leakage tests
• To safely perform torque tests
• To safely perform dielectric voltage withstand tests
• To safely apply instrument air at adequate pressure
• To safely apply 24 Vdc power supply and distribution to sensors and solenoid valves
• To test/detect the actuation of position sensors
• To read-out 4~20 mA output signals and access SMART sensor configuration (verification
of dampening cancellation, etc.), i.e. handheld HART terminals
• To test/configure SVTS units, i.e. a HART pass through filter and laptop with SVTS
software tool
• To detect digital (on-off) signals, voltage levels, etc., i.e. multi-meters.
A mechanical inspection shall be carried out at the start of each FAT to verify:
• Quality of construction (painting, supports, position beacon, SVTS mounting, etc)
• Hook-up of control components, tubing support, protection covers, etc.
• Tagging and labeling, identification of connection points in case of loose panels
• Earthing connections.

12.7.3.1 HIPS Actuators


The actuator FAT shall be conducted in the premises of the actuator Manufacturer, combined
with the FAT of the valve control panel, as per next section.
Actuator torque tests shall be performed in accordance with Appendix 11 of GS EP PVV 142,
while actuator inspection and functional test shall be performed as per GS EP INS 137, all being
translated into a dedicated actuator test procedure and associated test report.
It is strongly preferred to perform torque tests producing a graphic by measuring the torque over
the full stroking range in lieu of a few fixed positions.
Actuator pressure and leakage tests shall be performed by the actuator Manufacturer
beforehand, and do not need to be witnessed unless defined differently by Company during test
preparation phase. However, the in-house actuator pressure and leakage tests are considered
mandatory, and their certificates shall be available during FAT and be part of the final HIPS data
book.
As per section 11.4, the final painting of the actuator shall be applied before installation of the
control components and tubing, because the actuator FAT is based on the integrity of the
installed control components and tubing. Hence, the FAT shall be based on the final product,
without eventual fire proofing, not requiring any dismantling of control components/tubing
afterwards other than interconnecting tubing in case of loose valve control panels.
The limit switches shall be ‘functional’ tested; their exact positioning and testing can only be
finalized during the combined valve + actuator functional test.

The partial stroke functionality shall be duly tested, recording the actuator torque during the
partial stroke test. The actuator Manufacturer shall demonstrate that there is no loss of torque
during a partial stroke test, and that the partial stroke passes smoothly without overshoot.
Furthermore, it shall be monitored and recorded that the partial stroke test is not causing any
pressure fluctuations and abnormalities in the filter/regulator and other control components.
In case of smart valve testing systems (SVTS), a laptop with the software tool as used later at
the facility shall be used to monitor correct functioning of the SVTS unit. A test report by the
SVTS software tool shall be printed out as a proof of successful partial stroke testing, included
in the FAT report.
The actuator(s) and valve control panel(s) will only be allowed to be shipped to the premises of
the valve Manufacturer after successful FAT completion and closing out of outstanding
correction (punch) items, both approved by Company.

12.7.3.2 HIPS valve control panels


The FAT of the valve control panels shall be conducted in the premises of the actuator
Manufacturer, combined with the actuator FAT, as per previous section.
All actuated and manual control functions shall be tested and inspected, including pneumatic
and electronic devices such as reset buttons, pressure switches, key switches, etc. It shall also
be checked that the wiring diagrams reflect the correct terminals corresponding to normally open
or closed as required.
Pressure switches detecting a solenoid valve test shall be verified for switching when activated.
In case SMART sensors are installed, e.g. actuator pressure sensors, then it shall be duly
verified, using a handheld HART terminal, that:
• Dampening is DISABLED
• The sensor failure output signal is set to HIGH or LOW as per HIPS function.

12.7.3.3 HIPS valves


The HIPS valve FAT shall be conducted in the premises of the valve Manufacturer.
The HIPS valve FAT shall consist of two dedicated FATs:
• The FAT for the ball valve or axial flow valve, before painting
• The FAT for the complete valve + actuator + control panel assembly, after painting.
Both FATs shall take place at the valve Manufacturer’s premises, however at different dates to
allow for valve painting, complete assembly mounting and in-house pre-testing.
In any case, the complete assembly FAT shall not take place prior to Company’s approval of the
valve FAT results.
Valve FAT:
All pressure testing and functional testing of the valve shall be performed in accordance with
Appendix 7 of GS EP PVV 142, of which the pressure levels, leakage rates and test durations
defined therein will also apply to pressure testing of axial flow valves.
However, HIPS valves shall be seat leakage tested at design pressure and at all SIF pressure
levels (HIPS/ESD/PSS). A dedicated test report for each seat leakage test shall be issued.

HIPS valves shall be seat leakage tested in the on-site final position, and in both flow directions.
If so required, the valve Manufacturer shall provide a special test bench for vertical mounted
HIPS valves. Vertical mounted HIPS valves shall be seat leakage tested with their actuator
mounted to the valve.

Valve + actuator + valve control panel FAT:


The HIPS valve assembly FAT shall perform the following functional tests, based upon
GS EP INS 137 and adapted to this General Specification:
• Mechanical inspection (installation, hook-up, painting, supports, etc)
• Actuator and limit switch adjustments (to be recorded in test report)
• Complete functional tests as per test procedures
• Partial stroke test, with print-out of SVTS software tool when applicable
• Dry stroking performance test (closure and opening times, recorded by limit switches)
• Wet stroking functional test to open the valve at maximum shut-off differential pressure.
It is not permitted to detach the actuator from the valve after the assembly FAT; the valve and
actuator shall be shipped and installed as a single assembly.
Detaching the actuator from the valve after valve FAT will void the assembly FAT. A complete
new functional assembly FAT shall be performed in the yard or on-site by the Contractor if the
actuator has been detached, under supervision of the valve Manufacturer, Company
representatives and to the satisfaction of the HIPS certifying party. (Pre-) commissioning will not
be accepted as an alternative.

12.7.3.4 Electrical switchgear


The FAT of electrical equipment shall be conducted in the premises of the Manufacturer.
The FAT of electrical equipment shall be performed according to the dedicated FAT procedure jointly
developed by the electrical equipment Manufacturer and HIPS Integrator.
A purpose-built hardwired simulation panel, and simulation computer, shall be used to simulate
the hard-wired logic solver interfaces with the electrical equipment concerned, typically provided
by the logic solver Manufacturer.

12.8 Integrated Factory Acceptance Test (IFAT)


An IFAT shall be performed after successful completion of the individual component FATs.
The HIPS arrangement during IFAT will reflect the final HIPS configuration on-site, i.e. all HIPS
components being hooked-up and connected together, including all interfaces with other
systems, and the possibility to actuate pressure and level sensors.
The HIPS IFAT will be in the scope of supply of the HIPS Integrator, and shall be conducted
prior to shipment of HIPS components to yard or site. Typically, the IFAT is performed at the
premises of the HIPS valve Manufacturer or of the HIPS logic solver Manufacturer.
Therefore, a dedicated IFAT test location shall be identified as early as from the initial HIPS
tender stage in the proposals of the bidding HIPS Integrators, in order to ensure that all required
facilities and resources are identified and accounted for.

Performing the IFAT on-board in the yard or site is not permitted.


The IFAT shall demonstrate that all components have been adequately designed, tested,
calibrated and adjusted, creating a HIPS which meets the design criteria.
The IFAT plan and IFAT procedure shall include as a minimum:
• A complete HIPS functional test
• A dry HIPS performance test, by creating real process conditions at sensors, and using
the HIPS SOE recorder via the HIPS maintenance work station
• A partial stroke test
• Solenoid valve test
• Reset functions, interlocking functions
• SOE recording (via the HIPS maintenance work station)
• Mimic panel validation
• Redundancy tests and downgraded operation tests
• Etc.
Again, all these tests shall be performed with the HIPS valve and actuator installed in the
on-site final position.
The IFAT workshops shall have all equipment, resources and provisions as listed for the FAT of
individual components in the previous sections, requiring notably:
• Pressure benches to create a variable pressure to the pressure sensors simultaneously
• A (test) standpipe to create a variable level to level sensors simultaneously, and requiring
test liquid(s) with real density in case of dP, buoyancy or nucleonic level instruments.
The HIPS integrator shall prepare the IFAT procedures, assisted by the logic solver and valve
Manufacturers.

12.9 Yard & On-Site Acceptance Tests (SAT)


Two different site acceptance tests (SAT) shall be typically performed:
• Yard SAT
• On-site SAT.
The HIPS Integrator shall prepare the SAT procedures.

Yard SAT:
Once the HIPS components have arrived in the yard after IFAT, the HIPS Integrator shall assist
with unpacking, installing and hook-up of HIPS components. The HIPS Integrator shall provide
all resources required to permanently supervise these activities and to notify Contractor and
Company of any degrading conditions/works and of any damage to HIPS components.
The yard site acceptance tests (SAT) will consist of a series of tests to demonstrate that:
• The modularization (all HIPS combined) has been successfully done
• The integrity of HIPS components has not been affected in transport

• The components are installed in the correct way, segregated from other systems, etc.
• Field components are adequately protected against impact, flooding, etc.
• Interconnections between actuators and VCPs are adequate (length, protection, etc.)
• Power supply to cabinets and heat tracing is adequately installed (segregation, etc.)
• Heat tracing and thermal insulation are adequately applied, etc.
• Interfaces with other systems (e.g. ICSS, IMS) are fully functional
• Cabling of installed sensors and final elements is adequately installed and functional.
The SAT will therefore demonstrate that the HIPS components have been correctly installed,
powered up and are fully operational to allow (pre-) commissioning activities to start.

On-site SAT:
Once the facility has been installed on its final location, an on-site SAT will be required for the
HIPS components which could not be installed for yard SAT (e.g. HIPS valves on risers) and for
HIPS components which could not be finalized during yard SAT (e.g. valve control panels of
non-installed HIPS valves).
The on-site SAT shall be performed identically to the yard SAT.

12.10 Operational Test Procedure (OTP)


Once the on-site SAT and facility commissioning have been completed, the following mandatory
operational test shall be performed prior to facility start-up.
The objective and purpose of the OTP is to verify and test:
• That the HIPS has been installed, commissioned and tested in a safe manner
• The links with other systems (e.g. ICSS, IMS) in reality
• The safety logic, and eventual interlocking logic, in reality
• The energizing authorizing logic of final elements by the HIPS and ICSS
• The interaction between HIPS and ICSS, and subsea control system (if any)
• That the ICSS HMI in CCR is fully working
• That the ICSS adequately stores HIPS data in the ICSS’ SOE and PDS
• The HIPS trip functions (sensors)
• A dry HIPS performance test.
The HIPS performance test must be performed before facility start-up to provide a physical
proof that the HIPS is performing as per project and HIPS Dossier requirements. It shall
demonstrate the HIPS response time of the final installed system.
The test shall be performed by creating real process conditions at sensors, hence requiring
multiple dead weight testers for pressure sensors, and liquids inside vessels or standpipes for
level sensors. Again, the HIPS performance shall be recorded using the HIPS SOE recorder via
the HIPS maintenance work station.
The HIPS integrator shall prepare the OTP, assisted by Contractor and Company.

12.11 Wet HIPS performance tests


It is mandatory to perform a real (wet) HIPS performance test after facility start-up with real
process fluids flowing under normal operating conditions.
Again, the wet HIPS performance shall be recorded using the HIPS SOE recorder via the HIPS
maintenance work station.
Furthermore, it is also mandatory to perform one or more partial stroking tests after start-up to
obtain a proof of adequate functioning in reality and to familiarize/train operating personnel with
this function which will become an important periodic activity for them.

13. HIPS design validation


The complete HIPS design, manufacturing, installation and testing shall be validated to
demonstrate compliance with the required reliability and performance criteria as defined by the
HIPS Dossier, and to demonstrate compliance with the availability target of 99.99%. This
validation program will be in the scope of supply of the HIPS Integrator, performed by a
specialized independent Third Party approved by Company.
It will confirm that the HIPS has been designed, built, installed and tested in accordance with
rules and requirements described by IEC 61508/IEC 61511 and this General Specification.
Existing SIL certificates for individual parts shall also be fully analyzed for completeness,
reliability analysis model used, and consequent fitness for the particular HIPS. Any HIPS part
found unsuitable or found inadequately SIL certified, as per Third Party's or Company’s opinion,
shall be replaced by a suitable replacement. For that reason, all parties involved in the HIPS
supply shall issue their list with selected parts and associated SIL certificates to Third Party at
design stage.

The role and presence of the Third Party during the HIPS development phases is as follows:
Phase 1 - Design Engineering: Documentation Analysis
• Phase 1.1: Design document analysis
• Phase 1.2: Reliability and availability analysis
Phase 2 - Manufacturing (Sensors, Logic Solver, Final Elements): Inspection & Documentation Analysis
• Phase 2.1: Manufacturer documentation review
• Phase 2.2: Manufacturer reliability documentation review
• Phase 2.3: FAT + IFAT
Phase 3 - Installation & Testing (Sensors, Logic Solver, Final Elements): Inspection & Documentation Analysis
• Phase 3.1: Testing procedure documentation review
• Phase 3.2: Yard SAT
• Phase 3.3: On-site SAT & OTP

Figure 1 - HIPS validation process


The Third Party shall issue ‘Validation Comment Sheets’ against Manufacturer documentation
at each phase of the process. At the end of Phase 3, all Comment Sheets shall be closed.
The Third Party shall witness any of the individual component FATs at the Manufacturers’ premises,
the IFAT, the yard and on-site SATs, and finally the OTP with real HIPS function and
performance testing.
As part of the HIPS validation process, the Third Party shall perform and provide a fully detailed
reliability and availability study. This study shall also define the proof test intervals for all HIPS
components. The methodology for the reliability and availability study typically consists of the
following 5-step approach:
Step 1: Identification of the modes of operation of the system and identification of component
dangerous failure modes.
Step 2: Building of the mathematical reliability model (fault tree analysis or equivalent).
Step 3: Selection of the reliability data and collection of proof test characteristics.
Step 4: Calculation of the reliability using a specific (Company approved) software package.
Step 5: Analysis of the results of the calculations, and issue of conclusions and
recommendations based on these results.
Refer to Appendix 3 for more details.

The results of this study shall serve as a direct input to the facility’s operation and maintenance
philosophies, in which the HIPS periodic proof test and inspection requirements will be defined.
The Third Party shall issue a ‘Statement of Compliance’ once the final on-site OTP and all
associated documentation have been successfully completed.

14. Preservation, storage and installation requirements


From factory until final installation, the HIPS equipment must be adequately protected against
damage and environmental conditions impacting the integrity.
Consequently, the following preservation and storage requirements shall be applied:
• All HIPS equipment shall always be stored indoors, inside their shipping crate until
installation, unless the storage location is acclimatised or shipping damage is expected
• All electrical/pneumatic/hydraulic connections shall be blinded off with threaded plastic or
metallic plugs; the use of push-in plugs is not permitted. This rule also applies to all
connections for equipment inside the sensor enclosures and valve control panels
• Sensor enclosures and valve control panels shall have open penetrations blinded off by
plastic or metallic plugs until the moment the penetration is opened for hook-up
• A number of silica gel bags shall be put inside the sensor enclosures and valve control
panels ensuring a low-humidity environment.
The following particular measures shall be taken for the HIPS valves:
• The HIPS valves shall be blinded off with metallic plates and soft gaskets, to ensure
an IP65 rated protection of valve internals. These blind plates shall only be removed at the
moment of installation. A number of silica gel bags shall be put on each valve site
ensuring a low-humidity environment inside the valve. A warning text shall be written on
the blind plates to remove the silica gel bags before installation.
• Corrosion of flange faces shall be avoided by using a special removable preservation
coating, or other suitable method, as per valve Manufacturer recommendations.
The following particular measures shall be taken for the logic solver cabinet(s):
• Loose components (if any) shall be removed from the cabinet(s) and be packed
separately
• The cabinet(s) and loose packed electrical/electronic parts (e.g. maintenance laptop) shall
be packed using hermetically sealed foil with silica gel bags inside the foil
• The cabinets shall be equipped with shock/impact force detectors inside the cabinet; the
HIPS Integrator shall verify and archive the detector recordings during unpacking, and
notify Contractor and Company in case shock/impact limits have been exceeded.
All equipment shall be fully enclosed by a wooden crate or box, marked as per the project's or
affiliate's expediting and shipping procedure and clearly indicating which parts are inside.
It is not permitted to install any HIPS valve or sensor (including isolation valves/manifolds)
before the hydrostatic pressure testing and internal flushing/cleaning activities of the adjacent
piping have been finalized to Company satisfaction.
From the moment that a HIPS valve or sensor has been installed, it shall be duly protected
against surrounding construction works (e.g. impact, welding, grinding, sand blasting, painting)
and against wetting by cleaning or deluge testing. Therefore, high quality dust and water tight
protective covers shall be provided for HIPS field equipment, with possible scaffolding to provide
protection against impact. Contractor shall provide these protective measures to Company’s
satisfaction.
It is also not permitted to install the HIPS system cabinets in the designated technical room
before the room has been fully finalized; hence all construction works including flooring, cable
trays, lighting, painting and HVAC must have been finalized, subject to Company approval.


Bibliography

GS EP INS 102 Instrumentation identification
GS EP INS 146 Design of generation and distribution of hydraulic energy
ISO 10418 Analysis, Design, Installation and Testing of Basic Surface Safety Systems


Appendix 1 Typical logic solver power supply and earthing diagram

[Diagram not reproduced. Labels recoverable from the drawing:
• Feeders UPS-A and UPS-B, each through non-differential circuit breakers suitable for isolation (one for each consumer in case of multiple consumers per feeder)
• AC-DC or DC-DC power converters, 24 VDC (100% per feeder), followed by non-differential circuit breakers suitable for disconnection and decouple diodes
• DC power distribution rails (isolated support): 24 VDC rail and 0 VDC rail, with earth leak detector, feeding 24 VDC equipment (PLC, instruments, etc.)
• IPE Earth Bar (non-isolated support): cabinet frames/plates, cable armouring, VDU & PC earthing (for protection of personnel)
• ISE Earth Bar (isolated support): screens/shields of IS cables; voltage reference link for I.S. equipment (only if required)
• IE Earth Bar (isolated support): screens/shields of non-IS cables
• Voltage reference link in case zero volt has to be earthed, by default not connected]


Appendix 2 Example of a typical integral HIPS mimic panel


Appendix 3 Typical 5-step reliability methodology

[Flow chart not reproduced. Labels recoverable from the drawing, per step:
• STEP 1 (System Analysis): P&IDs, ESD logic diagrams, HIPS Dossier; system description; FMEA
• STEP 2 (Reliability Modelling): system reliability modelling; common cause failure analysis; GRIF software (fault tree analysis)
• STEP 3 (Reliability and Test Data Selection): OREDA, GS EP EXP 405, component SIL certificates; reliability data selection; common cause failure quantification (define β)
• STEP 4 (Quantitative Analysis): reliability calculations; GRIF software
• STEP 5 (Synthesis): results, conclusion and recommendations; sensitivity studies; proof test intervals]
