HIPS Report

SAER-6043

High Integrity Protection System (HIPS) Evaluation Team Report

December 2005

4/12/2006

Page 1 of 27

Executive Summary

The High Integrity Protection System (HIPS) Evaluation Team was established to conduct a comprehensive assessment of the usage of HIPS in Saudi Aramco pipelines. The mission of this team is to provide recommendations for the application of HIPS on Saudi Aramco pipelines. Typically, conventional piping design prefers mechanical protection against overpressure. The general Saudi Aramco philosophy for protecting piping systems is that the piping system shall be mechanically capable of withstanding design conditions within the applicable Code requirements. Practical, environmental, and economic considerations have led to the introduction of HIPS (high-integrity protective/safety instrumented systems), which could potentially be used in lieu of mechanical protection. HIPS are designed to operate independently from the basic process control systems and from other protection layers.

The committee concluded that mechanical protection is the primary protection for pipelines in Saudi Aramco and that HIPS should only be considered when mechanical protection is impractical, involves substantial economic impact or credit, or can have potential environmental impact. When HIPS is considered after careful consideration of conventional mechanical alternatives for system protection, the recommendations of this report and the requirements of existing standards governing the usage of HIPS must be followed.

One of the critical findings of this committee was that there are not yet clear procedures for commissioning, operation, maintenance, inspection and testing, and decommissioning. Also, there is a lack of effective administrative controls and management of change procedures for existing HIPS. Without such measures, the protection provided by the HIPS cannot be assured. Documentation for each HIPS system should be maintained and should be available for review by an independent committee from different organizations. The findings/records of maintenance, testing, inspection and earlier reviews need to be reported and tracked.

Various risk and economic analyses are required early in the development of a project to determine the viability of using HIPS. The procedures must be followed and the analyses must be verified to ensure that the HIPS design and installation provide the required level of protection. While Standard projects provide the time needed for planning HIPS starting with the DBSP phase, Maintain Potential projects do not have DBSP and Project Proposal phases. Maintain Potential projects require planning well ahead of field development and the use of modified procedures for development and authorization. Existing standards and procedures governing the use of HIPS, such as SAES-J-601, SAEP-354, etc., should be reviewed and updated in accordance with the conclusions and recommendations of this committee.


TABLE of CONTENTS

1.0 Scope ... 4
2.0 Objective ... 4
3.0 Background ... 4
3.1 Conventional design standards ... 4
3.2 HIPS Application ... 4
3.3 Level of Protection ... 5
4.0 Evaluation Team Activities ... 5
5.0 Findings ... 5
5.1 Issues Associated with Using HIPS ... 6
5.2 Cost/Benefit Analysis ... 6
5.3 Basic Design Requirements ... 6
5.4 Other Findings ... 6
6.0 HIPS Implementation Process ... 7
6.1 Overview ... 7
6.2 SIL Assignment Process ... 7
6.3 HIPS Design Process ... 8
6.4 HIPS Verification Process ... 8
6.5 Testing and Maintenance Process ... 9
6.6 Management of Change Process ... 10
6.7 Decommissioning Process ... 10
7.0 Conclusion and Recommendations ... 13
7.1 Conclusions ... 13
7.2 Recommendations ... 13

Appendix A, Description and Examples of HIPS ... 15
Appendix B, Excerpts from Saudi Aramco Standards Concerning HIPS ... 21
Appendix C, Excerpts from International Standards Concerning HIPS ... 22
Appendix D, Questions to Industry Concerning HIPS ... 23
Appendix E, Abbreviation & Definitions of Important Terms ... 25


1.0 Scope
The High Integrity Protection System (HIPS) Evaluation Team was established to conduct a comprehensive assessment of the usage of HIPS in Saudi Aramco pipelines. The mission of this team is to provide recommendations for the application of HIPS on Saudi Aramco pipelines.

2.0 Objective
The purpose of the HIPS Evaluation Team is to evaluate the application and implementation of HIPS on Saudi Aramco piping and to define the requirements for such application. These requirements include conditions and requirements for the design, maintenance, testing, and management of change over the lifetime of a HIPS. These requirements shall be reflected in existing and new Saudi Aramco engineering standards and procedures.

3.0 Background
3.1 Conventional design standards
Typically, conventional design prefers mechanical protection against overpressure. Saudi Aramco has designed and constructed piping systems in accordance with ASME Code requirements. Therefore, the general Saudi Aramco philosophy for protecting piping systems is that they shall be mechanically capable of withstanding design conditions within the applicable Code requirements. Industry standards from the American Society of Mechanical Engineers (ASME) and the American Petroleum Institute (API) provide criteria for the design and protection of pipelines from rupture or damage caused by excess pressure. In conventional design, pressure relief devices, such as safety valves, are used as the primary means of pressure protection.

3.2 HIPS Application
Practical, environmental, and economic considerations have led to the introduction of HIPS (high-integrity protective/safety instrumented systems), which could potentially be used in lieu of mechanical protection. HIPS are designed to operate independently from the basic process control systems and from other protection layers. In some industrial applications, the use of a pressure relief valve (PZV) could be impractical. Therefore, accepted alternative methods of preventing overpressure must be utilized to achieve measurable risk reduction. American Petroleum Institute API 521, "Guide for Pressure Relieving and Depressurizing Systems," provides an alternative to PZVs: the use of a SIS. Also, a US standard (ANSI/ISA S84.01-1996, Application of Safety Instrumented Systems for the Process Industry) and the European standard IEC 61511 (Lifecycle Safety for the Process Industry) have been established to define requirements for the design and validation of safety related instrumented systems. Since these safety instrumented systems must achieve a high level of safety availability, they are often referred to as high integrity protection systems (HIPS).

3.3 Level of Protection
A HIPS must provide at least the level of pipeline protection determined during the risk analysis and SIL determination. This protection is measured in terms of safety availability or Probability of Failure on Demand (PFD). PFD is the probability that the HIPS will not work when a demand, such as an overpressure, occurs.

4.0 Evaluation Team Activities
The HIPS Evaluation Team performed the following activities in its evaluation of the use of HIPS in Saudi Aramco pipelines.
• Review Saudi Aramco requirements as they exist today. SAES-L-100, SAES-J-601, and SAEP-354 were all reviewed. See the excerpts in Appendix B. In general, Saudi Aramco's position is that HIPS can be considered on a case-by-case basis and the vehicle for that consideration is the Waiver process.
• Review previous waivers and acceptance conditions. Then, review two existing HIPS applications within Saudi Aramco that were installed under those waiver conditions. One was offshore and one was an onshore application.
• Review the operations and maintenance (O&M) processes and testing associated with those existing HIPS.
• Review published industrial codes and technical papers concerning HIPS. API RP 524, ASME B31.4 and B31.8, as well as technical papers were reviewed. Some excerpts from the codes are provided in Appendix C.
• Communicate with other operating companies on their experience with using HIPS in their pipeline systems. See the questions posed in Appendix D.
• Identify findings and issue recommendations in this final report.

5.0 Findings
The findings resulting from the activities described in Section 4.0 are compiled and listed below by topic.

5.1 Issues Associated with Using HIPS
No clear procedures (other than the waiver process) have been established for commissioning, operation, maintenance, inspection and testing, and decommissioning. Also, there is a lack of effective administrative controls and management of change procedures for such safety critical systems. Without measures equivalent to what we use today for PZVs, the protection provided by the HIPS cannot be assured. Spurious trips (process shutdowns) are more likely in an instrumented system; although a rare occurrence, they are accounted for in cost/benefit analyses and risk assessments. Various risk and economic analyses are required early in the development of a project to determine the viability of using HIPS. The procedures must be followed and the analyses verified to ensure that the HIPS design and installation provide the required level of protection.

5.2 Cost/Benefit Analysis
The cost/benefit analysis that validates the use of HIPS must include life cycle costs, including costs associated with the risk of lost or deferred production, additional testing requirements, and the risk associated with the performance of the additional testing. Otherwise, a true and complete comparison of the alternatives for reducing risk cannot be properly performed.

5.3 Basic Design Requirements
• HIPS shall be designed to meet or exceed the PFD determined in the SIL analysis. The level of protection that closes the risk gap between the HIPS and the same system designed to conventional requirements defines the target level of protection, which in turn defines the required SIL.
• HIPS shall have a minimum fault tolerance as allowed by IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector.
• HIPS shall be protected against, or minimize the possibility of, bypassing, overriding, disabling, or inhibiting the HIPS shutdown function. A pipeline installation, for instance, shall use smart pressure transmitters, process connections car-sealed open, and a fenced installation.
• The HIPS design shall adhere to the requirements of SAES-J-601 and SAEP-354.
• Two-out-of-three voting of pressure transmitters and DCS communication of field data associated with the HIPS are two issues that should be considered in the development of the HIPS design.

5.4 Other Findings
• SAEP-354 provides a good set of procedures for developing and approving HIPS for use in Aramco facilities.
• Appendix A provides a comprehensive description and examples of HIPS.
• Appendix B provides excerpts from current Saudi Aramco Standards governing HIPS application.
• Appendix C provides excerpts from International Standards governing HIPS.
• Appendix D provides the questions the Team asked other professionals in the industry.

6.0 HIPS Implementation Process
See the two flowcharts at the end of this section.

6.1 Overview
This section establishes the conditions required to implement HIPS for pipelines designed, built, and operated by Saudi Aramco. These conditions are basically derived from the application of SAES-J-601 and some international standards such as ANSI/ISA 84.00.01 and IEC 61508/61511. The application of these standards requires a safety life cycle approach as the fundamental concept for the design, operation, maintenance and decommissioning of HIPS. The safety life cycle represents the application of good engineering practice to HIPS. Good engineering practice for HIPS will be accomplished based on four fundamental aspects:
i) Applying the SIL concept to HIPS will, among other things, allow an adequate selection and design of safety and mitigation systems to meet Saudi Aramco risk reduction objectives. In addition, this approach will also provide opportunities to reduce maintenance and testing costs, production deferment, and false trips. The SIL concept will also involve the application of Design by Layers of Protection.
ii) The second fundamental aspect of the safety life cycle process is that it includes design verification. The Probability of Failure on Demand (PFD) for the HIPS is calculated and evaluated together with other parameters. This aspect provides a control and verification process that ensures that designs are optimal for the need. HIPS over-design can be easily and clearly identified and consequently changed. On the other hand, HIPS designs not fully covering the risk reduction needed can be identified as well, and improved to meet the risk target.
iii) Third, the safety life cycle includes inspection, testing and maintenance planning, which addresses, among other things, testing intervals and testing schedules.
iv) Management of change (MOC) and decommissioning will be included as they are also a very important part of the safety life cycle.

6.2 SIL Assignment Process
The application of HIPS to any pipeline in Saudi Aramco will be justified based on a fully quantitative SIL study. The planning, criteria, and methodology to carry out this study will be provided in a technical document.

This document should address, among others, the following fundamental aspects for SIL determination and application:
• Application of the SIL concept has proven to be significantly useful in formulating a decision-making basis that may contribute to selecting risk control measures on a sound technical and structured basis. In this sense it is important to follow a sound and well planned process to apply the SIL concept. To achieve this, a series of aspects should be covered in the document. These aspects are basically: pre-planning, scoping of the study, implementation, personnel, documentation, updating of the SIL study, verification, etc.
• Establish risk tolerability criteria, so that the necessary risk reduction for each safety functional requirement can be quantitatively ascertained.
• Introduce the concept of "design by layers of protection," starting with inherently safer design and mechanical integrity and continuing with the consideration of the Basic Process Control System (BPCS). Include protective systems based on other technologies (mechanical, pneumatic, etc.) in the SIL estimation process and give credit for these systems.
• Establish the methodology and criteria to perform Cost-Benefit Analysis (CBA) based not only on design options and their life cycle costs, but also on the risk imposed by each option.
• Define the life cycle stages of facilities in which SIL assessment should be performed.
• Define roles and responsibilities, especially for CSD, Proponent Department, Project Management, LPD and P&CSD, for the application, maintenance and decommissioning of HIPS through the safety life cycle.
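As an added illustration of the risk-gap logic this section calls for (example code, not part of the report), the following Python script carries a constructed LOPA-style scenario through the steps above: the mitigated event frequency after the layers already credited, the risk reduction factor needed to reach a tolerable frequency, the resulting SIL target, and a life-cycle cost-benefit comparison of options that charges each option with its residual risk and, for an instrumented option, its spurious-trip production deferment. All frequencies, PFDs and costs are constructed sample values; the SIL bands are the IEC 61511 low-demand risk reduction factor ranges.

```python
"""Risk-gap SIL assignment and life-cycle cost-benefit comparison (LOPA style).

Added example: the figures below are constructed sample values, not data from
the report. SIL bands follow the IEC 61511 low-demand risk reduction factor
(RRF) ranges: SIL 1 = 10..100, SIL 2 = 100..1000, SIL 3 = 1000..10000.
"""
from dataclasses import dataclass
from math import prod


@dataclass
class Option:
    name: str
    pfd: float                            # PFD of the protection added (0.0 = hazard removed by design)
    capex: float                          # installed cost
    opex_per_year: float                  # testing, inspection and maintenance per year
    spurious_trips_per_year: float = 0.0  # instrumented options only
    loss_per_trip: float = 0.0            # deferred production per spurious trip


def mitigated_frequency(initiating_freq, existing_ipl_pfds):
    """Event frequency per year after the independent protection layers already credited."""
    return initiating_freq * prod(existing_ipl_pfds)


def required_rrf(mitigated_freq, tolerable_freq):
    """Risk reduction factor that closes the gap to the tolerable frequency (1.0 = no gap)."""
    return max(1.0, mitigated_freq / tolerable_freq)


def sil_target(rrf):
    """SIL band for the required RRF; 0 means no SIF is needed (RRF below 10)."""
    if rrf < 10:
        return 0
    if rrf < 100:
        return 1
    if rrf < 1000:
        return 2
    if rrf < 10000:
        return 3
    if rrf < 100000:
        return 4
    raise ValueError("RRF beyond SIL 4: reduce the hazard by design instead")


def evaluate_option(opt, mitigated_freq, tolerable_freq, consequence_cost, years):
    """Residual risk and total life-cycle cost of one option over the evaluation horizon."""
    residual = mitigated_freq * opt.pfd
    risk_cost = residual * consequence_cost * years
    trip_cost = opt.spurious_trips_per_year * opt.loss_per_trip * years
    return {
        "name": opt.name,
        "residual_freq": residual,
        "meets_target": residual <= tolerable_freq,
        "lifecycle_cost": opt.capex + opt.opex_per_year * years + risk_cost + trip_cost,
    }


def rank_options(options, mitigated_freq, tolerable_freq, consequence_cost, years):
    """Options that close the risk gap, cheapest life-cycle cost first."""
    results = [evaluate_option(o, mitigated_freq, tolerable_freq, consequence_cost, years)
               for o in options]
    return sorted((r for r in results if r["meets_target"]), key=lambda r: r["lifecycle_cost"])


# Constructed scenario: wellhead shut-in pressure above flowline MAOP, blocked outlet
INITIATING_FREQ = 0.5      # blocked-outlet events per year
EXISTING_IPLS = [0.1]      # BPCS high-pressure alarm with operator response
TOLERABLE_FREQ = 1e-5      # tolerable flowline rupture frequency per year
CONSEQUENCE_COST = 100e6   # cost of one rupture event
YEARS = 20

OPTIONS = [
    Option("Full-rated flowline (design pressure >= shut-in)", 0.0, 6e6, 50e3),
    Option("Relief valve to flare", 1e-2, 4e6, 100e3),
    Option("HIPS designed to PFD 1.5e-4", 1.5e-4, 2.5e6, 200e3, 0.2, 300e3),
]


def assess(options=OPTIONS):
    """Run the full risk-gap assessment; returns (required RRF, SIL target, ranked options)."""
    mitigated = mitigated_frequency(INITIATING_FREQ, EXISTING_IPLS)
    rrf = required_rrf(mitigated, TOLERABLE_FREQ)
    ranked = rank_options(options, mitigated, TOLERABLE_FREQ, CONSEQUENCE_COST, YEARS)
    return rrf, sil_target(rrf), ranked


if __name__ == "__main__":
    rrf, sil, ranked = assess()
    print(f"required RRF {rrf:.0f} -> SIL {sil} target (PFD <= {1 / rrf:.1e})")
    for r in ranked:
        print(f"{r['name']}: residual {r['residual_freq']:.1e}/yr, "
              f"life-cycle cost {r['lifecycle_cost'] / 1e6:.2f} M")
```

Note that the single relief valve drops out of the ranking because its PFD cannot supply the RRF the gap demands, and that the HIPS option must be designed to the gap's PFD (here 2e-4 or better), not merely to the SIL 3 band.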

6.3 HIPS Design Process
The Saudi Aramco HIPS design process is defined in SAEP-354. This process is required in SAES-J-601 for HIPS development. The process and the requirements refer to ISA S84.01/IEC 61511, the international performance based standard for safety instrumented systems (SIS).

6.4 HIPS Verification Process
This document should clearly address the requirements to determine whether the HIPS design provides the risk reduction required by the process as determined by the QRA, while maintaining design consistency. Methodologies, criteria, etc. to achieve this task should be covered by this document; therefore it should elaborate on aspects such as:
• A review of the architecture of the HIPS to make sure that it is adequate for the SIL requirements. Also, a review of the failure type of the HIPS (fail-safe, etc.).
• Calculation of the Probability of Failure on Demand (PFD) of the HIPS to make sure that it complies with the SIL requirement. This requires a clear determination of the diagnostic coverage factor and the common mode failure factor used in the calculations, as well as the failure rates used for the different components of the HIPS and the sources from which they were taken.
• Determination of the Safe Failure Fraction (SFF) for each component of the system, to be used in the assessment of the architectural constraints.
• Demonstration of the "proven in use" criteria for the components used.
• Determination of the spurious trip rate (STR) for the HIPS, and assessment of its adequacy as compared to the SIL requirements and the particular operating circumstances of the facility being protected.
• A review of the degradation designed for the HIPS, and assessment of its adequacy for the functionality and for compliance with the SIL application.
• Assessment of the independence of the HIPS from any other ESD system or Basic Process Control System.
• Cause and effect matrix.
• Assessment of the maintainability and testability provided for by the design.
• Review and assessment of the adequacy of the following procedures related to the HIPS and provided by the design: operating procedure, testing procedure, and Management of Change procedure.

6.5 Testing and Maintenance Process
As outlined in SAEP-354, Sections 4.11 and 4.12, HIPS, like any SIS, require proof testing and maintenance over the installed life of the system to ensure the desired risk reduction is provided. As this burden must be carried by the operations and maintenance personnel, the HIPS must be designed up front with functional proof testing and maintenance in mind. The functional testing of HIPS must account for the entire system, from the field sensors to the final elements (pipe to pipe). Testing of the individual components in isolation is not enough to ensure they communicate properly with each other and work together to accomplish the intended safety function. If it is not possible to test completely from the sensor to the final element all at once, then there need to be multiple tests that exercise the components with enough overlap to ensure the safety loop (HIPS) will work as a whole. The testing must also ensure the HIPS is not in a degraded mode. Simply doing one successful test is not enough for fault tolerant architectures like SIL 3 HIPS. A proof test is intended to ensure that all paths to successful operation are in working order. As there is no standard template design for a HIPS, there is also no standard "one-size-fits-all" testing procedure. It is recommended that once the HIPS preliminary design is completed and the time interval between functional tests is defined for the target SIL, the proponent review the design carefully to see that it will be practical for him to meet the functional testing requirements over the life of the system. Once the design is reviewed and modified for alignment with the proponent requirements and checked against the SIL target, the testing and maintenance procedures can be developed for the HIPS. Reference ISA Technical Report ISA-TR84.00.03-2002, "Guidance for Testing of Process Sector Safety Instrumented Functions (SIF) Implemented or Within Safety Instrumented Systems (SIS)," for examples that may be useful in the development of the HIPS testing procedures.
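The calculations that the verification process (6.4) and the test-interval decision (6.5) call for, as an added example that is not part of the report: a constructed HIPS loop of 2oo3 transmitters, a 1oo1 logic solver and 1oo2 shutdown valves is verified for PFD, safe failure fraction and hardware fault tolerance, and the longest proof-test interval that still meets the target PFD is found. The formulas are the simplified IEC 61508-6 low-demand approximations with a beta factor for common cause; the failure rates, diagnostic coverages and beta values are constructed sample inputs, not certified data for any product.

```python
"""PFD verification and proof-test interval sizing for a HIPS loop.

Added example, not from the report. Uses the simplified IEC 61508-6 low-demand
approximations (independent failures, repair time neglected) with a beta factor
for common cause. Failure rates and diagnostic coverages are constructed sample
values, not certified data for any product.
"""
from dataclasses import dataclass

# IEC 61508 low-demand SIL bands: (SIL, lower PFDavg bound, upper PFDavg bound)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
HOURS_PER_YEAR = 8760


def sil_from_pfd(pfd):
    """SIL band achieved by a PFDavg (0 if worse than SIL 1, 4 if better than its bound)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-5 else 0


@dataclass
class Subsystem:
    name: str
    arch: str          # "1oo1", "1oo2" or "2oo3"
    lambda_d: float    # dangerous failure rate per element, per hour
    lambda_s: float    # safe failure rate per element, per hour
    dc: float          # diagnostic coverage (fraction of dangerous failures detected online)
    beta: float = 0.0  # common cause factor for redundant elements

    @property
    def lambda_du(self):
        """Dangerous undetected rate: only proof testing reveals these failures."""
        return self.lambda_d * (1.0 - self.dc)

    def sff(self):
        """Safe failure fraction: share of all failures that are safe or detected."""
        return (self.lambda_s + self.lambda_d * self.dc) / (self.lambda_s + self.lambda_d)

    def hft(self):
        """Hardware fault tolerance of the voting arrangement."""
        return {"1oo1": 0, "1oo2": 1, "2oo3": 1}[self.arch]

    def pfd_avg(self, ti_hours):
        """Average PFD over a proof-test interval TI (simplified IEC 61508-6 forms)."""
        x = self.lambda_du * ti_hours
        if self.arch == "1oo1":
            return x / 2
        ccf = self.beta * x / 2  # common cause term behaves like a single channel
        if self.arch == "1oo2":
            return (1 - self.beta) ** 2 * x ** 2 / 3 + ccf
        if self.arch == "2oo3":
            return (1 - self.beta) ** 2 * x ** 2 + ccf
        raise ValueError(self.arch)


def loop_pfd(subsystems, ti_hours):
    """Loop PFD is the sum of the series subsystems (sensor + logic solver + final element)."""
    return sum(s.pfd_avg(ti_hours) for s in subsystems)


def max_test_interval(subsystems, target_pfd, max_hours=20 * HOURS_PER_YEAR):
    """Longest proof-test interval (hours) at which the loop still meets target_pfd (bisection)."""
    if loop_pfd(subsystems, max_hours) <= target_pfd:
        return float(max_hours)
    lo, hi = 0.0, float(max_hours)
    for _ in range(60):
        mid = (lo + hi) / 2
        if loop_pfd(subsystems, mid) <= target_pfd:
            lo = mid
        else:
            hi = mid
    return lo


def verify(subsystems, ti_hours, target_pfd):
    """Verification summary: per-subsystem PFD, SFF and HFT, loop PFD, SIL, and the TI ceiling."""
    pfd = loop_pfd(subsystems, ti_hours)
    return {
        "subsystems": {s.name: {"pfd": s.pfd_avg(ti_hours), "sff": s.sff(), "hft": s.hft()}
                       for s in subsystems},
        "loop_pfd": pfd,
        "sil": sil_from_pfd(pfd),
        "meets_target": pfd <= target_pfd,
        "max_ti_hours": max_test_interval(subsystems, target_pfd),
    }


# Constructed HIPS loop: 2oo3 smart transmitters, certified logic solver, 1oo2 shutdown valves
HIPS_LOOP = [
    Subsystem("pressure transmitters 2oo3", "2oo3", 5e-7, 5e-7, 0.90, beta=0.05),
    Subsystem("logic solver 1oo1", "1oo1", 1e-7, 1e-7, 0.99),
    Subsystem("shutdown valves 1oo2", "1oo2", 2e-6, 1e-6, 0.30, beta=0.10),
]


if __name__ == "__main__":
    report = verify(HIPS_LOOP, HOURS_PER_YEAR, target_pfd=1e-3)
    for name, r in report["subsystems"].items():
        print(f"{name}: PFD {r['pfd']:.2e}  SFF {r['sff']:.1%}  HFT {r['hft']}")
    print(f"loop PFD {report['loop_pfd']:.2e} -> SIL {report['sil']}, "
          f"target met: {report['meets_target']}")
    print(f"longest proof-test interval for target: "
          f"{report['max_ti_hours'] / HOURS_PER_YEAR:.2f} years")
```

With these inputs the final elements contribute almost all of the loop PFD, which is why the proof test must exercise the valves (pipe to pipe) and why the test interval, not the transmitter voting, is the lever that keeps the loop inside its SIL band.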

6.6 Management of Change Process
This document should include the methodology and criteria to control all the engineering work on the plant and/or on the HIPS that goes beyond mere maintenance and constitutes a modification. Such a modification involves a change in the plant and/or process and/or HIPS and can introduce a hazard. Along these lines, the system should cover the elements for the control of modifications such as procedures, assessment, inspection, documentation and training. In addition, the document should clearly establish what is meant by a change/modification, both to the process (which could affect the HIPS) and to the HIPS itself, and should elaborate on the control of these changes.

6.7 Decommissioning Process
This document should develop the means and controls for isolating and ultimately removing HIPS once they are no longer required in a particular system. It should elaborate on the management of change procedures and controls to be applied as needed; in this sense it should refer to the Management of Change Process. Decontamination procedures and related waste disposal issues, in case they are needed, should be developed considering the hazards involved.

Flowcharts follow:


HIPS IMPLEMENTATION PROCESS for Standard Projects

Life cycle stage, process and description (reconstructed from the flowchart):

DBSP
- HIPS? If NO: END. If YES: proceed.
- Description: Study and provide justification for the need to install HIPS.

Project Proposal
- Perform Quantitative SIL Study to determine the risk gap and define SIL.
- Develop options to bridge the risk gap (e.g. PRVs, pipe thickness, HIPS, etc.).
- Validation Process: perform Life-Cycle Cost-Benefit Analysis (CBA) for all options.
- HIPS? If NO: continue to design the project with the option selected. If YES: proceed.

Detailed Design
- HIPS design in accordance with specs.
- Design/Verification Process Review: Architecture, PFD, Safe Failure Fraction (SFF), Proven in use demonstration, Spurious Trip Rate (STR), Degradation, Independency, Maintainability, Testability, Procedures (MOC / Operating / Testing).
- Comply with specs? If NO: loop back to design. If YES: Implement HIPS.

Construction
- Construction and Field Verification of HIPS "As Built".
- Comply with specs? If NO: loop back. If YES: proceed to operation.

O&M / Modifications
- Testing and Maintenance; MOC; Auditing.
- Description: Provide tools, procedures and resources for testing, maintenance and MOC. Auditing of the entire system is carried out every year.

Decommission
- Develop means and controls for isolating and removing HIPS.

HIPS IMPLEMENTATION PROCESS for Maintain Potential Projects

Life cycle stage, process and description (reconstructed from the flowchart):

Production Area HIPS Survey
- HIPS? If NO: END. If YES: proceed.
- Description: Study and provide justification for the need to install HIPS.

Production Area HIPS Survey (continued)
- Perform Quantitative SIL Study to determine the risk gap and define SIL.
- Develop options to bridge the risk gap (e.g. PRVs, pipe thickness, HIPS, etc.).
- Validation Process: perform Life-Cycle Cost-Benefit Analysis (CBA) for all options.
- HIPS? If NO: continue to design the project with the option selected. If YES: proceed.

Detailed Design
- HIPS design in accordance with specs.
- Design/Verification Process Review: Architecture, PFD, Safe Failure Fraction (SFF), Proven in use demonstration, Spurious Trip Rate (STR), Degradation, Independency, Maintainability, Testability, Procedures (MOC / Operating / Testing).
- Comply with specs? If NO: loop back to design. If YES: Implement HIPS.

Construction
- Construction and Field Verification of HIPS "As Built".
- Comply with specs? If NO: loop back. If YES: proceed to operation.

O&M / Modifications
- Testing and Maintenance; MOC; Auditing.
- Description: Provide tools, procedures and resources for testing, maintenance and MOC. Auditing of the entire system is carried out every year.

Decommissioning
- Develop means and controls for isolating and removing HIPS.

7.0 Conclusion and Recommendations
7.1 Conclusions
The committee concluded that mechanical protection is the primary protection for pipelines in Saudi Aramco and that HIPS should only be considered when mechanical protection is impractical, involves substantial economic impact or credit, or can have potential environmental impact. When HIPS is considered after careful consideration of conventional mechanical alternatives for system protection, the recommendations of this report and the requirements of existing standards governing the usage of HIPS must be followed.

7.2 Recommendations
• SAEP-354 is a good starting point for a new Saudi Aramco Engineering Standard that would define how HIPS are developed and approved. Tied to SAES-J-601, SAES-B-058, and certain SAES-L's, the new standard would be used for approving and designing HIPS instead of using waivers as we do today. The new Standard should address as a minimum:
  o Improving the HIPS design process
  o Improving the way testing and maintenance of HIPS are performed
  o Establishing MOC and decommissioning processes
  o Aligning Saudi Aramco standards better with risk based approaches and international standards such as IEC, ISA, etc.
• Prior approval is required for all HIPS proposals (P&CSD, LPD, CSD, and FPD).
• FPD will provide the cost justification for considering the use of HIPS at the DBSP stage for Standard projects. The Production Area HIPS Surveys will be developed for onshore Maintain Potential projects and will provide the cost justification and planning for considering the use of HIPS and future flowline upgrades.
• A quantitative SIL assessment and a life-cycle cost-benefit analysis are required to establish the SIL target for each HIPS proposal. The assessment needs to be provided by a safety consultant and shall be reviewed by P&CSD, LPD, and the Proponent. This step will provide a way to apply Saudi Aramco's risk criteria to determine whether a HIPS is appropriate for the application. This shall be accomplished during the Project Proposal phase for Standard projects and in the Production Area HIPS Survey for Maintain Potential projects.
• Preliminary and detailed design reviews shall be performed by P&CSD, LPD, and the Proponent. Once the decision is made to use HIPS (during the Project Proposal phase or at the end of the Production Area surveys), the design of the system can proceed with input from the parties listed. The proposed HIPS design shall be verified early in the Detailed Design phase to ensure the risk reduction required by the SIL assessment is met.
• HIPS installation shall be verified by P&CSD, the appropriate Plant Inspection Unit, and the Proponent. This stage is a hands-on, walk-through-the-plant type of process that will verify that the final design was implemented as intended.
• Maintenance and testing shall be performed by the Proponent as prescribed in the detailed design. Management should understand that Proponents who use HIPS will need extra technical support from P&CSD and the appropriate Plant Inspection Unit to enable the Proponent to perform the required HIPS testing. HIPS owners should be aware that special attention is needed for such critical systems and that management, administrative controls and management of change procedures equivalent to or better than those for other safety critical systems (e.g. relief valves) are required. Reviews of HIPS testing, maintenance and operation and of the Management of Change Process should be conducted to ensure compliance.
• HIPS packages shall comply with Saudi Aramco Standards and be developed following Saudi Aramco Procedures (see SAES-J-601 and SAEP-354 for details), to include, but not be limited to, material specifications, spare parts, non-material requirements (NMRs), and approved procedures for commissioning, operating, maintenance, testing, evaluating, and decommissioning.
• The appropriate responsible engineering entity, other than the operating facility, shall have the authority to write an official warning letter and ultimately shut down a facility using a HIPS should that facility fail to comply with approved operating, maintenance, MOC, and/or testing procedures.
• For Maintain Potential projects, long range planning (Production Area Surveys) for high pressure wells that are being added to existing networks must be accomplished, and a pro forma set of HIPS documentation for these wells should be established well prior to drilling. With that early plan and approved documents, a short form of HIPS development and authorization procedures may be developed and used that allows faster responses to the drilling schedule and its changes.
• Documentation for each HIPS system should be maintained and should be available for review by an independent committee from different organizations. The findings/records of maintenance, testing, inspection and earlier reviews need to be reported and tracked.

Appendix A, Description and Examples of HIPS

HIPS System Components:
The three major HIPS components are the Initiator, the Logic Solver and the Final Element(s).
• Initiator: The element(s) measuring the (over/under)pressure. The initiators may be mechanical pressure switches or electronic pressure transmitters.
• Logic Solver: Voting logic, determining if a situation is safe or unsafe based on the output of the initiators, then acting on the final element.
• Final Element(s): The complete valve/actuator/solenoid unit which isolates the overpressure. Another common form of "final element" is a motor contactor that removes power from a pump or compressor that is the source of the high pressure.

Protection Layers
The figure above, with the seven red circles, shows how layers of protection can be used to reduce unacceptable risk to an acceptable level. The amount of risk reduction for each layer depends on the specific nature of the safety risk and the impact of the layer on the risk. Economic analysis should be used to determine the appropriate combination of layers for mitigating safety risks. When an SIS is required, one of the following should be determined:
• Level of risk reduction assigned to the Safety Instrumented System (SIS)
• Safety integrity level (SIL) of the SIS

SAES-J-601 requires ALL HIPS to be designed to meet SIL 3 performance targets. Alternatively, a Quantitative Risk Assessment (QRA) may be performed to define more precisely what risk reduction is required of the HIPS. Typically, the determination is made according to the requirements of ANSI/ISA S84.01 or the International Electrotechnical Commission (IEC) 61508/61511 standards during a process hazard analysis (PHA). A process demand is defined as the occurrence of a process deviation that causes an SIS to transition the process to a safe state. In general, every SIS provides a safety control function that is completely separate in function from the Basic Process Control System (BPCS) or DCS; HIPS are no exception to this fundamental design requirement. According to ANSI/ISA S84.01 and IEC 61508/61511, the scope of an SIS is restricted to the instrumentation or controls responsible for bringing a process to a safe state in the event of a failure.

The probability of failure on demand (PFD), i.e. the availability, of an SIS depends on:
• failure rates and modes of components
• installed instrumentation
• redundancy
• voting
• diagnostic coverage
• testing frequency

SIL Factors

A SIL can be considered a statistical representation of the availability (probability of failure on demand, PFD) of an SIS to respond at the time of a process demand. A SIL is the litmus test, or performance target, of an acceptable SIS design; it is related to the risk of the equipment to be protected and takes in the following factors:
• system architecture
• device integrity and diversity
• diagnostics
• systematic and common cause failures
• testing
• operation
• maintenance
Current HIPS Applications in Pipeline Systems
Saudi Aramco: HIPS have currently been implemented in the following Saudi Aramco areas under waiver conditions. The committee visited two areas, the first onshore and the second offshore.

Southern Area onshore oil/gas wells (high pressure gas cap and ESP): the measured wellhead pressure of these wells (>2000 psi) is above the MAOP (1300 psi) of their flowlines and trunklines. HIPS were implemented to protect the subject pipelines. The system hardware has been installed and tested; however, the system lacks approved procedures for commissioning, operating, maintenance, testing, evaluating and decommissioning.

Abu Safah Offshore Field: electric submersible pumps (ESPs) were installed in all production wells. The design pressure of the existing flowlines is 850 psi. The ESPs are capable of developing pressure in the region of 2000 psi if they are run (or started) against closed valves downstream of the wellhead manifold. HIPS were implemented to protect the manifold and associated pipelines. Each platform has an ESD system in place in addition to the HIPS; both systems control the shutdown of the Subsurface Safety Valves (SSSV), Surface Safety Valves (SSV) and battery-limit ZV valve. Both systems have independent sensors with predetermined settings. Likewise, this HIPS lacks approved procedures for commissioning, operating, maintenance, testing, evaluating and decommissioning.

To prevent the above situation from recurring, one of the goals of this committee is to recommend enhancements to Saudi Aramco engineering standards and procedures to ensure that each HIPS package includes a complete, verified and approved HIPS design, including material specifications, spare parts, non-material requirements (NMRs), and approved procedures for commissioning, operating, maintenance, testing, evaluating and decommissioning.
Worldwide: Based on other operating companies' feedback on the HIPS questions, HIPS is used where a mechanical pressure relief system is impossible, very impractical and/or expensive; for example, to protect pipelines against overpressure from wells where the alternative would be to flare or vent an entire reservoir. HIPS are rarely used in downstream (refinery and chemical plant) facilities. Sometimes the protection systems that prevent flare overload are also called HIPS. These companies have been implementing HIPS in their facilities for more than 10 years.
Following are examples of HIPS applications at different companies in different parts of the world.

North Sea: Jade oil and gas platform, North Sea Central, United Kingdom. The fully pressure-rated topsides and piping are designed to accommodate a 160°C flowing wellhead temperature and an 11,000 psi wellhead design shut-in pressure. The pipeline design pressure is 150 barg (2175 psig). There is also a high-integrity pipeline pressure system (HIPS) for protecting the pipeline.

Figure captions (pictures not reproduced here):
• HIPS in Qatar: SIL 3, 30 in ASME Class 900
• HIPS on an unmanned offshore platform in Malaysia: SIL 3, 12 in Class 900
• Zero flaring in Abu Dhabi, EPC project
Trans-Alaska Pipeline System (TAPS): The project is one of the most significant investments ($250 million) since the construction of the Trans-Alaska Pipeline System (TAPS) and involves installing electrically driven crude oil pumps at four critical pump stations, combined with increased automation and upgraded control systems. The 800 mile trans-Alaska pipeline currently transports nearly 1 million barrels of crude oil per day across the Alaskan wilderness to the port of Valdez; to date it has a total throughput of over 14 billion barrels. The HIPS will operate even when the TAPS normal control systems shut down, and is expected to give only one "failure" indication every 100 years.

References:
SAEP-354, High Integrity Protective Systems Design Requirements
SAES-L-100, Applicable Codes and Standards for Pressure Piping Systems
SAES-J-601, Emergency Shutdown and Isolation System
IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
IEC 61511-SER, Functional Safety: Safety Instrumented Systems for the Process Industry Sector
ANSI/ISA-S84.01-1996, Application of Safety Instrumented Systems for the Process Industries
ISA-TR84.00.03-2002, Guidance for Testing of Process Sector Safety Instrumented Functions

All pictures depicted above were taken from public sources, namely the Internet.

Appendix B, Excerpts Concerning HIPS from Saudi Aramco Standards

Following are the Saudi Aramco standards associated with Safety Instrumented Systems and HIPS implementations.

SAES-L-100 Applicable Codes and Standards for Pressure Piping Systems
In this standard the general Saudi Aramco philosophy for protecting piping systems is that the piping system shall be mechanically capable of withstanding the design condition within the applicable Code requirements. This requirement may be waived, if economically and technically justified, to allow the piping system to be protected by redundant instrumentation devices or provisions. The standard also requires that these devices be fully independent and designed such that the risk of failure or of being disabled is negligible, and that they be reviewed and approved on a case-by-case basis by CSD, LP, P&CSD and the Proponent through the waiver process per SAEP-302.

SAEP-354 High Integrity Protective Systems Design Requirements
This Saudi Aramco Engineering Procedure (SAEP) establishes the guidelines and procedures for the proper application, design and documentation of High Integrity Protection Systems (HIPS) used to provide overpressure protection and/or flare load mitigation for process equipment, pipelines, wellhead flowlines, gas manifolds, or other special purpose applications. The procedure emphasizes that HIPS shall not be applied to new or grass-roots construction unless there is a compelling reason to do so. Moreover, a process hazard analysis and a life-cycle cost analysis shall be conducted on the candidate HIPS. The HIPS shall also be evaluated against the cost of implementing a conventional flare/relief system, or of upgrading equipment and piping to meet or exceed the new MAWP and/or flaring requirements per the API RP 520 / API RP 521 sizing requirements and implementation guidelines.
SAES-J-601 Emergency Shutdown and Isolation System
This standard establishes the criteria for the design, implementation, validation and testing of Emergency Shutdown Systems (ESD), emergency isolation and depressuring systems, and equipment protection systems. Included within these criteria are the definitions of ESD hierarchical layers and the acceptable methods for determining safety integrity levels for representative ESD loops. This standard defines High Integrity Protective Systems (HIPS) as high availability, fail-safe SIL-3 ESD systems, designed to augment safety relief devices or mitigate worst-case relieving loads, or that function in lieu of overpressure protective devices in wellhead, flare or off-sites pipelines. The standard also requires that all proposed SIL-3 applications include a quantitative fault tree analysis that examines the probability of failure on demand for the worst-case risk scenario for the particular process application. This analysis must be reviewed and approved by the Proponent Operating Department, the Chief Fire Prevention Engineer, LPD, and the General Supervisor, PCSD/IT, before proceeding with the implementation of the proposed solution.

Appendix C, Excerpts Concerning HIPS from International Standards

API RP 521, Guide for Pressure-Relieving and Depressuring Systems
Paragraph 2.2, overpressure criteria, states: "Some relieving scenarios require the installation of high-integrity protective instrument systems to prevent overpressure and/or over-temperature. If this approach is used, the protective instrument system shall be at least as reliable as a pressure-relief device system, and shall be used only when the use of pressure relief devices is impractical."

ASME B31.4
This Code prescribes requirements for the design, materials, construction, assembly, inspection and testing of piping transporting liquid hydrocarbons and other liquids. Paragraph 452.2, Controls and Protective Equipment, states: "(a) Controls and protective equipment, including pressure limiting devices, regulators, controllers, relief valves, and other safety devices, shall be subjected to systematic periodic inspections and tests, at least annually, except as provided in paragraph 452.2(b), to determine that they are: (1) In good mechanical condition; (2) Adequate from the standpoint of capacity and reliability of operation for the service in which they are employed; (3) Set to function at the correct pressure; (4) Properly installed and protected from foreign materials or other conditions that might prevent proper operation. (b) Relief valves on pressure storage vessels containing LPG, carbon dioxide, or liquid anhydrous ammonia shall be subjected to tests at least every 5 years."

ASME B31.8
This Code covers the design, fabrication, installation, inspection and testing of pipeline facilities used for the transportation of gas, and the safety aspects of the operation and maintenance of those facilities. Under Section 805, Design, Fabrication, Operation, and Testing Terms, subsection 805.217, the Code states: "Overpressure protection is provided by a device or equipment installed in a gas piping system that prevents the pressure in the system or part of the system from exceeding a predetermined value."
Appendix D, Questions to Industry Concerning HIPS
A. DESIGN & APPLICATION:
1. Provide a brief description of the plant or process in which HIPS are installed and what functions HIPS are performing.
2. Were HIPS applied to protect existing piping systems, or were they included within the scope of new project designs?
3. Are HIPS designed as stand-alone, independent safety systems, or are they integrated into a common ESD system and segregated in a different manner, such as separate controllers, separate chassis, etc.?
4. How long have your installed HIPS been operating?
5. What type of risk analysis was performed to determine the adequate level of protection for the HIPS? If SIL assignment was used, what type of analysis was performed (PHA/HAZOP; Quantitative; Semi-Quantitative; Qualitative)? Can you provide more information on the type of risk assessment completed, e.g. LOPA, Risk Graph, etc.?
6. What work process do you have in place to review requests to use HIPS as alternatives to conventional piping design requirements? How do your piping standards allow for the use of HIPS? In what specific applications are you using HIPS to protect piping systems (upstream and downstream)?
7. What are the biggest issues with regard to HIPS and how did you overcome them?
8. Have you recorded an instance when the HIPS did operate when required? Can you comment on how effective the system was or on problems encountered? How many HIPS-initiated trips have you experienced?
B. HARDWARE/SOFTWARE ISSUES:
1. Has a HIPS ever failed to operate when called upon to protect the plant/equipment, from either an initiator or a manual operation (pushbutton)? How many times has a HIPS failed to operate?
2. If you could suggest a hardware or software change which would make the HIPS more robust or reliable, what would that be?

C. MANAGEMENT OF CHANGE PROCEDURES:
1. What are the key elements of your HIPS Management of Change procedure?

D. MAINTENANCE RECORDS, PROCEDURES AND TOOLS:
1. Are the results of proof-testing performed on installed HIPS verified against the original HIPS design requirements? How often are HIPS proof-testing records audited?
2. Are HIPS components (valves, etc.) removed from service and thoroughly overhauled on a scheduled basis? If so, how frequently?
3. What special tools or procedures are used for HIPS device proof-testing?
4. Has testing of the HIPS caused a plant shutdown?
5. Is proof-testing performed by certified technicians? If so, how are they trained/certified?

E. ORGANIZATIONAL SUPPORT & TRAINING REQUIREMENTS:
1. How does your organization support HIPS? How much formal training is required before an engineer or technician is considered qualified to design, program, reprogram, maintain or troubleshoot the HIPS? What qualifications are required?
2. Who supports HIPS design, engineering and maintenance within your organization? Do you have centralized staff dedicated to HIPS?

F. AUDITING HIPS:
1. Does your company perform internal audits of HIPS to ensure compliance with design requirements once HIPS are installed within operating facilities? What organizations perform this audit function?
2. What procedure do you follow to decommission HIPS?
Appendix E, Abbreviation & Definitions of Important Terms
API: American Petroleum Institute
ASME: American Society of Mechanical Engineers
BPCS: Basic Process Control System
DBSP: Design Basis Scoping Paper
ESD: Emergency Shutdown System
FTA: Fault Tree Analysis
HAZOP: Hazards and Operability Study
HIPS: High Integrity Protective Systems
IPL: Independent Protection Layer
LCC: Life Cycle Cost
MOC: Management of Change
OSHA: Occupational Safety and Health Administration
PFD: Probability of Failure on Demand
PHA: Preliminary Hazard Analysis
SIL: Safety Integrity Level
SIS: Safety Instrumented System

Definitions of Important Terms
Consequence: Outcome from an event. There may be one or more consequences from an event. Consequences may be positive or negative; however, for the purpose of this document consequence will mean the negative outcome of any event. Consequences may be expressed qualitatively or quantitatively.

Demand: Unmitigated frequency of a potential load (in this document, exceeding predetermined conditions) on a system. Normally, if the predetermined conditions exceed the system design limits, the system is required to perform an action protecting the equipment and/or the process.

Emergency Shutdown System (ESD): A system composed of sensors, logic solvers and final control elements for the purpose of taking the process, or specific equipment in the process, to a safe state when predetermined conditions are violated, i.e., to isolate, de-energize, shut down or depressure a process unit or process equipment. Other terms commonly used throughout the hydrocarbon and petrochemical industry include Safety Instrumented Systems and Safety Interlock Systems (SIS & ZC).

Event: Occurrence of a particular set of circumstances. The event can be singular or multiple. The probability associated with the event can be estimated for a given period of time.

Fail-Safe System: A system design or condition such that the failure of a component, subsystem or system, or of an input to it, will automatically revert the system to a predetermined safe state of least critical consequences. "Systematic failures include failures within component parts, basic operating system failures, or signal or power failures".

Failure: Termination of the ability of a system, structure or component to perform its required function. Failures may be unannounced and undetected until the next inspection (unannounced failure), or they may be announced and detected by any number of methods at the instant of occurrence (announced failure).

Fault-Tolerant System: A system incorporating design features which enable it to detect, discriminate and log transient or steady-state error or fault conditions and take appropriate corrective action while remaining on-line and performing its specified function.

Hazard: A physical condition or a release of a hazardous material that could result from component failure and result in human injury or death, loss or damage, or environmental degradation. The hazard is the source of harm. Components that are used to transport, store or process a hazardous material can be a source of a hazard. Human error and external events may also create a hazard.

Hazard Identification: A process of systematic identification of material, system, process and plant characteristics that can produce negative consequences through the occurrence of an accident.
Commentary Note: There are various hazard identification techniques including checklists, What-if, HAZOP, etc., each of them having a specific application with hazard identification process. Different situations may require one or more of these techniques.

Hazard Analysis: The identification of undesired events that lead to the realization of a hazard, the analysis of the mechanisms by which these undesired events could occur, and usually the estimation of the extent, magnitude and likelihood of any harmful effects. (Synonyms for Hazard Analysis: Process Hazard(s) Analysis, Hazard Assessment, Hazard Evaluation, etc.)

HAZOP: A systematic, detailed hazard analysis technique applied to processes to identify and qualify deviations from design or normal operation which have the potential to place the process plant, environment or personnel at risk. The HAZOP study will assist in identifying abnormal process deviations or operating scenarios that may require remedial process design, or an appropriate ESD (instrumented safety/protective) layer in addition to a mechanical safety-relief valve layer.

High Integrity Protective Systems (HIPS): High availability, fail-safe SIL-3 ESD systems, designed to augment/replace safety relief devices or mitigate worst-case relieving loads, or systems that function in lieu of overpressure protective devices in a process, wellhead, flare or off-sites pipelines.

Life Cycle: Sequence of activities involved in the implementation of HIPS from initial conception through decommissioning (refer to ANSI/ISA S84.01 and IEC 61511).

Life Cycle Cost: Total initial construction cost of the system plus the cost of operation, testing, inspection, maintenance, administration, etc., through the expected life of the system.

Mitigate: Limit any negative consequences of a particular event.

Production Areas HIPS Survey: A comprehensive risk analysis and SIL assessment for production areas to determine the number of high pressure wells that can be safely added to existing flowlines and trunklines using HIPS to protect the lower pressure lines. These surveys will also determine when and where new high pressure flowlines and trunklines may be needed in the future.

Proponent: The client or customer who undertakes the study or for whom the study is being undertaken.

Risk: A measure of economic loss, environmental degradation or human injury in terms of both the incident likelihood and the magnitude of the loss, degradation or injury.

Risk Assessment: A detailed qualitative or quantitative analysis to estimate the potential likelihood and consequences of site-specific events, and then to compare the risk with acceptance criteria.

Safe-State: The predetermined safe position of the process equipment or equipment under control, as determined by operational experience, a preliminary hazards analysis, or formal HAZOP analysis. Unless otherwise specified, the safe-state for a normally-energized safety system shall be the "de-energized" state, with no utility supply (e.g., air, hydraulics), power or logic voltage being applied to a primary element, sensor or final operator.

Safety Instrumented System (SIS): Same definition as an ESD system, but represents the safety system definition used within ANSI/ISA S84.01 and its Annexes.

Safety Integrity Level (SIL): ANSI/ISA S84.01 definition of three possible discrete integrity levels (SIL 1, SIL 2, SIL 3) for Safety Instrumented or ESD systems. SILs are defined in terms of overall system availability or average probability of failure on demand (PFDavg).
Commentary Note: The Safety Integrity Level (SIL 3 in this case) is allocated based on a process hazard and risk assessment. It forms the basis for the risk reduction target for the Safety Instrumented System (HIPS in this case). For "on-demand" systems such as a HIPS, the SIL defines the PFDavg target for the SIS. Once the SIS is designed (overall architecture defined, test intervals established, and components selected), a check is made to ensure that the proposed SIS's probability of failure to perform the safety instrumented function meets the SIL defined by the process (SIL 3 in this case).

This dimensionless number is calculated for the entire ESD loop, consisting of the input device(s), the logic solver and the final output device(s). The required availability for SIL-3 is 0.9999 or better.
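As an added illustration of the Protection Layers and SIL Factors passages in Appendix A and of the Commentary Note above (example code written for this edit, not part of the report or of any Saudi Aramco standard), the following Python derives the PFD a HIPS must reach from a LOPA-style count of the other layers, computes the achieved PFDavg of a constructed loop (initiators, logic solver, final elements) with the simplified low-demand formulas, checks it against both the ANSI/ISA S84.01 SIL 3 band (PFDavg between 10^-4 and 10^-3) and the stricter 0.9999 availability the report quotes, and finds the longest proof-test interval that still meets the target. All failure rates, frequencies and the loop architecture are constructed assumptions; the formulas omit common-cause, diagnostic-coverage and repair-time terms, which a real SIL verification must include.

```python
"""Added example (not from the report): simplified SIL verification of a HIPS loop.

Architecture formulas are the standard simplified low-demand PFDavg equations
(ISA-TR84.00.02 style) and omit common-cause, diagnostic-coverage and repair
terms. Every failure rate and frequency below is a constructed assumption.
"""

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands as PFDavg [lower, upper) per ANSI/ISA S84.01 / IEC 61508
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_avg(arch, lam_du, ti_years):
    """PFDavg of one MooN subsystem; lam_du in dangerous undetected failures/hour."""
    x = lam_du * ti_years * HOURS_PER_YEAR          # expected DU failures per test interval
    if arch == "1oo1":
        return x / 2
    if arch == "2oo2":
        return x                                     # both must work; either failing is dangerous
    if arch == "1oo2":
        return x ** 2 / 3
    if arch == "2oo3":
        return x ** 2
    raise ValueError(f"unsupported architecture {arch!r}")


def loop_pfd(subsystems, ti_years):
    """Whole-loop PFDavg: initiators + logic solver + final elements add in series."""
    return sum(pfd_avg(arch, lam, ti_years) for _, arch, lam in subsystems)


def sil_for_pfd(pfd):
    """SIL band containing a PFDavg (0 if worse than SIL 1)."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_BANDS[sil][1]:
            return sil
    return 0


def required_sis_pfd(initiating_freq_per_yr, other_ipl_pfds, tolerable_freq_per_yr):
    """LOPA-style target: f_init * prod(PFD of other layers) * PFD_SIS <= tolerable."""
    residual = initiating_freq_per_yr
    for p in other_ipl_pfds:
        residual *= p
    return min(1.0, tolerable_freq_per_yr / residual)


def meets_target(pfd, sil_target, min_availability=None):
    """SIL band check plus an optional stricter availability floor (e.g. 0.9999)."""
    ok = sil_for_pfd(pfd) >= sil_target
    if min_availability is not None:
        ok = ok and (1.0 - pfd) >= min_availability
    return ok


def max_test_interval(subsystems, target_pfd, lo=0.01, hi=10.0, iters=60):
    """Longest proof-test interval (years) keeping loop PFDavg <= target; PFDavg
    rises monotonically with the interval, so bisection suffices."""
    if loop_pfd(subsystems, lo) > target_pfd:
        return None
    for _ in range(iters):
        mid = (lo + hi) / 2
        if loop_pfd(subsystems, mid) <= target_pfd:
            lo = mid
        else:
            hi = mid
    return lo


# Constructed HIPS loop: (subsystem, architecture, lambda_DU per device in 1/h)
HIPS_LOOP = [
    ("pressure transmitters", "2oo3", 1.0e-6),
    ("logic solver", "1oo2", 1.0e-7),
    ("shutdown valves", "1oo2", 2.0e-6),
]

# Constructed LOPA inputs: ESP started against a closed valve 0.5/yr, one other
# independent layer (BPCS alarm + operator) at PFD 0.1, tolerable 1e-5/yr.
TARGET_PFD = required_sis_pfd(0.5, [0.1], 1e-5)      # 2e-4 -> SIL 3 needed

if __name__ == "__main__":
    print(f"required SIS PFDavg {TARGET_PFD:.1e} -> SIL {sil_for_pfd(TARGET_PFD)}")
    for ti in (1.0, 0.5):
        pfd = loop_pfd(HIPS_LOOP, ti)
        print(f"TI {ti} yr: PFDavg {pfd:.2e}, availability {1 - pfd:.5f}, "
              f"SIL {sil_for_pfd(pfd)}, SIL 3 at 0.9999: {meets_target(pfd, 3, 0.9999)}")
    print(f"max TI for PFDavg <= 1e-4: {max_test_interval(HIPS_LOOP, 1e-4):.2f} yr")
```

With the constructed rates, an annual proof test lands the loop inside the SIL 3 band but short of the 0.9999 availability the report quotes, and halving the test interval brings it within target; the final-element pair dominates the total, which is the usual finding for valve-based HIPS. This is why the test interval and the fault-tree assumptions behind it belong in the approved HIPS package: lengthening the interval through an informal change silently moves the loop out of its SIL.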