Comprehensive design, maintenance keys to HIPS reliability

April 17, 2000
Reducing cost without jeopardizing overall safety of an oil and gas processing facility can be achieved by careful application of state-of-the-art, unconventional design that uses high-integrity protective systems (HIPS).

High-Integrity Protective Systems-1

Reducing cost without jeopardizing overall safety of an oil and gas processing facility can be achieved by careful application of state-of-the-art, unconventional design that uses high-integrity protective systems (HIPS).

These systems are useful for new production schemes as well as for debottlenecking existing plants.

This series of two articles focuses on the importance of a comprehensive design for HIPS installation and the importance of maintenance so that reliability and integrity of protection will not suffer.

This first article gives guidelines for design of HIPS based on Total's experience and suggestions for a successful development of HIPS.

The second article will offer a detailed description of the typical HIPS applications that have been installed for QatarGas and will publish May 8, 2000, in OGJ's Process Control Report.

Alternative protection

High-integrity protective systems came onto the scene in the early 1980s as an alternate means of protection to that presented by API RP14C (Recommended Practice for analysis, design, installation, and testing of basic safety system on offshore production platform).

This document qualifies the protection required on offshore process facilities. Its principles are also used in many onshore projects.

In brief, API RP14C calls for two distinct protective barriers against over pressure.

The first barrier of safety consists of the emergency shutdown (ESD) system, which suppresses or at least mitigates the risk: for example, shutdown of a unit (closure of emergency safety valves, shutdown of the motors) if abnormal and dangerous operating conditions are detected.

Most generally, the second barrier of safety consists of the pressure safety valves (PSVs) that protect the unit against excessive flow rate or pressure and direct the excess flow to a flare or a vent.

A HIPS is an unconventional system that may be installed as the second barrier if installation of PSVs or corresponding flare system is not feasible where very large flow rates are involved.

Alternatively, HIPS may be installed if there is a significant economical incentive.

A HIPS is an instrumented system consisting mainly of one or two sets of several sensors (usually three sensors per set), a redundant solid-state logic in a dedicated HIPS cabinet with the power supplied from a redundant uninterruptible power supply (UPS), associated emergency shutdown valves (ESVs).

To increase the availability of the protective system, a voting of the sensors signals is recommended (two trip signals out of three or one trip signal out of two).

Feasibility, safety, and risk

The primary criterion to be considered for selecting a HIPS is the response time. This time is driven by the sizes of the valves to be closed.

Straightforward calculations, those based on mass balance with no consideration of dynamics, can be used as a first approach. Note that valves with short closure times may be used (for example, piston valves manufactured by Mokveld Valves BV, Gouda, The Netherlands).

At the design stage, a dynamic simulation might be performed to compare and confirm the specified valve closure time with the rate of pressure escalation from, for example, a process upset.

The design of the HIPS depends on the level of risk the operator is ready to accept when protecting a unit. In terms of HIPS design, this level of risk translates to the reliability of the overall protective system.

For most of the early HIPS designs (before the issuance of International Electrotechnical Commission, IEC Code 61508), the reliability target was set by the hazard probability per year (F), which can be explained as follows:

F = P * D

where:

P = Probability of the valve's failure to perform its design function on demand.

D = Rate of demand for the system safely to close (number of demands/year).

Experience has shown the demand rate is difficult to evaluate because it implies consideration of the process control system, of the emergency shutdown system, and, more importantly, of the operating conditions.

Currently, IEC Code 61508 recommends a new approach to be followed based only on the probability of failure of the protective system to perform its design function on demand (probability of failure on demand, PFD).

A safety integrity level (SIL) is defined as the following:

SIL3 = PFD between 1x 10-3 and 1x 10-4

SIL4 = PFD between 1 x 10-4 and 1 x 10-5; etc.

In design of a HIPS, an SIL must be selected following the conclusions of a risk assessment that in turn will refer to the operator's internal criteria for risk assessment.

On QatarGas' North field platform, process equipment is protected against overpressure by a high-integrity protective system (HIPS). Photograph by Marc Roussel, courtesy of TotalFina.
Click here to enlarge image

In general terms, the reliability of the HIPS should be at least equal to or greater than the reliability of a conventional system that uses relief valves. Most generally, the second barrier of safety consists of the pressure safety valves (PSVs) that protect the unit against excessive flow rate or pressure and direct the excess flow to a flare or a vent (Fig. 1).

Click here to enlarge image

A typical target for a HIPS is SIL3 or 4, depending on the site and the specifics of the process system.

Reliability; design

Following preliminary design of a typical HIPS system, the reliability is calculated in an iterative mode. The reliability calculation is performed by a specialist using a fault-tree analysis and is based on the individual reliability of the different components of the system.

Following are the main steps for calculating reliability:

  • Selection of target SIL level (recommended by a risk-assessment study).
  • Establishment of the fault trees, taking into account all the elements of the HIPS instrument loops.
  • Selection of the individual failure rate of the different components since significant discrepancies exist in the databases available.
  • Modification of the HIPS system if required to meet target reliability.

When the reliability target has been set according to company policy, some main design issues should be considered to improve the HIPS reliability:

  • Separate safety system. The HIPS must be totally independent of the unit process-control system and the ESD system except for the ESD valves, for which a solenoid valve dedicated to the HIPS can be installed.

By the same token, dedicated cables to transmit various signals related to the HIPS are required.

  • Common modes of failure. The common modes of failure of the proposed protective system must be identified. They can range from harsh environment to common PLC trip signal.

Designing a separate safety system will usually reduce the common causes of failures, but these should not be ignored. Each common mode of failure must be evaluated and controlled.

  • Testing. The reliability of the HIPS directly depends on the test frequency. Consequently, this frequency should be defined as a part of the reliability calculation, and a proper testing program enforced during operation of the plant to meet the specified test frequency.

The entire HIPS loop must be tested regularly.

All the elements of this loop must be tested and the functionality test of this entire loop shown to be feasible (on line or during shutdown).

In particular, the valve or valves should be able to be tested on line. (Either partial stroking or full by-pass may be required.) The solenoid valves will also be function-tested.

The reliability study should recommend a typical scope for the test of HIPS system.

Project scope

During the course of a project, development of HIPS must progress with the knowledge that faulty design or lack of proper testing could jeopardize human life and industrial assets.

For screening and feasibility studies, the project will concentrate on the possible application of HIPS. Such investigation will be based on the potential cost reduction of applying an unconventional protection system and the response time that can be guess-estimated by straightforward methods.

Requirement for a too-short response time should lead to a rejection of the HIPS application.

At a preproject level, a coarse reliability study or a comparison using similar applications is required as a minimum to confirm that HIPS can be considered for further studies.

Front-end engineering will include a full reliability study, which should confirm that the design as developed is consistent with the target reliability figure.

During detailed engineering, this reliability study must be confirmed using the reliability data of the selected equipment components.

In addition, during detailed engineering, a specific action plan is required and should cover design philosophy, engineering implementation, procurement, inspection and quality assurance-quality control, installation, and operation and maintenance.

This plan should improve the follow-up of the HIPS system within the project.

Company experience

Since the early 1980s, Total Oil Marine in the North Sea has installed several HIPS. As early as 1985, the following offshore and onshore projects were completed:

  • Frigg system: A connection of a subsea pipeline from Alwyn field to the main system that is designed for a lower pressure.
  • MCP 01, an intermediate compression platform: A HIPS was installed to stop the compressors in case of overpressure because conventional protection with a full flow relief valve would not have been feasible on the existing platform.
  • St. Fergus gas terminal: A HIPS was installed downstream of the pressure-letdown station to minimize the risk of lifting the existing relief valves.

Since this era, other HIPS have been installed on different developments, which extended the range of application.

A joint industry project in 1993 led by the SINTEF Group, Trondheim, Norway (the Foundation of Scientific & Industrial Research at the Norwegian Institute of Technology) determined the feasibility of installing subsea HIPS.

The Authors

Click here to enlarge image

Christophe Thomas has been working with TotalFina since 1983 in various design, project, commissioning, and operation activities. He is currently in charge of research and development programs for the valorization of gas within the business development division of TotalFina.

From 1995 until 1997, he managed start-up of the QatarGas LNG facilities. Thomas holds a masters degree in chemical engineering from ENSIC, Nancy, and a post-graduate degree in economics from IFP, France.

Click here to enlarge image

Philippe Bourgeois has been working with TotalFina since 1968. He is a graduate from ENSIC, Nancy, and holds an MSc from Laval University, Quebec.