HIPPS - aisisa

Instrumented Safety Systems
Engineered Valve Systems for
Control and Safety Applications
HIPPS Definition
DINO OLIVIERI
Mokveld Agent
AIS – ISA Giornata di studio HIPPS
Agenda
•
•
•
•
•
Foreword
Definition
Safety Requirement Specification
Reliability Criteria
Reliability Data
slide 3
Foreword
High integrity protection systems (HIPS) and especially
high integrity pressure protection systems (HIPPS) are
an increasingly common feature of oil and gas
facilities worldwide.
They can provide an alternative to conventional
mechanical protective devices (e.g. relief valves) or
reduce the load upon them.
In some cases, they present the only practical option to
facilitate field development and/or expansion.
Mokveld has started HIPPS B.U. in 1972
Definition- HIPS High Integrity Protection System
Within the oil and gas industry, there are various
company-specific definitions as to what constitutes
a HIPS.
According to the ISO/TR 12489 definition, a nonconventional, autonomous, safety instrumented
system with sufficiently high safety integrity to
protect equipment against exceeding the design
parameters is considered a HIPS
Definition- HIPS High Integrity Protection System
Examples:
- Deviations from industry standards describing
mechanical protection systems (e.g. ISO 23251 =
API Standard 521, ISO 10418, API RP 14C) are
treated as HIPS
- An ultimate protection relying principally, but not
necessary solely, on Safety Instrumented Systems
(SIS) is qualified as HIPS, irrespective of its
required Safety Integrity Level (SIL).
Definition- HIPS High Integrity Protection System
Examples:
- a final protection layer comprising a combination
of partial mechanical and instrumented protective
function
- an instrumented protection layer having an
integrity requirement of SIL 3 or more
- an instrumented protection layer where the
consequence of non-operation is major to
catastrophic or disastrous
Definition- HIPPS High Integrity Pressure
Protection System
ISO/TR 12489 also defines HIPPS or OPPS as, “a
HIPS exclusively devoted to protection against
overpressure”.
Definition- HIPPS - summary
Safety Instrumented System (SIS -IEC61508-61511)
Autonomous
Final, instrumented protection layer
Dedicated to protect equipment from overpressure
by isolating the pressure source
Definition- HIPPS – SYSTEM
Instrumented protection systems rely on instruments
to provide a safety function for a given process.
Such a function is performed by a Safety Loop
consisting of one or more initiators (eg. Switches
or transmitters), a logic solver (eg. a Safety Rated
PLC) and final elements (eg. relays or valves).
Typical safety
Loop
Definition- HIPPS – INDEPENDENT LAYER
HIPPS
INSTRUMENTED ESD
Second Safety Layer
First Safety Layer
ALARMS
CONTROL
SYSTEM
PROCESS
Levels of Defense
API RP requires 2 independent safety layers
Definition- HIPPS – RISK PROTECTION
ACTUAL
REMAINING RISK
Risk with the addition of
other risk reduction
facilities and SIS
TOLERABLE
RISK
INTERMEDIATE
RISK
Risk with the addition
of other risk reduction
facilities
INITIAL RISK
Risk without the
addition of any
protective features
Conceptual Process Design
NECESSARY MINIMUM RISK REDUCTION
ACTUAL RISK REDUCTION
PARTIAL RISK
COVERED BY
SAFETY
INSTRUMENTED
SYSTEM
PARTIAL RISK COVERED BY:
- OTHER TECHNOLOGY
- EXTERNAL RISK REDUCTION
FACTORS
RISK REDUCTION ACHIEVED BY ALL SAFETY RELATED
SYSTEMS AND EXTERNAL RISK REDUCTION FACILITIES
Apply Non-SIS Layers
Apply SIS Layers
Determination
of Tolerable
Risk according
IEC 61508
Definition- HIPPS – PROCESS DESIGN
ESD
1500#
900#
“Conventional”
API RP14C
NO PROTECTION
DESIGN PRESSURE = CLOSED IN TUBING HEAD
PRESSURE
DESIGN PRESSURE < CLOSED IN TUBING HEAD
PRESSURE
SRV SIZED FOR TOTAL WELL CAPACITY
DESIGN PRESSURE < CLOSED IN TUBING HEAD
PRESSURE
HIPPS
ESD
1500#
Well trip
900#
HYBRID
SRV SIZED FOR ONE WELL CAPACITY
ESD
1500#
SIS
900#
Definition- HIPPS – WHY?
Reduction of the plant risk profile (insurance)
Reduction of Flare System and Piping Size
(or increase process system capacity without modifying flare system)
Regulations issues
Elimination of Separate Platform
Reduction in Weight
Environmental factors for IOCS
- no flaring
- reduced emissions
- perception of public
Production Separator with PSV
API Recommended Practice 14C
ESD system closes SDV on high
pressure
Full flow SRV
Gas out
PT
T
Wellhead
Separation
Wing valve
Unit SDV
Choke
ANSI 1500
•The outlet of the separator blocks,
•The choke does not close,
•The Unit SDV does not close,
•The SRV is sized for full flow of the well
ANSI 600
Liquid out
slide 15
Production Separator with HIPPS
Voting logic: closes final elements
in case of high pressure at 2oo3 PT
Small thermal SRV
Gas out
PT
PT
PT
Wellhead
Separation
Wing valve
Final elements
Choke
ANSI 1500
Initiators
ANSI 600
Liquid out
•The outlet of the separator blocks,
•The choke does not close,
•The SRV is sized for thermal relief / leakage only,
•The HIPPS SHALL close is 2 seconds to avoid overpressure in the separator.
slide 16
Design and Hardware considerations
Shorter stroking times allow tighter design pressures
Dynamic simulation is strongly recommended
System operation (valve closing) may not be fast enough
so the solution may be inadequate (check SRS!)
92.2
MAOP
90.00
85.00
83.7
MAOP
2.1 barg
81.6
PHIPPS set point
80.00
75.00
POPERATING
70.00
65.00
0.00
15.0
2.00
4.00
6.00
8.00
10.00
12.00
14.00
16.00
17.0
18.00
11.3 barg
85.00
80.9
80.00
PHIPPS set point
75.00
POPERATING
70.00
65.00
0.00
24.3
14.3
5.00
10.00
15.00
20.00
Time [sec]
Time [sec]
2 seconds
2 seconds
Pressure in Protected Volum e [bara]
Pressure in Protected Volume [bara
90.00
10 seconds
10 seconds
25.00
30.00
HIPPS - General recommendations
Safety Requirements Specification
HIPPS functions should be defined independently of
other safety systems in a specific HIPPS Safety
Requirements Specification (SRS), normally
produced by the end user.
This should consider the complete system
comprising sensing element(s), logic solver and
final element(s). The HIPPS should be developed
and implemented in a similarly complete system
manner.
HIPPS - General recommendations
IEC 61511 part 1: performance requirements relating
to:
- Functionality
- Availability
- Survivability
- Interdependencies
HIPPS - General recommendations
Additional common requirements:
• HIPPS should execute all safety functions in
automatic mode.
• HIPPS should be autonomous, with dedicated
sensors, logic and final elements.
• HIPPS should be a physically segregated
system, interfaced with the facility automation
system for monitoring only. Any communications
with HIPPS should not be able to impede or
override the safety function(s).
HIPPS - General recommendations
Additional common requirements:
• HIPPS should be designed according to fail-tosafe principles.
• Resetting should not be possible without a clear
understanding of the initiating cause and/or fault
(eg. Manual reset on SOVs)
• Signals between sensors, logic solver and final
elements should be hardwired.
HIPPS - General recommendations
Additional common requirements:
• HIPPS design should define and include
allowance for test and maintenance activities.
Bypass functions should be avoided. When
required, bypass functions should be subject to a
thorough assessment of the risk and
consequences for system integrity.
• HIPPS packages should be designated as ‘high’
focus with respect to quality management
HIPPS - General recommendations
Additional common requirements:
• HIPPS design should consider the full safety life
cycle.
Probability of Failure on Demand
Single Mokveld configuration
•
•
As component age the probability of
failure increases.
The component(s) lifetime
depends on the test frequency and
ability to detect dangerous failure
Less reliable systems will therefore
require higher test frequencies to
suit same SIL requirement!
Probability [-]
•
1,E-03
1,E-04
1,E-05
0
1
2
3
Proof Test Interval [hours104]
4
HIPPS - Reliability Criteria
HIPPS components, including sensors, logic solver
and final elements should each be designed as
fail-safe (i.e. failure of any component/
sensor/logic solver/power supply/motive fluids
moves final elements to the safe state).
HIPPS - Reliability Criteria
IEC 61511
SIL
assessment
PDFavg or
failure rate
HIPPS
SRS
HIPPS components or sub-systems are then
selected such that the overall integrity (SIL) target
of the HIPPS Safety Instrumented Function (SIF)
is achieved.
PFDsis = PFDI + PFDLS + PFDSOV + PFDSDV
Risk graph based on HAZOP defines SIL
CA
PA
CB
Start
CC
CD
FA
PB
FB
PA
FA
PB
FB
PA
FA
PB
FB
PA
PB
W3
W2
W1
a
0
0
1
a
0
2
1
a
3
2
1
4
3
2
b
4
3
C = Consequence parameter
CA = Minor injury
CB = Serious injury to one or more, death to one
CC = Death to several people
CD = Very many people killed
F = Frequency of exposure parameter
FA = Rare to more often exposure
FB = Frequently to continuously
P = Possibility of escape
PA = Possible under certain conditions
PB = Almost impossible
W= Likelihood of event
W1 = a relatively slight probability
W2 = a relatively medium probability
W3 = a relatively high probability
SIL required defines the design of safety loop
Safety Integrity
Level
Probability of Failure on
Demand
Risk Reduction Factor
SIL
PFD
RRF
0
No safety requirements (at all)
a
No special safety requirements (e.g. only a procedure)
1
≥10-2 to <10-1
> 10 to ≤ 100
2
≥10-3 to <10-2
> 100 to ≤ 1.000
3
≥10-4 to <10-3
> 1.000 to ≤ 10.000
4
≥10-5 to <10-4
> 10.000 or better
b
A single safety system is not sufficient (even with redundant components)
Fault tree analyses HIPPS
MOKVELD HIPPS
PFD 3,65x10-4
CCF: SOL’s
1,0x10-4
1oo2
PROSAFE
Controller (AK7)
PFD 5x10-7
CCF: PT’s
2,7x10-5
PFD for combination
of 2 sequential FE’s
5,5x10-6
PFD for 2oo3
Voting PT
2,2x10-7
2oo3
PFD 2nd FE
2,3x10-3
PFD 1st FE
2,3x10-3
1st FE
PFD
2,7x10-4
PFD
Final Element
2,3x10-3
1oo2
1,0x10-6
PFD
Solenoid
1,0x10-3
PFD
Solenoid
1,0x10-3
PFD
2,7x10-4
PT1
FAILS
1oo2
1,0x10-6
PFD
Solenoid
1,0x10-3
PT1 &
PT3
FAILS
PT1 &
PT2
FAILS
2nd FE
PFD
Final Element
2,3x10-3
PFD
Solenoid
1,0x10-3
CCF: FE’s
2,3x10-4
PFD PT1
1,3x10-4
PFD
2,7x10-4
PFD
Input card 1
1,4x10-4
PFD PT1
1,3x10-4
PFD
Input card 2
1,4x10-4
PFD
2,7x10-4
PT1
FAILS
PT2
FAILS
PFD TF2
1,3x10-4
PT2 &
PT3
FAILS
PFD
2,7x10-4
PT3
FAILS
PFD PT3
1,3x10-4
PFD
Input card 1
1,4x10-4
PT2
FAILS
PFD PT2
1,3x10-4
PFD
Input card 3
1,4x10-4
PFD
2,7x10-4
PT3
FAILS
PFD PT3
1,3x10-4
PFD
Input card 2
1,4x10-4
PFD
Input card 3
1,4x10-4
HIPPS - Reliability Data
The HIPPS operator should approve the reliability data
utilized to demonstrate the integrity achieved by the
HIPPS. Reliability data sources include, in order of
preference:
1. Field data – but only where the quantity collected is sufficient
to be considered statistically significant
See 7.4.10.4 : A proven in use safety justification shall be
documented that the element supports the required safety
function with the required systematic safety integrity. This shall
include: the suitability analysis and testing of the element for the
intended application and the demonstration of equivalence
between the intended operation and the previous operation
experience, including the impact analysis on the differences
Database filled since 70‘s
Each after-sales related action entered in database
Introduction into HIPPS E L2 R0
slide 30
HIPPS - Reliability Data
2. Databases/reference handbooks– The data selection
3.
4.
process should consider similar service and environmental
conditions, and maintenance regimes (OREDA3, PDS Data
Handbook4, SINTEF5)
Failure Mode and Effect Analysis (FMEA) reports
Vendor data
PFD / SIL of complete safety loop to be verified
• Architecture to be verified
• Failure rates shall be dependable or “proven in use”:
•
• Based on field experience in same application
• For same stroking time (< 2 sec.)
Integrated FAT & SAT
Voting logic: closes final elements
in case of high pressure at 2oo3 PT
Small thermal SRV
Gas out
PT
PT
PT
Wellhead
Separation
Wing valve
Final elements
Choke
ANSI 1500
Initiators
ANSI 600
Liquid out
Example in Europe
Location
Specs
: Gasunie Netherlands BBL Balgzand pipeline
: 2 x 1oo2 Electronic HIPPS protecting ANSI 600 control
valves against pressure from ANSI 900 compressor
Introduction into HIPPS E L2 R0
slide 35
Example in Europe
Location
Specs
: NAM Netherlands mobile production unit
: 1oo2 Mechanical HIPPS protecting ANSI 900
pipeline against pressure from ANSI 2500 wellhead
Introduction into HIPPS E L2 R0
slide 36
Example in Europe
Location
Specs
: Dong Denmark Nybro
: 1oo2 Electronic HIPPS protecting ANSI 600 onshore
installation against pressure from ANSI 900 pipeline
Introduction into HIPPS E L2 R0
slide 37
Example in Europe
Location
Specs
: Statoil Germany Zeepipe landfall
: 1oo2 Mechanical HIPPS protecting ANSI 600 onshore
installation against pressure from ANSI 900 pipeline
Introduction into HIPPS E L2 R0
slide 38
We thank you for your attention