Unclassified
BG Group Standard
High Integrity Protection Systems (HIPS)
BG-ST-ENG-PROC-012
Document and Version Control

Version | Author | Issue Date | Revision Detail
01 | T. Arnold | 09 November 2007 | Issued for use
01a | T. Arnold | 10 March 2008 | Updated/Issued for use
02 | W Dunning | 31 March 2008 | Revised and re-issued
02a | W Dunning | 13 November 2008 | Approvers changed
3.0 | T. Arnold | 01 January 2011 | Revised with Subsea HIPS included and to reflect updated Standards template. Revisions detailed in Appendix D
3.1 | HSSE Assurance Manager (Antony Mullin) | 05 March 2012 | Changed to unclassified
2 of 63 Doc Ref: BG-ST-ENG-PROC-012 Author: T Arnold Version: 3.1 (05 March 2012) BG Group 2012
Contents

1.0 Executive Summary 5
2.0 Ownership 6
3.0 Objectives 6
4.0 Scope and Application 7
5.0 Links to Other Controls 8
6.0 Standard Requirements 9
7.0 Why do we need HIPS? 10
8.0 Relief / HIPS Selection 11
8.1 Code Provisions 11
8.2 HIPS Selection in BG 12
9.0 HIPS Justification and Design 14
9.1 Basis for HIPS Design 14
9.2 Analysis Requirements 14
9.3 HIPS Configurations 16
9.4 Hazard Analysis 24
9.5 Safety Integrity Level (SIL) Targeting 25
9.6 Reliability Analysis 30
9.7 Functional Performance Requirements (Dynamic Analysis) 33
9.8 HIPS Valve Leakage 36
9.9 Diagnostic Capability 36
9.10 Common Cause Failures 37
9.11 Performance Standards 37
9.12 HIPS Dossier 39
9.13 HIPS Commissioning 39
9.14 Testing Requirements 40
9.15 Third Party Verification 42
10.0 Subsea HIPS 48
10.1 The Case for Subsea HIPS 48
10.2 Subsea HIPS Requirements 48
11.0 HIPS Operation and Maintenance 56
11.1 Training and Competence 56
11.2 Maintenance 56
11.3 Change Management 56
12.0 Appendices 59
12.1 Appendix A – Definitions / Abbreviations 59
12.2 Appendix B – Units 60
12.3 Appendix C – Referenced / Associated Documents 61
12.4 Appendix D – Revision Record 61
1.0 Executive Summary

This document sets out mandatory requirements for the adoption and design of high integrity protection systems (HIPS) for prevention of overpressure or unsafe excursions of other process variables such as temperature, level, composition etc. This document applies to the design and operation of new “green field” facilities and “brown field” modifications. Existing HIPS arrangements shall also be reviewed against this standard.

This Standard defines the minimum requirements for conducting the activities covered by this Standard within BG Group. The controls within the framework set the requirements for how BG Group must operate to achieve compliance with its Business Principles. Application of the Internal Control Framework is mandatory and this Standard details the implementation requirements which must be followed. Breach of BG Group mandatory controls by those to whom they apply may result in disciplinary action, up to and including dismissal.
2.0 Ownership

Owning Function | Standard owner | Expert advisor | Dispensation
Engineering | Head of Engineering | Phil Tudhope | Head of Engineering
3.0 Objectives

This document sets out the mandatory Company requirements for the adoption and design of High Integrity Protection Systems (HIPS) for offshore and onshore assets for both new “green field” developments and “brown field” modifications. The document is also intended to provide guidance on the application of safety instrumented systems (i.e. HIPS) as an alternative to conventional relief protection and to identify the mandatory steps necessary to justify and support such a selection. The main focus of this document relates to the use of HIPS for prevention of overpressure but the general principles within this document also apply to the use of HIPS for prevention of unsafe excursions of other process variables such as temperature, level, composition etc. Whilst this document provides general guidance as to design and specification aspects of HIPS, it is not the intent to provide detailed design requirements for such systems – these are encompassed in the referenced industry codes. This standard is deemed necessary for the following reasons:
● So as to provide a consistent basis across BG assets for establishing when HIPS may reasonably be adopted as a viable alternative to conventional relief or to inherently safe design;
● For ensuring that appropriate factors are considered in the analysis and selection phases;
● For ensuring that appropriate calculations are conducted to confirm the required performance targets for the HIPS and that these are achieved;
● To identify the steps and documentation required in order to justify and support adoption of such systems;
● To incorporate lessons learned and to avoid some of the mistakes made with HIPS historically within BG and within the industry as a whole.

This document applies to the following facilities:
● Onshore and offshore gathering and processing facilities from downstream of the wellhead Christmas tree wing valve to the export or sales battery limit or boundary;
● Onshore and offshore pipelines (including flowlines);
● LNG liquefaction, export and import facilities;
● Temporary plant and piping.

Whilst the principles within this standard are applicable for the transmission and distribution business segment, the Institute of Gas Engineers Recommendations on Transmission and Distribution Practice, “Pressure regulating installations for transmission and distribution systems”, IGE/TD/13 code is the generally recognised standard for the design of pressure letdown stations and overpressure protection within this sector and this is considered accepted practice in place of this standard. The use of this standard in such applications is considered optional [12].
Drilling and well completion equipment is excluded from the scope of this document. The range of Business segments and Value Funnel lifecycle stages to which this Standard applies are identified below:
4.0 Scope and Application

A High Integrity Protection System (HIPS) is a safety instrumented system (SIS) designed to prevent an unsafe condition from arising. This usually relates to excess pressure but HIPS may also act to prevent high/low temperature, high/low level, high / low composition (e.g. concentration of a component) and so on. In the case of over-pressure protection, HIPS is applied where the plant or system is not fully rated to the pressures to which it might be exposed in a mal-operation, shutdown or fault condition and either there are no mechanical protective systems (e.g. bursting disc, relief valve) to prevent overpressure and potential loss of containment or, whilst these systems are present, they are inadequate alone to prevent loss of containment in certain reasonably foreseeable circumstances (e.g. they are not sized for the worst case).

HIPS typically sense attainment of a critical value for the relevant process parameter (e.g. high pressure) and act via a logic solver to take actions to prevent this value rising (e.g. in the case of pressure) further towards an unsafe condition (e.g. exceeding design pressure) by isolating flow, tripping pumps, compressor or whatever is appropriate for the particular application. A HIPS will therefore typically involve field instruments (e.g. sensors), logic solver, final control elements (e.g. valves), power supply as well as associated inspection, testing and maintenance procedures (although it could be configured for field sensors to act directly on final elements). The boundaries of HIPS incorporate all aspects from the sensor to the final element.

Whilst safety instrumented systems (SIS) are applied widely in the onshore and offshore sectors (e.g. the usual suite of process trips deployed in accordance with API RP 14C or BS EN ISO 10418), “high integrity” in this context relates specifically to those safety instrumented systems (SIS) that would typically require a higher degree of integrity as they replace the protection otherwise provided by relief valves (see Section 7.0). Although for simplicity this standard refers throughout to generic HIPS, some industry references may describe a High Integrity Pressure Protection System (HIPPS) or an Over Pressure Protection System (OPPS). Whilst specifically referring to a system protecting against overpressure, this is identical to a HIPS. The designation HIPS is used throughout this standard.
The remainder of the document refers to HIPS primarily in the context of over-pressure protection as an example, although the same principles apply to HIPS for temperature, level, composition and so on.
5.0 Links to Other Controls

Governing Policies:
● Governance & Stewardship

Complementary and linked Standards:
● Relief, Blowdown and Flaring (BGA-ENG-PROC-TS-0003)

Supporting Guidelines:
● Specifying and Achieving Functional Safety [3], BGA-ENG-INST-GL-0002

Other Supporting Documents:
6.0 Standard Requirements

Company requirement for the design of relief, blowdown and flaring systems is set out in the BG Standard Relief, Blowdown and Flaring [2], BGA-ENG-PROC-TS-0003 and, except where noted otherwise in that standard, is to follow the latest versions of:
● API STD 520 part 1 and API RP part 2 (Relief)
● API STD 521 (Relief and Disposal Systems)
● API STD 526 (PSVs)
● API RP 14C (Offshore)
● API RP 170 (Recommended Practice for Subsea High Integrity Pressure Protection Systems (HIPPS))
● API STD 2000 (Tank Venting)
● EN 1473 (European LNG Facilities)
● NFPA 59A (LNG Facilities where EN 1473 is not used)
● ASME VIII (Pressure Vessels), particularly Code Case 2211-1
● ASME B31.3 (Facility Piping)
● ASME B31.4 (Liquid Pipelines)
● ASME B31.8 (Gas Pipelines)
● BS EN ISO 10418 (Basic Surface Process Safety Systems)
● BS PD 5500 (Pressure Vessels)
● PED 97/23/EC (Pressure Equipment)
● IGE TD codes (Transmission & Distribution)
● DIN 3381 (Safety Devices for Gas Systems)
● IP Guidelines for the Safe and Optimum Design of Hydrocarbon Relief and Blowdown Systems (ISBN 0 85293 287 1)

The above mentioned BG Standard makes reference to the choice between relief and HIPS and provides high level guidance in this respect. This document provides more detailed Company requirements for determining when HIPS is appropriate and the steps required to then specify, design and implement a HIPS based design.

Company requirement for ensuring the functional safety of all safety instrumented systems (SIS) is set out in the BG Guideline Specifying and Achieving Functional Safety [3], BGA-ENG-INST-GL-0002. This provides guidance in achieving compliance with the following international standards pertinent to the specification of HIPS designs:
● BS IEC 61508 – Functional safety of electrical/electronic/programmable electronic safety-related systems;
● BS IEC 61511 – Functional safety – safety instrumented systems for the process industry sector.
Company wishes to make it clear it regards the API standards and recommended practices and BS IEC standards mentioned above as mandatory, except where noted in this Standard. These are not merely recommended practices which a Project or Contractor can elect to follow or not. Company also has a number of deviations and supplementary requirements applicable to the above industry recognised practices which are documented in this Standard. Deviations within this Standard are where the Company believes an alternative approach is more appropriate and achieves at least the same level of safety and good practice or better. Deviations have also been added where the Company has learned specific lessons from past developments or operations.
Supplementary measures within this Standard are those which either build on the principles contained in industry practices above or aim to fill in gaps not covered by them.
7.0 Why do we need HIPS?

Typical industry standards from the American Petroleum Institute (API) and American Society of Mechanical Engineers (ASME) provide criteria for the design and protection of vessels and equipment from rupture or damage caused by excess pressure. In conventional design, pressure relief devices such as pressure relief valves (PRV) or pressure safety valves (PSV) are used as the principal means of pressure protection. The design of each pressure relief device is based on an assessment of the overpressure scenarios, caused by events such as blocked discharge, HP / LP breakthrough, loss of cooling or power supply, fire and so forth. Conventional pressure relief system design, including relief header and vent or flare sizing, does not examine the reduction in potential loading due to hazard mitigation provided by operator response to alarms or the initiation of instrumented protection systems, including basic process control systems or safety instrumented systems (SIS).

However, in some applications, the use of conventional pressure relief valves is either impracticable or may not be suitable. This is particularly the case for reactive applications but may also apply in situations common within the oil and gas industry, such as:
● Chemical reactions so fast that the rate of pressure propagation could result in loss of containment prior to the relief device opening;
● Chemical reactions so fast or generating uncontrollable rates so as to result in impracticably large design requirements for vent or flare systems;
● Instances where plugging or deposition in relief devices may hinder effective operation (and where bursting discs may be more appropriate);
● Multi-phase venting where the vent rate is difficult to predict;
● Where a pressure relief device creates additional hazards due to its vent location;
● Where the HP / LP breakthrough relief load through a PCV may be much higher than normal throughput and result in an unfeasibly large relief system design (e.g. the receiving end of a gas / liquid pipeline);
● Where modifications to existing facilities create new potential relief loads beyond the practical capacity of existing relief systems, e.g. tieback of additional production systems (flowline / pipeline) such as above;
● For subsea tiebacks where it is either impracticable or too costly to fully rate pipelines back to a host facility.
In applications such as these, the installation of pressure relief devices may provide limited risk reduction, not be the optimal solution or be completely impracticable. Other methods of preventing overpressure may be necessary in these instances in order to achieve a practicable, measurable risk reduction. This standard deals with the adoption of high integrity protection systems (HIPS) as one such method. There are five principal uses for HIPS:
● To eliminate a particular relief sizing scenario from the design basis;
● To eliminate a particular relief device;
● To provide system overpressure protection where a relief device is ineffective or is impracticable;
● To reduce the probability that several relief devices will have to operate simultaneously, thereby allowing a reduction in the size of the disposal system;
● To reduce the demand rate on a relief device and consequently the risk.
Commentary: HIPS are most commonly applied at HP / LP interfaces to avoid having to design relief systems for full flow in a blocked outlet condition or loss of interface control. In such cases they act by sensing high pressure and subsequently isolating in-flow from wells, pipeline etc., or closing liquid outlets to prevent gas blowby. However, HIPS are not limited to overpressure protection, at least not directly. HIPS may act to prevent other parameters reaching beyond the design envelope, such as:
● High or low temperature exceeding design due to upstream cooler maloperation / failure, excessive Joule-Thomson effect, high heater temperature etc.;
● High level in a vessel which could lead to excess pressure (in liquid dominated systems, detection of rising level may be more effective at preventing ultimate overpressure than relying on high pressure detection due to the respective response times / rate of change) or high level in a vessel or tank where the consequence of liquid overflowing would be severe;
● Low level in a vessel that could lead to loss of level and high pressure gas blowby to a lower pressure system (level HIPS in this context might replace gas blowby relief on the downstream system where the latter is considered impracticable for good reason);
● High concentration of a key contaminant like H2S, H2O etc.

Notwithstanding the above, adoption of HIPS should only be considered if either protection by inherent design or conventional relief is impracticable or HIPS offers a substantial benefit over relief – refer to Section 8.0.
8.0 Relief / HIPS Selection

8.1 Code Provisions

Although the typical industry standards and codes (refer to Section 6.0) primarily cover the provision and design of relief systems to protect against overpressure, these codes do make allowances for the possible use of alternatives to relief valves such as instrumented protection systems. Where used, such an instrumented system shall meet or exceed the protection that would be provided by a suitable pressure relief device.

API STD 521

Although API STD 521 provides guidance primarily on the design of relief systems to protect against overpressure, the Fifth Edition (Addendum, May 2008) allows consideration of instrumented systems for protecting against overpressure or reducing the probability of an overpressure event to such a low level that it is no longer considered to be a credible case. This standard notes that whilst instrumented systems or HIPS can be designed to achieve a level of availability equal to or greater than a mechanical relief device, a great deal of caution and due consideration should be applied to selection of HIPS solutions given the special procedures necessary within the design process and particular attention required during operational life to maintenance, testing and inspection of these systems.

ASME Section VIII / Code Case 2211-1

Similar allowances are made within the ASME Section VIII, Division 1 and 2 code, which until 1996 required the use of pressure relief devices for pressure vessels. The subsequent approval of Code Case 2211 (August 1996) and 2211-1 (1999) indicate conditions under which overpressure protection (against some overpressure hazards) may be provided by a safety instrumented system (SIS) instead of a pressure relief device.
Code Case 2211-1 allows a vessel to be protected against overpressure by system design rather than a mechanical relief valve under the following conditions:
● The vessel or equipment is not exclusively in air, water or steam service;
● The decision to utilize overpressure protection by system design is the responsibility of the user (the manufacturer being responsible only for verifying that the user has specified overpressure protection by system design and listing Code Case 2211-1 on the data report);
● The user shall ensure that the maximum allowable working pressure (MAWP) of the vessel or equipment is higher than the highest pressure that can reasonably be achieved by the system;
● A quantitative or qualitative risk analysis of the proposed system must be made by addressing credible overpressure scenarios, demonstrating system independence from the potential causes of overpressure and confirming capability for mitigating the overpressure event;
● The analysis must be fully documented.
API RP 170

API RP 170 covers recommended practice for the application of subsea HIPS, although many aspects of this will be applicable to any HIPS design. Reference should be made to Section 10 – Subsea HIPS of this standard with regard to subsea HIPS requirements.

IP Guidelines for the Safe and Optimum Design of Hydrocarbon Pressure Relief and Blowdown Systems

The Institute of Petroleum guidance on the design of pressure relief systems also allows instrumented protection systems to be used to eliminate or reduce a relief load when such a load would be excessively large. This guidance stipulates that any such HIPS should be at least as reliable as the relief valve which it is effectively replacing. Importantly, the guidance also indicates that it is not unusual to find HIPS installed to a level of reliability which is typically a factor of 10 greater than a relief valve, this being intended to cover the differences in failure mode associated with the two systems, e.g. a relief valve failing open still offers some protection whereas when a HIPS has failed to function it provides no protection. Fire relief shall always be provided by relief valve.

8.2 HIPS Selection in BG

Reference should also be made to the BG Standard for Relief, Blowdown and Flaring (BGA-ENG-PROC-TS-0003) [2] regarding the choice between relief and HIPS. The use of HIPS for any particular application has both advantages and disadvantages. Therefore, for a given case, it is necessary to weigh the risk versus the benefit and make a well considered, informed decision as to whether HIPS is the best option. In line with the requirements of the referenced industry standard codes and recommended practices as above, HIPS is considered a viable and workable alternative to relief but it shall only be applied where it can be demonstrated there is a clear life cycle advantage over a conventional relief system. Demonstration of this shall evaluate environmental differences as well as safety, e.g. HIPS may prevent a release compared to a relief. Instances where HIPS may be justified are described above, but there are also situations where HIPS may be difficult to justify:
● Where a system ties into a relief / flare system which already has adequate relief capacity set by other reasons to cope with the additional load and where there is little environmental benefit;
● Where it is difficult to provide the ongoing skilled maintenance and testing required for an instrumented system (lack of resources, suitable skills, inaccessible locations inconsistent with the required testing and maintenance frequency etc.);
● Where required HIPS valve closure times are extremely short and difficult or impossible to achieve (e.g. for the valve sizes required);
● Where a “proliferation” of HIPS is proposed as a way of avoiding reasonable relief system design capacity.
The use of HIPS shall be in moderation. Proliferation of HIPS arrangements on an installation shall be avoided in services that might be termed “routine relief cases” and readily accommodated using a PSV. For gas transmission and distribution systems, pressure reduction and relief systems designed in accordance with the Institute of Gas Engineers Recommendations on Transmission and Distribution Practice, “Pressure regulating installations for transmission and distribution systems”, IGE/TD/13 12 is acceptable in place of the requirements in this standard. Where consideration is given to the adoption of an instrumented protection system, a number of steps shall be followed to develop and document a full justification for its selection and design. An outline of requirements in this respect is detailed in the following sections within this standard. API RP 14C It should be noted that whilst API RP 14C is strictly applicable for offshore production platforms, BG requires that the layers of protection principles embedded in this code (as well as in BS IEC 61511) shall be applied across all BG projects, whether off or onshore. API RP 14C stipulates that the safety system should provide two levels of protection (primary and secondary) to prevent or minimize the effects of an equipment failure within the process and that the two levels of protection should be independent of and in addition to the control devices used in normal process operation. Where HIPS is applied as the secondary level of protection (usually in place of a PSV, or to reduce the sizing load on such a PSV), this does not mean that the primary protection (such as an ESD system activated pressure trip) can be deleted. Both primary and secondary protection systems shall be provided where necessary in accordance with API RP 14C. Commentary: The UK / European standard BS EN ISO 10418 effectively replicates the principles of API RP 14C and applies equally.
It is important to recognise that, consistent with the principles of API RP 14C / BS EN ISO 10418 and the provision of layers of protection, the HIPS shall be able to prevent the unsafe condition arising without any other protective system (e.g. ESD) operating. In a similar manner, these other protective systems (e.g. ESD) shall also be able to prevent the unsafe condition arising without the HIPS operating. Ideally, the lower level of protection (e.g. ESD) should operate such that the process excursion does not increase to the point at which the second level of protection (e.g. HIPS) is triggered. This document describes HIPS requirements pertinent to both surface (offshore or onshore) and subsea facilities. Sections 8, 9 and 11 describe general requirements applicable to all HIPS. Requirements specific to subsea HIPS are described in Section 10.
9.0 HIPS Justification and Design

9.1 Basis for HIPS Design
In accordance with both the intent implicit or stated within the referenced industry codes/standards and general industry best practice, HIPS shall be designed to have a probability of failure on demand as good as or better than that of a comparable relief system. Any safety instrumented system (SIS) or HIPS installed as an alternative to conventional relief (i.e. mechanical protection) shall achieve a default integrity standard of SIL 3, i.e. the achieved probability of failure on demand (PFD) of any HIPS shall in all cases be lower than 1 x 10^-3. Adoption of a less stringent integrity standard shall only be considered where this is established on the basis of BS IEC 61508 / IEC 61511 and where it can be fully justified through quantified risk analysis as meeting both the Company maximum tolerable risk target (refer to Section 9.5.2) and As Low as Reasonably Practicable (ALARP) criteria (refer to Section 9.5.3). In complying with the spirit of API RP 14C (or BS EN ISO 10418), the HIPS shall provide a totally independent layer of protection from other mitigations such as ESD and should primarily be assessed in that context, i.e. whilst other mitigations may be considered as a means of achieving a viable SIL target, they should not be used to justify adoption of a target that falls short of that offered by the completely independent mechanical protection that the HIPS is replacing, e.g. the relief valve. All proposals to implement HIPS with integrity requirements of less than SIL 3 (PFD equal to or greater than 1 x 10^-3) shall require review by, and a dispensation to be approved in advance of implementation from, BG Advance Engineering.
Commentary: With reference to the discussions on the reliability of relief valves (Section 9.6.1, in terms of probability of failure on demand) and on the corresponding Safety Integrity Level (SIL) targeting (Section 9.5, also reflecting probability of failure on demand), HIPS would be designed to meet either a SIL 2 or SIL 3 requirement, depending on the type of relief valve. However, it should be recognised that a relief valve that fails to operate at the set pressure (but whose failure is nevertheless captured in overall “failure rate” data) may still operate at a higher pressure, and so continue to provide some level of overpressure protection. In contrast, a HIPS failure is more likely to represent a total loss of overpressure protection, i.e. it has less diversity than the relief valve. The failure to open on demand uncertainty for relief valves coupled with the difference in the failure modes prompts many in the industry to stipulate a level of reliability for HIPS one order of magnitude better than that of a relief valve. As such, the vast majority of industry users set a SIL 3 target for HIPS.

Commentary: Note also that some HIPS (e.g. the integral Mokveld system described in Section 9.6.3, which is purely hydraulic) do not attract a SIL target as would a safety instrumented system, but merely a PFD, i.e. probability of failure on demand.

9.2 Analysis Requirements
Any project considering the adoption of a HIPS solution for a potential overpressure scenario shall undertake a comprehensive analysis that supports and justifies the selection of HIPS over conventional relief for overpressure protection. The analysis shall also support the HIPS configuration, design and performance requirements necessary to achieve the system protection.
Justification for a HIPS solution shall give due consideration to all pertinent factors, including safety and environmental as well as life cycle cost (e.g. the HIPS solution being cheaper to implement). At a high level, consideration shall be given to the following aspects in analysing potential HIPS applications:
● Why is HIPS appropriate in this instance, and why is conventional relief inappropriate?
● Can existing systems accommodate an additional or new relief flow, and would it be practical to modify them to do so?
● Are there significant environmental factors / benefits to be taken into account in favour of HIPS?
● Are the systems available and resources / skills at hand to implement and maintain the HIPS?
● What potential configurations are feasible for the HIPS?
● Is it appropriate to rely on a combination of instrumented protection and conventional relief (e.g. in analysing the reliability of the instrumented system, one or more wells not being satisfactorily isolated may be tolerated by virtue of relief protection being provided for the maximum flow from these one or two wells, thereby not requiring relief sizing for the full facility throughput from all wells)?
● A hazard analysis shall be implemented to systematically examine the overpressure scenarios and the combinations of equipment and / or controls failures which may lead to hazards;
● Viable HIPS configurations and / or HIPS / relief combinations should be developed;
● Both functional and integrity requirements for each HIPS should be established;
● Quantified risk analysis shall be conducted for the proposed protection system configuration(s) to establish overall probabilities of failure on demand;
● Option selection can then reflect those permutations that meet the target reliability requirements derived from BG tolerable risk criteria and set safety integrity level (SIL) targets for the system;
● A check should be made to ensure that environmental, economic or reputational loss factors do not merit a more onerous SIL target for the system;
● The overall system to be protected by the HIPS shall be dynamically modelled in order to establish the speed of response necessary (e.g. sensing element response, valve closure time etc.) in order to prevent overpressure or the unsafe condition arising;
● Such dynamic analysis shall be extended to confirm the performance of other layers of protection (e.g. such as ESD) in independently preventing the unsafe condition arising;
● Is the required response time achievable with the existing / proposed sensing system, existing / proposed valves, new / replacement valves or actuation etc.?
● Performance standards shall be developed to fully define the basis for design, functional, performance and testing requirements for the HIPS.
Commentary: Note that hazard analysis and SIL targeting exercises may typically be conducted sequentially (e.g. HAZID / HAZOP followed by SIL). Note that the skills required to chair these two reviews differ and are likely to require different chairmen.
Figure 9.1 presents a simplified decision tree showing the key steps in assessing and designing a HIPS. More detailed requirements are specified below. Reference should also be made to the BG Guideline Specifying and Achieving Functional Safety [3], BGA-ENG-INST-GL-0002, in respect of reliability and integrity analysis required for SIL 3 / HIPS systems. The basic methodology for determining the integrity requirements for HIPS shall be as follows:
● Establish proposed HIPS configuration options (refer to Section 9.3);
● Conduct a hazard analysis / identification exercise to establish all the anticipated hazard scenarios for the proposed system that the HIPS is to protect (refer to Section 9.4);
● A default SIL target of SIL 3 shall be initially adopted for the HIPS;
● Quantified analysis shall be conducted to support every HIPS application, i.e. in which an instrumented protection system is replacing, or reducing the capacity of, some form of mechanical protection, such as a relief valve for overpressure risk, possibly inherent mechanical design for other risks etc. (refer to Section 9.5);
● The quantified analysis shall utilise fault tree methodology to establish overall probabilities of failure on demand for the proposed HIPS configurations (refer to Section 9.6);
● In the quantified analysis, the maximum tolerable probability of failure on demand for the HIPS shall be derived from the Company tolerable risk criteria and the corresponding SIL target established for the system;
● This approach shall be used to analyse alternative HIPS configurations or system redundancy to confirm the option most suitable for meeting the risk target;
● Where a SIL target of less than SIL 3 is established and desired, this shall be subject to review and approval by BG Advance (a dispensation shall be required before implementation for any SIL < 3 and / or PFD ≥ 1 x 10^-3);
● The BG Risk Graph methodology [3] shall be used to confirm that environmental, economic or reputational loss factors do not in fact set the determining SIL target for the system;
● An As Low as Reasonably Practicable (ALARP) assessment shall be conducted to demonstrate that no further improvement in the integrity of protection is justified (refer to Section 9.5.3).
Commentary: It is envisaged that initial evaluation of HIPS selection relative to conventional mechanical protection, full rating etc. will be conducted during the Select phase in order to establish the impact on option configurations and to support option selection. Initial design of any selected HIPS option would typically be conducted during the FEED stage, from justification through preliminary hazard analysis, SIL targeting and dynamic analysis in order to confirm that the design is workable and to establish impacts on flare / vent design, key components, design implications and initial SIL target. This work will be firmed up during the Detailed Engineering phase to include performance standards and a HIPS Dossier.

Commentary: Note that only those scenarios that can be successfully mitigated by a safety instrumented system should be considered for removal from the pressure relief and vent / flare loading. The most common example of an overpressure scenario that cannot be effectively mitigated by a HIPS is that pertaining to the fire case. As such, even if a vessel or section of plant were protected against a blocked discharge event by HIPS, it would still require conventional relief protection sized for the fire case loads (as well as typically any leakage across HIPS valves, surge flow on HIPS valve re-opening etc.).
No credit shall be taken for control system actions in HIPS analysis.

9.3 HIPS Configurations
It is important to recognise that the HIPS include all devices required to reach the fail-safe condition for the process. This includes the entire instrument loop from the field input devices (e.g. pressure transmitters) through the logic solver (if applicable) to the final elements (e.g. solenoids, valves), along with other devices required for successful functioning, such as safety instrumented system interfaces, communications, power supplies etc. Most HIPS require some form of voting system in order to achieve the desired reliability target whilst minimising spurious trips, from the field inputs through the logic to the final elements. The ease with which the assessed target probability of failure on demand can be achieved will typically determine the extent of voting, configuration of voting (e.g. 1oo2, 2oo3 etc.), number of final elements and so on.

Commentary: In general, SIL 3 HIPS utilise 2oo3 voting transmitters and, where protection is via isolation of the upstream source of high pressure, typically two valves as final elements, i.e. 1oo2 (although single valve configuration may be credible subject to selection of valves with appropriate integrity and demonstration of reliability). Final elements may also include duplicated trip signals onto pumps or compressors. Note that 2oo3 is used to protect against two failure modes (i.e. spurious trip and no trip). Common cause failure should be considered when modelling these cases, since this is likely to dominate the analysis and may be slightly less for 2oo3 redundancy.
More onerous reliability and diagnostic requirements will typically apply where HIPS are located subsea, given the constraints on system testing in comparison with surface located HIPS. Specific requirements in respect of subsea HIPS are discussed in Section 10.

9.3.1 Field Inputs
Most HIPS applications (to achieve SIL 3) require voting sensors (normally 2oo3) on all field inputs, such as those measuring pressure, although this might conceivably be some other parameter such as temperature, level or composition. The use of redundant inputs enables incorporation of diagnostics into the HIPS which significantly reduce the probability of failure on demand for the field inputs. Transmitters shall be used for all field inputs to HIPS loops to enable input diagnostics to be implemented. Switches shall not be used.

Commentary: The only exception to the above (permitting the use of switches) is where the Mokveld integrated HIPS solution is adopted, each switch acting directly on its dedicated valve (refer to Section 9.6.3).
Separate process connections shall be provided for HIPS sensing devices such as pressure transmitters so as to decrease common cause faults such as plugged inlet lines and valves.

Commentary: Where there is an increased risk of blockages due to hydrates, ice, wax, sand and the like, then it is essential that sensing connections are made self-draining and that consideration be given to provision of suitable heat tracing to reduce the risk of such blockages (i.e. to prevent and / or melt hydrates and / or wax).

Commentary: In a similar vein, adoption of diversity in the specification of process measurement (e.g. adoption of transmitters from different vendors), together with adequate spacing between sensing points, is recommended in order to further reduce common cause failures and therefore the probability of failure on demand.

Commentary: In some instances HIPS may be triggered by a valve in the system opening or closing. As an example, the latter scenario typically applies where closure of a downstream valve generates the blocked outlet that causes the overpressure that the HIPS must protect against. In such cases, the required overall system response to prevent overpressure may be improved by initiating the HIPS on detection of partial closure of the valve in question, i.e. the ultimate system pressure reached may be reduced by the early triggering of HIPS, although system protection should not rely on this action. Note also that in some cases where limited response time is available for the system to protect against overpressure, HIPS initiation may be better achieved by detection of rate of change of pressure rather than absolute pressure.
HIPS field input devices shall be fully independent of the normal emergency shutdown (ESD) field input devices, e.g. separate dedicated sensors / transmitters shall be employed. Consistent with the above objective, HIPS transmitters shall be on separate connections / branches on the main process line to those associated with control or ESD functions. HIPS field input devices shall be located in the system being protected, unless that system is a downstream pipeline (see below). For HIPS protecting against overpressure, this means that the HIPS pressure transmitters shall be located downstream of the HP / LP interface or specification break, i.e. in the LP system, but as close to the interface as is reasonably possible (i.e. HIPS is effectively a reactive system).

Commentary: If HIPS pressure transmitters are located upstream of the HP / LP pressure break (in a preventative mode), the pressure on the upstream side (e.g. of the HIPS valve(s)) must be reduced to below the set-point before the HIPS can be reset. This would typically require depressurisation (and consequently environmental loss of hydrocarbons) of the upstream piping or else pressure equalisation across the HIPS valve (by bleeding off pressure into the downstream system, usually via a bypass) prior to re-start. Safe operation and retention of overpressure protection can be dependent in this arrangement on the integrity of interlocks preventing the HIPS valve(s) re-opening at high differential pressure, as well as operator actions with respect to reset of the HIPS. Note also that HIPS pressure transmitters should be located downstream of any device liable to generate pressure spikes in the system, i.e. potentially increased risk of spurious HIPS demands. One such example would relate to the provision of choke / throttling valves on subsea pipelines arriving onto a platform facility, where such valves typically serve to help manage liquids during start-up or ramp-up operations.
Figures 9.2 and 9.3 illustrate typical 1oo2 and 2oo3 transmitter configurations respectively. For HIPS that protect a downstream pipeline (rather than a section of process plant), it may be impracticable to locate HIPS input devices (e.g. transmitters) downstream of the HP/LP interface since this would place them outboard of system isolation (e.g. riser or boundary isolation). In such circumstances, it is acceptable to configure HIPS with input devices upstream of the boundary isolation. Examples of this kind of application include a fully rated wellhead platform exporting to a de-rated pipeline tieback or the adoption of subsea HIPS (which is covered in greater detail in Section 10).

9.3.2 Logic Solver
The logic solver (where applicable) shall be designed to meet the assigned SIL. Commentary: Where the HIPS is designated as SIL3, this means that the logic solver must be independently certified compliant with SIL3 performance requirements in accordance with BS IEC 61508.
The logic solver shall be a solid state hardware based or programmable electronic system (PES). If a PES is selected then the HIPS logic solver must be both functionally and physically separate, i.e. a separate processor shall be used for the HIPS function only. Note, however, that some regulatory parties (e.g. the UK Health and Safety Executive) prefer HIPS logic solvers to be non-programmable.

Commentary: The use of relays for the logic solver shall be avoided. Programmable electronic devices require a high level of self-diagnostics and fault tolerance. In order to meet independent testing and certification of SIL 3, a logic solver has to demonstrate this. Redundancy of signal path and logic processing is desirable and the trip output function shall be configured as de-energize to trip (i.e. fail-safe).
Consistent with the requirements of BS IEC 61508 and BS IEC 61511, IP recommendations etc., the hardware and software for HIPS shall be fully independent from the basic process control (i.e. DCS) and emergency shutdown (ESD) system logic. Under no circumstances shall software controlling ESD logic also control HIPS logic in the same processor / controller.

Commentary: Independence of the HIPS logic eliminates the risk that a loss of process control or ESD system hardware will also result in a loss of HIPS function as well as reducing the possibility of inadvertent changes to HIPS functioning arising during modification of process control or ESD functions. Some ESD logic solvers carry the SIL 3 rating and so there may be a temptation to combine the ESD and HIPS within the same hardware - this shall be avoided. The safety lifecycle (BS IEC 61508 / 61511) requirements pertaining to SIL 3 are significantly more onerous than those of SILs 1 and 2. This means that the programming of a HIPS is a significantly more tortuous process than programming of an ESD.

9.3.3 Final Elements
The majority of HIPS use dual final elements in a 1oo2 configuration to achieve fault tolerance and the required PFD target, although this is obviously dependent on the HIPS configuration adopted, the reliability of the final element(s) and the corresponding SIL applicable.

Commentary: For example (with reference to Section 9.3.5), provision of separate HIPS loops on individual well flowlines might not require dual final elements if some conventional relief capacity is provided to account for one or more wells not being satisfactorily isolated.
The final elements are typically:
● Relays in a motor control circuit for shutdown of motor operated valves, compressors or pumps, or
● Fail safe valves opened or closed using solenoids in an instrument air (or hydraulic) supply.
Use of control valves as HIPS final elements shall be avoided, but these may be used as a supplemental measure where other protective elements are provided. Figures 9.4, 9.5 and 9.6 illustrate typical configurations for when fail safe valves are employed as final elements. These reflect 1oo2 valves with 1oo1 solenoids, 1oo2 valves with 1oo2 solenoids and 1oo2 valves with 2oo2 solenoids respectively. Clearly the actual configuration will be determined as necessary to satisfactorily meet the reliability target for the overall HIPS (whilst considering required plant availability). Solenoid operated valves (solenoids) shall be used to actuate fail safe valves and configured as de-energize to trip.

Commentary: Solenoids may be configured as 1oo1 or 1oo2, but spurious closures (e.g. due to coil burnout) may cause loss of production and downtime. Configuration as 2oo2 to reduce spurious trips is not recommended due to the risk of stuck valves (e.g. “welded open”), plugged vent ports etc.
The required valve closure time and hence port size shall be determined via dynamic analysis so as to prevent overpressure before final closure of the valve (refer to Section 9.7). Use of quick exhaust valves (QEV) may be required to attain the necessary closing times.

Commentary: For fail safe valves acting as the final elements of HIPS, the solenoids should be mounted as close to the valve actuator as possible to reduce the required transfer volume for valve actuation. The size of solenoid exhaust ports should generally be as large as possible since this will determine the speed of valve response. Care should be taken to ensure that rapid closure of a final element will not give rise to intolerable surge pressures and reaction loads. This may be important where HIPS valves are located on or close to wellhead Christmas trees, in which case checks should be made with production technologists to confirm that rapid valve closure cannot generate risks to the formation.
Reference should also be made to Section 9.3.4 regarding mandatory criteria relating to which process valves are permitted to be used as HIPS valves (or HIPS final elements).

9.3.4 HIPS Valves
Where a HIPS loop relies on one or more valves as the final element, these shall be dedicated valves provided purely for the purpose of the HIPS. ESD valves in general, boundary isolation valves (e.g. the riser valve on a platform), valves forming part of double block and isolation and subsea valves provided for other purposes, such as the subsea isolation valve (SSIV), shall not be used as HIPS valves.

Commentary: Whilst it is notionally feasible to utilise ESD or boundary isolation valves as one element of a HIPS loop (e.g. riser valves, wing valves) by ensuring that the HIPS function onto such valves remains completely independent of the ESD function via dedicated solenoids, there is still a risk that the independent functions and roles of the valves may be compromised by the dual role and / or inadequately reflected in the quantified analysis (e.g. increased demands on the system). It is also likely that any combined role for HIPS valves in this manner would be subject to challenge and approval by appropriate regulatory authorities (e.g. the Health & Safety Executive in the UK sector). It should be noted that if a well is remote from the host being protected, then closure of wellhead valves may not provide sufficient protection if there is a pipeline at pressure in between.

All proposals to implement HIPS that utilise ESD, boundary isolation / riser valves or SSIVs shall require review by, and a dispensation to be approved in advance of implementation from, BG Advance Engineering.

9.3.5 Overall HIPS Configuration
A wide range of permutations are possible in respect of overall HIPS configurations, both in terms of the system architecture itself and the way in which the system is deployed, say acting on multiple feed streams etc.:
● Voting arrangements for field input devices;
● Number of and voting arrangement for final elements (e.g. one or two valves);
● Voting extended to intermediate elements such as solenoids, relays;
● HIPS on individual feed streams or combined headers;
● HIPS completely or only partly replacing a conventional relief load.
The actual configuration shall be determined on a case-by-case basis to best fit the requirements and reliability target at the time.

Commentary: Figures 9.7 and 9.8 are provided to illustrate the options in one specific example where HIPS is commonly applied, namely protection of the HP / LP pressure interface between wellheads and the process separation system. Both figures show a 2oo3 pressure transmitter arrangement acting on 1oo2 valves (via 1oo1 solenoids).
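The reliability arithmetic behind Sections 9.1, 9.2 and 9.3, as an added worked example that is not part of this standard: a required PFD is derived from assumed tolerable-risk criteria and capped at the SIL 3 default of 1 x 10^-3, the achieved PFD of the Figure 9.7 loop (2oo3 transmitters, logic solver, 1oo1 solenoids, 1oo2 valves) is estimated subsystem by subsystem and mapped to a SIL band, and the loop is then re-run with a single valve, with 1oo2 solenoids (Figure 9.5) and with a longer proof-test interval. The PFD formulas are the simplified IEC 61508-6 average-PFD approximations with a beta-factor common-cause model; every failure rate, beta factor, test interval and risk criterion is an assumed placeholder, and all function names are this example's own.

```python
"""Constructed worked example (not part of BG-ST-ENG-PROC-012): required PFD
from tolerable-risk criteria, achieved PFD of a voted HIPS loop, SIL banding.

PFD formulas are the simplified IEC 61508-6 average-PFD approximations for
low-demand, identical-channel subsystems with a beta-factor common-cause model.
All numerical inputs below are assumed placeholders, not values from the standard."""

# Default HIPS requirement stated in Section 9.1: achieved PFD shall be below 1e-3.
DEFAULT_MAX_PFD = 1e-3

# IEC 61508 low-demand SIL bands: SIL n means 10^-(n+1) <= PFD < 10^-n.
SIL_UPPER_BOUNDS = ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1))


def sil_for_pfd(pfd):
    """Return the SIL band an average PFD falls into (0 if worse than SIL 1)."""
    for sil, upper in SIL_UPPER_BOUNDS:
        if pfd < upper:
            return sil
    return 0


def required_pfd(demand_rate_per_yr, tolerable_event_freq_per_yr):
    """Maximum PFD the HIPS may have: tolerable frequency of the unmitigated event
    divided by the demand rate on the HIPS, capped at the SIL 3 default. No credit
    is taken for other layers (e.g. ESD): the HIPS is assessed as an independent layer."""
    risk_based = tolerable_event_freq_per_yr / demand_rate_per_yr
    return min(risk_based, DEFAULT_MAX_PFD)


def pfd_subsystem(arch, lam_du, ti_hours, beta):
    """Average PFD of one voted subsystem.

    arch      voting architecture: "1oo1", "1oo2", "2oo2" or "2oo3"
    lam_du    dangerous undetected failure rate per channel, per hour
    ti_hours  proof-test interval in hours
    beta      fraction of channel failures that are common cause (beta-factor model)
    """
    single = lam_du * ti_hours / 2          # 1oo1: mean unavailability of one channel
    if arch == "1oo1":
        return single
    if arch == "2oo2":
        return 2 * single                   # either channel failing defeats the function
    lam_ind = (1 - beta) * lam_du           # independent part of the failure rate
    ccf = beta * lam_du * ti_hours / 2      # common-cause part behaves like a 1oo1 channel
    if arch == "1oo2":
        return (lam_ind * ti_hours) ** 2 / 3 + ccf
    if arch == "2oo3":
        return (lam_ind * ti_hours) ** 2 + ccf
    raise ValueError(f"unsupported architecture {arch!r}")


def common_cause_share(arch, lam_du, ti_hours, beta):
    """Fraction of a redundant subsystem's PFD that comes from common-cause failure."""
    return (beta * lam_du * ti_hours / 2) / pfd_subsystem(arch, lam_du, ti_hours, beta)


def pfd_loop(loop):
    """Loop PFD: subsystems are in series, so their PFDs add (small-value approximation)."""
    return sum(pfd_subsystem(arch, lam, ti, beta) for _, arch, lam, ti, beta in loop)


def with_architecture(loop, name, new_arch):
    """Copy of the loop with one subsystem's voting changed (e.g. 1oo2 -> 1oo1 valves)."""
    return [(n, new_arch if n == name else a, lam, ti, b) for n, a, lam, ti, b in loop]


def with_test_interval(loop, ti_hours):
    """Copy of the loop with every subsystem proof-tested at a new interval."""
    return [(n, a, lam, ti_hours, b) for n, a, lam, _, b in loop]


def meets_requirement(loop, demand_rate_per_yr, tolerable_event_freq_per_yr):
    """True if the loop's achieved PFD is below the required PFD."""
    return pfd_loop(loop) < required_pfd(demand_rate_per_yr, tolerable_event_freq_per_yr)


# Constructed loop matching the Figure 9.7 description: 2oo3 transmitters acting on
# 1oo2 valves via 1oo1 solenoids, with a certified logic solver in between.
# Tuple: (name, architecture, lambda_DU per hour, proof-test interval in hours, beta)
FIG_9_7_LOOP = [
    ("pressure transmitters", "2oo3", 2e-7, 8760.0, 0.05),
    ("logic solver",          "1oo1", 2e-9, 8760.0, 0.00),
    ("solenoids",             "1oo1", 1e-7, 8760.0, 0.10),
    ("HIPS valves",           "1oo2", 1e-6, 8760.0, 0.10),
]

if __name__ == "__main__":
    # Assumed risk criteria (placeholders): one blocked-outlet demand every 10 years,
    # tolerable unmitigated-event frequency 1e-4 per year.
    print(f"required PFD (must be strictly below): {required_pfd(0.1, 1e-4):.2e}")
    variants = (
        ("Figure 9.7 loop, annual proof test", FIG_9_7_LOOP),
        ("single HIPS valve (1oo1)", with_architecture(FIG_9_7_LOOP, "HIPS valves", "1oo1")),
        ("1oo2 solenoids (Figure 9.5)", with_architecture(FIG_9_7_LOOP, "solenoids", "1oo2")),
        ("two-yearly proof test", with_test_interval(FIG_9_7_LOOP, 2 * 8760.0)),
    )
    for label, loop in variants:
        pfd = pfd_loop(loop)
        print(f"{label:36s} PFD {pfd:.2e}  SIL {sil_for_pfd(pfd)}")
    share = common_cause_share("2oo3", 2e-7, 8760.0, 0.05)
    print(f"common-cause share of the 2oo3 transmitter PFD: {share:.0%}")
```

With these placeholder inputs the Figure 9.7 loop sits inside the SIL 3 band but only just, and the final elements account for most of the total; dropping to a single valve or doubling the proof-test interval (the kind of constraint Section 10 raises for subsea HIPS) pushes the loop into SIL 2, while the common-cause term supplies over 90% of the 2oo3 transmitter PFD, which is the point the Section 9.3 commentary makes about common cause dominating the analysis.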
In a conventional arrangement, the specification break would be at the last valve or potential obstacle (e.g. spectacle blind on the separator inlet nozzle) before the separator. The lower pressure separator would be protected by a relief valve sized not only for duties such as fire relief but, critically, for full flow relief in the event of inadvertent blocked outlet, whether this be via system control / ESD failure, mechanical valve failure or operator error. If the wells are remote from the HP / LP interface being protected (e.g. a subsea tieback) the closure of remote valves in the vicinity of the tree or a SSIV may be of little value as the system between the wells and the interface may be at a high pressure. In such cases, HP / LP breakthrough by inadvertent opening of any valves local to the interface must be considered. Where HIPS is employed, the safety instrumented system senses increased pressure in the system and acts to isolate the source of inflow / pressure by shutting one or more valves in the feed from the wells. There is a choice as to whether this arrangement acts on the combined feed to the separator or on individual wellstream feeds. The former results in a simpler system with fewer individual loops, but larger, faster acting valve(s) and the HP rating carried further into the system. The latter requires separate loops and / or final elements on each well flowline, but HIPS valve sizes are smaller and the HP rating need not extend to the manifold and production header (provided there are no further valves or blockage risks in that piping). Obviously the greater the number of wells, the greater the number of loops and the less attractive this approach may become. Provision of separate HIPS loops on each flowline in this example does potentially offer the opportunity to adopt lower integrity architecture (e.g. reduced redundancy, say 1oo2 rather than 2oo3) if some interim level of relief capacity is also provided.
This means that rather than completely avoiding the full flow relief case by requiring every single well to be successfully isolated, limited relief capacity may be provided on the assumption that only a limited number of wells might reasonably not be isolated satisfactorily in a HIPS event, i.e. relief sizing limited to the maximum rate from one or more wells. This is ultimately a balance of complexity and operating cost against initial capital cost. This interim solution may be considered, however, in cases where the implications of reduced flow relief can be accommodated but where full flow relief has major impact. It may be particularly pertinent to modification and debottlenecking work once a facility is operational. It should be recognised from an environmental perspective that this hybrid solution is less effective at minimising released hydrocarbons through the plant lifecycle. Figure 9.7 shows the typical arrangement where a single HIPS loop is provided on the common manifold / production header. By default, satisfactory operation of this system completely isolates the source of high pressure in-flow. Figure 9.8 shows the alternative arrangement where a separate HIPS loop is provided on each well flowline. Final elements on each flowline could equally be triggered by a single 2oo3 set of transmitters on the common manifold / production header, although this would result in reduced reliability. Similarly, and subject to the required overall loop reliability, single HIPS valves on each flowline may suffice in this arrangement.
There is no single correct configuration, although the general principle should be to limit the complexity of HIPS wherever possible. The important point in so far as this standard is concerned is that the range of possible configurations shall be duly assessed before selecting the final arrangement. All HIPS shall be designed to be fail-safe, such that the system will revert to a pre-determined safe state in the event of failure of its components or its power supplies.
9.3.6 Re-Start after a HIPS Trip
In the design of HIPS, consideration shall be given to the requirements for facilitating safe re-start after a trip. For pressure protection systems, this usually means preventing the HIPS valves being opened when there is still a high upstream pressure, and where high pressure differential across the valve(s) might generate valve wear / damage that may compromise future performance. It shall also be recognised that quickly opening the HIPS valves with a high differential pressure across them can give rise to a very high surge / relief load in itself. The design shall prevent this wherever feasible but ultimately shall also ensure that surge pressures on re-opening against high differential can be safely managed by the downstream system. Depressurisation of the upstream section shall not be to the flare or vent but to the lower pressure process system wherever reasonably practicable. From an environmental perspective, this is obviously more important for larger lines and / or significant volumes to be depressured. One means of managing re-start after a HIPS trip that may block in high pressure upstream of the HIPS valve would typically be via the provision of a bypass arrangement around the HIPS valve(s). This would facilitate controlled pressure equalisation and therefore HIPS valve re-opening against an acceptable pressure differential. Figure 9.9 provides a generic illustration of a typical HIPS set-up incorporating such a bypass. Adoption of such a design shall ensure that the following factors are accommodated:
● In addition to an on / off bypass valve, a globe valve will typically also be provided to assure controllable depressurisation and to avoid potential problems due to rapid depressurisation downstream, although this is optional;
● It is important that provision of a bypass around a HIPS valve or valves does not compromise the protection / isolation afforded by the HIPS;
● In configuring a bypass, it is therefore essential to ensure that either the bypass is automatically isolated if the hazard arises that triggers the HIPS (e.g. blocked outlet), or else a downstream relief valve can accommodate the maximum flow that might arise should the bypass be open;
● Where an actuated bypass valve is provided, it would be preferable for the HIPS action, either directly or via the ESD, to also close the bypass valve;
● The potential capacity of the bypass shall be limited by the provision of a restriction orifice (RO);
● A downstream relief valve (e.g. for HIPS protecting against high wellhead pressures this is commonly on the production separator) shall be provided that is able to handle the maximum bypass flow (e.g. restriction orifice breakthrough flow) together with the maximum HIPS valve leakage (refer to Section 9.8), on the basis that there are no valves or obstructions between the specification break and the relief valve unless such valves are securely and demonstrably locked open;
● With this relief valve protection, the HIPS overpressure protection does not rely on isolation of the bypass and as such the bypass should not form part of the HIPS reliability (i.e. thereby simplifying the design); automatic closure of the bypass in the event of a HIPS trip is then merely aimed at preventing a potential relief event;
● Where a manually operated bypass valve is provided, this shall be securely key locked closed in normal operation, and operable only under a permit to work;
● It should be noted that the bypass arrangement is usually a HP / LP interface in its own right (depending where the specification break is located – as an example shown at the HIPS valve / bypass RO in Figure 9.9) and, as such, if it were in normal continuous operation the LP system would typically require protection as per API RP 14C or ISO 10418 (i.e. two layers of over pressure protection). Commentary: In the normal course of events with no valves or obstructions downstream of the specification break as far as the relief valve, ultimate protection would be afforded by the downstream relief capacity (although any HIPS / ESD trip of the bypass valve as above will also protect the interface). For systems not normally in use, reliance on primary protection being provided via the permit / procedural controls in place would generally be acceptable, e.g. in this case constraints on operation of the bypass (refer to Figure 9.9). In this example, the normal high pressure ESD trip on the downstream separator would also be expected to isolate inflow (e.g. from wells) and therefore limit continued flow via the bypass.
● Provision shall be made for a high pressure inhibit to stop the HIPS valve(s) being opened with high differential pressure across them, but still allow the bypass valve to be operated (where this is actuated). The configuration in terms of number of pressure transmitters and voting required to achieve this inhibit shall be established on a case by case basis to achieve suitable integrity;
● Consideration shall be given in all such arrangements to the risk of low temperatures occurring across the bypass valve or orifice during pressure equalisation. Low temperature materials shall be selected where appropriate to cater for cold creep back from the valve / orifice, usually for a minimum of 1 metre upstream.
The implications of surge flow on re-opening HIPS valves shall be evaluated via dynamic analysis to ensure that downstream piping and relief capacity can safely accommodate any surge flow / reaction loads that result. This analysis shall also consider the consequences and system response requirements should the pressure inhibit on HIPS valve re-opening be defeated (by equipment failure or operator error). The system analysis shall take into account the reduction in protection afforded when the cause of the hazard (i.e. inadvertent opening of a HIPS valve with high upstream pressure giving rise to excessive surge flow) may also form part of the protective system. Credit shall not be taken for a HIPS valve that inadvertently opens also then closing as part of the HIPS being initiated, since the cause of the initial opening could also be the cause of a failure to re-close (and thereby effectively reduce the number of final elements available to prevent overpressure). This scenario should be reflected accordingly in the quantified analysis, as one failure mode for the valve for which it cannot then contribute to the system protection. This analysis must demonstrate that the demands on the system, offset by the various protective elements and mitigation measures such as pressure inhibits, still allow the required overall system probability of failure on demand to be met (refer to Section 9.5.2). Particular attention shall be given to any HIPS configured in preventative mode, such as protecting a downstream pipeline, since inadvertent opening of HIPS valves may imply failure of the HIPS function itself (which should normally keep the valves closed until the high upstream pressure has been reduced).
Commentary: For a design to rely purely on a pressure inhibit to protect against overpressure arising from HIPS valve re-opening in the worst condition (highest upstream pressure or highest pressure differential), then it must be demonstrated that the integrity of the inhibit is appropriate for this purpose, and such justification be subject to review and approval by BG Advance Engineering.
Where the design of HIPS systems is critically dependent on the opening (or closing time) of valves, it is essential that the reliability of the systems controlling the speed of opening (or closing) is fully understood. In cases where the available response time for the HIPS is tight, it may become necessary to adjust the opening (or closing) time of valves, e.g. in the re-start scenario above, an attempt may be made to slow down the opening time of the HIPS valve(s) by restricting air / hydraulic flow to open. This relies both on the security of the restriction (whether limiting air / hydraulic fluid to open or to exhaust in a closure scenario) and the characteristic of the valve response as opening / closing times are modified. Where needle valves are used as part of this “control”, the integrity of the system protection may depend entirely on how these are adjusted and maintained. Wherever there is a need to rely on such control methods to adjust an opening (or closure) time to satisfy HIPS response requirements for preventing overpressure, then a full justification shall be developed as part of the HIPS design to support this approach and demonstrate how the integrity of the protection will be assured.
It should be noted that recovery from high pressure events may leave boundary or riser ESD valves with high pressure on the upstream side. Unlike the HIPS arrangements described above, bypasses around riser ESDVs are not permitted and re-opening of these valves is usually achieved by back-pressuring the valve (e.g. with methanol, nitrogen or a suitable source of available gas / fluid, i.e. human intervention) to then allow re-opening at low differential pressure, after which pressure across any downstream HIPS valves can then be reduced via a bypass configuration. However, if such procedures are not followed correctly and boundary / riser valves are re-opened at high differential, there is a risk of generating low temperatures that may be below the minimum design temperature of the valve and piping downstream. In such situations, the adopted design and operational approach (which may typically encompass a combination of procedure and valve opening inhibits) shall be shown to be As Low as Reasonably Practicable (ALARP). Where ALARP cannot be demonstrated, then the design shall cater for the lowest temperatures that may arise with inadvertent opening of the boundary / riser ESD valve.
9.3.7 Power Supply
Given the high integrity requirements for HIPS, consideration shall be given to how HIPS are powered, in order to ensure sufficient redundancy so as not to compromise the reliability of the overall system. The default arrangement shall be to provide two electrical feeds to the system, with two high integrity uninterruptible power supplies (UPS) as back-up in order to reduce the risk of spurious HIPS trips and to maintain availability. Any proposal to adopt alternative approaches for achieving the required system integrity and availability shall require a full supporting justification and shall be subject to review and approval by BG Advance Engineering.
9.3.8 HIPS Reset
Only manual / operator reset shall be permitted for HIPS after a trip has been initiated, i.e. the HIPS shall not be reset (automatically) purely by pressure (or other criteria) falling below the trip value. Reset of HIPS shall only be considered once operators have fully assessed the situation, identified the causes and system impacts and confirmed it appropriate and safe to reset.
9.4 Hazard Analysis
Consideration of a HIPS solution for overpressure protection (or protection against any other parameter exceeding the design envelope) requires a quantitative risk analysis of the potential scenarios that could cause overpressure (or any other parameter to exceed design). The hazard analysis shall follow a structured, systematic approach, using a multidisciplinary team. The team shall typically include process, HSSE, instrumentation, electrical and operations / maintenance representation. Other disciplines may be necessary depending on the system under consideration. It shall document the event propagation from the initiating cause to the final consequence or overpressure / design excursion. The analysis shall examine both operating and upset conditions in addition to equipment failure that may result in overpressure or design excursion. This shall include a thorough examination of each step involved in start-up and shutdown, in addition to the normal condition. For processes in which reactions may occur or propagation risks may apply, it is necessary to brainstorm all potential reaction paths, including the need for multiple errors or failures to generate propagation, to fully understand the potential for overpressure / design excursion. The information typically necessary to facilitate this hazard analysis would include the following:
● Process flow diagrams;
● Heat and material balances;
● Equipment sizing, data sheets etc.;
● Piping and Instrumentation Diagrams (P&IDs);
● Cause and Effects (and alarm and trip schedule if available).
For green field developments it is essential that pressure relief requirements and HIPS requirements are examined at the earliest opportunity, not when the design is nearly complete (refer also to Section 9.2 and Figure 9.1). This may require the hazard analysis to be conducted before final P&IDs are available in order to fully understand overpressure and design excursion scenarios and establish the need for HIPS at a stage when this may be incorporated into the design with the least impact on project documentation, schedule and cost. For brown field modifications, a comprehensive examination of all aspects of the existing design as well as the new requirements shall be conducted as part of the hazard analysis process. This may include some of the following elements:
● Coincident relief cases, potential increased relief load;
● Capacity in existing relief systems;
● Practicality of accommodating new loads;
● Existing elements that may form part of the HIPS;
● New components / valves potentially required for a HIPS solution;
● Implications on the existing ESD system.
Commentary: The hazard analysis process may frequently be combined with the SIL review process for safety instrumented systems, with the SIL requirements assessed for each identified hazard scenario in turn to establish the dominant (safety related) SIL target for the system, but note that for high integrity systems (i.e. HIPS) that require quantified analysis, the hazard analysis is primarily aimed at identifying all appropriate hazards to reflect in that quantified assessment.
9.5 Safety Integrity Level (SIL) Targeting
Reference should be made to the BG Guideline Specifying and Achieving Functional Safety [3], BGA-ENG-INST-GL-0002, for greater detail on SIL targeting, but the broad requirements relevant to HIPS are repeated here. Safety Integrity Level (SIL) analysis or targeting relates to the process of ascribing a required integrity target to a safety instrumented system (SIS), in this case a HIPS, in terms of its reliability or probability of failure on demand (PFD) and the safety lifecycle requirements. This process involves establishing the combinations of failures of equipment and controls which may lead to hazards (via the hazard analysis described in Section 9.4) and then analysing these hazardous failures in order to establish the overall integrity target for the proposed protection system for alleviating those hazards.
The three recognised approaches to SIL targeting are as follows:
● Qualitative - Risk Graph;
● Semi-Qualitative - Layers of Protection Analysis (LOPA);
● Quantitative or Quantified Analysis (apportioning failure rates and failure probability targets).
In terms of high integrity safety instrumented systems (i.e. HIPS), the first two methodologies above are not applicable. SIL targeting for HIPS shall adopt quantified analysis in every case to determine the target safety SIL and confirm system configuration requirements. However, the risk graph methodology (or LOPA) shall be used in every case to check that environmental, economic or reputational loss factors do not set the determining SIL requirements (refer to Section 9.5.1 below, and to the BG Guideline “Specifying and Achieving Functional Safety”, BGA-ENG-INST-GL-0002, for further details [3]). Commentary: In the context of the above, high integrity is intended to represent any proposed protection system that replaces either inherently safe design (e.g. suitable for the over-pressure, over-temperature, under-temperature risk etc.) or else replaces the provision of (or reduces the sizing capacity of) some form of mechanical protection (e.g. a relief valve).
Table 9.1 below illustrates the relationship between SIL and the probability of failure on demand (PFD).
Table 9.1: Safety Integrity Levels
SIL     PFD
SIL1    10^-1 to 10^-2
SIL2    10^-2 to 10^-3
SIL3    10^-3 to 10^-4
SIL4    10^-4 to 10^-5 (Not allowed)
Commentary: The PFD ranges presented in Table 9.1 above reflect the “low demand” failure events pertinent to protective functions (as opposed to the “high demand” events pertinent to continuous operations, such as control system failure etc., refer to BS IEC 61508).
9.5.1 SIL Review Process
The SIL review process for safety instrumented systems (SIS) described in the Guideline Specifying and Achieving Functional Safety [3], BGA-ENG-INST-GL-0002, using the risk graph method is, as indicated above, not to be used for the safety analysis of HIPS. It should, however, be noted that this methodology also extends to environmental and financial consequences as well as the primary safety consequences above. Separate evaluation of the environmental consequences is included in the BG Risk Graph, for which an environmental SIL rating is established on the basis of whether the event could generate a reportable release, major temporary environmental impact or major permanent environmental impact. In a similar manner, evaluation of the financial consequences is included, for which a financial SIL rating is established on the basis of financial impact (e.g. impact < US$ 1MM, US$ 1MM-10MM, > US$ 10MM).
There may also be instances when the most serious implications of an event / hazard might relate to Company reputation rather than significant safety or environmental concerns. Although there is not a separate risk graph to cover this category, the implications on reputational loss shall be recognised in applying the financial risk graph methodology. The most onerous SIL target established across the range of safety, environmental, economic or reputational scenarios for a particular system shall set the overall target for that system. The BG Risk Graph methodology (or LOPA) [3] shall be employed for all HIPS to establish if factors other than safety are determining. Commentary: It is feasible that a safety hazard could be determined, and justified, as requiring a SIL 2 target via quantified analysis (refer to Section 9.5.2) and yet require SIL 3 for environmental, economic or reputational loss reasons. An example might be where the risk of fatalities arising from the overpressure event is considered low (say where operators are rarely present or where peak overpressure might be below the test pressure of the LP system), but where any release arising (even if small) could have significant reputational implications, say for sour service applications local to public communities, discharge of pollutants etc.
SIL4 targets are generally considered to involve unrealistic requirements and shall not be permitted. Where such targets arise from a safety perspective, the required quantified analysis shall be used to better understand the risks and/or prompt implementation of additional layers of protection or increased redundancy to reduce the target to SIL 3. Failing this, consideration shall be given to alternative / conventional protection, i.e. to whether system protection is best served by HIPS at all. Commentary: In some extreme cases, a SIL 4 target for HIPS may be unavoidable, perhaps where there is high demand, extreme consequences and / or limited alternatives to adopting a HIPS design. Any proposed HIPS with a target SIL in excess of 3 shall be subject to review by, and a dispensation to be approved in advance of implementation from, BG Advance Engineering.
9.5.2 Quantified Analysis
Quantitative (or quantified) analysis shall be carried out for all HIPS and shall reflect all the hazards identified during hazard analysis. Whereas the maximum tolerable risk for a hazard is expressed as an individual risk (of fatality) per annum (IRPA), the related integrity requirement is expressed as either a failure rate of a continuous process or a probability of failure on demand (PFD) of a safety related system. The quantified analysis shall establish a maximum probability of failure on demand (PFD) target for the safety protective system, derived from the Company maximum tolerable individual risk target, and confirm the system architecture / configuration required to meet this target. This involves conducting reliability or event tree analysis that considers both causes / demands on the one hand and mitigation / prevention on the other to derive an overall PFD that achieves the target (refer to Section 9.6). The BG IRPA (maximum tolerable risk) target (for new facilities and activities / modification) shall be 10^-4. This applies to voluntary (employee) process risk. A reduced target of 10^-3 applies to existing assets (reference should be made to the BG Safety Case Standard, BGA-HSSE-SAF-ST-1526 [7]). For non-voluntary (i.e. public) risk, the target shall be 10^-5. The required integrity target for the HIPS is derived from the above as follows:
● The number of simultaneous risks to which an individual on site is at risk shall be estimated;
● The maximum tolerable risk per scenario (i.e. for the HIPS) shall be calculated from the IRPA target above divided by this number of simultaneous risks;
Commentary: As an example, with an overall risk target of 10^-4 and an estimated individual exposure to 10 risks simultaneously on a facility, a target of 10^-5 per risk would apply.
A similar analysis shall be conducted for off-site risks (i.e. risks to the public, at or beyond the boundary fence for instance). The following factors or probabilities shall then be estimated (as fractions) to determine the likelihood of the hazardous event resulting in a fatality:
● Likelihood of the plant being operational (and thus in a position for the hazard to occur);
● Likelihood of individuals / operators being present and at risk;
● Likelihood of vessel or equipment rupture / leak (i.e. significant loss of containment);
● Likelihood of ensuing ignition;
● Likelihood of propagation to one or more fatalities and likelihood of propagation to adjacent facilities (i.e. domino effect).
The impact of multiple trains (i.e. duplicated similar risks) shall be taken into account in this analysis. Commentary: Note that where future plant modifications result in changes to the configuration, additional equipment / trains etc., the basis and justification for the HIPS shall be revisited (refer to Section 11.3). Where future trains are planned, either the existence of these should be included in the analysis or a clear strategy for how this will be managed must be documented.
The maximum tolerable failure rate (as failure rate per annum) shall be calculated as the maximum tolerable risk per scenario divided by the product of the factors above. The maximum tolerable probability of failure on demand (PFD) of the HIPS protection (i.e. the mitigation) is the maximum tolerable failure rate divided by the frequency of demand on the protection, e.g. from the demand gate in the fault tree (refer to Section 9.6). The above is only an outline of this process. Reference should be made to the BG Guideline Specifying and Achieving Functional Safety, BGA-ENG-INST-GL-0002, for further detail (including guidance on the values that should be applied for the modifying factors listed above) [3]. Quantified assessment shall only be performed by an independent expert as the techniques involved require specialist knowledge and training. It is important to note that a quantified analysis will deliver a very precise answer, but will be highly sensitive to the nature of the initial assumptions, not least the factors estimated in the process above. It is therefore essential that appropriate project and operations personnel are involved in supplying input data and liaising with the independent expert conducting this work to ensure that a true reflection of the situation is achieved. Given the uncertainties that will be involved in applying some of the probabilities and assumed component failure rates in quantified analysis, due consideration shall be given to the sensitivity of the conclusions (and the SIL target established) to adopting a conservative range of values for assumed probabilities, component failure rates etc. It is important that all assumptions in this respect are fully documented.
Analysis of HIPS integrity shall reflect the fundamental “layers of protection” approach inherent in API RP14C (or BS EN ISO 10418) (refer to Section 8.2) and, in particular, recognise that the HIPS is replacing the completely independent relief valve (i.e. in an over-pressure application, perhaps inherent safety in other cases), and not the primary (ESD) trip protection, and as such should independently achieve a level of reliability that is equal to or better than that of a relief valve (refer to Sections 9.1 and 9.6.1). As such, whilst SIL targeting (quantified analysis) may take credit for an ESD protective device reducing demand on the HIPS, this shall not be used as a means of justifying adoption of a SIL requirement for a HIPS that is less than the default SIL 3 (refer to Section 9.1). Where initial evaluation suggests a very challenging SIL requirement (such as SIL 4, or SIL 3 with onerous testing requirements), it is acceptable to take credit for all mitigations in order to achieve a realistic design. Note that where mitigations such as ESD are taken credit for in the analysis, this shall only be permissible provided that dynamic analysis is conducted to confirm that it acts fast enough to prevent the hazardous scenario should the HIPS not function (refer to Section 9.7).
Commentary: There may be circumstances where it is not practicable to employ such layers of protection, for instance where limited pressure margins are available to set the various trip levels. Where it can be justified for HIPS alone to provide protection then this shall be subject to review by, and approval in advance of implementation from, BG Advance Engineering.
Commentary: It is important to emphasise that a given system (e.g. ESD) cannot be shown as mitigating an event via one set of outputs when it has caused the event as a result of failure of some other output function. Although possible, it is important not to take credit for it in making a safety argument. An example might be where a (HIPS) valve failing to the open position (just one of a number of failure modes, most of which would otherwise be to fail safe) should not then be considered as subsequently closing as part of the protective system.
Commentary: The response time of a primary protection system such as ESD is a crucial factor. Credit is often taken for layered protection systems in the analysis (e.g. the usual ESD pressure trips in line with API RP14C), without recognising that this is only valid provided that they too, like the HIPS, function fast enough to prevent the unsafe condition arising (e.g. overpressure). On plant revamp or debottlenecking applications particularly, this may not be the case and response times for ESD trips may often have to be speeded up if they are to be credited as part of the protection system, e.g. faster closing wing valves. Note that in all cases it is preferable (from an operability perspective) to have the ESD device close in sufficient time that the HIPS set-point is not attained.
For failure rate data to be used in conducting quantified (fault tree) or LOPA analysis, reference should be made to the BG Guideline Specifying and Achieving Functional Safety, BGA-ENG-INST-GL-0002 [3].
9.5.3 ALARP
In the context of the IRPA assessment above (refer to Section 9.5.2), it shall be recognised that the Company maximum tolerable risk target is just that, a maximum. In respect of the As Low as Reasonably Practicable (ALARP) criteria, the broadly acceptable risk level at which ALARP is deemed to be satisfied is 10^-6 (employee risk) or 10^-7 (public risk), two orders of magnitude lower than the (Company) maximum tolerable. This should be carried forward to establish a parallel broadly acceptable failure rate for the HIPS. Therefore, any assessment of HIPS requirements via quantified analysis shall consider the risk reduction options available to reduce risk to the broadly acceptable level. This is typically achieved via an analysis of the cost and time involved in any proposed risk reduction to establish whether this is grossly disproportionate to the safety benefit gained. The cost per life (or non-injury) criterion applied as part of this analysis may vary depending on whether the application is onshore or offshore. Reference should be made to the BG Guideline Specifying and Achieving Functional Safety, BGA-ENG-INST-GL-0002 [3], for establishing a “cost per life saved” value to be used in quantified cost-benefit analysis and for further information relating to ALARP assessment. The ALARP assessment shall include the following steps:
● Establish the maximum tolerable risk per scenario per annum (refer to Section 9.5.2);
● Establish the broadly acceptable risk per scenario per annum (two orders of magnitude lower than the maximum above);
● Establish the maximum tolerable failure rate per annum (refer to Section 9.5.2);
● Identify the achieved failure rate per annum (from fault tree analysis – refer to Section 9.6);
● Calculate the achieved risk per annum (pa):
Achieved risk pa = maximum tolerable risk per scenario pa x achieved failure rate pa / maximum tolerable failure rate per annum
● Adopt the appropriate cost per life saved figure [3];
● Calculate the ALARP cost:
Cost per life saved = cost of proposal / [(achieved risk pa – broadly acceptable risk per scenario pa) x life of operation x number of fatalities]
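The Section 9.5.2 derivation (IRPA target to risk per scenario, maximum tolerable failure rate, PFD target and Table 9.1 band) and the ALARP steps above, carried through in Python as an added example that is not part of the standard. The probabilities, demand frequency, achieved failure rate, operating life, proposal cost and the US$10MM cost-per-life-saved criterion are constructed placeholders, not Company values.

```python
"""Worked example of the SIL-targeting arithmetic in Section 9.5.2 and the
ALARP steps in Section 9.5.3.  Added illustration, not part of the standard;
every numeric input in the usage section is constructed for the example."""
from dataclasses import dataclass

# Company maximum tolerable IRPA targets (per annum) stated in Section 9.5.2.
IRPA_EMPLOYEE_NEW = 1e-4       # voluntary (employee) risk, new facilities
IRPA_EMPLOYEE_EXISTING = 1e-3  # voluntary (employee) risk, existing assets
IRPA_PUBLIC = 1e-5             # non-voluntary (public) risk
DEFAULT_HIPS_SIL = 3           # default SIL for any HIPS (Section 9.1)
BROADLY_ACCEPTABLE_DIVISOR = 100.0  # two orders of magnitude below maximum tolerable

# Table 9.1 as (SIL, lower PFD bound inclusive, upper PFD bound exclusive).
SIL_BANDS = ((1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4))


def sil_band(pfd):
    """SIL band of Table 9.1 containing a PFD target; None if outside all bands."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


@dataclass
class ScenarioInputs:
    irpa_target: float        # Company IRPA target for the exposed group
    simultaneous_risks: int   # risks an individual is exposed to at the same time
    p_operational: float      # likelihood the plant is operating
    p_present: float          # likelihood individuals are present and at risk
    p_rupture: float          # likelihood of significant loss of containment
    p_ignition: float         # likelihood of ensuing ignition
    p_fatality: float         # likelihood of propagation to one or more fatalities
    demand_frequency: float   # demands on the HIPS per annum (fault tree demand gate)


@dataclass
class SilTarget:
    risk_per_scenario: float  # maximum tolerable risk per scenario, per annum
    max_failure_rate: float   # maximum tolerable failure rate, per annum
    pfd_target: float         # maximum tolerable PFD of the HIPS
    required_sil: int         # Table 9.1 band containing pfd_target
    hips_sil: int             # SIL to design to: never below the SIL 3 default
    permitted: bool           # False when the target lands in the SIL 4 band


def derive_sil_target(s):
    """Section 9.5.2 chain: IRPA -> risk per scenario -> failure rate -> PFD -> SIL."""
    risk_per_scenario = s.irpa_target / s.simultaneous_risks
    conditional = (s.p_operational * s.p_present * s.p_rupture
                   * s.p_ignition * s.p_fatality)
    max_failure_rate = risk_per_scenario / conditional
    pfd_target = max_failure_rate / s.demand_frequency
    band = sil_band(pfd_target)
    if band is None:
        raise ValueError("PFD target %.3g lies outside the Table 9.1 bands" % pfd_target)
    # Credit for demand-reducing layers (e.g. ESD) may lower the band, but the
    # HIPS is still designed to at least SIL 3; a SIL 4 band needs a dispensation.
    return SilTarget(risk_per_scenario, max_failure_rate, pfd_target, band,
                     max(band, DEFAULT_HIPS_SIL), band < 4)


@dataclass
class AlarpResult:
    broadly_acceptable_risk: float  # per scenario, per annum
    achieved_risk: float            # per annum, scaled from the achieved failure rate
    lives_saved: float              # fatalities averted over the operating life
    cost_per_life_saved: float      # for the proposal under assessment
    justified_spend: float          # largest proposal cost that shall be implemented
    implement: bool                 # proposal_cost <= justified_spend


def alarp_assessment(t, achieved_failure_rate, life_years, fatalities,
                     proposal_cost, cost_per_life_criterion):
    """Section 9.5.3 steps: achieved risk, cost per life saved, implement test."""
    broadly_acceptable = t.risk_per_scenario / BROADLY_ACCEPTABLE_DIVISOR
    achieved_risk = t.risk_per_scenario * achieved_failure_rate / t.max_failure_rate
    # Benefit of reducing the achieved risk to the broadly acceptable level.
    lives_saved = (achieved_risk - broadly_acceptable) * life_years * fatalities
    cost_per_life = proposal_cost / lives_saved if lives_saved > 0 else float("inf")
    # Rearranging the standard's formula: spend up to criterion x lives saved.
    justified_spend = cost_per_life_criterion * max(lives_saved, 0.0)
    return AlarpResult(broadly_acceptable, achieved_risk, lives_saved, cost_per_life,
                       justified_spend, proposal_cost <= justified_spend)


if __name__ == "__main__":
    # Constructed inputs: new facility, 10 simultaneous risks, 0.5 demands per year.
    scenario = ScenarioInputs(IRPA_EMPLOYEE_NEW, 10, 0.9, 0.5, 0.5, 0.3, 0.5, 0.5)
    target = derive_sil_target(scenario)
    print("PFD target %.3g -> SIL %d band, design to SIL %d" %
          (target.pfd_target, target.required_sil, target.hips_sil))
    # Constructed: fault tree gives 1.5e-4/yr, 25-year life, 2 fatalities,
    # US$500,000 proposal against a placeholder US$10MM cost-per-life criterion.
    result = alarp_assessment(target, 1.5e-4, 25, 2, 500_000.0, 1e7)
    print("cost per life saved US$%.3g, justified spend US$%.2f, implement=%s" %
          (result.cost_per_life_saved, result.justified_spend, result.implement))
```

With these constructed inputs the PFD target of about 5.9e-4 falls in the SIL 3 band, and the US$500,000 proposal is grossly disproportionate (cost per life saved in the US$ billions), while any proposal costing no more than roughly US$2,481 would have to be implemented.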
Any proposal for reducing risk costing at or below the cost of proposal identified above shall be implemented. It shall not be acceptable to simply accept a risk level that meets the maximum tolerable target without considering opportunities to further reduce the risk to ALARP.
9.6 Reliability Analysis
Reliability analysis shall be conducted to establish the predicted reliability (in terms of the probability of failure on demand or achieved failure rate) of the HIPS and demonstrate that this meets the assessed safety target, relative to the default SIL target (refer to Section 9.1) and the target derived from the maximum tolerable risk / failure rate criteria or from BG Risk Graph evaluation of environmental, economic or reputational loss criteria etc. (refer to Sections 9.5, 9.5.1 and 9.5.2). Comment: The reliability assessment is a statistical process for applying historical failure data to the proposed design and system configuration. It therefore provides a credible target / estimate of the likely reliability of equipment assuming manufacturing, design and operating conditions similar to those under which the data was collected. It is therefore a valuable design review technique for comparing alternative configurations, establishing order of magnitude targets and evaluating the potential effects of design changes, different degrees of component redundancy etc. The actual predicted values cannot, however, be guaranteed since forecasting the precise number of field failures which will eventually occur depends on many factors outside of the control of a predictive exercise. As such, care should be taken in the interpretation and use of reliability analysis results.
Such reliability analysis is typically undertaken by external consultant companies. As indicated above (refer to Section 9.5.2), quantified assessment shall only be performed by an independent expert as the techniques involved require specialist knowledge and training. The reliability analysis shall adopt a fault tree methodology to examine all elements of the HIPS from sensor through the logic solver to the final elements and establish the top level probability of failure on demand (or failure rate) from the individual component contributions, failure rates etc. In constructing the fault trees, the causes of overpressure and demand frequency on the protection should be considered as one gate with the mitigations (i.e. the HIPS) as the other gate to generate the top level PFD. Commentary: The use of reliability block diagrams may be considered as an alternative reliability analysis method to fault trees, provided that appropriately qualified and experienced parties are employed for this analysis.
Since all devices used in the HIPS contribute to the potential probability of failure on demand of the protection, the structure of the instrumented loop shall be defined and evaluated as a system so that the entire loop meets the target. The uncertainty in reliability data shall be taken into account in performing the analysis and the sensitivity to alternative data duly assessed. Since available reliability data is often limited, it becomes essential that field availability data is sought and collected in a suitable manner, as a minimum post start-up or implementation of the HIPS in question, i.e., as an ongoing validation of the basis of design for the HIPS (refer to Section 11). Commentary: Care shall be taken in the use of industry reliability data typically used in reliability analysis, e.g. OREDA, FARADIP. The user should recognise where reliability data derives from either a very large sample (and is therefore more representative) or, as is often the case, from a mere handful of cases (for which its representability may be more questionable). Finding data for a particular component type in the specific relevant service may not be straightforward and the extent of the available reliability data may be severely limited. It may also not be possible to discern from the failure data what percentage of failures arose from the specific failure cause pertinent to the HIPS component under study (i.e. that would lead to the unsafe condition). Where suitable data is limited, it may be appropriate to take a conservative view in respect of the values adopted for the fault tree analysis but to then instigate a programme for reporting and documenting component failures through the plant life-cycle to enable the basis for HIPS design(s) to be adapted in future, e.g. a high frequency test interval might be necessary initially, based on conservative failure rate data, that might be reduced to a lower frequency after several years collection and reporting of actual field data if this justifies better failure rate assumptions. It is worth recognising that in the case where failure of valves to close, transmitters to sense / transmit etc. dominates the overall HIPS reliability, there may be numerous valves or transmitters across the facility with similar characteristics that may contribute to building a failure data archive. It is essential in such cases that the nature of the individual failures is recorded (partial, total, failure to open or to close etc.).
Reference should be made to BG Guideline Specifying and Achieving Functional Safety, BGAENG-INST-GL-0002 for further detail on the analysis process [3].

9.6.1 Reliability of a Relief Valve
As indicated in Sections 8.1 and 9.1, the basic criterion against which any proposed (high pressure) HIPS shall be assessed is whether it achieves a reliability (or probability of failure on demand) that meets or exceeds that of the mechanical relief protection that it replaces (or the sizing case for that protection that it negates). For the purposes of determining the default configuration requirements and integrity of any proposed HIPS (notwithstanding the outcome of SIL targeting and quantified analysis results – refer to Section 9.5), it is necessary to assume a number for the typical reliability of a relief valve. Industry data [3, 6] suggests that this is in the range of 3 x 10^-3 (failures to open) to 1 x 10^-2 (total failures) per annum, broadly applicable to conventional spring operated relief valves. Pilot operated relief valves could be taken to be typically one order of magnitude worse than this. The default probability of failure on demand for a typical relief valve shall be taken as better than 10^-3 for the purposes of evaluating minimum HIPS requirements.
Commentary: The range of reliability data available in the public arena for relief valves lends itself to adopting a single “reasonable” figure for presumed reliability as above, rather than simply assuming the worst reliability predicted (given that we are seeking an instrumented system that is equal to or better than the mechanical protection). Alternative sources of user supplied process equipment reliability data, such as those available from the US Center for Chemical Process Safety (i.e. the American Institute of Chemical Engineers) [9, 11] for this kind of analysis (i.e. not manufacturers’ data), would suggest that relief valve reliability may be substantially better than indicated by the UK sources above. In setting the minimum integrity target for HIPS replacing a relief valve, the HIPS should therefore meet at least a SIL2 standard, and more likely a SIL3, depending on the type of valve.

9.6.2 Reliability of Mokveld Valves
One of the dominant factors dictating the overall reliability of HIPS loops is the historical failure rate data associated with typical ball (or gate) type shutdown valves forming the final element(s) of the system. Mokveld Valves is one supplier that offers a more reliable axial flow valve having tight shut-off capabilities and suitability for high integrity applications (e.g. in SIL3 service). Commentary: Mokveld themselves highlight a number of factors that purportedly justify the improved reliability claimed for their valve over conventional ball / gate valve designs:
● The design of the Mokveld HIPS valve does not need the high seating torques for open and closed positions like ball valves. Instead, the required valve thrust is fairly constant over the full valve stroke. Valve failure, sometimes caused by unpredictable high initial opening (breakaway) torque, is therefore avoided, making the valve very reliable;
● The design results in less change to valve friction caused by pressure differentials, scaling, debris and corrosion on the closing elements;
● The design allows for fast operation, typically slam-shut closing times of 2 seconds or less being achievable;
● The design allows for an actuator oversize factor of 5 and the capability of opening or throttling against full design pressure (note that this does not preclude having to make provisions for safe re-pressurisation after a HIPS trip, refer to Section 9.3.6);
● In addition to valve diagnostics, the Mokveld HIPS can be equipped with online monitoring capability to achieve a “smart” system;
● Mokveld claim independent derivation of the claimed failure data by Serco (formerly the Atomic Energy Agency Technology) based on a database collection of 30 years experience in applying these valves.
Further details can be found on the company website www.mokveld.com
Key to specifying Mokveld type valves is the improved failure rate data that can be adopted for reliability analysis, which can greatly improve the predicted probability of failure on demand of the overall HIPS. If Mokveld valves are specified, the failure rate data (i.e. failure to close) that shall be used is as follows:
Failure rate per annum = 0.0035 (equivalent to 0.4 failures per million hours) [3]
Commentary: The above failure rate number for Mokveld valves failure to close has been derived from a field study of Mokveld valve reliability [6, 10]. Note that this links to an overall failure rate for such valves of around 0.07 per annum (equivalent to 8 failures per million hours). Whilst there is general industry acceptance that Mokveld valves offer enhanced reliability in HIPS service compared to more conventional valve designs, the manufacturer’s claim that a failure rate of 4.4 x 10^-4 failures per annum is achievable for their valve is not supported by such actual reliability data as is available, hence the adoption above of a more conservative value.
For clarity, HIPS loops do not have to utilise Mokveld valves as the final elements. These are just one type of shut-off valve the design of which supports the use of better failure rates than some more conventional designs. Whilst the use of Mokveld valves is encouraged due to their higher reliability, any design of final element can be selected so long as the failure rate data used in the reliability analysis is pertinent to that type of valve and the system as a whole meets the SIL 3 requirement. If there is deemed to be due reason and supporting justification for adopting a more optimistic failure rate than the above for Mokveld or any other valves in the HIPS reliability analysis for a given application, this shall be subject to review and approval by BG Advance Engineering.

9.6.3 Integral Mokveld Solution
Mokveld Valves also offer an alternative configuration to the more usual initiator - logic solver - final element arrangement where the transmitters and logic solver are most often supplied by other parties. This is based on mechanical (pressure) switches directly (hydraulically) actuating a Mokveld shut-off valve, with no external energy, wiring or cabling required. This configuration is hydraulically unbalanced across the actuator. High pressure detection via the pressure switch releases the hydraulics, balancing pressure and rapidly closing the valve. By design this represents a much simpler configuration, avoiding the typical voting and logic solver elements of a HIPS, and may therefore be worthy of consideration by projects where this feature offers key advantages, e.g. where local factors, skills etc. might promote adoption of simpler designs (i.e. operators do not require training for a complicated safety system). The voting arrangement conferred by this approach is set by the number of pressure switch / valve combinations provided (e.g. 1oo2, 1oo3) and as such overall plant availability might be impacted (e.g. compared to the 2oo3 typically possible with conventional HIPS). This shall be taken into account in determining requirements, number of elements etc. in adopting and justifying this kind of protection system. Commentary: Given the limited historical application of this technology, reliability data may need to be sought from Mokveld. The vendor claims TUV certification suitable for SIL 3 application. Any data used should ideally have been validated by such third parties or, failing that, validated by the project against typical component reliability data held in industry databases. An assessment of the overall probability of failure on demand of an electronic Mokveld HIPS in contrast to the hydraulic design has been completed in Technis Report No. T392 [10].

9.7 Functional Performance Requirements (Dynamic Analysis)
When specifying the process performance of a HIPS, the process dynamics shall always be evaluated to ensure that the HIPS response time, from initial sensor response to a high process parameter measurement through to completed closure of relevant valves, trip of rotating machinery etc., is fast enough to prevent the unsafe condition (e.g. overpressure) arising in the vessel/system protected. The response time shall be evaluated by considering the time it takes to sense that there is an unacceptable process condition, the scan rate and data processing time of the logic solver and the time taken to isolate/trip or close the final element(s). In most HIPS applications, the critical element in this response time is usually the closure time of valve(s) forming part of the HIPS. The required closure time for the HIPS valves must be established for each individual HIPS installation. The valve specification shall ensure that the actuator provides sufficient driving force to close the final element under the worst case upset pressure condition.
Dynamic simulation shall be employed in order to establish required closure times for valves within HIPS loops or, where the HIPS relies on a device stopping (e.g. a pump, compressor etc.), then the time to completed trip. Such simulation will typically require detailed knowledge of the system being protected, such as:
● Normal / starting operating conditions, trip set points;
● In-flow rates;
● Vessel / equipment details / sizes;
● Piping isometrics and system volumes;
● In-line component data, valve size / characteristic / time to close / time to open data;
● Details of the HIPS configuration;
● Sensing time data for the initiating transmitters;
● Lag time data for the instrumentation / HIPS logic systems.
Evaluation of HIPS response behaviour shall always consider the most extreme scenario, such as the maximum envisaged flowrate condition, the worst case system blockage event and so on. Where inadvertent closure of a valve serves as the trigger for a HIPS event, determination of HIPS response requirements shall be established on the basis of the shortest conceivable closure time for the valve. For HIPS applications where a blocked outlet generates the hazardous condition, consideration shall be given to all potential causes that might result in either blockage or closure, not just the normal closure time for a valve on utility supply failure (e.g. air, hydraulics, power), and reflect these accordingly in the functional performance evaluation (i.e. dynamic analysis). The designer shall consider whether mechanical failure modes apply to the valve types in the system that could result in very rapid blockage of flow. This is liable to represent the worst case scenario where surge is likely to be a factor in the rate of pressure rise and this may influence the set pressure for the HIPS trips etc. This may typically require contact with vendors to confirm design details of the components and their potential for such failures. Where mechanical failure giving rise to rapid flow blockage is deemed physically feasible, this shall not be omitted as a case for the dynamic analysis on the basis of presumed low probability alone, particularly so where the consequences of failure are high. Commentary: It is recognised that some valve types will not be susceptible to any mechanical failure mode that could result in very rapid blockage of flow (say within a second or so), e.g. ball valves. In contrast, some other designs (e.g. certain types of butterfly valves) are known to be susceptible to stem shear or loss of the pin(s) that retain the disc to the stem. Such failures in valves where the action is “flow to close” could cause extremely rapid cessation of flow. It is incumbent on the designer to establish these risks on a case-by-case basis.
In a similar manner, the designer shall give due consideration to process related properties that may generate blockages. The most obvious of these is the potential formation of hydrates. Even where it may be considered unreasonable that such blockages could occur rapidly, the risk of hydrates subsequently being dislodged and then rapidly blocking any downstream flow constriction, orifice, valve etc. shall be evaluated and reflected in the dynamic analysis where appropriate. This risk is prominent where methanol is deployed operationally in an attempt to clear any such blockage (which would be the usual approach). Commentary: It is common for special (quick exhaust) valves and / or actuator dump systems to be necessary in order to achieve the fast closure times often required for HIPS valves. Where the closure time calculated is deemed impracticable, however, HIPS may not provide a suitable method of preventing overpressure.
Commentary: In most oil & gas industry HIPS applications, there is just a single process variable of interest, usually pressure, i.e. the HIPS responds to a high detected pressure and acts to isolate the source of high pressure / in-flow. It is worth noting, however, that this may not be the case in more complex process operations, where more than one process variable may be involved (e.g. where there are reactions, flow / mass or pressure / temperature relationships). In such cases, both the HIPS complexity and the dynamic modelling complexity will escalate. Commentary: It is possible that in some circumstances neither HIPS nor conventional PSVs will be capable of preventing overpressure, in which case some other more appropriate protection is required, e.g. tube rupture on a shell and tube exchanger where PSVs and HIPS would be too slow and a bursting disc may be needed, surge pressures requiring specialised surge relief valves etc.
Whilst provisional assessments of HIPS dynamic response times, and hence required valve closure or trip times, may be conducted by necessity based on early design information (perhaps isometrics not being available, so estimated system volumes), these shall be confirmed at the earliest opportunity based on firm data (refer to Section 9.2 and Figure 9.1). Commentary: It is essential that reasonable estimates of HIPS requirements be made during the FEED stages of a project in order to fully understand the design implications and options available. Whilst this will be further engineered during detail design, it is crucial that the confirmed design configuration is incorporated in the bid documents for that phase of work, the more so when this is let as lump sum rather than reimbursable.
For brown field modifications, a thorough analysis of existing safety and overpressure protection systems shall be undertaken in order to establish suitability and confirm validity for the new operating conditions, flows etc. HIPS designs, and their inherent performance/response times, reflect the initial set of process operating data appropriate at the time of design. Whenever any of this initial data changes (e.g. increased plant throughput, changed trip settings etc.), it is essential that dynamic modelling is conducted to confirm that the response times of installed systems/valves etc. continue to prevent overpressure. Consideration shall be given in the dynamic analysis to the impact of a system re-start after a HIPS trip and, in particular, the risk of high surge pressures potentially incurred should a HIPS valve be re-opened with a high upstream pressure. Reference should be made to Section 9.3.6 in respect of how this risk shall normally be mitigated / prevented, but in order to achieve the most inherently safe design, the HIPS shall respond sufficiently fast to prevent overpressure should the controls / safeguards against valve re-opening on high upstream pressure be defeated. As such, dynamic analysis will need to identify the implications on the required closure times of the HIPS valves as part of overall HIPS response and, potentially, also the fastest re-opening times of the HIPS valve(s). Commentary: It may be necessary in some instances to slow down opening times of HIPS (or other actuated) valves to ensure that the HIPS can provide acceptable system protection, where this is not otherwise provided by downstream relief capacity. This approach shall not, however, obviate the need to provide system interlocks and inhibits of an appropriate integrity to help prevent this unsafe condition from arising (number and voting arrangements to be determined to meet the assessed integrity requirements).
Activation of the first level of protection (e.g. an ESD) should not ideally cause the second level of protection (i.e. the HIPS) to activate. Both ESD and HIPS levels of protection shall function in sufficient time to prevent the hazard if the other one were to fail. Dynamic analysis of the response time and set points for the ESD and HIPS shall be performed to ensure that this objective is satisfied. Commentary: This is particularly pertinent where credit is taken for either the ESD trip reducing HIPS demand or for the ESD system in tandem with HIPS meeting the overall target integrity (refer to Section 9.5.2). Where dynamic analysis indicates that the ESD is unable to prevent overpressure alone and system protection relies only on the HIPS, then it is essential that the reliability analysis reflects this (refer to Section 9.6). Such proposed designs shall be subject to review by, and approval in advance of implementation from, BG Advance Engineering.
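As an added illustration of the response-time check described in this section (example code written for this page, not part of the BG Group standard): a screening calculation that models an instantaneous blocked outlet on a closed-in gas volume as an isothermal ideal gas with constant mass inflow, adds sensor lag, logic solver scan time and valve closure time, and checks the resulting peak pressure against the design pressure. The volume, inflow, set point and response times are constructed sample values, and the ideal-gas behaviour and linear valve characteristic are modelling assumptions; a real assessment uses full dynamic simulation with the data listed above.

```python
"""Screening check of HIPS response time against a blocked-outlet pressure
rise. Added example, not from the BG Group standard. Assumptions: the
blockage is instantaneous (the worst case the standard asks for), the
closed-in volume behaves as an isothermal ideal gas fed at constant mass
flow, and the HIPS valve has a linear characteristic (flow falls linearly
over the stroke). All numeric inputs below are constructed sample values."""
from dataclasses import dataclass

R_UNIVERSAL = 8.314   # J/(mol K)
PA_PER_BAR = 1.0e5


@dataclass(frozen=True)
class ProtectedSystem:
    volume_m3: float               # closed-in volume downstream of the HIPS valve
    temperature_k: float
    molar_mass_kg_per_mol: float
    design_pressure_bar: float     # pressure that must not be exceeded


@dataclass(frozen=True)
class HipsLoop:
    set_point_bar: float
    sensor_lag_s: float            # transmitter response to the step change
    logic_scan_s: float            # logic solver scan + processing time
    valve_closure_s: float         # full-stroke closure time of the HIPS valve


def pressure_rise_rate_bar_s(system, inflow_kg_s, z_factor=1.0):
    """dP/dt for constant mass inflow into a fixed isothermal volume:
    dP/dt = m_dot * Z * R * T / (M * V)  (Pa/s, converted to bar/s)."""
    pa_s = (inflow_kg_s * z_factor * R_UNIVERSAL * system.temperature_k
            / (system.molar_mass_kg_per_mol * system.volume_m3))
    return pa_s / PA_PER_BAR


def peak_pressure_bar(system, loop, inflow_kg_s, z_factor=1.0):
    """Pressure reached when the HIPS valve completes closure. Inflow runs at
    full rate through sensor lag and logic scan (dead time), then falls
    linearly to zero over the stroke, which admits half a stroke's worth."""
    rate = pressure_rise_rate_bar_s(system, inflow_kg_s, z_factor)
    dead_time = loop.sensor_lag_s + loop.logic_scan_s
    return loop.set_point_bar + rate * (dead_time + loop.valve_closure_s / 2.0)


def max_closure_time_s(system, loop, inflow_kg_s, z_factor=1.0):
    """Longest valve closure time that keeps the peak at or below design
    pressure for the given set point and dead time. A negative result means
    the set point or dead time alone already overshoots and must change."""
    rate = pressure_rise_rate_bar_s(system, inflow_kg_s, z_factor)
    dead_time = loop.sensor_lag_s + loop.logic_scan_s
    margin = system.design_pressure_bar - loop.set_point_bar - rate * dead_time
    return 2.0 * margin / rate


def hips_fast_enough(system, loop, inflow_kg_s, z_factor=1.0):
    """True if the loop closes before the protected system exceeds design pressure."""
    return peak_pressure_bar(system, loop, inflow_kg_s, z_factor) <= system.design_pressure_bar


# Constructed sample: 5 m3 methane volume at 300 K fed at 20 kg/s after an
# instantaneous blocked outlet; HIPS set at 80 bar, design pressure 100 bar.
SAMPLE_SYSTEM = ProtectedSystem(volume_m3=5.0, temperature_k=300.0,
                                molar_mass_kg_per_mol=0.016, design_pressure_bar=100.0)
SAMPLE_INFLOW_KG_S = 20.0
FAST_LOOP = HipsLoop(set_point_bar=80.0, sensor_lag_s=0.5, logic_scan_s=0.1, valve_closure_s=2.0)
SLOW_LOOP = HipsLoop(set_point_bar=80.0, sensor_lag_s=0.5, logic_scan_s=0.1, valve_closure_s=8.0)

if __name__ == "__main__":
    for label, loop in (("2 s valve", FAST_LOOP), ("8 s valve", SLOW_LOOP)):
        peak = peak_pressure_bar(SAMPLE_SYSTEM, loop, SAMPLE_INFLOW_KG_S)
        print(f"{label}: peak {peak:.1f} bar, "
              f"adequate={hips_fast_enough(SAMPLE_SYSTEM, loop, SAMPLE_INFLOW_KG_S)}")
    print(f"max closure time at 80 bar set point: "
          f"{max_closure_time_s(SAMPLE_SYSTEM, FAST_LOOP, SAMPLE_INFLOW_KG_S):.2f} s")
```

The same functions can be re-run against a lower set point or a faster transmitter to see which lever recovers margin when a calculated closure time is impracticable.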
The calculated set point and response time for the HIPS shall then form part of the performance standard for the system (refer to Section 9.11) and shall be validated by system test in accordance with the test interval integral to the reliability analysis for the system (refer to Section 9.14).

9.8 HIPS Valve Leakage
In HIPS applications where a source of high pressure/in-flow is isolated in order to prevent overpressure (i.e. by provision of HIPS valve(s)), then due allowance shall be made for the potential of such valve(s) to leak. Where the protected system is closed in, leakage across HIPS valves may still lead to overpressure in the downstream system. Provision shall be made in such cases for relief valve(s) to protect the low pressure system against the maximum leakage rate. Commentary: For many systems, there will already be a relief valve downstream of the HIPS valves (e.g. fire relief on a production separator) and it will simply be necessary to confirm that this can also handle the potential leakage rate across the HIPS valve(s). Where no such relief valve is provided for other reasons, a dedicated relief valve(s) shall be provided to cater solely for HIPS valve leakage.
The valve specification for HIPS valves shall always include the required or limiting leakage rates. Relief valve sizing shall take into account the highest leakage rates identified by valve suppliers with reasonable margins added. The leakage rate acceptable given the proposed / installed relief capacity shall form an element of the performance standard for the HIPS (refer to Section 9.11). The minimum allowance for valve leakage in sizing downstream relief shall be 1% of the rated flow through the HIPS valve [12]. Where there is a start-up bypass around the HIPS valve (refer to Section 9.3.6), the downstream relief valve sizing shall, as a minimum, cater for the bypass flow in the fully open position (or alternatively the maximum flow limited by a restriction orifice if fitted) with the HIPS valve closed, plus leakage of up to 1% of rated flow through the HIPS valve or its performance leakage specification, whichever is the greater.

9.9 Diagnostic Capability
Diagnostic capability shall be designed into all HIPS in accordance with BS IEC 61511 as necessary to achieve the required SIL, with the single exception of the integral Mokveld configuration (refer to Section 9.6.3). The ability to detect failures of devices on-line also significantly improves the availability of the HIPS. Commentary: One example would be the use of signal comparison on analogue inputs which allow transmitter failures to be detected and alarmed in the control room.
Consideration shall be given to the use of advanced diagnostic capability for valves / systems (e.g. such as that supplied by Mokveld) that may serve to achieve better reliability for a HIPS. Commentary: Note that diagnostic coverage will affect the safe failure fraction which, in turn, will affect the SIL which can be claimed.
To support the claimed risk reduction associated with diagnostics (in the reliability analysis), operational procedures shall require that these alarms be responded to promptly with a work order to repair within the mean time to repair period specified in the performance standard (and as used in the reliability analysis).
Maintenance procedures shall place high priority on the repair of HIPS related devices. For a more comprehensive discussion of issues associated with diagnostic capability, reference should be made to BS IEC 61511.

9.10 Common Cause Failures
A common cause failure occurs when a single failure results in the failure of multiple devices. The application of HIPS designs shall ensure sufficient independence and diversity of devices to achieve the reliability required for the HIPS. Whilst common cause factors should be incorporated into the fault tree analysis (typically via the beta factor), it is important that common cause failures are minimised by design. In the course of the hazard analysis (refer to Section 9.4), all causes leading to each possible design excursion or overpressure should be documented. Specification of the HIPS shall then ensure that the system functions independently from these initiating causes. Commentary: For example, if a control transmitter were identified as an initiating cause of an overpressure scenario (say by triggering closure of an outlet valve, thus blocking the discharge), the control transmitter cannot be the sole means for also detecting the potential overpressure incident. At least one additional transmitter would be required for the HIPS function.
The following examples (as a minimum) of common cause faults shall be considered when analysing HIPS requirements:
● Miscalibration of sensors;
● Fabrication flaws;
● Blockage of common process taps for redundant sensors (e.g. hydrates, wax);
● Flawed maintenance;
● (Unexpected) bypassing;
● Environmental impact on devices (e.g. solar radiation);
● Process fluid, contamination, solids etc. preventing action / closure (e.g. hydrates, wax);
● Utility failure, air, hydraulics, power.

9.11 Performance Standards
A performance standard (sometimes referred to as a safety requirement specification (SRS)) shall be developed to cover each HIPS application. Performance standards are required to both ensure that the basis of design of the HIPS is clearly documented and to provide a reference point for ensuring that the system continues to meet its protection objectives and target integrity (SIL) throughout its lifecycle. Each performance standard shall include all aspects pertinent to the design and implementation of the HIPS. For the purpose of achieving a consistent approach to documentation, it is recommended that the format described in UKOOA guidelines [8] should be followed, with components/sections relating to Functionality, Availability, Survivability, and Interdependencies (FASI) as indicated below. As a minimum, the information listed below shall be included in the performance standard.

Functionality
This should document each overpressure scenario that will be addressed by the HIPS. It should include the functional requirements for the HIPS and describe how and under what conditions the HIPS will mitigate each overpressure scenario.
● Role statement summarising the overpressure risk and the functionality required of the HIPS to reduce the risk;
● Reference to controlled document(s) that relate to the HIPS (e.g. relevant P&IDs, cause & effects);
● A definition of the boundaries protected by the HIPS;
● Logic;
● Set point and tolerance (i.e. acceptable variation on the setting);
● Response time;
● Maximum valve leakage rate (where this is a significant factor in HIPS performance / downstream PSV sizing).
Availability
● Integrity specification;
● Integrity assessment assumptions (if a quantitative method has been used, the assumptions shall also be listed, together with the accepted probability of failure on demand (PFD) and frequency of overpressure);
● Test interval;
● Assumed mean time to repair of components.
Survivability
● Where survivability is an issue it should be elaborated on here;
● This might include, for example, indications of where key components / valves etc. are specified as fire-safe.
Interdependencies
The required performance of the HIPS will be based on a set of assumptions relating to the process/facilities at the time of the analysis. These shall be clearly identified so that validity can be checked and so that the HIPS can be readily assessed or re-validated against changing assumptions, conditions etc. during the plant lifecycle. Dependencies will include such items as:
● Process conditions;
● Production rates;
● Plant line-up;
● Action time of the device causing the overpressure risk (e.g. assumed closure time of a valve blocking in a section of plant);
● Key assumptions used in the hazard analysis;
● Action of other protective systems to reduce the demand rate.
Commentary: Key assumptions relating to the hazard analysis and HIPS performance specification that should be documented in the above may include:
● Blockage scenarios not considered credible at the time, e.g. wax blockage of a component (this may change over time, or perhaps as new reservoirs are tied back, and therefore materially impact the validity of the HIPS through the plant lifecycle);
● Interlocks / inhibits or defeat of interlocks / inhibits critical to the performance of the HIPS;
● Procedures relating to the re-instatement of spectacle blinds and the like that would defeat the HIPS protection if incorrectly applied;
● Assumptions on revealed or un-revealed failures;
● Where multiple overpressure scenarios help define the HIPS performance requirements, these shall be clearly identified for future reference (i.e. it is not good enough to simply list the determining case since this could change with future plant modification or changing process conditions), e.g. HIPS response times determined by HIPS valve re-opening with high upstream pressure rather than necessarily by inadvertent blocked outlet, and how such may set required opening time limits on the HIPS valves etc.
The performance standard shall specify exactly how the HIPS shall be configured to achieve the target SIL. The high availability requirements for HIPS drive the choices to be made concerning device integrity, diversity, redundancy, voting, common cause concerns, diagnostic requirements and testing frequency. Where credit is taken for supporting systems such as ESD in meeting the system protection integrity target, then these requirements shall be fully reflected in the performance standard as an integral component of the system design, performance and testing. All HIPS elements shall be added to the safety critical items register.

9.12 HIPS Dossier
Whilst the HIPS performance standard provides a summary of the key elements and basis for each HIPS, it is also important to develop and retain concise documentation covering all aspects of the design for each HIPS, both as a record of the work done and a basis for life cycle maintenance and update of the HIPS. A HIPS Dossier shall therefore be compiled which covers all HIPS on a particular installation or facility. It is expected that this Dossier shall contain the following as a minimum:
● The HIPS assessment methodology;
● Description of each HIPS application, incorporating plant basis of design and basic requirement for the HIPS;
● Justification for HIPS selection, design and configuration;
● HIPS schematic;
● Hazard and consequence analysis studies / reports;
● Quantified / reliability analysis supporting selection of PFD / SIL and relevant test intervals and capturing assessment of diagnostic coverage of failures, common cause / mode failure analysis;
● Risk graph analysis reports checking environmental, economic and reputational loss SIL targets;
● Pertinent P&IDs;
● Pertinent cause and effect charts;
● Process calculation and dynamic analysis studies / reports;
● HIPS valve leakage contingencies;
● HIPS operating philosophy, including re-start constraints;
● HIPS maintenance, testing and repair plans / procedures;
● HIPS performance standards;
● HIPS lifecycle design plans.

9.13 HIPS Commissioning
Implementation and commissioning of HIPS shall be conducted in accordance with the parameters specified in the performance standard and in line with the system design intent itself.
Any deviation from these documents identified during the commissioning process shall be documented and commissioning suspended until such time as the implications for the achieved system integrity (SIL) and performance have been fully analysed and either the HIPS is confirmed as still providing satisfactory protection or modifications are implemented to ensure that it does so.

Commentary: One example might be where, during commissioning, the closure time of a HIPS related valve is tested and found to be outside the time required by the performance standard. Resolution of this problem might involve re-examination of the dynamic analysis setting the overall system response time, reduction of the set-point and / or speeding up of the valve closure time (or slowing down of a valve re-opening time). As below, such changes shall be fully justified and documented before implementation.
HIPS performance requirements and the performance standard, including all relevant factors such as set pressures, shall always be defined and documented during the design stage, except where a new requirement arises during production due to changes and so forth. These fixed requirements shall then apply during commissioning and operation. Under no circumstances shall HIPS design parameters or settings be "adjusted" during commissioning, unless justified and supported by a complete formal reassessment and update of the performance standard as part of the usual management of change process (refer to Section 11.3).

9.14 Testing Requirements
If all failures were self-revealing, there would be no need to test safety system devices. Shutdown valves not closing completely, solenoid valves stuck in position and pressure switches with stuck closed contacts are examples of covert, dangerous failures. If safety system devices are not tested, dangerous failures may only reveal themselves when a process demand occurs, perhaps resulting in the unsafe event the system was designed to prevent. Testing is performed solely to identify failures. The appropriate testing of HIPS is fundamental to ensuring that the availability requirements for the safety protection are satisfied. Architecture, redundancy and device integrity have a significant effect on the probability of the system failing on demand and therefore on the necessary testing requirements. The required test interval for all HIPS loop components shall be established via the reliability analysis of the installed HIPS loop.

Commentary: In general, HIPS components are tested at intervals ranging from 3 to 12 months, but in practice the interval will be whatever is required to meet the target system probability of failure on demand. Whilst operationally a longer (e.g. annual) interval is preferred, this may not always be achievable.
Unrealistically short test intervals shall be assessed for practicality (the more frequent testing becomes, the greater the impact on production availability for components that cannot be tested offline). This may become a particular issue in assessing the suitability of existing systems for brown field modifications. Where it is feasible to do so, a capability for on- and off-line testing shall be provided.

Commentary: There are other important aspects that should be assessed in setting test intervals. Firstly, it is essential that the site capability enables the test frequency proposed (i.e. adequate resources are available). Secondly, testing by its very nature may introduce faults and spurious shutdowns due to human error, thereby increasing the risk of hazardous events. Every effort should therefore be made to design a system that requires the minimum of off-line testing. Adoption of supervised circuits, built-in diagnostics and built-in redundancy (enabling on-line testing of components and circuits) all contribute to minimising the frequency of off-line testing.
Whatever test frequency is established by the quantitative analysis becomes integral to the safety design, and testing shall be performed throughout system life in accordance with this frequency. It is essential that operations and maintenance implement this testing regime. If the frequency changes, so does the QRA model. Any change in test frequency shall be validated by quantitative methods to ensure that the integrity is not lowered to an unacceptable level. Extending a test interval for operational convenience, even on the basis that the next interval would be reduced, is not an acceptable practice. Within reason, all HIPS testing shall be in accordance with the performance specification. Whilst the operation of individual HIPS loop components may be tested separately, often off-line, an overall system performance test shall be conducted in line with the test interval embedded in the performance standard, i.e. in the reliability analysis. This test shall not only demonstrate completion of the HIPS function from sensor detection of the high signal to completed trip of the final device or closure of the HIPS valve(s), but shall also confirm the response time for this total process (sensing to completed trip/closure). This response time must remain within that specified in the performance standard, i.e. as included in the basis of design for the HIPS (refer to Section 9.11). "Nudge", "jog" or "partial stroke" tests (i.e. just checking that the valve moves, rather than closing it against the seat) may avoid a shutdown but shall not be employed without good justification and approval by BG Advance Engineering. Even where such an approach is justified and agreed, a full closure test shall be conducted periodically, say every third test (basis to be reviewed and agreed by BG Advance Engineering). In many cases partial stroke tests are not practical due to the fast operating times of the HIPS final elements. System response times shall be verified by personnel attendance in situ, e.g. to time and report completed valve closure (not simply relying on a signal from limit switches back in the control room). Should a test demonstrate that the required response time is not met, a complete re-analysis of the HIPS design shall be undertaken to confirm current input data, system configuration, system volumes, operating conditions, flows, component function / performance (e.g. achieved valve closure times against original design / intent) etc. This exercise shall establish whether any modifications (e.g. a reduced set-point) are necessary to enable the HIPS to satisfactorily provide the required overpressure protection. Under normal circumstances, it is not acceptable to continue operation if a test has shown that a required HIPS performance target has not been met. Each such circumstance may be subject to an individual risk assessment to allow production to continue whilst remedial steps are taken, but this shall only be with review by, and approval in advance of implementation from, BG Advance Engineering.
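The following worked example is added here to illustrate the arithmetic behind the two requirements above: that the test interval is an output of the reliability analysis rather than an operational choice, and that stretching one interval cannot be recovered by shortening the next. It is an added illustration and not part of the BG standard or of any BG analysis. It uses simplified IEC 61508-6 style PFDavg equations for 1oo1, 1oo2 and 2oo3 (perfect proof tests, negligible repair time, beta-factor common cause), and every failure rate, beta value and interval is a constructed sample value, not data for any real device.

```python
"""Simplified PFDavg / proof-test interval arithmetic (added illustration, not from the standard).

Assumptions (not from the standard): IEC 61508-6 style simplified equations, perfect
proof tests, negligible repair time, beta-factor common-cause model; sample values only.
"""

HOURS_PER_YEAR = 8760.0


def sil_band(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg (IEC 61508-1 Table 2); 0 if worse than SIL 1.
    Values below 1e-5 lie outside the defined bands and are reported as 4 here."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def pfd_avg(arch: str, lam_du_per_h: float, test_interval_h: float, beta: float = 0.0) -> float:
    """Average PFD over one proof-test interval T (hours).

    lam_du_per_h: dangerous undetected failure rate per channel (per hour).
    beta: fraction of DU failures assumed common cause (redundant architectures only).
    """
    lt = lam_du_per_h * test_interval_h  # expected DU failures per channel per interval
    if arch == "1oo1":
        return lt / 2.0
    if arch == "1oo2":
        return lt ** 2 / 3.0 + beta * lt / 2.0
    if arch == "2oo3":
        return lt ** 2 + beta * lt / 2.0
    raise ValueError(f"unsupported architecture {arch!r}")


def max_test_interval_h(arch: str, lam_du_per_h: float, target_pfd: float,
                        beta: float = 0.0, step_h: float = 24.0,
                        cap_h: float = 20 * HOURS_PER_YEAR) -> float:
    """Longest interval (whole steps) whose PFDavg still meets target_pfd.

    PFDavg is monotone in T for these equations, so a step search suffices.
    Returns 0.0 if even one step is too long (testing alone cannot reach the target).
    """
    t = 0.0
    while t + step_h <= cap_h and pfd_avg(arch, lam_du_per_h, t + step_h, beta) < target_pfd:
        t += step_h
    return t


def pfd_avg_1oo1_uneven(lam_du_per_h: float, intervals_h) -> float:
    """Time-weighted PFDavg of a 1oo1 channel over a sequence of proof-test intervals.

    Within one interval of length T the PFD grows as lam*t, so the accumulated
    unavailability is lam*T^2/2.  Because the sum of squares is minimised when the
    intervals are equal, a stretched interval followed by a shortened one always
    averages worse than two equal intervals of the same total length.
    """
    total = sum(intervals_h)
    return sum(lam_du_per_h * T * T / 2.0 for T in intervals_h) / total


# Constructed sample data: lambda_DU = 5e-7 /h per channel, beta = 5 %, SIL 3 target.
SAMPLE_LAM_DU = 5e-7
SAMPLE_BETA = 0.05
SIL3_TARGET_PFD = 1e-3  # upper bound of the SIL 3 band (exclusive)


def demo() -> dict:
    """Annual test of each architecture, the longest 1oo1 interval meeting SIL 3,
    and the penalty for stretching one interval by 50 % then shortening the next."""
    annual = {a: pfd_avg(a, SAMPLE_LAM_DU, HOURS_PER_YEAR, SAMPLE_BETA) for a in ("1oo1", "1oo2", "2oo3")}
    even = pfd_avg_1oo1_uneven(SAMPLE_LAM_DU, [HOURS_PER_YEAR, HOURS_PER_YEAR])
    uneven = pfd_avg_1oo1_uneven(SAMPLE_LAM_DU, [1.5 * HOURS_PER_YEAR, 0.5 * HOURS_PER_YEAR])
    return {
        "annual_pfd": annual,
        "annual_sil": {a: sil_band(p) for a, p in annual.items()},
        "max_1oo1_interval_h_for_sil3": max_test_interval_h("1oo1", SAMPLE_LAM_DU, SIL3_TARGET_PFD),
        "stretch_penalty_ratio": uneven / even,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With these sample numbers an annual test leaves a 1oo1 loop in SIL 2, while 1oo2 and 2oo3 reach SIL 3; the 1oo1 loop would need an interval of about 166 days (inside the 3 to 12 month range the commentary mentions) to meet SIL 3. The stretch-then-shorten pattern raises the long-run PFDavg by 25 % even though the total test count is unchanged, which is the quantitative reason the standard forbids it.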
System testing shall extend to all elements that deliver the system protection in accordance with the SIL targeting and reliability analysis. If a HIPS design is justified that also takes credit for the ESD system in meeting integrity targets or Company maximum tolerable risk criteria, then these systems shall also be subject to the same level of testing and verification as the HIPS, in accordance with the reliability analysis and performance standard. Test protocols for HIPS shall be embedded in the facility electronic operation/recording system and aligned with the requirements set out in the performance standards. It is essential that HIPS testing is not only conducted in accordance with these protocols but that results are recorded in full and examined against the required performance targets stored in the system. Automatic alerts shall be raised where a target is not met. It is not acceptable to simply record results without the check to ensure that those results meet the performance standard requirements.

9.15 Third Party Verification
Third Party Verific ation
Independent third party verification shall be carried out for every HIPS application in order to confirm the system requirements and design. Such verification shall only be conducted by functional safety specialists with appropriate expertise. This verification shall be required both for the system architecture to be provided (to confirm that it meets the required integrity target) as well as for the design work underlying the HIPS, e.g. the quantified analysis setting the integrity target in the first place. Commentary: Verification of all HIPS designs shall be subject to quantified random hardware failure analysis. Note that this may be particularly pertinent where methods other than fault tree analysis (in which the probability of failure on demand is predicted) are used for reliability analysis.
Figure 9.1: Simplified HIPS Decision Tree (flowchart; the node and box texts recovered from the figure are listed below in reading order, with "Use conventional pressure relief" as the exit path)

Decision points:
• Can HIPS be applied to prevent an unsafe condition occurring, reduce the sizing basis for a relief valve or replace the relief valve altogether?
• Applicability of ASME Code Case 2211: Is the vessel / equipment exclusively in air, water or steam service?
• Does any local code, regulation or authority require relief valve protection?
• Is HIPS the optimal solution?
• Is the target SIL < 3?
• Exit: Use conventional pressure relief

Activities:
• INITIAL JUSTIFICATION FOR HIPS: HIPS v. relief pros / cons; environmental factors; availability of skills / resources; life cycle benefits
• HAZARD ANALYSIS: document unsafe conditions / overpressure scenarios; assess merits of HIPS as mitigation; define functional requirements
• QUANTIFIED ANALYSIS / SIL TARGETING: scenarios / configurations for analysis; fault tree analysis for selected configurations; selection of design meeting tolerable risk targets; confirm SIL target for the system; conduct ALARP assessment
• DESIGN ISSUES: independence; device integrity; architecture; testing frequency; diagnostics; common cause considerations
• Confirm via BG Risk Graph that environmental, economic or reputational loss criteria do not dictate a higher SIL; BGA review of quantified analysis required
• DURING SELECT PHASE: HIPS v. relief v. full rating review; impact on option configurations; support for option selection
• DURING FEED: confirm workable; confirm impact on flare / vent design; establish key components; identify design implications; establish SIL
• DURING DETAILED ENGINEERING: firm up hazard analysis; complete quantified analysis; finalise design details; develop performance standard; compile HIPS Dossier; establish test / maintenance plans
• FUNCTIONAL PERFORMANCE (DYNAMIC ANALYSIS): confirm that the required system response requirements can be met for the HIPS and any other layers of protection taken credit for in the reliability analysis (e.g. ESD)
• RELIEF SIZING: confirm reduced sizing basis for relief valve; modify vent / flare design basis accordingly
• PERFORMANCE STANDARD: document rationale for the HIPS; specify functional / logic requirements; specify target SIL; provide supporting quantified / reliability analysis; specify system response time requirements; identify system testing requirements; compile all HIPS documentation into a HIPS Dossier
• INSTALLATION / TESTING: verify loop response time; verify functionality; validate performance
• OPERATION / MAINTENANCE / TESTING: test at designated frequency; follow change management procedures
Figure 9.2: Typical 1oo2 Field Input Configuration (schematic; two pressure transmitters (PT) voted 1oo2)

Figure 9.3: Typical 2oo3 Field Input Configuration (schematic; three pressure transmitters (PT) voted 2oo3)
Figure 9.4: Typical Configuration of Final Elements with 1oo2 Valves and 1oo1 Solenoids (schematic; labels recovered: instrument air (IA) supply and solenoid (S) for each of the two valves)

Figure 9.5: Typical Configuration of Final Elements with 1oo2 Valves and 1oo2 Solenoids (schematic; labels recovered: instrument air (IA) supply and two solenoids (S) per valve)

Figure 9.6: Typical Configuration of Final Elements with 1oo2 Valves and 2oo2 Solenoids (schematic; labels recovered: instrument air (IA) supply and two solenoids (S) per valve)
Figure 9.9: Typical HIPS Bypass Arrangement to Facilitate Re-Start after a HIPS Trip (schematic; labels recovered: HP / LP boundary, feed, HIPS and HIPS / ESD valves, five pressure transmitters (PT), bypass line with restriction orifice (RO), differential pressure inhibit (DPT), ESD trip of the bypass valve, vent / flare, and gas, oil/condensate and water streams with level control (LC))
10.0 Subsea HIPS

10.1 The Case for Subsea HIPS
The general requirements for HIPS described in Sections 8, 9 and 11 apply to all HIPS applications. This section describes requirements specific to the application of subsea HIPS. For offshore developments where HIPS is applied topsides to protect lower rated processing facilities against potential overpressure from the wells, the pipelines between the wells and the processing facilities have to be designed for the full wellhead shut-in pressure. This has significant cost implications and in some cases (such as high pressure high temperature (HPHT) developments) may even be impracticable due to constraints on the availability of components with a suitable size/pressure rating. Even where it is physically possible to fully rate such pipelines, the cost may make the project uneconomic. There are also flow assurance implications of operating pipelines at potentially elevated pressures. Application of subsea HIPS, where the protection system is located close to the wells, allows the tieback pipeline (and risers where applicable) to be substantially de-rated, with both economic and safety benefits, since the higher pressure hydrocarbon risk is kept away from the topsides/surface facilities. Reference should be made to Section 10.2 regarding the implications of subsea HIPS for remote risers. The use of subsea HIPS is therefore attractive for deepwater developments, long tie-backs and/or where wellhead shut-in pressures (and hence fully rated pipeline design pressures) are high. The requirements for subsea HIPS are, however, more onerous than for surface located HIPS, given the additional elements that have to be incorporated to achieve fully remote testing and integrity assurance, and the difficulties associated with repair or component replacement.
Pre-qualification, design effort and quality control are likely to be integral factors in achieving successful subsea HIPS application.

10.2 Subsea HIPS Requirements
For general requirements related to the application of subsea HIPS, reference shall be made to API RP 170 "Recommended Practice for Subsea High Integrity Pressure Protection Systems (HIPPS)" [14]. Whilst subsea HIPS have obvious benefits, their use requires a significantly higher focus on reliability and availability. Design of subsea HIPS shall consider both the cost and difficulty of replacing defective components and the increased complexity involved in testing the systems to ensure that performance requirements are met. At the same time, system design must minimise the potential for spurious trips and resultant production loss. This is often a balancing act: measures that increase integrity can add nuisance trips that reduce availability, whilst increased redundancy may improve availability and reliability but requires more components that may fail. Consideration should be given to a number of factors in selecting and designing subsea HIPS, including the following:
● Diversity of control functions;
● In-built remote communications;
● Autonomous shutdown functions;
● Remote testability;
● Remote diagnostics;
● Space (inclusion within the subsea control module (SCM));
● Weight (SCM must be ROV friendly);
● Power (within standard SCM design, no batteries);
● Functionality under all operating conditions, including cold start-up.
General requirements relating to the design and specification of subsea HIPS shall be in accordance with other sections of this standard. Specific requirements relating to subsea HIPS are described below.

10.2.1 HIPS Configurations
The principal benefit of subsea HIPS lies in the ability to rate the pipeline, and risers where applicable, for a lower pressure than the maximum wellhead shut-in pressure of the wells. For all subsea HIPS, consideration shall be given to the requirements for a transition or fortified zone rated for a higher pressure than the pipeline, but less than wellhead shut-in pressure. The length of the fortified section shall be established on a case-by-case basis. Dynamic assessments shall be conducted to support this design: the length of the fortified zone is a function of how far the pressure wave travels before the HIPS has time to sense the rise in pressure and close the HIPS valves (refer also to Section 10.2.6). The HIPS modules can be located on the wells/trees, pipeline end terminations or manifolds depending on the subsea architecture. The general architecture of the overpressure protection is expected to be similar in nature to that for topsides HIPS, i.e.
● Process (ESD) shutdown via pressure transmitter(s) closing wellhead wing and master valves;
● The subsea HIPS itself;
● Protection against HIPS valve leakage.
It should be emphasised that the process/ESD shutdown shall also prevent overpressure of the low rated pipeline. System design (incorporating dynamic analysis) shall demonstrate that the normal ESD trip of the wells acts sufficiently fast to provide this protection. This may influence the length of any fortified zone. In a similar manner to topsides HIPS, all subsea HIPS shall be designed to be SIL 3. However, integrity requirements shall be assessed for each application in the usual manner, in this case taking into account the proposed pipeline and remote riser design and commercial and environmental factors. As for topsides HIPS, BG does not allow application of SIL 4 systems; should this be considered necessary, it should be addressed by providing additional layers of protection in addition to a SIL 3 HIPS. Overall system architecture (HIPS plus process/ESD shutdown) shall be established so as to meet company risk targets, including financial and environmental targets (as per the BG Safety Case Standard [7]). The enhanced requirements for remote testability and fault diagnosis implicit in subsea HIPS influence the ideal system configuration that should be adopted. It may also be impracticable to locate pressure transmitters in de-rated piping downstream of any fortified zone, potentially remote from the HIPS valves. The requirement in Section 9.3.1 to locate HIPS pressure transmitters only in the lower rated piping shall not apply to the design of subsea HIPS. In this case, the location of transmitters shall be established so as to best enable remote testing of the system and regular diagnostic tests on individual components. Consideration must also be given to the need to use pressure readouts to help confirm closure action of valves, monitor pressure build-up or decline etc.
More detail is provided in the sections below.

Commentary: For subsea HIPS, where reliance is placed entirely on remote testing and successful operation must be verified remotely from field devices, pressure signals, valve positions etc., it becomes even more critical that function testing of the HIPS can be achieved, and success assured, at the pressure-initiated set point. There would be issues with achieving this for transmitters located in the lower rated piping (not least the impracticality of pressurising the pipeline section for such a test). This promotes location of transmitters upstream of the HIPS valves in the case of subsea HIPS.

Commentary: The required transmitter/valve configuration and redundancy should be established for each application. Adoption of twin banks of 2oo3 voting transmitters with redundant solenoids closing multiple (two or more) HIPS valves is a commonly adopted approach for subsea HIPS; either bank tripping closes the HIPS valves. The system may have more or fewer transmitters or HIPS valves, but the logic arrangement is much the same. A variation which has proved successful for one HPHT subsea HIPS used a suite of four pressure transmitters acting on two HIPS valves, with two transmitters located upstream of the first valve and two between the valves. All four transmitters may trigger HIPS valve closure based on 2oo4 voting; loss of one transmitter leaves HIPS initiation based on 1oo3. The location of transmitters in this arrangement allows both diagnostic checks between the transmitters and leak testing of the two HIPS valves.
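The voting behaviour described in the commentary above (2oo4 falling back to 1oo3 when one transmitter is lost) is shown below as an added illustration; it is not part of the BG standard and not the logic of any real logic solver. The same routine is applied to the 1oo2 and 2oo3 field input configurations of Figures 9.2 and 9.3. The degradation policy is an assumption made for the example: a channel that fails its diagnostics, has no valid signal, or is overridden for a remote test is removed from the vote and the required count is reduced by one (never below 1), and losing more channels than `max_lost` tolerates forces a fail-safe trip. All tags, set points and readings are constructed sample values.

```python
"""M-out-of-N HIPS trip voting with diagnostic degradation (added illustration, not from the standard).

Assumed policy (not from the standard): lost channels (diagnostic fault, no signal,
or overridden for test) are dropped from the vote and M is reduced by one, floor 1;
more than max_lost lost channels is a fail-safe trip.  Sample tags and values only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Channel:
    tag: str
    value: Optional[float]      # pressure reading; None = no valid signal
    healthy: bool = True        # verdict of the transmitter's internal diagnostics
    overridden: bool = False    # inhibited for a remote test


@dataclass
class Verdict:
    trip: bool
    mode: str                   # e.g. "2oo4", "1oo3 degraded", "failsafe"
    voted_high: Tuple[str, ...]  # tags that were at or above the set point


def hips_vote(channels: List[Channel], m: int, setpoint: float, max_lost: int = 1) -> Verdict:
    """Trip decision for MooN voting over `channels`.

    A channel counts as lost if it is unhealthy, overridden, or has no reading.
    With `lost` channels gone the vote becomes (m - lost)oo(n - lost), floor 1.
    Losing more than max_lost channels (or all of them) is resolved to the safe
    state, i.e. trip, rather than carrying on with a vote that can no longer be met.
    """
    n = len(channels)
    if not 1 <= m <= n:
        raise ValueError(f"{m}oo{n} is not a valid voting scheme")
    active = [c for c in channels if c.healthy and not c.overridden and c.value is not None]
    lost = n - len(active)
    if lost > max_lost or not active:
        return Verdict(True, "failsafe", ())
    m_eff = max(1, m - lost)
    high = tuple(c.tag for c in active if c.value >= setpoint)
    mode = f"{m_eff}oo{len(active)}" + (" degraded" if lost else "")
    return Verdict(len(high) >= m_eff, mode, high)


def make_channels(*values: Optional[float]) -> List[Channel]:
    """Constructed sample transmitters PT-1 .. PT-n with the given readings (bar)."""
    return [Channel(f"PT-{i + 1}", v) for i, v in enumerate(values)]


def example_scenarios() -> dict:
    """Constructed cases for the four-transmitter 2oo4 arrangement at a 200 bar set point,
    plus the 2oo3 (Figure 9.3) and 1oo2 (Figure 9.2) input configurations."""
    sp = 200.0
    two_high = make_channels(201.0, 198.0, 203.0, 150.0)
    one_high = make_channels(201.0, 198.0, 199.0, 150.0)
    one_high_one_faulty = make_channels(201.0, 198.0, 199.0, 150.0)
    one_high_one_faulty[3].healthy = False          # PT-4 fails diagnostics -> 1oo3
    two_lost = make_channels(150.0, 150.0, None, 150.0)
    two_lost[3].healthy = False                     # PT-3 no signal and PT-4 faulty -> fail-safe
    return {
        "2oo4 two high": hips_vote(two_high, 2, sp),
        "2oo4 one high": hips_vote(one_high, 2, sp),
        "2oo4 one high, PT-4 faulty": hips_vote(one_high_one_faulty, 2, sp),
        "2oo4 two channels lost": hips_vote(two_lost, 2, sp),
        "2oo3 two high": hips_vote(make_channels(205.0, 205.0, 100.0), 2, sp),
        "2oo3 one high": hips_vote(make_channels(205.0, 100.0, 100.0), 2, sp),
        "1oo2 one high": hips_vote(make_channels(100.0, 205.0), 1, sp),
    }


if __name__ == "__main__":
    for name, verdict in example_scenarios().items():
        print(f"{name:30s} trip={verdict.trip!s:5s} mode={verdict.mode}")
```

Note that the degraded 1oo3 state is more trip-prone (a single high reading now trips), which is the intended direction: the design accepts a higher spurious trip probability rather than a lower probability of acting on a real demand, and the diagnostic loss itself should be alarmed and repaired within the time assumed by the reliability analysis.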
Remote manual shutdown capability shall be provided for subsea HIPS, together with the ability to override inputs and test outputs remotely, including partial closure testing of valves (refer to the Sections below). Subsea HIPS shall be failsafe on loss of electrical power or electrical control signal; failsafe solenoid valves should be used to help achieve this. Failsafe functionality shall be retained on loss of communications with the platform/control centre or beach, but loss of communications should not automatically generate a HIPS trip. Consideration shall be given to where provision of installed spare components/redundancy may help meet system availability requirements, allowing for testing (refer to Section 10.2.9) without loss of overpressure protection.

10.2.2 Field Inputs
A key element in designing any HIPS is maximising diversity between components to reduce the risk of common mode failures either leading to spurious trips or reducing the integrity of the system. Consideration should be given to using different types of transmitters in a similar manner to topsides HIPS, but in the case of subsea HIPS additional consideration shall be given to design approaches that best meet the above objectives, e.g.
● Combination of digital and analogue transmitters;
● Use of transmitter designs/suppliers with proven designs in subsea service and with pertinent reliability data available;
● Location of transmitters to minimise common mode risks such as blockage, i.e. spatial diversity;
● Location of transmitters on top of pipe to reduce the risk of hydrate or sand clogging (although this is beneficial for all HIPS).
Commentary: Note that in the typical field configuration discussed above, the HIPS transmitters were selected as analogue type so as to offer diversity in comparison with the digital transmitter(s) triggering the process/ESD shutdown of the wellhead valves, thereby reducing the probability of common mode failures between ESD and HIPS. In addition, the two upstream transmitters were located several metres upstream of the valves to further reduce the probability of more than two sensors failing simultaneously from a common cause.
10.2.3 Logic Solver

Logic solvers for subsea HIPS shall be certified for SIL 3 by an independent competent body (e.g. TUV, Exida).

Commentary: The ProSafe-SLS system supplied by Yokogawa for many subsea HIPS has been certified up to safety integrity level (SIL) 4.
It is essential to ensure that, whilst the HIPS status and features to facilitate remote testing are available in the surface/topsides control room (via the subsea control system), this is entirely separate from the HIPS itself and cannot compromise the safety function. Modification or repair of the logic systems will typically require retrieval of the SCM.

10.2.4 Final Elements
Given that valves may sometimes be the least reliable components of any HIPS, and given that component replacement for a subsea system is both difficult and costly, it is essential that high integrity valves are utilised as part of subsea HIPS. Valves shall be selected that are able to seal against pressure from either direction. As for topsides HIPS valves, loss of hydraulic pressure shall force the valve to close in a failsafe manner. Consideration shall be given to independence and redundancy of the hydraulic supplies serving HIPS compared with ESD in order to achieve the required system integrity and availability. In comparison with topsides systems, valves for subsea applications may require a greater degree of testing in order to suitably qualify them for the combinations of pressure, temperature and potentially solids production under which they may have to operate. Failure mode, effects and criticality analysis (FMECA) shall be considered in order to improve the reliability of valve/actuation and ensure that the arrangement is failsafe. In multi-well arrangements (e.g. linking to a common manifold), design of hydraulic systems shall ensure that the required opening time of valves is not impacted by potential pressure differences between the wells.

10.2.5 Cold Re-Starts

The situation with respect to managing cold re-starts is largely the same as for any subsea tieback, whether the HIPS is subsea or topsides. However, locating HIPS subsea imposes particular requirements on the design of the HIPS components. Due consideration shall be given in subsea HIPS designs to cold re-start operations and how these will be managed. HIPS valves and piping (both upstream and downstream) shall be designed to handle the lowest temperatures possible due to a combination of ambient conditions and high pressure drop temperature loss across both the subsea choke and, potentially, HIPS valves opening on re-start. Provision of methanol (or similar) shall be made as necessary to help manage such restarts. Cold re-start operations shall not be allowed to compromise the reliability of subsea components forming part of the HIPS, and this must be recognised during the design, reliability analysis and testing (i.e. quality assurance) process. In particular, consideration must be given to how high differential pressures are to be managed on re-starts (hot or cold).
For topsides HIPS, bypass arrangements are proposed to bleed off upstream high pressure until the differential is low enough to allow HIPS valve re-opening without risking valve seat damage (even where rated to open on maximum differential); refer to Section 9.3.6. Such arrangements may be impracticable subsea due to the increased complexity incurred, in which case it is particularly important to ensure that the selected materials and the reliability of components impacted by the operation (e.g. HIPS valve re-opening at potentially high differential pressure) are not compromised. For subsea systems, consideration should be given to the benefits and environmental implications of venting locally to facilitate HIPS valve re-opening at reduced pressure differential (i.e. venting the section between well valves/chokes and HIPS valves).

10.2.6 Dynamic Analysis
Some references have been made in the paragraphs above to the particular requirements for dynamic analysis to support subsea HIPS designs. Whilst performance requirements may be less severe than for topsides HIPS, where the high pressure interface is much closer to the low pressure processing systems, subsea HIPS must still be designed for the worst case blockage scenario and due consideration shall be given to such events. The most onerous case is typically an assumed hydrate blockage located just downstream of the HP/LP interface. In cases where a fortified zone is included, this worst blockage may be a blockage at the transition to the lower rated pipeline. Dynamic modelling shall be used to support the adopted design pressures for the pipeline and the requirements for a fortified zone (design pressure and length). It is even more critical for subsea HIPS, which are difficult and costly to access and/or repair, that sufficient attention is paid to the risks of shock loads and vibration during HIPS operations, re-starts etc. Design of subsea HIPS shall include shock loading and vibration analysis in tandem with dynamic response assessments to ensure that the system design is robust against these risks.

10.2.7 HIPS Valve Leakage
Whilst leakage past HIPS valves is liable to take a significant time to pressurise the downstream pipeline in subsea applications, dependent on pipeline length and leakage rate, consideration shall be given in all subsea HIPS applications to the implications of such leakage and the need for protection against this event.

10.2.8 Diagnostic Capability
Design of subsea HIPS shall utilise intelligent or smart devices (e.g. transmitters) with programmable failure modes based on internal diagnostics. Diagnostic capability, for example to detect and respond to abnormal function or readings of a transmitter, is particularly important for subsea HIPS given the enhanced reliability requirements and the even greater need to assure failsafe operation.

10.2.9 Testing
For any HIPS, testing in order to confirm functionality and performance is fundamental to the lifecycle maintenance of the protection system, but for subsea HIPS the requirements for testing become even more onerous given the need to conduct it fully remotely and the likely impracticality of repair or replacement. Local manual intervention (whether by diver, where possible, or ROV) to assist testing is generally impracticable, and so the system design shall provide the flexibility to allow all component tests and diagnostic checks to be readily implemented remotely.
In order to demonstrate system functionality and performance and improve the reliability of the system, the following elements shall be incorporated into test routines for subsea HIPS:
● Full functional test of the complete system (as required by IEC 61508/511);
● Leak test of the HIPS valves;
● Test that HIPS valves start to close on demand (i.e. partial stroke test);
● Pressure sensor verification test.
Test intervals required for the complete system test (typically annual) and the secondary tests (typically more frequent) shall be established as part of the reliability analysis of the system (as with any HIPS). It should be understood, however, that more testing may be justified for subsea HIPS simply because of the implications of component failure on availability. As with any HIPS, complete system testing (i.e. to full valve closure) is usually conducted at operating pressure and not at the actual maximum (wellhead shut-in) pressure that applies. This may be even more the case for subsea HIPS, where extreme well shut-in pressures have helped drive the selection of a subsea HIPS. Where there is a substantial difference between operating (i.e. HIPS test) pressure and the maximum shut-in pressure, procedures shall be developed, forming part of the performance standard and testing routines, that verify closing time at test pressure against a closing-time versus pressure curve (to establish the closing time at maximum well pressure).

Commentary: The following lists some typical test elements that could apply for the kind of HIPS configuration described above (two pressure transmitters (PT) upstream of the first HIPS valve and two between the HIPS valves). This should be taken as indicative only; actual requirements will depend on the configuration selected for a given application and the reliability demands for that system. In all cases, procedures should be developed that enable full testing of all system components:
● Electrical isolation of one PT upstream of the HIPS valves and one PT between the valves;
● This initiates shutdown due to loss of 2oo4 signals and the HIPS valves should close;
● The remaining PTs are available to monitor pressure upstream and between the valves as they close;
● Pressures and valve positions should be monitored and logged during this process to verify that the valves close as intended;
● The pressure build-up upstream of the HIPS should also cause a test of the ESD shutdown of wellhead valves as part of the same test;
● To test that the transmitters trip at the set-point, the pressure is relieved in the system and between the valves, allowing the system to be reset, at which point the upstream HIPS valve can be re-opened;
● Methanol (or MEG or similar) can then be injected to increase pressure beyond the set-point of the HIPS, which should result in all four pressure sensors signalling a trip and the open valve closing (the total time from set-point initiation to completed valve closure being recorded, as usual for HIPS);
● To verify leakage, pressure can be reduced to a specified value between the valves (but above the downstream settled-out pipeline pressure) and stabilisation of pressures monitored; if the pressure is then increased upstream of the first HIPS valve and left to stabilise, increasing pressure between the valves would indicate leakage across the first valve and decreasing pressure would indicate leakage across the downstream valve;
● Partial function tests may also help demonstrate valves moving to close on demand and so improve reliability: a simulated trip signal from the control room triggers closure of the valves, but the system resets automatically after only a few seconds, re-opening the valves. With correct timings the valves should not fully close during this process (thereby maintaining production), but verification that they are not stuck open is obtained. As well as avoiding production loss, this test has no negative impact on the safety function and is readily performed from the control room;
● Common cause failure of pressure sensors should also be tested, via a procedure that verifies that all transmitters are active and reading the same pressure; reference may be made to the pressure downstream of the choke, and changes to all HIPS transmitters confirmed where this is modified slightly by adjustment of the choke.
One particular concern with pressure transmitters (whether topsides or subsea) is the potential for blockages to occur in the impulse lines. As already noted, separating banks of transmitters may help reduce the risk of coincident impact on multiple devices, as would locating instrument connections on the top of pipes, but there remains a need to assure the correct functionality of safety critical trip devices. Consideration shall be given to providing online capability for clearing impulse lines, particularly in respect of hydrate blockage risk (e.g. provision of appropriate methanol (or similar) injection facilities). Consideration shall also be given to the potential for wax blockages in waxy fluid service and the possible need for solvent injection to deal with blockages. Commentary: One technique which has been applied uses injection of methanol to clear impulse lines, also acting as a sensor test, since the methanol injection is expected to introduce an instantaneous overpressure (for that instrument) and generate a trip condition, thus testing the device. This test produces an alarm but no overall trip, since only one channel has tripped.
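The voting and test behaviour described in the test routine above and in the impulse-line commentary can be made concrete in a small model. The following is an added illustration written for this page, not code from the standard or from any HIPS vendor or logic solver: it assumes a 2oo4 transmitter group (two upstream, two between the valves), an assumed set-point of 300 barg, and constructed pressure readings. It shows why electrical isolation of two transmitters trips the valves, why the single-transmitter methanol test raises only an alarm, how the inter-valve pressure trend in the leak test identifies the leaking valve, and how the partial stroke timing proves the valve is not stuck without completing closure.

```python
"""Model of the 2oo4 transmitter voting and the remote test routine described
above. This is an added illustration, not code from the standard or from any
HIPS vendor: the channel count, the set-point and every pressure value are
assumed for the example."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

SET_POINT_BARG = 300.0   # assumed HIPS trip set-point


class Vote(Enum):
    HEALTHY = "healthy"  # reading below set-point
    TRIP = "trip"        # reading at or above set-point
    FAULT = "fault"      # isolated, signal lost or diagnostics failed


@dataclass
class Transmitter:
    tag: str
    location: str               # "upstream" of or "between" the HIPS valves
    reading: Optional[float]    # barg; None when electrically isolated
    diag_ok: bool = True        # result of the smart device's own diagnostics


def channel_vote(tx: Transmitter, set_point: float = SET_POINT_BARG) -> Vote:
    """Fail-safe channel logic: a lost signal or a diagnostic fault is a trip
    demand, never a healthy reading."""
    if tx.reading is None or not tx.diag_ok:
        return Vote.FAULT
    return Vote.TRIP if tx.reading >= set_point else Vote.HEALTHY


def evaluate_2oo4(txs: List[Transmitter], set_point: float = SET_POINT_BARG) -> Dict[str, object]:
    """2oo4 voting: two or more demanding channels (faults included) trip the
    valves; exactly one demanding channel raises an alarm only, which is what
    the single-transmitter impulse-line test relies on."""
    votes = {t.tag: channel_vote(t, set_point) for t in txs}
    demanding = sum(1 for v in votes.values() if v is not Vote.HEALTHY)
    return {"votes": votes, "trip": demanding >= 2, "alarm": demanding == 1}


def classify_leak(p_between: List[float], p_downstream: float, tol: float = 0.5) -> str:
    """Leak test: both valves closed, inter-valve pressure set above the
    settled-out downstream pressure, upstream re-pressurised and left to
    stabilise. The inter-valve trend then identifies the leaking valve."""
    if p_between[0] <= p_downstream:
        raise ValueError("inter-valve pressure must start above the downstream pressure")
    delta = p_between[-1] - p_between[0]
    if delta > tol:
        return "upstream valve leaking"
    if delta < -tol:
        return "downstream valve leaking"
    return "no detectable leakage"


def partial_stroke(closure_time_s: float, reset_after_s: float, stuck: bool = False) -> Dict[str, object]:
    """Partial stroke test: a simulated trip is reset after a few seconds, so the
    valve starts to move but should not reach full closure. Travel is taken as
    linear in time (an assumption for the example)."""
    travel = 0.0 if stuck else min(1.0, reset_after_s / closure_time_s)
    return {"travel_fraction": travel,
            "fully_closed": travel >= 1.0,
            "proved_not_stuck": 0.0 < travel < 1.0}


def run_remote_tests() -> Dict[str, Dict[str, object]]:
    """Walk through the test sequence above with constructed readings."""
    txs = [Transmitter("PT-1", "upstream", 250.0), Transmitter("PT-2", "upstream", 250.0),
           Transmitter("PT-3", "between", 250.0), Transmitter("PT-4", "between", 250.0)]
    healthy = evaluate_2oo4(txs)
    # 1. Isolate one upstream and one inter-valve PT: loss of 2oo4, valves close.
    txs[0].reading = None
    txs[2].reading = None
    isolation = evaluate_2oo4(txs)
    # 2. Pressure relieved, system reset, upstream valve re-opened, methanol
    #    injected above the set-point: all four channels trip the open valve.
    for t in txs:
        t.reading = 305.0
    set_point = evaluate_2oo4(txs)
    # 3. Impulse-line clearing on one transmitter: momentary overpressure on that
    #    channel only, so an alarm is raised but no trip.
    for t in txs:
        t.reading = 250.0
    txs[1].reading = 320.0
    single_channel = evaluate_2oo4(txs)
    return {"healthy": healthy, "isolation": isolation,
            "set_point": set_point, "single_channel": single_channel}


if __name__ == "__main__":
    for step, result in run_remote_tests().items():
        print(f"{step}: trip={result['trip']} alarm={result['alarm']}")
    print(classify_leak([120.0, 121.5, 123.0], p_downstream=100.0))
    print(partial_stroke(closure_time_s=20.0, reset_after_s=3.0))
```

The point of treating an isolated or diagnostically faulted channel as a demand rather than as healthy is that a test or a fault can never silently degrade the voting towards "do nothing"; the leak-test precondition check is there because a falling inter-valve pressure only implicates the downstream valve when the inter-valve pressure started above the downstream settled-out pressure.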
The design of subsea HIPS and test routines shall ensure that genuine trip demands are not disabled during test cycles.

10.2.10 Maintenance Implications
The design of subsea HIPS must take into account the difficulties in repairing or maintaining components as indicated in the paragraphs above. Consideration shall be given in all cases to how the subsea systems are configured in a manner that most readily supports intervention for repair and retrieval should this prove necessary. Consideration should be given to making as many components as possible reasonably replaceable by diver or ROV intervention should the need arise. Maximising the HIPS components incorporated into an SCM, which would typically be retrievable to surface, would be one means of achieving this intent. It would also encourage provision of suitable isolation for components (e.g. instruments), even where this in itself may pose a potential cause of failure for that device.

10.2.11 Remote Risers
For many applications of subsea HIPS, the HIPS will be protecting a high inventory pipeline and remote riser, the failure of which would constitute a major hazard. Whilst the subsea HIPS enables a reduced design pressure to be applied to the pipeline system rather than fully rating this, special attention must be paid to remote risers, where any system failure would pose a greater personnel hazard (than subsea). For systems encompassing a subsea HIPS, particular consideration shall be given to the design pressure adopted for remote risers, and any adjacent fortified zone (at the riser end). This might need to be greater than that for the pipeline in order to provide greater assurance against loss of containment, e.g. should the HIPS valves leak. Design of the fortified zone and riser up to and including at least the riser ESD valve shall at least be to a “no-burst” condition (whereby an engineering assessment confirms a low probability of leak or rupture when subjected to the maximum possible pressure, typically <0.05). Other factors such as application of an SSIV, available time for manual intervention etc. should be taken into account in the analysis.
Consideration shall also be given to adopting a “no yield” approach (whereby an engineering assessment confirms that the pipework is not expected to be stressed beyond yield, and not to leak, when subjected to the maximum possible pressure). The selected approach shall be supported by appropriate ALARP justification. Commentary: The UK Health and Safety Executive, for example, prefer to see remote risers in subsea HIPS installations designed to be inherently safe, i.e. fully rated, even where the pipeline is de-rated (Reference 13). Where the inherently safe design is deemed impracticable, mechanical pressure relief is preferred. Only when this is also impracticable is reliance on HIPS considered justifiable, and then as a back-up to the ESD. The UK HSE require that a “no-burst” riser is applied for subsea HIPS, as well as consideration of options such as topsides relief, provision of an SSIV or subsea relief (e.g. effectively inclusion of a weak, or sacrificial, pipeline section remote from the manned facilities). It must be shown that each option is demonstrated to be not reasonably practicable before an option with less inherent safety is adopted.
Where a “no-burst” approach is adopted for remote risers protected by subsea HIPS, no credit shall be taken for a corrosion allowance contribution to preventing burst unless a rigorous in-service inspection regime is implemented. The design strength of the riser (and any fortified zone) shall be sufficiently greater than that of the main pipeline such that, in the event of a HIPS failure, the main pipeline section (at a safe distance from the installation, typically at least 500 m) would fail rather than the riser. Note that in avoiding connections outboard of riser valves (Reference 1), there is unlikely to be a pressure detector on the riser. If there were a communications link failure with the subsea control module then the pressure condition in the pipeline and riser would be unknown. Consideration should be given to implementing an autonomous well ESD trip after an appropriate time-out period for loss of communications.
11.0 HIPS Operation and Maintenance

11.1 Training and Competence
It is a requirement of BS IEC 61508 that “any persons involved in any overall electrical / electronic / programmable electronic systems or software safety lifecycle activity, including management activities, should have the appropriate training, technical knowledge, experience and qualifications relevant to the specific duties they have to perform”. It is therefore essential that adequate competence-based training is provided to all operating and maintenance personnel so as to ensure the integrity of all HIPS is maintained as designed. Such training shall encompass awareness of all aspects of the HIPS function and performance standard, but in particular the test and maintenance requirements pertinent to each system. Operator training should aim to raise awareness amongst operators of factors that might impact on the validity of the HIPS design and its performance, whether in terms of integrity (reliability of components, assumptions on failure modes etc.) or response (changing process conditions, plant throughput, fluid properties etc.). Routine assessment by an independent verification party shall be employed to ensure that training / competence is being maintained through the plant lifecycle.

11.2 Maintenance
Every HIPS shall be operated, maintained and tested in accordance with its performance standard throughout the lifetime of the plant, so long as the overpressure risk (or similar) still applies. The frequency of testing shall not be allowed to fall short of the set requirement. It is important to recognise that for safety critical systems such as HIPS, it is necessary to ensure both maintenance of the achieved reliability (i.e. SIL in this context) and system functional performance (i.e. response time) throughout the plant lifecycle. Aspects integral to the design of the HIPS such as voting configuration, diagnostics, set point, response time, test interval, plant line-up, demand reducers etc. (as indicated in the performance standard) must be preserved throughout the life of the facility. It is crucial that maintenance and testing activities ensure that these parameters remain as originally defined. Where differences from the original specification are identified then steps shall be taken to rectify this. Commentary: One physical example might be lengthening valve closure times, in which case prevention of overpressure may not be guaranteed. Shortening closure times may also generate surge effects outwith the design. A less apparent example might be actual plant component reliability differences from that assumed in the original reliability analysis.
11.3 Change Management
All management of change shall be subject to the BG Management of Change Standard (Reference 4). The other aspect of maintaining the HIPS design and operation in line with its performance standard relates to material changes in the plant operation or configuration that might impact the protection afforded by the HIPS. Two principal elements of lifecycle design shall be considered:
● Changes that affect the HIPS response performance;
● Changes that affect the HIPS reliability / integrity.
HIPS Performance
Changes that could impact the response time performance of the HIPS can be established from the performance standard for each HIPS. These would encompass factors that determine the rate of pressure rise in the system (or deviation of any other critical feature such as temperature, level, composition) and those that establish how quickly the system can respond to prevent overpressure (or any other pertinent “out of the design envelope” condition). They may include, but are not necessarily limited to, the following:
● Changes in process conditions;
● Changes in fluid properties;
● Changes in production rates, GORs, CGRs, water cuts;
● Changes in plant line-up;
● Changes in system boundaries;
● Changes in system architecture or configuration;
● Changes to HIPS set-point;
● Changes in system logic or cause and effect modifications;
● Changes in system design – new equipment, piping changes etc.;
● Changes in valve specification – control valve trims, opening / closing times etc.;
● Deterioration in valve closure (or opening) performance;
● Changes to other elements that may be integral to the overall system protection (such as relief valve set pressure / capacity, restriction orifice size etc.).
Whilst HIPS designs are typically engineered to be as flexible as possible to cover a range of expected operations, they are for the most part relatively restrictive, given the often tight margins between the design response requirements and what is achievable by the installed systems at the production rates required. Commentary: This depends to a large extent on the system protected by the HIPS. HIPS protecting topsides systems from platform wellhead pressures may have limited time margins available for HIPS response, whereas HIPS protecting the entry to a long pipeline section may have greater margins by virtue of a larger system capacity and therefore a slower rate of pressure rise.
Every asset shall regularly review the design basis for HIPS to ensure that nothing has changed relative to the original assumptions. Production/fluid behaviour/conditions at variance from the design expectations, or varying over time, would be one such example that might escape the more rigid management of change process (as not reflecting a material change); see below. The normal management of change processes shall encompass a formal review of the possible impacts on HIPS designs of any proposed change to plant operation or configuration. The most obvious of these would be plant throughput changes, but anything from the list above might apply. Such changes shall not be implemented until the HIPS performance has been confirmed as still acceptable and/or system modifications completed to ensure this is the case. This may necessitate revised calculations to confirm the HIPS design (e.g. dynamic modelling).

HIPS Reliability
Equally important is the reliability achieved by the installed HIPS. The required system reliability in terms of the safety integrity level (SIL) and the inferred probability of failure on demand (PFD) would have been assessed on the basis of both the nature of potential overpressure hazards and the probable demand rate on the system. At the same time, the PFDs and SILs achieved for each HIPS would have been determined on the basis of assumed failure rates for HIPS components (e.g. transmitters, logic, valves etc.) and the frequency at which these systems would be tested.
Regular review of these underlying assumptions shall be conducted, both to confirm that they remain valid and, where relevant, to potentially support adoption of less stringent test frequencies. There is an inherent need to justify the continuing application of an instrumented protection system by establishing that assumed demand and failure rate data continue to apply:
● Demand rates should be recorded with plant monitoring and maintenance systems and periodically compared to those used to set target SILs;
● A continuing process of recording component performance data is necessary to confirm (and potentially modify) the failure rate data originally applied, i.e. recording successful component / system operation and detailing all component failures (and modes of partial or total failure) that contribute to overall failure rate data (e.g. for valves, as well as failure to close on demand this would include failure to completely close, delayed operation and evidence of significant leakage after closure);
● Statistical failure rate data accumulated over time should periodically be compared with that used in the reliability analysis and the achieved SIL reassessed.
Commentary: In some cases, where conservative failure rate data might have been used in the original analysis and where this resulted in an onerous test frequency, it may be possible to justify a longer test period once sufficient data has been collected to support adoption of less conservative failure rates in the analysis. It should be recognised that many HIPS components may be common with other elements across the plant (e.g. shut-off valves), hence extending the source of data for the archive.
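The relationship between assumed failure rates, test interval and achieved PFD that the review above depends on can be worked through numerically. The following is an added example, not part of the standard or its referenced reports: it applies the simplified IEC 61508-6 average-PFD expressions for MooN groups of identical channels with a beta-factor common-cause term, and every failure rate, beta value and architecture below (2oo4 transmitters, 1oo1 logic, 1oo2 valves, the subsea configuration discussed earlier) is an assumed value chosen for illustration. It computes the loop PFD at an annual test interval, the SIL band this falls in, and how far the test interval could be extended if in-service records justified a lower valve failure rate while the target PFD is held.

```python
"""Worked proof-test interval review for a HIPS loop, as discussed above.
Added example, not part of the standard: it applies the simplified average-PFD
expressions of IEC 61508-6 for MooN groups of identical channels with a
beta-factor common-cause term. Every failure rate, beta and interval below is
an assumed value for illustration, not data from the standard or its references."""
from math import comb
from typing import List, Optional, Tuple

HOURS_PER_YEAR = 8760.0
PROOF_TEST_STEP_H = 720.0   # candidate intervals are evaluated on a 30-day grid

# Low-demand SIL bands (IEC 61508-1): (SIL, PFDavg lower bound, upper bound)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# (M, N, lambda_DU per hour, beta) for each subsystem of the loop
Subsystem = Tuple[int, int, float, float]


def pfd_avg_moon(m: int, n: int, lambda_du: float, t_hours: float, beta: float = 0.0) -> float:
    """Average PFD of an MooN voted group over proof-test interval T.

    Independent part: C(N, K) * ((1-beta) lambda_DU T)^K / (K+1), with
    K = N-M+1 channels needing to fail dangerously. This is the time-average of
    the probability that K of N channels have failed by time t and is only a
    good approximation while lambda_DU*T << 1. The common-cause part
    beta*lambda_DU*T/2 behaves like a single 1oo1 channel."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    lam_t = lambda_du * t_hours
    if lam_t > 0.1:
        raise ValueError("lambda_DU*T too large for the simplified expression")
    k = n - m + 1
    independent = comb(n, k) * ((1.0 - beta) * lam_t) ** k / (k + 1)
    common_cause = beta * lam_t / 2.0
    return independent + common_cause


def loop_pfd(subsystems: List[Subsystem], t_hours: float) -> float:
    """Loop PFDavg as the sum of its sensor, logic and final-element groups."""
    return sum(pfd_avg_moon(m, n, lam, t_hours, beta) for m, n, lam, beta in subsystems)


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band achieved; 0 means the PFD is worse than SIL 1."""
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4   # below 1e-5: no higher band exists


def max_test_interval_hours(subsystems: List[Subsystem], target_pfd: float,
                            max_years: float = 10.0) -> Optional[float]:
    """Longest proof-test interval on the 30-day grid at which the loop still
    meets target_pfd. PFDavg grows monotonically with T, so stop at the first
    interval that fails (or at which the simplified formula stops applying)."""
    best = None
    i = 1
    while i * PROOF_TEST_STEP_H <= max_years * HOURS_PER_YEAR:
        t = i * PROOF_TEST_STEP_H
        try:
            if loop_pfd(subsystems, t) > target_pfd:
                break
        except ValueError:
            break
        best = t
        i += 1
    return best


def example_loop(valve_lambda_du: float = 1.0e-6) -> List[Subsystem]:
    """Assumed architecture for the worked case: 2oo4 pressure transmitters,
    a 1oo1 logic solver and 1oo2 HIPS valves, with assumed lambda_DU and beta."""
    return [
        (2, 4, 0.3e-6, 0.05),          # transmitters
        (1, 1, 0.02e-6, 0.0),          # logic solver
        (1, 2, valve_lambda_du, 0.1),  # HIPS valves
    ]


def review(target_pfd: float = 1e-3) -> dict:
    """Compare the design-basis valve failure rate with a lower rate supported
    by in-service records (assumed to be half the design value) and see how far
    the test interval could be extended while holding the target PFD."""
    design = example_loop(1.0e-6)
    observed = example_loop(0.5e-6)
    annual = loop_pfd(design, HOURS_PER_YEAR)

    def years(hours: Optional[float]) -> Optional[float]:
        return None if hours is None else hours / HOURS_PER_YEAR

    return {
        "annual_pfd": annual,
        "annual_sil": sil_from_pfd(annual),
        "max_interval_years_design": years(max_test_interval_hours(design, target_pfd)),
        "max_interval_years_observed": years(max_test_interval_hours(observed, target_pfd)),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value:.4g}" if isinstance(value, float) else f"{key}: {value}")
```

Two features of the result are worth noting. With the assumed beta values the common-cause terms dominate the voted groups, so halving the valve failure rate extends the justifiable interval roughly in proportion, whereas adding more voted channels would not; and the interval search refuses to extrapolate once lambda_DU*T leaves the region where the simplified expressions hold, which is the kind of caveat a reviewer should expect to see stated alongside any proposal to lengthen a test period.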
A programme shall be established for the periodic review of each HIPS application to confirm its applicability to ongoing production conditions and requirements. Such system design reviews shall be built into operator maintenance schedules. Commentary: Such a review might be instigated on a checklist basis at a prescribed frequency. It should be triggered automatically as part of management of change for any system modifications deemed to have an impact on any HIPS operation or the assumptions integral to the HIPS design.
12.0 Appendices

12.1 Appendix A – Definitions / Abbreviations
Definitions

COMPANY: BG Group or a wholly owned subsidiary company or other client organisation;
CONTRACTOR: The person, firm or company undertaking to supply services, plant or equipment to which this document applies;
SHALL: A mandatory term - no dispensation is permitted without written approval using the formal dispensation procedure;
GROUP TECHNICAL AUTHORITY: The manager or principal discipline engineer responsible for producing and maintaining a given Standard / Guideline; reviews and either approves or rejects Dispensation Requests made against BG Standards by Asset / Project.
Abbreviations
ALARP: As Low As Reasonably Practicable
API: American Petroleum Institute
API RP: American Petroleum Institute Recommended Practice
ASME: American Society of Mechanical Engineers
BS: British Standard
CGR: Condensate Gas Ratio
DCS: Distributed Control System
DIN: Deutsches Institut für Normung
EN: European Norm
ESD: Emergency Shutdown
ESDV: Emergency Shutdown Valve
FASI: Functionality, Availability, Survivability and Interdependencies
FEED: Front End Engineering Design
GOR: Gas Oil Ratio
HIPS: High Integrity Protection System
HIPPS: High Integrity Pressure Protection System
HP: High Pressure
HPHT: High Pressure High Temperature
IEC: International Electrotechnical Commission
IGE: Institution of Gas Engineers
IP: Institute of Petroleum
IRPA: Individual Risk (of Fatality) Per Annum
ISO: International Organization for Standardization
LOPA: Layers of Protection Analysis
LP: Low Pressure
MAWP: Maximum Allowable Working Pressure
OPPS: Over Pressure Protection System
P&ID: Piping and Instrumentation Diagram
PCV: Pressure Control Valve
PD: Published Document
PED: Pressure Equipment Directive
PFD: Probability of Failure on Demand
PRV: Pressure Relief Valve
PSV: Pressure Safety Valve
QEV: Quick Exhaust Valve
QRA: Quantitative Risk Analysis
RO: Restriction Orifice
ROV: Remotely Operated Vehicle
RP: Recommended Practice
SCM: Subsea Control Module
SI: Système International d’Unités
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System
SRS: Safety Requirement Specification
SSIV: Subsea Isolation Valve
TUV: Technische Überwachungsvereine
UKOOA: United Kingdom Offshore Operators Association
12.2 Appendix B – Units
Company requirements are that metric SI units shall be used throughout. If an asset requires Imperial units to be used for clarity, then SI units shall be stated, followed by the local requirement in brackets. The following exceptions shall apply:
● Pressure shall be expressed as either gauge pressure in barg or absolute pressure in bara, gauge pressure being referenced to Standard Atmospheric pressure of 1.01325 bara;
● Temperature shall be expressed as degrees Celsius (°C);
● Dynamic viscosity shall be expressed as centipoise (cP).
In addition, the following common industry units shall also be used (applying dual units where appropriate):
● Volume gas flow in million standard cubic feet per day (MMscfd);
● Volume liquid flow in barrels per day (bpd) or US gallons per minute (gpm) as appropriate;
● Stock tank oil/condensate flow shall be expressed in stock tank barrels per day (stbpd) and reflect the oil/condensate volumetric flow after flashing to stock tank conditions of 1.01325 bara and 15.5556 °C.
The definition of Standard Conditions for pressure and temperature that shall be applied is 1 atmosphere pressure (or 1.01325 bara) and 15.5556 °C (rather than 1 atmosphere and 273.15 K (0 °C)). Any deviations from this definition, to be consistent with local standards, shall be discussed and agreed with BG Advance Engineering but shall, as a minimum, be fully defined in the project Basis of Design.

12.3 Appendix C – Referenced / Associated Documents
BG Standards / Guidelines:
1. BG Standard “Safe Plant and Equipment Isolation”, BGA-ENG-PROC-TS-0002.
2. BG Standard “Relief, Blowdown and Flaring”, BGA-ENG-PROC-TS-0003.
3. BG Guideline “Specifying and Achieving Functional Safety”, BGA-ENG-INST-GL-0002.
4. BG Standard “Management of Change (MOC)”, BGA-BGA-GEN-OS-0003.
5. BG Standard “The Purpose, Development and Application of BG Standards and Guidelines”, BGA-ENG-GEN-OS-0001.

6. Recommended Failure Rates for Use in Safety and Reliability Studies, Technis Report No. T393, dated 19 February 2008.
7. BG Standard “Safety Case”, BGA-HSSE-SAF-ST-1526.
8. UK Offshore Operators Association (UKOOA) “Guidelines for Instrument-Based Protective Systems”, Issue 2, November 1999.
9. American Institution of Chemical Engineers, Center for Chemical Process Safety, Guidelines for Process Equipment Reliability Data.
10. Safety Integrity Assessment of Mokveld HIPP Systems, Technis Report No. T392, dated 19 February 2008.
11. “High Integrity Protective Systems for Reactive Processes”, SIS-TECH Solutions, Chemical Processing, March 2004.
12. The Institute of Gas Engineers “Pressure Regulating Installations for Transmission and Distribution Systems”, IGE/TD/13.
13. Health and Safety Executive, HID Semi Permanent Circular “High Integrity Pressure Protection Systems (HIPPS) for the Overpressure Protection of Pipeline Risers”, SPC/TECH/OSD/31, Version 3, November 2008.
14. API RP 170, Recommended Practice for Subsea High Integrity Protection Systems (HIPPS), First Edition, October 2009.

12.4 Appendix D – Revision Record
Issue No. / Description of Revision

1.0a: Source of cost per life value used in ALARP analysis updated in paragraph 6.5.3, failure to close data for Mokveld valves updated in paragraph 6.6.2 and Reference 7 revised to reflect later source of Mokveld failure rate data.

2.0: Introduction revised to match updated standard template.

2.0a: Mark Nishapati added to approvers; Michael Tousignant removed.

3.0:
Paragraph 1.0 – New Executive Summary section (replaces Introduction).
Paragraph 2.0 – New Ownership section added.
Paragraph 3.0 – Clarification regarding the acceptability of applying IGE/TD/13 for transmission and distribution systems (new Objectives section, previously paragraph 1.1).
Paragraph 4.0 – Minor text change regarding direct acting HIPS (new Scope and Application section, previously paragraph 3.0).
Paragraph 5.0 – New Links to Other Controls section added.
Paragraph 6.0 – Updated API RP/STD references, including reference to API RP 170 for subsea HIPPS (new Standard Requirements section, previously paragraph 2.0).
Paragraph 7.0 – Reference to subsea tiebacks clarified; other minor wording changes (previously paragraph 4.0).
Paragraph 8.0 – Previously paragraph 5.0.
Paragraph 8.1 – Requirements of API STD 521 updated to reflect Fifth Edition (May 2008 Addendum); reference added to API RP 170 for subsea HIPS (previously paragraph 5.1).
Paragraph 8.2 – Clarification regarding the acceptability of applying IGE/TD/13 for transmission and distribution systems; reference to new section on subsea HIPS added (previously paragraph 5.2).
Paragraph 9.0 – Previously paragraph 6.0.
Paragraph 9.1 – Minor wording changes (previously paragraph 6.1).
Paragraph 9.2 – Minor wording changes (previously paragraph 6.2).
Paragraph 9.3 – Clarification added regarding direct acting HIPS (no logic solver); clarification added regarding single final elements; implications for subsea HIPS added (previously paragraph 6.3).
Paragraph 9.3.1 – References to reactive and preventative HIPS added; allowance of HIPS transmitters downstream of the HP/LP interface included for HIPS protecting pipelines (e.g. subsea HIPS); wording clarified (previously paragraph 6.3.1).
Paragraph 9.3.2 – Minor wording change regarding potential for direct acting HIPS (no logic solver) (previously paragraph 6.3.2).
Paragraph 9.3.3 – Minor wording change regarding reference to reliability of final element(s) (previously paragraph 6.3.3).
Paragraph 9.3.4 – Previously paragraph 6.3.4.
Paragraph 9.3.5 – Previously paragraph 6.3.5.
Paragraph 9.3.6 – Reference added to re-start for preventative HIPS configurations; paragraph added regarding management of high differential pressure, and low temperature risk, across riser ESDVs; some minor wording change (previously paragraph 6.3.6).
Paragraph 9.3.7 – Previously paragraph 6.3.7.
Paragraph 9.3.8 – Previously paragraph 6.3.8.
Paragraph 9.4 – Previously paragraph 6.4.
Paragraph 9.5 – Minor wording change, reference to LOPA (previously paragraph 6.5).
Paragraph 9.5.1 – Minor wording change, reference to LOPA (previously paragraph 6.5.1).
Paragraph 9.5.2 – Clarification added for IRPA target for new and existing facilities; reference to BG Safety Case Standard added; section references updated; references made to BG Guideline Specifying and Achieving Functional Safety added for modifying factors/probabilities and typical failure rate data to be used in quantified analysis (previously paragraph 6.5.2).
Paragraph 9.5.3 – Reference revised to only the BG Guideline Specifying and Achieving Functional Safety for cost per life saved basis for use in ALARP justification (previously paragraph 6.5.3).
Paragraph 9.6 – Section reference updated (previously paragraph 6.6).
Paragraph 9.6.1 – Assumed reliability of a relief valve and application of this updated to be consistent with the BG Guideline Specifying and Achieving Functional Safety; references updated (previously paragraph 6.6.1).
Paragraph 9.6.2 – Clarification added regarding the use of Mokveld valves as final elements; references updated (previously paragraph 6.6.2).
Paragraph 9.6.3 – Reference added for assessment of reliability for the hydraulic Mokveld