
Aramco Paper HIPS 2007

Issue 1
HIP Systems 04 Page 1
APPLYING IEC61508 / IEC61511 TO HIPS SYSTEMS
by
KGL Simpson and KJ Kirkcaldy

Functional Safety Consultancy Limited
Broadlands Business Campus,
Langhurstwood Road,
Horsham UK, RH12 4PN
www.fsafetyc.com

Abstract
This paper presents a typical wellhead and pipeline analysis and illustrates the application
of IEC61508 and IEC61511 by providing assessments on the various High Integrity
Protective Systems (HIPS) designs that are used to provide the required protection against
over-pressure and loss of containment events.
The study found that not all HIPS installations have a SIL3 requirement. SIL targets are
determined by local factors such as the hazard frequency and the consequential effects on
the local environment, the population density and available mitigation such as the
independent layers of protection that apply and may range from SIL3 to no SIL requirement.
It is therefore important to analyse target SIL requirements for each specific case since
compliance with higher SILs inevitably leads to a higher spurious trip rate and
consequently, higher costs in terms of capital equipment, loss of revenue and maintenance
of complex redundant configurations.

1 APPLYING IEC61508 / IEC61511 TO HIPS SYSTEMS
1.1 Background
In the process industry, loss of containment due to vessel or pipeline overpressure is an important
concern. The release of flammable, explosive or toxic chemicals can impact the personal safety,
the environment and can result in economic effects due to asset damage, environmental clean-up
costs and loss of production.
In the past, industry standards such as those from the American Petroleum Institute (API) provided
the basis for the design and protection of vessels and pipelines against rupture or damage caused by
excess pressure. In general, these requirements only allowed mechanical pressure relief devices,
such as pressure-relief or safety valves, to be used as the primary means of pressure protection.
Conventional design of pressure relief systems, including relief header and flare sizing, did not take
into account the reduction in the potential hazard provided by other means of mitigation such as
alarms or instrumented systems.
New standards, IEC 61508 and IEC 61511, have been introduced. These are performance-based,
non-prescriptive standards and formally allow the use of instrument-based HIPS to form part, or all,
of the defence. Such a system should operate independently of the other systems in the installation.
With HIPS, protection against overpressure is achieved by quickly isolating the source causing the
overpressure, in contrast to relief systems, where the overpressure is relieved to atmosphere.
1.2 Analysing the Hazard
The hazard analysis should follow a structured, systematic approach, using a multidisciplinary team
consisting of representatives from process engineering, operations, safety, instrumentation /
electrical and maintenance. Typical hazard analysis approaches include Hazard and Operability
Study (HAZOP) and Hazard Analysis (HAZAN). These analyses can involve the use of Layer Of
Protection Analysis (LOPA), dispersion modelling and Failure Modes, Effects, and Criticality
Analysis (FMECA).
The hazard analysis examines operating (e.g. start-up, shutdown and normal operation) and upset
conditions that result in overpressure. The causes of overpressure should be reviewed to include
all of the potential sources of over-pressure which could lead to the hazard. For example, the
hazard analysis should examine the following initiating causes for overpressure events:
- equipment failures;
- instrumentation malfunctions;
- loss of utilities;
- runaway reactions;
- fire exposure;
- operating errors;
- maintenance errors.
The hazard analysis should document the propagation of each potential overpressure event from
the initiating cause to the final consequence.
The risk of each overpressure scenario is evaluated in terms of frequency and consequence. The
hazard analysis includes the mitigated frequency of each overpressure scenario by assessing the
initiating cause frequency and risk reduction provided by any independent protection layers.
1.3 HIPS System Requirements
A HIPS requirements specification must be developed to address each overpressure scenario that
will be addressed using HIPS. This should describe how and under what conditions the HIPS will
mitigate each overpressure scenario, including a functional logic description with trip set points and
device fail-safe state. Only those scenarios that can be successfully mitigated by the HIPS can be
considered for removal from the pressure relief, or flare loading calculations.
When specifying the process performance of HIPS, the process dynamics must be evaluated to
ensure that the HIPS response time is fast enough to prevent overpressure of the vessel or pipe.
The response time must be evaluated by considering the time it takes to sense that there is an
over-pressure condition. The valve specification must include acceptable leakage rate, since this
affects downstream pressures and relief loading. The valve specification must also ensure that the
actuator functions correctly under the worst-case, upset pressure condition. In addition to the
safety functional requirements, the SIL target level and proof test frequency should be specified.
2 DETERMINING SIL TARGETS
2.1 Introduction
A generic approach was taken so that typical SIL targets could be determined for common
installation configurations based on potential causes of loss of containment, e.g. leaks from valves,
flanges and corrosion, and the possible consequences of such an event as a result of its location,
its effect on the local population and environment and the commercial consequences of asset
damage and loss of revenue.
The objective of taking this approach was to develop a generic model to determine the
requirements for the implementation of Safety Instrumented Systems (SIS) at typical upstream
facilities. The approach allowed the development of a commercial model that optimised the
requirements in terms of capital cost, configuration and maintenance (test frequency) and risk,
including cost of failure, environmental clean-up and loss of production.
The study looked at a typical production network in order to:
- determine the risk posed to the piping system rated at class ANSI-600 without over-pressure
protection;
- evaluate the risk gap in terms of the probability of failure on demand (PFD) and SIL target
for implementing SIS on the production wells where necessary, to reduce the residual risk
to an agreed tolerable level.
2.2 Hazard Identification
A HAZOP approach was adopted to identify potential hazards resulting from loss of containment
events. The well configurations considered for analysis included naturally flowing hydrocarbon wells
and high-pressure shut-in wells.
The generic production network was divided into the following nodes for analysis:
- Wellhead to wing valve;
- Wing valve to pipeline specification break (e.g. 1500/600);
- Specification break to isolation valve at remote header (scraper launcher facilities are
provided and flowlines are tied-in to trunklines);
- Remote header to production header.
2.3 Results of HAZOP
The HAZOP worksheets are summarised below. The study found that the potential existed for loss of
containment events to result in the serious injury or fatality of maintenance personnel. Such
hazards could result from:
- leaks above ground leading to gas release and fire or explosion;
- overpressure events leading to pipe rupture, gas release and fire or explosion.
Initiating causes of leaks were identified as:
- loss of containment of flanges and valves;
- corrosion failures;
- mechanical damage as a result of collisions with vehicles;
- corrosion failure during plant shutdown;
- pipe rupture as a result of overpressure events caused by:
  - pressure surge due to plant trip;
  - closure of isolation valve due to operator error;
  - isolation valve gate drops and causes inadvertent closure.
2.4 Establishing SIL Targets
Based on published risk acceptance criteria, the HAZOP results were imported into a Layers of
Protection Analysis (LOPA) to determine hazard frequencies, the risk gap and the SIL
requirements for any required protection systems.
LOPA considered each hazard identified by HAZOP and documented the initiating causes and the
protection layers that prevent or mitigate the hazard. The total amount of risk reduction was then
determined and the need for more risk reduction analyzed.
If additional protection was to be provided in the form of a SIS, the methodology would allow the
determination of the appropriate SIL and the required Probability of Failure on Demand (PFD).
The analysis assumed that inspection and maintenance activities, e.g. corrosion prevention,
followed the highest industry standards and included:
- inspection procedures;
- cathodic protection and monitoring;
- repair and maintenance.
A conservative approach was taken and no credit assumed for inspection and maintenance since
the estimation of initiating event frequencies already took these procedures into account.
2.5 Results of the LOPA
The LOPA found that there were some requirements for implementing SIS on production wells, to
reduce the residual risk to an agreed tolerable level. The required risk reduction targets included
SIL3 (the highest), SIL2, SIL1 and (SIL1) (see Note 1 to Table 1).
The results of the LOPA are summarised in Table 1.
TABLE 1. RESULTS OF SIL DETERMINATION

| Environment | Initiating Cause | SIL Target |
|---|---|---|
| Populated area | Leaks due to component failures and corrosion, overpressure conditions and pipeline damage. | SIL3 |
| Populated area | Leaks due to component failures and corrosion. | SIL2 |
| Non-populated area | Leaks due to component failures and corrosion, overpressure conditions and pipeline damage. | SIL2 / SIL1 / SIL1 / (SIL1) (Note 1) |
| Non-populated area | Leaks due to component failures and corrosion. | None |

Note 1: the category (SIL1) denotes that some risk reduction is required but not sufficient to
demand a SIL1 system, i.e. the required PFD is between 0.1 and 1.
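The LOPA step of section 2.4 and the (SIL1) category of Note 1 can be written out as a small calculation: the initiating event frequency is multiplied by the PFD of each independent protection layer that applies, the result is compared with the tolerable frequency for the environment, and the ratio is the PFD the SIS must provide. The following is an added example, not the paper's own model; every frequency, protection-layer PFD, tolerable-risk figure and scenario name in it is constructed for illustration, and the tolerable frequencies are simply set an order of magnitude apart to reflect the populated versus non-populated distinction of section 2.5.

```python
# Added worked example, not from the paper: a LOPA-style SIL target calculation
# in the sense of section 2.4 and Note 1 of Table 1. Every frequency, PFD value
# and scenario name below is constructed for illustration.

# Tolerable hazard frequencies (events per year), constructed. Section 2.5
# notes the populated-area criterion is an order of magnitude more stringent.
TOLERABLE_PER_YEAR = {"populated": 1.0e-5, "non-populated": 1.0e-4}


def sil_target_from_required_pfd(required_pfd):
    """Map the PFD the SIS must achieve to a target label: the IEC 61508
    low-demand bands, the paper's "(SIL1)" category for a required PFD
    between 0.1 and 1 (Note 1), and "None" when no SIS is needed."""
    if required_pfd >= 1.0:
        return "None"
    if required_pfd >= 0.1:
        return "(SIL1)"
    if required_pfd >= 0.01:
        return "SIL1"
    if required_pfd >= 0.001:
        return "SIL2"
    if required_pfd >= 0.0001:
        return "SIL3"
    return "SIL4"


def mitigated_frequency(initiating_per_year, ipl_pfds):
    """Hazard frequency after crediting each independent protection layer
    (IPL) with its PFD. No credit is taken for inspection and maintenance,
    following the conservative choice made in section 2.4."""
    f = initiating_per_year
    for pfd in ipl_pfds:
        f *= pfd
    return f


def lopa_scenario(name, initiating_per_year, ipl_pfds, environment):
    """Return the mitigated frequency, the risk gap expressed as the PFD the
    SIS must provide, and the resulting SIL target for one scenario."""
    f_mit = mitigated_frequency(initiating_per_year, ipl_pfds)
    required_pfd = TOLERABLE_PER_YEAR[environment] / f_mit
    return {"scenario": name, "mitigated_per_year": f_mit,
            "required_pfd": required_pfd,
            "sil_target": sil_target_from_required_pfd(required_pfd)}


# Constructed scenarios: initiating event frequency per year, the PFD of each
# IPL credited (here one operating-procedure layer at 0.1), and environment.
SCENARIOS = [
    ("rupture from overpressure, populated area",     0.2,    [0.1], "populated"),
    ("rupture from overpressure, non-populated area", 0.2,    [0.1], "non-populated"),
    ("flange leak, non-populated area",               0.02,   [0.1], "non-populated"),
    ("small leak, remote non-populated area",         0.002,  [0.1], "non-populated"),
    ("corrosion leak, remote non-populated area",     0.0005, [0.1], "non-populated"),
]


def run_lopa(scenarios=SCENARIOS):
    """Evaluate all scenarios; returns {scenario name: result dict}."""
    return {name: lopa_scenario(name, f, ipls, env)
            for name, f, ipls, env in scenarios}


if __name__ == "__main__":
    for r in run_lopa().values():
        print(f"{r['scenario']:48s} mitigated {r['mitigated_per_year']:.1e}/yr "
              f"required PFD {r['required_pfd']:.1e} -> {r['sil_target']}")
```

Run as a script it prints one line per scenario; the same initiating event lands one SIL higher in the populated area than in the non-populated area, which is the effect Table 1 reports, and the two lowest-frequency scenarios fall into the (SIL1) and None categories of Note 1.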
The results of the analysis show that the significant driver in determining the SIL target is whether
the hazard can occur in a populated area or not.
The severity of the consequences of a hazard is generally considered less acceptable when the
public are affected and the maximum tolerable risk is less, in such circumstances, by an order of
magnitude.
The initiating causes are also significant factors in determining SIL targets since they determine the
hazard frequency. In this analysis, it was considered that the risk of loss of containment due to
leaks and pipeline damage due to external events such as over-pressure and vehicle collisions,
was more likely than significant leaks due to component failures or corrosion.
Operating Procedures and Operator Training may prevent high pressure events by ensuring wells
are shut down prior to maintenance. Appropriate operating procedures, together with personnel
trained in these procedures, could provide additional mitigation.
Ignition control could prevent fire but would be ineffective against H2S release. Application of
ignition control (e.g. by hazardous area classification) should reduce the probability of a loss of
containment event being ignited and causing a fire. However, due to the H2S within the well fluids,
an un-ignited loss of containment could still be hazardous to personnel.
3 SIL ASSESSMENT OF HIPS SYSTEMS
3.1 Non-Electrical HIPS Systems
A SIL Assessment of typical configurations of HIPS (High Integrity Protective System) was carried
out in order to evaluate the performance against the established targets. The assessment
considered HIPS in simplex 1oo1, duplex 1oo2, 2oo3 and triplex 1oo3 configurations and
calculated performance for proof test intervals up to 4 years.
HIPS provides pipeline protection against over-pressure and mitigates environmental damage and
asset loss as a result of loss of containment events by detecting under-pressure conditions.
The following aspects were assessed against the SIL targets:
- the calculation of Probability of Failure on Demand (PFD) including the contribution from
common mode failures;
- the architectural performance of the HIPS including the determination of Safe Failure
Fraction (SFF) using Failure Modes, Effects and Criticality Analysis (FMECA) of HIPS
components where necessary;
- systematic errors assessed by evidence of proven-in-use.
The suitability of the solution was also assessed in terms of:
- the spurious trip rate (STR) of the HIPS;
- the sensitivity of the PFD and architectural performance against the target SIL for various HIPS
configurations and proof test intervals.
3.2 System Description
The HIPS consists of a typical self-contained hydraulic actuator operating from a pilot supply fed
directly from the flowline.
The actuator has high and low pressure trip points and holds the gate valve open against the return
spring pressure, provided the pilot pressure is within the high and low trip limits. If a trip level is
exceeded, the mechanism of the actuator enables the return spring to close the HIPS valve. On
detecting high or low pressure, the HIPS valve is closed.
Since the HIPS is an entirely mechanical system and contains no electrical apparatus within the
safety function, nor requires any external electrical power to operate, standards IEC61508 and
IEC61511 are not directly applicable. The analysis has, however, been performed against the
requirements of the standards as a consistent means of assessing competing configurations.
A simplified schematic showing the components of the HIPS is presented in Figure 1, but reference
should be made to the project documentation for a full description of the HIPS.



FIGURE 1. HIPS SCHEMATIC
[Figure: simplified schematic of the HIPS. Labelled components: Wellhead, Pressure Tapping,
Threaded Joint, Manual Gate Valve, T-Piece, Piping, Union, Tubing, SC Hydraulic Actuator,
HIPS Valve, Export Pipeline.]

3.3 Methodology
The Failure Modes, Effects and Criticality Analysis (FMECA) provides a stand-alone, bottom-up
analysis of single-point failures of the self-contained ESDV hydraulic actuator. The boundary of the
analysis is the actuator itself as described by the functional schematic shown in Figure 2.
FIGURE 2. ESDV SCHEMATIC
[Figure: functional schematic of the self-contained ESDV hydraulic actuator. Labelled
components: Pipeline Pilot Pressure Inlet, Hand Pump, Reservoir, Suction Screen, Check Valve
Suction, Discharge Screen, Check Valve Discharge, Temp Fuse, Accumulator, Pressure Relief Valve,
Pressure Reducing Valve, Latching Trip Valve (LTV), HP/LP Trip Control Valve (TCV), Valve
Actuator (Open/Closed), High Pressure for Actuator, Low Pressure for Control, Return Pressure.]

For each component part, the FMECA was conducted at a functional level. Functional failure
modes were postulated and the effects of failure at ESDV and safety function level were evaluated.
The analysis was documented in the form of FMECA Worksheets which detail the functions
considered, the failure modes postulated and the analysed effects. The worksheets also quantify
the rate of occurrence of each failure effect and in each case, show the calculation of SFF.
Normally, field failure data, or appropriate data provided by the manufacturer, is the preferred
source for reliability and safety studies but as field data was not available, a Parts Count Reliability
Prediction approach was used to quantify the FMECA. Faradip was used as a source of published
data for the components of the self-contained hydraulic actuator assembly. This data source
generally gives a close comparison with field data, and the results were compared with other
published data sources, in order to ensure that the failure rate value used in the analysis was
reasonable and conservative.
3.4 General Assumptions
The analysis assumes constant failure rates and therefore the effects of early failures are expected
to be removed by appropriate processes. It is also assumed that functions are not operated beyond
their useful life thus ensuring that failures due to wear-out mechanisms do not occur.
Actuators and valves were considered to be Type A (as defined in IEC61508), in that they are not
complex programmable devices and their failure modes and behaviour under fault conditions are
well defined.
The analysis assumes that proof tests are 100% effective.
If a failure occurs, it is assumed that on average it will occur at the mid point of the test interval. In
other words, the fault will remain undetected for 50% of the test period.
For the purposes of the analysis, it has been assumed that there are no diagnostics on the HIPS
and therefore all dangerous failure modes have been classified as dangerous undetected failures.
3.5 Failure Rates of Components
Table 2 presents the failure rates of the HIPS ESDV component parts used in the analysis.
TABLE 2. SELF-CONTAINED ESDV COMPONENT FAILURE RATES

| Item Ref | Device | Failure Rate (/hr) | Data Source / Comments |
|---|---|---|---|
| 1 | Accumulator | 5.00E-07 | Faradip, v6.0. |
| 2 | Trip Control Valve | 3.50E-09 | Faradip, v6.0. Fail to operate 90% |
| 3 | Latching Trip Valve | 3.50E-09 | Faradip, v6.0. Fail to operate 90% |
| 4 | Pressure Reducing Valve | 1.50E-07 | Faradip, v6.0. Leak 50%, blocked 25% |
| 5 | Pressure Relief Valve | 1.50E-07 | Faradip, v6.0. Leak 50%, blocked 25% |
| 6 | Check Valve Discharge | 1.00E-07 | Faradip, v6.0. 80% passing |
| 7 | Screen Discharge | 1.50E-07 | Faradip, v6.0. Leak 30%, blocked 70% |
| 8 | Hand Pump and Reservoir | 5.00E-08 | Faradip, v6.0. Stop 70%, low output 30% |
| 9 | Check Valve Suction | 1.00E-07 | Faradip, v6.0. 80% passing |
| 10 | Screen Suction | 1.50E-07 | Faradip, v6.0. Leak 30%, blocked 70% |
| 11 | Valve Actuator | 7.50E-07 | Faradip, v6.0. Failure mode ratio exida |
| 12 | Temperature Fuse | 2.50E-08 | Faradip, v6.0. Fail to relieve 0.003 |
| 13 | Pressure Lines | 5.00E-11 | Faradip, v6.0. Hydraulic pipework section. |
| 14 | Return Lines | 5.00E-11 | Faradip, v6.0. Hydraulic pipework section. |
| 15 | Flowline Inlet | 5.00E-11 | Faradip, v6.0. Hydraulic pipework section. |
| 16 | Filler / Breather | 2.00E-08 | Faradip, v6.0. Hydraulic connector. |
| Total | | 2.15E-06 | Compares with actuator failure rate of 1.94E-06, exida |

3.6 FMECA Results
The failure rates calculated by the FMECA are summarised in Table 3 and used in the SIL
Assessment.
TABLE 3 SUMMARY OF FMECA RESULTS

| Parameter | Failure Rate (/hr) |
|---|---|
| Fail to trip on HP | 1.58E-07 |
| Fail to trip on LP | 1.58E-07 |
| Dangerous Undetected Failure Rate λDU | 3.16E-07 |
| Dangerous Detected Failure Rate λDD | 0.00E+00 |
| Safe Failure Rate λS | 1.04E-06 |
| Non-safety related Failure Rate λnon-SR | 7.96E-07 |


The calculated failure rates allowed the SFF of the self-contained hydraulic actuator to be
determined:
SFF = 87%
It should be noted that in practical terms, since the self-contained ESDV is non-electrical, the
architectural requirements of IEC61508 do not strictly apply and its suitability in terms of risk
reduction can be determined by virtue of its PFD alone.
3.7 Spurious Trip Rate (STR) Analysis
The HIPS System will trip spuriously in response to safe failures of the components of each self-
contained hydraulic actuator or ESD Valve. These failure rates are summarised in Table 4.
TABLE 4 CALCULATION OF STR

| Item / Function | λS (/hr) | Source |
|---|---|---|
| Pressure Tapping | 9.90E-10 | Faradip, v6.0. Hydraulic threaded joint. Blockage 1% assumed based on NPRD-85. |
| Threaded Joint | 9.90E-10 | Faradip, v6.0. Hydraulic threaded joint. Blockage 1% assumed based on NPRD-85. |
| Hand Gate Valve (FC) | 9.90E-07 | Faradip, v6.0. Gate Valve. Ratios NPRD-85. Blockage 1% assumed based on NPRD-85. |
| T-piece Plugged | 2.97E-09 | Faradip, v6.0. Mechanical or welded union (3 off). Blockage 1% assumed based on NPRD-85. |
| Piping | 9.90E-10 | Faradip, v6.0. Hydraulic pipework section. Blockage 1% assumed based on NPRD-85. |
| Union | 9.90E-10 | Faradip, v6.0. Mechanical or welded union. Blockage 1% assumed based on NPRD-85. |
| Tubing | 9.90E-10 | Faradip, v6.0. Hydraulic pipework section. Blockage 1% assumed based on NPRD-85. |
| Self-contained ESDV (spurious trip on HP) | 1.04E-06 | FMECA [Appendix 1] |
| Gate Valve 4" (HIPS), fail to close | 3.60E-06 | SINTEF, PDS Data Handbook, ESV, p63 |
| Total STR / branch | 5.64E-06 | |

Therefore for a simplex HIPS safety function in a 1oo1 configuration, the total STR is 5.64E-06 /hr
which is equivalent to a mean time between spurious trips of approximately 20 years.
3.8 SIL Assessment
A SIL Assessment was carried out on simplex 1oo1, duplex 1oo2, 2oo3 and triplex 1oo3
configurations of High Integrity Protection Systems (HIPS), based on the requirements of
IEC61508 and IEC61511. The analysis was conducted in order to determine whether the
configurations analysed:
- provided an adequate level of risk reduction;
- are not over-designed, i.e. the level of redundancy has been optimised.
3.9 Accounting for Common Cause Failures
Common mode failures are failures that may result from a single cause but simultaneously affect
more than one channel. They may result from a systematic fault for example, a design specification
error or an external stress such as an excessive temperature that could lead to component failure
in both redundant channels. It is the responsibility of the system designer to take steps to minimise
the likelihood of common mode failures by using appropriate design practices.
The following lists typical factors that affect the CCF contribution:
- separation over the lengths of redundant channels, with written maintenance procedures to
prevent re-routing;
- field failures are analysed and fed back into the design;
- installers and maintainers understand CCFs;
- personnel access is limited;
- controlled operating environment.
The contribution of Common Cause Failures (CCF) in parallel redundant paths is accounted for by
inclusion of a β-factor. The CCF failure rate that is included in the calculation is equal to β times
the total failure rate of one of the redundant paths.
The BETAPLUS model has been used to estimate the β-factor for the redundant HIPS
configurations. The β-model is the preferred technique because it is objective and provides
traceability in the estimation of β. The model has been compiled to ask a series of specific
questions, which are then scored using objective engineering judgement. The maximum score for
each question has been weighted in the model by calibrating the results of various assessments
against known field failure data.
3.10 Estimation of Common Cause Failure Contribution
For the parallel redundant elements, a CCF β-factor has been estimated based on the BETAPLUS
model judgement tables in Appendix 2. This assesses the degree of channel separation, design
with common mode awareness, diagnostic cover and self-test frequency, and the fact that the
operating environment will be controlled to limit common mode failure risk. It is also assumed that
the system maintainers will be made aware of the risks of common mode failures and that
maintenance of the redundant channels will be staggered. The BETAPLUS model generated β
values for redundant configurations as shown in Table 5.
TABLE 5. BETAPLUS GENERATED CCF CONTRIBUTIONS

| Redundant Configuration | CCF β-factor |
|---|---|
| Series configuration of pressure sense, pilot feed and self-contained ESD Valve | 7% |

Actual in-service performance however, will depend upon the specific installation and the design,
operating and maintenance practices that are adopted.
3.11 SIL Assessment Results
The results of the quantitative SIL Assessment are presented in Table 6.
TABLE 6 SUMMARY OF SIL ASSESSMENT RESULTS

| HIPS Configuration | Tp (mths) | Tp (hrs) | PFD | SIL (PFD) | SIL (Arch) | SIL |
|---|---|---|---|---|---|---|
| HP trip (1oo1) | 12 | 8760 | 1.12E-02 | 1 | 2 | 1 |
| LP trip (1oo1) | 12 | 8760 | 1.12E-02 | 1 | 2 | 1 |
| HP trip (1oo2) | 12 | 8760 | 9.22E-04 | 3 | 3 | 3 |
| LP trip (1oo2) | 12 | 8760 | 9.22E-04 | 3 | 3 | 3 |
| HP trip (2oo3) | 12 | 8760 | 1.26E-03 | 2 | 4 | 2 |
| LP trip (2oo3) | 12 | 8760 | 1.26E-03 | 2 | 4 | 2 |
| HP trip (1oo3) | 12 | 8760 | 7.57E-04 | 3 | 4 | 3 |
| LP trip (1oo3) | 12 | 8760 | 7.56E-04 | 3 | 4 | 3 |

Figure 3 shows how the PFD performance of the analysed configurations varies with proof test
interval. The figure shows that the 1oo3 and 1oo2 configurations have the potential to meet SIL3
for reasonable (annual) proof test intervals. SIL3 can also be achieved by the 2oo3 configuration
with a reduced proof test interval, typically 9 months.
All three redundant configurations meet the requirements of SIL2 for proof test intervals of up to
approximately 4 years. SIL2 can also be achieved by a simplex HIPS configuration for proof test
intervals of up to 9 months.
All HIPS configurations, including simplex 1oo1, meet the requirements of SIL1 for proof test
intervals of up to approximately 4 years.
FIGURE 3 HIPS PERFORMANCE WITH PROOF TEST INTERVAL
[Figure: PFD (logarithmic axis, 1.0E-04 to 1.0E-01) plotted against Proof Test Interval (mths)
from 0 to 48 months for the 1oo1, 1oo2, 2oo3 and 1oo3 configurations, with the SIL1, SIL2 and
SIL3 bands marked.]


For a given SIL target therefore, there are a number of options that could be potentially available in
terms of PFD performance and therefore configuration selection may come down to other issues
such as the spurious trip rate or the life cycle cost.
3.12 Spurious Trip Rate
The calculated spurious trip rate for the configurations analysed is presented in Table 7.
TABLE 7 SUMMARY OF SPURIOUS TRIP RATES

| HIPS Configuration | STR (/hr) | Spurious Trip Interval (yrs) |
|---|---|---|
| STR (1oo1) | 5.6E-06 | 20.2 |
| STR (1oo2) | 1.1E-05 | 10.1 |
| STR (2oo3) | 3.8E-07 | 300 |
| STR (1oo3) | 1.7E-05 | 6.7 |
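
The spurious trip arithmetic of sections 3.7 and 3.12 is worth seeing end to end: the safe failure rates of a series branch add, the branch total is converted to a mean interval, and the voting arrangement then either multiplies the rate (any one branch tripping a 1ooN function) or reduces it to the common cause share (a 2oo3 function needs two branches to fail safe). The block below is an added example, not the paper's calculation. The component rates are those of Table 4; the voting-level models, the reuse of the 7% β of Table 5 for safe failures, and the 8-hour restoration time are the editor's assumptions. Its 2oo3 figure (about 3.9E-07 /hr) is close to, but not identical with, the paper's 3.8E-07 /hr.

```python
# Added worked example, not from the paper: the spurious trip rate (STR)
# bookkeeping of sections 3.7 and 3.12. The component rates are the Table 4
# values; the voting-level models are the editor's (either branch trips a
# 1oo2 function; a 2oo3 function needs two branches to fail safe within one
# repair time, or a common cause event). Reusing the 7% beta of Table 5 for
# safe failures and the 8-hour repair time are assumptions, not paper values.

HOURS_PER_YEAR = 8760.0
BETA = 0.07            # Table 5 beta-factor, assumed to apply to safe failures too
MTTR_HOURS = 8.0       # assumed mean time to restore a spuriously tripped branch

# Table 4: safe (spurious trip) failure rates per branch, /hr
TABLE4_SAFE_RATES = {
    "Pressure Tapping": 9.90e-10,
    "Threaded Joint": 9.90e-10,
    "Hand Gate Valve (FC)": 9.90e-07,
    "T-piece Plugged": 2.97e-09,
    "Piping": 9.90e-10,
    "Union": 9.90e-10,
    "Tubing": 9.90e-10,
    "Self-contained ESDV (spurious trip on HP)": 1.04e-06,
    "Gate Valve 4in (HIPS) fail to close": 3.60e-06,
}


def branch_str(rates=TABLE4_SAFE_RATES):
    """Safe failures of a series branch add: any one of them trips the function."""
    return sum(rates.values())


def str_for_configuration(config, lam_s, beta=BETA, mttr=MTTR_HOURS):
    """Spurious trip rate (/hr) of MooN-voted identical branches."""
    if config == "1oo1":
        return lam_s
    if config == "1oo2":
        return 2.0 * lam_s                      # either branch tripping trips the function
    if config == "1oo3":
        return 3.0 * lam_s
    if config == "2oo3":
        independent = 3.0 * lam_s ** 2 * mttr   # second branch trips while first is out
        return independent + beta * lam_s       # common cause term dominates in practice
    raise ValueError(config)


def spurious_trip_interval_years(str_per_hour):
    """Mean time between spurious trips."""
    return 1.0 / (str_per_hour * HOURS_PER_YEAR)


def str_table(lam_s=None):
    """{configuration: (STR /hr, interval in years)} in the layout of Table 7."""
    lam_s = branch_str() if lam_s is None else lam_s
    out = {}
    for config in ("1oo1", "1oo2", "2oo3", "1oo3"):
        rate = str_for_configuration(config, lam_s)
        out[config] = (rate, spurious_trip_interval_years(rate))
    return out


if __name__ == "__main__":
    print(f"branch STR {branch_str():.2e} /hr")
    for config, (rate, years) in str_table().items():
        print(f"{config}: {rate:.2e} /hr, one spurious trip every {years:.1f} years")
```

The 1ooN intervals of Table 7 follow directly (20.2, 10.1 and 6.7 years); the 2oo3 case shows why that architecture is attractive when spurious trips are costly, since only the β share of the branch rate survives.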

4 HIGH INTEGRITY PROTECTIVE SYSTEM UTILISING A SIS
4.1 System Description
This SIS is a very simple and typical HIPS devoted to protecting the downstream system from
overpressure. When the pressure increases beyond a certain threshold, this is detected by three
pressure sensors feeding a logic solver that implements 2oo3 voting on the sensors. When an
overpressure is detected, a signal is sent to the solenoid valves (SVs), which release the hydraulic
pressure holding the shut-down valves (SDVs) open, allowing strong springs to close them. When
the SDVs are closed the pressure in the system drops.
The overpressure protection system is shown in Figure 4.



[Figure: three pressure sensors (PSH1, PSH2, PSH3) feed a logic solver; its output drives solenoid
valves SV1 and SV2, which act on shut-down valves SDV1 and SDV2.]
FIGURE 4. HIPS ARCHITECTURE
One of the advantages of having an electrical logic solver in a HIPS system is that it is relatively
easy to implement a partial stroke test on the valve.
4.2 Accounting for Partial Stroke Testing

Partial Stroke (PS) testing of valves provides improved diagnostic coverage by exercising the
valves periodically. PS Testing therefore will improve the PFD performance since a greater
proportion of failure mechanisms will be detected and consequently, can allow the proof test
interval to be extended.
Although diagnostic coverage can be increased, PS Testing cannot detect failure of a valve to form
a complete seal on closure and therefore cannot replace Proof Testing of the ESD Valve.
The actual proportion of failure mechanisms detected by PS Testing (the PS Efficiency) depends
upon the valve type, size and the fluid properties of the process. Published studies into the effects
of PS Testing have assumed efficiency values of typically 40% to 80%, mainly depending on how
critical a good seal on closure is to successfully meeting the safety function requirements. With
80% efficiency, 20% of the dangerous failure modes will remain undetected. Hence, a valve with,
say, a 40% dangerous failure mode and a 60% safe (fail shut) failure mode will have a 60% SFF.
However, if partial stroke testing is applied and detects 80% of the dangerous failures, then the
designated safe failures become 60% + (40 x 0.8)% = 92%, giving an SFF of 92%.
For ESD Valves that are in relatively clean service, it is unlikely that a build-up of material will
prevent the valve from closing completely, and an efficiency value near the high end of the range
may be justifiable.
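The 60% to 92% step above is the SFF definition with the partial-stroke-detected share moved from the dangerous-undetected to the dangerous-detected term, and the "Allowed SIL" rows of the assessment tables that follow apply an architectural constraint to that SFF. The block below is an added example, not code from the paper: it implements the SFF arithmetic of this section and an SFF-by-hardware-fault-tolerance lookup. The band tables are the editor's reading of the IEC 61508-2 route 1H tables for Type A and Type B subsystems and should be checked against the standard before use in an assessment; the Table 9 and Table 10 subsystem tuples (SFF, HFT, type) are taken from the paper's stated SFF values, with HFT 1 assumed for the redundant case and HFT 0 for the simplex case.

```python
# Added worked example, not from the paper: the SFF arithmetic of section 4.2
# and the architectural constraint ("Allowed SIL" by SFF and hardware fault
# tolerance) used in Tables 9 to 11. The band tables below are the editor's
# reading of IEC 61508-2 Tables 2 and 3 (route 1H) and should be checked
# against the standard before use in an assessment.


def sff_from_rates(lam_s, lam_dd, lam_du):
    """Safe failure fraction: the share of all failures that are safe or
    dangerous-but-detected. Rates are per hour; only their ratio matters."""
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


def sff_with_partial_stroke(dangerous_fraction, safe_fraction, pst_efficiency):
    """Section 4.2: the dangerous failures that an automatically initiated
    partial stroke test reveals are counted as dangerous-detected, so they move
    into the SFF numerator. With 40% dangerous, 60% safe and 80% PST efficiency
    the SFF rises from 60% to 92%."""
    detected = dangerous_fraction * pst_efficiency
    undetected = dangerous_fraction - detected
    return sff_from_rates(safe_fraction, detected, undetected)


# Maximum SIL claimable for a subsystem, indexed by hardware fault tolerance
# (HFT) and SFF band (<60%, 60-90%, 90-99%, >=99%). Type A covers simple
# devices such as valves and actuators (section 3.4); Type B covers complex
# devices such as transmitters and logic solvers. 0 means "not allowed".
_MAX_SIL_TYPE_A = {0: (1, 2, 3, 3), 1: (2, 3, 4, 4), 2: (3, 4, 4, 4)}
_MAX_SIL_TYPE_B = {0: (0, 1, 2, 3), 1: (1, 2, 3, 4), 2: (2, 3, 4, 4)}


def sff_band(sff):
    """Index of the SFF band used by the architectural constraint tables."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def max_sil_by_architecture(sff, hft, type_a):
    """Highest SIL the subsystem architecture alone allows."""
    table = _MAX_SIL_TYPE_A if type_a else _MAX_SIL_TYPE_B
    return table[hft][sff_band(sff)]


def allowed_sil(subsystems):
    """Architectural SIL of the whole function: limited by the weakest of the
    (sff, hft, type_a) subsystems, as in the 'Allowed SIL' rows of Tables 9-11."""
    return min(max_sil_by_architecture(sff, hft, type_a)
               for sff, hft, type_a in subsystems)


# Tables 9 and 10 subsystems: sensors 90% SFF Type B, logic solver >95% Type B
# (0.96 used here), final element 85% Type A with the PST counted as detected.
TABLE9_SUBSYSTEMS = [(0.90, 1, False), (0.96, 1, False), (0.85, 1, True)]
TABLE10_SUBSYSTEMS = [(0.90, 0, False), (0.96, 0, False), (0.85, 0, True)]


if __name__ == "__main__":
    print(f"SFF without PST: {sff_with_partial_stroke(0.4, 0.6, 0.0):.0%}")
    print(f"SFF with 80% PST: {sff_with_partial_stroke(0.4, 0.6, 0.8):.0%}")
    print(f"Table 9 architecture allows SIL{allowed_sil(TABLE9_SUBSYSTEMS)}")
    print(f"Table 10 architecture allows SIL{allowed_sil(TABLE10_SUBSYSTEMS)}")
```

Note what the lookup makes explicit: adding a redundant valve (HFT 1) raises the final element's allowed SIL from 2 to 3 at the same 85% SFF, and dropping the partial stroke test (the 64% SFF of Table 11) leaves a simplex Type A valve in the same SIL2 band, so in that case the PFD, not the architecture, is what limits the function to SIL1.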
4.3 SIL Assessment of HIPS Utilising SIS
The HIPS comprises:
1. Three pressure transmitters, voted 2oo3 in the logic system. Their contribution to the PFD
will be dominated by the undetected dangerous failures, which are revealed only at proof test,
and by common cause failures.
2. One dual logic solver, which has only a very small undetected dangerous failure rate; this
will dominate its contribution to the PFD.
3. Two SDVs: SDV1 and SDV2.
   a) Each SDV is equipped with one solenoid valve: SV1 for SDV1 and SV2 for SDV2.
   b) SDV movement failures are detected by partial stroke tests.
   c) SDV closure failures are detected by full stroke tests, which are less frequent than
   the partial stroke testing.
Table 8 presents the critical reliability data for all components and the test frequencies.

| Component | Failure Mode | λDU (/hr) | Test interval (months) | β (CCF) % |
|---|---|---|---|---|
| PSH1 (Total = 2.1E-6 /hr) | Fails to issue signal | 0.2E-6 | 12 | 5 |
| PSH2 (Total = 2.1E-6 /hr) | Fails to issue signal | 0.2E-6 | 12 | 5 |
| PSH3 (Total = 2.1E-6 /hr) | Fails to issue signal | 0.2E-6 | 12 | 5 |
| SDV1 (Total = 6.3E-6 /hr) | Failure to move | 1.5E-6 | 3 | 8 |
| SDV2 (Total = 6.3E-6 /hr) | Failure to move | 1.5E-6 | 3 | 8 |
| SDV1 | Failure to fully close | 0.8E-6 | 12 | 8 |
| SDV2 | Failure to fully close | 0.8E-6 | 12 | 8 |
| SV1 (Total = 0.6E-6 /hr) | Failure to move | 0.2E-6 | 12 | 5 |
| SV2 (Total = 0.6E-6 /hr) | Failure to move | 0.2E-6 | 12 | 5 |
| Logic solver (Total = 2.1E-6 /hr) | Failure to act | <0.01E-6 | 12 | - |

TABLE 8. RELIABILITY DATA
The HIPS system shown in Figure 4 can be represented in terms of a reliability block diagram as
shown in Figure 5.

[Figure: reliability block diagram in three sections. Sensor: three PS blocks voted 2oo3. Logic
Solver: LS. Final Element: parallel legs, each comprising an SV block, an SDV fail-to-move block
(SDVFM) and an SDV fail-to-close block (labelled SDUFC in the drawing) in series.]

FIGURE 5. RELIABILITY BLOCK DIAGRAM OF THE HIPS SHOWN IN FIGURE 4
If the failure rate data and proof test data in Table 8 are applied to the above reliability block
diagram, the following results are obtained.

| Element | Sensor | Logic Solver | Final Element | Overall Result |
|---|---|---|---|---|
| Type of subsystem | B | B | A | - |
| SFF / Allowed SIL | 90% / SIL 3 | >95% / SIL 3 | 85% / SIL 3 (the partial stroke test is initiated automatically and is therefore included in the safe failures for the SFF calculation) | SIL 3 |
| PFD / Allowed SIL | 0.00004 | <0.00004 | 0.00045 | 0.00053 / SIL 3 |
| Overall Maximum SIL | | | | SIL 3 |

TABLE 9. SIL 3 HIPPS
The spurious trip rate for the system in Table 8 is 0.08 per year.
If the HIPS system was now only required to meet a SIL2 target the redundant sensor and
actuators could be reduced to simplex and the reliability block diagram would be reduced to that
shown in Figure 6.

[Figure: simplex reliability block diagram. Sensor: a single PS block. Logic Solver: LS. Final
Element: one leg comprising an SV block, an SDV fail-to-close block (labelled SDUFC in the
drawing) and an SDV fail-to-move block (SDVFM) in series.]

FIGURE 6. RELIABILITY BLOCK DIAGRAM OF A SIMPLEX HIPS
If the failure rate data and proof test data in Table 8 are applied to the above reliability block
diagram, the following results are obtained.

| Element | Sensor | Logic Solver | Final Element | Overall Result |
|---|---|---|---|---|
| Type of subsystem | B | B | A | - |
| SFF / Allowed SIL | 90% / SIL 2 | >95% / SIL 2 | 85% / SIL 2 (the partial stroke test is initiated automatically and is therefore included in the safe failures for the SFF calculation) | SIL 2 |
| PFD / Allowed SIL | 0.0009 | <0.00004 | 0.0060 | 0.007 / SIL 2 |
| Overall Maximum SIL | | | | SIL 2 |

TABLE 10. SIL2 HIPPS WITH PARTIAL STROKE TEST
The spurious trip rate for the system in Table 10 is 0.06 per year.
If the HIPS system was now only required to meet a SIL target of 1, the same simplex system as
shown for the SIL2 case could be used but with no partial stroke testing on the actuator.
If the failure rate data and proof test data in Table 8 are applied to the above case, the following
results are obtained.

| Element | Sensor | Logic Solver | Final Element | Overall Result |
|---|---|---|---|---|
| Type of subsystem | B | B | A | - |
| SFF / Allowed SIL | 90% / SIL 2 | >95% / SIL 2 | 64% / SIL 2 | SIL 2 |
| PFD / Allowed SIL | 0.0009 | <0.00004 | 0.011 | 0.012 / SIL 1 |
| Overall Maximum SIL | | | | SIL 1 |

TABLE 11. SIL1 HIPS WITHOUT PARTIAL STROKE TESTING
The spurious trip rate for the system in Table 11 is 0.06 per year.
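The PFD rows of Tables 9, 10 and 11 follow from the Table 8 data with the simplified low-demand formulas that also underlie the proof-test-interval curves of section 3.11 (Figure 3): a dangerous undetected failure is assumed to lie at the mid-point of the proof test interval (section 3.4), and common cause failures enter as the β-factor times the channel λDU (section 3.9). The block below is an added example, not the paper's calculation, and serves both that section and this one. The modelling choices in it are the editor's: repair time and λDD are neglected, the three failure modes of a valve leg are combined by adding their PFDs, the logic solver is taken at its "<0.01E-6" bound, and for the no-PST case of Table 11 the SDV failure-to-move mode is assumed to be revealed only at the 12-month proof test. With those choices it reproduces the paper's overall PFD and SIL for all three tables to within rounding (the 2oo3 sensor value comes out at about 0.00005 rather than 0.00004 because the independent-failure term is kept).

```python
import math

# Added worked example, not from the paper: the simplified low-demand PFD
# formulas of IEC 61508/61511 applied to the Table 8 data, reproducing the PFD
# rows of Tables 9, 10 and 11, the PFD-to-SIL banding of Table 6, and the
# proof-test-interval question that Figure 3 answers graphically. Modelling
# choices are the editor's, not stated in the paper: mid-point of the proof
# test interval (section 3.4); common cause as beta times lambda_DU
# (section 3.9); repair time and lambda_DD neglected; failure modes of a
# valve leg added; logic solver at its Table 8 upper bound; without partial
# stroke testing the SDV failure-to-move mode is revealed only at proof test.

HOURS_PER_MONTH = 8760 / 12


def pfd_moon(lam_du, t_hours, m, n, beta=0.0):
    """Average PFD of an M-out-of-N group of identical channels, proof test
    interval t_hours. Independent term C(N, k) * ((1-beta) lambda T)^k / (k+1)
    with k = N-M+1 channels needing to fail, plus common cause beta lambda T/2.
    Reduces to lT/2 (1oo1), (lT)^2/3 (1oo2), (lT)^2 (2oo3), (lT)^3/4 (1oo3)."""
    if n == 1:
        return lam_du * t_hours / 2.0
    k = n - m + 1
    lt = (1.0 - beta) * lam_du * t_hours
    independent = math.comb(n, k) * lt ** k / (k + 1)
    common_cause = beta * lam_du * t_hours / 2.0
    return independent + common_cause


def sil_from_pfd(pfd):
    """IEC 61508 low-demand bands; 0 means the PFD is above the SIL1 band."""
    if pfd >= 0.1:
        return 0
    if pfd >= 0.01:
        return 1
    if pfd >= 0.001:
        return 2
    if pfd >= 0.0001:
        return 3
    return 4


# Table 8 rows as (lambda_DU per hour, test interval in months, beta)
PS = (0.2e-6, 12, 0.05)               # PSH1..3, fails to issue signal
LS = (0.01e-6, 12, 0.0)               # logic solver, "<0.01E-6" taken as its bound
SV = (0.2e-6, 12, 0.05)               # solenoid valve, failure to move
SDV_MOVE_PST = (1.5e-6, 3, 0.08)      # SDV failure to move, revealed by partial stroke test
SDV_MOVE_NO_PST = (1.5e-6, 12, 0.08)  # assumption: no PST, revealed at proof test only
SDV_CLOSE = (0.8e-6, 12, 0.08)        # SDV failure to fully close, full stroke test


def subsystem_pfd(modes, m, n):
    """Add the MooN PFD of each failure mode making up a subsystem."""
    return sum(pfd_moon(lam, months * HOURS_PER_MONTH, m, n, beta)
               for lam, months, beta in modes)


def hips_pfd(sensor_vote, valve_vote, sdv_move):
    """(sensor, logic solver, final element, overall) PFD for one architecture."""
    sensor = subsystem_pfd([PS], *sensor_vote)
    logic = subsystem_pfd([LS], 1, 1)
    final = subsystem_pfd([SV, sdv_move, SDV_CLOSE], *valve_vote)
    return sensor, logic, final, sensor + logic + final


def table9():
    """2oo3 sensors, 1oo2 valves, with partial stroke testing."""
    return hips_pfd((2, 3), (1, 2), SDV_MOVE_PST)


def table10():
    """Simplex sensor and valve, with partial stroke testing."""
    return hips_pfd((1, 1), (1, 1), SDV_MOVE_PST)


def table11():
    """Simplex sensor and valve, no partial stroke testing."""
    return hips_pfd((1, 1), (1, 1), SDV_MOVE_NO_PST)


def max_proof_test_months(lam_du, m, n, beta, target_sil, max_months=48):
    """Longest whole-month proof test interval at which a MooN group of
    channels still meets target_sil (the Figure 3 reading, in code)."""
    best = 0
    for months in range(1, max_months + 1):
        pf = pfd_moon(lam_du, months * HOURS_PER_MONTH, m, n, beta)
        if sil_from_pfd(pf) < target_sil:
            break
        best = months
    return best


if __name__ == "__main__":
    for name, fn in (("Table 9", table9), ("Table 10", table10), ("Table 11", table11)):
        s, l, f, o = fn()
        print(f"{name}: sensor {s:.1e}  logic {l:.1e}  final {f:.1e}  "
              f"overall {o:.1e} -> SIL{sil_from_pfd(o)}")
```

Two things the numbers make visible: in the redundant Table 9 case the final element PFD is almost entirely the β λDU T/2 common cause terms, so further redundancy buys little and channel separation (section 3.10) is what matters; and in the simplex cases the SDV failure-to-move mode dominates, which is exactly the term the 3-month partial stroke test shortens, moving the function from SIL1 (Table 11) to SIL2 (Table 10).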

5 SUMMARY AND CONCLUSIONS
The study shows that not all HIPS installations need to have a SIL3 requirement. SIL targets are
determined by local factors such as the hazard frequency and the consequential effects on the
local environment, the population density and available mitigation such as the independent layers
of protection that apply.
Table 12 shows that the SIL targets that may apply range from SIL3 to no SIL requirement.

TABLE 12. RESULTS OF SIL DETERMINATION

| Environment | Initiating Cause | SIL Target |
|---|---|---|
| Populated area | Leaks due to component failures and corrosion, overpressure conditions and pipeline damage. | SIL3 |
| Populated area | Leaks due to component failures and corrosion. | SIL2 |
| Non-populated area | Leaks due to component failures and corrosion, overpressure conditions and pipeline damage. | SIL2 / SIL1 / SIL1 / (SIL1) |
| Non-populated area | Leaks due to component failures and corrosion. | None |


It is therefore important to analyse target SIL requirements for each specific case since compliance
with higher SILs inevitably leads to a higher spurious trip rate and consequently, higher costs in
terms of:
- capital equipment;
- loss of revenue;
- maintenance of complex redundant (e.g. triplicated) configurations.
Table 13 presents a summary of the performance of the HIPS considered in this study.
TABLE 13. SUMMARY OF HIPS RESULTS

| | Non-electrical HIPS 1oo1 | Non-electrical HIPS 1oo2 | Non-electrical HIPS 2oo3 | Non-electrical HIPS 1oo3 | SIS HIPS 1oo1 (no PST) | SIS HIPS 1oo1 (with PST) | SIS HIPS 2oo3 sensors, 1oo2 valves (with PST) |
|---|---|---|---|---|---|---|---|
| SIL | 1 | 3 | 2 | 3 | 1 | 2 | 3 |
| PFD | 1.1E-02 | 9.2E-04 | 1.3E-03 | 7.6E-04 | 1.2E-02 | 7.0E-03 | 5.3E-04 |
| STR (/hr) | 5.6E-06 | 1.1E-05 | 3.8E-07 | 1.7E-05 | 6.8E-06 | 6.8E-06 | 9.1E-06 |
| ST Interval (yrs) | 20 | 10 | 300 | 7 | 17 | 17 | 13 |

Abbreviations
1oo1 (MooN) 1 out of 1 (general case M out of N)
API American Petroleum Institute
ASME American Society of Mechanical Engineers
CCF Common Cause Failure
ESDV Emergency Shutdown Valve
FC Fail Closed
FMECA Failure Modes, Effects and Criticality Analysis
HAZAN Hazard Analysis
HAZOP Hazard and Operability Study
HIPS High Integrity Protective System
LOPA Layers of Protection Analysis
PFD Probability of Failure on Demand
PS Partial Stroke
SFF Safe Failure Fraction
SIL Safety Integrity Level
SIS Safety Instrumented System
STR Spurious Trip Rate
λD Dangerous failure rate
λDD Dangerous detected failure rate
λ Failure rate
λDU Dangerous undetected failure rate
λS Safe failure rate
