IOGP Report 443, February 2015
Disclaimer
Whilst every effort has been made to ensure the accuracy of the information contained in this publication, neither IOGP nor any of its Members past, present or future warrants its accuracy or will, regardless of its or their negligence, assume liability for any foreseeable or unforeseeable use made thereof, which liability is hereby excluded. Consequently, such use is at the recipient's own risk on the basis that any use by the recipient constitutes agreement to the terms of this disclaimer. The recipient is obliged to inform any subsequent recipient of such terms.
Copyright notice
The contents of these pages are © International Association of Oil & Gas Producers. Permission is given to reproduce this report in whole or in part provided (i) that the copyright of IOGP and (ii) the sources are acknowledged. All other rights are reserved. Any other use requires the prior written permission of IOGP.
These Terms and Conditions shall be governed by and construed in accordance with the laws of England and Wales. Disputes arising herefrom shall be exclusively subject to the jurisdiction of the courts of England and Wales.
Revision history
VERSION   DATE            AMENDMENTS
1.0       February 2015   First release
Acknowledgements
Standards Committee
Instrumentation & Automation Subcommittee
High Integrity Protection Systems Task Force
IOGP Instrumentation and Automation Subcommittee (IASSC) HIPS Task
Force having representation from the following companies:
BG Group
BP
Maersk Oil
Petrobras
Repsol
Siemens
Statoil
Total
Yokogawa.
Photography used with permission courtesy of ndoeljindoel/
iStockphoto and Nostal6ie/iStockphoto (Front cover) and
Sharif El-Hamalawi/iStockphoto (Back cover).
Contents
Foreword
1 Scope
2 References
Abbreviations
4 General recommendations
4.3.5 Cabinet
5 HIPS elements
5.1 Sensor(s)
5.3.1 Valves
6 Design testing
6.6.1 Preparation
6.6.2 Procedures
6.6.3 Recording
7 Operational testing
7.3 Valves
8.2 Maintainability
9 HIPS dossier
Foreword
High integrity protection systems (HIPS) and especially high integrity
pressure protection systems (HIPPS) are an increasingly common feature
of oil and gas facilities worldwide.
They can provide an alternative to conventional mechanical protective
devices (e.g. relief valves) or reduce the load upon them.
In some cases, they present the only practical option to facilitate field
development and/or expansion.
The application of HIPS, and the manner in which they are implemented
across IOGP Members was considered worthy of investigation by the IOGP
Instrumentation and Automation Standards Subcommittee, with a view to
providing commonly agreed upon guidance on the subject.
This Recommended Practice is the result of that process.
The intended audience for this RP is those involved in the definition,
design, implementation or operation and maintenance of HIPS.
This RP does not provide guidance upon when, if and why a HIPS should be utilized; to this end, companies should apply their own internal methodologies.
This RP provides mainly technical recommendations.
1 Scope
The objectives of this IOGP Recommended Practice are to:
• provide industry guidance in the provision, operation and maintenance of HIPS throughout the IEC 61508 Safety Life cycle
• focus upon the instrumentation aspects of that provision
• support, clarify where appropriate, and not contradict or repeat IEC 61511 and/or ISO 10418 as they apply to HIPS
• make it easier for vendors to deliver consistent systems across the industry.
This IOGP Recommended Practice is intended for global application. The following oil and gas production facility types are included:
• onshore
• offshore (not including subsea)
• oil and gas transmission and transport systems.
This RP is applicable to all manner of high integrity protection systems, be they pressure, temperature, level, flow or any other parameter driven.
This RP is concerned with the instrumentation elements of HIPS. The
assumption is made that the dynamic requirements associated with
many HIPS have been satisfied in each case via a separate design and
verification exercise.
This RP is applicable to Electrical/Electronic/Programmable Electronic (E/E/PE) HIPS-related systems.
Other HIPS based on Mechanical Technology (e.g. using direct hydraulic or
pneumatic pilot valves) are not directly covered by this RP. However, much
of the guidance within this RP may also assist in their definition and use.
2 References
The following documents, in whole or in part, are referenced in this document and are recommended for its application.
API RP 14C, Analysis, Design, Installation, and Testing of Basic Surface Safety Systems for Offshore Production Platforms
API RP 17O, Recommended Practice for Subsea High Integrity Pressure Protection System (HIPPS)
API Standard 521, Pressure-relieving and Depressuring Systems
API Standard 598, Valve Inspection and Testing
EN 10204, Metallic products - Types of inspection documents
IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)
IEC 61511, Functional safety - Safety instrumented systems for the process industry sector
IEC 62443, Network and system security for industrial-process measurement and control
IEC 62443-2-4, Security for industrial automation and control systems - Network and system security - Part 2-4: Requirements for IACS solution suppliers
IEC 62443-3-3, Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels
ISO 5208, Industrial valves - Pressure testing of metallic valves
ISO 10418, Petroleum and natural gas industries - Offshore production installations - Analysis, design, installation and testing of basic surface process safety systems
ISO 23251, Petroleum, petrochemical and natural gas industries - Pressure-relieving and depressuring systems
ISO/TR 12489, Petroleum, petrochemical and natural gas industries - Reliability modelling and calculation of safety systems
HIPPS
ISO/TR 12489 also defines HIPPS (or OPPS) as a HIPS exclusively devoted to protection against overpressure.
HIPS reaction time
The maximum allowable time in which the HIPS should prevent a hazardous operational condition. It is thus the time between the process threshold value occurring and the occurrence of the hazardous event.
HIPS response time
The time between the process threshold value occurring and the final element reaching its safe state.
Abbreviations
BPCS   Basic Process Control System
BR     Base Requirement
CMF    Common-Mode Failure
DVT    Design Validation/Typical Test
FAT    Factory Acceptance Test
HIPS   High Integrity Protection System
HIPPS  High Integrity Pressure Protection System
HMI    Human Machine Interface
ICSS   Integrated Control and Safety System
IFAT   Integrated Factory Acceptance Test
IS     Intrinsically Safe
ITP    Inspection & Test Plan
LOPA   Layer of Protection Analysis
MCC    Motor Control Centre
MTTR   Mean Time To Repair
OPPS   Overpressure Protection System
OT     Operational Test
PFD    Probability of Failure on Demand
RE     Requirement Enhancement
SAT    Site Acceptance Test
SIF    Safety Instrumented Function
SIL    Safety Integrity Level
SIS    Safety Instrumented System
SOE    Sequence of Events
SP     Security Program
SRS    Safety Requirements Specification
4 General recommendations
A HIPS is normally the last in a series of process protection layers.
The others typically comprise the process control, alarm (with manual
response) and process shutdown layers.
The HIPS function should thus be seen in the context of these other
protection layers and potential process deviations, and any changes to
such should not occur without considering the potential impact upon
the HIPS function.
For an overpressure HIPS (for instance), the following should be clearly defined:
• sources of HIPS demand, and assumptions regarding how quickly they will cause that demand
• process conditions
• other protection layer set points assumed in the design of the HIPS.
All HIPS should be developed and implemented in accordance with the
requirements of IEC 61508 and 61511. Competency assurance through the
design, implementation and operational phases is a key requirement.
A single HIPS Integrator should be utilized to ensure that the combination
of the sensing elements, logic solver and final elements meet the
integrity, operability and maintainability targets.
4.1
Footnote sources (reliability data): www.oreda.no; www.sintef.no/projectweb/PDS-main-page; www.sintef.no
[Figure: HIPS reaction time and HIPS response time. Timeline of events: process or BPCS failure; SIS trip initiation; HIPS initiation; hazardous event occurrence.]
4.2
• For higher integrity than SIL 3, the HIPS logic solver type should differ from those used in other protection layers.
• Programmable Logic Solver: development, implementation, maintenance and modification of the HIPS application program should be by competent individuals who have not been involved in the application development for other protective layers.
• Logic Solver Input: where a SIF has more than one sensor, each sensor should be routed through a different logic solver input card.
• Logic Solver Output: where a SIF has more than one final element, each final element output should be routed through a different logic solver output card.
4.3 Hardware considerations
4.3.5 Cabinet
Where a cabinet is required for part of the HIPS system (typically the
logic solver), this should be separate from other equipment cabinets and
dedicated to the HIPS function only. It should preferably be located in an
acclimatized room.
Damping systems may be provided where vibration or tilt effects are present.
Forced ventilation should be avoided. Where required, this typically
consists of redundant air extraction on the top with redundant air inlet
filters on the bottom of the front doors.
Ingress protection requirements should be defined in the SRS and
maintained throughout the HIPS life cycle.
5 HIPS elements
5.1 Sensor(s)
5.1.1 Sensor selection
Sensor models specifically designed for safety service are preferred.
The failure modes of concern should be identified and failure rates
pertaining to those considered in the sensor selection process, as should
the availability or otherwise of auto-diagnostic capabilities.
Process transmitters are preferred over switches.
Interfaces with other systems (e.g. asset management systems) should
be read-only. Adjustment of HIPS sensor parameters (e.g. calibration
and configuration) should be possible only from the HIPS logic solver
cabinet or locally at the sensor, requiring either password input or dip
switch adjustment.
HART or other fieldbus communication protocols should be used for
diagnostic purposes only.
Wireless sensors are not considered suitable for HIPS application.
5.2
5.3 Final element(s)
Final element selection should be done taking into account the particular
application, process conditions and the suitability for use in safety
applications. Final elements with a demonstrable, trusted and proven
track record in safety service should be selected over lesser alternatives.
A high and continual focus should be placed upon quality control during
the final element manufacturing and test process.
An exception alarm should be generated if a HIPS final element (e.g.
valve) is not in the required position. The necessary response to such an
alarm should be defined in the SRS.
HIPS final element assembly should be considered as a whole. This
should be taken into account in the design, the fabrication and the testing.
The relevant documentation should be managed by the same principle.
5.3.1 Valves
Where a valve is the final element, this should be considered, designed
and tested as a complete assembly including the valve body, the actuator
and the associated actuator controls.
In pressure protection (HIPPS), the valve should be specified to account for the capacity of the downstream system to absorb valve leakage when closed. Although valves may be specified as zero, or close to zero, leakage (e.g. ISO 5208 or API Standard 598), in reality it should be assumed that some leakage in service will always occur. As such, the downstream process system should be able to handle a degree of leakage.
The leakage rate to be designed for should be determined in conjunction with process design engineers and will typically be based upon the greatest of:
• 100% flow through a valve bypass (if installed) when open
• that experienced following total collapse of soft seats (where fitted)
• a percentage of design flow (assessed in discussion with the valve manufacturer) for metal seated valves.
Where a HIPS bypass is required (e.g. for pressure equalization post HIPPS
activation), this should not compromise the HIPS integrity. For example the bypass
should be locked closed or similar (e.g. interlocked) to prevent being left in the
open position. Leak tightness specification for the bypass should be equivalent to
that of the main HIPPS valves.
HIPPS re-open inhibits may also be required, either to protect the valves from damage due to opening against high differential pressure, or to prevent a rapid pressure rise scenario should the HIPPS be re-opened onto a blocked downstream system. As the integrity requirement of these inhibit functions is also high, they should be part of the HIPPS.
6 Design testing
Testing activities should be performed during several design and development phases such as:
• Design Validation/Typical Test (DVT)
• Factory Acceptance Tests (FAT) of each HIPS component
• Integrated Factory Acceptance Test (IFAT)
• Yard and On-Site Tests/Pre-commissioning
• Operational Testing (OT)/Site Acceptance Test (SAT)
• HIPS Performance Tests.
The aim of these tests is to demonstrate that the HIPS supply and
configuration meet the HIPS SRS at each one of the above stages.
A HIPS testing plan should document which of these tests will take place,
and address the items listed in the remainder of this section.
6.1
6.2
6.3
6.4
6.5
6.6 Test administration
6.6.1 Preparation
Prior to each test phase, a comprehensive Inspection & Test Plan (ITP) should be prepared covering the following:
• full set of test procedures (see below)
• testing schedule, including manufacturers' internal tests
• resources and equipment list
• predefined test report and correction (punch) list for each test
• HIPS test log (see below).
6.6.2 Procedures
Dedicated test procedures should be issued for each test phase, covering individual HIPS components and the overall HIPS as required:
• sensors, including isolation valves, heating and protective enclosures
• logic solvers
• valve control panels, including smart valve testing systems
• valve actuators
• HIPS valves
• electrical switchgear
• end-to-end HIPS.
Test procedures should clearly indicate the test criteria (values) which
are to be met, referencing the appropriate (e.g. company) standard from
which the criteria are derived.
6.6.3 Recording
After each test, a test log should be issued. It should include the following as a minimum:
• test procedure
• test results/report
• correction/punch/exception lists.
7 Operational testing
The appropriate testing of HIPS is fundamental to ensuring that the integrity requirements for the safety function are satisfied [6]. The required proof test interval for the HIPS function should have been established via reliability analysis.
Any proposed changes in test frequency throughout a HIPS life should
be validated via an update to such analysis (this should in any case be
covered by facility management of change procedures).
Unrealistically short test intervals (e.g. less than three months) should be
avoided. (The more frequent testing becomes, the greater the impact on
production availability for components that cannot be tested off-line.)
One potential downside of increased test frequency is increased
intervention, given that each intervention may present opportunities to
compromise the HIPS (e.g. by not returning the system to operation state
following test).
Whilst the operation of individual HIPS loop components may be tested
separately, an overall system performance test should be conducted in
line with the test interval embedded in the SRS. This test should verify
both the end to end HIPS function and its response time (sensing to
completed trip/closure).
7.1

[6] A performance standard should be provided for every HIPS, which should capture test interval, trip setting, maximum allowed response time and underlying assumptions (e.g. on flowrate, process conditions, plant line-up). Any proposed change in any parameter in the performance standard should only occur with full management of change applied.

7.2
7.3 Valves
Where the final element is a valve a leakage test may be required, typically
carried out by means of pressure build up. Where required, this is unlikely
to be able to detect small volume leaks (such as can be found in factory
acceptance testing) and should be designed with a view to detect gross
leakage (albeit within the capacity of the downstream relief device) only.
If the ability to detect very small leaks is required, consideration may be
given to acoustic valve leak detection techniques.
Partial stroke testing can provide a benefit in terms of improved HIPS PFD and/or an increased interval between full proof tests. The downside is that the provision of partial stroke capability increases the complexity of an otherwise simple system. Partial stroke also means partial coverage: a significant portion of the HIPS (particularly the valve stroke) remains untested and should eventually be covered via full stroke testing.
Valve signatures can be obtained via monitoring and recording of the valve
closure characteristic. These can then be used to provide timely indication
of impending valve problems. This typically requires actuator pressure
monitoring and valve position indication (via transmitter) and may be
supplied as part of a partial test system.
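The PFD and test-interval trade-off described above, as an added illustration that is not part of the IOGP report: it applies the single-channel low-demand approximation PFDavg ≈ λDU·T/2 (an assumption taken from standard reliability practice, not from this RP), splitting the dangerous undetected failure rate into the fraction a partial stroke reveals and the remainder that only a full stroke reveals, and compares the result against the IEC 61508 low-demand SIL bands. The failure rate, coverage and intervals are constructed values.

```python
"""Effect of partial stroke testing (PST) on the average PFD of one HIPS valve.

Constructed example, not from IOGP Report 443. It uses the standard
low-demand approximation PFDavg ~= lambda_DU * T / 2 for a single channel
and splits lambda_DU into the fraction a partial stroke reveals (tested
every T_pst) and the remainder that only a full stroke reveals (every
T_full). Common-cause failure and repair time are ignored.
"""

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand SIL bands: (SIL, lower bound inclusive, upper bound).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_avg(lambda_du, t_full_h, pst_coverage=0.0, t_pst_h=None):
    """Average PFD of one final element.

    lambda_du     dangerous undetected failure rate, per hour
    t_full_h      full proof test (full stroke) interval, hours
    pst_coverage  fraction of lambda_du a partial stroke reveals (0..1)
    t_pst_h       partial stroke test interval, hours (needed if coverage > 0)
    """
    if not 0.0 <= pst_coverage <= 1.0:
        raise ValueError("coverage must be between 0 and 1")
    if pst_coverage > 0.0 and (t_pst_h is None or t_pst_h > t_full_h):
        raise ValueError("PST interval must be set and no longer than the full test interval")
    untested = (1.0 - pst_coverage) * lambda_du * t_full_h / 2.0   # only full stroke finds these
    covered = pst_coverage * lambda_du * (t_pst_h or 0.0) / 2.0    # partial stroke finds these
    return untested + covered


def sil_band(pfd):
    """Map a PFDavg to its IEC 61508 low-demand SIL, or 0 if worse than SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def full_test_interval_for_target(lambda_du, target_pfd, pst_coverage, t_pst_h):
    """Longest full-stroke interval (hours) that still meets target_pfd given PST.

    Solves target = lambda_du * ((1 - c) * T / 2 + c * T_pst / 2) for T.
    """
    covered = pst_coverage * lambda_du * t_pst_h / 2.0
    if covered >= target_pfd:
        raise ValueError("PST-covered share alone exceeds the target; shorten the PST interval")
    return 2.0 * (target_pfd - covered) / ((1.0 - pst_coverage) * lambda_du)


if __name__ == "__main__":
    lam = 2.0e-6                     # constructed: 2e-6 /h dangerous undetected
    base = pfd_avg(lam, HOURS_PER_YEAR)
    with_pst = pfd_avg(lam, HOURS_PER_YEAR, pst_coverage=0.6, t_pst_h=HOURS_PER_YEAR / 12)
    print(f"annual full stroke only : PFDavg={base:.2e}  SIL {sil_band(base)}")
    print(f"plus monthly PST (60%)  : PFDavg={with_pst:.2e}  SIL {sil_band(with_pst)}")
    t = full_test_interval_for_target(lam, base, 0.6, HOURS_PER_YEAR / 12)
    print(f"full-stroke interval giving the same PFD with PST: {t / HOURS_PER_YEAR:.2f} years")
```

Note how the untested share stays proportional to the full-stroke interval whatever the PST frequency, which is the quantitative form of "partial stroke means partial coverage".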
8.1 Obsolescence management
A dedicated obsolescence management plan should be established for
the HIPS. The HIPS supplier should provide an inventory list with all
lifetime statuses.
As part of the obsolescence management strategy, local (e.g. in-country)
support from the HIPS supplier or agent should be considered.
8.2 Maintainability
A maintenance management plan should be prepared for each HIPS
detailing maintenance procedures and intervals, and listing required
equipment. This should be developed by the HIPS Integrator, reviewed and
approved by the operator.
8.3 Spare parts
Commissioning and operational spares should be identified, procured and
stored commensurate firstly with the maintenance plan, and secondly
allowing for unexpected failures.
Reference should be made to each HIPS component MTTR when
determining spares quantities and storage locations.
Stored items should be subject to a preservation plan.
[Table: HIPS life cycle phases, with columns Objectives, Inputs and Outputs. Recoverable entries:
• Process hazard analysis (PHA)
• HIPS Specification (User) / HIPS Specification (Supplier): objective, to generate an equipment-specific specification that meets the requirements of the HIPS SRS; inputs include dynamic analysis and relevant philosophies
• HIPS Design
• HIPS Engineering: outputs FDS, physical hardware, software code, software algorithms
• 7. HIPS installation, commissioning and validation: inputs HIPS FDS; outputs FSA report, as-built documentation
• 8. Maintenance plan, maintenance records, maintenance schedule updates, spares listing
• 9. HIPS Modification: objective, to make corrections, enhancements or adaptations to the HIPS, ensuring that the required safety integrity level is achieved and maintained; inputs MOC approvals and MOC procedures; outputs documentation (philosophy/SRS/FDS/drawings etc.) updates as required to maintain alignment with the installed system, FSA report
• 10. Decommissioning]
9 HIPS dossier
Whilst the HIPS performance standard (within the SRS) provides a
summary of the key elements and basis for each HIPS, it is also important
to develop and retain concise documentation covering all aspects of the
design for each HIPS, both as a record of the work done and a basis for
life cycle maintenance and update of the HIPS.
A HIPS Dossier should therefore be compiled and maintained for each
HIPS by the operator and should include as a minimum the following
elements from the safety and instrumentation perspective:
• justification for HIPS selection, design and configuration
• HIPS SRS performance standards (response time, integrity requirement etc.)
• dynamic analysis
• HIPS drawings (e.g. P&IDs, architecture, wiring, hook-ups, system schematic, block diagrams)
• hazard and consequence analysis studies/reports
• assumptions pertinent to the hazard analysis and integrity target
• quantified/reliability analysis supporting selection of PFD/SIL targets and relevant test intervals, capturing assessment of diagnostic coverage of failures and common cause failure analysis
• pertinent cause and effect charts
• HIPS maintenance, testing and repair plans/procedures and records
• HIPS operating and re-start procedures (including bypass etc.)
• FSA report (according to IEC 61511)
• HIPS obsolescence plan.
All HIPS should be added to the facility safety critical systems/items register.
Registered Office
Level 5
209-215 Blackfriars Rd
London SE1 8NL
United Kingdom
Brussels Office
Bd du Souverain, 165
4th Floor
B-1160 Brussels
Belgium
www.iogp.org