Mokveld’s Considerations in Designing HIPPS
HIPPS has gained popularity over recent years, replacing pressure safety valves (PSV), blowdown and flare systems. Although HIPPS has been used for more than a quarter of a century, the design and implementation of HIPPS is still not as obvious as one might expect. The main reason for this is the way the IEC 61508 and IEC 61511 standards are written. The Oil & Gas industry has for years been accustomed to working with prescriptive standards.
Standards like API 6A and the API RP series, ASTM and ASME precisely prescribe how to design and manufacture a piece of equipment, an installation, or a material. IEC 61508 and IEC 61511, however, are performance-based standards. They describe the process to reach a solution rather than prescribing the solution itself. The IEC therefore leaves room for interpretation, which in some cases causes confusion or leads to over- or under-engineered solutions, thus requiring end-users to watch over their contractors and contractors to verify suppliers to assure that a safe system is installed.
IEC 61508 handles the final elements only superficially and focuses on the logic solver. This leads to the common misunderstanding that the word ‘system’ is to be understood as a synonym for controller or logic solver. The IEC however defines a ‘system’ as the complete loop, being the logic solver, initiators and final elements.
HIPPS and other SIS therefore have to be treated primarily as a complete loop and should not be designed at separate component level. The gap left by IEC 61508 regarding the mechanical components (valves, solenoids) has been patched by the introduction of IEC 61511. The latter standard specifically refers to final elements and initiators.
Risk of under-specifying
The misunderstanding that ‘system’ stands for controller and that a SIS can be designed at component level is the cause of the biggest problem in the implementation of HIPPS: the under-specification of mechanical components and the acceptance of component Safety Integrity Level (SIL) certification instead of verification of the SIL of the complete loop.
Certification doesn’t prove system is safe
Another consequence of the Oil & Gas industry’s history of prescriptive standards is the love for certificates. Certificates suggest that they relieve the engineer of the responsibility to verify the ‘difficult to check’ performance of a component. A good example of this is the hazardous area classification and the related Ex certification. When the hazardous area is correctly classified, any component with the right Ex certificate can be used in that area without further checking.
Since PFD calculations, the dependability of failure rates and checking whether a component is fit for a certain SIL level are all very complicated, the industry very quickly asked for SIL certificates. The issuance of ‘SIL certificates’ for components, however, has started the dangerous perception that buying certified equipment assures plant safety without further verification. For the same reason that an Ex i component does not protect against explosions when used in circuits without Ex i barriers, component SIL certificates do not assure plant safety, nor that the SIL level for the ‘system’ is met.
First we have to go back to the IEC. The IEC defines a SIL level, with its PFD and architecture, for a complete safety loop only and not for the subsystems. The IEC has no rules or specifications for how to qualify a component for a certain SIL level, since the term SIL only applies to the complete system. Therefore one should ask: how can a SIL certificate be obtained if no rules to certify components exist? Or, more to the point, why obtain a component certificate within the frame of a performance-based standard, where verification and validation of the ‘system’ are part of the foundation?
Component manufacturers adapt to the questions from the market by assuming a certain architecture for the complete system of which the certifiable component is a part. Assumptions are made for common cause, proof test interval, typical process duty, and response times for which their failure rates are applicable. Based on assumptions a component is then certified, which naturally limits the applicability of the certificate. Dependability of failure rates is already a difficult concept; dependability of a certificate takes the word difficult to a completely different level.
Failure rates obtained from operating experience in the nuclear industry do not automatically qualify as dependable and applicable in the Oil & Gas industry. Or, closer to home, failure rates obtained from operating experience with an isolation valve in an oil application do not qualify that valve for fast-stroking duty in a HIPPS in upstream gas service.
To assess the applicability of a SIL certificate, the report should be closely studied. In most cases the certificate’s only purpose is to serve as a justification for the failure rates provided by the manufacturer. In all cases the verification of the system’s overall PFD and the system’s architecture should fit the required SIL level of the system. Simply piling up certificates of components might result in a system which no longer fulfils the correct SIL level.
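The loop-level check the article asks for, as an added worked example that is not part of the original article nor Mokveld’s own method: it applies the simplified IEC 61508-6 low-demand formulas for 1oo1 and 1oo2 subsystems (beta-factor model for common cause), sums the subsystem PFDavg values into a loop PFDavg, and maps both to SIL bands. All failure rates, the beta factor and the proof-test intervals are constructed illustration values, not vendor or certificate data.

```python
# Added example, not from the article: a loop-level PFDavg check for a HIPPS.
# Uses the simplified IEC 61508-6 low-demand formulas for 1oo1 and 1oo2
# subsystems (beta-factor model for common cause). All failure rates below are
# constructed illustration values, not vendor data.
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


def pfd_1oo1(lambda_du: float, ti_hours: float) -> float:
    """Average PFD of a single channel: lambda_DU * T / 2 (simplified)."""
    return lambda_du * ti_hours / 2.0


def pfd_1oo2(lambda_du: float, ti_hours: float, beta: float) -> float:
    """Average PFD of a 1oo2 subsystem with beta-factor common cause:
    ((1-beta) * lambda_DU * T)^2 / 3 + beta * lambda_DU * T / 2 (simplified)."""
    lam_ind = (1.0 - beta) * lambda_du
    independent = (lam_ind * ti_hours) ** 2 / 3.0
    common_cause = beta * lambda_du * ti_hours / 2.0
    return independent + common_cause


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg (IEC 61508-1 Table 2); 0 = below SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


@dataclass
class Subsystem:
    name: str
    lambda_du: float          # dangerous undetected failures per hour (constructed)
    architecture: str = "1oo1"
    beta: float = 0.0         # common-cause fraction, used for 1oo2 only

    def pfd_avg(self, ti_hours: float) -> float:
        if self.architecture == "1oo1":
            return pfd_1oo1(self.lambda_du, ti_hours)
        if self.architecture == "1oo2":
            return pfd_1oo2(self.lambda_du, ti_hours, self.beta)
        raise ValueError(f"unsupported architecture {self.architecture}")


def evaluate_loop(subsystems, ti_hours: float) -> dict:
    """PFDavg and SIL band per subsystem and for the complete loop (sum of PFDs)."""
    rows = []
    for s in subsystems:
        pfd = s.pfd_avg(ti_hours)
        rows.append({"name": s.name, "pfd": pfd, "sil": sil_from_pfd(pfd)})
    loop_pfd = sum(r["pfd"] for r in rows)
    return {"subsystems": rows, "loop_pfd": loop_pfd, "loop_sil": sil_from_pfd(loop_pfd)}


def example_hipps_loop():
    """Constructed loop: redundant transmitters, a logic solver, one valve + solenoid."""
    return [
        Subsystem("pressure transmitters", lambda_du=1.0e-6, architecture="1oo2", beta=0.1),
        Subsystem("logic solver", lambda_du=2.0e-8),
        Subsystem("valve + solenoid", lambda_du=1.2e-7),
    ]


if __name__ == "__main__":
    loop = example_hipps_loop()
    cases = (("annual proof test", HOURS_PER_YEAR),
             ("two-yearly proof test", 2 * HOURS_PER_YEAR))
    for label, ti in cases:
        result = evaluate_loop(loop, ti)
        print(f"--- {label} ---")
        for r in result["subsystems"]:
            print(f"{r['name']:<22} PFDavg={r['pfd']:.2e}  band: SIL {r['sil']}")
        print(f"{'complete loop':<22} PFDavg={result['loop_pfd']:.2e}  "
              f"band: SIL {result['loop_sil']}")
```

With an annual proof test every subsystem in this constructed loop sits in the SIL 3 band or better, yet the loop PFDavg sums to about 1.07e-3 and lands in SIL 2, which is exactly the ‘piling up certificates’ outcome. Doubling the proof-test interval, the kind of assumption a certificate silently relies on, pushes the valve subsystem on its own into SIL 2. The simplified formulas ignore diagnostics, repair time and the architectural (hardware fault tolerance) constraints, all of which a full verification must also cover.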
With this article we hope to raise awareness that responsible engineering is important, especially considering that lives are at stake when a high-SIL HIPPS fails.
Tel: 01285 700719
Published in Valve User Magazine Issue 21