
HIPPS (High-Integrity Pressure Protection Systems) design, analysis, and justification
Prevent damage and loss by protecting critical equipment
Unrestricted © Siemens 2016
usa.siemens.com/oil-and-gas
Introduction
Per API Standard 521:
“A High-Integrity Protection Systems (HIPS) typically involves an arrangement of instruments,
final control elements (e.g. valves, switches, etc.), and logic solvers configured in a manner
designed to avoid overpressure incidents by removing the source of overpressure or by reducing
the probability of an overpressure contingency to such a low level that it is no longer considered
to be a credible case.”
By definition (ISA 84.91.01):
It is a “SCAI” (Safety Control Alarms and Interlocks)
It is a SIF (Safety Instrumented Function): ANSI/ISA 84.00.01, 2004 (IEC 61511 Mod.)
Introduction
HIPS are used for 5 major reasons (although there could be more):
a) Eliminate a particular overpressure scenario from the design basis;
b) Eliminate the need for a particular relief device;
c) Provide system overpressure protection where a relief device is ineffective;
d) Reduce the probability that several relief devices will have to operate simultaneously, thereby allowing for a reduction in the size of the disposal system;
e) Reduce the demand rate on a relief device, consequently reducing the risk.
As a SIF, it should follow the ANSI/ISA 84.00.01 – 2004 (IEC 61511 Mod.) safety life cycle!
Introduction
API 521 4.2.4 second paragraph:
“The design shall comply with the local regulations and the owner’s risk tolerance criteria, whichever is more restrictive. If these risk tolerance criteria are not available, then, as a minimum, the overall system performance including instrumented safeguards should provide safety-integrity-level 3 (SIL-3) performance”
Seems to imply a dramatic simplification of the functional safety standards (safety lifecycle)
Introduction - justification
Really? What is meant by: “If these risk tolerance criteria are not available”?
1. A Guidance to make all HIPS SIL 3?
Not really, just shifting focus
2. A way to simplify?
3. A way to standardize all HIPS designs?
4. Is it convenient?
Yes, even SIL 4
Not the intention
It might be conservative, but costly
5. What are the operational and maintenance implications?
Let’s consider an example…
Example (simplified)
Normal operation:
1. Charge pump feeds the pre-heat train
2. Heat exchangers used to raise feed temperature
3. Exothermic reaction generates vapor in reactor
4. Fractionator overhead products sent to gas plant
[Process diagram: feed from process or storage tank, charge pumps, pre-heat exchangers, control valve, reactor, fractionator, to further processing]
Note: Details (check valves, sensors, multiple streams, etc.) have been excluded for simplification.
Example (simplified)
Possible causes of blocked fractionator overhead:
1. Global power failure
2. Local power failure
3. Mechanical failure
4. BPCS failure
5. Operator error
6. Loss of overhead cooling
7. A combination of the above, etc.
[Process diagram: feed from process or storage tank, charge pumps, pre-heat exchangers, control valve, reactor, fractionator, to further processing]
Example (simplified)
Multiple simultaneous relief loads …
In a TOTAL power failure scenario, flare may NOT be effective.
Possible Solutions:
• Increase flare capacity
• HIPS
• Other safeguard(s)?
[Diagram labels: Unit, Fractionator, KO, Flare]
Possible solutions:
HIPS actions: Bypass reactor and minimize vapor generation
Two options:
1. Design SIL 3 HIPS
2. Follow SLC as per S84
[Process diagram: feed from process or storage tank, charge pumps, pre-heat exchangers, control valve, reactor, fractionator, KO, flare, to further processing]
Option 2: evaluating severity of consequences
Consequence of interest: Moderate leak leading to fire & serious injury
Serious → Category 100
Potential Consequences
Category | Descriptive Word | Personnel | Environment | Production or Equipment
10,000 | Catastrophic | Multiple Deaths | Detrimental offsite release | Loss > $1.5 M
1,000 | Severe | At least One Death | Non-detrimental offsite release | Loss between $500K and $1.5M
100 | Serious | Lost time accident | Release onsite – not immediately contained | Loss between $100K and $500K
10 | Minor | Medical treatment | Release onsite – immediately contained | Loss between $2,500 and $100K
1 | Negligible | First aid treatment | No release | Loss < $2,500
[Process diagram: feed from process or storage tank, charge pump, pre-heat exchanger, reactor, fractionator]
Option 2: design following standard safety life cycle
Risk graph:
Consequences | Frequency categories - Years: >10.000 | 10.000 - 1.000 | 1.000 - 100 | 100 - 10 | 10 - 1
1 | A | A | A | B | B
10 | A | A | B | B | C
100 | A | B | B | C | C
1.000 | B | B | C | C | D
10.000 | B | C | C | D | D
[Figure labels: initiating event; raw crude storage tank, charge pump, pre-heat exchanger, fractionator, reactor]
Option 2: design following standard safety life cycle
Additional protections should be considered
LOPA Implicit result →
[Figure: the same risk graph (consequences 1 to 10.000 against frequency categories in years, cells A to D), shown with the process diagram: raw crude storage tank, charge pump, pre-heat exchanger, fractionator, reactor regenerator]
Option 2: design following standard safety life cycle
Credit taken
[Figure: the same risk graph (consequences 1 to 10.000 against frequency categories in years, cells A to D)]
Option 2: design following standard safety life cycle
Credit taken
[Figure: the same risk graph (consequences 1 to 10.000 against frequency categories in years, cells A to D)]
Solutions: Use extra IPL(s)
a. Use a SIL 2 SIF
b. Use two non-SIF IPL
c. Use a non-SIF IPL and a SIL 1 SIF
Option 2: design following standard safety life cycle
Logic solver: No problem → Guaranteed SIL 3 for 20 years
Field devices: IEC 61508 certified sensors, PST, etc.
[Diagram labels: PT, control valve, fractionator, reactor]
SIL | Minimum hardware fault tolerance
1 | 0
2 | 1
3 | 2
4 | See IEC 61508
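Added example, not part of the presentation: enumerating the protection-layer combinations that close a risk gap reproduces the three solutions listed on the risk-graph slide and attaches the minimum hardware fault tolerance from the table above. Assumptions: the remaining gap is two orders of magnitude, each non-SIF IPL is credited one order of magnitude, and a SIL n SIF is credited a risk reduction factor of 10^n; all function names are illustrative.

```python
from itertools import product

# Minimum hardware fault tolerance per SIL, as tabulated on the slide
# (SIL 4 is deferred to IEC 61508 there, so it is not offered here).
MIN_HFT = {1: 0, 2: 1, 3: 2}

# Assumption: one non-SIF IPL is credited one decade (RRF 10); a SIL n SIF
# is credited at the bottom of its band (RRF 10**n, i.e. n decades).
NON_SIF_DECADES = 1


def ipl_options(gap_decades, max_non_sif=2):
    """Return layer combinations that close the gap exactly (no over-design).

    Each option is (non_sif_count, sif_sil or None, min_hft or None).
    """
    options = []
    for n_non_sif, sil in product(range(max_non_sif + 1), (None, 1, 2, 3)):
        credit = n_non_sif * NON_SIF_DECADES + (sil or 0)
        if credit == gap_decades:
            options.append((n_non_sif, sil, MIN_HFT.get(sil)))
    # Fewest added layers first, then lowest SIL.
    return sorted(options,
                  key=lambda o: (o[0] + (o[1] is not None), o[1] or 0))


def mitigated_frequency(initiating_per_year, option):
    """Event frequency (per year) after crediting the chosen layers."""
    n_non_sif, sil, _ = option
    decades = n_non_sif * NON_SIF_DECADES + (sil or 0)
    return initiating_per_year / 10 ** decades


def describe(option):
    """Human-readable form of one option, including the HFT it implies."""
    n_non_sif, sil, hft = option
    parts = []
    if n_non_sif:
        parts.append(f"{n_non_sif} non-SIF IPL")
    if sil:
        parts.append(f"SIL {sil} SIF (min HFT {hft})")
    return " + ".join(parts)


if __name__ == "__main__":
    # Constructed input: initiating event once per 10 years, gap of 2 decades.
    for opt in ipl_options(gap_decades=2):
        print(describe(opt), "->", mitigated_frequency(0.1, opt), "per year")
```

Raising `gap_decades` to 3 shows how quickly the options shift toward higher SIL and higher fault tolerance, which is the cost driver the next slide lists.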
Option 1 vs Option 2 safety life cycle considerations
Total cost of ownership considerations when increasing SIL
Increase SIL 2 to SIL 3
• Equipment costs (need more stuff)
• Installation costs (mechanical, piping, wiring, etc.)
• Physical space considerations (do you have available space to add taps, piping, etc.?)
• Maintenance (preventive maintenance, spare parts, proof testing, etc.)
• Operations (bypassing, spurious trip, complexity)
Conclusion
Advantages of Using ANSI/ISA 84.00.01, 2004 Safety Lifecycle Approach:
1. Simplify the design to meet your Tolerable Risk criteria
2. Safety Lifecycle approach will simplify operation and maintenance
3. Lower both CAPEX and OPEX
Contact information
Charles Fialkowski
CFSE
Siemens Process Industries and Drives
1201 Sumneytown Pike
Spring House, PA
Phone: 267-470-3740
E-mail: [email protected]
Luis M.F. Garcia G.
CFSE
Siemens Process Industries and Drives
8850 Fallbrook Drive
Houston, Texas
Phone: 281-687-8369
E-mail: [email protected]
siemens.com