REPORT 443
FEBRUARY 2015

High Integrity Protection Systems – Recommended Practice

Disclaimer

Whilst every effort has been made to ensure the accuracy of the information contained in this publication, neither IOGP nor any of its Members past, present or future warrants its accuracy or will, regardless of its or their negligence, assume liability for any foreseeable or unforeseeable use made thereof, which liability is hereby excluded. Consequently, such use is at the recipient’s own risk on the basis that any use by the recipient constitutes agreement to the terms of this disclaimer. The recipient is obliged to inform any subsequent recipient of such terms.

Copyright notice

The contents of these pages are © International Association of Oil & Gas Producers. Permission is given to reproduce this report in whole or in part provided (i) that the copyright of IOGP and (ii) the sources are acknowledged. All other rights are reserved. Any other use requires the prior written permission of IOGP.

These Terms and Conditions shall be governed by and construed in accordance with the laws of England and Wales. Disputes arising here from shall be exclusively subject to the jurisdiction of the courts of England and Wales.

Revision history

VERSION | DATE | AMENDMENTS
1.0 | February 2015 | First release

Acknowledgements

Standards Committee Instrumentation & Automation Subcommittee High Integrity Protection Systems Task Force

IOGP Instrumentation and Automation Subcommittee (IASSC) HIPS Task Force having representation from the following companies:

• BG Group
• BP
• Maersk Oil
• Petrobras
• Repsol
• Siemens
• Statoil
• Total
• Yokogawa.

Photography used with permission courtesy of © ndoeljindoel/iStockphoto and © Nostal6ie/iStockphoto (Front cover) and © Sharif El-Hamalawi/iStockphoto (Back cover).
Contents

Foreword
1 Scope
2 References
3 Terms and definitions
Abbreviations
4 General recommendations
  4.1 Safety Requirements Specification
    4.1.1 Service conditions
    4.1.2 HIPS reliability criteria
    4.1.3 Reliability data
    4.1.4 HIPS reaction and response time
  4.2 Avoidance of common-mode failures
    4.2.1 Sensor positioning
    4.2.2 Sensor and final element selection
    4.2.3 Logic solver selection
    4.2.4 Maintenance and human intervention
    4.2.5 Utility failure
  4.3 Hardware considerations
    4.3.1 Electrical connections
    4.3.2 Heat tracing and winterization
    4.3.3 Materials of construction
    4.3.4 Protection enclosures
    4.3.5 Cabinet
5 HIPS elements
  5.1 Sensor(s)
    5.1.1 Sensor selection
    5.1.2 Sensor configuration and positioning
  5.2 HIPS automation system
    5.2.1 Interfaces and cyber security (Programmable Logic Solvers)
    5.2.2 Interfaces and cyber security (solid state logic solvers)
  5.3 Final element(s)
    5.3.1 Valves
    5.3.2 Circuit breakers
6 Design testing
  6.1 Design Validation/Typical Test (DVT)
  6.2 Factory Acceptance Tests (FAT)
  6.3 Integrated Factory Acceptance Test (IFAT)
  6.4 Yard and On-Site Tests/Pre-Commissioning Tests
  6.5 Operational Testing (OT)/Site Acceptance Test (SAT)
  6.6 Test administration
    6.6.1 Preparation
    6.6.2 Procedures
    6.6.3 Recording
7 Operational testing
  7.1 Design for test and maintenance
  7.2 Operational proof testing
  7.3 Valves
8 Safety life cycle for HIPS
  8.1 Obsolescence management
  8.2 Maintainability
  8.3 Spare parts
9 HIPS dossier

Foreword

High integrity protection systems (HIPS) and especially high integrity pressure protection systems (HIPPS) are an increasingly common feature of oil and gas facilities worldwide. They can provide an alternative to conventional mechanical protective devices (e.g.
relief valves) or reduce the load upon them. In some cases, they present the only practical option to facilitate field development and/or expansion.

The application of HIPS, and the manner in which they are implemented across IOGP Members, was considered worthy of investigation by the IOGP Instrumentation and Automation Standards Subcommittee, with a view to providing commonly agreed upon guidance on the subject. This Recommended Practice is the result of that process.

The intended audience for this RP is those involved in the definition, design, implementation or operation and maintenance of HIPS.

This RP does not provide guidance upon when, if and why a HIPS should be utilized – to this end, companies should apply their own internal methodologies. This RP provides mainly technical recommendations.

1 Scope

The objectives of this IOGP Recommended Practice are to:

• provide industry guidance in the provision, operation and maintenance of HIPS throughout the IEC 61508 Safety Life cycle
• focus upon the instrumentation aspects of that provision
• support, clarify where appropriate, and not contradict or repeat IEC 61511 and/or ISO 10418 as they apply to HIPS
• make it easier for vendors to deliver consistent systems across the industry.

This IOGP Recommended Practice is intended for global application. The following oil and gas production facility types are included:

• onshore
• offshore (not including subsea¹)
• oil and gas transmission and transport systems.

This RP is applicable to all manner of high integrity protection systems, be they pressure, temperature, level, flow or any other parameter driven.

This RP is concerned with the instrumentation elements of HIPS. The assumption is made that the dynamic requirements associated with many HIPS have been satisfied in each case via a separate design and verification exercise.
This RP is applicable to Electrical, Electronic and Programmable Electronic HIPS-related systems. Other HIPS based on mechanical technology (e.g. using direct hydraulic or pneumatic pilot valves) are not directly covered by this RP. However, much of the guidance within this RP may also assist in their definition and use.

¹ API RP 17O covers subsea HIPS

2 References

The following documents, in whole or in part, are referenced in this document and are recommended for its application.

API RP 14C, Analysis, Design, Installation, and Testing of Basic Surface Safety Systems for Offshore Production Platforms
API RP 17O, Recommended Practice for Subsea High Integrity Pressure Protection System (HIPPS)
API Standard 521, Pressure-relieving and Depressuring Systems
API Standard 598, Valve Inspection and Testing
EN 10204, Metallic products. Types of inspection documents
IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)
IEC 61511, Functional Safety – Safety instrumented systems for the process industry sector
IEC 62443-3-3, Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels
IEC 62443, Network and system security for industrial-process measurement and control
IEC 62443-2-4, Security for industrial automation and control systems – Network and system security – Part 2-4: Requirements for IACS solution suppliers
ISO 5208, Industrial valves – Pressure testing of metallic valves
ISO 10418, Petroleum and natural gas industries – Offshore production installations – Analysis, design, installation and testing of basic surface process safety systems
ISO 23251, Petroleum, petrochemical and natural gas industries – Pressure-relieving and depressuring systems
ISO/TR 12489, Petroleum, petrochemical and natural gas industries – Reliability modelling and calculation of safety systems

3 Terms and definitions

For the purpose of this document the following definitions apply.

bypass
Bypass (including overriding and inhibiting) input/output: action or facility to prevent all or parts of the SIS functionality from being executed (refer to IEC 61511).

common-mode failure (CMF)
According to UKAEA SRD R 196 (1981): “A common-mode failure (CMF) is the result of an event(s) which because of dependencies, causes a coincidence of failure states of components in two or more separate channels of a redundancy system, leading to the defined system failing to perform its intended function”. For the purpose of this document, CMF is taken to include common cause and dependent failures.

HIPS
Within the oil and gas industry, there are various company-specific definitions as to what constitutes a HIPS. It is not the purpose of this RP to define what constitutes a HIPS. According to the ISO/TR 12489 definition, a non-conventional² autonomous safety instrumented system with sufficiently high safety integrity to protect equipment against exceeding the design parameters is considered a HIPS.

One or more of the following may also be considered a HIPS:

• a final protection layer comprising a combination of partial mechanical and instrumented protective function
• an instrumented protection layer having an integrity requirement of SIL 3 or more
• an instrumented protection layer where the consequence of non-operation is major to catastrophic or disastrous.

² Deviations from industry standards describing mechanical protection systems (e.g. ISO 23251 = API Standard 521, ISO 10418, API RP 14C) are treated as HIPS. An ultimate protection relying principally, but not necessarily solely, on Safety Instrumented Systems (SIS) is qualified as HIPS, irrespective of its required Safety Integrity Level (SIL).

HIPPS
ISO/TR 12489 also defines HIPPS or OPPS as, “a HIPS exclusively devoted to protection against overpressure”.
HIPS reaction time
The maximum allowable time in which the HIPS should prevent a hazardous operational condition. It is thus the time between the process threshold value occurring and the occurrence of the hazardous event.

HIPS response time
The time between the process threshold value occurring until the final element has reached its safe state.

Abbreviations

BPCS   Basic Process Control System
BR     Base Requirement
CMF    Common-Mode Failure
DVT    Design Validation Test
FAT    Factory Acceptance Test
HIPS   High Integrity Protection Systems
HIPPS  High Integrity Pressure Protection Systems
HMI    Human Machine Interface
ICSS   Integrated Control and Safety System
IFAT   Integrated Factory Acceptance Test
IS     Intrinsically Safe
ITP    Installation and Test Plan
LOPA   Layer of Protection Analysis
MCC    Motor Control Centre
MTTR   Mean Time to Repair
OPPS   Overpressure Protection System
OT     Operational Test
PFD    Probability of Failure on Demand
RE     Requirement Enhancement
SAT    Site Acceptance Test
SIF    Safety Instrumented Function
SIL    Safety Integrity Level
SIS    Safety Instrumented System
SOE    Sequence of Events
SP     Security Program
SRS    Safety Requirements Specification

4 General recommendations

A HIPS is normally the last in a series of process protection layers. The others typically comprise the process control, alarm (with manual response) and process shutdown layers. The HIPS function should thus be seen in the context of these other protection layers and potential process deviations, and any changes to such should not occur without considering the potential impact upon the HIPS function.

For an overpressure HIPS (for instance), the following should be clearly defined:

• sources of HIPS demand, and assumptions regarding how quickly they will cause that demand
• process conditions
• other protection layer set points assumed in design of the HIPS.
All HIPS should be developed and implemented in accordance with the requirements of IEC 61508 and 61511. Competency assurance through the design, implementation and operational phases is a key requirement.

A single HIPS Integrator should be utilized to ensure that the combination of the sensing elements, logic solver and final elements meet the integrity, operability and maintainability targets.

4.1 Safety Requirements Specification

HIPS functions should be defined independently of other safety systems in a specific HIPS Safety Requirements Specification (SRS), normally produced by the end user. This should consider the complete system comprising sensing element(s), logic solver and final element(s). The HIPS should be developed and implemented in a similarly complete system manner.

In addition to the requirements of IEC 61511 part 1 (SIS SRS which includes performance requirements relating to Functionality, Availability, Survivability and Interdependencies), the following should feature in a HIPS SRS.

• The HIPS should execute all safety functions in automatic mode.
• The HIPS should be autonomous, with dedicated sensors, logic and final elements.
• The HIPS should be a physically segregated system, interfaced with the facility automation system for monitoring only. Any communications with HIPS should not be able to impede or override the safety function(s).
• The HIPS should be designed according to fail-to-safe principles.
• HIPS resetting should not be possible without a clear understanding of the initiating cause and/or fault.
• Signals between sensors, logic solver and final elements should be hardwired.
• The HIPS design should define and include allowance for test and maintenance activities. Nonetheless, HIPS sensor, logic or final element bypass functions should be avoided. When required, bypass functions should be subject to a thorough assessment of the risk and consequences for system integrity.
• The required performance of the HIPS will be based on the process and facility conditions (e.g. production rates, plant line up) known/assumed at the time of the system design and procurement. These should be clearly identified such that the HIPS can be readily assessed or re-validated against changing assumptions, conditions (i.e. design basis) etc. during the plant life cycle.
• HIPS packages should be designated as ‘high’ focus with respect to quality management.

4.1.1 Service conditions

A HIPS SRS should clearly identify and describe all credible process and ambient service conditions, such as:

• process fluid compositions (all possible production scenarios)
• possibility of slugging flow
• fluids with plugging potential (e.g. wax, hydrates)
• rate of change in process pressure, temperatures, flows
• presence and worst case concentrations of H2S, CO2, solids, sand, paraffin, etc.
• high and low extreme process pressure, temperatures, flows
• change of process fluid composition and properties over the facility’s lifetime
• presence and worst case concentrations of injected chemical products
• high and low extreme ambient outdoor and indoor conditions
• hazardous area classification
• EMC requirements.

The predicted or known occurrence and impact of each condition should be clearly defined for each operational situation, e.g. shut-in, cool-down, start-up, normal production. This analysis will assist in defining material requirements of sensors and final elements and the needs (if any) for heating and winterization of HIPS components.

The HIPS should be suitable for any given situation/condition regardless of its duration (including temporary conditions such as methanol injection or cool-down).

4.1.2 HIPS reliability criteria

HIPS components, including sensors, logic solver and final elements should each be designed as fail-safe (i.e.
failure of any component/sensor/logic solver/power supply/motive fluids moves final elements to the safe state).

According to IEC 61511, a HIPS integrity (SIL) assessment will be performed and the integrity target (PFDavg or failure rate, whichever applies according to the demand rate) included in the HIPS SRS. HIPS components or sub-systems are then selected such that the overall integrity (SIL) target of the HIPS Safety Instrumented Function (SIF) is achieved.

This HIPS integrity demonstration should include a sensitivity study to test the robustness of the HIPS integrity prediction against variances in reliability data, the proof test period (e.g. min and max derived from an analysis of the PFD as a function of time, as opposed to PFDavg) and component MTTR.

The HIPS design should take into account the process availability target, allowing for testing and maintenance activities (with or without disturbing the process – e.g. partial stroke testing requirement) and the predicted/allowable frequency of spurious trips, and reflect these within the HIPS SRS.

Prototype or non-proven in-use components should not be used for a HIPS.

4.1.3 Reliability data

The HIPS operator should approve the reliability data utilized to demonstrate the integrity achieved by the HIPS. Reliability data sources include, in order of preference:

1. Reliability data collected and verified on the facilities (field data) – but only where the quantity collected is sufficient to be considered statistically significant

2. Databases/reference handbooks
   Data should primarily be selected from Oil and Gas applications, e.g. Offshore Reliability Data (OREDA³), PDS Data Handbook⁴, and Stiftelsen for industriell og teknisk forskning (The Foundation for Scientific and Industrial Research), (SINTEF⁵). The data selection process should consider similar service and environmental conditions, and maintenance regimes.

3. Failure Mode and Effect Analysis (FMEA) reports
   This data needs to be suitably factored to account for potential failures occurring due to process/operating conditions. The intended use and stated failure modes should match the application.

4. Vendor data

The reliability data used should be adequately documented to allow validation, including:

• source of the data
• assumptions underlying selection.

³ www.oreda.no
⁴ www.sintef.no/projectweb/PDS-main-page
⁵ www.sintef.no

4.1.4 HIPS reaction and response time

The process safety time, HIPS reaction time and HIPS response time should be defined in the HIPS SRS.

[Figure 1: Process safety, reaction and response times (showing typical protection layers). Events on the timeline: Process or BPCS failure; SIS trip initiation; HIPS initiation; Hazardous event occurrence. Intervals shown: Process Safety Time (refer IEC 61511-2); HIPS Reaction Time; HIPS Response Time.]

The HIPS response time should be determined with reference to the process safety time and HIPS reaction time. The HIPS SRS should require:

HIPS response time < x × (HIPS reaction time)

(Where ‘x’ is less than 1, and specified with reference to the system dynamics and practicality, design uncertainties and equipment wear and tear)

The HIPS response time is a summation of the following:

• sensor response time
• logic solver response time, including input cards
• final element response time, up to final safe state.

4.1.4.1 Sensor response time

The sensor response time is defined by summation of the following parts:

• lag time of the process tapping, e.g. thermal inertia of a thermowell
• lag time of the sensing element
• processing (cycle) time of electronic instrument/transmitter
• signal conditioning, e.g. dampening or filtering.
4.1.4.2 Logic solver response time

The logic solver response time is defined by the summation of the following parts:

• worst (longest) processing (cycle) time of any input card
• processing time of the logic part and output.

In general, the processing time of the logic part and output is considered negligible for solid state technology. For a programmable logic solver, the response time will depend on the processing (cycle) time of all the components.

4.1.4.3 Final element response time

The final element response time is defined by the summation of the following:

Actuated valves case:

• the response time of all control circuit components (e.g. solenoid valves, pilot valves, and quick exhaust valves) of the motive fluid feeding the actuator
• the time required to depressurize the motive fluid before the actuator starts to move
• the inertia and mechanical slack of the moving parts in the actuator and valve (i.e. stroking time), until the valve has reached its safety position.

Electrical equipment case:

• the response time of all control circuit components (e.g. interposing relay, switchgear, relay and switchgear drawer)
• the inertia of the machinery, until it has reached safe state (e.g. fully stopped).

4.2 Avoidance of common-mode failures

In order to achieve the necessary levels of integrity, HIPS typically utilize redundancy in the sensing and final element groups. Whilst increasing system dependability, this also introduces the potential for common-mode failure (CMF).

The HIPS should be designed to minimize CMF between HIPS subsystems, hardware or application software. This should be managed with reference to IEC 61511-1:2003, 9.4 and the following recommendations.

4.2.1 Sensor positioning

Sensors should be separated as far as reasonably practicable to reduce the likelihood of external (environmental) and/or internal (process e.g.
wax/hydrates) factors affecting more than one simultaneously.

4.2.2 Sensor and final element selection

Within HIPS: the use of identical sensors/final elements in a voting (e.g. two out of three/2oo3) configuration has the advantage of simplifying procurement and maintenance activities, but will increase the potential for CMF. For SIL 3 (and below) HIPS, it is usually acceptable to utilize identical sensing/final element devices, but for higher integrity service diverse (i.e. make/model) sensing and final element devices should be deployed. At SIL 3, the potential benefits of diverse sensing and final element devices versus the potential detriment to system maintenance should be considered.

Within other protection layers: if identical make and model of sensing and/or final element is utilized for both the HIPS and other protection layers, the potential for CMF between the HIPS and other protection layers should be addressed.

4.2.3 Logic solver selection

A HIPS logic solver should be of programmable or Solid State type.

For SIL 3 (and below) HIPS, it is generally acceptable to employ the same logic solver type as that used for other protection layers (not including BPCS). However, it should be fully independent of them in every respect (I/O, PSU, CPU where applicable, etc.).

For higher integrity than SIL 3, the HIPS logic solver type should differ from those used in other protection layers.

Programmable Logic Solver: development, implementation, maintenance and modification of the HIPS application program should be by competent individuals who have not been involved in the application development for other protective layers.

Logic Solver Input: Where a SIF has more than one sensor, each sensor should be routed through a different logic solver input card.

Logic Solver Output: Where a SIF has more than one final element, each final element output should be routed through a different logic solver output card.
4.2.4 Maintenance and human intervention

CMF should be considered in the development of HIPS maintenance routines. Particular attention should be paid where multiple simultaneous process isolations are required, e.g. when testing a sensor voting system.

As a minimum, procedures should be defined to cover the management of HIPS sensor line isolations. However, car seal or interlocking of sensor line isolations is preferred. Regular inspections to verify correct position of HIPS sensor isolation valves are recommended.

4.2.5 Utility failure

HIPS will often need to share utilities (e.g. instrument air drying system) with other protection layers. Where this is the case, the shared utility should be analysed for potential common faults and, where these are considered significant, diverse utilities for HIPS and other protection layers should be deployed.

HIPS power should be from two diverse supplies, e.g. one UPS sourced, the other from a critical systems/emergency bus.

DC power supplies can be either floating, or have positive or negative referenced to earth. The merits of these two approaches should be considered. In the former, the system will be less susceptible to tripping on earth fault, but an earth fault detection system would be required. Consistency with other facility DC earthing arrangements should also be considered.

4.3 Hardware considerations

4.3.1 Electrical connections

All HIPS field devices should be hard-wired directly into the HIPS cabinet via individual armoured instrument cables, without intermediate junction boxes or intermediate marshalling facilities. This also applies to cables run from the HIPS cabinet to MCC switchgear.

An exception to the direct-cable rule is given to particular field devices which have by design a short length of cable encapsulated into the device, such as limit switches or heater blocks. In those cases, multiple devices of the same type might be hooked-up to a local junction box.
Junction box and cabinet terminals should be of the spring-loaded type for both signal and power cabling. Screw type terminals should only be permitted inside final field devices (e.g. sensors, solenoids), earth bars, and for the power feeders and distribution inside the HIPS system cabinet.

4.3.2 Heat tracing and winterization

In colder climates, heat tracing and/or winterization of the HIPS may be required:

• heat tracing ensures that the process fluid inside the HIPS sensor assembly and process tapping (and standpipe if any) remains adequately fluid, i.e. avoiding potential clogging due to fluid cool-down
• winterization ensures that electronic devices remain above a certain minimum temperature.

An assessment of the expected ambient conditions and process fluid should be made to determine which, if any, of these is required and the HIPS SRS should include such requirement.

The heating element for each sensor should have its own dedicated circuit breaker.

Where heat tracing of HIPS sensor assembly, process tapping, standpipe/bridle is required, self-regulating resistive block heaters, self-regulating heat tracing wire under thermal insulation around quarter-turn ball valves, process tappings, level sensor chambers (and standpipe if any), including liquid drain lines as well as the sensors/transmitters should be provided.

Temperature and feeder monitoring and alarm facilities should also be provided and transmitted to the operator interface. The HIPS SRS should clearly state the action to be taken upon failure of a heating element, ranging from manual intervention to automated HIPS activation after a set time delay.

4.3.3 Materials of construction

All outdoor HIPS equipment, including sensors, manifolds, associated mounting accessories and protection equipment, should be suited to the environment. Where required, protection against mechanical damage (e.g. dropped objects) should be provided.

Process wetted parts (e.g.
valves, sensors, manifolds) should be as per applicable piping class, including material certificates (e.g. EN 10204).

4.3.4 Protection enclosures

All HIPS sensors, including the process isolation valves/manifold, should be protected against impact and environment. Therefore, enclosures should be considered for HIPS sensor assemblies. All connections should be bottom-mounted with the relevant cable gland assembly.

4.3.5 Cabinet

Where a cabinet is required for part of the HIPS system (typically the logic solver), this should be separate from other equipment cabinets and dedicated to the HIPS function only. It should preferably be located in an acclimatized room.

Dampening systems may be provided in case of presence of vibration or tilt effects.

Forced ventilation should be avoided. Where required, this typically consists of redundant air extraction on the top with redundant air inlet filters on the bottom of the front doors.

Ingress protection requirements should be defined in the SRS and maintained throughout the HIPS life cycle.

5 HIPS elements

5.1 Sensor(s)

5.1.1 Sensor selection

Sensor models specifically designed for safety service are preferred. The failure modes of concern should be identified and failure rates pertaining to those considered in the sensor selection process, as should the availability or otherwise of auto-diagnostic capabilities.

Process transmitters are preferred over switches.

Interfaces with other systems (e.g. asset management systems) should be ‘read-only’. Adjustment of HIPS sensor parameters (e.g. calibration and configuration) should be possible only from the HIPS logic solver cabinet or locally at the sensor, requiring either password input or ‘dip’ switch adjustment.

HART or other fieldbus communication protocols should be used for diagnostic purposes only.

Wireless sensors are not considered suitable for HIPS application.
5.1.2 Sensor configuration and positioning

For SIL 3 systems, three sensor elements with a two out of three (2oo3) trip logic are normally selected, each sensor being configured to go to ‘trip state’ after a detected failure occurs. This 2oo3 voting should revert to 1oo2 voting during maintenance of a single sensor or when a single sensor fault is detected.

The HIPS should be fitted with the necessary equipment to facilitate sensor tests as required by the SRS, and defined within the test procedure.

Each sensor should have a dedicated process tapping.

HIPS sensor discrepancy alarms may be configured in the HIPS, SIS or BPCS.

HIPS sensor positioning should take into account the positioning of sensors in other protection layers (e.g. BPCS).

5.2 HIPS automation system

The HIPS automation system consists of the complete engineered and tested cabinet, from input terminals to output terminals, typically including:

• signal converters, isolators, IS barriers and anti-surge devices
• logic solver
• HMI devices
• engineering and maintenance workstations.

The HIPS automation system should be dedicated to HIPS safety functions and physically segregated from other safety or control systems. Any non-essential functionality should be removed.

The HIPS automation system should include a capability to record Sequence Of Event (SOE) data, diagnostic information and logic solver status for post-incident data analysis.

A HIPS logic solver containing more than one HIPS SIF should be avoided. If necessary, more than one SIF can be deployed in the same logic solver, but only where it can be demonstrated that each of these is fully independent of the others. That is, the failure of any HIPS SIF, and/or the occurrence of the hazard it is designed to prevent, could not cause one or more of the other hazards, or compromise one of the other SIFs.
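The 2oo3-to-1oo2 degradation described in 5.1.2, as an added Python illustration (not part of the IOGP report and not logic-solver code). Tags, trip point and discrepancy tolerance are constructed, and tripping when fewer than two sensors remain in service is an assumption drawn from the fail-to-safe principle in 4.1; `forced_healthy_vote` shows why a bypass that simply forces a sensor to "no trip" is weaker than the recommended 1oo2.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    IN_SERVICE = "in service"
    FAULT = "fault detected"      # diagnostics flagged the sensor or its input
    MAINTENANCE = "maintenance"   # isolated for test or calibration


@dataclass(frozen=True)
class Sensor:
    tag: str
    value: float                  # barg, constructed sample values
    mode: Mode = Mode.IN_SERVICE


def vote(sensors, trip_point):
    """Return (trip, scheme) for a three-sensor high-pressure trip group."""
    if len(sensors) != 3:
        raise ValueError("this voter models exactly three sensors")
    healthy = [s for s in sensors if s.mode is Mode.IN_SERVICE]
    high = sum(s.value >= trip_point for s in healthy)
    if len(healthy) == 3:
        return high >= 2, "2oo3"
    if len(healthy) == 2:
        # One sensor faulted or under maintenance: revert to 1oo2 (5.1.2).
        return high >= 1, "1oo2"
    # Assumption: with fewer than two sensors in service, fail to safe.
    return True, "fail-safe trip"


def fault_as_trip_vote(sensors, trip_point):
    """Plain 2oo3 in which a faulted sensor is driven to its trip state.

    With one faulted sensor this gives the same result as 1oo2 on the
    remaining two, which is how the degradation happens without extra logic.
    """
    votes = [s.mode is Mode.FAULT or s.value >= trip_point for s in sensors]
    return sum(votes) >= 2


def forced_healthy_vote(sensors, trip_point):
    """Anti-pattern: an out-of-service sensor is forced to 'no trip' in 2oo3.

    Both remaining sensors must then exceed the trip point, so the group
    silently becomes 2oo2 instead of the recommended 1oo2.
    """
    votes = [s.mode is Mode.IN_SERVICE and s.value >= trip_point for s in sensors]
    return sum(votes) >= 2


def discrepancy(sensors, tolerance):
    """True when in-service sensors disagree by more than the tolerance."""
    values = [s.value for s in sensors if s.mode is Mode.IN_SERVICE]
    return len(values) >= 2 and max(values) - min(values) > tolerance


TRIP_POINT = 95.0   # barg, constructed
SCENARIOS = {       # constructed snapshots of one sensor group
    "normal": [Sensor("PT-A", 80.1), Sensor("PT-B", 80.4), Sensor("PT-C", 79.9)],
    "one high": [Sensor("PT-A", 96.2), Sensor("PT-B", 80.4), Sensor("PT-C", 79.9)],
    "two high": [Sensor("PT-A", 96.2), Sensor("PT-B", 95.8), Sensor("PT-C", 79.9)],
    "one high, C in maintenance": [
        Sensor("PT-A", 96.2), Sensor("PT-B", 80.4),
        Sensor("PT-C", 0.0, Mode.MAINTENANCE)],
    "one high, C faulted": [
        Sensor("PT-A", 96.2), Sensor("PT-B", 80.4),
        Sensor("PT-C", 3.6, Mode.FAULT)],
}

if __name__ == "__main__":
    for name, group in SCENARIOS.items():
        trip, scheme = vote(group, TRIP_POINT)
        print(f"{name:28s} {scheme:5s} trip={trip!s:5s} "
              f"forced-healthy trip={forced_healthy_vote(group, TRIP_POINT)!s:5s} "
              f"discrepancy={discrepancy(group, 2.0)}")
```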
In addition, each HIPS logic solver should have the capability to be verified independently of other HIPS logic solvers dedicated to other safety functions.

Since the final elements normally consume the majority of the PFD budget, the HIPS logic solver should typically not consume more than 15% of the PFD budget.

Response speed of the HIPS automation system, including electrical propagation time of the I/O channels and signal converters, should be assessed for each application as part of the overall process safety time.

Programmable HIPS logic solvers should have at least 60% spare CPU load and memory capacity.

Trip thresholds (set points) should be protected/locked to prevent adjustment through human error.

5.2.1 Interfaces and cyber security (Programmable Logic Solvers)

Interfaces between HIPS and other systems should be minimized.

HIPS cyber security should conform to IEC 62443.

The capabilities of HIPS programmable components should as a minimum be SL-3 (see IEC 62443-3-3).

The HIPS Asset Owner should specify the Security Program (SP) capability requirements (see IEC 62443-2-4) to the HIPS Integrator in the Safety Requirements Specification. The SP requirements are composed of the base requirements (BRs) and requirement enhancements (REs). For example:

• For SIL 2 and below HIPS, the security requirement may be made up of all the BRs and all the REs(1)
• For SIL 3 and above HIPS, the security requirement may be made up of all the BRs, all REs(1), all REs(2), all REs(3) and all REs(4).

In particular, the following steps are recommended:

• Malware prevention: Ensure malware cannot transit between HIPS and other protection layers by restricting communications between these layers.
• Any monitoring interface between HIPS and facility automation systems should be either hardwired or dedicated serial.
• Remote access (off-facility) connections should not be permitted.
• Temporary engineering machines (e.g.
supplier laptops) should not be connected to the HIPS logic solver until it has been verified that anti-virus software is installed and fully updated and that a full system scan has been performed showing the system to be free from malware/infection. • The HIPS logic solver and associated workstations should be subject to access control: • Physical – by key-locked cabinets • Software – by means of strong password. High Integrity Protection Systems RP 27 5.2.2 Interfaces and cyber security (solid state logic solvers) Despite the use of solid state technology, cyber threats can still pose a direct or indirect threat to the integrity of a HIPS package. The following design requirements should therefore be applied. • The HIPS may only be interfaced with BPCS or SIS through hardwired or ModBus links. • Remote maintenance/engineering and associated networks should not be permitted. • The SOE function should be embedded inside the HIPS. Hard-wired signals to BPCS/SIS input cards should be used for time-critical events. • Data storage is generally not required. Main data, alarms and trips should be registered by via the BPCS through serial bus and/or hard-wired links. • The Solid State Logic Solver should not be interfaced with any support system (e.g. Plant Information, Real Time Data Base and Instrumentation Management Systems). The use of IT-based technology for the HIPS HMI and/or communication links is generally not permitted. HIPS HMI should be solid state mimic panel type. High Integrity Protection Systems RP 5.3 28 Final element(s) Final element selection should be done taking into account the particular application, process conditions and the suitability for use in safety applications. Final elements with a demonstrable, trusted and proven track record in safety service should be selected over lesser alternatives. A high and continual focus should be placed upon quality control during the final element manufacturing and test process. 
An exception alarm should be generated if a HIPS final element (e.g. valve) is not in the required position. The necessary response to such an alarm should be defined in the SRS.

The HIPS final element assembly should be considered as a whole. This should be taken into account in the design, the fabrication and the testing. The relevant documentation should be managed by the same principle.

5.3.1 Valves

Where a valve is the final element, this should be considered, designed and tested as a complete assembly including the valve body, the actuator and the associated actuator controls.

In pressure protection (HIPPS), the valve should be specified to account for the capacity of the downstream system to absorb valve leakage when closed. Although valves may be specified as zero, or close to zero leakage (e.g. ISO 5208 or API Standard 598), in reality it should be assumed that some leakage in service will always occur. As such, the downstream process system should be able to handle a degree of leakage. The leakage rate to be designed for should be determined in conjunction with process design engineers and will typically be based upon the greatest of:
• 100% flow through a valve bypass (if installed) when open
• that experienced following total collapse of soft seats (where fitted)
• a percentage of design flow (assessed in discussion with valve manufacturer) for metal seated valves.

Where a HIPS bypass is required (e.g. for pressure equalization post HIPPS activation), this should not compromise the HIPS integrity. For example, the bypass should be locked closed or similar (e.g. interlocked) to prevent it being left in the open position. The leak tightness specification for the bypass should be equivalent to that of the main HIPPS valves.
HIPPS re-open inhibits may also be required either to protect the valves from damage due to opening against high differential pressure, or to prevent a rapid pressure rise scenario should the HIPPS be re-opened onto a blocked downstream system. As the integrity of these inhibit functions is also high, they should be part of the HIPPS.

5.3.1.1 Fail-safe function

The valve fail-safe function should be achieved by spring return actuators. Other solutions such as operating pressure inside the valve or double acting piston actuators should only be considered if there are justifiable reasons not to use the spring return option.

5.3.1.2 Actuator force and drive train

For ball valves, the actuator output torque should be at least 1.3×, and preferably 2.0×, the required valve torque throughout all stages of the opening and closing strokes as determined by workshop tests which should simulate or otherwise be representative of:
• actual service in which the valve will be employed, i.e. gas service or liquid service
• maximum design differential pressures across the valve
• actual valve configurations, i.e. seat type, stem extensions, etc.
• closure within specified time (speed of closure affects torque required).

5.3.2 Circuit breakers

Circuit breakers and control relays are generally accepted as final elements for specific applications due to extensive operating experience and their mature technology, but such devices should be carefully selected considering characteristics and available track record (proven for the application).

It should be ensured that any failure data provided covers the full breaker function, both electrical and mechanical.

Failure rate data pertaining to the ‘fail to disconnect mode’ should be available and, where possible, safe fail fraction and hardware fault tolerance data should be sought.

Circuit breakers and control relays should be fail-to-safe, i.e. contacts are de-energized to open.
Note: in some cases (e.g. certain HV breakers) energize to break is the only option.

Circuit breakers and control relays should be specified according to the following criteria:
• coil provided with gravity dropout or dual springs
• provision should be made for preventing HIPS relay contacts from welding closed (e.g. energy limiting load resistance, contact arc suppression) when dealing with high power and/or inductive loads at the interface with breakers.

6 Design testing

Testing activities should be performed during several design and development phases such as:
• Design Validation/Typical Test (DVT)
• Factory Acceptance Tests (FAT) of each HIPS component
• Integrated Factory Acceptance Test (IFAT)
• Yard and On-Site Tests/Pre-commissioning
• Operational Testing (OT)/Site Acceptance Test (SAT)
• HIPS Performance Tests.

The aim of these tests is to demonstrate that the HIPS supply and configuration meet the HIPS SRS at each one of the above stages.

A HIPS testing plan should document which of these tests will take place, and address the items listed in the remainder of this section.

6.1 Design Validation/Typical Test (DVT)

Design validation testing may apply to the logic solver(s) and smart valve testing systems only. It is a validation test of the interface principles and technologies between the HIPS logic solver and other systems including smart valve testing systems. The purpose is to define and test how HIPS data are transferred to other systems as well as the SL-3 requirement level (IEC 62443-3-3) and the Security Program (SP) requirements (BRs and REs) (IEC 62443-2-4).

6.2 Factory Acceptance Tests (FAT)

Separate factory acceptance tests (FAT) should be conducted for all HIPS components. All test and measurement equipment should have valid calibration certificates and labels from a certified laboratory.
The purpose of the FAT is to ensure that the HIPS sensors assembly, the HIPS Logic Solver and the HIPS Final elements function as per the HIPS SRS. The FAT should also consider testing of the interface with other systems.

6.3 Integrated Factory Acceptance Test (IFAT)

An IFAT should be performed after successful completion of the individual component FATs. The HIPS arrangement during IFAT should reflect the final HIPS configuration on-site. All HIPS components should be hooked-up and connected together. Interfaces with other systems (dummy systems during the IFAT) should be part of the IFAT. Simulation of physical measurement for actuating some sensors (e.g. pressure and level) should be included in the IFAT.

During the IFAT, ‘black-out’ (after which the HIPS will fail safe) and ‘black-start’ (after which the HIPS will remain in the fail safe state) tests should be performed.

6.4 Yard and On-Site Tests/Pre-Commissioning Tests

Once the HIPS components have arrived in the yard or site after IFAT, the HIPS should be unpacked, installed and the HIPS components should be hooked-up. The pre-commissioning should consist of a series of tests to demonstrate that:
• the integrity of HIPS components has not been affected in transport
• the components are installed in the correct way, segregated from other systems, etc.
• field components are adequately protected against impact, flooding, etc.
• interconnections between actuators and control panels are adequate (length, protection, etc.)
• power supply to cabinets and heat tracing are adequately installed, segregated, etc.
• heat tracing and thermal insulation are adequately applied, etc.
• interfaces with other systems (e.g. BPCS) are fully operational
• cabling of installed sensors and final elements is adequately installed and functions.
6.5 Operational Testing (OT)/Site Acceptance Test (SAT)

Once the HIPS pre-commissioning and facility commissioning have been completed, an OT/SAT should be performed prior to facility start-up. The purpose of the OT/SAT is to verify and test the following:
• HIPS installation and pre-commissioning successful
• linking with other systems (e.g. ICSS)
• safety and interlocking logic
• energizing the sensors and the final elements by the HIPS
• interacting between HIPS and BPCS and other systems (if any)
• integration of the HIPS mimics in the BPCS (if required)
• storage of HIPS data in the relevant SOE
• HIPS trip functions (sensors – including combinations of voted components)
• HIPS performance test (end to end, including full closure where the final elements are valves)
• HIPS SOE recording.

The HIPS performance test should demonstrate that the achieved HIPS response time is equal to or better than target. As far as practical, the OT/SAT should be performed by creating real process conditions. In addition, a confirmation that valves are sealing adequately should be sought.

6.6 Test administration

6.6.1 Preparation

Prior to each test phase, a comprehensive Inspection & Test Plan (ITP) should be prepared covering the following:
• full set of test procedures (see below)
• testing schedule, including Manufacturer’s internal tests
• resources and equipment list
• predefined test report and correction (punch) list for each test
• HIPS test log (see below).

6.6.2 Procedures

Dedicated test procedures should be issued for each test phase, covering individual HIPS components and overall HIP system as required:
• sensors, including isolation valves, heating and protective enclosures
• logic solvers
• valve control panels, including smart valve testing systems
• valve actuator
• HIPS valves
• electrical switchgear
• end-to-end HIPS.
Test procedures should clearly indicate the test criteria (values) which are to be met, referencing the appropriate (e.g. company) standard from which the criteria are derived.

6.6.3 Recording

After each test, a test log should be issued. It should include the following as a minimum:
• test procedure
• test results/report
• correction/punch/exception lists.

7 Operational testing

The appropriate testing of HIPS is fundamental to ensuring that the integrity requirements for the safety function are satisfied.

The required proof test interval for the HIPS function should have been established via reliability analysis. Any proposed changes in test frequency throughout a HIPS life should be validated via an update to such analysis (this should in any case be covered by facility management of change procedures).

Unrealistically short test intervals (e.g. less than three months) should be avoided. (The more frequent testing becomes, the greater the impact on production availability for components that cannot be tested off-line.) One potential downside of increased test frequency is increased intervention, given that each intervention may present opportunities to compromise the HIPS (e.g. by not returning the system to operation state following test).

Whilst the operation of individual HIPS loop components may be tested separately, an overall system performance test should be conducted in line with the test interval embedded in the SRS. This test should verify both the ‘end to end’ HIPS function and its response time (sensing to completed trip/closure).

7.1 Design for test and maintenance

HIPS should be designed to facilitate the required testing of the complete HIP function, with minimal operational impact. Description of required tests (including high level procedures) should form part of the SRS.
Proof test procedures should be produced by the system designer in conjunction with the Operator as part of the design deliverables package. These should be completed early enough in the system design life cycle to enable any additional testing facilities to be provided. Similarly, maintenance procedures should be developed as part of the design package, and implications for facility operation (e.g. shutdown requirements, access requirements) should be communicated to the Operator by the system designer to enable appropriate facilities to be provided in the wider facility design and operational plan.

A performance standard should be provided for every HIPS, which should capture test interval, trip setting, maximum allowed response time and underlying assumptions (e.g. on flowrate, process conditions, plant line-up). Any proposed change in any parameter in the performance standard should only occur with full management of change applied.

7.2 Operational proof testing

HIPS typically comprise redundant elements (e.g. 2oo3 sensors and 1oo2 solenoids). HIPS testing should be planned and procedures produced such that the correct function of each and every redundant element is verified at each proof test and the outcome recorded.

7.3 Valves

Where the final element is a valve, a leakage test may be required, typically carried out by means of pressure build up. Where required, this is unlikely to be able to detect small volume leaks (such as can be found in factory acceptance testing) and should be designed with a view to detecting gross leakage (albeit within the capacity of the downstream relief device) only. If the ability to detect very small leaks is required, consideration may be given to acoustic valve leak detection techniques.

Partial stroke testing can provide a benefit in terms of improved HIPS PFD, and/or increased interval between full proof tests.
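The PFD effect of partial stroke testing, and the 15% logic solver share of the PFD budget recommended in 5.2, can be quantified as follows. This is an added example, not a calculation from the report: it uses the common low-demand approximation PFDavg ≈ λDU·TI/2 for a single (1oo1) valve with no common cause term, takes 1E-3 as the upper PFD limit of SIL 3, and every failure rate, coverage figure and interval is a constructed value.

```python
SIL3_PFD_LIMIT = 1.0e-3  # upper PFDavg bound of SIL 3 (IEC 61508, low demand)


def pfd_avg(lambda_du, interval_h):
    """PFDavg of one element whose dangerous undetected failures (rate
    lambda_du per hour) are revealed by a test every interval_h hours."""
    return lambda_du * interval_h / 2.0


def pfd_avg_with_pst(lambda_du, coverage, pst_interval_h, full_interval_h):
    """Return (total, untested_part): the partial stroke test reveals the
    fraction `coverage` of failures, the full stroke test reveals the rest."""
    if not 0.0 <= coverage < 1.0:
        raise ValueError("a partial stroke cannot cover every failure mode")
    tested = pfd_avg(coverage * lambda_du, pst_interval_h)
    untested = pfd_avg((1.0 - coverage) * lambda_du, full_interval_h)
    return tested + untested, untested


def full_interval_for_target(lambda_du, coverage, pst_interval_h, target_pfd):
    """Longest full stroke test interval that still meets target_pfd."""
    if not 0.0 <= coverage < 1.0:
        raise ValueError("a partial stroke cannot cover every failure mode")
    interval = ((2.0 * target_pfd / lambda_du - coverage * pst_interval_h)
                / (1.0 - coverage))
    if interval <= 0.0:
        raise ValueError("target cannot be met at this partial stroke interval")
    return interval


def budget_check(target_pfd, subsystem_pfds, max_logic_share=0.15):
    """Compare the summed subsystem PFDs with the target and check the
    logic solver against its recommended share of the budget."""
    total = sum(subsystem_pfds.values())
    share = subsystem_pfds["logic_solver"] / target_pfd
    return {"total": total, "meets_target": total < target_pfd,
            "logic_solver_share": share,
            "logic_solver_ok": share <= max_logic_share}


def worked_example():
    # Constructed values, for illustration only.
    lam = 2.0e-7                    # valve DU failure rate, per hour
    year, quarter = 8760.0, 2190.0  # full stroke yearly, partial quarterly
    base = pfd_avg(lam, year)
    with_pst, untested = pfd_avg_with_pst(lam, 0.6, quarter, year)
    others = {"sensors": 1.0e-4, "logic_solver": 1.0e-4}
    return {
        "valve_no_pst": base,
        "valve_with_pst": with_pst,
        "untested_fraction": untested / with_pst,
        "full_interval_same_pfd_h":
            full_interval_for_target(lam, 0.6, quarter, base),
        "budget_no_pst":
            budget_check(SIL3_PFD_LIMIT, {**others, "valve": base}),
        "budget_with_pst":
            budget_check(SIL3_PFD_LIMIT, {**others, "valve": with_pst}),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(key, value)
```

With these constructed figures the 40% of failure modes that the partial stroke does not exercise still accounts for about 73% of the valve PFD, and the full stroke interval can be stretched to 18,615 h at most before the whole benefit is spent.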
The downside is that the provision of partial stroke capability increases the complexity of an otherwise simple system. And partial stroke means partial coverage – a significant portion of the HIPS (particularly the valve stroke) remains untested and should eventually be covered via full stroke testing.

Valve signatures can be obtained via monitoring and recording of the valve closure characteristic. These can then be used to provide timely indication of impending valve problems. This typically requires actuator pressure monitoring and valve position indication (via transmitter) and may be supplied as part of a partial test system.

8 Safety life cycle for HIPS

HIPS should be designed, constructed, tested, operated and maintained according to IEC 61511 and IEC 61508.
• Integrity targeting for the overall HIPS function should be performed according to IEC 61511 part 3 utilizing either the LOPA or quantified analysis methodologies.
• HIPS verification should be managed by the Operator and not deferred to the system provider, ensuring adequate levels of independence.

Table 1 takes the IEC 61511 safety life cycle and suggests the key elements required at each of the normal HIPS development phases.

8.1 Obsolescence management

A dedicated obsolescence management plan should be established for the HIPS. The HIPS supplier should provide an inventory list with all lifetime statuses. As part of the obsolescence management strategy, local (e.g. in-country) support from the HIPS supplier or agent should be considered.

8.2 Maintainability

A maintenance management plan should be prepared for each HIPS detailing maintenance procedures and intervals, and listing required equipment. This should be developed by the HIPS Integrator, reviewed and approved by the operator.
8.3 Spare parts

Commissioning and operational spares should be identified, procured and stored commensurate firstly with the maintenance plan, and secondly allowing for unexpected failures. Reference should be made to each HIPS component MTTR when determining spares quantities and storage locations. Stored items should be subject to a preservation plan.

Safety Life cycle Phase Objectives Inputs Outputs Process Hazard analysis (PHA) Identification, description and evaluation of hazardous events and scenarios PFDs, P&IDs, Layouts, Operating philosophy, Manning Philosophy, ESD and Blowdown Philosophy, safety targets HAZID and HAZOP reports 2. Safety Integrity (SIL) Targeting To assign a numerical (RRF) and Integrity (SIL) target to each SIF HAZID and HAZOP reports and all inputs detailed above Integrity (SIL) Targeting Report (detail targets for each HIPS) 3. HIPS Specification (User) To specify the user requirements pertaining to each HIPS such that an equipment provider can generate a specification specific to their equipment offering Integrity (SIL) Targeting Report HIPS Safety Requirements Specification HIPS Specification (Supplier) To generate an equipment specific specification that meets the requirements of the HIPS SRS HIPS Safety Requirements Specification Functional Design Specification (FDS) for each HIPS Dynamic analysis Comprises hardware (including System Architecture) and software requirements 1. 4. Relevant Philosophies Identify SIFs requiring HIPS Verify Phase 4 with 3 5. HIPS Design To generate a hardware and software HIPS design that meets the FDS requirements HIPS SRS and FDS System diagrams AFC (e.g. Hook up drawings, panel layouts) Software algorithms (e.g. flow charts, C&E) Verify Phase 5 with 3 6.
HIPS Engineering To engineer the HIPS in compliance with the design To verify the design against the numerical (RRF) and integrity target FDS Physical hardware System diagrams AFC Software code Software algorithms SIL Verification report Operation and Test procedures Verify Phase 6 with 5 (FAT) 7. HIPS installation, commissioning and validation To integrate and test the HIPS. To validate that the HIPS meets the SRS To install and commission the HIPS 8. HIPS Operation and Maintenance To ensure the integrity of the HIPS is maintained during operation and maintenance HIPS Safety Requirements Specification Fully functioning HIPS in conformance with the SRS HIPS FDS Verify Phase 7 with 5 (SAT) Test and Validation Plan FSA Report Commissioning and handover Workpacks As-built documentation HIPS Safety Requirements Specification Maintenance plan Proof testing and routine maintenance procedures Maintenance records Maintenance schedule updates Spares listing 9. HIPS Modification 10. Decommissioning To make corrections, enhancements or adaptations to the HIPS, ensuring that the required safety integrity level is achieved and maintained To ensure proper planning for decommissioning HIPS Safety Requirements Specification MOC approvals Management of Change (MOC) Procedures (including software change control) Documentation (Philosophy/ SRS/FDS/drawings etc.) 
updates as required to maintain alignment with installed system FSA Report FSA Report update MOC Procedures HIPS placed out of service To remove HIPS from service without compromising the safety integrity of the facility

Table 1: Key elements in the IEC 61511 safety life cycle

9 HIPS dossier

Whilst the HIPS performance standard (within the SRS) provides a summary of the key elements and basis for each HIPS, it is also important to develop and retain concise documentation covering all aspects of the design for each HIPS, both as a record of the work done and a basis for life cycle maintenance and update of the HIPS.

A HIPS Dossier should therefore be compiled and maintained for each HIPS by the operator and should include as a minimum the following elements from the safety and instrumentation perspective:
• justification for HIPS selection, design and configuration
• HIPS SRS – Performance standards (Response time, Integrity requirement etc.)
• dynamic analysis
• HIPS drawings (e.g. P&IDs, architecture, wiring, hook-ups, system schematic, block diagrams)
• hazard and consequence analysis studies/reports – Assumptions pertinent to the Hazard analysis and integrity target
• quantified/reliability analysis supporting selection of PFD/SIL targets and relevant test intervals, capturing assessment of diagnostic coverage of failures and common cause failure analysis
• pertinent cause and effect charts
• HIPS maintenance, testing and repair plans/procedures and records
• HIPS operating and re-start procedures (including bypass etc.)
• FSA report (according to IEC 61511)
• HIPS Obsolescence plan.

All HIPS should be added to the facility safety critical systems/items register.