High Integrity Protective System Design Using a Risk-Based Approach

Robert J. Stack The Dow Chemical Company

Hillsdale, MI 49242 [email protected]

Dow Co-Authors: John Armstrong [Houston, TX]

Don Eure [Plaquemine, LA] Ron Johnson [Midland, MI] Scott Tipler [Midland, MI] Tim Wagner [Midland, MI]

Sofka Werkmeister [Freeport, TX]

Prepared for Presentation at American Institute of Chemical Engineers

2010 Spring Meeting 6th Global Congress on Process Safety

San Antonio, Texas March 22-24, 2010

UNPUBLISHED

AIChE shall not be responsible for statements or opinions contained in papers or printed in its publications

The information provided in this paper is provided without any express or implied warranties, and the reader assumes all risks associated with using the information provided in this paper.

KEYWORDS: HIPS, Integrity, Protection, System, LOPA, Consequence, Relief

ABSTRACT

In 2007 API 521/ISO 23251 published guidance on the use of High Integrity Protective Systems (HIPS). The Dow Chemical Company (Dow) updated its internal work process to apply Dow’s risk based work processes to HIPS design, application and evaluation. Rather than just focusing on the vessel related consequences of substituting a HIPS for a pressure relief device (PRD), the work process calls for stepping back and looking at the overall scenario and all the potential consequence outcomes. Using a risk based methodology requires looking at a much wider consequence potential than what Dow has traditionally focused upon for the design of relief systems.

By using Layer Of Protection Analysis (LOPA) to evaluate the consequences of the overpressure scenarios and determine the consequence severity factor or LOPA Target Factor for each scenario, the wider consequence potential is covered. The High Integrity Protection System (HIPS) safety integrity level (SIL) is determined by the highest risk scenario, which is typically the scenario with the greatest LOPA consequence severity factor. The resulting SIL level for the HIPS is adjusted to close the HIPS scenario risk gap. Other applicable LOPA independent Protection Layers (IPLs) are included in the LOPA risk evaluation. The HIPS design is verified by calculation to meet the required SIL level.

There are pressure relief device (PRD) services for which PRDs can’t deliver the over-pressure protection that Dow needs and expects. The updated work process also identifies key opportunities for using a HIPS when: a conventional PRD is not practical or possible, a conventional PRD will not be reliable or a conventional PRD will work but will result in high treatment cost. Each of these three opportunities is discussed.

The overall result is an efficient process that links together the existing work processes for conventional relief design, Layers of Protection Analysis (LOPA) and Safety Instrumented Systems (SIS). This produces a risk based method for applying and designing protection layers into a HIPS. This paper gives an overview of this work process with some application examples and describes how this work process is used to improve safety while reducing risks and potentially reducing costs.

1. INTRODUCTION

Conventional pressure relief devices provide highly reliable and cost-effective protection for most pressure containing equipment. But there are applications where conventional relief devices are not reliable or practical. In these scenarios a High Integrity Protection System (HIPS) can be used.

So what is “HIPS?” In the simplest sense it is an “instrumented protection system” that is used in lieu of a relief device to mitigate a single overpressure scenario. A HIPS normally is comprised of sensors detecting the development of an overpressure situation, final element(s) to interrupt the pressure increase and a logic solver to tie the sensors and final element(s) together.

Typically, HIPS reduces the probability of a specific overpressure scenario to a point where the specific scenario meets some predefined risk. This normally will allow the relief designer to specify a smaller relief system to address the remaining scenarios. There are rare occasions where a HIPS totally replaces a relief device.

The HIPS concept is defined in API 521 (5th edition – 2007) Annex E, along with DIN V 19250 (DIN EN 51508). It is also important to recognize that HIPS applies to “underpressure” scenarios as well as “overpressure” scenarios.

A HIPS system is typically used for one of the following primary reasons:

1. A conventional pressure relief device is “not possible or practical”
2. A conventional pressure relief device is “not reliable”
3. Installing a conventional pressure relief device requires “excessive cost for treatment”

Let’s look at these individually, in more depth:

NOT PRACTICAL OR POSSIBLE: A conventional relief device may not be practical or possible if the relief device needs to be overly large. This often occurs when designing a relief device for:

• reactive chemical relief scenarios
• scenarios involving small equipment, such as in research and market development facilities
• relief scenarios protecting against excessive temperature, such as over-firing a cracker or heat transfer furnace

NOT RELIABLE: A conventional pressure relief device may not be reliable when used in applications:

• that may cause plugging, such as monomer service
• that are involved with overly corrosive or erosive materials
• with fluids that tend to freeze, or cure in the relief system

EXCESSIVE COST: When relief valves are routed to a flare or scrubber system, the real cost is often much higher than that for just the relief devices. That is especially true for new installations and for existing systems that are already at their maximum capacity.

The incremental load from a relief device to an existing flare system or scrubber system might be too much for the system to handle, resulting in a costly capacity expansion project.

For new flare system or scrubbers, the initial cost can often be greatly reduced by selectively using HIPS to eliminate high loads from a limited number of relief devices. For example, plant-wide loss of cooling is often the controlling scenario that determines the size of a flare system. For distillation columns, the pressure relief load due to loss of cooling is often much higher than that for the other remaining scenarios.

The flow from new relief devices into an existing flare header might create excessive backpressure on some of the other safety valves already in that system. Upgrading the existing safety valves, or the flare header, could be very costly.

2. IMPLEMENTING HIPS

So now that we know why HIPS are used, let’s discuss how they are implemented. A relief device’s main purpose is to prevent catastrophic failure of a pressurized vessel that may create destructive shrapnel and/or destructive pressure waves. And since a HIPS is replacing a relief device for a specific relief design scenario, one might simplistically assume that the HIPS needs to be designed to the same integrity as the relief device. A typical relief device has a failure probability similar to a Safety Instrumented System (SIS) that is designed to a Safety Integrity Level (SIL) between SIL-2 and SIL-3.

Traditional HIPS Work Processes have used a prescribed solution to accomplish this task. For example: “a HIPS shall be a SIS with integrity of at least SIL 2.5.” Some institutions even mandate a Safety Integrity Level of “3” as a minimum. This rule based solution is:

• simple to implement
• safely covers most cases because it is conservative by nature
• consistent with the philosophy that a relief device simply prevents a vessel from failing due to over pressure
• needs only one HIPS PFD calculation for the standard solution
• consistent with other rule-based standards, such as NFPA

But this prescribed solution is based on the concept of simply substituting a HIPS for a PSV. By stepping back and looking at the overall scenario, Dow is able to consider the “consequence” or “risk” of over pressurization. (Remember that a relief device or its equivalent SIS used in a HIPS has a probability of failure on demand.) Vessel fragmentation and the resulting pressure waves are certainly important, but what if the contents of the vessel create a greater hazard? This may be a very serious issue if toxic or flammable materials are involved. Shouldn’t the population density in the vicinity of the potential accident be an important design consideration? In some situations can’t the release of materials be an even more important concern than vessel fragmentation? Let’s look at some examples of varying consequence:

1. If a hot water tank over pressurizes, the resulting shrapnel or pressure wave could certainly create potential fatalities

2. When an extruder feed line containing a heat exchanger over pressurizes, the only concern is some hot polymer oozing out of ruptured flange gaskets (which are the weak spot in the line)

3. If a chlorine sphere over pressurizes and ruptures, there could potentially be multiple fatalities in both the production facility and in the community at large

IEC 61511 defines rules for implementing Safety Instrumented Systems in the process sector. These rules center around the concept of first defining the hazard, followed by defining the consequence of the hazard. As the severity of the consequence increases, so does the required safety system design integrity or reliability. So why hasn’t the consequence of over pressurization ever been considered in HIPS design? Dow decided to use the IEC 61511 philosophy in HIPS design. Since Dow already uses LOPA for general process hazard quantification, scenario likelihood, and protection layer identification, it was a natural evolution to use LOPA to assess the HIPS scenario for:

• the consequence of over pressure
• the likelihood of over pressure
• the necessary layers of protection to reduce the likelihood of over pressure

These protection layers – as per the LOPA Work Process - are not limited to Safety Instrumented Systems, but can also consist of:

• Basic Process Control actions
• Operator Response to Alarms
• Management Systems
• Other Safety Related Protection Systems

This higher level of analysis is more work than simply substituting a HIPS for a PSV. However it provides the opportunity to incorporate the existing protection layers and adjust the protection to fit the consequences. Therefore, Dow has no rule that requires a HIPS to be a SIL-2 or SIL-3 SIS. Instead, LOPA is used to determine the integrity level of any required SIS beyond SIL-1. The only rule regarding Safety Instrumented Systems is that the mitigation scheme must include a minimum of one SIL-1 SIS. But LOPA could also identify the need for multiple SISs or multiple HIPSs to manage severe risks.

3. WHAT API 521 SAYS

A very interesting idea and argument follows, but does it comply with API 521? API 521 section E.4.2 says:

In accordance with ISA S84.01, a necessary step in safety instrumented system design is to set a safety integrity level (SIL) or availability value target for system design. The system is assigned as a SIL-1, SIL-2 or SIL-3 system, with SIL-3 being the most robust and most reliable and SIL-1 being the least.

API 521 doesn’t require a HIPS to be a SIL-2 or SIL-3.

API 521 section E.4.2 continues to say:

The determination of target SIL for a given system is dependent upon:

• the risk associated with the hazard that the system is protecting against,
• i.e. the likelihood of the initiating and contributing events
• the magnitude of the consequences
• the credit that can be taken for other safeguards

This sounds exactly like the philosophy that is the foundation behind LOPA. A closer look at this requirement reveals:

• The “risk associated with the hazard” is like the LOPA “scenario”
• The “likelihood of initiating events” is like the LOPA “Initiating Event Freq.”
• The “magnitude of the consequences” is like the LOPA “Severity level” which is used to assign a LOPA target factor
• The “credit taken for other safeguards” is like non-SIS LOPA “protection layers”
• The “determination SIL target” is what you do for SISs defined in LOPA

So “YES,” LOPA can be used (provided corporate risk criteria have already been defined).

API 521 section E.4.4 HIPS availability analysis says:

The purpose of the HIPS availability analysis is to evaluate the system performance of the proposed configuration. The availability analysis should utilize standard techniques, such as fault-tree analysis (see ISA TR-84.02).

Dow does this availability or PFD analysis for every HIPS system.

4. DOW’S HIPS WORK PROCESS

But implementing a HIPS at Dow is not an insignificant task. It is often more complex than designing and installing a relief device. There are many requirements that must be met. They are summarized here, and explained in further detail below:

1. Determine if HIPS is a better alternative
2. Gatekeeper review
3. Perform LOPA to determine SIL level
4. HIPS implementation using existing SIS work process
5. Follow Pressure Relief Design Work Process
6. Final review & approval

This Work Process includes the following as a minimum:

1. Determine if HIPS is a better alternative
   • Relief design, process design engineer or process safety review discovers the need for a HIPS
   • Defined HIPS application criteria must be met

2. Gatekeeper Review
   • Ensure HIPS meets application criteria
   • Provide guidance for following HIPS work process

3. Perform LOPA on HIPS scenario
   • Identify and verify applicable independent protection layers (IPLs)
   • Determine the required SIL for HIPS SIS (minimum SIL-1 required)

4. Follow Dow’s SIS Work Process for identification and implementation of any Safety Instrumented Systems (SIS)
   • All SIS and LOPA work processes apply
   • Special HIPS identifier in SIS, LOPA, and relief design records

5. Follow Dow’s Pressure Relief Design Work Process, which includes:
   • Responsibilities,
   • Design requirements,
   • Approvals
   • Integrity Management,
   • Flow chart of the overall relief design process.

6. Final Review and Approval
   • Stakeholder review and approval
   • HIPS registration and documentation archived

Note: Dow minimum design requirements must be followed:

• Design must include at minimum a SIL1 SIS, regardless of how benign the consequence is determined to be (in accordance with API 521),
• A qualified Relief Designer and reviewer has to be involved in the overall HIPS design,
• The HIPS registration process is used for tracking and auditing purposes.

The benefit of using LOPA to quantify both the risk and the associated protection layers is that you have more flexibility to better meet the actual risk reduction needs. But these benefits are not free. The cost is that you must:

• define the LOPA overpressure scenario(s),
• calculate the LOPA target factor(s),
• design and verify the independent protection layers,
• demonstrate by PFD calculation per API 521 E4.4 that each HIPS meets the required SIL level,
• audit all aspects of the study, design, and protection layers.

However, using LOPA is the normal work process required in Dow for new equipment – much of this work was completed in parallel with the Relief Design process.
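The gap calculation and SIL verification described above, as an added example that is not from the paper or from Dow: every frequency, target, failure rate and the common-cause factor below is a constructed value, and the simplified 1oo1/1oo2 PFD equations stand in for the fault-tree analysis that API 521 E.4.4 refers to. It assumes a SIL-n SIS is credited with one order of magnitude of risk reduction per level.

```python
import math

# Constructed LOPA scenarios for one HIPS (frequencies per year). These are
# illustrative values, not Dow's risk criteria or data from the paper.
SCENARIOS = [
    {"name": "vessel rupture, toxic release", "init": 0.1, "target": 1e-4,
     "ipl_pfds": [0.1]},          # one non-SIS IPL, e.g. operator response
    {"name": "gasket leak, hot polymer", "init": 0.1, "target": 1e-2,
     "ipl_pfds": []},
    {"name": "benign release", "init": 0.01, "target": 1e-1, "ipl_pfds": []},
]


def required_sil(init, target, ipl_pfds):
    """SIL needed to close the LOPA risk gap for a single scenario."""
    mitigated = init * math.prod(ipl_pfds)   # frequency with non-SIS IPLs only
    rrf = mitigated / target                 # risk reduction still required
    if rrf <= 1:
        return 1   # no gap left, but the work process still requires SIL-1
    # Small epsilon keeps float noise (100.00000000000001) from rounding up.
    return max(1, math.ceil(math.log10(rrf) - 1e-9))


def governing_sil(scenarios):
    """The HIPS SIL is set by the highest-risk scenario."""
    return max(required_sil(s["init"], s["target"], s["ipl_pfds"])
               for s in scenarios)


def group_pfd(lambda_du, ti, redundant, beta=0.05):
    """Simplified average PFD of a 1oo1 or 1oo2 group.

    lambda_du: dangerous undetected failure rate (per year)
    ti: proof test interval (years); beta: common-cause fraction (assumed)
    """
    x = lambda_du * ti
    if not redundant:
        return x / 2
    return ((1 - beta) * x) ** 2 / 3 + beta * x / 2


def hips_pfd(redundant, sensor_du=0.02, valve_du=0.04, logic_pfd=1e-4, ti=1.0):
    """PFD of the whole loop: sensors + logic solver + final elements."""
    return (group_pfd(sensor_du, ti, redundant)
            + group_pfd(valve_du, ti, redundant)
            + logic_pfd)


def meets_sil(pfd, sil):
    """Low-demand SIL-n requires an average PFD below 10^-n."""
    return pfd < 10 ** -sil


if __name__ == "__main__":
    need = governing_sil(SCENARIOS)
    print(f"governing requirement: SIL-{need}")
    for label, redundant in (("1oo1", False), ("1oo2", True)):
        pfd = hips_pfd(redundant)
        print(f"{label}: PFDavg={pfd:.2e} meets SIL-{need}: "
              f"{meets_sil(pfd, need)}")
```

With these constructed inputs the single-channel loop falls short of the governing requirement while the redundant loop meets it, mostly because of the common-cause term.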

DOCUMENTATION: The requirements for Dow’s SIS Work Process and for Dow’s Pressure Relief Design Work Process must both be met.

The SIS work process includes documentation of the scenario and mitigation strategy in LOPA, a SIS functional specification, verification, validation, periodic proof testing, and audits/assessments required during the SIS’s life cycle. Lastly, all engineering calculations and assumptions must be documented.

The Pressure Relief Design work process requires that a mechanical integrity equipment file be created for each relief device. Relief device documentation includes a description of the design scenario, relief design calculations, inlet/outlet piping pressure drop calculations, and a specification record. The documentation for the HIPS is included in this file. The LOPA scenario number is included for cross reference purposes.

For the rare case where the relief device is eliminated by the use of a HIPS system, UG-140 (previously known as Code Case 2211) verification and documentation is required. The UG-140 documentation is placed in the mechanical integrity equipment file for the process containment equipment.

APPROVALS: Dow’s Process Safety Technology Leader (PSTL) is the HIPS Gatekeeper for his/her business. This is a technical role and the PSTL must give the final approval for:

1. the application of HIPS
2. the Hazard Assessment and Evaluation (documented in LOPA)
3. the required SIL for the SIS component of a HIPS

Why does Dow have a gatekeeper? To ensure control of the work process to:

1. avoid misapplications of HIPS by ensuring the HIPS system fits prescribed applications
2. avoid unnecessary cost and waste of resources for incorrect applications
3. ensure the Process Safety Technology Leader is drawn into process
4. gain widespread and mutual approval of the LOPA work
5. conform with Dow’s stated preference to use conventional relief devices
6. reinforce that HIPS is not intended to make relief devices “go away”, rather it is to mitigate a specific relief scenario in accordance with Dow’s risk criteria

Additional approvals are needed from:

1. the Production Leader
2. the Business Technology Center
3. a “qualified” relief reviewer
4. all the normal approvals required for a Safety Instrumented System

5. HIPS VERSUS SIS

Dow has historically performed risk assessments for Process Safety separately from our Relief Design process. They are separate processes performed by separate groups using separate acceptance criteria. This new HIPS work process presented a new paradigm and one important clarification had to be made: defining the distinction between when to use HIPS and when it is just a SIS:

If the size of the relief device is affected, it is a HIPS application: elimination of a relief device sizing scenario, or making a relief device smaller

If the frequency or probability of a relief device opening is affected, then it is purely a SIS/LOPA application. (In this case, the relief device is fully sized for all scenarios.)

Note: Others may consider this a HIPS application.

So a HIPS system must include a SIS (for overpressure protection), but a SIS is not always part of a HIPS system. HIPS and SIS requirements are amazingly similar.

Table 1: Summary of HIPS versus SIS requirements

Requirement                     HIPS    SIS
LOPA Risk Assessment
Documentation
Registration in Relief files
Approvals
Follow the Work Process ¹
Testing

The SIS work process used within the HIPS work process is a normal Dow work process. The PFD of the SIS must be calculated and verified to be adequate for HIPS application and/or required SIL level.

6. Common Examples Of Beneficial HIPS Application:

Figure 1. conventional PRD is not practical or possible to use

HIPS Example: Fired Dowtherm heater

Scenarios:
1. Thermal Expansion – Liquid Venting
2. Constant Heat Input – Two Phase Venting

Hazard: Will cause heater coil temperature to exceed MAWT and potentially fail due to low vapor pressure of Dowtherm. Must prevent this from happening! Install EBV on all fuel streams and close when stack temperature exceeds trip point.

HIPS Required: Since the Relief Valve Is Not Adequate/Sized For All Credible Scenarios

[Diagram labels: DH-922, Fuel, Dowtherm In, Dowtherm Out, Combustion Air, Logic Solver]

If the heater coil ruptures from high temperature, the sudden release of hot Dowtherm into the heater combustion chamber would cause a “vapor explosion” type scenario which could not be adequately vented by a conventional PRD.

Figure 2. conventional PRD will not be reliable example

Example: Conventional Relief Device Is Not Adequate

High Risk of Plugging of PSV Inlet & Outlet Lines

HIPS Solution: High pressure shutdown instrumentation for pump

[Diagram labels: Steam, Condensate, Molten Polymer, PT, Logic Solver (Input, Output), Positive Displacement Pump]

Figure 3. conventional PRD will work but will result in high treatment cost example

Cost Savings Opportunities With HIPS

Example:
• Existing plant with large flare header network.
• Existing flare at/near capacity
• Adding new process unit

New Process Unit
• Large number of PSV
• Flare load = 1.0MM lb/hr
• Based on Loss of Cooling

Use HIPS to reduce the controlling scenario.
• Smaller PSVs
• Smaller header pipes

[Diagram labels: 36” and 24” flare headers, 300 Ft]

Figure 4. conventional PRD will work but will result in high treatment cost example

Cost Savings Opportunities With HIPS

New Process Unit
• Large number of PSV
• Flare load = 1.0MM lb/hr

Use HIPS to defend against the loss of cooling scenario for these 4 columns. Reduces flare load by 410,000 lb/hr. Requires 4 HIPS….shutoff stm to reb. Smaller PSVs - sized for fire scenario

Big cost savings !!

[Diagram labels: 36” and 24” flare headers, 300 Ft]

Note that most HIPS applications only mitigate specific relief scenarios, not all relief scenarios. HIPS process trip inputs can be pressure, temperature, flow, level or concentration, etc. depending on the relief scenario. Multiple process inputs are typically needed to design a higher SIL HIPS system. Process equipment can have multiple HIPS systems for multiple HIPS scenarios.

7. SUMMARY:

The consequence of a relief device failing is not limited to vessel failure and should also include the potential consequences of the specific material released. LOPA is an appropriate tool to quantify the consequences and risks of a failed relief device. It is a standard risk assessment tool at Dow. API 521 does not mandate any specific SIL level for a SIS used in a HIPS, but does state that the SIL determination is dependent upon “credit taken for other safeguards”. A risk based approach provides more flexibility to better meet the actual risk reduction needs and allows for improved safety while reducing risks, and also potentially reducing costs.

8. References:

1. ANSI/API STANDARD 521 FIFTH EDITION, JANUARY 2007 ISO 23251, Petroleum and natural gas industries Pressure-relieving and depressuring systems
2. Anderson Greenwood Crosby Technical Seminar Manual - 4.0 Department Of Transportation Code Requirements - Gas Transmission And Distribution Piping Systems 4.2.4, 4.2.5 (2001)
3. API Recommended Practice 520: Sizing, Selection, and Installation of Pressure-Relieving Devices in Refineries
4. “Sizing, Selection, and Installation of Pressure-Relieving Devices in Refineries,” American Petroleum Institute (API), API Recommended Practice 520, July 1990
5. API 617 API Std 617 Axial and Centrifugal Compressors and Expanders - 2003
6. API 618 API Std 618: 2007 Reciprocating compressors for the petroleum, chemical and gas industry services. - 5th edition
7. API 619 API Std 619: 2004 Rotary-Type Positive-Displacement Compressors for Petroleum, Petrochemical, and Natural Gas Industries, Fourth Edition
8. API 672 API STD 672 Packaged, Integrally Geared Centrifugal Air Compressors for Petroleum, Chemical, and Gas Industry Services ISO/DIS 10442
9. API 675 Positive Displacement Pumps - Controlled Volume 1994
10. API STD 674 Positive Displacement Pumps - Reciprocating 1995
11. API STD 676 Positive Displacement Pumps - Rotary 1994
12. Application of Safety Instrumented Systems for the Process Industries, ISA Standard, ISA-S84.01-1996 and S84.01-2004
13. ASME Code Case 2211-1 Pressure Vessels With Overpressure Protection By System Design, Section VIII Division 1 and 2
14. Deutsches Institute für Normung (DIN) – DIN 19250, “Fundamental safety aspects to be considered for measurement and control equipment,” 2008
15. DOT Guidelines 4.2.4. 4.2.5
16. DOT Pipeline Standard
17. “Guide for Pressure-Relieving and Depressurizing Systems, High Integrity Protective Systems (HIPS)”, American Petroleum Institute (API), API Standard 521, Jan. 2007
18. Guidelines for Pressure Relief and Effluent Handling Systems, Sec. 5.9, CCPS, 1998
19. International Electrotechnical Commission (IEC) - IEC 61511-1, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, 2002
20. International Electrotechnical Commission (IEC) IEC 61508, Functional Safety of electrical/electronic/programmable electronic Safety Related Systems, 7 Parts, 1998 – 2000
21. ISO 4126-5 Controlled Safety Pressure Relief Systems
22. VDI/VDE 2180 Safety device of plants of process engineering with means of the process instrumentation (PLT) introduction, terms, conception (April 2007)