CONSIDERATIONS ON REDUNDANCY REQUIREMENTS IN FINAL ELEMENTS FOR HIPPS.
It is unfortunately quite common to see that various P&IDs specify one final element only in basic/FEED design studies for process scenarios involving HIPPS systems.
You will always find a sentence somewhere in the P&ID saying something like “SIL level will be defined during detailed engineering”.
Now, it is perfectly clear that several factors contribute to SIL definition and assessment, but consider for example the following scenario: a pipe tie-in where a new pipeline operating at 140 barg is connected to an old national grid operating at 70 barg. In order to protect the receiving pipeline, the contractor will need to choose appropriate measures to mitigate the potential risk.
As a rule of thumb in the oil & gas business, a HIPPS will be SIL 3, as overpressure will lead to a combustible gas mixture and, once ignited, the damage is too severe to qualify as minor.
First of all, let’s be clear on a definition, i.e. low demand or high demand/continuous mode.
IEC 61511 gives us a clear definition:
3.2.39
mode of operation (of a SIF)
way in which a SIF operates which may be either low demand mode, high demand mode or continuous mode
a) low demand mode: mode of operation where the SIF is only performed on demand, in order to transfer the process into a specified safe state, and where the frequency of demands is no greater than one per year.
b) high demand mode: mode of operation where the SIF is only performed on demand, in order to transfer the process into a specified safe state, and where the frequency of demands is greater than one per year.
c) continuous mode: mode of operation where the SIF retains the process in a safe state as part of normal operation.
We can therefore assume that the HIPPS system in our example is operating in low demand mode. The risk is always present, but the focus of IEC 61511 is to consider when/how often the SIS will have to perform its SIF (a HIPPS, as the last level of defense against overpressure, should stay open for almost all its life and will be called to operate only when high pressure occurs). Being clear on this definition, we can then approach the right tables contained in IEC 61511.
Table 4 of IEC 61511-1 is used to associate an RRF (risk reduction factor) with a SIL level.
A.9.2.3 When a safety function is allocated to a SIS, it will be necessary to consider whether the application is low demand mode or high demand/continuous mode. In the process sector safety functions often operate in low demand mode where demands are normally infrequent. In such cases, Table 4 in IEC 61511-1:2016 is the appropriate measure to use. There are an increasing number of applications operating in high demand mode where it is more appropriate to consider the application as continuous mode because the hazardous event typically occurs as soon as the SIS fails to function. In such cases, Table 5 in IEC 61511-1:2016 is the appropriate measure to apply.
9.2.3 For each SIF operating in demand mode, the required SIL shall be specified in accordance with either Table 4 or Table 5.
So now we know the SIL level associated with our RRF. Obviously, we may not know it in a very preliminary design phase, but we can look for some indications in the available project documents.
Following the example above (pipe tie-in), we may have a look at the P&ID and hunt for (pressure) safety valves which can aid in reducing the risk of our process, albeit at the cost of venting / flaring the gas.
Now we think: “ok, what happens to the downstream, low-rated pipeline if a single-FE SIS does not close in the event of overpressure?”.
Personally, I will tend to question the (in)famous sentence often found in the P&ID and challenge my customer with this question. Will he still consider that the SIL level will be defined later?
Again, IEC 61511 gives us a heads-up. Vendors have often been very creative in the way they claim systematic capabilities for their products, so the standard warns the plant designer that it is quite common to have redundancy on FEs.
A.9.2.4 Reliability analysis may indicate that it is possible to achieve a PFDavg due to random hardware failures of less than 10^-5, but IEC 61511-1:2016 presumes that systematic failures and common mode failures will limit the actual risk reduction that can be achieved.
A.11.2.4 b) Final element
For a SIL 2, SIL 3 or SIL 4 SIF, separate SIS final elements with identical or diverse redundancy will normally be needed to meet the required safety integrity.
The following paragraphs give a further strong indication on HFT and redundancy requirements.
As a rule of thumb, I always say to my customers that a SIL 3 HIPPS will need 2 FEs.
A.11.4 Guidance to “Hardware fault tolerance”
A.11.4.1
NOTE 1 The SIS subsystems can be required to operate under low or high demand depending on the operating mode. A SIF can be specified to close a valve in response to specified process deviations. Whether manual or automatic reset, the SIS can maintain the valve in the safe state until it is commanded to do otherwise. The hardware fault tolerance requirements for the SIS’s operation in response to a hazardous event can be determined according to the low demand mode and its operation while in shutdown according to high demand mode.
NOTE 2 The minimum hardware fault tolerance has been defined to alleviate potential shortcomings in SIF design that can result due to the number of assumptions made in the design of the SIF, along with uncertainty in the failure rate of devices used in various process applications.
A.11.4.5 Table 6 of IEC 61511-1:2016 defines the minimum fault tolerance for SISs or SISs’ subsystems. The fault tolerance requirement depends on the required SIL of the SIF being implemented by the SIS.
NOTE The HFT requirements in Table 6 represent the minimum system or, where relevant, the SIS subsystem redundancy. Depending on the application, device failure rate and proof-testing interval, additional redundancy can be required to satisfy the failure measure for the SIL of the SIF according to 11.9.
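To make the interplay between Table 4 (PFDavg/RRF bands), A.9.2.4 (common cause limits the achievable risk reduction) and Table 6 (minimum HFT) concrete, here is an added worked example that is not part of the original article. It compares a 1oo1 and a 1oo2 final-element subsystem using the usual first-order low-demand approximations; the dangerous undetected failure rate, proof-test interval and beta factor are constructed values, and the 1oo2 formula with a beta common-cause term is an assumption of this example, not a figure from the standard.

```python
# Added example (not from the original article): simplified low-demand PFDavg
# for 1oo1 vs 1oo2 final elements, checked against IEC 61511-1:2016 Table 4
# (PFDavg bands per SIL) and Table 6 (minimum HFT per SIL). Formulas are
# first-order approximations; failure rate, TI and beta are constructed values.

# Table 4: SIL -> (PFDavg lower bound, PFDavg upper bound), low demand mode
TABLE4 = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
# Table 6: minimum hardware fault tolerance per SIL
TABLE6_MIN_HFT = {1: 0, 2: 1, 3: 1, 4: 2}


def mode_of_operation(demands_per_year: float) -> str:
    """IEC 61511 3.2.39: low demand if the demand rate is no greater than 1/yr."""
    return "low demand" if demands_per_year <= 1.0 else "high demand"


def pfd_avg(lambda_du: float, ti_hours: float, arch: str, beta: float = 0.0) -> float:
    """Simplified PFDavg (assumption: first-order, no repair, full proof-test coverage).
    1oo1: lambda*TI/2.  1oo2: (lambda*TI)^2/3 + beta*lambda*TI/2 (beta = CCF share)."""
    x = lambda_du * ti_hours  # expected dangerous undetected failures per test interval
    if arch == "1oo1":
        return x / 2
    if arch == "1oo2":
        return x ** 2 / 3 + beta * x / 2
    raise ValueError(f"unsupported architecture: {arch}")


def sil_from_pfd(pfd: float) -> int:
    """Map a PFDavg to its Table 4 SIL band (0 = worse than SIL 1)."""
    for sil, (lo, hi) in TABLE4.items():
        if lo <= pfd < hi:
            return sil
    return 0


def hft_of(arch: str) -> int:
    """Hardware fault tolerance of the final-element architecture."""
    return {"1oo1": 0, "1oo2": 1}[arch]


def assess(target_sil, lambda_du, ti_hours, arch, beta=0.0):
    """Return (PFDavg, SIL band by PFDavg, Table 6 HFT satisfied?) for the subsystem."""
    pfd = pfd_avg(lambda_du, ti_hours, arch, beta)
    return pfd, sil_from_pfd(pfd), hft_of(arch) >= TABLE6_MIN_HFT[target_sil]


if __name__ == "__main__":
    # Constructed values: lambda_DU = 2e-7/h per valve, yearly proof test, beta = 10%
    for arch in ("1oo1", "1oo2"):
        pfd, sil, ok = assess(3, 2e-7, 8760, arch, beta=0.1)
        print(f"{arch}: PFDavg={pfd:.2e} (SIL {sil} band), HFT ok for SIL 3: {ok}")
```

With these numbers the single valve lands inside the SIL 3 PFDavg band yet fails the Table 6 HFT requirement, which is exactly the A.9.2.4 point: the random-hardware figure alone does not make the architecture acceptable.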
There can be some exceptions (see 11.4.6 and A.11.4.6, which explain the rule further), but the “preferred solution” is still to have 2 valves.
A.11.4.6 Fault tolerance is the preferred solution to gain the required confidence that a robust architecture has been achieved. When IEC 61511-1:2016, 11.4.6 applies, the purpose of the justification is to demonstrate that the proposed alternative architecture with reduced hardware fault tolerance provides an equivalent or better solution (e.g., with the use of other verifiable means such as certification or similar).
NOTE 1 Examples to implement reduced hardware fault tolerance include: back-up arrangements (e.g., analytical redundancy (replacing a failed sensor output by physical calculation results from other sensors outputs); using more reliable items of the same technology (if available); changing for a more reliable technology; decreasing common cause failure impact by using diverse technology; increasing the design margins; constraining the environmental conditions (e.g., for electronic components); decreasing the reliability uncertainty by gathering more field feedback or expert judgment, etc.
So basically this is quite clear to me. I cannot imagine that applying the HFT table (using 2 Final Elements) would decrease the overall safety.
And even so, in case of an alternative, we must be pretty sure that the proposed alternative architecture is really foreseen. For example, if someone tells me “ok, you are right but there are other mitigating measures”, I always ask: where? Will they cover the same risk? Do they share elements with the SIS? How reliable are they?
In short, I may be wrong, but I have seen more and more often a 1FE system becoming a 2FE system than the other way around.
As a vendor, I will always challenge my customers and I will always offer, at least as an alternative (in a scenario like the one described at the beginning), a solution with 2 valves, so that the contractor will not be short on budget or space in the event they win the EPC contract.