
High Integrity Protective System Design

Using a Risk-Based Approach





Robert J. Stack
The Dow Chemical Company
Hillsdale, MI 49242
stackrj@dow.com


Dow Co-Authors:
John Armstrong [Houston, TX]
Don Eure [Plaquemine, LA]
Ron Johnson [Midland, MI]
Scott Tipler [Midland, MI]
Tim Wagner [Midland, MI]
Sofka Werkmeister [Freeport, TX]



Prepared for Presentation at
American Institute of Chemical Engineers
2010 Spring Meeting
6th Global Congress on Process Safety
San Antonio, Texas
March 22-24, 2010

UNPUBLISHED

AIChE shall not be responsible for statements or opinions contained
in papers or printed in its publications

The information provided in this paper is provided without any express or implied
warranties, and the reader assumes all risks associated with using the information
provided in this paper.

KEYWORDS: HIPS, Integrity, Protection, System, LOPA, Consequence, Relief

ABSTRACT
In 2007 API 521/ISO 23251 published guidance on the use of High Integrity Protective
Systems (HIPS). The Dow Chemical Company (Dow) updated its internal work process
to apply Dow's risk-based work processes to HIPS design, application and evaluation.
Rather than just focusing on the vessel related consequences of substituting a HIPS for a
pressure relief device (PRD), the work process calls for stepping back and looking at the
overall scenario and all the potential consequence outcomes. Using a risk based
methodology requires looking at a much wider consequence potential than what Dow has
traditionally focused upon for the design of relief systems.
By using Layer Of Protection Analysis (LOPA) to evaluate the consequences of the
overpressure scenarios and determine the consequence severity factor or LOPA Target
Factor for each scenario, the wider consequence potential is covered. The High Integrity
Protection System (HIPS) safety integrity level (SIL) is determined by the highest risk
scenario, which is typically the scenario with the greatest LOPA consequence severity
factor. The resulting SIL level for the HIPS is adjusted to close the HIPS scenario risk
gap. Other applicable LOPA independent Protection Layers (IPLs) are included in the
LOPA risk evaluation. The HIPS design is verified by calculation to meet the required
SIL level.
There are pressure relief device (PRD) services for which PRDs can't deliver the
overpressure protection that Dow needs and expects. The updated work process also identifies
key opportunities for using a HIPS when: a conventional PRD is not practical or
possible, a conventional PRD will not be reliable or a conventional PRD will work but
will result in high treatment cost. Each of these three opportunities is discussed.
The overall result is an efficient process that links together the existing work processes
for conventional relief design, Layers of Protection Analysis (LOPA) and Safety
Instrumented Systems (SIS). This produces a risk based method for applying and
designing protection layers into a HIPS. This paper gives an overview of this work
process with some application examples and describes how this work process is used to
improve safety while reducing risks and potentially reducing costs.
1. INTRODUCTION
Conventional pressure relief devices provide highly reliable and cost-effective protection
for most pressure containing equipment. But there are applications where conventional
relief devices are not reliable or practical. In these scenarios a High Integrity Protection
System (HIPS) can be used.
So what is HIPS? In the simplest sense it is an instrumented protection system that is
used in lieu of a relief device to mitigate a single overpressure scenario. A HIPS
normally is comprised of sensors detecting the development of an overpressure situation,
final element(s) to interrupt the pressure increase and a logic solver to tie the sensors and
final element(s) together.
Typically, HIPS reduces the probability of a specific overpressure scenario to a point
where the specific scenario meets some predefined risk. This normally will allow the
relief designer to specify a smaller relief system to address the remaining scenarios.
There are rare occasions where a HIPS totally replaces a relief device.
The HIPS concept is defined in API 521 (5th edition 2007) Annex E, along with DIN V
19250 (DIN EN 51508). It is also important to recognize that HIPS applies to
underpressure scenarios as well as overpressure scenarios.
A HIPS system is typically used for one of the following primary reasons:
1. A conventional pressure relief device is not possible or practical
2. A conventional pressure relief device is not reliable
3. Installing a conventional pressure relief device requires excessive cost for
treatment

Let's look at these individually, in more depth:
NOT PRACTICAL OR POSSIBLE:
A conventional relief device may not be practical or possible if the relief device needs to
be overly large. This often occurs when designing a relief device for:
• reactive chemical relief scenarios
• scenarios involving small equipment, such as in research and market development
  facilities
• relief scenarios protecting against excessive temperature, such as over-firing a
  cracker or heat transfer furnace

NOT RELIABLE:
A conventional pressure relief device may not be reliable when used in applications:
• that may cause plugging, such as monomer service
• that are involved with overly corrosive or erosive materials
• with fluids that tend to freeze, or cure in the relief system

EXCESSIVE COST:
When relief valves are routed to a flare or scrubber system, the real cost is often much
higher than that for just the relief devices. That is especially true for new installations and
for existing systems that are already at their maximum capacity.
• The incremental load from a relief device to an existing flare system or scrubber
  system might be too much for the system to handle, resulting in a costly capacity
  expansion project.
• For new flare systems or scrubbers, the initial cost can often be greatly reduced by
  selectively using HIPS to eliminate high loads from a limited number of relief
  devices. For example, plant-wide loss of cooling is often the controlling scenario
  that determines the size of a flare system. For distillation columns, the pressure
  relief load due to loss of cooling is often much higher than that for the other
  remaining scenarios.
• The flow from new relief devices into an existing flare header might create
  excessive backpressure on some of the other safety valves already in that system.
  Upgrading the existing safety valves, or the flare header, could be very costly.


2. IMPLEMENTING HIPS
So now that we know why HIPS are used, let's discuss how they are implemented. A
relief device's main purpose is to prevent catastrophic failure of a pressurized vessel that
may create destructive shrapnel and/or destructive pressure waves. And since a HIPS is
replacing a relief device for a specific relief design scenario, one might simplistically
assume that the HIPS needs to be designed to the same integrity as the relief device. A
typical relief device has a failure probability similar to a Safety Instrumented System
(SIS) that is designed to a Safety Integrity Level (SIL) between SIL-2 and SIL-3.

Traditional HIPS Work Processes have used a prescribed solution to accomplish this
task. For example: a HIPS shall be a SIS with integrity of at least SIL 2.5. Some
institutions even mandate a Safety Integrity Level of 3 as a minimum. This rule-based
solution:
• is simple to implement
• safely covers most cases because it is conservative by nature
• is consistent with the philosophy that a relief device simply prevents a vessel from
  failing due to over pressure
• needs only one HIPS PFD calculation for the standard solution
• is consistent with other rule-based standards, such as NFPA

But this prescribed solution is based on the concept of simply substituting a HIPS for a
PSV. By stepping back and looking at the overall scenario, Dow is able to consider the
consequence or risk of over pressurization. (Remember that a relief device or its
equivalent SIS used in a HIPS has a probability of failure on demand.) Vessel
fragmentation and the resulting pressure waves are certainly important, but what if the
contents of the vessel create a greater hazard? This may be a very serious issue if toxic
or flammable materials are involved. Shouldn't the population density in the vicinity of
the potential accident be an important design consideration? In some situations can't the
release of materials be an even more important concern than vessel fragmentation?

Let's look at some examples of varying consequence:
1. If a hot water tank over pressurizes, the resulting shrapnel or pressure wave could
certainly create potential fatalities
2. When an extruder feed line containing a heat exchanger over pressurizes, the only
concern is some hot polymer oozing out of ruptured flange gaskets (which are the
weak spot in the line)
3. If a chlorine sphere over pressurizes and ruptures, there could potentially be
multiple fatalities in both the production facility and in the community at large
IEC 61511 defines rules for implementing Safety Instrumented Systems in the process
sector. These rules center around the concept of first defining the hazard, followed by
defining the consequence of the hazard. As the severity of the consequence increases, so
does the required safety system design integrity or reliability. So why hasn't the
consequence of over pressurization ever been considered in HIPS design?

Dow decided to use the IEC 61511 philosophy in HIPS design. Since Dow already uses
LOPA for general process hazard quantification, scenario likelihood, and protection layer
identification, it was a natural evolution to use LOPA to assess the HIPS scenario for:
• the consequence of over pressure
• the likelihood of over pressure
• the necessary layers of protection to reduce the likelihood of over pressure

These protection layers, as per the LOPA Work Process, are not limited to Safety
Instrumented Systems, but can also consist of:
• Basic Process Control actions
• Operator Response to Alarms
• Management Systems
• Other Safety Related Protection Systems

This higher level of analysis is more work than simply substituting a HIPS for a PSV.
However it provides the opportunity to incorporate the existing protection layers and
adjust the protection to fit the consequences. Therefore, Dow has no rule that requires a
HIPS to be a SIL-2 or SIL-3 SIS. Instead, LOPA is used to determine the integrity level
of any required SIS beyond SIL-1. The only rule regarding Safety Instrumented Systems
is that the mitigation scheme must include a minimum of one SIL-1 SIS. But LOPA
could also identify the need for multiple SISs or multiple HIPSs to manage severe risks.

3. WHAT API 521 SAYS

A very interesting idea and argument follows, but does it comply with API 521?

API 521 section E.4.2 says:
In accordance with ISA S84.01, a necessary step in safety instrumented system
design is to set a safety integrity level (SIL) or availability value target for system
design. The system is assigned as a SIL-1, SIL-2 or SIL-3 system, with SIL-3 being
the most robust and most reliable and SIL-1 being the least.

API 521 doesn't require a HIPS to be a SIL-2 or SIL-3.
API 521 section E.4.2 continues to say:
The determination of target SIL for a given system is dependent upon:
• the risk associated with the hazard that the system is protecting against,
  i.e. the likelihood of the initiating and contributing events
• the magnitude of the consequences
• the credit that can be taken for other safeguards

This sounds exactly like the philosophy that is the foundation behind LOPA. A closer
look at this requirement reveals:
• The risk associated with the hazard is like the LOPA scenario
• The likelihood of initiating events is like the LOPA Initiating Event Freq.
• The magnitude of the consequences is like the LOPA Severity level which is
  used to assign a LOPA target factor
• The credit taken for other safeguards is like non-SIS LOPA protection layers
• The determination of the SIL target is what you do for SISs defined in LOPA

So YES, LOPA can be used (provided corporate risk criteria has already been defined).

API 521 section E.4.4 HIPS availability analysis says:
The purpose of the HIPS availability analysis is to evaluate the
system performance of the proposed configuration. The availability
analysis should utilize standard techniques, such as fault-tree
analysis (see ISA TR-84.02).

Dow does this availability or PFD analysis for every HIPS system.

4. DOW'S HIPS WORK PROCESS

But implementing a HIPS at Dow is not an insignificant task. It is often more complex
than designing and installing a relief device. There are many requirements that must be
met. They are summarized here, and explained in further detail below:
1. Determine if HIPS is a better alternative
2. Gatekeeper review
3. Perform LOPA to determine SIL level
4. HIPS implementation using existing SIS work process
5. Follow Pressure Relief Design Work Process
6. Final review & approval

This Work Process includes the following as a minimum:
1. Determine if HIPS is a better alternative
   • Relief design, process design engineer or process safety review discovers
     the need for a HIPS
   • Defined HIPS application criteria must be met
2. Gatekeeper Review
   • Ensure HIPS meets application criteria
   • Provide guidance for following HIPS work process
3. Perform LOPA on HIPS scenario
   • Identify and verify applicable independent protection layers (IPLs)
   • Determine the required SIL for HIPS SIS (minimum SIL-1 required)
4. Follow Dow's SIS Work Process for identification and implementation of any
   Safety Instrumented Systems (SIS)
   • All SIS and LOPA work processes apply
   • Special HIPS identifier in SIS, LOPA, and relief design records
5. Follow Dow's Pressure Relief Design Work Process, which includes:
   • Responsibilities
   • Design requirements
   • Approvals
   • Integrity Management
   • Flow chart of the overall relief design process
6. Final Review and Approval
   • Stakeholder review and approval
   • HIPS registration and documentation archived
Note: Dow minimum design requirements must be followed:
   • Design must include at minimum a SIL-1 SIS, regardless of how
     benign the consequence is determined to be (in accordance with API
     521)
   • A qualified Relief Designer and reviewer has to be involved in the
     overall HIPS design
   • The HIPS registration process is used for tracking and auditing
     purposes

The benefit of using LOPA to quantify both the risk and the associated protection layers
is that you have more flexibility to better meet the actual risk reduction needs. But these
benefits are not free. The cost is that you must:
• define the LOPA overpressure scenario(s),
• calculate the LOPA target factor(s),
• design and verify the independent protection layers,
• demonstrate by PFD calculation per API 521 E.4.4 that each HIPS meets the
  required SIL level,
• audit all aspects of the study, design, and protection layers.

However, using LOPA is the normal work process required in Dow for new equipment;
much of this work was completed in parallel with the Relief Design process.
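
The LOPA gap calculation and the PFD demonstration listed above can be sketched as follows. This is an added example, not Dow's work process or code: the scenario names, frequencies and failure rates are constructed, a tolerable event frequency stands in for the LOPA target factor (which the paper does not quantify), and simplified PFDavg equations stand in for the fault-tree analysis that API 521 E.4.4 refers to.

```python
import math
from dataclasses import dataclass

MIN_SIL = 1  # paper: the mitigation scheme must include at least one SIL-1 SIS
MAX_SIL = 3  # API 521 E.4.2, as quoted in the paper, assigns SIL-1 to SIL-3

@dataclass
class Scenario:
    name: str
    initiating_freq: float  # initiating events per year (constructed)
    tolerable_freq: float   # tolerable events per year for this consequence (assumed)
    ipl_pfds: tuple         # PFDs of credited non-SIS protection layers (constructed)

def required_rrf(s):
    """LOPA gap: risk reduction factor the SIS must supply after IPL credit."""
    return s.initiating_freq * math.prod(s.ipl_pfds) / s.tolerable_freq

def sil_for_rrf(rrf):
    """IEC 61511 low-demand bands: SIL n covers 10**n < RRF <= 10**(n+1)."""
    sil = 0
    while rrf > 10 ** (sil + 1):
        sil += 1
    return sil

def hips_target(scenarios):
    """Governing scenario, required SIL and maximum PFDavg for the HIPS SIS."""
    worst = max(scenarios, key=required_rrf)  # highest-risk scenario sets the SIL
    rrf = required_rrf(worst)
    sil = max(sil_for_rrf(rrf), MIN_SIL)      # never below SIL-1, however benign
    if sil > MAX_SIL:
        raise ValueError("gap exceeds SIL-3: credit more IPLs or add a second SIS/HIPS")
    return worst, sil, min(1 / rrf, 10.0 ** -MIN_SIL)

def pfd_avg(lambda_du, ti_hours, voting):
    """Simplified PFDavg; ignores common cause, diagnostics and repair time."""
    x = lambda_du * ti_hours  # dangerous undetected failure rate x proof test interval
    return {"1oo1": x / 2, "1oo2": x ** 2 / 3, "2oo3": x ** 2}[voting]

def hips_pfd(design, ti_hours):
    """Sensors, logic solver and final elements act in series, so their PFDs add."""
    return (pfd_avg(design["sensor_ldu"], ti_hours, design["sensor_vote"])
            + design["logic_pfd"]
            + pfd_avg(design["valve_ldu"], ti_hours, design["valve_vote"]))

# Constructed consequence outcomes of one overpressure scenario; the single
# credited IPL (PFD 0.1) represents operator response to an alarm.
SCENARIOS = [
    Scenario("flange leak, on-site only", 0.5, 1e-2, (0.1,)),
    Scenario("vessel rupture", 0.5, 1e-4, (0.1,)),
    Scenario("toxic release off-site", 0.5, 1e-5, (0.1,)),
]
# Constructed designs: failure rates per hour, logic solver PFD taken as given.
SIMPLEX = dict(sensor_ldu=2e-6, sensor_vote="1oo1", logic_pfd=5e-5,
               valve_ldu=3e-6, valve_vote="1oo1")
REDUNDANT = dict(sensor_ldu=2e-6, sensor_vote="2oo3", logic_pfd=5e-5,
                 valve_ldu=3e-6, valve_vote="1oo2")

if __name__ == "__main__":
    worst, sil, max_pfd = hips_target(SCENARIOS)
    print(f"governing scenario: {worst.name}; SIL-{sil}; PFDavg <= {max_pfd:.1e}")
    for label, design, ti in (("simplex, 12-month test", SIMPLEX, 8760),
                              ("redundant, 12-month test", REDUNDANT, 8760),
                              ("redundant, 6-month test", REDUNDANT, 4380)):
        pfd = hips_pfd(design, ti)
        print(f"{label}: PFDavg {pfd:.2e} -> {'meets' if pfd <= max_pfd else 'fails'} target")
```

With these constructed numbers only the redundant design with the shorter proof test interval meets the governing target, which is the practical reason a higher SIL HIPS usually needs multiple inputs and final elements.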

DOCUMENTATION:
The requirements for Dow's SIS Work Process and for Dow's Pressure Relief Design
Work Process must both be met.
The SIS work process includes documentation of the scenario and mitigation strategy in
LOPA, a SIS functional specification, verification, validation, periodic proof testing, and
audits/assessments required during the SIS's life cycle. Lastly, all engineering
calculations and assumptions must be documented.

The Pressure Relief Design work process requires that a mechanical integrity equipment
file be created for each relief device. Relief device documentation includes a description
of the design scenario, relief design calculations, inlet/outlet piping pressure drop
calculations, and a specification record. The documentation for the HIPS is included in
this file. The LOPA scenario number is included for cross reference purposes.

For the rare case where the relief device is eliminated by the use of a HIPS system,
UG-140 (previously known as Code Case 2211) verification and documentation is required.
The UG-140 documentation is placed in the mechanical integrity equipment file for the
process containment equipment.


APPROVALS:
Dow's Process Safety Technology Leader (PSTL) is the HIPS Gatekeeper for his/her
business. This is a technical role and the PSTL must give the final approval for:
1. the application of HIPS
2. the Hazard Assessment and Evaluation (documented in LOPA)
3. the required SIL for the SIS component of a HIPS

Why does Dow have a gatekeeper? To ensure control of the work process to:
1. avoid misapplications of HIPS by ensuring the HIPS system fits prescribed
applications
2. avoid unnecessary cost and waste of resources for incorrect applications
3. ensure the Process Safety Technology Leader is drawn into the process
4. gain widespread and mutual approval of the LOPA work
5. conform with Dow's stated preference to use conventional relief devices
6. reinforce that HIPS is not intended to make relief devices go away, rather it is
to mitigate a specific relief scenario in accordance with Dow's risk criteria

Additional approvals are needed from:
1. the Production Leader
2. the Business Technology Center
3. a qualified relief reviewer
4. all the normal approvals required for a Safety Instrumented System

5. HIPS VERSUS SIS

Dow has historically performed risk assessments for Process Safety separately from our
Relief Design process. They are separate processes performed by separate groups using
separate acceptance criteria. This new HIPS work process presented a new paradigm and
one important clarification had to be made: defining the distinction between when to use
HIPS and when it is just a SIS:
• If the size of the relief device is affected, it is a HIPS application: elimination of a
  relief device sizing scenario, or making a relief device smaller
• If the frequency or probability of a relief device opening is affected, then it is
  purely a SIS/LOPA application. (In this case, the relief device is fully sized for all
  scenarios.)
  Note: Others may consider this a HIPS application.

So a HIPS system must include a SIS (for overpressure protection), but a SIS is not
always part of a HIPS system. HIPS and SIS requirements are amazingly similar.

Table 1: Summary of HIPS versus SIS requirements
Requirement HIPS SIS
LOPA Risk Assessment
Documentation
Registration in Relief files

Approvals
Follow the Work Process
1

Testing

The SIS work process used within the HIPS work process is a normal Dow work process.
The PFD of the SIS must be calculated and verified to be adequate for HIPS application
and/or required SIL level.

6. Common Examples Of Beneficial HIPS Application:

Figure 1. Conventional PRD is not practical or possible to use

HIPS Example: Fired Dowtherm heater
Scenarios:
1. Thermal Expansion - Liquid Venting
2. Constant Heat Input - Two Phase Venting
Hazard: Will cause heater coil temperature to exceed MAWT and potentially fail due to
low vapor pressure of Dowtherm. Must prevent this from happening!
Install EBV on all fuel streams and close when stack temperature exceeds trip point.
HIPS Required: since the relief valve is not adequate/sized for all credible scenarios.
[Diagram labels: DH-922, Fuel, Dowtherm In, Dowtherm Out, Combustion Air, Logic Solver]

If the heater coil ruptures from high temperature, the sudden release of hot Dowtherm
into the heater combustion chamber would cause a vapor explosion type scenario
which could not be adequately vented by a conventional PRD.




Figure 2. Conventional PRD will not be reliable example

Example: Conventional Relief Device Is Not Adequate
High Risk of Plugging of PSV Inlet & Outlet Lines
HIPS Solution: High pressure shutdown instrumentation for pump
[Diagram labels: Steam, Condensate, Molten Polymer, PT, Logic Solver (Input, Output),
Positive Displacement Pump]


Figure 3. Conventional PRD will work but will result in high treatment cost example

Cost Savings Opportunities With HIPS
Example:
• Existing plant with large flare header network
• Existing flare at/near capacity
• Adding new process unit
New Process Unit: large number of PSVs; flare load = 1.0MM lb/hr, based on Loss of Cooling
Use HIPS to reduce the controlling scenario:
• Smaller PSVs
• Smaller header pipes
[Diagram labels: 36, 36, 24, 24, 24, 300 Ft]


Figure 4. Conventional PRD will work but will result in high treatment cost example

Cost Savings Opportunities With HIPS
New Process Unit: large number of PSVs; flare load = 1.0MM lb/hr
Use HIPS to defend against the loss of cooling scenario for these 4 columns:
• Reduces flare load by 410,000 lb/hr
• Requires 4 HIPS: shutoff steam to reboiler
• Smaller PSVs - sized for fire scenario
• Big cost savings!
[Diagram labels: 36, 36, 24, 24, 24, 300 Ft]


Note that most HIPS applications only mitigate specific relief scenarios, not all relief
scenarios. HIPS process trip inputs can be pressure, temperature, flow, level or
concentration, etc. depending on the relief scenario. Multiple process inputs are typically
needed to design a higher SIL HIPS system. Process equipment can have multiple HIPS
systems for multiple HIPS scenarios.

7. SUMMARY:

The consequence of a relief device failing is not limited to vessel failure and should also
include the potential consequences of the specific material released. LOPA is an
appropriate tool to quantify the consequences and risks of a failed relief device. It is a
standard risk assessment tool at Dow. API 521 does not mandate any specific SIL level
for a SIS used in a HIPS, but does state that the SIL determination is dependent upon
credit taken for other safeguards. A risk based approach provides more flexibility to
better meet the actual risk reduction needs and allows for improved safety while reducing
risks, and also potentially reducing costs.

8. References:

1. ANSI/API STANDARD 521 FIFTH EDITION, JANUARY 2007 ISO 23251,
Petroleum and natural gas industries - Pressure-relieving and depressuring systems
2. Anderson Greenwood Crosby Technical Seminar Manual - 4.0 Department Of
Transportation Code Requirements - Gas Transmission And Distribution Piping
Systems 4.2.4, 4.2.5 (2001)
3. API Recommended Practice 520: Sizing, Selection, and Installation of Pressure-
Relieving Devices in Refineries
4. Sizing, Selection, and Installation of Pressure-Relieving Devices in Refineries,
American Petroleum Institute (API), API Recommended Practice 520, July 1990
5. API 617 API Std 617 Axial and Centrifugal Compressors and Expanders -2003
6. API 618 API Std 618: 2007 Reciprocating compressors for the petroleum,
chemical and gas industry services. - 5th edition
7. API 619 API Std 619: 2004 Rotary-Type Positive-Displacement Compressors for
Petroleum, Petrochemical, and Natural Gas Industries, Fourth Edition
8. API 672 API STD 672 Packaged, Integrally Geared Centrifugal Air Compressors
for Petroleum, Chemical, and Gas Industry Services ISO/DIS 10442
9. API 675 Positive Displacement Pumps - Controlled Volume 1994
10. API STD 674 Positive Displacement Pumps - Reciprocating 1995
11. API STD 676 Positive Displacement Pumps - Rotary 1994
12. Application of Safety Instrumented Systems for the Process Industries, ISA
Standard, ISA-S84.01-1996 and S84.01-2004
13. ASME Code Case 2211-1 Pressure Vessels With Overpressure Protection By
System Design, Section VIII Division 1 and 2
14. Deutsches Institut für Normung (DIN) DIN 19250, Fundamental safety
aspects to be considered for measurement and control equipment, 2008
15. DOT Guidelines 4.2.4. 4.2.5
16. DOT Pipeline Standard
17. Guide for Pressure-Relieving and Depressurizing Systems, High Integrity
Protective Systems (HIPS), American Petroleum Institute (API), API Standard
521, Jan. 2007
18. Guidelines for Pressure Relief and Effluent Handling Systems, Sec. 5.9, CCPS,
1998
19. International Electrotechnical Commission (IEC) - IEC 61511-1, Functional
Safety: Safety Instrumented Systems for the Process Industry Sector, 2002
20. International Electrotechnical Commission (IEC) IEC 61508, Functional Safety of
electrical/electronic/programmable electronic Safety Related Systems, 7 Parts,
1998-2000
21. ISO 4126-5 Controlled Safety Pressure Relief Systems
22. VDI/VDE 2180 Safety device of plants of process engineering with means of the
process instrumentation (PLT) introduction, terms, conception (April 2007)
