
Exploration & Production

GENERAL SPECIFICATION

SAFETY

GS EP SAF 260

Design of High Integrity Protection Systems (HIPS)

Rev.  Date     Notes
02    10/2005  Addition of EP root to document identification and improved the text to be in line with GS EP SAF 261
01    02/2004  Fully revised
00    04/2001  First issue

This document is the property of Total. It must not be stored, reproduced or disclosed to others without written authorisation from the Company.

GS_EP_SAF_260A Rev.02.doc
Exploration & Production
General Specification Date: 10/05

GS EP SAF 260 Rev: 02

Contents

1. SCOPE (p. 3)
2. APPLICABILITY (p. 3)
3. REFERENCE DOCUMENTS (p. 3)
3.1 Standards Professional Documents and Codes (p. 3)
4. TERMINOLOGY AND DEFINITIONS (p. 5)
5. HIPS DESIGN PROCEDURE (p. 9)
5.1 Formal Approval of a HIPS (p. 9)
5.2 Preliminary HIPS dossier (p. 9)
5.3 HIPS dossier (p. 9)
5.4 Company approval (p. 10)
6. HIPS BASIS OF DESIGN (p. 10)
6.1 General (p. 10)
6.2 Functional requirements (p. 12)
6.3 HIPS Detail design specification (p. 13)
6.4 Dynamic response and instrument settings (p. 14)
7. CALCULATION REQUIREMENT (p. 15)
7.1 Probability of Failure on Demand (p. 15)
7.2 Component SIL (p. 15)
7.3 Reliability achievement (p. 15)
8. RELIABILITY DATA (p. 17)


1. Scope
The purpose of this specification is to define the requirements for the design of High Integrity
Protection Systems.

2. Applicability
This specification applies to all projects managed by Total E&P and its Affiliates and to
Companies of which Total is a shareholder and which have decided to apply the Total E&P
General Specifications.
This specification is not retroactive; it applies to new installations (fields or plants) and to major
modifications or extensions of existing installations, both onshore and offshore.

3. Reference documents
3.1 Standards Professional Documents and Codes
Where national regulations exist, their provisions and those of the standards and codes to which
they refer shall apply, supplementing or amending the provisions of this document. If there are
no national regulations covering all or part of the subject of this document, the reference
documents shall be strictly applied, as supplemented by the provisions of this document.
Only the main reference documents are mentioned; the CONTRACTOR shall be responsible for
complying with all secondary reference documents dealing with the subject of this document.
Unless otherwise specified, the CONTRACTOR shall apply the IEC 61508 and IEC 61511 standards.
Unless otherwise indicated in the detailed contractual conditions, all the reference documents to
be used, as well as their supplements, shall be the latest issues.
The list of industry standards applicable to the design of a HIPS given hereafter is not
restrictive. It should be completed on a case-by-case basis.

Standards

Reference          Title
IEC 61508          Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61511          Functional safety: safety instrumented systems for the process industry sector
ISO 10418          Analysis, Design, Installation and testing of Basic Surface Safety Systems

Professional Documents

Reference          Title
ANSI/ASME B 31-3   Process piping
ANSI/ASME B 31-4   Liquid transportation systems for hydrocarbons, liquid petroleum
ANSI/ASME B 31-8   Gas transmission and distribution piping systems


API RP 14C         Recommended practice on analysis, design, and testing of basic surface safety systems for offshore production platforms
API RP 520         Sizing, Selection and Installation of Pressure Relieving Devices in Refineries
API RP 521         Guide for pressure Relief and Depressuring Systems
ASME Section VIII  Rules for Construction of Pressure vessels
BS (PD) 5500       Specification for Unfired Fusion Welded Pressure Vessels
UKOOA              Guidelines for instrument-based protective systems

Codes

Reference          Title
DNV 81             Rules for submarine pipeline systems

Other documents

Reference          Title
Operating Philosophy
Safety Concept
Statement Of Requirements (SOR)

Total General Specifications

Reference          Title
GS EP ECI 002      Drawing and Symbol - Principles of Presentation
GS EP INS 102      Instrumentation Symbols and Identification
GS EP PVV 142      Valves
GS EP SAF 261      Emergency Shut-Down and Emergency De-Pressurisation (ESD & EDP)
GS EP SAF 262      Pressure protection relief and hydrocarbon disposal systems

The provisions of this document shall be applied in the light of the supplementary documents
relevant to the new facilities. This information shall be supplied by COMPANY and may include
(when they exist):
∗ Country specificity appendices
∗ STATEMENT OF REQUIREMENTS
∗ SAFETY CONCEPT
∗ Preliminary HIPS dossier
∗ Job specification
∗ Data sheets
∗ Articles and conditions, list of tasks
∗ Quality assurance provisions.


4. Terminology and definitions


Common Mode Failure (CMF): Failure of two or more channels in the same way causing the same erroneous result. (IEC 61511-1)
Common Cause Failure (CCF): Failure, which is the result of one or more events, causing failures of two or more separate channels in a multiple channel system, leading to system failure. (IEC 61511-1)
Demand rate: Number of times per year where the activation of a protection system is required.
Design conditions: The internal equipment conditions used in the design calculations of the equipment according to an industry standard. The design conditions usually refer to pressure/temperature, occasionally to flow-rate, hazardous component content.
Diversity (Diversification): Different means of performing a required function. Diversity may be achieved by different physical methods or different design approaches (with the aim of minimising the common mode of failure). (IEC + COMPANY)
Emergency Shut Down (ESD): Control actions undertaken to shut-down equipment or process in response to a hazardous situation (COMPANY)
Emergency Shut Down System (ESD System): System, activated by automatic or manual signals, which undertakes the control actions to shutdown equipment or processes in response to a hazardous situation (ISO 10418). Alternative abbreviations: ESDS and SSS.
Emergency Shut Down Valve (ESDV): High integrity shut-down valve, handling a hazardous fluid or a fluid having an essential function, and located at the limit of a fire zone or within a fire zone to limit hydrocarbon inventory (COMPANY)
Failure: Termination of the ability of a device or equipment item to perform a required function (IEC + API).
Failure rate (λ): Conditional probability of failure per unit of time; generally expressed in 10^-6 per hour.
Hazard: A chemical or physical condition with the potential of causing damage (COMPANY)
High Integrity Protection System (HIPS): Instrument-based systems of sufficient integrity (involving high reliability redundant and/or diversified instruments) so as to make the probability of exceeding the design parameters lower than a target value.
High Integrity Pressure Protection System (HIPPS): A HIPS exclusively devoted to protection against over-pressurisation. Alternative terminology: Over-Pressure Protection System (OPPS)
Integrity: Probability of a system satisfactorily performing the required function under all the stated conditions within a stated period of time (ISO 10418)


Incident: Any event or a chain of events which has caused any or all of the following consequences:
• occupational injury or fatality
• damage to the environment
• material / production loss
• loss of image
Major accident event:
• A fire, explosion or other release of a dangerous substance involving death or serious personal injury to persons on the installation or engaged in an activity on or in connection with it;
• Any event involving major damage to the structure of the installation or plant affixed thereto or any loss in the stability of the installation;
• The collision of a helicopter with the installation;
• Any event arising from a work activity involving death or serious personal injury to five or more persons on the installation or engaged in an activity in connection with it (HSE (UK))
Major failure: A conceivable incident that can possibly occur on the concerned facility, selected out of a list of reference incidents based on experience and considering or not that mitigation measures have been implemented and protection systems have operated as required (COMPANY)
Major releases:
a) Gas Releases: EITHER Quantity released > 300 kg OR Mass release rate > 1 kg/s AND Duration > 5 minutes
b) Liquid Releases (Oil / Condensate / Non-process): EITHER Quantity released > 9000 kg OR Mass release rate > 10 kg/s AND Duration > 15 minutes
c) 2-Phase Releases: EITHER Quantity released > 300 kg OR Mass release rate > 1 kg/s AND Duration > 5 minutes
(COMPANY)
Maximum allowable incidental condition: The maximum condition that is allowed for short duration in case of process upset leading to excursion out of the design conditions.
Maximum allowable working pressure (MAWP) / temperature: The maximum pressure/temperature that is allowed in given exceptional conditions in accordance with an industry standard. The maximum allowable pressure/temperature is the basis for defining the set pressure/temperature of the protection system in order to not exceed this pressure/temperature.
Maximum operating conditions: The maximum pressure, temperature, flow rate, etc., in the equipment when the plant operates at unstable conditions corresponding to the high alarm set point.
Mitigation: Reduction of the effects of a hazardous event (ISO + COMPANY)


Normal operating conditions: The pressure, temperature, flow rate, etc., in the equipment when the plant is in normal operation.
Normal operation: All operating configurations or modes, either steady or transient, nominal or downgraded, but staying within the facility initial design intent. (COMPANY)
Over-pressurisation: Exposure of equipment to internal pressure in excess of its design pressure. (UKOOA)
Over-Pressure Protection System (OPPS): A HIPS exclusively devoted to protection against over-pressurisation (COMPANY). Alternative terminology: High Integrity Pressure Protection System (HIPPS)
Pressure protection and relief device: Device, generally pressure safety valve (PSV) or bursting disk, releasing material contained inside process equipment in order to ensure that the prevailing pressure shall not exceed the design pressure (COMPANY)
Pressure Safety Valve (PSV): Valve actuated by inlet static pressure and designed to open during an emergency or abnormal conditions to prevent a rise of internal fluid pressure in excess of a specified value (API).
Pressure Switch High High (PSHH): Trip on pressure high (COMPANY GS EP INS 102)
Prevention: Means intended to reduce the likelihood of a hazardous event. First level of trip on pressure (COMPANY)
Probability of Failure on Demand (PFD): Probability that a system or a component does not operate when it is activated. Concerning dormant systems, the PFD is actually the mean unavailability of the components.
Process station: One or more process component performing a specific process function such as separation, heating, pumping (ISO 10418)
Process Control System (PCS): System to control normally automatically the operation of a process station.
Process Shut Down (PSD): Isolation of a given process station from the process by actuating appropriate shutdown systems (ISO 10418)
Process Shut Down System (PSD System): System of manual stations and automatic devices which, when activated, initiate Process Shut-Down. Alternative abbreviations: PSDS and PSS
Redundancy: Existence of means, in addition to the means that would be sufficient for a functional unit to perform a required function or for data to represent information. (IEC 61508)
Reliability: The probability that an item is able to perform a required function under stated conditions for a stated period of time or for a stated demand (IEC 61508)
Revealed / Unrevealed failure: A failure which may be known/unknown at its occurrence either by its effects or by a dedicated monitoring device.


Risk: Two-dimensional entity characterising an unwanted event by its likelihood of occurrence and the extent of consequences arising from the occurrence of this event (COMPANY)
Risk Assessment, Quantitative (QRA): Formal and systematic approach of identifying potentially hazardous events and estimating likelihood and consequences to people, environment and resources, of accident developing from these events (COMPANY)
Safety function: A function dedicated to the prevention of a defined accidental event and/or the mitigation of its consequence. A safety function is generally implemented through active and/or passive protections and the related operating procedures.
Safety Integrity: Average probability of a safety instrumented system satisfactorily performing the required safety instrumented functions under all the stated conditions within a stated period of time. (IEC 61511-1)
Safety Integrity Level (SIL): Discrete level (one of the four) for specifying the safety integrity requirement of the safety instrumented functions to be allocated to the safety instrumented system. Safety Integrity Level 4 has the highest level of safety integrity; Safety Integrity Level 1 has the lowest. (IEC 61511-1)
SIL is a measure of risk reduction provided by a safety instrumented function, based on four levels. Each level represents an order of magnitude of risk reduction. Every safety instrumented function has a SIL assigned to it; the safety instrumented system and equipment themselves do not have a SIL assigned to them. (IEC)
Safety Shutdown Valve (SDV): Automatically operated (generally fail to close) valve used for isolating a process station (API). Alternative acronym: Process Shut-Down Valves (PSDV). The acronyms SDV and PSDV are equivalent but SDV is a more general word because SDVs are not always attached to a process system (COMPANY).
Severity of an incident: A measure of the consequences of an incident (human injury and/or environment damage and/or material loss) with five levels. (COMPANY)
Sub-Surface Safety Valve (SSSV): Automatically operated device installed in a well below the mudline with the design function to prevent uncontrolled well flow in response to a hazardous situation (ISO 10418)
Surface Controlled Subsurface Safety Valve (SCSSV): SSSV controlled from the surface by hydraulic, electric, mechanical or other means (ISO 10418)
Surface Safety Valve (SSV): Automatically operated wellhead valve assembly which isolates the reservoir fluids on loss of the power medium (ISO 10418)


5. HIPS design procedure


5.1 Formal Approval of a HIPS
The installation of any new HIPS (either in new development or as part of the revamping of an
existing unit) shall be agreed upon by COMPANY and supported by a preliminary HIPS dossier.

5.2 Preliminary HIPS dossier


A preliminary HIPS dossier is provided by COMPANY to CONTRACTOR. This dossier consists
of:
• Hazard assessment: identification of sources of hazard, protection selected for
management of the hazard, associated ESD logic, dynamic studies if applicable,
• Consequence analysis: evaluation of the consequences of the hazard,
• HIPS justification against industry standard,
• HIPS Design and OPERATING PHILOSOPHY, HIPS demand rate,
• Safety Integrity Level (SIL) required of the whole protection system (corresponding to a
required PFD and vice versa, see section 7.2), and the Probability of Failure on Demand
(PFD) required for the (regular) safety system and the applied HIPS components.

5.3 HIPS dossier


CONTRACTOR shall be responsible for updating the HIPS dossier according to this General
Specification.
The HIPS dossier shall include the following items.
• Update of the hazard assessment.
• Update of the consequence analysis.
• Update of HIPS justification against industry standard.
• HIPS design principles, including the demonstration of:
- the PFD of the (regular) safety system components prior to HIPS installation,
- the PFD (corresponding to a SIL) of the whole safety system prior to HIPS installation,
- the PFD of the applied HIPS components,
- the PFD (corresponding to a SIL) of the whole safety installation after HIPS installation,
- the HIPS response time.
• HIPS detailed specification for the engineering and construction phases.
• Reliability and availability calculations, at detail design phase when the HIPS components
(sensors, logic solvers, final control elements) have been selected, including:
- Diagnostic coverage of failures,
- Detailed common cause/ mode failure analysis,
- Effect of spurious failures on the availability of the production installation.
• Engineering documentation including :


- an exact graphical scheme of the HIPS,
- Piping & Instrumentation Diagrams (P&IDs),
- Cause & Effect Charts,
- ESD Logic Diagram,
- Material selection (instrument data-sheet, vendor curves, …),
- Calculation notes (as for example dynamic calculations when required to demonstrate
that the response time target is reached).
• Dedicated HIPS Maintenance, Testing and Repair policy with a frequency to be defined
based on availability calculations.

5.4 Company approval


CONTRACTOR shall submit each item of the HIPS dossier for COMPANY approval.
If required, COMPANY will request the certification of the HIPS.

6. HIPS Basis of design


6.1 General
The design principles of the HIPS shall be established according to the following:
• The HIPS shall be dedicated to the protection against a single incident.
• The HIPS shall be designed in compliance with the relevant industry standards applicable to
the design of pressurised equipment and to the instrument-based protection systems.
• The protection system including the HIPS dedicated components shall be considered as a
whole system regarding its PFD target and its general objective expressed as SIL. The
reason for this approach is to facilitate the control of the hazard by considering all possible
causes and their effects and namely to tackle the possible Common Mode Failures (CMF)
which might induce a failure of the whole system.
• A HIPS is made up of one or more independent barriers, in addition to the first barrier
constituted by the conventional Process ShutDown System (PSD System) and the Emergency
ShutDown System (ESD System).
• A HIPS is made up of dedicated components for detection of the hazard and isolation from
the source of hazard by SSVs and/or SDVs / ESDVs. The HIPS components shall be
independent from the components of the Process Control System (PCS), the Process
ShutDown System (PSD system) or Emergency ShutDown System (ESD system), with the
exception of the SDVs and ESDVs which can be used for both the HIPS and ESD (or PSD).
• Where the HIPS shares an SDV or ESDV with another safety system (PSD and/or ESD) a
dedicated solenoid valve shall be installed on the relevant valve for the HIPS action alone.
• In addition, when the HIPS actuates the same SDVs / ESDVs as the Process ShutDown
System and Emergency ShutDown System, a minimum of two independent active barriers
shall be implemented in the HIPS to mitigate the risk of common cause failure due to these
valves.
• The number of independent active barriers shall be set depending on the SIL requirement,
as defined from the SIL assessment.


On the basis of all of the above, the architecture of a protection system which includes a HIPS
will typically be as follows:

[Figure: Protection system architecture with dedicated HIPS valve(s). Three columns, PSD, ESD and HIPS, each with the components sensor(s), logic solver, wiring, actuator and isolation device. Note on the HIPS column: the number of independent barriers is dependent upon the SIL target of the HIPS.]

[Figure: Protection system architecture with ESDV used as HIPS valve. Columns PSD and ESD, plus the HIPS components: sensor(s), logic solver, wiring, HIPS dedicated solenoid valve, actuator, isolation device. Note: the number of HIPS barriers is dependent upon the SIL target of the HIPS.]


[Figure: Protection system architecture with ESDV/PSDV used as HIPS valves. Columns PSD and ESD, plus the HIPS components: sensor(s), logic solver, wiring, HIPS dedicated solenoid valves, actuator, isolation device. Note: 2 HIPS barriers to mitigate CMF due to HIPS use of ESD/PSD valves.]

• Considerations shall be given to:
- The use of redundant devices in the design of each barrier to meet the pre-defined targets
- The provision, as an additional barrier, of a pressure relief valve to accommodate isolation
valve(s) leakage.
• Redundancy, diversity, testability and “idiot-proofing” are the foundations of an effective HIPS
system and prevention of common mode failures and human interference is of utmost
importance.
• Operational considerations: Due consideration shall be given to the prevention of spurious
functioning of the protection system. Spurious functioning of the system leads to unplanned
maintenance actions, which induce additional risks while the maintenance is being carried
out. The reduction of planned maintenance frequency is also to be considered as a safety
improvement. This can be achieved through the selection of qualified and reliable
components and optimisation of the redundancy arrangements.
• Environmental considerations: The system shall be designed to reduce the adverse effects of
hydrocarbon releases to the environment.

6.2 Functional requirements

6.2.1 Fail-safe requirement


The system shall be designed fail-safe which means that the system will revert to a
predetermined safe state in the event of failure of its components or of its power supplies.


These include:
- Loss of the actuation energy of the valves
- Loss of the control signal of the valves
- Loss of the hazard detection sub-system
- Loss of the logic sub-system.

6.2.2 Single failure requirement


The system shall survive any single failure of its components without jeopardising its protection
function. This is to be implemented through the identification and elimination of the possible
common mode failures, the implementation of redundancies or by fail-safe action.
Consideration shall be given to the use of different technologies in the design of redundancies.

6.2.3 Auto-test requirement


The logic solver shall be designed so as to reduce the probability of unrevealed failures of its
components and of HIPS related instrumentation. This is achieved by implementing the
monitoring and/or automatic testing of the components and the triggering of an alarm in case of
failure detection.

6.2.4 Testability requirement


The system shall be designed so as:
− to facilitate periodic full and partial testing,
− to record all parameters required to validate any single activation as a formal full or partial
test.

6.2.5 HIPS valve requirement


Dedicated HIPS valve and associated components shall:
− Be designed as an ESDV, as a minimum, i.e. in compliance with GS EP SAF 261 and GS
EP PVV 142.
− Be of a type and SUPPLIER different from that of the ESDVs which are part of the
protection system.

6.2.6 Qualification requirement


The protection system shall be made of field-proven components tested in accordance with the
industry standards. When the characteristics of the expected hazard detection necessitate the
use of components which are not field-proven, the related components shall be tested
considering the specific characteristics of the expected hazard.
The implementation of the requirements set out in section 6.2 shall be done in a systematic
manner, as for example by performing a failure mode analysis of the system components.

6.3 HIPS Detail design specification


Based on the previous functional requirements, the HIPS shall be designed to be as simple and
as robust as possible.
• A solution using direct hydraulic or pneumatic pilot valves will be preferred.


• The sensors shall be redundant; usually a 2oo3 voting will be implemented. The number of
sensors will also depend on the PFD target. They will have their own process tappings and
impulse lines. Isolation valves will be interlocked to prevent simultaneous isolation of the
sensors. A detection system will be installed on the process tappings of the sensors to check
that isolating valves are not closed or that there is no clogging.
• If an electronic solution is used, the logic solver shall be independent from the Emergency
ShutDown System and from the Process ShutDown System and shall use solid state
technology.
• Transmitters shall be individually hardwired to the HIPS.
• Smart transmitters can be used only if their programming facility access is lockable.
• Whatever the technology, a failure of the system or of the power supplies (electrical,
pneumatic or hydraulic) shall cause the closure of the valves controlled by the HIPS. Any
failure of the system or of its components shall be reported for alarm and archiving to the
operators.
• Test facility of the complete loops, sensors, logic solver and isolation valves or electrical
contactors in case of motors, shall be implemented. The test initiation shall be reported and
logged.
• To improve the response time of the system the impulse lines shall be as short as possible.
Direct mounting on isolation valves will be preferred.
• Impulse lines will be tapped with 2” minimum connection, trace-heated to avoid hydrates or
wax deposit and the sensors will be installed in heated enclosures.
In case of a common valve for HIPS and ESD System, or a common valve for HIPS and PSD
System, dedicated solenoid valves shall be used for each system. In no instance may a valve
be activated by all three systems.
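As an added example, not code from this specification or from Total: a 2oo3 voting function of the kind section 6.3 calls for, carrying the fail-safe behaviour of section 6.2.1 (loss of the hazard detection sub-system takes the safe state) and the auto-test alarm of section 6.2.3. The degradation policy (one faulted channel degrades the vote to 1oo2 on the healthy pair, two faulted channels trip), the deviation tolerance and the sample readings are assumptions of this example, not requirements of the specification.

```python
"""Added example, not part of GS EP SAF 260: 2oo3 voting on redundant HIPS
pressure transmitters, with fail-safe degradation and diagnostic alarms.
Degradation policy, tolerance and readings are assumptions of this example."""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Channel:
    """One transmitter on its own process tapping and impulse line."""
    pressure: float           # measured value, same units as the set point
    diagnostic_fault: bool    # self-test failure, closed isolation valve or clogged tapping


@dataclass(frozen=True)
class Decision:
    trip: bool     # close the valves controlled by the HIPS
    alarm: bool    # report and archive to the operators
    reason: str


def vote_2oo3(channels: Sequence[Channel], set_point: float, deviation_tol: float) -> Decision:
    """2oo3 vote on 'pressure >= set_point'.

    Assumed degradation policy (not from the specification):
    - no faulted channel: 2 of 3 channels must see a demand (2oo3);
    - one faulted channel: 1 of the 2 healthy channels suffices (1oo2), alarm raised;
    - two or more faulted channels: detection sub-system lost, safe state taken.
    A spread between healthy readings above deviation_tol raises an alarm only,
    so a single drifting transmitter cannot cause a spurious trip."""
    if len(channels) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    healthy = [c for c in channels if not c.diagnostic_fault]
    faults = len(channels) - len(healthy)
    if faults >= 2:
        return Decision(True, True, "detection sub-system lost: fail-safe trip")
    demands = sum(1 for c in healthy if c.pressure >= set_point)
    required = 2 if faults == 0 else 1
    trip = demands >= required
    spread = max(c.pressure for c in healthy) - min(c.pressure for c in healthy)
    deviation = spread > deviation_tol
    alarm = faults > 0 or deviation
    if trip:
        reason = f"demand on {demands} of {len(healthy)} healthy channels: trip"
        if faults:
            reason += " (degraded 1oo2)"
    elif deviation:
        reason = "transmitter deviation beyond tolerance"
    elif faults:
        reason = "one channel faulted: voting degraded to 1oo2"
    else:
        reason = "healthy, no demand"
    return Decision(trip, alarm, reason)


# Constructed sample readings (bar); set point and tolerance are assumptions.
SET_POINT, TOL = 95.0, 5.0
NORMAL = (Channel(50.0, False), Channel(51.0, False), Channel(52.0, False))
OVERPRESSURE = (Channel(100.0, False), Channel(101.0, False), Channel(99.0, False))
ONE_READS_HIGH = (Channel(100.0, False), Channel(50.0, False), Channel(51.0, False))
ONE_FAULT_NO_DEMAND = (Channel(50.0, True), Channel(50.0, False), Channel(51.0, False))
ONE_FAULT_DEMAND = (Channel(100.0, False), Channel(50.0, True), Channel(40.0, False))
TWO_FAULTS = (Channel(50.0, True), Channel(50.0, True), Channel(50.0, False))

if __name__ == "__main__":
    for name, chans in (("normal", NORMAL), ("overpressure", OVERPRESSURE),
                        ("one reads high", ONE_READS_HIGH),
                        ("one fault, no demand", ONE_FAULT_NO_DEMAND),
                        ("one fault, demand", ONE_FAULT_DEMAND), ("two faults", TWO_FAULTS)):
        print(f"{name:22s} -> {vote_2oo3(chans, SET_POINT, TOL)}")
```

The point of the sample cases is the asymmetry the specification asks for: a single transmitter reading high is flagged but does not trip (spurious trips are themselves a risk, section 6.1), whereas any loss of diagnostic confidence moves the vote toward the safe state.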

6.4 Dynamic response and instrument settings


CONTRACTOR shall check the response time of the whole protection system including the
HIPS, (sensors, logic solvers, isolation devices, wiring, connections), against the dynamic
aspects of the conditions which may cause the upset.
• The design shall minimise the demand rate of the HIPS. As a consequence, the set point of
the sensor(s) initiating each barrier shall be such that the activation of the other barriers is
avoided during its operation.
• The set point of the sensor(s) activating the HIPS barrier(s) shall be such that the full
isolation of the source is achieved before the conditions exceed the maximum allowable
incidental conditions of the equipment.
• The HIPS overall response time, from safety initiation to total completion of isolation shall be
3 times shorter than the calculated time for the upset condition to reach the maximum
allowable incidental conditions of the equipment. If this response time requirement cannot be
achieved, a detailed study shall be conducted and fast closure HIPS valves shall be
specified.

Possible effects on piping and equipment upstream and downstream of fast-acting barriers,
such as pressure surges or water hammer, shall be evaluated by dynamic simulation and the
simulation results used to define appropriate preventive measures.


7. Calculation requirement
7.1 Probability of Failure on Demand (PFD)
The actual PFD of the whole protection system including the HIPS, shall be determined and
checked against the PFD target (corresponding to a SIL, see section 7.2).
Special attention shall be paid to the possible common mode causes that may induce a failure
of several (or all) barriers of the protection system, including, but not limited to:
− The power supplies of the system
− The logic control system(s)
− The valves actuation system(s)
− The wiring and connection(s)
− The corrosion/erosion/ plugging effects of the raw fluid
− The operation of the system (human error).

7.2 Certification and Relationship PFD - SIL


The PFD of the applied HIPS components is specified by COMPANY as part of the Preliminary
HIPS Dossier provided to CONTRACTOR.
CONTRACTOR shall demonstrate, by producing a third party certificate that the HIPS
components comply with the specified PFD.
The following table provides, by IEC 61508 definition, the relationship between RRF, PFD (γ)
and SIL.

Risk Reduction Factor | PFD (γ) (1)         | SIL (level)
----------------------|---------------------|------------
10^5 to 10^4          | 10^-5 ≤ γ < 10^-4   | 4
10^4 to 10^3          | 10^-4 ≤ γ < 10^-3   | 3
10^3 to 10^2          | 10^-3 ≤ γ < 10^-2   | 2
10^2 to 10^1          | 10^-2 ≤ γ < 10^-1   | 1

(1): Applicable to low demand mode

These numerical definitions of PFD shall be used for the definition of the SIL of the (regular)
safety system, and the SIL of the (regular) safety system including HIPS.

7.3 Reliability achievement

7.3.1 Incident frequency


The number of incidents per year shall be determined from the demand rate of the whole
protection system and the probability of the whole protection system failing on demand:

Incident frequency = Demand rate (protection system) × PFD (protection system)


The demand rate of the whole protection system, related to the HIPS initiating hazard, shall be
determined by the CONTRACTOR. Each HIPS initiating hazard shall be quantified using a Fault
Tree Analysis, whenever applicable.


7.3.2 Testing interval


The PFD of a dormant component is its mean unavailability which, in turn, is the average value
of its instantaneous unavailability over its test interval (see typical curve below).
The IEC 61508 standard shall be applied to specify the test interval. All assumptions, related to
full test, partial test, automatic permanent testing, shall be clearly mentioned in the testing
policy.
[Figure: instantaneous unavailability versus time for two test intervals T1 and T2, with the
corresponding mean values PFD (T1) and PFD (T2)]

Unavailability and PFD of a redundant safety system for various test intervals

7.3.3 Common Mode / Cause Failures (CMF / CCF)


The design of a HIPS calls for redundant systems. Therefore, this design shall be as far as
possible immune to common mode failures. This generally requires, as much as possible,
segregation of functions and diversity such as:
- diverse physical parameters (e.g. pressure and flow)
- diverse locations
- diverse design principles (e.g. hardwired logic solver vs. programmable logic solver)
- diverse models or manufacturers
A major cause of CMF is human error. Consequently, all efforts shall be deployed to implement
barriers against human interference (continuous monitoring, signal coherence analyses,
interlocks, minimal man-machine interfaces, etc.). "Idiot-proofing" is a stringent requirement.
Another CMF specific to Oil & Gas industry is the possible blockage of instruments by hydrates,
wax or deposits. The design of the HIPS shall pay due consideration to potential malfunctions
originating from the behaviour of the processed fluids.
Reliability calculations are based on equipment failures in isolation and take no account of the
human or blockage factors. Confidence in the calculated reliability figures shall be granted only
if those two issues have been properly addressed in the design.
Regarding the quantification of CMF, IEC 61508 standard shall be applied. All assumptions
used shall be clearly stated. Sensitivity calculations, using a β factor (ratio of CMF and
independent failures) for 2 identical items not less than 10 %, shall be produced.
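The following Python is an added illustration, not part of GS EP SAF 260 or of any Company calculation sheet, of how sections 7.2, 7.3.1, 7.3.2 and 7.3.3 fit together: the mean unavailability of a periodically tested dormant component, a 1oo2 redundant barrier with a β-factor common-cause term (the usual IEC 61508 low demand approximations, ignoring repair time), the SIL band look-up of the 7.2 table, and the incident frequency of 7.3.1. The inputs are constructed: the gate valve FTC rate and 3-month closure test are taken from the section 8 table, and the demand rate of 0.5 per year is an assumption.

```python
import math

# Added example, not part of GS EP SAF 260: standard IEC 61508 low-demand
# approximations, used to illustrate sections 7.2, 7.3.1, 7.3.2 and 7.3.3.

def pfd_single(lam_per_h, test_interval_h):
    """Mean unavailability of one dormant, periodically proof-tested component
    (section 7.3.2): the time-average of 1 - exp(-lam*t) over the test interval,
    i.e. 1 - (1 - exp(-lam*T)) / (lam*T), which tends to lam*T/2 for lam*T << 1."""
    x = lam_per_h * test_interval_h
    if x == 0.0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-x)) / x

def pfd_1oo2(lam_per_h, test_interval_h, beta):
    """1oo2 pair of identical items with a beta-factor common-cause split
    (section 7.3.3): independent part (lam_i*T)^2 / 3, plus the common-cause
    fraction beta*lam treated as a single item that disables both channels."""
    lam_i = (1.0 - beta) * lam_per_h
    lam_c = beta * lam_per_h
    independent = (lam_i * test_interval_h) ** 2 / 3.0
    return independent + pfd_single(lam_c, test_interval_h)

def sil_from_pfd(pfd):
    """SIL band from the section 7.2 table (low demand mode); 0 means below SIL 1."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0

def incident_frequency(demand_rate_per_year, pfd):
    """Section 7.3.1: incidents per year = demand rate x PFD of the protection system."""
    return demand_rate_per_year * pfd

if __name__ == "__main__":
    # Constructed inputs: gate valve FTC rate 5.1e-6/h and a 3-month (2190 h)
    # closure test from the section 8 table; 0.5 demands/year is an assumption.
    lam, T, demands = 5.1e-6, 2190.0, 0.5
    for beta in (0.0, 0.03, 0.10):  # 10 % is the minimum sensitivity case of 7.3.3
        p = pfd_1oo2(lam, T, beta)
        print(f"beta={beta:.2f}  PFD={p:.2e}  SIL={sil_from_pfd(p)}  "
              f"incidents/yr={incident_frequency(demands, p):.2e}")
```

Running the loop shows the common-cause term dominating the redundant barrier as soon as β is non-zero, which is why the 7.3.3 sensitivity calculation at β ≥ 10 % matters more than the independent-failure arithmetic.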


8. Reliability data
Reliability calculations shall be based on generic data provided hereafter.
The generic reliability data are average values applicable to all component types and to all
operational conditions on Oil & Gas production installations. They do not take into account the
built-in redundancies or the reliability improvements which may apply, in particular for PSD/ESD
systems, radio transmission or detection systems.
More accurate values, taking into account the type of component, built-in redundancies and the
operational conditions, shall be defined on a case by case basis.
Components                    | Failure mode              | Fail. rate (10^-6/h) | PFD (10^-3/d) | Reference  | Comments
------------------------------|---------------------------|----------------------|---------------|------------|----------------------------------------------
PRV (PSV)                     | Spurious opening at -10%  | 12                   |               | Oreda - 4  | Conventional
PRV (PSV)                     | Spurious opening at -10%  | 3                    |               |            | Pilot operated
PRV (PSV)                     | FTO at +10%               | 0.7                  | 20            | Oreda - 4  |
PRV (PSV)                     | FTO at +40%               | 0.07                 | 2             |            |
Gate valve                    | FTO                       | 3.6                  | 2             | Oreda - 4  |
Gate valve                    | FTC                       | 5.1                  | 3             |            | closure test: 1/3 month
Gate valve                    | FTC + Internal leak       | 6.5                  | 4             |            | leak test: 1/12 month
Ball valve                    | FTO                       | 3.6                  | 2             | Oreda - 4  |
Ball valve                    | FTC                       | 6                    | 4             |            | closure test: 1/3 month
Ball valve                    | FTC + Internal leak       | 7.4                  | 5             |            | leak test: 1/12 month
SCSSV (TR)                    | FTO                       | 0.36                 | 0.8           | Sintef - 3 |
SCSSV (TR)                    | FTC                       | 1.1                  | 2.4           |            | closure test: 1/3 month
SCSSV (TR)                    | FTC + Internal leak       | 1.4                  | 2.9           |            | leak test: 1/12 month
SCSSV (WR)                    | FTO                       | 0.9                  | 2             | Sintef - 3 |
SCSSV (WR)                    | FTC                       | 1.5                  | 3.3           |            | closure test: 1/3 month
SCSSV (WR)                    | FTC + Internal leak       | 3                    | 6.6           |            | leak test: 1/12 month
PT                            | Fails to operate          | 0.7                  | 1             | Oreda - 4  | pressure test: 1/2 month
PT                            | Spurious operat.          | 0.4                  |               |            |
PSD/ESD                       | Fails to operate          | 35                   | 6             | Estimation | assumes 1 demand/week
PSD/ESD                       | Spurious operat.          | 3.2                  | 0.6           |            |
Limit switch                  | Faulty indic.             | 3.5                  | 33            | Estimation | assumes 1 demand/year
Limit switch                  | Faulty indic.             |                      | 0.7           |            | assumes 1 demand/week
Op. error                     | Routine job               |                      | 10            |            |
Op. error                     | Non routine job           |                      | 1             |            | Using dedicated precautions
Radio transmission (*1)       | Fails to operate          | 34 - 114             | 2.4 to 80     | Estimation | PFD = f (failure freq. & repair time)
1 simple barrier (n = 1)      | Fails to operate          | 42                   | 11            |            | Based on the here above data: PT + PSD/ESD + SDV
(without Radio)               | Spurious operat.          | 10                   | 3             |            | (for coarse evaluation only)
Redundant barrier (n = 2)     | Fails to operate          |                      | 0.5           |            | Assessed with 3% of CMF (Common Mode of Failure)
(without Radio)               | Spurious operat.          | 20                   | 6             |            | (for coarse evaluation only)

FTC : Fail to close
FTO : Fail to open
(*1) depends on the site environment
