260 likes | 516 Views
Dr. Angela Summers President SIS-TECH. Recipient of the 2005 ISA Albert F. Sperry Award. The award was given to her “For outstanding contributions and leadership in the specification, development, and implementation of safety instrumented systems for the process automation industry.“
E N D
Dr. Angela Summers President SIS-TECH • Recipient of the 2005 ISA Albert F. Sperry Award. The award was given to her “For outstanding contributions and leadership in the specification, development, and implementation of safety instrumented systems for the process automation industry.“ • Currently completing a new book for the Center for Chemical Process Safety on safe and reliable instrumented protective systems. • Ph.D. in Chemical Engineering from The University of Alabama. • Licensed Professional Engineer in the State of Texas.
To HIPS or not to HIPS Angela E. Summers, PhD, PE, President, Bryan A. Zachary, Director SIS-TECH
High Integrity Protective Systems (HIPS) • Automatic shutdown of process or processes to prevent overpressure of specific equipment. • Are a special class of Safety Instrumented System (SIS) and should be designed and managed in accordance with ANSI/ISA 84.00.01-2004 to achieve an assigned safety integrity level (SIL). • Should meet requirements of API 521 and ASME Code Case 2211, as appropriate.
HIPS are typically SIL 3 • ASME Code Case 2211 does not allow the consideration of consequence severity in defining the risk reduction requirements. • Frequency should be reduced to “non-credible.” • “Non-credible” is rarely actual target, because it is inconsistent with the known performance capability of pressure relief systems. • Hazard rate should be less than 10-4 to 10-5 per year • SIL 3 Accepted by OSHA and EPA
ASME Code Case 2211 • If you need a pressure relief device for any scenario, it must be sized for the worst case scenario. • If no pressure relief device is installed, the MAWP of the vessel must be greater than the highest pressure reasonably expected. • HIPS can be used to reduce the overpressure event frequency • Vessel should be stamped and its documentation should clearly state that Code Case 2211 is being applied
API 521 – Recommended Practice • Applies to flare load and header sizing • requires evaluation of relief loads based on credible overpressure scenarios. • requires sizing the main flare header for the worst case relieving scenario (involving the simultaneous venting of all affected vessels) • Allows credit for response of instrumented systems • Recommends use of HIPS only when the use of pressure relief device is impractical
High Integrity Protective System (HIPS) • Installed to reduce the risk of identified overpressure events that cannot be managed using conventional relief system design. • Relief system capacity is limited • Plugging applications • Reactive processes
ApplicationRelief system capacity is limited • Grass roots facilities. • Significant cost savings are often realized. • Smaller (and/or shorter) header • Smaller flare • Existing facilities. • Allows plant expansion when existing relief system is too small for potential new load. • Both • Reduces emissions. • Reduces radiant heat
ApplicationPlugging applications • Process contains materials that can plug the inlet or outlet of the pressure relief device during relieving or non-relieving scenarios. • Evaporators • Polymer Reactors
ApplicationReactive processes • Reaction generates pressure at an uncontrollable rate (e.g., runaway reaction or decomposition) • impractically large vent area is required. • Reaction occurs in a localized area (e.g., hot spots) • heats vessel wall enough to de-rate it or cause it to loose structural integrity • Reaction produces, during normal operation, materials that partially or completely blocks the pressure relief device. • Reaction produces material that continues to polymerize during release blocking the pressure relief system.
HIPS ARE NOT: • Installed to prevent a secondary consequence, which occurs due to the pressure relief device action: • Flaring • Overwhelming disposal (e.g., scrubbing) system • Atmospheric release • These are safety instrumented systems and are installed to reduce the risk associated with the secondary consequence. • They should not be designated as HIPS, which are systems installed to prevent vessel overpressure.
HIPS Identification • Typical hazard and risk analysis techniques are applied to identify overpressure events and the independent protection layers used to reduce their risk. • Identified overpressure events may undergo more detailed analysis. • Process simulation • Dynamic simulation • Flare load calculations
Considerations • Relief Design Case • Process Safety Time • Propagating Risk • Redundancy and Testing
HIPS Design Case • Defined by the network of vessels that relieve during each specified overpressure scenario. • Single vessel • Reactor runaway • Relief load • Multiple vessels • Simultaneous relief of more than one vessel yields excessive relief load.
Understand Network Risk • Determine likelihood (or frequency) of initiating causes for overpressure affecting the network. • Determine consequence of overpressure • Potential locations within or outside network • Evaluate consequence severity.
Leads to Runaway with Overpressure Wrong Feed Ratio Batch Reactor Network Example 1 One HIPS
Network Example 2 Vessel 1 Vessel 2 All 5 vessels relieve simultaneously when cooling water is lost. Vessel 3 Vessel 4 Vessel 5
Process ConsiderationsRelief Design Case • How many vessels does it take to overload flare system? • The combination must achieve the required risk reduction. Vessel 1 Vessel 2 Vessel 3 Vessel 4 Is there fault tolerance by relief design? Vessel 5
Process ConsiderationsRelief Design Case • Each vessel produces a relief load greater than the flare capacity: • The total of the inputs, logic solver, and outputs from the five vessels must meet the required risk reduction. • Any one out of five results in the event. • Fault tolerance is not present in relief system design. • Very difficult to achieve SIL 2 Vessel 1 2 Vessel 2 1.5 Vessel 3 1 Vessel 4 0.9 Vessel 5 0.75
Process ConsiderationsRelief Design Case • Requires a combination of two vessels to cause overpressure: • The total combination of the inputs, logic solver, and outputs from the five vessels must meet the required risk reduction. • Any two out of five results in the event. • Fault tolerance is built into the flare system design. • Not so hard to achieve SIL 0.5 Vessel 1 0.5 Vessel 2 0.4 Vessel 3 0.6 Vessel 4 0.4 Vessel 5 0.75
Process Safety Time • How much time do you have to take action? • How long does it take the process to respond to HIPS? • For example, “retained heat” after shutdown of reboiler • Process dynamics • Size and layout of equipment • Intended process operation • May require process simulation or transient analysis.
Process ConsiderationsPropagating Risk • You may stop overpressure in one vessel, but action propagates event to another vessel. • Shutdown of reboiler results in loss of fractionation (stripping) with light components being passed to next column which subsequently overpressures. • Shutdown of feed blocks discharge of previous vessel and causes loss of flow to next vessel. • The installation of a HIPS results in a new source of spurious trips.
Integrity = SIL 3… TESTING REDUNDANCY REDUNDANCY TESTING REDUNDANCY REDUNDANCY REDUNDANCY TESTING REDUNDANCY TESTING TESTING TESTING TESTING REDUNDANCY TESTING REDUNDANCY REDUNDANCY TESTING TESTING REDUNDANCY REDUNDANCY REDUNDANCY TESTING REDUNDANCY TESTING TESTING REDUNDANCY TESTING REDUNDANCY REDUNDANCY REDUNDANCY TESTING TESTING TESTING
0.5 Vessel 1 0.5 Vessel 2 0.4 Vessel 3 0.6 Vessel 4 0.4 Vessel 5 0.75 Redundancy • Fault Tolerance • For SIL 3, no single points of failure… • By process design or I&E design. More than one vessel must relieve. SIS design provides fault tolerance.
Advantages • Reduce relief load by reducing frequency of overpressure events • Reduce frequency that multiple relief devices will operate simultaneously • Provide protection when a pressure relief device is ineffective
Disadvantages • HIPS are more complex, requiring many components to work as designed • How do spurious trips affect operation? • How complex is the relief design case • Can it act fast enough (Process Safety Time)? • Potential for propagating risk • Redundancy, inspection and proof test requirements increase long term operation and maintenance costs.