(Instr)High Integrity Protection Systems and Pressure Relief Systems


[Oil&Gas] (inst) High Integrity Protection Systems and Pressure Relief Systems

Summarized by: KBK Instrumentasi

Moderator MIGAS [[email protected]]

In the oil and gas (MIGAS) industry, over-pressure situations must be guarded against and managed properly, because they involve the safety of personnel, the environment, major equipment and assets. Generally a pressure relief valve (PRV) and a gas flaring system (flare) are used to deal with such excess pressure. A PRV set at the design pressure of the mechanical equipment acts as the weak point of a process system. If the pressure exceeds the set pressure, the pressure relief valve opens to pass the process fluid to the flare system, so that the process system is protected from over-pressure.

There is a tendency nowadays to minimize the venting or flaring of gas. Moreover, the cost of designing and installing a large-capacity flare system keeps rising. An alternative is therefore needed that uses an instrumented system whose reliability exceeds that of the conventional Pressure Relief Valve + Flare system. That system is now known as HIPS, the High Integrity Protection System.

The use of HIPS as a protection system against over-pressure has been recommended by several internationally recognized organizations, among them: the American Petroleum Institute (API), the American Society of Mechanical Engineers (ASME), the International Society of Measurement and Control (ISA), the International Electrotechnical Commission (IEC), etc.

The Safety Instrumented System (SIS) of a HIPS generally has SIL (Safety Integrity Level) 3 (99.90 - 99.99% probability) because of the critical consequences that could result should it fail. A HIPS generally consists of 3 basic parts: field input devices, logic solver and final elements. Field input devices generally use 3 transmitters in a 2oo3 (two-out-of-three) configuration. ANSI/ISA S84.01-1996 and draft IEC 61508 require that the safety logic of the HIPS be separate and independent from the Basic Process Control System (BPCS). Final elements must respond very quickly: within two seconds they can isolate a sub-system from the overall system. To maintain its reliability, continuous diagnostics and testing must be carried out on the HIPS.

As an additional note, for the Conoco Belanak Wellhead Platform project in Natuna, currently being carried out by PT. J. Ray McDermott Indonesia, there is another advantage of using this HIPS, namely lowering the pressure rating of the process equipment located downstream. Specifically, the system upstream of the HIPS has a pressure rating of ANSI 1500, while the downstream part can use a pressure rating of ANSI 600.

For Mr. Don Sardjono from McDermott, any additional comments? Mr. Cahyo from Premier, how does this compare with an inherently safer plant? For syi 20 from IPTN, are there similarities with aircraft systems? For everyone else, HAPPY DISCUSSING.


High Integrity Protection Systems and Pressure Relief Systems

Introduction

In the petroleum refining industry, a key safety consideration is the control of and response to over-pressure situations. Industry standards from the American Petroleum Institute (API) and American Society of Mechanical Engineers (ASME) provide criteria for the design of vessels and pipelines and the protection of these vessels and pipelines from over-pressure. Traditionally, pressure relief valves and flares were used to handle the relieving of vessels in the worst credible scenario. Design practice examined the loss of cooling water or loss of power as the worst-case loading for the pressure relief system, involving the simultaneous venting of all vessels. Flare loading calculations gave no credit for operator intervention, fail-safe equipment operation or trip systems. No credit was given for the transient nature of flare loading due to the differing dynamic behavior of each piece of equipment.

But times have changed. In many communities and countries around the world, the belt is tightening on the venting and combustion of gases. It is simply not acceptable to flare large volumes of gas. In addition, the cost of designing and installing large flare systems has continued to rise. API 14C, API 521, and Code Case 2211 of ASME Section VIII, Division 1 and 2, provide alternatives in the design of overpressure protection systems. These alternatives revolve around the use of an instrumented system that exceeds the protection provided by a pressure relief valve and flare system.

Any instrumented system used to provide over-pressure protection is a safety-related system, since its failure would result in the rupture of the pipeline/vessel or in overloading the flare. As a safety-related system, the instrumented system must meet either the United States domestic ANSI/ISA S84.01-1996 or the international standard Draft IEC 61508. Due to the high likelihood that the instrumented system would be needed and the high severity of the consequence should these fail, the SIL assigned per the standards is often 3 (or simply as high as achievable with redundant architecture, high availability devices, and frequent proof testing). Due to the high availability requirements, these over-pressure protection systems are often called “high integrity protection systems” or HIPS.

Industry is increasingly moving towards utilizing HIPS to reduce flare loading. They are becoming the option of choice to help alleviate the need to replace major portions of the flare systems in existing facilities when adding new equipment or units. The relatively low capital cost of HIPS compared to flare system piping upgrades and the ability to install HIPS without incurring significant additional downtime during a turnaround, makes these systems an extremely attractive option.

However, prior to making the choice to install the HIPS, the regulatory and industrial standards pertaining to their design must be well understood. Due to the unique nature of the HIPS application, certain design aspects must be carefully evaluated. Some of the nuances to HIPS design will be presented, but the reader is cautioned to do a thorough hazard evaluation prior to the implementation of HIPS.

Standards Addressing Overpressure Protection

API and ASME provide design standards for pressure vessels. These design standards are used worldwide by insurers to determine the appropriateness of pressure vessel design. As industry-recognized institutions, many API and ASME standards are enforceable in the United States under OSHA PSM and EPA RMP. In many other countries worldwide, these standards are enforceable under local and/or national regulations.

ANSI/ISA S84.01-1996 and draft IEC 61508 are standards for SIS design. As a US industrial standard, ANSI/ISA S84.01-1996 is also enforceable as good engineering practice under OSHA PSM and EPA RMP. When finalized, IEC 61508 will be accepted in many countries as an enforceable national standard, whether associated with a national regulation or independently mandated.


American Petroleum Institute (API)

API has recommended practices that address pressure relieving and depressuring systems in the petroleum production industry. API 521 describes flare system design methods. These methods basically require sizing the relief valve for each vessel for the worst credible scenario and require sizing the main flare header for the worst case relieving scenario, involving the simultaneous venting of all affected vessels. The fourth edition of API 521 allows credit to be taken for a favorable response of some of the instrument systems. While this design alternative is provided, API 521 Part 2.2 recommends the use of high integrity protective systems (HIPS) only when the use of pressure relief devices is impractical.

The API standard for offshore production platform safety systems, API 14C, provides a design exemption for the substitution of HIPS for pressure relief valves (PRV) in wellhead, header and pipeline applications. API 14C does not provide a specific exemption for pressure vessels.

American Society of Mechanical Engineers (ASME)

ASME Code Case 2211, approved in 1996, sets the conditions under which overpressure protection may be provided by an instrumented system instead of a PRV. This ruling is intended to enhance the overall safety and environmental performance of a facility by utilizing the most appropriate engineered option for pressure protection. While the Code Case contains no specific performance criteria, the substitution of the HIPS for the PRV should provide a safer installation. Consequently, the substitution is generally intended for limited services where the PRV may not work properly due to process conditions, e.g. plugging, multiple phases, etc. The overpressure protection can be provided by a SIS in lieu of a pressure relieving device under the following conditions:

a) The vessel is not exclusively in air, water, or steam service.
b) The decision to utilize overpressure protection of a vessel by system design is the responsibility of the User.
c) The User must ensure the MAWP of the vessel is higher than the highest pressure that can reasonably be expected to be encountered by the system.
d) A quantitative or qualitative risk analysis of the proposed system must be made addressing all credible overpressure scenarios.
e) The analysis in (c) and (d) must be documented.

International Society of Measurement and Control (ISA) and International Electrotechnical Commission (IEC)

ANSI/ISA S84.01-1996 and draft IEC 61508 are intended to address the application of safety instrumented systems (SIS) for the process industries. The objective of these standards is to define the design and documentation requirements for SIS. While these design standards are not prescriptive in nature, the design processes mandated in these standards cover all aspects of design including : risk assessment, conceptual design, detailed design, operation, maintenance, and testing. To ensure compliant implementation, the requirements of these standards, as pertaining to a specific HIPS application, must be investigated thoroughly.

One of the most important criteria for SIS design is the requirement that the User assign and verify the safety integrity level (SIL) for the SIS. The assignment of SIL is a corporate decision based on risk management philosophy and risk tolerance. Safety instrumented systems (SIS) should be designed to meet a safety integrity level which is appropriate for the degree of hazard associated with the process upset. Safety integrity levels per draft IEC 61508 and ANSI/ISA S84.01 are designated in the following table.

Table 1 - Safety Integrity Levels

Standard                SIL   Availability Required   Probability to Fail On Demand   1/PFD
IEC 61508               4     >99.99%                 1E-05 to 1E-04                  100,000 to 10,000
IEC 61508 / ISA S84     3     99.90 - 99.99%          1E-04 to 1E-03                  10,000 to 1,000
IEC 61508 / ISA S84     2     99.00 - 99.90%          1E-03 to 1E-02                  1,000 to 100
IEC 61508 / ISA S84     1     90.00 - 99.00%          1E-02 to 1E-01                  100 to 10

(IEC 61508 defines SIL 1 through 4; ANSI/ISA S84.01 defines SIL 1 through 3 only.)

From the point of SIL selection, the entire lifecycle of the SIS is evaluated for agreement with the SIL. Thus, the SIL is the cornerstone of the SIS design.

Where do Regulations and Standards Leave Us ?

All of the regulatory and standards issues boil down to a few simple rules that can be used when making the decision to implement HIPS.

- The use of HIPS should be generally restricted to the reduction of flare loading in existing facilities. The capital cost differential should not be the only justification for installing a HIPS to reduce flare loading requirements in existing or grass-roots facilities.

- There is a misconception that HIPS can readily replace relief devices on pressure vessels. Only in cases where the PRV is impractical should a HIPS be used to reduce the relieving capacity requirements on individual pieces of equipment, whether existing or a grass-roots installation; for instance, where the relief of process gases into the lateral header causes polymerization that plugs the lateral and renders the relief valve useless.

- A formal flare loading study should be made prior to deciding.

- The User must verify that a HIPS will work from a process standpoint (i.e., can the valves shut in time to prevent pressure wave propagation?).

- The availability of the HIPS must be as good as or better than the availability and reliability of the "passive" mechanical device it replaces.

- The User must understand the importance of application-specific design aspects, as well as the associated costs of the intensive testing and maintenance program, whenever a HIPS is utilized.

- No matter what documentation is created in the justification for HIPS installation, it is still the responsibility of the User to provide safe and environmentally friendly operation.

Considerations in the Design of HIPS

Once the decision is made to implement HIPS, a safety requirement specification must be developed to address various overpressure scenarios and the actions required to mitigate the scenario. The SRS includes the documentation of the safety integrity requirements, including the SIL and anticipated testing frequency. Since SIL is a risk based parameter, the frequency and consequence of potential incidents must be examined in order to select a SIL.

When HIPS are used, in lieu of PRVs or full-load flares, the consequences of the SIS failure are often significant such as the following :

- Release of large quantities of flammable or explosive gases
- Release of toxic chemicals
- Catastrophic facility damage
- Worker injuries and fatalities, and
- Community impact with possible injuries and fatalities.

The frequency of over-pressure of vessels is often high, due to process upsets or inadvertent block-in of vessels. When the frequency and consequence are considered, SIL 3 is often selected. In other words, when all of the layers of protection are considered, the availability of the HIPS should be sufficiently high to cause the overpressure of the vessel to be essentially a "non-credible" event. This is a demanding criterion that requires careful examination of the important design aspects and a thorough assessment of all overpressure scenarios.

Once the assessment is complete, design can begin. A HIPS is a trip system consisting of three basic elements : the field input devices, the logic solver and the final elements. As with other trip systems, the purpose of HIPS is to protect life, to protect the environment, and/or assets and production. They do differ from a regular trip system in the high level of availability required. This is achieved through the redundancy in system components. Since the HIPS results in process shutdown, there is often significant economic impact to the plant due to loss of production when there is a spurious trip. Consequently, these systems also have high reliability requirements.

A quantitative verification of the SIL should be performed to ensure that the target SIL is met. The important parameters when considering HIPS design are as follows :

- Voting
- Field input devices
- Logic solver
- Final control elements
- Diagnostics
- Testing, and
- Common cause failures.

It is also absolutely critical to quantify the availability of the system. In fact, both ANSI/ISA S84.01-1996 and draft IEC 61508 highly recommend a quantitative evaluation of SIL. This verification can also be used to establish the required testing and maintenance program for each HIPS once the device, architecture, and voting have been selected.

Voting Configurations

The use of voting is now commonplace in trip circuits. The purpose of using a voting scheme is to increase the integrity of the system and/or to minimize spurious trips. A two-out-of-three voting scheme is frequently used in HIPS. One-out-of-two voting will improve the availability of a system but will significantly increase the nuisance trip rate. Two-out-of-two voting will improve the reliability of the system but will decrease the safety factor, or availability, of the system. Two-out-of-three (2oo3) voting combines the benefits of high availability and high reliability. The voting system works by initiating the trip function only when at least two of the input devices are in the trip state. Spurious trips are reduced and, if testing procedures are properly written and followed, inputs can be tested without bypassing.

Figure 1 - Two-out-of-three Voting

Field Input Devices : The process variables commonly measured in HIPS are pressure, temperature and flow. Traditionally, switches were used as the process sensor in SISs. Switches worked well for three reasons.


First, most trip conditions are discrete events, i.e., a high pressure, high temperature, or low flow. Second, relay systems and early programmable logic controllers (PLCs) could only process a discrete signal. They could not directly accept an analog signal. Finally, switches were usually less expensive than analog transmitters.

With the evolution of programmable electronic system (PES) technology, logic solvers now have the ability to readily accept analog signals. The use of transmitters to measure these variables is now preferred over the use of switches. Switches only give a change in output when they are activated and can “stick” or experience some other failure mode that is revealed only when the switch is tested or a demand is placed on it. Redundant transmitters are not subject to these same covert failures and their use has a positive effect on the system. Transmitters can be continuously monitored and the operability of the transmitters readily observed. With transmitter redundancy employed, out-of-range/deviation alarming and median select can be implemented to ensure a high level of availability. A single transmitter providing multiple levels of trip/alarm functions (i.e., low, high and high-high level) can replace multiple switches.

Most HIPS applications require 2oo3 transmitters on all field inputs, utilizing median select and deviation alarming from the median. Separate taps are also recommended to decrease common cause faults, such as plugged impulse lines. Utilizing diversity in the method of measuring the process variable, where practical, can also contribute to the reduction of common cause failure.

Figure 2 - Field Input Devices
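The 2oo3 median-select and deviation-alarm logic of the last two paragraphs, written out as an added example (this is not code from the paper or from any logic-solver vendor). The high-high trip setpoint of 100 barg, the 5 barg deviation band, the 0 to 150 barg calibrated span, and the degradation policy (drop to 1oo2 on one out-of-range transmitter, 1oo1 on two, trip on loss of all valid inputs) are design choices assumed here for illustration; the scan data at the bottom is constructed.

```python
"""2oo3 pressure trip with median select and deviation alarming.

Added illustration for the HIPS input stage described in the paper; not
code from the paper or any vendor. Setpoint, deviation band, calibrated
span and the degradation policy are assumptions made for this example.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional

TRIP_SETPOINT = 100.0            # barg, assumed high-high pressure trip point
DEVIATION_LIMIT = 5.0            # barg, assumed alarm band around the median
RANGE_LO, RANGE_HI = 0.0, 150.0  # barg, assumed calibrated span of the transmitters


@dataclass
class VoteResult:
    trip: bool                   # True = de-energize outputs, close the valves
    mode: str                    # "2oo3", "1oo2", "1oo1" or "fault"
    median_pv: Optional[float]   # median of the healthy transmitters
    healthy: List[bool]          # per-transmitter: reading inside calibrated span
    deviation_alarm: List[bool]  # per-transmitter: healthy but far from the median


def in_range(pv: float) -> bool:
    """A reading outside the calibrated span (burnout, open loop, wiring
    fault) is a revealed failure; that transmitter is dropped from the vote."""
    return RANGE_LO <= pv <= RANGE_HI


def vote_2oo3(pvs: List[float], setpoint: float = TRIP_SETPOINT,
              deviation: float = DEVIATION_LIMIT) -> VoteResult:
    """One scan of the logic solver over three pressure transmitters."""
    if len(pvs) != 3:
        raise ValueError("2oo3 voting needs exactly three inputs")
    healthy = [in_range(pv) for pv in pvs]
    good = [pv for pv, ok in zip(pvs, healthy) if ok]
    med = median(good) if good else None
    # Deviation alarm: a healthy transmitter drifting away from the median is
    # annunciated for repair but still votes; 2oo3 tolerates one bad opinion.
    dev_alarm = [ok and abs(pv - med) > deviation for pv, ok in zip(pvs, healthy)]
    votes = [pv >= setpoint for pv, ok in zip(pvs, healthy) if ok]
    # Assumed degradation policy: lose one transmitter -> vote the remaining two
    # 1oo2 (toward safety); lose two -> 1oo1; lose all -> trip (de-energize).
    if len(good) == 3:
        return VoteResult(sum(votes) >= 2, "2oo3", med, healthy, dev_alarm)
    if len(good) == 2:
        return VoteResult(any(votes), "1oo2", med, healthy, dev_alarm)
    if len(good) == 1:
        return VoteResult(votes[0], "1oo1", med, healthy, dev_alarm)
    return VoteResult(True, "fault", None, healthy, dev_alarm)


def run_scans(scans: List[List[float]]) -> List[str]:
    """Replay a constructed sequence of scans and summarize each one."""
    out = []
    for pvs in scans:
        r = vote_2oo3(pvs)
        out.append(f"{pvs} -> mode={r.mode} trip={r.trip} "
                   f"dev_alarm={r.deviation_alarm}")
    return out


if __name__ == "__main__":
    # Constructed scan data: normal, one drifting transmitter, genuine high
    # pressure, and one transmitter failed out of range during a high.
    for line in run_scans([[60.0, 60.5, 59.8],
                           [60.0, 60.5, 90.0],
                           [101.0, 102.0, 60.0],
                           [101.0, 102.0, -3.0]]):
        print(line)
```

The drifting transmitter in the second scan raises a deviation alarm but does not trip the unit, which is the point of 2oo3: a single covert sensor fault neither causes a spurious trip nor blocks a genuine one. Whether a failed channel degrades the vote to 1oo2 (safer) or 2oo2 (fewer nuisance trips) is a design decision that belongs in the safety requirement specification, not in the code.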

Logic Solver : The logic solver must meet the maximum SIL required by any of the HIPS contained in the logic solver. This typically means that the logic solver must meet SIL 3. The logic solver can be hard-wired relays for HIPS with a low I/O count; however, a PES is typically preferred. The PES should provide a high level of self-diagnostics and fault tolerance. It should be certified to TUV Class 6. Redundancy of signal paths within the logic solver and redundant logic processing is desirable. The trip output function should be de-energize to trip.

ANSI/ISA S84.01-1996 and draft IEC 61508 require that the safety logic be separate and independent from the basic process control system. Separation of the HIPS from the BPCS is required. This separation of the BPCS from the HIPS reduces the probability that both functions would become unavailable at the same time. The possibility of inadvertent changes to the HIPS safety functionality is also reduced.

Final Control Elements : The final control elements in HIPS are usually two fail-safe valves in series working in a 1oo2 configuration. At least one of the valves must be a dedicated shutdown valve. The second valve can be a control valve, but it must be configured failsafe with no minimum stops. The use of the control valve as part of the HIPS should be examined during the hazard analysis to determine whether the failure of the control valve could have caused the overpressure. A failed control valve (for example, an eroded seat) may not be able to achieve a fail-safe condition. On-line testing provisions should be provided to permit each valve to be function tested independently. Bypasses around the valves must be secured.


Solenoid operated valves (SOVs) are used to actuate the isolation valves. Solenoids can be configured 1oo2 to maximize safety availability, but spurious trips are a problem. These valves can be configured 2oo2 or 2oo3 to reduce spurious trips. The 2oo2 configuration will require more frequent testing than a 2oo3 configuration to maintain acceptable availability. The SOVs should be mounted as close to the valve actuator as possible to decrease the required transfer volume for valve actuation. The exhaust ports of the SOVs should be as large as possible to increase speed of valve response. The SOVs should be de-energize to trip.

Figure 3 - Final Control Elements Showing 1oo2 Valves and 2oo2 Solenoids

Diagnostics : Diagnostic capability should be designed into all HIPS. The ability to detect failures of components on-line significantly improves the availability of the HIPS. For example, the use of signal comparison on analog inputs allows annunciation of transmitter failures to the control room. Operation and maintenance procedures can dictate that these alarms be responded to promptly with a work order for repair. This type of diagnostics should be included throughout the system to improve availability.

Testing : If all failures were self-revealing, there would be no need to test safety system components. Level switches with stuck floats, shut down valves that will not close completely, or pressure switches with stuck closed contacts are all examples of covert failures. If safety system components are not tested, dangerous failures reveal themselves when a process demand occurs, often resulting in the unsafe event that the safety system was designed to prevent. Testing is performed for one reason, and one reason only, to uncover failures.

The appropriate testing of a SIS utilized as a HIPS is key to ensure that the availability requirements are satisfied. Architecture, redundancy, and device integrity have a significant effect on the probability to fail on demand and therefore testing frequency requirements. To determine the required testing frequency, quantitative risk assessment is the accepted approach by most process industry companies. Draft ISA TR84.02 recommends use of the following methods :

1. Markov Models
2. Fault Tree Analysis (FTA)
3. Simplified Methods

Any of these techniques can be utilized to determine the appropriate testing frequency for the HIPS. In general, HIPS require a minimum of annual testing of the field components. Whatever the testing frequency, it is essential that the testing is performed throughout the safety system life. Any changes in the testing frequency must be validated by quantitative methods to ensure that the availability is not lowered to an unacceptable level.

Common Cause Failures


Common cause failures (CCF) in HIPS design should be assessed. A CCF occurs when a single fault results in the corresponding failure of multiple components. Thus, CCFs can result in the HIPS failing to function when there is a process demand placed on it. CCFs must be identified during the design process and the potential impact on the HIPS functionality understood.

There is a great deal of disagreement among the experts on how to define CCF and what specific events comprise a CCF. The following are often cited as examples of common cause faults :

- Miscalibration of sensors
- Pluggage of common process taps for redundant sensors
- Incorrect maintenance
- Improper bypassing
- Environmental stress on the field device
- Process fluid or contaminant plugs valve

The most critical failure is that the safety requirement specification (SRS) is incorrect at the beginning of the design process and the HIPS cannot effectively detect the potential incident. This is a most disastrous common cause failure that can directly lead to the hazardous incident that the designer is seeking to prevent. Improper system specification can compromise the entire HIPS.

Industrial standards and corporate engineering guidelines and standards can be utilized to reduce the potential for CCF. The proposed or installed HIPS design can be compared to these standards. Deviation from the standards can be corrected through design revision or documented to justify why this specific application has different requirements.

Checklists can also be used to reduce potential CCFs. Checklists are simply a list of questions that are answered "yes", "no", or "not applicable". A checklist analysis will identify specific hazards, deviations from standards, design deficiencies and potential incidents through comparison of the design to known expectations, which have been expressed in the checklist questions.

In some cases, it may be necessary to consider the impact of potential common cause failures when verifying whether the HIPS can achieve the target SIL. In such cases, the potential common cause failures will need to be considered in the quantitative performance evaluation. Ford, et al., describe various approaches for addressing CCFs.
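The Testing section above says the proof-test interval should be derived quantitatively, and this section says common cause must enter that same calculation. The following is an added worked example of both, using the "Simplified Methods" route of draft ISA TR84.0.02 (no repair time, no diagnostic credit); it is not code from the paper. The per-hour dangerous undetected failure rates and the beta (common-cause) factor are constructed numbers for illustration, not vendor or field data, and the logic solver is modelled as a single tested channel with an assumed rate, where a real PES would use the vendor-supplied PFD. The architecture formulas are the standard simplified expressions: 1oo1 = λTI/2, 1oo2 = (λTI)²/3, 2oo2 = λTI, 2oo3 = (λTI)², with the beta share of a redundant subsystem's failure rate treated as a single 1oo1 channel.

```python
"""Simplified-equation SIL verification and proof-test interval for a HIPS.

Added example; not code from the paper. The architecture formulas are the
ISA TR84.0.02 simplified equations for average PFD (no repair, no diagnostic
credit). Failure rates and the beta factor are constructed for illustration,
not vendor or field data. The logic solver is modelled as a single channel
with an assumed rate; a real PES would use the vendor-supplied PFD.
"""
from typing import Dict

HOURS_PER_YEAR = 8760.0

# Assumed dangerous undetected failure rates, per hour (constructed).
LAMBDA_DU = {
    "pressure_transmitter": 1.0e-6,
    "logic_solver": 1.0e-8,
    "valve_and_sov": 2.0e-6,   # shutdown valve plus its solenoid, as one element
}


def pfd_avg(arch: str, lam_du: float, ti_hours: float, beta: float = 0.0) -> float:
    """Average probability of failure on demand for one subsystem.

    arch is the voting architecture; ti_hours the proof-test interval; beta
    the fraction of lam_du treated as common cause for redundant channels
    (the common-cause share behaves like a single channel).
    """
    x = lam_du * ti_hours
    if arch == "1oo1":
        return x / 2.0
    if arch == "2oo2":
        return x
    xi = (1.0 - beta) * x          # independent share of the failure rate
    ccf = beta * x / 2.0           # common-cause share, tested at the same TI
    if arch == "1oo2":
        return xi ** 2 / 3.0 + ccf
    if arch == "2oo3":
        return xi ** 2 + ccf
    raise ValueError(f"unknown architecture {arch!r}")


def sil_from_pfd(pfd: float) -> int:
    """Map PFDavg to the SIL bands of Table 1 (0 = below SIL 1)."""
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


def hips_pfd(ti_years: float, beta: float = 0.02) -> Dict[str, float]:
    """PFDavg of the paper's typical HIPS: 2oo3 transmitters, logic solver,
    1oo2 shutdown valves. Subsystem PFDs add (series combination)."""
    ti = ti_years * HOURS_PER_YEAR
    parts = {
        "sensors": pfd_avg("2oo3", LAMBDA_DU["pressure_transmitter"], ti, beta),
        "logic_solver": pfd_avg("1oo1", LAMBDA_DU["logic_solver"], ti),
        "final_elements": pfd_avg("1oo2", LAMBDA_DU["valve_and_sov"], ti, beta),
    }
    parts["total"] = sum(parts.values())
    return parts


def max_test_interval_months(target_sil: int, beta: float = 0.02) -> int:
    """Longest whole-month proof-test interval (up to 10 years) at which the
    total PFDavg still meets target_sil; 0 if even monthly testing does not."""
    best = 0
    for months in range(1, 10 * 12 + 1):
        if sil_from_pfd(hips_pfd(months / 12.0, beta)["total"]) >= target_sil:
            best = months
        else:
            break    # PFDavg only grows with TI, so stop at the first failure
    return best


if __name__ == "__main__":
    for years in (0.5, 1.0, 2.0):
        p = hips_pfd(years)
        print(f"TI={years:>4} yr  PFDavg={p['total']:.2e}  SIL {sil_from_pfd(p['total'])}  "
              f"(sensors {p['sensors']:.1e}, solver {p['logic_solver']:.1e}, "
              f"valves {p['final_elements']:.1e})")
    print("longest proof-test interval holding SIL 3:",
          max_test_interval_months(3), "months")
```

With these constructed rates the loop meets SIL 3 at annual testing but drops to SIL 2 at two years, and the 1oo2 valve pair dominates the total, which is the usual finding for HIPS and the reason the paper insists on on-line valve test provisions. Raising beta, for example to reflect shared impulse taps or a common solenoid supply, lengthens nothing and shortens the permissible test interval, which is how common cause enters the verification.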

Summary

HIPS do not differ greatly from other trip systems. The systems are composed of field input devices, a logic solver and final elements. The necessity for high availability and reliability is where the differences truly begin. Redundancy in field devices is utilized to provide a high level of availability while, at the same time, increasing reliability. Typically, the inputs are configured in a two-out-of-three voting basis, the logic solver should have high availability, and the final elements are configured one-out-of-two. The design of any HIPS should be quantitatively verified to ensure it meets the required availability.

Care must be taken in any decision to implement HIPS. The use of HIPS should be generally restricted to the reduction of relief and flare loading in existing facilities. The use of HIPS should not be a justification for reducing the pressure relieving requirements on individual pieces of equipment. The pressure relieving of vessels should be sized for the worst credible scenario for each piece or groups of equipment irrespective of the HIPS design.

Advantages of HIPS

- Low capital costs compared to upgrading flare systems
- Can be installed without incurring additional downtime during a turnaround

Disadvantages of HIPS

- HIPS require that many different components work as designed.
- Effectiveness of the system is highly dependent on the field design, device testing, and maintenance program.
- Limit of knowledge in the identification of all over-pressure scenarios.
- HIPS becomes the "last line of defense". Failure results in potential over-stressing of the vessel.

References

1. “Recommended Practice for Analysis, Design, Installation, and Testing of Basic Surface Safety Systems for Offshore Production Platforms,” API 14C, Sixth Edition, American Petroleum Institute, March 1998.

2. “Guide for Pressure-Relieving and Depressurizing Systems,” API 521, Fourth Edition, American Petroleum Institute, March 1997.

3. “Pressure Vessels with Overpressure Protection by System Design,” Section VIII, Divisions 1 and 2, ASME Code Case 2211, The 1995 Boiler Pressure Vessel Code, American Society of Mechanical Engineers, 1995.

4. “Application of Safety Instrumented Systems for the Process Industries,” ANSI/ISA-SP 84.01-1996, ISA, Research Triangle Park, NC, 1996.

5. IEC 61508, 65A/255/CDV, “Functional safety of electrical/ electronic/programmable electronic safety related systems,” Parts 1, 3, 4, and 5, International Electrotechnical Commission, Final Standard, December 1998.

6. IEC 61508, 65A/255/CDV, “Functional safety of electrical/ electronic/programmable electronic safety related systems,” Parts 2, 6, and 7, International Electrotechnical Commission, Final Draft International Standard, January 1999.

7. “Process Safety Management of Highly Hazardous Chemicals; Explosives and Blasting Agents,” 29 CFR Part 1910, OSHA, Washington, 1992.

8. “Risk Management Programs for Chemical Accidental Release Prevention,” 40 CFR Part 68, EPA, Washington, 1996.

9. Ford, K.A. and Summers, A.E., “Are Your Instrumented Safety Systems up to Standard?,” Chemical Engineering Progress, 94, pp. 55-58, November, 1998.

10. Summers, A.E., “Techniques for assigning a target safety integrity level,” ISA Transactions, 37, pp. 95-104 1998.

11. “Safety Instrumented Systems (SIS)—Safety Integrity Level (SIL) Evaluation Techniques, Part 1: Introduction,” TR84.0.02, Draft, Version 4, March 1998.

12. “Safety Instrumented Systems (SIS)—Safety Integrity Level (SIL) Evaluation Techniques, Part 2: Determining the SIL of a SIS via Simplified Equations,” TR84.0.02, Draft, Version 4, March 1998.

13. “Safety Instrumented Systems (SIS)—Safety Integrity Level (SIL) Evaluation Techniques, Part 3: Determining the SIL of a SIS via Fault Tree Analysis,” TR84.0.02, Draft, Version 3, March 1998.

14. “Safety Instrumented Systems (SIS)—Safety Integrity Level (SIL) Evaluation Techniques, Part 4: Determining the SIL of a SIS via Markov Analysis,” TR84.0.02, Draft, Version 4, March 1998.

15. “Safety Instrumented Systems (SIS)—Safety Integrity Level (SIL) Evaluation Techniques, Part 5: Determining the PFD of SIS Logic Solvers via Markov Analysis,” TR84.0.02, Draft, Version 4, April 1998.

16. Summers, A.E. and G. Raney, “Common Cause and Common Sense: Designing Failure Out of Your SIS,” ISA EXPO 1998, Houston, Texas, October 1998, accepted for publication in ISA Transactions 1999.

17. Summers, A.E., K. Ford, and G. Raney, “Estimation and Evaluation of Common Cause Failures,” 1999 Loss Prevention Symposium, American Institute of Chemical Engineers Spring Meeting, Houston, Texas, March 1999.

Bob H. A. S. Djanegara

Could the Moderator or other colleagues give a picture of what the P&ID of this system looks like, so that I can better understand how the system works?

Page 10: (Instr)High Integrity Protection Systems and Pressure Relief Systems

Moderator MIGAS [[email protected]]

I have the P&ID, the vendor's quotation and an MS PowerPoint presentation for this HIPS system, but unfortunately they are all at the office. In the meantime, if you look at the drawings in that attachment, it is actually already quite clear.

In principle there are three pressure transmitters as field devices that detect over-pressure. If that condition occurs, the logic solver commands the shutdown valve (final element) to close immediately, in less than 2 seconds, so that the downstream side is protected from the over-pressure.

The only problem here is that every time the HIPS activates there is no output at all, because the system is completely isolated. So you can imagine the losses if the HIPS activates frequently. This is the point at which endless discussions between the safety and production departments often arise.

Waskita Indrasutanta

I am not sure a safety system can be read off a P&ID. Even if it can, we would only see, for example, three sensors at the same measuring point and a 2oo3 voting function block. The rest has to be studied from the specification and the designer's description, as the Moderator explains below.

Stephanus Sulaeman

Thank you for the information on HIPS; I still have many reservations about it. This may be because the explanation available is not extensive enough, so my change of mind is still incomplete.

First of all I would like to ask which circuits the HIPS application covers, where it is installed, what the calculation method for pressure wave propagation in the target medium is, and what the ratio of instrumentation response speed to wave propagation should be (since in many cases the wave propagation is extremely fast, especially when a fire occurs). Further questions will follow once the ones above have been answered.

Moderator MIGAS

As it happens I managed to get to the office this morning before the boss sent us home as a precaution, because Afghanistan was attacked by Uncle Sam. There is additional material on HIPS from an article by the vendor Mokveld. The file is quite large, about 2 MB, so I decided to make a summary of just the important points. Hopefully it helps in understanding HIPS better.

It should be stressed here that HIPS is the last level of protection to act. The sequence is as follows:

1. Control system
2. Alarm
3. Emergency shutdown
4. HIPS

I have also added the drawings from the attachment in MS Word format. Guaranteed you will not be confused any more.

Figure 1 - HIPS installation in the field

Figure 2 - Levels of Defense

Figure 3 - Production Separator with HIPPS

Figure 4 - IEC 61508 (draft) Risk Graph / Safety Integrity Levels

Figure 5 - HIPS Schematic Diagram

[Figure 4 residue: extracted layout of the IEC 61508 (draft) Risk Graph / Safety Integrity Levels diagram. The graph runs from the "starting point for risk estimation" through the consequence (C1-C4), frequency and exposure time (F1, F2) and possibility of avoidance (P1, P2) branches to three columns of required risk reduction for IPFs (for W3, for W2, for W1), whose cells carry the safety integrity level classification -, a, 1, 2, 3, 4 or b. Legend as printed on the figure:]

Consequence
C1 = Minor injury.
C2 = Serious permanent injury to one or more persons; death to one person.
C3 = Death to several people.
C4 = Very many people killed.

Frequency and exposure time
F1 = Rare to more often exposure in the hazardous zone.
F2 = Frequently to continuously.

Possibility to avoid the hazardous event
P1 = Possible under certain conditions.
P2 = Almost impossible.

Probability of the unwanted occurrence
W1 = A very slight probability that the unwanted occurrence will come to pass and only a few unwanted occurrences are likely.
W2 = A slight probability that the unwanted occurrences will come to pass and few unwanted occurrences are likely.
W3 = A relatively high probability that the unwanted occurrences will come to pass and frequent unwanted occurrences are likely.

Benefits of using HIPS

1. Reducing the plant risk profile (insurance)
2. Reduced size of flare system and piping
3. Human protection (toxic fluids)
4. Environmental issues & regulations
5. Reduced weight
6. Reduced installation footprint
7. Lower investment cost (Exxon study: Conventional/Hybrid/HIPPS is 100%/70%/60%)

IEC 61508 engineering cycle

1. Know your potential hazards (perform a HAZOP study)
2. Evaluate the acceptability of the risks of those hazards
3. Determine the required Safety Integrity Level (SIL) by feeding the HAZOP results into the risk graph
4. Define and select protective measures
5. Classify the safety function using target reliability & architecture
6. Verify that the reliability meets the initial requirements

When designing HIPPS be aware that

1. There are no "standard" or generic solutions
2. Each situation has to be evaluated to find the best solution
3. A full reliability assessment should be performed by an independent third party
4. Dynamic process simulation is strongly recommended
5. The design basis of the process control system should be closely re-evaluated
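The risk-graph step of the engineering cycle above (Figure 4's C, F, P and W parameters deciding the required SIL, which a HIPS then has to meet) carried through in code. This is an added example, not code from the thread, from Mokveld or from the IEC document. The legend classes are the ones printed on Figure 4; the routing of each C/F/P path to an intermediate node X1..X6 and the W3/W2/W1 table per node are assumed from the example risk graph in IEC 61508-5 and must be calibrated to the operating company's own graph before use; the scenarios are constructed.

```python
from dataclasses import dataclass

# Parameter classes as in the Figure 4 legend (IEC 61508 draft risk graph).
CONSEQUENCE = ("C1", "C2", "C3", "C4")   # minor injury ... very many people killed
FREQUENCY = ("F1", "F2")                 # rare ... frequent/continuous exposure
AVOIDANCE = ("P1", "P2")                 # possible ... almost impossible to avoid
DEMAND = ("W1", "W2", "W3")              # very slight ... relatively high probability

# ASSUMPTION: routing of each C/F/P path to an intermediate node X1..X6, taken
# from the example risk graph in IEC 61508-5 (C1 always ends at X1).
_ROUTE = {
    ("C2", "F1", "P1"): "X2", ("C2", "F1", "P2"): "X3",
    ("C2", "F2", "P1"): "X3", ("C2", "F2", "P2"): "X4",
    ("C3", "F1", "P1"): "X3", ("C3", "F1", "P2"): "X4",
    ("C3", "F2", "P1"): "X4", ("C3", "F2", "P2"): "X5",
    ("C4", "F1", "P1"): "X4", ("C4", "F1", "P2"): "X5",
    ("C4", "F2", "P1"): "X5", ("C4", "F2", "P2"): "X6",
}

# ASSUMPTION: required risk reduction per node for the W3, W2, W1 columns.
# "-" = no safety requirement, "a" = no special safety requirement,
# "b" = a single instrumented protection function is not sufficient.
_REQUIREMENT = {
    "X1": {"W3": "a", "W2": "-", "W1": "-"},
    "X2": {"W3": "1", "W2": "a", "W1": "-"},
    "X3": {"W3": "2", "W2": "1", "W1": "a"},
    "X4": {"W3": "3", "W2": "2", "W1": "1"},
    "X5": {"W3": "4", "W2": "3", "W1": "2"},
    "X6": {"W3": "b", "W2": "4", "W1": "3"},
}

# Low-demand PFDavg band per SIL (IEC 61508-1), lower bound inclusive.
PFD_BAND = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def risk_graph(c, f, p, w):
    """Walk the graph for one hazardous event; return (node, requirement)."""
    for value, allowed in ((c, CONSEQUENCE), (f, FREQUENCY), (p, AVOIDANCE), (w, DEMAND)):
        if value not in allowed:
            raise ValueError(f"{value!r} is not one of {allowed}")
    node = "X1" if c == "C1" else _ROUTE[(c, f, p)]
    return node, _REQUIREMENT[node][w]


def hips_meets(requirement, hips_sil=3):
    """Does a HIPS of the given SIL (the thread says SIL 3 is typical) satisfy it?"""
    if requirement in ("-", "a"):
        return True
    if requirement == "b":
        return False      # one instrumented function is not enough; redesign
    return hips_sil >= int(requirement)


@dataclass
class Scenario:
    name: str
    c: str
    f: str
    p: str
    w: str


def classify(scenarios, hips_sil=3):
    """Map each HAZOP scenario to (node, requirement, covered_by_hips)."""
    result = {}
    for s in scenarios:
        node, req = risk_graph(s.c, s.f, s.p, s.w)
        result[s.name] = (node, req, hips_meets(req, hips_sil))
    return result


# Constructed scenarios for illustration only (not from the thread).
SAMPLE_SCENARIOS = [
    Scenario("separator overpressure, derated downstream piping", "C3", "F2", "P2", "W2"),
    Scenario("test header blocked outlet, area rarely manned", "C2", "F1", "P1", "W1"),
    Scenario("flowline rupture near manned area", "C4", "F2", "P2", "W3"),
]

if __name__ == "__main__":
    for name, (node, req, ok) in classify(SAMPLE_SCENARIOS).items():
        print(f"{name}: {node} -> requirement {req}, SIL 3 HIPS sufficient: {ok}")
```

The third constructed scenario lands on "b", which is the case the engineering cycle's last step is meant to catch: no single HIPS, however well built, closes the gap, so the protective measures have to be redefined rather than the SIL target raised.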

Stephanus Sulaeman

Oh, so that is what HIPS means. I want to ask (referring to figure no. 3, since it differs from figure no. 5): does the upstream side of the HIPS system have no pressure control system? If it does, why not simply upgrade its capability (both response and reliability), since the HIPS concept certainly requires extra cost? If it does not, so that a HIPS is installed directly, is it true that the high-pressure vessel protection system is based only on feedback control, not cascade control?

Warih Kundono

I would like to add one safety item, the Pressure Safety Valve, to the sequence of protection systems the Moderator described. The order of protection layers then becomes:

1. Control system
2. Alarm
3. Emergency shutdown
4. PRESSURE SAFETY VALVES
5. HIPS

HIPS is not designed to replace the function of the pressure safety valve.

Moderator MIGAS

I will answer everything in one go; hopefully the answers are correct. If they are wrong, I apologise in advance, since the real expert on this HIPS system is my boss, who is also a member of this mailing list. Pak DS, when are you going to join this discussion?

For Pak Stephanus Sulaeman.

Upstream of the HIPS are the christmas tree and the manifold, which of course have their own safety systems against this over-pressure. In fact, if you look at the drawing, the protection is layered. The first step in the sequence is closure of the choke valve, followed by the wing valve, the master valve and finally the SCSSV. Then there are the individual shutdown valves on each flowline to the production manifold and the test manifold.

Then the matter of cascade control. Looking at the definition: cascade control is a technique that uses two measuring and control systems to manipulate a single final control element. The relationship is usually master-slave or primary-secondary. The cascade control I know of is normally used for temperature and analytical applications where the measurement lag is quite long. So for a pressure vessel with a simple process, such as a production separator whose job is to separate the process fluid into gas, oil and water by gravity, I do not think it is needed. Perhaps in a more complex system, such as the Pertamina refinery in Balikpapan, we might find cascade control.

For Pak Warih Kundono

You have misinterpreted the text. In the Conoco case, the HIPS example is for a derated pressure rating on the downstream side of the HIPS. You can imagine that upstream and downstream of the production separator, all the material used is super duplex stainless steel that complies with NACE requirements, which is quite expensive. Think of the cost that can be saved if we can lower the pressure rating of all the mechanical equipment and its accessories from 1500# to 600#.

You can see in the production separator drawing that there is still a PSV to protect the pressure vessel from over-pressure, but with a set pressure for the 600# rating, NOT 1500#. Confused...? Well, ask DS tomorrow.

Nanan Yanie

Pak Moderator, I want to join in on this issue. Sorry, I am using my wife's e-mail (I am off-duty) to comment on HIPS (high integrity protective system) or HIPPS (high integrity pressure protection system). In my opinion:

HIPS/HIPPS is a breakthrough in instrumentation related to plant safety. Because of its reliability, it "starts to bargain" with the assumptions used when designing a flare system. Indeed, the assumptions used in a flare study or blowdown study are sometimes "overkill". If HIPS/HIPPS offers an alternative for reducing the flaring load, in a particular case that may be true. But quite often the flare load capacity is determined by blowdown of the plant inventory on ESD or fire. In that case, applying a HIPS/HIPPS system seems inappropriate.

With or without HIPS/HIPPS, derating a pipe is actually common because it is "cost-driven". It is just that with HIPS/HIPPS we are more "confident", so we can reduce the sizing of a PSV capacity from full blocked discharge to partial blocked discharge (depending on how confident we are in the HIPS/HIPPS system, which may fail). Logically, it is not possible that all of our several HIPS/HIPPS systems would fail at once, at most a double or triple jeopardy. But talking about system failure is not only about fail or not fail, since there are external factors too, for example what if the rate of theft of instrumentation around the wellhead turns out to be very high, so that however sophisticated our system is, it can still be breached... it could happen, right...

Without HIPS/HIPPS the plant can actually run (even with construction work related to a live system) provided that, at the design stage, valves were provided at strategic points to avoid a shutdown when a tie-in has to be made. The problem is only that the future picture of a plant is not always clear, and that is indeed the nature of the oil and gas business. Another alternative is to "hot-tap" at certain places, for example on the flare header. Apart from the specific requirements, some companies seem not to like this method for safety reasons and prefer to shut down their plant. Well, the HIPS/HIPPS seems able to patch the shortcomings of the existing conventional system.

HIPS/HIPPS seems to need a lot of attention, especially from the maintenance side. Look, it has to be able to close in a relatively short time (of the order of 2 seconds) and has a strict testing frequency. So the question is, when applying this system, has one looked far ahead, to the end of the plant's life? Has it been considered who will maintain and control this system properly? It is possible that during the operating life of a plant there is a reorganisation leading to staff reductions, improper skill distribution, budget limitation, perhaps even degradation of maintenance skill availability, and so on, blah, blah, all of which will touch on the reliability of a plant.

As we know, HIPS/HIPPS can be used to reduce the flare load. The PSV is kept (only its size is reduced) for one or more of the following reasons: to cover leakage of the SDV in the HIPS/HIPPS system, or for the fire case (or perhaps gas blow-by) in the vessel itself, or to cover two or three HIPS/HIPPS systems failing. Now, the problem that may arise is when maintenance is to be carried out on the system. Does the maintenance crew know exactly, for a given job, the maximum number of HIPPS that may be bypassed so that the safety integrity is maintained? I could argue for placing a number of bypasses on the HIPPS system that also use HIPPS equipped with a safety interlock, as suggested by the Norsok standard, so that if you want to test one, just switch on its bypass and you are done. That's good, but what if there are many flowlines, around 200 as at the Badak Plant; the economics might then be the obstacle... In that case, having a PSV designed for full blocked discharge has its advantages... you can sleep a bit more soundly, he he.

The design journey for HIPS/HIPPS of course also determines its success. Remember that this system is really there to cover what has to be covered, and is designed by the designer and verified by the team doing the risk assessment. Now, the PHA (Process Hazard Analysis, e.g. HAZOP, HAZID, HAZAN, FMEA, What-if, Checklist, Fault Tree Analysis) system itself has an inherent flaw, namely that it does not go very deep in including the human factor in the assessment, and that it is a "snapshot" in time. So the PHA team's recommendations may no longer be valid one or two months later, let alone if there is another engineering change, in which case a PHA has to be done all over again. The time availability, expertise, independence and integrity of the PHA team also determine the result.

Many PHA results also have to be verified or perhaps cancelled because their quality is not what was expected.

From the Inherently Safer Plant perspective, HIPS/HIPPS falls into the Active criterion. It ranks third after inherently safer and passive protection. So what HIPS/HIPPS does is improve the performance of the safety shutdown system. We do not need to force the level of safety, because "How much safety is enough" depends on you. You must decide for yourself how much risk can be reduced, as low as appropriate.

Thanks for the excellent attachments. Respect!
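The 2oo3 transmitter voting that the Moderator describes, together with the bypass question raised in the last post (how many channels may be overridden while the integrity is kept), as an added example that is not code from the thread or from any vendor. The tags, the set point, the fail-safe treatment of a faulted channel and the degraded-voting rule (2oo3 becomes 1oo2 while one channel is bypassed, and a second bypass is refused) are assumptions made for this example, not a requirement of any standard.

```python
from dataclasses import dataclass

TRIP_SETPOINT_BARG = 100.0   # constructed set point for the example


@dataclass
class Channel:
    """One of the three pressure transmitters feeding the logic solver."""
    tag: str
    value_barg: float
    healthy: bool = True      # loop diagnostics OK (in range, no fault)
    bypassed: bool = False    # maintenance override in force


class Voter2oo3:
    """2oo3 voting with an assumed maintenance-bypass rule."""

    def __init__(self, channels, setpoint=TRIP_SETPOINT_BARG):
        if len(channels) != 3:
            raise ValueError("2oo3 voting needs exactly three channels")
        self.channels = {c.tag: c for c in channels}
        self.setpoint = setpoint

    def voting_channels(self):
        return [c for c in self.channels.values() if not c.bypassed]

    def request_bypass(self, tag):
        """Grant a bypass only while at least two healthy channels keep voting."""
        ch = self.channels[tag]
        if ch.bypassed:
            return True
        remaining = [c for c in self.voting_channels() if c.healthy and c.tag != tag]
        if len(remaining) < 2:
            return False      # refused: would leave less than 1oo2 behind
        ch.bypassed = True
        return True

    def release_bypass(self, tag):
        self.channels[tag].bypassed = False

    def evaluate(self):
        """Return (trip, reason). A faulted channel votes for trip (fail-safe)."""
        voting = self.voting_channels()
        votes = sum(1 for c in voting
                    if not c.healthy or c.value_barg >= self.setpoint)
        n = len(voting)
        if n == 3:
            required = 2      # normal 2oo3
        elif n == 2:
            required = 1      # degraded 1oo2 while one channel is bypassed
        else:
            return True, "fewer than two voting channels: fail-safe trip"
        return votes >= required, f"{votes}/{n} trip votes, {required} required"


def demo():
    """Constructed sequence; returns (step, decision) pairs."""
    a, b, c = (Channel("PT-101A", 60.0), Channel("PT-101B", 60.0),
               Channel("PT-101C", 60.0))
    voter = Voter2oo3([a, b, c])
    steps = [("all normal", voter.evaluate()[0])]                  # False
    a.value_barg = 120.0
    steps.append(("one transmitter high", voter.evaluate()[0]))    # False: 1 of 3
    b.value_barg = 120.0
    steps.append(("two transmitters high", voter.evaluate()[0]))   # True: 2oo3 met
    a.value_barg = b.value_barg = 60.0
    steps.append(("bypass A granted", voter.request_bypass("PT-101A")))   # True
    steps.append(("bypass B refused", voter.request_bypass("PT-101B")))   # False
    c.healthy = False
    steps.append(("C faulted while A bypassed", voter.evaluate()[0]))     # True
    return steps


if __name__ == "__main__":
    for step, decision in demo():
        print(f"{step}: {decision}")
```

The last step shows the production-versus-safety tension the thread keeps returning to: once one channel is bypassed, a single fault on another channel is enough to trip the whole train, which is exactly why the number of permitted overrides has to be written into the maintenance procedure rather than decided at the panel.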