Baris Arslan Senior Safety Consultant Oilconx Risk Solutions (ORS)
www.ors-no.com
30.10.2012
This presentation is about
How to maintain HIPPS?
How to demonstrate the reliability of HIPPS in operation?
Human Reliability & HIPPS Maintenance
The beginning of wisdom is to call things with their right names
HIPPS protects downstream equipment against overpressure coming from upstream.
Instrument based systems for secondary protection or HIPPS?
Why is HIPPS so special?
Source: lsa.org
HIPPS or not
In most cases, it is developed as a result of a deviation from traditional process design
Upon failure, it may cause major accidents with catastrophic safety, environmental and commercial consequences
Typically very high integrity and fault tolerance requirements
Critical response times for the entire system (could be 2-3 seconds)
HIPPS is a special case; because:
Task-based; Architecture-based; Standard-based
Shared components; Independent components; Independent / combined system
Topsides (*); Export pipelines; Subsea
Reduce demand rate on relief; Eliminate a particular scenario from design basis; Others...
API designed assets; IEC 61508; IEC 61508 / P-001 / OLF070
Classification of HIPPS different generations
Procedures for analyzing maintenance performance for: systematic faults & recurring faults; assessing demand rates (if higher than design basis or not); diagnosis / repair / revalidation
Ensuring that functional safety is maintained during operation and maintenance
Availability of skills and resources for maintenance
Chronological documentation of repair and maintenance
Results of tests
Documentation of the time
Documentation of modifications
High safety integrity systems with particularly severe consequences not share common maintenance procedures
IEC 61508:2010 ensuring functional safety during operational phase
OLF 070 gives detailed guidance about SIS (indirectly HIPPS) maintenance focusing on: SIS maintenance scope; use of vendor documents; functional testing requirements; integral / partial tests; maintenance reporting; compensating measures upon overrides and failures; reporting of demands / anomalies
P-001 contains: requirements about testing frequency; valve leakage testing frequency; system regularity aspect; reference is made to IEC standards
API 521, Annex E.5 gives some guidance about HIPPS testing. Highlighted issues are: considering site resources when establishing testing frequency; potential for introducing faults and spurious shutdowns due to human error
API 17O Subsea HIPPS: the proof test intervals are to be documented in the maintenance procedures; experience data to include failure data source based on the number of performed tests of the SIF together with how many of these resulted in a failure
OLF/NORSOK views on HIPPS maintenance
PM procedure for each HIPPS, linked to design basis documents (such as SRS)
Maintained database for information such as demands, failures etc.
Well-designed infrastructure to accommodate information flow (maintenance reports, failure codes, damage codes, automatic notifications etc.)
Well established procedures to analyse failure data
Verification and validation activities (see assurance on next slide)
Competent (and available) personnel to make decisions in due time
Key requirements for HIPPS maintenance appear to be
Data validation
PM or Corrective Maintenance
System responsible is notified
Origin of data is controlled (document traceable)
Equipment type (manufacturer, year etc. checked)
Operating conditions are verified
Failure code and long text is checked (i.e. in compliance with corporate guideline/EN 14224)
Offshore personnel is consulted for data validation
Onshore verification
Test period
Acceptance criteria for verification
Pass/fail statement for the verification
Revisions on design basis documents
Competence requirements
Verification of functional test on component basis
PM Procedure; ERP System; Database; Stage 1; Stage 2
Two Stage Offshore Failure Data Validation for HIPPS
20 years
How does reliability change?
Design Basis
Develop reliability model (Alternative: Existing model upon validation)
Define acceptance criteria (Datasheets/QRA/Corporate/Performance Standards)
Collect field data
Assess failure data
Revalidate
(How? see failure reporting) (Evaluate failure types) (Evaluate failure inter-arrival times) (Carry out trend analysis of field failure data)
Modification
Restore operation (Degraded system)
Monitoring Reliability Performance
90% confidence interval has been applied for OREDA based studies
70% confidence interval for IEC-based approach
Only useful lifetime has been included due to: offshore site-acceptance test; onshore factory acceptance test
Assumption: Sub-components are replaced before the wear-out period (e.g. lifetime replacements)
Useful lifetime and confidence interval
Field data is vital for the credibility of Periodic Reliability Monitoring
Standardized data format is necessary to address failure cause and failure consequence
Data needs to be collected for all HIPPS components, e.g. input devices, control units and final elements
Why is it difficult to collect data? It requires: resources (positive & negative reporting); competence and motivation; sophisticated ERP systems
System responsible; Offshore supervisor; Offshore technician; Vendors; Reliability specialist; Surveyors / Authorities
Data collection is the key
Functional Check Procedure is followed
In case of failure, notification is created in the company ERP by technicians
Unique failure codes are used
Additional damage text is included
Operational mode is adjusted as per SRS and PM procedure
Always shutdown; Degraded Operation; Always Production
Onshore investigations start
All possible HIPPS sub-component failures must be well known
Technicians must be trained to recognize all failure types
Interfacing systems and associated failures must be assessed in detail
HIPPS training package for technicians must address: practical use of SRS; use of Preventive Maintenance (PM) procedure with SRS; use of failure codes in ERP systems; potential human errors
In case of HIPPS failures (offshore) and training package
Different strategies based on HIPPS classification (see Slide 4): for 1st generation HIPPS, focus on dangerous undetected failures, and for 3rd generation HIPPS, classification of both safe and dangerous failures
Failure database is updated based on failure classifications
Code (columns: Input, Final, Logic): AIR X; DOP X; ELP X X; ELU X X; ERO X X; FTC X; FTF X X; HIO X; HUE X X X; INL X; LOO X; PLU X X; SER X X X; SPO X X X; STD X
Failure codes for HIPPS ~ SAP/EN14224
Classification of failure codes for different generations HIPPS
PERIODIC CHECKS
Keep it simple
Use existing reliability model (if any) for a particular HIPPS (clear benefits if the model is not software dependent, e.g. excel based or similar)
Apply simple but recognized methods to evaluate the effect of failure inter-arrival times, distributions, sampling etc.
Determine a final failure rate to update the model
Is the HIPPS performance acceptable? Where are the acceptance criteria?
ACCEPTANCE CRITERIA
Again, different acceptance criteria based on HIPPS classifications (Slide 4)
Some examples:
Fully risk-based approach
Risk-based approach with minimum requirements
API-based judgments (equal to or better than x concept)
Remember: Two-stage assurance model to verify acceptance criteria periodically
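An added worked example (not part of the original presentation) of the periodic check described above: it derives an upper-bound failure rate from field data at the 70% and 90% confidence levels mentioned earlier, compares it with an acceptance criterion, and runs a Laplace trend test on failure times. The constant failure rate (useful lifetime only), the field data, the design-basis rate and the choice of the Laplace test as the "simple but recognized" method are all assumptions made for illustration.

```python
import math

def poisson_cdf(n, mu):
    """P(N <= n) for N ~ Poisson(mu)."""
    term = total = math.exp(-mu)
    for k in range(1, n + 1):
        term *= mu / k
        total += term
    return total

def upper_failure_rate(n_failures, hours, confidence):
    """One-sided upper bound on a constant failure rate (per hour).

    Solves P(N <= n | mu) = 1 - confidence by bisection; this equals the
    usual chi-square(confidence; 2n + 2) / (2 * hours) bound.
    """
    lo, hi = 0.0, 10.0 * (n_failures + 1) + 10.0
    for _ in range(200):
        mid = (lo + hi) / 2
        if poisson_cdf(n_failures, mid) > 1 - confidence:
            lo = mid   # bound still too optimistic, move up
        else:
            hi = mid
    return hi / hours

def laplace_trend(failure_times, window):
    """Laplace statistic for failure times observed in (0, window].

    Above about +1.645: failures arrive faster over time (5 % one-sided).
    """
    n = len(failure_times)
    mean_t = sum(failure_times) / n
    return (mean_t - window / 2) / (window * math.sqrt(1 / (12 * n)))

def assess(n_failures, hours, design_rate, confidence):
    """Return (point estimate, upper bound, meets design-basis rate?)."""
    upper = upper_failure_rate(n_failures, hours, confidence)
    return n_failures / hours, upper, upper <= design_rate

# Constructed field data: 4 HIPPS valves observed for 5 years each,
# 1 dangerous undetected failure found at proof test.
HOURS = 4 * 5 * 8760
DESIGN_RATE = 2.0e-5  # per hour, assumed design-basis value

if __name__ == "__main__":
    for conf in (0.70, 0.90):
        print(conf, assess(1, HOURS, DESIGN_RATE, conf))
    # Constructed failure times (hours since start-up) in a 5-year window
    print(laplace_trend([30000.0, 38000.0, 41000.0, 43000.0], 43800.0))
```

With this constructed data the same single failure passes the criterion at 70% confidence and fails it at 90%, so the confidence level has to be fixed together with the acceptance criterion.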
Periodic Verifications
Classical human error producing conditions apply widely to full-automatic HIPPS operation and maintenance
Based on our experience, typically observed human errors on HIPPS relate to red marked items in the North Sea:
Poor feedback (reporting)
Physical capabilities exceeded
No independent check after testing
Unclear allocation of function and responsibility
An incentive to use more dangerous methods
A poor or hostile working environment
Task pacing caused by intervention of others
Operator inexperienced
Little or no independent checking or testing of output
High level emotional stress
Disruption of normal work sleep cycles
Unfamiliarity with the situation which occurs (infrequent or new situation)
A need to unlearn a technique and apply one which requires application of another philosophy
HIPPS Human Error Producing Conditions
Human reliability is a huge concern for HIPPS operation and maintenance
Numerous incidents have been observed at different companies where HIPPS valves and/or transmitters have been disabled
Generally speaking, limited focus on quantification of human reliability for maintenance of HIPPS in the oil and gas business
Limited failure reporting regarding human failures during maintenance
Human reliability must be considered as an integral part of overall reliability for HIPPS
Human Reliability; Hardware Reliability; Software Reliability; Overall HIPPS reliability
Human reliability & HIPPS maintenance
Required; Achieved
Periodic Reliability Assessments (PRA) reveal the weakest components in critical loops
Failure of HIPPS may lead to major accidents with catastrophic consequences
Maintenance & operation is the longest lifecycle phase; we need reliable HIPPS all the way through
A customized approach is needed for different types of HIPPS, Operating Company and Operating Unit
HIPPS maintenance, if done as advised by IEC, is a complex job requiring strict collaboration and interaction at all levels. It requires highly competent, motivated people and enhanced data management tools
Collection and analysis of data are very important. Credibility of simply everything is at stake if we don't collect correct field data from offshore oil platforms
Human failures remain a big concern. Human reliability must be addressed as a part of overall HIPPS reliability
No quick-fix for HIPPS maintenance
Conclusion
For more information, please contact
Baris Arslan, Senior Safety Consultant, baa@ors-no.com, +46 735391827