Mokveld Valves First in Safety

Instrumented Protection Systems

Introduction
High Integrity Pressure Protection Systems (HIPPS) are used to reduce the risk that a system can exceed its design pressure to a tolerable level. Conventional design standards applied in the oil and gas industry stipulate that nal protection of piping and pressure vessels against over-pressurisation shall be provided by means of mechanical relief devices. Sometimes the use of these devices, like relief valves, is undesirable or impossible. Instrumented protection systems provide a technically sound and economically more attractive solution to this problem in situations where: - Extremely high-pressures, or ow rates are processed. - Environmental constraints or restrictions limit the use of conventional relief systems. - The economic viability of a development needs improvement. - The risk prole of the plant must be further reduced.

HIPPS INSTRUMENTED ESD ALARMS CONTROL SYSTEM

PROCESS

Levels of Defence.

ACTUAL REMAINING RISK Risk with the addition of other risk reduction facilities and IPS

TOLERABLE RISK

INTERMEDIATE RISK Risk with the addition of other risk reduction facilities

INITIAL RISK Risk without the addition of any protective features

INCREASED RISK
NECESSARY MINIMUM RISK REDUCTION

ACTUAL RISK REDUCTION PARTICIAL RISK COVERED BY INSTRUMENTED SYSTEM

PARTIAL RISK COVERED BY: - OTHER TECHNOLOGY - EXTERNAL RISK REDUCTION FACTORS

Determination of Tolerable Risk

RISK REDUCTION ACHIEVED BY ALL SAFETY RELATED SYSTEMS AND EXTERNAL RISK REDUCTION FACILITIES

Schematic example of various risk reduction methods resulting in an acceptable or tolerable risk.

Standards & Design Practices

The enormous ow rates that are currently being processed in combination with the environmental constraints initiated the widespread and rapid acceptance of HIPPS as the ultimated protection system. The International Electrotechnical Commission (IEC) has followed up on these developments by introducing the IEC 61508 standard. This is a performance based, nonprescriptive standard, which provides a detailed framework and a life-cycle approach for the design, implementation and management of safety systems applicable to a variety of sectors with different levels of risk denition. In this standard the qualitative risk reduction concept as described in the DIN V 19250 is used as a basis, enhanced with quantitative targets. A consistent basis in reducing the probability of a hazardous event is applied. It is dened as a function of the risk that a process will exceed its safety limits multiplied by the probability that the safety system will fail on demand (PFD). Although this Standard is mainly focused on Electrical/Electronic/Programmable Electronic Safety-related systems, it also provides a framework for safety-related systems based on other technologies including mechanical systems. The basis for using instruments in safety functions are four Safety Integrity Levels (SIL) representing the necessary risk reduction as recognised in a risk analysis. Each SIL level corresponds with a tolerable Probability of Failure on a Demand (PFD). The entire safety loop, including the safety function, shall meet this PFD value. The German DIN 3381 standard, dictating qualitative requirements as well as some quantitative requirements for safety shut-off valves has been used for the past decades in >

What is HIPPS
In HIPPS, instruments provide the safety function. The Safety Loop consists of one or more initiators, nal elements and a logic solver. Either completely mechanical components or a combination of mechanical and electrical components can be used. All components shall be fail safe in the deenergised mode. With HIPPS, the protection against overpressure is obtained by quickly isolating the source causing the overpressure, reducing the plants risk prole.

Logic

Logic Solver

PT

PT

PT

Initiator

Final Elements

1500# 600#

Typical safety Loop.

Safety Integrity Level SIL 4 3 2 1

Probability of Failure on demand PFD 10-5 to < 10-4 10-4 to < 10-3 10-3 to < 10-2 10-2 to < 10-1

> (mechanically) instrumented overpressure

protection systems. Along with leakage rates, response times and accuracy levels, this standard also species safety factors for the material quality and over-sizing of the driving force closing the nal element. Independent design verication and testing to prove compliance to the DIN 3381 standard is mandatory. This resulted in an inherently safer product as illustrated by Mokveld HIPPS valves build in accordance to DIN 3381 with a failure rate () as low as 4.410-04 failures per year.

Safety Function Related Monitoring / Smart HIPPS

Currently two systems provide solutions to valve diagnostics and monitoring. These can be divided into smart valve positioners from the process control industry, and complete high-speed data collection and analysis systems. Both systems can provide the operator with data concerning the labour performed by the valve and the overall valve performance, reducing maintenance, increasing availability and lifetime. In addition to valve diagnostics, the Mokveld HIPPS can be equipped with an unique online monitoring unit making the valve smart .

Reliability
The Safety Integrity Level (SIL) of a loop dictates the Probability of Failure on Demand (PFD). If a demand occurs and the safety system is not able to perform its function, a hazardous event may arise. The PFD is equal to 1/2T (for a single loop) whereby , the failure rate is equal to 1/MTBF (Mean Time Between Failure) with T being the test interval. This test interval is the time between periodical tests in which either all or part of the undetected dangerous failures are found. The lifecycle of components in a safety loop depends on the coverage rate of this periodical test. The applied level of monitoring and diagnostics determines the coverage rate.

Schematic of Mokveld SMART HIPPS.

Probability [-]

This type of monitoring is done online, automatically and without the necessity for an operating demand or test. Using the reliability of a Mokveld valve and applying extended diagnostics, a single nal element (1oo1) may full the qualitative and quantitative requirements for a SIL 3 level as stipulated in the latest revision of the IEC 61508.

Probability of Failure on Demand. Single Mokveld conguration.

Proof Test Interval [hours x10 4 ]

Mokveld pressure switches, model P198, used in a HIPPS system with 1oo2 pressure sensing.

Initiators
The available pressure sensing initiators are mechanical switches or electronic pressure transmitters. A safety loop may consist of one or more sensors to full the requirements of the safety function. Mechanical Systems are most often used in systems required to be totally selfcontained. These can be stand-alone with no requirement for external power source and therefore suitable for locations in remote areas. The Mokveld pressure switches are certied to DIN 3381 and have a setpoint accuracy better than 1%.

The HIPPS safety loop

The safety loop is a functional unit, consisting of input (Initiator), Logic Solver and output (Final Element). The function is arranged so that signals pass from one to another for safeguarding a process. The recommended principle is de-energised to trip.

PIC

An example of how and where HIPPS can be implemented in a typical production facility.

Logic Solver
Electronic voting systems utilising pressure transmitters are typically used for remote sensing. They permit full communication with the Safety System and allow for integrated monitoring. The communication feature reduces the chance of spurious trips. The transmitters are connected to a dedicated logic solver by means of trip ampliers. The logic solver is probably the most complex device in the loop, especially the programmable ones. Most systems on the market are available with DIN V 19250 AK 5/6 certicates. The solid state systems such as the ones using magnetic core technology are available with AK 7/8 certicates.

Mokveld RZD-X HIPPS nal element (actuator and valve).

Actuator
The actuator is a vital component between the pressure sensing element and the nal element. It should be specically designed for fast reliable stroking over an extended service life. On failure, they are to close the nal element. This action should be generated by energy that is independent of external sources, commonly springs. These actuators are designed to provide 5 times more closing thrust than that the nal element requires (including any break-out forces). Two types of Mokveld actuators are commonly used: Low pressure instrument air or line gas to open, springs to close. Hydraulic supply to open, springs to close. This type can be supplied in two kinds, using the hydraulic supply: - from an external source (powerpack). - or from a hydraulic handpump mounted directly on the valve. This is a fully selfcontained system.

Typical Safety System control cabinet with schematics of magnetic core logic solver.

Final Element
The shut-off valve must meet the requirements of high safety standards in critical applications. The nal element shall be designed to be a highly reliable valve and maintain tight shut-off capabilities under all encountered conditions maintaining the integrity of the elements function. Long periods of inactivity (valve remains fully open for a long period) shall not inuence the response time of the valve, nor the stroking speed (to close). With the Mokveld axial ow design, changes in valve friction caused by pressure differentials, scaling, debris or corrosion on the closing elements is reduced. a) In the open position, the closing element is completely protected by the innerbody while there is no contact between parts (apart for the transmission). Therefore breakout thrust is minimal, while the available spring force of the actuator is at its maximum. b) During the valve stroke, the main sealing element (main seal) is fully retracted. Contact between the sealing elements is limited to the last 3% of the stroke. c) The full pressure balanced design permits the available actuator thrust to be independent of the pressure differential across the valve.

Typical result of pressure use and stroke speed calculations.

Notes: * CCF considered with Beta=0.1 rev. 0, July 5, 99 Sheet 1

HIPPS fails [3.87E-05]

HIPPS fails to shutdown [8.27E-05]

Mokveld Engineering Assistance

CCF of Final Element 4.4E-05

HIPPS Initiator fails 3.85E-05

Both HIPPS final element fails [1.94E-07]

Mokveld engineers can provide support in an early phase of the project. We can assist in dening suitable HIPPS architecture, fault tree analysis, determining the pressure rise in the protected volume and the required stroking times and set points of the entire system.

1.50E-05 Logic fails 2.35E-05

4.4E-04 4.4E-04

PT & Input card fails 2.34E-03

PS & Input card fails 6.44E-03

HIPPS valve fails 4.4E-04

Both solenoid valves fail [2.7E-08]

HIPPS valve fails 4.4E-04

Both solenoid valves fail [2.7E-08]

Keywords: HIPPS IEC : High Integrity Pressure Protection System : International Electrotechnical Commission : Mean Time between Failure : Probability of Failure on Demand : Safety Integrity Level : Instrumented Protection System : Safety System

PT fails

Input card fails

PS fails

Input card fails

SV1 fails

SV2 fails

SV1 fails

SV2 fails

MTBF PFD

2.2E-03

1.4E-04

6.3E-03

1.4E-04 1.64E-04 1.64E-04

1.64E-04

1.64E-04

SIL

Typical HIPPS model to SIL 4 consisting of 1oo2 PT & PS Initiator, SIL 4 logic solver & 1oo2 Mokveld Final Element.

IPS SS

Mokveld Valves
Mokveld Valves bv P .O. Box 227 2800 AE Gouda Holland Nijverheidsstraat 67 telephone (31) 182 597500 facsimile (31) 182 517977 mokveld@mokveld.com www.mokveld.com

Mokveld ofces in:

Houston, United States of America Wesel, Germany Swindon, United Kingdom Dubai, United Arab Emirates Sumy, Ukraine Beijing, the Peoples Republic of China Kuala Lumpur, Malaysia Stavanger, Norway

0303

Technical information and illustrations included are subject to changes without notice.