Multiple process variables are used when the reaction path is more complex. These HIPS often use flow/mass ratios, temperature/pressure relationships and kinetic calculations. While it is best to try to keep the HIPS as simple as possible, if the reaction paths are intricate, the HIPS complexity will escalate.
When using reactor kill systems, it may be possible to use preemptive interlocks to prevent the reaction from progressing to the point where it must be killed. These interlocks may close reactor feeds, open a pressure control vent or close catalyst valves. If the temperature or pressure continues to increase after the preemptive interlock, a reactor kill is initiated. By using a preemptive interlock, the plant is able to recover more quickly from the process upset and suffer less production loss and downtime.
The potential rate of pressure escalation must be compared to the HIPS response time to ensure that it is fast enough to prevent vessel overpressure. The HIPS response time must be evaluated by considering the time it takes to sense that there is an unacceptable process condition; the scan rate and data processing time of the logic solver; and closure speed of the final element. The valve specification must include the acceptable leakage rate, because this affects potential downstream pressure and relief loading. The valve actuator must provide sufficient driving force to close the final element under the worst-case upset pressure condition.
The SRS also includes documentation of the safety integrity requirements, including the Safety Integrity Level (SIL) and anticipated testing interval. At a minimum, the integrity of the HIPS should equal that of a PRV. The data in Table 1 implies that the HIPS should be designed to meet either SIL-2 or SIL-3, depending upon the type of PRV. However, bear in mind that the failure modes of a PRV and the HIPS differ. A PRV that fails to operate at the set pressure nevertheless may operate at a higher pressure, whereas HIPS is more likely to fail completely. The failure-to-open-on-demand uncertainty, coupled with the difference in the failure modes, results in the majority of users setting an SIL-3 target for the HIPS.
Integrity and architecture
It is important to recognize that the HIPS consists of the entire instrument loop from the field sensor through the logic solver to the final elements, along with support systems required for successful HIPS functioning, such as power, air or gas supplies.
Process sensors. The process variables commonly measured in HIPS are pressure, temperature and flow. Most HIPS applications require one-out-of-two (1oo2) or 2oo3 voting transmitters for all field inputs. Redundant inputs enable the incorporation of input diagnostics, significantly increasing the integrity of the field inputs. Separate process connections also are required to decrease common cause faults such as plugged process taps.
Logic solver. This hardware must meet the required SIL, which often means that it must comply with SIL-3 performance requirements, as provided in IEC 61508. The logic solver can be relays, solid state or programmable electronic systems (PES). If a PES is used, it must provide a high level of self-diagnostics and fault tolerance. Redundancy of signal paths and logic processing is necessary, and the trip output function must be configured as de-energize to trip.
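The sensor voting, input diagnostics and de-energize-to-trip output described in the two paragraphs above can be sketched as follows. This is an added example, not part of the original article: the trip point, the deviation limit, the tag names and the policy of counting a faulted transmitter as a trip vote are assumptions, and the fault limits follow the NAMUR NE 43 convention for 4-20 mA signals.

```python
# Assumed values for this sketch (not from the article).
FAULT_LOW_MA, FAULT_HIGH_MA = 3.6, 21.0  # NAMUR NE 43 failure-signal limits
TRIP_MA = 16.0                           # hypothetical high-pressure trip point
MAX_DEVIATION_MA = 0.8                   # hypothetical cross-comparison limit


def signal_ok(ma):
    """Range diagnostic: a reading at or beyond either limit is a detected fault."""
    return FAULT_LOW_MA < ma < FAULT_HIGH_MA


def evaluate_2oo3(readings_ma):
    """Vote three 4-20 mA transmitters; return (output_energized, alarms).

    The output is de-energize to trip: True holds the final elements in
    their run position, False is the tripped (safe) state.
    """
    alarms = []
    trip_votes = 0
    for tag, ma in readings_ma.items():
        if not signal_ok(ma):
            # Assumed fail-safe policy: a detected fault votes for trip, so
            # the remaining two transmitters effectively vote 1oo2.
            alarms.append(f"{tag}: signal fault at {ma} mA, counted as trip vote")
            trip_votes += 1
        elif ma >= TRIP_MA:
            trip_votes += 1

    # Deviation diagnostic made possible by redundancy: alarm only, so a
    # transmitter that disagrees with the others is never silently removed.
    good = [ma for ma in readings_ma.values() if signal_ok(ma)]
    if len(good) >= 2 and max(good) - min(good) > MAX_DEVIATION_MA:
        alarms.append("deviation between healthy transmitters exceeds limit")

    return trip_votes < 2, alarms


if __name__ == "__main__":
    # Constructed readings: one failed transmitter plus one above the trip point.
    sample = {"PT-A": 3.2, "PT-B": 17.0, "PT-C": 12.0}
    print(evaluate_2oo3(sample))
```
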
Final elements. HIPS must use a minimum of dual final elements in a 1oo2 configuration. The final elements typically are either: relays in the motor control circuit for shutdown of motor-operated valves, compressors or pumps; or fail-safe valves opened or closed using solenoids in the instrument air supply. When valves are used, both valves must be dedicated block valves.
Solenoid operated valves (solenoids), configured as de-energize to trip, are used to actuate the block valves. The solenoid(s) should be mounted as close to the valve actuator as possible, to decrease the required transfer volume for valve actuation. Finally, the exhaust ports should be as large as possible to increase the speed of the valve response.
The HIPS must provide an installation that is as safe or safer than the PRV it replaces. To document that this has been achieved, the complete design and operation of the HIPS should be quantitatively verified to ensure it meets the required integrity. HIPS typically are SIL-3 SIS and are often the only layer of protection against the overpressure event. Consequently, many users require an independent third-party evaluation of the appropriateness of the design and the determination of the SIL.
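A quantitative check of the whole loop, as called for above, might look like the following. This is an added example, not the author's method: it uses a widely used simplified PFDavg approximation with a beta-factor common-cause term, the SIL bands are the IEC 61508 low-demand ranges, and every failure rate, the common-cause fraction and the logic solver PFD are constructed values.

```python
HOURS_PER_YEAR = 8760.0


def pfd_avg(voting, lambda_du, test_interval_h, beta):
    """Simplified average probability of failure on demand for one subsystem.

    lambda_du is the dangerous undetected failure rate per hour of a single
    device; beta is the assumed common-cause fraction.
    """
    lt = lambda_du * test_interval_h
    independent = (1.0 - beta) * lt
    common_cause = beta * lt / 2.0
    if voting == "1oo1":
        return lt / 2.0
    if voting == "1oo2":
        return independent ** 2 / 3.0 + common_cause
    if voting == "2oo3":
        return independent ** 2 + common_cause
    raise ValueError(f"unsupported voting: {voting}")


def sil_band(pfd):
    """Map a PFDavg to its low-demand SIL (0 means SIL-1 is not met)."""
    for sil in (4, 3, 2, 1):
        if pfd < 10.0 ** -sil:
            return sil
    return 0


def loop_pfd(test_interval_h):
    """Sensors + logic solver + final elements, all constructed data."""
    sensors = pfd_avg("2oo3", 6e-7, test_interval_h, beta=0.05)
    logic_solver = 5e-5  # assumed fixed PFDavg for the logic solver
    valves = pfd_avg("1oo2", 2e-6, test_interval_h, beta=0.05)
    return sensors + logic_solver + valves


if __name__ == "__main__":
    for years in (1, 2):
        pfd = loop_pfd(years * HOURS_PER_YEAR)
        print(f"test interval {years} y: PFDavg={pfd:.2e}, SIL-{sil_band(pfd)}")
```

With these constructed numbers the loop meets SIL-3 at a one-year test interval but only SIL-2 at two years, and the common-cause term of the final elements is the largest contributor.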
An attractive alternative
HIPS can be used to safely mitigate potential reactive overpressure scenarios. As with any instrumented system, good design depends upon good specification. For HIPS, the origin of the design is the process hazard analysis, which must identify all overpressure scenarios. Then, the HIPS is designed to handle these scenarios. HIPS is often the "last line of defense," so its failure during a reactive scenario will result in loss of containment. Consequently, ensuring the integrity of the HIPS through proper field design, device testing and maintenance is mandatory for safe operation.
Angela E. Summers, Ph.D., P.E., is president of SIS-TECH Solutions, Houston, Texas, a consulting and engineering firm specializing in safety instrumented systems.
Acknowledgment: This paper is based on a presentation made at the 6th Annual Symposium of the Mary Kay O'Connor Process Safety Center, College Station, Texas, Oct. 28-29, 2003.