In conventional design, the primary means of protection against vessel overpressure is a PRV. It is a simple mechanical device that opens when pressure exceeds a set level. The pressure is relieved through the PRV to the atmosphere or to a contained collection system such as a flare, scrubber or thermal oxidizer.PRVs boast relatively high integrity, as long as they are properly sized, located, inspected and maintained. Table 1 summarizes reliability data for a single-valve relief system, as published in "Guidelines for Process Equipment Reliability Data" . It shows substantial uncertainty in the failure to open on demand. Reactive chemicals and their associated processes present complex scenarios for PRV design. Small deviations in reactant concentration or reaction conditions can put the reaction on a path that the process design, control system and operator procedures cannot adequately manage. Unfortunately, many PRVs are improperly sized for reactive processes, because relief rate calculations often are based on a design and operational envelope that ignores potential reaction paths that are not well understood.
Thus, the very nature of the reactive process often makes a PRV impractical. For such cases, HIPS should be investigated as a means to supplement the PRV for overpressure protection.
Successful implementation must be based on a hazard analysis of each potential overpressure scenario. The analysis should follow a structured systematic approach, using a multidisciplinary team. It should document the event propagation from the initiating cause to the final consequence (also referred to as the "overpressure scenario"). The analysis must examine operating and upset conditions that result in overpressure. It must include a thorough review of each step involved in startup and shutdown, in addition to normal operation. For batch and semi-batch processes, scrutinize each step of the operation using typical deviations and batch-oriented deviations, such as skipped steps, steps out of sequence, steps incomplete, steps at wrong time, recipe incorrect, etc.
The analysis should include a detailed examination of reactive scenarios and brainstorming on potential reaction paths that could lead to high pressure. Examine all reaction paths, including those that may require multiple errors or failures to begin propagating. Once the reaction paths are understood, HIPS can be designed to address each reaction scenario. In many cases, only one or two HIPS are required for mitigation of all potential reaction scenarios.
Detailing critical conditions
A safety requirement specification (SRS) describes how and under what conditions the HIPS will mitigate each overpressure scenario; it includes a functional logic description with trip set points and device fail-safe state. Choosing when and under what conditions to trip the unit is probably the most difficult decision to make in the design of the HIPS. For reactive processes, the design is often complicated by the process dynamics and by intricate process variable interactions.
HIPS design may use single process variables when the reaction path is relatively easy to detect. For example, on high temperature the HIPS will stop the catalyst feed or, on high pressure it will inject reaction kill solution. Single process variables also can prevent the start-up of the reactor under unsafe operational conditions. For example, the catalyst cannot be added until a fixed volume of solvent, which serves as a heat sink, is in the reactor.
Multiple process variables are used when the reaction path is more complex. These HIPS often use flow/mass ratios, temperature/pressure relationships and kinetic calculations. While it is best to try to keep the HIPS as simple as possible, if the reaction paths are intricate, the HIPS complexity will escalate.
When using reactor kill systems, it may be possible to use preemptive interlocks to prevent the reaction from progressing to the point where it must be killed. These interlocks may close reactor feeds, open a pressure control vent or close catalyst valves. If the temperature or pressure continues to increase after the preemptive interlock, a reactor kill is initiated. By using a preemptive interlock, the plant is able to recover more quickly from the process upset and suffer less production loss and downtime.
The potential rate of pressure escalation must be compared to the HIPS response time to ensure that it is fast enough to prevent vessel overpressure. The HIPS response time must be evaluated by considering the time it takes to sense that there is an unacceptable process condition; the scan rate and data processing time of the logic solver; and closure speed of the final element. The valve specification must include the acceptable leakage rate, because this affects potential downstream pressure and relief loading. The valve actuator must provide sufficient driving force to close the final element under the worst-case upset pressure condition.
The SRS also includes documentation of the safety integrity requirements, including the Safety Integrity Level (SIL) and anticipated testing interval. At a minimum, the integrity of the HIPS should equal that of a PRV. The data in Table 1 implies that the HIPS should be designed to meet either SIL-2 or SIL-3, depending upon the type of PRV. However, bear in mind that the failure modes of a PRV and the HIPS differ. A PRV that fails to operate at the set pressure nevertheless may operate at a higher pressure, whereas HIPS is more likely to fail completely. The failure-to-open-on-demand uncertainty, coupled with the difference in the failure modes, results in the majority of users setting an SIL-3 target for the HIPS.
Integrity and architecture
It is important to recognize that the HIPS consists of the entire instrument loop from the field sensor through the logic solver to the final elements, along with support systems required for successful HIPS functioning, such as power, air or gas supplies.
Process sensors. The process variables commonly measured in HIPS are pressure, temperature and flow. Most HIPS applications require one-out-of-two (1oo2) or 2oo3 voting transmitters for all field inputs. Redundant inputs enable the incorporation of input diagnostics, significantly increasing the integrity of the field inputs. Separate process connections also are required to decrease common cause faults such as plugged process taps.
Logic solver. This hardware must meet the required SIL, which often means that it must comply with SIL-3 performance requirements, as provided in IEC 61508 . The logic solver can be relays, solid state or programmable electronic systems (PES). If a PES is used, it must provide a high level of self-diagnostics and fault tolerance. Redundancy of signal paths and logic processing is necessary, and the trip output function must be configured as de-energize to trip.
Final elements. HIPS must use a minimum of dual final elements in a 1oo2 configuration. The final elements typically are either: relays in the motor control circuit for shutdown of motor-operated valves, compressors or pumps; or fail-safe valves opened or closed using solenoids in the instrument air supply. When valves are used, both valves must be dedicated block valves.
Solenoid operated valves (solenoids), configured as de-energize to trip, are used to actuate the block valves. The solenoid(s) should be mounted as close to the valve actuator as possible, to decrease the required transfer volume for valve actuation. Finally, the exhaust ports should be as large as possible to increase the speed of the valve response.
The HIPS must provide an installation that is as safe or safer than the PRV it replaces. To document that this has been achieved, the complete design and operation of the HIPS should be quantitatively verified to ensure it meets the required integrity. HIPS typically are SIL-3 SIS and are often the only layer of protection against the overpressure event. Consequently, many users require an independent third-party evaluation of the appropriateness of the design and the determination of the SIL.
An attractive alternative
HIPS can be used to safely mitigate potential reactive overpressure scenarios. As with any instrumented system, good design depends upon good specification. For HIPS, the origin of the design is the process hazard analysis, which must identify all overpressure scenarios. Then, the HIPS is designed to handle these scenarios. HIPS is often the "last line of defense;" so, its failure during a reactive scenario will result in loss of containment. Consequently, ensuring the integrity of the HIPS through proper field design, device testing and maintenance is mandatory for safe operation.
Angela E. Summers, Ph.D., P.E., is president of SIS-TECH Solutions, Houston, Texas, a consulting and engineering firm specializing in safety instrumented systems.
Acknowledgment: This paper is based on a presentation made at the 6th Annual Symposium of the Mary Kay O'Connor Process Safety Center, College Station, Texas, Oct. 28-29, 2003.