
HEALTH AND SAFETY EXECUTIVE

HID SEMI PERMANENT CIRCULAR

Hazardous Installations Directorate SPC/TECH/OSD/31


Review Date: October 2008
Author Section: OSD 3.5
Issue Date: October 2005
Subject File: 462
OG Status: Fully Open
Version No: 1
STATUS: For information

TO: OSD Inspectors [Bands 1-3] and all HID SI3 Inspectors

HIGH INTEGRITY PRESSURE PROTECTION SYSTEMS [HIPPS] FOR THE OVERPRESSURE PROTECTION OF PIPELINE RISERS

PURPOSE

To provide guidance for Inspectors in respect of the provision of remotely located HIPPS, including those located subsea, for the protection of pipelines, pipeline risers and some associated topsides process pressure systems.

ACTION

Inspectors should take account of the contents of this SPC when undertaking the assessment of safety cases and the inspection of pipelines and process pressure systems.

INTRODUCTION

1. The term HIPPS is applied to an instrument based protective system where the plant is not fully rated to the pressures to which it might be exposed in a fault condition and either:

a. there are no mechanical protective systems [eg bursting disc, relief valve] to prevent overpressure and potential loss of containment; or

b. the mechanical protective systems are present but by themselves may be inadequate to prevent loss of containment in certain reasonably foreseeable circumstances [eg they are not sized for the worst case].

2. Some Duty holders use alternative terms for HIPPS, eg Over Pressure Protection System [OPPS].

ANNEXES

3. Annex A gives examples of various plant configurations where remote HIPPS may be a proposed design option.

4. Annex B provides information in respect of the design, operation and testing aspects of HIPPS.

PIPELINES AND RISERS PROTECTED BY HIPPS

5. HSE has encountered several tens of HIPPS which provide topside protective functions. Often topside HIPPS have been implemented in situations where the ratio between the maximum pressure threat and rated pressure is below 1.5. In such cases the hydrotest pressure will not be breached and there is a relatively low risk of loss of containment.

6. By contrast, the implementation of HIPPS subsea is relatively novel. HSE is aware of less than 6 subsea HIPPS worldwide and the majority of these are on the UKCS. The critical plant protected by a pipeline HIPPS has generally been the remote import riser and associated pipework.

7. HIPPS are attractive for high pressure/high temperature [HP/HT] developments where:

a. It is not possible to design the pipeline and risers to the full well closed-in tubing head pressure [CITHP]; or

b. The pipeline is so long that rating the pipeline for the CITHP, though possible, renders the project uneconomic.

8. In some cases where a new well exceeds the capability of existing infrastructure a conceptual design utilising subsea HIPPS may be in competition with a conceptual design utilising a normally unattended installation (NUI) based HIPPS.

9. HIPPS protected pressure systems may include high inventory pipelines and risers, the failure of which is a major hazard. Particular aspects regarding the use of remotely located HIPPS include:

a. The difficulty of access to subsea HIPPS for in-situ maintenance and/or testing.

b. For installations which are manned there is scope to close valves manually in order to isolate a local pressure source in the event of a HIPPS malfunction and so prevent overpressurisation of downstream installations. Generally a NUI or subsea pressure source will be able to be isolated remotely from a downstream manned installation. However if problems are encountered in achieving a prompt isolation of the pressure source, e.g. a loss of the control system, then the period of time required for transportation of technicians to the NUI for manual intervention becomes important.

c. If the HIPPS protects the topsides of a NUI installation, as in Fig. 4 of Annex A, then there can be a general reluctance on the part of a dutyholder to send personnel to the NUI installation to undertake maintenance. This reluctance is due to the risks arising from helicopter travel to the NUI, the lack of support infrastructure on the NUI and also the potential for intervention on the NUI plant to cause problems.

RECOMMENDATIONS FOR THE USE OF REMOTELY LOCATED HIPPS

10. It is difficult to generalise regarding the acceptable limits for protective systems. The following criteria are proposed for high consequence riser/pipeline section failures where there is a significant likelihood [say > 0.1] of multiple deaths of 10 or more persons. The criteria are based, with some modifications, on those suggested by HSE Pipelines Inspectors since late 2002.

11. The preferred design option is that of inherent safety, ie risers are to be fully rated to maximum pressure to which they may be subjected. Where the inherently safe option is judged not to be reasonably practicable then the pipeline should be protected by a pressure relief system. Any deviation from these design options should be justified within an ALARP demonstration. In assessing the safety of different options, it should be noted that relief valves deliver their primary safety function with considerable reliability, and have different failure modes from instrumented trips, thus giving a useful degree of diversity which a HIPPS solution lacks.

12. Where the inherent safety and the pressure relief options are not judged to be reasonably practicable then protection may be afforded by an appropriate instrumented protective system comprising an HIPPS as a backup to the Emergency Shutdown System [ESD]. Both systems are to be capable of independently isolating the over-pressure hazard with the HIPPS normally having a greater design reliability than the ESD:

PLUS one or both of (a) or (b) should be implemented:

a. provide a 'no burst' riser. [A riser which by engineering assessment is expected to have a low probability of failure, typically <0.05, if subjected to the maximum possible pressure.]

b. provide for manual intervention. This may be feasible if the overpressure hazard is from a manned location where timely intervention [eg by closing valves] to prevent pressure exceeding the design pressure is possible. The time required for manual intervention must be significantly less than the time it would take for the pressure to exceed the design pressure. This time should be subject to an appropriate human factors assessment.

PLUS some or all of (c)-(g) should also be considered:

c. protect the pipeline risers with subsea isolation valves [SSIV]. [By limiting inventory, an SSIV can sometimes convert a riser/pipeline section from a high consequence category to a lower consequence.]

d. provide topsides pressure relief or blowdown system for the pipeline which can be brought into effect in the event of HIPPS failure.

e. provide subsea relief or bursting, eg a weak pipeline section.

f. provide means to avoid blockages [eg hydrates], which will reduce the number of demands on the over pressure protection systems.

g. provide contingency plan for HIPPS failure [eg evacuate the installation].

LEGAL CONSIDERATIONS

13. A pipeline rupture is a safety issue only if it occurs near people [or in the longer term, if people have to do potentially dangerous things to rectify the situation]. Thus in practice, only a rupture of a pipeline near an installation or at the riser itself is a major hazard issue. For pipeline sections remote from offshore installations shipping activity may be minimal, and therefore vessels are unlikely to be threatened by any release.

14. Pipelines Safety Regulations 1996 [SI 1996/825]

a. Regulation 5. Pipeline design so far as is reasonably practicable [SFAIRP] to be able to withstand forces arising from operation.

b. Regulation 6. Provision of pipeline safety systems as are necessary SFAIRP. [This would include the ESD and HIPPS.]

c. Regulation 11(a). Safe operating limits of pipeline to be established. [This would be the design or maximum allowable operating pressure of the pipeline.]

d. Regulation 11(b). Operation of pipeline to be within the safe operating limits [ie the ESD system and the HIPPS must maintain the pipeline pressure within the safe operating limits in the event of any abnormal operating conditions or faults giving rise to overpressure].

e. Regulation 13. Pipeline to be maintained and be in good repair.

f. Regulation 19. Fitting of emergency shutdown valves [ESDV].

15. Prevention of Fire and Explosion and Emergency Response Regulations 1995 [SI 1995/743]

a. Regulation 9(a). Ensure the safe handling and movement of flammable or explosive substances.

b. Regulation 12. Provision for the remote operation of plant.

c. Regulation 19(1). Plant to be maintained and kept in good repair.

16. Safety Case Regulations 1992 [SI 1992/2885]

a. Regulation 8(1)(a). Adequate management system in place.

b. Regulation 8(1)(d). Risks evaluated and reduced to ALARP.

c. Regulation 15A. Safety critical elements to be suitable.

[Note that a subsea HIPPS is not considered to be a SCE since it is not part of an installation. A HIPPS on one installation protecting risers under another installation is a safety critical element, but the practicalities of verifying such elements are not simple, particularly when the installations concerned have different operators.]

17. Management of Health and Safety at Work Regulations 1999 [SI 1999/1877]

a. Regulation 5. Requirement for an effective health and safety management system.

b. Regulation 4 and Schedule 1. Principles of prevention.

Note that Schedule 1(e) includes the goal 'adapting to technical progress'.

18. Provision and Use of Work Equipment Regulations 1998 [SI 1998/2306]

a. Regulation 4(a). Work equipment is suitable for the purpose.

b. Regulation 5. Work equipment is maintained in good repair.

c. Regulation 6. Work equipment to be inspected to ensure that it remains in good repair.

19. Pressure Equipment Regulations 1999 [SI 1999/2001]

a. These Regulations apply only to new pressure equipment. Of note is the exemption in Schedule 1(1) relating to: pipelines comprising piping or a system of piping designed for the conveyance of any fluid or substance to or from an installation [onshore or offshore] starting from and including the last isolation device located within the confines of the installation, including all the annexed equipment designed specifically for pipelines. This exclusion does not apply to standard pressure equipment such as may be found in pressure reduction stations or compression stations; [refer to the EU Pressure Equipment website].

b. Any new topside piping and fittings on NUI and manned installations which are inboard of the ESDV valve, ie after the spec break of the pipeline, will require to comply with the Pressure Equipment Regulations.

SAFETY CASE ASSESSMENT

20. The use of HIPPS should be addressed within a safety case. Past experience has indicated that Inspectors should ask generic question(s) during the issues raised stage of every Safety Case assessment to establish if any pressure system situated on the installation is protected by remote HIPPS and vice versa, for example:

a. Are any of the hydrocarbon containment systems protected against over-pressurisation by remote HIPPS located subsea or on another installation? If so, details should be requested; and

b. Does the installation feature any HIPPS that protect remote installation(s) from over pressurisation of the hydrocarbon containment system? If so, details should be requested.

21. GASCET 5.1F16 contains guidance for Inspectors undertaking Safety Case assessment of HIPPS.

22. Safety Management System [SMS] assessment should include the operational maintenance and testing philosophies to ensure the correct functioning of HIPPS. Where there is more than one offshore installation involved then it is necessary, in order to ensure that the SMS measures are adequate for the HIPPS protective system as a whole, to consider whether the maintenance and testing philosophies included in the safety cases for the other installations are sufficient.

INSPECTION

23. Relevant safety case post acceptance inspection topics [PAITs] which have been identified should be included in the annual inspection plans for the installation. Those HIPPS which are particularly critical to safety of persons should be identified for particular attention during inspection visits.

24. The requirements of BS EN 61511 are considered as best practice in the UK process sector. Duty holders should follow the recommendations for hardware and software safety integrity or employ other equally effective means for ensuring safety. Duty holders should comply with the safety management systems, as specified in BS EN 61511, which are appropriate to the SIL of the HIPPS and Inspectors should inspect against them, ie the functional safety assessments, audits and reviews.

25. Inspection of HIPPS should include:

a. Verification that the Duty holder is implementing a routine maintenance and testing schedule for both the hardware and computer software components.

b. Verification that any necessary operational procedures, including any emergency procedures that are necessary in the event of a HIPPS malfunction, are in place on the installation and that personnel are knowledgeable of them and undertake their activities in accordance with the procedures.

c. For those HIPPS which are remotely located on an adjacent interconnected installation verification that both a. and b. above are satisfactory. This is most important in a situation where there is more than one Duty holder involved.

Verification of the suitability of any transport arrangements that have been put in place to secure timely access to remote HIPPS locations for critical maintenance and testing.

26. In the event that an inoperative or inadequately maintained HIPPS is identified during an inspection then appropriate enforcement action should be taken.

27. Well CITHPs are likely to reduce over time and eventually may fall to a level below that of the pipeline/riser pressure rating. It will therefore be necessary to regularly review HIPPS inspection plan priorities in the light of this fact. [This should be a consideration for the ALARP demonstration for HIPPS.]

REFERENCES

BS PD 8010-2:2004 Code of Practice for Pipelines: Subsea Pipelines.

BS EN 14161:2003: Petroleum and Natural Gas Industries: Pipeline Transportation Systems.

BS EN 61508 Parts 1-7:2002: Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems.

BS EN 61511 Parts 1 to 3:2004 Functional Safety - Safety Instrumented Systems for the Process Industry Sector.

UKOOA Guidelines for Instrument-Based Protective Systems Issue 2

API RP 14 C - Recommended Practice for Analysis, Design, Installation, and Testing of Basic Surface Safety Systems for Offshore Production Platforms

HSE Offshore Division Operations Notice 66: Publication of Revised Assessment Principles for Offshore Safety Cases

HSE ALARP Suite of Guidance

CONSULTATION

28. This SPC has been prepared by OSD3.5 in conjunction with HID SI3 and OSD3.4.

CONTACT POINT FOR FURTHER INFORMATION

29. For further information contact OSD3.5

ANNEX A

PLANT CONFIGURATIONS WHERE REMOTE HIPPS MAY BE A PROPOSED DESIGN OPTION

HSE may encounter design configurations as depicted in Figs 1 to 4. Applications of the type depicted in Figs. 1, 3 and 4 have already been encountered.

[Diagram labels: ESDV; Not fully rated; Subsea HIPPS; Manned installation]

Fig. 1 - Subsea wells with subsea HIPPS feeding directly to a manned installation, subsea pipeline/riser not fully rated.

[Diagram labels: ESDV; Not fully rated; Subsea HIPPS; NUI]

Fig. 2 - Subsea wells with subsea HIPPS feed directly to an NUI, the subsea pipeline/riser is not fully rated.

[Diagram labels: Topsides piping fully rated; ESDV; HIPPS; ESDV; ESDV; Riser fully rated; Not fully rated; Wells; NUI; Manned installation]

Fig. 3 - Subsea wells feed directly to an NUI. The NUI does not have full flow relief and the NUI import pipeline is fully rated. The NUI exports to a manned installation and the NUI export riser and the import riser on the manned platform are not fully rated.

[Diagram labels: HIPPS; ESDV; ESDV; Not fully rated; Local Wells; NUI; Manned installation]

Fig. 4 - Local wells, with flow lines fully rated, feed an NUI and the NUI exports to a manned platform. The NUI topsides are not fully rated. The NUI does not have full flow relief. The export pipeline from the NUI and the riser at the manned platform are not fully rated and are protected by HIPPS on the NUI.

ANNEX B

SYSTEM DESIGN BACKGROUND

1. An internet search was conducted to identify what has been achieved in relation to subsea wells without resorting to subsea HIPPS. The search found the Gyrfalcon single well development has the world's first 15,000 psi subsea tree. The field has a single well, is located in 885 feet of water and is tied back 2.9 miles to Shell's GC-19 Boxer facility in the Gulf of Mexico. Gyrfalcon came on stream in 1999. The 6 inch flowline and riser system are rated to 12,200 psi. The 5 inch inner diameter riser was tested to a burst pressure above 25,000 psi.

2. The diagram at Fig. 2 provides a simplified summary of major design options for pressure systems that are not fitted with pressure relief.

PRESSURE SYSTEM DESIGN CONSIDERATIONS

3. The starting point should be an inherently safe design for the pressure system. Refer to Assessment Principles for Offshore Safety Cases (APOSC) Principle 21. The inherently safer solution to this problem is to design the riser, the adjacent fortified section and the associated bolted joints so that they will not rupture. This can be achieved if the riser and associated items are fully rated to the maximum pressure that they can be subjected to.

4. An inherently safe system, i.e. a fully rated system, would normally be designed in accordance with a recognised code such as BS EN 14161 supported by BS PD 8010-2 with the design pressure above the maximum wellhead pressure. Adherence to such a code gives confidence that all of the forces acting on the system have been considered. Codes tend to be conservative to allow a margin for uncertainty. A fully rated system does not require a HIPPS.

5. In the event that the inherently safe criterion cannot be justified then,

a. a 'no-burst criterion' could be considered for the riser and associated items. This would require a rigorous engineering analysis to be undertaken in order to demonstrate fitness for purpose. Typically the engineering analysis would take advantage of the actual minimum measured wall thickness and the actual measured material properties. It is important that the analysis also consider the external loadings on the system and riser. All codes require risers to be hydrotested at 1.5 x design pressure. Carrying out a hydrotest would raise confidence in the analysis. If the analysis assumes that any part of the corrosion allowance contributes to preventing burst, then a rigorous in-service inspection regime should be implemented, consistent with the anticipated corrosion rate and expected pressure reduction from the wells, or

b. the design strength of the riser and associated items could be sufficiently stronger than the main section of the pipeline. This will ensure that in the event of a pressure protective system failure the pipeline section (at a safe distance from the installation) would fail rather than the riser.

6. Implementation of one of the design measures listed above in para. 5 does require the use of a HIPPS. The HIPPS safety integrity level (SIL) requirement necessary in such circumstances would be generally modest and practically achievable. In contrast if none of the design measures listed above at para. 3 and 5 are implemented then the SIL requirements on a HIPPS would become very onerous and probably exceed recognised integrity claim limits for instrumented protective functions.

7. A subsea isolation valve (SSIV) upstream of a critical import riser to an installation may limit the potential inventory release, converting the consequences from major to minor and reducing the required SIL performance of the HIPPS. It should be noted that closures of a SSIV or emergency shutdown valve (ESDV) may place additional demands on the HIPPS.

8. Pressure relief at the receiving installation could fulfil a protective role with respect to the receiving installation's import riser. The pressure relief should be upstream of the riser ESDV. Any such design would require careful consideration to ensure the riser ESDV requirements of Reg. 19 of the Pipelines Safety Regulations are complied with. It is understood that the Kirstin installation in Norwegian waters uses this concept although HSE is not aware of pressure relief upstream of the import ESDV on any UK installation.

9. Where the pressure relief is not upstream of the ESDV a guaranteed method of re-opening the ESDV prior to import linepack exceeding the riser rating could be used as a protective measure. HSE is not aware of the use of this method in UK waters. A variation of this could be based on a manually operated ESDV bypass but again HSE is not aware of the use of this method in UK.

10. For design measures as detailed in para. 8 and 9 above, gas from the pressure relief system can be disposed of via the flare system. Liquids present could be a problem, though it may be acceptable to dispose of small quantities to sea.

11. As an alternative to the designs given in Figures 3 and 4 of Annex A full flow relief or partial relief could be implemented at the exporting normally unattended installation (NUI). However disposal of liquids present could again be a problem.

HIPPS DESIGN

12. A HIPPS for protecting pipeline/risers from well pressure is functionally simple. The source of pressure, i.e. closed in tubing head pressure (CITHP), is isolated by two shut down valves when pressure sensors, utilising either 2 out of 3 or 1 out of 2 voting, detect an overpressure.

13. It should be noted that API Recommended Practice 14 C Appendix A Process Component Analysis Para. A.1.2.2.1 indicates that a single shut down valve with a single independent pressure sensor and relay is an acceptable alternative to a pressure relief valve, as depicted in Fig A-1.3 of API RP 14C. This arrangement would not generally be an acceptable alternative to a pressure relief valve on the UKCS as such a basic HIPPS design would not have a sufficient SIL. However the arrangement may be considered where a low SIL is acceptable, e.g. in instances where the CITHP only marginally exceeds the maximum allowable working pressure of the pressure system and thus the CITHP is well within the hydrotest pressure.

14. HIPPS should have dedicated shut down valves and generally a wellhead master valve should not form part of an HIPPS design. There is the potential for a wireline tool to prevent the closure of a wellhead valve during workover operations on a well.

15. According to BS EN 61508 and BS EN 61511, the HIPPS design should satisfy:

a. the required SIL by calculation, based on component reliability.

b. fault tolerance requirements.

16. The integrity required for an HIPPS function is determined by the ALARP principle, overall risk targets, and engineering judgement. Considerations of ALARP and target SIL for a HIPPS are difficult. Some guidance is contained in section 4.4 of the UKOOA Guidelines for Instrument-Based Protective Systems. The cost of instrumented protective functions increases rapidly with integrity level, but at the same time the benefit in terms of risk reduction reduces because a large proportion of the risk has already been protected. (Note that well CITHP may decline very rapidly, and this will have an impact on the benefit element of ALARP calculations.) An ALARP case should consider both the CAPEX savings and the OPEX costs arising from the use of HIPPS.

17. Furthermore to achieve higher SILs there would be a need for increased testing and maintenance. Where required this intervention can itself have a detrimental risk impact because of the need for helicopter flights, work on an NUI or work subsea.

18. Calculation of the SIL achievable by a HIPPS appears to be a deceptively simple matter, based on reliability data. But there is a problem with common cause failure, e.g. hydrate formation in the valves. 'Beta factors' used to quantify the likelihood of common cause failure mechanisms are at best a guess.

19. Minimum fault tolerance requirements of an HIPPS are determined from BS EN 61511 methods or BS EN 61508 Part 2 architectural constraints tables. The mechanism for determining the fault tolerance requirements is relatively simple but again it is likely that a scarcity of component failure mode/reliability data will cause problems.

20. It is important to design the HIPPS such that it fails to a state of least danger on fault condition where failure to safety is easily designed in (e.g. electronics failure, transmitter failure) as well as on electric power failure, hydraulic power failure - thus spring return valves are preferred.

21. A major difference between traditional subsea wellhead control and topsides control is that the solenoid valves used in subsea wellhead control do not fail safe on loss of electric power. Consideration should be given for the design for subsea HIPPS to be consistent with traditional HIPPS topsides and topsides wellhead control by dumping hydraulic fluid on loss of electrical power or electrical control signal to the subsea HIPPS.

22. An hydraulic dump valve to speed up 'failure to safety' on loss of hydraulic power from the protected (host) installation should also be considered, as otherwise valve closure could take several tens of minutes. In general without rapid hydraulic dump capability the subsea valve closure time will be related to the distance from protected installation to subsea HIPPS. Likewise the time to pack the line from the wellhead to the importing platform will be related to the distance between subsea wellheads to the protected installation.

23. The basic function of the remote HIPPS (whether subsea or on an NUI) should be autonomous, with no inhibit facility; there may be advantages in latching the tripped state.

24. The basic HIPPS function logic solver should preferably be non-programmable, and fail safe when its internal self test fails. If the target integrity for the HIPPS 'isolate pressure threat' function is SIL 3 then, whatever combination of software lifecycle specification, design, programme coding, verification and validation techniques have been used, that combination should demonstrably, reliably and reproducibly have resulted in software compatible with SIL 3 performance. In practice this would mean that the software methodology is mature, widely used and with extensive field evidence.

25. There are certain ancillary functions which are likely to be useful, though such functions should be designed so that they are not capable of interfering with the basic function of the HIPPS. The protected (host) installation may have read-only supervisory communications; typically this function should be able to read pressures and valve positions (including bypass valves, methanol injection valves), etc. There may not be a pressure transmitter upstream of the import riser ESDV, so there will generally be merit in a HIPPS trip after a 'time-out' in the event of a communications failure.

26. It may be desirable to have a trip function capable of being operated from the protected (host) installation, a HIPPS reset function, and a function to force any component (e.g. transmitter) to the safe state; some of these functions may be implemented in programmable logic.

27. Start up bypass valves can be required to bleed down locked in pressure, or to reduce the differential pressure across the HIPPS valves. Control of start up bypass valves around HIPPS valves should be interlocked so that the HIPPS protection cannot be lost.

28. Other useful ancillary functions include discrepancy checks between transmitter readings and valve position checks.

OPERATIONAL TESTING AND MAINTENANCE OF HIPPS

29. Because of the difficulty and risks associated with personnel access to the types of remote HIPPS being considered, certain SMS issues are especially relevant. In particular remote monitoring of operational performance, demand rate and component failures should be carefully considered as part of the design. A properly developed strategy should be in place to cater for severe problems such as transmitter failure, loss of communications or loss of test facility such as valve position indication. There may be advantages in employing additional redundancy so that the fault tolerance criterion continues to be met under certain fault conditions.

30. Subsea transmitters can be 'tested' only crudely, usually implemented via the methanol flush of the tapping points, but this does not give a proper calibration (normally done at 0%, 20%, ... 100% of range, both rising and falling).

31. Subsea HIPPS valves can be tested to an extent by partial stroking, but some tests should involve full closure. Leak tests might be necessary depending on the inventory of the protected system. Where a remote HIPPS also provides topsides protection to an NUI the closure time for valves can be critical, i.e. where a HIPPS protects a downstream system with a small inventory from an upstream system with a large inventory. An automated regime may be the only practical way to confirm correct operation. These restrictions should be considered in the reliability calculations.

32. Any maintenance of a subsea HIPPS is likely to need a remotely operated vehicle (ROV) or diver intervention. Thus as many components as reasonable should be diver/ROV replaceable. Instrument isolation valves should be considered for pressure transmitters, even though they have a potential for failure.
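The common cause point in para. 18 and the testing restrictions in para. 31, worked through for the arrangement in para. 12 (voted pressure sensors and two shut down valves), as an added example that is not part of the HSE circular. It assumes the simplified low-demand PFDavg approximations commonly used for screening rather than the full BS EN 61508 equations; the failure rates, the logic solver figure, the proof test intervals and the beta values are all constructed for illustration.

```python
"""PFDavg of a HIPPS loop with common cause failure (beta factor) included.

Added illustration. Every rate, interval and beta value here is constructed.
"""

HOURS_PER_YEAR = 8760.0

# Constructed dangerous-undetected failure rates (per hour), not vendor data.
SENSOR_LAMBDA_DU = 3.0e-7
VALVE_LAMBDA_DU = 2.0e-6
LOGIC_SOLVER_PFD = 5.0e-5  # assumed fixed contribution of the logic solver


def pfd_parts(arch, lam_du, test_interval_h, beta):
    """Return (independent, common_cause) PFDavg terms for one subsystem.

    Simplified approximations (an assumption of this example): dangerous
    undetected failures only, repair time neglected, and a complete proof
    test every test_interval_h hours.
    """
    lt = lam_du * test_interval_h
    if arch == "1oo1":
        return lt / 2.0, 0.0
    indep = (1.0 - beta) * lt
    common = beta * lt / 2.0  # one cause defeats every channel at once
    if arch == "1oo2":
        return indep ** 2 / 3.0, common
    if arch == "2oo3":
        return indep ** 2, common
    raise ValueError(f"unsupported architecture: {arch}")


def pfd_avg(arch, lam_du, test_interval_h, beta):
    """Total PFDavg of one voted subsystem."""
    return sum(pfd_parts(arch, lam_du, test_interval_h, beta))


def common_cause_share(arch, lam_du, test_interval_h, beta):
    """Fraction of a subsystem's PFDavg that comes from the beta term."""
    indep, common = pfd_parts(arch, lam_du, test_interval_h, beta)
    return common / (indep + common)


def sil_band(pfd):
    """Low-demand SIL band for a PFDavg; 0 means SIL 1 is not reached."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def hipps_pfd(beta, test_interval_years=1.0, sensor_arch="2oo3"):
    """Sensors + logic solver + two shut down valves (either one isolates)."""
    t = test_interval_years * HOURS_PER_YEAR
    sensors = pfd_avg(sensor_arch, SENSOR_LAMBDA_DU, t, beta)
    valves = pfd_avg("1oo2", VALVE_LAMBDA_DU, t, beta)
    return sensors + LOGIC_SOLVER_PFD + valves


if __name__ == "__main__":
    print("test interval  beta   PFDavg     SIL  valve common-cause share")
    for years in (1.0, 2.0):
        for beta in (0.0, 0.02, 0.05, 0.10):
            total = hipps_pfd(beta, years)
            share = common_cause_share(
                "1oo2", VALVE_LAMBDA_DU, years * HOURS_PER_YEAR, beta
            )
            print(f"{years:>8.0f} y    {beta:4.2f}   {total:.2e}   "
                  f"{sil_band(total)}    {share:6.1%}")
```

With these constructed inputs the loop meets the SIL 3 band when common cause is ignored, but a beta of 0.10, or a beta of 0.05 with the proof test interval stretched to two years, puts it in the SIL 2 band, with most of the valve contribution coming from the beta term.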

Fig. 2 Design option summary
