Monitoring the Reliability Performance of High Integrity Pressure Protection Systems

Baris Arslan

Senior Safety Consultant

Oilconx Risk Solutions (ORS)

www.ors-no.com 1 30.10.2012

This presentation is about

2

• How to maintain HIPPS?

• How to demonstrate the reliability of HIPPS in operation?

• Human Reliability & HIPPS Maintenance

www.ors-no.com

3

The beginning of wisdom is to call things with their

right names

• HIPPS protects downstream equipment against

overpressure coming from upstream.

• Instrument based systems for secondary

protection – or HIPPS?

• Why is HIPPS so special?

www.ors-no.com

Source: isa.org

HIPPS or not

4

• In most cases, it is developed as a result of a

deviation from traditional process design

• Upon failure, it may cause major accidents

with catastrophic safety, environmental and

commercial consequences

• Typically very high integrity and fault

tolerance requirements

• Critical response times for the entire system

(could be 2-3 seconds)

www.ors-no.com

HIPPS is a special case; because:

5 www.ors-no.com

Task-based Architecture-based Standard-based

Shared components Independent components Independent / combined system

Topsides (*) Export pipelines Subsea Reduce demand rate on relief Eliminate a particular scenario from design basis Others...

API designed assets IEC 61508 IEC 61508 / P-001 /OLF070

Classification of HIPPS – different

generations

6

• Procedures for analyzing maintenance

performance for:

– Systematic faults & recurring faults

– Assessing demand rates (if higher than design

basis or not)

– Diagnosis / repair / revalidation

• Ensuring that functional safety is maintained

during operation and maintenance

• Availability of skills and resources for

maintenance

www.ors-no.com

• Chronological documentation of repair and

maintenance

– Results of tests

– Documentation of the time

– Documentation of modifications

• High safety integrity systems with particularly

severe consequences – not share common

maintenance procedures

IEC:61508 §2010–ensuring functional safety

during operational phase

7

• OLF 070 gives detailed guidance about SIS (indirectly HIPPS) maintenance focusing on:

– SIS Maintenance Scope

– Use of vendor documents

– Functional testing requirements

– Integral / partial tests

– Maintenance reporting

– Compensating measures upon overrides and failures

– Reporting of demands / anomalies

• P-001 contains – Requirements about testing frequency

– Valve leakage testing frequency

– System regularity aspect

• Reference is made to IEC standards

• API 521, Annex E.5 gives some guidance

about HIPPS testing. Highlighted issues are:

– Considering site resources when establishing

testing frequency

– Potential for introducing faults and spurious

shutdowns due to human error

• API 17O – Subsea HIPPS

– The proof test intervals are to be documented

in the maintenance procedures

– Experience data to include failure data source

based on the number of performed tests of the

SIF together with how many of these resulted

in a failure

www.ors-no.com

OLF/NORSOK views on HIPPS maintenance

8

• PM Procedure for each HIPPS

– Linked to design basis documents (such as SRS)

• Maintained database for information such as demands, failures etc.

• Well-designed infrastructure to accomodate information flow (maintenance reports, failure codes,

damage codes, automatic notifications etc.)

• Well established procedures to analyse failure data

• Verification and validation activities (see assurance on next slide)

• Competent (and available) personnel to make decisions in due time

www.ors-no.com

Key requirements for HIPPS maintenance

appear to be

Data Validation PM or Corrective

Maintenance

• System responsible is notified

• Origin of data is controlled (document traceable)

• Equipment type (manufacturer, year etc. checked)

• Operating conditions are verified

• Failure code and long text is checked (i.e. in compliance

with corporate guideline/EN 14224)

• Offshore personnel is consulted for data validation

Onshore Verification

• Test period

• Acceptance criteria for verification

• Pass/fail statement for the verificaton

• Revisions on design basis documents

• Competence requirements

• Verification of functional test on

component basis

PM Procedure ERP System

Database

Stage 1 Stage 2

Two Stage Offshore Failure Data Validation

for HIPPS

20 years – How does reliability change?

Design Basis

Develop reliability model (Alternative: Existing model upon validation)

Define acceptance criteria (Datasheets/QRA/Corporate/Performance Standards)

Collect field data

Assess failure data

Revalidate

(How? – see failure reporting)

(Evaluate failure types) (Evaluate failure inter-arrival times) (Carry out trend analysis of field failure data)

Modification

Restore operation

(Degraded system)

Monitoring Reliability Performance

• 90% confidence interval has been applied for OREDA based studies

• 70% confidence interval for IEC-based appraoch

• Only useful lifetime has been included due to

– Offshore site-acceptance test

– Onshore factory acceptance test

– Assumption: Sub-components are replaced before the wear-out period (e.g. lifetime replacements)

Useful lifetime and confidence interval

12

• Field data is vital for the credibility of Periodic Reliability Monitoring

• Standardized data format is necessary to adress failure cause and failure consequence

• Data needs to be collected for all HIPPS components, e.g. input devices, control units and final elements

• Why is it difficult to collect data? – It requires:

• Resources (positive & negative reporting)

• Competence and motivation

• Sophisticated ERP systems

www.ors-no.com

System responsible

Offshore supervisor Offshore technician

Vendors

Reliability specialist

Surveyors/ Authorities

Data collection is the key

13 www.ors-no.com

Functional Check Procedure is followed

In case of failure, notification is created in the company ERP by technicians

Unique failure codes are used

Additional damage text is included

Operational mode is adjusted as per SRS and PM procedure

Always shutdown Degraded Operation Always Production

Onshore investigations start

• All possible HIPPS sub-component failures must be well known

• Technicians must be trained to recognize all failure types

• Interfacing systems and associated failures must be assessed in detail

• HIPPS Training package for technicians must adress:

• Practical use of SRS • Use of Preventive

Maintenance (PM) procedure with SRS

• Use of failure codes in ERP systems

• Potential human errors

In case of HIPPS failures (offshore) and

training package

14

• Different strategies based on HIPPS

classification (see Slide 4)

– For 1st generation HIPPS, focus on dangerous

undetected failures and

– For 3rd generation HIPPS, classification of both

safe and dangeorus failures

• Failure database is updated based on failure

classifications

www.ors-no.com

Code Input Final Logic

AIR X

DOP X

ELP X X

ELU X X

ERO X X

FTC X

FTF X X

HIO X

HUE X X X

INL X

LOO X

PLU X X

SER X X X

SPO X X X

STD X

Failure codes for HIPPS ~ SAP/EN14224

Classification of failure codes for different

generations HIPPS

15

PERIODIC CHECKS

• Keep it simple

• Use existing reliability model (if any) for a particular HIPPS

– (clear benefits if the model is not software dependent, e.g. excel based or similar)

• Apply simple but recognized methods to evaluate the effect of failure inter-arrival times, distributions, sampling etc.

• Determine a final failure rate to update the model

• Is the HIPPS performance acceptable?

– Where is the acceptance criteria?

ACCEPTANCE CRITERIA

Again, different acceptance criteria based on HIPPS classifications (Slide 4)

Some examples:

• Fully risk-based approach

• Risk-based approach with minimum requirements

• API-based judgments (equal to or better than ”x” concept)

• Remember: Two-stage assurance model

to verify acceptance criteria periodically

www.ors-no.com

Periodic Verifications

• Classical human error producing conditions apply widely to ”full-automatic” HIPPS operation

and maintenance

• Based on our experience, typically observed human errors on HIPPS relate to red marked

items in the North Sea:

– Poor feedback (reporting)

– Physical capabilities exceeded

– No independent check after testing

– Unclear allocation of function and responsibility

– An incentive to use more dangerous methods

– A poor or hostile working environment

– Task pacing caused by intervention of others

– Operator inexperienced

– Little or no independent checking or testing of output

– High level emonotional stress

– Disruption of normal work sleep cycles

– Unfamilarity with the situation which occurs (infrequent or new situation)

– A need to unlearn a technique and apply one which requires application of another philosophy

HIPPS – Human Error Producing Conditions

17

• Human reliability is a huge concern for HIPPS operation and maintenance

• Numerous incidents have been observed at different companies where HIPPS valves and/or transmitters have been disabled

• Generally speaking, limited focus on quantification of human reliability for maintenance of HIPPS in the oil and gas business

• Limited failure reporting regarding human failures during maintenance

• Human reliability must be considered as

an integral part of «overall reliability» for

HIPPS

www.ors-no.com

Human Reliability

Hardware Reliability

Software Reliability

Overall HIPPS reliability

Human reliability & HIPPS maintenance

Required

Achieved

Periodic Reliability Assessments (PRA) reveal the

weakest components in critical loops

19

• Failure of HIPPS may lead to major accidents with catastrophic consequences

• Maintenance & Operation – longest lifecycle – we need reliable HIPPS all the way thru

• A customized approach is needed for different types of HIPPS, Operating Company and Operating Unit

• HIPPS maintenance – if done as advised by IEC – is a complex job requiring strict collaboration and interaction at all levels. It requires highly competent, motivated people and enhanced data management tools

• Collection and analysis of data are very important. Credibility of simply «everything» is at the stake if we don’t collect correct field data from offshore oil platforms

• Human failures remain as a big concern. Human reliability must be adressed as a part of overall HIPPS reliaibility

• No quick-fix for HIPPS maintenance

www.ors-no.com

Conclusion

Baris Arslan

Senior Safety Consultant

baa@ors-no.com

+46 735391827

20 www.ors-no.com

For more information, please contact