High Integrity Protection Systems (HIPS) – Making SIL Calculations Effective

a report by Jean-Pierre Signoret, Total
© Touch Briefings 2007

Premises

In the oil industry, traditional protection systems as defined in American Petroleum Institute (API) 14C are more and more often replaced by high integrity protection systems (HIPS). In particular, this encompasses the well-known high integrity pressure protection systems (HIPPS) used to protect specifically against overpressure. As safety instrumented systems (SIS) they have to be analysed through the formal processes described in the International Electrotechnical Commission (IEC) 61508 and IEC 61511 standards in order to assess which Safety Integrity Levels (SIL) they are able to claim.

What is really important when dealing with safety systems is that the probability of accident is sufficiently low to be acceptable according to the magnitude of the consequences. This can be done in a lot of different ways: applying rules, know-how or standards that may be deterministic, probabilistic, qualitative or quantitative, using reliability analysis and reliability methods and tools, collecting statistics, etc. Among them we find SIL calculations as per IEC 61508 and IEC 61511. Then we have to keep in mind that calculating a SIL is not an end in itself. It is only a tool among many others to help engineers to master safety through the whole life cycle of the safety systems.

This proves to be very efficient from an organisational point of view but, unfortunately, some problems arise when probabilistic calculations are performed by analysts thinking that it is a very easy job consisting only in applying some magical formulae (found in IEC 61508-Part 6) or in building a kind of ‘Lego’ from certified SILed elements bought off the shelf. Beyond the fact that sound mathematical theorems (Bellman or Gödel) demonstrate that doing it that way gives no guarantee of good results, this is the complete negation of the spirit developed in the reliability field over the last 50 years, which is based on a sound knowledge of the probabilistic concepts and in-depth analysis of the systems under study. Therefore, a skilled reliability analyst who aims to use the above standards in a clever way, compatible with traditional analysis, has to solve several difficulties: this is simple for the relationship between the IEC standards' probability concepts and those recognised in the reliability field, or for the failure taxonomy and definitions, which may need improvements; it is more difficult for handling the complex test and maintenance procedures encountered in the oil industry; it is almost impossible for some concepts like the ‘Safe Failure Fraction’ (SFF), which is not really relevant in our field, where spurious failures have to be thoroughly considered and avoided.

Jean-Pierre Signoret is the Reliability Expert at Total. He is part of the group of pioneers introducing and developing probabilistic methods and tools in France and has worked the past 35 years in this field. On the operational side, he is in charge of the probabilistic calculations in relationship with high integrity protection systems (HIPS) and reliability, availability, maintainability (RAM) studies. On the R&D side, since the 1980s, he has developed the GRIF software package, which encompasses all relevant methods and tools needed for operational probabilistic studies in the oil industry. He worked for 10 years at the French Atomic Energy Commission (CEA) before moving to ELF in the early 1980s. He belongs to several international standard committees and is the previous vice-chairman of the French Institute for Safety & Dependability (ISdF) and the previous chairman of the European Safety and Reliability Association (ESRA).

Exploration & Production – Oil & Gas Review 2007 – OTC Edition

SIL versus Traditional Concepts

The size of this article being limited, we will only give some indications about our way to manage SIL calculations in an efficient way for oil production installations. Figure 1 shows the links with the traditional concepts. The first protection layer works in continuous mode and the standards impose calculating its Probability of Failure per Hour (PFH). This is actually an average frequency of failure. When the number of failures over [0, T] is small compared with 1, PFH may be assimilated to F1(T)/T. When this is not the case, T/MTTF shall be used instead. In these formulae F1(T) is the unreliability of this layer over [0, T] and MTTF its classical Mean Time To Fail. Then, in the general case, PFH cannot be assimilated to a failure rate. Anyway this gives the demand frequency on the second layer, which runs in low demand mode (if the first layer is efficient). Its Probability of Failure on Demand (PFD) as per the standards is in fact its average unavailability P2. Then F1(T).P2 is the probability that both protection layers fail during a given period T. If there is no further protection layer this is the probability of accident. If a third protection layer is installed this will be the demand frequency on this layer. Note that the Risk Reduction Factor (RRF) is infinite when working in continuous mode.

Figure 1: SIL versus Traditional Concepts. Two fully independent protection layers: protection layer no. 1 in continuous mode (demand frequency infinite, unreliability F1 over (0, T), success 1-F1, RRF = ∞, new demand = PFH = F1/T) feeding protection layer no. 2 in demand mode (PFD = average unavailability P2, success 1-P2, RRF = 1/P2, F1.(1-P2) for a demand successfully handled), giving an accident probability F1.P2 and a new demand frequency PFH = F1.P2/T on any following layer.

The standard splits the demand mode between low and high according to the demand frequency (lower or greater than 1/year). From a probabilistic calculation point of view we prefer to consider the relationship between test and demand frequencies to do that: when the test frequency is high compared with the demand frequency, PFD may be used; otherwise it is better to use the unreliability, which provides a conservative estimation.

From a failure mode point of view, the main problem encountered is that the genuine on-demand failures are forgotten by the standards. They are likely to occur when the system experiences sudden changes of state. Therefore, they shall be taken into consideration when calculating the PFD, which comprises both hidden failures (occurring within test intervals) and genuine on-demand failures (due to tests or demands themselves). Another commonly encountered problem is that a superficial reading of the standard leads one to think that every revealed failure automatically becomes safe. This, of course, is not true. It remains unsafe until something is done to make it safe. This also has to be considered in the calculations.

Now it remains to evaluate the SIL of the safety system under study, and the most severe problem arises because IEC 61508-Part 6 provides only a list of simplified formulae for some cases but does not indicate the method used to establish them nor the underlying hypotheses. Therefore, an important warning has to be raised here: Part 6 is informative, its content is not intended to cope with all problems encountered and there is no obligation to use it. Analysts trusting that they just have to apply this part to obtain relevant results are wrong, and software developed on these bases shall be considered very cautiously. As results obtained in this way are likely not to be conservative, this is very dangerous indeed and not acceptable from a safety point of view. Part 6 is not really usable to deal with complex safety systems such as those installed in the oil industry, and this is why we have developed the methods and tools described hereafter.

Methods and Tools for Efficient SIL Calculations

Our HIPS may be split between curative versus preventive and topside versus subsea HIPS. Curative HIPS work in on-demand mode and need PFD calculations, whereas preventive HIPS work in continuous mode and need PFH (unreliability) calculations. As they are easy to test and maintain, the components of topside HIPS are almost independent (from a probabilistic point of view) from each other. It is the opposite for subsea HIPS. Therefore, we have investigated three main techniques to cope with all these various HIPS:

• fault tree approach – very efficient for topside curative HIPS, it is widely used by most of our reliability contractors;

• Markovian approach – efficient to model small HIPS of any category, it is sometimes known by our contractors; and

• behavioural modelling (Petri nets or AltaRica DF language) and Monte Carlo simulation – the only way to deal with industrial sized HIPS implying several interlinked protection layers.

Figure 2 shows an example of a fault tree used for SIL calculations. As a fault tree (FT) does not allow combining the PFD averages of individual components, the calculation is performed by inputting the instantaneous unavailabilities (saw-tooth curves) and calculating PFDavg as the average of the top event instantaneous unavailability. In this figure, the tests of individual components have been staggered in order to decrease both the maximum of the saw-tooth curve and the impact of common cause failures. The SIL menu of the ARALIA Workshop allows these calculations to be performed.

Figure 2 shows that PFDavg is not a good safety indicator. It may be SIL2 when a lot of time is spent in SIL1. This is why, for our HIPS, we require the calculation of the time spent in the various SIL zones in addition to the average itself.

Figure 2: Fault Tree Used for SIL Calculations. The top event is fed by a 2oo3 gate over components 1, 2 and 3 together with a common cause failure (CCF) branch (β = 10%); each component has λ = 1.10-4 and τ = 1,000, with staggered tests. The resulting top event PFD(t) saw-tooth curve over 0 to 5,000 has Max: 1.4e-2 and Mean: 7.3e-3.

Figure 3: Stochastic Petri Nets System. Places and transitions recovered from the figure: Running, Failure (rate λ), Detection (δ = 0, guarded by ?DCC), Failure detected, Waiting (Wait) for Rig on location (Rig), Start rep. (?StR), Repair (R), End of rep. (?EoR); transitions update a shared failure counter (!nbF = nbF + 1, !nbF = nbF - 1) and synchronise through the messages DCC, StR and EoR.
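The staggered-test fault tree of Figure 2, together with the genuine on-demand failure contribution discussed earlier, as an added worked example (it is not the article's own code nor the ARALIA Workshop's): it evaluates the instantaneous unavailability of a 2oo3 voted group with a beta-factor common cause failure, compares staggered tests with simultaneous tests, and reports the fraction of time spent in each SIL zone rather than only PFDavg. The parameters λ = 1e-4, τ = 1,000 and β = 10% are taken from the figure's annotations; the hourly units, the 5,000 h evaluation window, the assumption that a common cause failure is revealed by whichever component test comes first, and the on-demand probability gamma are this example's own assumptions.

```python
import math

# Parameters read from the figure annotations (hours are an assumption of this example)
LAMBDA = 1.0e-4      # dangerous undetected failure rate per component [1/h]
TAU = 1000.0         # proof-test interval [h]
BETA = 0.10          # fraction of failures that are common-cause (beta factor)
MISSION = 5000.0     # evaluation window, matching the figure's time axis [h]
DT = 1.0             # sampling step of the saw-tooth curve [h]

# IEC 61508 low-demand SIL bands on PFD: [lower, upper) per SIL
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def unavailability(rate, since_test):
    """Instantaneous unavailability of an item whose failure stays hidden until the next test."""
    return 1.0 - math.exp(-rate * since_test)


def pfd_2oo3(t, test_offsets, ccf_period):
    """PFD(t) of a 2oo3 group: independent part (at least two channels failed)
    combined with a beta-factor common cause failure.

    Channel i is tested at test_offsets[i] + k*TAU. Modelling assumption of this
    example: the common cause failure is revealed every ccf_period hours, i.e.
    by whichever channel test comes first.
    """
    ind_rate = (1.0 - BETA) * LAMBDA
    ccf_rate = BETA * LAMBDA
    q1, q2, q3 = [unavailability(ind_rate, (t - off) % TAU) for off in test_offsets]
    p_ind = q1 * q2 + q1 * q3 + q2 * q3 - 2.0 * q1 * q2 * q3
    p_ccf = unavailability(ccf_rate, t % ccf_period)
    return 1.0 - (1.0 - p_ind) * (1.0 - p_ccf)


def pfd_profile(test_offsets, ccf_period):
    """Saw-tooth PFD(t) sampled every DT hours over [0, MISSION]."""
    n = int(MISSION / DT) + 1
    return [pfd_2oo3(i * DT, test_offsets, ccf_period) for i in range(n)]


def summarise(profile):
    """PFDavg, PFDmax and the fraction of time spent in each SIL band."""
    avg = sum(profile) / len(profile)
    worst = max(profile)
    fractions = {sil: sum(1 for p in profile if lo <= p < hi) / len(profile)
                 for sil, (lo, hi) in SIL_BANDS.items()}
    return {"pfd_avg": avg, "pfd_max": worst, "time_in_sil": fractions}


def staggered_vs_simultaneous():
    """Tests spread one third of an interval apart versus all three tests at once."""
    staggered = summarise(pfd_profile([0.0, TAU / 3, 2 * TAU / 3], TAU / 3))
    simultaneous = summarise(pfd_profile([0.0, 0.0, 0.0], TAU))
    return staggered, simultaneous


def pfd_with_on_demand(pfd_hidden, gamma):
    """Add a genuine on-demand failure probability gamma (failure caused by the
    demand or test itself) to the hidden-failure PFD; gamma is an assumed input."""
    return 1.0 - (1.0 - pfd_hidden) * (1.0 - gamma)


if __name__ == "__main__":
    stag, simul = staggered_vs_simultaneous()
    for name, s in (("staggered", stag), ("simultaneous", simul)):
        print(f"{name:12s} PFDavg={s['pfd_avg']:.2e} PFDmax={s['pfd_max']:.2e} "
              f"time in SIL1={s['time_in_sil'][1]:.1%} SIL2={s['time_in_sil'][2]:.1%}")
    print(f"staggered PFDavg with gamma=1e-3 on demand: "
          f"{pfd_with_on_demand(stag['pfd_avg'], 1e-3):.2e}")
```

With the staggered schedule the average lands in the SIL2 band while a noticeable share of each sub-interval is spent above 1e-2, i.e. in SIL1, which is the time-in-zone indicator the article asks for in addition to the average; the simultaneous schedule gives a clearly higher average and maximum, illustrating why the tests were staggered.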

The second tool that we have developed is based on the multiphase Markovian approach. The number of states being generally too high to be managed by hand, we use a formal language (AltaRica Data Flow, implemented in the COMBAVA software) to generate them automatically. Even if our computation engine MAR-XPR is able to handle millions of states, this method is really efficient only for small systems, and this is why we have developed a third tool based on behavioural models and Monte Carlo simulation, which are virtually without limitations.

Our preferred model is stochastic Petri nets like the one presented in Figure 3. The method consists in building a finite state automaton behaving exactly as the system under study and performing Monte Carlo simulations on this model. This provides statistical results which are used to calculate the probabilistic parameters of interest. This method has been in use in our company since the early 1980s, when we began to develop our GRIF-MOCA-RP software. Mainly used for RAM analysis, it has been adapted to SIL calculations by developing a library of sub-Petri nets corresponding to the elements encountered in HIPS studies. It has been designed to run very fast and there is no difficulty in reaching accurate SIL4 estimations with present-day PCs.
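The Monte Carlo approach on a behavioural model, as an added example that is neither GRIF-MOCA-RP nor any other code from the article: a single item following the Running, Failure, Detection, Repair cycle of Figure 3 is simulated history by history, the average unavailability (PFDavg) is estimated from the accumulated downtime, and the estimate is checked against the closed-form value for a periodically tested hidden failure. The failure rate, test interval, repair duration, mission length, seed and number of histories are constructed values for this example.

```python
import math
import random

# Constructed parameters for this example
LAMBDA = 1.0e-4   # dangerous undetected failure rate [1/h]
TAU = 1000.0      # proof-test interval [h]
REPAIR = 8.0      # restoration time once the test has revealed the failure [h]
MISSION = 10000.0 # simulated duration of one history [h]


def simulate_history(rng, lam=LAMBDA, tau=TAU, repair=REPAIR, mission=MISSION):
    """One history of the Running -> Failure -> Detection -> Repair cycle:
    the failure is hidden until the next periodic test, the item is then
    repaired and returned to Running. Returns the total downtime [h]."""
    t = 0.0            # current time, item in state Running
    downtime = 0.0
    while t < mission:
        next_test = (math.floor(t / tau) + 1) * tau
        fail_at = t + rng.expovariate(lam)          # exponential time to failure
        if fail_at >= min(next_test, mission):
            t = next_test                            # test passes, nothing to repair
            continue
        revealed_at = min(next_test, mission)        # hidden until detection
        downtime += revealed_at - fail_at
        if next_test >= mission:
            break
        end_repair = min(next_test + repair, mission)  # unavailable while repaired
        downtime += end_repair - next_test
        t = end_repair
    return downtime


def monte_carlo_pfd(n_histories, seed=12345, mission=MISSION):
    """PFDavg estimated as mean downtime fraction over n_histories histories."""
    rng = random.Random(seed)
    total = sum(simulate_history(rng, mission=mission) for _ in range(n_histories))
    return total / (n_histories * mission)


def analytic_pfd(lam=LAMBDA, tau=TAU, repair=REPAIR):
    """Closed-form reference: mean hidden unavailability over a test interval,
    1 - (1 - e^(-lam*tau)) / (lam*tau), plus the repair contribution."""
    p_fail = 1.0 - math.exp(-lam * tau)
    hidden = 1.0 - p_fail / (lam * tau)
    return hidden + p_fail * repair / tau


if __name__ == "__main__":
    est = monte_carlo_pfd(4000)
    ref = analytic_pfd()
    print(f"Monte Carlo PFDavg = {est:.4f}, analytic reference = {ref:.4f}")
```

The statistical error of the estimate shrinks with the square root of the number of histories, which is why an accurate SIL4 figure (PFDavg below 1e-4) needs many more histories than this SIL1-range item; the same loop structure extends to several interlinked items once the failure counter and messages of Figure 3 are added.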

Conclusion

Implementing SIL calculations as per IEC 61508 or IEC 61511 on HIPS is not too difficult a task provided that an in-depth analysis of the standard is achieved and that alternatives to IEC 61508-Part 6 are considered. Traditional approaches such as fault trees, Markov graphs or Monte Carlo simulation on behavioural models like Petri nets have proven to be very efficient and easy to use for this purpose. This is what we do at TOTAL, where a full set of methods and software tools is available and used daily for our SIL calculations.
