High Integrity Protection Systems (HIPS) are more and more extensively used
in the oil industry to replace conventional safety systems, and this paper aims
to show how to efficiently evaluate their Safety Integrity Levels (SIL) as
required by the IEC 61508 (1998) and 61511 (2003) standards. These standards
provide rigorous formal processes to build the safety of Safety Instrumented
Systems (SIS) and are very efficient from an organizational point of view.
However, difficulties still arise with definitions and probabilistic
calculations, and for this reason our company has developed a set of
probabilistic methods and tools to overcome such difficulties. They are based
on traditional holistic approaches and the powerful algorithms developed in the
reliability field over the past 30 or 40 years: Fault Trees, Markov processes,
and Monte Carlo simulation performed on behavioral models (e.g., Petri nets or
formal languages). They are briefly analyzed in this paper using simple
examples to highlight the principles. This paper is mainly focused on HIPS
working in low-demand-mode (i.e., with less than one demand per year according
to the standards) and HIPS such as High Integrity Pressure Protection Systems
(HIPPS), but indications are given for HIPS functioning in continuous modes of
operation. The main conclusions are that, when properly handled, Fault Trees
are very efficient for low-demand topside HIPS; that the Markovian approach is
interesting but practicable only for very small systems; and that Monte Carlo
simulation on behavioral models is efficient in all cases. From our point of
view, these approaches are simpler to handle than the informative formulae
proposed in the present issue of the standards. Therefore, we have begun to
disseminate these approaches and we strongly recommend our contractors to use
In the oil industry, the traditional protection systems defined in API 14C
are more and more frequently replaced by safety instrumented systems: the
so-called HIPS (High Integrity Protection Systems). Therefore, according to IEC
61508 and IEC 61511 standards, their safety integrity levels (SILs) shall be
Unfortunately, when using these standards some difficulties arise (Signoret
2006; Dutuit et al. 2006). They often remain ignored by those performing SIL
studies and are related to:
- Failure taxonomy and definitions.
- Tests and maintenance procedures handling.
- Safe failure fraction (SFF) concept.
- Probability of failure on demand (PFD) and probability of failure per hour
The first three difficulties are presented briefly before discussing the
fourth one in more depth, and showing how to cope with the various SIL
assessment situations encountered in the oil industry:
- Topside HIPS easily tested and maintained.
- Subsea HIPS difficult to test and maintain.
- Preventive HIPS.
According to the standards (see the following), topside and subsea HIPS
belong to the so-called “low-demand-mode” safety instrumented systems (SIS),
while preventive HIPS belong to the so-called “continuous” mode SIS. This
paper is mainly focused on methods and tools devoted to low-demand-mode
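The fourth difficulty listed above, the PFD of a low-demand-mode SIS, and the abstract's comparison of the standards' informative formulae with Markov and Monte Carlo calculations, are illustrated here by an added example that is not part of the paper: a single periodically proof-tested channel computed three ways (simplified IEC formula, exact time average of the same model, Monte Carlo) and mapped to its low-demand SIL band. The failure rate and proof-test interval are constructed values, not figures from the paper.

```python
import math
import random

# Constructed values (not from the paper): a dangerous undetected failure
# rate of 1e-6 per hour and a yearly proof test, i.e. a typical low-demand
# channel of a topside HIPS.
LAMBDA_DU = 1.0e-6     # dangerous undetected failures per hour
TEST_INTERVAL = 8760.0  # proof-test interval in hours (one year)


def pfd_avg_simplified(lam, t_interval):
    """IEC 61508 simplified formula for one periodically tested channel."""
    return lam * t_interval / 2.0


def pfd_avg_exact(lam, t_interval):
    """Time average of PFD(t) = 1 - exp(-lam*t) over one proof-test interval:
    the analytical result for the same two-state (working/failed) model."""
    x = lam * t_interval
    return 1.0 - (1.0 - math.exp(-x)) / x


def pfd_avg_monte_carlo(lam, t_interval, n_intervals=400_000, seed=1):
    """Monte Carlo estimate of the same model: sample the failure time in each
    test interval and accumulate the time spent failed until the next test."""
    rng = random.Random(seed)
    downtime = 0.0
    for _ in range(n_intervals):
        failure_time = rng.expovariate(lam)
        if failure_time < t_interval:
            downtime += t_interval - failure_time  # undetected until proof test
    return downtime / (n_intervals * t_interval)


def sil_from_pfd_avg(pfd):
    """Map PFDavg to the IEC 61508 low-demand SIL band (0 = below SIL 1)."""
    bands = [(1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1)]
    for upper_bound, sil in bands:
        if pfd < upper_bound:
            return sil
    return 0


if __name__ == "__main__":
    for name, fn in [("simplified", pfd_avg_simplified),
                     ("exact", pfd_avg_exact),
                     ("monte carlo", pfd_avg_monte_carlo)]:
        value = fn(LAMBDA_DU, TEST_INTERVAL)
        print(f"{name:12s} PFDavg = {value:.5f}  -> SIL {sil_from_pfd_avg(value)}")
```

The simplified formula slightly overestimates the exact average (it keeps only the first term of the series), and the Monte Carlo estimate scatters around the exact value; all three land in the same SIL band for these inputs.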
© 2008. Society of Petroleum Engineers
- Original manuscript received: 29 January 2007
- Meeting paper published: 30 April 2007
- Revised manuscript received: 8 October 2007
- Manuscript approved: 20 November 2007
- Version of record: 15 March 2008