30 High-Integrity Pressure Protection Systems (HIPPS)
30.1 Introduction
Flowlines can be an expensive item due to their length and the wall thickness requirement for pressure containment and an applied corrosion allowance. If the flowline is designed to withstand the maximum Wellhead shut-in pressure at production start-up, the system will be over designed as reservoir pressure falls later in field life. In addition, flowing pressures will be significantly less than the shut-in pressure and hence the system will normally operate at pressures well below the design.
Project feasibility should consider the economics of reducing the rated working pressure of a flowline below the maximum Wellhead shut-in pressure of the well(s) feeding it, whilst at the same time taking precautions to ensure the pressure in the flowline can never rise as high as the Wellhead Shut-in pressure. A typical field study consideration is a gas field where the reservoir shut in pressures may be high.
For a flowline to be rated lower than a pressure that could potentially be applied to it requires considerable means to ensure this over pressure can never occur. If a barrier valve is placed at the Manifold just before the flowline and is shut whenever the pressure rises, only the Tree and manifold pipework need then be rated to the full shut in pressure.
To achieve this, a High Integrity Pressure Protection System (HIPPS) is required. The HIPPS system is a high-availability emergency shutdown system to ensure the wells feeding the flowline are isolated whenever the pressure in the flowline exceeds an alarm point, by closing the Barrier Valves.
The consequences of any decision to de-rate the flowline and introduce a HIPPS are considerable and the overall economics and safety issues including a safety case study must be carefully evaluated before proceeding along this path. An intermediate approach is to rate the flowline such that full Wellhead pressure does not cause it to rupture, but 'merely' to exceed its plastic limit.
When considering the complexity of a HIPPS system and the dual/triple redundant equipment on the seabed, it may be appropriate to be able to isolate the HIPPS system later in the field life when the reservoir depletes and the well shut in pressure becomes lower.
There are several different abbreviations that have been used for overpressure protection systems, such as HIPPS (High Integrity Pressure Protection System), HIPS (High Integrity Protection Shutdown system) or OPPS (Overpressure Pipeline Protection System).
30.2 Implementation of a HIPPS
30.2.1 Requirements
The requirements are therefore for a system that detects a rising pressure in a flowline and quickly shuts one or more isolation/barrier valves before the pressure can rise too high.
This requires:
A very reliable and highly available system.
A fast-acting system.
The main components of a HIPPS therefore comprise:
Pressure (and other) transmitters.
Logic.
Redundant Barrier Valves.
In its simplest form, a HIPPS barrier valve, installed in the fully rated pipe work section of the Process Manifold/Template, is controlled by local logic monitoring a downstream Pressure Transmitter. HIPPS control logic monitors the Transmitter and closes the HIPPS barrier valve in the event that excessive pressure is detected.
Usually the implementation of a HIPPS system subsea gives rise to many other considerations during detailed design, and hazard and operability (HAZOP) studies. This is due to the amount of dual/triple redundant equipment on the seabed, adequate system isolation, and consideration of keeping critical instrumentation hydrate free. Thus the ability to isolate the HIPPS system later in the field life should also be considered during the design phase.
The actual HIPPS implementation is more complex in order to assure the reliability, availability and speed, and to power and test the system. Topsides equipment will need to supply the necessary electrical and hydraulic power, which will be transmitted to the subsea equipment via an umbilical. Subsea equipment located adjacent to the Barrier Valves will provide the actual detection and actuation mechanisms. A second HIPPS barrier valve, is also monitored either side by Pressure Transmitters, which provides redundancy in case of failure or leakage of the first valve.
30.2.2 Typical system
The Topsides equipment comprises:
The Subsea equipment comprises:
Umbilical and termination/distribution unit
HIPPS subsea control module and mounting base
Subsea Accumulator Module and mounting base
Hydraulic jumpers ©N.J. Smith 2000
Process Barrier Valves and Position Indicators
Maintenance, venting and test valves
Standard subsea hardware can be used for non-critical control functions, but specially designed equipment will be required for the rest of the system.
These components are described below in more detail.
30.2.3 Pressure Transmitters
The Transmitters used for this application are 'normal' subsea devices. Pressure Transmitters rather than Pressure switches are used, as failures can be more easily detected and pressure values are more useful.
To ensure availability and prevent erroneous shutdowns, usually more than one transmitter is employed in a "2 out of 3" voting (triplicate) (mentioned as 2oo3 on P&ID) configuration and different makes of sensor can be used to avoid common fault modes.
Either the transmitters themselves and/or the detection logic will act in such a way that a failed transmitter is seen as a 'high' pressure and therefore trips the system.
Common-mode failures due to blocked sense lines (ice, hydrates, scale, wax or mechanical damage) can be a serious problem and the design should ensure this risk is minimised.
30.2.4 Control Hardware
The control hardware monitors the Transmitters and closes the Barrier Valves when high pressure is detected. The detection and activation system is inevitably an electronic system and it should be independent of any other platform or subsea system, although data-feeds to other systems are usually available.
The implementation of this is usually a dedicated subsea controller, located in a subsea control module adjacent to the Barrier Valves themselves. The HIPPS control module monitors the Transmitters and closes the valves in the event excessive pressure is detected. This operates via a certified fixed-logic electronic system and is not dependent on control boards or links to the surface. Thus each trip is pre-set and cannot be changed without physical access to the controller. This requires careful attention to hydraulic design to ensure pulses do not inadvertently trip the system. ©N.J. Smith 2000
A secondary controller is control board based and provides non-safety related and secondary functions and communicates with the surface controller. When the safety controller trips the barrier valves, the secondary controller detects this and closes all secondary and test valves (the links between the systems must be shown to be independent).
The hydraulic control of the Barrier Valve requires the use of high flowrate control valves in the HIPPS control module; these are not necessarily identical to other subsea control system valves.
The Barrier valves are controlled using hydraulic power, in a similar manner to a subsea control system, and so a Hydraulic Power Unit is required. This HPU can be the same unit as for the subsea control system, although the design must ensure that the reliability and availability criteria are still met; there may be auxiliary components such as a dedicated HIPPS Accumulator Unit to assure the integrity of the HIPPS supply.
The control hardware will be operated using a dual-redundant electrical supply and should be fail-closed on loss of electrical power. A HIPPS system must therefore be continuously operated via a UPS. Some systems again use the same EPU as for the subsea control system but this may be undesirable as the shutdown philosophy for the subsea control system is usually such that the subsea control system does not shutdown on loss of power, whereas the HIPPS must do so. This could lead to the supplies being inadvertently shut off for maintenance, causing a HIPPS shutdown.
The control hardware must be fail-safe under all modes of failure. Regulations are such that designs using computers are not permitted, as software can fail on occasions or perform in a way not originally foreseen. Required approvals typically include TÜV DIN 19250 Classes 5,6 and 7 safety standard. Standard subsea control systems are not applicable without modification, as they are usually not constructed to a fail-safe design. A Programmable Electronic Safety System or Electronic Safety System which is “Stand Alone” must meet IEC 61508 SIL requirements appropriate to the application.
Electronics should NOT be integrated with other control/safety functions to avoid common-mode failures and influence on the HIPPS from other sources.
The system should perform self-testing operations on a frequent basis, at least once per second, although again, the extra circuitry involved must be demonstrated not to interfere with the primary failsafe system.
The whole system must be 'low-maintenance' and not require manual intervention.
30.2.5 Barrier valves
These can be 'standard' subsea isolation valves, operating in a failsafe-closed mode, although some designs may not be suitable, as the valve response time needs to be fast enough to prevent pressure excursions above the permitted limits (say, <2-5 seconds) and so the valve actuator must be carefully selected for this task. For large valves a spring-activated system may not be practical and a hydraulic accumulator provides the closure force; in this case the overall hydraulic system must again be carefully designed to ensure the system is available when required. In both cases, subsea accumulation is provided to ensure availability of the system whatever the state of the surface equipment. Pipeline pressure-assist is another method to accelerate the closing time.
After actuation of the barrier valves, the pressure must still be monitored downstream in case leakage causes it to continue to rise; secondary (cascade) shutdown of the Tree valves feeding the pipeline may be required, and the excess pressure may need to be bled off at the surface or via secondary flow lines or service lines. The accuracy of the position-monitoring devices may not be sufficient to detect a small degree of opening, which in time would lead to the increase in pressure. ©N.J. Smith 2000
Re-opening of the barrier valves following a shutdown is via a command from the surface unit, providing the "2 out of 3" voting system permits. Venting the locked-in high pressure that originally caused the trip requires suitable additional valves and/or the use of the subsea control system with the service or test line etc, as the HIPPS itself may not have 'overrides' to permit reopening the barrier valve(s) whilst high pressure is still present. ©N.J. Smith 2000
The barrier valves can also be shut by command from the surface; this will cause a pressure build-up and it is therefore advisable to shut the well in first to prevent closure against flow. This requires a link between the HIPPS and subsea control system surface controllers, or by manual procedures.
Hydraulic lines from the subsea HIPPS control module are duplicated to ensure that a trapped hose could not hold a barrier valve open.
Other isolation valves may be required for maintenance, testing, hydrate inhibition and pressure testing, but are not part of the primary HIPPS and are therefore controlled by the secondary controller.
30.2.6 Surface Equipment
The UPS/EPU provides dual-redundant electrical power, and the HPU provides hydraulic power. These services may sometimes be shared with the normal subsea control system, with the provisions noted above. They are distributed via lines in an umbilical to the HIPPS system. It may be possible to use the same umbilical as for the subsea control system, thus economising on cost, but the HIPPS lines themselves must be entirely independent, so there will still be a certain cost impact. A dedicated HIPPS Accumulator Unit provides hydraulic reserves for peak demands.
The surface HIPPS units are independent but are also connected to the MCS and other platform DCS/SCADA as required.
30.3 System Testing
A common problem is that the Barrier Valves may stick in the open (or closed) position. To minimise this risk, regular testing is performed in which the valves are completely or (usually) partially closed. To achieve this, the barrier valves are fitted with an analogue linear valve position sensor (4-20mA) which is monitored by the HIPPS module. This allows fine control of the valve position; the valve can be commanded shut until the position is seen to move then re-opened again, thus avoiding a complete shutdown. This is a common test method for SSIVs, but it should be noted that deliberately slowing the valve-closure mechanism to permit such testing contradicts the philosophy of a fast-acting system, and the design must therefore ensure that the main closure mechanism is not affected by the test-circuit design. ©N.J. Smith 2000
Testing of the HIPPS itself is not easy. It would be necessary to modulate the pressure to the transmitters to check they are working - this can only be done by decreasing the pressure otherwise increasing it may set off a shutdown. The readings from each transmitter are available at the Surface controller and can be compared with readings from other pressure transmitters in the subsea control system, which gives some degree of assurance that they are operating and are in calibration; however, this does not prove the system will detect a high pressure and operate.
Alternatively, the trigger points for the HIPPS could be set to a value below the current pressure; this would trip the system but by virtue of the Certification (see 30.1.4) such intervention on an operating system is not permitted, so is not feasible for routine testing.
The only other method is to isolate each transmitter and increase the pressure above its trigger point via an external means, such as by methanol purging (which can also be a regular maintenance function). Doing this by remote control from the surface requires a number of ancillary control valves - a parallel arrangement would allow one leg to be tested with the other isolated, but the scope for leaving valves in the wrong position, wrong set-points or common-mode failures etc., are significant.
Clearly, therefore, the complexity of the system increases considerably if such a philosophy is required, but the only other sure way of testing is by deliberately closing a topsides valve and causing the pressure to rise, thus activating a genuine HIPPS shutdown. The subsea choke can be used to restrict the rate of increase to some extent.
30.4 Other concerns
Pigging a flowline could cause the pressure to rise above the trigger point of the HIPPS, particularly if the pig sticks; thus, it is not advisable to use the well stream as the driving force.
"Fortified" zones may be required close to the topsides production facility and possibly near the subsea template to ensure that, even if the flowline does rupture, it does not endanger the platform (or flowline near the template).
Similarly, flowline 'weak-link' devices may be provided to ensure any rupture occurs in a defined place.
The HIPPS system can to some extent be supplemented by designing shutdown sequences into the subsea control system. A subsea control system may have algorithms to detect temperatures and pressures being within the hydrate-forming region. This system has control of Tree/manifold Valves and Chokes, and can be designed to detect rising pressure (particularly relatively slow events such as formation of wax or hydrates) and to close the Production Wing Valve and/or choke (these being the items usually closed against flow). This may be sufficient to avoid triggering the HIPPS in many cases, but the main reason why this is unacceptable as a primary HIPPS being that the subsea control system is not usually designed or approved for such high-integrity, high-availability, fast-acting purposes. ©N.J. Smith 2000
Similarly, any closure of topsides valves should immediately be conveyed to the subsea control system to permit it to attempt to reduce the flowline pressure; it is not usually the case that all such events are reflected back to the subsea control system (only major ones such as Platform Shutdowns) so it is feasible that the inadvertent closure of a topsides block valve could trigger the HIPPS, unless all such events are immediately followed by closure of Tree/Manifold valves and chokes.
This requires a better integration of the topsides and subsea facilities and in practice can be difficult to implement, particularly where a topsides system already exists when a new subsea field is connected to an existing Platform. It is very easy to manually close a topsides riser or separator valve, without prior subsea action, and the system effects of this, including the 'water-hammer' effect, may well cause the pipeline pressure to be exceeded.
Pressure-testing of a pipeline would also activate the HIPPS, which should therefore be taken into account when planning such operations - again, only an override would permit such testing past the Barrier Valve(s) themselves.
30.5 Summary
A HIPPS flowline protection system is readily achievable using existing proven technology, but there are consequences to the overall subsea and topsides control system designs in implementing such a system.
The need for overall Project commitment to a HIPPS system is mandatory, as there are far-reaching consequences in taking this route to all aspects of developing a new field, particularly when being tied-back to an existing Platform.
The total cost of ownership must be fully accounted for in determining the feasibility of having a low-pressure rated pipeline, and a number of areas have been highlighted which will, in practice, add to the development cost and reduce the advantage of lowering the pipeline design pressure. The effects of adding a HIPPS system depend also on the nature of the Field Development Project itself, and unless being implemented at the start of a completely new Development, will have cost implications on existing systems which may be unacceptable or difficult to implement.
Further precautions can be implemented using technology within existing designs of Subsea Control System. A dedicated HIPPS module can then be added to the control system, sharing the power / hydraulics / communications (albeit with certain provisos), to provide overall protection via a dedicated HIPPS Barrier Valve, should the well control system fail to maintain pressure in the safe region.
Nevertheless, it is evident that a simple commercial decision to economise on pipeline costs results in a considerable and complex outlay for a system to adequately and reliably prevent the pipeline being over pressured.
