High Integrity Protective System
The Figure shows a distillation column design with an independent High Integrity Protective System (HIPS) installed to minimize demands on the safety valve. The HIPS is designed to equal or exceed Safety Integrity Level (SIL) 3.
During normal operation, the column receives feed, which is vaporized in the reboiler, passes through the trays of the column, and one or more distillates are drawn off. Heat is introduced by controlling steam (as a function of product analyzer and/or column temperature and/or pressure) to the reboiler. Heat is removed by the overhead condenser.
Should column pressure or temperature rise above the normal operating range, the control system will reduce heat addition by closing the steam valve. Should column pressure continue to rise, the HIPS will close the control valve and the Emergency Shutdown Valve (ESV). Should the HIPS fail to initiate action, the operator may close the ESV by depressing the Manual Trip Pushbutton. Should column pressure continue to rise, approach the rating of the column, a self actuated safety relief valve opens, reducing energy/pressure and discharges to the atmosphere or flare header. The capacity of the relief valve to discharge energy exceeds the capacity of the heat source to add energy.
The design objective of a HIPS is a system that can continue to provide protection even with a single component failed. It must suffer two or more faults before safety is jeopardized and in most cases before spurious action occurs. The design as shown in the Figure, achieves the criteria, excepting the energy supply isolation valves. A single fault causing a single valve to fail close will cause a spurious shutdown of the column. The HIPS is a completely independent safety layer with it's own UPS power, sensors, logic cabinet and final element. It is designed to measure column pressure using three identical, but separately mounted, pressure transmitters.
Each transmitter signal is read by the Safety Instrument System (SIS), scaled to engineering units, tested against set point and majority voted. Each transmitter signal is also tested for reasonableness and defaults to a "trip vote" if out of range. Each transmitter is tested against the median of the three and a diagnostic alarm sounds on 5% deviation.
The Safety Instrument System (SIS) is composed of three input channels, three microprocessor/communication channels, and three output channels, all fully integrated. The SIS continuously checks the health of each channel and compares the results of the three channels. Failure of one channel is alarmed and may be repaired on-line. Multiple channel failures result in 'fail safe' action i.e. outputs de-energized.
When the voting logic receives two or more "trip votes", SIS outputs take control of two independent, and diverse valves to isolate the heat source from the reboiler. Valves may be installed in the supply or return from the reboiler. Solenoids SOV1 and SOV2 are de-energized, isolating the air supply and venting the air off the ESDV actuator, allowing the spring to close the valve. The SIS also de-energizes Relays A and B, removing the DCS signal to the current to pneumatic converter that allows the control valve actuator spring to close the valve.
A "read only" serial communication link is connected to the DCS to present and log significant data such as diagnostic information, discrepancy between pressure transmitters, trip voter status, process pressure, pre-alarm and trip set points, current status, software version, etc. HIPS employs significant security features and self diagnostics to detect and annunciate faults. The system is designed for and will be thoroughly function tested every three months.
The system is tested in several ways and frequencies. In many applications, each valve may be fully closed and reopened within a few seconds to verify valve closure through position indicators and process flow indicators. In those applications where process dynamics preclude interrupting steam flow, a bypass valve may be opened and the valve stroked closed.
An example application of HIPS to flare header protection is given in the next Section.