Using Instrumented Systems for Overpressure Protection

By Dr. Angela E. Summers, PE
SIS-TECH Solutions, LLC - Houston, TX

Prepared for Presentation at the 34th Annual Loss Prevention Symposium, March 6-8, 2000, Overpressure Protection Alternative Session
Copyright © SIS-TECH Solutions, LLC, December 1999

Accepted for publication in Chemical Engineering Progress

AICHE shall not be responsible for statements or opinions contained in papers or printed publications.


Industry is moving towards the use of high integrity protection systems (HIPS) to reduce flare loading and alleviate the need to upgrade existing flare systems when expanding facilities. The use of HIPS can minimize capital project costs, while meeting an evolving array of standards and regulations. This paper will discuss API and ASME standards and how these relate to ANSI/ISA S84.01-1996 and IEC 61508. It will focus on the process that should be followed in implementing the engineering design of HIPS.


In the process industry, a key safety consideration is the control of and response to over-pressure situations. Industry standards from the American Petroleum Institute (API) and American Society of Mechanical Engineers (ASME) provide criteria for the design of vessels and the protection of these vessels from over-pressure. Traditionally, pressure relief valves and flares were used to handle the relieving of vessels in the worst credible scenario. Flare loading calculations gave no credit for operator intervention, fail safe equipment operation or trip systems. But times have changed. In many communities and countries around the world, the belt is tightening on the venting and combustion of gases. It is simply not acceptable to flare large volumes of gas. In addition, the cost of designing and installing large flare systems has continued to rise. API 521 (1) and Case 2211 of ASME Section VIII, Division 1 and 2 (2), provide alternatives in the design of overpressure protection systems. These alternatives revolve around the use of an instrumented system that exceeds the protection provided by a pressure relief valve and flare system.

These instrumented systems are safety-related systems, since their failure can result in vessel rupture or in overloading the flare. As safety-related systems, they must be designed according to either the United States domestic ANSI/ISA S84.01-1996 (3) or the international standard draft IEC 61508 (4,5). The risk typically involved with overpressure protection results in the need for high safety system availability; therefore, these systems are often called "high integrity protection systems" or HIPS.

Regulations and Standards Concerning HIPS

API and ASME provide design standards for pressure vessels. These design standards are used worldwide by insurers to determine the appropriateness of pressure vessel design. As industry-recognized institutions, many API and ASME standards are enforceable in the United States under OSHA PSM (7) and EPA RMP (8). In many other countries worldwide, these standards are enforceable under local and/or national regulations.

ANSI/ISA S84.01-1996 and draft IEC 61508 are standards for SIS design. As a US industrial standard, ANSI/ISA S84.01-1996 is also enforceable as good engineering practice under OSHA PSM (6) and EPA RMP (7). When finalized, draft IEC 61508 will be accepted in many countries as an enforceable national standard, whether associated with a national regulation or independently mandated.

American Petroleum Institute (API)

API has recommended practices that address pressure relieving and depressuring systems in the petroleum production industry. API 521 describes flare system design methods. These methods basically require sizing the relief valve for each vessel for the worst credible scenario and require sizing the main flare header for the worst case relieving scenario, involving the simultaneous venting of all affected vessels. The fourth edition of API 521 allows credit to be taken for a favorable response of some of the instrument systems. While this design alternative is provided, API 521 Part 2.2 recommends the use of high integrity protective systems (HIPS) only when the use of pressure relief devices is impractical.

American Society of Mechanical Engineers (ASME)

ASME Code Case 2211, approved in 1996, sets the conditions under which over-pressure protection may be provided by an instrumented system instead of a PRV. This ruling is intended to enhance the overall safety and environmental performance of a facility by utilizing the most appropriate engineered option for pressure protection. While there are no specific performance criteria in the Code Case, the substitution of the HIPS for the PRV should provide a safer installation. Consequently, the substitution is generally intended for limited services where the PRV may not work properly due to process conditions, e.g. plugging, multiple phases, etc. The overpressure protection can be provided by a SIS in lieu of a pressure relieving device under the following conditions:

  1. The vessel is not exclusively in air, water, or steam service.
  2. The decision to utilize overpressure protection of a vessel by system design is the responsibility of the User.
  3. The User must ensure the MAWP of the vessel is higher than the highest pressure that can reasonably be expected to be encountered by the system.
  4. A quantitative or qualitative risk analysis of the proposed system must be made addressing all credible overpressure scenarios.
  5. The analysis in (3) and (4) must be documented.

International Society for Measurement and Control (ISA) and International Electrotechnical Commission (IEC)

ANSI/ISA S84.01-1996 and draft IEC 61508 are intended to address the application of safety instrumented systems (SIS) for the process industries. The objective of these standards is to define the design and documentation requirements for SIS. While these design standards are not prescriptive in nature, the design processes mandated in these standards cover all aspects of design including: risk assessment, conceptual design, detailed design, operation, maintenance, and testing (8). To ensure compliant implementation, the requirements of these standards, as pertaining to a specific HIPS application, must be investigated thoroughly.

One of the most important criteria for SIS design is the requirement that the User assign and verify the safety integrity level (SIL) for the SIS (9). The assignment of SIL is a corporate decision based on risk management philosophy and risk tolerance. Safety instrumented systems (SIS) should be designed to meet a safety integrity level that is appropriate for the degree of hazard associated with the process upset. Safety integrity levels per draft IEC 61508 and ANSI/ISA S84.01 are designated in the following table.

Table 1: Safety Integrity Levels

| Safety Integrity Level | Availability Required | Probability to Fail on Demand | 1/PFD |
|---|---|---|---|
| 4 | >99.99% | E-005 to E-004 | 100,000 to 10,000 |
| 3 | 99.90 - 99.99% | E-004 to E-003 | 10,000 to 1,000 |
| 2 | 99.00 - 99.90% | E-003 to E-002 | 1,000 to 100 |
| 1 | 90.00 - 99.00% | E-002 to E-001 | 100 to 10 |

From the point of SIL selection, the entire lifecycle of the SIS is evaluated for agreement with the SIL. Thus, the SIL is the cornerstone of the SIS design.

Advantages and Disadvantages of Using HIPS

Industry is increasingly moving towards utilizing HIPS to reduce flare loading. They are becoming the option of choice to help alleviate the need to replace major portions of the flare system in existing facilities when adding new equipment or units. If the header and flare system must be enlarged, significant downtime is incurred for all of the units that discharge to that header. The relatively low capital cost of HIPS compared to flare system piping upgrades, and the ability to install HIPS without incurring significant additional downtime during a turnaround, make these systems an extremely attractive option. Another benefit is that the process unit will not flare as much as a process unit designed for full flare loading. In some areas of the world, this is becoming important as regulatory agencies place greater restrictions on flaring.

The main disadvantage of HIPS is that these systems are more complex and require that many different components work as designed. The effectiveness of the system is highly dependent on the field design, device testing, and maintenance program. The ability of the HIPS to adequately address overpressure is limited by the knowledge and skill applied in the identification and definition of overpressure scenarios. When a PRV is not installed, the HIPS becomes the "last line of defense," whose failure potentially results in rupture of the vessel or pipeline.

Making the Decision to Use HIPS

A decision tree can be utilized to facilitate the use of HIPS in the process industry. Figure 1 is a highly simplified decision tree showing only the key steps in assessing and designing a HIPS.

Figure 1. Simplified Decision tree

The first question that must be asked revolves around regulatory and standards issues. Some local codes mandate the use of PRVs, regardless of the industry standards, so make sure local jurisdictional issues are understood. From ASME Code Case 2211, the vessel cannot be exclusively in air, water, or steam service. This requirement is intended to prevent building utility systems (e.g. residential boilers) from being installed without PRVs.

Once the local regulations and standards are understood, a hazard assessment must be performed to determine the credible overpressure scenarios. During the hazard assessment, analyze each scenario thoroughly. If any scenario is determined to be non-credible during the assessment, make sure the documentation provides adequate justification. Remember that the flare system most likely will not be able to handle your non-credible event, if it turns out to be credible and happens.

A safety requirement specification (SRS) should be developed to address various overpressure scenarios. The SRS will describe the specific actions required to mitigate each scenario. When assessing the performance of HIPS, examine the process dynamics carefully to make sure that the instrumented system can respond fast enough to the event to prevent the overpressure of the vessel. In addition to the safety functional requirements, the SRS also includes the documentation of the safety integrity requirements, including the safety integrity level (SIL) and anticipated testing frequency.

Typically, the high availability requirements for HIPS drive the choices made concerning component integrity, component redundancy, common cause concerns, diagnostic requirements, and testing frequency. The conceptual design or basis of design document must specify exactly how the HIPS will be configured to achieve the necessary availability.

To document the "as safe or safer" criterion and compliance with the target SIL, the design of any HIPS should be quantitatively verified to ensure it meets the required availability. Quantitative verification of SIL for HIPS is the generally accepted approach for most companies utilizing HIPS. This is because the quantitative technique is the most defensible from a legal standpoint. A draft guidance report by ISA, ISA dTR84.02 (10, 11, 12, 13, 14), recommends use of one of the following methods for SIL Verification:

  1. Markov Models
  2. Fault Tree Analysis (FTA)
  3. Simplified Methods

Any of these techniques can be utilized to determine whether the design meets the required SIL. If it does not meet the required SIL, the design must be modified until it does.

Detailed design and implementation/commissioning activities must be performed within the bounds of the safety requirements specification and the conceptual design. Any deviations from these documents must be evaluated for impact on the safety integrity level and on any assumptions made with regard to performance.

Finally, the HIPS must be operated, maintained and tested throughout the life of the plant. The high integrity of HIPS is often achieved through the use of frequent testing. Once the required testing frequency is documented in the SRS, it must be done. If the SRS says that the testing occurs at a 6 month interval, it must be done at 6 months, not one year.
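The dependence of the achieved SIL on the test interval can be made concrete with a short calculation. The following is an added example, not part of the original paper: it assumes the commonly used simplified equations for average PFD (no common cause, diagnostics or repair time), and the HIPS architecture and dangerous undetected failure rates are constructed for illustration only.

```python
"""SIL verification sketch using simplified equations (added example)."""

HOURS_PER_YEAR = 8760.0

# Table 1 bands as (SIL, lower PFD bound, upper PFD bound). The table's edges
# overlap; a PFD exactly on an edge is assigned the lower SIL (conservative).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd):
    """Return the Table 1 SIL for an average PFD, or 0 if it is 1e-1 or worse."""
    if pfd < 1e-5:
        return 4  # better than the best band; SIL 4 is the highest level
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def pfd_avg(lambda_du, test_interval_h, voting):
    """Simplified average PFD for one subsystem (assumed equations).

    lambda_du is the dangerous undetected failure rate per hour and
    test_interval_h the proof test interval in hours.
    """
    x = lambda_du * test_interval_h
    if voting == "1oo1":
        return x / 2.0
    if voting == "1oo2":
        return x ** 2 / 3.0
    if voting == "2oo3":
        return x ** 2
    raise ValueError("unsupported voting: " + voting)


def loop_pfd(subsystems, test_interval_h):
    """Sum sensor, logic solver and final element PFDs (rare-event approximation)."""
    return sum(pfd_avg(lam, test_interval_h, vote) for lam, vote in subsystems)


def longest_interval_meeting(subsystems, target_sil, candidate_intervals_h):
    """Return the longest candidate test interval that still achieves target_sil."""
    ok = [ti for ti in candidate_intervals_h
          if sil_from_pfd(loop_pfd(subsystems, ti)) >= target_sil]
    return max(ok) if ok else None


# Constructed HIPS: 2oo3 pressure transmitters, 1oo1 logic solver, 1oo2 valves.
HIPS = [(2e-6, "2oo3"), (1e-7, "1oo1"), (5e-6, "1oo2")]

if __name__ == "__main__":
    for months in (6, 12):
        ti = HOURS_PER_YEAR * months / 12
        pfd = loop_pfd(HIPS, ti)
        print(f"{months:2d}-month test: PFDavg={pfd:.2e} -> SIL {sil_from_pfd(pfd)}")
```

With these constructed rates the loop meets SIL 3 when tested every 6 months and falls to SIL 2 when the same hardware is tested yearly.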


Care must be taken in any decision to implement HIPS. The use of HIPS should be generally restricted to the reduction of relief and flare loading in existing facilities. An instrumented system should not be used as the only justification for reducing the pressure relieving requirements on individual pieces of equipment. Any justification should be thoroughly documented through a hazard analysis, which identifies all potential overpressure scenarios and consequences of the scenarios. A SIL appropriate to the risk should be selected and the design should be validated for adherence to this SIL.

All of the regulatory and standards issues boil down to a few simple rules:

  • Specific regulatory and enforcement jurisdiction requirements must be determined. In some instances, approval of local authorities is required.
  • Regulatory and standards requirements must be understood by all parties, including management, I&E, operations, and maintenance.
  • Detailed hazard assessment must be performed to demonstrate that the HIPS solution can adequately address all credible overpressure scenarios.
  • The User must verify that HIPS will work from a process standpoint (i.e., Can the valves shut in time to prevent pressure wave propagation?).
  • The availability of the HIPS must be as good as or better than the availability of the "passive" mechanical device it replaces.
  • The User must understand the importance of application-specific design aspects, as well as the associated costs of the intensive testing and maintenance program whenever a HIPS is utilized.
  • Finally, there is no "approved" rubber stamp in any regulation or standard for the use of HIPS for replacement of relief devices on pressure vessels or pipelines. Substantial cautionary statements are made in all of the regulations and standards, concerning the use of HIPS. No matter what documentation is created, the User still has the responsibility to provide a safe and environmentally friendly operation.


  1. "Guide for Pressure-Relieving and Depressurizing Systems," API 521, Fourth Edition, American Petroleum Institute, March 1997.
  2. "Pressure Vessels with Overpressure Protection by System Design," Section VIII, Divisions 1 and 2, ASME Code Case 2211, The 1995 Boiler Pressure Vessel Code, American Society of Mechanical Engineers, 1995.
  3. "Application of Safety Instrumented Systems for the Process Industries," ANSI/ISA-S84.01-1996, ISA, Research Triangle Park, NC, 1996.
  4. IEC 61508, 65A/255/CDV, "Functional safety of electrical/electronic/programmable electronic safety related systems," Parts 1, 3, 4, and 5, International Electrotechnical Commission, Final Standard, December 1998.
  5. IEC 61508, 65A/255/CDV, "Functional safety of electrical/electronic/programmable electronic safety related systems," Parts 2, 6, and 7, International Electrotechnical Commission, Final Draft International Standard, January 1999.
  6. "Process Safety Management of Highly Hazardous Chemicals; Explosives and Blasting Agents," 29 CFR Part 1910, OSHA, Washington, 1992.
  7. "Risk Management Programs for Chemical Accidental Release Prevention," 40 CFR Part 68, EPA, Washington, 1996.
  8. Ford, K.A. and Summers, A.E., "Are Your Instrumented Safety Systems up to Standard?," Chemical Engineering Progress, 94, pp. 55-58, November, 1998.
  9. Summers, A.E., "Techniques for assigning a target safety integrity level," ISA Transactions, 37, pp. 95-104, 1998.
  10. "Safety Instrumented Systems (SIS) - Safety Integrity Level (SIL) Evaluation Techniques, Part 1: Introduction," TR84.0.02, Draft, Version 4, March 1998.
  11. "Safety Instrumented Systems (SIS) - Safety Integrity Level (SIL) Evaluation Techniques, Part 2: Determining the SIL of a SIS via Simplified Equations," TR84.0.02, Draft, Version 4, March 1998.
  12. "Safety Instrumented Systems (SIS) - Safety Integrity Level (SIL) Evaluation Techniques, Part 3: Determining the SIL of a SIS via Fault Tree Analysis," TR84.0.02, Draft, Version 3, March 1998.
  13. "Safety Instrumented Systems (SIS) - Safety Integrity Level (SIL) Evaluation Techniques, Part 4: Determining the SIL of a SIS via Markov Analysis," TR84.0.02, Draft, Version 4, March 1998.
  14. "Safety Instrumented Systems (SIS) - Safety Integrity Level (SIL) Evaluation Techniques, Part 5: Determining the PFD of SIS Logic Solvers via Markov Analysis," TR84.0.02, Draft, Version 4, April 1998.


Dr. Angela Summers is President of SIS-TECH Solutions, LLC, specializing in safety instrumented system assessment and design. Angela contributed extensively to the development of ISA TR84.0.02, a guidance document on verifying safety integrity levels for SISs. Angela has also contributed to the development of the dIEC 61511 standard through involvement with the ISA S84 committee. Angela has taught courses on SIS assessment, evaluation and design to over 1500 process industry representatives worldwide. She has traveled extensively presenting papers at numerous technical conferences and has published papers in major trade journals.

Angela Summers has a Ph.D. in Chemical Engineering from The University of Alabama and a Masters of Engineering in Environmental Systems Engineering from Clemson University. She is a registered Professional Engineer in the State of Texas and an Adjunct Professor at the University of Houston-Clear Lake. Angela is a member of the International Society for Measurement and Control and is a member of the American Institute of Chemical Engineers.
