
SAEP-354

The document SAEP-354 outlines the design requirements and responsibilities for High Integrity Protection Systems (HIPS) within Saudi Aramco, detailing their application, selection criteria, and the Safety Life-cycle. It establishes methodologies for implementing HIPS to enhance safety in various process applications and defines the roles involved in managing these systems. The document includes references to applicable standards, terminologies, and instructions for project execution related to HIPS.


Engineering Procedure

SAEP-354 30 June 2020


High Integrity Protection Systems Design Requirements
Document Responsibility: High Integrity Protection Systems Standards Committee

Contents
1 Scope
2 Conflicts and Deviations
3 Applicable Documents
4 Terminology
5 Instructions
6 Responsibilities
7 Grandfather Clause
Revision Summary

Appendix A - Safety Life Cycle RACI Matrix
Appendix B - Basic HIPS Design Requirements
Appendix C - Documentation
Appendix D - HIPS Decision Flowchart

Previous Issue: 5 November 2017 Next Planned Update: 5 November 2022


Contact: Dhir, Arvind (dhirax) on phone +966-013-8808475

©Saudi Aramco 2020. All rights reserved.

Saudi Aramco: Company General Use



1 Scope

1.1 This Saudi Aramco Engineering Procedure (SAEP) defines the applications,
selection criteria, and requirements for each phase of the Safety Life-cycle for
High Integrity Protection Systems within Saudi Aramco.

1.2 This SAEP establishes the methodology and procedures for implementing HIPS
that will functionally replace or augment mechanical over-pressure relief
devices or systems to reduce flare or relief system loads for process equipment,
pipelines, wellhead flowlines, gas manifolds, or other special purpose
applications. This SAEP may be applied to HIPS responding to any typical
process measurement such as level, pressure, or temperature.

1.3 This document also defines the roles and responsibilities for managing the
Safety Life-cycle.

2 Conflicts and Deviations

Any conflict between this document and other Applicable Mandatory Saudi Aramco
Engineering Requirements (MSAERs) shall be addressed in writing to the EK&RD
Coordinator.

Any deviation from the requirements herein shall follow internal company procedure
SAEP-302, Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco
Engineering Requirement.

3 Applicable Documents

The selection of material and equipment, and the design, construction, maintenance, and
repair of equipment and facilities covered by this standard shall comply with the latest
edition of the references listed below, unless otherwise noted.

3.1 Saudi Aramco References

Saudi Aramco Engineering Procedures


SAEP-27 Pipelines/Piping Hydraulic Surge Analysis
SAEP-149 Risk Assessment for High Integrity Protection Systems
SAEP-250 Safety Integrity Level Assignment and Verification
SAEP-302 Instructions for Obtaining a Waiver of a Mandatory
Saudi Aramco Engineering Requirement
SAEP-360 Project Planning Guidelines
SAEP-363 Pipeline Simulation Model Development and Support

SAEP-373 High Integrity Protection Systems - Inspection Requirements

Saudi Aramco Engineering Standard


SAES-J-601 Emergency Shutdown and Isolation Systems

Saudi Aramco Best Practice


SABP-Z-076 Guideline for Development of Safety Requirements
Specification

Saudi Aramco Engineering Report


SAER-5437 Guidelines for Conducting HAZOP Studies

3.2 Industry Codes and Standards

International Electrotechnical Commission


IEC 61511:1-3 Functional Safety - Safety Instrumented Systems for
the Process Industry Sector

4 Terminology

4.1 Abbreviations
BPCS Basic Process Control System
CMS Capital Management System
CSD Consulting Services Department
DBSP Design Basis Scoping Paper
ESD Emergency Shutdown System
ESR Engineering Service Request
ESP Electric Submersible Pump
FEL Front End Loading
FTA Fault Tree Analysis
HIPS High Integrity Protection System
HFT Hardware Fault Tolerance
IPL Independent Protection Layer
IPT Integrated Project Team
LCC Life Cycle Cost

LPD Loss Prevention Department
MAOP Maximum Allowable Operating Pressure
MAWP Maximum Allowable Working Pressure
MOC Management of Change
MTTR Mean Time to Repair
P&ID Piping & Instrument Diagram
PFD Probability of Failure on Demand
PFDavg Probability of Failure on Demand average
PHA Process Hazard Analysis
PM Preventive maintenance
PST Process Safety Time
RACI Responsible, Accountable, Consulted, Informed
RBD Reliability Block Diagram
SCADA Supervisory Control and Data Acquisition
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
SIWHP Shut-in Wellhead Pressure
SOE Sequence of Event Recorder
T&I Testing & Inspection

4.2 Definition of Terms

C1 Projects: Projects with a capital value ≤ $100MM and with low complexity
as defined in SAEP-360. The proponent runs, executes, and acts as the
construction agency.

Consequence: For the purpose of this document, consequence will mean the
negative outcome of any event, expressed qualitatively or quantitatively.

Demand: Unmitigated frequencies of a potential load (in this document
exceeding predetermined conditions) on a system. Normally, if the
predetermined conditions exceed the system design limits, the system is required
to perform an action protecting the equipment(s) or the process.

Emergency Shutdown System (ESD): A Safety Instrumented System designed
for the purpose of taking the process, or specific equipment in the process, to a
safe state when predetermined conditions are violated, i.e., to isolate, de-energize,
shut down or de-pressure a process unit or process equipment.

Event: Occurrence of a particular set of circumstances. The event can be
singular or multiple. The probability associated with the event can be estimated
for a given period of time.

Fail-safe: The capability to go to a predetermined safe state in the event of a
specific malfunction.

Failure: Termination of the ability of a system, structure, or component to
perform its required function. Failures may be unannounced and undetected until
the next inspection (unannounced failure), or they may be announced and detected
by any number of methods at the instance of occurrence (announced failure).

Fault-Tolerant System: A system incorporating design features which enable
the system to detect, discriminate, and log transient or steady-state error or fault
conditions and take appropriate corrective action while remaining on-line and
performing its specified function.

Final Element: The whole assembly of components physically taking the
process to a safe state, for example a valve assembly [including solenoid
valve(s), quick exhaust(s), actuator and line isolation valve], or an interposing
relay and electro-mechanical component (Energized-To-Trip, e.g., breaker
operated by shunt coil) to cut the power to the electrical system associated with
electric submersible pump(s).

Fortified Zone: A section of pipe with an increased pressure rating located
downstream of the HIPS isolation valves to allow time to respond to the system
closure determined by the pressure transient calculations. The pressure rating of
the fortified section is project-specific and ranges from the maximum allowable
working pressure (MAWP) of the flowline/pipeline, to the same as the full
rating of the pressure source (e.g., tree).

Hazard: A potential source of harm to people, property, or environment.
Components that are used to transport, store, or process a hazardous material can
be a source of a hazard.

High Integrity Protection Systems (HIPS): High availability, fail safe Safety
Instrumented System (SIS) with dedicated Safety Instrumented Functions (SIFs),
designed to reduce the size of or replace a mechanical relief system by isolating
the source of the over-pressure. A HIPS may respond to any typical process
measurement such as level, pressure, or temperature. A HIPS system is designed
as an independent and separate safety protection layer from any other process
control (BPCS, DCS and RTU/SCADA) and ESD safety systems. A HIPS
system must be in compliance throughout the system Safety Life Cycle to the
strict conditions of approval resulting from the risk assessment, dynamic process
simulations, and other specific design considerations.
Commentary Note:

For all new projects or new installations the HIPS logic solver shall be
independent of any other process control (BPCS, DCS and RTU/SCADA) and
ESD safety systems.

Integrated Project Team (IPT): A team composed of appointed members
from different organizations who work in an integrated manner and have clear
roles and accountabilities toward project planning and execution. Refer to
SAEP-360.

Life Cycle Cost: Total Capital Expenditure plus Operational Expense including
operation, testing, inspection, maintenance, administration, etc., through the
expected life of the system.

Maximum Allowable Operating Pressure (MAOP): The highest operating
pressure allowable at any point in a pipeline system during normal flow or static
conditions. Usually used in reference to pressurized piping systems.

Maximum Allowable Working Pressure (MAWP): The maximum gauge
pressure permissible at the top of a completed vessel in its normal operating
position at the designated coincident temperature specified for that pressure.
Usually used in reference to pressure vessels. MAOP and MAWP are widely
used in industry and will be found interchangeably in this document.

Mitigate: Limit any negative consequences of a particular event.

Process Hazard Analysis: The identification of undesired events that lead to
the realization of a hazard, the analysis of the mechanisms by which these
undesired events could occur and usually the estimation of the extent,
magnitude, and likelihood of any harmful effects.

Process Safety Time: The time that it takes for a hazardous situation (such as
loss of containment) to occur after the process exceeds the trip set point of the
Safety Instrumented Function (equivalent to Reaction Time per IEC 61511-2).
Commentary Note:

The ESD Safety Instrumented Function and the HIPS Safety Instrumented
Function have two different Process Safety Times.

Response Time: The time between the process reaching the HIPS trip set point
and the final element reaching the safe state.
Commentary Note:

The ESD Safety Instrumented Function and the HIPS Safety Instrumented
Function have two different Reaction Times.

Risk: A measure of economic loss, environmental degradation or human injury
in terms of both the incident likelihood and the magnitude of the loss,
degradation or injury.

Risk Assessment: Describes a detailed qualitative, semi-quantitative, or
quantitative analysis to estimate the potential likelihood and consequences of
site-specific events, and to then compare the risk with acceptance criteria.

Safe-State: The state of the process when safety, freedom from unacceptable
risk, is achieved. Unless otherwise specified, the safe-state of the HIPS
components shall be De-energized-to-Trip.

Safety Instrumented Function (SIF): Function with a specified safety
integrity level, implemented in an SIS, and intended to achieve or maintain a
safe state for the process, with respect to a specific hazardous event.

Safety Instrumented System (SIS): Instrumented system used to implement
one or more safety instrumented functions. An SIS is composed of any
combination of sensor(s), logic solver(s), and final element(s).

Safety Integrity Level (SIL): A discrete level (1, 2, 3, or 4) specifying the
average probability of a SIS satisfactorily performing the required SIF under all
stated conditions within a stated period of time. SILs are defined in terms of
overall system safety availability or probability of failure on demand-average
(PFDavg). This dimensionless number is calculated for an entire SIS loop(s)
consisting of input device(s), the logic solver and final output device(s).

Safety Life Cycle: The sequence of necessary activities involved in the
implementation of SIF(s) occurring during a period of time that starts at the
concept phase of a project and finishes when all of the SIF(s) are decommissioned
(refer to IEC 61511).

Safety Requirements Specification (SRS): The specification that contains
all the requirements of the SIF(s) that have to be performed by the SIS.
The document shall follow the guidelines of SABP-Z-076.

Shall: Indicates a mandatory requirement.

Should: Indicates a preferential requirement.

Verification: Per IEC 61511, activity of demonstrating for each phase of the
relevant safety life cycle by analysis and/or tests, that for specific inputs, the
outputs meet in all respects the objectives, and requirements set for the specific
phase.

5 Instructions

Projects implementing HIPS shall follow the typical project execution with the
additional requirements as described in the following sections. Appendix D translates
this process into Saudi Aramco Project Phases. The Safety Life Cycle RACI Matrix in
Appendix A provides an overview of the process and responsibilities.

5.1 Business Case

For a project considering HIPS, the associated risks and responsibilities of HIPS
Life Cycle Management (functional testing, maintenance, inspection, and
reporting) shall be considered. Proponent and planning organizations shall take
into consideration the base design (inherently safe design or conventional
mechanical pressure relief systems) versus acceptable applications for HIPS and
the advantages / disadvantages.

5.1.1 Applications

The base design case for over-pressure protection is equipment and
piping that meet or exceed the MAWP and/or a conventional, passive
relief system. A passive relief system strictly relies on passive
components such as pressure relief valves and relief or flare systems.

The following are applications within Saudi Aramco where HIPS are
considered:

5.1.1.1 Conventional Gas Production (Offshore)

For conventional high pressure (shut-in wellhead pressure
exceeds 20,700 kPa (3,000 psig)), sour or sweet gas wells
over-pressure protection HIPS at the wellhead/platform to protect
the under rated flow line and trunk line shall be used. No LCC
Analysis is required.

5.1.1.2 Conventional Gas Production (Onshore)

For conventional high pressure (shut-in wellhead pressure
exceeds 20,700 kPa (3,000 psig)), sour or sweet gas wells
over-pressure protection HIPS at the wellhead to protect the
under rated flow line and trunk line are an acceptable
alternative to a flare. This is an approved use of HIPS but
requires an LCC Analysis.

5.1.1.3 Conventional Oil Production (Onshore and Offshore)

Where water injection or ESP causes wells to develop a
SIWHP that exceeds the MAOP of the collection network
(under rated flow line and trunk line), HIPS at the
wellhead/platform shall be used. No LCC Analysis is required.

5.1.1.4 Special Purpose Applications-Inlet and Downstream Facilities

HIPS applications fall within the criteria of functionally
replacing or augmenting mechanical over-pressure relief devices
or systems to replace or reduce flare loads. HIPS require an
Application Acceptability Study and a LCC Analysis.

5.1.1.5 Government Regulations, Authorities, and Environmental Laws

HIPS shall be used when conventional relief, venting and/or
flaring is not allowed by government regulations or authorities,
or when environmentally protected areas are affected by
conventional means of over-pressure protection. A HIPS
Application Acceptability Study is required but not a LCC.

5.2 HIPS Application Acceptability Study

5.2.1 Selection Criteria

The HIPS system shall:
a. Meet or exceed the SIL and feature a PFD equal to or less than the
calculated value during the risk assessment and SIL assignment per
SAEP-250.
b. Meet the risk criteria per SAEP-250 Appendix H.
c. Be more cost effective (considering capital and operational expenses
over the design life of the facility) than the other viable alternative
solutions.

5.2.2 Process Hazard Analysis

The IPT in conjunction with the Proponent shall refer to SAER-5437 and
identify the process hazards on the candidate HIPS, evaluating only
hazardous over-pressure scenarios, including:
a. Interfacing systems and other Budget Items (projects).
b. The unmitigated frequency of each cause with potential to become a
hazardous over-pressure event (incident), and its consequences.
Commentary Notes:

Check valves, when installed on non-scrapable lines, shall not be
considered as a hazardous over-pressure initiating cause.

Special consideration shall be given to proper evaluation of human
error factors during manual operations, their frequency of initiating
events and the possible mitigation strategies.

c. Active protection systems (e.g., BPCS, ESD, partial flare and/or
HIPS).
d. Alarm and Operator interventions, and allowable operator reaction
time.
e. For existing installations (brownfield projects) verify the actual
MAOP of the system(s) to be protected.
f. Recommendations to lower the over-pressure risk.
Commentary Note:

It is recommended to follow the HAZOP structured approach,
evaluating only over-pressure scenarios and without risk ranking.

IPT shall obtain further assistance as needed on the level of details
required and the adequacy of the proposed technique from LPD.

A dynamic simulation per Section 5.3.1 shall be performed as a
requirement for completion of the Hazard Analysis and Risk Assessment
in order to ensure there is sufficient PST for the HIPS to perform their
function.

5.2.3 Safety Requirements Specification - Preliminary

The IPT shall develop a SRS as per SABP-Z-076. The SRS shall
provide a written explanation of the process or operations where the
candidate HIPS will be used. The SRS shall specify how the HIPS will
respond to protect the process during all conceivable operational
scenarios, e.g., startup, normal operation, induced emergency shutdown,
process deviations or intermittent operations such as line scraping
operations. The SRS shall include a description of the Basic Process
Control System (BPCS), over-pressure upset scenarios, initiating causes,
consequences of each upset and the frequencies of each upset. The SRS
shall describe the required additional resources and the modifications on
existing installations in addition to the explanation of the activities to be
carried out by operators.

5.2.4 Life-Cycle Cost Analysis

The IPT shall conduct Life-Cycle Cost analyses on the HIPS application
and the other alternatives (non-HIPS), except as indicated in this
specification. All options shall be documented and tabulated. The HIPS
shall be evaluated versus the cost of implementing a conventional
flare/relief system; or upgrading equipment and piping to meet or exceed
new MAWP.

If a conventional system is impracticable or will not resolve the
particular process or pipeline design limits, the IPT shall document the
reasoning.

The IPT shall compare LCC for each candidate HIPS alternative. If the
comparative analysis shows that a conventional approach is technically
viable and as cost effective as the HIPS approach, use the conventional
approach due to the inherent safety of a passive, conventional system.

5.2.5 HIPS Report for Application Acceptability Study

The IPT shall compile and submit the HIPS Report, with all supporting
project documentation per Appendix C for this phase, to all members of
the HIPS Unit for verification using the eReview process. After
verification by the HIPS Unit, the IPT shall issue an ESR to the HIPS
Unit requesting recommendation for approval for the subject phase.
Commentary Note:

For C1 projects and when the information is not defined clearly at the
FEL 2 Study Phase, activities (documentation and review) may be
combined with the next Phase (see following section).

Upon formal recommendation for approval by the HIPS Unit for the
HIPS, a letter indicating HIPS as the best option shall be prepared by the
IPT and approved by the Proponent Manager.

5.3 HIPS Implementation Study

The IPT shall conduct the analysis and prepare the documents as follows:

5.3.1 Dynamic Process Simulation / Transient Flow Analysis

5.3.1.1 The dynamic simulation shall utilize dynamic process
simulation tools, such as HYSYS or UNISIM, for modeling
the dynamic closure of the final element(s) to determine the
pressurization rate. This shall be integrated with OLGA
software to perform the overall analysis.

5.3.1.2 All HIPS designs shall include dynamic process simulation or
transient flow analysis (referred to as analysis in this section).
The analysis shall define the following key design criteria for
the HIPS:
a) Determine the required speed of response by the ESD
SIF and HIPS SIF for the applicable design
contingencies for which the HIPS is being installed.
This shall include determination of the shortest estimated
Process Safety Time, for ESD SIF and HIPS SIF, based
on the PHA over-pressure scenarios and confirmation of
the ESD and HIPS trip set points. The analysis shall
exclude manual valves, check valves, and spectacle
blinds as over-pressure initiating causes.
b) In liquid service, determine if the upstream pressure wave
generated by HIPS valve operation (referred to as liquid
hammer, hydraulic hammer, or pressure surge) will lead to
excessive upstream over-pressure per SAEP-27. HIPS
shall not be used to protect against liquid surge. HIPS can
only respond to static over-pressure conditions.
c) Demonstrate that the increase in pressure associated with
any scenario after the HIPS has been activated will not
continue beyond the value of the MAOP/MAWP for the
protected system.

5.3.1.3 The HIPS response time shall be equal to or less than the
minimum PST. HIPS response time should be designed as
half of the minimum process safety time. For example, if the
minimum PST is 20 seconds, the HIPS should respond in
10 seconds. The minimum PST requirements are as follows:
a) Onshore HIPS PST shall be ≥ 20 seconds
b) Offshore HIPS PST shall be ≥ 10 seconds
Commentary Note:

The PST stated above is applicable for HIPS system design
requirements only. The performance of HIPS shall be
evaluated on a case-by-case basis as per actual PST time
available.

For HIPS with ZV valve(s) as final elements, the HIPS valve
closure stroke time shall not be less than 4.0 seconds.

5.3.1.4 The analysis shall show the HIPS response time (closed loop
performance) considering at least two cases: one with a HIPS
response time of half (0.5) of the process safety time, and the
other three quarters (0.75) of the process safety time.
Response time constraints shall be as per paragraph 5.3.1.3 of
this specification.

5.3.1.5 The Simulation Model must include within the response time
a minimum time value of 1.0 second to account for the
sensors, the logic solver and the activation of the final
elements. This response time is exclusive of the final element
reaching the safe state.

5.3.1.6 The Process Safety Time shall be estimated for all valid
process operational contingency scenarios of operation and
process conditions combined.

5.3.1.7 The analysis shall be performed and reviewed by qualified
technical personnel with experience in the area of fluid
dynamic analysis.

5.3.1.8 If the analysis shows that the HIPS does not have sufficient
time to protect against the worst case scenario, a fortified
zone or other methods shall be used in order to increase the
process safety time.
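
The timing rules of paragraphs 5.3.1.3 to 5.3.1.5 and 5.3.1.8, written as a design check. This is an added example and not part of SAEP-354; the class, function and rule names are hypothetical, the sample values are constructed, and it assumes the total response time is the sensor/logic/activation time plus the ZV closure stroke time.

```python
from dataclasses import dataclass

# Limits quoted from paragraphs 5.3.1.3 and 5.3.1.5 of the procedure.
MIN_PST_S = {"onshore": 20.0, "offshore": 10.0}  # minimum PST per location
MIN_SIGNAL_PATH_S = 1.0   # sensors + logic solver + activation of final elements
MIN_ZV_STROKE_S = 4.0     # ZV closure stroke time shall not be less than this
DESIGN_TARGET = 0.5       # response time "should" be half of the minimum PST
ANALYSIS_CASES = (0.5, 0.75)  # the two cases required by 5.3.1.4


@dataclass(frozen=True)
class HipsTiming:
    """Timing inputs for one HIPS SIF (hypothetical structure)."""
    location: str          # "onshore" or "offshore"
    min_pst_s: float       # shortest PST from the dynamic simulation
    signal_path_s: float   # trip set point reached -> final element activated
    zv_stroke_s: float     # final element activated -> safe state reached

    @property
    def response_time_s(self) -> float:
        # Assumption: Response Time (section 4.2) is the sum of both parts.
        return self.signal_path_s + self.zv_stroke_s


def check_timing(t: HipsTiming) -> dict:
    """Return findings as (level, rule, message) tuples plus derived values."""
    if t.location not in MIN_PST_S:
        raise ValueError(f"unknown location: {t.location!r}")

    findings = []
    if t.min_pst_s < MIN_PST_S[t.location]:
        findings.append(("shall", "min-pst",
                         f"{t.location} PST {t.min_pst_s} s is below "
                         f"{MIN_PST_S[t.location]} s (5.3.1.3)"))
    if t.signal_path_s < MIN_SIGNAL_PATH_S:
        findings.append(("shall", "signal-path",
                         f"model allows {t.signal_path_s} s for sensors, logic "
                         f"solver and activation; minimum is 1.0 s (5.3.1.5)"))
    if t.zv_stroke_s < MIN_ZV_STROKE_S:
        findings.append(("shall", "zv-stroke",
                         f"ZV stroke time {t.zv_stroke_s} s is below 4.0 s "
                         f"(5.3.1.3)"))

    # 5.3.1.8: not enough time means a fortified zone or another method is
    # needed to increase the process safety time.
    needs_more_pst = t.response_time_s > t.min_pst_s
    if needs_more_pst:
        findings.append(("shall", "response-le-pst",
                         f"response time {t.response_time_s} s exceeds the "
                         f"minimum PST {t.min_pst_s} s (5.3.1.3, 5.3.1.8)"))
    elif t.response_time_s > DESIGN_TARGET * t.min_pst_s:
        findings.append(("should", "response-half-pst",
                         f"response time {t.response_time_s} s exceeds half of "
                         f"the minimum PST {t.min_pst_s} s (5.3.1.3)"))

    # 5.3.1.4: stroke time left over in each analysis case once the
    # sensor/logic/activation time has been subtracted.
    stroke_budget = {f: f * t.min_pst_s - t.signal_path_s for f in ANALYSIS_CASES}

    return {
        "response_time_s": t.response_time_s,
        "needs_more_pst": needs_more_pst,
        "stroke_budget_s": stroke_budget,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample designs, not taken from any project.
    samples = [
        HipsTiming("onshore", 20.0, 1.0, 9.0),
        HipsTiming("onshore", 20.0, 1.0, 12.0),
        HipsTiming("offshore", 8.0, 0.5, 3.0),
        HipsTiming("onshore", 20.0, 1.0, 21.0),
    ]
    for s in samples:
        result = check_timing(s)
        print(s, "->", result["response_time_s"], "s")
        for level, rule, message in result["findings"]:
            print(f"  [{level}] {rule}: {message}")
```
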

5.3.2 Risk Assessment Study

Risk assessment study shall be performed per SAEP-149.

The purpose of the risk assessment study is to evaluate the over-pressure
safety risks associated with the project and thus propose mitigation and
protection measures in line with Saudi Aramco standards.

For wellhead applications, the risk assessment shall determine the
maximum number of HIPS (high pressure wells or production
platforms) that can produce to a common network (header, manifold,
trunk line).
Commentary Note:

For Risk Assessment planning and budgeting IPT shall consult with
LPD. For SIL assignment and verification SAEP-250 shall be followed.

For further assistance consult with LPD.

5.3.3 SIL Assignment


The IPT shall perform a SIL Assignment per SAEP-250 to ascertain
the risk gap. The SIL Assignment may be performed in conjunction
with or following the Process Hazard Analysis (PHA).

When multiple SIS's are protecting a system (e.g., multiple HIPS at
different well heads protecting the piping and trunk lines) and the
demands on these SIS's are simultaneous, evaluate the combined
contribution of all SIS's in the assessment taking into account common
cause failures.

If the risk associated with each candidate HIPS exceeds the acceptable
risk of a SIL-3 system, the process must be redesigned. SIL-4
assignments are strictly not allowed.

5.3.4 Safety Requirements Specification

The IPT shall develop the SRS per SABP-Z-076 and receive
concurrence per SAES-J-601 Section 9 and IEC 61511-1, Section 10,
including the additional details as follows:
a) Operating parameters,
b) Independent Protection Layer Set Points,
c) Independent Protection Layer Functionality,
d) Special provisional requirements (e.g., environmental, diagnostics,
testing)

The SRS shall include a description of how each of the over-pressure
protection layers is intended to function, including any assumptions
made regarding their integrity. The SRS shall document any extreme
environmental and process conditions at the location of the facility that
are specific to the project. If nuisance trips can cause cascaded tripping
of other units, the trips must be considered in the design basis.

The SRS shall provide a detailed, written explanation of how the HIPS
will function to protect the process, equipment or pipeline from over-
pressure scenarios. It shall explain how the HIPS will respond during
all conceivable operational scenarios, e.g., startup, normal operation,
induced emergency shutdown, process deviations, or intermittent
operations such as line scraping operations.

5.3.5 HIPS Preliminary Design

The IPT shall develop a preliminary design including a schematic for the
HIPS, which will demonstrate the overall operation of the HIPS design
and how each component within the HIPS will be functionally tested
and verified (when the plant/platform/wellhead is on-line and offline).
The design shall meet the general design requirements in Appendix B.

5.3.6 HIPS SIL Verification Report - Preliminary

The IPT shall verify that the HIPS Preliminary Design meets the design
requirements specified in the SRS using a Reliability Block Diagram or
any of the verification methods identified in SAEP-250. The HIPS
components shall be certified by a functional safety third-party notified
body, with dangerous undetected failure rates that meet the target PFD,
accounting for appropriate derating based on real operating conditions.
The failure data source and specifications of the selected components /
equipment shall be included in the HIPS Package.
Commentary Note:

When third-party certifications for components are not available,
component failure rates from recognized industry sources shall be
used. The subject failure rates shall be reviewed for proper derating
based on real operating conditions.

5.3.7 HIPS Report for Implementation Study

The IPT shall compile and submit the HIPS Report, with all
supporting project documentation per Appendix C for this phase, to
all members of the HIPS Unit for verification using the eReview
process. After verification by the HIPS Unit, the IPT shall issue an
ESR to the HIPS Unit requesting recommendation for approval for
the subject phase.

5.4 Detailed Engineering

Upon approval and endorsement of the HIPS preliminary design, including any
conditions of approval, the IPT shall proceed with the detailed design of the HIPS.

5.4.1 HIPS Detailed Design

The IPT shall develop the detailed design that addresses the
requirements identified in the SRS and meets the general design
requirements in Appendix B.

5.4.1.1 HIPS Logic Diagrams

The IPT shall provide an annotated logic diagram showing
how the HIPS is controlled and all the logic/calculation steps
involved. Include test and inspection logic. A cause and
effect diagram shall support the HIPS logic.

5.4.1.2 Components Selection

The HIPS components shall be certified by a functional
safety third-party notified body, with dangerous undetected
failure rates that meet the target PFD, accounting
for appropriate derating based on real operating conditions.
The failure data source and specifications of the selected
components / equipment shall be included in the HIPS
Design Package.
Commentary Note:

When third-party certifications for components are not available,
component failure rates from recognized industry sources
shall be used. The subject failure rates shall be reviewed for
proper derating based on real operating conditions.

Careful selection of components that make up the HIPS is
required to ensure safety performance targets are met over the
installed life of the system.

5.4.1.3 Proposed HIPS Equipment List

The IPT shall prepare a HIPS equipment list and include it in
the HIPS Design Package.

5.4.2 SIL Verification

The IPT shall perform a SIL Verification based on the selected
components and design of the HIPS per SAEP-250. This verification
confirms the actual design (overall architecture defined, test intervals
established, and components selected) meets the required PFD defined
by the process.

The PFDavg shall take into consideration common cause failures (Beta
factor) of redundant components per SAEP-250. The determination of
the common cause factor shall be documented.

The PFDavg and the HFT of the HIPS operational degradation modes
shall be calculated.

The following test interval frequencies, repair time, and Beta factors
shall be used for RBD or FTA and SIL reliability verification:
a) Primary sensors and elements: ≤ 12 months (applying analog
components).
b) Logic Solver: ≤ 12 months.
c) Final Elements:
Partial Stroke Test ≤ 3 months; credit in the SIL assessment can be
taken only if repair of final element failures detected during
partial stroke testing occurs within the MTTR.
Full stroke ≤ 12 months.
d) Mean Time to Repair (MTTR):
Onshore 24 hours.
Offshore 72 hours.
e) Minimum Common Cause (Beta) Factor:
Per SAEP-250 Appendix L.
f) RBD or FTA sensitivity analysis shall be provided for Beta Factors
of 3% and 5%.
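The Beta-factor sensitivity analysis called for in item f), worked through as an added example that is not part of SAEP-354 or SAEP-250. It uses a common simplified mean-downtime approximation of PFDavg, takes the test intervals, MTTR values and partial-stroke credit rule from the list above, and assumes everything else: the failure rates, the 2oo3 / 1oo1 / 1oo2 voting, the 0.70 partial-stroke coverage and the 1e-3 target are constructed sample values.

```python
"""Simplified PFDavg / Beta-factor sensitivity check for one HIPS loop.

Added illustration only: failure rates, voting and coverage are constructed
sample values, and the formulas are a common simplified approximation, not
the SAEP-250 method.
"""
from dataclasses import dataclass

HOURS_PER_MONTH = 730.0                            # 8760 h / 12
MTTR_HOURS = {"onshore": 24.0, "offshore": 72.0}   # item d)
# Multiplier on the independent (squared) term for redundant voting.
VOTING_FACTOR = {"1oo2": 4.0 / 3.0, "2oo3": 4.0}


@dataclass
class Subsystem:
    name: str
    voting: str                   # "1oo1", "1oo2" or "2oo3"
    lambda_du: float              # dangerous undetected failures per hour
    full_test_months: float
    pst_months: float = 0.0       # partial stroke interval, 0 = no PST
    pst_coverage: float = 0.0     # share of lambda_du a PST reveals (assumed)
    pst_repair_within_mttr: bool = False


def check_intervals(s):
    """List violations of the interval limits in items a) to c)."""
    problems = []
    if s.full_test_months > 12:
        problems.append(f"{s.name}: full test interval exceeds 12 months")
    if s.pst_months > 3:
        problems.append(f"{s.name}: partial stroke interval exceeds 3 months")
    return problems


def mean_downtime(s, mttr_h):
    """Mean hours a dangerous undetected fault persists, including repair."""
    hidden = s.full_test_months * HOURS_PER_MONTH / 2.0
    # Item c): PST credit only if detected failures are repaired within MTTR.
    if s.pst_months > 0 and s.pst_repair_within_mttr:
        pst_hidden = s.pst_months * HOURS_PER_MONTH / 2.0
        hidden = s.pst_coverage * pst_hidden + (1.0 - s.pst_coverage) * hidden
    return hidden + mttr_h


def pfd_avg(s, beta, mttr_h):
    """PFDavg of one subsystem: independent term plus common cause term."""
    exposure = s.lambda_du * mean_downtime(s, mttr_h)
    if s.voting == "1oo1":
        return exposure
    independent = VOTING_FACTOR[s.voting] * ((1.0 - beta) * exposure) ** 2
    return independent + beta * exposure


def sil_band(pfd):
    """Low-demand SIL band for a PFDavg (0 means worse than SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def sensitivity(loop, location, betas=(0.03, 0.05)):
    """Loop PFDavg for each Beta factor required by item f)."""
    mttr_h = MTTR_HOURS[location]
    return {b: sum(pfd_avg(s, b, mttr_h) for s in loop) for b in betas}


def meets_target(results, target_pfd):
    """True only if every sensitivity case stays at or below the target."""
    return all(pfd <= target_pfd for pfd in results.values())


# Constructed loop: 2oo3 transmitters, 1oo1 logic solver, 1oo2 valves.
SENSORS = Subsystem("pressure transmitters", "2oo3", 3e-7, 12)
LOGIC = Subsystem("logic solver", "1oo1", 1e-8, 12)
VALVES = Subsystem("HIPS valves", "1oo2", 4e-6, 12, pst_months=3,
                   pst_coverage=0.70, pst_repair_within_mttr=True)
LOOP = [SENSORS, LOGIC, VALVES]

if __name__ == "__main__":
    for s in LOOP:
        for problem in check_intervals(s):
            print("interval violation:", problem)
    results = sensitivity(LOOP, "onshore")
    for beta, pfd in results.items():
        print(f"beta={beta:.0%}  PFDavg={pfd:.3e}  SIL {sil_band(pfd)}")
    print("meets assumed target 1e-3:", meets_target(results, 1e-3))
```

On this constructed loop, setting `pst_repair_within_mttr` to `False` for the valves moves the 5% Beta case out of the SIL 3 band, which shows how much of the result rests on the repair condition in item c).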

5.4.3 HIPS Design Package Review

The IPT shall submit the HIPS Design package, with all supporting
project documentation per Appendix C for this phase, to all members
of the HIPS Unit for verification using the eReview process.

The HIPS Unit shall either endorse the design and selection of
components or recommend acceptable alternatives via formal
correspondence.

After verification by the HIPS Unit, the IPT shall issue an ESR to the
HIPS Unit requesting recommendation for approval for the subject
phase.

5.4.4 Procurement of HIPS

The IPT shall proceed with procurement of HIPS components upon
approval of the design package and update the detailed design
documentation package, identifying specific equipment descriptions,
functionality, operation, and testing procedures, test intervals, methods
and instructions.

5.4.5 Preventive Maintenance Test Procedure

The IPT shall develop a Preventive Maintenance Test Procedure to
explain all routine preventive maintenance testing methods and
procedures for HIPS primary sensors, logic solver and final control
elements. The testing procedures shall be based on the HIPS being on-
line and consider the final elements seat leakage, where applicable.

5.4.6 Final Transient Flow Analysis

The IPT shall update the Transient Flow Analysis accounting for any
changes in design, verifying assumptions, and closing out any open
items. Transient Flow Analysis for pipelines shall be conducted in
compliance with SAEP-363.

5.4.7 Final PHA Study

The IPT shall update the PHA study accounting for any changes in
design and closing out all open items.

5.4.8 Final Safety Requirements Specification

The IPT shall update the SRS data based on the actual design of the
HIPS.

5.4.9 Final HIPS Report

The IPT shall compile and submit the Final HIPS Report, with all
supporting project documentation per Appendix C for this phase, to all
members of the HIPS Unit for verification using the eReview process.
After verification by the HIPS Unit, the IPT shall issue an ESR to the
HIPS Unit requesting recommendation for approval for the subject
phase.

5.5 Construction and Startup of the HIPS

5.5.1 Factory Acceptance Test Procedure

The IPT shall prepare the FAT Procedure. The HIPS supplier shall be
the primary author. Testing shall comply with the requirements of
SAES-J-601 Section 11.

The IPT shall submit the FAT Procedure to all members of the HIPS
Unit for review using the eReview process. After verification by the
HIPS Unit, the IPT shall issue an ESR to the HIPS Unit requesting
recommendation for approval for the FAT Procedure.

5.5.2 Factory Acceptance Test

The IPT shall perform a FAT on all HIPS per the approved procedure.

The IPT shall notify the HIPS Unit at least two weeks in advance.

5.5.3 Storage and Preservation

The IPT shall store and preserve the HIPS after receipt at site in
accordance with manufacturer recommendations.

5.5.4 Pre-Commissioning and Testing

The IPT shall install and perform pre-commissioning of the system.
The principal concern is the installation of primary elements, sensors and
all final elements. Document the following activities:
a) Confirmation of Instrument Calibration
b) Loop checks

The IPT shall notify the HIPS Unit at least two weeks in advance.

5.5.5 Site Acceptance Test Procedure

The IPT shall prepare the SAT Procedure. The HIPS supplier shall be
the primary author. Testing shall comply with the requirements of
SAES-J-601 Section 11.

The IPT shall submit the SAT Procedure to all members of the HIPS
Unit for review using the eReview process. After verification by the
HIPS Unit, the IPT shall issue an ESR to the HIPS Unit requesting
recommendation for approval for the SAT Procedure.

5.5.6 Site Acceptance Test

The IPT shall perform a SAT on all HIPS per the approved procedure.

The IPT shall notify the HIPS Unit at least two weeks in advance.

5.5.7 HIPS SAP Tracking System

The IPT shall enter the HIPS into the HIPS SAP Tracking System
per SAEP-373. Entry is on an individual system basis by location,
e.g., well, platform, plant inlet.

5.5.8 Validation and Start-up

The proponent shall validate the installation, integrity, and functionality
of the HIPS prior to start-up against the approved SRS. Treat any
deviations from the SRS as safety-related and perform a risk analysis to
determine whether the deviation impacts the safety of the process.

Prior to start-up, the proponent shall confirm the following activities
have been performed and recorded:
a) Calibration of Instruments
b) Loop checks
c) Energy source verification
d) Pre-startup safety review
e) Site Acceptance Test
f) Training on operational and maintenance procedures

5.6 Operation and Maintenance

5.6.1 Maintenance Quality Assurance Manual

The proponent shall develop and maintain a Quality Assurance Manual
of the HIPS per SAEP-373.

The Quality Assurance Manual shall include the following procedures:
a) Preventive Maintenance Procedure
b) Test & Inspection Procedure
c) Management of Change Procedure

The Proponent shall submit the Manual for review and
recommendation for approval to the HIPS Unit using the eReview
process. The Proponent shall submit the Manual to all members of the
HIPS Unit for review using the eReview process. After verification by
the HIPS Unit, the Proponent shall issue an ESR to the HIPS Unit
requesting recommendation for approval for the Manual.

In order to meet the integrity requirements of the HIPS design,
procedures shall address diagnostics, testing, allowed bypassing
provisions and HIPS access security. Consequently, administrative
controls must be established and implemented to emphasize the
importance of repairing diagnosed faults, testing/repairing
instrumentation, and allowing bypass of HIPS functions only during
maintenance and not to ride out process upsets.

5.6.2 Maintenance Plan

The proponent shall develop and maintain a Maintenance Plan per
SAEP-373.

5.6.3 Training

The proponent shall conduct and document training of proponent
personnel per SAEP-373.

Adequate training (manuals, courses, etc.) and equipment shall be
provided to operating and maintenance personnel to ensure that the
integrity of the HIPS is maintained as designed. Training shall call
particular attention to the dire consequences of failure to maintain the
integrity of the HIPS.

The proponent shall keep and make available all training records for
any subsequent operation and safety compliance review.

5.6.4 Preventive Maintenance and Testing & Inspection

The proponent shall perform PM and T&I and record per SAEP-373.
The proponent shall conduct scheduled functional testing and
validation as prescribed by the testing interval for the HIPS.

Inspection personnel shall monitor the ongoing PM or T&I program
for the HIPS to ensure that the prescribed testing is conducted at the
prescribed intervals per SAEP-373.

The proponent shall keep in electronic format and make available all
testing and detailed maintenance records for any subsequent operation
and safety compliance review.

5.6.5 Auditing

The Inspection Department shall conduct random audits as part of the
continuing verification process.

5.6.6 Revalidation

At least every five years after commissioning of the system, the HIPS
application and installation shall be revalidated. This should be
performed in conjunction with the revalidation of the facility risk
assessment.

Revalidation involves the following:
a) Review of associated studies and confirmation of assumptions
b) Review of modifications since previous review
c) Review of process related incidents since previous review
d) Review of maintenance records since previous review
e) Walk down and witness of actual HIPS functional testing

5.7 Management of Change

5.7.1 Any subsequent process or equipment change that will result in a
change from the original operation or function of the HIPS shall
involve a complete MOC review of the associated process and HIPS.

5.7.2 MOC shall comply with the requirements of SAES-J-601, Section 12.

5.7.3 The proponent shall process Management of Change per SAEP-373.

5.8 Decommissioning

When the hazard that the HIPS protects against is deemed to no longer exist, the
proponent shall perform an analysis to update the hazard and risk assessment.

The proponent shall follow the process defined in SAEP-373.

5.9 Verification

Each phase of the Safety Life Cycle shall be verified per IEC 61511.

Verification activities include design reviews and performance testing of
completed HIPS to confirm performance meets the specification.

6 Responsibilities

The Safety Life Cycle RACI Matrix in Appendix A provides an overview of the process
and specific responsibilities.

6.1 Integrated Project Team

6.1.1 While developing the business case for a project, the IPT shall consider
the applications where HIPS may be a viable option. When a HIPS is
under consideration, the IPT shall notify and receive concurrence from
the proponent organization accepting the responsibilities of a HIPS.

6.1.2 The IPT shall agree to the project execution requirements of a HIPS as
defined by the specification during the Initial phase of the project.

6.1.3 The IPT is responsible for the execution of the capital project, inclusive
of managing the engineering contractor(s), third party risk consultant(s),
and process simulation consultant(s). The IPT is also responsible for
coordination of participation and reviews by company Subject Matter
Experts (SME).

6.2 Proponent Organization

6.2.1 The proponent organization shall agree to the testing and maintenance
requirements of a HIPS as defined by the specification during the Initial
phase of the project.

6.2.2 The proponent organization shall assign competent and knowledgeable
engineering, operations, and maintenance personnel to participate in the
Hazard and Risk Analysis and Assessments.

6.2.3 The proponent organization shall train, equip, and manage personnel to
operate, maintain, and function test the HIPS as required by the design.

6.2.4 The proponent organization shall operate, maintain, and function test the
HIPS as required to meet the testing interval of the design and meet the
requirements of SAEP-373.

6.3 Loss Prevention Department

6.3.1 LPD shall support the IPT in planning and performing the Hazard and
Risk Assessments.

6.3.2 LPD shall support the IPT by reviewing the Hazard and Risk Assessment
Reports.

6.4 Consulting Services Department

CSD shall provide technical support for valves, piping, and if applicable
electrical systems, throughout the Safety Life Cycle per Appendix A - Safety
Life Cycle RACI Matrix in this specification.

6.5 HIPS Unit

The HIPS Unit shall provide technical support and verification of HIPS
throughout the Safety Life Cycle per Appendix A - Safety Life Cycle RACI
Matrix in this specification.

6.6 Inspection Department

6.6.1 The Inspection department shall support the proponent organization in
understanding and complying with the requirements of SAEP-373.

6.6.2 The Inspection department shall verify operation, maintenance, and
function testing of HIPS complies with the requirements of SAEP-373.

7 Grandfather Clause

7.1 Scope: SIS designed and constructed prior to the issue of this standard must
demonstrate that the system is “designed, maintained, inspected, tested and
operating in a safe manner.” This “grandfather” clause releases existing HIPS
Installations from the new requirements of this standard, if they can meet the
criteria of the clause.

7.2 Determining Applicability of the “Grandfather” Clause: In order to utilize
the exception for existing systems provided by the “grandfather” clause, there
are two methods to demonstrate that the Safety Instrumented System is
designed, maintained, inspected, tested, and operating in a safe manner; either
one can be used:

7.2.1 Method One: Utilize the Process Hazards Analysis (PHA) process to
investigate the safety of the system. At the PHA, the teams shall identify
the potential causes of over-pressure process hazards and the associated
engineering and administrative controls as defined in this specification.
The PHA team will need to affirm that the SIS design functionality is
appropriate to fulfill the intended safety function and that the SIS
architecture is consistent with the required risk reduction. This judgment
shall also consider the frequency of over-pressure demands on the SIS and
the history of incidents and near misses associated with the SIS. The team
will also need to review the maintenance, testing, and inspection records in
order to evaluate the sufficiency of their frequency and content. If the
team is unable to agree that the SIS meets all of the requirements of the
“grandfather” clause, they can develop an action item for the particular
SIS to receive full consideration under this standard; hence excluding it
from coverage under the “grandfather” clause.

7.2.2 Method Two: Reviewing the existing SIS in comparison to the key
design requirements of this standard and by identifying deviations,
determine whether further efforts are warranted to analyze the SIS.
A checklist shall be developed based on requirements within this
standard. This checklist would address the major philosophical and
technology issues defined in this standard. Any significant deviations
from the design characteristics defined in this standard would identify
the SIS under consideration for exclusion from the “grandfather” clause.
A few examples of the types of issues that could be addressed in the
checklist are provided below:
a) Does the SIS function take the process to a safe state without human
intervention?
b) Are the designed “fail safe” modes of the SIS elements consistent
with a safe state?
c) Is the SIS logic solver separate from the Basic Process Control
System (BPCS)?
Commentary Note:

For existing SIS installations, sharing of BPCS and SIS logic solver is
acceptable as long as the BPCS loop is not an initiating cause for the
over-pressure scenario and putting a demand on the SIS.

d) Are sensors for the SIS separate from the sensors for the BPCS?
e) Is the technology employed in the SIS appropriate for the expected
performance?
f) For SIS associated with high risk events, are two valves provided
for process isolation?
g) Does each SIS I/O device have independent wiring?
h) Is periodic functional testing performed for all of the SIS elements,
including field sensors, logic solver, and final elements?
i) Is all equipment provided to perform testing at the desired test
interval?
j) Is sufficiently redundant and available power provided to the SIS?
k) Historically, has the performance of the SIS met the operating
demands?
l) Is sufficient documentation available to describe the desired SIS
function and the expected design, operation, maintenance, testing,
and inspection?

An answer of “No” to any question indicates potential exclusion from
the “grandfather” clause.

7.2.3 Even if the existing SIS design is accepted under the “grandfather”
clause, it is important to note that the documentation, training, and other
requirements of this standard are not waived. Therefore, efforts must be
directed at developing documents such as the SRS, procedures for and
records of SIS operation, testing, and maintenance, and records of
periodic functional testing, inspection, and maintenance.

Revision Summary
6 March 2016 Major revision. The approval process for projects is cumbersome, lengthy, and costly.
The goal is to streamline and speed up the project flow with:
1. Align SAEP-354 with industry best practices;
2. Update SAEP-354 with Saudi Aramco current projects’ phases;
3. Eliminate meetings and pre-approval from proponent;
4. Eliminate dual-path engineering efforts adopting HIPS from the beginning on applications
where Saudi Aramco has proven experience they are the proper solution (Offshore Oil
WHPs ESPs, Offshore Gas WHPs, Onshore Oil Wells);
5. Review process of documents and approval through eReviews; and
6. Bring the minimum safety availability from 0.9999 to 0.999, high-end SIL 3, based on
experience from typical completed QRA’s.
27 September 2016 Major revision. HIPS design is fully risk-based. Streamlined and simplified the standard:
1. Eliminated references to international standards called only for definitions (ANSI/ISA
84.01, API 520, API 521 and API 14C), updated and incorporated the definitions into the
standard itself.
2. Updated definitions of HIPS and Final Element to reflect company experience.
3. Focused HIPS only to over-pressure scenarios.
4. Replaced HAZOP with PHA. Introduced PHA guidelines for over-pressure scenarios.
5. Consolidated PHA into a single event.
6. Added HIPS applications and guidelines for Special Purpose Applications - Inlet and
Downstream Facilities and for Government Regulations, Authorities, and Environmental
Laws.
7. Clarified HIPS components failure rate sources.
8. Removed QRA requirements and added Risk Assessment per SAEP-250.
9. Clarified Safety Requirements Specification.
10. Added verification of PFDavg and HFT of HIPS operational degradation modes.
11. Added requirement for Sequence of Event Recorder (SOE).
12. Updated RACI Matrix.
13. Corrected typographical errors.
5 November 2017 Minor revision:
- Deleted reference and call for SMS, added reference and call for SAEP-149.
25 June 2020 Editorial revision:
- Section 4.2 Safe-State definition, deleted Commentary Note.
- B.1.4 Any deviations shall follow SAEP-302.
- B.1.9 HIPS shall be de-energized to trip. Deleted Commentary Note.
- Removed Vendors’ names.

Appendix A - Safety Life Cycle RACI Matrix

Safety Life Cycle Phase / Section # / Activity / Deliverable
Organization: Loss Prevention, Flow Assurance, Proponent, Inspection, HIPS Unit, CSD, IPT

5.1 Business Case
5.1 Development of Business Case R CA
5.2 HIPS Application Acceptability Study
Project Design Review(s) R CA C C C
5.2.2 PHA (over-pressure) - Preliminary R CA C C
5.2.3 Safety Requirements Specification - Preliminary R A C C C
5.2.4 Life-Cycle Cost Analysis (all options) R A C C C
5.2.5 HIPS Report - Application Acceptability Study R A C C I
5.3 HIPS Implementation Study
60, 90% Design Reviews R A C C C C
5.3.1 Transient Flow Analysis (over-pressure) R A C C C
5.3.2 Risk Assessment (over-pressure) R CA C C
5.3.3 SIL Assignment Report per SAEP-250 R CA C C
5.3.4 Safety Requirements Specification (SRS) R A C C C
5.3.5 HIPS Preliminary Design R A C C
5.3.6 HIPS SIL Verification Report - Preliminary R A C C
5.3.7 HIPS Report – Implementation Study R A C C
5.4 Detailed Engineering
30, 60, 90% Design Reviews R A C C C
5.4.1 HIPS Detailed Design R CA C C C
5.4.2 SIL Verification Report per SAEP-250 R CA C C C
5.4.3 Design Package Review R A C C C
5.4.4 Procurement of HIPS R A C I
5.4.5 Preventive Maintenance Test Procedure R CA C C
5.4.6 Transient Flow Analysis - Final R A C C
5.4.7 PHA (over-pressure) - Final R CA C C
5.4.8 SRS - Final R A C C C
5.4.9 HIPS Report - Final R A C C C

5.5 Construction and Startup
5.5.1 FAT Procedure R CA C
5.5.2 FAT R CA I C
5.5.3 Storage and Preservation R CA C
5.5.4 Pre-Commissioning & Testing R CA I C
5.5.5 SAT Procedure R CA C
5.5.6 SAT R CA I C
5.5.7 HIPS SAP Tracking R CA I C
5.5.8 Validation and Startup RA I C
5.6 Operation and Maintenance
5.6.1 Maintenance Quality Assurance Manual RA I
5.6.1a Preventive Maintenance Procedure RA C
5.6.1b Test & Inspection Procedure RA C
5.6.1c Management of Change Procedure RA I
5.6.2 Maintenance Plan RA I
5.6.3 Training RA I
5.6.4 PM and T&I RA I C
5.6.5 Auditing CA I R
5.6.6 Revalidation RA C C
5.7 Modification
5.7 Management of Change RA C I
5.8 Decommissioning
5.8 Decommissioning RA I C
5.9 Verification
5.9 Verification RA C C
R - Responsible, A - Accountable, C - Consulted, I - Informed

Responsible The one who does the work or manages the work.
Accountable The one ultimately answerable for the correct, thorough completion of the work.
Consulted Those whose opinion is sought – Subject Matter Experts.
Informed Those who are kept up to date on progress.

Appendix B - Basic HIPS Design Requirements

B.1 General
B.1.1 The HIPS shall be a separate and independent layer from the basic process control
system (BPCS), ESD safety layers, and RTU/SCADA.
B.1.2 The overpressure protection system shall have two (2) safety layers of protection as
follows:

1. ESD.

2. HIPS and/or safety relief valves.


B.1.3 The HIPS shall:

a. Meet or exceed the required SIL with a PFDavg equal to or less than the value
calculated during the risk assessment per SAEP-250.

b. Be minimum SIL 2, per SAEP-250.


B.1.4 Any deviation from the requirements herein shall follow internal company procedure
SAEP-302, waiver of a Mandatory Saudi Aramco Engineering Requirements.
B.1.5 The full test interval (test frequency) shall not be less than 3 months (quarterly) and
shall not exceed 12 months (yearly).
Commentary Notes:

Projects shall strive to achieve a test interval of 12 months for operational efficiency.
In order to achieve this goal particular care needs to be taken to minimize initiating
causes of over-pressure scenarios in the piping design.

A dynamic simulation shall be performed to determine the HIPS and ESD trip set
points.

B.1.6 In case of lack of electrical power supply a fully mechanical self-contained system
with hydraulic logic may be used in place of a fault-tolerant logic solver.
B.1.7 Consideration shall be given to utilizing components having high levels of diagnostic
coverage, such as transmitters designed by the manufacturer for safety system service.
B.1.8 HIPS shall be designed to be Fail-Safe, including loss of signal, electrical power,
instrument air, or hydraulic supply.
B.1.9 HIPS SIFs shall be de-energized to trip.
B.1.10 The HIPS shall have redundant power sources and may be powered from a common
facility redundant UPS.
B.1.11 Where the process fluids can cause fouling (e.g., precipitation of elemental sulfur,
solidification, polymerization, etc.), facilities shall be included to prevent plugging or
fouling of the sensors and for the timely detection of plugging or fouling. The final
elements shall be selected to be compatible and minimize the impact of the process
media.
B.1.12 Provisions shall be made to accommodate the periodic testing and maintenance
activities necessary for the HIPS to meet the target Safety Availability and risk
reduction targets.
B.1.13 Manual trip pushbutton(s) shall be installed near the HIPS valves or Control Panel.
B.1.14 Functional requirements per SAES-J-601 shall be included.
B.1.15 Sequence of Event Recording (SOE) shall be included as part of all new HIPS
installation with the exception of fully mechanical self-contained systems with
hydraulic logic. The SOE may be integral to the HIPS cabinet or part of the SCADA.
Commentary Note:

The SOE, SCADA, external PLC or any data acquisition system shall not interfere with
the inputs, boolean logic, and outputs of the HIPS logic solver.

B.2 Sensors
B.2.1 When the process fluid at the sensors is subject to freezing, heat tracing shall be
provided.
B.2.2 It is preferred to use direct process measurement such as level, pressure, or
temperature.
Exception:

If the incorrect location of a SIS valve (final element) is identified as an over-pressure
initiating cause, the valve position feedback/indicator(s) can be used to create a new
SIF to mitigate the over-pressure risk.

B.2.3 Sensors shall be used to activate the HIPS SIF upon reaching the high pressure trip set
point (HH). Activating the HIPS SIF on low pressure trip set point (LL) is allowed
provided:

a. If the high and low sensors are two different components, each low pressure
sensor can be manifolded from the same process connection as the high pressure
sensor.

b. Combining both high and low pressure sensors into a single component is
acceptable.

B.3 Logic Solver


B.3.1 HIPS logic solver shall generate an alarm on any diagnosed failure.
Commentary Note:

For existing SIS/HIPS installations, sharing of BPCS and SIS/HIPS logic solver is
acceptable as long as the BPCS loop is not an initiating cause for the
over-pressure scenario and putting a demand on the SIS/HIPS.

B.4 Final Elements


B.4.1 HIPS valves may not be used for any other purpose, including ESD.


Appendix C - Documentation

Sec Title

5.2 HIPS Application Acceptability Study


Project Description
Scope of Work
Plot Plans
Process Flow Diagrams
P&IDs
Hazard Analysis Report - Preliminary
Safety Requirements Specification - Preliminary
Life-Cycle Cost Analyses Report
HIPS Report – Application Acceptability Study
5.3 HIPS Implementation Study
Scope of Work
Plot Plans
Process Flow Diagrams
P&IDs
Pipe Specification
Hazard and Risk Assessment Report
SIL Assignment Report
Transient Flow Analysis Report
Safety Requirements Specification
HIPS Preliminary Design Specification
HIPS Schematic
System Block Diagram
Risk Assessment Report
HIPS Report – Implementation Study

5.4 Detailed Engineering


Scope of Work
Plot Plans
Process Flow Diagrams
P&IDs
Pipe Specification
Safety Instruction Sheets (Pipe Data Sheet)
HIPS Detailed Design Package

SIL Verification Report


HIPS Detailed Design Package
Instrument Specifications
Cause & Effect Diagrams
Logic Diagrams
Wiring Schematics
Instrument Loop Diagrams
Preventive Maintenance Test Procedure
Transient Flow Analysis Report - Final
PHA Study - Final
Safety Requirements Specification - Final
HIPS Report - Final

5.5 Construction and Startup


FAT Procedure
FAT Report
Calibration Sheets
Loop Check Report
SAT Procedure
SAT Report
Validation and Startup Report

5.6 Operation and Maintenance


Maintenance Quality Assurance Manual
Preventive Maintenance Procedure
Test and Inspection Procedure
Management of Change Procedure
Maintenance Plan
Training Records

5.7 Modification
Management of Change Form


Appendix D - HIPS Decision Flowchart
