Rules for Independent Protection Layer (IPL)


An Independent Protection Layer (IPL) is a device, system, or action that is capable of preventing a scenario from proceeding to its undesired consequence independent of the initiating event or the action of any other layer of protection associated with the scenario. An IPL is an independent mechanism that reduces risk by control, prevention, or mitigation. The effectiveness and independence of an IPL must be auditable.

To qualify as an IPL, a safeguard must meet the following requirements:

  • Effective in preventing the consequence when it functions as designed
  • Independent of the initiating event and the components of any other IPL already claimed for the same scenario
  • Auditable; the assumed effectiveness in terms of consequence prevention and probability of failure on demand (PFD) must be capable of validation in some manner (by documentation, review, testing, etc.)

Characteristics of Effective IPLs

The “Three Ds” – Key Elements of IPLs

To determine whether a safeguard qualifies as an IPL, consider these essential characteristics:

  1. Detect – The IPL must detect a condition that signals a hazardous event.
  2. Decide – It should be capable of deciding whether action is needed.
  3. Deflect – The IPL must prevent or mitigate the unwanted event from occurring.

The “Three Enoughs” – Evaluating IPL Strength

An effective IPL must meet these three conditions:

  • Big Enough? – Does the IPL have enough capacity to prevent the incident?
  • Fast Enough? – Can it act in time to stop the hazard?
  • Strong Enough? – Is the IPL robust enough to handle the stress of preventing failure?

The “Big I” is a reminder that the IPL must be independent of the initiating event and other IPLs.

1. Effectiveness of IPL

If a device, system, or action is credited as an IPL, it must be effective in preventing the undesired consequence associated with the scenario. To determine whether a safeguard is an IPL, the following questions guide the team or analyst in making the appropriate judgment.

  • Can the safeguard detect the condition that requires it to act? This may be a process variable, or an alarm, etc. If the safeguard cannot always detect the condition, and generate a specific action, it is not an IPL.
  • Can the safeguard detect the condition in time to take corrective action that will prevent the undesired consequence?

The time required must include:

  1. the time to detect the condition
  2. the time to process the information and make the decision
  3. the time to take the required action, and the time for the action to take effect

  • Does the IPL have adequate capacity for it to take the required action in the time available?
  • If a specific size (e.g., relief valve orifice, dike volume, etc.) is required, does the installed safeguard meet these requirements?
  • Is the strength of the IPL adequate for the required action? The strength of an IPL might consist of physical strength (e.g., a blast wall or dike); the ability of a valve to close under the conditions that would be present for a particular scenario (i.e., strength of valve spring, actuator, or components); human strength (i.e., is the required task within the physical capabilities of all operators?).

If the safeguard cannot meet these requirements, it is not an IPL. In Layer of Protection Analysis (LOPA), the effectiveness of an IPL in reducing the frequency of a consequence is quantified using its PFD. Determining, or specifying, the appropriate value for the PFD of an IPL is an important part of the LOPA process. An IPL is expected to operate as intended, but any system can fail. The lower the value of the PFD for an IPL, the greater the confidence that it will operate correctly and interrupt a chain of events.

2. Independence of IPL 

The LOPA method uses independence to assure that the effects of the initiating event, or of other IPLs, do not interact with a specific IPL and thereby degrade its ability to perform its function. It is important to understand when a safeguard can and cannot be claimed as an IPL in LOPA. Independence requires that an IPL’s effectiveness is independent of:

  • the occurrence, or consequences, of the initiating event; and
  • the failure of any component of an IPL already credited for the same scenario.

Two approaches are used in assessing the independence of IPLs involving Basic Process Control System (BPCS) loops or functions to decide how many IPLs exist for a particular scenario. Approach A is generally recommended because its rules are clear and it is conservative. Approach B may be used if the analyst is experienced, and adequate data is available on the design and actual performance of the BPCS logic solver.

Approach A: Conservative Method

  • Allows only one IPL within a Basic Process Control System (BPCS).
  • Ensures clear, unambiguous rules that minimize the risk of common-cause failures.
  • Requires IPLs to be fully independent of both the initiating event and any other credited IPLs.
  • Provides a straightforward and conservative assessment method.

Approach B: Conditional Method

  • Permits multiple IPLs within a single BPCS if supported by data on design and historical performance.
  • Assumes that failures in detection devices or final control elements occur more frequently than failures in the logic solver.
  • Demands a thorough understanding of common-cause failures and requires experienced analysts for evaluation.
  • Offers flexibility but requires comprehensive analysis and validation.
  • Requires an analyst experienced with the definition and application of the rules for claiming a safeguard as an IPL.
  • Is less straightforward to apply than Approach A.
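
The timing, independence and Approach A rules above applied to one scenario, as an added example (not from the CCPS text or this page). Tag names, frequencies, PFD values and times are constructed, and the mitigated frequency is taken as the initiating-event frequency multiplied by the PFDs of the credited IPLs.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Safeguard:
    name: str
    pfd: float               # probability of failure on demand
    components: frozenset    # sensors, logic solver, final elements, people
    response_time_s: float   # detect + decide + act + time for action to take effect
    in_bpcs: bool = False

def credit_ipls(initiator_components, time_available_s, safeguards):
    """Return (credited, rejected); rejected maps safeguard name -> reason."""
    credited, rejected = [], {}
    used = set(initiator_components)   # components already claimed in this scenario
    bpcs_claimed = False
    for sg in safeguards:
        shared = sg.components & used
        if sg.response_time_s > time_available_s:
            rejected[sg.name] = "not fast enough"
        elif shared:                   # not independent of initiator or earlier IPL
            rejected[sg.name] = "shares " + ", ".join(sorted(shared))
        elif sg.in_bpcs and bpcs_claimed:
            rejected[sg.name] = "second BPCS IPL (Approach A)"
        else:
            credited.append(sg)
            used |= sg.components
            bpcs_claimed = bpcs_claimed or sg.in_bpcs
    return credited, rejected

def mitigated_frequency(initiating_freq_per_yr, credited):
    return initiating_freq_per_yr * prod(sg.pfd for sg in credited)

def example_scenario():
    # Constructed scenario: tank overfill initiated by level control loop failure.
    initiator = {"LT-101", "BPCS logic solver", "LV-101"}
    safeguards = [
        Safeguard("BPCS high level alarm", 0.1,
                  frozenset({"LT-101", "BPCS logic solver", "operator"}), 600, True),
        Safeguard("SIS high-high level trip", 0.01,
                  frozenset({"LT-102", "SIS logic solver", "XV-102"}), 30),
        Safeguard("Relief valve", 0.01, frozenset({"PSV-103"}), 5),
        Safeguard("Operator field round", 0.1, frozenset({"field operator"}), 3600),
    ]
    credited, rejected = credit_ipls(initiator, 900, safeguards)
    return credited, rejected, mitigated_frequency(0.1, credited)

if __name__ == "__main__":
    credited, rejected, freq = example_scenario()
    print([sg.name for sg in credited], rejected, f"{freq:.1e} per year")
```

The alarm is rejected because it reuses the transmitter and logic solver whose failure is the initiating event, so its PFD never enters the product.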

3. Auditing the IPL 

A component, system or action must be auditable to demonstrate that it meets the risk mitigation requirements of a LOPA IPL.

  • The audit process must confirm that the IPL is effective in preventing the consequence if it functions as designed.
  • The audit should also confirm that the IPL design, installation, functional testing, and maintenance systems are in place to achieve the specified PFD for the IPL.
  • Functional testing must confirm that all the components of an IPL (sensors, logic solver, final elements, etc.) are operational and meet the requirements for LOPA to be applied.
  • The audit process should document the condition of the IPL as found and any modifications made since the last audit, and track to resolution any corrective actions that are required.

References: 

Layer of Protection Analysis, Simplified Risk Assessment by CCPS.
