General Guidelines for Human Protection Layers


Human Independent Protection Layers (IPLs) rely on operators to take action in response to alarms or during routine system checks to prevent undesired outcomes. Human performance is generally less reliable than engineering controls, and great care should be taken when considering the effectiveness of human action as an IPL. However, not crediting human actions under well-defined conditions is too conservative. The IPL must be effective 90 percent of the time.

Unlike mechanical devices with established failure rates, human IPLs are influenced by a broad range of factors, including operator knowledge, experience, stress levels, and motivation. Operators serving as IPLs must detect, diagnose, and respond effectively within a sufficient timeframe to prevent the consequence of concern and avoid unsafe conditions during further troubleshooting.

For more about independent protection layers, see the previous blog post "Independent Protection Layers in Process Industry".

Guidelines for Considering Human Intervention as IPL:

Managing human performance is important to prevent errors that can initiate LOPA scenarios and adversely impact the reliability of IPLs. Human error depends on a number of factors that should be considered when selecting initiating event frequency (IEF) and IPL PFD values.

1. Procedure Accuracy and Clarity:
  • Do procedures have a high level of accuracy, do they clearly convey the information, and are they convenient to use?

Operator Capability and Readiness:
  • When considering human intervention, assume the least experienced, least knowledgeable, and least motivated operators under realistic conditions.
  • Assess stress levels operators face during emergency scenarios, as stress can significantly impact performance. Simulation training can help operators act effectively under stress, but the assigned Probability of Failure on Demand (PFD) must reflect realistic stress conditions.
  • Have factors such as fatigue, stress, illness, and substance abuse been managed during all phases of operation? It is important that workers be physically capable of completing the tasks required.
2. Response Time:
  • Ensure sufficient time is available for operators to detect and respond effectively to alarms.
  • Response time depends on factors such as procedures, training, alarm clarity, action complexity, and operator physical condition.
  • A commonly used industry guideline is that control room operators must have at least 30 minutes to intervene before the hazard occurs, while field operators may require at least 60 minutes.
3. Plant Culture or Work Environment:
  • Consider cultural tendencies to avoid shutting down equipment or processes for short-term profitability, which can compromise safety.
  • Have factors such as lighting, noise, temperature, humidity, ventilation, and distractions been managed to minimize their contribution to human error?
4. Alarm and Action Indications:
  • The indication for action required by the operator must be detectable. The indication for required action must be:
    a. Consistently available to the operator.
    b. Clear and comprehensible, even during emergencies.
    c. Simple and straightforward to understand.
5. Available Time and Actions Requirements
  • Operators should have adequate time for decision-making and action execution, with minimal complexity in the required decisions. The longer the time available for action, the lower the PFD (Probability of Failure on Demand) given for human action as an IPL.
  • Actions should not involve calculations, complicated diagnostics, or weighing production costs against safety.
6. Workload and Task Isolation:
  • Operators should not perform other tasks simultaneously and must have sufficient availability to act as IPLs.
  • Has workload been optimized during all phases of operation, including normal, startup, and emergency shutdown modes?
  • If the workload is too low, operators may become bored, resulting in decreased vigilance. If an operator’s workload is too high, however, human error will tend to increase as a result of task overload.
7. Accessibility and Feasibility:
  • Required actions must be feasible under expected conditions. For example, if an initiating event (e.g., fire) prevents an operator from performing a task, the action cannot be considered an IPL.
8. Independence:
  • Human IPLs must be independent of any alarms, instruments, Safety Instrumented Functions (SIFs), or systems already credited as part of another IPL or initiating event sequence.
9. Training and Preparedness:
  • Regular training and documented drills should be conducted based on written operating instructions. Audits should verify that all operators can perform required tasks when alerted by alarms. Effective, demonstration-based initial and refresher training can be used to develop and maintain skill level.
10. Management Practices & Procedures
  • Management practices, procedures, and training may be considered as methods that would assist in establishing the PFD claimed for human action but should not be considered IPLs by themselves.

11. Communication

  • Have management systems and protocols for proper communication on radios and during shift changes been implemented? Miscommunication is a frequent cause of human error in the workplace, and effective communication strategies can reduce human error due to miscommunication.

12. Human-machine interface

  • Does the human-machine interface (HMI) facilitate the operator’s interaction with the process? The layout of equipment, displays, and controls strongly affects human performance.
  • Abnormal conditions need to be clearly annunciated, and alarm management is important to prevent nuisance alarms or alarm overload.

Ensuring Auditability of Alarm and Operator Intervention IPLs

For Independent Protection Layers (IPLs) like relief valves, meeting auditability requirements is straightforward because their maintenance, testing, and modifications are well-documented. However, when IPLs rely on alarms and operator intervention, achieving the same level of auditability can be more challenging and is often neglected.

To address this, alarms should be configured to prevent inhibition or bypassing. Any changes to an alarm’s set point must occur within a password-protected system, with modifications approved and documented to maintain effectiveness.

Operators must have clear, documented instructions in standard operating procedures detailing the necessary actions to take when an alarm is triggered. Moreover, they should be thoroughly trained and tested on these procedures to ensure readiness and compliance.

Requiring operators to acknowledge their training, such as by signing off upon its completion, can provide the necessary documentation to meet auditability requirements. This demonstrates that the IPL’s effectiveness is upheld and verified through training.

Additionally, this approach enhances operator engagement with their critical role in ensuring safety. It not only reinforces their accountability but also contributes to fostering a stronger safety culture within the plant.
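The auditability checks described in this section can be run as a periodic review of alarm change records and training sign-offs. The following is an added example, not part of the original article: the alarm tags, record fields, sample data, and the 365-day refresher interval are all constructed assumptions.

```python
from datetime import date

# Constructed sample data; tags, field names and the refresher interval are assumptions.
IPL_ALARMS = {"LAH-101": 85.0, "PAH-204": 12.5}  # alarm tag -> approved set point
OPERATORS = ["op_a", "op_b"]                      # operators credited to respond
CHANGE_LOG = [
    {"tag": "LAH-101", "action": "setpoint", "value": 90.0,
     "authenticated": True, "approved_by": None, "record": None},
    {"tag": "PAH-204", "action": "inhibit", "value": None,
     "authenticated": True, "approved_by": "shift_lead", "record": "CHG-EXAMPLE-1"},
    {"tag": "PAH-204", "action": "setpoint", "value": 12.5,
     "authenticated": True, "approved_by": "process_eng", "record": "CHG-EXAMPLE-2"},
]
SIGNOFFS = [
    {"operator": "op_a", "tag": "LAH-101", "signed": date(2024, 3, 1)},
    {"operator": "op_a", "tag": "PAH-204", "signed": date(2024, 3, 1)},
    {"operator": "op_b", "tag": "LAH-101", "signed": date(2022, 1, 10)},
]

def audit(alarms, operators, changes, signoffs, today, refresher_days=365):
    """Return (tag, finding) pairs for alarms credited as human IPLs."""
    findings, current = [], dict(alarms)
    for c in (c for c in changes if c["tag"] in alarms):
        if c["action"] in ("inhibit", "bypass"):
            findings.append((c["tag"], "alarm inhibited or bypassed"))
        elif c["action"] == "setpoint":
            if not c["authenticated"]:
                findings.append((c["tag"], "set point changed outside protected system"))
            if not (c["approved_by"] and c["record"]):
                findings.append((c["tag"], "set point change not approved and documented"))
            current[c["tag"]] = c["value"]
    for tag, approved in alarms.items():
        if current[tag] != approved:
            findings.append((tag, "set point differs from approved value"))
    latest = {}  # (operator, tag) -> most recent sign-off date
    for s in signoffs:
        key = (s["operator"], s["tag"])
        latest[key] = max(latest.get(key, s["signed"]), s["signed"])
    for op in operators:
        for tag in alarms:
            signed = latest.get((op, tag))
            if signed is None:
                findings.append((tag, f"{op}: no training sign-off"))
            elif (today - signed).days > refresher_days:
                findings.append((tag, f"{op}: sign-off older than refresher interval"))
    return findings

if __name__ == "__main__":
    for tag, finding in audit(IPL_ALARMS, OPERATORS, CHANGE_LOG, SIGNOFFS, date(2024, 6, 1)):
        print(f"{tag}: {finding}")
```

Any finding against an alarm means the operator response to that alarm cannot be shown to meet the auditability requirement until the gap is closed.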
