Human Independent Protection Layers (IPLs) rely on operators to take action in response to alarms or during routine system checks to prevent undesired outcomes. Human performance is generally less reliable than engineering controls, and great care should be taken when considering the effectiveness of human action as an IPL. However, not crediting human actions under well-defined conditions is too conservative. The IPL must be effective 90 percent of the time.
Unlike mechanical devices with established failure rates, human IPLs are influenced by a broad range of factors, including operator knowledge, experience, stress levels, and motivation. Operators serving as IPLs must detect, diagnose, and respond effectively within a sufficient timeframe to prevent the consequence of concern and avoid unsafe conditions during further troubleshooting.
For more about independent protection layers, see the previous blog post “Independent Protection Layers in Process Industry”.
Guidelines for Considering Human Intervention as IPL:
1. Operator Capability and Readiness:
- When considering human intervention, assume the least experienced, least knowledgeable, and least motivated operators under realistic conditions.
- Assess stress levels operators face during emergency scenarios, as stress can significantly impact performance. Simulation training can help operators act effectively under stress, but the assigned Probability of Failure on Demand (PFD) must reflect realistic stress conditions.
2. Response Time:
- Ensure sufficient time is available for operators to detect and respond effectively to alarms.
- Response time depends on factors such as procedures, training, alarm clarity, action complexity, and operator physical condition.
- A commonly used industry guideline is that the control room operators must have at least 30 minutes to intervene before the hazard occurs, while field operators may require at least 60 minutes.
3. Plant Culture:
- Consider cultural tendencies to avoid shutting down equipment or processes for short-term profitability, which can compromise safety.
4. Alarm and Action Indications:
- The indication for action required by the operator must be detectable. The indication for required action must be:
  a. Consistently available to the operator.
  b. Clear and comprehensible, even during emergencies.
  c. Simple and straightforward to understand.
5. Available Time and Action Requirements:
- Operators should have adequate time for decision-making and action execution, with minimal complexity in the required decisions. The longer the time available for action, the lower the PFD (Probability of Failure on Demand) given for human action as an IPL.
- Actions should not involve calculations, complicated diagnostics, or weighing production costs against safety.
6. Workload and Task Isolation:
- Operators should not perform other tasks simultaneously and must have sufficient availability to act as IPLs.
7. Accessibility and Feasibility:
- Required actions must be feasible under expected conditions. For example, if an initiating event (e.g., fire) prevents an operator from performing a task, the action cannot be considered an IPL.
8. Independence:
- Human IPLs must be independent of any alarms, instruments, Safety Instrumented Functions (SIFs), or systems already credited as part of another IPL or initiating event sequence.
9. Training and Preparedness:
- Regular training and documented drills should be conducted based on written operating instructions. Audits should verify that all operators can perform required tasks when alerted by alarms.
10. Management Practices & Procedures:
- Management practices, procedures, and training may be considered as methods that would assist in establishing the PFD claimed for human action but should not be considered IPLs by themselves.
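The following is an added example, not part of the original post, showing how the response-time, independence, feasibility and training criteria above can be screened for one candidate operator action. The tags, the scenario and every field name are constructed for illustration.

```python
from dataclasses import dataclass

# Minimum minutes between alarm and hazard, per the guideline in item 2.
MIN_RESPONSE_MIN = {"control_room": 30, "field": 60}

@dataclass
class HumanIPL:
    components: frozenset         # alarm, sensor and equipment the operator relies on
    operator_location: str        # "control_room" or "field"
    minutes_available: float      # alarm annunciation to consequence
    needs_calculation: bool       # item 5: calculations or complicated diagnostics
    feasible_during_event: bool   # item 7: action still possible during the event
    drilled_and_documented: bool  # item 9: written procedure plus documented drills

def screen_human_ipl(ipl, initiating_event_components, other_ipls):
    """Return the reasons the operator action cannot be credited (empty list = pass).

    other_ipls maps each already-credited IPL name to its set of component tags.
    """
    reasons = []
    required = MIN_RESPONSE_MIN[ipl.operator_location]
    if ipl.minutes_available < required:
        reasons.append(f"response time {ipl.minutes_available} min < {required} min")
    shared = ipl.components & set(initiating_event_components)
    if shared:
        reasons.append(f"shares {sorted(shared)} with the initiating event")
    for name in sorted(other_ipls):
        shared = ipl.components & set(other_ipls[name])
        if shared:
            reasons.append(f"shares {sorted(shared)} with {name}")
    if ipl.needs_calculation:
        reasons.append("action requires calculation or complicated diagnostics")
    if not ipl.feasible_during_event:
        reasons.append("action not feasible under the initiating event")
    if not ipl.drilled_and_documented:
        reasons.append("no documented procedure and drills")
    return reasons

# Constructed scenario: tank overfill caused by failure of level control loop LIC-101.
INITIATING = {"LT-101", "LIC-101", "LV-101"}
OTHER_IPLS = {"SIF-1 high-high level trip": {"LT-102", "XV-110"}}
BAD = HumanIPL(frozenset({"LAH-101", "LT-101", "HV-120"}), "field", 40, False, True, True)
GOOD = HumanIPL(frozenset({"LAH-103", "LT-103", "HV-120"}), "field", 75, False, True, True)

if __name__ == "__main__":
    for label, ipl in (("LAH-101", BAD), ("LAH-103", GOOD)):
        print(label, screen_human_ipl(ipl, INITIATING, OTHER_IPLS) or "creditable")
```

The alarm on LAH-101 fails twice: it is driven by the same transmitter whose loop failure starts the event, and a field operator has only 40 minutes.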
Ensuring Auditability of Alarm and Operator Intervention IPLs
For Independent Protection Layers (IPLs) like relief valves, meeting auditability requirements is straightforward because their maintenance, testing, and modifications are well-documented. However, when IPLs rely on alarms and operator intervention, achieving the same level of auditability can be more challenging and is often neglected.
To address this, alarms should be configured to prevent inhibition or bypassing. Any changes to an alarm’s set point must occur within a password-protected system, with modifications approved and documented to maintain effectiveness.
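As an added illustration (not from the original post), the check below reviews an alarm-system audit trail for the conditions just described: inhibits or bypasses on IPL-credited alarms, and set point changes that lack an authenticated user or a documented approval. The log layout, action names, tags and approval references are constructed and do not come from any particular alarm management product.

```python
import csv
import io

# Alarm tags credited as part of a human IPL (constructed).
IPL_ALARMS = {"LAH-101", "PAH-204"}

# Constructed audit-trail export: time, tag, action, old, new, user, approval_ref
SAMPLE_LOG = """\
2024-03-01T08:12:00,LAH-101,SETPOINT_CHANGE,85,90,jsmith,MOC-0417
2024-03-02T23:40:00,LAH-101,SETPOINT_CHANGE,90,97,,
2024-03-03T02:15:00,PAH-204,INHIBIT,,,bkhan,
2024-03-03T09:00:00,TAH-330,INHIBIT,,,bkhan,
2024-03-04T10:30:00,PAH-204,SETPOINT_CHANGE,12.0,12.5,mlee,
"""

FIELDS = ["time", "tag", "action", "old", "new", "user", "approval_ref"]
BYPASS_ACTIONS = {"INHIBIT", "BYPASS", "SHELVE", "DISABLE"}

def audit_ipl_alarms(log_text, ipl_alarms=IPL_ALARMS):
    """Return (time, tag, finding) tuples for events that undermine auditability."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        if row["tag"] not in ipl_alarms:
            continue  # only alarms credited as IPLs are in scope
        where = (row["time"], row["tag"])
        if row["action"] in BYPASS_ACTIONS:
            findings.append(where + ("alarm inhibited or bypassed",))
        elif row["action"] == "SETPOINT_CHANGE":
            if not row["user"]:
                findings.append(where + ("set point changed without an authenticated user",))
            if not row["approval_ref"]:
                findings.append(where + ("set point changed without a documented approval",))
    return findings

if __name__ == "__main__":
    for time, tag, finding in audit_ipl_alarms(SAMPLE_LOG):
        print(time, tag, finding)
```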
Operators must have clear, documented instructions in standard operating procedures detailing the necessary actions to take when an alarm is triggered. Moreover, they should be thoroughly trained and tested on these procedures to ensure readiness and compliance.
Requiring operators to acknowledge their training, such as by signing off upon its completion, can provide the necessary documentation to meet auditability requirements. This demonstrates that the IPL’s effectiveness is upheld and verified through training.
Additionally, this approach enhances operator engagement with their critical role in ensuring safety. It not only reinforces their accountability but also contributes to fostering a stronger safety culture within the plant.