Layers of Protection Analysis (LOPA) assumes that Independent Protection Layers (IPLs) are completely independent of both the initiating event and other credited IPLs in the same scenario. However, there are specific situations where this requirement can be relaxed, provided adequate analysis and documentation support the decision. This blog explores the methodologies for counting multiple functions within a Basic Process Control System (BPCS) as IPLs in the same scenario.
Importance of Independence in LOPA
The foundation of LOPA relies on ensuring IPLs operate independently from the initiating event and any other IPLs in the same scenario. Relaxing this requirement can introduce additional risk, requiring careful analysis.
Note: Modifying LOPA assumptions to count multiple BPCS IPLs in a scenario can lead to a Probability of Failure on Demand (PFD) below the 1 × 10⁻¹ limit specified in IEC 61511. Such modifications should be backed by thorough analysis and documentation.
Comparison of Approaches
Two approaches exist for assessing the independence of IPLs involving BPCS loops:
Approach A (Conservative Method)
- Assumes a single BPCS loop failure invalidates all other BPCS loops using the same logic solver.
- Eliminates common mode failures by enforcing strict independence.
- Provides clear and unambiguous guidelines for implementation.
Approach B (Less Conservative Method)
- Assumes that if a BPCS loop fails, the failure is more likely due to a sensor or final control element than to the logic solver.
- Allows crediting additional BPCS loops as IPLs if evidence supports the reliability of the logic solver.
- Requires experienced analysts and extensive performance data to justify its use.
Failure Mode Considerations in BPCS Loops
A BPCS loop consists of:
- Sensor: Detects the process condition.
- Logic Solver: Processes input signals and commands action.
- Final Control Element: Acts on the process (e.g., valve, solenoid, alarm).
Each component has a failure rate based on design, manufacturing, maintenance, and testing intervals. In general, shorter testing intervals reduce the PFD of a component. However, the susceptibility of the BPCS to human error must also be factored in when assessing reliability.

Guidelines for Crediting Multiple BPCS IPLs in the Same Scenario
To justify counting multiple functions in one BPCS logic solver as IPLs, the following conditions must be met:
1. Adequate Access and Security Measures
- Ensures that human error risks (e.g., programming modifications, alarm bypassing) are minimized.
- May require increased restrictions on BPCS access.
2. Independence of Sensors and Final Control Elements
- The sensor for each additional BPCS function must be independent of:
  - The sensor in the initiating event.
  - Any sensor used as an IPL in the scenario.
- The final control element for each additional BPCS function must be independent of:
  - The final control element in the initiating event.
  - Any other final control element used as an IPL in the scenario.
3. Common Mode Failure Considerations
- If sensors, final elements, or alarms share components between loops, only one loop can be credited as an IPL. Examples:
  - If two BPCS loops share a common sensor, only one can be credited as an IPL.
  - If two loops share a common final control element, only one can be credited.
4. Logic Solver Reliability and Input/Output Cards
- Input and output cards can fail at higher rates than the logic solver itself.
- If an input or output card is common to multiple loops, additional IPLs should not be credited unless sufficient performance data exists.
5. Maximum Number of IPLs Credited
- If the initiating event does not involve a BPCS logic solver failure:
  - A maximum of two BPCS loops may be credited as IPLs.
  - These may involve either:
    - Two mechanical operations (e.g., valve closure, pump startup), or
    - One mechanical action and one alarm with operator intervention.
  - Two human actions should not be credited unless independence is fully demonstrated.
- If the initiating event involves a BPCS failure:
  - Only one BPCS loop should be credited as an IPL.
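The five guidelines above can be applied as a screening check over a scenario's candidate loops. The following is an added example, not code from this blog or from CCPS; the tag names are constructed, candidates are evaluated in the order the analyst lists them, and counting the initiating loop's I/O cards as shared is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Loop:
    name: str
    sensor: str
    final_element: str
    io_cards: frozenset
    kind: str = "mechanical"  # or "alarm" (alarm with operator intervention)

def credit_bpcs_ipls(candidates, initiator: Optional[Loop] = None, *,
                     access_controls_adequate=True, io_card_data=False,
                     human_independence_shown=False):
    """Return (credited loop names, {rejected loop name: reason}).

    `initiator` is the failed BPCS loop when the initiating event is a BPCS
    failure, otherwise None.
    """
    # Guideline 5 sets the cap; weak access control (guideline 1) also
    # prevents crediting more than one BPCS loop.
    limit = 2 if initiator is None and access_controls_adequate else 1
    used = [initiator] if initiator else []
    credited, rejected = [], {}
    for loop in candidates:
        if any(loop.sensor == u.sensor for u in used):
            reason = "shares a sensor"                          # guidelines 2, 3
        elif any(loop.final_element == u.final_element for u in used):
            reason = "shares a final control element"           # guidelines 2, 3
        elif not io_card_data and any(loop.io_cards & u.io_cards for u in used):
            reason = "shares an I/O card without performance data"  # guideline 4
        elif (loop.kind == "alarm" and not human_independence_shown
              and any(c.kind == "alarm" for c in credited)):
            reason = "second human action, independence not demonstrated"
        elif len(credited) >= limit:
            reason = f"exceeds maximum of {limit} credited BPCS loop(s)"
        else:
            credited.append(loop)
            used.append(loop)
            continue
        rejected[loop.name] = reason
    return [c.name for c in credited], rejected

# Constructed tank-overfill scenario; every tag below is hypothetical.
LOOPS = [
    Loop("LIC-101 high-level trip", "LT-101", "XV-101", frozenset({"AI-1", "DO-1"})),
    Loop("LAH-102 alarm", "LT-102", "HORN-1", frozenset({"AI-2", "DO-2"}), "alarm"),
    Loop("LAHH-101 alarm", "LT-101", "HORN-2", frozenset({"AI-1", "DO-3"}), "alarm"),
    Loop("FIC-103 inlet cutback", "FT-103", "FV-103", frozenset({"AI-2", "AO-1"})),
]
```

A pass from this check is only a screen: the performance data, access-control evidence and documentation described in the sections below are still required before the credit is taken.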
Information and Expertise Required
Data Collection and Analysis
To apply multiple BPCS loops as IPLs, reliable performance data must be available:
- Historical data on failure rates of sensors, final control elements, and logic solvers.
- Manufacturer specifications and third-party certifications.
- Inspection, maintenance, and testing records over extended periods.
- Instrument diagrams and process flow documentation.
Analysis should include:
- Failure rate calculations for each BPCS component.
- Independence assessment of input/output cards.
- Security and access control evaluations.
Expertise Required for Evaluation
- LOPA analysts must have in-depth knowledge of:
  - Instrumentation, control systems, and human factors.
  - Fault tree and event tree analysis.
  - Process safety management.
- Collaboration between process engineers, instrumentation experts, and LOPA analysts is critical to ensure proper application.
Cautions When Using Approach B
Approach B introduces additional complexity and potential failure points:
- The possibility of overlooking common cause failures increases.
- Additional time and resources are needed for detailed analysis.
- If security controls are insufficient, human error risks may prevent crediting multiple BPCS IPLs.
Using Approach B requires careful evaluation, structured analysis, and extensive documentation to ensure safety while optimizing protection layers.
Conclusion
Counting multiple functions within a BPCS as IPLs in the same scenario is possible but requires rigorous justification. While Approach A remains the conservative default, Approach B may be used in specific cases where:
- BPCS components are truly independent.
- The logic solver reliability is well-documented.
- Human error risks are minimized through secure access controls.
For organizations considering Approach B, investing in comprehensive risk assessments and expert analysis is crucial. Ultimately, the goal is to maintain process safety while ensuring compliance with standards such as IEC 61511.
By applying these guidelines, industries can enhance their LOPA methodology and make informed decisions about IPLs within BPCS systems.
References:
Layers of Protection Analysis, Simplified Risk Assessment, by CCPS