Independent Protection Layers in Process Industry

IPLS
Facebook
WhatsApp
LinkedIn
Pinterest
Telegram

An Independent Protection Layer (IPL) is a device, system, or action that is capable of preventing a scenario from proceeding to its undesired consequence independent of the initiating event or the action of any other layer of protection associated with the scenario. IPL is an independent mechanism that reduces risk by control, prevention or mitigation. The effectiveness and independence of an IPL must be auditable.

In Layers of Protection Analysis (LOPA) the effectiveness of an IPL is quantified in terms of its probability of failure on demand (PFD) which is defined as the probability that a system (in this case the IPL) will fail to perform a specified function on demand. The PFD is a dimensionless number between 0 and 1. The smaller the value of the PFD, the larger the reduction in the frequency of the consequence for a given initiating event frequency. The “reduction in frequency” achieved by an IPL is sometimes termed the “risk reduction factor.”

To be considered an IPL, a device, system, or action must be

As per IEC 61511-2016, the criteria to qualify a protection layer (PL) as an IPL are:

– the protection provided reduces the identified risk by a large amount, that is, a minimum of

a 10-fold reduction;

– the protective function is provided with a high degree of availability (0.9 or greater

– it has the following important characteristics:

  1. a) Specificity: An IPL is designed solely to prevent or to mitigate the consequences of one potentially hazardous event (for example, a runaway reaction, release of toxic material, a loss of containment, or a fire). Multiple causes may lead to the same hazardous event; and, therefore, multiple event scenarios may initiate action of one IPL;
  1. b) Independence: An IPL is independent of the other protection layers associated with the identified danger;
  1. c) Dependability: It can be counted on to do what it was designed to do. Both random and systematic failures modes are addressed in the design;
  1. d) Auditability: It is designed to facilitate regular validation of the protective functions. Proof testing and maintenance of the safety system is necessary

Common Types of IPLs

1. Inherently Safe Process Design

In many companies, it is assumed that some scenarios cannot occur because of the inherently safer design of the process equipment. For example, the equipment might be designed to withstand the maximum pressure for a particular scenario, batch size might be limited, inventory lowered, chemistry modified, etc.; i.e., scenarios are eliminated by the inherently safer design. The LOPA analyst should be aware that inherently safer process design features may have a PFD and appropriate inspection and maintenance (auditing) might be required

“Inherently safer process design features are encouraged to eliminate possible scenarios.”

2. Basic Process Control Systems

The basic process control system (BPCS), including normal manual controls, is the first level of protection during normal operation. The BPCS is designed to maintain the process in the safe operating region. The normal operation of a BPCS control loop may be credited as an IPL if it meets the appropriate criteria. The failure of the BPCS can be an initiating event. When considering using the BPCS as an IPL, the analyst must evaluate the effectiveness of the access control and security systems as human error can degrade the performance of the BPCS.

3. Critical Alarms and Human Intervention

These systems are the second level of protection during normal operation and should be activated by the BPCS. Operator action, initiated by alarms or observation, can be credited as an IPL when various criteria are satisfied to assure the effectiveness of the action. Company procedures and training may improve the performance of humans in the system, but procedures themselves are not an IPL.

4. Safety Instrumented Function (SIF)

A SIF is a combination of sensors, logic solver, and final elements with a specified safety integrity level that detects an out-of-limit (abnormal) condition and brings the process to a functionally safe state. A SIF is functionally independent of the BPCS. A SIF is normally considered to be an IPL and the design of the system, the level of redundancy, and the amount and type of testing will determine the PFD the SIF receives in LOPA. “Interlock” is an older, imprecise term for SIF.

5. Physical / Active Protection(Relief Valves, Rupture Discs, etc.)

These devices, when appropriately sized, designed, and maintained, are IPLs that can provide a high degree of protection against overpressure in clean services. However, their effectiveness can be impaired in fouling or corrosive services, if block valves are installed under the relief valves, or if the inspection and maintenance activities are of poor quality. If the flow from the relief valves is discharged to the atmosphere, additional consequences may occur which will require examination. This could involve the examination of the effectiveness of flares, quench tanks, scrubbers, etc.

6. Postrelease / Passive Protection (Dikes, Blast Walls, etc.)

These IPLs are passive devices which provide a high level of protection if designed and maintained correctly. Although their failure rates are low, the possibility of failure should be included in the scenarios. Also, if automatic deluge systems, foam systems, or gas detection systems, etc., meet the requirements of IPLs, then some credit can be taken for these devices in specific scenarios.

7. Plant Emergency Response

These features (fire brigade, manual deluge systems, facility evacuation, etc.) are not normally considered as IPLs since they are activated after the initial release and there are too many variables (e.g., time delays) affecting their overall effectiveness in mitigating a scenario.

8. Community Emergency Response

These measures, which include community evacuation and shelter-in-place, are not normally considered as IPLs since they are activated after the initial release and there are too many variables affecting their effectiveness in mitigating a scenario. They provide no protection for plant personnel.

Safeguards Not Usually Considered IPLs
  1. Training and Certification: These factors may be considered in assessing the PFD for operator action, but are not of themselves IPLs.
  2. Procedures: These factors may be considered in assessing the PFD for operator action, but are not—of themselves—IPLs.
  3. Normal Testing and Inspection: These activities are assumed to be in place for all hazard evaluations and form the basis for judgment to determine PFD. Normal testing and inspection affects the PFD of certain IPLs. Lengthening the testing and inspection intervals may increase the PFD of an IPL.
  4. Maintenance: This activity is assumed to be in place for all hazard evaluations and forms the basis for judgment to determine PFD. Maintenance affects the PFD of certain IPLs.
  5. Communications: It is a basic assumption that adequate communications exist in a facility. Poor communications affect the PFD of certain IPLs.
  6. Signs: Signs by themselves are not IPLs. Signs may be unclear, obscured, ignored, etc. Signs may affect the PFD of certain IPLs.
  7. Fire Protection: Active fire protection is often not considered as an IPL as it is post-event for most scenarios and its availability and effectiveness may be affected by the fire/explosion which it is intended to contain. However, if a company can demonstrate that it meets the requirements of an IPL for a given scenario it may be used (e.g., if an activating system such as plastic piping or frangible switches are used).Note: Fire protection is a mitigation IPL as it attempts to prevent a larger consequence after an event that has already occurred.
  8. Fireproof insulation can be used as an IPL for some scenarios provided that it meets the requirements of API and corporate standards.
  9. The requirement that information is available and understood is a basic requirement.

Top References

  1. Layer of Protection Analysis, Simplified Process Risk Assessment by Center for Chemical Process Safety
  2. IEC 61511
Share on facebook
Share on whatsapp
Share on linkedin
Share on pinterest
Share on telegram

Leave a Comment

Home Forums Topics

Viewing 15 topics - 91 through 105 (of 122 total)
Viewing 15 topics - 91 through 105 (of 122 total)