Understanding Independent Protection Layers to Achieve a Safe Facility

Understanding IPLs

By Chet S. Barton, P.E., FS Expert | C&A Process Safety Industry Leader

Driving can be considered inherently dangerous, but relying on different mechanisms in your car to mitigate the risk helps ease the mind. Seatbelts and airbags are safeguards used in vehicles to prevent harm to their occupants. Each of those safety measures is an individual layer of protection that minimizes the effect of an accident.

The same principle applies to systems in your manufacturing facility. Safeguards or protections mitigate the hazards present in your facility.

What are Independent Protection Layers?

Whether you’re updating an existing processing unit or adding a new one, installing safety protective layers should be part of the design phase: protections engineered into the system. If you address protections at a later phase, not only will it be difficult to make any changes, but it will also be more expensive, as you’ll have already designed and engineered the unit.

In the early phases of the process safety lifecycle, you will conduct a risk assessment to identify potential hazards and apply different protections to address specific hazards. If these protections meet certain core criteria, they are classified as independent protection layers (IPLs). An IPL does not have to be a safety instrumented system (SIS); instead it can be a basic process control system (BPCS), a basic control system interlock, a deluge system, a human action, or other devices such as a pressure relief valve or operator alarm.

After the risk assessment, you will evaluate the likelihood and severity of each identified hazardous scenario. Companies use a risk matrix to rank these events and assign each a value. The goal is to reduce that value to an acceptable level of risk by implementing layers of protection to prevent or minimize a hazard. Since risk is inherent, the value can never be zero, but you can use credits to reduce the severity. Credits are awarded to each independent protective layer.

For example, in a basic processing control system, a valve controls the pressure. If the pressure gets too high, an alarm will sound and indicate for the operator to close the valve. The alarm is a layer of protection and can be considered one credit.

Industry guidelines determine the quantitative value of each protective layer, but the end user must accept those values.

Characteristics of an Independent Protection Layer

How do you know if a safety feature is independent? Industry standards like the American Institute of Chemical Engineering (AIChE) and the International Electrotechnical Commission (IEC) 61511 offer guidance on how to determine if an element is considered independent.

Here are the factors that must be considered to meet the requirements of a particular interlock in a BPCS while maintaining the operability of the process equipment.

 

Independence

IPLs are independent when their performance is not affected by an initiating cause or by an action of another IPL. Consequently, if an IPL fails, it will not affect other IPLs.

In the example above, the alarm is considered a credit. However, the valve can’t be a separate credit because it relies on the alarm to address a specific hazard. They are tied together and are not independent. So, you couldn’t take multiple credits for different interlocks in the same system to address the hazardous scenario. If that system fails or locks up, all interlocks in the system also fail. Similarly, if one interlock fails, it affects the others, so it would still be considered one credit.

Functionality

IPLs must be specifically designed to address a particular hazard or scenario that was identified in the risk assessment. In addition, it must have the ability to eliminate any consequences of the event from occurring.

For example, high fuel gas pressure can cause a hazard in a gas line if the burner is not designed to accommodate that much pressure. So, you might add a separate valve that can shut off the pressure in case it gets too high.

Reliability

IPLs must have a robust design that meets a certain level of effectiveness so it will operate as intended for the designed time frame. The system must have quality components suitable for the type of function required to perform the task and must be properly documented.

You can also use redundant components that are built into the system. For example, having two sensors installed to detect the level of a process variable will mitigate the risk of failure, because if one sensor fails, the other can still enact the safety function.

Auditability

IPLs need to be testable and verifiable. If you can’t test it, you can’t rely on it. You need to be able to run tests periodically and make sure these components are working for them to be considered a valid protective layer.

Valves tend to get stuck in place. If a valve is responsible for shutting off a fuel gas, and it gets stuck, it won’t be able to prevent a hazard. Instrumentation put into a chemical plant needs to be tested to ensure it’s actually operational.

Working with Industry Specialists

You are the expert of your own process. However, process facilities have inherent safety risks, which require safety experts. If a hazard evolves, what protections do you have to prevent it from progressing? Are those protections implemented properly to reduce risk to an acceptable level to meet industry standards? Use this BCPS IPL Checklist as a guide.

Our Team of TÜV Rheinland Functional Safety engineers has years of experience designing protections against hazards. Let our Team help you with hazard risk reduction at your site. Contact us today.

 

Share this article