Qualifying Safeguards as IPLs for LOPA

Layers of protection analysis (LOPA) is a risk analysis method based on assumptions that simplify the analysis. A key assumption is that any safeguards credited with risk reduction must be independent protection layers (IPLs). Consequently, a key aspect of LOPA is qualifying safeguards as IPLs. Not all safeguards will qualify as IPLs. Moreover, the same safeguard may be an IPL for one hazard scenario but not for another one. Mistakes in qualifying safeguards as IPLs are common so this aspect of LOPA requires careful consideration.

LOPA practitioners must determine if a protection layer qualifies as an IPL using appropriate criteria. At a minimum, safeguards must be effective, independent, and auditable. Usually, LOPA practitioners apply guidelines to make these determinations.

A safeguard is effective if it protects against the undesired consequences of a hazard scenario when it functions as designed. A safeguard that does not meet the effectiveness requirement is not an IPL, whatever its other attributes.

The key criterion for an IPL is independence. For a safeguard to be independent, its effectiveness must not depend on the occurrence or consequences of the initiating event; on the failure of any component of an IPL already credited for the scenario, or on the conditions that caused another IPL to fail; or on any other element of the scenario. Common cause failures (CCFs) must be addressed in determining the independence of protection layers. Causes of failure can be shared between an initiating event and one or more IPLs, or between different IPLs. Where several IPLs are affected by the same CCF, credit should be taken for only one of them. Similarly, when a safeguard is not independent of the initiating event, it cannot be credited as an IPL: for example, if the initiating event is an operator error and a candidate IPL requires action by the same operator to mitigate the situation, or if the initiating event is loss of a utility and a candidate IPL depends on that utility. Where safeguards are dependent and only one of them can be credited as an IPL, the one with the highest probability of failure on demand (PFD), i.e. the one earning the least credit, may be selected to be conservative. Alternatively, credit may be taken for the safeguard that receives the first demand.
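The independence rules above are easy to state and easy to get wrong in a spreadsheet, so here is an added example, not part of the original article, that applies them mechanically to a constructed scenario. It goes one step beyond the text by also carrying out the standard LOPA calculation (mitigated frequency = initiating event frequency multiplied by the PFDs of the credited IPLs) and comparing the result with a tolerable target frequency; the scenario data, safeguard names, dependency labels and the `Safeguard`/`Scenario` types are all assumptions made for illustration.

```python
"""LOPA scenario screening with IPL independence checks.

Added example (not from the source article). Rules implemented:
  * a candidate that is not effective or not auditable gets no credit;
  * a candidate that shares a dependency (operator, utility, CCF group)
    with the initiating event gets no credit;
  * among mutually dependent candidates only one is credited, chosen
    conservatively as the one with the highest PFD (least credit);
  * mitigated frequency = IE frequency x product of credited PFDs
    (standard LOPA calculation, assumed here rather than taken from the text).
All scenario data below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Safeguard:
    name: str
    pfd: float                                   # probability of failure on demand
    effective: bool = True                       # stops the consequence when working as designed
    auditable: bool = True                       # periodic validation is possible
    depends_on: frozenset = field(default_factory=frozenset)  # actors/utilities/CCF groups relied on


@dataclass
class Scenario:
    name: str
    ie_frequency: float          # initiating event frequency, per year
    ie_depends_on: frozenset     # what the initiating event itself is tied to
    candidates: list             # candidate safeguards
    target_frequency: float      # tolerable mitigated frequency, per year


def qualify_ipls(scn):
    """Return (credited, rejected): credited IPLs and a name -> reason map."""
    rejected = {}
    pool = []
    for sg in scn.candidates:
        shared = sg.depends_on & scn.ie_depends_on
        if not sg.effective:
            rejected[sg.name] = "not effective"
        elif not sg.auditable:
            rejected[sg.name] = "not auditable"
        elif shared:
            rejected[sg.name] = "not independent of initiating event (%s)" % ", ".join(sorted(shared))
        else:
            pool.append(sg)

    # Group mutually dependent candidates: any shared dependency puts two
    # candidates in the same group, and groups are merged transitively.
    groups = []
    for sg in pool:
        merged = [g for g in groups if any(sg.depends_on & o.depends_on for o in g)]
        new_group = [sg] + [m for g in merged for m in g]
        groups = [g for g in groups if g not in merged] + [new_group]

    credited = []
    for g in groups:
        keep = max(g, key=lambda s: s.pfd)  # conservative choice: highest PFD
        credited.append(keep)
        for other in g:
            if other is not keep:
                rejected[other.name] = "common cause with %s; only one credited" % keep.name
    return credited, rejected


def mitigated_frequency(scn):
    """Initiating event frequency reduced by every credited IPL."""
    credited, _ = qualify_ipls(scn)
    freq = scn.ie_frequency
    for sg in credited:
        freq *= sg.pfd
    return freq


def meets_target(scn):
    return mitigated_frequency(scn) <= scn.target_frequency


# Constructed scenario: operator A opens the wrong valve and overpressures a vessel.
EXAMPLE = Scenario(
    name="Vessel overpressure from wrong-valve operation",
    ie_frequency=0.1,
    ie_depends_on=frozenset({"operator_A"}),
    candidates=[
        Safeguard("BPCS high-pressure alarm + operator A response", 0.1,
                  depends_on=frozenset({"operator_A"})),          # same operator as the IE
        Safeguard("SIS high-pressure trip", 0.01,
                  depends_on=frozenset({"instrument_air"})),      # final element needs air
        Safeguard("Relief valve", 0.01),                          # no shared dependency
        Safeguard("Shutdown valve B (air to close)", 0.05,
                  depends_on=frozenset({"instrument_air"})),      # shares CCF with the SIS
    ],
    target_frequency=1e-4,
)

if __name__ == "__main__":
    credited, rejected = qualify_ipls(EXAMPLE)
    print("credited:", [s.name for s in credited])
    for name, why in rejected.items():
        print("rejected:", name, "->", why)
    print("mitigated frequency: %.1e /yr, target met: %s"
          % (mitigated_frequency(EXAMPLE), meets_target(EXAMPLE)))
```

With this data the alarm is rejected because it relies on the same operator whose error initiates the scenario, the SIS trip and shutdown valve B share instrument air so only the valve (the higher PFD, 0.05) is credited, and the relief valve stands alone; the mitigated frequency is 0.1 x 0.05 x 0.01 = 5e-5 per year, under the 1e-4 target. Had the SIS been credited at 0.01 instead, the result would have looked ten times better than the scenario supports, which is exactly the kind of optimistic IPL count the independence criterion exists to catch.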

An IPL is auditable if it is designed so that it can be periodically validated on three points: that it is effective in preventing the consequences of the scenario it protects against when it functions as designed; that it achieves the specified PFD, with design, installation, functional testing, and maintenance systems in place and working; and that it is in fact functional.

The Center for Chemical Process Safety (CCPS) has proposed seven core attributes for protection layers to be considered IPLs: independence, functionality, integrity, reliability, auditability, access security, and management of change.

Functionality means a protection layer must be capable of operating as expected during actual service conditions and all process operating modes where a hazardous event can occur, and responding effectively within the time required by stopping propagation of the initiating event, even in the presence of other protection layer failures.

Integrity / dependability is related to the risk reduction reasonably achievable by a protection layer given its design and management. It is the degree to which an IPL can be relied on to operate in the expected manner. The protection provided by the IPL is known to reduce the risk by a specified amount, i.e. the IPL has the claimed PFD.

Reliability means the probability that a protection layer operates according to its specification for a specified period of time under all relevant conditions.

Access security is the use of administrative controls and physical means to reduce the probability of unintentional or unauthorized changes to a protection layer. It includes protection against physical and cyber attacks. The link to the other attributes is direct: a safeguard whose setpoints, logic, or bypasses can be altered without authorization cannot be relied on to retain its claimed PFD.

Management of change means the formal process used to review, document, and approve modifications to safeguards and other aspects of a process prior to their implementation. 

Additional criteria also may be used, for example, availability, meaning that an IPL is expected to be functional when needed, and specificity, meaning that the claimed IPL is designed to be a safeguard, i.e. it prevents or mitigates a hazard scenario.

Companies must decide which criteria to use in qualifying safeguards as IPLs. Then, careful consideration must be given to the criteria for each candidate IPL. A rush to judgment should be avoided. This takes more time than typically is spent deciding what credit to take for each safeguard in a process hazard analysis (PHA) study.

Analytical Methods in Process Safety Management and System Safety Engineering – Layers of Protection Analysis, in Handbook of Loss Prevention Engineering, Wiley-VCH, 2013.

