Safeguards and IPLs

About Safeguards and Independent Protection Layers (IPL)

Safeguard

A safeguard is a safety instrumented system or any other safety device that prevents a risk from occurring or lowers the probability or severity identified by the risk assessment. Safeguard can also be an action performed by a person (e.g., operator response to an alarm). In APM, Safeguards can be linked to an asset.

Independent Layer of Protection

When a safeguard is independent of the performance of other Safeguards, or the initiating event, the safeguard is considered as an Independent Protection Layer (IPL). An independent layer of protection is external to any other layer of protection or safety instrumented system. All independent layers of protection are safeguards, but not all safeguards are independent layers of protection. To be specified as an IPL, a Safeguard must satisfy a set of criteria.

The effectiveness of an independent layer of protection is quantified in terms of its probability of failure on demand (PFD), which is a numeric value that represents the probability that the independent layer of protection will fail to perform its specified safety function when required.

The following three types of IPLs are defined in the APM:

  • Active IPL: An active IPL is a device or system that changes from one state into another in response to a change in process activity. For example, a pressure relief device is an active IPL that opens when there is an abnormal change in the pressure inside a vessel and remains open until the pressure in the vessel reduces to a value below the settings in the pressure relief device.

  • Passive IPL: A passive IPL can achieve its risk reducing function without the requirement to take any action or change the state of the system. For example, detonation arrestors and blast-walls are passive IPLs that reduce the risk.
  • Human IPL: Human IPLs involve the dependence on operators or other staff to take action to prevent an undesired consequence, in response to alarms or following a routine check of the system.

Active, Passive, and Human IPLs are further classified as IPL Sub Types, and are defined in the Active IPL family, Passive IPL family, and Human IPL family, respectively. For each subtype defined in the Active IPL, Passive IPL, and Human IPL families, the probability of failure on demand (PFD) value is also defined. Based on your selection of the IPL Type and the IPL Sub Type, the PFD for the Safeguard is determined from the Active IPL, Passive IPL, or Human IPL records.

The PFD values for each of Safeguard that is an IPL is multiplied to populate the Total IPL PFD field in LOPA. These values also modify the unmitigated and mitigated consequence frequency values in the LOPA.

About Identifying an Independent Protection Layer

You must assess the independence of the safeguards to determine if the safeguard can be qualified as an IPL. You must create one Safeguard for each layer of protection that exists. In the IPL Checklist section of the Safeguards and IPLs workspace, a set of criteria appear as questions. To be classified as an IPL, a Safeguard must meet all the criteria listed in the IPL Checklist section. These criteria can be modified in the administrative settings for LOPA.

By default, the following criteria are defined for the IPL Checklist and are required to be true for a safeguard to be considered as an independent protection layer:

  • The safeguard must be independent of the initiating event such that a failure associated with the risk will not cause the safeguard to fail.
  • The safeguard must be testable and verifiable using an industry standard (e.g., a risk based inspection).
  • The safeguard must be specific in detecting a potential hazard and taking action to prevent the hazard from occurring.
  • The safeguard must be capable and available at least 90 percent of the time.

  • The safeguard must increase the Risk Reduction Factor (RRF) of the LOPA to a value greater than or equal to 10.

To determine if a Safeguard is an IPL, you must select the criteria that are true for the Safeguard. If all the criteria are true for a Safeguard, the Safeguard is classified as an IPL. The IPL Type field, IPL Sub Type field, and PFD field are enabled. When you select the IPL Type and the IPL Sub Type, the corresponding PFD value for the IPL is automatically populated.

When the IPL is saved, the Total IPL PFD field in the LOPA is updated with the calculated PFD value. If there are more than one IPLs for the same LOPA, then the Total IPL PFD is calculated by multiplying the values in the PFD fields of each Safeguard associated with the LOPA. These values also modify the unmitigated and mitigated consequence frequency values in the LOPA.

Example

Suppose that in a hazardous scenario a high pressure separator releases liquid to downstream equipment. If the liquid level in the high pressure separator decreases to a certain level, pressure could be released to downstream equipment and cause it to rupture. In this scenario, a controller monitors the liquid level. If the level gets too low, the controller closes a valve so that the pressure is not released to downstream equipment.

The low level alarm is an independent layer of protection for this scenario because it meets all of the following criteria:

  • The safeguard is independent because if the first controller fails, the low level alarm has independent process connections and independent BPCS hardware from the failed controller.
  • The safeguard is auditable because the low level alarm can be routinely inspected.
  • The safeguard is capable because it is available at least 90 percent of the time.
  • The safeguard is specific because the alarm detects potential hazards by measuring the liquid level and will alert the operator when the potential failure is detected.

The low level alarm coupled with an operator response can reduce the risk associated with the hazards scenario and can be considered an IPL.

For the above example, in APM, the following IPL related information would be stored in the record for the low level alarm Safeguard:

  • IPL Type: Active IPL
  • IPL Sub Type: Basic Process Control System
  • PFD: 0.1
  • Total IPL PFD value for the LOPA: 0.1

Access a Safeguard

Procedure

  1. Access the Layer of Protection Analysis that is linked to the Safeguard that you want to access.
  2. In the left-pane, select Safeguards and IPLs.
    The Safeguards and IPLs workspace appears, displaying a list of safeguards linked to the LOPA.
  3. In the Safeguard ID column, select the link for the Safeguard that you want to access.
    The Safeguards and IPLs workspace appears, displaying the Definition and IPL Checklist tabs. The Definition tab is selected by default, displaying the datasheet for the selected Safeguard.
    Note: As needed, you can modify the values in the available fields, and then select to save your changes. You can modify values for a Safeguard only if the associated LOPA is in the Planning state. Additionally, if you have linked the LOPA to a Consequence in Hazards Analysis, you can modify the Safeguard only if the Hazards Analysis is also in the Planning state.

Create a Safeguard

Before You Begin

About This Task

This topic describes how to create a Safeguard.
Note: You can create a Safeguard only if the associated LOPA is in the Planning state. Additionally, if the LOPA is linked to a Consequence in Hazards Analysis, you can create a Safeguard only if the Hazards Analysis is also in the Planning state.

Procedure

  1. Access the Layer of Protection Analysis for which you want to create a Safeguard.
  2. In the left pane, select Safeguards and IPLs.
    The Safeguards and IPLs workspace appears, displaying a list of safeguards linked to the LOPA.
  3. In the upper-left corner of the workspace, select
    A blank datasheet for the Safeguard appears, displaying the Definition section.
  4. As needed, enter values in the available fields.
  5. In the upper-right corner of the workspace, select .
    The Safeguard is created and linked to the selected LOPA.

What To Do Next

Assess if a Safeguard is an Independent Protection Layer (IPL)

Before You Begin

Procedure

  1. Access the Safeguard that you want to assess to determine whether it is an IPL.
  2. Select the IPL Checklist tab.
    The IPL Checklist section appears, displaying a set of criteria to identify if the Safeguard is an IPL.
  3. In the IPL Checklist section, next to each criteria that is applicable for the selected Safeguard, select the check box.
    The IPL Type box and the IPL Sub Type box are enabled.
    Note: The IPL Type box and the IPL Sub Type box are enabled only if the check box for all the criteria in the IPL Checklist section is selected.
  4. As needed, select values in the available fields.
  5. In the upper-right corner of the workspace, select .
    The Safeguard is specified as an IPL.

Results

Delete a Safeguard

About This Task

Note: You can delete a Safeguard only if the associated LOPA is in the Planning state. Additionally, if you have linked the LOPA to a Consequence in Hazards Analysis, you can delete the Safeguard only if the Hazards Analysis is also in the Planning state.

Procedure

  1. Access the Layer of Protection Analysis that is associated with the Safeguard that you want to delete.
  2. In the left pane, select Safeguards and IPLs.
    The Safeguards and IPLs workspace appears, displaying a list of Safeguards linked to the LOPA.
  3. Select the row containing the Safeguard that you want to delete.
  4. In the upper-right corner of the Safeguards and IPLs workspace, select .
    The Delete IPL/Safeguard dialog box appears, asking you to confirm that you want to delete the safeguard or IPL.
  5. Select OK.
    The Safeguard is deleted.

Results

  • If the deleted Safeguard was an IPL, then the Total IPL PFD field on the LOPA datasheet is updated with the recalculated PFD value to remove the effect of the deleted Safeguard.

  • If you have linked the LOPA to a Consequence in Hazards Analysis, the Safeguard that you deleted in the LOPA is also removed from the Hazards Worksheet of the Hazards Analysis.