Layer of Protection Analysis (LOPA) has become an important tool used in industry, often in conjunction with a Process Hazard Analysis (PHA). It is used to evaluate high severity or high risk consequences with additional rigor of review to assess that safeguards and systems are adequately in place to meet the company’s risk tolerance requirements. During a LOPA, safeguards are identified to interrupt an initiating event from progressing to an undesired consequence. These safeguards must meet the following five core attributes to be credited in a LOPA for risk reduction and classified as Independent Protection Layers (IPLs).
Independence is used to assure the effects of the initiating event, or of other IPLs, do not interact with a specific IPL and thereby degrade its ability to perform its function. Independence requires that an IPL’s effectiveness is independent of;
The occurrence, or consequences, of the initiating event; and
The failure of any component of an IPL already credited for the same scenario.
Dependability is used to assure the IPL is available when needed to prevent the hazard scenario from occurring. Protection provided by the IPL shall reduce the identified risk by at least ten-fold.
Specificity is used to verify the IPL can prevent the cause from progressing to the undesired consequence.
Auditability is used to verify the IPL is routinely tested/inspected at an adequate frequency through the process lifecycle to maintain its dependability. An IPL component, system or action shall be auditable to demonstrate that it meets the risk mitigation requirements of a LOPA IPL. The auditing process shall confirm effectiveness of the IPL through review of the design, installation, functional testing, and maintenance systems of the IPL.
Security is used to verify the IPL has controls in place that prevent unauthorized changes. The IPL shall be managed by design or by administrative procedure to ensure unauthorized changes are not made that affect the integrity of the IPL, its availability, or any of its properties.
Typically during a LOPA, the team does not have the time or resources to assess each IPL to verify they meet these requirements. IPL validation is a process to examine the key elements that qualifies a safeguard as an IPL to ensure they will function when needed and prevent propagation of a hazardous scenario. Good industry practice is to manage, test, and document IPLs through the lifecycle of the process. IPL validation is based on guidelines established under the International Society of Automation ISA-84.91.01 and OSHA Process Safety Management, 29 CFR 1910.119. It is important to note that validation of Safety Instrumented Function (SIF) IPLs are specifically managed under requirements for ISA 84.00.01 and not part of this validation.
IPL validation typically uses a set of questions to evaluate if a safeguard meets the five core attributes of an IPL. At aeSolutions, we approach IPL validation using checklists with specific questions for each type of IPL (e.g. alarm, check valve, dike, procedure, etc.). Our associates work closely with each site to gather and review the necessary data to complete the checklists. If an affirmative answer to a question cannot be proven with site documentation, the item is listed as a gap and recommendations are generated. The recommendations are communicated to the facility for further action.
Through our work on various IPL validation projects, it has often surprised facilities to discover the areas IPLs do not meet validation criteria. LOPA Teams make every effort to use up-to-date process safety information. They use P&IDs to identify available safeguards, such as relief or indicating devices, however during the IPL validation process discover that the device has been removed, modified or is not functioning properly. Further investigation would be recommended to resolve the risk and evaluate the potential gaps in process safety information, the management of change process, etc.
Another example is when a BPCS related IPL (alarm or software action) is identified as being on the same Input/Output (I/O) card as another credited IPL or the initiating event device. Typically, the LOPA team does not have the ability, due to time or resource constraints, to review automation logic diagrams during their meeting. So unless a LOPA team member is reviewing the automation logic diagrams this common cause would never be found. The team would feel confident the risk of the hazard scenario is sufficiently mitigated, when in actuality it is not. However, during the IPL validation, review of the I/O card would reveal the lack of independence and require either the selection of a new IPL or a modification to the I/O card arrangement.
These examples show that while the LOPA team may identify IPLs to sufficiently manage the risk of the hazard, more evaluation is needed to verify these IPLs as existing or to identify deficiencies. Corrective actions from IPL validation can range from adding IPLs to the site’s mechanical integrity program to revisiting the LOPA and selecting a more reliable IPL.
IPL validation is a good industry practice to verify that your IPLs are properly managed, tested, and documented. The IPL validation checklists are also a great reference for future PHA and LOPA studies.