Hazard and Operability (HAZOP) and Layer of Protection Analysis (LOPA) are recognized methods for process hazard analysis (PHA). LOPA is widely used as a semi-quantitative method to identify, assess, and improve the most effective safeguards for higher consequence scenarios identified in a qualitative HAZOP study.
One of the important products of a LOPA is a list of Independent Protection Layers (IPL). When correctly identified, IPLs are devices, systems, and actions that are capable of preventing a hazard scenario from proceeding to the undesired consequence. In layman’s terms, they are the “best” and most effective of the safeguards that were identified in the HAZOP for specific scenarios and initiating events.
The core attributes a safeguard must have to qualify as an IPL are well known. The criteria include:
Independent of the initiating event and of other protection layers
Specific to the hazard
Functional, dependable, and reliable (including routine testing)
Subject to management of change
There are many reputable sources for training for the HAZOP and LOPA methods. Many organizations also have good internal guidance on this subject. But what happens when inadequate guidance, training, or discipline for the correct use of LOPA and identification of IPLs is present? You might be surprised at how often safeguards not meeting the core attributes are specified as IPLs in industry. It’s easy to find advice detailing the complexities of proper IPL selection and management, but without a facilitator well-versed in the basics of IPL selection, LOPA teams can get off on the wrong foot.
Many companies and LOPA practitioners employ excellent practices to identify and validate IPLs during LOPA. However, it is surprisingly common for significant IPL selection errors to be encountered during externally facilitated revalidation PHAs, audits, and other types of process safety reviews.
IPL concerns of the following types can readily occur in LOPA studies when initial selection or follow-up IPL validation is not as it should be:
Use of two or more relief devices, all taken with two or more IPL credits. Relief devices are often a highly effective safeguard. However, they are subject to concerns that should limit the credit taken at times. These include use in services where pluggage or other common cause failures are credible, engineering assumptions on sizing that are not as the PHA team assumed, poor-quality or missing routine inspections, and other issues.
Use of instrumentation whose failsafe failure modes are the opposite of those assumed by the PHA team, which may result in an unrecognized IPL failure to the dangerous mode.
Selection of one facet of an IPL, such as a basic process control system (BPCS) alarm, without recognition that other facets are also needed for a complete IPL, such as alarm prioritization and management, training in the specific alarm response, an operating procedure, and proper field instrument functional testing.
Selection of a BPCS alarm and operator response as an IPL, without confirming that sufficient time is available before the hazard develops to evaluate and respond effectively to the alarm.
Selection of IPLs with insufficient independence from the initiating cause of a hazardous scenario, or insufficient independence from another IPL for the same scenario. A classic example of this is selection of an instrument to alarm or interlock on a process condition that could be initiated by a failure of that same instrument.
Crediting design pressure and temperature ratings; both are equipment attributes that should normally be taken into account in identifying the scenario consequences, not credited as an IPL.
Improperly selected and validated IPLs can result in high-hazard scenarios that have far less risk reduction in place than you think you have. Implementing a systematic process to properly vet your IPL candidates for the core attributes is strongly recommended. Engaging experienced PHA/LOPA facilitators and having the right team during the meeting is the first step in proper IPL selection. Further validation of IPLs to confirm they meet the defined criteria can be time-consuming, but it also goes a long way toward increasing your confidence in your most important safeguards for higher consequence scenarios in highly hazardous chemical processes.
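A systematic vetting pass of the kind recommended above can be partly automated. The following is an added example, not part of the original article: it screens IPL candidates for the shared-instrument, response-time, design-rating, testing, and management-of-change errors listed earlier. The field names, equipment tags, and times are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed illustration: field names, tags and times are hypothetical.

@dataclass(frozen=True)
class Candidate:
    name: str
    kind: str                  # "alarm_response", "interlock", "relief" or "design_rating"
    components: frozenset      # instrument and device tags the safeguard depends on
    response_min: float = 0.0  # operator time to evaluate and act, alarms only
    routinely_tested: bool = True
    under_moc: bool = True     # covered by management of change

def screen(initiating_components, time_to_hazard_min, candidates):
    """Map each candidate name to the reasons it fails the core attributes."""
    findings = {}
    for c in candidates:
        reasons = []
        if c.kind == "design_rating":
            reasons.append("design rating belongs in the consequence assessment, not an IPL")
        shared = c.components & initiating_components
        if shared:
            reasons.append(f"shares {sorted(shared)} with the initiating event")
        for other in candidates:
            common = c.components & other.components
            if other is not c and common:
                reasons.append(f"shares {sorted(common)} with {other.name}")
        if c.kind == "alarm_response" and c.response_min >= time_to_hazard_min:
            reasons.append("operator cannot respond before the hazard develops")
        if not c.routinely_tested:
            reasons.append("no routine testing")
        if not c.under_moc:
            reasons.append("not under management of change")
        findings[c.name] = reasons
    return findings

def sample_scenario():
    """Constructed overfill scenario initiated by failure of level transmitter LT-101."""
    candidates = [
        Candidate("High level alarm", "alarm_response", frozenset({"LT-101"}), response_min=15),
        Candidate("High-high level trip", "interlock", frozenset({"LT-102", "XV-110"})),
        Candidate("Relief valve", "relief", frozenset({"PSV-201"}), routinely_tested=False),
        Candidate("Vessel design pressure", "design_rating", frozenset({"V-100"})),
    ]
    return screen(frozenset({"LT-101"}), time_to_hazard_min=10, candidates=candidates)

if __name__ == "__main__":
    for name, reasons in sample_scenario().items():
        print(f"{name}: {'; '.join(reasons) or 'passes screening'}")
```

A candidate that passes this screen still needs the team's judgment on whether it is specific to the hazard, which a rule check cannot decide.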