What is an Independent Protection Layer (IPL)?
An IPL is a tool, system, or action that can prevent a process scenario from proceeding to its consequence after an unwanted initiating event. IPLs are extrinsic safety systems. They can be active or passive, as long as the following criteria are met:
Specificity: the IPL is able to detect and prevent or mitigate the consequences of specific and potentially dangerous events, such as an uncontrolled reaction, loss of containment, or an explosion.
Independence: the IPL is independent of all other protection layers associated with the identified potentially dangerous event. Independence requires that its performance is not affected by the failure of another layer of protection or by the conditions that caused the failure of another layer of protection.
Reliability: the protection provided by the IPL reduces the identified risk by a known and specified amount.
The effectiveness of an IPL is expressed as its probability of failure on demand (PFD), which is the probability that the system will fail to carry out its specified function when called upon. PFD is a dimensionless number between 0 and 1. The smaller the PFD, the larger the reduction in consequence frequency for a given initiating event frequency.
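The independence criterion and the PFD calculation described above can be combined in a short worked example. This is an added illustration, not part of the original page: the tag names, frequencies, and PFD values are constructed, and the rule of crediting the lowest-PFD layer first when components are shared is an assumption.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class IPL:
    name: str
    pfd: float             # probability of failure on demand, between 0 and 1
    components: frozenset  # equipment the layer depends on

def credit_layers(layers, initiating_components):
    """Split layers into credited and rejected using the independence criterion.

    Assumed rule: a layer is rejected if it shares a component with the
    initiating event or with a layer already credited; the lowest-PFD
    candidates are considered first.
    """
    used = set(initiating_components)
    credited, rejected = [], []
    for layer in sorted(layers, key=lambda l: l.pfd):
        if not 0 <= layer.pfd <= 1:
            raise ValueError(f"{layer.name}: PFD must be between 0 and 1")
        if used & layer.components:
            rejected.append(layer)
        else:
            credited.append(layer)
            used |= layer.components
    return credited, rejected

def mitigated_frequency(initiating_freq, layers, initiating_components):
    """Consequence frequency = initiating frequency x product of credited PFDs."""
    credited, rejected = credit_layers(layers, initiating_components)
    return initiating_freq * prod(l.pfd for l in credited), credited, rejected

# Constructed scenario: a BPCS level-control loop fails (0.1 events per year).
INITIATING_FREQ = 0.1
INITIATING_COMPONENTS = frozenset({"LT-101", "BPCS"})
LAYERS = [
    IPL("High-level alarm + operator", 0.1, frozenset({"LT-102", "BPCS"})),
    IPL("SIF high-level trip", 0.01, frozenset({"LT-103", "SIS", "XV-103"})),
    IPL("Relief valve", 0.01, frozenset({"PSV-104"})),
]

if __name__ == "__main__":
    freq, credited, rejected = mitigated_frequency(
        INITIATING_FREQ, LAYERS, INITIATING_COMPONENTS)
    print(f"Mitigated frequency: {freq:.1e} per year")
    print("Credited:", [l.name for l in credited])
    print("Rejected (not independent):", [l.name for l in rejected])
```

The alarm is annunciated through the same BPCS whose failure starts the scenario, so it receives no credit and the mitigated frequency is 1e-5 per year rather than the 1e-6 that multiplying all three PFDs would suggest.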
The characteristics of each protection layer, and how it should be classified as an IPL in the LOPA method, are discussed below:
Process Design:
In some companies, it is assumed that some scenarios cannot occur because of inherently safer designs of equipment and processes. In other companies, some inherently safer process design features are considered to have a nonzero PFD, meaning that it is still possible for them to experience industrial failure.
Process design must be either considered an IPL or treated as a method for eliminating scenarios, depending on the method used by the organization.
Basic Process Control System (BPCS):
The BPCS, which includes normal manual control, is the first level of protection during normal operation. The BPCS is designed to keep the process in the safe operating area. The normal operation of a BPCS control loop can be credited as an IPL if it meets the criteria.
When deciding to use BPCS as an IPL, analysts must evaluate the effectiveness of access control and security systems when human error can reduce BPCS’s ability
Critical Alarms and Human Intervention:
This system is the second level of protection during normal operation and must be activated by the BPCS. Operator actions, initiated by an alarm or an observation, can be credited as an IPL when various criteria are met that ensure the effectiveness of the action.
Safety Instrumented Function (SIF):
A SIF is a combination of sensors, logic solver, and final elements with a specific safety integrity level that detects conditions outside the boundary and brings the process to a safe state. A SIF is functionally independent of the BPCS.
A SIF is normally considered an IPL. The design of the system, the rate of reduction, and the number and type of tests determine the PFD that the SIF receives in LOPA.
Physical Protection (Relief Valves, Rupture Disc, etc):
These devices are IPLs that can provide a high level of protection against excessive pressure when their size, design, and maintenance are appropriate. Their effectiveness can be impaired by dirt and corrosion, by block valves installed under the relief valve, or by very poor inspection and maintenance activities.
Post-Release Protection:
These IPLs are passive devices that can provide a high level of protection if properly designed and maintained. Although their failure rate is low, the possibility of failure must be included in the scenario.
Plant Emergency Response:
These features (firefighters, manual blackout systems, evacuation facilities, etc.) are normally not designated as IPLs because they are activated after the initial release and too many variables affect their overall effectiveness in reducing scenarios.
Community Emergency Response:
These measures, which include community evacuation and sheltering, are normally not designated as IPLs because they are activated after the initial release and too many variables affect their overall effectiveness in reducing scenarios. They do not provide protection for plant personnel.