Independent Protection Layers (IPL)
Every piece of hardware may fail at one time or another. Failure requires repair or replacement. However, control and safety functions provided within the same hardware show that system failures and repair leave the process unprotected, which is unacceptable in most operations. There's also the need to spread risk. Like financial investors who diversify their investments, designers and operators of control and safety systems need to prevent one system's failure from causing devastating effects.
Broadly speaking, risks can be classified into 3 categories:
There is no single method that can totally eliminate all risks. Therefore, several methods must be implemented to reduce the risk of an accident. The concept of protection layers applies to the use of a number of safety measures all designed to reduce risk by reducing either the likelihood of potential incidents resulting in an impact on people, environment or property, or by reducing the magnitude of the impact should an incident occur.
Multiple, independent protection layers (IPL), also known as the "defense-in-depth" approach, generally consists of the following independent layers (see the Figure):
- process design
- process control system
- critical alarms and operator supervision/response
- automatic shutdown and interlocks (SIS)
- physical protection (e.g. pressure relief valve, containment)
- plant emergency response (e.g. fire fighting)
- community emergency response (e.g. notification, evacuation)
Each protection layer consists of a grouping of equipment and/or administrative controls that function in concert with other protective layers to control or mitigate process risk. Click here for more information. An independent protection layer should:
For an accident to occur, each safety layer must fail simultaneously. So the more layers present, the higher the probability they all will not fail simultaneously. In other words, the risk can be reduced to very low levels by providing a sufficient number of protection layers, and by making each layer highly reliable.
However, it must be remembered that the basic process hazards remain, and there is always the potential - perhaps very small, but never zero - that all layers must fail simultaneously and the hazardous incident will occur.
Back on Top