Implementing LOPA Recommendations Into Design of Instrumented Protective Systems
- Type: Conference Presentation
The inherent process risk is reduced to a tolerable level by implementing Protective Functions. Each organization has to define its own tolerable risk level. Each Protective Function reduces the risk by a certain order of magnitude and acts as an Independent Protection Layer (IPL). Layers of Protection Analysis (LOPA) is one of the most widely used semi-quantitative methods for analyzing and documenting protective functions. An important outcome of LOPA is the identification of the Instrumented Protective Functions (IPF) essential for the required risk reduction. The required Safety Integrity Level (SIL) of each IPF is also determined during LOPA. SIL defines the target performance level of an IPF in terms of a range of Probability of Failure on Demand (PFD).
The Instrumented Protective System (IPS) design, implementation, maintenance and operation are covered by the ISA84 standard as the Functional Safety Lifecycle. ISA84 is endorsed by OSHA as a Recognized and Generally Accepted Good Engineering Practice (RAGAGEP). If an employer documents that it will comply with ISA84 and meets all ISA84 requirements, the employer will be considered in compliance with OSHA PSM requirements for the IPS.
An IPF must be designed to meet the requirements of ISA84 in order to be credited as an Independent Protection Layer (IPL). In the Functional Safety Lifecycle, the next step after LOPA is the conceptual design of the IPS. In most cases, multiple IPFs and control functions require the same process value. For example, an alarm, a trip and a PID control loop may all require the same process measurement.
This paper discusses the design of the instrumentation that must be provided to meet the independence criteria of an IPL. Various scenarios are discussed on how and when process signals can be shared between the IPS and the Basic Process Control System (BPCS). Good engineering practices for achieving both safety and reliability of the system through different fault tolerant configurations are discussed. Typical P&ID representations of some of the common scenarios are also presented.
If operator response to an alarm is one of the IPLs, additional requirements such as Operator Response Time, Process Safety Time and human factors need to be taken into consideration. If certain protection layers are found to be inadequate during safety system engineering and design, an iterative approach that revisits the LOPA is required to ensure the required risk reduction is achieved by the IPLs.
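A worked LOPA calculation, added here as an illustration and not part of the presentation: it computes the mitigated event frequency from an initiating-event frequency and the credited IPL PFDs, derives the PFD a new IPF must achieve, maps that PFD to a SIL band, and flags the case where no single IPF can close the gap so the LOPA must be revisited. The SIL-to-PFD ranges (low-demand bands from IEC 61511 / ISA84) and the scenario values are assumptions, not figures from the abstract.

```python
from math import prod

# Assumed SIL bands for low-demand operation (IEC 61511 / ISA84); each SIL
# spans one order of magnitude of average PFD. Not taken from the abstract.
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def mitigated_frequency(initiating_frequency, ipl_pfds):
    """Consequence frequency per year after the listed IPLs: f_IE * PFD_1 * ... * PFD_n."""
    return initiating_frequency * prod(ipl_pfds)


def required_ipf_pfd(initiating_frequency, target_frequency, other_ipl_pfds):
    """PFD an added IPF must achieve so the mitigated frequency meets the tolerable target."""
    residual = mitigated_frequency(initiating_frequency, other_ipl_pfds)
    return target_frequency / residual


def required_sil(initiating_frequency, target_frequency, other_ipl_pfds):
    """SIL band containing the required PFD.

    Returns 0 when no SIL-rated function is needed (required PFD >= 0.1: the
    target is already met or a non-SIL IPL such as an alarm may suffice), and
    None when even SIL 4 would not close the gap, i.e. the LOPA must be
    revisited and protection layers added or strengthened. Design verification
    must still confirm the achieved PFD <= required PFD; a band is a range.
    """
    pfd = required_ipf_pfd(initiating_frequency, target_frequency, other_ipl_pfds)
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


if __name__ == "__main__":
    # Constructed scenario (not from the abstract): BPCS loop failure at 0.5/yr,
    # relief valve credited at PFD 1e-2, tolerable frequency 1e-5/yr.
    f_ie, target, other = 0.5, 1e-5, [1e-2]
    print("required IPF PFD:", required_ipf_pfd(f_ie, target, other))  # ~2e-3
    print("required SIL:", required_sil(f_ie, target, other))          # 2
    # A much tighter target that no single IPF can meet: revisit the LOPA.
    print("required SIL:", required_sil(f_ie, 1e-9, other))            # None
```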