What Is The Difference Between a Safeguard and an IPL?
Updated: Sep 27, 2022
A safeguard is any safety device that would either interrupt the chain of events following an initiating event to prevent a consequence from occurring or would reduce the severity of a consequence, and overall reduce the risk. Safeguards can be devices, systems, or actions performed by a person/operator. Safeguards help to protect a process when the system deviates from the safe operating conditions.
Safeguards are often utilized in a Process Hazard Analysis (PHAs) or a Hazard and Operability (HAZOP) study as a way to reduce the severity or probability of a scenario that was identified by the risk assessment.
Types of Safeguards
A Preventative Safeguard is a safeguard that can prevent a scenario’s top event from occurring. This is a safeguard that intervenes between an initiating cause and a top event. For example, in a scenario where the initiating cause is a pump tripping that would result in a top event of an upstream vessel overfilling, an example of a preventive safeguard here would be a low flow alarm on the pump with associated operator action. Ideally, the operator would respond to the low flow alarm and either return the pump to service or stop the filling of the upstream vessel which would all prevent the top event of overfilling from occurring.
A Mitigative Safeguard is a safeguard that can mitigate the consequences of a scenario’s top event. This is a safeguard that intervenes between a top event and its consequences. For example, in a scenario where the top event is an upstream vessel overfilling and loss of containment of materials with high H2S that would result in a consequence of potential injury due to personnel exposure to H2S, an example of a mitigative safeguard here would be personnel H2S monitors. The H2S monitor is only needed if a release occurs, but ideally, this monitor would alert the personnel of high H2S in the area which would mitigate the top event of overfilling by keeping an injury due to exposure consequence from occurring.
INDEPENDENT PROTECTION LAYER (IPL)
A device, system, or action that acts to prevent a scenario from proceeding to the undesired consequence without being adversely affected by the initiating event or the action or failure of any other protection layer associated with the scenario, or any other component of the scenario.
IPLs are often utilized in a Layers of Protection Analysis (LOPA) as a way to quantitatively reduce the risk of a scenario based on that IPLs risk reduction factor (RRF).
IPLS VS. SAFEGUARDS
In geometry terms, an IPL is a square and a Safeguard is a rectangle. All IPLs are Safeguards but not all Safeguards are IPLs. IPLs are safeguards that also adhere to more rigorous criteria. The Center for Chemical Process Safety (CCPS) has proposed seven core attributes for safeguards to be considered IPLs, which are discussed in the following section on IPL Criteria.
Most of the time, the safeguards that are credited for the PHA or HAZOP portion of the study are referenced as potential IPLs for LOPA. Part of the LOPA process is to determine which safeguards qualify as IPLs. It must also be noted that one safeguard may be an IPL for one hazard scenario but not for another one. It is common to make mistakes when qualifying safeguards as IPLs which means this aspect of LOPA requires careful deliberation.
The seven core criteria for safeguards to be considered IPLs are independence, functionality, integrity, reliability, auditability, access security, and management of change. Because each company sets its criteria for IPLs and the criteria are not always consistent it is important to note that the three most used criteria are that IPLs must be effective, independent, and auditable.
Independence is when a safeguard’s performance is independent of the consequences of the initiating event and the initiating event itself. This includes being independent of the failure of any element of an IPL already credited for the scenario, or the conditions that caused another IPL to fail, or any other component of the scenario. It is important to watch out for causes of failure that are common between an initiating event and one of the IPLs, or between the different IPLs. When a safeguard is not independent of the initiating event, it cannot be credited as an IPL, for example, if the initiating event is an operator error and the IPL in question requires action by the same operator or operating group to mitigate the situation. [ref]
Auditability means an IPL can be examined on a set time interval that is effective in preventing the consequences of the scenario it protects against when it functions as designed. The design, installation, functional testing, and maintenance systems are in place and working.
Functionality means a protection layer functions in a way that fully prevents or mitigates the consequence of concern and is capable of operating as expected during actual service conditions and any hazardous operating modes where a loss event can occur. Functionality also means an IPL can respond effectively within the required process safety time, even in the presence of other protection layer failures.
Integrity means a protection layer has sufficient dependability to be capable of completely preventing the consequence of the scenario. Integrity can also be defined as the reasonably achievable risk reduction provided by a protection layer given its design and management.
Reliability means the probability that a protection layer operates as intended, under stated conditions, for a specified period of time.
Access security is the use of controls to reduce the probability of unintentional or unauthorized changes.
Management of change is a systematic approach to safeguard changes that ensure that the change is dealt with in a proactive fashion.
Additional criteria also may be used, but the seven identified above are considered the main criteria used for identifying safeguards that qualify as IPLs.
Initiating Event or Initiating Cause
The event that initiates a hazard scenario. It may be an equipment failure, human failure, or external event. [ref]
Point in time in an abnormal situation when an irreversible physical event occurs that has the potential for loss and harm impacts. [ref]
A measure of human injury, environmental damage, or economic loss in terms of both the incident likelihood and the magnitude of the injury or loss.
A simplified version of this relationship expresses risk as the product of the Frequency and the Consequence of an incident (i.e., Risk = Frequency x Consequence). For example, Frequency may be expressed as "events/year" and Consequence as "impact/event" (F = 1 release/year; C = 1 fatality/release; with R = 1 fatality/year for the release scenario). [ref]
A detailed description of an unplanned event or incident sequence that results in a loss event and its associated impacts, including the success or failure of safeguards involved in the incident sequence. [ref]
An organized effort to identify and evaluate hazards associated with processes and operations to enable their control. This review normally involves the use of qualitative techniques to identify and assess the significance of hazards. Conclusions and appropriate recommendations are developed. Occasionally, quantitative methods are used to help prioritized risk reduction. [ref]
A systematic qualitative technique to identify process hazards and potential operating problems using a series of guide words to study process deviations. A HAZOP is used to question every part of a process to discover what deviations from the intention of the design can occur and what their causes and consequences may be. This is done systematically by applying suitable guidewords. This is a systematic detailed review technique, for both batch and continuous plants, which can be applied to new or existing processes to identify hazards. [ref]
An approach that analyzes one incident scenario (cause-consequence pair) at a time, using predefined values for the initiating event frequency, independent protection layer failure probabilities, and consequence severity, in order to compare a scenario risk estimate to risk criteria for determining where additional risk reduction or more detailed analysis is needed. Scenarios are identified elsewhere, typically using a scenario-based hazard evaluation procedure such as a HAZOP Study. [ref]
CCPS (Center for Chemical Process Safety). Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis. Wiley. Kindle Edition.