Machine and Process Management

What is an Independent Protection Layer?

In industrial control systems, we know the essential parts of a control scheme – we have control loops such as a PID, a calculation block, a start/stop block, and many others. The control scheme may also include instruments and devices like pressure transmitters and valves. So fundamentally, we have inputs, outputs, and logic to control a function called the basic process control system (BPCS).

In a safety instrumented system (SIS), we have the same elements that are part of the safety control scheme. But instead of calling these a first or second layer of protection, we refer to them as Independent Protection Layers (IPL). We call them that because they are independent of one another. According to American Institute for Chemical Engineers Center for Chemical Process Safety (AIChE CCPS), the definition of an IPL is ‘A device, system, or human action, which meets the core attributes to the necessary level of rigor and is capable of preventing an initiating cause from propagating to a hazardous event.’ It’s a fancy way of saying that anything that can control a system from reaching a hazardous state is an IPL.

So, as we talked about before, the BPCS and the SIS are each IPLs, and the elements within them are components of the IPL and need to be examined for their safety integrity levels. So why do we need to know all the IPLs if we are really only concerned about the safety of the plant and the safety system? Well, it’s because it helps add some additional information above and beyond just the safety system components like in a Triconex system – which is an SIS. It helps us look at the entirety of the controls and evaluate all those devices or actions that play a role in the plant’s overall safety.

Reminder, a BPCS for instance is an IPL. If the BPCS does not do a good job of regulating the tank, it can also cause it to explode. We need to know that the BPCS is in proper condition, the proper state of test, and proper visibility to do what-if analyses.

 

Independent Protection Layer Drawing

Let’s look at the classic plant and safety control system. The example shown in the Figure A below shows a storage tank and a mechanical pressure relief device. At the top of the tank and in blue, you see the plant controls. First, we have the Level Controller (LIC101). This Controller holds the control logic to ensure that when the Level Transmitter (LT101) reaches a point, the Valve (V101) opens. And we have another output from the control system logic – the Operator Alarm (LAH101). This completes the standard balance of the plant control system.

Independent Protection Layer

Figure A: classic plant and safety control system

But now we see the safety controls from the SIS in red. The difference in the control loop for the plant controls and the control loop in the Safety System is that the logic employed to manage the Level Transmitter is different. In most cases, this backup safety device LT102 goes into a voting loop inside the SIS which contains a controller and logic. Those parts are just represented as the diamond block SIS. This voting loop also provides a layer of protection that keeps tank controls from failing and causing an explosion. And just like the plant controls, we have the protection output from the SIS, which is another valve XV101, as a safety device to make sure the tank doesn’t over pressurize if the primary plant control fails.

When we talk about an Independent Protection Layer, we are talking about the protection layers that are separate from each other and provide safety protection. Meaning in this example, you’ll see the SIS is not part of the plant controls and the plant controls are not part of the safety controls. They work independently of each other. But together, they both play a role in the overall safety of the plant.

 

Why Do We Care About the Independent Protection Layer?

How does the safety system application that sits on top of the SIS manage these IPLs, and why do we care?

Clearly, we want to have a bird’s eye view of all elements of the safety system – the safety controllers, safety control loop, and the safety valves. Still, we also have to know what’s going on with the basic plant control loops, the actual devices, and the alarms. Why?

It’s all part of the control system of the tank, which can cause a hazardous event if not controlled correctly.

 

Real-life Examples of IPL Software in a Safety System Application

I like to use graphics because a picture is worth 1,000 words. Here is a graphic of the Safety System software that sits above the existing control system.

Independent Protection Layer

Figure B:  IPL Control Loop States for BPCS and SIS Elements

In the Figure B above, the software is showing us the state of two IPL control loops – CTRL01-SIF01 is the safety control loop in the SIS, and CTRL01-BPCS01, CTRL01-ALRM01, and CTRL01-MC01 are all part of the BPCS. It’s showing us that there is a problem with the Safety Instrumented Function Control loop (CTRL-SIF01), but it is also telling us that the rest of the controls associated with the Furnace – the BPCS – are ok; reiterating how these Independent Protection Layers are unique to each other.

Independent Protection Layer

Figure C:  Elements and State of Individual Elements of a SIF

 

By the way, don’t let the IPL single screen above trick you. There are many other screens that will tell you what the conditions are for the components in the safety control loops.

But to close the loop – no pun intended – on the rest of the elements of the safety loop, here is a screen that shows the parts and some additional statistics for the safety IPL.

The screen shot in Figure C was taken at a different moment in time because all the indicators show that CTRL01-SIF01 was compliant. But what we do see is more detail on what makes up CTRL01-SIF01. We see it consists of a Sensor (CTRL01-Sensor01), some logic at Node 1 LS (probably designated as such because the logic is located in PLC01), and CTRL01-FinalElement01 (probably a valve or pump or some kind of output based on the logic in the PLC).

With this view, we see in the analytical software that sits above the primary Safety Instrumented System all the parts of the two IPLs – while independent, they intrinsically work together.

 The Importance of IPLs for your Plant’s Control Scheme

Here are the three things we’ve learned about IPLs:

  1. An IPL is any layer of protection in the plant.
    1. Safety Loop
    2. Plant control loop
    3. Alarm
    4. A device like a valve
  1. All IPLs are critical to look at because each provides a level of protection beyond just the safety instrumented function.
  2. IPLs need to be monitored by analytical software that sits on top of the IPL systems – BPCS and SIS – because we can tell a lot about the state of the IPLs so we can act quickly.

Schneider Electric process automation systems have this Independent Protection Layer inherent to their safety portfolio. If you’re considering how to ensure your plant architecture is safely secured, contact a Schneider expert today.   You can learn more about EcoStruxure Process Safety Advisor at our website

 

 

 

 


No Responses

Leave a Reply

  • (will not be published)