Planning protective measures, layers of protection and LOPA (Layers Of Protection Analysis)
The term "layers of protection" refers to the complete set of protective measures intended to keep a critical failure in a process from occurring or escalating.
At the organization level, layers of protection are divided into four categories:
- Procedural layer. Early planning and structural preparation, before any deviation occurs.
- Preventive layer. Protective measures whose goal is to stop the escalation from "deviation" to "incident" and from "incident" to "disaster".
- Holding (containment) layer. Automatic or structural handling of a scenario that has already occurred, to limit its immediate damage.
- Immediate response. The organization's preparedness to save lives and limit damage once the scenario is under way.
When planning protective measures we need to keep in mind the following eight principles:
- Independence. A protective measure must not depend on the same thing that caused the initiating event, or on a resource shared with another measure that is already being credited. For instance, if the source of the failure is loss of instrument air in the facility, we cannot credit a protective measure that needs air pressure to fulfil its purpose.
- Functionality. The protective measure must act in time. Process deviations can develop very fast, and a protective measure must keep up with the incident's timeline; otherwise it is worthless, however well it is built.
- Effectiveness. A protective measure must reduce the risk significantly; there is no point installing one that does not. The aim is for each measure to reduce the risk by at least a factor of 10 (a probability of failure on demand of 0.1 or better), but in practice several measures sometimes have to be combined to reach the required overall reduction.
- Reliability. A protective measure should work at the highest reliability level that can be achieved. Planning protective measures often means combining measures and logic (for example voting between redundant sensors) so that the combined reliability brings the risk down to the required level.
- Testable and verifiable. A protective measure can only be credited if it is known to be available, which in practice means it can be proof-tested at defined intervals and its state can be verified. This point is tricky and may require additional instrumentation, and even changes to the design, to ensure that the protective measure is always available when demanded.
- Safely accessible. If the protective measure requires human intervention, someone must be able to reach it and operate it safely under the conditions of the incident.
- Completeness of the layer of protection. A complete layer of protection is one in which the protective measures together cover every cause of the scenario being examined. Usually we aim for a complete layer, meaning protective measures that address the whole layer, but this is not always possible; in that case the gaps must be closed in the next layer of protection.
- Change management. Any change in the process must trigger a review of whether the protective measures are affected and whether the layer of protection as a whole is still adequate.
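The principles above decide which measures may be counted at all, and the effectiveness and reliability points are what a LOPA actually computes: the initiating event frequency is multiplied by the probability of failure on demand (PFD) of every credited independent layer, and the result is compared with the tolerable frequency. The following example is added here and is not part of the original page or of any specific LOPA tool. The scenario, utility names, PFD values and the target frequency are constructed for illustration; the rule that two layers sharing a utility (both needing the same power supply, say) may not both be credited is a common LOPA convention applied here as an assumption, extending the page's own air-pressure example.

```python
"""Minimal LOPA calculation with independence and effectiveness screening.

Added example, not from the original page. All scenario data below
(utility names, PFD values, frequencies) are constructed assumptions.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float            # probability of failure on demand, 0..1
    needs: frozenset      # utilities the layer needs in order to act


@dataclass(frozen=True)
class Scenario:
    name: str
    initiating_event: str
    initiating_frequency: float    # initiating events per year
    lost_on_initiation: frozenset  # utilities the initiating event removes
    target_frequency: float        # tolerable frequency of the consequence, per year
    layers: tuple


# A single layer must reduce risk by at least 10x (PFD <= 0.1) to be credited alone.
MAX_IPL_PFD = 0.1


def creditable_layers(scenario):
    """Split layers into (credited, rejected); rejected maps name -> reason.

    Independence: drop a layer that needs a utility the initiating event
    removes, or that shares a utility with a layer already credited
    (one common-cause failure would defeat both at once).
    Effectiveness: drop a layer whose PFD is worse than MAX_IPL_PFD.
    Layers are examined best-first so the strongest one wins a shared utility.
    """
    credited, rejected, used = [], {}, set()
    for layer in sorted(scenario.layers, key=lambda l: l.pfd):
        if layer.needs & scenario.lost_on_initiation:
            rejected[layer.name] = "depends on a utility lost in the initiating event"
        elif layer.needs & used:
            rejected[layer.name] = "shares a common dependency with a credited layer"
        elif layer.pfd > MAX_IPL_PFD:
            rejected[layer.name] = "risk reduction below 10x, cannot be credited alone"
        else:
            credited.append(layer)
            used |= layer.needs
    return credited, rejected


def lopa(scenario):
    """Mitigated frequency = initiating frequency x product of credited PFDs."""
    credited, rejected = creditable_layers(scenario)
    pfd_product = math.prod(l.pfd for l in credited) if credited else 1.0
    mitigated = scenario.initiating_frequency * pfd_product
    return {
        "credited": [l.name for l in credited],
        "rejected": rejected,
        "mitigated_frequency": mitigated,
        "meets_target": mitigated <= scenario.target_frequency,
        # Extra risk reduction factor the next layer must supply (1.0 if none).
        "required_additional_rrf": max(1.0, mitigated / scenario.target_frequency),
    }


# Constructed scenario: loss of instrument air drives a control valve to a
# position that overpressures a vessel.
SCENARIO = Scenario(
    name="Vessel overpressure on loss of instrument air",
    initiating_event="loss of instrument air",
    initiating_frequency=0.1,
    lost_on_initiation=frozenset({"instrument_air"}),
    target_frequency=1e-7,
    layers=(
        Layer("Air-operated shutdown valve", 0.01, frozenset({"instrument_air"})),
        Layer("Fail-closed SIS shutdown valve", 0.01, frozenset({"power"})),
        Layer("Relief valve", 0.01, frozenset()),
        Layer("Second SIS channel on same supply", 0.05, frozenset({"power"})),
        Layer("High-pressure alarm and operator response", 0.1, frozenset()),
        Layer("Hourly round by operator", 0.5, frozenset()),
    ),
)


if __name__ == "__main__":
    result = lopa(SCENARIO)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With these assumed numbers three layers are credited (0.1 x 0.01 x 0.01 x 0.1 gives 1e-6 per year), the air-operated valve is rejected because it needs the very utility the initiating event removes, the second SIS channel is rejected for sharing a power supply with the credited one, and the hourly round falls short of 10x; the result is still a factor of 10 above the target, which is the gap the next layer of protection would have to close.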
Upholding these principles requires the planner of the protective measures to have knowledge and relevant experience in: 1) process engineering, 2) reliability engineering, 3) running complex simulations to assess the effectiveness of the protective measures, 4) risk engineering, 5) safety engineering and 6) fire protection engineering. Knowledge of economics is also valuable, so that at the end of planning you pay only for the protections that are necessary and not for those that are merely "nice to have".
The risk engineering division places this knowledge and experience at your disposal for the proper planning of the protective measures and layers of protection required for the process and the facility at your organization. For further details, and to order a layers of protection survey, please contact us.