(153b) Evaluating Protection Layers That Are Not Independent

Layer of Protection Analysis (LOPA) assumes that independent protection layers (IPLs) are independent of the initiating event (IE) components and any components of any other IPL in the LOPA scenario. Often it is found that protection layers are "almost" independent, that they have all separate components except they may:

1. share common utilities such as plant air, electricity or cooling water

2. share components in instrumented loops with other instrumented IPLs or the IE

3. be in the same location and share vulnerability to a common failure such as a fire

This paper looks at each of these situations using simple examples and by using a fault tree model of the LOPA scenarios to address the impact of sharing components or sub-systems. Also, the paper shows the difference between analysis of sharing at the order of magnitude LOPA level and using best estimate component reliability data.

Finally, some general guidelines are suggested for dealing with sharing issues in LOPA and the potential benefits of selected sharing and costs of associated with assuring independence are discussed.