Layers of Protection for Industrial Facilities

Layers of Protection

Nobody will want your products if they cause harm or cost too much. Therefore, every industrial facility in the world seeks to ensure performance in three primary categories: safety, the environment and cost. To achieve success in these categories, using multiple layers of protection to prevent hazards from escalating to consequences of interest is crucially important. These consequences can range from minor process inefficiencies to loss of containment, explosions, fires or even fatalities. Measuring the health of the different layers of protection ensures their continued effectiveness, while also highlighting potential weaknesses or faults in any given layer. 

Let’s examine the typical layers of protection within an industrial facility. At the core are procedures and management systems. Procedures and practices that govern every task within a facility help ensure safe, environmentally friendly and profitable operations. However, abnormal conditions can still arise.  

When an abnormal condition appears within the process, the automation system and its automatic control loops are the first layer of protection. The purpose of this layer is twofold: first, to handle abnormal conditions and return the process to its normal operating range, and second, to ensure optimal production.

If, for any reason, the automatic controls are unable to handle the disturbance, an alarm is triggered. The alarm is a call to action for the operator to intervene in the process to correct the abnormal condition and return the process to the normal operating range. Correcting the abnormal situation in the control loop or alarm layer prevents escalation of the potential consequences. 

Should the operator's response be delayed or hampered, the next layer of protection is the trips, activation of safety instrumented systems (SIS) and unit shutdowns. When a facility shuts down, losses from the abnormal condition are no longer avoidable. If things work as designed, those losses will be largely economic and environmental. Production is halted, material is flared, etc.  

If the trips, SIS activations and unit shutdowns don’t function within the required time, physical devices and operating limits are one of the last layers of protection. The intent of the equipment and facility design is to keep material “in the pipe,” or at the very least within the confines of the facility, to prevent consequences to the community at large. Events that reach this layer of protection almost always necessitate reporting to regulatory agencies and often result in fines and undesirable news coverage.

If all other layers of protection have failed to contain the event, the last layer of protection is evacuation. Removal of personnel from the affected area and surrounding community is the last-gasp effort to safeguard lives. Losses from the consequences of events that reach this layer of protection can be staggering in terms of the lives, communities and habitats impacted. Events that reach this layer often become case studies of how all the other layers of protection were inoperable, degraded or simply ignored. These are events that will forever be associated with the company responsible. To this day, it’s nearly impossible to mention Union Carbide, for example, without talking about Bhopal. The Bhopal disaster was a catastrophic chemical accident that occurred at the Union Carbide India Limited pesticide plant. Safety systems were malfunctioning, and many valves and lines were in poor condition. In December of 1984, gas was accidentally released from the plant, exposing more than 500,000 people to chemicals. Historically, it is the world’s worst industrial disaster.  

The innermost layers of protection have the largest number of controls in place to prevent an escalating event. The outermost layers have the fewest available options to prevent a consequence. Addressing events before they reach the point of loss is a key characteristic of effective operational risk management. Understanding and measuring the health of each of these layers identifies weaknesses before they can turn into failures and lead to an event “passing through another hole in the Swiss cheese,” moving ever closer to a consequence.
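The layers described above act in series: a consequence is only reached when each layer in turn fails on the same demand, which is the idea behind the “Swiss cheese” picture. The standard way to put numbers on that is a layer-of-protection style calculation, where each independent layer is given a probability of failure on demand (PFD) and the frequency of the final consequence is the initiating frequency multiplied by the PFDs of every layer it has to pass through. The Python below is an added illustration of that calculation, not code from the article or from PAS or Hexagon; it generalises the article's qualitative description into the usual multiplicative model, and the layer names, initiating frequency and PFD values are constructed for illustration, not figures from the page.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class ProtectionLayer:
    """One independent layer of protection.

    pfd is the probability that the layer fails to act when a demand
    reaches it (0.0 = always works, 1.0 = never works / bypassed).
    """
    name: str
    pfd: float


# Constructed example: the article's layers in the order a demand meets them.
# PFD values are assumptions chosen for illustration only.
LAYERS = [
    ProtectionLayer("Automatic control loops", 0.10),
    ProtectionLayer("Alarm and operator response", 0.10),
    ProtectionLayer("Trips / SIS / unit shutdown", 0.01),
    ProtectionLayer("Physical devices and operating limits", 0.10),
    ProtectionLayer("Evacuation", 0.50),
]


def frequency_reaching_layer(initiating_frequency, layers, index):
    """Frequency (events per year) at which a demand reaches layer `index`,
    i.e. every earlier layer has already failed on that demand."""
    return initiating_frequency * prod(layer.pfd for layer in layers[:index])


def mitigated_frequency(initiating_frequency, layers):
    """Frequency of the final consequence: every layer in series has failed."""
    return frequency_reaching_layer(initiating_frequency, layers, len(layers))


def risk_profile(initiating_frequency, layers):
    """Per-layer view: how often each layer is actually called upon."""
    return [
        (layer.name, frequency_reaching_layer(initiating_frequency, layers, i))
        for i, layer in enumerate(layers)
    ]


def weakest_layer(layers):
    """The layer giving the least risk reduction (highest PFD)."""
    return max(layers, key=lambda layer: layer.pfd)


def with_degraded_layer(layers, name, new_pfd):
    """Copy of `layers` with one layer's PFD changed, e.g. to model a trip
    left bypassed or an alarm that operators have stopped responding to."""
    return [
        ProtectionLayer(layer.name, new_pfd) if layer.name == name else layer
        for layer in layers
    ]


if __name__ == "__main__":
    initiating = 1.0  # constructed: one upset per year that needs a response
    for name, freq in risk_profile(initiating, LAYERS):
        print(f"{name:40s} demanded {freq:.2e} times/year")
    print(f"consequence frequency: {mitigated_frequency(initiating, LAYERS):.2e}/year")
    print(f"weakest layer: {weakest_layer(LAYERS).name}")
    # Same plant with the SIS bypassed: the consequence becomes 100x more likely.
    bypassed = with_degraded_layer(LAYERS, "Trips / SIS / unit shutdown", 1.0)
    print(f"with SIS bypassed: {mitigated_frequency(initiating, bypassed):.2e}/year")
```

The per-layer demand frequencies are the measurable “health” signal the article is pointing at: if the trip layer is seeing far more demands than the design assumed, the inner layers (control loops, alarms, operator response) are degraded even though no loss has occurred yet. The degraded-layer helper makes the Swiss-cheese argument concrete: setting a single layer's PFD to 1.0 removes its whole contribution and the consequence frequency rises by the corresponding factor.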

Identify and solve problems while they are small before they reach the point of loss.

About the Author

Brian Nixon received a Bachelor of Science in Chemical Engineering with a minor in Computer Science from Rose-Hulman Institute of Technology. His early career was as a process/plant engineer in the process industries, including agricultural processing, specialty chemical manufacturing and plastics compounding. He then transitioned into control systems consulting, business development and software product management roles. He is currently a Senior Strategy & Enablement Consulting Lead with Hexagon's Asset Lifecycle Intelligence division.