How to LOPA
Layers of protection: know your onions
Richard Gowland
PROCESS SAFETY SPECIALIST; FORMER TECHNICAL DIRECTOR OF EUROPEAN SAFETY CENTRE, EPSC
MAY 2016 | The Chemical Engineer | page 49

Layer of Protection Analysis (LOPA) has become a popular and convenient method for simplified risk assessment and an important part of the life cycle of safety instrumented systems (SIS), which are covered by IEC 61511 (see Figure 1, IEC 61511 part 3). It offers assistance in answering the questions: is an operating system optimised for safety or the environment? Does the operating system appear to be under-protected when predictable hazards are considered? When I have a defined frequency target based on the severity of an unmitigated hazard, does my system ensure that this target is met? And if not: what is the scale of the deficiency and how might it be rectified?

[Figure 1: IEC 61511 life cycle (typical workflow). The boxes of the flowchart are: start; conceptual process design; perform process hazard analysis and risk assessment; apply non-SIS protection layers to prevent identified hazards or reduce risk; is SIS required? (no/yes); define target SIL; develop safety requirement specification (SRS); perform SIS conceptual design and verify it meets the SRS; perform SIS detail design; SIS installation, commissioning and pre-startup acceptance test; establish operation and maintenance procedures; pre-startup safety review (assessment); SIS startup, operation, maintenance, periodic functional testing; modify or decommission SIS?; modify SIS; SIS decommissioning. LOPA fits well from the process hazard analysis step through to the question "Is SIS required?"]

The layer of protection concept is often described using the LOPA onion (see over). It shows that an operating facility is controlled for its designed purpose and is surrounded by layers which are intended to prevent harm to persons or the environment. The Center for Chemical Process Safety produced an excellent guide to LOPA in 2001 (Layer of Protection Analysis: Simplified Process Risk Assessment, ISBN 0816908117, available from IChemE). When LOPA is itself mapped, we get something like the diagram from appendix 2 of the Process Safety Leadership Group's final report on the Buncefield accident, Safety and Environmental Standards for Fuel Storage Sites (2009) (see Figure 2). The whole study starts from an understanding of hazardous scenarios developed before LOPA is attempted.

Obviously in an operating facility there may be several significant scenarios which need study. LOPA is a method which is based on assessing single scenarios. This means that several LOPA studies would be required for a typical unit. An example is the case of a gasoline storage facility such as the tank which overflowed at Buncefield in 2005. The two immediately obvious scenarios would be fire and explosion, so a LOPA study would be done for each. In turn, each of these studies would need to address the various initiating events which could start a train of events leading to an overflow.

examine identified scenarios
The obvious starting point in a LOPA study will be to examine each identified scenario for its potential severity. This
[Figure: the LOPA onion, depicting the layers of protection normally arranged to control the hazards on an operational facility. The layers legible in the diagram, reading outwards from the centre, are: plant design integrity; basic process control/supervision; critical alarms and operator intervention (via BPCS); safety instrumented system (preventive); physical protection, eg relief devices; plant emergency response; community emergency response.]

would ideally proceed or emanate from a hazard identification process such as HAZOP or HAZID, where deviations, causes, consequences and safeguards will have been identified. The consequences at this stage may or may not have been sufficiently studied to allow a proper estimation of severity to be established. It is important to gain agreement from the study team on this severity, usually in terms of harm to persons or to the environment. In some cases, this might be quite a simple step in the sense that the identified consequence is most likely to affect a limited number of persons. This might be true for a pool fire, but is much less clear when an explosion is considered. A conservative approach is therefore vital.

Once the consequence has been defined, it needs to be assessed for a target frequency which is related to internal guidance from the company and that of the competent authorities (eg the Health and Safety Executive of Great Britain, and the UK's Environment Agency). This guidance is related to the concepts of Broadly Acceptable and ALARP frequencies described in the HSE's approach to risk in Reducing Risks, Protecting People (R2P2), the Buncefield Final Report appendix 2 (Dec 2009), and the Chemical and Downstream Oil Industry Forum (CDOIF) guidance on environmental hazards.

It is not the purpose of this article to tell the reader what to do here. It requires logical thought and effort to choose a target frequency. If too high a frequency target is chosen (eg for a single fatality), it is unlikely to pass the ALARP test which will be needed at the end. It may also fail to meet a regulator's expectations. Again, reference to the publication Safety and Environmental Standards for Fuel Storage Sites, appendix 2, is very helpful.

initiating events
Having established a target frequency, the first (of perhaps several) initiating events needs to be considered. This will likely come from the cause section of the HAZOP/HAZID. The most convenient first initiating event will probably be a failure in a process control or indication such as a level, pressure, or temperature control loop. This needs to have a failure frequency assigned to it. The source of this information is ideally the user's own documented failure and maintenance records. The equipment manufacturer can provide typical results. Failing that, there are databases available which indicate typical ranges. Whichever is chosen, justification will be required. Clause 8.2.2 in IEC 61511 specifies the
lowest failure frequency that may be claimed for instrumented loops typically used in basic process control systems, but it is wrong to assume that this frequency is the default value. Effort is required for the LOPA study to justify the number used in the environment and circumstances which apply.

If a human error is chosen as an initiating event, it needs to be properly assessed via a task analysis and a probability of error established. This should take account of the complexity of the task and the error-producing factors such as lack of training, unfamiliarity, stress and time pressure. Techniques such as the human error assessment and reduction technique (HEART) or the technique for human error rate prediction (THERP) can be used for this. This probability is then combined with the number of times the task is carried out per year to arrive at a frequency.

enabling events
The next step will be to consider the enabling events and conditional modifiers which might be relevant.

A typical enabling event can be, for example, the proportion of the year when a hazard is present. This is common in batch processes in which a reaction is taking place for less than 100% of the time, or a tanker-unloading operation. It may also be relevant, for injury cases, to consider the proportion of time when persons could be in range of the effect of a hazardous event during their work pattern. This needs to be handled with care since management of change may not prevent subtle but significant changes with time. Furthermore, the environment is always present and potentially exposed, so no such occupancy factor applies to an environmental case.

Examples of conditional modifiers include the probability of ignition if a fire or explosion is considered. Furthermore, it might be necessary to consider that if an ignition takes place, the result could be a fire, or worse, an explosion. These decisions require knowledge of factors such as the physical properties of the substance released, the environment, and the conditions under which release takes place. In the case of toxic substance releases, the protection available for the workers potentially exposed will not necessarily be available to all persons affected (eg the community). Additionally, a conditional modifier used for a flammable case will not be relevant for an environmental case since, for example, no ignition is needed in the latter.

The safeguards, or independent protection layers (IPLs), can now be considered. These are the means of detection and prevention which will stop the train of events proceeding to the undesired full hazardous scenario (fire, explosion, toxic release, damage to the environment). These safeguards include response to alarms, basic process control system (BPCS) shutdowns, pressure relief devices (for pressure-related cases), other safety-related protection systems (eg hard-wired instrumented systems and non-instrumented protection systems such as physical interlocks), and finally any existing safety instrumented systems (SISs). These would normally show up in a bow tie diagram or fit into the LOPA onion.

[Figure 2: flowchart for application of the LOPA process (from appendix 2 of the Buncefield Final Report; the section numbers refer to that report). Steps: select tank for study; decide whether considering harm to people or harm to the environment and determine the severity of the harm for the scenario being assessed (sections 3 and 4); systematically identify events and related enabling events/conditions that could (if all other measures fail) lead to the harm being considered, and document the scenarios for each (section 5); for each initiating event list those risk-reducing measures (prevention and mitigation protection layers, conditional modifiers etc) that relate to that initiating event, including any existing or proposed high-level safety instrumented function (sections 6 and 7); conduct LOPA to calculate the frequency of harm from all initiating events; repeat for all relevant initiating events; sum the frequency of harm from all initiating events; compare this total with the target frequency for the level of severity (section 4). Is the risk ALARP? If no: identify further risk reduction measures and the required performance of any measure, including the SIL if the additional measure is a SIS, then reassess the total frequency of harm. If yes: has harm both to people and to the environment been evaluated? If no, return to the severity step for the other; if yes, finish.]
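The arithmetic described in the sections above (an initiating event frequency, a human-error initiating event built up with HEART and multiplied by the number of times the task is done, an enabling event, conditional modifiers and the PFDs of the credited IPLs), together with two cautions raised later in the article (summing the top-event frequency over all initiating events for the same consequence, and refusing IPL credit to an alarm or trip that shares the BPCS with the initiating loop or depends on the operator who made the initiating error), as one added worked example in Python. This is not code from the article or from any LOPA tool. The scenario, the frequencies, the enabling fraction, the modifiers, the HEART multipliers and proportions of affect, the 1E-5/y target and the BPCS claim limits are all constructed or assumed for illustration and would have to be replaced with justified site data; the `max_initiating_frequency` function is the "LOPA worked backwards" reality check the article mentions.

```python
"""LOPA arithmetic for one scenario: initiating event frequency x enabling event x conditional
modifiers x PFDs of the credited IPLs, summed over initiating events and compared with the target.
Added worked example: every figure below is constructed or assumed, not from the article."""
import math
from dataclasses import dataclass, field

# Claim limits assumed here; check them against the edition of IEC 61511 you work to.
BPCS_INITIATOR_FLOOR = 0.1   # per year: a BPCS loop failure may not be claimed rarer than this
BPCS_IPL_MIN_PFD = 0.1       # a BPCS-based protection layer is credited with an RRF of at most 10
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3)]   # low-demand PFDavg bands

def heart_hep(generic_hep, epcs):
    """HEART: generic task HEP x prod((EPC multiplier - 1) x proportion of affect + 1)."""
    for multiplier, proportion_of_affect in epcs:
        generic_hep *= (multiplier - 1.0) * proportion_of_affect + 1.0
    return min(generic_hep, 1.0)

@dataclass
class IPL:
    name: str
    pfd: float
    relies_on: frozenset = frozenset()   # equipment or people the layer depends on

@dataclass
class InitiatingEvent:
    name: str
    frequency: float                     # per year
    relies_on: frozenset = frozenset()
    enabling: float = 1.0                # eg fraction of the year the hazard is present
    modifiers: dict = field(default_factory=dict)   # conditional modifiers, eg P(ignition)
    ipls: list = field(default_factory=list)

    def credited_ipls(self):
        """Credit an IPL only if it shares nothing with the initiator or an already credited IPL."""
        credited, rejected, used = [], [], set(self.relies_on)
        for ipl in self.ipls:
            shared = ipl.relies_on & used
            if shared:
                rejected.append(f"{self.name}: '{ipl.name}' shares {sorted(shared)}, not credited")
            else:
                credited.append(ipl)
                used |= ipl.relies_on
        return credited, rejected

    def claim_warnings(self):
        """Flag BPCS claims that sit below the limits assumed above."""
        warnings = []
        if "BPCS" in self.relies_on and self.frequency < BPCS_INITIATOR_FLOOR:
            warnings.append(f"{self.name}: BPCS initiator claimed below {BPCS_INITIATOR_FLOOR}/y")
        for ipl in self.ipls:
            if "BPCS" in ipl.relies_on and ipl.pfd < BPCS_IPL_MIN_PFD:
                warnings.append(f"{self.name}: '{ipl.name}' claims a PFD below {BPCS_IPL_MIN_PFD}")
        return warnings

    def mitigated_frequency(self):
        """Top-event frequency from this initiator after enabling event, modifiers and credited IPLs."""
        credited, _ = self.credited_ipls()
        unmitigated = self.frequency * self.enabling * math.prod(self.modifiers.values())
        return unmitigated * math.prod(ipl.pfd for ipl in credited)

def scenario_frequency(events):
    """Sum the top-event frequency over every initiating event for the same consequence."""
    return sum(event.mitigated_frequency() for event in events)

def required_sil(total, target):
    """(RRF, SIL) one additional SIS must supply to reach the target. SIL 0: no SIS-sized gap
    (RRF below 10, or none needed); SIL 4: the gap is beyond the SIL 3 band."""
    if total <= target:
        return 1.0, 0
    rrf = total / target
    for sil, low, high in SIL_BANDS:
        if low <= 1.0 / rrf < high:
            return rrf, sil
    return rrf, 4 if rrf > 1e4 else 0

def max_initiating_frequency(target, event):
    """LOPA worked backwards: the initiating frequency at which this event alone just meets target."""
    credited, _ = event.credited_ipls()
    return target / (event.enabling * math.prod(event.modifiers.values())
                     * math.prod(ipl.pfd for ipl in credited))

# Constructed scenario: tank overfill -> pool fire -> single fatality of the patrol operator.
TARGET = 1e-5                                                    # per year; assumed company target
MODIFIERS = {"P(ignition)": 0.1, "P(operator in range)": 0.5}   # assumed conditional modifiers
TRIP = IPL("independent high-high level trip", 0.01, frozenset({"SIS"}))
ALARM = IPL("high-level alarm via BPCS, field operator responds", 0.1, frozenset({"BPCS", "field operator"}))
EVENTS = [
    InitiatingEvent("BPCS level loop fails", 0.1, frozenset({"BPCS"}),
                    enabling=0.3, modifiers=MODIFIERS, ipls=[ALARM, TRIP]),   # receipts 30% of year
    InitiatingEvent("field operator lines up the wrong tank",
                    heart_hep(0.003, [(11, 0.1), (17, 0.05)]) * 200,         # HEP x 200 receipts/year
                    frozenset({"field operator"}), modifiers=MODIFIERS, ipls=[ALARM, TRIP]),
]

if __name__ == "__main__":
    for event in EVENTS:
        print(f"{event.name}: {event.mitigated_frequency():.2e}/y", event.credited_ipls()[1])
    total = scenario_frequency(EVENTS)
    print(f"total {total:.2e}/y vs target {TARGET:.0e}/y, extra (RRF, SIL) = {required_sil(total, TARGET)}")
```

Run as a script it shows the point of the two cautions: the same alarm is rejected for the loop-failure initiator because it shares the BPCS, and for the human-error initiator because the responding operator is the one who made the error, so only the independent trip is credited for either. The two initiators then sum to about 1.1E-3/y against a 1E-5/y target, and the gap (RRF about 110) falls in the SIL 2 band for a single additional SIS, although each initiator might have looked tolerable on its own had the alarm been credited.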
Each of these will need to be assigned a probability of failure on demand (PFD). In the case of alarm response and BPCS, there are allowed lower limits which are described in IEC 61511 9.4.2. The quoted probability of failure cannot be taken as applicable to all cases. It is necessary to design and test these functions to establish their reliability. Furthermore, there are logical limits applied to alarm response, since the alarm usually originates from a simple non-SIS source and requires an operator to respond. The time available for this response is crucial since the operator needs to be present, be alerted, understand the needed response and have sufficient time to take the process to a safe state. In many cases, this is not possible or is debatable, and in some studies it is ignored. This seems to be a rather drastic approach since it implies to the operator that his response to alarms does not matter. Some studies reveal that a manually-initiated emergency shutdown (ESD) is assigned a very low PFD. If the alert for this is coming from a BPCS-driven alarm, this would be questionable. The Engineering Equipment and Materials Users Association (EEMUA) publication 191 Alarm Systems is recognised as good practice and will help a user to make realistic decisions when accounting for operator response.

It is quite clear that a BPCS-driven alarm or trip may be considered as an independent protection layer when it is not the initiating event, for example when human error is the initiating event. However, care is needed if the response is required from the operator who made the initiating error.

In every case, the IPL safeguard must function independently of the initiating event and any other IPL safeguard. It is remarkable how many LOPA studies propose a control system (BPCS loop) failure and then allow an alarm or trip driven from the same system to appear as a safeguard IPL. Two other features of IPLs are adequacy and the capability of a functional test. For example, a pressure safety relief device may be cited as an IPL for overpressure cases. The obvious questions relating to this are: is the system properly tested and is it adequate to play its part as an IPL? The latter is not a given. We need to be sure that design calculations show that it has the required capacity and that its functioning does not cause a secondary hazard. When considering alarm response, how can we be sure that we can test this as an IPL?

[Photo caption: Buncefield: a gasoline storage facility would require two LOPA studies, for fire and for explosion]

As with other IPLs, one of the required features of a safety instrumented system is that it is completely independent. This means that its sensing element(s), logic solver and final element(s), eg block valves, are not used by any other system in the same scenario study. In the case of non-SIS instrumented protection systems, even when other elements in the loop pass the independence test, the BPCS logic solver may appear to be shared between the control function and the safety function. This may become a problem if a BPCS control loop is considered as an initiating event. Separating the control and safety functions in the BPCS may be possible, but its validity can only be verified by persons knowledgeable in the design, architecture and testing of such systems. In practice, some companies do not allow the BPCS to appear anywhere as an IPL. The Buncefield Final Report (2009) (appendix 2 of Safety and Environmental Standards for Fuel Storage Sites) has some positive guidance and cautions in this respect.

When the BPCS is ignored as supporting an IPL it will mean added emphasis on other IPLs such as SIS, and add cost. It may lead to a result with a higher SIL for a SIS. Quite apart from the all-eggs-in-one-basket concerns, this may lead to extreme burdens on the maintenance and testing regimes.

Once the scenario frequency (eg pool fire causing one fatality) set in train by each of the initiating events is calculated, the aggregate frequency must be addressed by adding the individual initiating event top event frequencies together. For example, if three individual causes for the same scenario give top event frequencies of 1E-06/y, 3.0E-07/y and 2.1E-06/y, the overall frequency is 3.4E-06/y. This may mean that although each initiating event on its own may produce a tolerable frequency, the actual result may not.

At the end of the LOPA study an examination of the result for its uncertainties and sensitivities is advised before proceeding to the as low as reasonably practicable (ALARP) question.

Uncertainty is mostly about the reliability data used in the study. Normally, the study should identify where this is, what effect it will have if it is wrong, and how it may be ameliorated.

Sensitivity seems to be about the factors which have the greatest effect on the outcome in terms of severity or frequency. It is usually the second of these which is worth comment. If a single IPL is required to have a very low probability of failure on demand, eg an SIL 3 SIS, the failure to ensure this PFD via the life cycle approach in IEC 61511 means that the top event could be at least three orders of magnitude more frequent than we
desire. This could be one of the reasons that many companies avoid using SIL 3 SISs anywhere in their systems if they can.

In the UK, the ALARP question will now need to be addressed. The issue arises about a cost benefit analysis at the end of a LOPA study which addresses the question: is a reduction in frequency of the top event achievable at reasonable cost? A cost benefit analysis can be quite simple to do, but the difficulty comes when assessing whether the attendant cost of capital and regular testing is grossly disproportionate to the benefit gained. The HSE publication Reducing Risks, Protecting People (R2P2) gets you started, although the figures quoted for values are from 2001 and need to be adjusted. Furthermore, the values associated with an event are likely to be determined by a court. The HSE has some more advice on its website (www.hse.gov.uk). In the end, this leads to a reasonable framework. There are statements in the procedure for checking for ALARP which suggest that a cost benefit analysis may not be necessary; however, it is difficult to see how this might always be possible. Even when the ALARP question is not part of a regulator's requirement, it makes sense to carry out a cost benefit analysis to establish that resources are assigned wisely.

The practicalities
Any LOPA study needs to have documentation on the source of the scenarios (eg HAZOP), and the names and competences of the LOPA study team. Usually this would be:

trained leader/facilitator;
production operator(s) for existing facility studies;
project engineer for new facilities;
process technology specialist;
process control specialist;
production engineer;
maintenance;
instrumentation design engineer; and
scribe (preferably using proprietary recording and calculating software such as ABB TRACS, or simple Excel software as used in the IChemE training course).

The resources for the study would include:

process description;
piping and instrument diagrams;
operating instructions;
outcomes from previous studies (eg HAZOP);
lists of systems which are bypassed or in manual; and
recommended software for recording and calculating outcomes.

The study outcomes include actions on improving existing systems and additional protection required to meet the target frequencies for the scenario; full descriptions for the safety functions of all IPLs along with required PFDs; and review dates.

I have a number of rules of thumb. These have assisted some studies but do not represent science. LOPA works well when considering events which start from a well-understood severity evaluation. Describe the scenario as simply as possible and include a description of the final outcome, eg single fatality to patrol operator. Remember to start the LOPA assuming that the top event happens, and then bring in all the factors which affect its outcome and frequency. A top event with severity lower than serious injury often produces results which could have been worked out much earlier without resorting to LOPA. So be ready to allow other evaluations to solve the problems (permit to work, job safety analysis etc).

LOPA requires at least approximate (not wet finger) estimates of initiating event frequency and probability of failure on demand of safeguards. Initiating events for which no data exist can lead to a lack of credibility, although there is some merit in understanding which IPLs may apply even when the data are guessed. This at least helps us to focus on preventive measures even if the initiating event or some IPLs cannot be quantified. There have been cases of working LOPA backwards by establishing a tolerable frequency and then allowing for all the normal factors in LOPA to arrive at a required frequency of the initiating event. A reality check may then be applied to this: does this make sense if we examine history?

Human factor evaluation can be tricky. The use of HEART requires significant judgement when addressing the proportion of affect (sic) of error producing conditions (EPCs). However, simply comparing a task to the generic tasks described in the method allows a baseline to be drawn for a probability of error. At this stage, task simplification can be considered. The influence of the proportion of affect can be minimised by making sure that the described error producing conditions are eliminated or minimised.

Conclusion
LOPA is a simple method but requires you to know and obey the rules. A well-run study gains the confidence of all participants, including the essential operating staff who know the actual conditions at the plant (and may reveal problems unknown to the other study participants). Anyone familiar with HAZOP should know that sometimes the provision of information or decisions need to be made by persons outside the LOPA team. This would be normal and needs to be managed properly.

As with other methods, manipulating the outcome to suit a pre-existing requirement is not a good idea. If this is attempted, the clarity of the LOPA method will soon reveal shortcuts or rule violations. This is one of its greatest advantages. Like most risk assessment methods, LOPA is not an exact science, so there needs to be a reality check on its results. And lastly, LOPA is more fun than HAZOP!
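The cost benefit step of the ALARP question discussed above, as an added example in Python that is not from the article, from HSE or from any LOPA tool. It takes the before and after top-event frequencies a LOPA produces, places the unmitigated risk against the R2P2 individual-risk boundaries (1E-3/y for workers at the limit of tolerability, 1E-6/y broadly acceptable) and then applies the gross disproportion test: the measure is reasonably practicable unless its lifetime cost exceeds the value of the harm averted by more than a disproportion factor. The value of preventing a fatality, the disproportion factors, the plant life and the costs are placeholders marked as such in the code; the article's point that the 2001 R2P2 figures need adjusting applies to them.

```python
"""Gross disproportion test for the ALARP question that follows a LOPA.
Added example: the monetary figures and factors are placeholders, not the article's or HSE's."""
from math import inf

VPF = 1.0e6                # value of preventing a fatality; placeholder, take the current HSE figure
UPPER_TOLERABLE = 1e-3     # R2P2 limit of tolerability, individual risk of death per year (workers)
BROADLY_ACCEPTABLE = 1e-6  # R2P2 broadly acceptable boundary, per year

def disproportion_factor(unmitigated_frequency):
    """How far cost may exceed benefit before it counts as grossly disproportionate.
    Assumed values: larger the nearer the unmitigated risk sits to the intolerable boundary."""
    if unmitigated_frequency >= 1e-4:
        return 10.0
    if unmitigated_frequency >= 1e-5:
        return 3.0
    return 1.0

def benefit(freq_before, freq_after, fatalities, years, vpf=VPF):
    """Undiscounted value of the fatalities averted over the life of the measure."""
    return (freq_before - freq_after) * fatalities * vpf * years

def lifetime_cost(capital, annual_upkeep, years):
    """Capital plus the recurring proof testing and maintenance the LOPA credit depends on."""
    return capital + annual_upkeep * years

def alarp_decision(freq_before, freq_after, fatalities, capital, annual_upkeep, years):
    """Place the unmitigated risk in its R2P2 region, then apply cost/benefit <= factor."""
    if freq_before >= UPPER_TOLERABLE:
        return {"region": "intolerable", "implement": True, "ratio": None}   # reduce regardless of cost
    region = "broadly acceptable" if freq_before < BROADLY_ACCEPTABLE else "tolerable if ALARP"
    gain = benefit(freq_before, freq_after, fatalities, years)
    cost = lifetime_cost(capital, annual_upkeep, years)
    ratio = cost / gain if gain > 0 else inf
    factor = disproportion_factor(freq_before)
    return {"region": region, "benefit": gain, "cost": cost, "ratio": ratio,
            "factor": factor, "implement": ratio <= factor}

if __name__ == "__main__":
    # Constructed cases: an extra layer credited with RRF 10, 20 year life, different severities.
    for args in ((1.1e-3, 5.5e-6, 1, 150_000, 12_000, 20),   # intolerable: reduce, no CBA needed
                 (2e-4, 2e-5, 5, 40_000, 3_000, 20),         # explosion, 5 fatalities: implement
                 (2e-4, 2e-5, 1, 40_000, 3_000, 20),         # single fatality: grossly disproportionate
                 (5e-7, 5e-8, 1, 40_000, 3_000, 20)):        # broadly acceptable region
        print(args, alarp_decision(*args))
```

The constructed cases show why the severity decision at the start of the LOPA matters to the outcome at the end: the same measure at the same starting frequency passes the test for a five-fatality explosion and fails it for a single fatality. A real assessment would discount future benefits, include injuries and environmental harm, and use the current HSE figures rather than the placeholders here.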
Disclaimer: This article is provided for guidance alone. Expert
engineering advice should be sought before application.