What Is LOPA?

Layer of Protection Analysis (LOPA) serves as a tool for evaluating process risks, particularly those high-severity scenarios that lack sufficient historical data to inform frequency assessments. Unlike a Hazard and Operability Study (HAZOP), which is a Hazard Identification and Risk Assessment (HIRA) tool, LOPA is not designed for hazard identification but rather for hazard analysis.

It operates by examining one incident scenario at a time, each defined by a cause-consequence pair. LOPA reduces the subjectivity typically associated with qualitative methods such as HAZOP.

LOPA is a semi-quantitative analysis tool that effectively fills the methodological void between qualitative risk assessments, like HAZOP, and more comprehensive quantitative methods, such as Quantitative Risk Analysis (QRA). LOPA provides a focused and efficient means to evaluate the effectiveness of safety systems and risk management protocols without the extensive resources typically required for a full QRA.

Organizations handling and processing highly hazardous chemicals typically perform LOPA for the following reasons:

  • LOPA Addresses High-Severity Scenarios –  LOPA is conducted to effectively manage high-severity scenarios that could result in significant consequences, requiring rigorous and focused analysis.
  • LOPA Can Be Used To Evaluate the Adequacy of Safeguards – It helps organizations assess the adequacy of existing protection measures and pinpoint areas needing enhanced safeguards.
  • LOPA Offers a Consistent Estimate of Frequency – LOPA offers a consistent and structured methodology for risk assessment, reducing variability and enhancing the reliability of safety evaluations across various scenarios, for instance so that the frequency is not estimated based on experience alone.
  • LOPA Is Applied for Regulatory Compliance – Also known as Safeguard Protection Analysis (SPA), the structured approach of LOPA meets regulatory demands for a demonstrable, methodical approach to safety risk management. More stringent states in the USA, like California, regulate the use of Layer of Protection Analysis (LOPA), while others consider it a best practice.

Independent Protection Layers (IPL)

If you have undergone LOPA training in the USA, you will know that LOPA uses the concept of Independent Protection Layers (IPL) aimed at reducing the likelihood of consequences linked to process hazards. An IPL is a safeguard or barrier designed to prevent or mitigate the consequences of process-related hazards or events. These layers are “independent” in that each layer functions separately from the others, providing an additional level of defense to reduce risk to an acceptable level.

According to the Center for Chemical Process Safety (CCPS) Risk-Based Process Safety (RBPS) guidelines, IPLs must exhibit the following characteristics:

  • Independent – An IPL must operate independently from the control system and other protection layers. Its effectiveness should not be influenced by the failure of another system or component. Independence ensures that if one layer fails, others will still function, providing a fail-safe mechanism against cascading failures. This independence is essential for maintaining the integrity of the safety system, even in the event of a component or system failure.
  • Specific – Each IPL is designed to address specific types of hazards or risks. It must be appropriately chosen based on its ability to mitigate the identified risk effectively. This specificity ensures that the protection layer is not only suitable but also optimally configured to manage the particular hazard it is intended to control. For example, a safety instrumented system designed to shut down a reactor in case of overheating must be tailored to respond to temperature parameters accurately.
  • Auditable – IPLs must be auditable, meaning they should have features that allow for regular testing and verification to confirm their operational readiness and effectiveness. This ensures ongoing reliability and functionality of the IPLs through maintenance, inspections, and functional safety audits. An auditable IPL provides traceable, documented evidence that it has been maintained and tested according to established safety standards and best practices.

To understand IPLs, it is useful to consider models like the Swiss Cheese Model and the Onion Ring Model. The Swiss Cheese Model visualizes multiple layers of defense as slices of Swiss cheese, where the holes represent potential failures. The idea is that while one layer may have vulnerabilities (holes), the cumulative effect of multiple layers reduces the likelihood of a hazard leading to a negative outcome.

[Figure: The Swiss Cheese Model]

The Onion Ring Model, in contrast, represents layers of protection surrounding the core hazard, much like the layers of an onion, with each layer providing a progressively stronger barrier against risks.

[Figure: The Onion Ring Model]

The types of IPLs are defined in the table below:

| Type of IPL | Definition |
| --- | --- |
| Process Design | Concepts and strategies applied during design and construction to inherently reduce risk, such as using less hazardous materials or safer equipment configurations that inherently minimize the potential for hazard |
| Basic Process Control System (BPCS) | The primary control system used for normal operation, designed to maintain safe process conditions through automated adjustments |
| Alarms and Operator Intervention | Alarms alert operators to deviations from normal operating conditions, necessitating manual intervention to correct potentially hazardous situations. |
| Safety Instrumented Systems (SIS) | Engineered systems specifically designed to perform one or more safety functions. In the event of certain faults, these systems will take action to bring the process to a safe state or maintain a safe operation until shutdown can be achieved. |
| Active Protection | Mechanical, electrical, or chemical devices that actively intervene to control a hazard once detected, such as pressure relief valves that discharge excessive pressure |
| Passive Protection | Features that require no active functioning to perform their safety function, such as barriers or containment systems that work without moving parts or the need for activation |
| Emergency Response | Pre-planned procedures and trained personnel ready to address and mitigate the effects of releases or accidents, minimizing impacts on health and the environment |

Consider an ammonia refrigeration storage system to demonstrate the concept of layers of protection. At the core is the process design, which includes double-walled construction of the tank to contain any potential leaks and prevent ammonia from escaping into the environment. This is complemented by a BPCS, such as a level control system that automatically maintains the ammonia within safe operational levels, preventing overfilling or undue depletion.

Additionally, alarms and operator intervention play a crucial role. A high-level alarm can alert operators if the ammonia reaches an unsafe threshold, prompting immediate manual adjustments to prevent overflow.

For automatic interventions, a SIS can be utilized. This system might automatically shut down the inflow of ammonia if sensors detect that pressure or levels exceed safe limits, functioning independently of human operators. In terms of active protection, the tank can be equipped with a pressure relief valve that automatically opens to release excess gas if internal pressure goes beyond what the tank structure can safely handle, thereby avoiding rupture.

Passive protection measures, such as a containment dike built around the tank, ensure that any accidental leaks or spills are caught and contained, minimizing environmental impacts and facilitating easier cleanup. Finally, a robust emergency response plan is vital. An equipped and trained emergency response team can manage incidents, handling everything—from evacuations to containment and cleanup operations—and ensuring rapid and effective responses to any emergencies involving the ammonia tank.

Together, these layers form a comprehensive safety net around the ammonia storage process, illustrating how diverse IPLs work in concert to protect against potential incidents and ensure robust defense against process-related risks.

Process of Conducting LOPA

Like any risk assessment tool designed to improve workplace safety, LOPA follows a systematic flow when it’s being performed. Here’s a step-by-step guide on how it’s usually conducted in chemical processing companies:

Step 1 – Identify Consequences

The first step in a LOPA involves identifying potential consequences associated with process hazards. This requires a detailed understanding of possible adverse outcomes, focusing primarily on high-severity scenarios that might result from safety, environmental, or offsite impacts. This step is crucial as it sets the stage for assessing risks and determining the necessary levels of protection required to mitigate these risks effectively.

Employing LOPA in conjunction with Process Hazard Analysis (PHA), such as HAZOP, ensures a comprehensive process safety evaluation. HAZOP studies, which identify potential hazard scenarios, act as the primary contributors of scenarios for LOPA analysis.

Step 2 – Determine the Risk Tolerance Criteria

Determining the Risk Tolerance Criteria is essential for setting acceptable limits of risk for the organization. These criteria represent the maximum level of risk the organization is willing to accept before additional protective measures are deemed necessary. This involves quantifying the acceptable frequency of hazardous events and the maximum allowable severity of consequences, guiding the subsequent analysis and decision-making processes in the LOPA.

[Figure: Determining the Risk Tolerance Criteria]

The concept of LOPA Demand, or the required Risk Reduction Factor (RRF), represents the degree of risk reduction necessary to bring a specific hazardous scenario down to an acceptable level of risk. This required RRF is determined based on the severity and likelihood of the potential hazard, balanced against the organization’s risk tolerance criteria. It quantifies how much the risk must be reduced to be considered manageable or tolerable.

To visualize this concept, one can think of a seesaw (teeter-totter) where the hazardous scenario’s potential risk sits on one end, and the RRF provided by various layers of protection sits on the other.

[Figure: LOPA Seesaw Analogy]

The goal is to balance the seesaw by applying enough protective measures to counterbalance the risk:

  • Fire or Explosion – The inherent risk of fire or explosion could be extremely high due to the presence of flammable materials and sources of ignition. The required RRF would need to be substantial to counterbalance this risk, ensuring safety measures, such as explosion-proof enclosures, gas detection systems, and automatic fire suppression systems, are in place. Each of these systems would contribute to the overall RRF needed to balance the seesaw.
  • Vessel Overpressure – In scenarios where there is a risk of vessel overpressure, the required RRF would account for the catastrophic potential of a vessel rupture. Protective measures might include pressure relief valves, rupture disks, and regular maintenance checks. These measures collectively provide RRF contributions that help balance the high initial risk posed by overpressurized equipment.
  • Toxic Gas Release – The release of toxic gases poses severe health risks to personnel and, potentially, the surrounding community. High RRF values are necessary to mitigate these risks adequately. Implementing layers such as continuous gas monitoring, emergency containment systems, and rapid response plans can accumulate sufficient RRF to balance out the significant initial risk.
  • Equipment Failure – General equipment failure, while perhaps less dramatic than the other scenarios, still requires a calculated RRF to manage potential outcomes effectively. Redundant systems, regular inspections, and failure mode analysis can be part of the protective layers that contribute to the overall RRF, ensuring the risk of equipment failure is managed to acceptable levels.

In each scenario, the seesaw analogy helps emphasize the need for sufficient protective measures to “weigh down” the side of the seesaw representing protective layers, thus balancing out the inherent risks on the other side. This balancing act is at the heart of LOPA, where the focus is not just on identifying risks but quantitatively ensuring that enough is being done to mitigate those risks effectively.

RRF quantifies the effectiveness of a protective measure or an IPL, reducing the likelihood of a hazardous event. Specifically, RRF is a measure of how much a given IPL reduces the frequency of a potential hazard scenario. It is calculated as the reciprocal of the average probability of failure on demand (PFDavg) of the IPL:

The higher the RRF, the more effective the IPL is in mitigating risks associated with a hazard scenario. This factor is crucial for determining whether additional protective measures are necessary to bring the risk down to an acceptable level.

The table below illustrates how LOPA numbers, particularly frequencies of hazardous events, are categorized using orders of magnitude in terms of risk reduction:

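| Frequency | Probability | Decimal | RRF (Risk Reduction Factor) | Layers |
| --- | --- | --- | --- | --- |
| 1/year | 100% | 1 or 10^0 | 1 | 0 |
| 1/10 years | 10% | 0.1 or 10^-1 | 10 | 1 |
| 1/100 years | 1% | 0.01 or 10^-2 | 100 | 2 |
| 1/1,000 years | 0.1% | 0.001 or 10^-3 | 1000 | 3 |
| 1/10,000 years | 0.01% | 0.0001 or 10^-4 | 10,000 | 4 |
| 1/100,000 years | 0.001% | 0.00001 or 10^-5 | 100,000 | 5 |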

Step 3 – Define Possible Initiating Events (IE) and Their Corresponding Probability of Failure on Demand (PFD)

This step involves identifying and defining the potential initiating events that could lead to the consequences previously determined. Initiating events are specific occurrences that can trigger a hazardous scenario, such as equipment failures, human errors, or external events. Understanding these triggers is crucial for developing strategies to either prevent these events or mitigate their effects.

Here are examples of initiating event frequencies and their corresponding RRFs, which could vary from one organization or industry standard to another:

| Initiating Event | Condition | RRF |
| --- | --- | --- |
| BPCS Failure | Control Valve Failure | 10 |
| Relief Valve Opens Early | PSV Fails Open or Leaking By | 100 |
| Spurious Activation of Safety System | XV Failing Open or Closed | 10 |

Step 4 – Determine the Conditional Modifiers (CM) and Their Corresponding Probability of Failure on Demand (PFD)

Conditional modifiers in Layer of Protection Analysis (LOPA) play a crucial role in refining risk assessments by adjusting the basic likelihood estimates based on specific conditions or situational factors. These modifiers include elements such as the Probability of Ignition, Time-at-Risk/Enabling Events, Probability of Personnel Presence, and Failure Probability of equipment (both fixed and rotating).

For example, the Probability of Ignition considers the likelihood that a released flammable or combustible material ignites, fundamentally altering the potential impact of a release scenario. Time-at-risk factors in the duration or frequency of exposure to a risk, accounting for intermittent operations or seasonal conditions that might affect the likelihood of an incident occurring.

Similarly, the Probability of Personnel Presence assesses the risk based on whether personnel are likely to be in the vicinity of a potential hazard, significantly impacting the potential for injuries. Lastly, Failure Probability is evaluated differently for fixed versus rotating equipment, recognizing that the mechanical integrity and operational conditions of these equipment types vary, influencing their likelihood of failure.

To better illustrate how RRFs are quantified for conditional modifiers in LOPA, here’s an example table:

| Conditional Modifier | Description | Typical Condition | RRF |
| --- | --- | --- | --- |
| Probability of Ignition | Likelihood that a released substance will ignite | Low ignition energy substances or exposed sources | 10 |
| Time-at-Risk/Enabling Event | Duration when an initiating event can lead to a hazard | Operations limited to certain hours or days | 100 |
| Probability of Personnel Presence | Likelihood of personnel being in harm’s way when an event occurs | Areas infrequently accessed by staff | 50 |
| Failure Probability – Fixed Equipment | Likelihood of failure in nonmoving components | Regularly maintained and inspected equipment | 100 |
| Failure Probability – Rotating Equipment | Likelihood of failure in mechanical moving parts | High-wear components without frequent maintenance | 10 |

Step 5 – Identify Independent Protection Layers (IPLs) and Their Corresponding Probability of Failure on Demand (PFD)

IPLs are identified next. These are safeguards that can prevent or mitigate the consequences of an initiating event. Each layer’s effectiveness is evaluated based on its PFD, which measures how likely an IPL is to fail when required. This step is critical in understanding the reliability of each protective layer.

Below is an example table that categorizes common IPLs and provides an estimated RRF for each, illustrating their potential to mitigate risks:

| Independent Protection Layer (IPL) | Description | Typical RRF |
| --- | --- | --- |
| Basic Process Control System (BPCS) | Automated systems that manage routine operations to maintain safe process conditions | 10 |
| Safety Instrumented System (SIS) | Engineered systems designed to perform specific safety functions and to act to place the process in a safe state when certain parameters are exceeded | 100 to 1,000 |
| Pressure Safety Valves (PSV) | Valves that automatically release pressure from a vessel when the pressure exceeds design limits to prevent rupture | 100 |
| Emergency Shutdown Systems (ESD) | Systems designed to safely shut down process operations in response to hazardous conditions | 1,000 |
| Operator Response | Actions taken by operators in response to alarms or abnormal situations to prevent escalation of an event | 10 |
| Alarms | Systems that alert operators to hazardous conditions that require immediate attention | 10 to 100 |
| Physical Barriers | Passive systems like containment walls or dikes that do not require activation or operation to perform their safety function | 10 to 100 |
| Relief and Blowdown Systems | Systems that relieve pressure or drain hazardous materials in controlled or emergency situations | 100 to 1,000 |

Step 6 – Calculate the Overall Risk Reduction Factor

The overall RRF in a LOPA is calculated by systematically combining the individual risk reduction contributions from multiple sources. These sources include the frequency of the initiating event, any applicable frequency modifiers, and the effectiveness of IPLs. Each component contributes a specific RRF, which, when multiplied together, provides a comprehensive measure of risk reduction.

For example, the initiating event might have a base frequency that is modified by certain operational conditions or environmental factors. These are the frequency modifiers that adjust the likelihood of the event occurring. Subsequently, various IPLs, such as safety instrumented systems, alarms, and physical barriers, each with a quantifiable RRF, are considered.

By multiplying the RRFs associated with these IPLs by the adjusted event frequency, we derive the overall RRF, effectively quantifying the total risk reduction achieved through all implemented safety measures. This aggregate RRF is critical in assessing whether the residual risk is within acceptable limits or if additional safety measures are needed to mitigate risks further. Quantitatively, we can express it as,

where:

RRF_Total = Total Risk Reduction Factor for the cause/consequence pair

RRF_ICF = Risk Reduction Factor for the initiating cause frequency

RRF_CM = Risk Reduction Factor for the conditional modifiers

RRF_IPL = Risk Reduction Factor for the Independent Protection Layers

Step 7 – Verify if Additional IPLs Are Needed and Develop Recommendations

Based on the overall RRF calculated and the predefined Risk Tolerance Criteria, this step involves deciding whether additional IPLs are needed to reduce the risk to an acceptable level. If the mitigated risk is still above the acceptable threshold, more layers of protection or more reliable alternatives must be considered.

If it has been determined that the current IPLs might not fully mitigate the identified risks to an acceptable level, the following recommendations can be proposed:

  • Implement Additional Protections – To further diminish the risks associated with the process, it is advised to install supplementary safeguards or enhance existing IPLs. These additional measures should be designed to reduce the likelihood and severity of potential consequences.
  • Validate Provisional IPLs – It is crucial to ensure that any provisional IPLs, which were initially considered as temporary solutions, are rigorously validated within an agreed timeframe. This validation process will confirm their efficacy and suitability as permanent risk mitigation measures.
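
Steps 2 through 7 worked through for one cause-consequence pair, as an added Python example that is not part of the original article or Saltegra's own method. The ammonia tank overfill values, the required RRF of 100,000, the tag names (LT-101 and so on) and the `components` and `auditable` fields are assumptions made for illustration; safeguards that fail the independence or auditability criteria described earlier receive no credit.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    rrf: float                             # risk reduction factor = 1 / PFDavg
    components: frozenset = frozenset()    # equipment/people the layer relies on
    auditable: bool = True                 # test and inspection records exist


def rrf_from_pfd(pfd_avg):
    """RRF is the reciprocal of the average probability of failure on demand."""
    if not 0.0 < pfd_avg <= 1.0:
        raise ValueError(f"PFDavg must be in (0, 1], got {pfd_avg}")
    return 1.0 / pfd_avg


def credit_ipls(cause_components, candidates):
    """Credit only safeguards that are auditable and share nothing with the
    initiating cause or with a layer that has already been credited."""
    used, credited, rejected = set(cause_components), [], []
    for layer in candidates:
        shared = used & layer.components
        if not layer.auditable:
            rejected.append((layer.name, "not auditable"))
        elif shared:
            rejected.append((layer.name, "shares " + ", ".join(sorted(shared))))
        else:
            credited.append(layer)
            used |= layer.components
    return credited, rejected


def lopa(required_rrf, rrf_icf, modifier_rrfs, cause_components, candidates):
    """RRF_Total = RRF_ICF x RRF_CM x RRF_IPL, compared with the required RRF."""
    credited, rejected = credit_ipls(cause_components, candidates)
    total = rrf_icf * math.prod(modifier_rrfs) * math.prod(l.rrf for l in credited)
    gap = required_rrf / total             # > 1 means the scenario is under-protected
    # Each missing order of magnitude is one more layer in the RRF table.
    extra = max(0, math.ceil(round(math.log10(gap), 9)))
    return {"total_rrf": total, "gap": gap, "extra_layers": extra,
            "credited": [l.name for l in credited], "rejected": rejected}


def ammonia_overfill_example():
    """Constructed scenario: tank overfill caused by BPCS level-loop failure."""
    cause = {"LT-101", "LCV-101", "BPCS"}              # hypothetical tag names
    candidates = [
        Layer("High-level alarm + operator", 10, frozenset({"LT-101", "operator"})),
        Layer("SIS high-high level trip", rrf_from_pfd(0.01),
              frozenset({"LT-102", "SIS logic solver", "XV-103"})),
        Layer("Containment dike", 10, frozenset({"dike"}), auditable=False),
    ]
    # Required RRF 100,000, initiating cause RRF 10, one modifier of RRF 10.
    return lopa(100_000, 10, [10], cause, candidates)


if __name__ == "__main__":
    for key, value in ammonia_overfill_example().items():
        print(f"{key}: {value}")
```

In this constructed case the alarm is rejected because it reads the same transmitter as the failed control loop, and the dike is rejected for lack of inspection records, leaving one order of magnitude of risk reduction outstanding.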

Saltegra Is Here To Assist You in Conducting LOPA

Although LOPA is not required by US federal regulations, it is still a highly recommended method for improving chemical process safety in the highly hazardous chemical industry. Meanwhile, in more stringent US states like California, the use of Layer of Protection Analysis (LOPA), also known as Safeguards Protection Analysis (SPA), is regulated. If you want to have it conducted at your chemical processing plant, it’s wise to request assistance from experts like us at Saltegra Consulting LLC.

Our company is based in California, USA, and we conduct layers of protection analysis (LOPA) and other risk assessment methodologies. Feel free to get in touch with our team today to learn about the services we offer.

Conclusion 

Layer of Protection Analysis (LOPA) is a critical semi-quantitative tool used by chemical processing companies in the USA to evaluate process risks, particularly useful in addressing high-severity scenarios where historical data is insufficient for frequency assessments. Unlike HAZOP, which is more focused on identifying and assessing risks, LOPA zeroes in on hazard analysis, assessing one incident scenario at a time through defined cause-consequence pairs.

This approach significantly reduces the subjectivity found in qualitative methods like HAZOP, bridging the gap to more comprehensive quantitative methods such as Quantitative Risk Analysis (QRA). The structured, focused nature of LOPA not only allows for efficient evaluation of safety systems and risk management protocols but also ensures operations do not require the extensive resources typically needed for a full QRA.

Conducting LOPA begins by identifying potential high-severity consequences from process hazards, often using data from a preliminary Hazard and Operability Study (HAZOP). Risk Tolerance Criteria are then established to set acceptable risk levels and necessary Risk Reduction Factors (RRF).

Subsequent steps involve defining possible initiating events and assessing their probabilities, followed by identifying and evaluating the effectiveness of Independent Protection Layers (IPLs) based on their Probability of Failure on Demand (PFD). The overall RRF is calculated by integrating the effects of all IPLs to determine if risks are reduced to acceptable levels; if not, additional IPLs may be required.

If you are looking for LOPA facilitators and experts in California or any other part of the USA, do not hesitate to give us a call at Saltegra Consulting LLC. We can assist you in performing different risk analysis methods.
