
How to LOPA

Layers of protection – know your onions

Richard Gowland
Process safety specialist; former technical director of the European Process Safety Centre (EPSC)

MAY 2016 | The Chemical Engineer | page 49

Layer of Protection Analysis (LOPA) has become a popular and convenient method for simplified risk assessment and an important part of the life cycle of safety instrumented systems (SISs) covered by IEC 61511 (see Figure 1, IEC 61511 part 3). It offers assistance in answering the questions: is an operating system optimised for safety or the environment? Does the operating system appear to be under-protected when predictable hazards are considered? When I have a defined frequency target based on the severity of an unmitigated hazard, does my system ensure that this target is met? And if not: what is the scale of the deficiency and how might it be rectified?

The layer of protection concept is often described using the LOPA 'onion' (see over). It shows that an operating facility is controlled for its designed purpose and is surrounded by 'layers' which are intended to prevent harm to persons or the environment. The Center for Chemical Process Safety produced an excellent guide to LOPA in 2001 (Layer of Protection Analysis – Simplified Process Risk Assessment, ISBN 0816908117, available from IChemE). When LOPA is itself 'mapped', we get something like the diagram from appendix 2 of the Process Safety Leadership Group Final Report on the Buncefield Accident (2009), Safety and Environmental Standards for Fuel Storage Sites (see Figure 2). The whole study starts from an understanding of hazardous scenarios developed before LOPA is attempted.

Obviously in an operating facility there may be several significant scenarios which need study. LOPA is a method which is based on assessing single scenarios. This means that several LOPA studies would be required for a typical unit. An example is the case of a gasoline storage facility such as the tank which overflowed at Buncefield in 2005. The two immediately obvious scenarios would be for fire and explosion. This would mean that a LOPA study would be done for each. In turn, each of these studies would need to address the various initiating events which could start a train of events leading to an overflow.

[Figure 1: IEC 61511 life cycle (typical workflow). Start → Conceptual process design → Perform process hazard analysis & risk assessment → Apply non-SIS protection layers to prevent identified hazards or reduce risk → Is SIS required? (no/yes). On the yes path: Define target SIL → Develop safety requirement specification → Perform SIS conceptual design & verify it meets the SRS → Perform SIS detail design → SIS installation, commissioning & pre-startup acceptance test → Establish operation & maintenance procedures → Pre-startup safety review (assessment) → SIS startup, operation, maintenance, periodic functional testing → Modify or decommission SIS? → Modify / SIS decommissioning. LOPA fits well from the process hazard analysis step through to the question "Is SIS required?"]

Examine identified scenarios

The obvious starting point in a LOPA study will be to examine each identified scenario for its potential severity. This
would ideally proceed or emanate from a hazard identification process such as HAZOP or HAZID, where deviations, causes, consequences and safeguards will have been identified. The consequences at this stage may or may not have been sufficiently studied to allow a proper estimation of severity to be established. It is important to gain agreement from the study team on this severity, usually in terms of harm to persons or to the environment. In some cases, this might be quite a simple step in the sense that the identified consequence is most likely to affect a limited number of persons. This might be true for a pool fire, but is much less clear when an explosion is considered. A conservative approach is therefore vital.

[The LOPA 'onion': depicting the layers of protection normally arranged to control the hazards on an operational facility. The legible layer labels, from plant design integrity at the centre to community emergency response at the outside, are: plant design integrity; basic process control system/supervision; operating disciplines; trip system (via BPCS?); alarms/operator intervention (BPCS); preventative action; safety instrumented system; physical protection, e.g. relief devices; plant emergency response; community emergency response.]

Once the consequence has been defined, it needs to be assessed for a 'target frequency' which is related to internal guidance from the company and that of the competent authorities (eg the Health and Safety Executive of Great Britain, and the UK's Environment Agency). This guidance is related to the concepts of 'Broadly Acceptable' and 'ALARP' frequencies set out in the HSE's approach to risk in Reducing Risks, Protecting People (R2P2), the Buncefield Final Report appendix 2 (Dec 2009), and the Chemical and Downstream Oil Industry Forum (CDOIF) guidance on environmental hazards.

It is not the purpose of this article to tell the reader what to do here. It requires logical thought and effort to choose a target frequency. If too high a frequency target is chosen (eg for a single fatality), it is unlikely to pass the 'ALARP test' which will be needed at the end. It may also fail to meet a regulator's expectations. Again, reference to the publication Safety and Environmental Standards for Fuel Storage Sites, appendix 2, is very helpful.

Initiating events

Having established a target frequency, the first (of perhaps several) initiating events needs to be considered. This will likely come from the cause section of the HAZOP/HAZID. The most convenient first initiating event will probably be a failure in a process control or indication such as a level, pressure or temperature control loop. This needs to have a failure frequency assigned to it. The source of this information is ideally the user's own documented failure and maintenance records. The equipment manufacturer can provide typical results. Failing that, there are databases available which indicate typical ranges. Whichever is chosen, justification will be required. Clause 8.2.2 in IEC 61511 specifies the
lowest frequency 'allowed' for instrumented systems typically used in basic process control systems, but it is wrong to assume that this frequency is the default value. Effort is required for the LOPA study to justify the number used in the environment and circumstances which apply.

If a human error is chosen as an initiating event, it needs to be properly assessed via a task analysis and a probability of error established. This should take account of the complexity of the task and the error-producing factors such as lack of training, unfamiliarity, stress and time pressure. Techniques such as the human error assessment and reduction technique (HEART) or the technique for human error rate prediction (THERP) can be used for this. This probability is then combined with the number of times the task is carried out to arrive at a frequency.

Enabling events

The next step will be to consider the 'enabling events' and 'conditional modifiers' which might be relevant.

A typical enabling event is, for example, the proportion of the year when a hazard is present. This is common in batch processes in which a reaction is taking place for less than 100% of the time, or in a tanker-unloading operation. It may also be relevant to consider, for injury cases, the proportion of time when persons could be in range of the effect of a hazardous event during their work pattern. This needs to be handled with care since management of change may not prevent subtle but significant changes with time. Furthermore, the environment is always present and potentially exposed.

Examples of conditional modifiers include the probability of ignition if a fire or explosion is considered. Furthermore, it might be necessary to consider that if an ignition takes place, the result could be a fire, or worse, an explosion. These decisions require knowledge of factors such as the physical properties of the substance released and the environment and conditions under which release takes place. In the case of toxic substance releases, the protection available for the workers potentially exposed will not necessarily be available to all persons affected (eg the community). Additionally, a conditional modifier used for a flammable case will not be relevant for an environmental case since no ignition is needed in the latter, for example.

The 'safeguards' or independent protection layers (IPLs) can now be considered. These are the means of detection and prevention which will stop the train of events proceeding to the undesired full hazardous scenario (fire, explosion, toxic release, damage to the environment). These safeguards include response to alarms, basic process control system (BPCS) shutdowns, pressure relief devices (for pressure related cases), other safety-related protection systems (eg 'hard wired' instrumented systems and non-instrumented protection systems such as physical interlocks), and finally any existing safety instrumented systems (SISs). These would normally show up in a bow tie diagram or fit into the LOPA onion.

[Figure 2: flowchart for application of the LOPA process (from appendix 2 of Safety and Environmental Standards for Fuel Storage Sites; the section numbers refer to that document). Select tank for study → Decide whether considering harm to people or harm to environment and determine the severity of the harm for the scenario being assessed (see sections 3 & 4) → Systematically identify events and related enabling events/conditions that could (if all other measures fail) lead to the harm being considered and document the scenarios for each (see section 5) → For each initiating event list those risk-reducing measures (prevention and mitigation protection layers, conditional modifiers etc) that relate to that initiating event, including any existing or proposed high level safety instrumented function (see sections 6 & 7) → Conduct LOPA to calculate the frequency of harm from all initiating events → Repeat for all relevant initiating events → Sum the frequency of harm from all initiating events → Compare this total with target frequency for the level of severity (see section 4) → Is the risk ALARP? If no: identify further risk reduction measures and the required performance of any measure, including the SIL if the additional measure is a SIS, then reassess the total frequency of harm. If yes: has harm both to people and to the environment been evaluated? If no, assess the other; if yes, finish.]
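The procedure in Figure 2, carried through in code as an added worked example (this is not code from the article, from IChemE or from the Buncefield report). It takes each initiating event through its enabling events, conditional modifiers and the PFDs of its independent protection layers, refuses to credit an IPL that shares a system with the initiating event or with a layer already credited (the BPCS rule), sums the top event frequencies of all initiating events, compares the sum with the target, and turns any shortfall into the PFD and SIL band a further layer would need, or the initiating event frequency that would meet the target when LOPA is worked backwards. The tank overflow scenario, its frequencies, probabilities, PFDs and target are constructed for illustration, as are all names and functions; the SIL bands are the IEC 61511 low-demand PFD bands; the three top event frequencies in article_aggregation_check() are the article's own.

```python
"""Tank overflow LOPA worked through the Figure 2 flowchart.

Added example, not code from the article. Every scenario number below
(frequencies, enabling events, modifiers, PFDs, target) is constructed;
only article_aggregation_check() uses figures quoted in the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# IEC 61511 low-demand PFDavg bands: SIL -> (inclusive lower, exclusive upper)
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


@dataclass
class IPL:
    name: str
    pfd: float      # probability of failure on demand, to be justified per layer
    system: str     # logic solver / hardware the layer depends on


@dataclass
class InitiatingEvent:
    name: str
    frequency: float                                   # events per year
    system: str = ""                                   # system whose failure is the cause
    enabling: Dict[str, float] = field(default_factory=dict)   # e.g. fraction of year hazard present
    modifiers: Dict[str, float] = field(default_factory=dict)  # e.g. probability of ignition
    ipls: List[IPL] = field(default_factory=list)


def human_error_frequency(p_error_per_task: float, tasks_per_year: float) -> float:
    """HEART/THERP probability of error combined with how often the task is done."""
    return p_error_per_task * tasks_per_year


def independent_ipls(ie: InitiatingEvent) -> List[IPL]:
    """Credit an IPL only if it shares no system with the cause or with a layer already credited."""
    claimed = {ie.system} if ie.system else set()
    kept = []
    for ipl in ie.ipls:
        if ipl.system in claimed:
            continue        # e.g. a BPCS alarm claimed against a BPCS loop failure
        claimed.add(ipl.system)
        kept.append(ipl)
    return kept


def top_event_frequency(ie: InitiatingEvent) -> float:
    """f_top = f_IE x enabling probabilities x conditional modifiers x PFD of each independent IPL."""
    f = ie.frequency
    for p in list(ie.enabling.values()) + list(ie.modifiers.values()):
        f *= p
    for ipl in independent_ipls(ie):
        f *= ipl.pfd
    return f


def scenario_frequency(events: List[InitiatingEvent]) -> float:
    """Sum the top event frequency over every initiating event of one scenario."""
    return sum(top_event_frequency(ie) for ie in events)


def required_pfd(total: float, target: float) -> float:
    """PFD a further independent layer must achieve for the sum to meet the target (1.0: none needed)."""
    return min(1.0, target / total)


def sil_for_pfd(pfd: float) -> Optional[int]:
    """0: no SIL-rated layer needed; None: tighter than SIL 4, change the design instead."""
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def required_initiating_frequency(ie: InitiatingEvent, target: float) -> float:
    """LOPA worked backwards: the cause frequency at which this event alone just meets the target."""
    return target * ie.frequency / top_event_frequency(ie)


def article_aggregation_check() -> float:
    """Three causes at 1E-06/y, 3.0E-07/y and 2.1E-06/y with no further factors sum to 3.4E-06/y."""
    return scenario_frequency([InitiatingEvent(n, f) for n, f in (("a", 1e-6), ("b", 3e-7), ("c", 2.1e-6))])


# Constructed scenario: gasoline tank overflow -> pool fire -> single fatality to patrol operator.
TARGET_FREQUENCY = 1e-6      # assumed company target, per year
BPCS_ALARM = IPL("high level alarm, operator closes inlet", pfd=0.1, system="BPCS")
SIS_TRIP = IPL("independent high-high level trip", pfd=1e-2, system="SIS-1")
MODIFIERS = {"ignition": 0.1, "operator within pool fire range": 0.2}
TANK_OVERFLOW_EVENTS = [
    InitiatingEvent("level control loop fails high", 0.1, system="BPCS",
                    enabling={"tank receiving": 0.5}, modifiers=MODIFIERS,
                    ipls=[BPCS_ALARM, SIS_TRIP]),              # alarm shares the BPCS: no credit
    InitiatingEvent("operator routes transfer to wrong tank",
                    human_error_frequency(1e-2, tasks_per_year=200),
                    modifiers=MODIFIERS, ipls=[BPCS_ALARM, SIS_TRIP]),
]

if __name__ == "__main__":
    for ie in TANK_OVERFLOW_EVENTS:
        print(f"{ie.name}: {top_event_frequency(ie):.1e}/y via {[i.name for i in independent_ipls(ie)]}")
    total = scenario_frequency(TANK_OVERFLOW_EVENTS)
    pfd = required_pfd(total, TARGET_FREQUENCY)
    print(f"sum {total:.1e}/y vs target {TARGET_FREQUENCY:.0e}/y; extra layer PFD <= {pfd:.2g}, SIL {sil_for_pfd(pfd)}")
    print(f"article check: {article_aggregation_check():.1e}/y")
```

Running the file prints the per-event and summed frequencies and the band of the layer needed. In the constructed scenario the BPCS high level alarm earns no credit against the BPCS level loop failure but does against the operator error; each cause alone sits at or below 4E-05/y, yet the sum of 5E-05/y overshoots the 1E-06/y target by a factor of 50, so a further independent layer would need a PFD of 0.02, which falls in the SIL 1 band. Worked backwards, the loop failure alone would have to occur no more than 0.01 times a year to meet the target with the layers already credited, which is the kind of number to check against maintenance history.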


Each of these will need to be assigned a probability of failure on demand (PFD). In the case of alarm response and BPCS, there are allowed lower limits which are described in IEC 61511 9.4.2. The quoted probability of failure cannot be taken as applicable to all cases. It is necessary to design and test these functions to establish their reliability. Furthermore, there are logical limits applied to alarm response, since the alarm usually originates from a simple non-SIS source and requires an operator to respond. The time available for this response is crucial since the operator needs to be present, be alerted, understand the needed response and have sufficient time to take the process to a safe state. In many cases this is not possible, or is debatable, and in some studies it is ignored. This seems a rather drastic approach since it implies to the operator that his response to alarms does not matter. Some studies reveal that a manually-initiated emergency shut down (ESD) is assigned a very low PFD. If the alert for this is coming from a BPCS-driven alarm, this would be questionable. The Engineering Equipment and Materials Users Association (EEMUA) publication 191 Alarm Systems is recognised as good practice and will help a user to make realistic decisions when accounting for operator response.

It is quite clear that a BPCS-driven alarm or trip may be considered as an independent protection layer when it is not the initiating event – for example when human error is the initiating event. However, care is needed if the response is required from the operator who made the initiating error.

[Photo: Buncefield. A gasoline storage facility would require two LOPA studies, for fire and for explosion.]

In every case, the IPL safeguard must function independently of the initiating event and any other IPL safeguard. It is remarkable how many LOPA studies propose a control system (BPCS loop) failure and then allow an alarm or trip driven from the same system to appear as a safeguard IPL. Two other features of IPLs are adequacy and capability of a functional test. For example, a pressure safety relief device may be cited as an IPL for overpressure cases. The obvious questions relating to this are: is the system properly tested and is it adequate to play its part as an IPL? The latter is not a given. We need to be sure that design calculations show that it has the required capacity and that its functioning does not cause a secondary hazard. When considering alarm response, how can we be sure that we can test this as an IPL?

As with other IPLs, one of the required features of a safety instrumented system is that it is completely independent. This means that its sensing element(s), logic solver and final element(s), eg block valves, are not used by any other system in the same scenario study. In the case of non-SIS instrumented protection systems, even when other elements in the loop pass the independence test, the BPCS logic solver may appear to be shared between the control function and the safety function. This may become a problem if a BPCS control loop is considered as an initiating event. Separating the control and safety functions in the BPCS may be possible, but its validity can only be verified by persons knowledgeable in the design, architecture and testing of such systems. In practice, some companies do not allow the BPCS to appear anywhere as an IPL. The Buncefield Final Report (2009) (appendix 2 of Safety and Environmental Standards for Fuel Storage Sites) has some positive guidance and cautions in this respect.

When the BPCS is ignored as supporting an IPL it will mean added emphasis on other IPLs such as SIS, and add cost. It may lead to a result with a higher SIL for a SIS. Quite apart from the 'all eggs in one basket' concerns, this may lead to extreme burdens on the maintenance and testing regimes.

Once the scenario frequency – eg pool fire causing one fatality, set in train by each of the initiating events – is calculated, the aggregate frequency must be addressed by adding the individual initiating event 'top event' frequencies together. For example, if three individual causes for the same scenario give top event frequencies of 1E-06/y, 3.0E-07/y and 2.1E-06/y, the overall frequency is 3.4E-06/y. This may mean that although each initiating event may produce a tolerable frequency, the actual result may not.

At the end of the LOPA study an examination of the result for its uncertainties and sensitivities is advised before proceeding to the as low as reasonably practicable (ALARP) question.

Uncertainty is mostly about the reliability data used in the study. Normally, the study should identify where this is and what effect it will have if it is wrong, and how it may be ameliorated.

Sensitivity seems to be about the factors which have the greatest effect on the outcome in terms of severity or frequency. It is usually the second of these which is worth comment. If a single IPL is required to have a very low probability of failure on demand, eg an SIL 3 SIS, the failure to ensure this PFD via the life cycle approach in IEC 61511 means that the top event could be at least three orders of magnitude more frequent than we
desire. This could be one of the reasons that many companies avoid using SIL 3 SISs anywhere in their systems if they can.

In the UK, the ALARP question will now need to be addressed. The issue arises about a cost benefit analysis at the end of a LOPA study which addresses the question: is a reduction in frequency of the top event achievable at reasonable cost? A cost benefit analysis can be quite simple to do, but the difficulty comes when assessing whether the attendant cost of capital and regular testing is grossly disproportionate to the benefit gained. The HSE publication Reducing Risks, Protecting People (R2P2) gets you started, although the figures quoted for values are from 2001 and need to be adjusted. Furthermore, the values associated with an event are likely to be determined by a court. The HSE has some more advice on its website (www.hse.gov.uk). In the end, this leads to a reasonable framework. There are statements in the procedure for checking for ALARP which suggest that a cost benefit analysis may not be necessary; however, it is difficult to see how this might always be possible. Even when the ALARP question is not part of a regulator's requirement, it makes sense to carry out a cost benefit analysis to establish that resources are assigned wisely.

The practicalities

Any LOPA study needs to have documentation on the source of the scenarios (eg HAZOP), and the names and competences of the LOPA study team. Usually this would be:

• trained leader/facilitator;
• production operator(s) – for existing facility studies;
• project engineer – for new facilities;
• process technology specialist;
• process control specialist;
• production engineer;
• maintenance;
• instrumentation design engineer; and
• scribe (preferably using proprietary recording and calculating software such as ABB TRACS, or the simple Excel software used in the IChemE training course).

The resources for the study would include:

• process description;
• piping and instrument diagrams;
• operating instructions;
• outcomes from previous studies (eg HAZOP); and
• lists of systems which are bypassed or in 'manual' (recommended – software for recording and calculating outcomes).

The study outcomes include actions on improving existing systems and additional protection required to meet the target frequencies for the scenario; full descriptions for the safety functions of all IPLs along with required PFDs; and review dates.

I have a number of rules of thumb. These have assisted some studies but do not represent 'science'. LOPA works well when considering events which start from a well-understood severity evaluation. Describe the scenario as simply as possible and include a description of the final outcome, eg single fatality to patrol operator. Remember to start the LOPA assuming that the top event happens, and then bring in all the factors which affect its outcome and frequency. A top event with severity lower than serious injury often produces results which could have been worked out much earlier without resorting to LOPA. So be ready to allow other evaluations to solve the problems (permit to work, job safety analysis etc).

LOPA requires at least approximate (not wet finger) estimates of initiating event frequency and probability of failure on demand of safeguards. Initiating events for which no data exist can lead to a lack of credibility, although there is some merit in understanding which IPLs may apply even when the data are guessed. This at least helps us to focus on preventive measures even if the initiating event or some IPLs cannot be quantified. There have been cases of working LOPA backwards by establishing a tolerable frequency and then allowing for all the normal factors in LOPA to arrive at a required frequency of the initiating event. A reality check may then be applied to this – does this make sense if we examine history?

Human factor evaluation can be tricky. The use of HEART requires significant judgement when addressing the proportion of affect (sic) of error producing conditions (EPCs). However, simply comparing a task to the generic tasks described in the method allows a baseline to be drawn for a probability of error. At this stage, task simplification can be considered. The influence of the proportion of affect can be minimised by making sure that the described error producing conditions are eliminated or minimised.

Conclusion

LOPA is a simple method but requires you to know and obey the rules. A well-run study gains the confidence of all participants, including the essential operating staff who know the actual conditions at the plant (and may reveal problems unknown to the other study participants). Anyone familiar with HAZOP should know that sometimes provision of information or decisions need to be made by persons outside the LOPA team. This would be normal and needs to be managed properly. As with other methods, manipulating the outcome to suit a pre-existing requirement is not a good idea. If this is attempted, the clarity of the LOPA method will soon reveal shortcuts or rule violations. This is one of its greatest advantages. Like most risk assessment methods, LOPA is not an exact science, so there needs to be a reality check on its results. And lastly – LOPA is more fun than HAZOP!

Disclaimer: This article is provided for guidance alone. Expert engineering advice should be sought before application.

