Layer of Protection Analysis

LOPA

Uploaded by Anurag Bajpai
Copyright © All Rights Reserved

5/3/2021 Layer of Protection Analysis - an overview | ScienceDirect Topics

Layer of Protection Analysis


Related terms:

Scenario Analysis, Shutdown, Relief Valve, Vulnerability, Furnace, Risk Analysis

Frequency Analysis
Ian Sutton, in Process Risk and Reliability Management (Second Edition), 2015

Team makeup
A LOPA is carried out by a multidisciplined team (typically including
representatives from operations, maintenance, process engineering, and
instrument or electrical engineering).
Some organizations conduct LOPA as a part of the HAZOP, using the same team
members. This approach can be efficient because the team is familiar with the
scenarios under discussion, and decisions can be recorded as part of the HAZOP
recommendations. Other organizations have found it more efficient to
capture the list of potential LOPA scenarios during the PHA, for later evaluation by
a smaller team (perhaps just a process engineer and a person skilled in LOPA). The
LOPA team can then report back to the PHA team on the results of their
evaluation.

URL: https://www.sciencedirect.com/science/article/pii/B9780128016534000151

Gas Processing Plant Operations


Saeid Mokhatab, ... John Y. Mak, in Handbook of Natural Gas Transmission and
Processing (Fourth Edition), 2019

17.3.4 Layer of Protection Analysis


Layer of protection analysis (LOPA) is a methodology for hazard evaluation and risk
assessment. On a sliding scale of sophistication and rigor, LOPA lies between the
qualitative end of the scale (characterized by methods such as HAZOP and what-if )
and the quantitative end (characterized by methods using fault trees and event
trees).
LOPA helps the analyst make consistent decisions on the adequacy of the existing
or proposed layers of protection against an accident scenario (see Fig. 17.1). LOPA
results support:


Figure 17.1. Layer of protection analysis process diagram. IPL, independent
protection layer. Source: ABS Consulting Inc.

• Assigning priorities to recommendations and
• Developing safety requirement specifications for safety instrumented systems
(SISs), which is a necessary step in complying with ANSI/ISA-84.00.01 (2004).
This decision-making process is ideally suited for coupling with a company's risk-
decision criteria, such as those displayed in a risk matrix. LOPA is a recognized
technique for selecting the appropriate safety integrity level of your SIS according
to the requirements of standards such as ANSI/ISA-84.00.01.
LOPA is a semiquantitative methodology that can be used to identify safeguards
that meet the independent protection layer (IPL) criteria. While IPLs are extrinsic
safety systems, they can be active or passive systems, as long as the following
criteria are met (Summers, 2002):
• Specificity: The IPL is capable of detecting and preventing or mitigating the
consequences of specified, potentially hazardous event(s), such as a runaway
reaction, loss of containment, or an explosion.
• Independence: An IPL is independent of all the other protection layers
associated with the identified potentially hazardous event. Independence
requires that the performance is not affected by the failure of another
protection layer or by the conditions that caused another protection layer to
fail. Most importantly, the protection layer is independent of the initiating
cause.
• Dependability: The protection provided by the IPL reduces the identified risk by
a known and specified amount.
• Auditability: The IPL is designed to permit regular periodic validation of the
protective function.
Examples of IPLs are:
• Standard operating procedures,
• Basic process control systems,
• Alarms with defined operator response,
• SIS,
• Pressure relief devices,
• Blast walls and dikes,
• Fire and gas systems, and

• Deluge systems.
LOPA should start from the point where the hazards have been identified, and it is
thus complementary to HAZOP. This use of LOPA often results in a second, in-
depth analysis of a hazard scenario by a different team of people, which may
challenge the HAZOP team's understanding of failure events and safeguards
(Brennan, 2012).

URL: https://www.sciencedirect.com/science/article/pii/B9780128158173000174

Reliability and Safety Processes


Dr. Eduardo Calixto, in Gas and Oil Reliability Engineering (Second Edition), 2016

6.10.1 Case Study 1: Applying LOPA to Decide Whether Risk is Acceptable When Layers of Protection Are Not Available
Nowadays in the oil and gas industry, in most cases, the usual methodology
applied to assess risk when the layers of protection are under corrective
maintenance intervention because of failures, or even preventive maintenance, is
PHA. PHA is an ideal risk analysis tool because employees are familiar with it, and
it is easy to implement. However, with PHA it is not possible to know quantitatively
whether a risk is under control when one or more layers of protection are unavailable.
In some cases the consequences are clear and in others they are not, but in some
cases it is possible to check historical accident data or risk analysis reports. The real
problem of estimating the probability of an unwanted event happening is that it is
also necessary to estimate the probability of the initiating event combined with
layer of protection failures. Because of this, in most cases when initiating events and
layers of protection data are not available, the analyst is conservative in decision making
and overestimates risk. In such cases the plant is shut down to avoid a catastrophic
accident, even though this was not necessary because the risk without that layer of
protection was still acceptable.
Indeed, LOPA should be applied to analyze the probability of an unwanted event
occurring with and without a layer of protection. Once the data of the probability of
an unwanted event and layers of protection is available it is possible to find the risk
level and see if it is acceptable. The proposed preventive methodology supporting
decisions when layers of protection are unavailable because of maintenance or
failure is based on the following steps:
1. Conduct PRA of the system with a layer of protection to define the risk
qualitatively.
2. Conduct LOPA to find the probability of an accident without a layer of
protection.
3. See if the risk without a layer of protection is acceptable.
4. If the risk is unacceptable, propose some preventive action or new layer of
protection to reduce risks to the acceptable region.
5. If it is not possible to reduce the risk to an acceptable condition, shut down the
plant.
Based on these five steps, it is possible to make better decisions when layers of
protection fail or when it is necessary to perform preventive maintenance in layers
of protection. Fig. 6.52 shows the risk analysis methodology to support decisions
when or if to shut down a plant.


Figure 6.52. Risk analysis methodology to support a plant shutdown decision (LOPA).

There are two approaches to comparing risk when layers of protection are taken
out of the process and to see if the risk is tolerable. The first approach is to analyze
the frequency of accidents without layers of protection and combine it with the
consequences based on the risk matrix. The second approach is to compare the
final risk with the individual risk (ALARP) in cases where the consequence of death
is estimated by consequences and effects analysis. Consequences and effects
analysis measures the vulnerability of toxic releases, explosion, and jet fire, and
predicts the number of deaths of people in the vulnerable area.
In the first case the first step is to conduct PRA based on the qualitative risk matrix
and define the risk. Next, the probability of the unwanted event without a layer of
protection is defined using LOPA and the risk matrix.
In the second case the frequency defined in LOPA is multiplied by the expected
number of deaths estimated in the consequences and effects analysis and
compared to the individual tolerable risk values. For example, if there is excess gas
in a furnace, it is an unsafe condition, and to avoid furnace explosion a layer of
protection such as a human action (P(f1) = 0.1), manual valve (P(f2) = 0.01), or
basic process control system (BPCS) (P(f3) = 1 × 10^−4) is triggered. This incident
(excess gas in a furnace) has a frequency of 1 × 10^−1 per year. The frequency of the
furnace explosion is:

$$f(\text{furnace explosion}) = f(\text{excess of gas}) \times P(f_1) \times P(f_2) \times P(f_3) = 1 \times 10^{-1} \times 0.1 \times 0.01 \times 1 \times 10^{-4} = 1 \times 10^{-8}$$

If this accident happened, at least 10 deaths in the plant are expected, so based on
the risk matrix the risk is moderate, as shown in Fig. 6.53 (severity category III and
frequency category A). Based on the individual risk criteria the risk is 10 (deaths)
× 1 × 10^−8 (frequency), which is 1 × 10^−7 (acceptable). For individual risk criteria this is
acceptable because it is lower than 1 × 10^−4, as shown in Fig. 6.54.


Figure 6.53. Risk matrix.

Figure 6.54. Individual risk tolerable region.

In case of preventive maintenance or shutdown in the BPCS, for example, the
furnace has to be stopped because the risk is not acceptable according to the
individual risk criteria. In fact, without BPCS the frequency of accident is:

$$f(\text{furnace explosion}) = f(\text{excess of gas}) \times P(f_1) \times P(f_2) = 1 \times 10^{-1} \times 0.1 \times 0.01 = 1 \times 10^{-4}$$

$$\text{Individual risk} = 10 \times 1 \times 10^{-4} = 1 \times 10^{-3}$$

This is in the unacceptable region, as shown in Fig. 6.54. However, if this value is
used in the risk matrix the risk can be considered moderate (severity category III
and frequency category A), as shown in Fig. 6.53. This shows that more than one
risk criterion must be considered whenever possible to make better decisions.
Whenever decisions are made based on the risk matrix alone, the risk may be judged
tolerable and a plant shutdown avoided. When LOPA is conducted the frequency is
calculated, so the risk has a more realistic value.
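The furnace calculation above, carried through as an added Python example (not code from the chapter): the scenario frequency is the initiating event frequency times the PFD of each layer in service, individual risk is that frequency times the expected deaths, and each layer is also checked taken out alone, a step the methodology calls for but the text only works through for the BPCS. The 1 × 10^−4 per year limit is the tolerable individual risk value the text compares against.

```python
"""LOPA check for the excess-gas-in-furnace scenario: accident frequency and
individual risk with every layer available and with a layer out of service.
Added illustration; not the chapter's code. The tolerable individual risk
limit is the 1 x 10^-4 per year value the text compares against."""
from dataclasses import dataclass, field

TOLERABLE_INDIVIDUAL_RISK = 1e-4  # per year, upper bound from the text


@dataclass(frozen=True)
class ProtectionLayer:
    name: str
    pfd: float  # probability of failure on demand, P(f_i) in the text


@dataclass
class Scenario:
    name: str
    initiating_frequency: float  # initiating event frequency, per year
    expected_fatalities: float   # from the consequences and effects analysis
    layers: list = field(default_factory=list)

    def accident_frequency(self, unavailable=()):
        """f(accident) = f(initiating event) x product of P(f_i) over the
        layers that are in service; a layer under maintenance or failed
        contributes no reduction."""
        f = self.initiating_frequency
        for layer in self.layers:
            if layer.name not in unavailable:
                f *= layer.pfd
        return f

    def individual_risk(self, unavailable=()):
        """Individual risk = accident frequency x expected number of deaths."""
        return self.accident_frequency(unavailable) * self.expected_fatalities

    def acceptable(self, unavailable=(), limit=TOLERABLE_INDIVIDUAL_RISK):
        """Step 3 of the methodology: is the risk without the layer acceptable?"""
        return self.individual_risk(unavailable) < limit


def maintenance_report(scenario):
    """For each layer taken out alone, whether the remaining layers keep the
    individual risk acceptable (i.e. which layers can be maintained online)."""
    return {layer.name: scenario.acceptable((layer.name,)) for layer in scenario.layers}


# Values from the chapter's furnace example.
FURNACE = Scenario(
    name="excess gas in furnace",
    initiating_frequency=1e-1,
    expected_fatalities=10,
    layers=[
        ProtectionLayer("human action", 0.1),
        ProtectionLayer("manual valve", 0.01),
        ProtectionLayer("BPCS", 1e-4),
    ],
)

if __name__ == "__main__":
    print(f"all layers: f = {FURNACE.accident_frequency():.1e}/yr, "
          f"IR = {FURNACE.individual_risk():.1e}, acceptable = {FURNACE.acceptable()}")
    print(f"BPCS out:   f = {FURNACE.accident_frequency(('BPCS',)):.1e}/yr, "
          f"IR = {FURNACE.individual_risk(('BPCS',)):.1e}, "
          f"acceptable = {FURNACE.acceptable(('BPCS',))}")
    print("layer-by-layer:", maintenance_report(FURNACE))
```

Taking out the human action or the manual valve alone leaves the individual risk below the limit; only the BPCS cannot be taken out of service without exceeding it.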
In addition to preventive layers of protection, the contingency system can also
influence the risk level to reduce consequence severity. If those systems are
undergoing preventive maintenance or have failed, the consequence would be
worse than expected if an accident occurred. This means the consequences without
a contingency system would be worse in terms of risk level. Therefore when there is
maintenance or a shutdown of the contingency system (sprinklers, fire system
pumps, and chemical showers) it is necessary to see if the consequences are worse
without it. Fig. 6.55 summarizes the steps applied to assess risk in case of
preventive maintenance or corrective maintenance (failure) for the contingency
system.

Figure 6.55. Risk analysis methodology to support plant shutdown decisions (contingency plan).

An example of the application of such methodology is in the preventive
maintenance of a fire pump system in a refinery. This contingency system provides
water to combat fire, and if it has failed or is undergoing maintenance when the
fire occurred, the consequence will be worse; in other words, based on the matrix
in Fig. 6.53 the consequence goes from critical to catastrophic. Aware of this fact
the maintenance team will keep the system available during maintenance and take
out only one pump for maintenance.
If the electric system shuts down, one fire protection pump stops. At least one
pump is required to keep the fire pump system available. To define the fire pump
system availability the dynamic FTA was applied to find the fire pumps system's
availability and the failure rate without one pump. To model the fire pump system's
availability, the time-dependent FTA was used, as shown in Fig. 6.56.


Figure 6.56. The fire pump system FTA.

The time-dependent FTA is a quantitative risk methodology applied to
combinations of events that cause unwanted events, which in this case is fire pump
system unavailability. For the top event (system unavailable) to occur, failure in
the electric energy supply and in the two pumps (D and E) is necessary. Pump E is
the redundancy of pump D. The pump failure rate is 0.5 per year and the electric
system failure rate is 1 per year. The dynamic fault tree probability of failure is
described by:
$$P(\text{FES})(t) = 1 - e^{-\lambda t} = 1 - e^{-0.0000014\,t} = 1 - e^{-0.0000014\,(43800)} = 0.059$$

$$P(\text{PD})(t) = 1 - e^{-\lambda t} = 1 - e^{-0.00023\,t} = 1 - e^{-0.00023\,(43800)} = 0.9999$$

$$P(\text{PE})(t) = 1 - e^{-\lambda t} = 1 - e^{-0.00023\,t} = 1 - e^{-0.00023\,(43800)} = 0.9999$$

$$P(\text{fire pump system out}) = P(\text{FES}) \times P(\text{PD}) \times P(\text{PE}) = 0.059 \times 0.9999 \times 0.9999 = 0.06$$

where P(fire pump system out) is the top event failure probability; P(FES), the
electric system failure probability; P(PD), the pump D failure probability; and
P(PE), the pump E failure probability.
If 2 h are needed to reestablish the electric energy system and 8 h for each
pump repair, the simulations in Fig. 6.57 show the system is 100% available for
5 years despite pump failures.


Figure 6.57. The fire pump system simulation.

If the pump in maintenance (pump D) is out for 1 h (maintenance service time
duration) in the fourth year and 11th month, for example, it is necessary to check
the fire pump system availability and the probability of failure. Fig. 6.58 represents
the fire pump system without pump D in maintenance.

Figure 6.58. The fire pump system without pump D.

In this case the exponential function was used to represent the probability
density function (PDF) of failure over time for both pumps and the electrical
system. In this case the dynamic fault tree probability of failure is described by:

$$P(\text{fire pump system out}) = P(\text{FES}) \times P(\text{PE})$$

where P(fire pump system out) is the top event failure probability; P(FES), the
electric system failure probability; and P(PE), the pump E failure probability.

$$P(\text{FES})(t) = 1 - e^{-\lambda t} = 1 - e^{-0.0000014\,t} = 1 - e^{-0.0000014\,(43800)} = 0.059$$

$$P(\text{PE})(t) = 1 - e^{-\lambda t} = 1 - e^{-0.00023\,t} = 1 - e^{-0.00023\,(43800)} = 0.9999$$

$$P(\text{fire pump system out}) = P(\text{FES}) \times P(\text{PE}) = 0.059 \times 0.9999 = 0.06$$

In terms of system probability of failure the situation will not worsen without pump
D. Regarding maintenance, action on pump D is performed in the 11th month of
the fourth year and takes only 1 h. The system will also have 100% availability
without pump D, as shown in Fig. 6.59, and if some accident occurs the
consequence will not be worse than expected because the fire pump system is
available.

Figure 6.59. Fire pump system simulation (without pump D).

The conclusion is that maintenance on pump D is allowed because the whole fire
pump system has 100% availability during the 1 h maintenance service duration and
the probability of failure is similar with or without pump D (0.06). The simulation
treats the system as 4 years and 11 months old and operating without pump D.
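The fire pump fault tree above, worked as an added Python example (not the chapter's code): exponential failure probabilities for each basic event, the AND-gate top event with and without pump D removed from the tree, and a steady-state availability approximation using the 2 h and 8 h repair times. The availability formula is an assumption here, not the chapter's simulation; the per-hour rates are the ones in the chapter's equations.

```python
"""Time-dependent fault tree for the fire pump system (AND gate: the electric
supply and both pumps must fail), with and without pump D in maintenance.
Added illustration, not the chapter's own code. Rates are the per-hour values
used in the chapter's equations; repair times are its 2 h and 8 h."""
import math

FIVE_YEARS_H = 43800  # 5 years x 8760 h, the mission time used in the text

# Basic events: name -> (failure rate per hour, mean time to repair in hours)
BASIC_EVENTS = {
    "FES": (0.0000014, 2.0),   # failure of the electric supply
    "PD": (0.00023, 8.0),      # pump D
    "PE": (0.00023, 8.0),      # pump E, redundant to pump D
}


def failure_probability(rate_per_hour, hours):
    """Exponential CDF: probability the component has failed by time t,
    P(t) = 1 - exp(-lambda * t)."""
    return 1.0 - math.exp(-rate_per_hour * hours)


def top_event_probability(hours, out_for_maintenance=()):
    """AND gate over the basic events still in the tree. A component under
    maintenance is removed from the tree, as the chapter does for pump D."""
    p = 1.0
    for name, (rate, _) in BASIC_EVENTS.items():
        if name in out_for_maintenance:
            continue
        p *= failure_probability(rate, hours)
    return p


def steady_state_availability(rate_per_hour, mttr_hours):
    """Assumption (not from the chapter): repairable component with
    exponential failure and repair, A = MTTF / (MTTF + MTTR)."""
    mttf = 1.0 / rate_per_hour
    return mttf / (mttf + mttr_hours)


def system_availability(out_for_maintenance=()):
    """The system is unavailable only when every remaining basic event is
    down at the same time (same AND structure as the fault tree)."""
    unavailability = 1.0
    for name, (rate, mttr) in BASIC_EVENTS.items():
        if name in out_for_maintenance:
            continue
        unavailability *= 1.0 - steady_state_availability(rate, mttr)
    return 1.0 - unavailability


def maintenance_decision(component, hours=FIVE_YEARS_H, max_delta=0.01):
    """Allow maintenance on a component if the top-event probability does not
    materially increase and the system stays available (the chapter's two
    criteria for pump D). max_delta is an assumed threshold for 'similar'."""
    p_full = top_event_probability(hours)
    p_out = top_event_probability(hours, (component,))
    a_out = system_availability((component,))
    allowed = (p_out - p_full) <= max_delta and a_out > 0.9999
    return {"p_full": p_full, "p_without": p_out,
            "availability_without": a_out, "allowed": allowed}


if __name__ == "__main__":
    for name, (rate, _) in BASIC_EVENTS.items():
        print(f"P({name})(t=5 y) = {failure_probability(rate, FIVE_YEARS_H):.4f}")
    print(f"top event, all components: {top_event_probability(FIVE_YEARS_H):.3f}")
    print("pump D maintenance:", maintenance_decision("PD"))
    print("electric supply maintenance:", maintenance_decision("FES"))
```

Taking pump D out leaves the top-event probability at about 0.06, as in the text, while taking the electric supply out of the tree makes the top event almost certain over five years, so the same check would refuse that maintenance.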

The PRA methodology proposed is used to provide information to employees to
make better decisions with respect to unsafe conditions when layers of protection
or contingency systems fail or are out of operation for maintenance. A huge
challenge today in the oil and gas industry is achieving safe behavior by employees
for preventive action.
Despite difficulties at the beginning of the Brazilian offshore application cases
discussed here, risk analysis tools such as LOPA are not widespread in the
workforce, even though most employees recognize that it is a feasible methodology
and a good approach to help keep processes under control. Whenever this
methodology is applied the analysis should be formalized using forms and reports
to supply future analysis with data to conduct a complete risk analysis.

URL: https://www.sciencedirect.com/science/article/pii/B9780128054277000063

Risk Analysis
Dennis P. Nolan, in Handbook of Fire and Explosion Protection Engineering
Principles for Oil, Gas, Chemical, and Related Facilities (Fourth Edition), 2019

Abstract
In this chapter a discussion is provided of the various risk identification and
evaluation methodologies that are being used in the process industries today, both
qualitative and quantitative reviews. These include PHAs, HAZOP, CHA, fishbone,
LOPA, SVA, and several types of QRAs. Additionally, other specialized supplemental
studies are described, which typically cover leak estimations, depressurization and
blowdown capabilities, combustible vapor dispersion, explosion overpressure,
survivability of safety systems, firewater reliability, emergency evacuation modeling,
fatality accident rates, human reliability analysis, cost–benefit analysis, computer
hazard and operability study, and electrical hazard and operability study.
Specialized studies for offshore facilities are also included. An examination of risk
acceptance criteria is also included, which includes the “as low as reasonably
practical principle.” Finally, a discussion on relevant and accurate data sources for
any risk evaluation is included.

URL: https://www.sciencedirect.com/science/article/pii/B9780128160022000076

Operating: Key Aspects of Deepwater Planning and Project Implementation
Peter Aird, in Deepwater Drilling, 2019

General Guidance for Project Risk Assessment


Figs. 10.4 and 10.5 show that risk estimation assesses the severity (consequence)
and frequency (likelihood, probability) of project scope hazardous events, and then
identifies, measures and evaluates existing and further reduction methods to be added
to achieve ALARP levels, as illustrated in Tables 10.1 and 10.2.


Fig. 10.5. (Left illustration) Main stages in the risk assessment process. (Right
Illustration) Screening to determine appropriate risk assessment level.
Source: HSE Information sheet Guidance on Risk Assessment for Offshore Installations Offshore
Information Sheet No. 3/2006.

Table 10.1. Risk Matrix—Likelihood and Consequence Assessment Table

Likelihood of Loss Control | Consequence Severity: 5 Severe | 4 Major | 3 Serious | 2 Minor | 1 Negligible
5 Very high | X | X | X | X | O
4 High | X | X | X | O | O
3 Average | X | X | O | O | =
2 Low | X | O | O | = | =
1 Very low | O | O | = | = | =

X: Unacceptable high risk. Operator must reduce through prevention, mitigation,
reduction. O: high risk. Operator must address QHSE, cost, value benefits of
further risk reduction. Peer review/specialist assist to verify standards, procedures,
guidelines, and controls are in place. =: Acceptable risk. No action required.
Source: Kingdom Drilling modified April 2018.

Table 10.2. Project-Based Risk-Matrix Category Definitions

Likelihood Scale (Probability) | Consequence Scale (Based on Deepwater Operating Costs of £500,00 per Day)
1 Very low. Failure never heard of in industry. Almost impossible on a well's project. < 10^−4 per year | Negligible. Minor impact on personnel, negligible project failure, damage, loss, environment harm. <£10,000, <½ h, < 1 bbl spill
2 Low. Failure heard of in the industry. Remote, but possible during projects. < 10^−3 per year | Minor. Medical treatment for personnel, minor project damage, failure, environmental harm. <£150,000 cost. ½–6 h lost time, 1–50 bbl spill
3 Average. Failure results on company projects. Occasional, could occur during a project. < 10^−2 per year | Serious. Serious injury to personnel (LTI), project stoppage, delay, interruption, environmental harm. <£500,000 cost. 6–24 h lost time, 50–500 bbl spill
4 High. Failure is evident several times a year in company projects. Possibility of isolated incidents in individual projects. < 10^−1 per year | Major. Permanent injury/health effect, major project damage, delay, loss, environmental harm. <£1,000,000 cost. < 1–2.0 days, 500–5000 bbl spill
5 Very high. Failure evident several times a year on specific wells. Repeated incidents on certain project types. > 10^−1 per year | Severe. One or more fatalities, severe project damage, failure, loss, environmental harm. >£1,000,000 cost. > 2.0 days lost time, > 5000 bbl spill

Modified from generic sources, Kingdom Drilling May 2018.

The purpose of the matrix is to readily fit and rank real risks in a reasonably precise,
accurate and ALARP manner.
Due to the qualitative factors, degrees of uncertainty and conservatism that might
prevail, specialist peer reviews and assists are recommended. For example, if
several hazardous events fall into the same risk matrix category, specialist
judgment is more likely to assure a more fitting ranking.
The amount of detail and effort required increases from qualitative (Q) to
quantified risk assessment (QRA). For the Q, SQ and SQA approaches, the risk
matrix and tables as shown provide the most convenient method to present,
rank and evaluate metric levels and limits to use and apply.
To close this section, it is important to note that risk matrices must be capable of
discriminating between real project hazard and risks likely to exist. If not, they need
to be changed.
Matrices must afford a well-reasoned rationale and a detailed selection of severity and
frequency matrix categories, as outlined. In practice, a 5 × 5 matrix affords greater
opportunity for discrimination than a 3 × 3. Frequency categories must also cater for
the range and relevance of severity that exists.
Bow-Tie Diagrams
Bow-tie diagrams are used and viewed as better suited to hydrocarbon, refining, and
process safety downstream business requirements.

They are used to:
(a) Identify and document the “lines of defense” or “safety barriers” that are in
place,
(b) Facilitate a qualitative assessment of any gaps,
(c) Help inform an assessment of event likelihood for semiquantitative analysis.
Source guidance on the use of bow-tie diagrams is:
(a) CCPS (2001). “Layer of Protection Analysis—Simplified Process Risk
Assessment”. American Institute of Chemical Engineers, New York.
(b) Amey VECTRA (2002). “Lines of Defence/Layers of Protection Analysis in the
COMAH Context”, www.hse.gov.uk/research/misc/vectra300-2017-r02.pdf.
The concluding view on bow-tie diagrams in this guide is that they can be used but
have limited application in multiple and complex evident facets of deepwater well
operations and situations.
Hazards, Risk, and Uncertainties
To reduce hazards, risk, and uncertainty to the ALARP results desired, regular peer
reviews, assists and specialist advice will have to be planned for, resourced, and
scheduled to support any risk management approach undertaken. High-end
modeling of specific deepwater project hazard/risk consequences, as identified
through major accident hazard weaknesses, must also be worked to
assure that the right decisions result, for all the right risk-based reasons. Note:
Deepwater well operations can frequently be extremely complex, involving multiple
disciplines, where getting a true handle on the degree of real risk and uncertainty
that prevails is, rest assured, not an easy task.
One way of dealing with risked uncertainty is to improve all aspects of
standardization used throughout each project, e.g., use more generic and reliable
data, metrics, and controls. Inputs of uncertainty within any frequency analysis
results are more cautious when using more conservative norms. However, this may
present a double-edged sword. For Q and SQ approaches, significant conservatism
in terms of risk shall likely result. QRA analysis, on the other hand, can be pitched
within a more accurate range rather than toward conservatism. If it is apparent that
conservatism is far too great to support reasoned, rational, ALARP decisions (safe
operating kick tolerances to be < 100 or 50 bbl as per company standards, as the
classic deepwater drilling example), it is essential to refine the analysis to remove
conservatism, as it may not be practical.
Note: Refinements in more critical circumstances, e.g., well operations, well
integrity, well control assurance, etc. require far more precise screening, sensitivity
analysis, and evident details to justify the end result and withstand scrutiny that
may later result.
Sensitivity analysis is another simple operating technique that in the right hands is
employed to scrutinize more extreme magnitudes of risk and uncertainty. In
specific cases, e.g., kick tolerance safe operating limits, a small number of carefully
chosen sensitivity analysis studies and scenarios would be conducted via a technical
well control assurance specialist. This is considered far more proficient than costly
black box QRA modeling or Monte Carlo exercises.
Keeping it simple is the best practice approach to approximate risk assessment (in
terms of the accuracy of any quantification) and can be more useful to a project for
later decision making, particularly if the risk assessor has the wider deepwater
knowledge and experience, skills set required. The important statement here is that
reality checks must apply at each and every project stage for all risk assessment
conducted.
Relationships With Risk to Safety Management Systems

Risk assessment alone shall not reduce all evident deepwater hazards and risks
(where there are often too many unknowns) if the process is viewed as an end in
itself. Problem solving and risk reduction merits are only realized when the persons
involved act in a collaborative, systematic, logical and rational manner, using the
tools, techniques, and skills provided to continuously manage, control and reduce
risks. It is important to note that project scope associated hazards and risks can
change at any time. Management of change and dynamically conducting further risk
assessment is now crucial, with critical aspects to address. Active engagement and
the ability to readily manage project change, from start to end, require a complete
understanding of all risk inputs and outputs desired. Risk management is to be
encouraged at each and every project stage until the final scope item is completed
and closed.
Identification of Potential Risk Reduction
All risk-reducing measures should entail detailed thought processes in regards to
how project-related problems and scenarios can unfold the physical interaction
with the layout, the people, the task at hand, the rig, the well, the equipment,
systems, conditions, environments, etc. Ranking and prioritization are then
essential via a systematic and sequential hazard and risk-reducing approach, led by
adopting a multidisciplinary thought process approach to assure all skills,
knowledge, and experience are used to deliver more qualified results. A hierarchical
approach to risk reduction is designed to:
(a) Eliminate and minimize hazards by design (inherently safer design),
(b) Prevent (reduction of likelihood),
(c) Detect (transmission of information to control point),
(d) Control (limitation of scale, intensity and duration),
(e) Mitigate consequences (protection from effects), and
(f) Emergency response plans (spill, well control, blow out, drive off/drift off, etc.).
Risks must be assessed from highest to lowest, to assure ALARP reduction
measures result.
Operating Relationship With Third Parties Employed to Carry Out Hazard
and Risk Assessment
Regarding third parties hazard and risk assessments, the operator is responsible
that all project-related risk studies are conducted, collated, duly assessed, and
acted upon, including:
(a) Initiating the process of project hazards and risk assessment;
(b) Scoping of any risk assessment as outlined in this section;
(c) Subcontracting appropriate aspects, e.g., leadership of hazard identification,
quantification, to specialist contractors, if appropriate;
(d) Providing the necessary inputs and members of brainstorming teams to the
subcontractors;
(e) Providing all necessary resources and support;
(f) Reviewing outputs to ensure project operating details are appropriate, and to
obtain an understanding of the hazards, potential consequences, and risks;
(g) Making use of the results of the hazards and risk assessment as part of the
continuous improvement of safety, e.g., by using it to identify and evaluate
possible remedial measures;
(h) Reviewing the hazards and risk assessment periodically and updating it as
required.
What may be needed to settle differences in methods is that a balance is struck
(e.g., within contracts) to decide and assure the hazard and risk assessment
approach best to use.
The ownership of the risk assessment method selected then to be retained by the
operator to carefully consider how to supply all inputs and outputs to and from
each contractor, including details of all associated project-related rig and well
operations information.
In all cases, personnel carrying out the risk assessment should have knowledge of:
(a) Equipment, process, and/or activity to be assessed,
(b) Hazards present,
(c) Probability/likelihood of the failure scenarios realizing a hazard,
(d) Consequences of exposure to the hazards present or produced.
All consultants or contractors employed within a project shall be competently
trained and expected to conduct hazard and risk assessment, and their scope of
work shall include this task with the operator retaining responsibility to evaluate
and assure all needs are met in this respect.
Unscheduled Work
For unscheduled or unplanned work, the person in charge (or a delegate) and a
senior person from the operator must ensure that all hazards and risks are
identified, assessed, highlighted, and controlled to the desired ALARP (as low as
reasonably practicable) levels.
URL: https://www.sciencedirect.com/science/article/pii/B9780081022825000107

Historical Background, Legal Influences, Management Responsibility, and Safety Culture
Dennis P. Nolan, in Handbook of Fire and Explosion Protection Engineering
Principles for Oil, Gas, Chemical, and Related Facilities (Fourth Edition), 2019

1.8 Recent Process Safety Management Initiatives Being Established in the United States
In the United States, the State of California's CAL/OSHA is adopting a new PSM
standard in 2016, after outreach to the industry to improve its safety standards,
strengthen enforcement, and improve emergency preparedness and response
procedures. It is using PSM as a new approach to regulating the petroleum refining
industry in the state.
The revised PSM standard incorporates seven new aspects:
1. Hierarchy of hazard controls analysis;
2. Damage mechanism reviews (DMRs);
3. Human factors;
4. Management of organization change;
5. Root cause analysis;
6. Safeguard protection analysis;
7. Safety culture assessments.
They recommended changes to the California PSM standard that would require
petroleum refineries to:
1. Implement inherently safer systems to the greatest extent feasible;
2. Perform periodic safety culture assessments;
3. Incorporate damage mechanism hazard reviews into PHAs;
4. Conduct root cause analyses after significant accidents or releases;
5. Account for human factors and organizational changes;
6. Use structured methods, such as layer of protection analysis, to ensure
adequate safeguards in process hazard analyses.
The DMRs for each process shall include:
1. Assessment of process flow diagrams;
2. Identification of all potential damage mechanisms;
3. Determination that the materials of construction are appropriate for their
application and are resistant to potential damage mechanisms;
4. Methods to prevent or mitigate damage;
5. Review of operating parameters to identify operating conditions that could
accelerate or otherwise worsen damage, or that could minimize or eliminate
damage.
The hierarchy of hazard controls analysis is to include the following aspects:
1. Compile or develop all risk-relevant data for each process or recommendation;
2. Identify, characterize, and prioritize risks posed by each process safety hazard;
3. Identify, analyze, and document all inherent safety measures and safeguards
for each process safety hazard from most preferred to least preferred;
4. Develop an effective review protocol to ensure that relevant, publicly available
information on inherent safety measures and safeguards is analyzed and
documented by the team. This information shall include inherent safety
measures and safeguards that have been:
   (a) Achieved in practice by the petroleum refining industry and related
   industrial sectors;
   (b) Required or recommended for the petroleum refining industry and
   related industrial sectors, by a federal or state agency, or local California
   agency, in a regulation or report.
5. For each process safety hazard identified, develop written recommendations
in the following sequence and priority order:
   (a) Eliminate hazards to the greatest extent feasible using first-order inherent
   safety measures;
   (b) Reduce any remaining hazards to the greatest extent feasible using
   second-order inherent safety measures;
   (c) Reduce remaining risks using passive safeguards;
   (d) Reduce remaining risks using active safeguards;
   (e) Reduce remaining risks using procedural safeguards.
For the human factors aspects:
• Perform a written analysis of human factors in major changes, incident
investigations, process hazard analyses (PHAs), management of organizational
changes (MOOCs), and hazard consequence analyses (HCAs). The analysis shall
include a description of the selected methodologies and criteria for their use;
• Assess human factors in existing operating and maintenance procedures;
• Human factors analysis shall evaluate: staffing levels; complexity of tasks;
length of time needed to complete tasks; level of training, experience and
expertise of employees; human–machine and human–system interface;
physical challenges of the work environment; employee fatigue and other
effects of shiftwork and overtime; communication systems; and the
understandability and clarity of operating and maintenance procedures;
• The human factors analysis of process controls shall include: (1) error-proof
mechanisms; (2) automatic alerts; and (3) automatic system shutdowns.
MOOC includes the following:
• Designate a team to conduct a MOOC assessment prior to reducing staffing
levels, reducing classification levels of employees, or changing shift duration or
employee responsibilities;
• Provide for employee participation;
• The MOOC assessment is required for changes affecting operations,
engineering, maintenance, health and safety, or emergency response.
Incident investigation—root cause analysis includes the following features:
• Establish an incident investigation team, which shall include a person with
expertise and experience in the process involved and a person with expertise in
the employer’s root cause analysis method;
• The incident investigation shall include an assessment of management system
failures, including organizational and safety culture deficiencies.
Safeguard protection analysis features the following:
• Inherent safety measures and safeguards for each process safety hazard are to
be categorized in the following sequence and priority order, from most preferred
to least preferred: first-order inherent safety measures; second-order inherent
safety measures; passive safeguards; active safeguards; and procedural
safeguards:
1. Eliminate hazards to the greatest extent feasible using first-order inherent
safety measures;
2. Reduce any remaining hazards to the greatest extent feasible using
second-order inherent safety measures;
3. Effectively reduce remaining risks using passive safeguards;
4. Effectively reduce remaining risks using active safeguards;
5. Effectively reduce remaining risks using procedural safeguards.
A process safety culture assessment (PSCA) shall include an evaluation of the
effectiveness of the following elements of process safety leadership:
• Hazard reporting program;
• Response to reports of hazards;
• Procedures to ensure that incentive programs do not discourage reporting of
hazards;
• Procedures to ensure that process safety is prioritized during upset or
emergency conditions.
URL: https://www.sciencedirect.com/science/article/pii/B9780128160022000015

Risk Management
Ian Sutton, in Process Risk and Reliability Management (Second Edition), 2015

Historical Development
Safety and risk management programs have always been an integral part of the
process industries. Initially such programs were quite crude and basic, but they
have become much more sophisticated as standards have risen and as processes
have become more complex.
Figure 1.3 provides an overview of some of the major changes and advances that
have been made in the last 150 years or so.


Figure 1.3. Developments in safety systems.

1 Safety as a Value
People working in the process industries now take it for granted that safety is a
value, even when their own organization has a poor safety record—no one ever
says, “Safety doesn’t matter.” However, such an attitude was not the norm 200
years ago. In his novel Hard Times, published in the year 1854, Charles Dickens
satirically condemned the industrialists who failed to acknowledge that safety and
clean air were values, in and of themselves.
They [the industrialists] were ruined when they were required to send labouring
children to school; they were ruined when inspectors were appointed to look into
their works; they were ruined, when such inspectors considered it doubtful whether
they were quite justified in chopping people up with their machinery; they were
utterly undone, when it was hinted that perhaps they need not always make quite
so much smoke…
The weapon that Dickens and his fellow authors used was satire. This weapon has
now fallen out of use—modern professional safety workers rarely attempt the use
of irony (although some of what is written in Chapter 3 in the section to do with
Warning Flags represents a feeble attempt to follow in Dickens’ footsteps).
2 Codes and Standards
By the beginning of the twentieth century, the number of industrial accidents had
risen to unacceptably high levels. For example, between the years 1870 and 1910,
at least 10,000 boiler explosions occurred in North America. By the year 1910, the
rate of such explosions had reached approximately 1,400 per year.
In response to this unacceptable situation, industrial societies (particularly the
American Society of Mechanical Engineers) started publishing what has since
become a very wide range of codes and standards. The first boiler code was
published in 1914.
3 Workers’ Compensation
Workers’ compensation programs were introduced around the start of the
twentieth century in various nations. These programs are a no-fault insurance
system in which an injured worker receives medical and compensation benefits
regardless of the causes of the job-related accident. If the injury or illness is job
related, the injured worker receives medical benefits and, if eligible, temporary
compensation for loss of earning power. In some cases, the injured worker may
also receive permanent compensation and job retraining. In return, lawsuits
against the employer, except under very limited circumstances, are not permitted.
The cultural impact of workers’ compensation was to make it clear that there is
liability to do with accidents; some of that liability lies with the employer, and some
with the worker, and that both parties need protection.
4 Occupational Safety
In the mid part of the twentieth century, increasing emphasis was placed on
occupational safety issues such as training, working conditions, and the use of PPE
(personal protective equipment).
5 Systems Analysis
Toward the end of the Second World War, systems techniques such as fault tree
analysis were introduced in order to predict the reliability and performance of
military airplanes and missiles. The use of such techniques led to the formalization
of the concept of probabilistic risk assessment (PRA). The publication of the Reactor
Safety Study (NRC, 1975)—often referred to as the Rasmussen Report after the
name of principal author, or by its subtitle WASH 1400—demonstrated the use of
such techniques in the fledgling nuclear power business. Although WASH 1400 has
since been supplanted by more advanced analysis techniques, the report was
groundbreaking in its approach to system safety.
Systems analysis was also an integral part of the U.S. nuclear navy. The stringent
standards imposed by Admiral Rickover to do with both nuclear safety and
personnel selection have been a critical factor in the navy’s continuing record of
zero reactor accidents.
Systems analysis techniques are used only to a limited extent in the process
industries for two reasons. First, such techniques are not generally effective at
predicting human behavior (e.g., WASH 1400 did not anticipate the Three Mile
Island accident). Yet human performance is a very important component of safety
performance in the process industries. Second, the use of PRA methodologies is
generally time-consuming and expensive—particularly when used in the chemical
industries where there is so much difference from facility to facility.
A modified method of quantifying risk through the use of systems analysis has
been adopted by the process industries. The technique, known as LOPA (layers of
protection analysis), provides an order-of-magnitude estimate of risk (details of
the method are provided in Chapter 15).
In spite of its limitations, the use of systems analysis has helped modify the culture
of the process industries. By developing quantified analyses, risk professionals are
able to move to a more objective approach in the management of process safety
and operational integrity. There is less “I think/You think,” and more “Here is what
the numbers are telling us.”
6 Regulations
Regulation of the process industries has increased steadily, particularly since the
early 1960s. In the United States, the catalyst for the environmental movement was
the publication of Rachel Carson’s Silent Spring in the year 1962. Although her book
focused on the hazards of DDT on birds of prey, it also created a broader challenge
to technological progress and set the stage for the modern environmental
movement.
Of particular importance to process industries in the United States was the creation
of OSHA (Occupational Safety and Health Administration) in the year 1970 by the
Nixon administration.
7 Management Systems
During the 1980s, a series of bad accidents in the process industries, both onshore
and offshore, demonstrated that a new approach to safety management was
needed. Examples of these new approaches were the development of Process
Safety Management (PSM) in the United States and the introduction of the Safety
Case Regime in Europe. In the United States, process safety legislation
requirements were included in the amendments to the Clean Air Act of 1992. This
legislation directed the OSHA and the Environmental Protection Agency (EPA) to
each develop, implement, and enforce process safety standards in order to protect
both workers and the public. Some states also introduced their own process safety
regulations.
Similar programs were introduced in the same time frame in many other nations
and industries. For example, regulations covering the offshore industry in the
North Sea were introduced following the Piper Alpha disaster of 1988. In addition,
industry organizations such as the American Petroleum Institute (API) and the
American Chemistry Council (through the Responsible Care® program) developed
their own process safety standards that were generally not adopted into law but
that typically provided good practical guidance regarding the implementation and
management of process safety systems.
Considerable progress to do with the implementation of process safety programs
has been made in the 15 years since the early 1990s—particularly with respect to
regulatory compliance. For example, prior to the early 1990s, few companies had a
formal Management of Change program; now such programs are part of the
furniture in almost all process facilities. This is not to say that further
improvements cannot be made. Indeed, in the words of one facility manager,
“There is always news about safety, and some of that news will be bad.” Moreover,
there have been greater improvements in occupational safety than there have been
in process safety (Whipple and Pitblado, 2008).
Such data as exist would seem to confirm that progress with process safety has
not been as good as for occupational safety. For example, Figure 1.4, which is
based on data provided by Pitblado (2008), shows that there has been a steady
improvement in occupational safety in the process industries (the overall trend
line, which is built on data from many large companies, demonstrates an order-of-
magnitude improvement in occupational safety in the 12-year period covered).


Figure 1.4. Occupational injury trends.

The same paper states, however, that “there is no clearly visible overall decline in
major accident process safety events observed in either the United States or
European Union, although the data is noisy and some successes do exist—notably
the U.K. Sector of the North Sea reduction in major leak events.” In other words,
the significant improvements that have occurred in occupational safety in the last
decade are not being repeated with regard to process safety. One suggested
technique for improving process safety performance is to manage technical safety
barriers in real time, i.e., to implement a system to ensure that all safety systems
and devices are fully functioning at all times.
In addition, new concerns—such as the increasing shortage of experienced
employees—have come to the fore as challenges to continued improvement in
process safety performance. Nevertheless, the process industries (including the
regulators) can take a great deal of credit for having made substantial strides in
process safety during the course of the last two decades.
8 Behavior-Based Safety
In recent years, many companies have invested in behavior-based safety (BBS)
programs. BBS is a process that helps employees identify and choose a safe
behavior over an unsafe one. It also encourages employees to work with their
colleagues on improving their mutual understanding of effective and ineffective
behaviors as they apply to safety.
The first step in the BBS process is to observe employees performing their routine
tasks. Both safe and unsafe behaviors are noted and recorded (with personal
information omitted). The observer provides positive feedback on safe behaviors
and nonthreatening feedback on unsafe behaviors. Employees are provided with
suggestions on correcting the unsafe or at-risk behaviors. The employees are not
reprimanded or disciplined for at-risk behaviors, nor are any findings reported to
management. Employees are encouraged to comment on the observations; their
comments are included with the observations themselves, along with any
suggestions for improvement.
Results from the observation records are gathered and compiled in a single
database. Reports from the database indicate which types of at-risk behavior are
most prevalent and in which locations they are taking place. Based on the insights
generated during the review and analysis phase, recommendations for
improvement can be made.
BBS should be a part of the company way of life. This means that if any employee
notes that a colleague is demonstrating an at-risk behavior then he or she is
encouraged to talk to the colleague and suggest ways of eliminating that behavior.
Similarly, behaviors that are particularly good should receive commendation.
9 Safety Culture
The final box in Figure 1.3 is to do with the concept of safety culture—a topic that
is the focus of much current discussion and development. This topic is discussed in
Chapter 3.
URL: https://www.sciencedirect.com/science/article/pii/B9780128016534000011

Copyright © 2021 Elsevier B.V. or its licensors or contributors.


ScienceDirect ® is a registered trademark of Elsevier B.V.