Layer of Protection Analysis (LOPA) is a risk assessment and hazard evaluation method which provides a simplified balance between qualitative process hazard analysis (PHA) and detailed and costly quantitative risk analysis.
It is a form of risk assessment often used to determine Safety Integrity Level (SIL) targets based on:
- Initiating event frequency
- Consequence severity
- Likelihood of failure of independent protection layers
- Scenario risk
The process starts with an identified accident scenario and then makes use of some simplifying rules that allow for the analysis of the initiating event frequency, along with the independent layers of protection. This results in an estimate of risk by order of magnitude.
Managing process safety means understanding the many factors that contribute to risk and establishing appropriate measures for risk mitigation. LOPA addresses the key questions:
“How safe is safe enough?”.
“How many independent protection layers are needed?”; and
“How much risk reduction should each layer provide?”
Our process safety experts are used to working with a high level of complexity and have implemented the LOPA methodology successfully. The LOPA report encourages self-sufficiency by assisting site staff in comprehending process hazards after the study the conclusion of the study.
Purpose
The primary purpose of LOPA is to determine if there are sufficient layers of protection against an accident
scenario and to determine if the risk can be tolerated.
Concept of LOPA
Methodology
Typically, a high-consequence scenario – which usually involves a combination of equipment and human failures – is identified during a qualitative hazard evaluation, such as a Process Hazards Analysis (PHA) or a Hazard and Operability study (HAZOP). LOPA is then implemented for a closer, more careful assessment of this scenario. LOPA is a quantitative screening tool which provides a consistent, objective, and defensible approach.
A LOPA can be seen as a series of slices of Swiss cheese, whereby each slice is a layer of protection with a varying number and size of holes representing flaws. A high-consequence scenario occurs only if at least one of the holes in each slice “line-up,” allowing propagation of multiple failures. For components of a process-control system, such as safety instrumented systems and other components such as relief valves and rupture disks, it is critical to know or estimate the likelihood of failure on demand.
We study the process under investigation to identify likely initiating events and estimate the frequency of initiating-event occurrence. We will then examine all process-control features and safeguards, estimating the reliability of protection provided and ensure the independence of each protection layer. With this information, the probability of occurrence (or frequency) of a given high-consequence scenario can be semi-quantitatively determined. Combining this likelihood with the severity of the consequences, an evaluation of risk is obtained.
A risk matrix is usually adopted to show the possible combinations of likelihood and consequence severity. The risk thus obtained can be compared to the facility or corporation’s risk tolerance for presentation to site and/or corporate management. We prepare a comprehensive study report to serve as a record of the completed analysis, including descriptions of potential risks with the existing safeguards and with recommendations for additional safeguards, where warranted.
Steps
In summary, the LOPA Determination steps involves:
- Identify the consequence to screen the scenarios.
- Identify the company’s tolerable frequency for the consequence.
- Identify the initiating event of the scenario and determine its frequency (i.e., the initiating event frequency).
- Identify the Independent Protection Layers (IPLs) and assign the probability of failure on demand (PFD) for each IPL
- Calculate the mitigated event frequency by taking the product of the initiating event frequency, the IPL PFDs and if applicable, the probability of enabling event and the probability of conditional modifier.
- Compare the mitigated event frequency to the criteria for tolerable frequency for the company
- If the risk criteria are not met, the remaining risk gap will be filled by the installation of a Safety Instrumented Function (SIF). The size of the risk gap determines the Safety Integrity Level (SIL) of the SIF required.
Results
