LOPA or Layer of Protection Analysis

1.1 – Introduction and general Guidelines:

LOPA, or Layer of Protection Analysis, is a study developed on the basis of a risk identification analysis (e.g. HAZOP). Its main purpose is to identify the countermeasures available against the potential consequences of a particular risk. Starting from the quantified likelihood of a particular hazard, the study analyzes the system and identifies, using a quantitative approach, the mitigation measures against the hazard under study. The countermeasures, or “Protective Layers”, must be independent to be effective.

Once every countermeasure has been identified, the risk has been reduced by those safeguards, but is it now tolerable?

LOPA is commonly applied to systems already in place, with the safeguards already installed. The scope of the study is to find the weaknesses of the system and evaluate the risk. LOPA DOES NOT suggest which additional safeguards are required.

1.2 – Layers of Protection:

A Layer of Protection is defined as an independent series of elements related to the process design and maintenance. For example:

–         Process (Inherently Safer Design)

–         Process Design

–         BPCS

–         Alarm/Operator Action

–         Automatic Action (SIS or ESD)

–         Active/Passive Protection (E.g. PPE)

–         Plant Emergency Response

–         Plant Emergency Procedure

–         Community Emergency Response

–         Other

The previous list is not intended to be complete; LOPs must be specified case by case. However, since no layer is perfectly effective, additional protection layers must be provided to render the risk tolerable. Alternatives encompassing inherently safer design can be evaluated as well.

Each layer modifies the evaluated risk, with a different mitigation effect (on likelihood or severity). Generally the mitigation effect is stronger for inherent or passive process design countermeasures. Mechanical equipment in particular, compared with electronic equipment, should be considered to have a high level of reliability.

1.3 – Application of LOPA – Step by Step:

Like many other risk assessment analyses, LOPA is developed through a defined series of steps or phases.

The basic steps for the LOPA risk assessment typically are:

  1. Identify the consequence
  2. Define the Risk Tolerance Criteria
  3. Define the relevant accident scenario
  4. Determine the initiating event frequency
  5. Identify the conditions, conditional modifiers (if applicable) and estimate the PFD
  6. Estimate the intermediate frequency of unmitigated consequence
  7. Identify the IPLs and estimate the probability of failure on demand for each IPL
  8. Determine the Frequency of Mitigated Consequence
  9. Evaluate the need for additional IPL

The basic steps of the LOPA method are explained below.

1.3.I – Identify the consequence:

In a LOPA study, the consequence is defined as the “undesirable potential consequence of an accident scenario”. The analyst should consider not only the direct or indirect effects on employees, the environment, or material targets; the loss of business, time or company reliability must be analyzed as well.

Like FMEA or FTA, the LOPA study is focused on a particular event, or better, scenario. LOPA is typically applied to a single scenario identified by a Hazard Identification Analysis. The LOPA analyst's first step is to screen these potential accident scenarios. The risk of a scenario may be judged qualitatively by the HAZOP team. The most common screening method is based on ranking the consequence.

1.3.II – Determine the Risk Tolerance Criteria (RTC):

Once the undesirable scenarios have been screened, on what basis can we identify the most dangerous? The tolerable risk threshold must be identified as soon as possible from the data gathered from the different scenarios. To evaluate the risk level of each scenario, excellent Risk Tolerance Criteria must be identified. The Risk Tolerance Criteria provide a reference point to judge the status of each relevant accident scenario.

The risk tolerance criteria could be determined by:

  1. Risk Matrix (Frequency vs Severity).
  2. Maximum allowable Risk.
  3. Minimum number of IPLs for each specific scenario.
  4. Maximum cumulative risk for a single node or area.

To achieve consistent results, companies should define risk tolerance criteria before implementing LOPA. Without risk tolerance criteria, there is a tendency to keep adding safeguards for each new idea for protection, under the false assumption that safety is continually being improved.

1.3.III – Define the relevant accident scenario:

A scenario is an incident, or better, an unplanned event/cause or sequence that triggers events resulting in an undesirable consequence. Each scenario is characterized by a SINGLE event, as in FTA or ETA.

Each scenario is composed of at least two elements:

–         An Initiating Event that starts the main chain of events.

–         A Consequence that results if the chain of events continues without interruption (without any successfully working safeguard).

The most common categories of Initiating Events are:

Plant Event:

–         General Equipment Failure

–         General Control Failure

–         Mechanical Failure

–         Corrosion

–         Maintenance Failure

–         Vibration Failure

–         Other

Human Failures:

–         General Human Error

–         Inexperience Failure

–         Procedure Failure

–         Maintenance Failure

–         Loading Failure

–         System Response Error

–         Other

Other Event:

–         External Elements

–         Earthquake

–         Hurricane

–         Flood or other natural events

–         Others

If a single Initiating Event generates multiple consequences, each consequence must be assessed in a different scenario, generating multiple analyses.

1.3.IV – Initiating Event Frequency:

Once the basis of the study has been established, the assessment starts from the frequency or likelihood of the initiating event. Normally, the frequency is taken from an internal database or from external sources such as private databases accessible for a fee. Many national databases are also available, but it may be better to contact a manufacturer when the frequency required involves a particular item. In some cases the initiating event is generated (or could potentially be generated) by multiple sources. In those cases the frequencies of all the events should be considered, combining them with a logic function (“OR”, as in FTA analysis).

The initiating event frequency is a cornerstone of the study: the more reliable the initial data, the more consistent the study and the assessment.

The frequency of the initiating event is normally expressed in events per year, but many other units are available, such as events per hours worked per year or events per 8000 years. There is no limitation on the frequency unit adopted, but ensure that all the frequencies, and the other factors, are based on the same scale.

Many companies provide standardized data. With mechanical integrity and incident investigation procedures, including the ability to collect and analyze the data, the credibility of the failure rate data may be obtained.

If the failure data is expressed as a probability of failure on demand (PFD), the initiating event frequency must be derived. This involves estimating the number of times per year that a demand is placed on a system or person. This may be as straightforward as counting the number of times the operation is carried out per year and multiplying by the PFD.

For equipment, the initiating event frequency is calculated by multiplying the PFD by the number of pieces of equipment (pump, compressor, seal, instrument) or by the length of pipe (assuming the two values are not interdependent).

1.3.V – Conditions, Conditional Modifiers:

During the Scenario Analysis it is necessary to evaluate every kind of condition able to mitigate or aggravate the situation like:

–         Probability of Ignition

–         Probability of Presence of People

–         Probability of Escape

–         Probability of absence of Operator

–         Other

Those factors modify the likelihood of the starting event or of the consequence. The mitigation or “aggravation” factors are the only factors that are neither IPLs nor failures. This point of the assessment in particular should be carried out by an expert, able to avoid overestimating the mitigation effect.

1.3.VI – Frequency of Unmitigated Events:

1.3.VII – Independent Protection Layer:

An Independent Protection Layer is a device, system or action that is able to prevent (completely or partially) a scenario from developing, interrupting the chain of undesired events. Independence is essential for an IPL: a device that depends on another should not be included in the study as a layer. As a simplified analysis, LOPA identifies only independent safety systems, items or procedures as effective.

In order to be considered an IPL, a device, system or action must be able to trigger the interruption of the scenario. The main features required of an IPL are therefore:

–         Effective

–         Independent

–         Auditable (Its reliability should be assessed)

The effectiveness of an IPL is quantified in terms of its PFD, which is defined as the probability that the IPL will fail to perform a specified function on demand. The IPL PFD is a dimensionless number between 0 and 1. The smaller the value of the IPL PFD, the larger the reduction in frequency of the consequence for a given initiating event frequency. IPL PFD values range from the weakest IPL (1 × 10⁻¹) to the strongest IPL (1 × 10⁻⁴ – 1 × 10⁻⁵). Since LOPA is a simplified method, the values of the PFDs are usually quoted to the nearest order of magnitude.

The next table shows examples of typical PFD values.

1.3.VIII – Calculation:

The general equation for determining the frequency of a scenario with a specific consequence is the following:

To reach a high level of accuracy and reliability, the PFDs should be chosen with care, avoiding repetitions and safety measures unable to act as countermeasures for the scenario considered.
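The calculation steps above (initiating event frequency, conditional modifiers, IPL PFDs, comparison with the tolerance criterion) can be carried through in a short script. This is an added example, not part of the original article; it uses the standard LOPA product form (initiating frequency × modifiers × PFD of each credited IPL) and a simple shared-component check for independence. The tank-overfill scenario, tag names, frequencies and PFD values are constructed for illustration.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class IPL:
    name: str
    pfd: float             # probability of failure on demand, 0 < pfd <= 1
    components: frozenset  # hardware/people the layer relies on (assumed tags)

def credit_ipls(ipls, initiator_components):
    """Credit a layer only if it shares no component with the initiating
    event or with a layer already credited (the independence requirement)."""
    used = set(initiator_components)
    credited, rejected = [], []
    for ipl in ipls:
        if not 0 < ipl.pfd <= 1:
            raise ValueError(f"{ipl.name}: PFD must be in (0, 1]")
        if ipl.components & used:
            rejected.append(ipl.name)
        else:
            credited.append(ipl)
            used |= ipl.components
    return credited, rejected

def lopa(cause_freqs, modifiers, ipls, initiator_components, tolerable):
    f_ie = sum(cause_freqs)                 # "OR" of causes (rare-event sum), per year
    f_unmitigated = f_ie * prod(modifiers)  # step 6: unmitigated frequency
    credited, rejected = credit_ipls(ipls, initiator_components)
    f_mitigated = f_unmitigated * prod(i.pfd for i in credited)  # step 8
    return {"f_unmitigated": f_unmitigated, "f_mitigated": f_mitigated,
            "rejected": rejected,
            "tolerable": f_mitigated <= tolerable}  # step 9: more IPLs needed?

# Constructed scenario: tank overfill initiated by the BPCS level loop.
SCENARIO = dict(
    cause_freqs=[0.1, 0.01],   # level loop failure, inlet valve stuck open (per year)
    modifiers=[0.1, 0.5],      # P(ignition), P(people present)
    initiator_components={"LT-101", "BPCS", "LV-101"},
    ipls=[
        IPL("High-level alarm + operator", 0.1, frozenset({"LT-101", "operator"})),
        IPL("SIS high-high trip", 0.01, frozenset({"LT-102", "SIS", "XV-102"})),
        IPL("Dike", 0.01, frozenset({"dike"})),
    ],
    tolerable=1e-5,            # maximum allowable frequency (per year)
)

if __name__ == "__main__":
    print(lopa(**SCENARIO))
```

The alarm layer is rejected because it reads the same transmitter as the initiating control loop; crediting it anyway would understate the mitigated frequency by a factor of ten.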

1.4 – Are there any other applications for LOPA?:

With a good starting point, LOPA can be applied to other relevant fields or procedures:

–         Design

–         Capital Improvement Planning

–         Management of Change

–         Evaluating Facilities Siting Risk

–         Mechanical Integrity Programs

–         Incident Investigations

–         Screening tool for QRA

–         Design of the overpressure system

Further Reading:

Difference between LOPA and HAZOP

Hazard Identification and Management in Oil & Gas Industry


Osmar Camargo

Occupational Safety Technician at Petrobras

2 years ago

Thank you so much for sharing

Jose Lopes

Process Safety and Human Reliability Consultant | Doctor of Engineering

2 years ago

Very good!

Carlos Eduardo dos Santos, MBA, IRCA

Environmental and Safety Engineer | Occupational Hygienist | Process Safety Engineer | Lead Auditor ISO 45001 | PSM | SEPRO | PMBOK® | Project Management EHSQ | HAZOP | HAZID | LOPA | BowTie | PHA | Safety Culture

2 years ago

Excellent!

naser HUSSAIN

Student at Kuwait University

6 years ago

Hi Mister John Kingsley, I would like to take your permission to quote some information from your article. Is this permissible?
