LOPA (Layer of Protection Analaysis)

Schematic view of LOPA.
Visual representation of te LOPA method.

LOPA is about controlling risks. According to the IEC 61508 / 61511 standards a risk analysis has to be performed for Loss Of Containment scenarios from a HAZOP study which are considered potentially dangerous. The method for this analysis is free to choose. Some companies use a risk matrix, some a risk graph and others the method LOPA (Layer of Protection Analysis). Each method has its pros and cons.

In order to determine the risks in objective way, some factors are important:

  • Performance by a team of experts (eg HAZOP team) through a brainstorming session.
  • An experienced chairman who knows well the risk method, knows how risks can be reduced, and will maintain a balance between brainstorming and make progress.

Conduct LOPA study

It is essential to document the risk assessment properly, the choice of the various parameters must be clear and explained in detail.

Using LOPA, it is essential to know which incident frequencies the company tolerates. What is the risk reduction of independent protection layers and frequency modifiers?

LOPA (Layer of Protection Analysis) with Risk matrix
LOPA method shown in a risk matrix.

One pitfall is that overly optimistic risks are reduced. For example, by the activation of an alarm, without it being certain that an operator will respond adequately.

Another pitfall is calculating too precisely the “frequency of occurrence”. LOPA is intended as a simple and quantitative risk analysis method to analyze and assess risks.

CCPS books about LOPA
CCPS books related to LOPA.

The LOPA methodology is based on the LOPA standards of CCPS.

It is often wise to assess the risks of the identified scenarios during a HAZOP study. Conducting a risk assessment determines the need for (further) safeguards and their necessary reliability.

LOPA methodology – step by step

For each scenario, the following steps are followed:

1. LOC scenario
The Loss of Containment scenario must be established. This is usually derived from the HAZOP study.

2. Causes (initiating event), consequences
The cause (initiating event) and the consequence of a scenario should be clear. Usually these are also from the HAZOP study.

3. Initiating event frequency
The frequency of the cause (initiating event frequency) should be determined.

4. Acceptable incident frequency
The acceptable incident frequency (acceptable risk) must be determined. This often depends on the potential severity of the consequence. The acceptable risk is often written or recorded in a risk matrix.

5. Layers of Protection
The layers of protection (LOPs) present are analysed. The term Independent Protection Layer (IPL) is sometimes used. The LOPs should be (sufficiently) independent of each other and from the cause of the scenario (initiating event). The LOP’s must also respond and function appropriately. Each LOP must be able to avoid the scenario on its own.

6. What conditional modifiers
Conditional modifiers are factors that say something about the likelihood of a particular consequence occurring. For example, the presence of persons, the risk of inflammation, the risk of certain injuries, the risk of catastrophic failure, etc. can be included in the analysis.

7. Mathematical check
With the certain data, the ‘frequency of occurrence’ can be calculated for the scenario. This frequency should be smaller than the certain acceptable incident frequency. If necessary, it can be determined from the calculation whether an additional risk reduction is necessary and how large this risk reduction should be.