Layer of Protection Analysis:
Generating Scenarios
Automatically from HAZOP Data
Arthur M. (Art) Dowell III,a P.E., and Tom R. Williamsb
a
Rohm and Haas Company, Deer Park, TX 77536; adowell@rohmhaas.com (for correspondence)
b
ABS Consulting, Risk Consulting Division, Knoxville, TN 37932
Published online 25 January 2005 in Wiley InterScience (www.interscience.wiley.com).
DOI 10.1002/prs.10061
This paper details the concept of automatically gen-
erating layer of protection analysis (LOPA) scenarios
from a process hazard analysis (PHA) conducted using
the hazard and operability (HAZOP) methodology.
Specialized software selects consequences that meet se-
verity criteria or risk criteria. It then takes each end
consequence, follows each link path to an initiating
cause, and presents each rolled-up link path as a single
LOPA scenario, complete with all the safeguards (that
is, candidate protection layers) found along the link
path. The scenarios can be presented in database or
spreadsheet format. The rolled-up LOPA spreadsheet
allows the analyst(s) to identify safeguards that are
independent protection layers and assign appropriate
values to each independent protection layer. The
spreadsheet calculates the resultant mitigated risk (or
mitigated likelihood or frequency) in real time. This
makes it easy for the analyst(s) to determine which
independent protection layer or group of independent
protection layers provides the most effective means for
reaching or maintaining a target risk threshold.
The concept (demonstrated using ABS Consulting’s
HazardReview LEADER™ software) makes the process
of going from PHA results to LOPA results a lot less time
consuming. It avoids retyping and reduces the risk of
overlooking scenarios. The paper will present lessons
learned from applying the tools in real PHA/LOPA ap-
plications. © 2005 American Institute of Chemical En-
gineers Process Saf Prog 24: 38 – 44, 2005
Originally presented at the AIChE Loss Prevention Symposium, New Or-
leans, LA, April 2004.
HazardReview LEADER™ is a trademark of ABS Consulting.
© 2005 American Institute of Chemical Engineers
38 March 2005
Keywords: LOPA, HAZOP, linking, risk assessment
tools
INTRODUCTION
Layer of protection analysis (LOPA) helps compa-
nies understand, in a rational and consistent manner,
how many safeguards are enough for a particular acci-
dent scenario. LOPA takes a predefined cause– conse-
quence pairing (typically identified during a qualitative
hazard evaluation), determines how many indepen-
dent protection layers (IPLs) are provided by existing
and/or recommended safeguards, and evaluates
whether this number of IPLs provides adequate risk
mitigation. LOPA goes beyond the typical use of a risk
matrix but is less detailed than quantitative risk analysis
(such as fault tree analysis). LOPA is an order-of-mag-
nitude tool. It basically separates the question of “How
likely is it?” into two issues:
1. Likelihood (frequency) of the initiating event
2. Probability of failure on demand (PFD) of the IPLs
LOPA can provide a company with the following
information for a scenario on a consistent basis:
1. Worst-case unmitigated risk (assuming all safe-
guards fail)
2. As-is mitigated risk (with existing safeguards in
place)
3. The improvements necessary to reach a target risk
threshold, as described in Dowell [1, 3– 6] and CCPS
[2]
The general format of a LOPA table is shown in
Table 1 from Dowell [1] with sample information filled
in for one scenario.
The severity of the consequence is estimated using
appropriate techniques, which may range from simple
Process Safety Progress (Vol.24, No.1)
Table 1. General format of LOPA table.

Preventive Independent Protection Layers

Probability of Failure on Demand (PFD)
Initiating Mitigation
Event SIF Independent Mitigated
Consequence Initiating Challenge Process BPCS Operator Response (PLC Protection Consequence
and Severity Event (Cause) Frequency Design (DCS) to Alarms Relay) Layers (PFD) Frequency
Column B Column B 0.1/yr Column B high Column B 0.001/yr
Catastrophic high level level alarm by relief valve
Rupture, due to DCS prompts (0.01)
Fatality Column B operator to
high feed reduce Column
flow rate B level
due to Tank manually; not
A low level independent of
due to Tank Tank A LIC (1.0)
A LIC loop
failure

“look-up” tables to sophisticated consequence-model-

ing software tools. One or more initiating events
(causes) may lead to the consequence; each cause–
consequence pair is called a scenario. LOPA focuses on
one scenario at a time. The frequency of the initiating
event is estimated (usually from look-up tables or his-
torical data). Each identified safeguard is evaluated for
three key characteristics:
• Is the safeguard effective in preventing the sce-
nario from reaching the consequence?
• Is the safeguard independent of the initiating
event and the other IPLs?
• Is the safeguard auditable?
If the safeguard meets all of these tests, it is an IPL.
LOPA estimates the likelihood of the undesired conse-
quence by multiplying the frequency of the initiating
event by the product of the PFDs for the applicable Figure 1. Comparison between LOPA and event-tree
IPLs using Eq. 1 from CCPS [2]. analysis. [Copyright © 2001, AIChE, reproduced by
permission.]

写 PFD ⫽ f ⫻ PFD
j

f Ci ⫽ f Ii ⫻ ij
I
i i1 ⫻ PFD i2 ⫻ · · ·
j⫽1
⫻ PFD iJ
where fiC is the frequency for consequence C for initi-
ating event i, fiI is the initiating event frequency for
initiating event i, and PFDij is the probability of failure
on demand of the jth IPL that protects against conse-
quence C for initiating event i.
Typical initiating event frequencies and IPL PFDs are
given by Dowell [1, 3] and CCPS [2]. Figure 1 illustrates
the concept of LOPA: that each IPL acts as a barrier to
reduce the frequency of the consequence. Figure 1 also
shows how LOPA compares to event-tree analysis. A
LOPA analysis describes a single path through an event
tree to the highest-severity consequence, as shown by
the heavy line in Figure 1. An IPL may prevent an
undesirable outcome (shown by IPL1), or an IPL may
mitigate the outcome to a tolerable level (shown by
IPL2 and IPL3). In either case, the frequency of occur-
rence of the highest-severity consequence is reduced.
(1)
DEVELOPING LOPA SCENARIOS
One approach to developing LOPA scenarios is to
use a simple screening risk matrix in the HAZOP or
other process hazard analysis methodology. Each
consequence is ranked for its severity, and the asso-
ciated causes for the consequence are placed into
categories for their unmitigated frequencies, that is,
the frequency before application of safeguards. The
risk associated with a scenario—a cause– conse-
quence pair—is estimated by the intersection of the
consequence severity and the cause frequency on
the risk matrix. Many companies have established
guidance criteria to select higher-risk scenarios for
additional analysis. For example, the “Red” zone on
the risk matrix may represent consequence severities
of one or more fatalities with a frequency above a
given threshold. A company’s guidance criteria may
require LOPA or more complex quantitative analysis
for all scenarios in the “Red” zone.
Translation of HAZOP information into LOPA sce-
narios is shown graphically in Figure 2 [3]. Note that

Process Safety Progress (Vol.24, No.1) March 2005 39

Figure 2. Relationship between HAZOP and LOPA information.
not all the information from the HAZOP is included
in the LOPA. Consequences that do not meet the risk
matrix criteria are omitted. Very low frequency
causes may be omitted. Safeguards that do not meet
the IPL criteria will not be given credit as IPLs in the
LOPA (but they may be noted in the LOPA documen-
tation). Additional IPLs may be added as a result of
the LOPA study.
The user can manually review the PHA documenta-
tion; identify consequences that meet the risk matrix
criteria for additional analysis; and develop LOPA sce-
narios for those consequences, including the associ-
40 March 2005
ated causes and safeguards. Such activities are tedious,
and information can be overlooked or left out, partic-
ularly if the PHA is not documented logically, thor-
oughly, and consistently.
To help ensure logical, thorough, and consistent
PHA documentation for processes involving interre-
lated process parameters and interconnected equip-
ment, interrelated HAZOP deviations are often linked
electronically such that the consequence of one devi-
ation is shown as a cause of another deviation, and vice
versa. Although this is the most efficient, logical, and
thorough way to document a PHA in many cases,
Process Safety Progress (Vol.24, No.1)
linking makes manual extraction of LOPA scenarios
more difficult.
Alternatives to this approach include the following:
1. Avoiding the use of logical cause– effect linking in
favor of documenting complete HAZOP scenarios
within single deviations. Although this approach
often results in erroneous, misleading, or incom-
plete HAZOP results, it can help minimize the effort
of importing HAZOP results to LOPA.
2. Using specialized software that queries linked HA-
ZOP scenarios and assembles the causes and safe-
guards along the entire cause– effect link path to
create a complete LOPA scenario for each cause–
consequence pair. This approach is equally effective
in minimizing the HAZOP-to-LOPA effort while also
allowing the HAZOP to be conducted and docu-
mented in a logical, thorough, and consistent man-
ner.
For example, the authors have analyzed systems (and
audited such analyses) in which a deviation in one
area/operation cascaded to a series of other system
deviations, leading to an ultimate consequence in an-
other area/operation. Where the first approach (docu-
menting complete HAZOP scenarios within single de-
viations) was used, the HAZOP team tended to
overlook or incompletely document other similar
and/or interrelated scenarios involving intermediate
causes, consequences, and safeguards. These errors of
omission were most likely caused by the inherent in-
ability of the analysis team to analyze the details of
multiple analysis nodes at once. These types of errors
have been most pronounced in HAZOPs of large, com-
plex systems and those involving continuous opera-
tions. Using the second approach, particularly for com-
plex, continuous systems, helps to ensure that the
similar and/or interrelated scenarios are carefully con-
sidered during the team discussion of each analysis
node.
HazardReview LEADER includes a LOPA module
that implements the second, more thorough approach.
It rolls up individual cause– consequence LOPA scenar-
ios from more broad PHA scenarios recorded in Haz-
ardReview LEADER. It is particularly powerful when
used in conjunction with the LEADER Links feature.
LEADER Links are used to show cause– effect rela-
tionships between multiple HAZOP deviations. When
used correctly, LEADER Links help prevent duplication
or multiple crediting of safeguards as well as helping to
ensure that safeguards are listed only at deviations
where they are directly applicable. This is the first step
in moving a PHA toward LOPA.
For example, as shown in Figure 3, a relief valve is
not a direct safeguard against a low level in Tank A,
but a consequence of interest is catastrophic rupture
of Column B. As shown by the arrows, catastrophic
rupture can be caused by high pressure in Column B,
which can be caused by a high level in Column B,
which can be caused by high-feed flow to Column B,
which in turn can be caused by a Tank A LIC loop
failure, identified in the Tank A low-level deviation.
The relief valve on Column B thus protects against
the scenario initiated by a Tank A LIC failure. A
Process Safety Progress (Vol.24, No.1)
Figure 3. Cause– effect linking.
LEADER Link then shows the cause– effect relation-
ships between the Tank A low-level deviation, the
high-feed flow deviation, and the high-pressure de-
viation. Thus, the LEADER Links methodology cred-
its the relief valve as a direct safeguard at the high-
pressure deviation, but not at the Column B high-
feed flow or Tank A low-level deviation. Any
safeguards that can detect and prevent the high flow
to Column B caused by the Tank A LIC failure would
be also captured by the LEADER Links methodology
for this scenario.
This concept is important for understanding the
power of LEADER’s LOPA module. The LOPA mod-
ule rolls up linked scenarios into Excel spreadsheets.
That is, it takes each end consequence, follows each
link path to an initiating cause, collects all the exist-
ing and recommended safeguards for each link path,
and presents each rolled-up link path as a single
LOPA scenario, complete with all the safeguards
(that is, candidate protection layers) found along the
link path.
Each rolled-up LOPA spreadsheet allows the ana-
lyst(s) to assign appropriate values (or credits) to each
safeguard, and the spreadsheet calculates the resultant
mitigated risk (or mitigated frequency) in real time.
This makes it easy for the analyst(s) to play the “what-
if” game to determine which safeguard or group of
safeguards provides the most effective means for reach-
ing or maintaining a target risk threshold.
A screenshot of the LEADER LOPA wizard is shown
in Figure 4. At this point, the wizard has examined all
the consequences in the HAZOP study, selected those
that meet the criteria to be considered for LOPA, and
worked back from each consequence through all the
related deviations to the initial cause for each scenario.
In this example, 539 scenarios (cause– consequence
pairs) have been listed for consideration by the analyst.
The analyst has checked the second visible scenario to
be analyzed using LOPA. As shown, the consequence
March 2005 41
Figure 4. Leader 4 LOPA wizard screen shot. [Color figure can be viewed in the online issue, which is available
at www.interscience.wiley.com.]
of the selected scenario is located at Deviation 1.9 in the
HAZOP table, and the selected cause is acid corrosion
arising from the high concentration of water (which is
Deviation 1.8), resulting from the high concentration of
water in the compressed air system (which is Deviation
3.10), resulting from a defective or improperly maintained
desiccant dryer (which is the initial cause located at De-
viation 3.10). Note that there are other causes located at
Deviations 1.8 and 3.10 [and perhaps elsewhere (out of
the current view)] that the analyst could select to form
separate LOPA scenarios. The wizard also allows quick
selection of all scenarios as well as grouping and sorting
of scenarios by location, by consequence, and/or by
cause to aid the analyst.
The LOPA module does not provide the answers to
the LOPA study, but it makes the process of going from
PHA results to LOPA results a lot less time consuming.
As described in previous publications [1, 2, 3, 5, 6], the
effort and expertise to execute a LOPA study (deter-
mining which safeguards are IPLs, assigning initiating
event frequencies, and assigning PFDs to IPLs, etc.) are
not trivial. A trained LOPA analyst is needed to apply
the LOPA rules appropriately and consistently.
There are some pitfalls to avoid when using the
LEADER Links methodology. If linking is done inap-
propriately, the user may find a multitude of essentially
duplicate scenarios that must be screened by hand.
Based on lessons learned during actual HAZOP
meetings and LOPA preparation, we emphasize the
following key points for successful linking and gener-
ation of LOPA spreadsheets:
1. Avoid assigning risk matrix severities to interme-
diate consequences. In the preceding example,
where high level leads to high pressure, if there is
no safety consequence for the high level by itself,
42 March 2005
high level should not be assigned a risk matrix
severity. Assigning a safety severity to high pres-
sure is sufficient to ensure that high level and its
preceding causes will be captured in the rolled-up
LOPA scenario.
2. Assign safeguards only to the specific deviations
where they apply (see the relief valve example
above). This will avoid having a particular safeguard
appear multiple times in a particular LOPA scenario.
3. Exercise discipline and consistency in linking. For
example, similar analysis nodes should have similar
link paths. To illustrate, a process system similar to
that in Figure 3 should have a link path similar to
that shown in Figure 3.
4. Minimize parallel link paths having the same ultimate
cause and the same ultimate consequence, but with
different intermediate causes and consequences.
Where parallel link paths are appropriate, use explan-
atory text to differentiate the two paths.
5. Avoid circular links. (In working backward from an
ultimate consequence, a circular link returns to the
deviation with the ultimate cause. In essence, the
consequence is its own cause—a logical inconsis-
tency!) For each ultimate consequence, the software
needs to be able to work back through each link
path to an ultimate cause without revisiting the de-
viation having the ultimate consequence.
6. Use the same text to describe the same consequence,
cause, or safeguard, wherever each item occurs.
This will help in eliminating duplicate items in the
LOPA scenarios.
There are also some important things to keep in
mind when developing a LOPA protocol for your com-
pany. These items have a direct impact on the software
you choose and how, when, and by whom LOPA
Process Safety Progress (Vol.24, No.1)
 Differences between Typical PHA and LOPA Risk Matrices
Impact-Based Severity Categories
Typical risk matrix severity categories used in PHAs are based on the types/extent of personnel, public,
and environmental impacts rather than quantity, type, and conditions of material or energy released or
number of persons potentially exposed to life-threatening injuries. For example, the following is a popular
set of safety severity categories used in PHAs:

1. No injury
2. First-aid injury
3. Lost-time injury
4. Fatal injury

It requires a subjective judgment to determine what types of protection layer and conditional modifiers
(probability of ignition, probability of person present, probability of fatality) reduce the expected
frequency of a fatal injury from once per year to once in 10, 100, or 1000 years. Likewise it is a subjective
judgment to determine what types of conditions make the potential for a fatal injury “not credible” [that
is, the perceived frequency of a severe consequence is so low that the analyst(s) assigns a lower severity
category]. The less-severe consequence can be visualized on Figure 1 by the path where IPL1 and IPL2
fail, but IPL3 is successful, leading to the second from the bottom consequence, a less-severe conse-
quence. For example, if IPL3 is a relief device, the more-severe consequence of vessel rupture and
release leading to multiple fatalities may be avoided, but there is now a release from the relief device,
which itself may have sufficient risk (severity and frequency) to require analysis.

Range-Based Severity Categories

On the other hand, many LOPA methods use a release range severity risk matrix. The severity category is
based on the amount of material released, its toxicity or flammability, and the conditions of the release. It is
much more objective and defensible to state what type of protection layer reduces the frequency of a 1000-lb
release of flammable material above its boiling point (or a release large enough to potentially expose 100
persons to life-threatening injuries) from once per year to once in 10, 100, or 1000 years. It is also objective
to state what types of conditions make this type of release “not credible” such that a 100-lb release (or a
release potentially exposing only 10 persons to life-threatening injuries) becomes the assigned severity. Again
as mentioned above, if IPL3 is a relief device, the more-severe consequence of release from the vessel rupture
may be avoided, but there is now a release from the relief device, which itself may have sufficient risk
(severity and frequency) to be analyzed. However, very few risk matrices used in PHAs have these types of
severity categories.
Typical PHA risk matrix categories can be used for LOPA, but the analyst(s) must be very careful and
understand the assumed conditions that are built into each category. Also, consequence categories must be
well characterized using consistent terminology with detailed documentation describing their bases, and
likelihood or frequency categories must be based on sound data with documentation showing the data’s
applicability to the system/components/situations being analyzed. Most PHA teams are not afforded this level
of detail nor the training necessary to understand the risk matrix categories to this degree. To help bridge this
knowledge gap, companies have taken two basic tacks, including (1) providing specialized LOPA training to
select engineers/analysts, and (2) developing more specific or advanced LOPA rules and tables to help
minimize subjectivity when estimating the frequency of fatality or injury from a given release event, described
in Dowell [1, 3, 6] and CCPS [2]. Again, we believe LOPA and particularly the more advanced LOPA rules are
best applied by trained engineers/analysts outside of PHA meetings.

studies will be conducted. The following are two of the
most critical items to consider:
1. LOPA is an objective, deductive engineering
study, in contrast to the subjective, inductive
brainstorming nature of a PHA. LOPA does not
have to be quantitative or even semiquantitative,
but it does need to be objective. With this said, it
is nearly impossible to develop objective LOPA
results during a PHA team meeting. LOPA needs
to be conducted outside of the influences of the
various interests and biases of a typical PHA meet-
ing. (However, some organizations do report suc-
cessful use of LOPA protocols during the PHA
meeting. Note that the risk tolerance criteria used
for such LOPA decisions must be based on a
per-scenario frequency. If the risk tolerance crite-
ria involve summation of multiple scenarios, it is
much better to do the LOPA analysis after the PHA

Process Safety Progress (Vol.24, No.1) March 2005 43

 is complete [6].) The experienced opinion of the
authors is to do LOPA after the PHA.
2. Most risk matrices being used for risk ranking in
PHA meetings are not appropriate for use in LOPA.
The reasoning is not obvious or easily understood
without practice. However, the sidebar is a brief
attempt to explain this issue.
CONCLUSION
LOPA has proven to be an effective tool to deter-
mine whether there are enough safeguards and suffi-
cient risk reduction to meet the risk tolerance criteria
for scenarios developed from PHA information. How-
ever, preparing for LOPA can require tedious efforts in
sorting through complex and duplicative PHA informa-
tion to develop meaningful LOPA scenarios. These ef-
forts can be minimized by applying risk matrix rules
consistently, carefully documenting PHA information
in a logical manner, and using specialized software that
automates the rollup of LOPA scenarios from interre-
lated HAZOP deviations.
NOMENCLATURE
AIChE American Institute of Chemical Engineers
BPCS Basic Process Control System
CCPS Center for Chemical Process Safety
DCS Distributed Control System
HAZOP Hazard and Operability Analysis
IEC International Electrotechnical Commission
IPL Independent Protection Layer
ISA The Instrumentation, Systems, and Automa-
tion Society
LIC Level Indicating Controller
LOPA Layer of Protection Analysis
PFD Probability of Failure on Demand
44 March 2005
PHA Process Hazard Analysis
PLC Programmable Logic Controller
SIF Safety Instrumented Function [the sensors,
wiring, logic solver, and final elements
(valves, motor trips) that take the process
to a safe state when out of range process
variables are sensed]
SIS Safety Instrumented System (a system that
includes one or more SIFs)
LITERATURE CITED
1. A.M. Dowell III, Layer of protection analysis for
determining safety integrity level, ISA Trans 37
(1998), 155–165.
2. Center for Chemical Process Safety (CCPS), Layer
of protection analysis: Simplified process risk as-
sessment, American Institute of Chemical Engi-
neers, New York, 2001.
3. A.M. Dowell III, Layer of protection analysis: A
new PHA tool, after HAZOP, before fault tree anal-
ysis, Presented at CCPS Int Conf Workshop on Risk
Analysis in Process Safety, Atlanta, GA, October 21,
1997, American Institute of Chemical Engineers,
New York, 1997, pp. 13–28.
4. A.M. Dowell III, Layer of protection analysis and
inherently safer processes, Process Safety Prog 18
(1999), 214 –220.
5. A.M. Dowell III, Layer of protection analysis: Les-
sons learned. ISA Technical Conf. Series: Safety
Instrumented Systems for the Process Industry, Bal-
timore, MD, May 14 –16, 2002.
6. A.M. Dowell III and D.C. Hendershot, Simplified
risk analysis—Layer of protection analysis (LOPA),
AIChE 2002 National Meeting, Indianapolis, IN,
November 3– 8, 2002.
Process Safety Progress (Vol.24, No.1)