
Using Layers of Protection Analysis to Evaluate Fire and Gas Systems

Paul Baybutt
Primatech Inc., Columbus, Ohio; paulb@primatech.com (for correspondence)

Published online in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/prs.10504

An International Society of Automation (ISA) technical report provides guidance on evaluating the effectiveness of fire and gas systems (FGSs) in reducing risks in processes using an event tree risk model in preference to layers of protection analysis (LOPA) which was viewed as too limited for application to FGSs. This article shows that LOPA can be used instead of event trees to produce equivalent results and that LOPA is preferred for both technical and practical reasons. One of the examples from the ISA technical report is analyzed using LOPA to show how this is accomplished. © 2011 American Institute of Chemical Engineers Process Saf Prog 00: 000–000, 2011

Keywords: LOPA; FGS; ISA TR84.00.07; IEC 61511; ISA S84

INTRODUCTION
Fire and gas systems (FGSs) play an important role in managing the risks of processes. Often they are mandated by industry standards, government regulations, and insurer requirements. The International Society of Automation (ISA) has published a technical report providing guidance on the evaluation of FGS effectiveness [1]. The premise of the report is that multiple factors make it difficult to apply a performance-based approach to FGSs comparable to that used for other safety instrumented functions (SIFs) in a process [2–4]. The report states:

"As a result of these factors, it is difficult to develop a sound technical justification for allocating risk reduction to FGS functions in a simplified risk assessment process, such as layer of protection analysis (LOPA). The identification of FGS functions and allocation of risk reduction to them requires detailed release scenario development and residual risk considerations that are beyond simplified risk assessment tools."

Increasingly, LOPA is used to determine required safety integrity levels (SILs) for SIFs. It is desirable that the same risk analysis method be used for all types of SIFs, including FGSs, as this makes for more efficient studies and requires less training of personnel. Moreover, addressing FGSs in risk analysis studies separately from other SIFs, as described in the ISA report [1], poses serious difficulties in using risk tolerance criteria. Furthermore, other SIFs help to protect against the same hazardous events as FGSs and it is difficult to optimize risk reduction from FGSs separately. This article shows how these problems can be overcome by applying LOPA to address requirements for FGSs while obtaining equivalent results to the ISA approach [1].

LOPA METHODS
LOPA is used to analyze the risks of individual hazard scenarios, usually taken from process hazard analysis (PHA) studies, and the effectiveness of safety functions [5] which are means of achieving or maintaining a safe state for a process with respect to a specific hazardous event [2]. LOPA takes credit only for those safety functions that are qualified as independent protection layers (IPLs) which are devices, systems or actions that act to prevent a hazard scenario from proceeding to its undesired consequence regardless of the initiating event, or the action or failure of any other safety function credited for the scenario [5]. In traditional LOPA, IPLs are assumed to operate with 100% success or to fail completely. However, this is not an inherent limitation of the LOPA method. Rather it is an assumption that is made for the scenarios analyzed. It is certainly possible that


scenarios involving partial failures could be studied using LOPA.

LOPA improves upon the qualitative consequence severity and likelihood estimates that are typically used to provide risk estimates in PHA [6]. Either severity or likelihood estimates, or both, may be improved in various ways and consequently there are different forms of LOPA. Generally, improvement of the severity estimate is more involved than for the likelihood estimate and usually involves modeling energy or hazardous material releases which can be complex and time consuming and is more commonly performed as part of quantitative risk analysis [7]. Consequently, qualitative estimates of scenario consequence impacts typically are used. Frequency estimates commonly are improved by calculating scenario frequencies using failure data for the elements of the scenarios such as the initiating event frequencies and safety function failure probabilities. The calculations are simplified by restricting consideration to safety functions that meet certain criteria such as independence from each other and other scenario elements.

This LOPA approach is sensible because uncertainties in qualitative consequence estimates are likely less than in qualitative frequency estimates as the possible consequences of hazard scenarios can usually be better understood and estimated than their frequencies which, for higher consequence scenarios, are typically very low numbers which are not well-understood. However, more quantitative methods can certainly be used to estimate the consequence values that are entered into the LOPA worksheet. Frequencies for these scenarios can be determined using either standard LOPA approximations, which should produce conservative results, or values can be entered into the LOPA worksheet that have been calculated separately to improve the results further. Such enhanced LOPA methods overcome objections to simpler forms of LOPA and can incorporate the consequence evaluation methods referenced in the ISA report [1].

LOPA AND EVENT TREE ANALYSIS
LOPA is actually based on event tree analysis (ETA). Event trees provide a graphical depiction of the possible sequence of events and their outcomes following an initiating event, i.e., they depict hazard scenarios that can develop from an initiating event [7]. They address the events, such as actions of process control systems, operators, and preventive safety functions, that lead up to a release of energy or hazardous material, and the events that follow a release, such as ignition of flammable or explosive materials, release conditions such as wind direction, and the operation of mitigation safety functions. A conceptual event tree with three safety functions is shown in Figure 1. By convention, downward branches in the tree represent failures and upward branches successes. Conventional LOPA evaluates the risk from the worst-case consequence branch in which all safety functions fail which is the branch at the bottom of the tree. However, each branch in the tree represents a separate outcome and a distinct hazard scenario, and since LOPA analyzes individual scenarios, there is no reason why it cannot be used to analyze the other branches. Indeed, LOPA can be used to analyze any or all scenarios from an event tree including both direct and indirect consequences. Usually, the branches in an event tree are binary, i.e., two outcomes are considered for each event but multiple outcomes can be addressed without significant difficulty.

Figure 1. Conceptual event tree.

The frequency of an event tree outcome is calculated as the product of the initiating event frequency and all succeeding event probabilities leading to that outcome. The frequency of all outcomes necessarily must sum to the initiating event frequency. The events in the tree must be independent to allow this simple multiplication of probabilities. That is the principal reason that safety functions must be qualified as IPLs to be credited in LOPA. Dependencies between events in the tree invalidate this calculation except where the conditional probability of an event in the tree is 0 (cannot happen) or 1 (guaranteed to happen).

FGSs as Safety Functions
Safety functions such as high level shutdowns that activate early in a hazard scenario usually will prevent adverse consequences when they operate successfully. Safety functions that activate after process containment has been lost, and energy or hazardous materials have been released, usually act to mitigate or reduce the consequence severity rather than prevent the consequence. Thus, even if FGSs operate with 100% success, usually there will still be an adverse consequence. In conventional LOPA, it is good practice to consider not only the failure of mitigation safety functions that produce worst-case consequences, as for other safety functions, but also their successful operation since that may still result in consequences of concern, albeit of a lesser magnitude. Often these are referred to as secondary consequence events. They represent a different branch on the event tree that forms the basis for LOPA (see Figure 1). LOPA teams must decide what consequence severity to assign to such secondary consequence events.

Usually, it is not appropriate to assume that FGSs operate with 100% effectiveness. Less-than-completely-effective operation can be expected owing to

less than 100% detection rates, delays in detection, and less than 100% mitigation. FGS effectiveness is defined as the ability of a FGS to perform its intended safety actions on demand [1]. It is a function of several parameters:

FGS effectiveness = f(detector coverage, FGS safety availability, mitigation effectiveness)

where

Detector coverage is the probability that FGS sensors will be given the opportunity to respond to a release for each hazard scenario. It depends on detector layout and voting logic and represents the likelihood that the detector configuration will be given the opportunity to detect a release based on the dispersion pattern of the release. Thus, it is a failure in detection, not of the detectors. It does not include the probability of successful operation of the detector sensors.

FGS safety availability is [1 − the FGS probability of failure on demand (PFD)]. It depends on the FGS sensor, logic solver and final element PFDs, voting architectures, and proof test intervals and represents the likelihood that a FGS will operate successfully if the detector array is given the opportunity to detect a release.

Mitigation effectiveness is the probability that a FGS will mitigate the scenario consequence. It depends on the magnitude of the event being mitigated (larger magnitude events may overwhelm the mitigation measures used), limitations of the mitigation measures (e.g., the quench ability of deluge systems), and the probability that FGS mitigation will be activated in time to mitigate the consequence. Delays in activation will allow larger releases resulting in a lower likelihood that mitigation will be effective.

Event Tree Risk Analysis Versus LOPA
An event tree is used in the ISA report to model the effectiveness of a FGS in which detector coverage, safety availability and mitigation effectiveness are branches in the tree (Figure 2). Each of the outcomes can be modeled easily using LOPA. Dependencies may exist between some of these events, e.g., mitigation effectiveness and the timeliness of the detection of the event which may be related to detection coverage or FGS component failures. Such dependencies are not addressed in the event tree or LOPA models and to the extent that they are significant they can invalidate results obtained using conventional event tree and LOPA models.

Figure 2. FGS event tree [1].

The first upward branch in the event tree represents the probability that the fire or gas event will be detected, the second upward branch represents the probability that the FGS control loop will operate, and the third upward branch represents the probability that the FGS will be able to mitigate the event at some level of effectiveness. The consequence outcomes of all the failure paths except the path in which mitigation operates (top path) are assumed to be the same. This is not necessarily the case in the real world and different consequence outcomes could be modeled.

A weighted average consequence (WAC) is calculated by multiplying the likelihood of each possible outcome from the event tree by its consequence severity and summing the results to produce an overall risk measure which is compared to risk tolerance criteria [1]. However, the consequence outcomes may range over, for example, fatalities to injuries for impacts on people, and it would be difficult to set risk tolerance criteria applicable to such a combination of consequence severities without the use of severity equivalence factors that are not commonly used. Consequently, WACs can be used only for scenarios where all the consequence severities are the same. Of course, this is unlikely to be the case for FGSs when mitigation effectiveness is considered. Mitigation effectiveness is incorporated in the event tree model but is not discussed in the examples provided so there is no indication of how this issue would be addressed in the context of the risk analysis [1].

LOPA can be used to evaluate each of the event tree hazard scenarios. The frequency contribution to each consequence severity is considered individually and a comparison made with risk tolerance criteria for each consequence severity. Thus, LOPA can model all the aspects of FGS effectiveness covered in the ISA report [1] and lends itself readily to the risk comparisons needed to judge the need for further risk reduction.

The effectiveness of other safety functions and their required performance is typically evaluated using LOPA rather than event trees. The consideration of FGSs in the same risk model as other safety functions allows their combined effects on risk to be addressed. Also, use of risk tolerance criteria to determine any required risk reduction is greatly facilitated since all pertinent hazard scenarios are included in the same LOPA risk model and tolerable risk does not have to be allocated across different risk models. Furthermore, there may be fire or gas scenarios that are not protected by a FGS and they must also be considered in determining risk reduction requirements. Allocating tolerable facility risk to hazardous events involving only the activation of a FGS is complicated when they are evaluated separately from

other fire or gas scenarios that do not activate the FGS.

For most processes, there will be numerous hazard scenarios that challenge a FGS. The frequency of all these demands on the FGS must be determined which requires that each of the hazard scenarios that creates a demand be evaluated. Typically, this is accomplished using LOPA so it is desirable that the FGS be included in the LOPA study too.

Example of the Use of LOPA to Evaluate FGS Effectiveness
Examples of determining the effectiveness of FGSs are in the ISA report [1]. The risk analysis for one of those examples will be reproduced here with the same data but using LOPA rather than event trees. The example is for a fire detection and suppression system in an oil and gas wellbay module. A release of flammable material may ignite and presents a significant hazard to platform personnel. For simplicity, only one hazard scenario was included in the analysis. In reality, more scenarios would need to be addressed. The scenario considered involves a pinhole leak from the wellhead resulting in a potential turbulent jet fire in the module.

An event tree was constructed [1] that considers detection coverage, FGS safety availability and mitigation effectiveness (Figure 2). For detector coverage, the downward branch represents failure to detect a fire or gas event and the upward branch represents successful detection. For FGS safety availability, the downward branch represents failure of the FGS to operate and the upward branch represents successful operation. The branches for mitigation effectiveness represent paths to different consequences that may occur depending on the effectiveness of mitigation. In the model used [1], the downward branch represents zero mitigation effectiveness and therefore the consequence severity is the same as the paths in the event tree below it. The upward branch represents a path to a lesser severity consequence which is determined by the analysts. Various different consequence severities may be possible according to variations in the mitigation effectiveness. These can be modeled by adding branches to the tree for mitigation effectiveness leading to the different consequence severities. The event tree is quantified by assigning probabilities to the branches in the tree. Assuming that all possible states are included at each branch, the branch probabilities necessarily must sum to 1. The event tree resulted in four branches representing different hazard scenario paths from the initiating event (Figure 2):

• Scenario 1: Detection coverage fails with a probability, PDC, and consequently the FGS fails with this probability leading to a fatality.
• Scenario 2: Detection coverage is successful with a probability, (1 − PDC), but the FGS fails with its assigned PFD, PFGS, leading to a fatality.
• Scenario 3: Detection coverage is successful with a probability, (1 − PDC), the FGS operates successfully with a probability, (1 − PFGS), but mitigation fails with a probability, PM, leading to a fatality.
• Scenario 4: Detection coverage is successful with a probability, (1 − PDC), the FGS operates successfully with a probability, (1 − PFGS), and mitigation is successful with a probability, (1 − PM), but not completely effective because it leads to an employee impact but less severe than a fatality.

Mitigation effectiveness was effectively excluded in the example analyses [1] as mitigation was assumed to be completely effective. The example used the following data: PDC = 0.063, PFGS = 0.015, PM = 0. They can also be seen in the LOPA worksheet for Scenario 3 (Figure 3).

Each of the four branches in the event tree represents a distinct hazard scenario and they have been modeled as such using LOPA. Detection coverage, FGS safety availability and mitigation effectiveness were modeled as enabler probabilities. Primatech's software tool, LOPAWorks®, was used to perform the LOPA analyses. In a more realistic example, there would be other safety functions acting as IPLs, possibly including other SIFs, and more hazard scenarios. Their contributions to risk reduction need to be studied together and LOPA provides an easier means of doing so than using event trees which can become cumbersome when many events and scenarios are involved owing to the graphical depictions used. Furthermore, when mitigation only lessens impacts on people and different consequence severities are possible, or when different consequence types are involved (e.g., impacts on both people and equipment), frequency contributions must be summed from all scenarios that contribute to each consequence type and severity and compared with applicable risk tolerance criteria. This is easier to do with LOPA than event trees (see Figure 4). The result of the LOPA study is the same as the event tree study [1]. The system exceeds the tolerable risk criterion by 20%.

Scenarios involving two more initiating events were added to the analysis to show the effect of additional scenarios. These initiating events were flange failure and rupture of a process connection to the wellhead. For these two scenarios, a SIL 1 SIF was credited in addition to the FGS. Equipment damage scenarios were also included. This resulted in a total of 24 hazard scenarios. A mitigation effectiveness of 90% was assumed for people scenarios and 99% for equipment scenarios. Risk summations that result in the hazardous event of fire in the wellbay module were calculated and compared with applicable risk tolerance criteria to determine the risk reduction required (Figure 5). The summations include contributions from all 24 scenarios organized by consequence type and level and there are now two consequence levels present for each of the two consequence types used in the analysis. Hazard scenarios for all hazardous events in a process can be included in the summations with their various combinations of consequence types and levels so that their contributions to the total risk can be determined and compared with overall facility risk tolerance criteria.

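The event-tree frequency rule (outcome frequency equals the initiating event frequency times the product of the branch probabilities on the path, with all outcomes summing to the initiating event frequency), the three FGS effectiveness parameters, the limitation of the weighted average consequence for mixed severities, and the four-scenario wellbay example above can all be worked through with the same small piece of code. The Python script below is an added example written for this page; it is not LOPAWorks code and does not come from the ISA report or the article. The branch probabilities PDC = 0.063, PFGS = 0.015 and PM = 0 are the article's example data. The initiating event frequency, the risk tolerance criteria, the severity equivalence weights and all function names are constructed for illustration and are not on the page.

```python
"""Event-tree / LOPA scenario frequencies for a fire and gas system.

Added example for this page (not LOPAWorks, the ISA report or the article).
P_DC, P_FGS and P_M are the article's example data; everything marked
"constructed" is a placeholder chosen for illustration only.
"""
import math
from typing import Dict, List, Tuple

# Article's example data: wellbay-module pinhole leak, potential jet fire.
P_DC = 0.063   # probability that detector coverage fails (release not seen)
P_FGS = 0.015  # FGS PFD; FGS safety availability = 1 - P_FGS
P_M = 0.0      # probability that mitigation fails (assumed fully effective)

# Constructed placeholders, per year (not from the page).
IE_FREQ = 1.0e-2
TOLERANCE = {"fatality": 1.0e-4, "injury": 1.0e-2}

# Sequential event tree in the branch order of Figure 2:
# (event, failure probability, severity if the path ends with this failure).
# A path ends at the first failure (downward branch); the all-success path
# gets FINAL_SEVERITY, the lesser consequence decided by the analysts.
FGS_TREE: List[Tuple[str, float, str]] = [
    ("detector coverage", P_DC, "fatality"),
    ("FGS safety availability", P_FGS, "fatality"),
    ("mitigation effectiveness", P_M, "fatality"),
]
FINAL_SEVERITY = "injury"

Outcome = Tuple[str, float, str]  # (scenario label, frequency, severity)


def event_tree_outcomes(ie_freq: float, tree, final_severity: str) -> List[Outcome]:
    """One row per branch: frequency = IE frequency x product of the branch
    probabilities along the path. The product is valid only because the
    events are treated as independent (the IPL qualification in LOPA)."""
    outcomes: List[Outcome] = []
    p_path = 1.0  # probability that every earlier event succeeded
    for n, (name, p_fail, severity) in enumerate(tree, start=1):
        outcomes.append((f"Scenario {n}: {name} fails", ie_freq * p_path * p_fail, severity))
        p_path *= 1.0 - p_fail  # follow the upward (success) branch
    outcomes.append((f"Scenario {len(tree) + 1}: all succeed", ie_freq * p_path, final_severity))
    return outcomes


def sums_to_initiating_frequency(outcomes: List[Outcome], ie_freq: float) -> bool:
    """Consistency check from the article: when every state is included, the
    branch frequencies must add up to the initiating event frequency."""
    return math.isclose(sum(f for _, f, _ in outcomes), ie_freq, rel_tol=1e-9)


def frequency_by_severity(outcomes: List[Outcome]) -> Dict[str, float]:
    """LOPA risk summation: total frequency contributed to each severity.
    Outcomes from several initiating events can be concatenated first."""
    totals: Dict[str, float] = {}
    for _, freq, severity in outcomes:
        totals[severity] = totals.get(severity, 0.0) + freq
    return totals


def risk_ratios(totals: Dict[str, float], tolerance: Dict[str, float]) -> Dict[str, float]:
    """Summed frequency divided by the tolerance criterion for each severity;
    a ratio above 1 means further risk reduction is required."""
    return {sev: totals.get(sev, 0.0) / limit for sev, limit in tolerance.items()}


def weighted_average_consequence(outcomes: List[Outcome], weights=None):
    """WAC as described for the ISA report: sum(frequency x severity value).
    Without severity equivalence factors it is meaningful only when every
    outcome has the same severity, so None is returned for mixed severities."""
    severities = {sev for _, _, sev in outcomes}
    if weights is None:
        return sum(f for _, f, _ in outcomes) if len(severities) == 1 else None
    return sum(f * weights[sev] for _, f, sev in outcomes)


if __name__ == "__main__":
    rows = event_tree_outcomes(IE_FREQ, FGS_TREE, FINAL_SEVERITY)
    for label, freq, sev in rows:
        print(f"{label:<45} {freq:.3e} /yr  -> {sev}")
    print("sums to IE frequency:", sums_to_initiating_frequency(rows, IE_FREQ))
    totals = frequency_by_severity(rows)
    for sev, ratio in risk_ratios(totals, TOLERANCE).items():
        print(f"{sev}: {totals[sev]:.3e} /yr, {ratio:.2f} x tolerance")
    print("WAC without equivalence factors:", weighted_average_consequence(rows))
```

With the article's data the fatality severity collects Scenarios 1 to 3, i.e. a fraction PDC + (1 − PDC)·PFGS + (1 − PDC)(1 − PFGS)·PM = 0.077055 of the initiating event frequency, and the injury severity collects the remaining 0.922945, so the two sums reproduce the initiating event frequency. Comparing each severity sum with its own criterion is the per-severity comparison the article prefers; the WAC returns None here because the outcomes mix two severities and no equivalence factors were supplied. The 24-scenario extension in the text is the same summation applied to the concatenated outcome lists of several initiating events.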
Figure 3. LOPA worksheet for Scenario 3. [Color figure can be viewed in the online issue, which is available at wileyonlinelibrary.com.]

Figure 4. LOPA risk summations (EMP, employee; EQP, equipment). [Color figure can be viewed in the online issue, which is available at wileyonlinelibrary.com.]

Figure 5. LOPA risk summations for hazard scenarios by hazardous event, consequence type and consequence level (EMP, employee; EQP, equipment). [Color figure can be viewed in the online issue, which is available at wileyonlinelibrary.com.]
CONCLUSIONS
LOPA can be used to evaluate the effectiveness of FGSs in reducing risks in processes. It produces equivalent results to the ETA described in the ISA report [1]. LOPA is preferred for various reasons. The effectiveness of other safety functions and their required performance is typically evaluated using LOPA rather than event trees. The consideration of FGSs in the same risk model as other safety functions allows their combined effects on risk to be addressed. Also, use of risk tolerance criteria to determine any required risk reduction is greatly facilitated since all pertinent hazard scenarios are included in the same LOPA risk model and tolerable risk does not have to be allocated across different risk models. Also, hazard scenarios that do not activate FGSs may contribute to the risk from a process and it is easier to determine risk tolerability if they are addressed in the same risk model as FGSs. Furthermore, analysts do not have to learn new risk analysis methods since LOPA is an established and commonly-used tool for these analyses.

There are more complex scenarios that may occur involving FGSs. For example, if a fire or gas release event is not initially detected by a FGS, the situation will escalate to a larger magnitude event which may become detectable by the FGS but at that point mitigation may or may not be effective. Any such scenarios that are identified can be modeled using LOPA.

Other recent Process Safety Progress articles address applications of LOPA [8–10].

LOPAWorks is a registered trademark of Primatech.

LITERATURE CITED
1. ISA-TR84.00.07-2010, Technical Report, Guidance on the Evaluation of Fire, Combustible Gas and Toxic Gas System Effectiveness.
2. ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod), Functional Safety: Safety Instrumented Systems for the Process Industry Sector - Part 1: Framework, Definitions, System, Hardware and Software Requirements.
3. ANSI/ISA-84.00.01-2004 Part 2 (IEC 61511-2 Mod), Functional Safety: Safety Instrumented Systems for the Process Industry Sector - Part 2: Guidelines for the Application of ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod).
4. ANSI/ISA-84.00.01-2004 Part 3 (IEC 61511-3 Mod), Functional Safety: Safety Instrumented Systems for the Process Industry Sector - Part 3: Guidance for the Determination of the Required Safety Integrity Levels - Informative.
5. Layer of Protection Analysis: Simplified Process Risk Assessment, AIChE/CCPS, New York, 2001.
6. Guidelines for Hazard Evaluation Procedures, 3rd ed., CCPS/AIChE, New York, 2008.
7. Guidelines for Chemical Process Quantitative Risk Analysis, 2nd ed., CCPS/AIChE, New York, 2000.
8. R. Freeman, Using Layer of Protection Analysis to Define Safety Integrity Level Requirements, Vol. 26, Issue 3, Process Safety Progress (2007), pp. 185–194.
9. G. Evenson, S. Befus, M. Dolfi, A. Muir, and D. Pinho, LOPA as Practiced at a Global Manufacturing API Facility, Vol. 28, Issue 4, Process Safety Progress (2009), pp. 312–316.
10. B.K. Vaughen, J.O. Mudd, and B.E. Pierce, Using the ISA 84/HAZOP/LOPA Procedure to Design a Safety Instrumented System for a Fumed Silica Burner, Vol. 30, Issue 2, Process Safety Progress (2011), pp. 132–137.
