Amir Masoud Masoudi - Senior Risk Consultant



Contents
• LOPA Definition
• Necessity of LOPA
• Independent Protection Layer (IPL)
• IPL Criteria
• Safeguards Versus IPLs
• When to Use LOPA
• LOPA Process
• Examples
• LOPA Benefits & Limitations

LOPA Definition
• Layers of protection analysis (LOPA) is a powerful
analytical tool for assessing the adequacy of the protection
layers used to mitigate process risk.
• LOPA is a semi-quantitative tool for evaluating
the frequency of potential incidents and the probability
of failure of protection layers.
• LOPA typically builds on the information developed
during a qualitative hazard evaluation (e.g. HAZOP).

Necessity of LOPA
• HAZOP teams often list all safeguards, whether they
partially or completely mitigate the process risk and
whether they are dependent or independent.
• HAZOP teams often assume more risk reduction
from the safeguards than is possible.
• The result is an over- or under-protected process
(depending on the team composition).

Necessity of LOPA (Continued)
• How safe is safe enough?
• How many protection layers are needed?
• How much risk reduction should each layer provide?
• An independent engineering assessment of the
safeguards is needed.
• LOPA provides a consistent basis for judging whether
there are sufficient IPLs to control the risk of an
accident for a given scenario.

Independent Protection Layer (IPL)


• An IPL is a device, system, or action that is capable
of preventing a scenario from proceeding to its
undesired consequence independent of the initiating
event or the action of any other layer of protection
associated with the scenario.

[Figure: event tree for one scenario. An initiating event with estimated
frequency fi = x is challenged by IPL1, IPL2 and IPL3 in turn. Each IPL
either succeeds (safe outcome) or fails with probability PFDk = yk and
passes the event on to the next layer. Frequency of the impact event
surviving each stage:
  f1 = x * y1
  f2 = x * y1 * y2
  f3 = x * y1 * y2 * y3 (the impact event occurs only if all three IPLs fail)
Arrow width represents the severity and frequency of the impact event if
later IPLs are not successful.
Key: IPL - Independent Protection Layer; PFD - Probability of Failure on
Demand; f - frequency, /yr]

Independent Protection Layer (Continued)


1. Process Design:
▫ Scenarios are eliminated by the inherently
safer design.
▫ The design of the IPL is intended to prevent
the consequence from occurring.
▫ Examples:
– The equipment might be designed to withstand the
maximum pressure for a particular scenario.
– A pump may have an impeller that is too small to
generate high pressure in a downstream vessel.

Independent Protection Layer (Continued)


2. Basic Process Control Systems (BPCS):
▫ The normal operation of a BPCS control loop
may be credited as an IPL if it meets the
appropriate criteria.
▫ Failure of the BPCS can be an initiating event.

Independent Protection Layer (Continued)


3. Critical Alarms and Human Intervention:
▫ Operator action, initiated by alarms or
observation, can be credited as an IPL.
▫ Various criteria should be satisfied to assure the
effectiveness of the action.
▫ Company procedures and training may improve
the performance of humans in the system, but
procedures themselves are not an IPL.

Independent Protection Layer (Continued)

4. Safety Instrumented System (SIS):
▫ A SIS is a combination of sensors, logic solver,
and final elements that performs one or more safety
instrumented functions (SIFs), each with a specified
safety integrity level (SIL).
▫ A SIS detects an abnormal condition and brings
the process to a functionally safe state.
▫ A SIS is functionally independent of the BPCS.
▫ "Interlock" is an older, imprecise term for SIS.

Independent Protection Layer (Continued)

5. Physical Protection (Relief Valves, Rupture Discs,
etc.):
▫ These devices, when appropriately sized,
designed and maintained, are IPLs.
▫ Flow from the relief valves to the atmosphere
results in additional consequences (the relief
discharge itself can be a toxic release, which then
needs its own scenario).

Independent Protection Layer (Continued)


6. Post release Protection (Dikes, Blast Walls, etc.):
▫ These passive devices, when designed and
maintained correctly, are IPLs.
▫ Their failure rates are low.
▫ Also, if automatic deluge systems, foam systems,
or gas detection systems, etc., meet the
requirements of IPLs, then some credit can be
taken for these devices in specific scenarios.
16

Independent Protection Layer (Continued)

7. Plant Emergency Response:
▫ These features (fire brigade, manual deluge
systems, facility evacuation, etc.) are not
normally considered as IPLs.
▫ Too many variables (e.g., time delays) affect
their overall effectiveness in mitigating a
scenario.

Independent Protection Layer (Continued)


8. Community Emergency Response:
▫ These measures (community evacuation and
shelter-in-place) are not normally considered as
IPLs.
▫ They provide no protection for plant personnel.
18

IPL Criteria
• IPLs should meet the following criteria:
▫ Specificity: The IPL is capable of detecting and
preventing or mitigating the consequences of a
specified, potentially hazardous event.
▫ Independence: An IPL is independent of the initiating
event and of all the other protection layers associated
with the identified potentially hazardous event.

IPL Criteria (Continued)


▫ Dependability: The protection provided by the
IPL reduces the identified risk by a known and
specified amount.

▫ Auditability: The IPL is designed to permit


regular periodic validation of the protective
function.

Safeguards Versus IPLs


• The distinction between an IPL and a safeguard is
important.
• A safeguard is any device, system, or action that
would likely interrupt the chain of events following
an initiating event.

All IPLs are safeguards, but not all safeguards are IPLs.

When to Use LOPA

• Scenario is too complex or the consequence is too severe
for the HAZOP team to make a sound judgment based
solely upon the qualitative information.
• Can be used at any point in the lifecycle of a project or process.
• Most cost effective when:
▫ Process flow diagrams (PFDs; here the drawings, not
probability of failure on demand) are complete.
▫ Piping and instrumentation diagrams (P&IDs) are
under development.
▫ For existing processes, during or after the HAZOP
review or revalidation.

LOPA Process
1. Record all reference documentation.
2. Document the process deviation and hazard
scenario.
3. Identify all of the initiating causes and
frequencies.
4. Determine the consequence of the scenario.
5. List the IPLs.
6. Provide specific implementable recommendations.

LOPA is limited to evaluating a single cause-consequence
pair as a scenario; a HAZOP deviation with several causes or
several consequences becomes several LOPA scenarios.

Step 1: Record all reference documentation
▫ Hazard analysis documentation
▫ Pressure relief valve design and inspection reports
▫ Protection layer design documents, etc.

Step 2: Document the process deviation and
hazard scenario
▫ Catastrophic rupture
▫ Toxic release

Step 3: Identify all of the initiating causes
and frequencies
▫ Loss of flow control, loss of pressure control, excess
reaction, etc.
▫ Failure rate for each device, system, or human:
– Industry-accepted
– Standards-compliant

Initiating Cause | Likelihood
Control loop failure | 1.0E-2 events per year
Relief valve failure | 1.0E-2 events per year
Human error (trained, no stress) | 1.0E-2 events per time the task is done
Human error (under stress) | 0.5 to 1.0 per time the task is done
Other initiating events | Use experience of personnel, e.g., CTW pumps trip twice a year, total power failure once every two years.

Note the units: human error rates are per opportunity, so multiply by
the number of times the task is performed per year to obtain an
initiating event frequency in events per year, the unit the rest of the
worksheet uses.

Initiating Event | Frequency Range (/yr)
Pressure vessel residual failure | 1E-5 to 1E-7
Piping residual failure | 1E-5 to 1E-6
Piping leak (10% section), 100 m, full breach | 1E-3 to 1E-4
Atmospheric tank failure | 1E-3 to 1E-5
Gasket/packing blowout | 1E-2 to 1E-6
Turbine/diesel engine overspeed with casing breach | 1E-3 to 1E-4
3rd party intervention (external impact by backhoe, vehicle, etc.) | 1E-2 to 1E-4
Crane load drop | 1E-3 to 1E-4
Lightning strike | 1E-3 to 1E-4
Safety valve opens spuriously | 1E-2 to 1E-4
Cooling water failure | 1 to 1E-2
Pump seal failure | 1E-1 to 1E-2
Unloading/loading hose failure | 1 to 1E-2
BPCS instrument loop failure | 1 to 1E-2
Regulator failure | 1 to 1E-1
Small external fire (aggregate causes) | 1E-1 to 1E-2
Large external fire (aggregate causes) | 1E-2 to 1E-3

Step 4: Determine the consequence of the
scenario
• Safety, environmental, and economic losses
▫ Laws and standards
▫ Cost/benefit analysis
• Risk matrix
▫ Risk is acceptable
▫ Additional risk reduction is required

Step 5: List the IPLs

• IPLs must meet:
▫ Independence, Specificity, Dependability,
Auditability.
• An IPL must be completely independent of the
initiating cause.
▫ If the initiating cause is a process control loop failure,
an alarm generated by that loop's own process control
transmitter is not an IPL.
• For each IPL, determine the PFD (Probability of
failure on demand).

Determine PFD
PFD: the risk reduction obtained from an IPL (the probability
that the layer fails to act when the scenario demands it).
• The default frequency reduction for an IPL is two orders of
magnitude
▫ 1E-2 PFD (that is, the availability is 99%)
• Exception: risk reduction for operator response to
alarms is one order of magnitude (1E-1)
• If an IPL is believed to be more reliable (lower value
for PFD), a quantitative method should be used to
confirm the PFD.
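The independence test in Step 5 can be made mechanical: record which components (transmitters, logic solvers, valves, the operator) each candidate layer relies on, and refuse credit to any layer that shares one with the initiating cause or with a layer already credited. The following is an added example written for this page, not code from the slides; the tag names (PT-101, XV-201, PSV-301, ...) and the scenario are constructed to show the rule the slide states about an alarm on the failed loop's own transmitter.

```python
"""Independence screening for candidate IPLs.

Added example, not from the slides. Each candidate layer lists the hardware or
people it relies on; a layer earns no IPL credit if it shares any of them with
the initiating cause or with a layer already credited. This is the rule behind
the slide's point that an alarm driven by the failed control loop's own
transmitter is not an IPL. All tag names (PT-101, XV-201, ...) are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float                                   # probability of failure on demand
    components: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class InitiatingCause:
    name: str
    frequency: float                             # events per year
    components: frozenset = field(default_factory=frozenset)


def screen_ipls(cause, candidates):
    """Return (credited, rejected): credited layers in order, and a dict of
    layer name -> reason for the layers that fail the independence test.

    Candidates are examined in the order given, so when two layers depend on
    the same component the first one listed keeps the credit; list the layer
    the team actually wants to rely on first.
    """
    credited, rejected = [], {}
    used = set(cause.components)                 # components already relied upon
    for layer in candidates:
        shared = layer.components & used
        if shared:
            rejected[layer.name] = "shares " + ", ".join(sorted(shared))
            continue
        credited.append(layer)
        used |= layer.components
    return credited, rejected


# Constructed scenario: the initiating cause is failure of the pressure control
# loop (transmitter PT-101, the DCS, control valve PV-101). The high-pressure
# alarm wired to PT-101 shares the failed transmitter; the DCS trip shares the
# DCS and the control valve; the SIS (own transmitter PT-201, own logic solver,
# own valve XV-201) and the relief valve are independent.
CAUSE = InitiatingCause("pressure control loop failure", 1e-1,
                        frozenset({"PT-101", "DCS", "PV-101"}))
CANDIDATES = [
    Layer("high pressure alarm on PT-101", 1e-1,
          frozenset({"PT-101", "DCS", "operator"})),
    Layer("DCS trip on PT-201", 1e-1, frozenset({"PT-201", "DCS", "PV-101"})),
    Layer("SIS trip on PT-201", 1e-2, frozenset({"PT-201", "SIS-PLC", "XV-201"})),
    Layer("relief valve PSV-301", 1e-2, frozenset({"PSV-301"})),
]


def credited_names(cause=CAUSE, candidates=CANDIDATES):
    """Names of the layers that survive screening, for the constructed case."""
    credited, _ = screen_ipls(cause, candidates)
    return [layer.name for layer in credited]


if __name__ == "__main__":
    credited, rejected = screen_ipls(CAUSE, CANDIDATES)
    for layer in credited:
        print(f"credit    {layer.name}: PFD {layer.pfd:.0e}")
    for name, why in rejected.items():
        print(f"no credit {name}: {why}")
```

The component sets are the part worth getting right in a real review: a trip that reuses the control valve of the loop that failed, or a second transmitter on the same impulse line, is exactly the kind of shared element this screen is meant to surface before any PFD credit is taken.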

Independent Protection Layer | PFD
Control loop failure | 1.0E-2
Relief valve failure | 1.0E-2
Human error (trained, no stress) | 1.0E-2
Operator response to alarms | 1.0E-1
Vessel pressure rating above maximum challenge from internal and external pressure sources | 1E-2 or better, if vessel integrity is maintained (i.e., corrosion understood, inspections and repairs in place)
Other events | Use experience of personnel, e.g., CTW pumps trip twice a year, total power failure once every two years.

For SISs, the PFD is set by the safety integrity level (SIL). In the
IEC 61511 low-demand bands, SIL 1 is 1E-1 > PFD >= 1E-2, SIL 2 is
1E-2 > PFD >= 1E-3 and SIL 3 is 1E-3 > PFD >= 1E-4. This deck credits a
SIL n function at the conservative boundary value 1E-n (e.g., 1E-3 for
the SIL 3 trip in the example that follows).

IPL | Comments (assuming adequate documentation, training and testing procedures) | PFD from literature and industry
Human action with 10 minutes response time | Simple, well-documented action with clear and reliable indications that the action is required | 1.0 to 1E-1
Human response to BPCS indication or alarm with 40 minutes response time | Simple, well-documented action with clear and reliable indications that the action is required. (The PFD is limited by IEC 61511; IEC 2001.) | 1E-1 (IEC allows no PFD lower than 1E-1 for this layer)
Human action with 40 minutes response time | Simple, well-documented action with clear and reliable indications that the action is required | 1E-1 to 1E-2

Step 6: Provide specific implementable
recommendations
• Develop as many recommendations as possible
• Select the best option:
▫ Implementation ease
▫ Cost standpoint

[Flowchart: LOPA process. Potentially serious process-related hazards
are identified as a result of the PHA. Step 1: record all reference
documentation. Step 2: document the process deviation and hazard
scenario. Step 3: identify all of the initiating causes and frequencies.
Step 4: determine the consequence of the scenario. Step 5: list the
IPLs. Decision: is the risk reduction adequate? If yes, go to the next
scenario. If no, ask whether the process can be made inherently safe
and Step 6: provide specific implementable recommendations; then
re-check whether the risk reduction is adequate before going to the
next scenario.]
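Steps 3 to 5 reduce to the event-tree arithmetic of the earlier figure (f_k = x * y1 * ... * yk) followed by a comparison with the scenario's target likelihood. The block below is an added example written for this page, not code from the slides: it encodes the deck's two distillation column worksheets and fills in the computed columns, and when the target is missed it reports how many more decades of risk reduction are required. The "one decade for an operator response, two for a device, PFD 1E-n for a SIL n function" convention is the deck's own; the data structures and function names are the example's.

```python
"""LOPA worksheet arithmetic for the distillation column scenarios.

Added example, not from the slides. It carries out the calculation the
event-tree figure and worksheet imply: the initiating-event frequency x is
multiplied by the PFD of each credited IPL (f_k = x * y1 * ... * yk) and the
final frequency is compared with the scenario's target likelihood. When the
target is missed it reports how many more decades of risk reduction are needed;
in the deck's convention an operator response is worth one decade, a device IPL
two, and a SIL n function is credited at PFD 1E-n. Scenario data are the deck's
two worksheets.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Scenario:
    impact_event: str
    target: float                 # maximum tolerable frequency, per year
    initiating_cause: str
    initiating_frequency: float   # per year
    layers: tuple                 # (worksheet column, description, PFD or None)


def event_tree(initiating_frequency, pfds):
    """Impact-event frequency after each successive IPL fails: [f1, f2, ...]."""
    trace, f = [], initiating_frequency
    for pfd in pfds:
        f *= pfd
        trace.append(f)
    return trace


def extra_decades_needed(mitigated, target):
    """Orders of magnitude of additional risk reduction required; 0 if met.
    The tiny offset stops an exact ratio of 10 rounding up to 2 in floating point."""
    if mitigated <= target:
        return 0
    return math.ceil(math.log10(mitigated / target) - 1e-9)


def evaluate(scn):
    """Fill in the worksheet's computed columns for one cause/consequence pair."""
    pfds = [pfd for _, _, pfd in scn.layers if pfd is not None]
    trace = event_tree(scn.initiating_frequency, pfds)
    mitigated = trace[-1] if trace else scn.initiating_frequency
    return {
        "ipls": len(pfds),
        "trace": trace,
        "mitigated": mitigated,
        "meets_target": mitigated <= scn.target,
        "extra_decades": extra_decades_needed(mitigated, scn.target),
    }


COOLING_WATER = "Loss of cooling tower water to condenser"
NO_CREDIT_DCS = "DCS trips steam valve on high P or T (no credit, not independent)"
ALARM = "High P/T alarms, operator closes manual steam valve"
SIS = "PLC trips steam valve on high P or T, dual sensors separate from DCS, SIL 3"

SCENARIOS = (
    Scenario("Catastrophic rupture of distillation column with toxic release",
             1e-8, COOLING_WATER, 1e-1, (
                 ("Process design", "MAWP above max pressure from steam reboiler", 1e-2),
                 ("BPCS", NO_CREDIT_DCS, None),
                 ("Alarms, procedures", ALARM, 1e-1),
                 ("SIS", SIS, 1e-3),
                 ("Additional mitigations", "Relief valve opens on high pressure", 1e-2))),
    Scenario("Toxic release from distillation column relief valve",
             1e-6, COOLING_WATER, 1e-1, (
                 ("Process design", "none", None),
                 ("BPCS", NO_CREDIT_DCS, None),
                 ("Alarms, procedures", ALARM, 1e-1),
                 ("SIS", SIS, 1e-3),
                 ("Additional mitigations", "none", None))),
)


if __name__ == "__main__":
    for scn in SCENARIOS:
        r = evaluate(scn)
        verdict = ("meets target" if r["meets_target"]
                   else f"needs {r['extra_decades']} more decade(s) of risk reduction")
        print(f"{scn.impact_event}\n  {r['ipls']} IPLs, mitigated {r['mitigated']:.0e}/yr "
              f"vs target {scn.target:.0e}/yr: {verdict}")
```

Layers entered with PFD None stay on the worksheet as a record of what was considered and rejected, but contribute nothing to the product; the worked output for the second scenario is one missing decade, which is the gap the deck closes with an added scrubber or flare.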

Examples
• Screen the important scenarios from the HAZOP.
• Define the maximum target likelihood for each
scenario:
▫ Catastrophic rupture of distillation column with
toxic release (1E-8/yr)
▫ Toxic release from distillation column relief valve
(1E-6/yr)
• Follow the LOPA process and complete the worksheet.
LOPA worksheet, scenario 1 (the ten worksheet columns, filled in step by step):

1. Impact Event: Catastrophic rupture of distillation column with toxic release. Target likelihood: 1E-8 per year.
2. Initiating Cause: Loss of cooling tower water to condenser.
3. Likelihood (per year): 1E-1.
Independent Protection Layers:
4. Process Design: Column, condenser, reboiler, and piping maximum allowable working pressure are greater than maximum possible pressure from steam reboiler. PFD 1E-2.
5. BPCS: Logic in DCS trips steam flow valve on high pressure or high temperature. No credit, since not independent of SIS (---).
6. Alarms, Procedures: High column pressure and temperature alarms can alert operator to shut off the steam to reboiler by manual valve. PFD 1E-1.
7. SIS/SIF: Logic in PLC trips steam flow valve on high pressure or high temperature (dual sensors separate from DCS, SIL 3). PFD 1E-3.
8. Additional Mitigations: Pressure relief valve opens on high pressure. PFD 1E-2.
9. Number of IPLs: 4.
10. Mitigated Event Likelihood (per year): 1E-1 x 1E-2 x 1E-1 x 1E-3 x 1E-2 = 1E-9, which meets the target likelihood of 1E-8.

Examples (continued)

• Note that the relief valve protects against
catastrophic rupture of the distillation column,
but it introduces another impact event:
toxic release.
LOPA worksheet, scenario 2:

1. Impact Event: Toxic release from distillation column relief valve. Target likelihood: 1E-6 per year.
2. Initiating Cause: Loss of cooling tower water to condenser.
3. Likelihood (per year): 1E-1.
Independent Protection Layers:
4. Process Design: --- (no credit).
5. BPCS: Logic in DCS trips steam flow valve on high pressure or high temperature. No credit, since not independent of SIS (---).
6. Alarms, Procedures: High column pressure and temperature alarms can alert operator to shut off the steam to reboiler by manual valve. PFD 1E-1.
7. SIS/SIF: Logic in PLC trips steam flow valve on high pressure or high temperature (dual sensors separate from DCS, SIL 3). PFD 1E-3.
8. Additional Mitigations: --- (no credit).
9. Number of IPLs: 2.
10. Mitigated Event Likelihood (per year): 1E-1 x 1E-1 x 1E-3 = 1E-5, which exceeds the target likelihood of 1E-6. Additional prevention/mitigation needed.

Examples (continued)

• The team should consider if the design could be


changed to be inherently safer to avoid the toxic
release.
• Additional independent protection layers may be
needed:
▫ A scrubber or flare could be added to treat the
release from the relief valve.

LOPA Benefits & Limitations

• Benefits:
1. Often reveals process safety issues that were not
identified in the previous qualitative hazard analysis.
2. Requires less time than quantitative risk analysis.
3. Provides a better risk decision basis than
subjective or emotional arguments.
4. Allocates risk reduction resources efficiently.
5. Information from LOPA helps an organization decide
which safeguards to focus on during operation,
maintenance, and related training.

LOPA Benefits & Limitations (Continued)

6. Often identifies acceptable alternatives to the SIS,
such as adding other layers of protection, modifying
the process, or changing procedures.
• Limitations:
1. Requires more time to reach a risk-based decision
than qualitative methods such as HAZOP and What-if.
2. LOPA is not intended to be a hazard identification
tool.
3. Risk comparisons between scenarios are valid only if the
same LOPA method is used for all of them, including the
same methods for choosing failure data.
