2

Overview of LOPA

2.1. Purpose

The purpose of this chapter is to introduce layer of protection analysis(LOPA) by describing what LOPA is, what it does, when it is used, how itworks, and how it is implemented. The limitations and benefits of LOPA arealso discussed. This chapter also introduces two example problems usedthroughout the book to illustrate each step in the LOPA process.

2.2. What Is LOPA?

LOPA is a simplified form of risk assessment. LOPA typically uses order ofmagnitude categories for initiating event frequency, consequence severity,and the likelihood of failure of independent protection layers (IPLs) toapproximate the risk of a scenario. LOPA is an analysis tool that typicallybuilds on the information developed during a qualitative hazard evaluation,such as a process hazard analysis (PHA). LOPA is implemented using a set ofrules.

Like many other hazard analysis methods, the primary purpose of LOPAis to determine if there are sufficient layers of protection against an accidentscenario (can the risk be tolerated?). As illustrated in Figure 2.1, many typesof protective layers are possible. A scenario may require one or many protec-tion layers depending on the process complexity and potential severity of aconsequence. Note that for a given scenario, only one layer must work suc-cessfully for the consequence to be prevented. However, since no layer is per-fectly effective, sufficient protection layers must be provided to render therisk of the accident tolerable.

11

LOPA provides a consistent basis for judging whether there are sufficientIPLs to control the risk of an accident for a given scenario. If the estimated riskof a scenario is not acceptable, additional IPLs may be added. Alternativesencompassing inherently safer design can be evaluated as well. LOPA doesnot suggest which IPLs to add or which design to choose, but it assists injudging between alternatives for risk mitigation. LOPA is not a fully quanti-tative risk assessment approach, but is rather a simplified method for assess-ing the value of protection layers for a well-defined accident scenario.

2.3. What LOPA Does

LOPA provides a risk analyst with a method to reproducibly evaluate the riskof selected accident scenarios. A scenario is typically identified during a qual-itative hazard evaluation (HE), such as a PHA, management of change evalu-ation, or design review. LOPA is applied after an unacceptable consequence,and a credible cause for it, is selected. It then provides an order of magnitudeapproximation of the risk of a scenario.

Once a cause–consequence pair is selected for analysis, the analyst canuse LOPA to determine which engineering and administrative controls (oftencalled safeguards) meet the definition of IPLs, and then estimate the as-is risk

12 2 . Overview of LOPA

FIGURE 2.1. Layers of defense against a possible accident.

LOPA is limited to evaluating a single cause–consequence pair as a scenario.

of the scenario. The results can then be extended to make risk judgments andto help the analyst decide how much additional risk reduction may berequired to reach a tolerable risk level. Other scenarios or other issues may berevealed while performing LOPA on a scenario.

Another way to understand LOPA is to view it relative to quantitativerisk assessment (CPQRA). In this context, a LOPA scenario represents onepath (typically we choose the path to the worst consequence) through anevent tree. Figure 2.2 shows an event tree for a given initiating event. Anevent tree shows all the possible outcomes (consequences) of an initiatingevent. A comprehensive treatment of the use of event trees and other quanti-tative risk assessment methods is provided by the CCPS CPQRA booksGuidelines for Chemical Process Quantitative Risk Analysis and Guidelines forChemical Process Quantitative Risk Analysis, Second Edition (CCPS, 1989a,2000a) and Guidelines for Hazard Evaluation Procedures, Second Edition withWorked Examples (CCPS, 1992a). For LOPA, the analyst (or team) must limiteach analysis to a single consequence, paired to a single cause (initiatingevent). In many applications of LOPA, the goal of the analyst is to identify allcause–consequence pairs that can exceed the organization’s tolerance for risk.

2.3. What LOPA Does 13

FIGURE 2.2. Comparison of LOPA and event tree analysis.

In others, the analyst chooses the cause–consequence pair that likely repre-sents the highest risk scenario from many scenarios that may be similar to theone chosen. The approach taken depends upon the analyst’s experience withLOPA and with the process under consideration - this is not always straight-forward.

In practice, the analyst who will apply LOPA will not have the benefit ofpicking a scenario from a fully developed event tree. Instead, LOPA typicallybegins with scenarios identified by a qualitative hazard review team. Asmentioned earlier, LOPA is a method that falls between qualitative and quan-titative methods and is applied when the analyst decides it is the best tool forjudging risk. The goal is to choose scenarios that the analyst believes repre-sent the most significant risk scenarios, as described in the next section.

2.4. When to Use LOPA

LOPA is typically applied after a qualitative hazard evaluation (e.g., PHA)using the scenarios identified by the qualitative hazard review team. How-ever, “typically” means just that—LOPA can also be used to analyze scenar-ios that originate from any source, including design option analysis andincident investigations. LOPA can also be applied when a hazard evaluationteam (or other entity)

• believes a scenario is too complex for the team to make a reasonablerisk judgment using purely qualitative judgment, or

• the consequences are too severe to rely solely on qualitative risk judg-ment.

The hazard evaluation team may judge the “scenario as too complex” ifthey

• do not understand the initiating event well enough,• do not understand the sequence of events well enough, or• do not understand whether safeguards are truly IPLs.

LOPA can also be used as a screening tool prior to a more rigorous quan-titative risk assessment (CPQRA) method. When used as a screening tool,each scenario above a specified consequence or risk level will first go throughLOPA analysis, and then certain scenarios will be targeted for a higher levelof risk assessment. The decision to proceed to CPQRA is typically based onthe risk level determined by LOPA or based on the opinion of the LOPA ana-lyst (i.e., the scenario is too critical or complex to rely on LOPA for risk assess-ment).

Figure 2.3 depicts the spectrum of risk assessment tools: from purelyqualitative to rigorous application of quantitative methods. At the far left arequalitative tools; these are typically used to identify scenarios and qualita-

14 2 . Overview of LOPA

tively judge if the risk is tolerable. In the middle are semi-quantitative tools(or simplified quantitative tools); these include LOPA and are used to pro-vide an order-of-magnitude estimate of risk. Finally at the far right are quan-titative tools; these allow analysis of more complex scenarios and providerisk estimates for comparison and risk judgment. The percentages shown inFigure 2.3 are for illustration purposes only. Typically all scenarios are identi-fied and evaluated qualitatively, and some that are too onerous or complexproceed to semiquantitative risk assessment, and a few scenarios may needmore rigorous evaulation than is than possible with LOPA. Thus, LOPA canbe applied to evaluate scenarios that are too complex or consequential foronly qualitative review and LOPA can screen which scenarios need morequantitative scrutiny (which need to go beyond LOPA to CPQRA).

Later chapters provide examples of how companies have incorporatedLOPA into their risk assessment approaches. In general, the writers believethat if the analyst or team can make a reasonable risk decision using onlyqualitative methods, then LOPA may be overkill. However, LOPA can bemuch more efficient than qualitative methods for judging the sufficiency ofIPLs; in a qualitative hazard review these decisions can quickly digress intoshouting matches. LOPA should not be used as a replacement for quantita-

2.4. When to Use LOPA 15

FIGURE 2.3. Spectrum of tools for risk-based decision making.

tive analysis. If complex human behavior models or equipment failuremodels are required to understand the risk of a scenario, then quantitativeanalysis is more appropriate.

2.5. How LOPA Works

Like all analytical methods, LOPA has rules that are provided in this book.Like other methods, LOPA can be divided into steps. The LOPA steps are out-lined in Figure 2.4 and summarized below. Figure 2.4 also identifies the rele-vant chapter for each step. The steps below refer to Figures 2.5 through 2.11and show how the results are selected from the figures. These figures are dis-cussed in detail in later chapters.

Step 1: Identify the consequence to screen the scenarios. Since LOPA typi-cally evaluates scenarios that have been developed in a prior study, a firststep by the LOPA analyst(s) is to screen these scenarios, and the most

16 2 . Overview of LOPA

FIGURE 2.4. How LOPA works.

common screening method is based on consequence. The consequence is typ-ically identified during a qualitative hazard review (such as a HAZOP study)(see Figure 2.5). Next the analyst evaluates the consequence (including theimpact) and estimates its magnitude. Some companies stop at the magnitudeof a release (of material or energy), which implies, but does not explicitlystate, the impact to people, the environment, and the production system (seeFigure 2.6). Other companies will model the release (see Figure 2.7) and moreexplicitly estimate the risk to people, the environment, and production byaccounting for the likelihood of harm resulting from a specific scenario, forinstance by also accounting for the probability of operators being in harm’sway during a release scenario. Chapter 3 describes the methods used for con-sequence estimation within LOPA.

Step 2: Select an accident scenario. LOPA is applied to one scenario at a time.The scenario can come from other analyses (such as qualitative analyses), butthe scenario describes a single cause–consequence pair (see Figure 2.5). Chap-ter 4 provides rules and examples for identifying scenarios.

Step 3: Identify the initiating event of the scenario and determine the initi-ating event frequency (events per year). The initiating event must lead to theconsequence (given failure of all of the safeguards). The frequency mustaccount for background aspects of the scenario, such as the frequency of themode of operation for which the scenario is valid. Most companies provideguidance on estimating the frequency to achieve consistency in LOPA results(see Figure 2.8). Chapter 5 provides guidance on selecting an appropriate ini-tiating event and in determining a reasonable frequency in the context of theaccident scenario being analyzed.

Step 4: Identify the IPLs and estimate the probability of failure on demandof each IPL. Recall that LOPA is short for “layer of protection analysis.” Someaccident scenarios will require only one IPL, while other accident scenariosmay require many IPLs, or IPLs of very low probability of failure on demand,to achieve a tolerable risk for the scenario. Recognizing the existing safe-guards that meet the requirements of IPLs for a given scenario is the heart ofLOPA. Most companies provide a predetermined set of IPL values for use bythe analyst, so the analyst may pick the values that best fits the scenario beinganalyzed (see Figure 2.9). Chapter 6 provides the rules (requirements) thatare applied to select existing IPLs and also describes how various companiesestimate the effectiveness of existing and proposed IPLs.

Step 5: Estimate the risk of the scenario by mathematically combining theconsequence, initiating event, and IPL data. Other factors may be includedduring the calculation, depending on the definition of consequence (impact

2.5. How LOPA Works 17

18 2 . Overview of LOPA

FIGURE 2.5. Choosing the scenario.

19

FIGURE 2.6. Determining the consequence and its severity.

20 2 . Overview of LOPA

FIGURE 2.7. Mathematical modeling of consequence.

FIGURE 2.8. Choosing initiating event frequency.

From

Click for high resolution graphic

21

FIGURE 2.9. Choosing IPL values.

From

event). Approaches include arithmetic formulae and graphical methods.Regardless of the methods, most companies provide a standard form for doc-umenting the results (see Figure 2.10). Chapter 7 describes how to use LOPAdata to estimate risk, using the initiating event frequency (discussed in Chap-ter 5), the IPL values (discussed in Chapter 6), and the consequence value(discussed in Chapter 3). Chapter 7 also discusses how to include the proba-bility of reaching the impact event, given the stated consequence (such as arelease of a hazardous substance) occurs; and how to estimate the frequencyof the scenario (by factoring the probability of the presence of people in thevicinity, probability of escape, probability of ignition, etc.).

22 2 . Overview of LOPA

FIGURE 2.10. LOPA documentation.

From

23

FIGURE 2.11. Estimating the risk and required action.

Step 6: Evaluate the risk to reach a decision concerning the scenario. Chap-ter 8 describes how to make risk decisions with LOPA. This includes compar-ing the risk of a scenario to a company’s tolerable risk criteria and/or relatedtargets (see Figure 2.11).

Chapter 10 describes other uses of LOPA results. Chapters 8 and 10 alsodescribe how the results can be used to prioritize risk management activities,such as identifying which equipment components to focus on within amechanical integrity program.

2.6. How to Implement LOPA

LOPA is most effective when an organization adopts a consistent approach toLOPA and sets criteria for when to use LOPA and who is qualified to use it.Chapter 9 provides general guidance for effective implementation of LOPAand includes lessons learned from several international companies. Trainingof personnel in LOPA is a key implementation task. Chapter 11 describesadvanced LOPA topics.

LOPA can be applied in a team setting, such as during or immediatelyfollowing a HAZOP- or What-If–based review (e.g., PHA) used to identifyaccident scenarios. LOPA can also be applied by a single analyst; in this case,the scenarios have typically already been identified for the analyst (such as bya hazard evaluation team). Note that a single analyst rarely works in avacuum and will almost inevitably need to clarify issues with others in theorganization. Many companies practice LOPA with a subteam composed ofthe analyst and a process engineer or production specialist (someone inti-mately familiar with the process); a larger team or an independent LOPA ana-lyst may review their work.

2.7. Limitations of LOPA

LOPA is just another risk analysis tool that must be applied correctly. Thelimitations imposed on LOPA result in a work process that is much less com-plex than quantitative risk analysis, while generating useful, somewhat con-servative, estimates of risk. LOPA is subject to the following limitations:

• Risk comparisons of scenarios are valid only if the same LOPA method(i.e., using the same methods for choosing failure data), and compari-sons are based on the same risk tolerance criteria or to the risk of otherscenarios determined by LOPA. The numbers generated by a LOPAcalculation are not precise values of the risk of a scenario. This is also alimitation of quantitative risk analysis.

24 2 . Overview of LOPA

• LOPA is a simplified approach and should not be applied to all scenar-ios. The amount of effort required to implement LOPA may be exces-sive for some risk-based decisions and is overly simplistic for otherdecisions.

• LOPA requires more time to reach a risk-based decision than qualita-tive methods such as HAZOP and What-if. This extra time is offset bythe improved risk decision compared to using only qualitative meth-ods for moderately complex scenarios. For simple decisions, the valueof LOPA is minimal. For more complex scenarios and decisions, LOPAmay actually save time compared to using only qualitative methods,because LOPA brings focus to the decision making.

• LOPA is not intended to be a hazard identification tool. LOPA dependson the methods used (including qualitative hazard review methods) toidentify the hazardous events and to identify a starting list of causesand safeguards. The more rigorous procedure of LOPA frequentlyclarifies ill-defined scenarios from qualitative hazard reviews.

• Differences in risk tolerance criteria and in LOPA implementationbetween organizations means the results cannot normally be com-pared directly from one organization to another. This is true of CPQRAtechniques as well.

2.7. Limitations of LOPA 25

MYTH: Since LOPA uses numbers, the results express the precise risk of the

scenario.REALITY: This is NOT true. Like other techniques, LOPA gives approximations of

risk that are useful in making comparisons (which help to allocate limited

resources for risk control). For many purposes, LOPA analyses have sufficient

precision to adequately quantify the risk of a particular process scenario.

MYTH: Since LOPA provides quantitative results, LOPA is better than HAZOP.

REALITY: The two are different techniques with different goals and cannot be

compared directly.

• HAZOP is ideally suited for brainstorming or uncovering what could go wrong

and at identifying potential accident scenarios; a HAZOP team can also qualita-

tively judge the risk of a scenario.

• LOPA allows the analyst to take a predefined scenario and estimate the risk of

the scenario in a consistent and simplified manner.

LOPA complements HAZOP or other hazard identification methodologies.

2.8. Benefits of LOPA

LOPA has many benefits that justify investment by company managementand risk analysts. As with most new tools, however, the benefits often cannot

be fully appreciated until LOPA is applied to everyday problems. Some gen-eral benefits of LOPA include:

• LOPA requires less time than quantitative risk analysis. This benefitapplies particularly to scenarios that are too complex for qualitativeassessment of risk.

• LOPA helps resolve conflicts in decision making by providing a consis-tent, simplified framework for estimating the risk of a scenario andprovides a common language for discussing risk. LOPA provides abetter risk decision basis compared to subjective or emotional argu-ments based on “the risk is tolerable to me.” This is particularly benefi-cial for organizations making the transition from qualitative to morequantitative risk methods.

• LOPA can improve the efficiency of hazard evaluation meetings byproviding a tool to help reach risk judgments quicker.

• LOPA facilitates the determination of more precise cause–consequencepairs, and therefore improves scenario identification.

• LOPA provides a means of comparing risk from unit to unit or plant toplant, if the same approach is used throughout the company.

• LOPA provides more defensible comparative risk judgments than quali-tative methods due to the more rigorous documentation and the specificvalues assigned to frequency and consequence aspects of the scenario.

• LOPA can be used to help an organization decide if the risk is “as lowas reasonably practicable” (ALARP), which may also serve to meetspecific regulatory requirements.

• LOPA helps identify operations and practices that were previouslythought to have sufficient safeguards, but on more detailed analysis(facilitated by LOPA), the safeguards do not mitigate the risk to a toler-able level.

• LOPA helps provide the basis for a clear, functional specification for anIPL [ISA S84.01 (ISA, 1996) and IEC 61508 and IEC 61511 (IEC, 1998;2001)].

• Information from LOPA helps an organization decide which safe-guards to focus on during operation, maintenance, and related train-ing. For instance, many companies decide to focus their inspection,test, and preventive maintenance activities on the IPLs identifiedduring LOPA; these companies often decide to run the remaining safe-guards (those not identified as IPLs) to failure or subject them to lessrigorous test and maintenance schedules. Therefore, LOPA is a tool for

26 2 . Overview of LOPA

implementing a wise PSM mechanical integrity or risk-based mainte-nance system, and it aids in the identification of “safety critical” fea-tures and tasks.

2.9. Introduction of Continuing Examples

The following two examples will be used to illustrate the concepts of LOPAthroughout this book. Note that LOPA methods vary throughout the indus-try. Each example shows only one of the many approaches. Variations will beshown or discussed in the following chapters and appendices. The solution

steps for each example will be shown in each chapter. For each of these exam-ples:

• Chapter 3 discusses how to identify consequences and classify themfor severity.

• Chapter 4 shows how to identify scenarios in LOPA terms.• Chapter 5 shows how to identify the initiating events in a scenario, and

how to calculate the initiating event frequency.• Chapter 6 shows how to identify potential Independent Protection

Layers (IPLs), how to test for independence, and how to estimate theprobability of failure on demand (PFD) for the applicable IPLs.

• Chapter 7 shows how to calculate the frequency of the scenario withthe IPLs in place.

• Chapter 8 describes how to use LOPA to evaluate risk and make deci-sions.

Continuing Example 1: Hexane Surge Tank Overflow

The following process, shown in Figure 2.12, will be used as a continuingexample to illustrate the concepts of LOPA throughout this book.

DesignHexane flows from another process unit (not shown) into a hexane surgetank. The hexane supply pipeline is always under pressure. The surge tanklevel is controlled by a level control loop (LIC-90) that senses the level in thetank and throttles a level valve (LV-90) to control the level. Hexane is used bya downstream process (also not shown). The LIC loop includes a high levelalarm (LAH-90) to alert the operator. The tank normally operates half full; thetotal tank capacity is 80,000 lb of hexane. The tank is located in a dike that cancontain up to 120,000 lb of hexane.

The designs in the examples are for illustrative purposes only. Thedesigns are not necessarily endorsed by the authors. Readers are cautioned touse designs appropriate for their applications.

2.9. Introduction of Continuing Examples 27

ScopeThis example provides a limited illustration of LOPA for a process safetydecision based on the use of a safety instrumented function (SIF) as an inde-pendent protection layer (IPL). During the process hazard analysis (PHA),the team discussed the need for a high level SIF to help prevent overfillingaccidents. They decided to use LOPA to help structure this process safetydecision. The PHA team identified other scenarios that would lead to releasesof hexane from the surge tank and related process equipment, but these otherscenarios are not modeled here.

Hazard InformationThe hazard information was prepared as part of the PHA, prior to conductingthe LOPA. This included identification of the hazards, scenarios, consequences,safeguards, and subsequent recommendations. The consequences identified are:overflow of the tank; possible failure of the dike; and subsequent dispersion offlammable hexane vapors, which if ignited, will result in a pool fire.

Continuing Example 2: Hexane Storage Tank Overflow

The following process, shown in Figure 2.13, will be used as a second continu-ing example to illustrate the concepts of LOPA throughout this book.

28 2 . Overview of LOPA

FIGURE 2.12. Continuing Example 1: Hexane surge tank overflow (as is).

DesignHexane is unloaded from a tank truck (50,000 lb) via pump 3-40 into makeupstorage tank T-301, which has a capacity of 80,000 lb. The surrounding dike isdesigned to contain 120,000 lb of hexane. The truck is unloaded once every 4days or about 90 times per year. The makeup storage tank is equipped with alevel indicator (LI-80) and a high level alarm (LAH-80) that annunciates in thecontrol room. Two operators are typically involved in this operation; one inthe field who initiates the transfer with the delivery truck driver and one inthe control room who monitors and operates various process functions froma computer interface. The driver is required to supervise the transfer.

ScopeThis example provides a limited illustration of LOPA for a process safetydecision on the use of a safety instrumented function (SIF), as an independentprotection layer (IPL). During the process hazard analysis (PHA), the teamdiscussed the need for a high level SIF to trip the feed pump and close an inletvalve (to be installed) to help prevent overfilling accidents. They decided touse LOPA to help structure this process safety decision. The overflow sce-nario of concern is initiated by arrival of a truck when there is insufficient

2.9. Introduction of Continuing Examples 29

FIGURE 2.13. Continuing Example 2: Hexane storage tank overflow (as is).

room in tank T-301 for the truck contents. This could be due to a number ofsituations, including an error in ordering, or the unit was shut down after thetruck was ordered. The PHA team identified other scenarios that would leadto releases of hexane from the surge tank and related process equipment, butthese other scenarios are not analyzed here.

Hazard InformationThe hazard information was prepared as part of the qualitative PHA, prior toconducting the LOPA. This included identification of the hazards, scenario,consequences, safeguards, and subsequent recommendations. The conse-quences are overflow of the tank; possible overflow of the dike; and subse-quent dispersion of flammable hexane vapors, which if ignited, will result ina pool fire.

30 2 . Overview of LOPA

Click here to go to Chapter 3