LOPA (Layer of Protection Analysis)
LOPA (Layer of Protection Analysis) is a semi-quantitative process safety technique used to determine whether the existing layers of protection adequately reduce the risk of a hazardous scenario and, if not, what additional independent protection layer (typically a new safety instrumented function) is required. LOPA takes a hazardous scenario identified by HAZOP as input, identifies the initiating event frequency and the existing layers of protection (each with a probability of failure on demand), and calculates the residual risk. The required risk reduction factor (RRF) drives the target SIL of any new SIF.
How does LOPA structure a scenario?
Each LOPA scenario starts with an initiating event (a deviation from HAZOP, such as 'control valve fails open' or 'operator opens manual valve in wrong sequence'). The initiating event has an estimated frequency (typically per year) taken from generic data. Existing layers of protection sit between the initiating event and the consequence, and each layer has a probability of failure on demand (PFD). Layers of protection include the BPCS (basic process control system, PFD ~ 0.1), operator response to alarm (PFD ~ 0.1 with rich procedural support, higher otherwise), relief devices (PFD ~ 0.01 with regular proof testing), and an existing SIS (PFD per the SIL of the existing SIF). The product of the initiating event frequency and the PFDs of all credited layers between the event and the consequence gives the residual frequency of the consequence.
How does LOPA produce the target SIL?
If the residual frequency of the consequence exceeds the tolerable risk target (set by the company's risk-matrix tolerable region, typically 10^-5 per year for severe consequences), the gap must be closed by adding a new independent protection layer. The required risk reduction factor (RRF) is the ratio of the residual frequency to the tolerable target. The RRF translates to a target SIL: RRF 10-100 = SIL 1, RRF 100-1000 = SIL 2, RRF 1000-10000 = SIL 3, RRF 10000-100000 = SIL 4. The target SIL becomes the design constraint for the new SIF; SIL verification under IEC 61511 then confirms whether the as-designed architecture achieves the target.
What makes a layer of protection independent?
Independence is the central LOPA discipline. A layer of protection is independent if its failure does not share a common cause with the initiating event or with another layer being credited. The BPCS (the same system whose deviation initiated the scenario) cannot be credited as an independent layer for the same scenario. A relief valve sized for the same overpressure case cannot be credited twice. Operator response to an alarm whose setpoint is set by the BPCS (whose failure initiated the scenario) is not independent. Each credited layer must pass an independence test; a layer that fails the test is dropped from the PFD product, which raises the residual frequency and therefore the required RRF.
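The three sections above describe one calculation: initiating event frequency times the product of credited PFDs, compared against the tolerable target, with the independence test deciding which layers count. The following calculator is an added example, not code from the page or from CCPS, that runs that calculation end to end on a constructed scenario. The layer names, the "depends_on" bookkeeping used for the independence test, and the system identifiers are assumptions made for illustration; the frequency and PFD figures are the typical values the page quotes. The SIL bands are read with the lower bound inclusive, and an RRF between 1 and 10 (below the lowest band the page lists) is reported as 0, meaning no SIL rating is assigned; both are conventions assumed here, not statements from the page.

```python
# Added example (not from the page or CCPS): a small LOPA calculator.
# Residual frequency = initiating-event frequency x product of credited PFDs;
# RRF = residual / tolerable target; RRF -> target SIL via the bands on the page.
# The independence test rejects any layer that shares a system with the
# initiating event or with a layer credited before it. Sample scenario, layer
# names and "depends_on" sets are constructed for illustration.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float                           # probability of failure on demand
    depends_on: frozenset = frozenset()  # systems whose failure defeats this layer


@dataclass
class Scenario:
    description: str
    initiating_event: str
    ie_frequency: float        # events per year, from generic data
    ie_depends_on: frozenset   # systems whose failure IS the initiating event
    layers: list
    tolerable_frequency: float  # company tolerable target, per year


def credited_layers(scenario):
    """Independence rule: credit a layer only if it shares no system with the
    initiating event or with an already-credited layer."""
    credited, rejected = [], []
    committed = set(scenario.ie_depends_on)
    for layer in scenario.layers:
        if layer.depends_on & committed:
            rejected.append(layer.name)
        else:
            credited.append(layer)
            committed |= layer.depends_on
    return credited, rejected


def residual_frequency(scenario, enforce_independence=True):
    """Initiating-event frequency times the PFD of every credited layer."""
    layers = credited_layers(scenario)[0] if enforce_independence else scenario.layers
    freq = scenario.ie_frequency
    for layer in layers:
        freq *= layer.pfd
    return freq


def required_rrf(scenario, enforce_independence=True):
    """Residual frequency over tolerable target. Rounded because generic LOPA
    data carry one significant figure; this keeps float noise off band edges."""
    return round(residual_frequency(scenario, enforce_independence)
                 / scenario.tolerable_frequency, 6)


def target_sil(rrf):
    """Map an RRF to a target SIL: [10,100) SIL 1, [100,1000) SIL 2,
    [1000,10000) SIL 3, [10000,100000) SIL 4 (lower bound inclusive, assumed).
    None when RRF <= 1 (existing layers suffice); 0 for RRF in (1,10), which is
    below the lowest band on the page (assumed: no SIL rating assigned)."""
    if rrf <= 1:
        return None
    band = math.floor(math.log10(rrf) + 1e-9)
    if band > 4:
        raise ValueError(f"RRF {rrf} exceeds the SIL 4 band; one SIF cannot close it")
    return band


def evaluate(scenario):
    """Full LOPA pass for one scenario, with and without the independence test."""
    credited, rejected = credited_layers(scenario)
    rrf = required_rrf(scenario)
    return {
        "credited": [layer.name for layer in credited],
        "rejected": rejected,
        "residual_per_year": residual_frequency(scenario),
        "rrf": rrf,
        "target_sil": target_sil(rrf),
        "rrf_if_all_credited": required_rrf(scenario, enforce_independence=False),
    }


# Constructed sample: a BPCS pressure loop fails and the control valve opens
# fully, so every BPCS-hosted layer is non-independent for this scenario.
BPCS, PSV = "BPCS", "PSV-101"  # constructed system identifiers
SAMPLE = Scenario(
    description="Separator overpressure, control valve fails open",
    initiating_event="Control valve fails open (BPCS loop failure)",
    ie_frequency=0.1,                      # page: control valve fails open 0.1/yr
    ie_depends_on=frozenset({BPCS}),
    layers=[
        Layer("BPCS high-pressure interlock", 0.1, frozenset({BPCS})),
        Layer("Operator response to BPCS high-pressure alarm", 0.1, frozenset({BPCS})),
        Layer("Relief valve, proof-tested", 0.01, frozenset({PSV})),
    ],
    tolerable_frequency=1e-5,              # page: typical severe-consequence target
)

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE).items():
        print(f"{key}: {value}")
```

Crediting every layer would give a residual of 1e-5 per year, exactly the tolerable target, and the conclusion "no SIF required"; once the two BPCS-dependent layers are rejected, only the relief valve counts, the residual rises to 1e-3 per year, and the RRF of 100 calls for a SIL 2 SIF. That gap between the two results is the point of the independence test.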
Frequently asked
What is the typical initiating event frequency data source?
CCPS publishes a Layer of Protection Analysis (LOPA) initiating event frequency data table that operators reference for typical events (control valve fails open: 0.1/yr, transmitter fails: 0.5/yr, pump fails on demand: 0.1/yr). Operating companies often supplement with company-specific failure data for unusual services or for equipment with detailed operating history.
What is the typical layer-of-protection PFD data source?
CCPS publishes typical PFDs by layer type. Operator response to alarm: 0.1 with rich procedural support, 0.5 to 1.0 with no procedural support. BPCS: 0.1 if the BPCS is well-maintained and unrelated to the initiating event. Relief device: 0.01 with regular proof testing. Pre-existing SIS: per the SIL of the SIF (SIL 1 = 0.1, SIL 2 = 0.01, SIL 3 = 0.001).
What is the tolerable risk target?
Tolerable risk targets are set by the operating company's risk-matrix tolerable region. Severe consequences (multiple fatality) typically warrant 10^-5 or 10^-6 per year tolerable frequency. Major financial loss with no harm typically tolerates 10^-4 or 10^-3 per year. The tolerable region is documented in the company's risk-management standard and applies consistently across all LOPA studies at the company.
Can LOPA conclude that no SIF is required?
Yes. Many LOPA scenarios conclude that the existing layers of protection (BPCS + alarm + relief device + procedural controls) adequately reduce the residual frequency below the tolerable target, and no additional SIF is required. The LOPA documentation records this conclusion: it covers both the scenarios that drive new SIFs and the scenarios that justify the existing protection.
How often is LOPA repeated?
LOPA is repeated when the HAZOP is re-validated (typically every 5 years per CCPS guidance, or after major process modifications). The HAZOP revalidation may identify new scenarios that warrant LOPA; existing LOPA scenarios are reviewed against current operating data and current layer-of-protection performance.