LoPA -Layer of Protection Analysis

Process industry facilities should be designed as far as possible to be inherently safe. Inherent safety involves reducing hazardous inventory and making the process mechanical design sufficiently robust.

However, it is not always possible to reduce risk to tolerable levels by inherent safety measures. Where further risk reduction is required, protection layers will be needed to prevent incidents propagating into accidents. Mitigation layers will be needed to minimise the consequences of hazardous failure events. LoPA provides special rules for protection layer credit which, when applied correctly, should ensure that adequate risk reduction is applied in the design.


What is LOPA?

LOPA - Layer Of Protection Analysis. LOPA is a risk study method first proposed by the AIChE (American Institute of Chemical Engineers) in the early 2000's to provide a simplified method for attributing risk reduction to protection layers.

Who needs LOPA?

End users in chemical, oil and gas, pharmaceuticals and others with major accident hazards.

Is LOPA a Process Hazard Identification Method?

No. LOPA gets done after hazards have been identified by other techniques such as HAZOP, What-If? or similar methods. A good guide is that Process Flow diagrams and P&ID's should be complete.

Is LOPA a Standardized Procedure?

No. LOPA is applied in many different ways, so there is no standard (correct as of July 2021). This makes defining a LOPA procedure a critical step for companies to agree and approve.

What's needed to start LOPA?

Clear terms of reference (procedure) plus information about the scenarios to be assessed. Data usually comes from a process hazard analysis e.g. HAZOP, coupled with detailed P&ID drawings and a knowledge of the process. LOPA is a team study, and should be led by someone trained in the technique.

Can LOPA be used for SIL?

Yes and No.

Yes: Safety Integrity Level TARGETS can be derived directly from a LOPA study with appropriate procedures.

No: It is not possible to use LOPA to calculate if a Safety Instrumented Function (SIF) meets the SIL target.

What you get out of LoPA

The end result of a LoPA study is often linked directly to selecting a Safety Integrity Level (SIL) target for a number of Safety Instrumented Functions (SIF). The goal is to reduce the risk to a tolerable or negligible level,

The use of LoPA is not limited to SIL analysis, because in essence it can be used for multiple risk based decisions. However, this blog will focus on the specific aspect of LoPA when used to determine the target SIL for a SIF.

LOPA timing in a project

In a capital project such as a new process or major modification, LoPA is applied after process hazards analysis or sometimes in combination with it, depending on company preference. The risk scenarios must be clear and categorized to the point where the high consequence events are known. At the very least, there must be stable drawings and agreement on the hazard scenarios that need to go forward to a LoPA study.

LOPA during operation

Carrying out LoPA during operation is also a requirement on a periodic basis. Some regulators recommend no longer than a five year interval. The reason is that over the lifetime of a modern process facility there are multiple things that can affect previous LoPA team assumptions. Consider these:

  1. Higher than anticipated demand frequency.
  2. Change in occupancy levels in a hazard zone.
  3. Alteration to a non-SIF independent protection layer.
  4. Increase in number of batches in a batch process.
  5. Higher than anticipated failure rate of a SIF device (sensor etc.).


Jon Keswick, CFSE

Jon Keswick is a Certified Functional Safety Expert (CFSE) and founder of eFunctionalSafety. Feel free to make contact via Linked-In or comment on any of the eFunctionalSafety blog pages.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}
Success message!
Warning message!
Error message!