What is LoPA?
LoPA -Layer of Protection Analysis
Process facilities should be designed as far as possible to be inherently safe. Inherent safety involves reducing hazardous inventory and making the process mechanical design sufficiently robust.
However, it is not always possible to reduce risk to tolerable levels by inherent safety measures. Where further risk reduction is required, protection layers will be needed to prevent incidents propagating into accidents. Mitigation layers will be needed to minimise the consequences of hazardous failure events. LoPA provides special rules for protection layer credit which, when applied correctly, should ensure that adequate risk reduction is applied in the design.
What you get out of LoPA
The end result of a LoPA study is often linked directly to selecting a Safety Integrity Level (SIL) target for a number of Safety Instrumented Functions (SIF). The goal is to reduce the risk to a tolerable or negligible level,
The use of LoPA is not limited to SIL determination, because in essence it can be used for multiple risk based decisions. However, this blog will focus on the specific aspect of LoPA when used to determine the target SIL for a SIF.
Timing in a project
In a capital project such as a new process or major modification, LoPA is applied after process hazards analysis or sometimes in combination with it, depending on company preference. The risk scenarios must be clear and categorized to the point where the high consequence events are known. At the very least, there must be stable drawings and agreement on the hazard scenarios that need to go forward to a LoPA study.
Timing during operation
Carrying out LoPA during operation is also a requirement on a periodic basis. Some regulators recommend no longer than a five year interval. The reason is that over the lifetime of a modern process facility there are multiple things that can affect previous LoPA team assumptions. Consider these:
- Higher than anticipated demand frequency.
- Change in occupancy levels in a hazard zone.
- Alteration to a non-SIF independent protection layer.
- Increase in number of batches in a batch process.
- Higher than anticipated failure rate of a SIF device (sensor etc.).