LOPA
The concept of layers of protection and an approach to analyse the number of layers required was first published by the Center for Chemical Process Safety (CCPS). From these concepts, several companies developed internal procedures for Layer of Protection Analysis (LOPA).
LOPA is a semi-quantitative risk analysis technique that is applied after a qualitative hazard identification tool such as HAZOP. We describe LOPA as semi-quantitative because the technique uses figures and generates a numerical risk estimate. However, the figures are chosen in such a way that the failure probability is estimated conservatively. Usually this gives an order of accuracy rather than the actual performance of specific equipment. The result is intended to be conservative (an overestimate of the risk) and is usually sufficient to understand the required SIL for the SIF. Where a more complete or accurate understanding of the risk is required, more rigorous quantitative techniques are available, such as Failure Mode Effect Analysis (FMEA) or Quantitative Risk Analysis (QRA).
LOPA begins with an unwanted consequence or consequence of an event with environmental, health, safety, business or economic consequences. These consequences are usually identified in a HAZOP.
The severity of the consequence is estimated using appropriate techniques, which can range from simple “look-up tables” to sophisticated software tools for modelling the consequences (also visit our page on award winning safety lifecycle software aeShield).
One or more initiating events (causes) may lead to the effect. Each cause-effect pair is called a scenario. LOPA focuses on one scenario at a time. The frequency of the initiating event is estimated (usually from look-up tables or historical data). Next, each identified security is evaluated on two important characteristics:
– Is the safeguard effective in preventing the scenario from reaching the consequence?
– AND, is the safeguard independent of the triggering event and the other IPLs (independent layers of protection)?
If the security meets BOTH tests, it is an IPL. LOPA estimates the probability of the undesired consequence by multiplying the frequency of the triggering event by the product of the PFDs for the applied IPLs. It may be that a further nuance to the estimated risk is warranted. For example, an operator may only be present part of the time or another condition may be required to initiate the scenario (enabling conditions and conditional modifiers).