LOPA-Layer of Protection Analysis technique


In this short LOPA tutorial, we will understand the Layer of Protection Analysis technique or LOPA for short. So what does one mean by it?

LOPA is used mainly in the process industries as a risk assessment tool. Every industrial process has a degree of risk associated with running it and this is one of the popular tools to evaluate it. It may be used in conjunction with other risk assessment tools such as HAZOP. It is also used to calculate a target SIL (Safety Integrity Level) for a Safety Instrumented Systems (SIS for short). Though this tool uses probabilities and thus does number crunching, it is not considered as a fully quantitative risk assessment tool, but only as a semi-quantitative one. This is because some of the probabilistic values used in Layer of Protection Analysis, may be estimates, rather than measured values.

To understand it in detail, one must first understand some basic concepts about Hazards, Risk,  Harm and Consequences. This is because these terms are often misunderstood by laymen and even sometimes by engineers and technicians!

What is a Hazard?

A hazard is an inherent attribute (or feature or quality) of a system or equipment, that has the potential to cause harm.  Thus a gasoline tank in an automobile filling station can be considered as a hazard. This is because there is the possibility, that a careless gas station attendant may light up his cigarette in the area, during a gasoline unloading operation (where gasoline from a tank truck is unloaded to the underground storage tank in the gas station) which may lead to an explosion  and fire.

What is Risk?
This possibility, of the gas station attendant lighting up, when there are vapors of gasoline present in the area, is the Risk. If we can estimate how likely this is to take place ( say 1 out of hundred times that the tank is filled) then we can quantify the risk. In this case the risk is 1/100 or 0.01

What is Harm?

Simply put, harm is simply when the risk is realized. That is, as long as there is only a possibility, that the gas station attendant may light up, it remains just a risk. As soon as he actually does light up (and blow up the gas station to smithereens),  it becomes harm. Thus the risk existing  until then does not merely continue to remain only a possibility or a probability, it gets realized and becomes harm, at some point of time.

By now it must be amply clear to you that hazard, risk and harm are all very different concepts.


Harmful events that take place as referred to as Consequences, in the field of Process safety. They may also be called as Impact events or Incidents.

Not all consequences are created equal though, some are far worse than others. For example, if the gas station in the above example were in the middle of an uninhabited desert , then probably the consequence would be just the gas station getting blown to bits (and probably the attendant too, if it is a manned one). But what if the gas station were located in a downtown area? Then we are talking about a really horrible event that has far worse consequences. The degree of the consequence (how bad it is) is described by a term known as severity.

Thus a gas station blowing up in the middle of the desert will be an Incident that has lesser severity, than one that blows up in downtown. Note that both incidents are accidents and have undesirable and tragic consequences, but the impact of the incident would be worse if it happens in a heavily populated area.

Protection from harmful incidents

In order to prevent unpleasant incidents from happening, we need to put in place several protective measures. These protective measures, either prevent the incident from happening at all, or mitigate the incident, so that even if it does occur, the severity is lesser. In the above gas station example, we can have several protective measures in place to prevent such incidents from happening. We may carry out the unloading operation only during times when there are not many people around and when it is relatively cooler so that we have less vapors,  (say at night time), we could have a stricter security regime in place where the gas station attendants have their cigarettes or matchsticks deposited in the office before they begin work, we would have  warning signboards at the entrance, requesting drivers of vehicles to stub out their cigarettes before entering the gas station filling area, we could mount surveillance cameras at various points with signboards clearly stating that the area is under surveillance and offenders would be strictly punished, we could install sprinkler systems  and so on. In short we will have a series of measures that would reduce the likelihood of such events happening.

Layers of Protection

In process plants that have several hazards and complex operations, we need to have a system in place that will prevent accidents and harmful incidents from happening completely, or at least reduce the probability of such events occurring to a very low number (which makes it almost improbable to occur). We can do this by having protection schemes in the form of layers. If the first layer is breached, there is a second layer to protect, if that is breached, then there exists a third layer and so on. It is highly improbable that all layers will be breached at the same time.

As an example from everyday life,  consider airport security. Typically the flyer  walks through a metal detector door frame that can detect concealed metallic objects such weapons. This is the first layer of protection. Then a security guard physically frisks the flyer to check again for concealed weapons. This is the second layer of protection. It is unlikely that both layers of protection will be breached .

LOPA in industry

Now consider an industrial operation where one is mixing two toxic chemicals in a reactor at a high temperature and pressure. The mixture is first heated with steam (through a steam heating jacket on the reactor) and when the ideal reaction temperature is reached, then steam is shut off and the reactor jacket is then filled with a coolant (to regulate the exothermic reaction). There is a possibility that if the temperature overshoots, the reaction may enter a runaway state and cause the pressure to increase suddenly, leading to the reactor exploding and spilling all its contents in the area. This may cause damage to the other equipment and also harm the plant personnel who may be working in that area. To ensure safety of this operation, we can think of having different layers of protection, to reduce the likelihood of such an incident from occurring.

Our first layer of protection can be considered the process design basis itself. The reactor must be sized right so that it can withstand some degree of overpressure. The reactants must be added in the correct proportion every time and so on. The second protection layer can be considered the Basic Process Control System (also known as the BPCS or Basic Process Control System). This is where the temperature sensors, process sensors  and other instruments and controls are connected to and which also generates alarms (in case of pre-programmed limits getting exceeded) for the operator. The third layer of protection can be considered to be the Safety Instrumented System (SIS for short). This system has its own sensors, logic solvers and actuators/valves that are separate from the BPCS. The fourth layer of protection can be considered the mechanical relief system, which may comprise of relief valves, burst discs and associated equipment like emergency containment systems.

Now we take a look at the cause and consequence pair. If we take the cause of the temperature overshooting happening, then a consequence would be the  release of the toxic chemicals to the environment and exposure to the workers. In order for this event to take place, when the temperature overshoots, all the intermediate levels of protection must fail. Thus the temperature rise (called the initiating event) must take place AND the subsequent layers of protection such as the SIS, the mechanical relief devices must all fail, for the contents to get released to the environment.

We estimate the probabilities of the initiating event happening and multiply the probability of failures of each of the independent protection layers to get a value. This value is the probability of occurrence of the hazardous event.

There are also several caveats that should be borne in mind. The Layers of Protection should be truly independent of each other, with no interdependent  behavior. The probabilities of failure of the protection layers must be calculated or estimated correctly. The correct cause-consequence pairs must be selected for analysis. The cause-consequence pair will be the outcome of another risk assessment technique such as HAZOP, which must be itself done well in order to get meaningful information that can be used in LOPA.

A sample template for LOPA is given below. We have considered 5 layers of protection.LOPA

To learn more about LOPA, please download the Abhisam Safety Instrumented Systems e-learning course, which explains the technique in detail, with real life examples.  The Safety Instrumented Systems e-learning course, will help enable  you to learn all about Functional Safety, SIL (Safety Integrity Level), the Safety Lifecycle,  SIL calculations, FMEDA, Layer of Protection Analysis, Design and Maintenance of Safety Instrumented Systems and much more!


1 thought on “LOPA-Layer of Protection Analysis technique

Comments are closed.