LOPA Red Flags

Layers of Protection Analysis (LOPA) is a key technique to quantify the risks of a process scenario and provide insight into where controls need to be added and whether they are justified. After the Buncefield incident in 2005, the UK HSE issued a recommended practice guide as part of the Process Safety Learning Group (PSLG) investigation report. This guidance was the genesis of the advanced form of LOPA which "couches" scenarios as a bowtie and structures the assessment within that framework. There are other formulations of LOPA that are equally effective; however, all can be misused, abused or mistreated - this is the nature of risk assessment. A poor quality LOPA can lead to:

  • Incorrect capital allocation to resolve risk
  • High or low SIL levels for SIFs (compared to what is needed)
  • Missing safety critical elements and assurance processes

Learnings for LOPA

Below are some of the learnings and red flags I have developed over the years from executing LOPAs, reviewing my colleagues' LOPAs, auditing and training in the topic. There are 4 broad areas of comment:

  1. Suggestions around LOPA Infrastructure - before the review
  2. Application of the technique.
  3. What to do with the outcome
  4. Red flags for auditors and regulators

Setting yourself up for Success - Before the Review

  1. LOPA Procedure & rule set - This is a critical piece of your LOPA puzzle. The procedure will define how you apply your methods, standardise the data you will use, and define how specific classes of situations should be handled.  A procedure helps you to develop consistency in your assessments. Your process safety or LOPA technical authority should be the gatekeeper for requests to deviate from the procedure. Often there is a lot of thought that goes into these procedures and control of change is needed.
  2. There are many data references out there on how data can be applied to a LOPA study. The Centre for Chemical Process Safety (CCPS) guide or the OREDA handbook are examples. These types of references can become a smorgasbord of possibilities to reduce your risk numbers. Be careful when selecting data and ensure you justify the numbers you use.
  3. LOPA vs Risk Graph - in many countries LOPA has become the main technique for assessing the need for Safety Instrumented Functions (SIFs). LOPA is scenario focused, Risk Graphs tend to be SIF focused and they naturally do not look at the "big picture" accounting for other Independent Protection Layers (IPLs), Initiating Events (IEs) and other risk reducing factors. I have seen many historical risk graphs that have led to a misleading and incorrect result. This has occurred because human error or additional causes have not been brought into the analysis.
  4. Scenarios - do not LOPA scenarios that are managed by conventional Process Safety Management (PSM) techniques. Scenarios developed in your HAZOP that identify draining, isolations, venting or corrosion/ erosion as causes should be handled by applying good PSM practice. Also, LOPA should be performed on an event that can occur on a specific piece of equipment and not several pieces of equipment at the same time. For example if you are assessing the likelihood of rupturing a vessel and there are several identical vessels, your assessment should keep to the specific vessel. If you need to aggregate or cumulate the risk, do this outside the scenario. Data selection (particularly enabling events and conditional modifiers) for cumulative scenarios is complex and hard to manage.
  5. Can HAZOP and LOPA be done at the same time or at the conclusion of the HAZOP? - HAZOP tends to have a lot of "possibles" and "probables" that need further thinking and work before a LOPA is attempted. For example, is the scale of the event understood, or does the IE frequency need a discussion with site? Are all causes/IEs credible? There is benefit in keeping the review team together, however there is a risk that the LOPA requires several revisions to get it right. If logistics allow, a break of 1-2 weeks gives time for this pre-work to be done and reduces the need for multiple revisions.

Application of the Technique

  1. Initiating Events (IE) - the main types of initiating events are equipment, control/ instrument failures and human error. External events such as earthquakes, impact or corrosion should not be included in a LOPA. A good test is to assess if there are existing or proposed protection layers (IPLs) available to reduce the risk. External events do not have IPLs. These causes should be managed outside of a LOPA (PSM/ qualitative assessments). In my experience approximately 30-50% of causes/ IEs identified in a HAZOP are not appropriate to move across to a LOPA. 
  2. Independent Protection Layers (IPLs) - These must be independent, specific to the IE, and have assurance processes in place. If you are crediting an IPL that involves an operator response, ensure this person and the equipment are independent of the IE and other IPLs.
  3. Do not overuse conditional modifiers (CMs) and enabling events (EEs). I personally do not allow mine to reduce below 0.1 unless there is a solid justification (e.g. backed up by consequence modelling). Overuse of CMs and EEs can lead to a reduced need for IPLs. If your "risk reduction" attributable to CMs and EEs amounts to 100 or more, then this should be reviewed and documented.
  4. Localisation of the data? - The data used within the study should reflect your local conditions, however do not build non-performing equipment/instrumentation into your study - fix the controls that are not currently performing to expectations.
  5. Double-dipping: IE frequency data may naturally include IPLs, so the IPL in this case should not be credited. For example, the failure of a double mechanical seal may be considered to occur once in 100 years. This data probably includes the presence of a seal monitoring system, so the seal monitoring system should not also be included as an IPL.
  6. Mitigation IPLs - generally do not apply as they do not meet the criteria of an IPL. A mitigation IPL acts after the loss of containment/control,  to prevent escalation. There may be specific mitigating IPLs (such as a specific drain gas detector) that do meet the requirement of an IPL, however they are rare.  Are you able to test this IPL in real world conditions to demonstrate it will work? Due to the problematic nature of mitigation IPLs, I tend to include these in the likely outcome.
  7. Do all causes identified in a HAZOP move to a LOPA? - No. This has been discussed above.
  8. Consequence Modelling - Understanding the scale of an event helps you verify your data usage for the personnel exposure and probability of ignition conditional modifiers. Doing this before the LOPA review removes the need to re-visit this at a later date.
  9. Overpressure Events - There are 2 approaches here:
    1. Only LOPA major incident rupture events that require a significant amount of overpressure to rupture. I normally consider that a significant event requires an exposure of 200% of design pressure. Many other companies apply this approach. 
    2. Consider the % of overpressure and apply an enabling event that relates the % overpressure to the likelihood of rupture - this is a less popular approach, but does exist within industry.
    3. There are other factors such as historical plant conditions, inspection records and hydrotest pressures that influence how you apply the above. I try to keep the approach as simple as practicable.

What Do I do with the Results?

  1. Assurance - IPLs and IEs need assurance processes - this means testing. Most IPLs can be tested, however, if you want to take credit for a non-return valve, determine how it can be tested/ verified. Your assurance processes should 
  2. You may or may not identify a risk gap as a result of your study. This can be closed by addition of IPLs, redesign, removal of causes etc. LOPA will help you identify the weak aspects of your scenario, so you can focus investment on where the benefit is. The bow-tie formulation is particularly powerful in this respect as it clearly highlights the main contributors to high risk.
  3. If your country has legislated "risk management" approaches, then it is generally expected that you apply what is considered good industry practice. Cost of additional IPLs is generally not a consideration if you have not applied good practice to a scenario. This is a large topic and I will not delve further into this in this blog.
  4. LOPA can facilitate the cost benefit analysis of IPL investment vs the reduction in risk. This is sometimes a controversial topic, but a practical issue for hazardous operations.  

Red Flags for Auditors, Regulators and Reviewers

  1. Challenge the use of small numbers
  2. Enabling events and conditional modifiers with a PFD of < 0.1 - need clear justification supported by evidence.
  3. Is there a procedure in place?
  4. Has use of data been justified?
  5. Have all credible IEs been considered in the study including human error?
  6. Is the IPL being tested?
  7. Are IPLs independent from the IEs?
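
Several of these red flags can be screened automatically before a human review. The sketch below is an added example, not part of the original post or of the Safety Solutions checklist: it computes the mitigated event frequency as the usual LOPA product (IE frequency x EE/CM probabilities x IPL PFDs) and applies the 0.1 and 100 thresholds given above. All class names, field names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class IPL:
    name: str
    pfd: float          # probability of failure on demand
    tested: bool        # is there an assurance (proof test) process?
    independent: bool   # independent of the IE and of the other IPLs?

@dataclass
class Scenario:
    ie_freq: float      # initiating event frequency, per year
    modifiers: dict     # enabling events / conditional modifiers: name -> probability
    ipls: list
    justified: set = field(default_factory=set)  # modifiers backed by evidence

def mitigated_frequency(s):
    """IE frequency x all EE/CM probabilities x all IPL PFDs (events per year)."""
    return s.ie_freq * prod(s.modifiers.values()) * prod(i.pfd for i in s.ipls)

def red_flags(s):
    flags = []
    for name, p in s.modifiers.items():
        if p < 0.1 and name not in s.justified:
            flags.append(f"modifier '{name}' = {p}: below 0.1 with no justification")
    reduction = round(1 / prod(s.modifiers.values()), 6)  # rounding absorbs float error
    if reduction >= 100:
        flags.append(f"EEs and CMs together reduce risk by {reduction:g}: review and document")
    for ipl in s.ipls:
        if not ipl.tested:
            flags.append(f"IPL '{ipl.name}' is credited but not tested")
        if not ipl.independent:
            flags.append(f"IPL '{ipl.name}' is not independent of the IE or other IPLs")
    return flags

# Constructed sample scenario (tank overfill); every value is illustrative only.
SAMPLE = Scenario(
    ie_freq=0.1,
    modifiers={"occupancy": 0.1, "ignition": 0.05, "time at risk": 0.5},
    ipls=[IPL("high level alarm + operator", 0.1, tested=True, independent=False),
          IPL("high-high level trip (SIF)", 0.01, tested=False, independent=True)],
)

if __name__ == "__main__":
    print(f"mitigated frequency: {mitigated_frequency(SAMPLE):.2e} per year")
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

A screen like this only catches the mechanical flags; whether the data is justified and whether all credible IEs were considered still needs a reviewer.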

We at Safety Solutions feel that because critical decisions are made from this activity, an independent check is needed on the LOPA study quality. We do this internally using the following checklist and embed this into the LOPA report. 

Download LOPA Study checklist