
PROCEDURE

Layers of Protection (LOPA) Analysis Procedure

DIR Number: 10000011322 Printed: 21/11/2017 03:49 PM


DIR Version: 00 DIR Status: RL
Location: All Sites Page 1 of 24
Printed copies of this document are uncontrolled unless contained in a site manual.
Contents

1 Purpose
2 Scope
3 Background
4 Responsibilities
4.1 Chief Officer
4.2 Project Manager / Location Manager
4.3 Engineering Authority
4.4 Technical Authorities
4.5 LOPA Study Leader
4.6 LOPA Study Scribe
4.7 LOPA Study Team members
5 LOPA Study Preparations
5.1 LOPA Study Terms of Reference
5.2 LOPA study team selection
5.3 LOPA Study Leader
5.4 LOPA Study team Roles
5.5 LOPA Study Team Composition
5.6 LOPA Study Schedule and facilities
5.7 LOPA Study Documentation Requirements
6 Conducting the LOPA Study
6.1 LOPA Team briefing / orientation
6.2 LOPA Study Methodology
6.3 Hazardous Events
6.4 Determine Causes of Hazardous Event
6.5 Determine the Severity of the Hazardous Event
6.6 Determine the Initiating Cause Frequency
6.7 Identify the Safeguards and Determine the Independent Layers of Protection
6.8 Estimate the Probability of Failure for each Independent Layer of Protection
6.9 Calculate the Likelihood of Occurrence of the Hazardous Event
6.10 Compare the Likelihood of the Hazardous Event to Acceptance Criteria
6.11 Propose Recommendations
7 Records
7.1 LOPA Study Record
7.2 LOPA Study Report
7.3 LOPA Study Action Close Out and Close Out Report
7.4 Record Keeping
8 Training and Competence
9 Related documents
10 Definitions
11 Document Version Information

List of Appendices

Appendix A LOPA Process Map
Appendix B LOPA Worksheet
Appendix C Initiating Cause Frequency
Appendix D Probability of Failure for Independent Layers of Protection

List of Tables

Table 1: LOPA Study Level Criteria
Table 2: LOPA Study Levels and LOPA Study Leader Experience Requirements
Table 3: Examples of Initiating Causes

1 Purpose
The purpose of this procedure is to specify responsibilities and the procedural
requirements for conducting Layer of Protection Analyses (LOPA) on Contact’s assets that
produce, transport, store or consume either energy, toxic or hazardous materials over their
lifetime from inception or acquisition through operating life to disposal or decommissioning.

2 Scope
This procedure is applicable to all Contact sites and facilities and applies to the entire
lifecycle of a facility. LOPA analysis is required when HAZID or HAZOP studies identify a
consequence ranking of 5 or 6 on the Contact Risk Tool Kit matrix.
The procedure is applicable to Greenfield and Brownfield projects, as well as modifications
to existing facilities, and as part of retrospective reviews of existing facilities.
Reference should be made to Asset Safety Lifecycle Management System Standard (SAP
DMS 10000014452) which outlines when LOPA studies shall be conducted, and the
relationship with other Process Hazard Analysis studies that shall be conducted on
Contact’s process equipment.

3 Background
LOPA studies consider the likelihood of a Major Accident Event (MAE) initiating and the
probability of failure of the safeguards in place. The outputs of HAZID and HAZOP studies
provide the process safety related hazard MAE scenarios.
LOPA studies are applied to previously identified process safety related hazards within a
proposed or operational facility or activity. The LOPA study is a semi quantified risk
analysis tool that analyses potential MAEs providing a risk numerical exposure level that
can be compared with the company risk tolerance criteria and the exposure level of other
potential MAEs.

4 Responsibilities

4.1 Chief Officer


The Business Unit Chief Officer’s responsibilities are as specified in the Asset Safety
Lifecycle Management System Standard. These responsibilities may be delegated to the
appropriate General Manager.

4.2 Project Manager / Location Manager


The Project Manager or Location Manager responsibilities are as specified in the Asset
Safety Lifecycle Management System Standard.
Additional to the requirements of the Asset Safety Lifecycle Management System
Standard, the Project Manager/Location Manager shall:


 Ensure there is a schedule for ongoing LOPA in place for the facility and all
processes on the site. The schedule shall be agreed with the Engineering Authority;
 Discuss with and agree individual LOPA study details with the Technical authority –
details shall include but not be limited to:
o Study Terms of Reference (TOR);
o Study Team Leader and team composition;
o Study report including all actions initiated, action owners and timings for closure;
o Study action close out when completed.
 Discuss with and agree LOPA study planning, action, report and close out details
with the Engineering Authority when required and appropriate.

4.3 Engineering Authority


The Business Unit Engineering Authority responsibilities are as specified in the Asset
Safety Lifecycle Management System Standard.

4.4 Technical Authorities


Additional to the requirements of the Asset Safety Lifecycle Management System
Standard, the Technical Authority shall:
 Discuss and agree the TOR for LOPA studies with the location/project manager and
the Group Technical Authority as required;
 Ensure that suitably qualified LOPA Study Leaders are appointed or engaged to lead
LOPA studies;
 Select LOPA study team members with required experience and competence;
 Ensure the LOPA study documentation requirements are met;
 Ensure that the LOPA study team members have the necessary documentation and
time to review documentation prior to the LOPA Study;
 Ensure that all LOPA records (e.g. study worksheets, marked-up LOPA Master
Drawings, and reports) are managed within a business-approved document control
system;
 Provide LOPA study reports to location/project managers and Group Technical
Authority for review and comment;
 Ensure that identified LOPA recommendations are assigned and actions tracked to
close out;
 Prepare and issue LOPA study close out Reports, referring to and discussing with
Location Manager and Group Technical Authority/ Engineering Authority as required
and appropriate.

4.5 LOPA Study Leader


The LOPA Study Leader shall:
 Review the Terms of Reference for the LOPA Study and clarify with Technical
Authority as required;
 Ensure that documentation provided is of an acceptable quality to conduct the LOPA
Study;
 Ensure the LOPA Study is conducted in accordance with this procedure;
 Ensure that the LOPA minutes and report are a true reflection of the Study; and
 Ensure that the reported close out actions are consistent with the actions identified in
the Study. (Note: This function may be performed by an appropriate Technical
Authority in the absence of the LOPA Study Leader.)

4.6 LOPA Study Scribe


The LOPA Study Scribe is responsible for:
 Recording the LOPA Study accurately; and
 Preparing the LOPA Study report.

4.7 LOPA Study Team members


LOPA study team members are responsible for:
 Reviewing the LOPA study TOR prior to the study;
 Reviewing the documentation provided prior to the LOPA study;
 Actively participating in the LOPA study, providing input commensurate with their
level of experience and expertise; and
 Completing and closing out assigned actions arising from recommendations from the
LOPA study.

5 LOPA Study Preparations

5.1 LOPA Study Terms of Reference


The Technical Authority shall create the TOR for the LOPA study. The TOR for the LOPA
study shall be agreed with the location/project manager and will require agreement by the
Group Technical Authority for studies of Level 2 and by the Engineering Authority for
studies of Level 3 (see Table 1, LOPA study level).


Table 1: LOPA Study Level Criteria

Level    Process Difficulty
Level 0  Simple plant or process units, utilities and ancillaries.
Level 1  Simple plant or process units and minor plant modifications.
Level 2  Plant or process units of an intermediate complexity and major plant modifications.
Level 3  Detailed and complex plant or process units, and plant modifications with considerable process impact.

A LOPA Study TOR document shall include as a minimum:

 Scope of LOPA study;


 Objectives of LOPA study;
 Risk tolerance Criteria;
 Any screening criteria to determine which scenarios will be analysed;
 Team Composition, including individuals roles in the LOPA study; and
 LOPA study recipients.
In addition, the TOR may include the study administrative arrangements, proposed
guidewords, and the templates that may be used during the Study.

5.2 LOPA study team selection


The Technical Authority shall co-ordinate the selection of the team as specified in the
LOPA study TOR, referring as required to the Project/Location Manager and the
Engineering Authority.

5.3 LOPA Study Leader


A suitably qualified LOPA Study Leader shall be selected or engaged by the Technical
Authority in accordance with the LOPA study level specified in Table 1 above and the
experience requirements specified in Table 2 (next page).
The LOPA Study Leader shall be independent of the project or facility being studied, i.e.
not have direct responsibilities in the execution of the project or the operation of the facility.
In situations of potential conflict of interest, perceived or otherwise, the Location Manager /
Project Manager and Engineering Authority shall decide on suitability.


Table 2: LOPA Study Levels and LOPA Study Leader Experience Requirements

Level 0
  Process Difficulty: Simple plant or process units, utilities and ancillaries.
  Typical Experience Level: 0 – 2 years working experience, or have participated in 3 HAZID studies of the same type or less.

Level 1
  Process Difficulty: Simple plant or process units and minor plant modifications.
  Typical Experience Level: 3 – 4 years working experience, or have participated in 10 HAZID studies of the same type or less.

Level 2
  Process Difficulty: Plant or process units of an intermediate complexity and major plant modifications.
  Typical Experience Level: Professional Engineer level, or 5 – 10 years working experience, or have led 10 HAZID studies or less.

Level 3
  Process Difficulty: Detailed and complex plant or process units, and plant modifications with considerable process impact.
  Typical Experience Level: Lead Engineer or Engineering Manager level, or 10+ years working experience, or have led 10+ HAZID studies.

5.4 LOPA Study team Roles


The LOPA Study team shall consist of personnel with a good understanding of the process
and plant to be reviewed and should consist of at least five (5) members, including the
LOPA Study Leader and Scribe.
A LOPA Study session should not involve more than 10 participants (including LOPA Study
Leader and Scribe).
As a minimum the following roles shall be included in the LOPA Study Team and must be
in attendance at all LOPA sessions:
 A LOPA Study Leader;
 A LOPA Study Scribe who is familiar with the technology and terminology of the
study and competent to record the proceedings with minimum of direction from the
LOPA Study Leader;
 An Engineer who has an understanding of the process/facility design and
process intent;
 An Operations Representative who has appropriate operating experience in the type
of process or the facility under study; and
 An Instrument / Control Engineer who can provide information about overall control
and safeguarding philosophy, interlocks and alarms, plant shutdown system and
other Safety Instrumented Systems.

5.5 LOPA Study Team Composition


The actual composition of the LOPA study team will vary according to the type of plant and
process being reviewed and, in the selection of the team, consideration should be given to
the following expertise:


 Independent Engineer i.e. not directly involved with the project or facility under study,
with appropriate knowledge and experience in the type of process under study: role
is to question process design assumptions, ensure design is to appropriate
standards, advise the team about process technology, and assess likely causes and
consequences of identified hazards.
 Plant Engineer with understanding of operation of the facility under study: role is to
provide information about compatibility with existing plant, site utilities, plant layout,
and maintainability and reliability requirements.
 Maintenance Representative with appropriate experience in maintaining the type of
process or the facility under study: whose role is to provide information about
maintenance practices, potential issues and constraints.
 Instrument / Control Engineer: role is to provide information about overall control and
safeguarding philosophy, interlocks and alarms, plant shutdown system and other
Safety Instrumented Systems, e.g. Fire & Gas detection.
 Mechanical Engineer with appropriate experience in mechanical design, operation
and maintenance of equipment under study: role is to provide information about
specialist mechanical advice on potential issues and constraints etc.
 HSE Safety Advisers: role is to provide information about facility HSE systems,
standards, and information e.g. safety equipment, emergency response procedures,
previous incidents, environmental requirements etc.
 Reliability Engineer or Asset Team Member with appropriate experience in managing
asset inspection and management programs for the type of process or the facility
under study.
 Technical representative for licensed technologies and/or vendor package: role is to
provide specialist input and consideration of potential hazards.
 Other technical expertise as necessary.
An individual LOPA Study team member may cover more than one of the roles listed
above.

5.6 LOPA Study Schedule and facilities


The Technical Authority is responsible for planning and preparation for the LOPA Study in
consultation with the LOPA Study Leader as required.
LOPA Preparation should include the following:
 Development of a formal schedule showing the times and durations of the study
sessions, as well as required study team members;
 Listing of documents to be included in the review, including drawing and document
numbers, and revision numbers and dates; and
 Selection of the study location. This should be based on location of design
information, team members, or the facility to be reviewed. The study room should be
of sufficient size to comfortably accommodate the study team and any specialist
advisors, with sufficient working space for team members.

5.7 LOPA Study Documentation Requirements


Relevant documentation shall be made available for the LOPA study.
Key documents that shall be available during a LOPA Study are:
 References from which the initiating causes are to be sourced. E.g. HAZOP or
HAZID documentation;
 Piping and Instrumentation Diagrams (P&IDs);
 Failure Rate (probability data) and event (frequency data) references;
 Process description containing operating parameters, flow rates, volumes, etc., as
well as a brief summary of how each plant item functions, and any specific
maintenance requirements;
 Details of vendor packages, if applicable;
 Plant layout diagrams;
 Details of other existing PHA Studies (e.g. LOPA, QRA, Consequence Modelling)
that are relevant;
 Information on relevant incidents at the facility or similar facilities;
 This LOPA Procedure;

6 Conducting the LOPA Study

6.1 LOPA Team briefing / orientation


At the commencement of the study, the LOPA Study Leader shall orient the team, to
ensure that study team members are provided with sufficient background and context to
valuably contribute. This should include:
 The study scope, objectives and expectations;
 LOPA study methodology;
 A thorough briefing on the design and operation of the facility;
 Ground rules for the study and expectations of team members; and
 Study location specific information (e.g. venue emergency procedures and amenities
and timing of breaks, etc.).
In addition, the LOPA Study Leader may ask study team members to initially raise and
discuss:
 Known risks and hazards; and
 Previous experience and incidents.

6.2 LOPA Study Methodology


LOPA is executed with the study team following Figure 1 for all identifiable
hazardous events.
The findings, assumptions, calculations, decisions and recommendations of the team shall
be recorded on a LOPA worksheet – see Appendix B.

Figure 1: LOPA analysis Flow Chart

1. Determine the Initiating Causes of a Hazardous Event.
2. Determine the Severity of the Hazardous Event.
3. Determine the likelihood of each Initiating Cause and express it as a frequency per year.
4. Identify controls and determine the independent layers of protection.
5. Estimate the probability of failure for each independent layer of protection.
6. Estimate the likelihood of the hazardous event by multiplying the initiating cause frequency
by the probability of failure of all the independent layers of protection.
7. Compare the likelihood of the hazardous event occurrence with the risk acceptance criteria.
8. Make recommendations as necessary.

6.3 Hazardous Events


LOPA is not a tool for developing hazardous events; event scenarios need to be identified
before LOPA can begin.
Scenarios may be obtained from the following sources: HAZOP studies, HAZID studies,
What If studies, FMEAs, experience, checklists and past incidents. Consequences
identified during HAZOP studies are hazardous events where their severity exceeds the
Contact Risk Criteria. Note: un-mitigated risk is being considered here.
Each hazardous event shall be entered on the LOPA worksheet; the event factors
included in the worksheet are then decided, investigated and included in the calculation of the
likelihood of the MAE happening.

6.4 Determine Causes of Hazardous Event


If multiple Initiating Causes are identified for a defined hazardous event, they are treated
individually and the likelihood of each cause is then added to determine the overall
likelihood of the hazardous event.
Typical Initiating causes that can lead to a Hazardous Event are displayed in Table 3.
Table 3: Examples of Initiating Causes

External Events
  Natural external events: earthquakes; tornadoes; hurricanes; floods; high winds; lightning.
  Human external events: major accidents/incidents in adjacent facilities; incidents in adjacent
  processes; incidents within the process; mechanical impact by motor vehicles.

Equipment Failures
  Mechanical failures: corrosion; vibration; erosion; flow surge or hydraulic hammer;
  seal/gasket/flange failure; relief device stuck open; puncture; fracture; fabrication defects;
  brittle fracture.
  Control systems failures: sensor failure; logic solver failure; final element failure; field wiring
  failure; communication interface failure; software failures or crashes.
  Utility failures: interruptions to the supply of pneumatics, electricity, fuel gas, nitrogen, water,
  cooling medium, etc.

Human Failures
  Operational error; maintenance error; critical response error; programming error.

6.5 Determine the Severity of the Hazardous Event

The severity of the hazardous event should be described and the consequence rating
should be determined using the Contact Risk Matrix. It is important that the final likelihood
result is appropriate for the consequence being analysed.

6.6 Determine the Initiating Cause Frequency

The Initiating Cause Frequency needs to be expressed as a number of “times per year”. This
value may be derived from actual Contact data, industry data or team judgement and
experience. The justification for the estimate needs to be clearly documented.
The team needs to gather data on how often the activity occurs or how often the Initiating
Cause occurs. The LOPA study team can use Contact incident data or draw on their
experience and knowledge of incidents within Contact or within the industry. The LOPA
study team can also use the Initiating Cause Frequency guidelines provided in Appendix C;
these have been compiled using generic industry data and LOPA literature.
It is helpful during the Initiating Cause Frequency discussion to consider that this is the
likelihood of the undesirable event without any controls.
Conditional Modifiers
When considering the likelihood of a hazardous event it will often be appropriate to modify
the frequency of an event for factors such as:
 Time at risk (for processes that occur for only part of a year);
 Occupancy:
o If the consequence requires people to be in the vicinity;
o Restricted access reducing exposure of personnel.
 Ignition probability;
 Vulnerability (event may not result in the consequence);
 Location;
 Environmental factors;
 Experience level of operators.
The basis for any such modifier must be documented and when applied to an event must
be noted on the LOPA worksheet.
Example 1: Liquid into a compressor leading to a fire/explosion during compressor start-up.
Initiating Cause Frequency comment: The compressor is shut down for maintenance once
every two years (0.5 times per year). Site experience is that liquid has been present in the
compressor during this activity, so the probability of getting liquid into the compressor during
the start-up was taken as 1. The probability of liquid in the compressor leading to a
major incident is one in ten, as it is a large centrifugal compressor and, unlike a
reciprocating compressor, a centrifugal compressor can cope with a degree of liquid.
Initiating Cause Frequency = 0.5 x 1 x 0.1 = 0.05 per year

Example 2: Pump leak leading to a fire/explosion during normal operation.
Initiating Cause Frequency comment: The pump operates continuously and is only taken
out of service for maintenance once every three years. The pump is five years old and has
no history of issues or failures. Industry data for pump failure is once every ten years.
The group agreed to use an Initiating Cause Frequency of 0.1 per year (as per Appendix C).

6.7 Identify the Safeguards and Determine the Independent Layers of


Protection

The LOPA study team should note any safeguards or controls identified during preceding
HAZID and HAZOP studies and confirm whether these meet the requirements of an
Independent Protection Layer (IPL). Note that not all safeguards or controls will be IPLs.
An Independent Protection Layer is defined as any independent mechanism that reduces
risk by control, prevention or mitigation (AS IEC 61511.1-2004 § 3.2.59).
Protection layers that perform their function with a high degree of reliability may qualify as
Independent Protection Layers (IPL).
The criteria to qualify a Protection Layer (PL) as an IPL are:
1. The protection provided reduces the identified risk by a large amount, that is, a
minimum of a 10-fold reduction.
2. The protective function is provided with a high degree of availability (90% or greater).
3. The protection layer has the following important characteristics:
a) Specificity: An IPL is designed solely to prevent or to mitigate the consequences
of one potentially hazardous event (e.g., a runaway reaction, release of toxic
material, a loss of containment, or a fire). Multiple causes may lead to the same
hazardous event; and, therefore, multiple event scenarios may initiate action of
one IPL.
b) Independence: An IPL is independent of the other protection layers associated
with the identified danger.
c) Dependability: It can be counted on to do what it was designed to do. Both
random and systematic failure modes are addressed in the design.
d) Auditability: It is designed to facilitate regular validation of the protective
functions. Proof testing and maintenance of the safety system is necessary.
During LOPA discussions on whether a control is independent, it is important to consider if
there are common modes of failure.
Example 1:
If two controls require manual intervention by the same Operator then they are not
independent and need to be considered together with the Operator actions as one layer of
protection.
Example 2:
An instrumented system such as a level device may provide level indication, an alarm and
a shutdown, but if the level tapping becomes plugged then the indication, alarm and
shutdown will not prevent the undesirable event. These controls have a common mode of
failure and need to be considered as the one layer of protection.
Additional Mitigation
Mitigation systems and arrangements that reduce the severity of the Impact Event but do not
prevent it from occurring may be applicable in a LOPA study.
Mitigation layers can be:
 Structural such as blast walls, bunds, dikes, pressure relief devices, smoke proof
doors;
 Systematic such as deluge systems, evacuation alarms, illuminated escape routes;
and
 Procedural such as practised evacuation procedures.
The LOPA team should determine whether there are applicable additional mitigations and
whether any of them qualify as independent protection layers. They are entered on the LOPA
worksheet.

6.8 Estimate the Probability of Failure for each Independent Layer of


Protection

The LOPA Study team need to establish and document the probability of failure for each
Independent Protection Layer (IPL). The probability for each layer is to be entered on the
LOPA worksheet. This includes the probability of failure of additional mitigations.
The probability of failure of a protection layer is termed “Probability of Failure on Demand” (PFD).
Guidelines on Probability of Failure are available in Appendix D. Alternative values may be
used at the discretion of the LOPA study team, provided the basis is documented clearly in
the LOPA study.
The team needs to document the associated justification for the probability of failure
assigned.

6.9 Calculate the Likelihood of Occurrence of the Hazardous Event

The Likelihood of the hazardous event is calculated by multiplying the Initiating Cause
Frequency by the Probability of Failure of each Independent Protection Layer (IPL):
Likelihood = Initiating Cause Frequency x Probability of Failure for IPL1 x Probability of Failure
for IPL2 x Probability of Failure for IPL3, etc.
Where there is more than one cause for a Hazardous Event, the mitigated frequency of each
cause is added to give the overall frequency of the undesired outcome:
Likelihood = (Initiating Cause Frequency for Cause 1 x Probability of Failure of its IPLs) +
(Initiating Cause Frequency for Cause 2 x Probability of Failure of its IPLs)
For example: Vessel overfill frequency = frequency of overfill when pumping from a ship
+ frequency of overfill when pumping from a truck. In this example different
IPLs would be involved for the two Initiating Causes.
For each hazardous event scenario, the group should review the final outcomes and
ensure the numbers being used are logical and defensible.


The LOPA analysis is an order of magnitude frequency assessment; LOPA is used to
compare hazardous events and determine which hazardous events are well controlled and
which hazardous events need further recommendations.

6.10 Compare the Likelihood of the Hazardous Event to Acceptance Criteria

The team will compare the final calculated likelihood of the undesired outcome to the
company risk tolerance criteria and or regulatory requirements determining if further risk
reduction is needed.
If the risk is greater than the company risk tolerance then:
1. The likelihood of one or more initiating causes occurring must be reduced; or
2. The probability of failure of one or more of the independent protection layers must be
reduced; or
3. An additional Independent Protection Layer is required.
Note that, with likelihood calculated in engineering units as powers of base 10, the SIL
level requirement for options 2 and 3 above is determined by the power-of-ten difference between the
calculated likelihood and the tolerance criteria. For example, with a calculated likelihood of 10^-7 and a
company risk tolerance of 10^-9 there is a SIL 2 requirement for a reduced IPL PFD or an
additional IPL.
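The calculation in sections 6.9 and 6.10 carried through for the vessel overfill example, as an added illustration that is not part of the procedure. The scenario, the two causes, their credited IPLs and the tolerance figure are constructed; the frequencies and PFDs are order-of-magnitude values of the kind tabulated in Appendices C and D, and the power-of-ten gap is interpreted as the procedure's SIL requirement.

```python
"""LOPA likelihood and tolerance comparison (sections 6.9 and 6.10).
Added example; the scenario values below are constructed for illustration."""
import math
from dataclasses import dataclass, field


@dataclass
class InitiatingCause:
    name: str
    frequency: float                 # initiating cause frequency, events / year
    ipl_pfds: list = field(default_factory=list)  # PFD of each IPL credited for this cause

    def mitigated_frequency(self) -> float:
        # Section 6.9: Likelihood = cause frequency x PFD(IPL1) x PFD(IPL2) x ...
        return self.frequency * math.prod(self.ipl_pfds)


def scenario_likelihood(causes) -> float:
    # Several causes of one hazardous event: their mitigated frequencies add.
    return sum(c.mitigated_frequency() for c in causes)


def dominant_cause(causes) -> str:
    # The cause contributing most to the sum is where an extra IPL (or a lower
    # PFD on an existing one) buys the most risk reduction.
    return max(causes, key=lambda c: c.mitigated_frequency()).name


def risk_reduction_orders(likelihood: float, tolerance: float) -> int:
    """Orders of magnitude by which likelihood exceeds tolerance (0 if within it).
    Section 6.10 reads this power-of-ten gap as the SIL requirement for a new IPL
    or a reduced PFD, e.g. 10^-7 against 10^-9 gives 2. The round() absorbs
    floating-point noise so exact powers of ten are not pushed up by ceil()."""
    if likelihood <= tolerance:
        return 0
    return math.ceil(round(math.log10(likelihood / tolerance), 6))


# Constructed scenario: vessel overfill with two initiating causes and different IPLs.
VESSEL_OVERFILL = [
    InitiatingCause("Ship transfer: level control loop failure", 1e-1,
                    ipl_pfds=[0.1, 0.1]),   # alarm + operator response, SIL 1 trip
    InitiatingCause("Truck transfer: operator error", 1e-1,
                    ipl_pfds=[0.1]),        # alarm + operator response only
]
COMPANY_TOLERANCE = 1e-4   # constructed tolerance figure, events / year

if __name__ == "__main__":
    total = scenario_likelihood(VESSEL_OVERFILL)
    print(f"Scenario likelihood: {total:.1e} /yr, tolerance {COMPANY_TOLERANCE:.0e} /yr")
    print(f"Dominant cause: {dominant_cause(VESSEL_OVERFILL)}")
    print(f"Risk reduction required: {risk_reduction_orders(total, COMPANY_TOLERANCE)} order(s)")
```

With these constructed values the truck path dominates the summed likelihood, so the worksheet review in 6.10 would point at that cause first.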

6.11 Propose Recommendations

For projects the LOPA team should carefully consider whether each proposed IPL is the
optimal method for mitigating the risk of the hazardous event, taking into account the full
lifecycle cost of the IPL.
For operating equipment the LOPA team should carefully consider those hazardous events
whose calculated frequency is close to the Contact risk criteria: are additional
layers of protection required, or are there ways to reduce the probability of failure of any of
the existing layers?
When the need for further risk reduction is identified, actions shall be implemented and
recommendations made consistent with the risk management action table 2 above.
Where an additional layer of protection is to be recommended or an existing layer’s
probability of failure is to be reduced the Probability of Failure value can be assigned to the
recommendation and once the recommendation is implemented then the improved
Probability of Failure can be assigned to the improved control.
The LOPA Study Leader shall ensure that the LOPA recommendations are clear and
complete and that there is consensus from the LOPA Study team on the recommendations.
Recommendations should be:
• Written to be stand-alone (understandable without the benefit of the study report);
• Written in terms of "what needs to be done", "where it needs to be done", and "why it
needs to be done";
• Written so that recommendations are accomplishable and have a clear point of
closure;
• Where the team cannot reach consensus on a particular matter then the LOPA Study
Leader is the final arbiter.
Recommendations arising from the LOPA Study shall be assigned to the appropriate
member of the LOPA Study Team to action.

7 Records

7.1 LOPA Study Record

The LOPA Study shall be recorded in full.


Recommended actions arising from the LOPA Study shall be uniquely identifiable with
appropriate numbering.
The LOPA Study Leader shall ensure that the names, expertise of team members and
participants, and attendance for each LOPA session are documented for the LOPA Study
record.

7.2 LOPA Study Report

At the conclusion of the Study, the LOPA study report should be prepared by the LOPA
study scribe detailing:
• Administrative details, including the LOPA study team members, location and dates;
• Documents and drawings reviewed, quoting revision numbers used by the LOPA
study team;
• The LOPA study worksheets and LOPA study recommendations.

This report shall be endorsed as a true record by the LOPA Study Leader.
The report should then be issued by the Technical Authority and addressed to the recipient
identified in the TOR.

7.3 LOPA Study Action Close Out and Close Out Report

At the conclusion of each LOPA Study action, a record of the action close out shall be
prepared by the action assignee, and reviewed by the LOPA Study Leader.
By completion of the project phase, or an allotted timeframe for operating facility LOPAs, a
LOPA study close out report shall be issued by the Technical Authority.

7.4 Record Keeping

Study documents should be collected and archived for future reference, including:
• LOPA study worksheets;
• LOPA study report;
• Action close out records; and
• LOPA study close out report.

The responsibility for doing this rests with Technical Authority.


LOPA Study documentation (including initial and revised reports) shall be retained for the
life of the process facility. Study reports should be prepared and filed in accordance with
local document control procedures.

8 Training and Competence


All LOPA Study Leaders shall have completed a LOPA Study Leaders Training Course
approved by the Engineering Authority and be included on the list of approved LOPA
Leaders.
All members of the LOPA study team should have completed a Contact Energy approved
LOPA attendee's course.

9 Related documents
Employees involved with the LOPA process shall be aware of the requirements of the
following documents referenced within this procedure:
Asset integrity Directive CEN-HSE-DVE-005 SAP DMS 10000015830
Risk management Directive CEN-RM-DVE-001
Risk Management tool Kit Version 2.1
IEC / ISO 31010:2009, Risk Management - Risk Assessment Techniques
Asset Safety Lifecycle Management System Standard SAP DMS 10000014452
Process Safety Management Standard SAP DMS 10000011181
Process Safety Governance Standard SAP DMS 10000014170
Bowtie Procedure SAP DMS 10000011084
HAZOP Study Procedure SAP DMS 10000011100
HAZID Study Procedure SAP DMS 10000011320
LOPA Study Procedure SAP DMS 10000011322

10 Definitions

Common Mode Failure: A type of failure in which diverse components can be disabled by the same single cause. Failure of two or more channels in the same way, leading to a system failure (AS IEC 61511.1:2004 § 3.2.6.2).
Consequence Category: As per the Contact Risk Toolkit, consequences can be broadly categorised as harm to Personnel, Environment, Community, Property Damage or Loss (Financial), Reputation, or Legal.
Consequence Rating: As per the Contact Risk Toolkit: (1)-Minor, (2)-Moderate, (3)-Serious, (4)-Major, (5)-Critical, (6)-Catastrophic; with selection based on the explanations within the consequence descriptions of each category.
Design Intent: A clear and concise statement that explains how the process is expected to behave.
HAZID: Hazard Identification Study, refer SAP DMS 10000011320.
HAZOP: Hazard and Operability Study, refer SAP DMS 10000011100.
Independent Protection Layer (IPL): Any independent mechanism that reduces risk by control, prevention or mitigation. Specific criteria are provided in AS IEC 61511.3:2004 § F.9.
Likelihood: The chance that an event will occur – interchangeable with Probability. Measured in the number of events that can be expected per year for continuous exposure, or in the number of repetitions before the event occurs in non-continuous exposure.
Parameter: The relevant parameter for the condition(s) of the process (e.g. pressure, flow, temperature, composition).
Probability of Failure on Demand (PFD): A value that indicates the probability of a system failing to respond to a demand. The average probability of a system failing to respond to a demand in a specified time interval is referred to as PFDavg.
Probability: A measure of how often a particular event will happen if something is being done repeatedly – interchangeable with Likelihood. Measured in the number of events that can be expected per year for continuous exposure, or in the number of repetitions before the event occurs in non-continuous exposure. Can be expressed as decimal fractions or in engineering units.
Safety Instrumented Function (SIF): A function implemented by a SIS, other technology safety-related system or external risk reduction facilities, which is intended to achieve or maintain a safe state for the process, in respect of a specific hazardous event.
Safety integrity level (SIL): Safety Integrity Level is a measure of the quality or dependability of a system which has a safety function – a measure of the confidence with which the system can be expected to perform that function. Safety integrity level 4 has the highest level of safety integrity; safety integrity level 1 has the lowest.
Safety instrumented system (SIS): A form of process control implemented in industrial processes to achieve or maintain a safe state of the process when unacceptable or dangerous conditions are detected.

11 Document Version Information

Authorised for use: Brendan Bleasdale
Author: John Rickerby
Owner: Peter Moffat
Document Approver: Brendan Bleasdale
Unique Document Number: 10000011322
Date of first Issue:
Review due date:

Current Version Number | Date | Synopsis of amendments to previous version (brief commentary noting section)
00 | 9 March 2016 | First Issue

Appendix A LOPA Process Map

[Swimlane process map; phases from left to right: Initiation, Preparation, Review, Execution, Reporting, Close out. Activities recovered per role, in phase order:]

Engineering Authority:
• Discuss and approve when risk potential is high or extreme (Terms of Reference, Study Report, Action Close out)

Facility Manager / Project Manager:
• Discuss and approve LOPA Study Terms of Reference (TOR)
• Approve LOPA Study Leader and Team Selection
• Approve LOPA Study Report quality
• Approve LOPA Study Action Close out quality

Technical Authority:
• Issue LOPA Study Terms of Reference (TOR)
• LOPA Study Leader, Scribe and Team Selection
• LOPA Study Preparation (documentation, venue, resources, team identification)
• Monitor LOPA Study quality if not one of the Study Team
• Issue LOPA Study Report
• Issue LOPA Closeout Report (recipients identified in TOR)

LOPA Study Leader:
• LOPA Study Preparation (review documents, TOR, venue, team make-up)
• Team Briefing (TOR, documents, venue, sessions)
• Lead / facilitate LOPA Study
• Review and endorse LOPA Study Report
• Review LOPA Study Action Closeouts

LOPA Study Scribe:
• LOPA Study Briefing (TOR, documents, venue, sessions)
• Participate in LOPA Study
• Record LOPA Study
• Prepare LOPA Study Report

LOPA Study Team:
• LOPA Study Briefing (TOR, documents, venue, sessions)
• Participate in LOPA Study
• Address and close LOPA Actions

Appendix B LOPA Worksheet

Worksheet header fields:
• Hazardous Event Description
• Severity
• Conditional modifiers applied to Initiating causes
• Additional mitigations included in protection layers

Worksheet columns (one row per initiating cause):
• Initiating Causes: Describe
• Initiating Cause Frequency: Calculate
• Protection Layers PL1, PL2, PL3, PL4: Describe PL; Enter PFD for PL1, PL2, PL3, PL4
• Mitigation 1, Mitigation 2: Describe PL; Enter PFD
• Event Likelihood: Calculate
• Company risk tolerance: Enter
• Event likelihood / risk tolerance delta: Calculate
• Comment / recommendation

Appendix C Initiating Cause Frequency
The Initiating Cause Frequency can be based on actual failure rate data, site incident history,
industry typical data or team judgement. Industry typical data is listed below.

Cause | Likelihood of Failure (Events / Year)
Control loop failure | 1 x 10^-1
Regulator failure | 1 x 10^-1
Human error (routine task undertaken once per day) | 1 x 10^-1 per opportunity
Human error (routine task, once per month) | 1 x 10^-1 per opportunity
Human error (non-routine task, low stress) | 1 x 10^-1 per opportunity
Well trained operator failure to execute routine procedure (low stress, low fatigue) | 1 x 10^-2 per opportunity
Lockout/tag-out procedure failure | 1 x 10^-3 per opportunity
Pressure vessel residual failure | 1 x 10^-6
Piping full failure per 100 m | 1 x 10^-5
Piping 10% leak per 100 m | 1 x 10^-3
Atmospheric tank failure | 1 x 10^-3
Gasket/packing failure | 1 x 10^-2
Hose failure | 1 x 10^-1
Exchanger tube failure | 1 x 10^-1
Pump failure | 1 x 10^-1
Compressor failure | 1 x 10^-1
Cooling water service failure | 1 x 10^-1
Diesel engine over-speed with casing failure | 1 x 10^-4
External impact (e.g. backhoe, crane or vehicle) | 1 x 10^-2
Crane lift failure | 1 x 10^-4 per lift
Lightning strike | 1 x 10^-3
Safety valve fails open | 1 x 10^-2
Small external fire (all causes) | 1 x 10^-1
Large external fire (all causes) | 1 x 10^-2

Appendix D Probability of Failure for Independent Layers of Protection

Safeguard | Estimated Probability of failure | Comment
SIL level 0 | 1 to 0.1 | To meet the required SIL level, controls must be manufactured and tested to the required specifications
SIL level 1 | 0.1 to 0.01 | Typically consists of a single sensor, single logic processor and single final element
SIL level 2 | 0.01 to 0.001 | Typically consists of multiple sensors, multiple channel logic and multiple final elements
SIL level 3 | 0.001 to 0.0001 | Requires specialist design and frequent proof testing
Basic control loop | 0.1 |
Alarm and operator response | 0.1 | Operator would need to have more than ten minutes to respond to the alarm
Emergency Response Plan | 0.1 | Includes evacuation, emergency services, fire fighting facilities
Deluge system | 0.1 (1 to 0.1) |
Fire proofing | 0.1 |
Blast Wall | 0.1 |
Bunding | 0.1 |
Flame Arrestors | 0.01 | If properly designed, installed and maintained, should eliminate potential for flashback through piping system or vessel.
Excess Flow Valve or non return valve | 0.1 | If clean service and tested
PSV | 0.01 (0.1 to 0.001) | PSV probability of failure should be determined based on testing frequency and previous testing results. Factors such as type of service and age need to be considered.
Procedure | 0.1 | Consideration should be given to training and to the routine or non-routine nature of the procedure. Additionally, stress and fatigue should be considered when estimating the probability of failure. Procedures that involve signed checklists and multiple operators can be assigned 0.01 if this can be justified.
