Subject: Layer of Protection Analysis (LOPA): Risk Evaluation for Discrete Process Scenarios
Objective: This procedure provides guidance for the evaluation of prevention and mitigation
measures which contribute to the reduction of process risks to tolerable and acceptable
limits.
Target Group: This standard applies to all employees and contractor staff working in relation with
OMV Petrom Refining. It applies to all lifecycle stages of production units from concept
to decommissioning.
Notes:
1. In the interests of simplicity and readability the language of this statement is as far as possible gender neutral. Where
applicable, the masculine includes the feminine.
2. Hardcopies of this document may not represent the current applicable standard. Check for latest document on the
Regulations Platform
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA) Page Valid as of: 111110
1 of 18 Version: v091130
OMV Petrom Refining &Petrochemicals – all rights reserved
1. Introduction
Reliable and safe operation of refinery process plants usually requires the seamless and sustainable
interaction of prevention and mitigation measures. These measures may be technical or
organizational or a combination of both. Risk evaluation is required to balance the goals of reduction
of process risks and the efforts which are needed to achieve them.
The Layer of Protection Analysis (LOPA) is a semi-quantitative methodology to evaluate the
reliability of measures which are required to prevent undesired events and to reduce the risks in
process units to tolerable or acceptable limits.
This standard provides guidance on the application of the LOPA for OMV Petrom refinery process
units. It describes the workflow of risk evaluation and defines responsibilities and requirements.
The principles of the methodology are in accordance with the requirements of IEC61511 Part 3,
Appendix F [03].
Scope of the Standard
The LOPA method may be applied to process risks arising from hydrocarbon and chemical process
facilities initiated by a discrete initiating event (single scenarios). It is not intended to be used for the
assessment of more general business risk, financial risk, and project risk as well as more complex
aggregated risks.
LOPA is not a stand-alone methodology for risk assessment, as it requires the inputs of a previous
hazard analysis for identification of hazardous scenarios and evaluation of the potential
consequences (e.g. [04], [05]). The layer of protection analysis (LOPA) shall be used if:
- the consequences of the scenario are above the following critical values (equal to or greater than
  consequence level 3 as given in the OMV Corporate HSE Standard 020 [06]):
  - Personnel: serious personnel injury
  - Economic (asset or production): loss greater than 100.000€ or shutdown of a unit
- a preliminary qualitative risk assessment yields that the risks are ALARP or not acceptable
The standard especially applies to the classification of Safety Instrumented Functions (SIF) which
are used in low demand mode [01] (e.g. emergency shutdown systems). The standard is to be used
to determine the necessary Safety Integrity Level (SIL) or Asset Integrity Level (AIL) for each SIF.
Within this framework the usage of the standard is also recommended for operational interlocks to
show their adequacy (i.e. that they are not safety relevant). (Note: SIFs which are operated in
continuous mode are quite rare in refinery process units; the principles given in [07] shall be used.)
The standard applies for existing systems as well as for planned systems. Existing SIFs which have
been classified using any other risk evaluation system (e.g. Risk Graphs [03, 08]) may remain
untouched if the following two requirements are met: there are no doubts concerning the suitability
of the classification, and related technical standards and regulations have been checked regarding
compliance.
Rationale for Refining Standard
This standard harmonizes the available approaches throughout OMV Refining with the aim to
provide best practice and to optimize the efforts needed to achieve and maintain safe and reliable
production units. It contributes to the establishment of unambiguous and sustainable tools for
decision making and thus well-aimed investments to improve the safety and reliability of Refinery
production units.
2. Regulatory Content
The Regulatory Content of this document is structured as follows:
Table of Contents
2.1 Principles of the Layer of Protection Analysis (p. 4)
2.1.1 Application & Goals (p. 4)
2.1.2 Protection layer model (p. 4)
2.1.3 Protection layer principles (p. 5)
2.1.4 Scenario modeling (p. 5)
2.2 Performance, responsibilities and roles (p. 6)
2.2.1 Performance of LOPA (p. 6)
2.2.2 Input Requirements (p. 7)
2.2.3 Responsibilities for performance of risk evaluation (p. 7)
2.2.4 Composition of the risk evaluation team (p. 7)
2.2.5 Break-off condition for LOPA assessment & nomination of representatives (p. 9)
2.3 LOPA Process (p. 9)
2.3.1 Administrative information (p. 10)
2.3.2 Scenario description (p. 11)
2.3.3 Identification of initiating events (p. 11)
2.3.4 Identify enabling conditions (p. 11)
2.3.5 Worst reasonable foreseeable consequences (p. 12)
2.3.6 Conditional modifiers (p. 12)
2.3.7 Initiating risk (p. 13)
2.3.8 Independent Protection Layers (IPL) (p. 13)
2.3.9 Calculation of residual risk (p. 13)
2.3.10 Assessment of the residual risk (p. 14)
2.3.11 Action items (p. 14)
2.3.12 Critical aspects for realization & operation (p. 15)
2.4 Documentation (p. 15)
2.5 Audit & Review (p. 15)
2.1 Principles of the Layer of Protection Analysis
Layer of protection analysis (LOPA) is a rule-based methodology. If these rules are systematically
applied the team will create very consistent and comparable results.
LOPA evaluates risk in a semi-quantitative way. This means that the values for the frequencies and
probabilities used in the calculation are representative values in the sense of their order of magnitude.
Consequently the resulting probability of a scenario has to be understood in a semi-quantitative
manner.
Typical protection layers are:
- Design of the process and plant (excluding any control or safety systems)
- Mitigation system
- Internal and external emergency response system (e.g. fire brigade, evacuation). Note: Usually
  they are not considered in the LOPA calculation.

- physical separation between different protection layers (e.g. separated conduct of wiring)
- common cause failures between protection layers (e.g. plugging of a sensor may also cause
  plugging of a relief valve)
Figure 2 Scenario development (thickness of arrows represents the likelihood of the
respective condition). [Figure not reproduced; labels in the diagram: initiating event, enabling event or state,
independent protection layers, conditional modifier, initiating risk, residual risk, top outcome (safe),
top outcome (unsafe)]
Initiating events are the starting point for a scenario. Usually this is a technical or human failure.
Enabling events or states are preconditions which are neither failures nor protection layers but
must be present so that the initiating event can develop into undesired outcomes.
Independent protection layers (IPL) are auditable measures which have the capability to hinder
the development of the scenario to the worst reasonable foreseeable outcome. They
function either by preventing further consequences (e.g. blow down to flare) or by mitigating
the severity of consequences (e.g. dike around tanks). The degree of independence
determines the degree of effectiveness of the protection layer and the credit it receives for
doing so. Within the risk analysis their effectiveness is considered in terms of reducing the
likelihood of the worst reasonable foreseeable scenario. Though mitigation measures reduce
the severity of the consequences, the worst reasonable foreseeable consequences are still
possible, but with a reduced likelihood.
Conditional modifiers (CM) are conditions or coincidences which influence the probability that
the given scenario results in the worst reasonable foreseeable consequences (e.g. probability
of ignition, probability of personnel being in the affected area). In contrast to an Independent
Protection Layer (IPL), a CM is not designed to perform an intended function in relation to the
specific scenario (e.g. camera supervision which is installed to detect any unusual
circumstances).
The initiating risk is the combination of the frequency of the initiating event which may lead to a
worst reasonable foreseeable outcome and the severity of that outcome. Relevant enabling
conditions or events as well as conditional modifiers are taken into account.
Residual risk is the combination of the severity of the worst reasonable foreseeable outcome
and the likelihood of its occurrence, taking into consideration all measures, conditions and
safeguards installed.
procedures, organization or legislation as well as if significant information becomes available (e.g.
after incidents or near misses).
- statistical information about event and failure frequencies (e.g. probability of failure of protection
  layer)
- preparation of information and documents which are required to perform the evaluation
- distribution of the risk assessment protocols for implementation of the results (e.g. realization or
  validation of classified safety instrumented functions (SIF), realization of identified action items)
- follow up of action items which have been identified during evaluation
- information of the Process Safety Engineer about planned sessions and their results
Function | Participation
Risk owner (plant manager/operations manager) | Mandatory (Note: for systems which are not clearly allocated to a distinct production unit the role of the Plant Manager shall be shifted to the Operations Manager)

For assessments during projects the team has to be amended by the following persons:

Function | Participation
Conceptual Designer, Basic Designer, Project Manager (for projects only) | One of them mandatory depending on the phase of the project (see PMS [10])
Engineering contractor (for projects only) | Technology, Process Engineering (mandatory); Electric & Control (mandatory); Project Manager Contractor (recommended)

Table 2 Team composition LOPA assessment
Usually the LOPA evaluation team largely corresponds to the HAZID team [04]. Therefore,
performance of the LOPA assessment during HAZID (e.g. HAZOP) sessions is strongly
recommended.
Risk owner (plant manager/operations manager)
The risk owner is always the person who has control over the resources needed to address the risk and
who is accountable for the residual risk. For process risk this will in most cases be the plant
manager, or the operations manager for more wide-ranging scenarios. The risk owner is the final
authority to agree on the results of the LOPA assessment (see also [06]) and approves the risk
evaluation report.
Risk evaluation team leader
A team leader shall be nominated who is responsible for leading the assessment and for checking
the risk assessment protocol. He must be familiar with the assessment procedure and must have
sufficient knowledge on process risk assessment.
If appropriate the role of the team leader can be covered by an external person. For LOPA
assessment which is done in the framework of HAZOP studies the HAZOP moderator may also take
the role of the LOPA moderator (compare also OMV Standard HAZID [04]).
Risk evaluation team
The risk assessment team shall ensure that all relevant information and knowledge is available to
evaluate the risk (i.e. hazards, possible consequences, safeguards) and to decide on the
requirement for additional actions. The accountability for the evaluation results should be aligned
with the competency of the respective person as given e.g. in their job description.
The team members should have a basic understanding of probability theory and shall be familiar
with the methodology and its rules as required by their role in the team. If the rules are not
understood and consistently applied credit for risk reduction measures may be given in the wrong
way and risks might be undervalued (safety issue) or overvalued (cost issue).
By the nomination the risk assessment team member assumes the responsibility to contribute to the
assessment with technical knowledge and expertise (e.g. failure rates, feasibility of proposed SIFs).
The accountability for results is according to the role of the team member and aligned with the
competency as given e.g. in the job description.
Figure 3 LOPA Process Overview [Flowchart not reproduced; labels: Precondition to start LOPA;
Hazard identification & evaluation (see section 2.1); Review (see section 2.2.1)]
Signatures (see also responsibilities and accountabilities 2.2.3)
- after completion of the classification the assessment shall be signed
- responsibility for checking the classification lies with the risk assessment leader; this
  comprises the formal check of the protocol and the suitability of the data entered
- responsibility for approval lies with the risk owner
- all credible outcomes should be considered (including different operation modes, e.g.
  normal operation, start-up, shutdown, maintenance, process upset, emergency shutdown)
Relevant safeguards for risk reduction
2.3.5 Worst reasonable foreseeable consequences
The consequences have to be considered for personnel, environment and assets. These
consequence categories correspond to those given in OMV Corporate standard - Risk
Assessment and Evaluation Criteria [06] as follows:
- Personnel (P) = Human: short, medium or long-term effects on the physical or psychological
  condition of people
- Environmental (E) = Environment: short, medium or long-term impacts on the environment (air,
  water, soil, fauna & flora)
- Asset (A) = Financial: short, medium or long-term losses of assets, production, sales, quality,
  or business (Note: this includes damage to assets as well as production losses)
The consequence levels which are selected shall correspond to the levels given in the Risk Matrix
for the evaluation of single scenario in OMV Corporate standard - Risk Assessment and Evaluation
Criteria [06]. (These data are already incorporated in the LOPA template to this standard [TA01]).
Consequences with respect to reputation are not considered explicitly in the LOPA, as for process
risks they are usually a subsequent loss from personnel, environmental or asset damages. In their
impact to the business they result for the most part into further financial losses (e.g. loss in revenue)
which may be considered at the Asset category of LOPA.
The level should represent the worst reasonable foreseeable outcome of the scenario without
consideration of safeguards which reduce the likelihood of occurrence. The consequences should
be assessed in a realistic manner, and relevant safeguards for mitigation shall be considered
appropriately. For example, many scenarios within a production area will only cause a single fatality,
since during normal operation only the field operator might be present. In a particular situation, e.g.
maintenance work, more people might be around, but the time they are around is limited. This
aspect has to be considered by the conditional modifiers (see 2.3.6). It is the task of the evaluation
team to assess whether the normal operating condition or any other particular situation yields the
higher initiating risk.
Financial loss calculation & relevant systems to mitigate financial risks
For asset consequences, the cost estimate on which the selection of the consequence level is
based shall additionally be given. This may include costs due to asset damage, repair, direct
and indirect production losses, compensation, etc.
For the calculation of the financial losses, relevant redundant equipment or systems dedicated to
mitigating the consequences of the respective scenario shall be considered (e.g. a redundant
circulating gas compressor by which the operation of the overall system can be continued).
Corresponding information shall be given in the LOPA protocol.
If the LOPA results in the requirement to install new or updated systems in order to reduce financial
risk the costs for installation (CAPEX) shall be calculated against the benefit for operation (OPEX)
following the principles of cost benefit analysis (see ALARP principle 2.3.10 and [06]).
Local Amendments [LA03]). (The reference data are already incorporated in the LOPA template to
this standard [TA01]).
- Independent of the initiating event and of the components of any other IPL already claimed for
  the same scenario (the potential reduction in the effectiveness of risk reduction due to common
  cause failure between the safety layers needs to be considered in the analysis)
- Auditable, which means that the assumed effectiveness in terms of consequence prevention
  must be capable of validation and/or verification by documentation, calculation, proof, review,
  testing, etc.
Within LOPA the risk reduction capability of an IPL is expressed by the probability that the IPL
fails on demand (PFD). Thus its effectiveness in risk reduction is expressed by the reduction of
the frequency with which the scenario develops to its worst reasonable foreseeable outcome. According to
this assumption SIFs can only be considered as IPLs here if operated in low demand mode (i.e. their
demand frequency is low in comparison to the test frequency).
Effective mitigation layers (e.g. redundant systems which reduce production losses) shall be
considered at the selection of reasonable foreseeable consequences.
Typical layers of protection are process design, functions of the basic process control system
(BPCS) or distributed control system (DCS), Safety Instrumented Functions (SIF), physical
protection, or post release protection.
In the protocol a description of the assumptions made on probable demand rates, equipment failure
rates, and of any credit taken for operational constraints or human intervention shall be given.
Guidance for the selection of Independent Protection Layers including reference data for their
probability of failure on demand (PFD) is given in the appendix to this standard [SU03]. The
applicability of these data has to be verified and adjusted for the respective refinery site and the
scenario under investigation (see also Local Amendments [LA03]). (The reference data are already
incorporated in the LOPA template to this standard [TA01]).
- Calculation of the safety integrity level of a safety instrumented function which would be needed
  to reduce the risk to acceptable or tolerable limits.
- Calculation of the LOPA gap:
  - LOPA gap below 1: This is the PFD which an additional protection layer needs to reduce
    the risk to acceptable or tolerable limits. Alternatively this gap may also be closed by the
    improvement of the PFD of an existing protection layer.
  - LOPA gap above 1: This is the remaining safety margin by which the PFD of an existing
    protection layer may be decreased or existing layers may be removed while still keeping
    the acceptability and tolerability limits.
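The residual-risk and LOPA-gap calculation of 2.3.9, carried through as an added worked example that is not part of this standard or its LOPA template: the initiating event frequency is multiplied by the enabling-condition probability, the conditional modifiers and the PFD of each credited IPL, the LOPA gap is the target frequency divided by the resulting residual frequency, and a gap below 1 is read as the PFD an additional (or improved) layer must provide. The scenario values, the target frequency and the names Scenario, assess and required_sil are assumptions of this example; the SIL bands are the IEC 61511 low-demand PFD ranges, not reference data of the standard.

```python
"""Semi-quantitative LOPA calculation: residual frequency, LOPA gap and required SIL.

Added worked example. The scenario values and the target frequency below are
constructed and must not be read as reference data of the standard.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# IEC 61511 / IEC 61508 PFD bands for low demand mode:
# SIL 1: 1e-2 <= PFD < 1e-1 ... SIL 4: 1e-5 <= PFD < 1e-4.
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]


def _check_probability(value: float, label: str) -> None:
    """An enabling condition, conditional modifier or PFD outside (0, 1] is an input
    error; a value of 0 would silently claim unlimited credit for that layer."""
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{label} must be in (0, 1], got {value}")


@dataclass
class Scenario:
    """One single scenario: a discrete initiating event and the layers claimed against it."""
    name: str
    initiating_frequency: float                  # initiating event frequency, events per year
    enabling_probability: float = 1.0            # probability of the enabling condition (1.0: none)
    conditional_modifiers: List[float] = field(default_factory=list)  # e.g. P(ignition), P(occupancy)
    ipl_pfds: List[float] = field(default_factory=list)               # PFD of each credited IPL

    def __post_init__(self) -> None:
        if self.initiating_frequency <= 0:
            raise ValueError("initiating frequency must be positive")
        _check_probability(self.enabling_probability, "enabling probability")
        for p in self.conditional_modifiers:
            _check_probability(p, "conditional modifier")
        for pfd in self.ipl_pfds:
            _check_probability(pfd, "IPL PFD")

    def initiating_risk_frequency(self) -> float:
        """Frequency of reaching the worst reasonable foreseeable outcome without IPL credit
        (initiating event x enabling condition x conditional modifiers), per year."""
        f = self.initiating_frequency * self.enabling_probability
        for p in self.conditional_modifiers:
            f *= p
        return f

    def residual_frequency(self) -> float:
        """Initiating risk frequency reduced by the PFD of every credited IPL, per year."""
        f = self.initiating_risk_frequency()
        for pfd in self.ipl_pfds:
            f *= pfd
        return f


def lopa_gap(residual_frequency: float, target_frequency: float) -> float:
    """LOPA gap = target frequency / residual frequency.
    Below 1 it is the PFD an additional (or improved) layer must provide;
    above 1 it is the remaining safety margin."""
    return target_frequency / residual_frequency


def required_sil(pfd_required: float) -> Optional[int]:
    """Map a required PFD to the SIL band that contains it.
    0: a PFD of 0.1 or worse suffices, so no SIL-rated SIF is needed.
    None: the required PFD lies below the SIL 4 band; one SIF cannot close the gap."""
    if pfd_required >= 0.1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd_required < high:
            return sil
    return None


def assess(scenario: Scenario, target_frequency: float) -> dict:
    """Evaluate one scenario against the target frequency of its consequence level.
    The target frequency is an assumed input here; in practice it comes from the
    risk matrix of the applicable corporate standard."""
    residual = scenario.residual_frequency()
    gap = lopa_gap(residual, target_frequency)
    return {
        "scenario": scenario.name,
        "initiating_risk_frequency": scenario.initiating_risk_frequency(),
        "residual_frequency": residual,
        "lopa_gap": gap,
        "additional_layer_needed": gap < 1.0,
        "required_sil": required_sil(gap) if gap < 1.0 else 0,
    }


if __name__ == "__main__":
    # Constructed scenario: control loop failure 0.1/yr, P(ignition) = 0.5,
    # P(occupancy) = 0.2, one relief valve credited with PFD 0.01, assumed target 2e-6/yr.
    demo = Scenario("overpressure of vessel (constructed)", 0.1, 1.0, [0.5, 0.2], [0.01])
    print(assess(demo, target_frequency=2e-6))
```

Because the inputs are order-of-magnitude values, the gap is only meaningful to that precision; a result close to a band boundary should be treated as a judgement for the team, not as a computed fact.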
- Intolerable: These are unacceptable risks (red area in the risk matrix). Additional measures are
  required to reduce them to at least ALARP. These measures have to be implemented
  even if they require significant resources or fundamental changes in the activities and
  systems.
The risk evaluation shall be completed by checking the need for additional risk reduction measures.
They may be required:
- if requested by law or the state of the art, regardless of whether the risk evaluation yields tolerable or
  acceptable risks
- if the residual risk is considered intolerable
For the specification of additional risk reduction measures the risk reduction philosophy (see 2.1.3)
has to be adhered to (e.g. rerate by calculation if a design is capable of higher pressures instead of
installing a safety instrumented function).
If further risk reduction is required these measures shall be recorded in the action item list. The
action item list shall comprise at least the following information:
Number, responsible, action item and due date
2.3.12 Critical aspects for realization & operation
The information given here should specify basic requirements which need to be addressed in
engineering and operation of the system:
- Legal requirements: all relevant legislation which applies to the scenario or the system
  configuration (e.g. Seveso Directive, ATEX99 Directive)
- Applicable standards: relevant standards which apply to the scenario, the system or the
  system configuration (e.g. EN746-2, EN61508)
- Interlock sequences: description in words of the conditions which initiate the identified safeguards
  to react and of the actions which are required to bring the system into a safe condition (i.e.
  cause and effect)
- Operational requirements: basic requirements for operating the system such as operational
  bypass (e.g. start-up), set-points, switches/alarms/pre-alarms, response time, principal
  architecture, test intervals; only information which is critical for operation and which shall be
  explicitly considered in engineering should be given here; more detailed requirements
  will be given in the functional specification of the respective system
2.4 Documentation
The assumptions and the results of the LOPA assessment shall be recorded in a LOPA sheet. It is
recommended to use the LOPA template related to this standard [TA01]. If alternative records are
prepared, the information which is described above and indicated in the template shall be given as a
minimum.
If Safety Instrumented Functions (SIF) are required to achieve the necessary risk reduction the
LOPA report is part of the documentation as required by the safety plan.
- Is the information given in the risk assessment report understandable and sufficient for follow-up?
- Is the evaluation sound and sufficient?
- Are the selected frequency and PFD data appropriate to the given situation?
- Was the risk judgement appropriate, and were any necessary further actions to reduce the risk
  identified?
- Were identified actions completed and their results incorporated accordingly?
- Does the team cover all required disciplines and is it sufficiently competent?
3. Terms and Abbreviations
Term | Definition
Asset Integrity Level | The asset integrity level is a measure for a safety instrumented function to reduce the risk of potential economic loss caused by system failure.
Basic Process Control System | System which responds to input signals from the process, its associated equipment, other programmable systems and/or an operator and generates output signals causing the process and its associated equipment to operate in the desired manner. The BPCS does not perform any safety instrumented function with a claimed SIL ≥ 1 and its failure does not affect the core attributes of any safety instrumented function.
Conditional Modifiers | see chapter 2.3.6
Distributed Control System | A system which divides process control functions into specific areas interconnected by communications to form a single entity. A DCS does not perform any safety instrumented function with a claimed SIL ≥ 1 and its failure does not affect the core attributes of any safety instrumented function.
Frequency | Number of occurrences of an event per unit time [10].
Functional Safety | Part of the overall safety relating to the process and the basic process control system which depends on the correct functioning of the safety instrumented systems and other protection layers [01].
Independent Protection Layer | see chapter 2.3.8
Likelihood | A measure of the expected probability [case/cases] or frequency [case/year] of occurrence of an event [10].
Mitigation | Action causing a consequence to be less severe [10].
Prevention | The act of causing an event not to happen [10].
Probability | Expression of the likelihood of success or failure of an event on demand. Probability is expressed as a dimensionless number ranging from 0 to 1 [10].
Safeguard | Any engineered system or administrative control that would likely interrupt the chain of events following an initiating cause or mitigate its consequence [10].
Safety Instrumented Function | Safety function with a specified safety integrity level which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function [01].
Safety Integrity Level | Discrete level (one out of four) for specifying the safety integrity requirements of the safety instrumented functions to be allocated to the safety instrumented systems. Safety integrity level 4 has the highest level of safety integrity; safety integrity level 1 has the lowest [01].
Single scenario | A scenario based on a discrete initiating event which has been identified in a hazard analysis. The consequence of a single scenario may also be derived from other single scenarios. From the process point of view it is not useful to develop the initiating event of a single scenario (e.g. pump failure) into further primary events (break of shaft, failure of motor, etc.).
Abbreviation | Meaning
AIL | Asset Integrity Level
ALARP | As Low As Reasonably Practicable
BPCS | Basic Process Control System
DCS | Distributed Control System
FSM | Functional Safety Management
HAZID | Hazard identification
HAZOP | Hazard and operability analysis
IPL | Independent Protection Layer
LOPA | Layer of Protection Analysis
SIF | Safety Instrumented Function
SIL | Safety Integrity Level
[07] EN62061: Safety of machinery - Functional safety of electrical, electronic and
programmable control systems; 2005
[08] VDI/VDE 2180: Sicherung von Anlagen der Verfahrenstechnik mit Mitteln der
Prozessleittechnik (PLT); Part 1 - 3; 2007 (German only)
[09] OMV Refining Standard 5000: Project Management System for Technical Projects
[10] Guidelines for Safe and Reliable Instrumented Protective System; CCPS/AIChE; 2007
6. Obsolete Regulations
None