LOPA Onions: Peeling
Back the Outer Layers
Robert F. Wasileskia and Fred Henselwoodb
a
NOVA Chemicals, Inc., U.S. Commercial Center, Moon Township, PA 15108; wasiler@novachem.com (for correspondence)
b
NOVA Chemicals Corporation, NOVA Chemicals’ Head Office, Calgary, AB, Canada T2P 5L5
Published online 27 April 2011 in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/prs.10427
Layer of protection analysis (LOPA) has quickly
gained acceptance in the chemical processing indus-
tries and has risen to be one of the leading risk assess-
ment techniques used for process safety studies. LOPA
generally uses more rigor and science than what is
encountered with qualitative risk assessments, while
still not becoming overly onerous when compared with
detailed quantitative risk assessments. In the interest of
balancing time and resources against science and ac-
curacy, certain tradeoffs and assumptions are made
within the LOPA assessment. In turn, these tradeoffs
and assumptions can lead to inaccurate conclusions.
For example, one issue that arises is with the treat-
ment of protection layers associated with mitigation of
consequences. LOPA teams have a choice to account
for mitigation layers in the consequence assignment or
alternatively treat these layers as independent protec-
tion layers (IPLs). Although this may appear to be an
inconsequential decision, it can in fact result in very
different conclusions. In the course of treating mitiga-
tion layers as IPLs, organizations must ensure the nec-
essary inspection, testing, and preventive maintenance
practices are in place for these layers. Furthermore,
recognizing this dichotomy in treatment, one can also
show that these mitigation layers should be designed so
as to achieve a balance between consequence reduc-
tion and desired reliability.
This article discusses alternative treatments of risk
mitigation layers that are commonly applied by LOPA
teams and demonstrates their impacts through case
studies. Ó 2011 American Institute of Chemical Engi-
neers Process Saf Prog 30: 122–125, 2011
Keywords: LOPA; layer of protection analysis; miti-
gation; risk
INTRODUCTION
Layer of protection analysis (LOPA) as a risk tool
differs from many other risk measurement methodol-
Ó 2011 American Institute of Chemical Engineers
122 June 2011
ogies in that LOPA is designed to assess only a single
cause–consequence pair, whereas risk is typically
expressed as a measure that is reflective of all poten-
tial cause–consequence pairs. As such, LOPA does not
measure the full risk associated with a situation but
rather attempts to focus on what is believed to be the
dominant cause–consequence pair, likely representing
a majority of the overall risk. The cause–consequence
pair selected for analysis in the LOPA study can gener-
ally be likened to one path within an event tree, with
an associated unique outcome (Figure 1).
Further, each outcome in the event tree will have
a unique frequency of occurrence. Using the event
tree shown in Figure 1 as an example, the frequency
of outcome ABCD can be calculated as follows:
f ABCD ¼ f A 3 PFDB 3 PFDC 3 PFDD ð1Þ
where ƒABCD 5 Frequency of outcome ABCD, yr21,
ƒA 5 Frequency of initiating event A, yr21, PFDn 5
Probability of Failure on Demand of the nth Inde-
pendent Protection Layer (IPL), dimensionless.
As LOPA is not a cumulative measure of risk, the
selection of cause–consequence pairs for analysis
becomes critical for the proper use of this tool and
the application of appropriate risk criteria.
From a risk evaluation perspective, the selection of
the appropriate cause–consequence pair is vital to
ensure that potentially unacceptable risks are identi-
fied and then managed. Also of importance is that
this cause–consequence pair path selection issue
defines a relationship between the optimum effective-
ness of a risk mitigation layer and the likelihood of
success for that risk mitigation layer (i.e., the effec-
tiveness of a risk mitigation layer should align with
the reliability of that risk mitigation layer).
BACKGROUND
Within LOPA, the IPLs that are allocated to the mit-
igation layer (i.e., postrelease protection) are typically
passive devices or features in a plant. For example,
Process Safety Progress (Vol.30, No.2)

Figure 1. Example event tree with four unique outcomes.
secondary-containment dikes, fireproofing, blast
walls, and underground drainage systems fall into
this category.
When assessing a risk mitigation layer of protection,
two possible cause–consequence pairs can be readily
identified; the first option being the risk mitigation
layer working successfully, resulting in a smaller (miti-
gated) anticipated consequence. The second option is
where the risk mitigation layer fails, resulting in a
larger (unmitigated) anticipated consequence. On a
relative basis within the LOPA approach, the first
option is likely to be associated with a higher fre-
quency, lower severity cause–consequence pair,
whereas the second option is likely to be associated
with a lower frequency, higher severity cause–conse-
quence pair. As such, depending on the relative
change in frequency versus the relative change in con-
sequences, one cause–consequence pair is likely to
result in a higher risk and, therefore, be the cause–
consequence pair that should be assessed.
APPROACHES
There are generally two approaches to handling
mitigation layers within the LOPA framework. In the
first approach where the risk mitigation layer is
viewed as working successfully, the LOPA team may
or may not make this decision deliberately. For
example, the LOPA team may intuitively assume that
because postrelease protection is in place, the sce-
nario with the higher severity consequence is not
credible. In doing so, the risk mitigation layer has
effectively been assigned a probability of failure on
demand (PFD) equal to zero. Furthermore, the worst-
credible scenario has likely been overlooked by
assuming the postrelease protection is completely
effective 100% of the time. A similar approach is of-
ten taken with Inherently Safer Design (ISD) features,
such as a pressure vessel that has been designed and
constructed to withstand the maximum pressure that
can be created by the system. In the case of ISD fea-
tures, it may be a valid approach to treat certain sce-
narios as ‘‘not credible’’ and thus eliminate them, pro-
Process Safety Progress (Vol.30, No.2) Published on behalf of the AIChE
15475913, 2011, 2, Downloaded from https://aiche.onlinelibrary.wiley.com/doi/10.1002/prs.10427 by Sk Innovation, Wiley Online Library on [27/07/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
vided the hazard has been eliminated through the
use of specific design features. However, the same
conclusion cannot be made for postrelease protection
layers as these layers will always have a nonzero
PFD.
An organization may also make a deliberate deci-
sion to consistently and uniformly treat mitigation
layers as working successfully 100% of the time. When
this reasoning is used, it is common to account for the
mitigation layers through the assignment of conse-
quence severity. Although the worst-credible scenario
may in fact be discussed by the LOPA team, it will not
necessarily be examined as a unique cause–conse-
quence pair. Rather, the risk mitigation layer(s) will be
assumed to work successfully, and the severity of con-
sequence will typically be adjusted downward to
account for this assumption. For example, when con-
sidering a large spill resulting from a tank overfill, this
approach would assume the secondary-containment
dike is 100% effective at preventing the release from
spreading beyond the dike walls. As a result, the conse-
quence selected for analysis would be that associated
with a large material spill contained inside the dike.
Whether or not the decision to treat postrelease
protection layers as 100% effective is deliberate, there
are impacts associated with this approach. First, lower
frequency, higher severity cause–consequence pairs
(scenarios) may not be explicitly evaluated, or may
not be considered at all. Second, the organization
will have erroneously assumed a PFD equal to zero
for these layers. Finally, the opportunity to under-
stand the optimal balance between required effective-
ness and desired reliability will have been missed.
The second approach recognizes the imperfect
reality of these postrelease protection layers and eval-
uates them against the LOPA rules used for IPLs. In
this approach, the mitigation layers are tested against
the rules for effectiveness, independence, and audit-
ability [1]. When the rules are found to be met, the
mitigation layer (i.e., the safeguard) can be treated as
an IPL in the LOPA and assigned an appropriate PFD
value.
DOI 10.1002/prs June 2011 123

This second approach—of evaluating mitigation
safeguards for eligibility as an IPL—can benefit an or-
ganization in a number of ways. First, when mitigation
safeguards are tested against the LOPA rules for an IPL,
deficiencies in design, physical condition, and testing
practices will often become apparent and understood.
Second, postrelease protection facilities in a plant,
such as dikes and fireproofing, are upheld to the
inspection, testing, and preventive maintenance prac-
tices required to maintain the PFD value claimed in the
LOPA study. In so doing, the mitigation layer becomes
an IPL in the organization’s process safety database
and must be periodically audited. Lastly, this approach
gives an organization a way to objectively compare
similar scenarios among multiple plants that may have
been designed using different standards or practices.
CASE STUDY: STYRENE MONOMER (FLAMMABLE MATERIAL) POOL FIRE
In this scenario, a transfer pump is used to transfer
styrene monomer from a storage area within the po-
lymerization unit to the reactor train. The LOPA team
desires to evaluate the risk associated with a pool fire
arising from a pump seal failure.
The pump operates on a continuous basis, trans-
ferring styrene at a controlled temperature of 508F.
The pump is also equipped with a double-mechani-
cal seal fitted with a failure alarm that alarms to the
board operator in the central control room. As the
pump is located in a fire hazard area, it is protected
by a pilot-operated water spray system. Further, struc-
tural steel members in this area have been fire-
proofed in accordance with API 2218 [2] and com-
pany standards, and drainage is present to prevent
excessive pooling of firewater.
Localized Pool Fire with Minor-to-Moderate
Equipment Damage (A)
Using the first approach, the LOPA team has
assumed that because fireproofing and drainage are
present, the consequence-of-interest resulting from a
major pump seal failure (Initiating Event, 1 3 1021
events/year) is a localized process fire. This results in
minor equipment damage and business interruption,
with a Tolerable Risk Criteria (TRC) frequency of 1 3
1022 events/year. The LOPA team identifies one IPL
in this scenario (i.e., the seal failure alarm 1 operator
response) and assigns it a Risk Reduction Factor
(RRF) of ‘‘10’’ (i.e., a PFD 5 0.1). The risk gap is fur-
ther calculated with the following equation:
MEF
Risk Gap ¼ ð2Þ
TRC
where MEF 5 Mitigated Event Frequency, yr21, TRC
5 Tolerable Risk Criteria frequency, yr21
Note : MEF ¼ f IE 3 PEE 3 PCM 3 PFDIPL ð3Þ
where ƒIE 5 Frequency of the initiating event, yr21.
PEE, n 5 Probability of occurrence of the nth Ena-
bling Event, dimensionless, PCM, n 5 Probability of
occurrence of the nth Conditional Modifier, dimen-
124 June 2011 Published on behalf of the AIChE
15475913, 2011, 2, Downloaded from https://aiche.onlinelibrary.wiley.com/doi/10.1002/prs.10427 by Sk Innovation, Wiley Online Library on [27/07/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
sionless, PFDIPL, n 5 PFD of the nth IPL, dimension-
less.
One conditional modifier is used for the probability
of ignition (Pign 5 0.5) in this scenario. The calculated
risk gap in this scenario is equal to ‘‘1,’’ and thus, the
scenario risk is determined to be acceptable.
Large Pool Fire with Widespread Damage (B)
Using the second approach, the LOPA team has
chosen to evaluate a higher severity consequence,
and judge the area fireproofing and drainage system
against the rules for an IPL. The LOPA team agrees
that if the fireproofing and underground drainage sys-
tem meets the requirements for an IPL, the fireproof-
ing would be eligible to receive a RRF of ‘‘100’’ (i.e., a
PFD 5 0.01) and similarly the drainage system would
be eligible for a RRF of ‘‘10’’ (i.e., a PFD 5 0.1). Spe-
cifically, the fireproofing must meet the following
requirements to be considered an IPL:
1) Effectiveness: Structural steel supports located
within the fire hazard area envelope must be fire-
proofed commensurate with the guidelines of API
2218. The fireproofing must be applied up to the
support level on all structural members of vessels
and pipe racks. Fireproofing must have a 2.5 h rat-
ing as per UL-1709 [3].
2) Independence: The fireproofing may not share
any devices or common-cause failures with the
initiating event (pump seal failure) or the other
IPLs in this scenario (pump seal failure alarm and
the underground drainage system).
3) Auditability: A visual inspection of the condition
of the fireproofing in the unit must be conducted
every quarter. In addition, a civil inspection of the
fireproofing must be performed every 3 years. The
results of these inspections must be documented
and maintained on file.
In similar fashion, the underground drainage sys-
tem must meet the following requirements to be con-
sidered an IPL:
1) Effectiveness: The design capacity of the under-
ground drainage system must be equal to or greater
than the combination of: (i) the deluge/sprinkler
system flow in the immediate area of concern, (ii)
the two adjacent deluge/sprinkler systems, (iii) two
hose streams, and (iv) the anticipated quantity of
spilled process material [4]. The ground within the
fire hazard area must be sloped or otherwise
graded (1–2%, depending on surface material) to-
ward a process catch basin. Catch basins must be
equipped with valves that remain operable under
fire conditions. Drain ditches in the area must be
designed such that ignited flammables may be
safety consumed (e.g., a wicking trench design; see
NFPA 15, Annex A [5]).
2) Independence: The underground drainage system
may not share any devices or common-cause fail-
ures with the initiating event (Pump seal failure)
or the other IPLs in this scenario (Pump seal fail-
ure alarm and the fireproofing).
DOI 10.1002/prs Process Safety Progress (Vol.30, No.2)

3) Auditability: A visual inspection of the catch
basins and drain ditches for debris and other accu-
mulations that can hinder performance must be
conducted every quarter. In addition, a flow test
must be performed every 3 years, using the fire-
water capacities described in the requirements for
effectiveness. The results of these flow tests must
be documented and maintained on file.
During the assessment of the ability (effectiveness)
of the fireproofing to prolong the structural strength
and integrity of steel members during a fire event, it is
noted that the fireproofing has either deteriorated over
the years or has been intentionally removed in many
areas for maintenance reasons but not replaced. Addi-
tionally, while reviewing the results of the most recent
flow (proof) test (Auditability) conducted on the
underground drainage system, the LOPA team discov-
ered that the system failed the proof test. During the
test, large quantities of firewater pooled throughout
the unit and encompassed buildings and pipe racks
beyond the fire hazard area envelope.
As a result, the LOPA team agrees that neither the
fireproofing in the area or the underground drainage
system meets the requirements for an IPL. Accord-
ingly, the LOPA team assigns each a RRF of ‘‘1’’ (i.e.,
a PFD 5 1). Moreover, given the catastrophic nature
associated with a large pool fire in the unit, the TRC
frequency for this scenario is 1 3 1025 events/year.
The calculated risk gap in this scenario is equal to
‘‘500,’’ and thus, the scenario risk is determined to be
unacceptable.
Analysis of Case Example
Several potential shortcomings have been high-
lighted in the previous case example, by illustrating
two different treatments of the risk mitigation layer.
Where the mitigation layers have been accounted for
in the consequence assignment (A), the analysis
failed to identify flaws in these layers, yet still con-
cluded the risk was acceptable. This oversight was in
part due to the erroneous assumption that the mitiga-
tion layers have a PFD equal to zero. Further, the
analysis did not explicitly evaluate the lower fre-
quency, higher severity cause–consequence pair asso-
ciated with the failure of these two mitigation layers.
Conversely, where the mitigation layers were eval-
uated as IPLs (B), the analysis identified deficiencies in
these layers, resulting in a substantial risk gap. Clearly,
an organization benefits from understanding where
these exposures exist. However, this example also
underscores the level of conservatism found in the
LOPA technique. As the mitigation layers did not meet
the criteria for an IPL, they did not contribute a RRF to
the analysis (i.e., their assigned PFD 5 1). Although
this is mathematically consistent with the basic (order-
of-magnitude) LOPA approach, it is in all likelihood
overly conservative and an overstatement of the risk.
THE RELATIONSHIP BETWEEN RELIABILITY AND EFFECTIVENESS
In situations where a mitigation safeguard meets
the requirements for an IPL, a limit on the PFD value
Process Safety Progress (Vol.30, No.2) Published on behalf of the AIChE
15475913, 2011, 2, Downloaded from https://aiche.onlinelibrary.wiley.com/doi/10.1002/prs.10427 by Sk Innovation, Wiley Online Library on [27/07/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
for that mitigation layer can be proposed based on
the degree of consequence reduction provided by
that layer [6]. This relationship can be established
through assessing both LOPA scenarios: the path
where the mitigation layer functions and the path
where the mitigation layer fails. Through assessing
both paths, it may be demonstrated that there is little
benefit to managing a mitigation layer at a PFD value,
which goes beyond the predicted consequence
reduction to be provided by that layer. Further, in
cases where the PFD value is small relative to the
consequence reduction, the path associated with suc-
cess of the mitigation layer may prove to dominate
the overall risk contribution.
CONCLUSIONS
LOPA provides organizations with a practical risk
assessment technique that attempts to bridge the gap
between purely qualitative methods and precise
quantitative risk assessment. In doing so, the LOPA
technique exhibits a number of shortcomings, created
by the inherently conservative rules for application,
the focus on single cause–consequence pairs, and the
selection alternatives faced by LOPA analysts [7].
Organizations must have a full understanding of these
limitations when applying the LOPA technique.
In conclusion, organizations applying the LOPA
technique must consider these dichotomies and seek
to implement policies that result in consistent applica-
tion of the technique [8]. Moreover, LOPA analysts
must recognize the spectrum of outcomes associated
with a given initiating event and evaluate all of the
cause–consequence pairs that provide a substantial
contribution to the overall risk.
LITERATURE CITED
1. Center for Chemical Process Safety, Layer of Pro-
tection Analysis: Simplified Process Risk Assess-
ment, ISBN0-8169-0811-7, American Institute of
Chemical Engineers, New York, NY, 2001.
2. American Petroleum Institute, Fireproofing Prac-
tices in Petroleum and Petrochemical Processing
Plants,Second Edition, American Petroleum Institute
(API) Publication: Washington, DC, 2218, 1999.
3. Underwriters Laboratories Inc., Rapid Rise Fire Test
of Protection Materials for Structural Steel, UL-1709,
Underwriters Laboratories Inc.: Camas, WA.
4. NOVA Chemicals Inc., Sewers and Drains, NOVA
Chemicals Loss Prevention Standard 6.12, Rev. No.
5, December 2006.
5. NFPA 15, Standard for Water Spray Fixed Systems
for Fire Protection, 2007 Edition.
6. R. Wasileski and F. Henselwood, LOPA: Going
Down the Wrong Path, 6th Global Congress on
Process Safety, San Antonio, TX, 2010; Paper 22b.
7. K.A. Study and J.W. Champion, LOPA misapplied:
Common errors can lead to incorrect conclusions,
Process Saf Progr 28(2009), 300–307.
8. W.B. Bridges and T. Clark, Key issues with imple-
menting LOPA, Process Saf Progr 29( 2010), 103–
107.
DOI 10.1002/prs June 2011 125