Dymenzions
Layer of Protection Analysis (LOPA) in the process industry
Introduction
Refineries and chemical plants rely on multiple independent layers of protection to prevent dangerous incidents. A single measure is rarely sufficient; therefore, methods such as Layer of Protection Analysis (LOPA) are used to systematically assess whether process safety is adequately assured. LOPA analysis helps to map the risks and determine which additional safety measures are needed to prevent unacceptable scenarios. In this article, we discuss what LOPA is, why it is necessary, practical examples from the chemical and oil and gas sectors, and relevant legislation and regulations (Netherlands vs. EU) regarding process safety.
What is LOPA?
LOPA (Layer of Protection Analysis)
LOPA (Layer of Protection Analysis) is a (semi-)quantitative risk assessment method within process safety. It is used to analyze in a relatively simple way whether the existing safety layers are sufficient to prevent an undesirable scenario.
In concrete terms, a LOPA study models a hazardous scenario by looking at the initiating events (causes) and their frequency, the Independent Protection Layers (IPLs) that can prevent or mitigate this scenario, and the consequences if all layers fail.
Each IPL is characterized by a certain reliability, often expressed as Probability of Failure on Demand (PFD), which indicates how likely it is that that layer will fail when needed. By multiplying the frequency of the initiating event with the failure probabilities of all relevant layers, the estimated probability of the undesirable consequence is calculated. This result is then compared to a predefined acceptable risk level. If the calculated risk is higher (“risk gap”), this is a signal that additional or improved layers of protection are needed.
Basic principles
A key principle in LOPA is that only independent protection layers are taken into account. An IPL must be effective for the specific scenario, sufficiently reliable, and – above all – independent of other layers and of the initiating cause. This prevents a common fault from shutting down multiple layers at once. Furthermore, Conditional Modifiers are sometimes used for factors such as occupancy (probability of someone being present) or ignition probability, to quantify the scenario more precisely.
Ultimately, LOPA provides a structured insight into which combination of causes and failed layers can lead to the accident, and how much risk reduction each layer provides. LOPA can therefore answer questions such as: “How many layers of protection do we need?” and “How much risk reduction should each layer provide?” This method is typically performed by a multidisciplinary team of experts, often as an extension of an earlier process hazard study.

Relation to other risk methods (HAZOP vs. LOPA)
In terms of depth and quantification, LOPA is somewhere between purely qualitative techniques and fully quantitative analyses. For example, a HAZOP (Hazard and Operability study) is usually performed prior to LOPA to identify hazardous situations. HAZOP is a qualitative method that examines the hazards and existing measures per scenario. LOPA builds on this by numerically assessing whether the risks fall within the tolerance for selected scenarios. Compared to a coarse risk matrix, LOPA offers more accuracy, but it is less complex than, for example, a fault tree or event tree analysis (QRA).
It is important that LOPA is complementary to HAZOP: it validates and deepens the HAZOP results by calculating the failure probabilities of protective layers per scenario. This can lead to new insights, for example that a certain scenario still requires additional measures despite the fact that it seemed to be sufficiently covered in the HAZOP. LOPA is also often used to determine the necessary Safety Integrity Level (SIL) for instrumented safeguards.
In other words, based on LOPA results, one can determine whether, for example, a safety function with SIL-2 or SIL-3 is needed to further reduce the risk to an acceptable level. This makes LOPA a bridge between process safety and functional safety: it links the results of process hazard analyses to concrete requirements for technical safety systems.

Why is LOPA needed?
Need for systematic risk assessment
In complex (petro)chemical installations, small malfunctions or human errors can escalate into serious accidents without sufficient protection. A systematic risk assessment such as LOPA is needed to ensure that sufficient independent safeguards are in place for each identified hazard scenario. The principle of multiple layers is often illustrated with James Reason’s “Swiss cheese model”: each protective layer is a slice of cheese with holes (imperfections), and a disaster only happens when all the holes in the layers are precisely aligned.
LOPA forces us to consider for each scenario whether there are enough slices of cheese and whether the holes are small enough – in other words, whether the risks have been sufficiently reduced. This prevents an overly optimistic assumption that “one single measure is sufficient”. In practice, it has been shown that serious accidents are almost always the result of an accumulation of failed barriers. LOPA formalises this insight and helps companies to plan their risk reduction in a targeted manner.
Impact of incidents without adequate protection
Without adequate protective layers, seemingly manageable situations can spiral out of control with catastrophic consequences. Think of explosions, large-scale fires or toxic emissions that lead to fatalities, environmental pollution and enormous financial losses. A classic example is the tank storage accident in Puerto Rico (CAPECO, 2009), where the lack of independent level monitoring caused a storage tank to overflow and create an explosive cloud.
This incident showed multiple shortcomings coming together: a defective level instrument, fully manual control and insufficient emergency stop layers. Such incidents show why LOPA is needed – in this case it could have identified the gaps in the layers, for example that an automatic tank shut-off valve was needed in addition to an alarm. In general, LOPA highlights “red flags” early in the design process or operation. It provides a structured approach to thoroughly evaluate all relevant hazards and ensures a balanced set of safeguards.
This allows organizations to proactively address risk areas before an accident occurs. In short, LOPA prevents critical risks from being overlooked and increases chemical safety by ensuring that every critical scenario has the necessary protection.

Practical examples of LOPA applications
A storage tank farm in the oil and gas industry. Overflowing storage tank scenarios are among the greatest hazards; LOPA helps assess whether multiple independent layers (such as overfill protection, alarm systems and inerting) are sufficient to prevent an explosion or environmental disaster.
Storage tank overfill (oil & gas)
A concrete example from practice is the aforementioned tank storage incident. In the CAPECO terminal, a petrol tank overflowed because the filling procedure was performed manually and a level gauge was defective; this formed a flammable gas cloud that led to an explosion. A previous HAZOP would have identified this hazard, but only LOPA would have quantified whether the existing layers – for example a high-level alarm with operator action – were sufficiently reliable.
In this scenario, LOPA would probably have shown that one independent layer (an alarm) was not sufficient and that an additional layer of protection was needed, such as an automatic overfill protection that stops the supply at a high level. Many companies in the oil and gas industry therefore use LOPA at tank farms to determine how many layers of protection are needed against overfilling. For example, a combination of a high-level alarm (with trained operator intervention), an independent high-level emergency valve, a pressure relief valve and a containment tank/dike are considered. LOPA calculates whether these layers together sufficiently reduce the risk of an overflow explosion to an acceptable level. If not, it recommends implementing additional measures (e.g. an improved alarm system or increased valve integrity).
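The calculation described above (initiating frequency multiplied by the PFD of each credited layer and by the conditional modifiers, then compared with the tolerable frequency) can be worked through for a tank-overfill scenario. This is an added example, not code from the original article; the tag names, frequencies, PFDs and tolerable frequency are all constructed values, and the SIL bands are the IEC 61511 low-demand ranges.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float        # probability of failure on demand
    component: str    # hardware the layer relies on (for the independence check)

def credited_layers(layers, cause_component):
    """Keep only layers sharing no component with the cause or an earlier layer."""
    used, credited = {cause_component}, []
    for layer in layers:
        if layer.component not in used:
            credited.append(layer)
            used.add(layer.component)
    return credited

def mitigated_frequency(init_freq, layers, modifiers):
    """Initiating frequency x PFD of each layer x conditional modifiers (per year)."""
    return init_freq * prod(l.pfd for l in layers) * prod(modifiers.values())

def required_sil(target_pfd):
    """SIL band (IEC 61511, low demand) for the PFD an added function must reach."""
    if target_pfd >= 0.1:
        return 0      # less than a factor 10 still missing: no SIL-rated function
    for sil in (1, 2, 3, 4):
        if target_pfd >= 10 ** -(sil + 1):
            return sil
    raise ValueError("gap exceeds SIL 4; reduce the risk by redesign instead")

def assess(init_freq, layers, modifiers, tolerable):
    freq = mitigated_frequency(init_freq, layers, modifiers)
    target_pfd = min(1.0, tolerable / freq)   # 1.0 means there is no risk gap
    return freq, target_pfd, required_sil(target_pfd)

# Constructed tank-overfill scenario; every number below is an assumed value.
CAUSE = "LT-1"                                 # level transmitter that fails low
LAYERS = [
    Layer("BPCS level control loop", 0.1, "LT-1"),        # reads the failed gauge
    Layer("high-level alarm + operator", 0.1, "LSH-2"),   # separate level switch
]
MODIFIERS = {"ignition": 0.1, "occupancy": 0.5}
INIT_FREQ, TOLERABLE = 0.1, 1e-5               # events per year

naive = assess(INIT_FREQ, LAYERS, MODIFIERS, TOLERABLE)
strict = assess(INIT_FREQ, credited_layers(LAYERS, CAUSE), MODIFIERS, TOLERABLE)

if __name__ == "__main__":
    for label, (freq, pfd, sil) in (("all layers credited", naive), ("independent only", strict)):
        print(f"{label}: {freq:.1e}/yr, added layer needs PFD <= {pfd:.2g}, SIL {sil}")
```

Crediting the control loop that depends on the failed transmitter hides the gap; with only the independent alarm credited, the same scenario calls for an additional SIL 1 overfill protection function.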
Chemical reactor runaway (chemistry)
In the chemical sector, LOPA is often used for reactors or processes with heat generation. Suppose an exothermic reactor can overheat and explode in the event of a cooling failure. A HAZOP would make this hazard clear, and via LOPA one then analyses whether the present layers – for example a process control that shuts off the supply, an independent emergency stop (SIS) and a mechanical pressure relief valve – are together sufficient to control the risk. The frequency of initiating events (e.g. loss of cooling water or human operator errors) and the failure probability of each layer (PFD of temperature alarm + operator, PFD of the SIS, etc.) are taken into account.
If the calculated probability of a reactor accident is above the threshold, LOPA provides insight into which additional risk reduction measures are required. In practice, this may mean: designing a Safety Instrumented Function with a higher SIL level, installing a larger vent capacity, or taking procedural measures. For example, a LOPA study shows that a certain emergency cooling system must have a PFD of 0.1 to meet the risk, which amounts to the SIL 2 requirement for that system. In this way, LOPA directly helps to identify critical hazards and the necessary mitigations: it identifies which layers are truly essential and which performance requirements (reliabilities) must be set for them.
This approach allows companies to focus their investments on the most crucial safety improvements. Furthermore, well-executed LOPA documentation provides a list of Safety Critical Elements (e.g. valves, instruments) that require special attention in maintenance and testing to ensure the claimed reliability.

Legislation and regulations: Netherlands vs. EU
Dutch legislation and guidelines (process safety)
In the Netherlands, an employer is obliged under the Working Conditions Act to inventory and evaluate the risks in his company (RI&E) and to take appropriate measures. This also applies to process safety risks in the chemical industry. Although the use of LOPA is not explicitly required by law, such a detailed analysis can help to meet the duties of care. Additional regulations apply to companies with larger quantities of hazardous substances. The Major Accident Risks Decree 2015 (Brzo 2015) is the Dutch implementation of the EU Seveso Directive (Seveso III). Under the Brzo 2015, so-called Seveso establishments (companies above certain threshold quantities of hazardous substances) must take all necessary measures to prevent major accidents and limit their consequences.
In concrete terms, this requires a demonstrable safety management system (with process safety procedures, maintenance, training, etc.) and, for higher threshold companies, a comprehensive safety report. This safety report includes scenario analyses of major accidents, including the existing security layers and residual risks. In the Netherlands, HAZOPs and LOPAs are therefore common practice within Brzo companies to fulfil these obligations – they form the basis for the described scenarios and risk assessments. In addition to the Brzo, the Netherlands has the ARIE scheme (Supplementary Risk Inventory & Evaluation).
This applies to companies that fall just below the Brzo thresholds or handle certain very risky substances. An ARIE requires an additional deepening of the RI&E focused on major accident risks, comparable to a simplified safety report. Here too, methods such as LOPA can be used to demonstrate that the hazards have been systematically assessed and addressed.

European directives (Seveso) and impact on companies
At EU level, the main regulation is the Seveso III Directive (Directive 2012/18/EU) – named after the disaster in Seveso, Italy (1976) – which has been transposed into national law in all Member States. The aim of this directive is to prevent major chemical accidents and to minimise the impact on people and the environment. Core obligations under Seveso are similar to those in the Netherlands: companies that exceed certain stock limits of hazardous substances must implement a major accident prevention policy, implement a safety management system and – for higher categories – submit a detailed Safety Report to the government.
In this report, all identified hazards, scenario analyses, risk assessments and protective measures taken should be documented. Although the terminology may vary from country to country, these requirements aim at the same thing: to demonstrate that “everything necessary” has been done to prevent major accidents. Companies typically achieve compliance by following internationally recognized best practices, such as performing Process Hazard Analyses (PHAs) with HAZOP and LOPA, and implementing instrumented protections according to standards (e.g. IEC 61511 for SIS with a certain SIL level).
The European legislation sets the framework, but the implementation is company-specific. In practice, this means that a chemical company in the Netherlands must take similar steps as the same company in, for example, Germany or France – thanks to Seveso, there is a harmonised minimum level of process safety management in the EU. Dutch companies must therefore comply with both national regulations (Arbowet, Brzo/Omgevingswet) and the EU directive, but these are seamlessly connected because the Brzo stems directly from the Seveso directive.
In fact, as of 2024, the Brzo 2015 will be incorporated into the new Environmental Act, but the Seveso obligations (and thus the importance of thorough risk analyses such as LOPA) will remain in full force.
In short, both nationally and in Europe, process industry companies are expected to systematically manage their process safety risks – and LOPA has become an accepted instrument to give substance to this.
Conclusion
Summary
Layer of Protection Analysis (LOPA) has become an indispensable technique in the modern process industry for analyzing risks and testing protection layers. We have seen that LOPA offers a structured, (semi-)quantitative approach to determine per scenario whether the combination of independent safety measures is sufficient to prevent an incident. Compared to purely qualitative methods (such as HAZOP), LOPA provides additional depth and substantiation, which is crucial, for example, when defining SIL requirements for safety-critical systems.
Importance to the industry
The need for LOPA is evident from both practice and legislation: past incidents show that a lack of effective layers can lead to catastrophic accidents, and legislation (Brzo/Seveso) obliges companies to assess and manage risks thoroughly and demonstrably. LOPA helps companies meet this obligation by providing insight into their risk profile and identifying any gaps in their protection strategy. In the chemical and oil and gas sectors – where process safety is a top priority – LOPA is therefore an integral part of safety management. It enables organisations to take targeted risk reduction measures where they are most needed, and to use their resources efficiently for the most critical safety measures in the process industry.
In summary, LOPA enhances chemical safety by ensuring that there are sufficient “safety nets” behind every potential accident scenario. As such, it is not just an analytical tool, but an essential part of a proactive safety culture. A properly performed LOPA analysis provides peace of mind that all reasonable precautions have been taken – something that is invaluable to both companies and society.
In the process industry, LOPA has thus developed into a standard that bridges the gap between hazard identification and actual risk control: an indispensable link in the process safety chain.
