Our LOPA methodology follows the guidance of the publications of the Center for Chemical Process Safety. In “Guidelines for Risk-Based Process Safety”, the Layers of Protection Analysis [LOPA] is described as a tool for simple risk analysis which is used to evaluate high-consequence scenarios, to determine if the combination of likelihood and severity of consequences meets a company’s risk tolerance. As described in “Layers of Protection Analysis”, the key questions that LOPA intends to address are “how safe is safe enough?”, “how many protection layers are needed?”, and “how much risk reduction should each layer provide?”
The LOPA method provides rational, semi-quantitative risk-based answers to these questions. In addition, this method provides clarity and consistency among analyses of equipment and processes at a plant site, while documenting the basis of each decision. Further, the LOPA report facilitates the understanding of the process hazards and the control of such hazards, among site personnel.
Typically, a high-consequence scenario – which usually involves a combination of equipment and human failures – is identified during a qualitative hazard evaluation, such as a Process Hazards Analysis or a Hazard and Operability study. Identification of a high-consequence scenario also could occur as a result of an investigation of a “near miss’, or during an evaluation of a Management of Change, or during a process-design review.
A LOPA can be visualized as a series of slices of Swiss cheese, where a high-consequence scenario could occur only if at least one of the holes in each slice “line-up”, to allow propagation of multiple failures, toward the consequence. Each of the protection layers [“slices”] is very likely to have “flaws” or a failure probability, as indicated by the number and sizes of the holes in the Swiss-cheese slices. For components of a process-control system, such as Safety Instrumented Systems and other components such as relief valves and rupture disks, it is important to know or estimate the probability of Failure on Demand. Also, it is important to verify that each of the Layers of Protection is an independent device or system, and to verify that the protection that is provided by a Layer is not influenced by the behavior of other devices or systems.
Thus, our analyst studies the process to identify the likely initiating events and to estimate the frequency of initiating-event occurrence. Our analyst then studies all of the process-control features and safeguards, to estimate the reliability of protection that is provided and to ensure the independence of each protection layer. Then the likelihood of occurrence [or probability, or frequency] of a given high-consequence scenario can be semi-quantitatively determined. When this likelihood is combined with the severity of the consequences of scenario occurrence, an evaluation of risk is obtained. A risk matrix is usually employed to show the possible combinations of likelihood and consequence severity. The risk thus obtained can be compared to the risk tolerance of the plant or corporation, for presentation to site and/or corporate management. A comprehensive study report is prepared to serve as a record of the completed analysis, including descriptions of the potential risks of a process with the existing safeguards and with recommendations for additional safeguards, where warranted.