Menu

Layer of Protection Analysis (LOPA): Counting Your Barriers Honestly

LOPA explained: how Layer of Protection Analysis quantifies whether safeguards reduce process risk enough, with a worked order-of-magnitude example.

Layer of Protection Analysis (LOPA) is a semi-quantitative process safety method that answers a question hazard studies leave open: are the safeguards around a dangerous scenario actually enough? It takes one scenario at a time, estimates how often the initiating event happens, multiplies through the failure probabilities of each independent protection layer, and compares the resulting frequency against a tolerable risk target, all in transparent orders of magnitude.

Where LOPA sits among safety studies

A HAZOP is superb at finding scenarios: what deviations can occur and what could follow. It is qualitative by design. LOPA picks up the scenarios that look serious and asks the quantitative follow-up: initiating cause frequency, consequence severity, and how much risk reduction the existing layers really deliver. Full quantitative risk assessment goes deeper still, but LOPA covers the middle ground fast enough to apply to dozens of scenarios per unit.

What counts as an independent protection layer

Not every safeguard qualifies. An IPL must be independent of the initiating cause and of other layers, effective against the specific scenario, and auditable. A basic control loop, an alarm with credited operator response, a safety instrumented function, a relief valve, and a dike can each be IPLs. Two alarms landing on the same overloaded operator are not two layers, and a safeguard that shares the failed sensor with the initiating cause counts for nothing.

A worked example, in orders of magnitude

Scenario: loss of cooling on an exothermic reactor leading to runaway and rupture. Initiating event: cooling water pump failure, estimated once per 10 years (0.1 per year). Layers: the high-temperature alarm with credited operator action, probability of failure on demand 0.1; a safety instrumented function that dumps quench, PFD 0.01; the relief system sized for the case, PFD 0.01. Mitigated frequency: 0.1 x 0.1 x 0.01 x 0.01 = 0.000001 per year, one in a million years. If the corporate target for this consequence class is one in a hundred thousand years, the scenario passes with a factor of ten to spare; if the SIF did not exist, it would miss by a factor of ten and something must be added or improved. The arithmetic is deliberately simple; the honesty about independence is the hard part.

Where the numbers quietly rot

Every PFD in that multiplication assumes the layer is tested and maintained: relief valves inspected, SIF proof tests done on schedule, alarms functional and not permanently acknowledged. A LOPA credit taken on paper and never proof-tested in the plant is fiction with a decimal point. This is where process safety meets everyday maintenance discipline: overdue proof tests and bypassed trips are not housekeeping items, they are missing protection layers. Changes to any credited layer must also flow through management of change, or the analysis silently stops describing the plant.

Running LOPA well

  • Screen scenarios from HAZOP; spend LOPA effort where consequences are serious.
  • Use agreed corporate lookup tables for frequencies and PFDs; consistency beats precision.
  • Document every credit with its test requirement and owner.
  • Revisit when the process, chemistry, or staffing assumptions change, and after any near miss that challenged a layer (see near miss versus incident).

Where Fabrico fits

Fabrico is not a process safety analysis tool and does not perform LOPA. What it protects is the assumption underneath every credited layer: that testing and maintenance actually happen. Proof tests, relief valve inspections, and interlock checks run as scheduled work orders with completion evidence; overdue safety-critical work is visible instead of buried; and the asset history shows every test result when the audit asks. The safety study stays on the safety engineer’s desk; the discipline that keeps it true lives in the CMMS. EU-built, with EU data residency.

Frequently Asked Questions

How is LOPA different from a risk matrix?

A risk matrix scores likelihood and severity judgmentally in one step. LOPA decomposes likelihood into an initiating frequency and explicit failure probabilities per protection layer, which exposes exactly where the risk reduction comes from and what happens if a layer degrades.

Who should be in a LOPA session?

A trained facilitator, process engineering, operations, instrumentation and controls, and maintenance. Maintenance presence matters more than teams expect: they know which safeguards are actually tested, bypassed, or chronically failing.

What comes after LOPA if risk is still too high?

The gap is expressed as required additional risk reduction, which typically becomes a new or upgraded safety instrumented function with a target integrity level, an inherently safer design change, or an additional independent layer. The follow-through is engineering work, tracked to closure.

Want proof tests and safety-critical work orders that never silently lapse? Book a Fabrico demo to see preventive scheduling and asset history keep your protection layers real.

Das Neueste aus unserem Blog

Definieren Sie Ihren Zuverlässigkeitsfahrplan
Überzeugen Sie sich selbst!
Definieren Sie Ihren Zuverlässigkeitsfahrplan
Indem Sie auf die Schaltfläche „Akzeptieren“ klicken, erklären Sie sich mit der Nutzung einverstanden.Cookies beim Zugriff auf diese Website und bei der Nutzung unserer Dienste. Erfahren Sie mehrWeitere Informationen zur Verwendung und Verwaltung von Cookies finden Sie in unserem Datenschutzrichtlinie und Cookie-Erklärung