Loss Prevention Bulletin 265 February 2019 | 13

Safety practice

Limitations and misuse of LOPA

Roger Casey, Cantwell Keogh & Associates, Ireland

© Institution of Chemical Engineers
0260-9576/19/$17.63 + 0.00

Summary

Layers of Protection Analysis (LOPA) is a simplified form of numerical risk assessment. It is an order of magnitude approach and hence precise figures are not used. The technique does have significant limitations compared to more advanced techniques such as Fault Tree Analysis, QRA, etc. This paper highlights some of the mistakes that are seen in its application and challenges some of the practices that are occurring within LOPA calculations, in particular the use of conditional modifiers related to exposure times, which causes an underestimation of the risk.

Keywords: Layer of Protection Analysis, LOPA, risk assessment

Introduction

Layers of Protection Analysis (LOPA) is a simplified form of numerical risk assessment. It is an order of magnitude approach and hence precise figures are not used. The technique was published by the Center for Chemical Process Safety (CCPS) [1] of the American Institute of Chemical Engineers (AIChE) in 2001. LOPA builds on qualitative studies such as HAZOP and the aim of the technique is to reduce risk by using Independent Protective Layers (IPLs). The purpose of LOPA is to determine if there are sufficient safeguards/IPLs for a particular scenario to reduce the risk of it occurring. LOPA applied properly provides a consistent basis for judging systems and procedures within a company or organisation so that similar results are obtained for similar situations.

However, LOPA is a simplified form of numerical risk analysis and hence has significant limitations. Also, from auditing and reviewing LOPA studies there is concern at the level of mistakes being made using the technique.

The purpose of this paper is to highlight some of the mistakes being made and challenge some of the practices that are occurring within LOPA calculations.

Limitations of LOPA

LOPA is a very useful technique, but like everything else it has its limitations. LOPA is a simplistic risk assessment technique designed to be suitable for general technical personnel so that, for example, process engineers who are not process safety specialists can contribute to a LOPA team.

It is an order of magnitude risk calculation and hence uses figures such as 0.1, 0.01 or 10^-3 yr^-1, not precise figures such as 43.2 x 10^-4 yr^-1. From the AIChE book, some examples of failure rates are given in Table 1.

Item                   Failure rate
Pipe failure / 100 m   1 x 10^-5 yr^-1
Impact from vehicle    1 x 10^-2 yr^-1
Cooling failure        1 x 10^-1 yr^-1
Large external fire    1 x 10^-2 yr^-1
LOTO procedure         1 x 10^-3 per opportunity

Table 1 – Example LOPA initiating event frequencies

As can be seen, they are all order of magnitude figures such as 1 x 10^-3 yr^-1. Probability of failure on demand figures are similarly based on order of magnitude, e.g. 0.1 or 0.01, etc. Hence results are not precise. There is also a cumulative effect on the final event frequency figure where the combination of a number of conservative figures will make the final figure more conservative.

To look at scenarios that involve a large number of initiating events (which have different IPLs) other techniques such as Fault Tree Analysis may be more suitable. For example, for a bunded pool fire resulting from a storage tank spill there may be up to ten possible initiating events. These include overfilling, inlet pipeline leaks, outlet pipeline leaks, drain valves left open, pump leaks, pin holes in the tank, catastrophic failure of the tank, etc. While possible with LOPA, it would require multiple simple LOPA sheets or more complex LOPA software, and the situation would be further complicated if a number of outcomes, such as pool fire, flash fire and vapour cloud explosion, are to be included.

The AIChE book repeatedly mentions that LOPA analysis looks at a single cause–consequence pair, e.g. pool fire from overfilling.

LOPA is not suitable for analysing scenarios where there is common cause failure as it cannot handle these mathematically. More detailed risk analysis such as Fault Tree Analysis uses Boolean algebra / minimum cut set analysis to factor in these common cause failures.

Also, the AIChE book states that LOPA may be inappropriate for very high consequence events … and it may be necessary to proceed to risk assessment techniques nearer to Chemical Process Quantitative Risk Assessment (CPQRA) in such cases.

Misuse of LOPA

The UK HSE commissioned a report [2] post-Buncefield on overfill protection on storage tanks which reviewed LOPA studies performed by a number of companies and their consultants. The report raised issues such as the quality of data used, over-optimistic human error probabilities, degree of rigour applied, misunderstanding of risk targets and invalid logical arguments. Another comment in the report was that LOPA may appear to be an easy method to apply at first but this may be deceptive.

The following are examples that the author has encountered where mistakes have been made or where there is dubious use of the technique. While none of these led to incidents, the event frequency and risk was or may have been significantly underestimated.

Some of the examples relate to the use of conditional modifiers. A conditional modifier is defined [1] as enabling events or conditions that have to occur or be present before the initiating event can result in the consequence. Examples of conditional modifiers are:

• Probability of ignition of a flammable spill;
• An event exposure time, e.g. a major toxic leak reaching a football stadium and affecting the 20,000 crowd. However, the large numbers will only be present say 20 times a year for 3-4 hours.

Example 1 – Pipeline failure rate adjustment

This involved a solvent recovery area in a pharmaceutical company where a 220 m pipeline was pumping solvent 45% of the time and was empty 55% of the time. From reference 1 the pipe failure rate per 100 m is 1 x 10^-5 yr^-1 for a full-bore rupture. The analyst multiplied the pipe failure rate by 0.45, i.e. the failure rate of a solvent spill is:

2.2 x 10^-5 yr^-1 x 0.45 = 9.9 x 10^-6 yr^-1

However, the use of a factor of 0.45 implies the pipeline cannot be damaged, degraded or interfered with when not in use. For example, if the pipe is subjected to corrosion under insulation (CUI) the failure rate may not be reduced by the reduced pumping time. Ageing of gaskets at flanges will not be reduced by the reduced pumping time. Also, if a fitter unbolts the wrong flange, or someone leaves a drain valve open, the leak will occur the next time the pipeline is used. Hence the failure rate of the system is unlikely to be linear with use time. Based on this logic the conditional modifier of 0.45 should not have been used. Essentially its use led to an underestimate of the event frequency.

What would be a reasonable conditional modifier in a similar but different case would be where solvent was being pumped 45% of the time and water 55% of the time. It would not be a major hazard if the pipe failed during water pumping, and the site would very likely be aware of the water release event, which would prevent the next solvent pumping operation.

Example 2 – Runaway reaction exposure time

Consider the case in a batch chemical reaction where a runaway reaction is caused by agitator failure and re-start. This is usually caused in controlled additions over time where the agitator fails, reagent is still being added and accumulating but not reacting, and if the agitator is re-started the whole uncontrolled reaction occurs and the cooling cannot cope.

In this example, the particular product was only made for approximately three months of the year. The LOPA analyst multiplied the initiating event frequency by 0.25 to allow for this. Also, the batch time in the reactor was 14 hours but the actual reaction time was 4 hours. The analyst took the view that it did not matter if the agitator fails during other times, e.g. during vessel inerting, solvent loading, etc. The initiating event (agitator failure rate, a Basic Process Control System failure [1]) was multiplied by 0.285 (4/14) to account for this. There was also a bursting disk (sized for the scenario) for which a probability of failure on demand of 0.01 [1] was correctly allowed for. The analyst calculated the event frequency as:

0.1 yr^-1 (agitator failure) x 0.25 x 0.285 x 0.01 (disk) = 7.125 x 10^-5 yr^-1

At first glance, the use of 0.285 for reaction time to batch time seems reasonable. However, it raises the question that if the agitator fails before the reaction, how will it be picked up? Just hoping that the operator will see the agitator failure is not reliable and certainly not consistent with the conservative nature of LOPA. If there was something reliable to pick up agitator failure, such as an independent speed sensor on the agitator shaft, this would have been used as an IPL in the calculation. Hence, as a latent failure, the time-at-risk factor of 0.285 is not appropriate and should not have been used in this case.

The use of a factor of 0.25 to allow for the particular product being only made for three months is also dubious. The plant in question was a multipurpose batch plant with a wide variety of hazardous reactions, most of which had runaway reaction hazards. Hence for the rest of the year the operator is exposed to the same hazard but from a different process in the same vessel. So again, this time-at-risk factor is not appropriate and should not have been used.

If the other processes used in the vessel for the other nine months were all relatively non-hazardous, the factor of 0.25 would have been a reasonable conditional modifier.

Ignoring these conditional modifiers, the event frequency is only 1 x 10^-3 yr^-1.

Example 3 – Adjustment of hose and regulator failure frequencies

The author has seen a number of cases where equipment failure frequencies are being multiplied by the hours used per day. This has, in some cases, become an almost standard practice and is often done without thinking through the logic. Common examples are flexible hose failure or pressure regulators. If a flexible hose or regulator is used for one hour a day the failure frequency is multiplied by 1/24. Again, it should be questioned whether this is really appropriate. Yes, a flexible hose used once a day is likely to last longer than one which is under pressure more often, but it is doubtful that the failure rate relationship is linear. Again, the use of 1/24 implies that the hose, often left outside exposed to the elements, cannot be damaged or degraded when not in use.

For road tanker unloading hoses the UK HSE FRED document [3] has detailed failure rate data related to the number of times a hose is used in transfer operations. However, for process hoses or items such as pressure regulators, factoring use time into the basic failure rate is not simple and probably requires further research into failure rates in such situations.

Example 4 – Pumping thermally unstable material

A reaction mixture which was prone to a violent thermal decomposition was being pumped from the reaction vessel to another vessel for further processing. Dead-heading the pump and heat input leading to decomposition was identified as an issue and a LOPA calculation was performed. There was one manual valve between the two vessels. There were a number of instrumented trips to protect against this. The plant typically ran 9 am – 5.30 pm five days a week. The situation is depicted in Figure 1.

[Figure 1 – Pump set up (diagram not reproduced; instrument tags FS, TT and PT shown)]

The initiating event was taken as the manual valve being closed in error. The valve was used once a fortnight for a cleaning procedure. A failure rate of operator error of 0.01 per opportunity was used (Reference 1 — routine procedure, trained, not fatigued, etc.). The analyst also factored in the plant operating hours as a conditional modifier to give the following adjusted initiating event failure rate:

0.01 (per opportunity) x 26 (opportunities/yr) x 0.24 (40/168 hrs) = 0.062 yr^-1

Reflecting on this, the factor of 0.24 is inappropriate, should not have been used and leads to underestimation of the frequency. The frequency of the initiating event is related only to how often the valve is used. If, for example, the plant moved to a 24/7 operation, the cleaning would be likely to occur more often, and the valve error failure rate would be adjusted accordingly.

The HSE document on Standards for Fuel Storage Sites [4] discusses this type of human error calculation and states that the time at risk is already included in the number of times the task is carried out in a year and no further factor should be applied.

Example 5 – SIL calculation for batch runaway reaction

A (non-chemical) engineer was performing a SIL assessment calculation using the LOPA technique to determine the rating for independent interlocks recommended at a HAZOP for a very strong exothermic reaction (adiabatic temperature rise Tad of > 320°C) which would subsequently lead to a violent decomposition of the product reaction mixture in a reactor. The HAZOP team had concluded that the runaway event was un-ventable even with the largest possible bursting disk on the vessel and recommended duplicate interlocks or a single interlock with a higher SIL rating in lieu of this.

As the scenario related to over-pressure, the engineer performing the SIL calculation allowed a relief valve on the 4,000 L vessel to be used as an IPL with a probability of failure on demand of 0.01 [1]. However, the relief device was a 3"/4" relief valve which would not be of any use for the exothermic event in question. While part of the problem was that the SIL assessor did not study the HAZOP report properly, nevertheless to an experienced process safety engineer familiar with DIERS (Design Institute for Emergency Relief Systems) methodology, the thermal data which was available was such that it would be very unlikely that this event could be vented. The SIL assessor didn't have the knowledge to question whether the relief device was appropriate.

In effect, the person in question did not have the qualifications, knowledge or experience to make the risk decisions they were making. This problem was alluded to in an article in TCE [5] in relation to SIL assessments when it was stated that it is possible to attend courses … and obtain certification – giving the impression of expertise without any proper understanding of the underlying principles and mathematics involved.

Discussion

So why are these types of mistakes / errors of judgement occurring?

In all the cases above, the personnel involved had been trained in the technique. Inexperience may have been the problem in a number of the examples. Just because a person has attended a training course does not make them competent in a subject. Years of practical experience in the application of risk assessment techniques is required for competence. Conducting LOPA in a team setting may help counter this problem. Like any element of a safety management system, LOPA studies need to be subjected to auditing, and any calculations by less experienced engineers need to be checked.

There appears to be a problem with the use of conditional modifiers (particularly in batch type processes) with time at risk factors. Before using such factors, people need to think carefully and do a reality check as to whether the conditional modifier used is correct and appropriate to the situation being studied. Again, auditing and supervision are important.

One has to question whether LOPA has over-simplified risk assessment and hence allowed inexperienced personnel to perform calculations. In any risk analysis, judgements have to be made. The use of the various spreadsheets that are available for LOPA may be allowing people to plug in data and get answers without fully understanding or thinking through the issues involved. A similar situation exists with consequence modelling packages.

People using the technique need to be aware of the other risk assessment techniques available and when LOPA is / is not appropriate. LOPA was only ever meant to be an order of magnitude risk estimate of relatively simple scenarios. Appropriate coverage in training courses of where LOPA fits in with other techniques is important.

The use of a consistent set of data within a company for common initiating events, IPLs, etc. is also important to ensure consistency of studies by different analysts within an organisation.

Conclusion

LOPA applied properly is a very useful technique in the toolbox of the risk analyst. However, people must always be aware of its limitations compared to more advanced techniques such as Fault Tree Analysis, QRA, etc. While LOPA is a relatively simple technique, common mistakes are occurring, particularly with the use of conditional modifiers related to exposure times, which causes an underestimation of the risk. Analysts need to be sure conditional modifiers are appropriate and correct for the situation under assessment. Personnel carrying out LOPA studies must be experienced and competent and, where necessary, adequately supervised.

References

1. Layer of Protection Analysis: Simplified Process Risk Assessment, CCPS, AIChE, 2001.
2. A review of Layer of Protection Analysis (LOPA) analyses of overfill of fuel storage tanks, prepared by the Health and Safety Laboratory for the Health and Safety Executive, 2009.
3. Failure Rate and Event Data for use within Land Use Planning Risk Assessments, UK HSE, 2012.
4. Safety and environmental standards for fuel storage sites, Process Safety Leadership Group Final Report, UK HSE, 2009.
5. IEC 61508: uses and abuses, David J Smith, The Chemical Engineer Magazine, February 2012.
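The arithmetic of Examples 2 and 4 above, as an added example (not code from the article): a small calculator that multiplies the initiating event frequency, the conditional modifiers and the IPL probabilities of failure on demand, and flags a time-at-risk modifier for the three reasons the article gives for rejecting one (latent failure, the same hazard present outside the window, and a per-opportunity human error rate that already contains the time at risk). The figures are the article's own; the scenario names, field names and the `objection` check are constructed assumptions.

```python
# Added example, not the article's code: order-of-magnitude LOPA frequency check
# that reproduces Examples 2 and 4 with the article's figures. Scenario names,
# field names and the objection() rule are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Modifier:
    name: str
    value: float
    time_at_risk: bool = False           # an exposure / operating-time factor?
    hazard_absent_outside: bool = True   # hazard genuinely absent outside the window?


@dataclass
class Scenario:
    name: str
    ief: float                      # yr^-1, or probability per opportunity
    per_opportunity: bool = False
    opportunities_per_year: float = 0.0
    latent_failure: bool = False    # nothing reliable detects the failure before the window
    modifiers: list = field(default_factory=list)
    ipl_pfds: list = field(default_factory=list)

    def objection(self, m: Modifier) -> str:
        """Reason the article's logic rejects a time-at-risk modifier; '' if acceptable."""
        if not m.time_at_risk:
            return ""
        if self.per_opportunity:
            return "time at risk is already in the opportunities per year (Example 4)"
        if not m.hazard_absent_outside:
            return "the same hazard is present outside the window (Example 2, 0.25)"
        if self.latent_failure:
            return "a latent failure is carried into the window (Examples 1 and 2)"
        return ""

    def frequency(self, drop_questionable: bool = False) -> float:
        """Mitigated event frequency in yr^-1: IEF x modifiers x IPL PFDs."""
        f = self.ief * self.opportunities_per_year if self.per_opportunity else self.ief
        for m in self.modifiers:
            if not (drop_questionable and self.objection(m)):
                f *= m.value
        for pfd in self.ipl_pfds:
            f *= pfd
        return f

# Example 2: agitator failure 0.1 yr^-1, two time-at-risk factors, bursting disk PFD 0.01.
RUNAWAY = Scenario("runaway reaction after agitator failure", ief=0.1, latent_failure=True,
                   modifiers=[Modifier("product made 3 months/yr", 0.25, True, False),
                              Modifier("reaction time / batch time (4/14)", 0.285, True)],
                   ipl_pfds=[0.01])
# Example 4: operator error 0.01 per opportunity, 26 opportunities/yr, 40/168 hours factor.
DEAD_HEAD = Scenario("manual valve closed, pump dead-headed", ief=0.01, per_opportunity=True,
                     opportunities_per_year=26, modifiers=[Modifier("operating hours", 0.24, True)])

for s in (RUNAWAY, DEAD_HEAD):
    print(s.name, f"{s.frequency():.3g} -> {s.frequency(True):.3g} yr^-1",
          [m.name for m in s.modifiers if s.objection(m)])
```

Running it prints the analyst's figure beside the figure with the rejected modifiers removed (7.125e-05 versus 0.001 yr^-1 for Example 2, 0.0624 versus 0.26 yr^-1 for Example 4).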
