LOPA is a semi-quantitative risk assessment tool used to analyze hazardous process scenarios with potentially high consequences. It builds on qualitative methods (like HAZOP) by assigning order-of-magnitude frequencies and probabilities to events, then comparing the estimated risk to defined tolerance criteria. In LOPA, a hazardous scenario is examined to see if existing safeguards (independent protection layers) can reduce the likelihood of a bad outcome to acceptable levels. If the calculated risk exceeds the company’s or regulator’s tolerable risk criterion, then LOPA identifies additional protection layers or design changes to close the “risk gap”. In practice, LOPA is widely used in the process industries (chemicals, oil & gas, refining, etc.) as a structured way to gauge safety and to help set Safety Integrity Levels (SILs) for safety systems.
LOPA follows a step-by-step workflow for each hazard scenario. A typical LOPA process is illustrated below (Figure). Briefly, the steps are:
This structured approach ensures consistency. By focusing on one IE–consequence pair at a time, LOPA keeps calculations transparent and repeatable. It bridges qualitative PHA methods and full quantitative risk assessment, yielding defendable, order-of-magnitude risk estimates.
In LOPA, an initiating event (IE) is the failure or action that directly causes the hazardous scenario to begin. This could be a stuck control valve, a pump shaft break, a human error, or an external event like a fire. The frequency of the IE (FOIE) is estimated from data tables or past experience. For example, a typical initiating event might be “pump seal failure”, with an assumed FOIE of 10^-1/yr. The IE’s frequency effectively sets the starting risk before any safeguards.
Independent Protection Layers (IPLs) are measures that prevent the unwanted consequence after the IE but before the final event. By definition, each IPL must be independent (no shared failure modes) and effective (at least 10× risk reduction).
Common IPL examples include:
Not every safeguard counts as an IPL. For example, a fire brigade or a manual fire pump would not be considered an independent layer in LOPA (they are too slow or not independent of the IE). IPLs must be proven and maintained. Because LOPA requires independence, auditors often focus on ensuring no common-cause failures (e.g. redundant sensors must not share the same power supply or design flaw).
LOPA compares the calculated risk to pre-defined risk criteria. These may be company or industry benchmarks for how much individual or societal risk is acceptable. For example, a company might set a target of 10^-4 fatalities per year for a given scenario (individual risk tolerance), or limits on the frequency of catastrophic releases (societal risk). The LOPA worksheet will flag a scenario as acceptable or not by comparing the mitigated frequency (e.g. 10^-5/yr) against the target.
It is essential that the chosen risk criteria are compatible with what the LOPA actually measures. Both individual risk (to a single person) and societal risk (across a group) criteria may apply. In practice, teams often use a risk matrix: the frequency (calculated by LOPA) versus severity (e.g. injury or environmental loss) is placed on a colored risk grid. If the point falls in the “tolerable” (green) zone, no further action is needed; if it is “ALARP” or unacceptable (amber/red), more layers must be added.
Because risk tolerance varies by country, company, and context, LOPA results are not directly comparable across different studies. A rule of thumb is that LOPA targets are often set by HSE guidelines or corporate safety policy. For example, one source notes that CCPS guidelines allow organizations to allocate overall facility risk to individual scenarios via their criteria. In summary, LOPA’s role is to check “is the risk low enough?” and, if not, quantify how much more protection is needed.
LOPA has been applied in many real-world chemical and refining cases. A classic example is the 1996 CAPECO gasoline tank explosion in Puerto Rico. In this incident, operators overfilled a storage tank (due to a manual level calculation error) and gasoline vapor leaked, causing a fatal explosion. A LOPA performed on this scenario (after a HAZOP identified the risk) went as follows:
This example shows how LOPA quantifies risk and highlights gaps. Another case study involved a refinery’s hydrofluoric (HF) alkylation unit. LOPA was applied to high-temperature deviations in an acid regenerator. Engineers estimated an IE frequency of 10^-3/yr (valve failure) and counted multiple IPLs: process design features, control systems, and procedures, each with PFD ~10^-2. When multiplied through, the overall mitigated frequency came out around 10^-9/yr. In other words, the existing safeguards reduced the event rate by at least a million-fold, indicating that the hazard was extremely low. Such LOPA findings helped the plant confirm that no additional safety systems were needed for that particular scenario.
Across the industry, LOPA studies have influenced safety systems design. For example, LOPA often leads to Safety Instrumented Functions with specific SILs. In many cases, a LOPA will show that a certain SIS must achieve a target PFD (e.g. 10^-3) – which corresponds to requiring SIL 2 or 3 under IEC 61511. Thus, LOPA results frequently feed directly into SIL determination and SIS design.
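The IPL qualification rules, the frequency arithmetic and the SIL allocation described above, as an added Python example (not from the original article). The class and function names, the dependency tags on the sample layers and the band-edge convention in `sil_band` are assumptions of this example; the SIL bands are the low-demand PFDavg ranges of IEC 61511.

```python
from dataclasses import dataclass
from decimal import Decimal
from itertools import combinations

@dataclass(frozen=True)
class IPL:
    name: str
    pfd: Decimal                          # probability of failure on demand
    depends_on: frozenset = frozenset()   # shared utilities, sensors, people (hypothetical tags)

def validate_ipls(ie_depends_on, ipls):
    """Return the reasons a claimed layer does not qualify as an IPL."""
    problems = []
    for ipl in ipls:
        if ipl.pfd > Decimal("0.1"):      # must give at least 10x risk reduction
            problems.append(f"{ipl.name}: PFD {ipl.pfd} gives less than 10x reduction")
        shared = ipl.depends_on & ie_depends_on
        if shared:                        # layer fails together with the initiating event
            problems.append(f"{ipl.name}: shares {sorted(shared)} with the initiating event")
    for a, b in combinations(ipls, 2):    # common cause between two layers
        shared = a.depends_on & b.depends_on
        if shared:
            problems.append(f"{a.name} / {b.name}: common cause {sorted(shared)}")
    return problems

def mitigated_frequency(ie_freq, ipls):
    """IE frequency (per year) multiplied by the PFD of every credited IPL."""
    freq = ie_freq
    for ipl in ipls:
        freq *= ipl.pfd
    return freq

def required_sif_pfd(ie_freq, ipls, target):
    """PFD an added SIF must achieve to close the risk gap; >= 1 means no gap."""
    return target / mitigated_frequency(ie_freq, ipls)

def sil_band(pfd):
    """Low-demand band containing pfd: SIL n is 10^-(n+1) <= PFDavg < 10^-n."""
    if pfd >= Decimal("0.1"):
        return 0                          # no SIL-rated function needed
    for sil in (1, 2, 3, 4):
        if pfd >= Decimal(10) ** -(sil + 1):
            return sil                    # a value on a band edge stays in that band
    return None                           # beyond SIL 4: redesign instead of adding a SIF

# Constructed sample: the HF alkylation figures quoted above (IE 1e-3/yr, three IPLs at 1e-2).
HF_IPLS = [IPL("process design", Decimal("1e-2")),
           IPL("control system", Decimal("1e-2"), frozenset({"DCS"})),
           IPL("procedure", Decimal("1e-2"), frozenset({"operator"}))]

if __name__ == "__main__":
    print(mitigated_frequency(Decimal("1e-3"), HF_IPLS))
```

`Decimal` keeps the powers of ten exact, so a required PFD that lands on a band edge is not pushed into the neighbouring SIL by floating-point rounding.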
LOPA usually fits between qualitative PHA and full quantitative analysis. In a typical safety analysis, a team will first perform a HAZOP or What-If study to find potential hazards. Then, the most serious hazard scenarios (those with large consequences or unclear safeguards) are selected for LOPA. The HAZOP provides the scenario descriptions and nominal causes, which LOPA quantifies.
If LOPA finds a risk gap, it may trigger further detailed analysis (full QRA, fault trees, event trees) for those scenarios. Conversely, if LOPA shows that risk is already below the target, the team can usually conclude that no additional safety system is required. In this way, LOPA provides a defensible “screening” or intermediate risk assessment: more rigorous than a HAZOP heat table, but less time-consuming than a full QRA.
LOPA is also closely tied to Functional Safety (SIS/SIL). Under IEC 61511 (process industry safety), every safety instrumented function must achieve a certain Safety Integrity Level. LOPA often calculates the risk reduction achieved by a proposed SIS and thus helps allocate the required SIL. In fact, LOPA was introduced to bridge process safety and functional safety by defining which safety functions are “risk‑significant” and warrant the highest integrity. Many companies use LOPA as part of their PHA toolkit so that SIS design is tied directly to risk outcomes.
Moreover, LOPA complements other tools like Bow-Tie diagrams or Swiss Cheese models by providing the quantitative backbone. It forces the team to list specific layers (the “slices of cheese”) and assign numerical effectiveness to each, rather than relying on vague statements. By doing so, LOPA clarifies exactly how each layer (alarm, interlock, procedure, relief valve, etc.) contributes to risk reduction.
LOPA’s structured approach provides several advantages. It is much faster and simpler than a full quantitative risk assessment, yet more rigorous and auditable than pure qualitative judgment. By using standardized frequency and failure data, LOPA cuts through subjective debate and gives everyone a common “risk score” to discuss. Teams consistently report that LOPA clarifies thinking: it forces precise definition of cause and consequence, highlights which safeguards are critical, and identifies exactly how much more protection (if any) is needed. In practice, a good LOPA study results in a list of Safety Critical Elements – equipment or functions that must be maintained/tested at high reliability. It also provides documentation of why certain risks were deemed acceptable. In regulatory or management reviews, LOPA spreadsheets serve as evidence that risk was evaluated systematically.
Despite its utility, LOPA has well-known limitations. Importantly, it is order-of-magnitude only – one should never interpret LOPA outputs as precise probabilities. The frequency and PFD values are rounded (0.1, 0.01, etc.), so small numerical differences (e.g. 5×10^-4 vs 8×10^-4) are not meaningful. LOPA examines one cause–consequence pair at a time, so scenarios with multiple simultaneous failures or common-cause issues can be missed or double-counted. It is not suitable for very large complex events; for example, a bunded tank fire with ten possible leak sources would be cumbersome in LOPA and is better handled by detailed event/fault-tree analysis.
LOPA also should not be applied to all hazards. It typically addresses major process safety risks, not routine industrial accidents or external events. For example, LOPA is not used for slip‑and‑fall hazards or natural disasters like floods – other safety analyses would cover those. In the process industry context, authors note that LOPA is inappropriate for high-consequence scenarios if the remaining risk is still very large; such cases should proceed directly to full QRA.
Additionally, quantifying mitigative layers (like fire brigades or passive firefighting systems) can be difficult, so LOPA usually excludes those or treats them with conservative assumptions.
Finally, misuse of LOPA can occur if risk criteria are mismatched or if conditional modifiers (occupancy, ignition probability) are applied incorrectly. Teams must ensure consistency in data and assumptions, or else LOPA’s simplicity can give a false sense of accuracy. Nonetheless, when used judiciously within its scope, LOPA remains a powerful tool for bridging qualitative hazard studies and detailed risk analysis.
Layer of Protection Analysis provides a balanced, semi-quantitative framework for process hazard analysis. It helps engineers and safety managers ask: “Given what can go wrong, do we have enough independent safeguards?” By quantifying initiating event frequencies and IPL effectiveness, LOPA shows whether the residual risk lies within tolerable limits. It guides investment in safety by highlighting critical safety systems and design changes.
While LOPA is not a substitute for full quantitative risk assessment, its structured methodology and clear logic make it an indispensable part of modern process safety management.