Created in Collaboration with Lydia Peters
A Layers of Protection Analysis (LOPA) is a semi-quantitative study that identifies the safeguards on a process and determines whether they are sufficient to protect against a given risk. A LOPA is conducted to ensure that process risks are mitigated to an acceptable level. Figure 1 below represents the layers of protection for a given process; the layers in the diagram are ranked from 1 (most desirable safeguard) to 9 (least desirable safeguard).
Figure 1. Layers of Protection Example Visual 
A LOPA is developed on the basis of a risk identification analysis, such as a Hazard and Operability Study (HAZOP). A HAZOP is usually carried out first and is then followed by a LOPA study. A HAZOP is a structured analysis of process design to identify process safety incidents to which a facility is vulnerable. A detailed HAZOP overview can be found in the HAZOP tutorial.
Major hazardous scenarios discovered in a HAZOP, those with the potential to cause serious harm to people, the environment, or the business, are subjected to a LOPA. A HAZOP identifies potential hazards, while a LOPA quantifies the probability of the hazard, analyzes the system at risk, and identifies the mitigation measures that guard against the hazard. LOPA studies can be conducted with few resources, focus attention on major issues, eliminate unnecessary safeguards, establish valid safeguards to improve processes, and provide a basis for managing layers of protection. These mitigating safety measures, or “layers of protection”, must meet the Center for Chemical Process Safety (CCPS) criteria for Independent Protection Layers (IPL).
Definitions and Relevant Information
Independent – Not requiring or relying on anything else
Requirements for Independent Protection Layers (IPL)
- An IPL is effective in preventing the consequence
- An IPL functions independently of the initiating event of the scenario and functions independently of all other layers that are used for that same scenario
- An IPL is auditable (must be capable of validation including review, testing, and documentation)
There are many different possible independent protection layers that can be used in a process. Here is a list of examples of IPLs:
- Inherently Safer Design
  - Elimination or significant reduction of certain hazards.
  - Examples include reducing the quantity of material involved, changing process conditions, eliminating flanges, using less hazardous material, etc.
- Basic Process Control System (BPCS)
  - First layer of protection during normal operation, designed to keep the process within a safe operating region.
  - It avoids operator intervention because the process is controlled automatically by the control system.
  - An example is a level transmitter controlling tank level by manipulating the bottom control valve.
- Alarm & Operator Intervention
  - Second layer of protection, which alerts the operator to a deviation in operating parameters.
  - Examples are a high level alarm or a high pressure alarm.
- Safety Instrumented System (SIS)
  - Detects out-of-limit conditions and acts to bring the process back to a safe state.
  - Examples are an independent high-level switch, excess flow valves, automatic emergency shutdown, etc.
- Physical Detection Devices
  - Provide a high degree of protection against overpressure.
  - Examples are relief valves and rupture discs.
- Passive Devices
  - Reduce the risk by preventing undesired consequences such as widespread leakage, widespread fire, etc.
  - Examples are dikes, blast walls, and flame arrestors.
There are also many actions that are not considered independent layers of protection. Examples of measures that are NOT considered an IPL are the fire brigade, manual deluge systems, and community response.
Figure 2 below shows an example of an independent IPL. Each level transmitter has its own control logic and valve. If one control logic fails, only the level transmitter it serves stops functioning, and the other is unaffected. Therefore, the level transmitters are independent.
Figure 3 below shows an example of a non-independent IPL. The two level transmitters share the same control logic. If the control logic fails, both level transmitters fail to function. Therefore, the level transmitters are not independent.
Categories of Consequences
Potential consequences are ranked by their risk into categories 1-5. Category 1 includes the least severe consequences and category 5 includes the most severe. Consequences can put health, safety, and company finances at risk. Some consequences put safety and company finances at different levels of risk. For example, an incident could create a “category 5” consequence for safety but only a “category 3” consequence for finances. When determining the severity, consider the safety and business impacts independently and choose the highest severity.
See Tables 1 and 2 for more information on the different categories of consequence.
Table 1. Categories Based on Safety Impact
| Category | Severity | Safety Impact |
|---|---|---|
| Category 1 | Slight | First Aid Treatment Case |
| Category 2 | Minor | Minor Injury: Day Away from Work |
| Category 3 | Severe | Serious Injury: |
| Category 4 | Major | Single Fatality |
| Category 5 | Catastrophic | Multiple Fatalities |
Table 2. Categories Based on Business Impact
| Category | Severity | Business Impact |
|---|---|---|
| Category 1 | Slight | $0 – 100,000 |
| Category 2 | Minor | $100,000 – 1 million |
| Category 3 | Severe | $1 – 10 million |
| Category 4 | Major | $10 – 100 million |
| Category 5 | Catastrophic | $100 million |
LOPA studies generally address approximately 5% of the significant risk issues. Most companies set limits on the scope of LOPA studies, often focusing on major consequences of category 4 or 5 and on accidents with fatalities. Most accidents occur during startup and shutdown; consequently, a LOPA is often focused on consequences of incidents involving startup and shutdown of equipment.
Frequency of Initiating Event (FOIE)
FOIE describes how often the initiating event, the failure that causes the given consequence, will occur. Initiating events can be passive or active, and may be a natural phenomenon, a control system failure, human error, etc. FOIE values for common initiating events can be found in Appendix A. When human error is deemed the initiating event, follow these steps:
- Find the opportunity rate (the number of times per year that the activity is carried out by a human)
- Find the human error probability (HEP), the probability of a human mistake in a given opportunity. The value is normally taken as 10^-2 per opportunity
FOIE = Opportunities/year × HEP
Probability of Failure of IPL on demand (PFD)
PFD describes the probability that a protection layer will fail when it is called upon. PFD values for common layers can be found in Appendix B.
Mitigated consequence frequency (MCF)
MCF describes how often an initiating event occurs and the IPL then fails. MCF is the frequency with which a given consequence (see examples in Table 1) will occur, and is calculated by the formula:
MCF = PFD × FOIE
The following method can be used for conducting a LOPA on any system that possesses potential hazards:
- Identify a single consequence of a potential process safety hazard
- Identify an accident scenario and cause associated with the consequence
- Identify the initiating event for the scenario and estimate the frequency of the initiating event (FOIE)
- Identify the independent protection layers that are available for this particular consequence and estimate the probability of failure on demand (PFD) for each protection layer
- Combine the frequency of the initiating event (FOIE) with the probability of failure on demand (PFD) of the independent protection layers (IPL) to determine the mitigated consequence frequency (MCF) for the given initiating event
- Plot the consequence frequency against the consequence severity to estimate the level of risk, as seen below in Table 2. Each point will fall somewhere on this risk matrix.
Risk = MCF × Severity
- Compare the risk found in step 6 with the acceptable level of risk and evaluate whether additional IPLs are necessary
While completing a LOPA, consider the following:
- All IPLs are assumed to be maintained and working properly
- Take the number of injuries/fatalities/economic loss from the CSB report
- An initiating event cannot be taken as an IPL
- If there are multiple IPLs in the system, the PFD of the system is the product of the PFDs of each independent IPL:
PFD = PFD1 × PFD2 × PFD3
- If there are no IPLs present, the PFD value is 1
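The arithmetic of the method above (FOIE, PFD product, MCF, Risk, and the "initiating event is not an IPL" rule), carried out as an added example that is not part of the original tutorial. The FOIE and PFD values come from Appendices A and B of this page; the overfill scenario, its target frequency and the candidate extra layer are constructed assumptions.

```python
# Added example (not the tutorial's own code): LOPA arithmetic for one scenario.
from dataclasses import dataclass, field
from math import prod

HEP_DEFAULT = 1e-2  # human error probability per opportunity, as stated above


def human_error_foie(opportunities_per_year: float, hep: float = HEP_DEFAULT) -> float:
    """FOIE for a human-error initiating event: opportunities/year x HEP."""
    return opportunities_per_year * hep


def system_pfd(ipl_pfds: list[float]) -> float:
    """Product of the independent IPL PFDs; with no IPL present the PFD is 1."""
    return prod(ipl_pfds) if ipl_pfds else 1.0


@dataclass
class Scenario:
    initiating_event: str
    foie: float                                           # per year
    ipls: dict[str, float] = field(default_factory=dict)  # IPL name -> PFD

    def check_independence(self) -> None:
        """Reject a layer that is itself the initiating event (not an IPL)."""
        for name in self.ipls:
            if name.lower() in self.initiating_event.lower():
                raise ValueError(f"{name!r} is the initiating event, not an IPL")

    def mcf(self) -> float:
        """Mitigated consequence frequency = PFD x FOIE (per year)."""
        self.check_independence()
        return system_pfd(list(self.ipls.values())) * self.foie

    def risk(self, severity: int) -> float:
        """Risk = MCF x Severity, severity being the category 1-5 of Tables 1/2."""
        return self.mcf() * severity

    def extra_ipls_needed(self, target_mcf: float, candidate_pfd: float) -> int:
        """How many added layers of the given PFD bring the MCF down to target."""
        mcf, needed = self.mcf(), 0
        while mcf > target_mcf:
            mcf *= candidate_pfd
            needed += 1
        return needed


if __name__ == "__main__":
    # Constructed scenario: tank overfill initiated by a BPCS loop failure
    # (Appendix A: 1e-1/yr) with a relief valve (Appendix B: 1e-2) and a
    # manual shutdown button (Appendix B: 0.4) as the existing layers.
    s = Scenario("BPCS instrument loop failure", 1e-1,
                 {"Relief valve": 1e-2, "Manual shutdown button": 0.4})
    print(f"MCF = {s.mcf():.1e}/yr, risk (category 4) = {s.risk(4):.1e}")
    print("extra 1e-2 IPLs needed for 1e-5/yr:", s.extra_ipls_needed(1e-5, 1e-2))
```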
This tutorial includes a LOPA Example for the explosion at the Caribbean Petroleum Company (CAPECO), which has been used in the first Material & Energy Balances Safety Module.
There is a LOPA knowledge check quiz available.
Appendix A: Frequency of Initiating Event (FOIE) Values
| Initiating Event | FOIE Value (per year) |
|---|---|
| Pressure vessel residual failure | 10^-6 |
| Piping leak (10% section) | 10^-3 |
| Atmospheric tank failure | 10^-3 |
| Third-party intervention (e.g. external impact by | |
| Safety valve opens unexpectedly | 10^-2 |
| Cooling water failure | 10^-1 |
| Pump seal failure | 10^-1 |
| Basic process control system (BPCS) instrument loop failure | 10^-1 |
Appendix B: Probability of Failure on Demand (PFD) Values
| IPL | Comments and Definitions | PFD Value |
|---|---|---|
| Dike | Reduces the frequency of large consequences of a tank overfill, rupture, spill, etc. | |
| Open vent | Prevents overpressure | 10^-2 |
| Fireproofing | Reduces rate of heat input and provides additional time for depressurizing, firefighting, etc. | |
| Blast wall or bunker | Reduces the frequency of large consequences of an explosion by confining blast and by protecting equipment, | |
| Single check valve / slide | Reduces the frequency of reverse flow by allowing flow in only one direction | |
| Dual check valve / slide | More efficient than single check valve in reducing frequency of reverse flow | |
| Inherently safer design | If properly implemented, can eliminate scenarios, or significantly reduce the consequences associated with a | |
| Flame or detonation | If properly designed, installed, and maintained, can eliminate the potential for flashback through a piping system or into a vessel or tank | |
| Relief valve / rupture disk | Prevents system from exceeding specified overpressure. | 10^-2 |
| Alarms | Alarms can be programmed to alert the operator to take an | |
| Basic process control | Alarms can be programmed to alert the operator to take an | |
| Safety Instrumented System | SIS does not depend upon any operator interaction and works automatically to bring system to a safe state during an undesired event | |
| Manual activation of button to shut down entire process | | 0.4 |