Layers of Protection (LOPA)

Created in Collaboration with Lydia Peters


A Layers of Protection Analysis (LOPA) is a semi-quantitative study that helps identify safeguards and determine whether they are sufficient to protect against a given risk. A LOPA is conducted to ensure that process risks are mitigated to an acceptable level. Figure 1 below illustrates the layers of protection for a given process. The layers in the diagram are ranked from 1 to 9, from most to least desirable safeguard.

Nine circles, with the smallest circle nested within the next largest and so forth. The nine circles are labelled from smallest to largest: 1. Process, 2. Basic Process Control System, 3. Alarms and Operator Intervention, 4. Safety Instrumented System, 5. Physical Protection (Relief Devices), 6. Physical Containment (Bunds), 7. Fire and Gas System, 8. Plant Emergency Response, and 9. Community Emergency Response.

Figure 1. Layers of Protection Example Visual [5]

A LOPA is developed on the basis of a risk identification analysis, such as a Hazard and Operability Study (HAZOP). A HAZOP is usually carried out first and is then followed by a LOPA study. A HAZOP is a structured analysis of process design to identify process safety incidents to which a facility is vulnerable. A detailed HAZOP overview can be found in the HAZOP tutorial.

Major hazardous scenarios discovered in a HAZOP, which have the potential to cause serious harm to people, environment, or business, are subjected to a LOPA. A HAZOP identifies potential hazards, while a LOPA quantifies the probability of the hazard, analyzes the system at risk, and identifies the mitigation measures that guard against the hazard. LOPA studies can be conducted with few resources, focus attention on major issues, eliminate unnecessary safeguards, establish valid safeguards to improve processes, and provide a basis for managing layers of protection. These mitigation safety measures, or “layers of protection”, must meet the Center for Chemical Process Safety (CCPS) criteria of being Independent Protection Layers (IPL).

Definitions and Relevant Information

Independent – Not requiring or relying on anything else

Requirements for Independent Protection Layers (IPL)

  1. An IPL is effective in preventing the consequence
  2. An IPL functions independently of the initiating event of the scenario and functions independently of all other layers that are used for that same scenario
  3. An IPL is auditable (must be capable of validation including review, testing, and documentation)

There are many different possible independent protection layers that can be used in a process. Here is a list of examples of IPLs:

  • Inherently Safer Design
    • Elimination or significant reduction of certain hazards
    • Examples include reducing the quantity of material involved, changing process condition, eliminating flanges, using less hazardous material, etc.
  • Basic Process Control System (BPCS)
    • First layer of protection during normal operation which is designed to maintain process within a safe operating region.
    • It avoids operator intervention because process control is performed by the control system.
    • An example could be a level transmitter controlling tank level by manipulating the bottom control valve.
  • Alarm & Operator Intervention
    • Second level of protection which alerts operator of deviation in operating parameters.
    • Examples are high level alarm, high pressure alarm.
  • Safety Instrumented System (SIS)
    • Detects out of limit conditions and acts to bring the process back to a safe state.
    • Examples are independent high-level switches, excess flow valves, automatic emergency shutdown, etc.
  • Physical Detection Devices
    • Provide a high degree of protection against overpressure.
    • Examples are relief valves, rupture disc.
  • Passive Devices
    • Reduces the risk by preventing undesired consequences such as widespread leakage, widespread fire, etc.
    • Examples are dikes, blast walls, flame arrestors.

There are also many actions that are not considered independent layers of protection. Some examples of actions that are NOT considered an IPL are fire brigade, manual deluge systems, and community responses.

Figure 2 below shows an example of an Independent IPL. It can be seen that each level transmitter has its own control logic and valve. If one of the control logic fails, then only one level transmitter fails to function, and the other is unaffected. Therefore, the level transmitters are independent.

Figure 3 below shows an example of a non-Independent IPL. It can be seen that the two level transmitters share the same control logic. If the control logic fails, then both the level transmitters fail to function. Therefore, the level transmitters are not independent.

Figure 2. Example of an Independent IPL
Figure 3. Example of a Non-Independent IPL

Categories of Consequences

Potential consequences are ranked by their risk into categories 1-5. Category 1 includes the least severe consequences and category 5 includes the most severe. Consequences can put health, safety, and company finances at risk. Some consequences put safety and company finances at different levels of risk. For example, an incident could create a “category 5” consequence for safety but only a “category 3” consequence for finances. When determining the severity, consider the safety and business impacts independently and choose the highest severity.

See Tables 1 and 2 for more information on the different categories of consequence.

Table 1. Categories Based on Safety Impact

Category | Severity | Safety Impact
Category 1 | Slight | First Aid Treatment Case
Category 2 | Minor | Minor Injury: Day Away from Work
Category 3 | Severe | Serious Injury: Hospital Stay
Category 4 | Major | Single Fatality
Category 5 | Catastrophic | Multiple Fatalities

Table 2. Categories Based on Business Impact

Category | Severity | Business Impact
Category 1 | Slight | $0 – 100,000
Category 2 | Minor | $100,000 – 1 million
Category 3 | Severe | $1 – 10 million
Category 4 | Major | $10 – 100 million
Category 5 | Catastrophic | $100 million

LOPA studies generally address approximately 5% of the significant risk issues. Most companies develop limits for LOPA studies, often focusing on major consequences of category 4 or 5 and accidents with fatalities. Most accidents occur during startup and shutdown; consequently, a LOPA is often focused on consequences from incidents involving startup and shutdown of equipment.

Frequency of Initiating Event (FOIE)

FOIE describes how often the initiating event, which is the failure that causes the given consequence, will occur. Initiating events can be passive or active. Initiating events could be a natural phenomenon, control system failure, human error, etc. Probabilities of a given initiating event occurring can be found in Appendix A. When human error is deemed the initiating event, please follow the steps here:

  1. Find the opportunity rate (the number of times that an activity is carried out by a human annually)
  2. Find the human error probability (HEP). This represents the probability of human mistakes in a given opportunity. The value is normally taken as 10⁻²/opportunity

FOIE = Opportunities/year × HEP

Probability of Failure of IPL on demand (PFD)

PFD describes how often the protection layer will fail. Probabilities that a given layer will fail can be found in Appendix B.

Mitigated consequence frequency (MCF)

MCF describes how often an initiating event will occur and the IPL will fail. MCF is the frequency that a given consequence (see examples in Table 1) will occur. MCF is calculated by the given formula:


LOPA Process

The following method can be used for conducting a LOPA for any given system that possesses potential hazards:

  1. Identify a single consequence to a potential process safety hazard
  2. Identify an accident scenario and cause associated with the consequence
  3. Identify the initiating event for the scenario and estimate the frequency of initiating event (FOIE).
  4. Identify the independent protection layers that are available for this particular consequence and estimate the probability of failure on demand (PFD) for each protection layer
  5. Combine the frequency of initiating event (FOIE) with the probability of failure (PFD) of the independent protection layer (IPL) to determine the mitigated consequence frequency (MCF) for the given initiating event
  6. Plot the consequence frequency vs consequence severity to estimate the level of risk as seen below in Table 2. Each point will fit somewhere on this risk matrix.

     Risk = MCF × Severity

  7. Compare risk found in step 6 to an acceptable level of risk and evaluate if additional IPLs are necessary

While you are completing a LOPA, please consider the following:

  1. All the IPLs are maintained and working properly
  2. Number of injuries/fatalities/economic loss as per CSB report
  3. An initiating event cannot be taken as an IPL
  4. If there are multiple IPLs in the system, then PFD of system will be product of each independent IPL PFD

     PFD = PFD₁ × PFD₂ × PFD₃

  5. If there are no IPLs present, the PFD value is 1
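
The procedure and considerations above, worked through in Python as an added example (not part of the original tutorial). It assumes that "combine" in step 5 means MCF = FOIE × PFD and that a layer sharing a component with the initiating event or with an already credited layer gets no credit; the scenario, component labels and alarm PFD are constructed, while the other values come from the appendices.

```python
from dataclasses import dataclass
from math import prod

HEP = 1e-2  # human error probability per opportunity (value stated on the page)

@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float             # probability of failure on demand
    components: frozenset  # what the layer relies on (constructed labels)

def human_error_foie(opportunities_per_year, hep=HEP):
    """FOIE = opportunities/year x HEP."""
    return opportunities_per_year * hep

def credit_ipls(layers, initiator_components):
    """Credit a layer only if it shares nothing with the initiating event
    or with a layer already credited (the independence requirement)."""
    used, credited = set(initiator_components), []
    for layer in layers:
        if used & layer.components:
            continue  # shared component: not an independent layer
        credited.append(layer)
        used |= layer.components
    return credited

def lopa(foie, layers, initiator_components, safety_cat, business_cat):
    ipls = credit_ipls(layers, initiator_components)
    pfd = prod(l.pfd for l in ipls)           # empty product is 1: no IPLs, PFD = 1
    mcf = foie * pfd                          # assumed reading of step 5
    severity = max(safety_cat, business_cat)  # choose the highest severity
    return {"credited": [l.name for l in ipls], "pfd": pfd,
            "mcf": mcf, "severity": severity, "risk": mcf * severity}

# Constructed scenario: a BPCS pressure-control loop fails (FOIE 10^-1 per year,
# Appendix A) and the vessel is overpressured.
SCENARIO = lopa(
    foie=1e-1,
    layers=[
        # Alarm raised by the same BPCS logic that failed; PFD value is constructed.
        Layer("High-pressure alarm", 1e-1, frozenset({"bpcs_logic"})),
        Layer("Relief valve", 1e-2, frozenset({"relief_valve"})),         # Appendix B
        Layer("Manual ESD", 0.4, frozenset({"operator", "esd_button"})),  # Appendix B
    ],
    initiator_components={"bpcs_logic"},
    safety_cat=4, business_cat=3,
)

if __name__ == "__main__":
    print(SCENARIO)
    print("Operator task done 50 times/year:", human_error_foie(50), "per year")
```

The alarm is dropped because it depends on the logic whose failure starts the scenario, so only the relief valve and manual ESD reduce the frequency.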

This tutorial includes a LOPA Example for the explosion at the Caribbean Petroleum Company (CAPECO), which has been used in the first Material & Energy Balances Safety Module.

Knowledge Check

There is a LOPA knowledge check quiz available.


Appendix A: Frequency of Initiating Event (FOIE) Values [8]

Initiating Event | FOIE Value (per Year)
Pressure vessel residual failure | 10⁻⁶
Piping leak (10% section) | 10⁻³
Atmospheric tank failure | 10⁻³
Third-party intervention (e.g. external impact by |
Safety valve opens unexpectedly | 10⁻²
Cooling water failure | 10⁻¹
Pump seal failure | 10⁻¹
Basic process control system (BPCS) instrument loop failure | 10⁻¹
External fire | 10⁻¹
Operator failure | 10⁻²/opportunity

Appendix B: Probability of Failure on Demand (PFD) Values [8]

IPL | Comments and Definitions | PFD Value
Dike | Reduces the frequency of large consequences of a tank overfill, rupture, spill, etc. |
Underground draining | Reduces the frequency of large consequences of a tank overfill, rupture, spill, etc. |
Open vent | Prevents overpressure | 10⁻²
Fireproofing | Reduces rate of heat input and provides additional time for depressurizing, firefighting, etc. |
Blast wall or bunker | Reduces the frequency of large consequences of an explosion by confining blast and by protecting equipment, buildings, etc. |
Single Check Valve/ Slide | Reduces the frequency of reverse flow by allowing flow in only one direction |
Dual Check Valve/ Slide | More efficient than single check valve in reducing frequency of reverse flow |
Inherently safer design | If properly implemented, can eliminate scenarios, or significantly reduce the consequences associated with a |
Flame or detonation | If properly designed, installed, and maintained, can eliminate the potential for flashback through a piping system or into a vessel or tank |
Relief Valve/Rupture Disk | Prevents system from exceeding specified overpressure. | 10⁻²
Alarms | Alarms can be programmed to alert the operator to take an |
Basic process control system (BPCS) | Alarms can be programmed to alert the operator to take an |
Safety Instrumented System | SIS does not depend upon any operator interaction and works automatically to bring system to a safe state during an undesired event |
Manual Emergency Shutdown (ESD) | Manual activation of button to shut down entire process | 0.4


[1] “LOPA – Layer of Protection Analysis.” Process and HSE Engineering, 2 Feb. 2012.

[2] Summers, Angela E. “Introduction to Layer of Protection Analysis.” SIS-Tech, July 2014.

[3] “Risk Assessment.” Chemical Process Safety: Fundamentals With Applications, by Daniel A. Crowl and Joseph F. Louvar, 3rd ed., Pearson, 2011, pp. 577–587.

[4] Gate Inc. “Introduction to Layer of Protection Analysis (LOPA).” Gate Keeper: A Technical Newsletter for the Oil & Gas Industry, July 2014.

[5] Spencer, Gabi. “Multiple Layers of Protection & Mitigation.” ESC, 26 Jan. 2109.

[6] Shuttleworth, Mike. “Qualitative and Quantitative Risk Analysis. What Is the Difference?” Project Risk Manager, 13 Oct. 2019.

[7] “Independent.” Merriam-Webster, Merriam-Webster.

[8] Crowl, Daniel A., and Joseph F. Louvar. Chemical Process Safety: Fundamentals with Applications. Pearson, 2019.