PM Group's Richard Coffey outlines a number of points to help improve communication and provide a better understanding of Layer of Protection Analysis (LOPA) among safety professionals, operations personnel and production managers


Although safety professionals often use layers of protection analysis (LOPA) for risk assessment, some managers can be sceptical about these techniques. More often than not, the distrust stems from not getting proper information about LOPA.

This scepticism is healthy and provides an opportunity for safety professionals to explain and educate managers about the technique’s role and value.

Consider this situation: a busy production manager attended a LOPA workshop conducted for a large project at his plant. The facilitator made profuse use of acronyms and probability calculations in evaluating the risk of unsafe events and, where appropriate, recommended additional safeguards.

The LOPA process was technically sound but frustrated the manager. He said: “Although I see what you guys are doing, I have considerable trouble seeing its relevance in really reducing risk.

“I have had a lot of difficulty following your acronyms. Can’t you talk in laymen’s terms so that operations personnel can understand what LOPA really is?”

This isn’t an uncommon incident. In this article, some points to improve communication and provide a better understanding of LOPA are shared.

Communicate better

Managers typically are financially astute professionals with good people and communication skills. They focus on results. They aren’t interested in myriad details about the LOPA process. The following measures should be taken to address this:
1.) Start the facilitation with a brief presentation on LOPA. This will ensure the team is familiar with the use of LOPA terminology. It may be helpful to send the presentation in advance to each participant.
2.) Avoid technical jargon. Terms and acronyms useful in discussions with safety professionals can significantly hinder communications to management. If you must use jargon, explain its meaning in common terms.
3.) Use managerial language. Emphasise that LOPA is closely tied to a company’s productivity and image. Of course, this will require relevant data that link risk and its associated cost. Stated differently, present additional safeguards to reduce risk in terms of their overall lifecycle cost and economic benefits.
4.) Be concise in your presentation. Keep in mind you have limited time to communicate key points of your LOPA work. Be strategic – concentrate on ‘big impact’ items. Don’t get bogged down in minute details. Of course, spell out all the details of LOPA findings in the formal report.
5.) Keep readers in mind. In developing a LOPA report, focus the executive summary section on the key action items. Write the report so that all relevant readers – managers, engineers, safety professionals, and plant operating/maintenance personnel – can understand it.

Key questions

Face-to-face communication with plant or corporate management, of course, requires preparation. While it’s hard to predict the exact type and number of questions managers may pose, certain questions arise regularly:

Why do we need LOPA? Our company is totally committed to safety. We follow recommendations of hazard and operability studies (HAZOPs), and, where necessary, install additional safeguards to reduce risk. Does LOPA really reduce risk further?

A HAZOP does help reduce risk. However, it is qualitative and subjective – so, it could result in improper application of safeguards. Misapplied measures may not reduce risk to the desired extent.

LOPA, on the other hand, quantifies risk, thus reducing subjectivity. LOPA typically takes place after a HAZOP and focuses on selected ‘high risk’ issues.

LOPA helps you choose among various alternative safeguards to get the one most economically justifiable. Of course, LOPA requires relevant data on the reliability of the safeguards.

What is the meaning of ‘probability of failure on demand’?
Probability of failure on demand (PFD) quantifies the chance that a specific safeguard won’t perform its intended function when required. For instance, consider a shutdown valve that should close when a hazardous event (say, high level in a tank) arises.

Failure of the valve to shut could result in a major consequence (such as a tank overflow). If that valve fails to close once every one hundred times, then its PFD is 0.01.

What is the meaning of ‘SIL’?
Minimum Safety Integrity Levels (SIL) can be assigned to equipment at the design stage. This provides the designer with a degree of certainty over the overall failure levels of a plant. The standard SIL ratings are presented in the table below:

Another common LOPA term is ‘independent protection layer’ (IPL). This is a safeguard that works independently of others. Some examples are relief valves, basic process control systems, interlocks, and alarms (if they are maintained and give an operator adequate time to respond to prevent a hazardous event from occurring).

To be effective, an IPL should be:
1.) specific for preventing a given hazardous event;
2.) independent, that is, not influenced by the performance of other safeguards;
3.) dependable, that is, effective in reducing risk in accordance with its PFD value (which requires the IPL to be properly specified and installed); and
4.) auditable, that is, inspected and maintained at specific intervals.

LOPA also uses the term ‘acceptable risk’. This indicates the number of occurrences a company can tolerate per year. For instance, 1.0 × 10⁻⁴ per year means one event every 10,000 years.

The acceptable risk level depends on a number of factors including the size of the event (those with off-site impact or that could cause injuries or fatalities will need to be very infrequent, for instance, 1.0 × 10⁻⁵), litigation, and company reputation. In several countries, regulations dictate the acceptable risk level.

What is the LOPA process?
LOPA is performed on relatively “high risk” hazardous events identified by a HAZOP. For each such event, LOPA evaluates the extent of protection provided by the existing safeguards and compares that with a company’s desired level of protection. If a deficiency exists, additional safeguards are recommended.

The process of risk assessment and risk management is not a one-time activity. It’s a process that continues throughout the life of a project or a plant.

On the subject of the lifespan of equipment, another term commonly referred to is the ‘Bathtub Graph’. The ‘Bathtub’ graph reflects how PFD rates reduce after new plant is installed and commissioned, remain steady for much of the lifetime of the plant, and increase towards the end of plant life due to wear and tear.

How many IPLs do I need?
The number depends on the specific hazardous event, its acceptable versus current risk level, and risk reduction (probability of failure) provided by each safeguard.

How do I determine the level of protection required?
This depends on the severity of a consequence and corporate risk-tolerance policy.

Of course, a company can accept an event that could result in multiple injuries or a major environmental or public image impact far less frequently than one that has relatively minor safety or other consequences. In several countries, regulations drive the level of protection required.
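The comparison described in the last three answers can be worked through in a few lines. The following is an added example, not part of the original article: it uses the standard LOPA arithmetic (initiating event frequency multiplied by the PFD of each credited IPL), which the article does not spell out, and it credits a safeguard only when it meets all four IPL criteria listed earlier. The 0.1 per year initiating frequency, the alarm's PFD of 0.1 and all function and field names are assumptions made for illustration; the valve PFD of 0.01 and the target of 1.0 × 10⁻⁴ per year come from the text.

```python
from dataclasses import dataclass
from math import prod

@dataclass
class Safeguard:
    name: str
    pfd: float                 # probability of failure on demand
    specific: bool = True      # prevents this particular hazardous event
    independent: bool = True   # not influenced by other safeguards
    dependable: bool = True    # properly specified and installed
    auditable: bool = True     # inspected and maintained at set intervals

    def is_ipl(self) -> bool:
        # Credit is taken only when all four IPL criteria hold.
        return self.specific and self.independent and self.dependable and self.auditable

def lopa(initiating_per_year, safeguards, tolerable_per_year):
    """Compare the mitigated event frequency with the tolerable frequency."""
    credited = [s for s in safeguards if s.is_ipl()]
    # Standard LOPA arithmetic: initiating frequency x PFD of each credited IPL.
    mitigated = initiating_per_year * prod(s.pfd for s in credited)
    meets = mitigated <= tolerable_per_year
    return {
        "credited": [s.name for s in credited],
        "rejected": [s.name for s in safeguards if not s.is_ipl()],
        "mitigated_per_year": mitigated,
        "meets_target": meets,
        # Largest PFD an additional IPL could have and still close the gap.
        "extra_pfd_needed": None if meets else tolerable_per_year / mitigated,
    }

# Constructed scenario: tank overflow on high level.
TANK_OVERFLOW = [
    Safeguard("shutdown valve", pfd=0.01),  # PFD taken from the article
    # Assumed: the alarm shares its level transmitter with the shutdown
    # interlock, so it is not independent and earns no credit.
    Safeguard("high-level alarm", pfd=0.1, independent=False),
]

if __name__ == "__main__":
    result = lopa(0.1, TANK_OVERFLOW, 1.0e-4)  # 0.1 per year is assumed
    for key, value in result.items():
        print(f"{key}: {value}")
```

With only the valve credited, the event frequency is about 1.0 × 10⁻³ per year, ten times the target, so an additional independent safeguard with a PFD of 0.1 or better is needed.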


LOPA is a powerful tool for reviewing major hazards and for evaluating the adequacy of existing safety measures. From a regulatory perspective, companies are increasingly obliged to utilise or adhere to industry standards (for example, IEC 61511-1 Functional Safety – Safety Instrumented Systems for the Process Industry Sector).

The technique, however, if not correctly applied, can become a number-crunching exercise and provide misleading results. Having a seasoned facilitator, an experienced LOPA team and updated relevant documents helps ensure a proper LOPA.

For most safeguards, average PFD values are available in the literature (for example, in books from the Centre for Chemical Process Safety), and these values tend to be conservative.

Author: Richard Coffey CEng MIEI is a senior consultant in the environmental health and safety department of PM Group. PM Group, an engineering and construction management company, has clients within the biopharma, food, energy and healthcare sectors. The group is headquartered in Ireland.