LOPA Red Flags

Layers of Protection Analysis (LOPA) is a key technique to quantify the risks of a process scenario and provide insight into where controls need to be added and whether they are justified. After the Buncefield incident in 2005, the UK HSE issued a recommended practice guide as part of the Process Safety Learning Group (PSLG) investigation report. This guidance was the genesis of the advanced form of LOPA which “couches” scenarios as a bowtie and structures the assessment within that framework. Other formulations of LOPA are equally effective; however, all can be misused, abused or mistreated – this is the nature of risk assessment. Poor-quality LOPAs can lead to:

  • Incorrect capital allocation to resolve risk
  • High or low SIL levels for SIFs (compared to what is needed)
  • Missing safety critical elements and assurance processes

Learnings for LOPA

Below are some of the learnings and red flags I have developed over the years from executing LOPAs, reviewing my colleagues' LOPAs, auditing and training in the topic. There are 4 broad areas of comment:

  1. Suggestions around LOPA Infrastructure – before the review
  2. Application of the technique
  3. What to do with the outcome
  4. Red flags for auditors and regulators


Setting Yourself Up for Success – Before the Review

  1. LOPA Procedure & Rule Set – This is a critical piece of your LOPA puzzle. The procedure will define how you apply your methods, standardise the data you will use, and define how specific classes of situations should be handled.  A procedure helps you to develop consistency in your assessments. Your process safety or LOPA technical authority should be the gatekeeper for requests to deviate from the procedure. Often a lot of thought goes into these procedures and control of change is needed.

  2. There are many data references out there on how data can be applied to a LOPA study. The Center for Chemical Process Safety (CCPS) guide or the OREDA handbook are examples. These types of references can become a smorgasbord of possibilities to reduce your risk numbers. Be careful when selecting data and ensure you justify the use of numbers.

  3. LOPA vs Risk Graph – in many countries LOPA has become the main technique for assessing the need for Safety Instrumented Functions (SIFs). LOPA is scenario-focused, whereas Risk Graphs tend to be SIF-focused and naturally do not look at the “big picture” that accounts for other Independent Protection Layers (IPLs), Initiating Events (IEs) and other risk-reducing factors. I have seen many historical risk graphs that have led to misleading and incorrect results. This has occurred because human error or additional causes have not been included in the analysis.

  4. Scenarios – do not LOPA scenarios that are managed by conventional Process Safety Management (PSM) techniques. Scenarios developed in your HAZOP that identify draining, isolations, venting or corrosion/ erosion as causes should be handled by applying good PSM practice. Also, LOPA should be performed on an event that can occur on a specific piece of equipment and not several pieces of equipment at the same time. For example, if you are assessing the likelihood of rupturing a vessel and there are several identical vessels, your assessment should keep to the specific vessel. If you need to aggregate or cumulate the risk, do this outside the scenario. Data selection (particularly enabling events and conditional modifiers) for cumulative scenarios is complex and hard to manage.

  5. Can HAZOP and LOPA be done at the same time or at the conclusion of the HAZOP? – HAZOP tends to have a lot of “possibles” and “probables”, that need further thinking and work before a LOPA is attempted. For example, is the scale of the event understood or does the IE frequency need a discussion with the site? Are all causes/ IEs credible? There is a benefit in keeping the review team together, however there is a risk that the LOPA requires several revisions to get it right. If logistics allow, a break of 1-2 weeks gives time for this pre-work to be done and reduces the need for multiple revisions.

  6. What is driving your need to do LOPA? – Some countries operate under an ALARP (as low as reasonably practicable) regime, some operate under a SFAIRP (so far as is reasonably practicable) regime, some operate under corporate standards, and some operate under jurisdictions that mandate the use of relevant standards (e.g. IEC 61511). It is my observation that if your organisation is overly focused on a risk target, then this encourages a deterioration of the LOPA technique away from good practice. For example, this tends to encourage practitioners to bend the independence rules, overuse modifiers etc. I have observed that where LOPA is practised in SFAIRP (e.g. AU/NZ) regimes (which don't require achieving a risk target, but a demonstration of good practice and effective application of risk reduction/management), the LOPA quality "can" be higher and more focused (e.g. it is ok to stop at a scenario risk of 1 x 10^-4 fat/yr vs a target of 1 x 10^-5 fat/yr if certain conditions can be demonstrated). This requires effective corporate management of the technique though.

  7. Is there a LOPA procedure in place? Is there a good procedure in place that documents how facilitators and teams should apply the technique and use data, and that gives guidance on what to do if the procedure can't be fully followed (e.g. escalate to the LOPA Technical Authority for a decision)?

Application of the Technique

  1. Initiating Events (IE) – the main types of initiating events are equipment, control/ instrument failures and human error. External events such as earthquakes, impact or corrosion should not be included in a LOPA. A good test is to assess if there are existing or proposed protection layers (IPLs) available to reduce the risk. External events do not have IPLs. These causes should be managed outside of a LOPA (PSM/ qualitative assessments). In my experience, approximately 30-50% of causes/ IEs identified in a HAZOP are not appropriate to move across to a LOPA.

  2. Independent Protection Layers (IPLs) – These must be independent, specific to the IE, and have assurance processes in place. If you are crediting an IPL that involves an operator response, ensure this person and the equipment are independent of the IE and other IPLs.

  3. Do not overuse conditional modifiers (CMs) and enabling events (EE). I do not allow mine to reduce below 0.1 unless there is a solid justification (e.g. backed up by consequence modelling). Overuse of CMs and EE can lead to a reduced need for IPLs. If your “risk reduction” attributable to CMs and EEs amounts to 100 or more, then this should be reviewed and documented.

  4. Localisation of the data? – The data used within the study should reflect your local conditions, however, do not build in non-performing equipment/instrumentation into your study – fix the controls that are not currently performing to expectations.

  5. Double-dipping: IE frequency data may naturally include IPLs, so the IPL in this case should not be credited. For example, the failure of a double mechanical seal may be considered to occur once in 100 years. This data probably includes the presence of a seal monitoring system, so the seal monitoring system should not also be included as an IPL.

  6. Mitigation IPLs – generally do not apply as they do not meet the criteria of an IPL. A mitigation IPL acts after the loss of containment/control to prevent escalation. There may be specific mitigating IPLs (such as a specific drain gas detector) that do meet the requirement of an IPL; however, they are rare. Are you able to test this IPL in real-world conditions to demonstrate it will work? Due to the problematic nature of mitigation IPLs, I tend to include these in the likely outcome.

  7. Do all causes identified in a HAZOP move to a LOPA? – No. This has been discussed above.

  8. Consequence Modelling – Understanding the scale of an event helps you verify your data usage for the personnel exposure and probability of ignition conditional modifiers. Doing this before the LOPA review removes the need to revisit this at a later date.

What Do I Do with the Results?

  1. Assurance – IPLs and IEs need assurance processes – this means testing. Most IPLs can be tested, however, if you want to take credit for a non-return valve, determine how it can be tested/ verified.

  2. You may or may not identify a risk gap as a result of your study.  This can be closed by the addition of IPLs, redesign, removal of causes etc. LOPA will help you identify the weak aspects of your scenario, so you can focus investment on where the benefit is. The bow-tie formulation is particularly powerful in this respect as it highlights the main contributors to high risk.

  3. If your country has legislated “risk management” approaches, then it is generally expected that you apply what is considered good industry practice. The cost of additional IPLs is generally not a consideration if you have not applied good practice to a scenario. This is a large topic, and I will not delve further into this in this blog.

  4. LOPA can facilitate the cost-benefit analysis of IPL investment vs the risk reduction. This is sometimes a controversial topic, but a practical issue for hazardous operations.

Red Flags for Auditors, Regulators and Reviewers

  1. Challenge the use of small numbers
  2. Enabling events and conditional modifiers with a PFD of < 0.1 – need clear justification supported by evidence.
  3. Are there more than two orders of magnitude credited for enabling and conditional modifiers?
  4. Is there a procedure in place?
  5. Has the use of data been justified?
  6. Have all credible IEs been considered in the study including human error?
  7. Is the IPL being tested?
  8. Are IPLs independent from the IEs?
  9. Has the user credited mitigating (not preventative) IPLs? Do they meet the criteria of an IPL (normally hard for mitigating controls)?
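
Several of the checks above can be run mechanically over a LOPA worksheet. The Python below is an added example, not part of the original article or any Safety Solutions tool: the scenario, names and flag codes are constructed, the 0.1 and 100 thresholds are the ones stated in the article, and the "audited" re-run policy is an assumption about how a reviewer might re-calculate.

```python
from dataclasses import dataclass
from math import prod

@dataclass
class IPL:
    name: str
    pfd: float                 # probability of failure on demand
    independent: bool = True   # independent of the IE and of other IPLs
    tested: bool = True        # covered by a proof-test / assurance process
    mitigating: bool = False   # acts after loss of containment

    def creditable(self):
        return self.independent and self.tested and not self.mitigating

def frequency(ie_freq, modifiers, ipls):
    """Scenario frequency per year: IE frequency x EE/CM values x IPL PFDs."""
    return ie_freq * prod(modifiers.values()) * prod(i.pfd for i in ipls)

def red_flags(modifiers, ipls, justified=frozenset()):
    """Return (code, item) pairs for checks taken from the red-flag list."""
    flags = [("MODIFIER_BELOW_0.1", n) for n, p in modifiers.items()
             if p < 0.1 and n not in justified]
    # Combined EE/CM credit of 100 or more (two orders of magnitude): review.
    if modifiers and round(1 / prod(modifiers.values()), 6) >= 100:
        flags.append(("MODIFIER_CREDIT_GE_100", "all modifiers"))
    for i in ipls:
        if not i.independent:
            flags.append(("IPL_NOT_INDEPENDENT", i.name))
        if not i.tested:
            flags.append(("IPL_NOT_TESTED", i.name))
        if i.mitigating:
            flags.append(("MITIGATING_IPL_CREDITED", i.name))
    return flags

def audited_frequency(ie_freq, modifiers, ipls, justified=frozenset()):
    """Reviewer's re-run (assumed policy): floor unjustified modifiers at 0.1
    and take no credit for IPLs that raise a flag."""
    floored = {n: (p if n in justified else max(p, 0.1))
               for n, p in modifiers.items()}
    return frequency(ie_freq, floored, [i for i in ipls if i.creditable()])

# Constructed scenario (not from the article): tank overfill, pump fails to stop.
IE_FREQ = 0.1   # initiating event frequency, per year
MODIFIERS = {"occupancy": 0.1, "ignition": 0.05}
IPLS = [
    IPL("high-level alarm + operator", 0.1, independent=False),
    IPL("SIF high-high level trip", 0.01),
    IPL("gas detection", 0.1, tested=False, mitigating=True),
]

if __name__ == "__main__":
    print("claimed /yr:", frequency(IE_FREQ, MODIFIERS, IPLS))
    print("audited /yr:", audited_frequency(IE_FREQ, MODIFIERS, IPLS))
    for code, item in red_flags(MODIFIERS, IPLS):
        print(code, "->", item)
```

In this constructed case the claimed and audited frequencies differ by a factor of 200, which is the kind of gap that changes whether an additional IPL or a higher SIL is called for.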

 

We at Safety Solutions feel that because critical capital decisions for risk reduction are made from this activity, an independent check is needed on the LOPA study quality. We do this internally using the following checklist and embed this into the LOPA report.

Download LOPA Study checklist
