Layer of Protection Analysis (LOPA) was developed to improve decision-making by performing simplified quantitative risk assessments on individual accident scenarios having potential consequences of concern. These simplified risk assessments apply order-of-magnitude estimates of consequences and frequencies to determine whether sufficient Independent Protection Layers (IPLs) are present, based upon a Company’s decision-making criteria. LOPA allows flexibility, including engineering judgement, in amending IPL determinations should analyst experience suggest that the inherent conservatism built into the technique is at odds with engineering or operating reality. When appropriately used, LOPA can be a useful addition to other risk assessment procedures, including qualitative assessments (e.g., HAZOPs) and quantitative risk analysis (QRA).
Inappropriate or rigid application of LOPA has led to a number of significant issues, including:
- Applying LOPA to a wide range of scenarios for which it was not intended
- Excluding important safeguards from consideration
- Mischaracterizing risk, resulting in recommendations to add large numbers of instrumented protective systems
- Generating LOPA IPL requirements at variance with HAZOP assessments
- Bypassing inherently safe designs in favor of instrumented solutions
The above misapplications can result in appreciable, unnecessary cost, including installed equipment costs and long-term documentation, maintenance, and inspection requirements. In addition, system complexity can be increased to the point where process units may become marginally operable, increasing the potential for a major incident and undermining LOPA’s original intent.
This paper will provide examples from actual LOPA studies that illustrate the above concerns, along with suggestions, based upon one Company’s approach, to address these concerns.