Guidance for Performing an Effective LOPA – Part Three

By Dr Esteban Bernechea, PhD FS Eng (TÜV Rheinland)


This work presents tips to help perform an effective LOPA. Part 1 introduced the LOPA methodology, presented the tips and expanded on the first one, “Preparation is key”. Part 2 expanded on tips two through four, which relate to the calibration of risk targets, the competence of the team and the importance of traceability during the study.

This final part, Part 3, covers tips five to nine: the appropriate timing for the study, technical matters (definition of consequences, IPL dependency issues and frequency justification) and finally, a very important tip on managing the LOPA results and keeping the study alive during the lifecycle of the SIFs.


5. Time it right

The optimum moment to carry out a LOPA is after the completion of a detailed PHA or process H&RA study (a HAZOP study is recommended) that allows for the specification of the SIFs to be developed, as stated in the introduction to IEC 61511 [1] and many of its clauses.

It is not useful to carry out a LOPA if a detailed H&RA study has not been previously performed and validated. A detailed H&RA study, whether it is performed during the design or operation stages, identifies the SIFs present in the facility and the causes that lead to their activation (which will be the IEs during LOPA). It also identifies scenarios that may require further protection, for which a LOPA may be required to assess whether the risk gap has been covered by the existing safeguards.

If the quality of the H&RA study is not sufficient, this will negatively impact the LOPA, as IEs may be missing and protection layers may be poorly identified. It is necessary to be confident that the H&RA study is of sufficient quality before moving on to perform the LOPA.

6. Consequences must be defined

The consequences of the hazardous scenario must be clearly defined, considering the final effect on any of the potentially affected vectors, without considering any of the IPLs or SIFs that will act to prevent it. This means that the hazardous scenario needs to be fully developed through to its final consequences without considering any safeguards. For example, it is not sufficient to say that a scenario will have an impact on people; the type of effect and the group of people affected need to be specific (e.g. single fatality of personnel, multiple injuries to third parties). It is important to note that the consequences need to be specified for all potentially affected vectors, such as environment, reputation or material assets, as detailed in IEC 61508 [3] Part 4 under the definition of Harm.

It is important that the description of the consequences be in accordance with the corporation’s consequence and tolerability risk target categories. If this is not done, there will be no way to properly define what the risk target is for the SIF, making it impossible to calculate the required SIL.

7. Justify the Initiating Events and their frequencies

Identifying all the credible IEs that result in the activation of the SIF and defining appropriate frequencies of occurrence for them is a key step in carrying out an effective LOPA.

The most effective way to perform a LOPA is to have previously identified the IEs during a PHA session, and to prepopulate them in the tool that is used to perform the study, prior to the LOPA sessions taking place; this allows for significant time saving during the study. IEs can be any situation that leads to the activation of the SIF; these can be failures of control loops (considering sensing elements, logic solver or actuators), failures of rotating equipment, or situations related to human errors.

It is recommended that the organization develop a list of typical IEs and assign a frequency of occurrence to each of them to ensure consistency across all LOPA studies, for example, a frequency of occurrence of one in ten years for the failure of a control loop, or once per year for the failure of centrifugal pumps. It’s important to note that any typical values proposed MUST be compared with actual site operating experience and treated as the lower frequency limit, rather than a rule.

The frequency of occurrence selected for each IE (considering Human Error Probability (HEP) for events involving human error) must be justified by providing a source for the information; this can be a database like FARADIP [4], an internal document of the organization, or operational experience from the personnel involved in the process. If a figure cannot be justified, it is best to initially select a very conservative value for it, and to take an action to later investigate the IE further and confirm the frequency.

8. Avoid dependency issues (between PLs and between PLs and IEs)

A crucial aspect of LOPA is that all of the PLs considered for a single scenario during the analysis must be independent from each other, as well as from the IE. This means that none of the components of the PLs shall be shared between them, or by the IE.

A sensible strategy to avoid dependency issues between PLs during LOPA is to initially consider only one of each type of safeguarding device, for example, take into account only one alarm (with its associated operator response), one Basic Process Control System (BPCS) feature, one SIF, one mechanical device (Pressure Safety Valve, rupture disc), etc.; of course it is necessary to remember that all PLs must also be independent from the IE, so for example, if the IE is related to the control system, it would be better to avoid using BPCS PLs if possible. This is not to say that all analysis must be completed without considering more than one PL of each type, only that it is a good strategy to start the analysis in this way.

In some cases, it becomes necessary to use more than one protection layer of the same type in order to develop a risk model that is faithful to the reality of the scenario; however, care is necessary in these cases, and sufficient independence must always be maintained. For example, if the IE is related to human error, and an alarm is being considered as a PL, it may be necessary to demonstrate that the operator responding to the alarm is not the one that initially caused the IE.

Another important example is related to the use of BPCS as a layer of protection when the IE is related to a BPCS failure; in this case IEC 61511 [1] states the following in Part 1, Clause 9.3.4:

  • If it is not intended that the BPCS conform to the IEC 61511 [1] series, then:
    • no more than one BPCS protection layer shall be claimed for the same sequence of events leading to the hazardous event when the BPCS is the initiating source for the demand on the protection layer; or
    • no more than two BPCS protection layers shall be claimed for the same sequence of events leading to the hazardous event when the BPCS is not the initiating source of the demand.

This is further clarified in IEC 61511 [1] Part 1, Clause 9.4.5:

  • When 9.3.4 applies, each BPCS protection layer shall be independent and separate from the initiating source and from each other to the extent that the claimed risk reduction of each BPCS protection layer is not compromised.
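The independence rules of tip 8 and the BPCS limits of Clause 9.3.4 quoted above can be checked mechanically once each IE and PL is recorded with the components it relies on. The following is an added example, not part of the original article or of any LOPA tool; the `Layer` record, the `kind` labels and all tag names are hypothetical, and the scenario data is constructed.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Layer:
    """An initiating event (IE) or protection layer (PL) in one scenario."""
    name: str
    kind: str                        # analyst-assigned label: "BPCS", "alarm", "SIF", ...
    components: frozenset = frozenset()  # sensors, controllers, valves, operators relied on

def dependency_findings(ie, pls, bpcs_conforms_to_61511=False):
    """Return dependency findings for one scenario; an empty list means none found."""
    findings = []
    # Tip 8: no PL component may be shared with the IE ...
    for pl in pls:
        shared = pl.components & ie.components
        if shared:
            findings.append(f"{pl.name} shares {sorted(shared)} with IE {ie.name}")
    # ... or with another PL claimed for the same scenario.
    for a, b in combinations(pls, 2):
        shared = a.components & b.components
        if shared:
            findings.append(f"{a.name} shares {sorted(shared)} with {b.name}")
    # Clause 9.3.4 as quoted: one BPCS layer if the BPCS is the initiating
    # source, two otherwise, when the BPCS is not intended to conform.
    if not bpcs_conforms_to_61511:
        n_bpcs = sum(1 for pl in pls if pl.kind == "BPCS")
        limit = 1 if ie.kind == "BPCS" else 2
        if n_bpcs > limit:
            findings.append(f"{n_bpcs} BPCS layers claimed, limit is {limit}")
    return findings

# Constructed scenario: a flow control loop fails and the alarm runs on the same controller.
IE = Layer("FIC-101 loop failure", "BPCS",
           frozenset({"bpcs-controller-1", "FT-101", "FV-101"}))
PLS = [
    Layer("LAH-102 alarm", "alarm", frozenset({"LT-102", "bpcs-controller-1", "panel-operator"})),
    Layer("BPCS interlock A", "BPCS", frozenset({"LT-103", "bpcs-controller-2", "XV-103"})),
    Layer("BPCS interlock B", "BPCS", frozenset({"PT-105", "bpcs-controller-3", "XV-105"})),
    Layer("PSV-104", "mechanical", frozenset({"PSV-104"})),
]

if __name__ == "__main__":
    for finding in dependency_findings(IE, PLS):
        print(finding)
```

Recording the operator as a component (for example `panel-operator`) lets the same intersection check flag the human-error case, where the person responding to an alarm is also the one who caused the IE.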

9. LOPA is a live study

The LOPA is not finished once the sessions are completed, as it is important to follow up and close any outstanding actions resulting from it. As a result of an initial LOPA it is normal to obtain actions that can be implemented in order to decrease the requirements obtained for the SIFs. The management of the results obtained during the LOPA is a crucial step in the lifecycle of the functions.

It is important to understand that the results of a LOPA are not set in stone, and that the design of the installation can be improved so that the SIL requirement of the SIFs can be positively impacted. Indeed, if inherent safety is practicable, it should always be adopted in favour of SIFs. The LOPA has to be treated as a live document that will change as the process or facility also changes over time.

Reference Documents

  1. IEC 61511, Functional safety – Safety instrumented systems for the process industry sector
  2. HSE document: Reducing risks, protecting people (R2P2), 2001, ISBN 0-7176-2151-0
  3. IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems
  4. FARADIP-THREE V6.4, Reliability Data Base. Technis, 26 Orchard Drive, Tonbridge, Kent TN10 4LG, ISBN 0-951-65623-6
  5. ESC Internal SIL Determination Work Instruction: P001_WI001
