Layer of Protection Analysis – When Safeguards in an Installation Are Not Enough and How to Detect It

In many industrial installations, safeguards “exist” – valves, sensors, automation systems. The problem is that rarely does anyone verify whether they actually reduce risk to an acceptable level. That’s exactly what LOPA (Layer of Protection Analysis) is for. It’s a method that translates general safety assumptions into concrete numbers – and very quickly shows where the system is insufficient.

What is LOPA and why is it not just “another analysis”?

LOPA (Layer of Protection Analysis) is a semi-quantitative risk assessment method that makes it possible to determine whether existing safeguards in an installation are sufficient.

Unlike classical HAZOP, which identifies hazard scenarios, LOPA goes a step further. It answers a very concrete question: do the existing layers of protection actually reduce risk to an acceptable level?

And it does so in numerical terms. Not on the basis of “it seems safe,” but:

  • how many times per year can an initiating event occur,
  • what is the probability that a safeguard will function,
  • how much risk remains after accounting for them.

In practice, LOPA very quickly reveals something that appears regularly in audits: safeguards exist, but their combined effectiveness is overestimated.

How LOPA works – what are the layers of protection in an installation?

LOPA is based on analyzing so-called layers of protection (IPLs – Independent Protection Layers), which are meant to stop the development of a dangerous event.

Each layer of protection is an element that:

  • operates independently of others,
  • has a defined effectiveness,
  • is capable of interrupting a failure scenario.

In industrial practice, these can be:

  • automation systems (e.g., safety instrumented functions, SIFs, rated to a SIL),
  • safety valves,
  • gas detection systems,
  • operational procedures,
  • physical barriers (e.g., enclosures, separation).

The key word is independence. If two safeguards:

  • use the same sensor,
  • share power supply,
  • are controlled by the same system,

then in LOPA they are not treated as two layers of protection, but as one. This is one of the moments where many analyses “on paper” begin to diverge from reality.

How LOPA relates to SIL – where does the required safety level come from?

LOPA is one of the most commonly used methods for determining the required SIL level for a safety function.

The process looks as follows: first we identify the scenario (e.g., tank overfill), then we determine its frequency, then we account for existing layers of protection.

At the end, one question remains: how much risk is still left? If it’s too high, it needs to be reduced. And this is exactly where a safety instrumented function (SIF) comes in. LOPA allows us to determine how much risk reduction that function must deliver, namely:

  • whether SIL 1 is sufficient,
  • whether SIL 2 is required,
  • whether SIL 3 is necessary.

This is very important because in industrial practice two errors are commonly found:

  • underestimating SIL – the system is not sufficiently safe,
  • overestimating SIL – the system is too complicated and difficult to maintain.

LOPA makes it possible to find the real level – resulting from the risk, not from design assumptions.

How LOPA looks in practice – an example from an industrial installation

LOPA is always based on a specific failure scenario and numbers that can be assigned to each stage of the event.

Example:

  • storage tank for flammable liquid,
  • possibility of overfill,
  • risk of vapor emission and creation of explosive atmosphere.

Assumptions:

  • frequency of initiating event: 1 time per 10 years (10⁻¹/year),
  • safeguard 1: alarm system with operator response,
  • safeguard 2: shutoff valve,
  • safeguard 3: SIF safety function.

Each of these layers has its own effectiveness, for example:

  • operator: 10⁻¹,
  • valve: 10⁻¹,
  • SIF: depends on SIL.

LOPA multiplies the frequency of the initiating event by the probability of failure of each independent layer; the product is the frequency at which the hazardous event still occurs.

The result? It may turn out that:

  • without SIF, risk is unacceptable,
  • with SIF at SIL 2 level, it drops to a tolerable level.

This is precisely the moment when the analysis ceases to be theoretical. It begins to directly influence the design of the installation.
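The tank-overfill example above, together with the independence rule from the previous section, as an added worked calculation (not code from the original article). The initiating-event frequency and layer values are the article's; the tolerable frequency of 10⁻⁵/year and the sensor tag LT-101 are assumptions introduced here, and crediting a dependent group with its largest PFD is an assumed conservative convention.

```python
from dataclasses import dataclass
from math import ceil, log10
from typing import Optional

# Low-demand SIL bands for PFDavg (IEC 61508): SIL n covers [10^-(n+1), 10^-n),
# so a SIF rated SIL n guarantees PFDavg below 10^-n.

@dataclass
class Layer:
    name: str
    pfd: float                    # probability of failure on demand (1 - effectiveness)
    shared: Optional[str] = None  # tag of a shared sensor / supply / controller, if any

def credited_pfds(layers):
    """Collapse layers that share a sensor, supply or controller into one layer.
    Assumed convention: a group is credited once, with its largest PFD (conservative)."""
    groups = {}
    for layer in layers:
        key = layer.shared or layer.name   # fully independent layers stand alone
        groups[key] = max(groups.get(key, 0.0), layer.pfd)
    return list(groups.values())

def mitigated_frequency(ief, layers):
    """Events per year that still occur after every credited IPL has failed."""
    freq = ief
    for pfd in credited_pfds(layers):
        freq *= pfd
    return freq

def required_sil(ief, layers, tolerable):
    """Risk reduction still missing and the SIL an added SIF needs to close it.
    Returns (rrf, sil); (1.0, 0) means the existing layers already suffice."""
    rrf = mitigated_frequency(ief, layers) / tolerable
    if rrf <= 1.0:
        return 1.0, 0
    # The SIF must reach PFD <= 1/rrf; SIL n suffices when 10^-n <= 1/rrf.
    return rrf, ceil(round(log10(rrf), 9))   # a result above 4 cannot be met by one SIF

# Constructed scenario from the article: flammable-liquid tank overfill.
IEF = 1e-1          # initiating event once per 10 years
TOLERABLE = 1e-5    # assumed tolerable frequency of the consequence, per year
EXISTING = [Layer("high-level alarm + operator", 1e-1), Layer("shutoff valve", 1e-1)]

def article_case():
    return mitigated_frequency(IEF, EXISTING), required_sil(IEF, EXISTING, TOLERABLE)

def shared_sensor_case():
    # Same layers, but both driven by one level transmitter (constructed tag LT-101):
    # LOPA credits them as a single layer, so the residual frequency is ten times higher.
    dependent = [Layer("high-level alarm + operator", 1e-1, shared="LT-101"),
                 Layer("shutoff valve", 1e-1, shared="LT-101")]
    return mitigated_frequency(IEF, dependent), required_sil(IEF, dependent, TOLERABLE)
```

With independent layers the residual frequency is 10⁻³/year and a SIL 2 SIF closes the gap, as the article states; once the alarm and the valve hang off the same transmitter, the same hardware leaves 10⁻²/year and the SIF would have to be SIL 3.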

When LOPA shows that the installation is not as safe as assumed

LOPA very often exposes a discrepancy between the “perceived” and actual safety level of an installation.

At the design stage, everything looks good. There are sensors, alarms, procedures. The problem begins when we assign each of these layers a real effectiveness rather than an assumed “gut feeling” effectiveness.

And suddenly it turns out that:

  • the operator does not always respond in time,
  • the valve does not close in every condition,
  • the automation system is not tested as frequently as assumed.

In LOPA, each such uncertainty has its own numerical value, and these numbers are what often make the final result surprising. In practical audits we encounter installations that have several safeguards whose combined effectiveness does not even reach the level of SIL 1.

This is the moment when real risk appears:

  • underestimation of hazard,
  • operation of the installation below the acceptable level,
  • creation of a scenario leading to a near-miss event.

LOPA does not “ruin the design.” LOPA shows where the design was too optimistic.

What input data determines the LOPA result?

The accuracy of LOPA depends directly on the quality of input data – they determine whether the result is reliable.

The most common error is treating the analysis as a formal exercise. Meanwhile, every parameter in LOPA matters.

Particularly critical are:

  • frequency of the initiating event,
  • effectiveness of protection layers (IPLs),
  • assumptions regarding independence,
  • real operating conditions of the installation.

Let’s take a simple example. A shutoff valve has a declared effectiveness of 10⁻¹. In the documentation, everything checks out. But in practice:

  • it operates in a corrosive environment,
  • it is not regularly tested,
  • its closing time has lengthened by several tens of percent.

Can we still accept the same value?

No. And this is precisely the point where many LOPA analyses lose their reliability.

The situation is similar with the human factor. Operator response is often credited as a layer of protection, but:

  • it takes time,
  • it depends on workload,
  • it is often skipped in non-standard situations.

Therefore, in a properly conducted LOPA analysis, the data is not “from the textbook.” It is adapted to the specific installation and its real operation.

LOPA and ATEX documentation – where it appears in practice at a facility

LOPA very often constitutes the missing link between HAZOP analysis and the requirements resulting from ATEX documentation.

In many facilities there are:

  • explosion hazard assessments,
  • Explosion Protection Document (DZPW),
  • Ex zone classification.

But there is a lack of an answer to one question: do the applied technical measures actually reduce risk to the allowable level? And this is exactly where LOPA plays a role.

The analysis makes it possible to:

  • link hazard scenarios with specific safeguards,
  • determine whether ignition sources are effectively eliminated,
  • indicate where additional layers of protection are needed.

In practice, this means that LOPA supplements ATEX documentation with a quantitative aspect: the actual level of risk reduction.

This is why LOPA analysis increasingly appears as an element of:

  • installation modernization,
  • safety audits,
  • DZPW updates.

This is particularly true where explosive atmospheres and complex technological processes occur.

If you are unsure whether the safeguards in your installation actually reduce risk to an acceptable level, it is worth verifying this with numbers, not assumptions.

ATEX Doradztwo helps translate LOPA analysis into concrete technical decisions and real installation safety – we encourage you to contact us.

FAQ

What is LOPA in simple terms?

LOPA is a method that checks whether safeguards in an installation are sufficient to limit risk to an acceptable level.

How does LOPA differ from HAZOP?

HAZOP identifies hazards, while LOPA assesses whether applied safeguards are sufficient.

Is LOPA mandatory in ATEX?

Not always formally required, but in practice often essential to demonstrate that risk has been adequately reduced.

How does LOPA affect SIL selection?

LOPA makes it possible to determine what SIL level is required for a safety function to achieve an acceptable risk level.

Can LOPA be performed without numerical data?

Not fully. Without reliable data, the analysis loses its purpose because it is based on calculating risk reduction.

Post author

Andrzej Bobula

Safety expert in the field of ATEX and machinery safety, specialising in explosion risk assessment and the analysis of machinery used in the manufacture of explosives. Authorised to carry out work involving access to explosives (Military Institute of Armament Technology). He has extensive experience in the certification of machinery in accordance with ATEX standards and in assessing the conformity of machinery with the Machinery Directive 2006/42/EC (CE).