Limits of LOPA

Article by Roger Casey

Limitations and misuse of layers of protection analysis

Layers of protection analysis (LOPA) is a simplified form of numerical risk assessment. It builds on qualitative studies such as HAZOP and it aims to reduce risk by using independent protection layers (IPLs).

From my experience of auditing and reviewing LOPA studies I have concerns at the level of mistakes being made using the technique. LOPA is a very useful technique, but is a simplified form of numerical risk analysis and hence has limitations. These include:

It is an order-of-magnitude risk calculation and hence uses figures such as 0.1, 0.01 /y, not precise figures such as 43.2 x 10^-4 /y. This has a cumulative effect where the combination of a number of conservative figures will make the final figure more conservative.
When looking at scenarios that involve a large number of initiating events (which have different IPLs) other techniques such as fault tree analysis may be more suitable. For example, for a bunded pool fire resulting from a storage tank spill there may be up to ten possible initiating events. The CCPS book on LOPA¹ repeatedly mentions that LOPA analysis looks at a single cause-consequence pair, eg pool fire from overfilling.
Where there are scenarios where there is common cause failure, LOPA is not suitable for the analysis as it cannot handle these scenarios mathematically. More detailed risk analyses, such as fault tree analysis, use Boolean algebra or minimum cut set analysis to factor in these common cause failures.

The following is an example of a LOPA study that I came across where there the use of LOPA was dubious.

It involved a solvent recovery area in a pharmaceutical company where a 220 m pipeline was pumping solvent 45% of time and was empty 55% of the time.

From Reference 1 the pipe failure rate/100 m is 1 x10^-5 /y for a full-bore rupture.

The analyst multiplied the pipe failure rate by 0.45, ie the failure rate of solvent spill is:

= 2.2 x 10^-5 /y x 0.45 = 9.9 x 10^-6 /y

This type of de-rating of failure by dividing use time/total time has become commonplace.

However, the use of a factor of 0.45 raises an issue. It implies the pipeline can’t be damaged, degraded, or interfered with when not in use.

For example, if the pipe is subjected to corrosion under insulation (CUI) the failure rate may not be reduced by the reduced pumping time. Ageing of gaskets at flanges will not be reduced by the reduced pumping time. Also if someone leaves a drain valve open, the leak will simply occur the next time the pipeline is used.

Hence the failure rate of the system is unlikely to be linear with use time and the conditional modifier of 0.45 is highly questionable.

Further examples are given in the full Loss Prevention Bulletin article which you can read, free of charge, here. The purpose of the paper is to highlight some of the mistakes being made and challenge some of the practices that are occurring within LOPA calculations. A number of the examples relate to incorrect use of “conditional modifiers”

So why are the types of mistakes and errors of judgement occurring? In all the cases, the personnel involved had been trained in the technique and in some cases the personnel involved were quite experienced.

There appears to be a problem with the use of conditional modifiers (particularly in batch-type processes) with time at risk factors. Before using such factors, people need to think carefully and do a reality check as to whether the conditional modifier used is correct and appropriate to the situation being studied.

One uncomfortable question is: has LOPA over simplified risk assessment, and have the various spreadsheets that are available for LOPA allowed people to plug in data and get answers without fully understanding or thinking through the issues involved?