Cover Page



Half Title page

Title page

Copyright page



Acronyms and Abbreviations

Chapter 1: Introduction

1.1. Audience

1.2. History of LOPA

1.3. Use of LOPA in the Process Life Cycle

1.4. Linkage to Other CCPS Publications

1.5. Annotated Outline of the LOPA book

Chapter 2: Overview of LOPA

2.1. Purpose

2.2. What Is LOPA?

2.3. What LOPA Does

2.4. When to Use LOPA

2.5. How LOPA Works

2.6. How to Implement LOPA

2.7. Limitations of LOPA

2.8. Benefits of LOPA

2.9. Introduction of Continuing Examples

Chapter 3: Introduction

3.1. Purpose

3.2. Consequences of Interest

3.3. Consequence Evaluation Approaches for LOPA

3.4. Continuing Examples

3.5. Link Forward

Chapter 4: Developing Scenarios

4.1. Purpose

4.2. LOPA Scenarios and Components

4.3. Identifying and Developing Candidate Scenarios

4.4. Continuing Examples

4.5. Link Forward

Chapter 5: Identifying Initiating Event Frequency

5.1. Purpose

5.2. Initiating Events

5.3. Frequency Estimation

5.4. Expression of Failure Rates

5.5. Continuing Examples

5.6. Limitations (Cautions)

5.7. Link Forward

Chapter 6: Identifying Independent Protection Layers

6.1. Purpose

6.2. Definition and Purpose of an IPL

6.3. IPL Rules

6.4. LOPA IPL Assessment

6.5. Examples of IPLs

6.6. Preventive IPLs versus Mitigation IPLs

6.7. Continuing Examples

6.8. Link Forward

Chapter 7: Determining the Frequency of Scenarios

7.1. Purpose

7.2. Quantitative Calculation of Risk and Frequency

7.3. Look-up Table Determination of Risk or Frequency

7.4. Calculation of Risk or Frequency with Integer Logarithms

7.5. Continuing Examples

7.6. Link Forward

Chapter 8: Using LOPA to Make Risk Decisions

8.1. Purpose

8.2. Introduction

8.3. Comparing Calculated Risk to Scenario Risk Tolerance Criteria

8.4. Expert Judgment

8.5. Using Cost-Benefit to Compare Alternatives

8.6. Comparison of Approaches, Pros and Cons

8.7. Cumulative Risk Criteria versus Scenario Criteria

8.8. Continuing Examples

8.9. Cautions

8.10. Link Forward

Chapter 9: Using LOPA to Make Risk Decisions

9.1. Purpose

9.2. Is the Company Ready for LOPA?

9.3. What Is the Current Foundation for Risk Assessment?

9.4. What Data Are Required?

9.5. Will the IPLs Remain in Place?

9.6. How Are the Risk Tolerance Criteria Established?

9.7. When Is LOPA Used?

9.8. Typical Implementation Tasks

Chapter 10: Using LOPA to Make Risk Decisions

10.1. Purpose

10.2. Using LOPA in Capital Improvement Planning

10.3. Using LOPA in Management of Change

10.4. Using LOPA in Mechanical Integrity Programs or Risk-Based Inspection/Risk-Based Maintenance Programs

10.5. Using LOPA in Risk-Based Operator Training

10.6. Using LOPA in Emergency Response Planning

10.7. Using LOPA to Determine a Credible Design Basis for Overpressure Protection

10.8. Using LOPA in Evaluating Facility Siting Risks

10.9. Using LOPA to Evaluate the Need for Emergency Isolation Valves

10.10. Using LOPA to Evaluate Taking a Safety System Out of Service

10.11. Using LOPA during Incident Investigations

10.12. Using LOPA in the Determination of SIL for SIF

Chapter 11: Using LOPA to Make Risk Decisions

11.1. Purpose

11.2. Counting Multiple Functions in One BPCS as IPLs in the Same Scenario

11.3. Summation of Risk for Multiple Scenarios

11.4. Using LOPA to Develop F/N Curves

11.5. Operator Response Issues

11.6. Normal Plant Operations as “Tests” of IPL Components

11.7. Focused Fault Tree/Event Tree Analysis of IPL Components

Appendix A: LOPA Summary Sheets for the Continuing Examples

Appendix B: Worked Examples from CCPS’s Safe Automation Book

B.1. Introduction

B.2. Problem Description

B.3. Problem Discussion

B.4. Design Modifications for Consideration

Appendix C: Documentation for a LOPA Study

C.1. Documentation to be Developed during LOPA

C.2. Uses of LOPA Documentation

Appendix D: Linkage with Other Publications

Appendix E: Industry Risk Tolerance Criteria Data

Appendix F: Appendix F

Appendix G: Additional Reading

G.1. General Risk

G.2. Target Risk

G.3. General Interest

G.4. Instruments and Safety Instrumented Systems (Interlocks) Design

G.5. International Topics

G.6. SIS Design as Part of the PHA Process

G.7. Cost-Benefit Analysis—Solution Prioritization


Glossary of Terms


Layer of Protection Analysis


This is one of a series of publications available from the Center for Chemical Process Safety. A complete list of CCPS books is available online:

Title Page


For over 40 years the American Institute of Chemical Engineers (AIChE) has been involved with process safety and loss control in the chemical, petrochemical, hydrocarbon process and related industries and facilities. The AIChE publications are information resources for the chemical engineering and other professions on the causes of process incidents and the means of preventing their occurrences and mitigating their consequences.

The Center for Chemical Process Safety (CCPS), a Directorate of the AIChE, was established in 1985 to develop and disseminate information for use in promoting the safe operation of chemical processes and facilities and the prevention of chemical process incidents. With the support and direction of its advisory and management boards, CCPS established a multifaceted program to address the need for process safety technology and management systems to reduce potential exposures to the public, the environment, personnel and facilities. This program entails the development, publication and dissemination of Guidelines relating to specific areas of process safety; organizing, conveningand conducting seminars, symposia, training programs, and meetings on process safety-related matters; and cooperating with other organizations and institutions, internationally and domestically to promote process safety. Within the past several years CCPS extended its publication program to include a “Concept Series” of books. These books are focused on more specific topics than the longer, more comprehensive Guidelines series and are intended to complement them. With the issuance of this book, CCPS has published 65 books.

CCPS activities are supported by the funding and technical expertise of over 80 corporations. Several government agencies and nonprofit and academic institutions participate in CCPS endeavors.

In 1989 CCPS published the landmark Guidelines for the Technical Management of Chemical Process Safety. This book presents a model for process safety management built on twelve distinct, essential, and interrelated elements. The foreword to that book states:

For the first time all the essential elements and components of a model of a technical management program have been assembled in one document. We believe the Guidelines provide the umbrella under which all other CCPS Technical Guidelines will be promulgated.

This Concept Series book supports several of the twelve elements of process safety enunciated in the landmark Guidelines for the Technical Management of Chemical Process Safety including Process Risk Management, Incident Investigation, Process Knowledge and Documentation, and Enhancement of Process Safety Knowledge. The purpose of this book is to assist designers and operators of chemical facilities to use Layer of Protection Analysis (LOPA) to evaluate risk and to make rational decisions to manage risk with a simplified methodology.


The American Institute of Chemical Engineers and the Center for Chemical Process Safety express their gratitude to all the members of the Layer of Protection Analysis Subcommittee for their generous efforts and technical contributions in the preparation of this Concept Series book.

Layer of Protection Analysis: Simplified Process Risk Assessment was written by the Center for Chemical Process Safety Layer of Protection Analysis Subcommittee.


Arthur M. Dowell, III, P.E. Rohm and Haas Company

The primary authors were

William G. Bridges ABS Consulting (includes former JBF Associates)

Arthur M. Dowell, III, P.E. Rohm and Haas Company

Martin Gollin Consultant, formerly of ARCO Chemical

Warren A. Greenfield International Specialty Products

John M. Poulson now retired from Union Carbide Corporation

William Turetsky International Specialty Products

Providing support and valuable contributions throughout the project were

John T. Marshall The Dow Chemical Company

Stanley A. Urbanik E. J. Du Pont de Nemours and Company

Providing important guidance in the conceptual phases of the book were

Rodger M. Ewbank Rhodia Inc.

Robert J. Gardner now retired from E. I. Du Pont de Nemours and Company

Kumar Bhimavarapu Factory Mutual Research

John A. McIntosh The Proctor & Gamble Company

R. Peter Stickles A. D. Little

Arthur W. Woltman Equilon Enterprises LLC, formerly Shell

CCPS Staff Consultant

Robert E. Bollinger Center for Chemical Process Safety


Dr. Daniel A. Crowl Michigan Technological University

The Subcommittee acknowledges the support and contributions of their employer organizations in completing this book. Dr. Jack Weaver and Mr. Les Wittenberg of CCPS sponsored and supported this project and provided access to the resources of CCPS and its sponsoring organizations. The authors thank the following for their contributions in creation of figures and tables, setting up committee meetings and teleconferences and other administrative functions that were essential to the completion of this book: Ms. Jill Johnson and Mr. Paul M. Olsen, ABS Consulting; Ms. Sandy Baswell, Ms. Marge Killmeier, Ms. Angella Lewis and Ms. Jackie Rico’t, Rohm and Haas Company.

Before publication, all CCPS books are subjected to a thorough peer review process. CCPS also gratefully acknowledges the thoughtful comments and suggestions of the peer reviewers. Their work enhanced the accuracy and clarity of the book.

Steve Arendt ABS Consulting (includes former JBF Associates)

Helmut Bezecny Dow Deutschland Inc.

Alfred W. Bickum Goodyear Tire and Rubber Company

Dennis Blowers, C.S.P. Solvay Polymers, Inc.

Michael P. Broadribb BP Amoco Company

David Campbell Concord Associates

Bill Carter CCPS Staff Consultant

Curtis Clements E. I. Du Pont de Nemours and Company

Kimberly F. Dejmek Wilfred Baker Engineering

Richard R. Dunn E. I. Du Pont de Nemours and Company

Jim Evans Union Carbide Corporation

Rodger M. Ewbank Rhodia Inc.

Dave Fontaine Chevron Corporation

Raymond A. Freeman ABS Consulting

Raymond W. French Exxon Mobil Corporation

Dallas L. Green Rohm and Haas Company

Dennis C. Hendershot Rohm and Haas Company

William H. Johnson E. I. Du Pont de Nemours and Company

Peter N. Lodal, P.E. Eastman Chemical Company

Donald M. Lorenzo ABS Consulting (includes former JBF Associates)

Vic Maggioli Feltronics Corporation

Rick Mann Union Carbide Corporation

Peter McGrath Olin Corporation

Norman McLeod ATOFINA Chemicals, Inc.

Steve Metzler Primatech Inc.

Dr. Hans Pasman TNO

Jack Philley, C.S.P. Det Norske Veritas (DNV)

Michael E. G. Schmidt, P.E. Industrial Risk Insurers

Art Schwartz Bayer Corporation

Adrian Sepeda Occidental Chemical Corporation

Bastiaan Schupp Delft University of Technology

Robert Stankovich Eli Lilly and Company

Peter Stickles A. D. Little

Dr. Angela E. Summers, P.E. SIS-Tech Solutions, LLC

Clark Thurston Union Carbide Corporation

Anthony Torres Eastman Kodak

Jan Windhorst NOVA Chemicals

Acronyms and Abbreviations

AIChE American Institute of Chemical Engineers
ALARP As Low as Reasonably Practicable
ANSI American National Standards Institute
API American Petroleum Institute
ASME American Society of Mechanical Engineers
BI Business Interruption
BLEVE Boiling Liquid Expanding Vapor Explosion
B.P. Boiling Point
BPCS Basic Process Control System
C Consequence factor, related to magnitude of severity
CCF Common Cause Failure
CCPS Center for Chemical Process Safety, American Institute of Chemical Engineers
CEI Dow Chemical Exposure Index
CPQRA Chemical Process Quantitative Risk Assessment
CW Cooling Water
D Number of times a component or system is challenged (hr−1 or year−1)
DCS Distributed Control System
DIERS Design Institute for Emergency Relief Systems, American Institute of Chemical Engineers
DOT Department of Transportation
EBV Emergency Block Valve
ERPG Emergency Response Planning Guideline
EuReData European Reliability Data (series of conferences)
F Failure Rate (hr−1 or year1)
f Frequency (hr−1 or year1)
F&EI Dow Fire and Explosion Index
F/N Fatality Frequency versus Cumulative Number
FCE Final Control Element
FMEA Failure Modes and Effect Analysis
FTA Fault Tree Analysis
HAZOP Hazard and Operability Study
HE Hazard Evaluation
HRA Human Reliability Analysis
IEC International Electrotechnical Commission
IEEE Institute of Electrical and Electronic Engineers
IPL Independent Protection Layer
ISA The Instrumentation, Systems, and Automation Society (formerly, Instrument Society of America)
LAH Level Alarm—High
LI Level Indicator
LIC Level Indicator — Control
LFL Lower Flammability Limit
LNG Liquefied Natural Gas
LOPA Layer of Protection Analysis
LOTO Lock-Out Tag-Out
LT Level Transmitter
MAWP Maximum Allowable Working Pressure
MOC Management of Change
N2 Nitrogen
OSBL Outside Battery Limits
OREDA The Offshore Reliability Data project
OSHA Occupational Safety and Health Administration (U.S.)
Pfatality Probability of Fatality
Pignition Probability of Ignition
Pperson present Probability of Person Present
P Probability
P&ID Piping and Instrumentation Diagram
PFD Probability of Failure on Demand
PHA Process Hazard Analysis
PI Pressure Indicator
PL Protection Layer
PM Preventive Maintenance
PSM Process Safety Management
PSV Pressure Safety Valve (Relief Valve)
R Risk
RV Relief Valve
SCE Safety Critical Equipment
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
T Test Interval for the Component or System (hours or years)
VCE Vapor Cloud Explosion
VLE Vapor Liquid Equilibrium
XV Remote Activated/Controlled Valve

Chapter 1


Layer of protection analysis (LOPA) is a semiquantitative tool for analyzing and assessing risk. This book

This chapter

1.1. Audience

This book is intended for:

1.2. History of LOPA

In a typical chemical process, various protection layers are in place to lower the frequency of undesired consequences: the process design (including inherently safer concepts); the basic process control system; safety instrumented systems; passive devices (such as dikes and blast walls); active devices (such as relief valves); human intervention; etc. There has been much discussion among project teams, hazard analysts, and management about the number of and strength of protection layers (see text box below). Decisions were sometimes made using subjective arguments, emotional appeals, and occasionally simply by the loudness or persistence of an individual.

LOPA has its origins in the desire to answer these key questions using a rational, objective, risk-based approach. In LOPA, the individual protection layers proposed or provided are analyzed for their effectiveness. The combined effects of the protection layers are then compared against risk tolerance criteria. Characteristics of the answers provided by LOPA are listed in the text box above.


LOPA answers the key questions about the number and strength of protection layers by

The genesis of this method was suggested in two publications:

1. In the late 1980s, the then Chemical Manufacturers Association published the Responsible Care® Process Safety Code of Management Practices which included “sufficient layers of protection” as one of the recommended components of an effective process safety management system (American Chemistry Council, 2000). The Chemical Manufacturers Association is now the American Chemistry Council.

2. In 1993, CCPS published its Guidelines for Safe Automation of Chemical Processes (CCPS, 1993b). Although it was called the risk-based SIS integrity level method, LOPA was suggested as one method to determine the integrity level for safety instrumented functions (SIFs). (See Table 7.4 in Safe Automation; CCPS, 1993b.) “Interlock” is an older, imprecise term for SIF. The method used was not as fully developed as the LOPA technique described in this book. However, it did indicate a path forward, which was pursued by several companies independently. The reasons for this effort included the desire to

The initial development of LOPA was done internally within individual companies, in some cases focusing on existing processes, e.g., converting a control system to DCS. However, once a method had been developed and refined, several companies published papers describing the driving forces behind their efforts to develop the method, their experience with LOPA, and examples of its use (Dowell, 1997; 1998; 1999a; 1999b; Bridges and Williams, 1997; Fuller and Marszal, 1999; Lorenzo and Bridges, 1997; Ewbank and York, 1997; Huff and Montgomery, 1997). In particular, the papers and discussion among the attendees at the CCPS International Conference and Workshop on Risk Analysis in Process Safety in Atlanta in October 1997 brought agreement that a book describing the LOPA method should be developed.

In parallel with these efforts, discussions took place on the requirements for the design of safety instrumented functions (SIF) to provide the required PFDs (probability of failure on demand). United States (ISA S84.01, (ISA, 1996)) and international standards (IEC 61508, (IEC, 1998) and IEC 61511, (IEC, 2001)) described the architecture and design features of SIFs. Informative sections of the ISA and IEC standards suggested methods to determine the required SIL (safety integrity level), but LOPA was not mentioned until the draft of IEC 61511, Part 3 appeared in late 1999. These issues were summarized in the CCPS workshop on the application of ISA S84.01 (CCPS, 2000c).

In response to all this activity, CCPS assembled in 1998 a team from A. D. Little, ARCO Chemical, Dow Chemical, DuPont, Factory Mutual, ABS Consulting (includes former JBF Associates), International Specialty Products, Proctor and Gamble (P&G), Rhodia, Rohm and Haas, Shell (Equilon), and Union Carbide to tabulate and present industry practice for LOPA in this book.

This book extends the method outlined in Safe Automation of Chemical Processes (CCPS, 1993b) by

While the LOPA methods used by various companies differ, they share the following common features:

frequency of fatalities,

frequency of fires,

required number of independent protection layers (IPLs), and

maximum frequency for specified categories of consequence based on release size and characteristics or lost production;

1.3. Use of LOPA in the Process Life Cycle

LOPA can be effectively used at any point in the life cycle of a process or a facility (see Figure 1.1), but it is most frequently used during:

FIGURE 1.1. The process life cycle showing where LOPA is typically used (after Inherently Safer Chemical Processes: A Life Cycle Approach, CCPS 1996b)

However, LOPA can also be used in all phases of the process life cycle:

LOPA can also be used for other risk assessment studies within an organization, including transportation studies (road, rail, pipeline), terminal operations, toll conversion operations, auditing of third parties, loss prevention and insurance issues, etc.

In some companies LOPA is now used for a wide variety of purposes beyond the initial use for which it was developed (see Chapter 10).

1.4. Linkage to Other CCPS Publications

CCPS has published many books dealing with process safety issues in the chemical industry. LOPA depends on techniques described in the following CCPS books. Connections with other publications are cited in Appendix D.

A key input to LOPA is scenarios obtained from hazard identification. Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples (CCPS, 1992a) describes methods used to identify and assess the significance of hazardous situations found in process operations or activities involving hazardous chemicals. Generally, LOPA uses scenarios developed by hazard identification methods — usually qualitative (HAZOP, what-if, etc). However, companies have found that LOPA will often uncover scenarios overlooked by other methods because of the rigor in applying the concept of IPLs to the scenario. LOPA should be considered an extension to the Guidelines for Hazard Evaluation book as it provides a consistent, objective, semiquantitative method for addressing the issues covered.

LOPA is a semiquantitative approach. It can be viewed as a simplification of the quantitative risk analysis methods described in Guidelines for Chemical Process Quantitative Risk Analysis (CCPS, 1989a) and the Second Edition (CCPS, 2000a). CCPS (2000a) builds upon the information contained in CCPS (1989a) to demonstrate how to make quantitative risk estimates for the hazards identified by the techniques described in the Guidelines for Hazard Evaluation book. LOPA adds simplifying assumptions concerning the numerical values for the components of the scenario (initiating event frequency, enabling event/condition, number of IPLs, numerical value for an IPL) and in the calculation techniques employed. The simplifications are intended to be conservative so that, if a study were to be performed using a full quantitative analysis (event tree, fault tree, etc.), the results would show less risk associated with the scenario when compared to the results of an LOPA analysis. In order to ensure this, an analyst must understand the issues involved in performing a full quantitative risk analysis and what issues are important. Chapter 11 describes situations where a focused quantitative study can be performed on one component of a LOPA scenario to provide useful additional confidence in the numerical values used.

Evaluating Process Safety in the Chemical Industry: A User’s Guide to Quantitative Risk Analysis CCPS (2000b) is a brief and relatively inexpensive introduction to the concepts of CPQRA. These concepts also apply for using LOPA.

The LOPA book is a direct extension to concepts briefly described in Guidelines for Safe Automation of Chemical Processes (CCPS, 1993b). The LOPA book shows how to determine the required safety integrity level (in terms of the probability of failure on demand or PFD) of safety instrumented functions (SIF) that may be implemented in a safety instrumented system (SIS).

LOPA is an alternative method to the techniques described in Tools for Making Acute Risk Decisions with Chemical Process Safety Applications (CCPS, 1995c). CCPS (1995c) discusses methods used for decision making where risks have been assessed. In addition to chemical process risk, other factors, including financial cost, corporate image, employment of workers, etc., may be involved in a decision. The Making Acute Risk Decisions book (CCPS, 1995c) provides a collection of decision aids to assist a company in making a decision. LOPA should be considered an alternate method for making such decisions as it employs objective, quantified risk tolerance criteria. Some of the more qualitative factors (company image, morale, etc.) cannot be directly included, but that is the case for all other objective methodologies. Some LOPA risk tolerance criteria include a range where a cost-benefit study—or another type of judgment—is required to assist in making the decision on whether a risk should be tolerated or mitigated. Analysts using LOPA should be familiar with the techniques in the Making Acute Risk Decisions book (CCPS, 1995c).

More detailed links to other CCPS books and other publications are shown in Appendices D and E.

1.5. Annotated Outline of the LOPA book

Chapter 1 (this chapter) is an Introduction to the book.

Chapter 2 (Overview of LOPA) provides an outline of the LOPA process, discusses concepts and definitions unique to LOPA, and introduces the continuing examples used throughout the book.

Chapter 3 (Estimating Consequences and Severity) describes the concept of consequence, and its definition, in the LOPA process and provides examples of consequence categories used by some companies.

Chapter 4 (Developing Scenarios) discusses the concept of a scenario as used in LOPA, including the components that comprise a scenario. A format for presenting the results of LOPA studies is presented.

Chapter 5 (Identifying Initiating Event Frequency) discusses various initiating and enabling events and summarizes typical frequency data. The importance of using consistent initiating event frequencies for LOPA studies within an organization is emphasized.

Chapter 6 (Identifying Independent Protection Layers) discusses independent protection layers (IPLs). The requirements for a device, system, or action to be considered an IPL are defined and the concept of the probability of failure on demand (PFD) for an IPL is presented and discussed. Examples of active, passive and human IPLs are given together with typical ranges of PFD.

Chapter 7 (Determining the Frequency of Scenarios) presents the calculations for the continuing example problems using several methods. These show how different organizations would combine the individual components of a scenario to calculate the frequency of the consequence type specific to their method.

Chapter 8 (Using LOPA to Make Risk Decisions) discusses how the results of calculations are used to make decisions on whether the frequency of the consequence for a given scenario meets the risk tolerance criteria for a particular organization. Methods from various companies are used to demonstrate the concepts.

Chapter 9 (Implementing LOPA) discusses the implementation of LOPA within an organization. Reference materials, standards, and procedures, together with personnel expertise and training issues, are discussed.

Chapter 10 (Using LOPA for Other Applications) discusses other uses, apart from risk assessment, for which LOPA may be considered.

Chapter 11 (Advanced LOPA Techniques) discusses advanced LOPA topics. Situations where some of the inherently conservative assumptions made in LOPA may be modified are reviewed. The use of LOPA for other risk assessment applications is discussed.

Appendix A (LOPA Summary Sheets for the Continuing Examples) contains the complete LOPA sheets for all of the scenarios in the continuing examples using all of the methodologies discussed in the book.

Appendix B (Worked Examples from CCPS’s Safe Automation Book) provides an analysis of the problem discussed in Chapter 7 of CCPS (1993b). Important issues regarding the application of the rules for an IPL are discussed.

Appendix C (Documentation for a LOPA Study) summarizes the minimum documentation requirements for a LOPA study and discusses why such information is required, the appropriate level of detail, and other uses of the documentation.

Appendix D (Linkage with Other Publications) discusses other publications. Included are the use of LOPA to address regulatory or other process safety issues, and how other publications can assist in the implementation of LOPA.

Appendix E (Industry Risk Tolerance Criteria Data) lists typical data related to risk tolerance criteria.

Appendix F (High Initiating Event Frequency Scenarios) describes LOPA calculations when the initiating event frequency is high compared to the test frequency of the independent protection layer.

Appendix G (Additional Reading) is a list of other books and articles that may be of interest to the reader.