February 2020

Environment and Safety

LOPA: A comprehensive analytical tool for deriving SIL targets and applicability review

Many industrial facilities, especially those in the chemical, oil and gas and petroleum industries, involve inherent risks in operations due to the processing of material that is hazardous in nature. It is necessary to precisely identify and analyze hazards, operability issues, associated risks and consequences.

Many industrial facilities, especially those in the chemical, oil and gas and petroleum industries, involve inherent risks in operations due to the processing of material that is hazardous in nature. It is necessary to precisely identify and analyze hazards, operability issues, associated risks and consequences. Safety instrumented systems (SISs) are often used to reduce the risk associated with process or plant to acceptable or tolerable levels.1 The reliability of safety function(s) implemented through an SIS is determined by the magnitude of risk reduction and is expressed in terms of safety integrity level (SIL).

The determination of the SIL is the process of assigning the risk reduction magnitude to the safety instrumented function (SIF). Several techniques are used to establish the SIL to the SIF. These techniques are qualitative, quantitative or a mix of both, based on the application.

A layer of protection analysis (LOPA) is one of the prevailing methods to determine the SIL. This article establishes when, why and how to apply the LOPA to determine the SIL.

The SIL assignment is one of the most important activities in the SIS safety lifecycle phase. According to IEC 61511-1, the allocation of safety functions to the protection layer begins after the hazard and risk assessment is completed.2 However, a case exists where the safety allocation or the SIL assignment activity happens in parallel with the hazard and risk assessment study.

In practice, the LOPA method is performed for the safety functions with the high-consequence severity that in-depth analysis requires.3 The LOPA method begins with data developed in the hazard and operability analysis (HAZOP) study, and accounts for each identified hazard by documenting the initiating cause and the protection layers that prevent or mitigate the hazard. The total amount of risk reduction can then be determined, and the need for more risk reduction is analyzed. If additional risk reduction is required, and if it is to be provided in the form of an SIF, then the LOPA methodology allows for the determination of the appropriate SIL for the SIF.

Determining the SIL

The SIL assessment begins after completion of the HAZOP and execution of the recommendations and identified safety functions made during the HAZOP. IEC 61511-3 provides guidelines on different methods for determining the SIL for the SIF for each application. The method selection for each application depends on numerous factors, including:

  • Complexity of the application
  • Guidelines from regulatory authorities
  • Experience and skills of the personnel available to undertake the work
  • Information available on the parameters relevant to the risk.

Various methods used in the process industries for SIL allocation include:

  • Safety layer matrix method, risk matrix (qualitative)
  • Risk graph (qualitative)
  • Calibrated risk graph (semi-qualitative and semi-quantitative)
  • Fault tree and event tree analysis method (semi-quantitative)
  • LOPA (semi-quantitative).4

The ALARP (as low as reasonably practicable) principle is mainly used to establish the tolerable risk target for the facility under consideration, and is not used to actually determine the SIL. Practically, the ALARP principle is the basic fundamental technique for the management of risks and used in association with other SIL determination methods, such as the SIL risk matrix (safety layer matrix), the calibrated risk graph and the LOPA.

In some applications, more than one method may be used; however, in reality, the client/owner chooses the most suitable method for the facility under consideration. IEC 61511 states that the methods used to allocate the SIL to the SIF depend primarily upon whether the necessary risk reduction is specified explicitly in a numerical manner or in a qualitative manner. These approaches are termed quantitative and qualitative methods, respectively.

A qualitative method is used as a first-pass to determine the required SIL of all SIFs. Safety loops that are assigned a consequence severity level of 3 or 4 should then be more thoroughly analyzed, using a quantitative method to gain a more rigorous understanding of required safety integrity.


Safety layer matrix (risk matrix)

This qualitative method for risk evaluation can be used by combining the likelihood and the impact severity rating of hazardous events. A similar approach can be used to develop a matrix that identifies the potential risk reduction that can be associated with the use of an SIS protection layer. An example of a risk matrix is shown in FIG. 1, where the safety target level (i.e., the SIL) has been embedded in the matrix. In other words, the matrix is based on the operating experience and risk criteria of the specific company; the design, operating and protection philosophy of the company; and the level of safety that the company has established as its safety target level.

FIG. 1. A risk matrix that identifies the potential risk reduction that can be associated with the use of an SIS protection layer. Source: IEC 3020/02.
FIG. 1. A risk matrix that identifies the potential risk reduction that can be associated with the use of an SIS protection layer. Source: IEC 3020/02.

A safety layer matrix is occasionally used in the process industry and can be used for integrated HAZOP/SIL determination sessions. This method can also be used as a screening method to identify high-magnitude safeguards (SIL 2 and 3), which can be further evaluated in separate risk evaluation sessions.

Risk graph

This qualitative method enables the SIL of an SIF to be determined from a knowledge of the risk factors associated with the basic process control system (BPCS). The risk graph is based on the principle that risk is proportional to the consequence and frequency of the hazardous event. It starts by assuming that no SIS exists, although typical non-SISs, such as BPCSs and monitoring systems, are in place. Consequences refer to harm associated with personnel, equipment and environmental damage.

This method must consider the following four risk parameters:

  • Consequence of the hazardous event (C)
  • Frequency of presence in the hazardous zone multiplied by the exposure time (F)
  • Possibility of avoiding the consequences of the hazardous event (P), or occupancy exposure time
  • Probability of the unwanted occurrence (W) or demand rate.

By combining these four risk parameters, a risk graph can be formed, which results in embedded SIL numbers. This risk graph should be separated for people, assets and environment risk, and the most conservative SIL number should be used as an overall SIL of the SIF under consideration.

Calibrated risk graph

This semi-qualitative method (FIG. 2) also enables the SIL of an SIF to be determined from a knowledge of the risk factors associated with the BPCS. Calibration of the risk graph is the process of assigning numerical values to risk graph parameters. This process forms the basis for the assessment of the process risk that exists and allows the determination of the required integrity of the SIL under consideration. The sequence steps involved in the methodology to determine the SIL include:

  • Describe the SIF
  • Evaluate the consequence parameter
  • Evaluate the frequency/exposure time parameter (occupancy factor)
  • Evaluate the possibility of avoiding the hazard parameter
  • Evaluate the demand rate parameter
  • Identify existing independent protection layers
  • Identify the integrity level, using a risk graph for safety, environment and assets
  • Assign the SIL of the SIF
  • Make recommendations, as appropriate.
FIG. 2. The general scheme of a risk graph. Source: IEC 1666/9B.
FIG. 2. The general scheme of a risk graph. Source: IEC 1666/9B.

Fault tree and event tree analyses

A fault tree (FIG. 3) and event tree are semi-quantitative and quantitative methods used to evaluate the process risk by determining the frequencies of hazardous events (FIG. 4). These frequencies are then used to compare with the predefined tolerable frequency. Any inadequacy is expressed in terms of SIL, and this SIL value is normally assigned to develop a new SIF. Both of these methods can be used independently, but are more powerful and rigorous methods for determining the SIL if used in combination. Fault tree and event tree analyses often require the use of specialized, quantitative risk assessment software. The main disadvantage of these methods is that they require skill in probabilistic modeling to apply properly.

FIG. 3. Fault tree for overpressure of a vessel. Source: IEC 3016/02.
FIG. 3. Fault tree for overpressure of a vessel. Source: IEC 3016/02.
FIG. 4. Hazardous events with existing safety systems. Source: IEC 3016/02.
FIG. 4. Hazardous events with existing safety systems. Source: IEC 3016/02.

Using LOPA

LOPA can be used at any point during the SIL allocation stage of the safety lifecycle of a plant or facility under consideration. Since it is a semi-quantitative method, it is used more rigorously after the initial qualitative SIL assessment has been completed. LOPA is normally applied after a qualitative hazard analysis has been completed, which provides the LOPA team with a list of hazard scenarios with associated consequence descriptions and potential safeguards for consideration.

Scenarios in which a more rigorous analysis tool like LOPA may be needed include:

  • As the other qualitative methods are intended to be conservative, the team may feel that the final outcome of such studies may be more conservative, are unjustified and may incur cost for identified safeguards (which may also be unjustified)
  • The team may be uncertain about the severity of consequences and believe that a qualitative assessment is not appropriate
  • If the corporate risk criteria is not met following the initial screening methods, then it is appropriate to conduct more rigorous analysis, such as LOPA, as a value add in making the SIL assignment decision.

Documentation used for LOPA

LOPA requires specific supporting documents during risk assessment.5 The minimum required list of supporting documents generally used in LOPA includes:

  • Corporate risk tolerance criteria and risk assessment data (consequence severity class for people, environment and assets; an example of initiating events and their frequency; an example of independent protection layer (IPL) and associated risk reduction factor (RRF); an example of consequence mitigation system with associated RRF, etc.)
  • Operating plan and procedures for the plant or facility
  • Process safety time data
  • Pressure safety valve design data
  • Vessel design data
  • Condition modifier (occupancy factor and time at risk)
  • Comprehensive and complete definition of all hazard scenarios, associated consequences and layers of protection, developed from HAZOP
  • Complete definition of instrumented system loops and their interrelationships
  • Cause and effect matrix, instrumented protective function (IPF) narratives
  • Piping and instrumentation diagrams (P&IDs) used in HAZOP
  • Previously determined SIL rating (if any) that requires re-evaluation.


The information required for LOPA is contained in the data collected and developed in the HAZOP study (TABLE 1). The sequential steps of the methodology to determine the SIL using LOPA are discussed here.

Step 1—Impact event

Each impact event description (consequence) as determined from the HAZOP study is entered in Column 1 of TABLE 2 (a typical spreadsheet used for LOPA).

Step 2—Severity level

The consequence severity levels, classified as minor (M), serious (S) or extensive (E), as shown in TABLE 3, are next selected for the impact event and entered in Column 2 of TABLE 2.

Step 3—Initiating cause

All applicable initiating causes are listed in Column 3 of TABLE 2. Impact events may have many initiating causes, and it is important to list all of them.

Step 4—Initiation likelihood

Likelihood values of the initiating causes occurring (in number of events per year) are entered into Column 4 of TABLE 2. TABLE 4 shows the likelihood of typical initiating causes. The experience of the team is vital in determining the frequency of initiating causes.

Step 5—Protection layers

The next fields in the LOPA worksheet contain the protection layers. All applicable protection layers with their probability of failure average (PFDavg) values are identified and recorded in Columns 5, 6 and 7 of the LOPA worksheet (TABLE 2). The LOPA team must be careful while selecting the appropriate protection layers (TABLE 5), because protection layers that perform their function with a high degree of reliability may only qualify as IPLs.

The LOPA team should determine the appropriate PFDs for all mitigation layers and list them in an LOPA worksheet column. This includes mechanical, structural or procedural (e.g., pressure relief devices, dikes, restricted access).

Some mitigation layers may reduce the severity of the impact event but not prevent it from occurring. Examples include deluge systems for fire or fume release, fume alarms and evacuation procedures.

The criteria to qualify the protection layer as an IPL are:

  • The protection provided reduces the identified risk by a large amount
  • The protection function is provided with high degree of availability (0.9 or greater)
  • It has several important characteristics:
    • Specificity: An IPL is designed solely to prevent or to mitigate the consequences of one potentially hazardous event (e.g., a runaway reaction, a release of toxic material, a loss of containment, a fire). Multiple causes may lead to the same hazardous event; therefore, multiple event scenarios may initiate action of one IPL.
    • Independence: An IPL is independent of other protection layers associated with the identified danger.
    • Dependability: It can be counted on to achieve its design purpose. Both random and systematic failure modes are addressed in the design.
    • Auditability: It is designed to facilitate regular validation of the protective functions. Proof testing and maintenance of the safety system are necessary.

Step 6—Intermediate event like-lihood

The intermediate event likelihood is calculated by multiplying the initiating likelihood (Column 4) by the PFDs of the protection layers and mitigating layers (Columns 5, 6 and 7). The calculated number is in units of events per year and is entered into Column 8.

It is important to consider that if the intermediate event likelihood calculated in Step 6 is less than the corporate criteria for events of this severity level, then additional PLs are not required. Further risk reduction should, however, be applied if it is economically appropriate.

If the intermediate event likelihood is greater than the corporate criteria for events of this severity level, then additional mitigation is required. Inherently safer methods and solutions should be considered before additional protection layers in the form of SIF are applied. If inherently safe design changes can be made, then the intermediate event likelihood is recalculated to check if it is below corporate criteria. If the above method attempts to reduce the intermediate likelihood below corporate risk criteria for failure, then an SIF is required.

Step 7—Safety integrity level

If a new SIF is needed, then the required integrity level can be calculated by dividing the corporate criteria for this severity level of event by the intermediate event likelihood. A PFDavg of the SIF below this number is selected as a maximum for the SIF and entered into Column 9.

Step 8—Mitigated event likelihood

The mitigated event likelihood is now calculated by multiplying Columns 8 and 9, and the result is entered into Column 10. This is continued until the team has calculated and mitigated the event likelihood for each impact event that can be identified.

Step 9—Total risk

The final step is to calculate the SIL number6 by adding up the mitigated event likelihood of Step 7 and Step 8.

For example, the mitigated event likelihood for all serious and extensive events that cause fire would be added and used in formulas, such as: the risk of fatality due to fire = (mitigated event likelihood of all flammable material release) × (probability of ignition) × (probability of a person in the area) × (probability of fatal injury in the fire).

It is important to properly apply conditional modifiers, such as time at risk and occupancy factor, in the formula to derive the total risk. This requires the expertise of the risk analyst specialist, the knowledge of the team and the work practices followed by the plant and affected community.

If the total risk (results from the criteria, as explained above) meets or is less than the corporate risk criteria for the population affected, then the LOPA is complete. However, since the affected population may be subject to risks from other existing units or new projects, it is wise to provide additional mitigation and risk reduction if it can be accomplished economically.

Benefits of LOPA

LOPA is a systematic methodology for examining defense in depth and assigning the SIL target. Advantages that justify investment include:

  • Collaboration among team members leads to more appropriate result for SIL allocation.
  • It has proven effective in resolving disagreements related to qualitative hazards analysis findings.
  • It can be integrated with a commercially available SIL software tool that simplifies complex mathematical equations and calculations.
  • A more quantitative method than a risk graph allows documentation of all considered factors and the rationale of risk decisions, enabling traceability for proving due diligence.
  • Careful application can ensure a defined and consistent level of safety across all processes and plants.
  • Demonstrates that risk levels have been lowered to satisfy tolerable risk criteria.
  • LOPA provides more defensible comparative risk judgments than qualitative methods due to the more rigorous documentation and the specific values assigned to frequency and consequence aspects of the scenario.
  • LOPA facilitates the inclusion of all prevention and mitigation measures, providing a clearer picture of safeguards and initiating events. LOPA considers all applicable safeguards, even low-end safeguards, for credit to achieve maximum possible risk reduction.
  • It is more precise, but less resource-demanding than fully quantitative methods.
  • It includes its own calibration and facilitates the use of corporate criteria in a clear, explicit way.

LOPA limitations

While LOPA has many important advantages for SIL allocation methodology, it has some drawbacks or limitations:

  • Compared to methods like risk graphs, LOPA application can be slower; the process can be more time-consuming and can demand more resources on the assessment team. The overall effort involved can be higher.
  • LOPA requires a specialist to execute the method, and special skills are needed to source the likelihood numbers, determine which numbers to employ and format them. These figures are difficult to find and require interpretation and conversion skills.
  • Risk comparisons of scenarios are valid only if the same LOPA method and comparisons are based on the same risk tolerance criteria, or on the risk of other scenarios determined by LOPA. The numbers generated by a LOPA calculation are not precise values of the risk of a scenario. This is also a limitation of quantitative risk analysis.
  • One of the most significant drawbacks is that LOPA does not consider common-cause failure between risk reduction measures. LOPA is more difficult to perform as a team exercise, makes heavier demands on team members’ time and is not as visual.
  • Results are more rigorous than the risk matrix or risk graph, but less rigorous than the fault tree/event tree.
  • Differences in risk tolerance criteria and LOPA implementation between organizations means that results cannot normally be directly compared from one organization to another.


Any SIL selection method, if not used properly, may lead to an inappropriate SIL target with a potentially intolerable level of risk.

Qualitative methods are simple and easy to use, less time-consuming and can be used in the early stages of a project to screen a large number of SIFs. However, this can be more conservative and may result in a higher SIL requirement, which eventually leads to higher costs.

Semi-quantitative methods are more quantitative in nature and, therefore, more precise than qualitative methods. They can be used during the detailed engineering stage of the project, or when it is required to validate/review previous results from qualitative/semi-qualitative methods. However, this is more time-consuming and requires more resources than a qualitative method.

While a quantitative risk assessment (QRA) is the most resource-intensive method, it is not commonly used in the process industries except to analyze cases where the risk is extremely high. The FTA or ETA methodologies are used to evaluate the scenarios in detail and provide more exact results—e.g., the minimum RRF value that is required for the SIF. These techniques may be recommended for critical safety functions or to define exact values of risk reduction or a PFDavg target for the SIF.

LOPA allows the SIL allocation team to examine a predefined scenario and estimate the risk of the scenario in a consistent and simplified manner. Since LOPA is a semi-quantitative method that uses numbers, the final results express the precise risk reduction required of the scenario. The more rigorous LOPA procedure frequently clarifies inaccurate scenarios resulting from qualitative hazard reviews. HP


The author would like to thank Amit Aglave, FS Engineer (TÜV Rheinland); Amit Kapil, Control System Head of Department, Fluor Daniel India Pvt. Ltd.; and Fluor New Delhi senior management for their encouragement, guidance, motivation and support in the completion of this article. 


  1. American National Standards Institute, ANSI/ISA-84.00.01-2004, “Application of safety instrumented systems for the process industries,” 2004.
  2. International Electrotechnical Commission, IEC 61511, “Functional safety: Safety instrumented systems for the process industry sector, Parts 1-3.”
  3. International Electrotechnical Commission, IEC 61508, “Functional safety of electrical/electronic/programmable safety-related systems, Parts 1–7.”
  4. “Layers of protection analysis: Simplified process risk assessment,” Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, New York, 2001.
  5. Thomas, H., “PHA to LOPA: Part II,” online: https://www.exida.com/Blog/PHA-to-LOPA-Part-II
  6. Risktec, “Closing the safety gap—Safety integrity level selection using LOPA,” online: https://www.risktec.tuv.com/risktec-knowledge-bank/functional-safety/closing-the-safety-gap-safety-integrity-level-selection-using-lopa/

The Author

Related Articles

From the Archive



{{ error }}
{{ comment.comment.Name }} • {{ comment.timeAgo }}
{{ comment.comment.Text }}