December 2021

Environment and Safety

Assessment of independent protection layers in an LOPA study—Part 2

Industrial facilities, especially those operating in the chemical, oil and gas and petroleum industries, contain inherent risks in operations due to the processing of materials that are hazardous in nature.

Industrial facilities, especially those operating in the chemical, oil and gas and petroleum industries, contain inherent risks in operations due to the processing of materials that are hazardous in nature. Hazards, operability issues, associated risks and their consequences must be accurately identified and analyzed to ensure safe operations. Safety instrumented systems (SISs) are deployed to reduce risk to tolerable or acceptable levels to achieve safe operations.1 The reliability of safety functions implemented in an SIS are determined by the magnitude of risk reduction required and is expressed in terms of safety integrity level (SIL).

A layer of protection analysis (LOPA) is one of the methods used to determine the SIL of the safety instrumented function (SIF). During the LOPA study, the design is thoroughly examined for one or more independent protection layers (IPLs) in the design to assess whether the required risk reduction has been achieved. The success of the LOPA study depends on proper assessment of the protection layers and their contribution to risk reduction.

In Part 1 of this article (November 2021), three attributes of a LOPA study were discussed: independence, functionality and integrity. The contribution of the remaining three attributes—reliability, access security and auditability—will be discussed here.


This core attribute defines the reliability of an IPL, which means that the IPL performs its intended function completely without fail when needed. For an IPL to be reliable, it must be rigorously designed, operated, maintained and tested as per the guidelines/procedures mentioned in the safety lifecycle according to IEC 61511.2,3 Any gaps that are discovered must be fixed with proper management of change (MoC) procedures.

In the LOPA process, IPLs are rarely challenged, meaning that an IPL operates in low-demand mode (e.g., less than once per year). If an IPL is required to operate more than once per year, then it cannot be considered as an IPL and probability of failure on demand (PFD) credit cannot be claimed. In such scenarios, these IPLs should be considered as initiating events, and the impact consequences of such IPLs must be further analyzed in the LOPA study.

Consider an example for an independent core attribute, an IPL of an SIL-3 rated safety SIF used in the burner management system, to manage the start and shutdown sequence and controls of the entire incinerator burner system. The question is: how to ensure the reliability of this IPL?

The designer of the SIS must select the appropriate instruments, check their reliability using SIL verification calculations, determine the best proof test frequency for each instrument, and verify the SIL certificate submitted by the manufacturer for each device in a particular SIF.

As a result, when choosing such safeguards (e.g., an SIF with SIL-1/2/3) as a credible IPL—which can reduce the SIL target by a magnitude of 1, 2 or 3—the LOPA team should place a greater emphasis on maintaining such an IPL in accordance with IEC 61511’s safety lifecycle. The team should clearly document in the LOPA report that such IPLs must adhere to strict enforcement and meet the IEC 61511 functional safety lifecycle phases.

Access security

An access security core characteristic is the use of physical and/or administrative controls with procedures to reduce the possibility of unauthorized changes to the system that could compromise the safety function.

The basic process control system (BPCS) is traditionally used to control process parameters within acceptable limits. Process design and operator actions on alarms play an important role in controlling the processes. Additional layers of protection are available, such as SISs and other mitigation layers like fire and gas, pressure relief valves, dikes and community emergency plans. In any process industry, systems like the BPCS, SIS and FGS form the complete automation system that controls the plant automatically throughout its lifecycle, considering the safety of people, assets and environment.

Technological advancements and increased operational efficiency have enabled most companies to interface operation technology (OT) with enterprise-level information technology (IT) systems, potentially exposing the OT or automation system to cyber threats. Even a robust automation system is vulnerable. These cyber threats, intentional or unintentional, can ultimately result in an abnormal and undesirable shutdown of the plant. Recently, cyber-attacks have caused numerous industrial incidents, so it is essential to study these cyber threats in detail and apply cybersecurity to the automation system.

Apart from automation cybersecurity, various methodologies are used in the process industries to reduce or prevent the possibility of unauthorized changes to the system, including:

  • When changing any parameter of the BPCS and SIS, the security password should be used. Access is limited to those who have been given permission.
  • Utilize lock and car seals for valves and/or equipment/devices. This includes the provision of locking the valve or device in the required position.
  • Key locking systems are used to ensure that valves or devices are operated in a pre-defined manner and in sequence. A main key is first released from a device or valve from a required position, and then inserted to any remaining devices in the sequence to alter its position as per the predefined sequence documented.
  • Use open, close and intermediate position limit switches on isolation or bypass valves that are displaying the actual position to the operator on a human-machine interface (HMI) screen.
  • Key lock-type switches should be provided for maintenance override switches and emergency shutdown switches on an operator console to avoid inadvertent operation.
  • SIS marshalling panels and system panels should be provided with a unique type of door key and cannot be opened with the door keys of other panels.

During the LOPA study, the team must verify that the facility under consideration has access security systems like those defined here, which must be used under strict administrative controls with proper documentation to be effective. In the LOPA study, such administrative control is examined when a particular safeguard is considered as a credible IPL. Various examples of consequence mitigation systems (CMS) with related risk reduction factors (RRF) and probability of failure on demand are given in IEC 61511-3, Table G7 (PFD).

An interesting example can be seen from that table: an overflow line can be credited as a consequence mitigation system with a risk reduction factor of 100, provided that the overflow line is built to discharge into a containment area that is large enough to handle the hazardous situation. Also, any valves in the line must be administratively regulated for the CMS to be available when needed.


Safeguards that can be claimed as an IPL in the LOPA study must be auditable. This requires a robust safety management plan implemented throughout the facility. The audit must be performed to confirm whether the design, operation, maintenance and testing are being implemented as per the guidelines and the procedures mentioned in the functional safety standards. An audit can also help measure the effectiveness of the system and procedure implementation and can be corrected for any gaps. In process industries, the LOPA process is also audited to verify its contents and alignment with the advancement in technologies, reliability data and standards. In this way, the entire LOPA process can be re-validated.

As a result, the team should refer to the Safety Plan document for a specific project during the LOPA study to see whether the requirement for an audit process is specified or not. If an audit requirement is listed, the team should review the content for appropriateness—if not, the team should make a recommendation.

Considering human action as an IPL

Opinions vary when considering human action as a credible IPL in a LOPA study. This includes operator action in response to an alarm within the required time duration, which may depend on various factors like operator experience, operator alertness in response to the alarm, an operator’s positive state of mind, documented procedures and the number of multiple tasks being performed by the operator at a time. The overall effectiveness of human action is often less reliable than the automatic actions performed by other means. However, it is too conservative not to consider well-defined human action as a credible IPL.

In the LOPA analysis, human response to an alarm should be considered a reliable IPL. During an actual plant procedure, the operator must monitor many important process parameters to ensure that the process runs smoothly. When all process parameters are normal and within reasonable limits, the operator can relax and observe the process. However, if one of the process parameters reaches the permissible control limits, the operator is under pressure to correct the situation, including conducting comprehensive research. The BPCS system begins sending warnings and alarms to the operator, increasing the difficulty for the operator to control an incident. The operator must take the required measures to ensure that the process returns to its normal operating parameters and that an unwanted shutdown is avoided.

As a result, the operator’s function and actions become crucial to restore the process to a safe state. When a human action is considered a reliable ILP in a LOPA analysis, the operator’s actions must be carefully observed, evaluated and recorded. That operator’s knowledge and awareness should be shared through a robust mechanism such as theoretical training and realistic demonstration through simulation softwares.

PFD values for IPLs

Once the safeguards have been properly analyzed and identified as credible IPLs, the next question is how much credit should be considered as risk reduction measures. The international standard IEC 61511-3 provides examples for the PFD values to be considered for IPLs. However, the final values to be considered in the LOPA study will depend on each organization and its tolerable risk criteria. This will further vary from one process plant to another, as each process has its unique hazards and consequences. Some industrial data are available to consider the PFD value for IPLs, but these should be verified and documented by an organization before conducting the HAZOP/LOPA study.

PFD value data are available for IPLs, documented in literature from industry experience and good engineering practices. For example, one such source of literature is from the Center for Chemical Process Safety (CCPS)4, which has documented the ranges for PFD values of IPLs used in different companies. For example, the passive IPL like Dike can have PFD values ranging from 1 × 10–2 to 1 × 10–3; another example would be an active IPL relief valve with PFD values that vary from 1 × 10–1 to 1 × 10–5; and a BPCS as an IPL can claim the PFD credit ranging from 1 × 10–1 to 1 × 10–2.

Safeguards are not considered as an IPL

The core attributes mentioned must be verified to qualify safeguards as IPLs—not every safeguard can qualify as an IPL, but every IPL serves as a safeguard. It is essential that the LOPA team analyze each safeguard in detail against the core attributes explained here and decide which safeguards will be credited as an IPL in the LOPA study, as well as the risk reduction magnitude. It has always been difficult for LOPA teams to determine a credible IPL, so IPLs can always be challenged. However, the CCPS has listed some of the safeguards that may not be considered a credible IPL:

  • Training and certification
  • Procedure (SOP, maintenance procedures, etc.)
  • Inspection and testing (FAT, SAT, etc.)
  • Any kind of maintenance work
  • Display signs and communication
  • Fire and gas systems.

Management of Change (MoC)

Changes can occur at any stage during a plant’s lifecycle (i.e., during the design stage, startup/commissioning or even once the plant is up and running). It is critical that changes be captured at every point and carried out in accordance with a strict MoC protocol. It is possible that new hazards introduced by the changes will affect the current system’s integrity, necessitating a new SIL assignment for the existing system.

The functional safety standards recommend that any modifications or changes in the design are properly evaluated, examined, tested and validated before being put into operation. Any additional risk due to these changes or modifications must be re-evaluated and proper risk reduction measures will be applied. Such activities and their documentation will be performed in accordance with proper MoC procedures.


In a particular overpressure scenario, the LOPA team can accept the pressure relief valve (PRV) as an IPL and credit that PRV in the SIL analysis to arrive at the remaining risk reduction magnitude. Due to the time constraints of a LOPA study, the LOPA team generally does not check the actual design of the PRV (e.g., whether the PRV is designed for all required scenarios, selected as per the design basis, designed as per required flow at scenario conditions, installation details, inspection frequency, and whether testing and maintenance are carried out properly). Rather, the LOPA team only ensures that a PRV is available on the P&ID for the particular scenario in question.

Once the LOPA session is over, the LOPA SIL target result is usually not revalidated or challenged until and unless it will create any major issue in design at later stage. The purpose of this example is to emphasize the importance of the selection of a proper IPL in the LOPA study. Because the selected IPL contributes to major risk reduction in the LOPA study, it must be properly analyzed and validated for its intended purpose. In this example of a PRV as a credible IPL, it is validated by auditing the documentation proof for the PRV against requirements like sizing criteria, design basis, installation details, inspection and testing report, maintenance, proof testing procedures, etc.

During the LOPA session for SIL determination, the LOPA team should use data developed from the HAZOP study and follow the LOPA worksheet for further analysis and evaluation, exploring all possible situations or conditions and considering core attributes like independence, functionality, integrity, reliability, access security and auditability before selecting the safeguard as an IPL. If the safeguard under analysis qualifies the relevant and required core attributes, it should be considered as a credible IPL in the LOPA study. HP


  1. American National Standards Institute/International Society of Automation, ANSI/ISA-84.00.01-2004, “Application of safety instrumented systems for the process industries,” 2004.
  2. International Electrotechnical Commission, IEC 61508, “Functional safety of electrical/electronic/programmable safety-related systems,” Parts 1–7.
  3. International Electrotechnical Commission, IEC 61511, “Functional safety: Safety instrumented systems for the process industry sector,” Parts 1–3.
  4. Center for Chemical Process Safety, American Institute of Chemical Engineers, Layers of protection analysis: Simplified process risk assessment, New York, New York, October 2001.

The Author

Related Articles

From the Archive



{{ error }}
{{ comment.comment.Name }} • {{ comment.timeAgo }}
{{ comment.comment.Text }}