
Paper No.


Initiating Events and Independent Protection Layers for LOPA,

A New CCPS Guideline Book

John F. Murphy, PE
CCPS Staff Consultant

Wayne Chastain, P.E.

Engineering Associate
Eastman Chemical Company

William (Bill) Bridges

Process Improvement Institute, Inc.

Prepared for Presentation at

American Institute of Chemical Engineers
2009 Spring National Meeting
43rd Annual Loss Prevention Symposium
AIChE 2009 Spring National Meeting
Tampa Convention Center
Tampa, Florida
April 26-30, 2009


AIChE shall not be responsible for statements or opinions contained
in papers or printed in its publications


LPS 2009 __________________________________________________________________ Paper 2F

Layer of protection analysis (LOPA) is a semiquantitative tool for analyzing and assessing process risk.
The tool has grown greatly in popularity and usefulness since the publication of the first CCPS/AIChE
guidebook on the subject, Layer of Protection Analysis, Simplified Process Risk Assessment (LOPA).
CCPS chartered a subcommittee to develop a new text on initiating events failures and independent
protection layers. This paper will discuss the additional guidance provided by this new book including:

- Additional choices and examples of initiating events (IEs).
- Additional choices and examples of independent protection layers (IPLs).
- More complete criteria of how to determine the value of each prospective IE and prospective IPL.
- More elaboration on the practices that an organization should comply with to qualify an IE or IPL at a
  given value.
- Example IE and IPL data tables.

This book will be a necessary reference for those applying the LOPA methodology. This paper will
summarize this upcoming textbook, highlight some of the new IPLs and IEs, and highlight some of the
chief concerns the subcommittee wrestled with.

1. Introduction
Layer of protection analysis (LOPA) is a semiquantitative tool for analyzing and assessing risk.
Basic LOPA uses order-of-magnitude estimates of frequency, probability, and consequence
severity, together with conservative rules related to ensuring all values used in the assessment are
defensible and maintainable. This tool has grown greatly in popularity and usefulness since the
publication of the first CCPS/AIChE guidebook on the subject (CCPS, 2001). This book builds
on that important text by:

- Providing additional choices and examples of initiating events (IEs) for analysis in tools such
  as LOPA and similar approaches up to and including quantitative risk analyses (QRAs), that
  use additional tools such as Fault Tree Analysis (FTA), Event Tree Analysis (ETA), and
  Human Reliability Analysis (HRA)
- Providing additional choices and examples of independent protection layers (IPLs)
- Providing more complete criteria of how to determine the value of each prospective IE and
  prospective IPL
- Providing more elaboration on the limitations that an organization should comply with to
  qualify an IE or IPL at a given value; particularly defining the activities and documentation
  required for a system feature or action to validate or prove the feature before it can be
  credited at a given failure rate (for an IE) or a given probability of failure on demand (PFD)
  for an IPL
- Discussing the linkage to other publications.

2. Audience
This book is intended for:

- Current practitioners of LOPA. It is assumed that readers of this book have read and
  understood the first text (CCPS, 2001) on this topic. These practitioners can include process
  engineers, risk analysts, and process safety and safety specialists who are also familiar with
  other risk assessment methods (such as HAZOP, fault tree analysis, event tree analysis, etc.)
  and who already have some experience with LOPA (analysts, participants, reviewers,
  auditors, etc.). For this audience, Chapters 3 through 6 will provide additional details on
  rules for LOPA, additional example IEs, and additional example IPLs. Chapter 7 and the
  Appendices will contain guidance for analysts who find the need to supplement the basic
  LOPA approach with the use of fully quantitative methods such as FTA, ETA, and HRA
  (extensions beyond the basic, order of magnitude limits of LOPA).
- Executives who are considering expanding their corporate strategy for managing risk by
  adding LOPA to their existing risk analysis process. For the executive audience, Chapter 2
  will summarize the LOPA method and its benefits and explain the new limitations and
  interpretation of LOPA rules; and what these subtle changes in emphasis from the original
  LOPA textbook might mean to the organization.
- Project Managers who want to ensure that a new process or process modification has
  sufficient layers of protection. LOPA is a tool for selecting and evaluating alternative layers
  of protection and can be used in any phase of a capital project.
- Engineers, chemists, operations and maintenance personnel, supervisors, department
  managers, and others who must ensure that the technical and administrative requirements for
  each IE and IPL are met to assure the risk of the facility is maintained as estimated by LOPA.
  The chief ongoing effort is to maintain the IEs and IPLs at the stated failure rates. One goal
  of this text is to reinforce the activities and documentation that assist in obtaining the
  predicted order of magnitude risk reduction factor for each IE and IPL used by the facility.
  Chapters 3 through 6 will be useful for this audience, with particular attention to the data
  blocks and summary tables of validation criteria necessary for each IE and IPL. If these
  validation activities (such as proof tests) are not planned for and performed, then the IE and
  IPL are not valid.

3. Scope
The initial LOPA textbook (CCPS, 2001) set the guidelines for using LOPA as a middle ground
between purely qualitative analysis (also called hazard evaluation) and full quantitative analysis
methods. LOPA allows an order-of-magnitude risk estimate with fairly reproducible results
within an organization. This text builds on the foundation laid by the LOPA textbook by
clarifying key concepts and reinforcing limitations and requirements. The main scope of the
book is to provide more examples of IEs and IPLs and to provide more concrete guidance on the
protocols that must be followed to achieve and maintain these risk reduction systems and actions.
This book will not be a second edition of the existing CCPS LOPA book and does not intend to
change any criteria established for LOPA in the first textbook on the topic. However, the
industry has developed further knowledge through experience and many practitioners have
requested more details on IEs and IPLs and the CCPS has seen the need to better explain the
validations necessary to claim a risk reduction value for an IPL (or for an IE as well).
This book will exclude detailed explanations of Safety Instrumented Systems (SIS) and the
related Safety Integrity Levels (SIL), or analysis of Protective Integrity Levels (PILs) afforded
by these instrumented systems, since the IPL values and requirements for maintenance of this
class of IPLs are covered in the book Guidelines for Safe and Reliable Instrumented Protective
Systems (IPS) (CCPS, 2007). Just as in the original LOPA text, this book will list the risk
reduction credits (IPL values) that can be obtained for each SIS or BPCS. But the design,
implementation, and mechanical integrity of these systems have to be demonstrated to meet the
criteria in IPS (CCPS, 2007) and the requirements of the related industry codes and standards
(ANSI/ISA 84.00.01 and IEC 61511). Otherwise, as with all other IPLs, the PFD claimed for a
PIL or SIL will not be valid.
This book will also exclude detailed explanations of conditional modifiers, which are probability
factors used to estimate likelihood of fires, explosions, and fatality given a release has occurred.
Conditional modifiers were discussed in LOPA (CCPS, 2001), but the topic is complex and
application specific, which is beyond the scope of this book.
4. Recap of LOPA
What Is LOPA?
LOPA is a simplified form of risk assessment. Risk is a combination of the frequency of the
scenario and the consequence of the scenario. LOPA typically uses order of magnitude estimates
for initiating event frequency, consequence severity, and the likelihood of failure of independent
protection layers (IPLs) to approximate the risk of a scenario. LOPA is an analysis tool that
typically builds on the information developed during a qualitative hazard evaluation, such as a
process hazard analysis (PHA), for example a hazard and operability analysis (HAZOP); LOPA
does not identify hazardous scenarios, but it does provide a streamlined method for estimating
the risk of scenarios. LOPA is implemented using a set of criteria that are more restrictive than
those typically used for event trees and fault trees.
LOPA: one consequence-cause pair
One limitation of the LOPA technique is its restriction to a single cause-consequence pair. By
comparison, other risk analysis methods such as fault tree or quantitative risk assessment
encompass multiple causes and can address multiple consequences in one analysis.
Like many other risk analysis methods, the primary purpose of LOPA is to determine if there are
sufficient layers of protection to reduce the risk of an accident scenario below the specified risk
criteria. A scenario may require one or many protection layers depending on the complexity of
the scenario and potential severity of the consequence. Note that for a given scenario, only one
layer must work successfully for the consequence being analyzed to be prevented. However,
since no layer is perfectly effective, sufficient layers of protection must be provided to lower the
risk below the specified risk criteria (e.g., the second and third layers work when the first fails).

History of LOPA
The initial development of LOPA was done internally within individual companies. However,
once the method had been developed and refined, several companies published papers describing
the driving forces behind their efforts to develop the method, their experience with LOPA, and
examples of its use. In particular, the papers and discussion among the attendees at the CCPS
International Conference and Workshop on Risk Analysis in Process Safety in Atlanta in
October 1997 brought agreement that a book describing the LOPA method should be developed.
This led to the LOPA textbook (CCPS, 2001).
Experience and developments while using LOPA over the past 10 years led to the authoring of
the current book with a:

- desire to improve the understanding of when IEs and IPLs are applicable,
- desire to provide more examples of IEs and IPLs,
- need for clearer protocols for validating an IPL or IE value.

Common Elements of LOPA

While the LOPA methods used by various organizations differ, they share the following common

- A means to assess or estimate consequence that can be applied throughout the organization.
- Numerical risk criteria. Individual companies use different criteria which may include (but
  are not limited to):
  - Frequency of fatalities
  - Frequency of loss of containment
  - Economic loss
  - Frequency of a consequence category (which can include damage, fatality, etc.)
  - Required number of independent protection layer (IPL) credits
- A method for identifying which scenarios require LOPA
- Criteria for crediting safeguards as IPLs
- Specified default data for initiating event frequencies and credits for IPLs.
- A specified procedure for performing the required calculations.
- A specified procedure for determining whether the risk associated with a scenario meets the
  risk criteria for an organization and, if it does not, how this is resolved and documented.

5. When to Use LOPA

Hazards and risk are evaluated and judged (assessment) during every phase in the life of a
process. Throughout the process life cycle, there is an effort to choose the inherently safest and
most reliable process technology and an effort to locate the process so as to optimally minimize
risk to people, property, and the environment. Companies use hazard evaluation and risk
judgment as tools in this effort. As the design matures, the understanding of the risk of a process
also matures and this learning is in turn applied to the process design and operating philosophy.
In the detailed engineering and construction phases of a project, we further refine the design and
use an assortment of tools to help us determine plausible accident scenarios and judge the risk of
such scenarios. LOPA can help in the risk judgment aspect at any phase of a project (see
Bridges, et al, 2008). After a process is started up, the risk of the process must be maintained
and changes must be controlled. LOPA can be used to help make risk judgments of plant
modifications and procedural changes during these ongoing operational phases as well. Refer to
the LOPA Guideline (CCPS, 2001) for details on when and how to use LOPA over the lifecycle
of the process.
Figure 1 Types of Hazard/Risk Reviews (HR) Throughout the Life Cycle of a Process (each
type uses one or more of the HR [PHA] methods)

LOPA can be effectively used at any point in the safety life cycle of a process or a facility
(Figure 1), but it is most frequently used during:

- The detailed design stage when the process flow diagram is essentially complete and the
  P&IDs are being developed. LOPA is used to examine scenarios, often generated by other
  process hazard assessment (PHA) tools, such as HAZOP, what-if, checklist, etc.; as part of
  the SIS design; or as a risk screen; or as part of a design study on a system to classify the
  various process alternatives and to select the best method.
- Modifications to the process or its control or safety systems (i.e. management of change).

However, LOPA can also be used in all phases of the safety life cycle:

- It can be used during the initial conceptual process design to examine basic design
  alternatives and provide guidance to select a design that has lower initiating event
  frequencies, or a lower consequence, or for which the number and type of IPLs are better
  than alternatives. Ideally, LOPA could be used to design a process which is inherently
  safer by providing an objective method to compare alternate designs quickly and
- LOPA can be used during the regular cycle of PHAs (process hazard analyses) performed on
  a process. Experience with LOPA at several companies has shown that its scenario-focused
  methodology can reveal additional safety issues in fully mature processes that have
  previously undergone numerous qualitative PHAs. In addition, its objective risk criteria have
  proven effective in resolving disagreements on PHA findings that were based on qualitative
- If the risk is currently too high, and if an SIS is the chosen risk reduction approach, then
  LOPA can readily determine what SIL will be required.
- SIS should not be the first choice in reducing the risk of a process, so LOPA also examines
  alternatives to an SIS, such as modifying the process, adding other IPLs, etc.
- LOPA can be used to identify equipment that, as part of an IPL, is relied upon to maintain the
  process within the tolerable risk criteria of an organization. Such equipment may be denoted
  as safety critical (ISA, 1995) and is subjected to specified testing, inspection and
  maintenance. At least one company has found that LOPA has significantly decreased the
  number of safety critical equipment; the list had grown over time by adding equipment on a
  qualitative "better safe than sorry" basis, but many of the additional safeguards were not
  necessary and diverted limited resources away from more critical risk control measures.
- LOPA can be used to identify operator actions and responses that are critical to the safety of
  the process. This will allow focused training and testing to be performed during the life of
  the process and for the operating manuals to reflect the importance of a limited number of
  process variables, alarms and actions.
- Coordination of set points between various IPLs (e.g., alarms, SIF, relief devices)

LOPA can also be used for other risk assessment studies within an organization, including
terminal operations, tolling operations, auditing of third parties, loss prevention and insurance
issues, etc.
What risk assessment methods are best for helping a company judge risk? There is a spectrum of
answers to that question:


Figure 2 Spectrum of Risk Assessment Methods

The choice and use of the various qualitative to quantitative risk assessment methods vary
between organizations (Figure 2). However, best practice is:

- determine (find or identify) accident scenarios using qualitative judgment in a team-based
  setting (qualitative hazard evaluation) (PHAs, project risk reviews, HAZOP, etc.)
- judge risk as well as possible by voting of the team (this typically completes the risk
  judgment for 95% of accident scenarios).
- if the team cannot make a good risk decision (because the scenario is too complex, too new
  to them, or because the organization does not want them making the final decision for
  scenarios with large consequences), then use simplified-quantitative risk judgment
  techniques (such as LOPA) to aid in the risk judgment,
- if the site must provide numerical documentation of mitigation of high risk scenarios, then
  use simplified-quantitative risk judgment techniques (such as LOPA) to document all aspects
  of the order-of-magnitude risk judgment,
- if simplified quantitative analysis (e.g., LOPA) does not provide sufficient information for
  analyst or management to make a decision that the company can rely on, then perform a fully
  quantitative analysis (e.g., FTA, ETA, HRA) to create a more detailed model of the scenario
  and hopefully produce a valid risk judgment.

Note that ALL accident scenarios are identified using a team setting and qualitative hazard
evaluation methods (one primary goal of qualitative hazard evaluation is hazard identification,
which is also accident scenario identification); but occasionally, the teams do not feel capable of
making the judgments without more elaborate modeling of the risk.

Basic LOPA Steps

As mentioned earlier, it is assumed that readers of this book are familiar (and hopefully
practiced) in the LOPA method (CCPS, 2001). The following is a brief recap of the basic steps
of LOPA; later chapters will expand on the concepts of IEs and IPLs. Like all analytical
methods, LOPA has rules and steps:
Step 1: Select an accident scenario. LOPA is applied to one scenario at a time. The scenario
can come from other analyses (such as qualitative analyses, like a PHA or project risk review),
but the scenario describes a single cause-consequence pair. (From the perspective of QRA, an
individual scenario is analogous to one path through an ETA, usually where all IPLs have
failed.) The scenario is typically selected by the qualitative team because they are uncertain of
the risk (perhaps due to the complexity of the scenario) and therefore they request further
analysis (LOPA is typically performed outside of the qualitative team setting or with a
somewhat different team). But, a company may also require a LOPA of all scenarios above a
threshold consequence/severity rating.
Note that LOPA and other risk assessment techniques all are highly dependent on
understanding of the accident scenario under evaluation. Therefore, as with any risk
assessment, improvement in the IE frequency and PFD data described in this book might
NOT result in an increase in the quality of the analysis. It is much better to find all possible
accident scenarios and understand each one as well as possible than it is to become overly
confident in the risk reduction values and risk estimation methods.
Step 2: Estimate the consequence of the scenario. The analyst evaluates the consequence
(including the impact) and estimates its magnitude. Some companies stop at the magnitude of a
release (of material or energy), which implies, but does not explicitly state, the impact to people,
the environment, the property, or profits. This uses a lookup table to determine the severity
category of an accident LOPA scenario. A few companies will model the release and more
explicitly estimate the consequence (and thereby the risk) to people, the environment, and
property/profits by accounting for the likelihood of harm resulting from a specific scenario, for
instance by also accounting for the probability of operators being in harm's way during a release
scenario (this is use of Conditional Modifiers, which is beyond the scope of this book).
Step 3: Identify the initiating event (IE) of the scenario and determine the initiating event
frequency (events per year). The initiating event must lead to the consequence (given failure of
all of the safeguards). The frequency must account for background aspects of the scenario, such
as the frequency of the mode of operation for which the scenario is valid. Most organizations
provide guidance in the form of a lookup table for estimating the frequency of an IE; this helps
achieve consistency in LOPA results and limits overly optimistic risk estimates that may
otherwise occur. If there are multiple IEs for the same deviation or consequence, then multiple
LOPA scenarios must be evaluated, since the IPLs that can be credited are dependent on the IE
for the scenario.


Step 4: Identify the IPLs and estimate the probability of failure on demand (PFD) of each
IPL. Some accident scenarios will require only one IPL, while other accident scenarios may
require many IPLs, or IPLs of low PFD, to achieve a tolerable risk for the scenario. Recognizing
the existing safeguards that meet or can be made to meet the rules and proof requirements of
IPLs for a given scenario is the heart of LOPA. Most companies provide a predetermined set of
IPL values for use by the analyst, so the analyst may pick the values that best fit the scenario
being analyzed. This book builds on this practice and enhances it by illustrating the proof
criteria also necessary to value and maintain an IPL. It should be noted that each safeguard,
while likely to reduce the risk, does not contribute the full IPL risk reduction until it is fully
Step 5: Estimate the risk of the scenario by mathematically combining the consequence,
initiating event, and IPL data. Other factors may be included during the calculation,
depending on the definition of consequence (impact event). Approaches include arithmetic
formulae and graphical methods. Regardless of the methods, most companies provide a standard
form for documenting the results.
Step 6: Evaluate the risk to reach a decision concerning the scenario. This includes
comparing the risk of a scenario to a company's tolerable risk criteria and/or related targets.
Note that organizations may or may not have common risk tolerance criteria. Also, note that in
some cases, the IPL or IE values assigned within a company may be different, but that they may
end up at the same judgment on tolerance of risk for a scenario common to one at your company;
this may be due to a risk tolerable criteria that is offset to the same degree as the values they
assign to IPLs and IEs. So, a LOPA from one company cannot be compared to a LOPA from
another company (as a general rule) though perhaps the number and type of IPLs
implemented can be compared.
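
The six steps above, carried through for one scenario, as an added example that is not taken from the paper or from the CCPS book. The scenario, every frequency and PFD, the tolerable frequency, and all class and function names are constructed for illustration; crediting a SIL n function with a PFD of 10^-n is an assumed order-of-magnitude convention, and each company's own tables take precedence.

```python
from dataclasses import dataclass, field
from math import ceil, log10, prod


@dataclass
class IPL:
    name: str
    pfd: float                      # claimed probability of failure on demand
    validated: bool                 # proof tests and records in place?
    independent_of_ie: bool = True  # shares no component with the initiating event


@dataclass
class Scenario:
    """One cause-consequence pair (Step 1); all values are constructed."""
    consequence: str                # Step 2, here only a label
    initiating_event: str
    ie_frequency: float             # events per year (Step 3)
    mode_fraction: float = 1.0      # fraction of the year the scenario can occur
    tolerable_frequency: float = 1e-5   # assumed company criterion, per year
    ipls: list = field(default_factory=list)


def credited(ipl):
    """Step 4: a safeguard earns IPL credit only if independent and validated."""
    if not ipl.independent_of_ie:
        return False, "shares equipment with the initiating event"
    if not ipl.validated:
        return False, "no proof-test or inspection record"
    return True, "credited"


def mitigated_frequency(s, face_value=False):
    """Step 5: IE frequency times the PFD of every credited IPL.

    face_value=True multiplies in every listed safeguard, which is the
    over-optimistic figure obtained when the Step 4 rules are skipped.
    """
    pfds = [i.pfd for i in s.ipls if face_value or credited(i)[0]]
    return s.ie_frequency * s.mode_fraction * prod(pfds)


def gap_orders(s):
    """Step 6: whole orders of magnitude still missing (0 if tolerable)."""
    ratio = mitigated_frequency(s) / s.tolerable_frequency
    # round() absorbs floating-point noise before taking the ceiling
    return max(0, ceil(round(log10(ratio), 9)))


def required_sil(gap):
    """Assumed convention: a SIL n function is credited with PFD 10**-n."""
    if gap == 0:
        return None
    return f"SIL {gap}" if gap <= 3 else "beyond SIL 3: redesign or add other IPLs"


def assess(s):
    gap = gap_orders(s)
    return {
        "claimed_per_year": mitigated_frequency(s, face_value=True),
        "credited_per_year": mitigated_frequency(s),
        "rejected": {i.name: credited(i)[1] for i in s.ipls if not credited(i)[0]},
        "gap_orders": gap,
        "required_sil": required_sil(gap),
    }


def sample_scenario(overflow_validated=False):
    """Constructed tank-overfill scenario with three listed safeguards."""
    return Scenario(
        consequence="Tank overfill with release to containment",
        initiating_event="BPCS level control loop failure",
        ie_frequency=0.1,
        ipls=[
            IPL("Operator response to independent high-level alarm", 0.1, True),
            IPL("Overflow line with liquid seal leg", 0.01, overflow_validated),
            IPL("High-level interlock on the failed loop's transmitter", 0.1, True,
                independent_of_ie=False),
        ],
    )


if __name__ == "__main__":
    for label, sc in (("as found", sample_scenario()),
                      ("overflow line validated", sample_scenario(True))):
        print(label)
        for key, value in assess(sc).items():
            print(f"  {key}: {value}")
```

Taken at face value the three safeguards appear to meet the criterion, but only one qualifies as an IPL, which leaves a three-order-of-magnitude gap; validating the overflow line reduces the gap to one order.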
6. Extensions beyond basic LOPA
LOPA was originally developed as a streamlined, risk quantification method to be used after a
qualitative hazard review (such as a HAZOP-based, team oriented analysis). It was developed
because FTA and HRA (full QRA methods, see Guidelines for Chemical Process Quantitative
Risk Analysis, Second Edition, CCPS, 1999) (CPQRA) were seen as gross overkill for evaluation
of most scenarios that perplexed a qualitative team or a design team. However, the criteria of
basic LOPA are necessarily limiting (which allows the simplification of approach of LOPA) and
this has led some analysts to develop extensions of LOPA beyond the basic rules and
requirements specified in the LOPA book (CCPS, 2001). A first example of this was Approach
B for using a second basic process control loop as an IPL, as described in Chapter 11, Advanced
LOPA Topics, in the LOPA book (CCPS, 2001).
This book helps to clarify what fits within the context of the original basic method called LOPA
and what constitutes extensions of that method. It is a responsibility of an organization to define
and defend their risk assessment protocol. Chapter 6 of the new book provides guidance on
when extensions beyond basic LOPA may be appropriate, and how it may be used in conjunction
with the basic approach.


7. Additional guidance provided

7.1 Additional choices and examples of initiating events (IEs).
The book has included a list of additional examples of IEs. The first LOPA book only listed
about a dozen IEs; the new book contains about double that number of IEs. Below is a listing of
IEs that are defined in the new book:
Loss of Containment Events (these are discussed, but for the most part, these will not be used
as IEs, since for most of these IEs there are no valid IPLs against the consequence of interest).

- Atmospheric tank catastrophic (instantaneous or 10 minute release) failure
- Atmospheric tank continuous leak (10 mm diameter)
- Pressure vessel (instantaneous or 10 minute release) failure
- Piping failure, full breach (pipe size less than or equal to 150 mm)
- Piping failure, full breach (pipe size > 150 mm)
- Piping leak (pipe size less than or equal to 150 mm)
- Piping leak (pipe size > 150 mm)
- Gasket; supported by rings, etc.
- Gasket Packing blowout Boxed flanges, and clamped Pump seal failure (any type)
- Pump seal failure (double mechanical seal failure)
- Catastrophic pump seal failure (any type)
- Hose failure, catastrophic rupture
- Premature opening of spring loaded relief valve

Triggering Events/initiating causes (this list has been expanded since LOPA (CCPS 2001) and
also contains new criteria for when the failure rates provided in the data tables are valid).

- BPCS loop failure (includes pneumatic control loop failure)
- Pressure regulator failure (single stage)
- Temperature control valve failure
- Spurious Failure of Instrumented Protective Device
- Premature opening of spring loaded relief valve
- Pump (typically centrifugal), Electric Driven, Spurious Stop (includes loss of local power
- Compressor, Electric Driven, Spurious Stop
- Fan (induced drafted)
- Fan (Forced draft)
- Rotating equipment (pumps, fan, and compressors)
- Screw conveyor failure (premature stoppage)
- Screw conveyor over-heating of materials (and overheating caused by screw rubbing on
- Loss of supply
- Excess of supply
- Loss of power (localized)
- Loss of power (plant/unit-wide)
- Inerts in Process Supply
- Single Check Valve Fails Open (with scenario related to large backflow, not leakage past
  check valve)
- Double Check Valve in series (1oo2) (with scenario related to large backflow, not leakage
  past check valve)
- Human error for a routine task that is performed once per day or more often, with a checklist
  as a memory aid
- Human error for a routine task that is performed once per month or more often, with a
  checklist as a memory aid
- Human error for a non-routine task that is performed once per year or more often, with a
  checklist as a memory aid
- Impact by vehicle, backhoe, crane movement, crane load dropped
- Lightning strike
- Fire, small
- Fire, large
- Loss of agitation

7.2 Additional choices and examples of independent protection layers (IPLs).

The list of IPLs has been expanded about 6 fold. The new list will include:

Deflagration Flame Arrester or Stable Detonation Arrester installed inline between an

ignition source (e.g. TOX) and a source of flammable or combustible vapors
Unstable (overdriven) Detonation Arrester installed inline between an ignition source (e.g.,
TOX) and a source of flammable or combustible vapors
Fire suppression system (water; water and foam; other suppressants); automatic
Fire suppression system (non-aqueous including dry agent) for room; automatic
Fire Suppression; Local Application (non-aqueous including dry agent; automatic)
Explosion suppression system (dry agent) for process equipment; automatic
Fire proof insulation and cladding on vessel or other equipment
Gas Monitors with automatic deluge
Single BPCS loop (no human intervention required)
BPCS Loop (no human intervention required) as second IPL or as IPL when Initiating Event
is BPCS Failure (Approach B)
Pneumatic control loop
Pressure regulator
Spring-Operated Pressure Relief Valve in clean service with no history of blockage or
fouling and with no block valve upstream or downstream or with a block valve u/s or d/s
with admin control that meets code for ensuring the block valve
Dual Redundant Spring-Operated Pressure Relief Valve in Clean Service, with each relief
valve adequately sized for scenario under consideration so that full redundancy is present, the
valves as in clean (non-fouling) service and no extra block valves upstream or downstream.
Multiple PSVs that all must open to meet relief capacity

LPS 2009 __________________________________________________________________ Paper 2F

Single Spring-Operated Pressure Relief Valve in potential pluggage service

Pilot-Operated Pressure Relief Valve in clean service, and with no history of fouling or
PSV protected by RD
Rupture Disk
Emergency pressure relief valve, weight loaded, (also known as a conservation vent) in clean
service with no history of blockage or fouling [this entry is for non ASME code certified
devices designed to relieve systems at less than 1 barg]
Emergency pressure relief valve, spring loaded, (also known as a conservation vent) in clean
service with no history of blockage or fouling [this entry is for non ASME code certified
devices designed to relieve systems at less than 1 barg]
Buckling pin relief device in clean service with no history of blockage or fouling
Buckling pin emergency shutdown device
Vent (explosion) panels for prevention of rupture in low pressure equipment
Frangible roofs on flat-bottom tank
Explosion panels for internal dust or vapor/gas deflagration explosions
Explosion walls/panels for buildings
Explosion barriers
Vacuum Breaker
Continuous Ventilation wo/ performance monitoring capability
Continuous Ventilation w/ performance monitoring and alarming for diagnosis
Emergency Ventilation
Overflow line from tank/vessel/drum with additional hardware with a liquid seal leg.
Overflow line or roof-top vent lines (and goose necks) from tank/vessel/drum
Gas Balance/ Adjustable Set Pressure Surge Relief Valve
Human responds to an annunciation (alarm light and sound) without distractions from other
alarms, and he/she has 10 minutes to accomplish the required action if in field or 5 minutes if
by manual mode in the control room
Human responds to an annunciation (alarm light and sound) and he/she has 24 hours to
accomplish the required action
Human responds to a field reading or sample analysis where the time between samples or
field readings is at least twice the time expected for a IE to propagate to the consequence
Human double-check, as specified in a written procedure, independent work group with
Car seal
Chain & lock
Administrative Access Controls
Special Personal Protective Equipment (PPE)
Pipeline Surge Dampening Vessel
Double wall piping
Double wall vessels/tanks (such as ammonia storages tanks, LNG storage tanks, etc.)
Single Check Valve (with scenario related to large backflow, not leakage past check valve)


Single Check Valve - High Test Frequency (with scenario related to large backflow, not
leakage past check valve)
Double Check Valve in series (1oo2) (with scenario related to large backflow, not leakage
past check valve)
Double Check Valve in series (1oo2) (with scenario related to large backflow, not leakage
past check valve)
Bubble tight check valve (class 5; class 6 tightness)
Mechanical stop that limits travel (adjustable)
Mechanical stop that limits travel (non-adjustable, after initial installation)
Restrictive Orifice in clean service (with scenario related to excess flow rate)
Excess flow valve
Mechanical over-speed trip on a turbine
Emergency scrubber/absorber consumes (removes) components of concern prior to release to
Flare consumes/combusts components of concern prior to release to atmosphere
Generic Emergency effluent/discharge systems
Continuous Pilots; capable of keeping 50% of pilots lit.
Mechanically-Activated Emergency Shutdown/Isolation Device
SIL 1 Safety Instrumented Function
SIL 2 Safety Instrumented Function
SIL 3 Safety Instrumented Function
Inerting system.

7.3 More complete criteria of how to determine the value of each prospective IE and
prospective IPL.
Table 1 provides a snippet of the IPL summary tables which will be included in the new
guideline. The criteria that must be met to claim any listed IPL dominate the IPL tables. These
criteria must be met for the PFD of the IPL to be valid.
An example is a flame arrester (see Table 1). There is a full description of the IPL and a value of
0.01 is suggested.
IPL Description
Deflagration Flame Arrester or Stable Detonation Arrester installed inline between an ignition
source (e.g., TOX) and a source of flammable or combustible vapors.
The value is only appropriate if the special conditions are met.

The piping length between the ignition source and the arrester is well below the run-up distance
required to allow a deflagration-to-detonation transition (DDT) for a Deflagration type, or
formation of an Unstable Detonation for a Stable Detonation type.


Location considered (avoid "hot side" on bottom of vertically mounted arrester since this
decreases endurance burn; avoid accumulation of liquids in arrester, use drains to remove
Device does not impose excessive flow restriction on the process and any fouling issues have
been addressed.
Temperature monitoring with a thermocouple directly in contact with the hot side of the
device is highly recommended to allow operations to recognize when device is being

7.4 More elaboration on the practices that an organization should comply with to qualify an IE
or IPL at a given value.
This is likely the most important improvement over the first LOPA book.
For a flame arrester the following proof methods and frequency requirements must be met:
Proof Method

Device is included on a routine maintenance schedule which specifies shutting down the line
and opening the device for inspection.
Device is always inspected if it is suspected to have stopped a flame or if process upset could
compromise its integrity.
Inspection includes determining whether the device is plugged and whether corrosion might
compromise its capability to arrest a flame in accordance with most industry standards.

Proof Frequency
Initially, every 12 months or per vendor recommendation, then adjust the interval to 24, 35, or up
to a maximum of 4 years, if no signs of corrosion.
Each IPL listed also has a proof method and frequency requirement.



Table 1. Example Extracted from the IPL/IE Guideline (CCPS, pending 2010)


8. Concerns of the committee

There is concern that the data tables will be misused. Users need to understand the background
associated with the data tables to be sure the data is applicable to their situation as discussed
Adherence to the LOPA rules of efficacy, independence, validation, and auditing of safeguards is
required before the safeguard can be considered as an independent protection layer (IPL) for
LOPA. This means that to be an IPL, it must perform the task it was designed to do (e.g., a relief
valve must relieve at the design pressure and prevent system rupture). An IPL must be validated
to ensure that it works when needed (results of the validation must be recorded). Of course, the
IPL must be independent of other layers of protection (e.g., common cause failure will not result
in failure of other IPLs). Finally, there must be management systems in place to ensure auditing
of the systems to make sure IPLs are only used in LOPA if they meet the criteria and if they are
The LOPA method can be misused. LOPA is a risk assessment tool to be used in selecting IPLs
for a single cause-consequence scenario, but LOPA does not identify scenarios or represent the
actual risk of a process scenario. It is a tool for assessing the need for additional layers of
protection to prevent the scenario being analyzed.
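
The four rules above and the proof requirements of Section 7.4 can be checked for every safeguard before its PFD is multiplied into a scenario. The following Python code is an added example, not taken from the paper or the CCPS guideline; the scenario, the initiating event frequency of 0.1 per year, the SIL 1 and operator PFDs of 0.1 and all dates are constructed assumptions, and only the flame arrester's 0.01 and its 12-month initial proof interval come from the text.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Safeguard:
    name: str
    pfd: float                   # PFD claimed for the layer
    effective: bool              # efficacy: stops this scenario on its own
    independent: bool            # no common cause with the IE or other layers
    last_proof: Optional[date]   # validation: last recorded proof inspection
    proof_interval_months: int   # proof frequency required to claim the PFD
    audited: bool                # covered by a management-system audit


def rejection_reasons(sg: Safeguard, today: date) -> List[str]:
    """Return why a safeguard cannot be credited as an IPL (empty list = credit it)."""
    checks = [(sg.effective, "efficacy"), (sg.independent, "independence"), (sg.audited, "auditing")]
    reasons = [label for ok, label in checks if not ok]
    if sg.last_proof is None:
        reasons.append("validation: no recorded proof")
    else:
        # Age of the last proof in whole calendar months.
        age = (today.year - sg.last_proof.year) * 12 + today.month - sg.last_proof.month
        if age > sg.proof_interval_months:
            reasons.append(f"validation: proof overdue ({age} months)")
    return reasons


def mitigated_frequency(ie_per_year: float, layers: List[Safeguard],
                        today: date) -> Tuple[float, dict]:
    """IE frequency times the PFD of every layer that qualifies; others get no credit."""
    freq, rejected = ie_per_year, {}
    for sg in layers:
        why = rejection_reasons(sg, today)
        if why:
            rejected[sg.name] = why
        else:
            freq *= sg.pfd
    return freq, rejected

# Constructed scenario; only the arrester's 0.01 and 12-month interval come from the paper.
TODAY = date(2009, 4, 26)
LAYERS = [
    Safeguard("flame arrester", 0.01, True, True, date(2007, 11, 1), 12, True),
    Safeguard("SIL 1 SIF", 0.1, True, True, date(2008, 9, 15), 12, True),
    Safeguard("operator response to alarm", 0.1, True, False, date(2009, 1, 10), 12, True),
]
```

With the constructed data the arrester's proof is 17 months old and the operator response is not independent, so only the SIF is credited: the scenario frequency is 0.01 per year, not the 1e-5 per year obtained by multiplying all three table values.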
9. Summary
In summary this new guideline book will be a complement to the original book on LOPA. It will
provide examples of initiating events and layers of protection and provide data that can be used
in the LOPA analysis. The book will be a necessary addition to the LOPA user's library. It will
be available to purchase in early 2010.
10. References
1. Layer of Protection Analysis: Simplified Process Risk Assessment; (LOPA) CCPS, 2001.
2. Safe and Reliable Instrumented Protective Systems; (IPS), CCPS, 2007.
3. Bridges, WG, et al, Controlling Risk During Major Capital Projects, 24th CCPS International
Conference and Workshop on Process Safety (CCPS), New Orleans, LA, April 2008.

4. Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition; (CPQRA),
CCPS, 1999.
5. ISA, ANSI 84.00.01-2004 (IEC 61511 modified) Functional Safety: Safety Instrumented
Systems for the Process Industry Sector, Research Triangle Park, NC, 2004.