
LOPA & SIL: Practical Examples

Chemical plant with cooling towers and process units releasing steam into the atmosphere.

When a HAZOP identifies a deviation with severe or even catastrophic consequences, it is often assumed that a LOPA must automatically follow, leading to the implementation of a Safety Instrumented Function (SIF) with a defined SIL.

However, consequence severity alone does not determine the need for a LOPA.

In the HAZOP process, the decision to proceed with a LOPA is not based on the severity of the scenario, but on the residual risk, expressed as the expected frequency of the hazardous event after existing protection layers have been taken into account.

If, considering the safeguards already in place and deemed creditable, the residual risk is consistent with the risk acceptance criteria, a LOPA is not technically required. Conversely, a LOPA is justified only when there is a demonstrable gap between the residual risk and the acceptable risk.

Many industrial processes are operated entirely through the Basic Process Control System (BPCS), with no SIL-rated functions, even when some scenarios appear severe at first glance.
This is because either the scenario is not credible, or its residual frequency is already extremely low thanks to the safeguards in place.

Many organisations define tolerable residual event-frequency targets, which can vary widely. Typical targets range from 10⁻⁵ to 10⁻⁷ events per year and refer to the frequency of the hazardous event after all credited safeguards have been applied.

When the residual frequency of a scenario is reduced to such low values, the event is often treated as non-credible for decision-making purposes. This does not imply physical impossibility, but reflects that the residual probability is sufficiently low to be considered acceptable within the organisation’s risk criteria.

HAZOP, LOPA, and Fast-Escalating Scenarios

Considering risk as the combination of event frequency and consequence severity, commonly expressed as:

Risk = Frequency × Consequence

the rigorous determination of the event frequency becomes the fundamental factor on which the analysis must focus.

In some industrial processes, events can develop very rapidly or involve intrinsically sensitive phenomena, such as fast runaway reactions, thermally unstable systems, hydrogen or H₂S services, or high-pressure operations. In these cases, process upsets can escalate quickly, leaving little margin for delayed or unreliable responses.

When a HAZOP is applied to processes with potentially severe consequences and very fast dynamics, the analysis will often show that the residual risk remains unacceptably high.

Typical safeguards such as procedures, emergency plans, basic process control systems, or non-certified relief devices are not sufficient to effectively prevent or control events that escalate on such short timescales.

When existing safeguards are not sufficient to reduce the risk to a tolerable level, and the required risk reduction depends on a demonstrable level of reliability, a Safety Instrumented Function becomes necessary. A defined SIL is then required to quantitatively justify that the safeguard provides the needed risk reduction.

A SIL-rated function is one whose probability of failure on demand has been specified, and whose design, verification, and maintenance are demonstrated to be consistent with the required risk reduction.


What is LOPA (Layer of Protection Analysis)?

A LOPA (Layer of Protection Analysis) is a semi-quantitative method used by process engineers to determine whether the existing layers of protection are sufficient.

The term “layers” reflects the fact that process safety relies on multiple protection barriers, all of which must fail for a hazardous event to occur.

💡 Did you know?
Field instruments are often available in both standard and SIL-certified versions, with identical hardware but different certification, testing, and documentation, which results in different costs.

LOPA is performed after the HAZOP. The HAZOP identifies deviations, causes, and potential incident scenarios; LOPA then evaluates whether the expected scenario frequency is still too high after all protection layers have been considered.

If the scenario frequency exceeds the organisation’s risk tolerance criteria, LOPA calculates the Risk Reduction Factor (RRF) required to bring that frequency down to the target value.
The RRF provides the basis for defining the target Safety Integrity Level (SIL) of the additional safety function required.

The LOPA demonstrates when a Safety Instrumented Function is required to achieve the necessary level of risk reduction.

What a SIL Actually Means (And What It Does Not)

A Safety Integrity Level (SIL) defines a target band for the average probability that a safety function will fail on demand (PFDavg). For low-demand mode safety instrumented functions:

  • SIL 1 → PFDavg between 10⁻¹ and 10⁻²
  • SIL 2 → PFDavg between 10⁻² and 10⁻³
  • SIL 3 → PFDavg between 10⁻³ and 10⁻⁴

A SIL describes the required reliability of the entire safety loop: sensor(s), logic solver, and final element(s) – considered as a function. It does not describe the physical robustness, material quality, or “goodness” of an individual device in isolation.

For this reason, a SIL specifies the reliability the safety function must achieve: a demonstrably low probability of failing on demand, consistent with the risk reduction factor identified by the LOPA, so that the likelihood of the more critical event is reduced to the tolerable level.

LOPA Analysis: When a SIL Is Required and How to Evaluate It in Practice

The following LOPA example compares two industrial scenarios to show when a SIL-rated safety function is required.


Scenario 1 – Isopropyl Acetate (IPAC) Storage Tank (10 m³)

A major spill can lead to a pool fire or flash fire with serious consequences.

In this case, the event likelihood can be reduced to a very low value because several independent protections act together:

  • The operating team is physically present during loading operations.
  • Written procedures are in place and applied.
  • A tightness test is performed on the loading hose before use.
  • The BPCS (e.g., DCS or PLC-based system) continuously monitors flow, level, and LEL, and trips the transfer pump if abnormal conditions are detected.
  • A containment basin and an appropriate drainage system limit the spread of the liquid in case of loss of containment.
  • The tank is protected by a rupture disc that provides overpressure relief in case of vent failure.

Additional passive and organisational measures further reduce the chance of escalation:

  • The fixed fire-fighting system covers the tank area.
  • Foam can be applied inside the containment basin.
  • The internal emergency plan ensures rapid intervention by trained personnel.

The HAZOP shows that a large spill with escalation requires several independent failures to occur in combination: ineffective BPCS control, procedures not followed, containment not functioning, rupture disc protection not available, and emergency response not effective.

Result:

The existing safeguards provide sufficient certainty to reduce the likelihood of the scenario to within the established risk acceptance criteria. As a result, no additional SIL-rated safety function is required.

For a much larger storage installation, or for a layout with higher potential for escalation or off-site impact, the residual risk may be significantly different, and a LOPA may become necessary.


Scenario 2 – Hydrogen Reactor (Debenzylation Reaction, 4 barg)

In contrast to a storage scenario, where operator intervention and passive safeguards can still be effective, the behaviour of a hydrogenation reactor leaves no practical margin for recovery.

Loss of reaction control may lead to runaway, vessel overpressure, explosion, or significant hydrogen release.

In this case, the process characteristics do not allow the probability of loss of control to be reduced to a sufficiently low level using only the existing protections:

  • Hydrogenation and similar reactions can accelerate very rapidly once certain temperature or concentration thresholds are exceeded.
  • A runaway reaction cannot be reliably managed by operator intervention, because the time available to detect and respond is too short.
  • Even with DCS temperature and pressure control, plus PSV and rupture disc protection, the remaining likelihood of an uncontrolled reaction remains high relative to the potentially catastrophic consequences.

Hydrogen systems combine:

  • high flammability,
  • very low ignition energy,
  • rapid reaction kinetics, and
  • the possibility of internal escalation within the reactor.

For these reasons, the available safeguards (procedures, operator actions, and basic control functions) do not provide the level of certainty needed to ensure that the probability of the incident remains acceptably low.

Here, a LOPA is required to quantify the risk gap. The analysis will:

  • define the initiating event (e.g., loss of temperature control, excessive hydrogen feed),
  • evaluate the independence and effectiveness of the existing IPLs (BPCS, relief devices, inerting, quench systems, etc.),
  • compare the resulting frequency with the company’s tolerable risk criteria.

In most practical cases for such hydrogen reactors, the LOPA shows that an independent safety instrumented function is necessary – for example, a high-temperature or high-pressure trip implemented on a SIS – with a specific SIL target (often SIL 2) to provide the required risk reduction.

A SIL becomes necessary precisely because the dynamic nature of the reaction does not give the operator or the BPCS enough time to contain the deviation. When the basic protections are not sufficient to keep the likelihood at an acceptable level, a SIL-rated safety function must be implemented.

Result:
A LOPA is required to quantify the risk.
The outcome typically demonstrates the need for a SIL-rated SIF to control the scenario.
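The RRF and SIL-band rules described earlier, applied to both scenarios above, as an added example that is not the article's own calculation: every initiating-event frequency, PFD value and tolerable target below is a constructed illustrative number, not a value from the article or from any standard.

```python
"""LOPA worked example, added here; not the article's own calculation.
Every frequency, PFD and target below is a constructed illustrative value."""
from dataclasses import dataclass

# Low-demand SIL bands from the article: (SIL, PFDavg lower bound inclusive,
# upper bound exclusive), e.g. SIL 2 covers 10^-3 <= PFDavg < 10^-2.
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3)]

@dataclass
class Layer:
    name: str
    pfd: float  # PFD of a credited IPL, or a conditional modifier probability

def mitigated_frequency(initiating_freq, layers):
    """Scenario frequency (events/year) after all credited layers act."""
    f = initiating_freq
    for layer in layers:
        f *= layer.pfd
    return f

def required_sil(initiating_freq, layers, target_freq):
    """Return (mitigated frequency, required RRF, SIL of the extra SIF).

    SIL is None when the credited layers already meet the target, and
    'beyond SIL 3' when a single SIF cannot close the gap on its own."""
    f_mit = mitigated_frequency(initiating_freq, layers)
    rrf = f_mit / target_freq
    if rrf <= 1:
        return f_mit, rrf, None
    pfd_needed = 1 / rrf  # the new SIF must fail no more often than this
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_needed < hi:
            return f_mit, rrf, sil
    return f_mit, rrf, "beyond SIL 3"

TARGET = 1e-5  # tolerable residual frequency, events/year (constructed)

# Scenario 1: IPAC tank, initiating event = loading hose failure (constructed).
TANK_LAYERS = [
    Layer("operator present, written procedures applied", 0.1),
    Layer("BPCS trips the transfer pump on flow/level/LEL", 0.1),
    Layer("containment basin and drainage", 0.01),
    Layer("ignition of the pool (conditional modifier)", 0.1),
]
# Scenario 2: reactor, initiating event = loss of temperature control (BPCS
# failure, so the BPCS is not credited); operator response is not credited
# because the runaway leaves no time to act. Only the relief device remains.
REACTOR_LAYERS = [Layer("PSV / rupture disc relief", 0.01)]
```

With these constructed values, `required_sil(0.1, TANK_LAYERS, TARGET)` meets the target with no SIF, while `required_sil(0.5, REACTOR_LAYERS, TARGET)` needs an RRF of about 500 and therefore a SIL 2 function.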

Conclusion

Understanding when a SIL is truly required does not depend on the severity of the scenario, but on whether the process — with all existing protection layers — can realistically keep the event frequency at tolerable levels.

LOPA provides a structured way to demonstrate this.
It distinguishes the scenarios that can be controlled with basic protections from those where the dynamics of the deviation demand a dedicated safety instrumented function with a defined SIL.

This ensures that SIL-rated systems are allocated where they add real value, and not where existing safeguards are already sufficient.

Ing. Ivet Miranda

Useful External Resources

CCPS – Center for Chemical Process Safety
Leading authority on process safety, layers of protection and industrial risk analysis.

ISA – Safety Instrumented Systems (IEC 61511 Overview)
Clear explanation of SIS, interlocks, SIL concepts and functional safety principles.

API Standards – Pressure-Relieving Systems (API 520 / 521)
Reference standards for rupture discs, pressure relief design and vent systems.

FAQ

When is a SIL actually required?

A SIL is required when the behaviour of the process makes it impossible to keep the probability of an unwanted event sufficiently low using only basic protections such as BPCS control, operator actions, procedures, or relief devices. The LOPA demonstrates this need by quantifying how much additional risk reduction is required.

What is an Independent Protection Layer (IPL)?

An IPL is a protection measure that acts independently from the initiating event and independently from other layers. Examples include relief devices, dedicated interlocks, physical containment, and fire protection. Only truly independent IPLs can be credited in LOPA.

Do I need a “SIL valve” to achieve a SIL?

Yes, every component of the safety instrumented function must be SIL-capable.
However, having a single SIL-rated valve is not enough to achieve the SIL of the entire function.