
LOPA & SIL: Practical Examples


When a HAZOP identifies a deviation with severe or even catastrophic consequences, it is often assumed that a LOPA must automatically follow, leading to the implementation of a Safety Instrumented Function (SIF) with a defined SIL.

However, consequence severity alone does not determine the need for a LOPA.

In practice, the decision to perform a LOPA is driven by whether the residual risk still exceeds the applicable risk acceptance criteria once the creditable safeguards have been taken into account.

If, after considering the safeguards already in place and judged creditable, the residual risk is consistent with the applicable risk acceptance criteria, a LOPA is not technically required. Conversely, a LOPA is justified only when a demonstrable gap remains between the residual risk and those criteria.

Many industrial processes are operated entirely through the Basic Process Control System (BPCS), with no SIL-rated functions, even when some scenarios appear severe at first glance.
This is because either the scenario is not credible, or its residual frequency is already extremely low thanks to the safeguards in place.

Many organizations define their own tolerable residual event-frequency targets, often in the order of 10⁻⁵ to 10⁻⁷ per year for severe scenarios, depending on corporate risk criteria and consequence category.

HAZOP, LOPA, and Fast-Escalating Scenarios

Since risk is the combination of event frequency and consequence severity, commonly expressed as:

Risk = Frequency × Consequence

and the consequence of a given scenario is largely fixed by the process itself, the rigorous determination of the event frequency becomes the fundamental factor on which the analysis must focus.

In some industrial processes, events can develop very rapidly or involve intrinsically sensitive phenomena, such as fast runaway reactions, thermally unstable systems, hydrogen or H₂S services, or high-pressure operations. In these cases, process upsets can escalate quickly, leaving little margin for delayed or unreliable responses.

When a HAZOP is applied to processes with potentially severe consequences and very fast dynamics, the analysis may show that the residual risk remains unacceptably high.

Typical safeguards such as procedures, operator response, BPCS functions, or pressure-relief devices may be insufficient when the scenario develops faster than they can reliably prevent or control the hazardous event.

When existing safeguards are not sufficient to reduce the risk to a tolerable level, and the required risk reduction depends on a demonstrable level of reliability, an independent safety instrumented function may be required. A SIL target is then assigned to demonstrate that the function can deliver the necessary risk reduction.

A SIL-rated function is one for which the probability of failure on demand has been defined, designed, verified, and maintained so that it is consistent with the required risk reduction.

What is LOPA (Layer of Protection Analysis)?

A LOPA (Layer of Protection Analysis) is a semi-quantitative method used by process engineers to determine whether the existing layers of protection are sufficient.

The term “layers” reflects the fact that process safety relies on multiple protection barriers, and the hazardous event occurs only if the relevant credited layers fail or are unavailable when needed.

💡 Did you know?
Field instruments are often available in both standard and SIL-certified versions, with identical hardware but different certification, testing, and documentation, which results in different costs.

LOPA is performed after the HAZOP. The HAZOP identifies deviations, causes, and potential incident scenarios; LOPA then evaluates whether the expected scenario frequency is still too high after all protection layers have been considered.

If the scenario frequency exceeds the organization’s risk tolerance criteria, LOPA calculates the Risk Reduction Factor (RRF) required to bring that frequency down to the target value.
The RRF provides the basis for defining the target Safety Integrity Level (SIL) of the additional safety function required.

The LOPA demonstrates when a Safety Instrumented Function is required to achieve the necessary level of risk reduction.

What a SIL Actually Means (And What It Does Not)

A Safety Integrity Level (SIL) defines a band for the average probability that a safety function will fail on demand (PFDavg). For low-demand mode safety instrumented functions:

  • SIL 1 → PFDavg between 10⁻¹ and 10⁻²
  • SIL 2 → PFDavg between 10⁻² and 10⁻³
  • SIL 3 → PFDavg between 10⁻³ and 10⁻⁴

A SIL describes the required reliability of the entire safety loop: sensor(s), logic solver, and final element(s) – considered as a function. It does not describe the physical robustness, material quality, or “goodness” of an individual device in isolation.

A SIL therefore specifies the reliability the safety function must achieve: a demonstrably low probability of failing on demand, consistent with the risk reduction factor identified by the LOPA, so that the likelihood of the more critical event is reduced as required.

LOPA Analysis: When a SIL Is Required and How to Evaluate It in Practice

The following example compares two industrial scenarios to show when a SIL-rated safety function is required.

Scenario 1 – Isopropyl Acetate (IPAC) Storage Tank, 10 m³

A major spill can lead to a pool fire or flash fire with serious consequences.

In this case, the likelihood can be reduced to a very low value because several safeguards act together:

  • The operating team is physically present during loading operations.
  • Written procedures are in place and applied.
  • A tightness test is performed on the loading hose before use.
  • The BPCS (e.g., DCS or PLC-based system) continuously monitors flow, level, and LEL, and trips the transfer pump if abnormal conditions are detected.
  • A containment basin and an appropriate drainage system limit the spread of the liquid in case of loss of containment.
  • The tank is protected by a rupture disc that provides overpressure relief in case of vent failure.

Additional passive and organizational measures further reduce the chance of escalation:

  • The fixed fire-fighting system covers the tank area.
  • Foam can be applied inside the containment basin.
  • The internal emergency plan ensures rapid intervention by trained personnel.

The HAZOP shows that a large spill with escalation requires several independent failures to occur in combination:

  • ineffective BPCS (e.g., DCS or PLC-based system) control,
  • procedures not followed,
  • containment not functioning,
  • rupture disc protection not available, and
  • emergency response not effective.

Result:

The existing safeguards may provide sufficient risk reduction to bring the scenario within the applicable risk acceptance criteria. As a result, no additional SIL-rated safety function may be required.

For a much larger storage installation, or for a layout with higher potential for escalation or off-site impact, the residual risk may be significantly different, and a LOPA may become necessary.


Scenario 2 – Hydrogen Reactor (Debenzylation Reaction, 4 barg)

In contrast to a storage scenario, where operator intervention and passive safeguards can still be effective, the behavior of a hydrogenation reactor leaves no practical margin for recovery.

Loss of reaction control may lead to runaway, vessel overpressure, explosion, or significant hydrogen release.

In this case, the process characteristics do not allow the probability of loss of control to be reduced to a sufficiently low level using only the existing protections:

  • Hydrogenation and similar reactions can accelerate very rapidly once certain temperature or concentration thresholds are exceeded.
  • A runaway reaction cannot be reliably managed by operator intervention, because the time available to detect and respond is too short.
  • Even with DCS temperature and pressure control, plus PSV and rupture disc protection, the remaining likelihood of an uncontrolled reaction remains high relative to the potentially catastrophic consequences.

Hydrogen systems combine:

  • high flammability,
  • very low ignition energy,
  • rapid reaction kinetics, and
  • the possibility of internal escalation within the reactor.

For these reasons, the available safeguards (procedures, operator actions, and basic control functions) do not provide the level of certainty needed to ensure that the probability of the incident remains acceptably low.

Here, a LOPA is required to quantify the risk gap. The analysis will:

  • define the initiating event (e.g., loss of temperature control, excessive hydrogen feed),
  • evaluate the independence and effectiveness of existing IPLs (BPCS, relief devices, inerting, quench systems, etc.),
  • compare the resulting frequency with the company’s risk acceptance criteria.

In hydrogen-reaction scenarios with fast escalation potential, the analysis may show that an independent SIF is required, with the target SIL determined by the specific frequency assumptions, consequence severity, and credited IPLs.

A SIL-rated safety function may become necessary because the dynamic nature of the reaction does not give the operator or the BPCS enough time to contain the deviation. When the basic protections are not sufficient to keep the likelihood at an acceptable level, an independent SIF may be required.

Result:

A LOPA is required to quantify the risk. The outcome typically demonstrates the need for a SIL-rated SIF to control the scenario.
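As an added illustration (not code from the original article), the following Python script walks the two scenarios above through the LOPA arithmetic the article describes: the initiating-event frequency is multiplied by the PFD of each credited IPL and by any conditional modifier, the result is compared with the tolerable target frequency, and the missing risk reduction factor is mapped to a SIL band. The scenario names are the article's; every frequency, PFD and target value is constructed for illustration and is not taken from a standard or a real plant.

```python
# Added example, not part of the original article: a minimal LOPA
# scenario calculator. Every frequency, PFD and target below is a
# constructed illustration, not a value taken from a standard or a plant.
from dataclasses import dataclass, field
from typing import Dict, Optional

# Low-demand SIL bands as given in the article, expressed as the risk
# reduction factor RRF = 1 / PFDavg: SIL 1 covers RRF 10..100, and so on.
SIL_BANDS = ((1, 10.0, 100.0), (2, 100.0, 1_000.0), (3, 1_000.0, 10_000.0))


@dataclass
class Scenario:
    name: str
    initiating_event_freq: float      # events per year
    target_freq: float                # tolerable mitigated frequency per year
    # Credited IPLs: name -> PFD. Each must be independent of the initiating
    # event and of the other IPLs; a BPCS loop whose failure *is* the
    # initiating event must not appear here.
    ipls: Dict[str, float] = field(default_factory=dict)
    # Conditional modifiers (probability of ignition, of personnel present, ...).
    modifiers: Dict[str, float] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for label, p in {**self.ipls, **self.modifiers}.items():
            if not 0.0 < p <= 1.0:
                raise ValueError(f"{self.name}: {label} has invalid probability {p}")

    def mitigated_freq(self) -> float:
        """Frequency of the consequence after all credited layers and modifiers."""
        f = self.initiating_event_freq
        for p in list(self.ipls.values()) + list(self.modifiers.values()):
            f *= p
        return f

    def required_rrf(self) -> float:
        """Risk reduction still missing; 1.0 means the target is already met."""
        return max(1.0, self.mitigated_freq() / self.target_freq)


def sil_for_rrf(rrf: float) -> Optional[int]:
    """Map the missing RRF to the SIL a new SIF would need.

    Returns None when no additional layer is needed, 0 when a non-SIL IPL
    giving less than a factor of 10 is enough, and 1..3 for the SIL bands.
    """
    if rrf <= 1.0:
        return None
    if rrf <= 10.0:
        return 0
    for sil, low, high in SIL_BANDS:
        if low < rrf <= high:
            return sil
    raise ValueError(f"RRF {rrf:.0f} exceeds SIL 3: reconsider the process design")


# Scenario 1 (constructed numbers): IPAC storage tank, serious consequence.
IPAC_TANK = Scenario(
    name="IPAC tank loading spill",
    initiating_event_freq=0.1,        # hose failure / overfill, per year
    target_freq=1e-5,
    ipls={"BPCS trip on level/flow/LEL": 0.1,
          "operator response during attended loading": 0.1,
          "containment basin and drainage": 0.01},
    modifiers={"probability of ignition": 0.1},
)

# Scenario 2 (constructed numbers): hydrogenation reactor, catastrophic
# consequence. The DCS temperature loop is the initiating cause, so it
# earns no IPL credit; the relief system gets reduced credit because
# relief sizing for a runaway is uncertain.
H2_REACTOR = Scenario(
    name="hydrogenation reactor runaway",
    initiating_event_freq=0.1,        # loss of temperature control, per year
    target_freq=1e-6,
    ipls={"PSV + rupture disc (reduced credit)": 0.05},
)


def assess(scenario: Scenario) -> Optional[int]:
    rrf = scenario.required_rrf()
    sil = sil_for_rrf(rrf)
    print(f"{scenario.name}: mitigated {scenario.mitigated_freq():.2e}/yr, "
          f"target {scenario.target_freq:.0e}/yr, missing RRF {rrf:.0f}, "
          f"SIF needed: {'none' if sil is None else 'SIL ' + str(sil)}")
    return sil


if __name__ == "__main__":
    assess(IPAC_TANK)     # target already met, no SIF
    assess(H2_REACTOR)    # gap of RRF 5000, SIL 3 with these constructed values
```

With these constructed numbers the tank scenario lands a decade below its target with no SIF, while the reactor scenario, where the BPCS cannot be credited because its failure is the initiating event, is left with a gap that only a SIL-rated function can close. Changing the credited PFDs or the target moves the result, which is exactly the point of the article: the SIL comes out of the frequency arithmetic, not out of the severity label.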

Conclusion

Whether a SIL is truly required does not depend on the severity of the scenario, but on whether the process — with all existing protection layers — can realistically keep the event frequency at tolerable levels.

LOPA provides a structured way to demonstrate this.
It distinguishes the scenarios that can be controlled with basic protections from those where the dynamics of the deviation demand a dedicated safety instrumented function with a defined SIL.

This ensures that SIL-rated systems are allocated where they add real value, and not where existing safeguards are already sufficient.

FAQ

When is a SIL actually required?

A SIL may be required when the behavior of the process does not allow the probability of an unwanted event to be reduced sufficiently by basic protections alone.

What is an Independent Protection Layer (IPL)?

An IPL is a protection measure that acts independently from the initiating event and independently from other layers. Examples include relief devices, dedicated interlocks, physical containment, and fire protection. Only truly independent IPLs can be credited in LOPA.

Do I need a “SIL valve” to achieve a SIL?

The final element used in a SIF must be suitable for the required safety function and justified within the SIL verification of the complete loop. A single SIL-capable component does not, by itself, guarantee the SIL of the overall function.
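The two points above, that a SIL belongs to the whole loop (sensor, logic solver and final element taken together) and that a SIL-capable valve does not by itself deliver the SIL of the function, can be checked numerically. The following Python script is an added example, not from the article or any vendor: it applies the simplified low-demand approximation PFDavg ≈ λ_DU × TI / 2 to each single-channel (1oo1) subsystem, an assumption that ignores diagnostics, common-cause failures and repair time, and sums the three subsystems to obtain the loop PFDavg. The failure rates, proof-test intervals and the required RRF of 500 are constructed values.

```python
# Added example, not part of the original article: simplified SIL
# verification of a single-channel (1oo1) safety loop. Each subsystem's
# PFDavg is approximated as lambda_DU * TI / 2 (dangerous undetected
# failure rate times proof-test interval, halved), which is an assumption
# that ignores diagnostics, common cause and repair time. The loop PFDavg
# is the sum of the subsystem values. All failure rates and intervals are
# constructed for illustration.
from dataclasses import dataclass
from typing import Sequence

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_du: float        # dangerous undetected failures per hour
    proof_test_h: float     # proof-test interval in hours

    def pfd_avg(self) -> float:
        return self.lambda_du * self.proof_test_h / 2.0


def loop_pfd_avg(loop: Sequence[Subsystem]) -> float:
    """PFDavg of the whole function: sensor + logic solver + final element."""
    return sum(s.pfd_avg() for s in loop)


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg; 0 means below SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    return 3 if pfd >= 1e-4 else 4


def proof_test_h_for_budget(sub: Subsystem, pfd_budget: float) -> float:
    """Longest proof-test interval that keeps this subsystem within a PFD budget."""
    if pfd_budget <= 0:
        raise ValueError("no PFD budget left for this subsystem")
    return 2.0 * pfd_budget / sub.lambda_du


# Constructed loop: a standard transmitter, a safety PLC and a certified
# valve, all proof-tested once a year.
TRANSMITTER = Subsystem("pressure transmitter", 1e-6, HOURS_PER_YEAR)
LOGIC_SOLVER = Subsystem("safety PLC", 1e-8, HOURS_PER_YEAR)
VALVE = Subsystem("shutdown valve (SIL 3 capable)", 2e-7, HOURS_PER_YEAR)
LOOP = (TRANSMITTER, LOGIC_SOLVER, VALVE)


def transmitter_interval_for_rrf(required_rrf: float) -> float:
    """Proof-test interval the transmitter needs so that the loop meets
    PFDavg = 1/RRF, keeping the other two subsystems as they are."""
    budget = 1.0 / required_rrf - (LOGIC_SOLVER.pfd_avg() + VALVE.pfd_avg())
    return proof_test_h_for_budget(TRANSMITTER, budget)


if __name__ == "__main__":
    for s in LOOP:
        print(f"{s.name:32s} PFDavg {s.pfd_avg():.2e}  (SIL {sil_from_pfd(s.pfd_avg())} alone)")
    total = loop_pfd_avg(LOOP)
    print(f"loop PFDavg {total:.2e} -> SIL {sil_from_pfd(total)} for the function")
    # A LOPA asking for RRF 500 (PFD 2e-3) is not met by the yearly-tested loop
    # even though the valve alone sits in the SIL 3 band: the transmitter
    # dominates, so its proof-test interval is what has to change.
    print(f"transmitter test interval for RRF 500: {transmitter_interval_for_rrf(500):.0f} h")
```

Run stand-alone, the script shows the valve in the SIL 3 band on its own while the complete function only reaches SIL 2, and that meeting an RRF of 500 requires proof-testing the transmitter roughly every 90 days rather than buying a better valve. That is the loop-level verification the FAQ answer refers to.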
