Although safety professionals often use layers of protection analysis (LOPA) for risk assessment, some managers remain skeptical about its effectiveness. More often than not, the distrust stems from their not getting proper information about LOPA. This skepticism is healthy and provides a fine opportunity for safety professionals to educate managers about the technique's role and value.
Consider this incident: A busy plant manager freed some time to attend a LOPA facilitation being conducted for a large project for her plant. The facilitator used acronyms and probability calculations profusely in evaluating the risk of unsafe events and, where appropriate, recommended additional safeguards. The LOPA process was technically sound but frustrated the manager. She said, "Although I see what you guys are doing, I have considerable trouble seeing its relevance in really reducing risk. I have had a lot of difficulty following your acronyms. Can't you folks talk in laymen's terms so that ordinary people can understand what LOPA really is? Are the LOPA recommendations justifiable economically?"
This isn't an uncommon incident. So, here, I'll share some tips to improve communication about LOPA to management.
THE BIG PICTURE
Managers typically are financially astute professionals with good people and communication skills. They focus on results. They aren't interested in myriad details about the LOPA process. So, to communicate effectively with them:
• Avoid technical jargon. Terms and acronyms useful in discussions with safety professionals can significantly hinder communications to management. If you must use jargon, explain its meaning in common terms.
• Use managerial language. Emphasize that LOPA is closely tied to a company's productivity and image. Of course, this will require relevant data that link risk and its associated cost. Stated differently, present additional safeguards to reduce risk in terms of their overall lifecycle cost and economic benefits.
• Be concise in your presentation. Keep in mind you have limited time to communicate key points of your LOPA work. Be strategic -- concentrate on "big impact" items. Don't get bogged down in minute details. Of course, spell out all the details of LOPA findings in the formal report.
• Keep readers in mind. In developing a LOPA report, focus the executive summary section on the key action items. Write the report so that all relevant readers -- managers, engineers, safety professionals, and plant operating/maintenance personnel -- can understand it.
• Start facilitation with a brief presentation on LOPA. This will ensure the team is familiar with the use of LOPA terminology. It may be helpful to send the presentation in advance to each participant.
Face-to-face communications with plant or corporate management, of course, require preparation. While it's hard to predict the exact type and number of questions managers may pose, certain questions arise regularly:
Why do we need LOPA? Our company is totally committed to safety. We follow recommendations of hazard and operability studies (HAZOPs), and, where necessary, install additional safeguards to reduce risk. Does LOPA really reduce risk further?
A HAZOP does help reduce risk. However, it is qualitative and subjective -- so, it could result in improper application of safeguards. Misapplied measures may not reduce risk to the desired extent. LOPA, on the other hand, quantifies risk, thus reducing subjectivity. LOPA typically takes place after a HAZOP and focuses on selected "high risk" issues. LOPA helps you choose among various alternative safeguards to get the one most economically justifiable. Of course, LOPA requires relevant data on the reliability of the safeguards.
From a regulatory perspective, the U.S. Occupational Safety and Health Administration requires companies to adhere to industry standards (e.g., ISA-84.00.01-2004, "Functional Safety: Safety Instrumented Systems for the Process Industry Sector") to comply with its Process Safety Management standard.
What is the meaning of "probability of failure on demand" and other LOPA terminology?
Probability of failure on demand (PFD) quantifies the chance that a specific safeguard won't perform its intended function when required. For instance, consider a shutdown valve that should close when a hazardous event (say, high level in a tank) arises. Failure of the valve to shut could result in a major consequence (such as a tank overflow). If that valve fails to close once every one hundred times, then its PFD is 0.01. Devices with smaller PFD values help reduce risk more than those with higher PFD values. Today, many electronic instruments are certified to have specific expected PFD values.
In a broad sense, failures come in two types: dangerous (as described above), and safe (ones that don't result in a hazardous situation). However, safe failures -- sometimes also known as spurious trips -- can have consequences such as plant interruptions.
Another common LOPA term is "independent protection layer" (IPL). This is a safeguard that works independently of others. Some examples are relief valves, basic process control systems, interlocks, and alarms (if they are maintained and give an operator adequate time to respond to prevent a hazardous event from occurring).
To be effective, an IPL should be:
• specific for preventing a given hazardous event;
• independent, that is, not influenced by the performance of other safeguards;
• dependable, that is, effective in reducing risk in accordance with its PFD value (which requires the IPL to be properly specified and installed); and
• auditable, that is, inspected and maintained at specific intervals.
LOPA also uses the term "acceptable risk." This indicates the number of occurrences a company can tolerate per year. For instance, 1.0e-04 per year means one event every 10,000 years. The acceptable risk level depends on a number of factors including the size of the event (those with offsite impact or that could cause injuries or fatalities will need to be very infrequent, for instance, 1e-05), litigation, and company reputation. In several countries, regulations dictate the acceptable risk level.
What is the LOPA process?
LOPA is performed on relatively "high risk" hazardous events identified by a HAZOP. For each such event, LOPA evaluates the extent of protection provided by the existing safeguards and compares that with a company's desired level of protection. If a deficiency exists, additional safeguards are recommended.
The process of risk assessment and risk management is not a one-time activity. It's a process that continues throughout the life of a project or a plant.
How many IPLs do I need?
The number depends on the specific hazardous event, its acceptable versus current risk level, and the risk reduction (probability of failure on demand) provided by each safeguard.
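The comparison described above can be worked through in a few lines. The following Python sketch is an added example, not part of the original article: it multiplies an initiating-event frequency (a standard LOPA input the article does not name) by the PFD of each independent layer, compares the result with the acceptable risk, and picks the lowest lifecycle-cost set of extra safeguards that closes the gap. The tank-overflow scenario, all PFD values, and all costs are constructed for illustration.

```python
from itertools import combinations
from math import prod

def mitigated_frequency(initiating_freq, pfds):
    """Events per year that get past every independent layer."""
    return initiating_freq * prod(pfds)

def cheapest_ipl_set(initiating_freq, existing_pfds, target_freq, candidates):
    """Lowest-cost combination of candidate IPLs that meets target_freq.

    Returns (names, resulting_frequency, cost), or None if even all
    candidates together leave the event too frequent.
    """
    base = mitigated_frequency(initiating_freq, existing_pfds)
    limit = target_freq * (1 + 1e-9)   # tolerance for float rounding
    if base <= limit:
        return (), base, 0             # existing safeguards are enough
    best = None
    for r in range(1, len(candidates) + 1):
        for combo in combinations(candidates, r):
            # Multiplying PFDs is only valid because IPLs are independent.
            freq = base * prod(c["pfd"] for c in combo)
            cost = sum(c["cost"] for c in combo)
            if freq <= limit and (best is None or cost < best[2]):
                best = (tuple(c["name"] for c in combo), freq, cost)
    return best

# Constructed tank-overflow scenario; every number below is illustrative.
INITIATING_FREQ = 0.1          # level-control failures per year (assumed)
EXISTING_PFDS = [0.1]          # high-level alarm with operator response
TARGET_FREQ = 1e-5             # acceptable risk, events per year
CANDIDATES = [                 # cost = assumed lifecycle cost
    {"name": "shutdown valve interlock", "pfd": 0.01, "cost": 120_000},
    {"name": "independent second alarm", "pfd": 0.1, "cost": 15_000},
    {"name": "overflow catch tank", "pfd": 0.01, "cost": 200_000},
    {"name": "high-integrity interlock", "pfd": 0.001, "cost": 300_000},
]

if __name__ == "__main__":
    print("current:", mitigated_frequency(INITIATING_FREQ, EXISTING_PFDS))
    print("choice:", cheapest_ipl_set(INITIATING_FREQ, EXISTING_PFDS,
                                      TARGET_FREQ, CANDIDATES))
```

With these constructed inputs the existing alarm alone leaves the event at about one in 100 years, and the cheapest way to reach the target is two modest layers rather than one high-integrity device.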
How do I determine the level of protection required?
This depends on the severity of a consequence and corporate risk-tolerance policy. Of course, a company can accept an event that could result in multiple injuries or a major environmental or public-image impact far less frequently than one that has relatively minor safety or other consequences.
In several countries, regulations drive the level of protection required.
Can LOPA go wrong?
Yes. The acronym GIGO (garbage in, garbage out) applies here. Assigning inappropriate PFD values renders a LOPA useless. Wrong PFD numbers or improper consideration of safeguards can lead to inadequate or excessive (and not economically justifiable) protection. LOPA, if not correctly applied, could become a mere number-crunching exercise (playing with PFD values). Having a seasoned facilitator, an experienced LOPA team, and updated relevant documents helps ensure a proper LOPA. Keep in mind that PFD numbers are average values. For a number of safeguards, average PFD values are available in the literature (e.g., in books from the Center for Chemical Process Safety, http://www.aiche.org/ccps); these values tend to be conservative.
Finally, selecting the right instruments and applying, installing and maintaining them properly are the key elements in enhancing safety in conjunction with LOPA.
G.C. SHAH, PE, CFSE, CSP, CIH, is a safety, environmental and industrial hygiene professional at Mustang Engineering, Houston. E-mail him at firstname.lastname@example.org.