HAZOP vs LOPA: When to Use Each and How They Complement Each Other

Process hazard analysis (PHA) is the cornerstone of process safety management (PSM) under OSHA 1910.119, and two methodologies dominate the field: HAZOP (Hazard and Operability Study) and LOPA (Layer of Protection Analysis). Engineers sometimes treat these as competitors—one to be chosen over the other. This is a mistake. HAZOP and LOPA are complementary tools designed to answer different questions at different stages of the risk assessment process. Understanding when and how to apply each one is essential for an efficient and defensible PHA program.

HAZOP: Finding What Can Go Wrong

A HAZOP study is a systematic, team-based examination of a process using guide words (No, More, Less, Reverse, As Well As, Part Of, Other Than) applied to process parameters (flow, pressure, temperature, level, composition) at each node of the P&ID. The output is a list of deviations, their causes, their consequences, and the existing safeguards that prevent or mitigate them.

HAZOP is inherently qualitative. When the team identifies a deviation where the existing safeguards are judged insufficient, the HAZOP worksheet records a recommendation—typically for an additional safeguard, a design change, or a further study. Crucially, the HAZOP team does not quantify the risk. The decision to make a recommendation is based on the collective engineering judgment of the team, not on numerical risk targets.

A HAZOP for a medium-complexity process unit (e.g., a distillation column with feed preheat, reflux, and reboiler systems) typically requires 20–40 team-hours per P&ID and generates 50–150 recommendations. The breadth of a HAZOP is its strength: it systematically examines every line on every P&ID and forces the team to consider deviations they would not otherwise discuss.

LOPA: Quantifying Whether the Safeguards Are Enough

LOPA takes over where the HAZOP recommendation list leaves off. When a HAZOP scenario is judged to have potentially severe consequences (fatality, major environmental release, asset damage exceeding $1 million), LOPA quantifies whether the existing Independent Protection Layers (IPLs) reduce the risk to a tolerable level.

A LOPA analysis for a single scenario follows this structure:

  1. Initiating Event Frequency (IEF): The expected frequency of the initiating cause (e.g., control loop failure, operator error, external event). Typical values are drawn from industry databases (CCPS, OREDA, IEEE 493): control loop failure = 1 × 10⁻¹ per year, operator error for a routine task = 1 × 10⁻² per opportunity, loss of cooling water = 1 × 10⁻¹ per year.

  2. Probability of Failure on Demand (PFD) for Each IPL: An IPL must be independent, specific, and auditable. The PFD values are categorized by Safety Integrity Level (SIL):

    • SIL 1: PFD = 1 × 10⁻¹ to 1 × 10⁻²
    • SIL 2: PFD = 1 × 10⁻² to 1 × 10⁻³
    • SIL 3: PFD = 1 × 10⁻³ to 1 × 10⁻⁴

  3. Consequence Severity: Categorized on a scale aligned with the facility's risk matrix (e.g., Category 1 = first aid, Category 5 = multiple fatalities).

  4. Calculated Scenario Frequency: IEF × PFD₁ × PFD₂ × … × PFDₙ. If the scenario frequency exceeds the tolerable frequency for the consequence category, additional IPLs are required.

A LOPA reduces a HAZOP recommendation like "consider installing a high-pressure trip" into a quantified requirement: "Install a high-pressure trip with SIL 2 certification, independent of the basic process control system, with a maximum PFD of 5 × 10⁻³."

When to Go Straight from HAZOP to LOPA

Not every HAZOP recommendation requires a LOPA. The filtering criteria are:

  • Proceed directly to LOPA: The scenario involves potential fatality, off-site impact, or environmental damage exceeding the reportable quantity. The HAZOP team's recommendation suggests a safety instrumented function (SIF) may be required, and the required SIL must be determined.
  • HAZOP recommendation is sufficient: The recommendation addresses an operability issue (e.g., "add a local pressure gauge at the pump discharge for troubleshooting") or a minor environmental concern (e.g., "route the sample station drain to the oily water sewer"). LOPA adds no value because the consequence severity is below the threshold for formal quantitative analysis.
  • Use a simplified risk matrix in the HAZOP: For scenarios of moderate severity, the HAZOP team can assign a qualitative risk ranking (e.g., "Medium-High") and agree on a recommendation without formal LOPA. This accelerates the PHA process by reserving LOPA for the highest-risk scenarios that genuinely require SIL determination.

The HAZOP–LOPA Gap No One Talks About

HAZOP and LOPA agree on the definition of an IPL: a device, system, or action that is capable of preventing a scenario from proceeding to its consequence, independent of the initiating event and of all other IPLs claimed for the same scenario. The problem arises when a HAZOP team claims a safeguard that does not meet the independence test under LOPA scrutiny.

Example: A HAZOP for an exothermic reactor identifies a high-temperature deviation. The team notes that the operator can manually close the steam valve and that there is also a basic process control system (BPCS) temperature controller. The HAZOP worksheet lists both as safeguards. In LOPA, however, the BPCS is also the initiating event for the scenario (if it fails, it causes the deviation), and the operator response depends on the BPCS alarm—which may also fail. Neither qualifies as an IPL.

This is why LOPA must be facilitated by someone who can rigorously test each claimed IPL for independence, specificity, and auditability. The LOPA facilitator should not be the same person who led the HAZOP; an independent reviewer is more likely to catch over-claimed safeguards.
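
The scenario-frequency calculation from the LOPA structure above, combined with the independence test from the reactor example, as an added example (not from the original article). The PFD values, the relief valve, the tolerable frequency and the dependency labels are constructed assumptions; only the IEF for control loop failure and the SIL bands come from the text.

```python
from dataclasses import dataclass
from math import prod

# SIL bands as listed in the article, keyed by their lower PFD bound
SIL_BANDS = [(1, 1e-2), (2, 1e-3), (3, 1e-4)]

@dataclass(frozen=True)
class Safeguard:
    name: str
    pfd: float             # probability of failure on demand
    depends_on: frozenset  # equipment or people the safeguard needs to work

def credit_ipls(initiator_parts, safeguards):
    """Credit a safeguard only if it shares nothing with the initiator or earlier IPLs."""
    used, credited, rejected = set(initiator_parts), [], []
    for sg in safeguards:
        shared = sg.depends_on & used
        if shared:
            rejected.append((sg.name, sorted(shared)))
        else:
            credited.append(sg)
            used |= sg.depends_on
    return credited, rejected

def scenario_frequency(ief, ipls):
    return ief * prod(s.pfd for s in ipls)  # IEF x PFD1 x ... x PFDn, per year

def required_sif(ief, ipls, tolerable):
    """Return (max PFD, SIL) for an added SIF: SIL 0 = none needed, None = beyond SIL 3."""
    max_pfd = tolerable / scenario_frequency(ief, ipls)
    if max_pfd >= 1.0:
        return max_pfd, 0
    return max_pfd, next((s for s, lower in SIL_BANDS if max_pfd >= lower), None)

# Constructed worksheet for the exothermic-reactor example (values are assumptions)
IEF = 1e-1          # BPCS control loop failure, per year (figure from the article)
INITIATOR = {"BPCS"}
TOLERABLE = 5e-5    # assumed tolerable frequency for this consequence category
CLAIMED = [
    Safeguard("BPCS temperature controller", 1e-1, frozenset({"BPCS"})),
    Safeguard("Operator closes steam valve on BPCS alarm", 1e-1, frozenset({"BPCS", "operator"})),
    Safeguard("Relief valve (hypothetical)", 1e-2, frozenset({"relief valve"})),
]

def analyze():
    credited, rejected = credit_ipls(INITIATOR, CLAIMED)
    return {"as_claimed": scenario_frequency(IEF, CLAIMED), "rejected": rejected,
            "credited": scenario_frequency(IEF, credited),
            "sif": required_sif(IEF, credited, TOLERABLE)}

if __name__ == "__main__":
    print(analyze())
```

With every worksheet safeguard credited, the scenario appears to meet the assumed target; once the two BPCS-dependent claims are rejected, the frequency is two orders of magnitude higher and a SIL 1 function with a stated maximum PFD is required.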

Integrating HAZOP and LOPA into a Single Workflow

The most efficient approach is to schedule LOPA within two weeks of the HAZOP, while the team's knowledge is fresh but with enough distance for the LOPA facilitator to review the HAZOP worksheet critically. The workflow:

  1. HAZOP Session: Team identifies scenarios, records recommendations. The facilitator marks scenarios with potentially severe consequences with a "LOPA Required" flag in the worksheet.
  2. Post-HAZOP Screening: The PHA leader and LOPA facilitator review the flagged scenarios and select those that meet the LOPA entry criteria (fatality potential, off-site impact, major asset damage).
  3. LOPA Sessions: For each selected scenario, the LOPA facilitator leads a smaller team (2–3 people: process engineer, controls engineer, operations representative) through the quantitative analysis. The HAZOP worksheet serves as the starting point; the LOPA validates or challenges each claimed safeguard.
  4. SIL Determination: If LOPA shows that a SIF is required, the target SIL and PFD are documented. The SIF is then designed, installed, and tested according to IEC 61511.
  5. Recommendation Closeout: HAZOP recommendations that pass LOPA validation are closed in the PHA tracking system. Recommendations that fail LOPA are escalated for additional IPLs or design changes.

Common Mistakes and How to Avoid Them

  • Mistake 1: Running LOPA for every HAZOP recommendation. This wastes resources and dilutes focus on the truly high-risk scenarios. Use the consequence severity filter ruthlessly: if the worst-case consequence does not involve potential fatality or off-site release, HAZOP recommendation tracking is sufficient.
  • Mistake 2: Allowing the HAZOP team to claim the BPCS as an IPL. When the BPCS is the initiating event, it cannot also be credited as a protection layer, because it is not independent of itself. Only a separate safety instrumented system (SIS) qualifies as an IPL for BPCS-initiated scenarios.
  • Mistake 3: Skipping LOPA because "the process is similar to another unit that was already analyzed." Similar is not identical. A difference in operating pressure, inventory, or siting can change a scenario from tolerable to intolerable.

HAZOP finds the hazards; LOPA measures whether the protection is enough. Use them together, and use them in the right order. The combination is the most defensible and efficient approach to process hazard analysis in use today.