Microsoft Word - 476hernandez.docx


 CHEMICAL ENGINEERING TRANSACTIONS  
 

VOL. 43, 2015 

A publication of 

The Italian Association 
of Chemical Engineering 
Online at www.aidic.it/cet 

Chief Editors: Sauro Pierucci, Jiří J. Klemeš 
Copyright © 2015, AIDIC Servizi S.r.l., 
ISBN 978-88-95608-34-1; ISSN 2283-9216                                                                               

 

Innovative LOPA-Based Methodology for the Safety 
Assessment of Chemical Plants 

Francesca Argenti, Elisabetta Brunazzi, Gabriele Landucci* 

Dipartimento di Ingegneria Civile e Industriale - Università di Pisa, Largo Lucio Lazzarino, 56126, Pisa, Italy  
gabriele.landucci@unipi.it 

The aim of the present work was the development and application of a methodology for the safety assessment 
of chemical plants based on LOPA (Layer of Protection Analysis) techniques.  
The approach integrates the use of consolidate hazard identification techniques (HazOp) and the adoption of 
quantitative literature models for consequence assessment (e.g., integral models) into the LOPA framework, 
allowing to limit the role played by expert judgment in the evaluation in order to reduce the causes of 
uncertainty in the results. Furthermore, a systematic and quantitative assessment of safety measures 
contribution to the reduction of plant residual risk was included in the analysis. 
In order to apply the methodology, a case study was defined taking into account an actual industrial facility. 
The results obtained allowed demonstrating the potentialities of the method.  

1. Introduction  

Process industry activities go hand in hand with major hazard potential that occasionally results in major 
accidents (Mannan, 2005). Hence, adequate management and control of such major hazards is essential to 
guarantee a long-term license to operate (Pasman and Reniers, 2014). In Europe, the implementation of a 
policy for control of major hazards involving chemical substances is regulated via the so-called Seveso 
legislation. Seveso directive 96/82/EC (EC, 1997) proposed a classification of installations based on the type 
and quantity of hazardous substances in order to identify those where the risk of a major accident occurrence 
is significant (Tugnoli et al., 2012a). The installations that fall under the obligations of Seveso directive are 
compelled to produce a safety report, in which the results of the plant risk analysis, together with the 
implemented safety measures, have to be detailed. The methodologies adopted in the preparation of safety 
report are well-known (Tugnoli et al., 2012b) but they require a considerable cost effort (mainly in terms of 
man-months needed) that are currently decreasing by the use of dedicated software (Cozzani et al., 2014). 
In the specific framework of chemical industries, an alternative methodology is currently becoming more 
diffused and applied: Layer of Protection Analysis – LOPA (CCPS, 2001). LOPA is very popular and widely 
utilized, because it fits perfectly with the advent of risk-based engineering standards, such as IEC 61511, 
specifying SIL (Safety Integrity Level) of Safety Instrumented Systems for reducing various categories of risk 
to a tolerable value (De Rademaeker et al., 2014). 
LOPA methodology is based on a simplified risk assessment, that integrates evaluations on the inherent 
hazard associated with hazardous materials (Cordella et al., 2009) and process operations (Tugnoli et al., 
2007) with issues related to the availability and efficiency of safety systems and/or maintenance policies 
focused on safety (Dowell, 1997). 
In the present work, a LOPA based methodology is developed in order to obtain an innovative simplified risk 
assessment tool specific for chemical industry installations. In particular, the methodology allows to establish 
whether the protection systems and prevention/mitigation measures implemented in a chemical site are 
sufficient to guarantee an acceptable level of residual risk. The application to an industrial case study is 
presented in order to test the potentialities of the method. 

                                

 
 

 

 
   

                                                  
DOI: 10.3303/CET1543398 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Please cite this article as: Argenti F., Brunazzi E., Landucci G., 2015, Innovative lopa-based methodology for the safety assessment of 
chemical plants, Chemical Engineering Transactions, 43, 2383-2388  DOI: 10.3303/CET1543398

                                

 
 

 

 
   

                                                  
DOI: 10.3303/CET1543398 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Please cite this article as: Argenti F., Brunazzi E., Landucci G., 2015, Innovative lopa-based methodology for the safety assessment of 
chemical plants, Chemical Engineering Transactions, 43, 2383-2388  DOI: 10.3303/CET1543398

2383



2. Methodology 

According to law prescriptions, the risk analysis to be applied to Seveso installations has to follow a step-wise 
procedure (EC, 1997). Preliminarily, all accidental events that may occur involving a significant release of 
hazardous substances have to be identified and their possible causes investigated. Next, the calculation of the 
frequency of occurrence and expected damages associated to the identified accidental events should be 
performed. Finally, the risk assessment and evaluation has to be carried out. 
The same framework was taken into account for the development of the novel LOPA-based method, whose 
steps are illustrated in Figure 1. 
As shown in Figure 1, the assessment procedure mainly grounds on concepts borrowed by the conventional 
LOPA technique (CCPS, 2001). Three main improvements were applied to the typical LOPA method:  

1. A systematic scenario identification method was introduced (step 2), based on consolidate hazard 
identification techniques (HazOp). 

2. A more objective consequence evaluation was considered (step 3), based on the application of 
integral models for the evaluation of physical effects associated to accidental scenarios (Van Der 
Bosh and Weterings, 1997). 

3. The possibility of assigning credit factors to specific maintenance procedures and safety training was 
explicitly considered (step 4). 

It is worth to remark that the present methodology, exactly as the LOPA quantitative assessment, considers 
the cause-accident-consequence combinations one by one. Hence, hereafter the term “scenario” will identify a 
single combination of accident cause and accident effect.

 

Figure 1: Methodology overview 

2.1 Hazard identification 
The adoption of LOPA requires a preliminary phase, supported by qualitative techniques, aimed at the 
identification of foreseeable accidental events. This phase is usually conducted by means of poorly structured 
approaches or past accident analysis.  
On the contrary, in the present study the Dow Fire & Explosion Index method (Dow Company, 1987), prescribed by 
SEVESO directive as a support tool for safety reports development, was proposed to divide the overall plant in 
pertinent process units and then rank them according to their hazard potential (step 1 in Figure 1). 
Next, a HazOp (Hazard and Operability) analysis was selected to the purpose of identifying the relevant 
accident events that might occur in the plant (step 1 in Figure 2). HazOp is a qualitative but systematic 
technique that analyses the deviations of process variables from normal operating conditions, in order to 
reconstruct cause-consequence chains related to the specific deviation (Mannan, 2005). Through the adoption 
of a systematic brainstorming technique by a multi-disciplinary team of experts, the risk of neglecting some 
relevant scenarios can be minimized in order to support consequence analysis in step 3. Event tree analysis 
(ETA) is then used to identify the relevant final outcomes (e.g., fires, explosions and toxic dispersions) 
associated to accident events. 

2.2 Consequence analysis and “target factor” evaluation 
Once the set of foreseeable final outcomes associated to the release scenarios has been determined, LOPA 
technique requires a consequences assessment phase, during which the magnitude of consequences is taken 
into account by means of a penalty score, namely “target factor” TF. The value to be attributed to TF increases 
as the severity of the accident impact on workers and population increases; however, the TF is often 
estimated according to expert judgment (CCPS, 2001) rather than on a sound objective basis. 
In the present study, the evaluation of TF was based on the results of detailed consequence evaluation 
through the use of quantitative integral models (Van Der Bosh and Weterings, 1997), in order to prevent the 
underestimation of the severity of accidents due to the adoption of rules-of-thumb ( e.g. arbitrary physical 
effects thresholds and arguable score attribution).  

1. Ranking of plant 
units according to 
hazard potential

2. Scenarios 
identification

3. Risk assessment: 
consequence 

analysis

4. Risk assessment: 
accident frequency 

evaluation

Dow F&E index HazOp and ETA Integral models
Protection 

systems and 
procedures

2384



Integral models allowed to evaluate the magnitude of physical effects deriving from accident releases at 
different location on the site map. The model outputs in terms of heat flux, overpressure and toxic 
concentration were analysed by comparison against the lethality thresholds reported in Table 1 in order to 
quantify the expected number of fatalities, considering the number of exposed workers and the population 
density in the plant surroundings. 

Table 1: Threshold values assumed for damage distance evaluation (LFL: lower flammability limit; IDLH: toxic 
concentration immediately dangerous to life and health) (adapted from Tugnoli et al., 2007). 

Physical effect Threshold Value 
Flash Fire 1/2 LFL 
Thermal radiation (pool fire, jet fire, fireball) 7 kW/m2 
Vapour cloud explosion 14 kPa 
Physical/mechanical explosion 14 kPa 
Toxic exposure IDLH 
 
Table 2 summarizes the scoring criteria adopted in the evaluation of TF. As it can be seen from Table 2, the 
involvement of people outside the plant boundaries is deemed as more critical and lead to the attribution of a 
higher penalty since plant personnel is usually trained to manage emergency situations. 
The target factor represents the first risk estimate, which is purely based on expected damage to people as 
calculated through consequence analysis. 

Table 2: Scoring criteria for target factor evaluation (adapted from (CCPS, 2001)) 

TF value Effects on workers Effects on population 
2 - 4 Minor injury  Safe condition 
3 - 5 Irreversible damage Evacuation possibly needed 
4 - 6 1 – 3 fatalities Irreversible damage 
5 - 7 3 – 10 fatalities 1 – 3  fatalities 
6 - 8 10 – 50 fatalities 3 – 10 fatalities 
7 - 9 50 – 200 fatalities 10 – 50 fatalities 
8 - 10 More than 200 fatalities 50 – 200 fatalities 
 

2.3 Credit factors evaluation and residual risk calculation 
According to the LOPA methodology, the target factor evaluation step is followed by the definition and evaluation of 
a set of compensation factors. In such a phase, credits are attributed to consider the credibility of the accidental 
scenario and the availability of independent protection layers (IPLs), thus modifying the first risk estimate obtained 
according to the procedure described in Section 2.2.  
The credibility is assessed as a function of the expected frequency of occurrence of the initiating cause and 
considering the presence of accident triggers and other aspects that may affect the final probability of occurrence of 
the scenario. Three different credit factors are defined to the purpose. 
First, all the possible initiating causes of the release scenarios identified through HazOp analysis have to be 
determined. Initiating causes may include process deviations, components malfunctioning, leakages, human errors 
and external causes such as domino effect (Di Padova et al., 2011) or natural events - NaTech (Salzano et al., 
2009). Clearly enough, initiating cause may be very different in nature and thus their frequency of occurrence may 
vary considerably; hence, each initiating cause-release event pair has to be analyzed independently as a “scenario”. 
Next, the frequency of occurrence of the initiating event f (events/year) is calculated: conservative order-of-
magnitude estimates are typically used for component failures and external causes, while human error frequency is 
usually estimated on the basis of operation complexity. The initiating event frequency of occurrence determines the 
value of Initiating Event Factor (FIE). 
In addition, the LOPA procedure includes the Enabling Factor (FEF) calculation. The FEF represents an 
environmental condition, whose occurrence contemporary to the initiating event leads to an accidental scenario 
featuring the characteristics and severity specified during the target factor evaluation phase (see Section 2.2). As an 
example, in the case of flammable release scenario, the enabling factor is related to the ignition probability (IP) that, 
in turn, depends on the amount of released substance and on its flammability characteristics.  
The third factor taken into account in the risk compensation phase is the “exposure time factor” (FET), which aims to 
quantify the time portion of the overall duration of plant production when the dangerous operation is actually carried 
out and when the operators are actually present in the impacted area. Two parameters contribute to the 
determination of FET: 

2385



- Time at Risk (TR) defined as the percentage between the number of hours during which the considered 
operation is performed and the overall number of hours in which the plant is in operation, on a yearly 
basis. This parameter is applicable only to plant operating in batch mode. 

- Probability of Exposure (PE), defined as the probability of operators presence in the proximity of the 
equipment involved in the accidental scenario. 

The role of available means of accident prevention and mitigation is quantified by assigning a credit to each IPL that 
may intervene against the considered scenario. More specifically, the value of the credit factor FIPL to be attributed is 
related to the IPL probability of failure on demand (PFD). The FIPL represent a quantitative index to synthetically 
describe the effectiveness of safety measures design. Protection systems (fireproofing, water spray systems, 
pressure relief devices, etc.) are considered in the IPL assessment as well as procedural measures, company 
standards on good design practice and mechanical integrity. A key issue was to include personnel training to 
manage emergencies and the implementation of dedicated safety procedures in the assessment of IPLs. The 
complete list of credit factors is presented in Table 3 together with the correspondent definition. 
As it can be seen from Table 3, FIE, FEF and FIPL are calculated as a function of frequency or probability estimates 
ranging from 0 to 10-1; TR and PE are used to correct the values of FET. Their contribution to the reduction of TF 
may become significant, corresponding to a credit FET at least equal to 1, only if their value fall below 10%. 
Finally, the initial level of residual risk R0 is calculated according to Eq(1), considering the contribution of both 
penalty and credit scores. 


=

−−−−=
N

i
iIPLETEFIE FFFFTFR

1
,0

     (1) 

where N is the total number of IPLs already in place intervening to the mitigation and/or prevention of the 
scenario under analysis and FIPL,i is the credit factor associated to the i-th IPL. 
If applying Eq(1) R0≤0, the residual risk is deemed acceptable and the implemented IPLs are considered 
adequate to guarantee operation within safety margins. On the contrary, if R0>0 is obtained, actions should be 
taken in order to add as many IPLs as needed to reduce the residual risk at least to a value equal to zero. 
Hence, the final risk value R will be obtained as follows: 


=

−=
M

j
jIPLFRR

1
,0

     (2) 

where M is the total number of IPLs needed to minimize the risk R and FIPL,j is the credit factor associated to 
the j-th IPL. 

Table 3: Credit factors definition 

Credit factor Definition Notes 

FIE )(log10 fFIE −=  
Related to the frequency of occurrence f 
(events/year) of the scenario initiating cause  

FEF )(log10 IPFEF −=  
Related to the ignition probability (PI) , which 
represents the enabling factor 

FET 
%101

1.001.01
01.02

<=
≤<=

≤=

TRforF
PEforF

PEforF

ET

ET

ET

 

Related to the probability of exposure (PE) 
and to the time duration of dangerous 
operation (TR) with respect to plant 
operations 

FIPL )(log10 PFDFIPL −=  
Related to protection system availability or 
probability of failure on demand (PFD) 

3. Application to a case study 

3.1 Definition of the case study 
The methodology described herein was applied to the risk assessment of an existing plant located in an Italian 
industrial complex, part of a harbour area. The plant layout is shown in Figure 2a. In order to exemplify the 
methodology application, an extract of the results obtained in the analysis concerning the 1,3-butadiene 
storage section of the plant is reported in the following. The section houses a 250 m3 storage tank operating at 
2.25 barg and ambient temperature (the tank position is indicated by an arrow in Figure 2a). In the complete 
risk assessment, all the relevant scenarios for the loading and production phase were identified and 
investigated. However, for the sake of brevity, only the analysis regarding the scenario “release of 1,3-

2386



butadiene (liquid phase) from a hole of 50 mm equivalent diameter into the catch basin, following the crane 
impact onto the tank shell” is detailed in the following.  

3.2 Results and discussion 
Figure 2b depicts the results of consequence analysis obtained using consequence analysis models (Van Der 
Bosh and Weterings, 1997). The most severe accidental scenario resulting from the release is represented by 
a flash-fire following the delayed ignition of butadiene vapors originating from the pool in the catch basin. 
According to Table 1, the lethality level for flash-fire is set to half of lower flammability limit concentration (1/2 
LFL), as shown in Figure 2b. According to the physical effect map drawn by the software and considering the 
number of workers on shift in the impacted area during normal plant operation, more than 10 fatalities are 
foreseen. On the basis of the criteria outlined in Table 1, a TF value of 8 is thus attributed. 
 

 
Figure 2: a) Plant layout; b) Consequence analysis of flash-fire scenario (LFL = lower flammability limit) 

The data adopted and the assumptions made in the evaluation of credit factors to the estimation of initial risk 
level R0 are summarized in Table 4. 

Table 4: Assessment of the initial level of risk R0 associated to the scenario in the case study 

Factor Value Notes 

TF 8 
According to consequence analysis results and TF evaluation criteria given in 
Table 2. 

FIE 2 Crane impact frequency of occurrence equal to approximately 10-2 events/year. 

FEF 0 
No credit. A mass of 20000 kg of butadiene is released within 15 minutes; 
hence there is a high ignition probability. 

FET 1 
Maintenance activities that require the use of a crane are carried out 
approximately once a year: TR<10%. 

FIPL,1 2 High design standards; good management and maintenance policy. 
FIPL,2 1 Procedure 1: direct operator supervision of maintenance activities. 
FIPL,3 1 Procedure 2: highly specialized and adequately trained personnel. 

R0 1 
By applying Eq(1): initial level of residual risk R0> 0 (not acceptable); 
additional IPLs are required 

Table 5: Assessment of residual risk R after the implementation of a novel safety procedure 

Factor Value Notes 

FIPL,4 1 

Procedure 3 (to be implemented): maintenance activities that require the use of 
a crane must not be performed if the filling level of butadiene storage tank is 
higher than 10%; limit the number of operators on site during maintenance 
activities. 

R 0 
By applying Eq(2) and taking into account Procedure 3 residual risk R=0, hence 
safety requirements are met 

 
The residual risk resulting from the analysis is positive. Therefore, additional measures are required to reduce 
the residual risk to an acceptable level; in the specific case, further IPLs may be implemented to remove the 
gap of 1 credit factor. The additional IPL consists in putting into action a new procedure concerning 

2387



maintenance operations that requires the use of a crane: prescriptions are introduced to avoid the 
maintenance operations when the tank filling level is higher than 10 % and to reduce the number of workers 
involved in the maintenance activities. Therefore by applying Eq(2) and taking into account the new procedure 
adoption, the evaluated risk level becomes acceptable as summarized in Table 5. 
The case study demonstrates that human actions based on specific procedures, or administrative controls 
which can directly implement the safety functions may have a key role in determining the risk associated to an 
installation (Paltrinieri et al., 2012). The present method, though simplified respect to conventional risk 
analysis methods, includes operational and organizational issues as key elements in the determination of risk. 

4. Conclusions 

In the present contribution, a methodology for the simplified risk assessment of chemical plants was outlined. 
The methodology takes advantage of the adoption of a LOPA approach to assess all factors influencing the 
frequency of occurrence of an accident scenario. Moreover, the consequence analysis was based on the use 
of sound physical models rather than expert judgment.  
The results of methodology application to an existing plant were shown to exemplify the methodology. The 
case study demonstrated the effectiveness of the method in quickly detecting weaknesses in IPL design, 
enabling decision-makers to take prompt actions to keep plant residual risk under control. 

 
References 

Center of Chemical Process Safety (CCPS), 2001, Layers of Protection Analysis, Simplified Process Risk 
Assessment. American Institute of Chemical Engineers, New York, US. 

Cordella, M., Tugnoli, A., Barontini, F., Spadoni, G., Cozzani, V., 2009. Inherent safety of substances: 
Identification of accidental scenarios due to decomposition products, J. Loss Prev. Process Ind. 22 (4), 
455-462. 

Council of the European Union (EC), 1997, Council Directive 96/82/EC of 9 December 1996 on the control of 
major-accident hazards involving dangerous substances. Official Journal of the European Communities, 
L10/13, Brussels, Belgium. 

Cozzani V., Antonioni G., Landucci G., Tugnoli A., Bonvicini S., Spadoni G., 2014, Quantitative assessment of 
domino and NaTech scenarios in complex industrial areas, J. Loss Prev. Process Ind. 28, 10–22. 

De Rademaeker E., Suter G., Pasman H.J., Fabiano B., 2014. A review of the past, present and future of the 
European Loss Prevention and Safety Promotion in the Process Industries, Proc. Saf. Environ. Prot. 92, 
280-291. 

Di Padova A., Tugnoli A., Cozzani V., Barbaresi T., Tallone F., 2011, Identification of fireproofing zones in 
Oil&Gas facilities by a risk-based procedure, J. Hazard. Mater. 191(1-3), 83-93. 

Dow Company, 1987, Fire and Explosion Index- Hazard classification Guide, 6th Ed. Corporate safety, loss 
prevention and security, Midland, TX. 

Dowell, A. M., III, 1997, Layer of Protection Analysis: A New PHA Tool, After Hazop, Before Fault Tree, Proc. 
of International Conference and Workshop on Risk Analysis in Process Safety, CCPS/AIChE, Atlanta, GA. 

Landucci G., Antonioni G., Tugnoli A., Cozzani V., 2012, Release of hazardous substances in flood events: 
Damage model for atmospheric storage tanks. Reliab. Eng. Sys. Saf. 106, 200–216.  

Mannan S., 2005, Lees’ Loss Prevention in the Process Industries. Elsevier, Oxford, UK. 
Paltrinieri, N., Tugnoli, A., Buston, J., Wardman, M., Cozzani, V. Dynamic Procedure for Atypical Scenarios 

Identification (DyPASI): A new systematic HAZID tool, 2013, J. Loss Prev. Process Ind. 26 (4), 683-695.  
Pasman H., Reniers G., 2014, Past, present and future of Quantitative Risk Assessment (QRA) and the 

incentive it obtained from Land-Use Planning (LUP), J. Loss Prev. Process Ind. 28, 2-9.  
Salzano E., Garcia Agreda A., Di Carluccio, A., Fabbrocino, G., 2009, Risk assessment and early warning 

systems for industrial facilities in seismic zones, Reliab. Eng. Sys. Saf. 94 (10), 1577-1584. 
Tugnoli A., Cozzani V., Landucci G., 2007, A consequence based approach to the quantitative assessment of 

inherent safety. AIChE J. 53(12), 3171-3182. 
Tugnoli A., Gyenes Z., Van Wijk L., Christou M., Spadoni G., Cozzani V., 2012a, Scenario selection for land 

use planning purposes around “Seveso” establishments, Chemical Engineering Transactions, 26, 417-422.  
Tugnoli A., Landucci G., Salzano E., Cozzani V., 2012b, Supporting the selection of process and plant design 

options by Inherent Safety KPIs, J. Loss Prev. Process Ind. 25(5), 830-842. 
Van Der Bosh C.J.H., Weterings R.A.P.M., 1997, Methods for the calculation of physical effects (Yellow 

Book). Committee for the Prevention of Disasters, the Hague, the Netherlands. 

2388