In the 1990s, companies and industry groups developed standards for designing, building and maintaining Safety Instrumented Systems (SIS) (see Safety Lifecycle).
A key input to the tools and techniques needed to implement these standards was the required Probability of Failure on Demand (PFD) for each Safety Instrumented Function (SIF). Process Hazard Analysis (PHA) teams and project teams struggled to determine the required Safety Integrity Level (SIL) for the SIFs ("interlocks").
The concept of layers of protection and an approach to analyse the number of layers required was first published by the Center for Chemical Process Safety (CCPS). From these concepts, several companies developed internal procedures for Layer of Protection Analysis (LOPA).

LOPA is a semi-quantitative risk analysis technique that is applied after a qualitative hazard identification tool such as HAZOP. We describe LOPA as semi-quantitative because the technique uses figures and generates a numerical risk estimate. However, the figures are chosen in such a way that the failure probability is estimated conservatively; they usually give an order of magnitude rather than the actual performance of specific equipment. The result is intended to be conservative (an overestimate of the risk) and is usually sufficient to determine the required SIL for the SIF. Where a more complete or accurate understanding of the risk is required, more rigorous quantitative techniques are available, such as Failure Mode and Effects Analysis (FMEA) or Quantitative Risk Analysis (QRA).

LOPA begins with an undesired consequence, or with an event that has environmental, health, safety, business or economic consequences. These consequences are usually identified in a HAZOP.

The severity of the consequence is estimated using appropriate techniques, which can range from simple "look-up tables" to sophisticated software tools for modelling the consequences (also visit our page on the award-winning safety lifecycle software aeShield).

One or more initiating events (causes) may lead to the consequence. Each cause-consequence pair is called a scenario. LOPA focuses on one scenario at a time. The frequency of the initiating event is estimated (usually from look-up tables or historical data). Next, each identified safeguard is evaluated on two important characteristics:

- Is the safeguard effective in preventing the scenario from reaching the consequence?
- AND, is the safeguard independent of the initiating event and of the other IPLs (Independent Protection Layers)?

If the safeguard meets BOTH tests, it is an IPL. LOPA estimates the frequency of the undesired consequence by multiplying the frequency of the initiating event by the product of the PFDs of the IPLs that apply. A further refinement of the estimated risk may be warranted. For example, an operator may only be present part of the time, or another condition may be required for the scenario to occur (enabling conditions and conditional modifiers).


The result of the LOPA is a measure of the risk of the scenario - an estimate of the probability AND the consequence. This estimate can be considered a "mitigated consequence frequency", as the frequency is mitigated by the independent layers of protection.
If additional risk reduction is required, more IPLs will have to be added to the design. Another option could be to redesign the process. Ideally, this can be done by implementing inherently safer design alternatives. 
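As an added example, not code from the original page, the LOPA arithmetic described above in Python: each safeguard is screened on the two IPL tests, the mitigated consequence frequency is the initiating event frequency multiplied by the enabling conditions, conditional modifiers and the PFDs of the IPLs that pass, and the gap to a target frequency is turned into the PFD (and hence SIL) an additional SIF would need. The scenario data (frequencies, PFDs, target) are constructed for illustration; the SIL bands are the low-demand PFD ranges from IEC 61508/61511.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Safeguard:
    name: str
    pfd: float          # probability of failure on demand claimed for this layer
    effective: bool     # test 1: does it stop the scenario before the consequence?
    independent: bool   # test 2: independent of the initiating event and other IPLs?

    def is_ipl(self) -> bool:
        # Only a safeguard that passes BOTH tests may be credited as an IPL.
        return self.effective and self.independent


@dataclass
class Scenario:
    description: str
    initiating_frequency: float                  # initiating events per year
    safeguards: List[Safeguard]
    enabling_conditions: List[float] = field(default_factory=list)   # probabilities
    conditional_modifiers: List[float] = field(default_factory=list)  # probabilities

    def ipls(self) -> List[Safeguard]:
        return [s for s in self.safeguards if s.is_ipl()]

    def mitigated_frequency(self) -> float:
        """Consequence frequency after crediting enabling conditions, modifiers and IPLs."""
        f = self.initiating_frequency
        for p in self.enabling_conditions + self.conditional_modifiers:
            f *= p
        for ipl in self.ipls():
            f *= ipl.pfd
        return f


# Low-demand SIL bands (IEC 61508/61511): (SIL, lower PFD bound incl., upper PFD bound excl.)
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]


def required_pfd(mitigated: float, target: float) -> Optional[float]:
    """PFD an additional SIF must achieve to bring the scenario to the target; None if met."""
    if mitigated <= target:
        return None
    return target / mitigated


def sil_for_pfd(pfd: float) -> Optional[int]:
    """Map a required PFD onto a SIL band; None if no SIL claim is needed or PFD is below SIL 4."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def build_example() -> Scenario:
    # Constructed scenario: a BPCS control loop failure leads to vessel overfill.
    return Scenario(
        description="BPCS level control failure -> vessel overfill",
        initiating_frequency=0.1,            # constructed: 1 failure in 10 years
        safeguards=[
            # Alarm generated by the same BPCS that failed: effective but NOT independent.
            Safeguard("High-level alarm in BPCS", 0.1, effective=True, independent=False),
            Safeguard("Operator response to independent alarm", 0.1, True, True),
            Safeguard("Relief valve", 0.01, True, True),
        ],
        conditional_modifiers=[0.5],         # constructed: personnel present half the time
    )


if __name__ == "__main__":
    s = build_example()
    f = s.mitigated_frequency()
    print("Credited IPLs:", [i.name for i in s.ipls()])
    print(f"Mitigated consequence frequency: {f:.2e} /yr")
    need = required_pfd(f, target=1e-6)      # constructed tolerable frequency
    if need is None:
        print("Target met; no additional SIF required")
    else:
        print(f"Additional SIF needs PFD <= {need:.2e} -> SIL {sil_for_pfd(need)}")
```

The BPCS alarm is deliberately left out of the credit because it shares the failed controller with the initiating event; counting it would lower the estimate tenfold and make the result non-conservative, which is exactly the mistake the independence test guards against.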

"Focus on occupational safety in the prevention of process safety incidents is misleading at best and catastrophic at worst".

– Enrico Lammers