Risk Management

LOPA in Safety: 7 Decisions Before Quantifying Risk

Layer of Protection Analysis helps EHS teams test whether critical controls truly reduce SIF exposure before leaders approve high-risk work.


Key takeaways

  1. Define one hazardous scenario before the workshop so LOPA tests a credible event path instead of a generic hazard list.
  2. Credit only independent protection layers that pass the four tests of independence, effectiveness, auditability, and availability during exposure.
  3. Use LOPA after screening methods such as Bow-Tie, HAZOP, FMEA, or JSA identify a severe scenario that deserves deeper analysis.
  4. Escalate residual SIF risk to leaders who control budget, engineering change, shutdown authority, or operating limits.
  5. Request a safety culture diagnostic when LOPA reveals that critical controls exist in documents but fail under operational pressure.

Many serious incidents occur after a risk assessment has already declared the activity acceptable, because the document counted controls that were not independent, tested, or available at the moment of exposure. This guide explains seven decisions an EHS manager should make before using Layer of Protection Analysis, known as LOPA, for occupational safety and SIF prevention.

Why LOPA cannot become another risk matrix

LOPA is a semi-quantitative method that tests whether independent protection layers reduce a hazardous scenario to a tolerable level. IEC 61511 and IEC 31010 treat the method as part of the risk assessment family, but the value for occupational safety is not the calculation itself; the value is the discipline of asking which barrier really interrupts the event sequence.

A risk matrix often compresses uncertainty into a color, while LOPA forces the team to name the initiating event, the consequence, the safeguards, and the probability reduction expected from each layer. Across 25+ years leading EHS at multinationals, Andreza Araujo has observed that the color discussion often becomes political, because teams negotiate the rating instead of testing the control.

The practical rule is simple enough for a plant team to apply: if a layer cannot be inspected, tested, owned, and activated in time, it should not receive credit in LOPA. That rule protects the method from becoming a more elaborate version of the same weak risk register.

1. Define the hazardous scenario before listing controls

A valid LOPA starts with one hazardous scenario, not with a department, activity, or generic hazard. The scenario should connect an initiating event to a credible consequence, such as uncontrolled energization during maintenance leading to fatal contact, or loss of ventilation in a confined space leading to worker asphyxiation. For deeper context, see Risk Matrix.

The mistake is to begin with a familiar control list, because the team then searches for reasons to justify what already exists. As Andreza Araujo argues in Safety Culture: From Theory to Practice, culture appears in the gap between what the organization declares and what people actually do under pressure. In LOPA, that gap shows up when a written safeguard is counted even though the field condition does not support it.

Write the scenario in one sentence before the workshop starts, and reject wording that hides the failure path. A useful sentence includes the activity, the initiating event, the exposed person, and the final harm; without those four parts, the team will debate abstractions.

2. Separate safeguards from independent protection layers

A safeguard is anything that may reduce risk, while an independent protection layer is a specific control that can prevent or mitigate the consequence by itself. LOPA should credit only the second category, because duplicated paperwork, repeated training, and supervisor attention are often dependent on the same human decision.

This distinction matters in SIF exposure because several controls fail together when production pressure rises. A pre-job briefing, a permit signature, and a verbal instruction may look like three layers, although all three depend on the same supervisor noticing the same weak signal. That is why pre-task risk assessment must be treated as a decision aid, not as automatic risk reduction.

Before assigning credit, ask whether the layer has a separate failure mode, a named owner, a verification record, and a time window that fits the hazard. Four tests should be passed before a safeguard becomes a credited layer: independence, effectiveness, auditability, and availability during the exposure.

3. Use LOPA after screening, not before thinking

LOPA belongs after the team has screened the hazard with simpler methods and found a scenario that deserves deeper analysis. For many tasks, JSA, Bow-Tie, What-If, or FMEA will be enough; LOPA becomes valuable when the consequence is severe and the existing controls need a defensible test. For deeper context, see Bow-Tie Analysis.

The sequence is important because LOPA can create false confidence when used too early. A team that has not mapped the event path may produce numbers that look precise but rest on weak assumptions. The better sequence is to identify the scenario with HAZOP, FMEA, or Bow-Tie, then use LOPA to test whether the credited protection layers are enough.

For an EHS manager, the decision point is not whether LOPA sounds sophisticated. The decision is whether the scenario could produce fatality, permanent disability, major fire, toxic exposure, or multi-person harm if the barriers fail.

4. Treat human action as a layer only when the system supports it

Human response can be a protection layer only when the operator receives a clear signal, has enough time, knows the required action, and is not blocked by workload, fatigue, hierarchy, or production pressure. Without those conditions, the response is a hope, not a barrier. For deeper context, see Prevention through Design.

Andreza Araujo's work on behavioral observation is useful here because it separates real dialogue from ritual observation. In more than 250 cultural transformation projects, Andreza Araujo has seen that teams often count supervisor intervention as a control even when supervisors are covering multiple areas, answering production calls, and signing permits at the same time.

Use a human layer sparingly. If the scenario requires a worker to notice a faint alarm, stop the task, challenge a senior operator, and take action within seconds, the layer is probably too fragile to receive meaningful credit.

5. Connect LOPA to critical control verification

LOPA becomes operational when each credited layer turns into a critical control verification task. The question after the workshop is not whether the spreadsheet is complete, but whether the plant can prove that the credited layers are present, functional, and understood before the exposure begins.

The connection with Bow-Tie critical controls is direct. Bow-Tie helps visualize preventive and mitigative barriers, while LOPA tests whether selected layers carry enough risk reduction to justify the residual decision. When the two methods disagree, the field verification should decide, not the prettier diagram.

A practical verification plan names the layer, owner, test frequency, pass criteria, evidence, and escalation rule. Six fields are enough to move LOPA from calculation to execution, provided leaders actually review failed verifications and stop work when a credited layer is missing.

6. Reject false precision in probability claims

LOPA uses frequency and probability reduction, but occupational safety teams should avoid pretending that every number has laboratory-grade certainty. The method is useful because it structures judgment, not because it converts incomplete field knowledge into exact prediction.

The trap is especially visible when teams borrow generic probability values without checking whether local conditions match the assumption. During her tenure at PepsiCo South America, where the accident ratio fell 50% in six months, Andreza Araujo learned that improvement came from disciplined execution and leadership rhythm, not from numbers that looked impressive in a meeting.

Document the source of every probability factor and flag uncertain assumptions for field validation. If the team cannot defend the factor, use a conservative value and prioritize strengthening the layer rather than debating decimals.

7. Decide who can accept the residual risk

Residual risk acceptance is a governance decision, not an administrative signature at the end of the form. When LOPA shows that risk remains high, the decision should move to the level that controls budget, engineering change, shutdown authority, or operating limits. For deeper context, see Management of Change.

This is where occupational safety often fails quietly. The EHS team calculates, the supervisor signs, and the executive who owns capital allocation never sees the gap. If a scenario can produce a SIF, the approval path should include leaders who can fund engineering controls, redesign work, or change production expectations.

Set a decision table before the first LOPA workshop. Low residual risk can stay with local management, medium risk should require plant leadership, and high SIF potential should go to the executive level with a written action plan and due date.
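The credit rule of decision 2, the conservative-value rule of decision 6, and the decision table of decision 7 combined in one small worked calculation. This is an added example, not code from the article or its author; the PFD values, the initiating event frequency, the tolerable frequency, and the ratio bands that separate the three escalation levels are constructed assumptions.

```python
# Added example, not from the article: LOPA credit rule plus decision table.
# Every number below is a constructed assumption, not published LOPA data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float         # probability of failure on demand (0.1 = one order of magnitude)
    independent: bool  # separate failure mode from the initiating event and other layers
    effective: bool    # can prevent or mitigate the consequence by itself
    auditable: bool    # named owner plus a verification record
    available: bool    # present and functional during the exposure window
    source: str = ""   # where the PFD came from; empty means the factor is undefended

NO_CREDIT = 1.0  # conservative value: an undefendable layer is treated as absent

def credited_pfd(layer: Layer) -> float:
    """Decision 2: credit only layers passing all four tests.
    Decision 6: a factor without a documented source gets the conservative value."""
    four_tests = layer.independent and layer.effective and layer.auditable and layer.available
    return layer.pfd if four_tests and layer.source else NO_CREDIT

def mitigated_frequency(initiating_event_frequency: float, layers: list[Layer]) -> float:
    """Residual event frequency per year after every credited layer is applied."""
    frequency = initiating_event_frequency
    for layer in layers:
        frequency *= credited_pfd(layer)
    return frequency

def escalation_level(mitigated: float, tolerable: float) -> str:
    """Decision 7 table; the ratio bands are constructed assumptions."""
    ratio = mitigated / tolerable
    if ratio <= 1.0:
        return "local management"
    if ratio <= 10.0:
        return "plant leadership"
    return "executive level with written action plan and due date"

# Constructed scenario based on the article's example: loss of ventilation in a
# confined space leading to worker asphyxiation. Two "layers" share one supervisor.
OK = dict(independent=True, effective=True, auditable=True, available=True)
SCENARIO_LAYERS = [
    Layer("pre-job briefing", 0.1, False, False, True, True, "generic table"),
    Layer("permit signature by the same supervisor", 0.1, False, False, True, True, "generic table"),
    Layer("continuous gas monitor, alarm, rehearsed egress", 0.1, **OK, source="plant test records"),
    Layer("ventilation interlock", 0.01, **OK),  # passes the tests but its PFD source is undocumented
]

if __name__ == "__main__":
    print(escalation_level(mitigated_frequency(0.1, SCENARIO_LAYERS), 1e-4))
```

Only the gas monitor earns credit, so a constructed initiating frequency of 0.1 per year drops to 0.01 per year, two orders above the constructed tolerable 1e-4 and therefore an executive-level decision; documenting the interlock's PFD source would change the result, which is exactly the field validation the article asks for.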

Comparison: weak LOPA vs decision-grade LOPA

| Dimension | Weak LOPA | Decision-grade LOPA |
|---|---|---|
| Scenario | Generic hazard statement | Specific initiating event, consequence, and exposed person |
| Layers | Counts training, signs, and supervision as separate controls | Credits only independent, auditable, available protection layers |
| Human action | Assumes the operator will notice and intervene | Checks signal clarity, time, authority, workload, and training |
| Evidence | Relies on workshop opinion | Connects each layer to critical control verification |
| Governance | Ends with an EHS signature | Escalates residual SIF risk to leaders who control resources |

Each month without disciplined LOPA for severe scenarios leaves the organization dependent on controls that may exist only in documents, while the same exposure continues in maintenance, construction, utilities, and process operations.

Conclusion: LOPA is a leadership test, not a spreadsheet

LOPA helps occupational safety teams make better risk decisions when it tests independent protection layers, rejects false precision, and connects severe scenarios to leaders who can change the work.

If your organization needs to move from risk paperwork to verified controls, start with a safety culture and critical-control diagnostic through Andreza Araujo, then use LOPA only where the consequence justifies the discipline.

#lopa #risk-management #critical-controls #sif #ehs-manager #process-safety

Frequently asked questions

What is LOPA in occupational safety?
LOPA, or Layer of Protection Analysis, is a semi-quantitative method used to test whether independent protection layers reduce a hazardous scenario to a tolerable level. In occupational safety, it is most useful for SIF exposure, high-energy work, confined spaces, process hazards, and maintenance tasks where a simple risk matrix hides too much uncertainty.
When should an EHS manager use LOPA?
An EHS manager should use LOPA after a screening method has identified a severe scenario that needs deeper testing. It is not necessary for every routine hazard. It fits scenarios involving fatality potential, permanent disability, toxic release, fire, explosion, high-energy isolation, or other consequences where leaders need evidence before accepting residual risk.
What is the difference between LOPA and Bow-Tie?
Bow-Tie maps the event path and shows preventive and mitigative barriers visually. LOPA tests selected layers more rigorously by asking whether they are independent, auditable, available, and effective enough to reduce risk. The two methods work well together because Bow-Tie clarifies the structure, while LOPA challenges the strength of the credited controls.
Can training count as a LOPA protection layer?
Training should rarely receive LOPA credit by itself. It may support a human response, but it is usually dependent on attention, workload, supervision, and production pressure. As Andreza Araujo argues in her safety culture work, declared knowledge does not equal reliable behavior under pressure. Training should support a layer, not replace engineering or verified critical controls.
How do you avoid false precision in LOPA?
Avoid false precision by documenting the source of each probability factor, using conservative assumptions when local evidence is weak, and connecting every credited layer to field verification. If the team cannot defend a number, the answer is not a longer spreadsheet. The answer is better evidence, stronger controls, or escalation to leaders who can redesign the work.

About the author

Global Safety Culture Specialist

Andreza Araujo is an international reference in EHS, safety culture and safe behavior, with 25+ years leading cultural transformation programs in multinational companies and impacting employees in more than 30 countries. Recognized as a LinkedIn Top Voice, she contributes to the public conversation on leadership, safety culture and prevention for a global professional audience. She is a civil engineer and occupational safety engineer from Unicamp, with a master's degree in Environmental Diplomacy from the University of Geneva, the author of 16 books on safety culture, leadership and SIF prevention, and the host of the Headline Podcast.

  • Civil Engineer (Unicamp)
  • Occupational Safety Engineer (Unicamp)
  • Master in Environmental Diplomacy (University of Geneva)