100% found this document useful (1 vote)

644 views109 pages

Layers of Protection Analysis

LoPA

Uploaded by

Debopriya Das

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (1 vote)

644 views109 pages

Layers of Protection Analysis

LoPA

Uploaded by

Debopriya Das

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 109

Layers of Protection Analysis

© 2022 General Electric Company

Contents

Chapter 1: Overview 1
Overview of the Layers of Protection Analysis (LOPA) Module 2
Access the LOPA Overview Page 2
LOPA Workflow 3

Chapter 2: Workflow 4
Layers of Protection Analysis: LOPA 5
Create LOPA 5
Define Enabling Event and Probability 6
Conditional Modifiers? 6
Define Conditional Modifiers 6
Add IPLs and Link Assets 6
Review SIL, PFD, and RRF Values 6
SIL Assessment 6
HAZOP Analysis 7
What-If Analysis 7

Chapter 3: Performing LOPA 8

About Performing Layer of Protection Analysis (LOPA) 9
About Safety Integrity Level (SIL) 9
About Qualitative Risk Rank Mapping from LOPA 10
About Integration Between Hazards Analysis and LOPA 12
About Integration Between SIS Management and LOPA 13
About Revision History 14
Access a Layer of Protection Analysis 15
Access the LOPA Summary 16
Create a Layer of Protection Analysis 17
Change the State of a LOPA 19
Access Revision History of a LOPA 22
Delete a Layer of Protection Analysis 26

ii Layers of Protection Analysis

Chapter 4: Conditional Modifiers 27
About Conditional Modifiers 28
Access a Conditional Modifier 29
Create a Conditional Modifier 30
Delete a Conditional Modifier 31

Chapter 5: Safeguards and IPLs 32

About Safeguards and Independent Protection Layers (IPL) 33
About Identifying an Independent Protection Layer 33
Access a Safeguard 35
Create a Safeguard 36
Assess if a Safeguard is an Independent Protection Layer (IPL) 37
Delete a Safeguard 39

Chapter 6: Admin 40
LOPA Admin Page 41
Query Paths 41
IPL Checklists 42
Active IPLs 46
Passive IPLs 50
Human IPLs 55
Initiating Events 59
Consequence Probabilities 64

Chapter 7: Deployment 68
Deployment and Upgrade 69

Chapter 8: Reference 70
General Reference 71
Family Field Descriptions 83
Catalog Items 99

iii
Chapter 9: Release Notes 101
Fourth Quarter of 2021 102
Second Quarter of 2021 102
Fourth Quarter of 2020 102

iv Layers of Protection Analysis

GE, the GE Monogram, and Predix are either registered trademarks or trademarks of General Electric
Company. All other trademarks are the property of their respective owners.
This document may contain Confidential/Proprietary information of General Electric Company and/or its
suppliers or vendors. Distribution or reproduction is prohibited without permission.
THIS DOCUMENT AND ITS CONTENTS ARE PROVIDED "AS IS," WITH NO REPRESENTATION OR
WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
WARRANTIES OF DESIGN, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE. ALL OTHER
LIABILITY ARISING FROM RELIANCE UPON ANY INFORMATION CONTAINED HEREIN IS EXPRESSLY
DISCLAIMED.
Access to and use of the software described in this document is conditioned on acceptance of the End
User License Agreement and compliance with its terms.

© 2022 General Electric Company v

Chapter

1
Overview
Topics:

• Overview of the Layers of

Protection Analysis (LOPA)
Module
• Access the LOPA Overview
Page
• LOPA Workflow

© 2022 General Electric Company 1

Overview of the Layers of Protection Analysis (LOPA) Module
Layers of Protection Analysis (LOPA) is a type of risk assessment that helps you evaluate the frequency of
occurrence of events that can cause a hazard, the likelihood of failure of independent layers of protection,
and the consequences, to provide an estimate of risk associated with a scenario. LOPA is a fully
quantitative assessment of risk and applicability of safeguards.
The Layers of Protection Analysis module is complementary to Hazards Analysis and SIL Assessment. It
uses GE Digital APM core functionality to create and manage LOPA. The LOPA assessment can help in:
• Evaluating scenarios generated in the Hazard Analysis.
• Identifying safeguards that can act as an Independent Protection Layer (IPL).
• Determining the Safety Integrity Level (SIL) for Instrumented Functions.
You can use the integration between the Layers of Protection Analysis module and SIS Management
module, and the integration between the Layers of Protection Analysis module and Hazards Analysis
module, to centrally manage LOPA for various scenarios and safety systems.

Access the LOPA Overview Page

About This Task
By default, the hierarchy level is set to Home and the information that appears on the LOPA Overview
page is related to all Hierarchy Levels, including records that are not associated with any Asset. You can
filter the information that appears on the page based on a specific Asset by selecting on the upper-left
corner of the page.

Procedure
In the module navigation menu, select Integrity > Layers of Protection Analysis.
The LOPA Overview page appears, displaying the following tabs:
• Under Review: Contains a list of LOPAs that are being reviewed and have not been approved. This
sections contains the following columns of information:
◦ LOPA ID: Contains the value from the LOPA ID field. You can select the link in the LOPA ID column
to access the LOPA.
◦ Initiating Event: Contains the value from the Initiating Event field.
◦ Frequency of Initiating Event: Contains the value from the Frequency of Initiating Event field.
• Approved: Contains a list of LOPAs that are approved (i.e., in the Complete state). The section
contains the same columns of information as the Under Review tab.

2 © 2022 General Electric Company

LOPA Workflow
This workflow provides the basic, high-level steps for using the Layers of Protection Analysis module. The
steps and links in this workflow do not necessarily reference every possible procedure.
1. Create a Layers of Protection Analysis by defining the type of Initiating Event, the required mitigated
consequence frequency, and the probability of the enabling event. You can also associate the LOPA
with a Functional Location and an Equipment.
2. Create Conditional Modifiers and define their probabilities.
3. Create Safeguards by defining the Safeguard type and linking an Asset to the Safeguard.
4. Specify a Safeguard as an Independent Protection Layer (IPL).
5. Evaluate the results by viewing the summary in the LOPA Summary workspace of the LOPA.

© 2022 General Electric Company 3

Chapter

2
Workflow
Topics:

• Layers of Protection Analysis:

LOPA
• Create LOPA
• Define Enabling Event and
Probability
• Conditional Modifiers?
• Define Conditional Modifiers
• Add IPLs and Link Assets
• Review SIL, PFD, and RRF
Values
• SIL Assessment
• HAZOP Analysis
• What-If Analysis

4 © 2022 General Electric Company

Layers of Protection Analysis: LOPA
This workflow describes the process of performing a Layer of Protection Analysis (LOPA) by defining the
initiating event, frequency of event, consequence, enabling events, safeguards, and conditional modifiers.
In the following workflow diagram, the blue text in a shape indicates that a corresponding description has
been provided in the sections that follow the diagram.

1. Create LOPA on page 5

2. Define Enabling Event and Probability on page 6
3. Conditional Modifiers? on page 6
4. Define Conditional Modifiers on page 6
5. Add IPLs and Link Assets on page 6
6. Review SIL, PFD, and RRF Values on page 6
7. SIL Assessment on page 6
8. HAZOP Analysis on page 7
9. What-If Analysis on page 7

Create LOPA
Persona: Analyst
Create a LOPA by defining the consequence, initiating event, initiating event frequency, and required
mitigated consequence frequency. To define these values, you can refer to the plant history, trip event
reports, or the expected frequency provided by the manufacturer. When you create a LOPA, you can also

© 2022 General Electric Company 5

define the Risk Severity and Risk Category of the consequence. When you use the LOPA for
SIL Assessment in a SIL Analysis, the severity and category of the risk defined in the LOPA is used to map
the unmitigated risk of the scenario on a Risk Matrix.

Define Enabling Event and Probability

Persona: Analyst
For each enabling event, provide the details of the event and the probability of its occurrence. This value
should be based on industry-accepted failure data for each device or system.

Conditional Modifiers?
Persona: Analyst
Determine if there are factors that can decrease the probability of the event. For example, if the event is
releasing flammable gas into an explosive atmosphere, then the presence of an operator for only 12 hours
a day can decrease the risk of injury.

Define Conditional Modifiers

Persona: Analyst
For each conditional modifier, create a Conditional Modifier record to define the probability.

Add IPLs and Link Assets

Persona: Analyst
Determine the Independent Protection Layers (IPLs) that have been set up to prevent a hazardous event
from occurring or to reduce the severity of the event. These protective layers must meet the
independence, specificity, dependability, and auditability requirements specified in IEC 61511. Link the IPL
to an Equipment and a Functional Location that correspond to the asset that acts as an independent
protection layer.

Review SIL, PFD, and RRF Values

Persona: Analyst
Review the Safety Integrity Level (SIL), Probability of Failure on Demand (PFD), and Risk Reduction Factor
(RRF) values based on the guidelines specified in IEC 61511.

SIL Assessment
Persona: Analyst
Go to the SIL Assessment workflow.

6 © 2022 General Electric Company

HAZOP Analysis
Persona: Analyst
Go to the HAZOP Analysis workflow.

What-If Analysis
Persona: Analyst
Go to the What-If Analysis workflow.

© 2022 General Electric Company 7

Chapter

3
Performing LOPA
Topics:

• About Performing Layer of

Protection Analysis (LOPA)
• About Safety Integrity Level
(SIL)
• About Qualitative Risk Rank
Mapping from LOPA
• About Integration Between
Hazards Analysis and LOPA
• About Integration Between SIS
Management and LOPA
• About Revision History
• Access a Layer of Protection
Analysis
• Access the LOPA Summary
• Create a Layer of Protection
Analysis
• Change the State of a LOPA
• Access Revision History of a
LOPA
• Delete a Layer of Protection
Analysis

8 © 2022 General Electric Company

About Performing Layer of Protection Analysis (LOPA)
LOPA can be used to make decisions regarding risk in a hazardous scenario. A scenario is an unplanned
event that results in an undesirable consequence. LOPA is usually applied to determine if a scenario is
within the risk tolerance criteria or if the risk must be reduced.
When you create a LOPA, you will define the following information:
• The risk or initiating event for which you are conducting the LOPA.
• The consequence that may occur if that risk is not prevented from proceeding into an undesirable
scenario.
• The enabling events and conditions that can help in initiating the undesirable event.
• The frequency of occurrence of events.
• The tolerable frequency of occurrence of event.
Additionally, a LOPA can be linked to the following:
• Conditional Modifier
• Safeguard
Based on the values that you enter for the fields in LOPA, Conditional Modifiers, and Safeguards, the SIL
value is calculated and stored in the Calculated SIL field in the LOPA. A summary of probabilities and
frequency values for the LOPA and its associated records appear in the LOPA Summary workspace.
Based on the summary, you can evaluate the scenario and make further decision on risk mitigation.
You can create a LOPA, and then link it to the following:
• A SIL Assessment for an Instrumented Function in SIS Management.
• A Cause-Consequence pair in Hazards Analysis.
If you have linked the LOPA with the SIL Assessment of an Instrumented Function, the SIL value calculated
in the LOPA represents the target Safety Integrity Level that the Instrumented Function must achieve (i.e.,
the amount of risk reduction that the Instrumented Function must provide).
If the LOPA is linked to the Cause-Consequence pair in Hazards Analysis, then the SIL value determines if
the safeguards that are currently in place reduce the risk to a tolerable level.

About Safety Integrity Level (SIL)

The SIL value is a measure of the reliability and availability of a safety system. It is the measurement of
performance of a safety system under all the stated conditions within a stated period of time.
LOPA is a quantitative method for determining the SIL level for the safety system. The LOPA process uses
information such as initiating event frequencies, the probabilities of failures of all safeguards, and the
tolerable frequency of risk mitigation to determine the required probability of failure of the safety system.
The required probability of failure is a number representing the probability that a safety system will fail in
a dangerous scenario.
The SIL value for the safety system is determined by comparing the required probability of failure to the
international standards of functional safety, defined in IEC 61508 and IEC 61511.
Based on the demand rate of the safety system, the SIL standards are classified into the following two
types:
• Low Demand Mode: The demand rate of the safety system is less frequent than once per year. In these
cases, the failure rate is measured by the average probability of failure on demand (PFD Avg).

© 2022 General Electric Company 9

• High Demand or Continuous Mode: The demand rate of the instrumented function is more frequent
than once per year. In this case, the failure rate is measured by the average probability of failure per
hour (PFH).
As per the industry standards, the required probability of failure are related to one of the four safety
integrity levels contained in the following table:

Safety Integrity Level (SIL) Required Probability of Failure

Low Demand Mode High Demand or Continuous Mode

Probability of Failure on Demand (PFD Probability of Failure per Hour (PFH)
Avg)

4 ≥ 10-5 to < 10-4 ≥ 10-9 to < 10-8

3 ≥ 10-4 to < 10-3 ≥ 10-8 to < 10-7

2 ≥ 10-3 to < 10-2 ≥ 10-7 to < 10-6

1 ≥ 10-2 to < 10-1 ≥ 10-6 to < 10-5

For example, if the required probability of failure for a safety system is 0.02, which is a value between 0.01
and 0.1, the Safety Integrity Level for the safety system is 1.

About Qualitative Risk Rank Mapping from LOPA

LOPA is used for quantitative assessment of the probability of occurrence of an incident or risk and for
assessing the SIL value. With GE Digital APM, you can use the values calculated in LOPA to quantitatively
assess the SIL and derive a qualitative risk rank mapping for an Instrumented Function in SIS
Management. You can then create recommendations that can be promoted to Asset Strategy
Management (ASM).

Details
GE Digital APM maps the quantitative values calculated using LOPA with the Risk Matrix configured for the
site to which the LOPA belongs, and then assigns the unmitigated risk in the Risk Matrix. The following
values in the LOPA are used to derive at the unmitigated risk rank:
• Risk Category: The value in the Risk Category field in the LOPA identifies the category of the driving risk
associated with the initiating event. This value is mapped to the Risk Category in the Risk Matrix.
• Risk Severity: The value in the Risk Severity field identifies the severity of the impact and is mapped to
the Consequence value in the Risk Matrix.
• Unmitigated Consequence Frequency: The value in the Unmitigated Consequence Frequency field is
mapped to the Probability value in the Risk Matrix in one of the following ways:
◦ The Probability that is equal to or less than the unmitigated consequence frequency is selected as
the Probability for the Risk Matrix.
◦ If the unmitigated consequence frequency is lower than the lowest Probability defined in the Risk
Matrix, the lowest Probability is selected as the Probability for the Risk Matrix.
Note: GE Digital APM assumes that you have created the Risk Matrix for your site using probability
values that have been standardized to be measured in terms of years.
Based on the Probability and Consequence values, GE Digital APM identifies the unmitigated risk rank
associated with the selected Risk Category. A Risk Assessment record, which stores details such as the
driving risk category and the unmitigated risk rank value, is created and linked to the LOPA.

10 © 2022 General Electric Company

If you assess the SIL value for an Instrumented Function using a LOPA that is linked to a Risk Assessment,
and then create a recommendation for the Instrumented Function, the Mitigated Risk section appears in
the Recommendation. In the Mitigated Risk section, the following details appear:
• Total Risk: Contains the unmitigated risk rank stored in the Risk Assessment associated with the
LOPA.
• Driving Risk: Contains the Risk Category that you selected in the LOPA.
• Driving Risk Threshold: Indicates the Risk Threshold value for the unmitigated risk rank.

On the Risk Matrix, in the Risk Category that you selected in the LOPA, the icon appears on the cell
corresponding to the unmitigated risk rank. You can then select the mitigated risk rank for the category.

Example: Unmitigated Consequence Frequency Falls Between two Probability

values
Suppose that you have configured a Risk Matrix for Site X with the following values in
Risk Probability records for the Risk Category Operations:

Risk Probabi Failure Failure

Probabi lity Interval Interval
lity Units
Name

Frequen 1 1 years
t

Probable 0.1 10 years

Possible 0.01 100 years

Remote 0.001 1000 years

Improba 0.0001 10000 years

ble

In Site X, suppose that you created a LOPA with the following details:
• Risk Category = Operations
• Risk Severity = High
• Unmitigated Consequence Frequency = 0.005
For the above example, the probability value in the Risk Matrix that is less than the
unmitigated consequence frequency is 0.001. Therefore, on the Risk Matrix, the
unmitigated risk will be mapped to the cell corresponding to Probability value 0.001
and Consequence value High.

Example: Unmitigated Consequence Frequency is Lower than the Lowest

Probability value
Suppose that you have configured a Risk Matrix for Site X with the following values in
Risk Probability records for the Risk Category Operations:

© 2022 General Electric Company 11

Risk Probabi Failure Failure
Probabi lity Interval Interval
lity Units
Name

Frequen 5 .2 years
t

Probable 1 1 years

Possible 0.3 3.33 years

Remote 0.1 10 years

Improba 0.05 20 years

ble

In Site X, suppose that you created a LOPA with the following details:
• Risk Category = Operations
• Risk Severity = Medium
• Unmitigated Consequence Frequency = 0.001
For the above example, the unmitigated consequence frequency is lower than the
lowest probability value (i.e., 0.05) in the Risk Matrix. Therefore, on the Risk Matrix,
the unmitigated risk will be mapped to the cell corresponding to Probability value
0.05 and Consequence value Medium.

About Integration Between Hazards Analysis and LOPA

Integration between Hazards Analysis and LOPA helps in analyzing the risk in a hazardous scenario, and
developing appropriate Safeguards to mitigate the risk.
You can create or link a LOPA with a Consequence in Hazards Analysis (i.e., a HAZOP or a What If
Analysis). When you create or link a LOPA with a Consequence, the following information is mapped from
the Cause to the LOPA:
• Cause Type: The value in the CCPS Cause Type field from the Hazards Cause is mapped to the
Initiating Event Type field in the LOPA.
• Cause Frequency: The value in the Cause Frequency (per year) field from the Hazards Cause is
mapped to the Frequency of Initiating Event field in the LOPA.
Hence, though you create or link a LOPA from a Consequence, the LOPA is performed on a Cause-
Consequence pair. For each Cause-Consequence pair, you can perform a LOPA.

Safeguard sharing between Hazards Analysis and LOPA

When you create or link a LOPA with a Consequence in Hazards Analysis, the Safeguards that are
associated with the LOPA are automatically linked to the Consequence for which you performed the
LOPA. Similarly, the Safeguards that are associated with the Consequence are automatically linked to the
LOPA.
You can modify a Safeguard only if the Hazards Analysis and the LOPA with which the Safeguard is
associated are in the Planning state.

12 © 2022 General Electric Company

When you unlink a LOPA from the Consequence in Hazards Analysis, GE Digital APM system creates
copies of the Safeguards associated with the LOPA, and then links them to the Consequence. The copied
Safeguards appear in the Hazards Worksheet of the Hazards Analysis.

Illustration
The following image shows the data mapping between Hazards Analysis and LOPA.

About Integration Between SIS Management and LOPA

Integration between SIS Management and LOPA helps in assessing the SIL level for Instrumented
Functions.
To assess the SIL level for an Instrumented Function using LOPA:
1. Perform a LOPA for the risk that the instrumented function is designed to mitigate. A LOPA record will
be created.
2. Approve the LOPA by changing the state of the LOPA to Complete.
3. In the SIL Assessment section of the Instrumented Function, link the LOPA in the LOPA Assessment
datasheet. A LOPA Assessment record is created by mapping the following values from the LOPA
record that you linked.

This field in LOPA Assessment: ...is populated with the value in this field from LOPA:

Linked LOPA ID LOPA ID

Frequency of Initiating Event Frequency of Initiating Event

Mitigated Consequence Frequency Mitigated Consequence Frequency

Required Mitigated Consequence Frequency Required Mitigated Consequence Frequency

Required Probability of Failure Required PIF PFD

Risk Reduction Factor (RRF) Required PIF Risk Reduction Factor

Unmitigated Consequence Frequency Unmitigated Consequence Frequency

© 2022 General Electric Company 13

This field in LOPA Assessment: ...is populated with the value in this field from LOPA:

Total IPL PFD Total IPL PFD

Selected SIL Level Calculated SIL

If the LOPA is associated with a Risk Assessment, then a copy of the Risk Assessment is created and
linked with the LOPA Assessment.
4. You can then associate the LOPA Assessment with an Instrumented Function. GE Digital APM system
populates the following values in the SIL Assessment section of the Instrumented Function based on
the values in the LOPA Assessment:

This field in Instrumented Function: ...is populated with the value in this field from LOPA
Assessment:

Selected SIL Level Selected SIL Level

Required Probability of Failure Required Probability of Failure

Risk Reduction Factor Risk Reduction Factor (RRF)

The Instrumented Function is linked to the Risk Assessment associated with the LOPA Assessment.

Illustration
The following image illustrates the data mapping between LOPA and LOPA Assessment.

About Revision History

The Revision History feature allows you to manage the revisions made for an entire LOPA analysis. When
you perform a LOPA analysis, you link records from multiple families to the LOPA, which represents the

14 © 2022 General Electric Company

entire analysis. When you complete an analysis (i.e., the analysis has been approved), you will change the
state of the LOPA to Complete. When you do so, a snapshot of the LOPA and each record linked to it is
saved as a LOPA Revision record.
In other words, after the record state for the LOPA is changed to Complete, one Revision record is created
for each record that is linked to the LOPA. Records for the following families are created:
• LOPA Revision: One record for the LOPA.
• Hazards Analysis Consequence Revision: One record for each Conditional Modifier associated with the
LOPA.
• Hazards Analysis Safeguard Revision: One record for each Safeguard associated with the LOPA
• IPL Checklist Revision: One record per IPL criteria that is associated with each Safeguard associated
with the LOPA.
A Revision family contains all the fields that are in the source family. Each Revision record stores the
values for all the fields in the source record as it appeared when the state of the LOPA was changed to
Complete.
If you re-evaluate the LOPA, and then change the state of the LOPA to Complete, a second set of Revision
records will be created, and so on. The number of revisions performed on the LOPA appears in the upper-
right corner of the LOPA Summary workspace for the LOPA, which you can select to access the Revision
History. When you select the Show Changes button for a record, a list of values in the preceding revision
record and a list of values for all the fields that were modified (i.e., values in the latest revision record) are
displayed.

Access a Layer of Protection Analysis

Procedure
1. Access the LOPA Overview page.
2. On the LOPA Overview page, select one of the following tabs:
• Under Review: Select this tab if you want to view a LOPA record that is being reviewed and has
not been approved.
• Approved: Select this tab if you want to view a LOPA record that is in Complete state.
A list of LOPAs appears based on the tab that you selected.

3. In the LOPA ID column, select the link for the LOPA that you want to view.
The LOPA Summary workspace appears, displaying the Definition and Summary tabs. The
Definition tab is selected by default, displaying the datasheet for the selected LOPA.

© 2022 General Electric Company 15

Note: As needed, you can modify the values in the available fields, and then select to save your
changes. You can modify values for a LOPA only if the record in the Planning state.

The following tabs appear in the pane to the left of of the LOPA Summary workspace:
• Conditional Modifiers : Contains a list of Conditional Modifiers associated with the LOPA.
• Safeguards and IPLs : Contains a list of Safeguards associated with the LOPA.

Access the LOPA Summary

This topic describes how to access the LOPA Summary workspace, which provides an overview of
frequencies and probability values associated with various calculations in LOPA.

Before You Begin

• Create a Layer of Protection Analysis.
• Create Conditional Modifiers that you want to associate with the LOPA.
• Create Safeguards and specify if they are IPLs.

Procedure
1. Access the LOPA whose summary you want to view.
2. In the LOPA Summary workspace, select Summary.
The Summary section appears, displaying summary information for the LOPA and the associated
Conditional Modifiers and Safeguards.

16 © 2022 General Electric Company

The Summary section contains the following information:
• Initiating Event: Contains the description of the Initiating Event and the frequency of occurrence
of the initiating event.
• Enabling Event or Condition: Contains the description of the enabling event and the probability
of occurrence of the enabling event.
• Frequency of Unmitigated Consequence: Contains the frequency of occurrence of the
Consequence before any Safeguards and IPLs are considered.
• Conditional Modifiers: Contains the Conditional Modifier ID and the probability of occurrence of
the Conditional Modifier. One row appears for each Conditional Modifier that is associated with the
LOPA.
• Safeguards and IPLs: Contains the Safeguard ID and the probability that the Safeguard will fail on
demand (PFD). One row appears for each Safeguard that is associated with the LOPA.

Create a Layer of Protection Analysis

About This Task
This topic describes how to create a LOPA via the LOPA Overview page. You can also create a LOPA from
a Consequence in Hazards Analysis, which is then automatically linked to the Consequence.

Procedure
1. Access the LOPA Overview page.
2. On the LOPA Overview page, select the Under Review tab.
A list of LOPAs appears.

© 2022 General Electric Company 17

3. In the upper-left corner of the Under Review section, select .
A blank datasheet for LOPA appears, displaying the Definition section.

4. As needed, enter values in the available fields.

5. In the upper-right corner of the Definition section, select .
The LOPA is created.

Results
• If you selected a value in the Risk Category and Risk Severity fields, then a Risk Assessment record is
created and linked with the LOPA. The Risk Assessment record stores details about the unmitigated
risk, which will be used for qualitative risk analysis of an Instrumented Function.

18 © 2022 General Electric Company

Next Steps
• Link the LOPA to a Consequence in Hazards Analysis. For more information, refer to the Hazards
Analysis section of the documentation.
-or-
• Assess the SIL value of an Instrumented Function using the LOPA. For more information, refer to the
SIS Management section of the documentation.

Change the State of a LOPA

This topic describes how to change the state of a LOPA, while assigning the state of the LOPA to the
appropriate user.

Before You Begin

If a LOPA is used for SIL assessment of an Instrumented Function, a LOPA Assessment record is created
and associated with the LOPA. When you change the state of a LOPA to Complete, the associated LOPA
Assessment is also updated. Any change to the LOPA Assessment will also affect the associated
Instrumented Function and Protective Instrument Loops. Therefore, if the LOPA is linked to a LOPA
Assessment of an Instrumented Function in a SIL Analysis, then to change the state of the LOPA to
Complete, the SIL Analysis and the associated PILs must be in a modifiable state.
• The SIL Analysis must be in the Planning state.
• The Protective Instrument Loops associated with the Instrumented Function must be in the Design
state.

About This Task

Important: You can modify the state for a LOPA only if you are an administrator or a user who belongs to
the State Configuration Role configured for that state.

Procedure
• Change the State of a LOPA that is not Linked to a LOPA Assessment.
1. Access the LOPA whose state you want to change.
2. In the upper-right corner of the LOPA Summary workspace, select the button that indicates the
current state of the LOPA. For example, if the current state of the LOPA is Planning, select
Planning.
A menu appears, displaying the list of operations that you can perform on the LOPA to change its
state.

© 2022 General Electric Company 19

Note: You can view the states assigned to various users by selecting the Manage State
Assignments link. If not already done, you can assign the next state of the LOPA to the appropriate
user, and then select Done.
3. Select the necessary operation that will change the state of the LOPA, and then select Done. For
example, if you want to change the state of the LOPA from Planning to Active, select Begin, and
then select Done.
The state of the LOPA is changed.
• Change the State of a LOPA that is Linked to a LOPA Assessment
1. Access the LOPA whose state you want to change.
2. In the upper-right corner of the LOPA Summary workspace, select the button that indicates the
current state of the LOPA. For example, if the current state of the LOPA is Planning, select
Planning.
A menu appears, displaying the list of operations that you can perform on the LOPA to change its
state.

20 © 2022 General Electric Company

If the LOPA is in the Pending Approval state and you selected the operation Accept, a message
appears, indicating that when you change the state of the LOPA to Complete, the changes to the
LOPA will update the values in the associated LOPA Assessment and the Protective Instrumented
Loops.

a. Select OK.
If the associated SIL Analysis is not in the Planning state or the associated Protective
Instrument Loops are not in the Design state, a message appears, stating that the state of the
LOPA cannot be changed.

b. Select OK.
The state of the LOPA is not changed.
-or-
If the LOPA is not in Pending Approval state, the state of the LOPA is changed.

Results
• When you change the state of a LOPA to Complete, the number of revisions for the LOPA is
incremented by one, and appears in the upper-right corner of the LOPA Summary workspace.
• For each revision, a Revision record is created for the LOPA, and its associated Conditional Modifiers
and Safeguards.
• If you changed the state of LOPA linked to a LOPA Assessment of an Instrumented Function in a SIL
Analysis to Complete, then the values in the associated LOPA Assessment and Risk Assessment are

© 2022 General Electric Company 21

updated based on the values in the LOPA. If linked to a LOPA Assessment of an Instrumented Function
in a SIL Analysis, the following records are also updated:
◦ Instrumented Functions with which the LOPA Assessment is linked.
◦ Protective Instrument Loops associated with the Instrumented Functions.

Access Revision History of a LOPA

Procedure
1. Access the LOPA for which you want to access the revision history.
2. In the upper-right corner of the page, select Revisions.
A list of revisions for the LOPA appears.

3. For the row that contains the revision that you want to access, in the Revision Name column, select
the link.
The LOPA Revision datasheet for the selected revision appears, displaying the details of the LOPA for
that revision. The Conditional Modifiers tab and the Safeguards and IPLs tab appears in the left
pane.

22 © 2022 General Electric Company

4. If you want to view the changes that have been made for the LOPA, in the upper-right corner of the
page, select Show Changes.
The Changes For Selected Datasheet window appears, displaying a list of values in the preceding
LOPA Revision record and a list of values in the latest LOPA Revision record for the selected LOPA.

© 2022 General Electric Company 23

5. If you want to view the changes that have been made for conditional modifiers associated with LOPA,
perform the following steps:
a) In the left pane, select Conditional Modifiers.
In the left pane, the Conditional Modifier records that are associated with the LOPA appear.

24 © 2022 General Electric Company

b) Select the record for which you want to view the revision, and then, in the upper-right corner of the
page, select Show Changes.
The Changes For Selected Datasheet window appears, displaying a list of values in the preceding
Conditional Modifier Revision record and a list of values in the latest Conditional Modifier Revision
record for the selected Conditional Modifier.
6. If you want to view the changes that have been made for safeguards and IPLs associated with LOPA,
perform the following steps:
a) In the left pane, select Safeguards and IPLs.
In the left pane, the Safeguard records that are associated with the LOPA appear.

© 2022 General Electric Company 25

b) Select the record for which you want to view the revision, and then, in the upper-right corner of the
page, select Show Changes.
The Changes For Selected Datasheet window appears, displaying a list of values in the preceding
Safeguard Revision record and a list of values in the latest Safeguard Revision record for the
selected Safeguard. The window also contains the old and new values for the IPL Checklist criteria
associated with the Safeguard.

Delete a Layer of Protection Analysis

Procedure
1. Access the LOPA that you want to delete.
2. On the upper-right corner of the LOPA datasheet, select , and then select Delete.
Note: You can delete a LOPA only if the LOPA is in the Planning state.
A confirmation message appears, asking you if you want to delete the LOPA.
Note: When you delete a LOPA, the relationship with the associated Consequence Modifiers and
Safeguards is removed.
3. Select Yes.
The LOPA is deleted.
Note: If you delete a LOPA linked to a Hazards Analysis, the Safeguards created in LOPA remain
associated with the Hazards Analysis.

26 © 2022 General Electric Company

Chapter

4
Conditional Modifiers
Topics:

• About Conditional Modifiers

• Access a Conditional Modifier
• Create a Conditional Modifier
• Delete a Conditional Modifier

© 2022 General Electric Company 27

About Conditional Modifiers
A conditional modifier is an action or event that can reduce the probability of an undesirable event.
Details about a conditional modifier are stored in Consequence Modifier records, which are linked to LOPA
records. Based on the modifier type that you selected when you create a Conditional Modifier, the
probability of occurrence of the modifier is determined using the default probabilities defined in the
Consequence Adjustment Probabilities record for the modifier type.
The product of probability of occurrence of conditional modifier and initiating event frequency is referred
to as Unmitigated Consequence Frequency on the Conditional Modifier datasheet.

Example
Suppose that the SIL analysis team is conducting a LOPA to investigate the risk
scenario illustrated in the following diagram, where each box represents a part of the
scenario, and each label indicates the family that stores the relevant information:

When Valve A-1001 fails, flammable gas is released into the atmosphere. If the
flammable gas reaches a potential ignition source (e.g., electric switch, motor),
causing a vapor cloud explosion in the vicinity of the operator, it could cause a fatal
injury.
In this risk scenario, the fatal injury is a consequence of the valve failure, and the
following events or actions are the conditional modifiers:
• The flame igniting
• The vapor cloud exploding
• The operator being in the vicinity of the explosion
Since these actions and events appear within the risk scenario, the probability
associated with the consequence occurring is increased exponentially. In other words,
if the operator was not in the vicinity of the blast, the probability of fatal injury would
be less. By examining the granular events that are associated with a risk, the SIL
analysis team can more accurately assess the SIL value for the safety system.
In this example, consider the following values:
• Probability of the operator being present in the vicinity of blast = 0.5 (i.e., 50%)
• Frequency of failure of Valve A-1001 = 0.2
For the above values, the Unmitigated consequence frequency of the scenario is
calculated as follows:
• Probability of the operator being present in the vicinity of blast x Frequency of
failure of Valve A-1001 = 0.5 x 0.2 = 0.1

28 © 2022 General Electric Company

Access a Conditional Modifier
Before You Begin
• As needed, modify the Consequence Adjustment Probabilities records, which store the default
probability for each modifier type.

Procedure
1. Access the Layer of Protection Analysis (LOPA) that is linked to the Conditional Modifier that you want
to access.
2. In the left pane, select Conditional Modifiers.
The Conditional Modifiers workspace appears, displaying a list of Conditional Modifiers linked to the
LOPA.

3. In the Consequence Modifier ID column, select the link for the Conditional Modifier that you want to
access.
The datasheet for the Conditional Modifier appears.

Note: As needed, you can modify the values in the available fields, and then select to save your
changes. You can modify values for a Conditional Modifier only if the associated LOPA datasheet is in
the Planning state.

© 2022 General Electric Company 29

Create a Conditional Modifier
Before You Begin
• Create a Layer of Protection Analysis (LOPA).
• As needed, modify the Consequence Adjustment Probabilities records, which store the default
probability for each modifier type.

Procedure
1. Access the LOPA for which you want to create a Conditional Modifier.
2. In the left pane, select Conditional Modifiers.
The Conditional Modifiers workspace appears, displaying a list of Conditional Modifiers linked to the
LOPA.

3. In the upper-left corner of the workspace, select .

A blank datasheet for the Conditional Modifier appears.

4. As needed, enter values in the available fields.

5. On the upper-right corner of the datasheet, select .

30 © 2022 General Electric Company

The Conditional Modifier is created and associated with the LOPA.

Results
• In the Conditional Modifiers workspace, the Conditional Modifier that you created appears in the list
of records.
• The unmitigated consequence frequency value and mitigated consequence frequency value for the
LOPA are recalculated.
• The summary of the LOPA is updated with the details of the Conditional Modifier.

Delete a Conditional Modifier

About This Task
You can delete a Conditional Modifier only if the associated LOPA record is in the Planning state.

Procedure
1. Access the Layer of Protection Analysis (LOPA) that is associated with the Conditional Modifier that
you want to delete.
2. In the left pane, select Conditional Modifiers.
The Conditional Modifiers workspace appears, displaying a list of Conditional Modifiers linked to the
LOPA.

3. Select the row containing the Conditional Modifier that you want to delete.
4. In the upper-right corner of the Conditional Modifiers workspace, select .
The Delete Modifier dialog box appears, asking you to confirm that you want to delete the Modifier.
5. Select OK.
The Conditional Modifier is deleted.

Results
• The unmitigated consequence frequency value and mitigated consequence frequency value for the
LOPA are recalculated to remove the effect of the deleted Conditional Modifier.
• The details of the Conditional Modifier is removed from the summary of the LOPA.

© 2022 General Electric Company 31

Chapter

5
Safeguards and IPLs
Topics:

• About Safeguards and

Independent Protection Layers
(IPL)
• About Identifying an
Independent Protection Layer
• Access a Safeguard
• Create a Safeguard
• Assess if a Safeguard is an
Independent Protection Layer
(IPL)
• Delete a Safeguard

32 © 2022 General Electric Company

About Safeguards and Independent Protection Layers (IPL)
Safeguard
A safeguard is a safety instrumented system or any other safety device that prevents a risk from occurring
or lowers the probability or severity identified by the risk assessment. Safeguard can also be an action
performed by a person (e.g., operator response to an alarm). In GE Digital APM, Safeguards can be linked
to an asset.

Independent Layer of Protection

When a safeguard is independent of the performance of other Safeguards, or the initiating event, the
safeguard is considered as an Independent Protection Layer (IPL). An independent layer of protection is
external to any other layer of protection or safety instrumented system. All independent layers of
protection are safeguards, but not all safeguards are independent layers of protection. To be specified as
an IPL, a Safeguard must satisfy a set of criteria.
The effectiveness of an independent layer of protection is quantified in terms of its probability of failure on
demand (PFD), which is a numeric value that represents the probability that the independent layer of
protection will fail to perform its specified safety function when required.
The following three types of IPLs are defined in the GE Digital APM:
• Active IPL: An active IPL is a device or system that changes from one state into another in response to
a change in process activity. For example, a pressure relief device is an active IPL that opens when
there is an abnormal change in the pressure inside a vessel and remains open until the pressure in the
vessel reduces to a value below the settings in the pressure relief device.
• Passive IPL: A passive IPL can achieve its risk reducing function without the requirement to take any
action or change the state of the system. For example, detonation arrestors and blast-walls are
passive IPLs that reduce the risk.
• Human IPL: Human IPLs involve the dependence on operators or other staff to take action to prevent
an undesired consequence, in response to alarms or following a routine check of the system.
Active, Passive, and Human IPLs are further classified as IPL Sub Types, and are defined in the Active IPL
family, Passive IPL family, and Human IPL family, respectively. For each subtype defined in the Active IPL,
Passive IPL, and Human IPL families, the probability of failure on demand (PFD) value is also defined.
Based on your selection of the IPL Type and the IPL Sub Type, the PFD for the Safeguard is determined
from the Active IPL, Passive IPL, or Human IPL records.
The PFD values for each of Safeguard that is an IPL is multiplied to populate the Total IPL PFD field in
LOPA. These values also modify the unmitigated and mitigated consequence frequency values in the
LOPA.

About Identifying an Independent Protection Layer

You must assess the independence of the safeguards to determine if the safeguard can be qualified as an
IPL. You must create one Safeguard for each layer of protection that exists. In the IPL Checklist section of
the Safeguards and IPLs workspace, a set of criteria appear as questions. To be classified as an IPL, a
Safeguard must meet all the criteria listed in the IPL Checklist section. These criteria can be modified in
the administrative settings for LOPA.
By default, the following criteria are defined for the IPL Checklist and are required to be true for a
safeguard to be considered as an independent protection layer:

© 2022 General Electric Company 33

• The safeguard must be independent of the initiating event such that a failure associated with the risk
will not cause the safeguard to fail.
• The safeguard must be testable and verifiable using an industry standard (e.g., a risk based inspection).
• The safeguard must be specific in detecting a potential hazard and taking action to prevent the hazard
from occurring.
• The safeguard must be capable and available at least 90 percent of the time.
• The safeguard must increase the Risk Reduction Factor (RRF) of the LOPA to a value greater than or
equal to 10.
To determine if a Safeguard is an IPL, you must select the criteria that are true for the Safeguard. If all the
criteria are true for a Safeguard, the Safeguard is classified as an IPL. The IPL Type field, IPL Sub Type field,
and PFD field are enabled. When you select the IPL Type and the IPL Sub Type, the corresponding PFD
value for the IPL is automatically populated.
When the IPL is saved, the Total IPL PFD field in the LOPA is updated with the calculated PFD value. If
there are more than one IPLs for the same LOPA, then the Total IPL PFD is calculated by multiplying the
values in the PFD fields of each Safeguard associated with the LOPA. These values also modify the
unmitigated and mitigated consequence frequency values in the LOPA.

Example
Suppose that in a hazardous scenario a high pressure separator releases liquid to
downstream equipment. If the liquid level in the high pressure separator decreases to
a certain level, pressure could be released to downstream equipment and cause it to
rupture. In this scenario, a controller monitors the liquid level. If the level gets too low,
the controller closes a valve so that the pressure is not released to downstream
equipment.
The low level alarm is an independent layer of protection for this scenario because it
meets all of the following criteria:
• The safeguard is independent because if the first controller fails, the low level
alarm has independent process connections and independent BPCS hardware
from the failed controller.
• The safeguard is auditable because the low level alarm can be routinely inspected.
• The safeguard is capable because it is available at least 90 percent of the time.
• The safeguard is specific because the alarm detects potential hazards by
measuring the liquid level and will alert the operator when the potential failure is
detected.
The low level alarm coupled with an operator response can reduce the risk associated
with the hazards scenario and can be considered an IPL.
For the above example, in GE Digital APM, the following IPL related information would
be stored in the record for the low level alarm Safeguard:
• IPL Type: Active IPL
• IPL Sub Type: Basic Process Control System
• PFD: 0.1
• Total IPL PFD value for the LOPA: 0.1

34 © 2022 General Electric Company

Access a Safeguard
Procedure
1. Access the Layer of Protection Analysis that is linked to the Safeguard that you want to access.
2. In the left-pane, select Safeguards and IPLs.
The Safeguards and IPLs workspace appears, displaying a list of safeguards linked to the LOPA.

3. In the Safeguard ID column, select the link for the Safeguard that you want to access.
The Safeguards and IPLs workspace appears, displaying the Definition and IPL Checklist tabs. The
Definition tab is selected by default, displaying the datasheet for the selected Safeguard.

Note: As needed, you can modify the values in the available fields, and then select to save your
changes. You can modify values for a Safeguard only if the associated LOPA is in the Planning state.
Additionally, if you have linked the LOPA to a Consequence in Hazards Analysis, you can modify the
Safeguard only if the Hazards Analysis is also in the Planning state.

© 2022 General Electric Company 35

Create a Safeguard
Before You Begin
• Create a Layer of Protection Analysis.

About This Task

This topic describes how to create a Safeguard.
Note: You can create a Safeguard only if the associated LOPA is in the Planning state. Additionally, if the
LOPA is linked to a Consequence in Hazards Analysis, you can create a Safeguard only if the Hazards
Analysis is also in the Planning state.

Procedure
1. Access the Layer of Protection Analysis for which you want to create a Safeguard.
2. In the left pane, select Safeguards and IPLs.
The Safeguards and IPLs workspace appears, displaying a list of safeguards linked to the LOPA.

3. In the upper-left corner of the workspace, select

A blank datasheet for the Safeguard appears, displaying the Definition section.

36 © 2022 General Electric Company

4. As needed, enter values in the available fields.
5. In the upper-right corner of the workspace, select .
The Safeguard is created and linked to the selected LOPA.

Next Steps
• Specify a Safeguard as an Independent Protection Layer (IPL)

Assess if a Safeguard is an Independent Protection Layer (IPL)

Before You Begin
• Create a Safeguard.
• As needed, modify the Active IPL, Passive IPL, or Human IPL records, which store the default
probability for each IPL Sub Type.

Procedure
1. Access the Safeguard that you want to assess to determine whether it is an IPL.
2. Select the IPL Checklist tab.
The IPL Checklist section appears, displaying a set of criteria to identify if the Safeguard is an IPL.

© 2022 General Electric Company 37

3. In the IPL Checklist section, next to each criteria that is applicable for the selected Safeguard, select
the check box.
The IPL Type box and the IPL Sub Type box are enabled.

Note: The IPL Type box and the IPL Sub Type box are enabled only if the check box for all the criteria
in the IPL Checklist section is selected.

38 © 2022 General Electric Company

4. As needed, select values in the available fields.
5. In the upper-right corner of the workspace, select .
The Safeguard is specified as an IPL.

Results
• Based on your selection in the IPL Type and IPL Sub Type fields, the Probability of Failure on Demand
(PFD) value is calculated for the safeguard.
• In the Summary section of the LOPA Summary workspace, the Probability column for the row
containing the Safeguard is updated with the calculated PFD value.
• In LOPA, the Total IPL PFD field is updated with the calculated PFD value. If there are more than one IPL
for the same LOPA, then the Total IPL PFD value is calculated by multiplying the values in the PFD field
of each Safeguard associated with the LOPA.

Delete a Safeguard
About This Task
Note: You can delete a Safeguard only if the associated LOPA is in the Planning state. Additionally, if you
have linked the LOPA to a Consequence in Hazards Analysis, you can delete the Safeguard only if the
Hazards Analysis is also in the Planning state.

Procedure
1. Access the Layer of Protection Analysis that is associated with the Safeguard that you want to delete.
2. In the left pane, select Safeguards and IPLs.
The Safeguards and IPLs workspace appears, displaying a list of Safeguards linked to the LOPA.

3. Select the row containing the Safeguard that you want to delete.
4. In the upper-right corner of the Safeguards and IPLs workspace, select .
The Delete IPL/Safeguard dialog box appears, asking you to confirm that you want to delete the
safeguard or IPL.
5. Select OK.
The Safeguard is deleted.

Results
• If the deleted Safeguard was an IPL, then the Total IPL PFD field on the LOPA datasheet is updated with
the recalculated PFD value to remove the effect of the deleted Safeguard.
• If you have linked the LOPA to a Consequence in Hazards Analysis, the Safeguard that you deleted in
the LOPA is also removed from the Hazards Worksheet of the Hazards Analysis.

© 2022 General Electric Company 39

Chapter

6
Admin
Topics:

• LOPA Admin Page

• Query Paths
• IPL Checklists
• Active IPLs
• Passive IPLs
• Human IPLs
• Initiating Events
• Consequence Probabilities

40 © 2022 General Electric Company

LOPA Admin Page
Access the LOPA Admin Page

Procedure
In the module navigation menu, select Admin > Application Settings > Layers of Protection Analysis.
The LOPA Admin page appears, displaying the Query Paths workspace.

Query Paths
About Query Paths
On the LOPA Overview page, when you select the tabs in the workspace, the following queries are
executed:
• LOPA Under Review Query: This query retrieves a list of LOPA that are not in the Complete state. This
query is executed when you select the Under Review tab on the LOPA Overview page, and
populates the Under Review section with the list of LOPA that is retrieved.
• LOPA Approved Query: This query retrieves a list of LOPA that are in the Complete state. This query is
executed when you select the Approved tab on the LOPA Overview page, and populates the
Approved section with the list of LOPA that is retrieved.
You can, however, specify different search queries for LOPA by replacing the default queries.

Specify Different Query Path

About This Task

This topic describes how to specify different search queries for LOPA by replacing the default queries.

© 2022 General Electric Company 41

Procedure
1. Access the LOPA Admin page.
2. In the Query Paths workspace, next to the query that you want to replace, select the Select button.
The Select a query from the catalog window appears.

3. Navigate to the folder that contains the query that you want to specify.
4. Select the query that you want to specify, and then select Open.
In the box corresponding to the query that you want to replace, the complete path to the query that
you selected appears.
5. In the upper-right corner of the LOPA Admin page, select Save.
The default query is replaced by the query that you selected.

IPL Checklists
About IPL Checklist
A safeguard is a safety instrumented system or any other safety device that prevents a risk from occurring
or lowers the probability or severity identified by the risk assessment. When a safeguard is independent
of the performance of other Safeguards, or the initiating event, the safeguard is called an Independent
Protection Layer (IPL).

42 © 2022 General Electric Company

All independent layers of protection are safeguards, but not all safeguards are independent layers of
protection. To be classified as an IPL, the Safeguard must meet a predefined set of criteria. In the
Application Settings for LOPA, you can configure the criteria that a safeguard must meet to be classified
as an IPL. By default, the following criteria are defined in GE Digital APM database:
• Is the IPL Independent of the initiating cause of the hazardous scenario?
• Is the IPL Specific in that has the ability to detect the hazardous scenario?
• Is the IPL Auditable with applicable industry standard?
• Is the IPL Capable with respect to its availability?
• Is the Risk Reduction Factor (RRF) >= 10?
In the Application Settings for LOPA, you can add any additional criteria that a Safeguard must satisfy to
be classified as an IPL. You can also delete any criteria that is not required to be true for a Safeguard to be
designated as an IPL. To modify the criteria, you must be a user belonging to the Security Group MI
SIS Administrator or MI HA Administrator.
The list of criteria that you define in the IPL Checklist workspace, appears on the IPL Checklist section
of the Safeguard datasheet when you create a new Safeguard. To specify that a Safeguard is an IPL, all the
criteria that are in the IPL Checklist section of the Hazards Analysis Safeguard datasheet must be
satisfied. When you select the check boxes for all the criteria, the IPL related fields are enabled for
modification. You can then specify values in the IPL Type and IPL Sub Type fields in the IPL Checklist
section, based on which the PFD value for the Safeguard will be automatically populated.

Access a Criteria Configured for the IPL Checklist

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select IPL Checklist.
The IPL Checklist workspace appears, displaying a list of criteria defined for a Safeguard to be
specified as an IPL.

3. In the row for the criteria that you want to access, in the Preference Name column, select the link.
The page for the selected criteria appears, displaying the datasheet for the record.

© 2022 General Electric Company 43

Note: As needed, modify values in the available fields, and then select to save your changes.

Configure Criteria for the IPL Checklist

About This Task

This topic describes how to configure criteria for the IPL Checklist, which appears in the IPL Checklist
section of the Safeguard datasheet.
Note: You can configure criteria for the IPL checklist only if you are a user belonging to the Security Group
MI SIS Administrator or MI HA Administrator.

3. In the upper-left corner of the workspace, select .

A blank datasheet for Asset Safety Preferences appears.

44 © 2022 General Electric Company

4. As needed, enter values in the available fields.
5. In the upper-right corner of the workspace, select .
The criteria is configured for the IPL Checklist.

Results
• When you add a new Safeguard to a LOPA, the criteria that you included appears on the IPL Checklist
section of the Safeguard datasheet.

Delete a Criteria from the IPL Checklist

About This Task

This topic describes how to delete a criteria from the IPL Checklist.
Note: You can delete a criteria from the IPL checklist only if you are user belonging to the Security Group
MI SIS Administrator or MI HA Administrator.

© 2022 General Electric Company 45

3. Select the row that contains the criteria that you want to delete.
4. In the upper-right corner of the workspace, select .
The Delete IPL Criteria dialog box appears, asking if you want to delete the criteria.
5. Select OK.
The criteria is deleted from the IPL Checklist.

Results
• When you add a new Safeguard to a LOPA, the criteria that you deleted does not appear on the IPL
Checklist section of the Safeguard datasheet.
Note: The criteria that you deleted would still appear in the IPL Checklist section of existing
Safeguards that you created using the criteria.

Active IPLs
About Active IPLs
An active IPL is a device or system that changes from one state to another in response to a change in
process activity. For example, a pressure relief device is an active IPL that opens when there is an
abnormal change in the pressure inside a vessel and remains open until the pressure in the vessel reduces
to a value below the settings in the pressure relief device.
In LOPA, you can create an Active IPL record for each type of active IPL. This record stores the
recommended probability of failure on demand (PFD) of the active IPL device or system. The PFD value
indicates the likelihood that the active IPL system will fail to perform its safety function when required.
The Active IPL records populate the IPL Sub Type field in the IPL Checklist section of the Safeguard, which
is of type Active IPL.

Default Active IPL Records

By default, the following Active IPL records are available in GE Digital APM:

46 © 2022 General Electric Company

Active IPL ID Lower Range Upper Range Default Value

Rupture disc 1E-05 0.1 0.01

Relief Valve 1E-05 0.1 0.01

Basic Process Control System 0.01 0.1 0.1

Access an Active IPL

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Active IPL.
A list of available Active IPLs appears.

3. In the Active IPL ID column, select the link for the Active IPL that you want to access.
In the Record Manager, the page for the selected record appears, displaying the datasheet for the
record.

© 2022 General Electric Company 47

Note: To modify the Active IPL, as needed, modify values in the available fields, and then select to
save your changes. The values in the existing Safeguards that have used the modified Active IPL will
not be affected by the changes. If you want to apply the changes to an existing Safeguard, in the IPL
Checklist section of the Safeguard, in the IPL Sub Type box, you must reselect the Active IPL that you
modified.

Create an Active IPL

Before You Begin

• For the Active IPL that you want to create, you must create a system code in the MI_ACTIVE_IPL
System Code Table. The System Code Table populates the Active IPL ID box. When you create the
Active IPL, in the Active IPL ID box, you must select the value that you entered in the System Code
Table.

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Active IPL.
A list of available Active IPLs appears.

3. In the upper-left corner of the workspace, select .

A blank datasheet for Active IPL appears.

48 © 2022 General Electric Company

4. As needed, enter values in the available fields.
5. In the upper-right corner of the workspace, select .
The Active IPL record is created.

Results
• In the IPL Checklist section of the Safeguard of type Active IPL, the Active IPL that you created
appears in the list of values in the IPL Sub Type box.

Delete an Active IPL

Before You Begin

• Before you can delete an Active IPL, you must delete the corresponding System Code that you created
in the MI_ACTIVE_IPL System Code Table.

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Active IPL.
A list of available Active IPLs appears.

© 2022 General Electric Company 49

3. In the row for each Active IPL that you want to delete, select the check box.
In the upper-right corner of the workspace, the button is enabled.
4. Select .
The Delete Active IPL dialog box appears, asking you to confirm that you want to delete each
selected Active IPL.
5. Select OK.
Each selected Active IPL is deleted.

Results
• In the IPL Checklist section of the Safeguard of type Active IPL, the Active IPL that you deleted does
not appear in the list of values in the IPL Sub Type box.
Note: The values in the existing Safeguards that have used the deleted Active IPL will not be affected
when you delete the Active IPL record.

Passive IPLs
About Passive IPLs
A passive IPL can achieve its risk reducing function without the requirement to take any action or change
the state of the system. For example, detonation arrestors and blast walls are passive IPLs that reduce
the risk.
In LOPA, you can create a Passive IPL record for each type of passive IPL. This record stores the
recommended probability of failure on demand (PFD) of the passive IPL device or system. The PFD value
indicates the likelihood that the passive IPL system will fail to perform its safety function when required.
The Passive IPL records populate the IPL Sub Type field in the IPL Checklist section of the Safeguard,
which is of type Passive IPL.

Default Passive IPL Records

By default, the following Passive IPL records are available in GE Digital APM:

50 © 2022 General Electric Company

Passive IPL ID Lower Range Upper Range Default Value

Blast-wall/Bunker 0.001 0.01 0.001

Fireproofing 0.001 0.01 0.01

Open Vent 0.001 0.01 0.01

Underground Drainage System 0.001 0.01 0.01

Flame/Detonation Arrestors 0.001 0.1 0.01

Dike 0.001 0.01 0.01

Inherently Safe design 1E-06 0.1 0.01

Access a Passive IPL

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Passive IPL.
A list of available Passive IPLs appears.

3. In the Passive IPL ID column, select the link for the Passive IPL that you want to access.
In the Record Manager, the page for the selected record appears, displaying the datasheet for the
record.

© 2022 General Electric Company 51

Note: To modify the Passive IPL, as needed, modify values in the available fields, and then select to
save your changes. The values in the existing Safeguards that have used the modified Passive IPL will
not be affected by the changes. If you want to apply the changes to an existing Safeguard, in the IPL
Checklist section of the Safeguard, in the IPL Sub Type box, you must reselect the Passive IPL that
you modified.

Create a Passive IPL

Before You Begin

• For the Passive IPL that you want to create, you must create a System Code in the MI_PASSIVE_IPL
System Code Table. The System Code Table populates the Passive IPL ID box. When you create the
Passive IPL, in the Passive IPL ID box, you must select the value that you entered in the System Code
Table.

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Passive IPL.
A list of available Passive IPLs appears.

52 © 2022 General Electric Company

3. In the upper-left corner of the workspace, select .
A blank datasheet for Passive IPL appears.

4. As needed, enter values in the available fields.

5. In the upper-right corner of the workspace, select .
The Passive IPL record is created.

Results
• In the IPL Checklist section of the Safeguard of type Passive IPL, the Passive IPL that you created
appears in the list of values in the IPL Sub Type box.

© 2022 General Electric Company 53

Delete a Passive IPL

Before You Begin

• Before you can delete a Passive IPL, you must delete the corresponding System Code that you created
in the MI_PASSIVE_IPL System Code Table.

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Passive IPL.
A list of available Passive IPLs appears.

3. In the row for each Passive IPL that you want to delete, select the check box.

In the upper-right corner of the workspace, the button is enabled.

4. Select .
The Delete Passive IPL dialog box appears, asking you to confirm that you want to delete each
selected Passive IPL.
5. Select OK.
Each selected Passive IPL is deleted.

Results
• In the IPL Checklist section of the Safeguard of type Passive IPL, the Passive IPL that you deleted does
not appear in the list of values in the IPL Sub Type box.
Note: The values in the existing Safeguards that have used the deleted Passive IPL will not be affected
when you delete the Passive IPL record.

54 © 2022 General Electric Company

Human IPLs
About Human IPLs
Human IPLs are IPLs that require operators or other staff to take action to prevent an undesired
consequence, in response to alarms or following a routine check of the system.
In LOPA, you can create a Human IPL record for each type of human IPL. This record stores the
recommended probability of failure on demand (PFD) of the human IPL. The PFD value indicates the
likelihood that the Human IPL will fail to perform its safety function when required. The Human IPL
records populate the IPL Sub Type field in the IPL Checklist section of the Safeguard, which is of type
Human IPL.

Default Human IPL Records

By default, the following Human IPL records are available in GE Digital APM:

Human IPL ID Lower Range Upper Range Default Value

Human Action with BPCS/ 0.01 1 0.1

alarm-4 min response time

Human Action with >10 min 0.1 1 0.1

response time

Human Action with >40 min 0.01 0.1 0.1

response time

Access a Human IPL

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Human IPL.
A list of available Human IPLs appears.

© 2022 General Electric Company 55

3. In the Human IPL ID column, select the link for the Human IPL that you want to access.
In the Record Manager, the page for the selected record appears, displaying the datasheet for the
record.

Note: To modify the Human IPL, as needed, modify values in the available fields, and then select to
save your changes. The values in the existing Safeguards that have used the modified Human IPL will
not be affected by the changes. If you want to apply the changes to an existing Safeguard, in the IPL
Checklist section of the Safeguard, in the IPL Sub Type box, you must reselect the Human IPL that
you modified.

Create a Human IPL

Before You Begin

• For the Human IPL that you want to create, you must create a system code in the MI_HUMAN_IPL
System Code Table. The system code populates the Human IPL ID box. When you create the Human
IPL, in the Human IPL ID box, you must select the value that you entered in the System Code Table.

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Human IPL.
A list of available Human IPLs appears.

56 © 2022 General Electric Company

3. In the upper-left corner of the workspace, select .
A blank datasheet for Human IPL appears.

4. As needed, enter values in the available fields.

5. In the upper-right corner of the workspace, select .
The Human IPL record is created.

Results
• In the IPL Checklist section of the Safeguard of type Human IPL, the Human IPL that you created
appears in the list of values in the IPL Sub Type box.

© 2022 General Electric Company 57

Delete a Human IPL

Before You Begin

• Before you can delete a Human IPL, you must delete the corresponding System Code that you created
in the MI_HUMAN_IPL System Code Table.

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Human IPL.
A list of available Human IPLs appears.

3. In the row for each Human IPL that you want to delete, select the check box.

In the upper-right corner of the workspace, the button is enabled.

4. Select .
The Delete Human IPL dialog box appears, asking you to confirm that you want to delete each
selected Human IPL.
5. Select OK.
Each selected Human IPL is deleted.

Results
• In the IPL Checklist section of the Safeguard of type Human IPL, the Human IPL that you deleted does
not appear in the list of values in the IPL Sub Type box.
Note: The values in the existing Safeguards that have used the deleted Human IPL will not be affected
when you delete the Human IPL record.

58 © 2022 General Electric Company

Initiating Events
About Initiating Events
Initiating events represent the various types of causes that can result in a hazardous scenario. In LOPA,
you can create an Initiating Event record for each type of initiating cause. When you create a LOPA, these
records are used to populate the frequency of occurrence of the Initiating Event.

Default Initiating Event Records

By default, the following Initiating Event records are available in GE Digital APM:

Initiating Event ID Lower Boundary Upper Boundary Default Value

Gasket/packing blowout 1E-06 0.01 0.01

LOTO(lock-out-tag-out) 0.0001 0.001 0.001

Unloading/loading hose failure 0.01 1 0.01

Cooling water failure 0.01 1 0.01

Atmospheric tank failure 1E-05 0.001 0.001

Crane load drop 0.0001 0.001 0.0001

Piping residual failure-100m- 1E-06 1E-05 1E-05

Full Breach

Pump seal failure 0.01 0.1 0.1

Piping leak(10% 0.0001 0.001 0.001

section)-100m

Pressure Vessel Residual 1E-07 1E-05 1E-06

Failure

Large external fire(aggregate 0.001 0.01 0.01

causes)

Safety valve opens spuriously 0.0001 0.01 0.01

BPCS instrument loop failure 0.01 1 0.1

Regulator failure 0.1 1 0.1

Operator failure 0.0001 0.1 0.01

Small external fire(aggregate 0.01 0.1 0.1

causes)

Lightning strike 0.0001 0.001 0.001

© 2022 General Electric Company 59

Initiating Event ID Lower Boundary Upper Boundary Default Value

Third party 0.0001 0.01 0.01

intervention(external impact
by backhoe, vehicle, etc.)

Turbine/diesel engine 0.0001 0.001 0.0001

overspeed with casing breach

Access an Initiating Event

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Initiating Events.
A list of available Initiating Events appears.

3. In the row for the Initiating Event that you want to access, in the Initiating Event ID column, select
the link.
In the Record Manager, the page for the selected record appears, displaying the datasheet for the
record.

60 © 2022 General Electric Company

Note:

To modify the Initiating Event, as needed, modify values in the available fields, and then select to
save your changes. The values in the existing LOPA and Hazards Analysis Cause records that have used
the modified Initiating Event, will not be affected by the changes.
• If you want to apply the changes to an existing LOPA, on the LOPA datasheet, in the Initiating
Event Type box, you must reselect the Initiating Event that you modified.
• If you want to apply the changes to an existing Cause, on the Hazards Analysis Cause datasheet, in
the CCPS Cause Type box, you must reselect the Initiating Event that you modified.

Create an Initiating Event

Before You Begin

• For the Initiating Event that you want to create, you must create a system code in the INIT_EVENT
System Code Table. The System Code Table populates the Initiating Event ID box. When you create
the Initiating Event, in the Initiating Event ID box, you must select the value that you entered in the
System Code Table.

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Initiating Events.
A list of available Initiating Events appears.

© 2022 General Electric Company 61

3. In the upper-left corner of the workspace, select .
A blank datasheet for Initiating Event appears.

4. As needed, enter values in the available fields.

5. In the upper-right corner of the workspace, select .
The Initiating Event record is created.

Results
• On the LOPA datasheet, the Initiating Event that you created appears in the list of values in the
Initiating Event Type box.
• On the Hazards Analysis Cause datasheet, the Initiating Event that you created appears in the list of
values in the CCPS Cause Type box.

62 © 2022 General Electric Company

Delete an Initiating Event

Before You Begin

• Before you can delete an Initiating Event, you must delete the corresponding System Code that you
created in the INIT_EVENT System Code Table.

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Initiating Events.
A list of available Initiating Events appears.

3. In the row for each Initiating Event that you want to delete, select the check box.

In the upper-right corner of the workspace, the button is enabled.

4. Select .
The Delete Initiating Events dialog box appears, asking you to confirm that you want to delete each
selected Initiating Event.
5. Select OK.
Each selected Initiating Event is deleted.

Results
• On the LOPA datasheet, the Initiating Event that you deleted does not appear in the list of values in
the Initiating Event Type box.
• On the Hazards Analysis Cause datasheet, the Initiating Event that you deleted does not appear in the
list of values in the CCPS Cause Type box.
Note: The values in the existing LOPA and Hazards Analysis Cause records that have used the deleted
Initiating Event will not be affected when you delete the Initiating Event record.

© 2022 General Electric Company 63

Consequence Probabilities
About Consequence Probabilities
Consequence Probabilities represent the probability of occurrence of various modifier types and are
stored in the Consequence Adjustment Probability records. When you create a Conditional Modifier in
LOPA, these records are used to populate the probability for the selected modifier type.

Default Consequence Adjustment Probabilities Records

By default, the following Consequence Adjustment Probabilities records are available in GE Digital APM:

Modifier ID Default Value

Probability of Ignition 0.5

Probability of Escape and Incident 0.5

Others 0.5

Probability of person present 0.5

Access a Consequence Probability

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Consequence Probabilities.
A list of available Consequence Probabilities appears.

3. In the row for the Consequence Probability that you want to access, in the Modifier ID column, select
the link.
In the Record Manager, the page for the selected record appears, displaying the datasheet for the
record.

64 © 2022 General Electric Company

Note: To modify the Consequence Probability, as needed, modify values in the available fields, and
then select to save your changes. The values in the existing Conditional Modifiers that have used
the modified Consequence Probability will not be affected by the changes. If you want to apply the
changes to an existing Conditional Modifier, on the Consequence Modifier datasheet, in the Type box,
you must reselect the Consequence Probability that you modified.

Create a Consequence Probability

Before You Begin

• For the Consequence Probability that you want to create, you must create a system code in the
MI_CONSQ_ADJ_PROB System Code Table. The System Code Table populates the Modifier ID box.
When you create the Consequence Probability, in the Modifier ID box, you must select the value that
you entered in the System Code Table.

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Consequence Probabilities.
A list of available Consequence Probabilities appears.

3. In the upper-left corner of the workspace, select .

A blank datasheet for Consequence Adjustment Probabilities appears.

© 2022 General Electric Company 65

4. As needed, enter values in the available fields.
5. In the upper-right corner of the workspace, select .
The Consequence Probability is created.

Results
• On the Consequence Modifier datasheet, the Consequence Probability that you created appears in the
list of values in the Type box.

Delete a Consequence Probability

Before You Begin

• Before you can delete a Consequence Probability, you must delete the corresponding System Code
that you created in the MI_CONSQ_ADJ_PROB System Code Table.

Procedure
1. Access the LOPA Admin page.
2. In the left pane, select Consequence Probabilities.
A list of available Consequence Probabilities appears.

66 © 2022 General Electric Company

3. In the row for each Consequence Probability that you want to delete, select the check box.

In the upper-right corner of the workspace, the button is enabled.

4. Select .
The Delete Consequence Probability dialog box appears, asking you to confirm that you want to
delete each selected Consequence Probability.
5. Select OK.
Each selected Consequence Probability is deleted.

Results
• On the Consequence Modifier datasheet, the Consequence Probability that you deleted does not
appear in the list of values in the Type box.
Note: The values in the existing Consequence Modifiers that have used the deleted Consequence
Probability will not be affected when you delete the Consequence Probability.

© 2022 General Electric Company 67

Chapter

7
Deployment
Topics:

• Deployment and Upgrade

68 © 2022 General Electric Company

Deployment and Upgrade
Deployment and Upgrade content for various GE Digital APM modules has been consolidated into a single
document. For more information, refer to the module-specific information in the APM Module Deployment
and Upgrade document.

© 2022 General Electric Company 69

Chapter

8
Reference
Topics:

• General Reference
• Family Field Descriptions
• Catalog Items

70 © 2022 General Electric Company

General Reference
LOPA Data Model
The following diagram shows how the families used in LOPA are related to one another.

Note: In the diagram, boxes represent entity families and arrows represent relationship families that are
configured in the baseline database. You can determine the direction of the each relationship definition
from the direction of the arrow head: the box from which the arrow originates is the predecessor, and the
box to which the arrow head points is the successor.
The Has LOPA relationship between Hazards Analysis Consequence and LOPA is used only if you create or
link a LOPA with a Consequence in Hazards Analysis.
Apart from the families shown in the data model, the following families are also used in LOPA to populate
certain fields in datasheets:
• Initiating Event
• Active IPL
• Human IPL
• Passive IPL
• Consequence Adjustment Probability
• Safety Integrity Level

LOPA Security Groups

The following table lists the baseline Security Groups available for users within this module, as well as the
baseline Roles to which those Security Groups are assigned. In Predix APM, Roles are assigned to Security
Users through permission sets.
Important: Assigning a Security User to a Role grants that user the privileges associated with all of the
Security Groups that are assigned to that Role. To avoid granting a Security User unintended privileges,

© 2022 General Electric Company 71

before assigning a Security User to a Role, be sure to review all of the privileges associated with the
Security Groups assigned to that Role.

Security Group Roles

MI HA Administrator MI HA Administrator

MI Safety Admin

MI HA Facilitator MI HA Facilitator

MI Safety Admin

MI Safety Power

MI Safety User

MI HA Member MI HA Member

MI Safety Admin

MI Safety Power

MI Safety User

MI HA Owner MI HA Owner

MI Safety Admin

MI Safety Power

MI Hazards Viewer MI APM Viewer

MI Hazards Viewer

MI Safety Admin

MI Safety Power

MI Safety User

MI SIS Administrator MI Safety Admin

MI SIS Administrator

MI SIS Engineer MI Safety Admin

MI Safety Power

MI Safety User

MI SIS Engineer

72 © 2022 General Electric Company

Security Group Roles

MI SIS User MI Safety Admin

MI Safety Power

MI Safety User

MI SIS User

MI SIS Viewer MI APM Viewer

MI Safety Admin

MI Safety Power

MI Safety User

MI SIS Engineer

MI SIS Viewer

The baseline family-level privileges that exist for these Security Groups are summarized in the following
table.

Family MI HA MI HA MI HA MI HA MI MI MI MI SIS MI
Administr Facilitato Member Owner Hazards SIS Admin SIS Engin User SIS Viewe
ator r Viewer istrator eer r

Entity Families

Active IPL View, View View View View View, View View View
Update, Update,
Insert, Insert,
Delete Delete

Asset View, View View View View View, View View View
Safety Update, Update,
Preference Insert, Insert,
s Delete Delete

Conseque View, View View View View View, View View View
nce Update, Update,
Adjustmen Insert, Insert,
t Delete Delete
Probability

Conseque View, View, View View View View, View, View View
nce Update, Update, Update, Update,
Modifier Insert, Insert, Insert, Insert,
Delete Delete Delete Delete

Conseque View, View, View View View View, View, View View
nce Update, Update, Update, Update,
Modifier Insert, Insert, Insert, Insert,
Revision Delete Delete Delete Delete

© 2022 General Electric Company 73

Family MI HA MI HA MI HA MI HA MI MI MI MI SIS MI
Administr Facilitato Member Owner Hazards SIS Admin SIS Engin User SIS Viewe
ator r Viewer istrator eer r

Hazards View, View, View View, View View, View, View View
Analysis Update, Update, Update, Update, Update,
Safeguard Insert, Insert, Insert, Insert, Insert,
Delete Delete Delete Delete Delete

Hazards View, View, View View, View View, View, View View
Analysis Update, Update, Update, Update, Update,
Safeguard Insert, Insert, Insert, Insert, Insert,
Revision Delete Delete Delete Delete Delete

Human IPL View, View View View View View, View View View
Update, Update,
Insert, Insert,
Delete Delete

Initiating View, View View View View View, View View View
Event Update, Update,
Insert, Insert,
Delete Delete

IPL View, View View View View View, View, View View
Checklist Update, Update, Update,
Insert, Insert, Insert,
Delete Delete Delete

IPL View, View View View View View, View, View View
Checklist Update, Update, Update,
Revision Insert, Insert, Insert,
Delete Delete Delete

LOPA View, View, View View View View, View, View View
Update, Update, Update, Update,
Insert, Insert, Insert, Insert,
Delete Delete Delete Delete

LOPA View, View, View View View View, View, View View
Revision Update, Update, Update, Update,
Insert, Insert, Insert, Insert,
Delete Delete Delete Delete

Passive IPL View, View View View View View, View View View
Update, Update,
Insert, Insert,
Delete Delete

Safety None None None None None View, View View View
Integrity Update,
Level Insert,
Delete

Relationship Families

74 © 2022 General Electric Company

Family MI HA MI HA MI HA MI HA MI MI MI MI SIS MI
Administr Facilitato Member Owner Hazards SIS Admin SIS Engin User SIS Viewe
ator r Viewer istrator eer r

Conseque View, View, View View, View View, View, View View
nce Update, Update, Update, Update, Update,
Revision Insert, Insert, Insert, Insert, Insert,
Has Delete Delete Delete Delete Delete
Safeguard
Revision

Has View, View, View View View View, View, View View
Conseque Update, Update, Update, Update,
nce Insert, Insert, Insert, Insert,
Modifier Delete Delete Delete Delete

Has View, View, View View View View, View, View View
Conseque Update, Update, Update, Update,
nce Insert, Insert, Insert, Insert,
Modifier Delete Delete Delete Delete
Revision

Has View, View, View View, View View, View, View View
Functional Update, Update, Update, Update, Update,
Location Insert, Insert, Insert, Insert, Insert,
Delete Delete Delete Delete Delete

Has View, View, View View View View, View, View View
Independe Update, Update, Update, Update,
nt Insert, Insert, Insert, Insert,
Protection Delete Delete Delete Delete
Layer

Has IPL View, View, View View, View View, View, View View
Checklist Update, Update, Update, Update, Update,
Revision Insert, Insert, Insert, Insert, Insert,
Delete Delete Delete Delete Delete

Has LOPA View, View, View View View View, View, View View
Update, Update, Update, Update,
Insert, Insert, Insert, Insert,
Delete Delete Delete Delete

Has LOPA View, View, View View View View, View, View View
Revision Update, Update, Update, Update,
Insert, Insert, Insert, Insert,
Delete Delete Delete Delete

© 2022 General Electric Company 75

Family MI HA MI HA MI HA MI HA MI MI MI MI SIS MI
Administr Facilitato Member Owner Hazards SIS Admin SIS Engin User SIS Viewe
ator r Viewer istrator eer r

Has Risk View, View, View View, View View, View, View View
Update, Update, Update, Update, Update,
Insert, Insert, Insert, Insert, Insert,
Delete Delete Delete Delete Delete

Is View, View, View View, View View, View, View View

Independe Update, Update, Update, Update, Update,
nt Insert, Insert, Insert, Insert, Insert,
Protection Delete Delete Delete Delete Delete
Layer

LOPA URLs
There is one URL route associated with LOPA: asset-safety/lopa. The following table describes the
various paths that build on the route, and the elements that you can specify for each.

Element Description Accepted Value(s) Notes

asset-safety/lopa/admin: Displays the LOPA Admin page.

asset-safety/lopa/overview: Displays the LOPA Overview page.

asset-safety/lopa/<EntityKey>: Displays the LOPA Summary workspace of the LOPA with the specified
Entity Key.

<EntityKey> Specifies the Entity Key of the Any numeric Entity Key that This value is required to access
LOPA that you want to access. corresponds to an existing an existing LOPA and its
LOPA. related records (i.e.,
Safeguards and Conditional
Modifiers) from a URL.

asset-safety/lopa/overview/<AssetKey>: Displays the LOPA Overview page. The information on the

page is filtered by the asset specified by the Asset Key.

<AssetKey> Specifies the Asset Key of the Any numeric Asset Key that None
asset based on which you corresponds to an existing
want to filter information on asset.
the LOPA Overview page.

asset-safety/lopa/revision/lopa/<EntityKey>: Displays the Revision History workspace of the

LOPA with the specified Entity Key.

<EntityKey> Specifies the Entity Key of the Any numeric Entity Key that This value is required to access
LOPA whose Revision History corresponds to an existing the Revision History of an
you want to access. LOPA. existing LOPA and its related
records (i.e., Safeguards and
Conditional Modifiers) from a
URL.

76 © 2022 General Electric Company

URLs

Example URL Destination

asset-safety/lopa/ The LOPA Summary workspace

2996482 of the LOPA with the Entity Key
2996482.

asset-safety/lopa/ The LOPA Overview page

overview/ appears. In the Under Review
and Approved section, the list
64251832823
of LOPAs associated with the
asset whose Asset Key is
64251832823 and with all
assets within the hierarchy level
of the specified asset appears.

asset-safety/lopa/ The Revision History

revision/lopa/ workspace of the LOPA with the
Entity Key 2996482.
2996482

LOPA System Code Tables

The following table lists the System Code Tables that are used by the Layers of Protection Analysis
module.

Table ID Table Description Function

INIT_EVENT Initiating events for LOPA Populates the Initiating Event ID field in
Initiating Event records.

MI_CONSQ_ADJ_PROB Consequence Adjustment Probabilities Populates the Modifier ID field in the

Consequence Adjustment Probabilities
records.

MI_IPL_TYPES_SAFEGUARD Types of IPL Populates the Type field in the Safeguard

record.

MI_ACTIVE_IPL Types of Active IPL Populates the Active IPL ID field in Active
IPL records.

MI_PASSIVE_IPL Types of Passive IPL Populates the Passive IPL ID field in

Passive IPL records.

MI_HUMAN_IPL Types of Human IPL Populates the Human IPL ID field in

Human IPL records.

MI_HAZOP_SAFEGUARD_TYPE Types of Safeguards Populates the Safeguard Type field in the

Safeguard record.

© 2022 General Electric Company 77

About Calculations in LOPA

Calculating Unmitigated Consequence Frequency

Unmitigated Consequence Frequency = Frequency of Initiating Event x Probability of occurrence of
Enabling Event x Probability of occurrence of Conditional Modifier
Where,
• Frequency of Initiating Event is the value in the Frequency of Initiating Event field in LOPA.
• Probability of occurrence of Enabling Event is the value in the Enabling Event/Conditional Probability
field in LOPA.
• Probability of occurrence of Conditional Modifier is the product of value in Probability field of all the
Conditional Modifiers associated with the LOPA.
If Enabling Event/Condition Probability field is blank, a default value of 1 will be used in the calculation.

Calculating Total IPL PFD

Total IPL PFD = Product of value in PFD field of all the Safeguards associated with the LOPA

Calculating Mitigated Consequence Frequency

Mitigated Consequence Frequency = Unmitigated Consequence Frequency x Total IPL PFD
Where,
• Unmitigated Consequence Frequency is the value in the Unmitigated Consequence Frequency field in
LOPA
• Total IPL PFD is the product of value in the PFD fields of all the Safeguards associated with the LOPA
If there are no IPLs associated with the LOPA, then Mitigated Consequence Frequency is equal to the
Unmitigated Consequence Frequency.

Calculating Required PIF PFD

Required PIF PFD = Required Mitigated Consequence Frequency / Mitigated Consequence Frequency
Where,
• Required Mitigated Consequence Frequency is the value in Required Mitigated Consequence
Frequency in LOPA.
• Mitigated Consequence Frequency is the value in the Mitigated Consequence Frequency field in LOPA.

Calculating Required PIF Risk Reduction Factor

Required PIF Risk Reduction Factor = 1/ Required PIF PFD
Where,
• Required PIF PFD is the value in Required PIF PFD field in LOPA.

Calculated SIL Value

This value is derived based on the industry standard for SIL values.

Example of Calculations in LOPA

The following table contains the data used in the example and only lists fields that are
required and contain a value.

78 © 2022 General Electric Company

Field Value

Suppose that you create a LOPA with the following values:

LOPA ID Lopa_Example

Unacceptable Consequence Explosion

Initiating Event Type Gasket/packing blowout

Frequency of Initiating Event 0.01

Required Mitigated 1E-05 (i.e., 0.00001)

Consequence Frequency

Fields that are automatically populated in LOPA

Unmitigated Consequence 0.01

Frequency

Mitigated Consequence 0.01

Frequency

Required PIF Risk Reduction 1000

Factor

Required PIF PFD 0.001

Calculated SIL 2

Create a Conditional Modifier with the following values:

Conditional Modifier ID Modifier1

Type Probability of Ignition

Probability 0.5

Fields that are updated in LOPA after adding a Conditional Modifier

Unmitigated Consequence 0.005

Frequency

Mitigated Consequence 0.005

Frequency

Required PIF PFD 0.002

Required PIF Risk Reduction 500

Factor

Calculated SIL 2

Create a Safeguard and specify as IPL with the following values:

Safeguard ID Safeguard1

IPL Type Human IPL

IPL Sub Type Human Action with >10 min

response time

PFD 0.1

Field Value

Fields that are updated in LOPA after adding a Safeguard that is an IPL

Total IPL PFD 0.1

Unmitigated Consequence 0.005

Frequency

Mitigated Consequence 0.0005

Frequency

Required PIF PFD 0.02

Required PIF Risk Reduction 50

Factor

Calculated SIL 1

LOPA State Management

The following states are configured for the LOPA family:
• Planning: Indicates that the analysis is in the Planning state. You can modify or delete a LOPA and its
related records (i.e., Conditional Modifiers and Safeguards) only if the LOPA is in Planning state.
Additionally, if you have linked the LOPA to a Consequence in the Hazards Analysis, then to add or
modify a Safeguard, the Hazards Analysis with which the Consequence is associated must also be in
the Planning State.
• Active: Indicates that the LOPA is active.
• Review: Indicates that the LOPA has been sent for review.
• Pending Approval: Indicates that the LOPA has been reviewed and is awaiting approval.
• Complete: Indicates that the analysis is approved. After the state of the LOPA is changed to Complete:
◦ A LOPA Revision is created, which stores a snapshot of the LOPA when the state was changed to
Complete.
◦ The number of revisions for the LOPA is incremented by one, and appears in the upper-right corner
of the LOPA Summary workspace.
◦ If the LOPA is linked to a LOPA Assessment in an Instrumented Function, then the values in the
associated LOPA Assessment are updated based on the values in the LOPA.

Illustration of LOPA State Configuration

State Configuration Roles

The following table lists the baseline states, the operation that can be performed on each state, and the
State Configuration Roles assigned to each state:

State Operation User Role

Planning Begin MI Safety Admin, MI Safety Power, MI

Safety User

Active Propose MI Safety Admin, MI Safety Power, MI

Safety User

Review Submit MI Safety Admin, MI Safety Power, MI

Safety User

Pending Approval Accept MI Safety Admin, MI Safety Power

Reject

Complete Modify/Reassess MI Safety Admin, MI Safety Power

LOPA Site Filtering

Site filtering in LOPA is achieved by specifying a site on the Definition section of a LOPA and that site
assignment is applied to all the related records. Users must have privileges for the relevant site to access
records for the specified site. Users can be assigned to one or many sites. They will be able to see only the
records that are assigned to their site(s) or those that are global records.
Site filtering is enabled for the following families:
• LOPA: When you create a LOPA, you can assign it to any site. After you save the changes, you cannot
modify the site for the LOPA.
• Consequence Modifier: A Conditional Modifier will inherit the site from the associated LOPA.
• Hazards Analysis Safeguard: A Safeguard will inherit the site from the associated LOPA.

Example
Consider an organization that has three sites, Site X, Site Y, and Site Z and contains
the following records:
• LOPA 1: Assigned to Site X
• LOPA 2: Assigned to Site Y
• LOPA 3: Assigned to Site Z
Scenario 1: User assigned to only Site X
When this user accesses the LOPA Overview page, the user will be able to see the
records that are assigned to Site X:
• LOPA 1: Assigned to Site X
The user will also be able to see the Consequence Modifiers and Safeguards
associated with LOPA 1.
Scenario 2: User assigned to both Site X and Site Y
When this user accesses the LOPA Overview page, the user will be able to see the
records that are assigned to Site X and Site Y:
• LOPA 1: Assigned to Site X
• LOPA 2: Assigned to Site Y
The user will also be able to see the Consequence Modifiers and Safeguards
associated with LOPA 1 and LOPA 2.
Scenario 3: Super User

When this user accesses the LOPA Overview page, the user will be able to see the
records that are assigned to any of the sites:
• LOPA 1: Assigned to Site X
• LOPA 2: Assigned to Site Y
• LOPA 3: Assigned to Site Z
The user will also be able to see the Consequence Modifiers and Safeguards
associated with LOPA 1, LOPA 2, and LOPA 3.
Scenario 4: Hazop or What If Analysis Assigned to Site X
When the user searches for LOPA to link with the Consequence for a Hazop or What If
analysis assigned to Site X, the user will be able to see the LOPA records that are
assigned to Site X:
• LOPA 1: Assigned to Site X
Scenario 5: Instrumented Function Assigned to Site X
When the user searches for LOPA to link with an SIL Assessment of an Instrumented
Function assigned to Site X, the user will be able to see the LOPA records that are
assigned to Site X:
• LOPA 1: Assigned to Site X

Family Field Descriptions

Active IPL Records
Active IPL records store information about the probability of failure of various types of active IPLs. This
topic provides an alphabetical list and description of the fields that exist for the Active IPL family. The
information in the table reflects the baseline state and behavior of these fields.
Important: The records in this family can be modified only by users who belong to the Security Groups MI
SIS Administrator or MI HA Administrator.
This family is enabled for site filtering, which means that records in this family can be assigned to a
specific site, and will only be accessible to users who are assigned to the same site and have the
appropriate license and family privileges. For more information, refer to the Sites section of the
documentation.

Field Data Type Description Behavior and Usage

Active IPL ID Character Identifies the type of Active This field appears a list that is
IPL. populated by the
MI_ACTIVE_IPL System Code
Table.

Default Value Numeric Indicates the default You can enter a value
probability that the Active IPL manually.
will fail to mitigate the risk.

Field Data Type Description Behavior and Usage

Lower Range Numeric Indicates the lower range for You can enter a value
the probability that the Active manually.
IPL will fail to mitigate the risk.

Upper Range Numeric Indicates the upper range for You can enter a value
the probability that the Active manually.
IPL will fail to mitigate the risk.

Asset Safety Preferences Records

Asset Safety Preferences records are used to store information about the criteria that a Safeguard must
meet to be classified as an IPL. This topic provides an alphabetical list and description of the fields that
exist for the Asset Safety Preferences family and appear on the Asset Safety Preferences datasheet. The
information in the table reflects the baseline state and behavior of these fields. You can modify the
records in this family only if you belong to the Security Group MI SIS Administrator or MI HA Administrator.
This family is not enabled for site filtering, which means that records in this family can be accessed by any
user with the appropriate license and family privileges. For more information, refer to the Sites section of
the documentation.

Field Data Type Description Behavior and Usage

Preference Category Character Indicates the type of This field is automatically

preference that you are populated with the following
defining. value: IPL.

Important: You must not

modify the value in this field.

Preference Name Character Indicates the name for the You can enter a value
IPL criteria. manually.

Preference Value Character Indicates the criteria that you You can enter a value
want to configure for a manually.
Safeguard to be identified as
This field appears in the IPL
an IPL.
Checklist section of the
Safeguard datasheet.

Consequence Adjustment Probabilities Records

Consequence Adjustment Probability records are used to determine the probability that a conditional
modifier event may occur, thereby adjusting the frequency of unmitigated consequence. This topic
provides an alphabetical list and description of the fields that exist for the Consequence Adjustment
Probability family and appear on the Conditional Modifier datasheet. The information in the table reflects
the baseline state and behavior of these fields. These records in this family can be modified only by users
who belong to the Security Groups MI SIS Administrator or MI HA Administrator.
This family is enabled for site filtering, which means that records in this family can be assigned to a
specific site, and will only be accessible to users who are assigned to the same site and have the
appropriate license and family privileges. For more information, refer to the Sites section of the
documentation.

Field Data Type Description Behavior and Usage

Default Value Numeric Indicates the default value for You can enter a value
probability of occurrence of manually.
the conditional modifier.

Modifier ID Character Identifies the type of This field appears a list that is
conditional modifier. populated by the
MI_CONSQ_ADJ_PROB System
Code Table.

Consequence Modifier Records

Consequence Modifier records store details about conditional modifiers (i.e., an event or action that can
increase or decrease the probability that a risk may occur if not mitigated). This topic provides an
alphabetical list and description of the fields that exist for the Consequence Modifier family and appear on
the Conditional Modifier datasheet. The information in the table reflects the baseline state and behavior
of these fields.
This family is enabled for site filtering, which means that records in this family can be assigned to a
specific site, and will only be accessible to users who are assigned to the same site and have the
appropriate license and family privileges. For more information, refer to the Sites section of the
documentation.

Field Data Type Description Behavior and Usage

Conditional Modifier ID Character The identification for the The value entered in this field
conditional modifier. must be unique.

This field is required.

Description Character The description of the You can enter a value

conditional modifier. manually.

Field Data Type Description Behavior and Usage

Modifier Type Character The type of conditional This field is required. This field
modifier. is labeled Type on the
Consequence Modifier
datasheet.

This field is populated with the

value in the Modifier ID field of
Consequence Adjustment
Probabilities records.

Probability Numeric The probability that the This field is disabled on the
conditional modifier can occur. datasheet.

Based on your selection in the

Type field on the Consequence
Modifier datasheet, this field is
populated with the value in
the Default Value field in the
Consequence Adjustment
Probability record.

This value is multiplied by the

value in the Enabling Event/
Condition Probability field on
the Layer of Protection
Analysis (LOPA) datasheet to
calculate the final probability
for the initiating event.

Hazards Analysis Safeguard Records

Hazards Analysis Safeguard records store details on safeguards that can be used to mitigate the risk. If
the safeguard is an IPL, then these records also store the details of the IPL Type and the corresponding
PFD value. This topic provides an alphabetical list and description of the fields that exist for the Hazards
Analysis Safeguard family. These fields appear on the Hazards Analysis Safeguard datasheet and in the
IPL Checklist section of the Safeguards and IPLs workspace. The information in this table reflects the
baseline state and behavior of these fields. This list is not comprehensive.
This family is enabled for site filtering, which means that records in this family can be assigned to a
specific site, and will only be accessible to users who are assigned to the same site and have the
appropriate license and family privileges. For more information, refer to the Sites section of the
documentation.

Field Data Type Description Behavior and Usage

Equipment ID Character The identification of the You can select an Equipment

Equipment that is linked to the to associate with the
Safeguard through the Safety Safeguard.
Analysis Has Equipment
When you associate an
Relationship family.
Equipment with the Safeguard,
the Functional Location to
which the Equipment belongs
is automatically associated
with the Safeguard, and
appears in the Functional
Location ID box on the
datasheet.

Equipment Key Numeric The Entity Key of the This field does not appear on
Equipment whose ID appears the datasheet by default.
in the Equipment ID field.

Functional Location ID Character The identification of the You can select a Functional
Functional Location that is Location to associate with the
linked to the Safeguard Safeguard.
through the Has Functional
Location Relationship family.

Functional Location Key Numeric The Entity Key for the This field does not appear on
Functional Location whose ID the datasheet by default.
appears in the Functional
Location ID field.

IF ID Character The ID of the Instrumented You can select an

Function that is linked to the Instrumented Function to
Safeguard. associate with the Safeguard.

IF Key Numeric The Entity Key for the This field does not appear on
Instrumented Function whose the datasheet by default.
ID appears in the IF ID field.

IPL Credits Numeric Indicates the order of You can select a value from 1
magnitude by which the through 10 from the drop-
independent protection layer down list box.
reduces the risk.
This field appears in the IPL
Checklist section of the
Safeguards and IPLs
workspace.

IPL Reference Key Numeric The Entity Key for the This field does not appear on
Independent Layer of the datasheet by default.
Protection that is linked to the
Hazards Analysis Safeguard.

Field Data Type Description Behavior and Usage

IPL Sub Type Character Indicates the classification of This field is disabled by default,
the independent layer of indicating that the safeguard is
protection that you selected in not an independent layer of
the IPL Type field in the protection.
Safeguard records.
If the safeguard is an
independent layer of
protection, then this field is
enabled.

Based on your selection in the

IPL Type field of the Safeguard
datasheet, this field contains a
list of values defined in one of
the following records:

• Active IPL record if the

value in the IPL Type field
is Active IPL.
• Passive IPL record if the
value in the IPL Type field
is Passive IPL.
• Human IPL record if the
value in the IPL Type field
is Human IPL.

PFD Numeric A number representing the By default, this field is

probability that the disabled.
independent layer of
Based on you selection in the
protection will fail to mitigate
IPL Sub Type field, this field is
the risk.
populated with the value in
the Default Value field of one
of the following record:

• Active IPL record if the

value in the IPL Type field
is Active IPL.
• Passive IPL record if the
value in the IPL Type field
is Passive IPL.
• Human IPL record if the
value in the IPL Type field
is Human IPL.

This field appears on the IPL

Checklist section of the
Safeguards and IPLs
workspace.

Field Data Type Description Behavior and Usage

IPL Type Character Indicates the type of risk You can select one of the
reduction that is provided by following values in this field:
the independent layer of
• Consequence Reducing
protection.
IPL
• Frequency Reducing IPL

This field is labeled as Risk

Reduction Type and appears
on the IPL Checklist section
of the Safeguards and IPLs
workspace.

Safeguard Comment Text A comment about the You can enter a value
safeguard. manually.

Safeguard Description Text A detailed description of the You can enter a value
safeguard. manually.

Safeguard ID Character The identification of the You can enter a value

safeguard. manually.

This field is required.

Safeguard Type Character The type of the safeguard. This field contains the
description of the system
codes that exist in the
MI_HAZOP_SAFEGUARD_TYPE
System Code Table. You can
select a value from the
following options:

• Process Design
• Process Control System
• PSV
• Operations
• Deluge System
• Fire Alarm
• Process Alarm
• SIS

Field Data Type Description Behavior and Usage

Sequence Number Numeric A number that represents the This field is used to populate
position in which the the Safeguard Number field.
Safeguard appears in the grid,
This field does not appear on
relative to the other
the datasheet by default.
Safeguards that are linked to
the same Consequence.

Type Character If the safeguard is an By default, this field is

independent layer of disabled, indicating that the
protection , this value safeguard is not an
indicates the type of risk the independent layer of
independent layer of protection.
protection mitigates.
If the safeguard is an
independent layer of
protection, then this field is
enabled.

This field contains the

description of the system
codes that exist in the
MI_IPL_TYPES_SAFEGUARD
System Code Table. You can
select a value from the
following options:

• Active IPL
• Passive IPL
• Human IPL

This field is labeled IPL Type in

the IPL Checklist section of
the Safeguard datasheet.

Human IPL Records

Human IPL records store information about the probability of failure of various types of human IPLs. This
topic provides an alphabetical list and description of the fields that exist for the Human IPL family. The
information in the table reflects the baseline state and behavior of these fields.
Important: The records in this family can be modified only by users who belong to the Security Groups MI
SIS Administrator or MI HA Administrator.
This family is enabled for site filtering, which means that records in this family can be assigned to a
specific site, and will only be accessible to users who are assigned to the same site and have the
appropriate license and family privileges. For more information, refer to the Sites section of the
documentation.

Field Data Type Description Behavior and Usage

Default Value Numeric Indicates the default You can enter a value
probability that the Human IPL manually.
will fail to mitigate the risk.

Human IPL ID Character Identifies the type of Human This field appears a list that is
IPL. populated by the
MI_HUMAN_IPL System Code
Table.

Lower Range Numeric Indicates the lower range for You can enter a value
the probability that the manually.
Human IPL will fail to mitigate
the risk.

Upper Range Numeric Indicates the upper range for You can enter a value
the probability that the manually.
Human IPL will fail to mitigate
the risk.

Initiating Event Records

Initiating Event records are used to determine the frequency of occurrence of an initiating event. This
topic provides an alphabetical list and description of the fields that exist for the Initiating Event family and
appear on the LOPA datasheet. The information in the table reflects the baseline state and behavior of
these fields.
This family is not enabled for site filtering, which means that records in this family can be accessed by any
user with the appropriate license and family privileges. For more information, refer to the Sites section of
the documentation.

Field Data Type Description Behavior and Usage

Default Value Numeric Indicates the default value for You can enter a value
the frequency of the Initiating manually.
Event.
This field populates the
following fields:

• Frequency of Initiating
Event field on the LOPA
datasheet
• Cause Frequency (per
year) field on the Hazards
Analysis Cause datasheet.

Initiating Event ID Character Identifies the type of Initiating This field appears a list that is
Event. populated by the INIT_EVENT
System Code Table.

Field Data Type Description Behavior and Usage

Lower Boundary Numeric Indicates the lower boundary You can enter a value
value for the frequency of the manually.
Initiating Event.

Upper Boundary Numeric Indicates the upper boundary You can enter a value
value for the frequency of the manually.
Initiating Event.

IPL Checklist Records

IPL Checklist records store your selection for the criteria that are used to determine if a Safeguard is an
IPL. The IPL Checklist family is linked to the Safeguard family using the Is Independent Protection Layer
relationship family. This topic provides an alphabetical list and description of the fields that exist for the
IPL Checklist family. The information in this table reflects the baseline state and behavior of these fields.
This family is enabled for site filtering, which means that records in this family can be assigned to a
specific site, and will only be accessible to users who are assigned to the same site and have the
appropriate license and family privileges. For more information, refer to the Sites section of the
documentation.

Field Data Type Description Behavior and Usage

IPL Criteria Character Describes the criteria that can This field contains a value from
be used to determine if the the list of criteria that you
safeguard can be considered configured for IPL Checklist.
an IPL.

IPL Criteria Value Boolean Indicates if the criteria By default, this field is cleared.
described in the IPL Criteria
If the field is selected, then the
field is true for the safeguard.
criteria is true for the
safeguard.

LOPA Records
LOPA records store details about the LOPA that they represent. This topic provides an alphabetical list
and description of the fields that exist for the LOPA family and appear on the LOPA datasheet, unless
otherwise specified. The information in the table reflects the baseline state and behavior of these fields.
This list is not comprehensive.
This family is enabled for site filtering, which means that records in this family can be assigned to a
specific site, and will only be accessible to users who are assigned to the same site and have the
appropriate license and family privileges. For more information, refer to the Sites section of the
documentation.

Field Data Type Description Behavior and Usage

Analysis Type Character The type of the analysis that This field does not appear on
you are performing. the datasheet and is
populated automatically with
the value LOPA.

Calculated SIL Numeric The SIL value that is required This field is disabled and
to mitigate the risk that is populated with the SIL value
associated with the that is associated with the
Consequence to which this value in the Required PIF PFD
LOPA is linked. field.

Comments Text Additional information about You can enter a value

the LOPA. manually.

Description Text A description for the LOPA. You can enter a value
manually.

Description of Initiating Event Character A description of the initiating You can enter a value
event that is specified in the manually.
Initiating Event Type field.

Enabling Event/Condition Character A description of the enabling This field does not appear on
Description event, which is a condition the datasheet.
that must occur
simultaneously with an
initiating event to allow the
specific cause for a scenario to
propagate to a consequence.
(e.g., an explosive atmosphere
acts as an enabling event that
can increase the probability of
the flammable gas being
released).

Enabling Event/Condition Numeric A number that represents the You can enter a value
Probability probability of occurrence of manually. The value must be
the enabling event. This value greater than 0 and less than or
is used to determine the equal to 1. For example, if the
probability of an unmitigated equipment operates only for
event occurring. nine months a year, then
provide a value of 0.75 in this
field.

This value is multiplied by the

value in the Frequency of
Initiating Event field to
determine the value in
Unmitigated Consequence
Frequency field. If this field is
empty, a default value of 1 will
be used in that calculation.

Field Data Type Description Behavior and Usage

Equipment ID Character A unique value that identifies You can select an Equipment
the Equipment that you want to associate with the LOPA.
to link to the LOPA.
After you select an Equipment,
the Equipment Technical
Number appears as a link in
this field. You can select the
link to access the datasheet
for the Equipment.

When you create a LOPA from

a Hazards Analysis
Consequence, this field is
populated with the Equipment
Technical Number of the
Equipment that is linked to the
corresponding Hazards
Analysis Cause record.

Equipment Key Numeric The Entity Key of the This field does not appear on
Equipment that is linked to the datasheet. When you link
this Instrumented Function. an Equipment to the LOPA, the
details of the Equipment are
retrieved based on the value in
this field.

Frequency of Initiating Event Numeric A number representing the This field is disabled.
number of times per year that
A baseline rule exists to
the initiating event specified in
populate this field with the
the Initiating Event Type field
default value of frequency
will occur.
specified in the Initiating Event
record based on your selection
in the Initiating Event Type
field.

This value is multiplied by the

value in the Enabling Event/
Condition Probability field to
determine the value in
Unmitigated Consequence
Frequency field.

Field Data Type Description Behavior and Usage

Functional Location ID Character A unique value that identifies You can select a Functional
the Functional Location that is Location to associate with the
linked to the LOPA. LOPA.

After you select a Functional

Location, the Functional
Location ID appears as a link in
this field. You can select the
link to access the datasheet
for the Functional Location.

When you create a LOPA from

a Hazards Analysis
Consequence, this field is
populated with the Functional
Location ID of the Functional
Location that is linked to the
corresponding Hazards
Analysis Cause record.

Functional Location Key Numeric The Entity Key of the This field does not appear on
Functional Location that is the datasheet. When you link
linked to this LOPA. a Functional Location to the
LOPA, the details of the
Functional Location are
retrieved based on the value in
this field.

Initiating Event Type Character A brief description of the event This field with the values in the
that could cause the risk that Initiating Event ID field in the
is described in the Initiating Event records.
Unacceptable Consequence
If the Frequency of Initiating
field to be mitigated.
Event field does not contain a
value, then a value is required
in this field.

When you create a LOPA from

a cause-consequence pair in
the Hazards Analysis module,
this field is disabled and
populated automatically with
the value in the CCPS Cause
Type field in the associated
Consequence.

Field Data Type Description Behavior and Usage

LOPA ID Character The ID for the Layer of This field is required and must
Protection Analysis. be unique among all the LOPA
records linked to an
instrumented function.

You can enter your own value

manually.

The value in this field appears

in the list of assessments for
an instrumented function and
is used to distinguish the LOPA
from the others.

Mitigated Consequence Numeric Indicates the frequency of the This field is disabled and
Frequency mitigated consequence (i.e., populated automatically.
the frequency of consequence
The value is calculated by
after layers of protection have
multiplying the value in the
been added).
Unmitigated Consequence
Frequency field by the value in
the Total IPL PFD field.

Required Mitigated Numeric The maximum allowable This field is required.

Consequence Frequency frequency at which the
This field appears in the LOPA
initiating event can occur for
Definition section of the LOPA
the risk that is described in the
datasheet as a list and
Unacceptable Consequence
contains the following hard-
field.
coded values:

• 1E-04
• 1E-05
• 1E-06

You can select a value from

the list or enter your own
value that is greater than 0
(zero). If you modify this value
to be less than 0 (zero), a
message will appear, and
when you select OK, the
modified value will revert to its
original value. If you enter a
value other than the baseline
values in the list, it will then be
added to the list.

Field Data Type Description Behavior and Usage

Required PIF PFD Numeric A number representing the This field is disabled and
target probability that a failure populated automatically.
will occur.
This value is calculated
automatically by dividing the
value in the Required
Mitigated Consequence
Frequency field by the value in
the Mitigated Consequence
Frequency field.

This value is used to

determine the values in the
Required PIF Risk Reduction
Factor and Calculated SIL Level
fields.

Required PIF Risk Reduction Numeric A number representing the This field is disabled and
Factor factor by which the risk should populated automatically with
be reduced. the inverse of the value in the
Required PIF PFD field.

Risk Category Character The category of the driving risk This field appears as a list that
associated with the initiating is populated with the values in
event. the Category Name field in
Risk Category records
associated with the Risk
Matrix for the site to which the
LOPA belongs.

Note: This field does not

contain the Financial Risk
Category associated with the
Risk Matrix.

If you change the value in this

field, you must reselect a value
in the Risk Severity field.

Risk Severity Character The level of severity of the This field appears as a list that
driving risk associated with is populated with the values in
the initiating event. the Description field in
Consequence records
associated with the category
that you selected in the Risk
Category field.

Field Data Type Description Behavior and Usage

Total IPL PFD Numeric The PFD value that is This field is disabled and
associated with all the IPLs in populated in the Definition
place for this consequence. section of the LOPA datasheet.

The value is calculated by

multiplying the values in the
PFD fields of each Independent
Layer of Protection associated
with the LOPA together.

Unacceptable Consequence Character A description of the risk for This field is populated with the
which you are conducting the value in the Consequence
Layer of Protection Analysis. Description field in the
associated Instrumented
Function.

You can modify this value if

needed.

Unmitigated Consequence Numeric Indicates the frequency of This field is disabled and
Frequency unmitigated consequence (i.e., populated automatically.
the frequency consequence
This value is calculated by
before the layers of protection
multiplying the value in the
have been added).
Frequency of Initiating Event
field by the value in the
Enabling Event/Condition
Probability field.

Safety Integrity Level Records

Safety Integrity Level records are used to determine the SIL value and contain the boundary values for the
required probability of failures for different safety integrity levels. This topic provides an alphabetical list
and description of the fields that exist for the Safety Integrity Level family. The information in the table
reflects the baseline state and behavior of these fields. This list is not comprehensive.
This family is not enabled for site filtering, which means that records in this family can be accessed by any
user with the appropriate license and family privileges. For more information, refer to the Sites section of
the documentation.

Field Data Type Description Behavior and Usage

Lower Bound Numeric The lower boundary value for You can enter a value
the Safety Integrity Level. manually.

Mode of Operation Character Indicates whether the record You can enter a value
defines the SIL value for a manually.
safety system operating on
low demand mode or on
continuous mode.

Field Data Type Description Behavior and Usage

Safety Integrity Level Numeric The SIL value for which the You can enter a value
boundary values are defined in manually.
the record.

Upper Bound Numeric The upper boundary value for You can enter a value
the Safety Integrity Level. manually.

Passive IPL Records

Passive IPL records store information about the probability of failure of various types of passive IPLs. This
topic provides an alphabetical list and description of the fields that exist for the Passive IPL family. The
information in the table reflects the baseline state and behavior of these fields.
Important: The records in this family can be modified only by users who belong to the Security Groups MI
SIS Administrator or MI HA Administrator.
This family is enabled for site filtering, which means that records in this family can be assigned to a
specific site, and will only be accessible to users who are assigned to the same site and have the
appropriate license and family privileges. For more information, refer to the Sites section of the
documentation.

Field Data Type Description Behavior and Usage

Default Value Numeric Indicates the default You can enter a value
probability that the Passive IPL manually.
will fail to mitigate the risk.

Lower Range Numeric Indicates the lower range for You can enter a value
the probability that the manually.
Passive IPL will fail to mitigate
the risk.

Passive IPL ID Character Identifies the type of Passive This field appears a list that is
IPL. populated by the
MI_PASSIVE_IPL System Code
Table.

Upper Range Numeric Indicates the upper range for You can enter a value
the probability that the manually.
Passive IPL will fail to mitigate
the risk.

Catalog Items
Queries Folder
The Catalog folder \\Public\Meridium\Modules\LOPA\Queries contains the following items.

Query Name Behavior and Usage

LOPA Approved Query Returns the list of LOPA that are in the Complete state. This
query populates the Approved section on the LOPA Overview
page with the list of LOPA that is retrieved.

LOPA Under Review Query Returns the list of LOPA that are not in the Complete state. This
query populates the Under Review section of the LOPA
Overview page with the list of LOPA that is retrieved.

ALL LOPA Query Returns the list of LOPA associated with a specific Site. This
query is used to display a list of LOPA that you can link to a
Hazards Analysis Consequence.

Consequence Modifier LOPA Query Returns the list of Conditional Modifiers that are associated
with a LOPA.

Safeguard LOPA Query Returns the list of Safeguards that are associated with a LOPA.

LOPA Page Filter Query Returns the list of LOPA that are associated with the Equipment
or Functional Location that you choose.

LOPA_ASSET_CONTEXT_APPROVED Returns the list of LOPA that are in the Complete state and are
associated with the Equipment or Functional Location that you
choose.

LOPA_ASSET_CONTEXT_UNDER_REVIEW Returns the list of LOPA that are not in the Complete state and
are associated with the Equipment or Functional Location that
you choose.

IPL Checklist Admin Query Returns the list of IPL criteria that have been configured in the
LOPA Application Settings. This query is used to display the
criteria in the IPL Checklist workspace in LOPA Application
Settings.

Active IPL Query Returns the list of Active IPL records. This query is used to
display the Active IPL ID and the Default Value fields in the
Active IPL workspace in LOPA Application Settings.

Consequence Adjustment Probabilities Query Returns the list of Consequence Adjustment Probabilities
records. This query is used to display the Modifier ID and the
Default Value fields in the Consequence Adjustment
Probabilities workspace in LOPA Application Settings.

Human IPL Query Returns the list of Human IPL records. This query is used to
display the Human IPL ID and the Default Value fields in the
Human IPL workspace in LOPA Application Settings.

Initiating Event type query Returns the list of Initiating Events. This query is used to display
the Initiating Event ID, Default Value, Lower Boundary, and
Upper Boundary fields in the Initiating Events workspace in
LOPA Application Settings.

Passive IPL Query Returns the list of the Passive IPL records. This query is used to
display the Passive IPL ID and the Default Value fields in the
Passive IPL workspace in LOPA Application Settings.

Chapter

9
Release Notes
Topics:

• Fourth Quarter of 2021

• Second Quarter of 2021
• Fourth Quarter of 2020

Fourth Quarter of 2021
Release Date: October 8, 2021
This topic provides a list of product changes released for this module on this date.

Table 1: Resolved Issues

The following issues, which existed in one or more previous versions, have been resolved.
Description Tracking ID

Previously, when you changed the state of a Layers of Protection Analysis (LOPA) from Planning DE157928
to another state, the IPL Checklist datasheet was not disabled. This issue has been resolved.

Previously, when you upgraded the GE Digital APM and you attempted to modify the Layers of DE157636
Protection Analysis, the Calculated SIL value changed. This issue has been resolved.

Previously, in the IPL Checklist section of the Safeguard and IPLs workspace, the value DE157623
displayed in the PFD field while loading was the calculated value instead of the database value.
This issue has been resolved.

Second Quarter of 2021

Release Date: June 4, 2021
This topic provides a list of product changes released for this module on this date.

Table 2: Resolved Issues

The following issues, which existed in one or more previous versions, have been resolved.

Description Tracking ID

Previously, when you upgraded the GE Digital APM to the latest version , and you attempted to DE156529
modify the Layers of Protection Analysis, the Calculated SIL value changed. This issue has been
resolved.

Fourth Quarter of 2020

Release Date: October 2, 2020
This topic provides a list of product changes released for this module on this date.

Table 3: Resolved Issues

The following issues, which existed in one or more previous versions, have been resolved.

Description Tracking ID

Previously, when you attempted to access the Layers of Protection Analysis module, a blank page DE140611
appeared without any indication that you did not have access to the module in the following
conditions:

• You did not have an active Hazards Analysis or SIS Management license.
• Your user account was not assigned to the roles or groups that are necessary to access the
module.

This issue has been resolved.

Safety Instrumented System Design - Techniques and - 240202 - 184149
100% (1)
Safety Instrumented System Design - Techniques and - 240202 - 184149
433 pages
Example Alarm Philosophy
33% (3)
Example Alarm Philosophy
3 pages
SIL Working Method Report
92% (12)
SIL Working Method Report
35 pages
TinoVC - TUV FSE Course Preparation Info Rev 2019 R
100% (1)
TinoVC - TUV FSE Course Preparation Info Rev 2019 R
110 pages
TÜV Functional Safety Program: WWW - Prosalus.co - Uk
100% (3)
TÜV Functional Safety Program: WWW - Prosalus.co - Uk
267 pages
LOPA
100% (7)
LOPA
84 pages
Exida - Overview of IEC 61511 PDF
100% (5)
Exida - Overview of IEC 61511 PDF
138 pages
FSA Guidance Document - As Published 08.03.2019 1.0
No ratings yet
FSA Guidance Document - As Published 08.03.2019 1.0
31 pages
Day 2 Slides Rev. 13-0 - Tab 2-1
100% (2)
Day 2 Slides Rev. 13-0 - Tab 2-1
64 pages
Exida Webinar Benchmarking Practices For The Use of Alarms As Safeguards and IPLs PDF
100% (3)
Exida Webinar Benchmarking Practices For The Use of Alarms As Safeguards and IPLs PDF
41 pages
White Paper Rouse 2h Sil Verification For Rosemount Type B Transmitters With Type A Components Data
No ratings yet
White Paper Rouse 2h Sil Verification For Rosemount Type B Transmitters With Type A Components Data
16 pages
2007-04 NHT Reformer LOPA
100% (1)
2007-04 NHT Reformer LOPA
195 pages
Layer of Protection Analysis (LOPA) : Timothy Stirrup
100% (1)
Layer of Protection Analysis (LOPA) : Timothy Stirrup
14 pages
Chastainw Advancesinlayerofprotectionanalysis PDF
100% (1)
Chastainw Advancesinlayerofprotectionanalysis PDF
37 pages
LOPA and Risk Graphs For SIL Determination
100% (1)
LOPA and Risk Graphs For SIL Determination
11 pages
Functional Safety Practices For Operations
100% (3)
Functional Safety Practices For Operations
14 pages
Functional Safety: Sil Assessment & Verification: Do Proof Test Practices Affect P&Ids?
100% (1)
Functional Safety: Sil Assessment & Verification: Do Proof Test Practices Affect P&Ids?
32 pages
Example Results
100% (1)
Example Results
5 pages
FSE 1 Rev 3.4 Slides (Modo de Compatibilidade)
No ratings yet
FSE 1 Rev 3.4 Slides (Modo de Compatibilidade)
299 pages
Ida E: Functional Safety Engineering II SIS Design - SIL Verification
100% (4)
Ida E: Functional Safety Engineering II SIS Design - SIL Verification
273 pages
Applying IEC 61511 To Industrial Turbines: Chris O'Brien
100% (1)
Applying IEC 61511 To Industrial Turbines: Chris O'Brien
45 pages
Addressing Enablers in LOPA
No ratings yet
Addressing Enablers in LOPA
14 pages
Safety Alarm Rationalisation
100% (2)
Safety Alarm Rationalisation
21 pages
SIS DesignBasisRevalidation
100% (1)
SIS DesignBasisRevalidation
13 pages
FSE 1 Rev 3.3 Exercise Solutions
100% (1)
FSE 1 Rev 3.3 Exercise Solutions
19 pages
Alarm Shelving Exida Ebook PDF
100% (3)
Alarm Shelving Exida Ebook PDF
26 pages
Sis PDF
No ratings yet
Sis PDF
2 pages
ExSILentia User Guide
100% (1)
ExSILentia User Guide
180 pages
Safety Instrumented Systems: Global
100% (2)
Safety Instrumented Systems: Global
410 pages
PHA-LOPA Report Rev 0-2 PDF
100% (1)
PHA-LOPA Report Rev 0-2 PDF
39 pages
exSILentia User Guide v3 PDF
No ratings yet
exSILentia User Guide v3 PDF
180 pages
Hima Fscs - Tuv Fse White Papers 2012
100% (2)
Hima Fscs - Tuv Fse White Papers 2012
160 pages
HSE Methodology For Sociatal Risk
No ratings yet
HSE Methodology For Sociatal Risk
27 pages
Certificate Sil 3 Assessment Report Topworx en 82490
No ratings yet
Certificate Sil 3 Assessment Report Topworx en 82490
24 pages
CFSE Whitepaper Updated
100% (1)
CFSE Whitepaper Updated
16 pages
CFSE Webpage Exam Sample Q and A-4-6
No ratings yet
CFSE Webpage Exam Sample Q and A-4-6
3 pages
Management of Functional Safety Guideline Process
0% (1)
Management of Functional Safety Guideline Process
13 pages
Functional Safety and Explosion Protection
No ratings yet
Functional Safety and Explosion Protection
10 pages
Technical Note:: Process and Guidewords For Procedural Hazops
No ratings yet
Technical Note:: Process and Guidewords For Procedural Hazops
9 pages
Key Variables Needed For PFDavg Calculation
No ratings yet
Key Variables Needed For PFDavg Calculation
15 pages
ExSILentia User Guide
No ratings yet
ExSILentia User Guide
167 pages
Introduction Chaz Op
100% (1)
Introduction Chaz Op
44 pages
SIL Verification of Legacy System V3
No ratings yet
SIL Verification of Legacy System V3
12 pages
Functional Safety - IEC 61511 Introduction: New Plymouth, 11 April 2013
100% (4)
Functional Safety - IEC 61511 Introduction: New Plymouth, 11 April 2013
74 pages
Sil As Per Iec
No ratings yet
Sil As Per Iec
157 pages
2019-01-26-SIL Course-Rev. 2
100% (2)
2019-01-26-SIL Course-Rev. 2
144 pages
SIL (LOPA) Analisys Procedure
88% (8)
SIL (LOPA) Analisys Procedure
20 pages
SIS ESD Sistems For Process Industries Using IEC 61508 Unit7 SIL Selection
100% (1)
SIS ESD Sistems For Process Industries Using IEC 61508 Unit7 SIL Selection
100 pages
Safety Equipment Reliability Handbook: Second Edition
0% (1)
Safety Equipment Reliability Handbook: Second Edition
20 pages
Lopa With Hazop
100% (2)
Lopa With Hazop
72 pages
GMInternational SIL 3 Definitive Guide
100% (1)
GMInternational SIL 3 Definitive Guide
13 pages
SIS Overview
100% (4)
SIS Overview
50 pages
17 CASS TOES For FSM Assessment From IEC 61511-1 2016 v1
No ratings yet
17 CASS TOES For FSM Assessment From IEC 61511-1 2016 v1
7 pages
Proof Test of Safety Instrumented Systems SIS According To IEC 61511
No ratings yet
Proof Test of Safety Instrumented Systems SIS According To IEC 61511
38 pages
Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis
From Everand
Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis
CCPS (Center for Chemical Process Safety)
5/5 (1)
Safety engineer The Ultimate Step-By-Step Guide
From Everand
Safety engineer The Ultimate Step-By-Step Guide
Gerardus Blokdyk
No ratings yet
Guidelines for Enabling Conditions and Conditional Modifiers in Layer of Protection Analysis
From Everand
Guidelines for Enabling Conditions and Conditional Modifiers in Layer of Protection Analysis
CCPS (Center for Chemical Process Safety)
5/5 (1)
Safety Integrity Level (SIL)
100% (1)
Safety Integrity Level (SIL)
20 pages
Layer of Protection Analysis
No ratings yet
Layer of Protection Analysis
23 pages
Topic I Layers of Protection and Analysis - Safety Integrity Level
No ratings yet
Topic I Layers of Protection and Analysis - Safety Integrity Level
16 pages

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.