LOPA (Layer of Protection Analysis) is a risk assessment method used to evaluate whether sufficient protection layers exist to reduce risk to an acceptable level.
In BowTiePro, the LOPA module helps users:
- Analyze threats and consequences
- Apply protection layers
- Configure risk reduction values
- Evaluate acceptance criteria
- Determine whether calculated risk levels are acceptable
LOPA assessments work alongside BowTie diagrams and help provide a more quantitative approach to risk analysis.
What LOPA Does
The LOPA module allows users to:
- Define initiating threat frequencies
- Apply enabling factors
- Configure condition modifiers
- Add Independent Protection Layers (IPLs)
- Configure Probability of Failure on Demand (PFD) values
- Apply acceptance criteria
- Calculate overall consequence frequency
This helps organizations better understand whether existing safeguards are sufficient.
Key Components of LOPA in BowTiePro
LOPA assessments in BowTiePro are built using several key elements.
Threat Frequency
Threat frequency defines how often a threat or initiating event may occur within a given period.
Example:
- 0.1 events per year
Enabling Factors
Enabling factors increase the likelihood of a threat occurring under specific conditions.
Example:
- Lack of level transmitter
- Poor maintenance conditions
Condition Modifiers
Condition modifiers are additional factors that influence consequence probability or severity. These are applied during LOPA calculations to refine the overall assessment.
Independent Protection Layers (IPLs)
IPLs are safeguards or controls designed to reduce risk independently.
Examples may include:
- Emergency shutdown systems
- High-level shutoff systems
- Safety instrumented systems
Each IPL may contain a Probability of Failure on Demand (PFD) value.
Acceptance Criteria
Acceptance criteria define whether calculated risk levels are considered acceptable.
BowTiePro supports configurable criteria such as:
- SIL 1
- SIL 2
- SIL 3
- SIL 4
These values help determine whether additional controls are required.
LOPA Results
After all values are configured, BowTiePro calculates:
- Consequence frequency
- Overall risk values
- Acceptance status
- Whether the assessment meets defined criteria
Results are displayed within the LOPA assessment screens and related hazard views.
Relationship Between BowTie and LOPA
LOPA assessments are linked directly to hazards, threats, and consequences already defined within BowTie diagrams.
This allows users to:
- Visualize hazards using BowTie methodology
- Validate protection effectiveness using LOPA calculations
- Identify areas requiring additional safeguards
The LOPA (Layer of Protection Analysis) module in BowTiePro allows users to create and manage quantitative risk assessments linked to hazards, threats, and consequences.
Users can access the LOPA module directly from the main navigation menu.
Accessing the LOPA Module
To access the LOPA module:
- Log in to BowTiePro.
- From the top navigation menu, click LOPA.
The system will open the LOPA List screen.
Understanding the LOPA List Screen
The LOPA List screen displays all available LOPA assessments for the selected case.
Each row represents a LOPA assessment linked to:
- A hazard
- A threat
- A consequence
The list helps users quickly review the status of existing LOPA analyses.
Available Filters
The top section of the page contains several filters used to narrow down displayed results.
Case
Select the case containing the required LOPA assessments.
Example:
- BowTieExample
Location
Filter LOPA items by location.
Users can:
- Select a specific location
- View all locations
Hazard
Filter assessments by hazard. This helps users quickly locate specific risk scenarios.
Display
The Display filter controls which LOPA items are shown.
Example:
- Only full LOPA items
Understanding LOPA Columns
The LOPA list includes several important columns.
Hazard
Displays the linked hazard.
Example:
- Overfill – High level in tank
Threat
Displays the initiating threat associated with the assessment.
Example:
- Tank level transmitter fails
Consequence
Displays the consequence being evaluated.
Examples:
- Spill
- Fire
Full LOPA
Indicates whether the assessment is configured as a full LOPA analysis.
Met?
Displays whether the calculated result meets the defined acceptance criteria.
Typical values:
- Yes
- No
Colour indicators may also be displayed for quick visibility.
Creating a New LOPA Assessment
To create a new assessment:
- Click the Create New button.
- Configure the required hazard, threat, and consequence information.
- Continue building the LOPA assessment.
Detailed configuration steps are covered in later articles.
Viewing Existing LOPA Assessments
Users can open existing LOPA assessments directly from the list.
This allows users to:
- Review calculations
- Update controls
- Modify frequencies
- Review acceptance status
BowTiePro allows users to create LOPA (Layer of Protection Analysis) assessments directly from existing hazards, threats, and consequences defined within BowTie diagrams.
Each LOPA assessment is linked to:
- A hazard
- A threat
- A consequence
This helps users evaluate whether existing safeguards reduce risk to acceptable levels.
Opening the LOPA Module
To begin:
- Log in to BowTiePro.
- From the top navigation menu, click LOPA.
The LOPA List screen will open.
Creating a New Assessment
To create a new LOPA assessment:
- Click the Create New button.
The system will open the Available Items screen.
Understanding the Available Items Screen
The Available Items screen displays combinations of:
- Hazards
- Threats
- Consequences
These items are pulled from existing BowTie hazard data.
Users can filter items using:
- Case
- Location
- Hazard
Selecting a Threat and Consequence
To create a LOPA assessment:
- Locate the required threat and consequence combination.
- Click the Create button next to the selected item.
BowTiePro will generate a LOPA assessment for that specific scenario.
Opening the LOPA Diagram
After creating the assessment, the system opens the LOPA Diagram view.
The diagram visually displays:
- Threat frequency
- Protection layers
- PFD values
- Hazard
- Consequence
- Risk calculation flow
Understanding the LOPA Diagram
The LOPA diagram provides a visual representation of the assessment.
Typical components include:
Threat
The initiating event being analyzed.
Example:
- Software does not meet requirements
Protection Layers
Independent Protection Layers (IPLs) used to reduce risk.
Examples:
- Regular peer reviews
- Functional specification review
- Software testing controls
Hazard
The central hazard associated with the scenario.
Example:
- Building Software
Consequence
The outcome being evaluated if safeguards fail.
Example:
- Loss of credibility
BowTiePro uses Threat Frequency values in LOPA assessments to estimate how often a threat is expected to occur before safeguards and protection layers are applied.
Threat frequency is one of the core components used in LOPA calculations and directly affects the overall risk evaluation of a scenario.
The frequency value works together with:
- Enabling factors
- Condition modifiers
- Independent protection layers (IPLs)
- Probability of Failure on Demand (PFD)
to calculate the final residual risk.
Using accurate threat frequency values helps organizations perform more realistic and reliable risk assessments.
Accessing Threat Frequency Settings
To configure or review a threat frequency value:
- Open the LOPA module from the top navigation menu.
- Open an existing LOPA assessment or create a new one.
- In the LOPA diagram, locate the Threat node on the left side.
- Click the small information (i) icon below the threat.
- Click Edit in the popup window.
This opens the Threat Details screen where the threat frequency can be configured.
Understanding Frequency in the LOPA Diagram
The LOPA diagram displays the threat frequency directly beneath the threat node.
Example:
- Frequency: 0
This value represents the estimated number of times the threat may occur annually before safeguards reduce the risk.
The displayed value automatically updates whenever changes are saved in the Threat Details screen.
Editing Threat Frequency
After clicking Edit, the Threat Details screen opens.
The following fields are available:
| Field | Description |
| Threat | Name of the identified threat |
| Frequency (per year) | Estimated annual occurrence rate of the threat |
| Justification | Optional explanation for the selected value |
| Enabling Factors | Additional conditions that increase threat likelihood |
Configuring Frequency Values
Enter the estimated occurrence rate in the Frequency (per year) field.
Examples:
| Frequency Value | Meaning |
| 1 | Expected once every year |
| 0.1 | Expected once every 10 years |
| 0.01 | Expected once every 100 years |
The selected value should ideally be based on:
- Historical incident data
- Industry standards
- Engineering analysis
- Expert judgement
- Operational experience
Using the Justification Field
The Justification field allows users to document why a particular frequency value was selected.
This helps:
- Maintain audit records
- Support compliance reviews
- Improve consistency across assessments
- Provide evidence during risk evaluations
Recommended information to include:
- Data source
- Assumptions
- Reference documents
- Historical observations
Understanding Enabling Factors
Enabling factors are additional conditions that may increase the likelihood of the threat occurring.
Examples include:
- Human error
- Poor maintenance
- Environmental conditions
- Equipment degradation
These factors can be added directly within the Threat Details screen and are included in the overall LOPA calculations.
Saving Threat Frequency Changes
After entering or modifying the threat frequency:
- Click Save
- Return to the LOPA diagram
- Verify the updated frequency is displayed beneath the threat node
The updated value will now be included in the overall LOPA risk calculations.
Best Practices
To improve LOPA accuracy:
- Use evidence-based estimates whenever possible
- Avoid arbitrary values
- Document assumptions in the Justification field
- Review frequency values periodically
- Align calculations with organizational risk standards
- Validate calculations during risk review sessions
Conclusion
Threat frequency is a foundational component of LOPA analysis in BowTiePro. Properly configuring frequency values helps organizations produce more accurate risk calculations and better evaluate whether existing safeguards sufficiently reduce operational risk.
Using realistic values, documented assumptions, and properly configured enabling factors improves the overall reliability of the LOPA assessment process.
Enabling factors in BowTiePro are conditions or circumstances that increase the likelihood of a threat occurring. These factors are linked to threats within a LOPA assessment and help provide more accurate and realistic risk evaluations.
Enabling factors are commonly used to represent:
- Human errors
- Environmental conditions
- Equipment issues
- Operational weaknesses
- Process limitations
Adding enabling factors helps organizations better understand the conditions that may contribute to incidents.
Opening the Threat Details Screen
To add enabling factors:
- Open the LOPA module from the top navigation menu.
- Open an existing LOPA assessment diagram.
- Click the small information (i) icon below the threat.
- Click Edit from the popup window.
You will be taken to the Threat Details screen.
Adding a New Enabling Factor
Inside the Enabling Factors section:
- Click the green Add button.
- The Linked Enabling Factor Details screen will open.
- Select an enabling factor from the dropdown list.
- Enter justification or supporting notes if required.
- Click Save.
The enabling factor will now be linked to the selected threat.
Why Enabling Factors Matter
Enabling factors improve the quality of LOPA analysis by identifying additional conditions that may influence threat occurrence.
Benefits include:
- Better risk visibility
- More realistic threat evaluation
- Improved documentation
- Stronger audit and compliance records
- Enhanced operational risk understanding
Best Practices for Enabling Factors
When adding enabling factors:
- Use clear and meaningful names
- Avoid duplicate entries
- Add proper justification where possible
- Link only relevant factors to each threat
- Review factors regularly as processes change
Condition modifiers in BowTiePro are factors that influence the likelihood or effectiveness of risk scenarios within a LOPA (Layer of Protection Analysis) assessment.
These modifiers help organizations account for additional operational or environmental conditions that may impact the overall risk calculation.
Condition modifiers are commonly used for:
- Human performance conditions
- Environmental influences
- Operational complexity
- Temporary process conditions
- Special operational situations
Using condition modifiers helps create more realistic and accurate LOPA assessments.
Opening the LOPA Diagram
To configure condition modifiers:
- Open the LOPA module from the top navigation menu.
- Open an existing LOPA assessment.
- The LOPA diagram will display:
- Threats
- Controls
- Hazard
- Consequences
Opening the LOPA Control Details Screen
Condition modifiers are configured through the control/barrier settings.
To open the control details:
- Click the small information (i) icon below a control/barrier.
- A barrier information popup will appear.
- Click Edit.
You will be redirected to the LOPA Control Details screen.
Configuring Control Values and Modifiers
Inside the LOPA Control Details screen, you can configure how the control behaves within the LOPA calculation.
Available configuration options include:
- Use In Calculation
- Calculation Type
- System selection
- Define PFD (Probability of Failure on Demand)
- Justification notes
These values influence the effectiveness of the control and contribute to the final LOPA calculation results.
After entering the required values:
- Review the configuration carefully.
- Enter supporting justification if needed.
- Click Save.
Understanding PFD in Condition Calculations
PFD (Probability of Failure on Demand) represents the likelihood that a control or safeguard may fail when required.
Lower PFD values indicate stronger and more reliable safeguards, while higher values indicate weaker protection layers.
Accurate PFD values are important for:
- Reliable LOPA calculations
- Proper SIL evaluations
- Accurate risk reduction measurements
- Better operational safety decisions
Best Practices for Condition Modifiers
When configuring condition modifiers and control values:
- Use realistic and validated PFD values
- Document justification clearly
- Review calculations regularly
- Avoid overly optimistic assumptions
- Align values with operational standards and procedures
In BowTiePro LOPA assessments, controls are assigned PFD (Probability of Failure on Demand) values to calculate how effective a safeguard is at reducing risk.
PFD values represent the likelihood that a control may fail when required during a hazardous event.
Accurate PFD values are essential for:
- Reliable LOPA calculations
- Proper safeguard evaluation
- Risk reduction analysis
- SIL (Safety Integrity Level) assessment
- Operational safety planning
Opening the LOPA Diagram
To configure control PFD values:
- Open the LOPA module from the top navigation menu.
- Open an existing LOPA assessment.
- The LOPA diagram will display:
- Threats
- Controls/barriers
- Hazard
- Consequences
Opening the LOPA Control Details Screen
PFD values are configured within the control settings.
To open the control details:
- Click the small information (i) icon below a control/barrier.
- A barrier information popup will appear.
- Click Edit.
You will be redirected to the LOPA Control Details screen.
Configuring the PFD Value
Inside the LOPA Control Details screen, locate the Define PFD field.
To configure the value:
- Ensure Use In Calculation is enabled.
- Select the required Calculation Type.
- Enter the desired PFD value in the Define PFD field.
- Add justification or supporting notes if required.
- Click Save.
The configured PFD value will now be used in the LOPA calculation process.
Understanding PFD Values
PFD values determine how reliable a control is during demand situations.
General interpretation:
- Lower PFD values = stronger and more reliable safeguards
- Higher PFD values = weaker safeguards with higher failure probability
For example:
- A PFD of 0.01 indicates a highly reliable safeguard
- A PFD of 1 indicates no effective protection
Organizations should use validated engineering or operational data when assigning PFD values.
Best Practices for Configuring PFD Values
When configuring PFD values:
- Use realistic operational data
- Avoid overly optimistic assumptions
- Review safeguard performance regularly
- Document justification clearly
- Align values with industry safety standards
- Validate values during audits and reviews
Why Accurate PFD Values Matter
Incorrect PFD values can lead to:
- Inaccurate risk calculations
- Misleading LOPA results
- Poor safeguard decisions
- Incorrect SIL determination
- Increased operational risk exposure
Properly maintained PFD values improve both safety and compliance.
In BowTiePro LOPA assessments, the overall consequence value represents the final calculated risk associated with a specific consequence after considering threats, controls, enabling factors, and condition modifiers.
This value helps users understand whether the remaining risk level is acceptable or if additional protection layers are required.
Viewing Consequence Values
To review consequence values:
- Open the LOPA module.
- Open an existing LOPA assessment.
- Navigate to the LOPA Details page.
- Scroll down to the Consequence section.
The consequence section displays the consequence linked to the selected threat and top event.
Understanding How Consequence Values Are Determined
The final consequence value is influenced by several elements within the LOPA assessment, including:
- Threat frequency
- Enabling factors
- Independent protection layers (IPLs)
- Condition modifiers
- Control PFD values
- Consequence controls
BowTiePro combines these values to determine the remaining risk level after safeguards are applied.
Reviewing Threat and Consequence Controls
Controls directly affect the calculated risk value.
Threat controls reduce the likelihood of the event occurring, while consequence controls reduce the severity or impact after the event occurs.
Each control can include:
- PFD (Probability of Failure on Demand)
- Justification details
- Inclusion or exclusion from calculations
Understanding the Final Result
The overall consequence value helps users determine whether:
- Existing safeguards are sufficient
- Additional IPLs are needed
- The scenario meets acceptable risk criteria
- SIL requirements may be necessary
The value is continuously updated based on the inputs configured throughout the assessment.
Viewing Consequences in the LOPA Diagram
Users can also visually review consequences directly within the LOPA diagram.
The diagram provides a simplified visual representation of:
- Threats
- Controls
- Top events
- Consequences
- Relationships between protection layers
This helps users better understand how each protection layer contributes to overall risk reduction.
Best Practices
When reviewing overall consequence values:
- Ensure threat frequencies are accurate
- Verify all IPLs are properly configured
- Review PFD values carefully
- Add clear justifications for controls
- Confirm condition modifiers reflect realistic scenarios
- Regularly update assessments when operational changes occur
Accurate configuration ensures more reliable LOPA calculations and better risk management decisions.
After configuring threats, controls, enabling factors, and condition modifiers, BowTiePro calculates the final Layer of Protection Analysis (LOPA) results.
These results help users determine whether existing safeguards reduce risk to acceptable levels.
Viewing LOPA Results
To review LOPA results:
- Open the LOPA module.
- Select an existing LOPA assessment.
- Review the assessment list and detailed analysis screens.
The LOPA List page provides a quick overview of all assessments, including:
- Hazard
- Threat
- Consequence
- Full LOPA status
- Final result status
Understanding the “Met?” Status
The Met? column indicates whether the calculated risk level meets the configured acceptance criteria.
Possible outcomes include:
- Yes — The scenario meets acceptable risk requirements.
- No — Additional safeguards or protection layers may be required.
A “No” result typically indicates that:
- Existing controls are insufficient
- Threat frequency is too high
- PFD values are inadequate
- Additional IPLs may be needed
Reviewing the LOPA Diagram
Users can visually review the assessment using the LOPA diagram.
The diagram displays:
- Threats
- Independent protection layers (IPLs)
- Top events
- Consequences
- Control relationships
- Frequency paths
This visual representation helps users understand how each safeguard contributes to risk reduction.
Reviewing Detailed LOPA Information
Detailed calculation-related information is available within the LOPA Details page.
The details page includes:
- Threat frequency values
- Justifications
- Enabling factors
- Threat controls
- Consequence controls
- Condition modifiers
- PFD values
This information is used by BowTiePro to calculate the final assessment result.
Understanding Risk Reduction
LOPA calculations evaluate how effectively controls reduce the likelihood or impact of hazardous events.
Risk reduction is influenced by:
- Number of protection layers
- Quality of controls
- PFD values
- Threat frequency
- Condition modifiers
- Consequence mitigation measures
Higher-quality and independent safeguards generally improve overall results.
Using Results for Decision Making
LOPA results help organizations:
- Identify weak safeguards
- Determine if additional controls are required
- Improve operational safety
- Support SIL-related evaluations
- Prioritize risk mitigation activities
- Maintain compliance with risk management standards
Best Practices
When reviewing LOPA results:
- Verify all threat frequencies are accurate
- Review all control PFD values carefully
- Ensure IPLs are independent
- Regularly update assessments
- Document clear justifications
- Reassess scenarios after operational changes
Acceptance criteria and Safety Integrity Levels (SIL) are important concepts within Layer of Protection Analysis (LOPA).
BowTiePro uses these concepts to help organizations determine whether existing safeguards reduce risk to acceptable levels.
What Are Acceptance Criteria?
Acceptance criteria define the maximum level of risk considered acceptable for a specific scenario.
Within a LOPA assessment, BowTiePro evaluates whether the calculated residual risk meets these predefined criteria.
If the calculated risk exceeds acceptable limits, additional safeguards or protection layers may be required.
Reviewing Acceptance Status
Users can review acceptance status directly from the LOPA assessment list.
The Met? column indicates whether the scenario satisfies the configured risk acceptance requirements.
Possible results include:
- Yes — Risk is within acceptable limits
- No — Additional risk reduction measures may be needed
Understanding SIL Levels
SIL (Safety Integrity Level) is a measurement used to evaluate the effectiveness and reliability of safety functions and protection systems.
SIL assessments help determine how much risk reduction is required for hazardous scenarios.
Higher SIL requirements generally indicate that stronger or more reliable safeguards are needed.
How BowTiePro Supports SIL-Related Analysis
BowTiePro uses LOPA calculations to help users understand whether current safeguards provide sufficient protection.
The assessment considers:
- Threat frequencies
- Independent protection layers (IPLs)
- PFD values
- Enabling factors
- Condition modifiers
- Consequence controls
These elements collectively contribute to overall risk reduction.
Reviewing Risk Reduction in the LOPA Diagram
The LOPA diagram provides a visual representation of how controls reduce risk between threats and consequences.
The diagram helps users identify:
- Existing protection layers
- Weak or missing safeguards
- Relationships between threats and consequences
- Areas requiring additional controls
Reviewing Detailed Assessment Information
Detailed LOPA calculation information is available within the LOPA Details page.
The details page includes:
- Threat frequency values
- Control PFD values
- Control justification
- Enabling factors
- Condition modifiers
- Consequence information
This information supports risk evaluation and SIL-related decision making.
Understanding “Met” and “Not Met”
A scenario marked as Met generally indicates that:
- Existing safeguards provide adequate risk reduction
- Residual risk is acceptable
- Current controls meet assessment expectations
A scenario marked as Not Met may indicate that:
- Additional IPLs are required
- Existing safeguards are insufficient
- Threat frequency is too high
- PFD values need improvement
Best Practices
When evaluating acceptance criteria and SIL-related assessments:
- Ensure frequencies are realistic and validated
- Use accurate PFD values
- Verify control independence
- Regularly review protection layers
- Document clear justifications
- Reassess after operational changes
Properly configured LOPA assessments help organizations improve safety, strengthen risk management, and support informed operational decisions.