The first HAZOP I ever sat in ran for three weeks on a gas-to-liquids facility in Africa. I was the junior I&C engineer in the room, sitting between the process engineer who knew the chemistry and the operations supervisor who knew the plant. The facilitator worked through every node on the P&ID applying guide words — no flow, more pressure, less temperature, reverse flow — and the team debated causes, consequences, and existing safeguards for hours at a time.
By week two, I understood why these studies exist. By the end of week three, I understood why they take so long. And by the LOPA that followed, I understood that hazard analysis isn’t a single document — it’s a workflow that starts with HAZOP and ends with engineered safety functions designed to specific SIL targets.
This guide explains HAZOP and LOPA from a working I&C engineer’s perspective. Most online content on these topics is written by process safety consultants or process engineers. The I&C engineer’s seat in these sessions is genuinely different — different questions get asked, different contributions matter, different decisions get made. I’ll cover what HAZOP and LOPA actually are, how they fit together, what each team member brings to the room, and what mistakes I’ve seen on real projects.
If you’ve read our Safety Instrumented System guide and our SIL Ratings guide, this article is the missing piece — the upstream work that determines what your SIS actually needs to do.
TL;DR — Quick Answer: What Are HAZOP and LOPA?
HAZOP (Hazard and Operability Study) is a structured, team-based qualitative review that systematically identifies hazards in a process design. The team works through every process node, applying guide words like “no flow” or “more pressure” to identify deviations from design intent, their causes, their consequences, and existing safeguards.
LOPA (Layer of Protection Analysis) is a semi-quantitative method that takes HAZOP findings and determines whether existing protection layers are sufficient. For each hazard scenario, LOPA assigns numerical values to initiating event frequency, consequence severity, and protection layer credits, then calculates whether residual risk meets the tolerable threshold.
Together, HAZOP and LOPA form the upstream workflow that drives SIL assessment and SIS design. HAZOP identifies what can go wrong; LOPA quantifies how much risk reduction is needed; SIL assessment determines the integrity level required for each Safety Instrumented Function.
Both studies are governed by industry standards including IEC 61511 for process safety and CCPS guidelines from AIChE. They are conducted in workshop format with representatives from process engineering, operations, I&C, HSE, and often the SIS vendor.
What You Will Learn
This guide covers HAZOP and LOPA at working-engineer depth:
- What HAZOP is and how the methodology actually works in a workshop
- The HAZOP guide words and how deviations are systematically identified
- Who sits in the HAZOP room and what each team member contributes
- What LOPA is and how it differs from HAZOP
- Independent Protection Layers and how credits are taken
- The full workflow from HAZOP through LOPA to SIL assessment
- What the I&C engineer specifically brings to these sessions
- Common mistakes I’ve seen in real HAZOP and LOPA studies
What Is HAZOP — Hazard and Operability Study
HAZOP stands for Hazard and Operability Study. It is the most widely used hazard identification methodology in process industries — chemicals, oil and gas, petrochemicals, refining, pharmaceuticals, pulp and paper.
A HAZOP is fundamentally a structured brainstorming exercise. The team is given a P&ID, the facilitator picks a node (a pump, a vessel, a column, a heat exchanger), and the team applies a defined set of guide words to identify deviations from design intent. For each meaningful deviation, the team documents the cause, consequence, existing safeguards, and any recommended actions.
The methodology comes from chemical industry practice in the United Kingdom in the 1960s, formalized into international standards over subsequent decades. The current IEC standard IEC 61882 defines HAZOP methodology specifically, and the IEC functional safety portal is the authoritative source for the related IEC 61511 standard that governs how HAZOP feeds into SIS design. In the United States, the equivalent practice is governed by ANSI/ISA-84 from the ISA standards catalog.
In practice, HAZOP is qualitative — it identifies hazards and judges adequacy of existing safeguards using team judgment rather than numerical calculation. That’s where LOPA comes in afterward to add quantitative rigor.
The HAZOP Methodology — Guide Words and Deviations
The heart of HAZOP methodology is the guide word matrix. For each process parameter, the team applies guide words to identify deviations.
The standard HAZOP guide words are:
- NO or NONE — complete absence (e.g., no flow, no pressure)
- MORE — quantitative increase (more flow, more pressure, more temperature)
- LESS — quantitative decrease (less flow, less pressure, less temperature)
- REVERSE — opposite direction (reverse flow)
- AS WELL AS — additional unintended phase or substance (contamination)
- PART OF — partial completion (loss of one component in a mixture)
- OTHER THAN — completely different (wrong fluid in the line)
- EARLY / LATE — timing deviations on batch operations
- BEFORE / AFTER — sequence deviations
The team applies these guide words to process parameters — flow, pressure, temperature, level, composition, phase, sequence — and identifies which combinations represent credible deviations with meaningful consequences.
For each meaningful deviation, the workshop records:
- Cause — what could lead to this deviation (pump failure, control loop fault, blockage, operator error)
- Consequence — what happens if the deviation occurs and isn’t addressed
- Safeguards — what existing protection layers respond (alarms, relief valves, interlocks, operator response)
- Recommendation — any additional protective measure the team thinks should be considered
This work is tedious. A large facility might have hundreds of nodes, each requiring dozens of guide word applications. I’ve sat in HAZOP sessions where one node took half a day because the team genuinely debated whether a particular consequence was credible. That debate is the value — it catches hazards that no individual engineer would identify alone.
The HAZOP Team — Who Sits in the Room
A HAZOP team needs the right mix of disciplines, and getting the team composition right is one of the most important factors in study quality.
The standard HAZOP team includes:
- Facilitator — an independent, trained HAZOP leader who runs the session, applies the methodology, and keeps the discussion productive
- Scribe — captures findings in the HAZOP worksheets in real time
- Process Engineer — knows the chemistry, the process design intent, and the hazard mechanisms
- Operations Representative — knows how the plant actually runs, where bypasses get used, what operators actually do during upsets
- I&C Engineer — knows the control loops, the interlock logic, the SIS architecture, and the instrumentation reliability
- Mechanical Engineer — knows the equipment limits, materials of construction, and mechanical failure modes
- HSE Representative — brings the regulatory perspective and consequence categorization framework
- Specialist Disciplines as needed — electrical engineer for power-dependent hazards, machinery engineer for compressors and turbines, pipelines engineer for export systems
The team composition varies with project scope, but the core five (facilitator, scribe, process, operations, I&C) are essentially universal.
What I bring to the room as the I&C engineer is specific — and we’ll get to that in detail later in this guide.
What Is LOPA — Layer of Protection Analysis
LOPA stands for Layer of Protection Analysis. It is a semi-quantitative methodology that takes HAZOP findings and determines whether the existing protection layers are sufficient to bring residual risk to a tolerable level — or whether additional risk reduction is required.
LOPA was developed by the AIChE Center for Chemical Process Safety (CCPS) in the late 1990s and early 2000s. It fills the gap between fully qualitative methods (like HAZOP alone) and fully quantitative methods (like full Quantitative Risk Assessment). The CCPS LOPA guidelines are the authoritative reference for the methodology, available through the CCPS publications catalog.
LOPA is conducted as a workshop, typically after the HAZOP is complete and findings have been documented. The same team members usually participate, though LOPA sessions are often shorter than HAZOP because the scope is narrower — only HAZOP scenarios that need quantitative evaluation get LOPA-analyzed.
The fundamental LOPA equation is:
Mitigated Event Frequency = Initiating Event Frequency × Π (Probability of Failure on Demand of each IPL)
If the mitigated event frequency is below the tolerable risk threshold, existing protection is sufficient. If it’s above, additional risk reduction is required — typically a new Safety Instrumented Function with a specific SIL target.
The LOPA Methodology — Quantifying Risk
LOPA assigns numerical values to each element of a hazard scenario:
Initiating Event Frequency.
How often does the initiating event occur? Pump failure causing loss of flow might be 0.1 per year. Control loop failure causing setpoint deviation might be 0.5 per year. These frequencies come from industry failure rate databases and project-specific data.
Consequence Severity.
What is the worst credible outcome? Categories typically range from minor injury or production loss through serious injury, single fatality, multiple fatalities, and major environmental damage. Each consequence category has an associated tolerable frequency threshold defined by the operating company’s risk matrix.
Independent Protection Layers (IPLs).
Each credible IPL gets a Probability of Failure on Demand credit, typically expressed in powers of ten. A well-designed BPCS alarm with operator response might give a 10x risk reduction (PFD = 0.1). A relief valve might give 100x (PFD = 0.01). A SIS function at SIL 2 gives 100x to 1,000x.
The Calculation.
Multiply initiating event frequency by the PFD of each IPL. If the result is below tolerable risk, you’re done. If not, the gap is the required SIL of an additional Safety Instrumented Function.
For example: initiating event 0.1/year, two IPLs each at PFD 0.1, gives 0.1 × 0.1 × 0.1 = 0.001/year. If tolerable risk is 0.00001/year, the gap is 100x — meaning a new safety function at SIL 2 (RRF 100-1,000) is required to close it.
Independent Protection Layers — What Counts and What Doesn’t
Not everything that looks like a safeguard counts as an Independent Protection Layer in LOPA. To take credit for a layer, it must meet specific criteria:
- Independence — the IPL must be independent of the initiating event and any other IPLs already credited. A control loop alarm cannot be credited if the initiating event is failure of that same control loop.
- Functionality — the IPL must actually prevent or mitigate the consequence in question.
- Auditability — the IPL must be designed, installed, tested, and maintained to a documented standard. You can’t credit something that exists informally.
- Specificity — the IPL must specifically address the hazard scenario being analyzed, not be a generic safeguard.

Common IPLs that typically qualify include:
- BPCS alarms with operator response — if the alarm is independent of the initiating cause and the operator has documented procedures and time to respond, typically 10x credit
- Mechanical relief valves — well-designed, regularly tested relief valves typically credit 100x to 1,000x depending on certification
- Safety Instrumented Functions — SIL 1 credits 10x to 100x, SIL 2 credits 100x to 1,000x, SIL 3 credits 1,000x to 10,000x
- Physical barriers — dikes, blast walls, containment, certain physical separations
- Emergency response — well-trained response teams with documented procedures, typically modest credit
Common items that do not qualify as IPLs include:
- BPCS control loops (these are the control function, not an independent protection layer)
- Operator action without specific alarm, procedure, and time available
- Maintenance procedures
- Training
- Generic safeguards not specific to the scenario
The discipline of evaluating IPLs strictly is what makes LOPA semi-quantitative rather than just informal scoring.
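The LOPA equation and the IPL screening criteria from the two sections above, worked through in code. This is an added illustration, not material from the article: the tag numbers (FIC-101, TAH-102, PSV-103), the initiating frequency, the PFD values and the tolerable frequency are constructed, and the SIL bands follow IEC 61511 (SIL 4 included for completeness although the article stops at SIL 3).

```python
"""LOPA worked example: mitigated frequency, IPL screening and SIL band.

Added illustration. Tags, frequencies and PFDs are constructed; a real tolerable
frequency comes from the operating company's risk matrix.
"""
from dataclasses import dataclass

# IEC 61511 risk-reduction-factor bands for a single SIF: (SIL, lower bound of RRF).
SIL_BANDS = ((4, 10_000), (3, 1_000), (2, 100), (1, 1))
MAX_RRF_SINGLE_SIF = 100_000  # beyond SIL 4 one SIF cannot close the gap


@dataclass(frozen=True)
class IPL:
    name: str
    pfd: float                    # probability of failure on demand
    depends_on: frozenset         # equipment/systems whose failure defeats this layer
    auditable: bool = True        # designed, tested and maintained to a documented standard


@dataclass(frozen=True)
class Scenario:
    description: str
    initiating_freq: float        # initiating events per year
    initiating_systems: frozenset  # what has failed when the initiating event occurs
    tolerable_freq: float         # tolerable frequency per year for this consequence class
    candidate_ipls: tuple


def screen_ipl(ipl, scenario, credited):
    """Apply the IPL criteria: auditable, independent of the initiating event,
    independent of every layer already credited. Returns (ok, reason)."""
    if not ipl.auditable:
        return False, "not auditable"
    if ipl.depends_on & scenario.initiating_systems:
        return False, "not independent of the initiating event"
    for other in credited:
        if ipl.depends_on & other.depends_on:
            return False, f"not independent of {other.name}"
    return True, "credited"


def sil_for_rrf(rrf, tol=1e-9):
    """Map a required RRF to the SIL whose band covers it; 0 means no SIF is needed."""
    if rrf <= 1 + tol:
        return 0
    if rrf > MAX_RRF_SINGLE_SIF:
        raise ValueError("gap exceeds what a single SIF can close; revisit the design")
    for sil, lower in SIL_BANDS:
        if rrf >= lower * (1 - tol):  # tolerance absorbs float noise at band edges
            return sil


def evaluate(scenario, strict=True):
    """Mitigated frequency = initiating frequency x product(PFD of credited IPLs).
    strict=False credits every candidate, reproducing the 'BPCS as IPL' mistake."""
    credited, rejected = [], {}
    for ipl in scenario.candidate_ipls:
        ok, reason = screen_ipl(ipl, scenario, credited) if strict else (True, "credited")
        if ok:
            credited.append(ipl)
        else:
            rejected[ipl.name] = reason
    mitigated = scenario.initiating_freq
    for ipl in credited:
        mitigated *= ipl.pfd
    rrf = mitigated / scenario.tolerable_freq  # > 1 means a risk gap remains
    return {"mitigated_freq": mitigated, "required_rrf": rrf, "sil_target": sil_for_rrf(rrf),
            "credited": [i.name for i in credited], "rejected": rejected}


# Constructed scenario: cooling-water flow loop FIC-101 fails and the reactor overheats.
REACTOR_OVERTEMP = Scenario(
    description="Loss of reactor cooling on failure of flow loop FIC-101 (constructed)",
    initiating_freq=0.1,                       # loop failures per year (assumed)
    initiating_systems=frozenset({"FIC-101"}),
    tolerable_freq=1e-5,                       # per year for this consequence class (assumed)
    candidate_ipls=(
        IPL("FIC-101 low-flow alarm, operator response", 0.1, frozenset({"FIC-101", "operator"})),
        IPL("TAH-102 high-temperature alarm, operator response", 0.1, frozenset({"TT-102", "operator"})),
        IPL("PSV-103 relief valve", 0.01, frozenset({"PSV-103"})),
        IPL("Operator training programme", 0.1, frozenset({"operator"}), auditable=False),
    ),
)

if __name__ == "__main__":
    for strict in (False, True):
        r = evaluate(REACTOR_OVERTEMP, strict=strict)
        print(f"strict={strict}: mitigated {r['mitigated_freq']:.1e}/yr, "
              f"required RRF {r['required_rrf']:.0f}, SIL target {r['sil_target']}")
        for name, why in r["rejected"].items():
            print(f"  rejected {name}: {why}")
```

With every candidate credited the scenario appears to meet the tolerable frequency; with the independence and auditability screen applied, a 10x gap remains and a SIL 1 function is required.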
HAZOP vs LOPA — When You Use Each
HAZOP and LOPA serve different purposes in the safety lifecycle, and confusing them is one of the more common mistakes.
| Aspect | HAZOP | LOPA |
|---|---|---|
| Purpose | Identify hazards | Quantify risk and determine SIL targets |
| Methodology | Qualitative, team-based brainstorming with guide words | Semi-quantitative, numerical calculation |
| Output | List of hazard scenarios with causes, consequences, safeguards | SIL targets for safety functions where risk gap exists |
| Position in lifecycle | First — identifies hazards | Second — evaluates HAZOP-identified scenarios |
| Time required | Weeks for a major facility | Days to weeks following HAZOP |
| Required for SIS design | Yes — feeds LOPA | Yes — sets SIL targets |
HAZOP is the hazard identification step. LOPA is the risk evaluation step. You can’t do LOPA without HAZOP (because you don’t know what scenarios to evaluate), and HAZOP alone doesn’t give you SIL targets (because it’s qualitative).
In modern practice, some workshops integrate HAZOP and LOPA into a combined session for efficiency — applying LOPA scoring to each HAZOP finding as it’s identified. This works for some facilities but is not the only valid approach.
The Full Workflow — HAZOP, LOPA, SIL Assessment, SIS Design
The complete safety analysis workflow on a major project runs:
1. HAZOP — identify all credible hazard scenarios on the facility
2. LOPA — evaluate the scenarios identified by HAZOP that require quantitative analysis
3. SIL Assessment — for LOPA findings requiring new safety functions, formally assign SIL targets per IEC 61511
4. SIS Design — engineer the safety functions: sensors, logic solver, voting architecture, final elements, proof-test intervals
5. SIL Verification — calculate achieved SIL from the engineered design and confirm it meets the assessment targets
6. FAT and SAT — verify the engineered SIS performs as designed
7. Commissioning — verify each safety function works end-to-end with actual field devices
8. Operation — ongoing proof testing per intervals defined by SIL ratings
Steps 1-3 (HAZOP, LOPA, SIL assessment) are the upstream analysis work. Steps 4-7 are the engineering and execution work. Step 8 is the lifecycle commitment that runs for the life of the plant.
The whole workflow takes time. On the oil and gas mega-project in Asia I currently work on, the HAZOP and LOPA work alone consumed several months across multiple workshop campaigns. The SIS design, FAT, SAT, and commissioning together ran across years. Functional safety is a long game.
For deeper coverage of SIL assessment specifically, see our SIL Ratings Explained guide.
What the I&C Engineer Brings to HAZOP and LOPA Sessions
This is the section that distinguishes this guide from process-safety-consultant content elsewhere online. The I&C engineer’s seat in HAZOP and LOPA is genuinely different from the process engineer’s seat, and the contributions are specific.
Knowing the actual instrumentation.
The P&ID shows a pressure transmitter and a trip valve. The I&C engineer knows whether that transmitter is a SIL 2-capable certified device or a basic process transmitter. The team’s discussion of whether a particular interlock counts as a credible IPL depends entirely on what the actual instrumentation is, and the I&C engineer is the one who knows.
Understanding common-cause failure modes.
When the team is debating whether two redundant pressure transmitters provide genuine independence, the I&C engineer is the one who knows whether they share power supplies, share signal conditioning electronics, share I/O cards, or share network paths. These are the failure modes that compromise apparent redundancy, and they’re invisible from the P&ID.
Loop integrity and SIS interface.
When the team is considering whether a particular safeguard counts, the I&C engineer knows whether the loop is BPCS or SIS, what the diagnostic coverage is, what the proof-test interval will need to be, and what the cause-and-effect interface looks like.
Realistic operator response.
When the team credits operator response to an alarm, the I&C engineer knows what the actual HMI looks like, where the alarm appears, how it’s prioritized among other alarms, and whether the response time being credited is realistic given the alarm load. This is one of the most consequential I&C contributions to LOPA — overcrediting operator response is a common LOPA mistake.
Vendor-specific knowledge.
I&C engineers with cross-vendor experience know how different SIS platforms handle voting, diagnostics, and proof testing. On a project where the SIS is Honeywell Safety Manager (which I work with daily on the oil and gas mega-project in Asia), the diagnostic coverage and failure rate data are specific to that platform. On projects with Triconex or Yokogawa ProSafe-RS, the numbers differ. For broader vendor context, see our Honeywell Experion PKS architecture guide.
Spurious trip awareness.
The I&C engineer knows what voting architecture choices mean for spurious trip frequency. The team might want to specify 1oo2 voting for higher availability — but if that voting scheme on this particular SIS will trigger frequent spurious shutdowns, the practical safety outcome is worse because operators will start bypassing the function. The I&C engineer flags this trade-off.
Realistic proof-test execution.
Proof testing is what keeps the achieved SIL at its design target. The I&C engineer knows what proof testing actually looks like on the plant — whether it can be done online or requires shutdown, whether operations will actually do it on the specified interval, whether the test procedure is realistic. Theoretical SIL assumes real proof testing.
Common HAZOP and LOPA Mistakes I’ve Seen
After sitting through many HAZOP and LOPA workshops on multiple projects, here are the recurring mistakes:
Inadequate node breakdown. Some teams try to HAZOP an entire process train as one node. The result is shallow analysis that misses deviations specific to individual equipment. Good HAZOP breaks the process into manageable nodes — typically one P&ID drawing per node.
Overcrediting operator response. “Operator sees alarm and intervenes within 10 minutes” is credited far too generously in many LOPAs. Real alarm response depends on alarm flood, shift workload, alarm priority, operator training, and procedural clarity. The I&C engineer needs to push back when operator credit looks unrealistic.
Treating the BPCS as an IPL. A BPCS control loop is not an independent protection layer against scenarios involving its own failure. This sounds obvious but it appears in LOPA worksheets routinely. The discipline of IPL evaluation has to be strict.
Skipping the documentation. HAZOP and LOPA outputs are documents that get archived for decades, audited by regulators, and consulted during MOC. Skipping documentation rigor “to save time” creates problems that surface years later. Use proper HAZOP/LOPA software (PHA-Pro, exSILentia, ScribePro) rather than improvised spreadsheets.
Going through the motions on revalidation. Most jurisdictions require HAZOP revalidation every 3-5 years. Treating this as a paperwork exercise rather than fresh analysis is a common pattern. The plant changes, instrumentation changes, operating modes change — revalidation should reflect that. Professional bodies such as the Institution of Chemical Engineers (IChemE) publish best-practice guidance on HAZOP revalidation that goes well beyond minimum regulatory requirements.
Team composition shortcuts. Running HAZOP without an I&C engineer in the room — or with someone insufficiently experienced in I&C — produces studies that miss instrumentation-specific hazards and overcredit instrumentation safeguards.
Mixing HAZOP and LOPA methodology errors. HAZOP is qualitative; LOPA is semi-quantitative. Trying to assign LOPA-style numerical credits during HAZOP, or trying to identify new hazards during LOPA, blurs the methodologies and weakens both outputs.
Treating LOPA results as fixed forever. LOPA assumes specific failure rates, specific maintenance practices, and specific operating modes. If any of these change — and over a plant lifecycle, many do — the LOPA needs to be revisited. MOC should include LOPA impact assessment for any change that touches a credited IPL.
Vendor pressure on IPL credits. SIS vendors sometimes push for higher credit on their products to influence SIL targets favorably. The team has to evaluate IPLs against the standard, not against vendor recommendations.
Frequently Asked Questions
What is the difference between HAZOP and LOPA?
HAZOP is a qualitative team-based hazard identification methodology using guide words. LOPA is a semi-quantitative risk evaluation methodology that takes HAZOP findings and determines whether existing protection layers reduce risk to tolerable levels. HAZOP identifies hazards; LOPA quantifies them.
Which comes first, HAZOP or LOPA?
HAZOP comes first. You can’t do LOPA without knowing what scenarios to evaluate, and that comes from HAZOP. Some workshops integrate the two methodologies into combined sessions, but the conceptual order is always HAZOP first.
How long does a HAZOP take?
A small facility might HAZOP in a few days. A major refinery, gas plant, or LNG facility can take weeks of workshop time across multiple campaigns. The first HAZOP I participated in ran three weeks on a single facility.
Is LOPA required by regulation?
LOPA is one of several IEC 61511-compliant methods for setting SIL targets. Risk graphs are another. The standard does not mandate LOPA specifically, but LOPA is the most widely used method in North America and is required by many corporate safety standards globally.
What does IPL stand for in LOPA?
IPL stands for Independent Protection Layer. An IPL is a safeguard that meets specific criteria — independence from the initiating event, demonstrated functionality, auditability, and specificity to the hazard — and therefore qualifies for risk reduction credit in LOPA calculations.
Can a BPCS alarm count as an IPL?
A BPCS alarm with operator response can count as an IPL if the alarm is independent of the initiating cause, the operator has documented procedures, and there is sufficient time to respond. The typical credit is 10x risk reduction (PFD = 0.1). Generous crediting of operator response is one of the most common LOPA mistakes.
Do I need an I&C engineer in a HAZOP?
Yes. The I&C engineer brings essential perspective on instrumentation reliability, common-cause failure modes, realistic operator alarm response, and SIS-specific considerations that the process engineer alone cannot provide. Running HAZOP without I&C expertise produces studies that miss critical hazards.
What is the output of a LOPA?
The primary output of LOPA is identification of required safety functions with target SIL ratings. For each hazard scenario where existing protection is insufficient, LOPA specifies the additional risk reduction needed and the SIL of the safety function that must provide it. This feeds directly into SIS design.
How often does HAZOP need to be revalidated?
Most operating company standards require HAZOP revalidation every 3-5 years. Many regulatory frameworks (OSHA PSM, COMAH, Seveso) require periodic revalidation. Material changes to process, instrumentation, or operating mode also trigger HAZOP review through Management of Change.
Conclusion
HAZOP and LOPA are not paperwork. They are the engineering work that determines what your safety instrumented system actually needs to do. The HAZOP identifies what can go wrong. The LOPA quantifies how much risk reduction is required. Together they drive every downstream decision about SIS architecture, SIL ratings, sensor selection, voting schemes, and proof-test intervals.
For an I&C engineer, sitting in HAZOP and LOPA sessions is not a passive activity. Your specific contributions matter — knowing the actual instrumentation, understanding common-cause failure modes, evaluating realistic operator response, and flagging spurious trip implications. The studies are better when an experienced I&C engineer is in the room.
The work is tedious. Multi-week HAZOP campaigns are mentally exhausting. LOPA sessions involve detailed arguments about IPL credits and tolerable risk. The documentation overhead is substantial. None of this is glamorous. All of it is foundational.
If you’re new to functional safety, sitting through your first HAZOP teaches more about hazard analysis than any textbook. If you’ve been participating for years, the methodology probably feels familiar enough that you have your own list of recurring mistakes you see in workshops. Either way, the discipline is genuinely valuable when done well.
For broader context on safety systems and the standards that govern them, see our Safety Instrumented System cornerstone guide and SIL Ratings Explained guide. For overall DCS architecture context, see the What Is a DCS cornerstone guide.
About the Author
Daniel Reed is an Instrument and Controls Engineer with 14+ years of oil and gas EPC experience across onshore and offshore projects in Asia and Africa. He currently works as a client-side I&C completion engineer on a large oil and gas mega-project in Asia, where he has been involved with Honeywell Experion PKS and Safety Manager since 2018.
His earlier work covered Yokogawa CENTUM and Triconex SIS on an offshore brownfield in Africa (2015-2018), and Yokogawa CENTUM and ProSafe-RS on a gas-to-liquids facility in Africa. His focus is engineering deliverable review, control and safety system commissioning, HAZOP/SIL/SIF participation, FAT/SAT execution, and vendor coordination across Honeywell, Yokogawa, Triconex, Allen-Bradley, and Siemens platforms.
