What a LOPA revalidation should re-check

A five-year revalidation isn’t about re-typing the old study. The real work is checking the assumptions underneath it, because those are the things that quietly go out of date.

Most of the LOPA revalidations I’m asked to look at start by asking the wrong question. The team opens the previous study and asks whether anything has changed. That sounds sensible, but it sends everyone off looking at the scenarios, when the things that have actually gone out of date are usually the assumptions sitting underneath those scenarios.

A quick reminder of what a LOPA is. It’s a way of checking, one scenario at a time, whether the safeguards you have add up to enough protection (CCPS, Layer of Protection Analysis: Simplified Process Risk Assessment). In practice it ends up as a set of numbers that all looked right on the day they were agreed. The trouble is that a few years later some of those numbers are still right and some quietly aren’t, and the whole point of a revalidation is to find the ones that have stopped being true.

There’s also a legal reason to do it. The US process safety management rule says a process hazard analysis has to be revisited and revalidated at least every five years so that it still matches how the plant actually runs (OSHA 29 CFR 1910.119(e)(6)). But five years is the longest you’re allowed to leave it, not the goal. What matters is whether the picture of the risk still matches the real plant.

Start with the protection layers

The first thing I check is each of the safeguards the study is leaning on, the ones it counts as independent protection layers. For one of these to count, it has to work on its own, separately from whatever started the problem and from the other safeguards, and you have to be able to show that it works (CCPS, Guidelines for Initiating Events and Independent Protection Layers). My checks are really just asking whether that’s still true after a few years of real operation.

  • The most fragile part is independence. A modification, a shared instrument, or a control and a trip that now both read from the same transmitter can quietly turn two separate safeguards into one, and nothing in the study will flag it, because nobody updated the study.
  • The next is whether the safeguard still actually works when it’s needed. A trip that spends three months of the year switched off for maintenance or operations isn’t giving you the protection the study assumed.
  • The last is upkeep. A safeguard only earns its credit if it’s tested often enough to stay reliable, and if that testing has quietly stretched out, the protection is weaker than the study claims.

None of this shows up if all you do is read the old scenario and compare it to the new one.

The other things that move

After the safeguards, the next things to check are the assumptions about people and conditions. How many people are usually nearby, how likely a leak is to find a source of ignition, how long the plant spends in the risky state: these were all estimates when the study was done, and operations changes them without thinking of it as a change to the LOPA. A unit that used to be manned and is now run with hardly anyone on it has a different number of people exposed, which changes how often a given outcome is acceptable, which can change how reliable an automatic safety system has to be (its safety integrity level, set out in IEC 61511). That’s a real finding, not a paperwork tidy-up.
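As an added worked example (not from the article; the scenario numbers, failure rates and instrument tags are constructed), here is the LOPA arithmetic behind the three safeguard checks above and the SIL point just made: a trip and an alarm that come to share one transmitter cost the alarm its credit and raise the risk reduction the SIF has to supply, while a stretched proof test or a trip bypassed for part of the year lowers what the SIF actually achieves.

```python
"""Added LOPA worked example; scenario numbers and tags are constructed."""
import math
from dataclasses import dataclass

@dataclass
class IPL:
    name: str
    pfd: float        # average probability of failure on demand
    sensor: str = ""  # instrument the layer depends on ("" = none)

def independent_ipls(ipls, sif_sensor=""):
    """Credit only layers sharing no sensor with the SIF or an earlier layer."""
    seen, kept = ({sif_sensor} if sif_sensor else set()), []
    for ipl in ipls:
        if ipl.sensor and ipl.sensor in seen:
            continue  # shared transmitter: two safeguards have become one
        if ipl.sensor:
            seen.add(ipl.sensor)
        kept.append(ipl)
    return kept

def required_rrf(ief, modifiers, ipls, target):
    """Risk reduction the SIF must supply: IEF x modifiers x other PFDs / target."""
    return ief * math.prod(modifiers) * math.prod(i.pfd for i in ipls) / target

def sil_for_rrf(rrf):
    """IEC 61511 bands: SIL 1 = RRF 10..100, SIL 2 = 100..1000, ...; 0 = below SIL 1."""
    return 0 if rrf < 10 else min(4, int(math.log10(rrf)))

def sif_pfd_avg(lambda_du_per_hr, test_interval_hr, bypass_fraction=0.0):
    """First-order PFD_avg (lambda_DU x TI / 2), with PFD = 1 while bypassed."""
    pfd = lambda_du_per_hr * test_interval_hr / 2
    return pfd * (1 - bypass_fraction) + bypass_fraction

if __name__ == "__main__":
    ief, target = 0.1, 1e-6     # BPCS loop failure /yr; tolerable frequency /yr
    modifiers = [0.3, 0.5]      # P(ignition), P(someone in the area)
    layers = [IPL("alarm + operator response", 0.1, "PT-101"), IPL("relief valve", 0.01)]
    for label, sif_sensor in [("as studied", "PT-102"), ("SIF moved to PT-101", "PT-101")]:
        rrf = required_rrf(ief, modifiers, independent_ipls(layers, sif_sensor), target)
        print(f"{label}: SIF needs RRF {rrf:.0f} -> SIL {sil_for_rrf(rrf)}")
    for ti, byp in [(8760, 0.0), (3 * 8760, 0.0), (8760, 0.25)]:
        ach = 1 / sif_pfd_avg(1e-6, ti, byp)   # lambda_DU = 1e-6/h (constructed)
        print(f"TI {ti} h, bypassed {byp:.0%}: SIF achieves RRF {ach:.0f} -> SIL {sil_for_rrf(ach)}")
```

With these constructed inputs the shared transmitter moves the requirement from SIL 1 to SIL 2, while stretching the proof test from one year to three drops the SIF from SIL 2 to SIL 1, and bypassing it for a quarter of the year leaves it below SIL 1 altogether.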

Use the incident log and the list of changes

The two most useful inputs to a revalidation are the record of incidents and near-misses and the list of changes made since the last study, and I won’t sign one off that hasn’t been through both. Every near-miss is a hint that a scenario might be more likely than the study assumed, and every change is a possible change to a safeguard. Go through both properly and you’re genuinely revalidating. Skip them and all you’ve done is print the old study with a new date on it.

A simple test

Before I sign a revalidation off, I ask the team one question. Which of these numbers would we no longer be comfortable defending to a regulator? If the answer is “none of them”, then either nothing at all changed in five years, which is rare, or we haven’t looked hard enough, which is common.

A revalidation that changes nothing isn’t a clean bill of health. More often it’s a sign that nobody really re-tested the assumptions.

The aim isn’t to do all the work again. It’s to find the few places where the plant has moved on and the assessment of the risk hasn’t caught up.
References

  • OSHA 29 CFR 1910.119, Process safety management of highly hazardous chemicals, PHA update and revalidation at (e)(6).
  • CCPS (AIChE), Layer of Protection Analysis: Simplified Process Risk Assessment, and Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis, for the LOPA method and what makes a safeguard count as a protection layer.
  • IEC 61511, Functional safety, safety instrumented systems for the process industry sector, for safety integrity levels.