What a LOPA revalidation should actually re-check

A five-year revalidation is not a re-typing exercise. The value is in the assumptions that have quietly drifted since the last study.

Most LOPA revalidations I am asked to look at start from the wrong question. The team opens the previous worksheet and asks, “has anything changed?” That is the right instinct, but it points everyone at the scenarios when the real drift is usually in the assumptions underneath them.

A LOPA is a stack of numbers that were defensible on the day they were agreed. Five years later, some of those numbers are still true and some are quietly false. The job of a revalidation is to find the false ones.

Start with the independent protection layers

The first thing I re-test is whether each claimed IPL is still independent, still effective, and still being maintained as if it mattered.

  • Independence erodes through modifications. A new tie-in, a shared instrument, a control and trip that now read off the same transmitter — any of these can collapse two layers into one without anyone touching the LOPA.
  • Effectiveness erodes through bypasses and standing overrides. An IPL that spends a quarter of the year inhibited is not delivering the risk reduction the study claims.
  • Maintenance erodes silently. If the proof-test interval that justified the PFD has slipped, the credit no longer holds.

None of this shows up if you only compare scenario text to scenario text.
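The three checks above can be run as arithmetic over the worksheet. The following is an added example, not part of the original article: the scenario, tags and numbers are constructed, and it assumes the simplified single-channel relationship PFDavg ≈ λ_DU·TI/2 (so PFD scales linearly with the proof-test interval), treats a bypassed layer as failed, and withdraws credit from any layer that shares an instrument with the initiating cause or an earlier layer.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IPL:
    name: str
    claimed_pfd: float         # PFD credited in the previous study
    design_test_months: float  # proof-test interval that justified that PFD
    actual_test_months: float  # interval actually achieved since the study
    bypass_fraction: float     # share of the period spent inhibited or overridden
    sensors: frozenset = frozenset()  # instrument tags the layer depends on

def effective_pfd(ipl):
    # Assumption: PFDavg ~ lambda_DU * TI / 2, so PFD grows linearly with the interval.
    tested = ipl.claimed_pfd * max(1.0, ipl.actual_test_months / ipl.design_test_months)
    # Assumption: while bypassed, the layer fails on demand with probability 1.
    return min(1.0, (1 - ipl.bypass_fraction) * tested + ipl.bypass_fraction)

def revalidate(initiating_freq, initiating_sensors, ipls):
    """Return (claimed frequency, re-checked frequency, findings) per year."""
    used = set(initiating_sensors)
    claimed = actual = initiating_freq
    findings = []
    for ipl in ipls:
        claimed *= ipl.claimed_pfd
        overlap = ipl.sensors & used
        used |= ipl.sensors
        if overlap:  # shares an instrument with the cause or an earlier layer
            findings.append((ipl.name, "not independent: " + ", ".join(sorted(overlap))))
            continue  # credit withdrawn, frequency is not reduced
        pfd = effective_pfd(ipl)
        if pfd > ipl.claimed_pfd:
            findings.append((ipl.name, f"PFD {ipl.claimed_pfd:g} -> {pfd:.3g}"))
        actual *= pfd
    return claimed, actual, findings

def demo():
    # Constructed scenario: level control loop on LT-101 fails, 0.1 per year.
    ipls = [
        IPL("High level alarm", 0.1, 12, 12, 0.0, frozenset({"LT-101"})),
        IPL("High-high level trip", 0.01, 12, 24, 0.25, frozenset({"LT-102"})),
        IPL("Relief valve", 0.01, 48, 48, 0.0),
    ]
    return revalidate(0.1, {"LT-101"}, ipls)

if __name__ == "__main__":
    claimed, actual, findings = demo()
    print(f"claimed {claimed:.2e}/yr, re-checked {actual:.2e}/yr")
    for name, why in findings:
        print(f"  {name}: {why}")
```

In this constructed case the scenario text is unchanged, yet the mitigated frequency moves by more than two orders of magnitude once the shared transmitter, the slipped test interval and the bypass time are counted.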

Re-check the enabling conditions and conditional modifiers

Occupancy, ignition probability, time at risk — these were estimates, and operations changes them. A unit that moved from a manned to a minimally-manned philosophy has a different occupancy factor, which changes the tolerable frequency, which can change the SIL. That is a real result, not a paperwork update.

Close the loop with incidents and MoC

The two richest inputs to a revalidation are the incident log and the change history since the last study. Every near-miss is a hypothesis about a scenario you may have under-rated. Every MoC is a candidate change to a safeguard. If the revalidation does not explicitly walk both, it is not a revalidation — it is a re-issue.

A simple test

Before signing a revalidation, I ask the team one question: which numbers in this study would we no longer be willing to defend in front of a regulator? If the answer is “none,” either nothing changed in five years — rare — or we have not looked hard enough.

A revalidation that produces zero changes is not a clean bill of health. It is usually a sign the assumptions were never re-tested.

The point of the exercise is not to redo the work. It is to find the handful of places where the plant has moved and the risk picture has not caught up.