Safety & Relief

LOPA & SIL — Functional Safety Fundamentals

How Layer of Protection Analysis quantifies risk reduction and how Safety Integrity Level verification proves a safety instrumented function meets its target under IEC 61511 / IEC 61508.

1. Layers of Protection

Process safety uses defence in depth: a hazard scenario is met by successive independent protection layers (IPLs) — process design, the basic process control system (BPCS), alarms with operator response, the safety instrumented system (SIS), relief devices, and physical containment/mitigation. LOPA (Layer of Protection Analysis) is the semi-quantitative method, defined by CCPS, that checks whether the credited layers reduce a scenario's risk to a tolerable level — and, if not, how much additional risk reduction the SIS must provide. That required reduction becomes the SIL target for the safety instrumented function (SIF).

2. LOPA Arithmetic

For one cause-consequence pair, the mitigated event frequency is the initiating-cause frequency multiplied by the probability of failure on demand of every independent layer that can stop that scenario:

f_mitigated = f_initiating × ∏ PFD_IPL,i × (enabling/conditional modifiers)

This is compared to the owner's tolerable frequency for that consequence severity. If fmitigated is still too high, the gap is closed by a SIF whose required PFDavg = tolerable frequency ÷ (residual frequency without the SIF). The reciprocal of that PFD is the required risk reduction factor (RRF), which maps to a SIL.

3. What Qualifies as an IPL

CCPS requires every credited IPL to be independent of the initiating cause and of the other layers, specific (capable of detecting and acting on the scenario), dependable (its claimed PFD is justified), and auditable. A BPCS control loop and a SIF that share the same sensor or final element are not independent and cannot both be credited. Typical credited PFDs: a well-engineered BPCS loop ~1×10⁻¹ (≤ one credit per IEC 61511), a relief valve ~1×10⁻², an operator response to an independent alarm ~1×10⁻¹ (with adequate time).

4. SIL Bands & Risk Reduction Factor

IEC 61508/61511 define SIL by the average probability of failure on demand for low-demand mode (demand ≤ once/year, the normal process case):

SIL   PFDavg (low demand)    Risk reduction factor (RRF = 1/PFD)
1     ≥ 10⁻² to < 10⁻¹        10 – 100
2     ≥ 10⁻³ to < 10⁻²        100 – 1,000
3     ≥ 10⁻⁴ to < 10⁻³        1,000 – 10,000
4     ≥ 10⁻⁵ to < 10⁻⁴        10,000 – 100,000

SIL 4 is rarely used in the process sector; IEC 61511 effectively expects a SIL 4 requirement to be designed out of the process rather than met by a SIS. Note the inequality direction — a smaller PFD is a higher SIL.
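The following worked example is added here and is not code from the original page, CCPS or the IEC standards; it carries the LOPA arithmetic of section 2, the independence rule of section 3 and the SIL bands of this section through in Python for one constructed cause-consequence pair. All frequencies, PFDs and equipment tags (PT-101, PSV-101 and so on) are invented for illustration, and `sil_for_pfd`, `credit_independent` and `evaluate` are this example's own names, not standard terminology.

```python
from dataclasses import dataclass
from math import prod

# SIL bands for low-demand mode as tabulated above (lower bound inclusive,
# upper bound exclusive). Added example code, not text from the page or a standard.
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_for_pfd(required_pfd):
    """Return the SIL whose band contains the required PFDavg.

    A required PFD of 0.1 or more needs no SIL claim (RRF < 10). A required
    PFD below 1e-5 falls outside SIL 4 and means the hazard must be designed
    out of the process rather than handled by a SIS.
    """
    if required_pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= required_pfd < hi:
            return sil
    raise ValueError(f"required PFD {required_pfd:.1e} is below the SIL 4 band: design the hazard out")


@dataclass(frozen=True)
class IPL:
    name: str
    pfd: float             # credited PFD of this layer
    components: frozenset  # tags of sensors / logic / final elements the layer depends on


@dataclass
class Scenario:
    name: str
    initiating_frequency: float        # initiating-cause frequency, events per year
    initiating_components: frozenset   # equipment whose failure is the initiating cause
    tolerable_frequency: float         # owner's tolerable frequency for this consequence severity
    ipls: tuple
    modifiers: float = 1.0             # product of enabling conditions / conditional modifiers


def credit_independent(scenario):
    """CCPS independence rule: a layer that shares any component with the initiating
    cause, or with a layer already credited, gets no credit. Layers are taken in the
    order given, so list the layer you most want to credit first."""
    credited, used = [], set(scenario.initiating_components)
    for ipl in scenario.ipls:
        if ipl.components & used:
            continue  # shared sensor / final element: not independent
        credited.append(ipl)
        used |= ipl.components
    return credited


def evaluate(scenario):
    """LOPA arithmetic: residual frequency with the credited IPLs, then the SIF gap."""
    credited = credit_independent(scenario)
    residual = (scenario.initiating_frequency * scenario.modifiers
                * prod(ipl.pfd for ipl in credited))
    result = {"credited": [ipl.name for ipl in credited],
              "residual_frequency": residual,
              "sif_required": residual > scenario.tolerable_frequency}
    if result["sif_required"]:
        # required PFDavg = tolerable frequency / residual frequency without the SIF
        required_pfd = scenario.tolerable_frequency / residual
        result.update(required_pfd=required_pfd, rrf=1 / required_pfd,
                      sil=sil_for_pfd(required_pfd))
    return result


# Constructed scenario (illustrative numbers, not from any plant): vessel overpressure
# caused by failure of pressure transmitter PT-101 in BPCS control loop PC-101.
OVERPRESSURE = Scenario(
    name="Vessel V-101 overpressure on PT-101 failure",
    initiating_frequency=0.1,                 # per year
    initiating_components=frozenset({"PT-101"}),
    tolerable_frequency=1e-7,                 # per year, for the assumed consequence severity
    modifiers=0.5,                            # constructed conditional modifier
    ipls=(
        IPL("Relief valve PSV-101", 1e-2, frozenset({"PSV-101"})),
        IPL("Operator response to independent high-pressure alarm", 1e-1,
            frozenset({"PT-102", "operator"})),
        IPL("BPCS loop PC-101", 1e-1, frozenset({"PT-101", "PCV-101"})),  # shares PT-101
    ),
)

if __name__ == "__main__":
    for key, value in evaluate(OVERPRESSURE).items():
        print(f"{key}: {value}")
```

The BPCS loop is dropped because its transmitter is the initiating cause, so only the relief valve and the operator response are credited: residual frequency 0.1 × 0.5 × 10⁻² × 10⁻¹ = 5 × 10⁻⁵ per year against a tolerable 10⁻⁷, leaving a SIF requirement of PFDavg 2 × 10⁻³ (RRF 500), which lands in the SIL 2 band.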

5. PFDavg & Proof Testing

For a simple non-redundant (1oo1) subsystem dominated by undetected dangerous failures, the average probability of failure on demand over a proof-test interval TI is approximately:

PFDavg ≈ λDU · TI / 2

where λDU is the dangerous-undetected failure rate. The whole SIF PFD is the sum of sensor, logic-solver and final-element subsystem PFDs (the final element usually dominates). Two levers improve PFD: shorter proof-test interval and redundancy (e.g. 1oo2 voting), the latter limited by common-cause failure (the β-factor). Because PFD scales with TI, the proof-test interval is a safety-critical assumption, not an operations convenience.
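The example below is added here and is not code from the page, the standards or any vendor tool; it applies the 1oo1 approximation above, a simplified 1oo2 expression with a β-factor common-cause term (the IEC 61508-6 form with repair-time terms neglected), and the subsystem sum, then compares three designs against an assumed LOPA-derived target. The failure rates, the 10 % β and the 2 × 10⁻³ target are constructed for illustration, and `pfd_1oo1`, `pfd_1oo2`, `sil_band` and `verify_sif` are this example's own names.

```python
# Added example. Failure rates are per hour; proof-test intervals are in hours.
HOURS_PER_YEAR = 8760


def pfd_1oo1(lambda_du, ti):
    """Single channel: PFDavg ≈ λDU · TI / 2 (the approximation in the text)."""
    return lambda_du * ti / 2


def pfd_1oo2(lambda_du, ti, beta):
    """Two channels, either one trips (1oo2), with a β-factor common-cause term.
    Simplified IEC 61508-6 form with repair-time terms neglected:
    independent part ((1-β)·λDU·TI)² / 3, common-cause part β·λDU·TI / 2."""
    independent = ((1 - beta) * lambda_du * ti) ** 2 / 3
    common_cause = beta * lambda_du * ti / 2
    return independent + common_cause


def sil_band(pfd):
    """Numerical low-demand SIL band: count the decade thresholds the PFD sits below.
    Values below 1e-5 still report 4 here; architectural constraints (section 6)
    may further limit the claimable SIL."""
    return sum(pfd < threshold for threshold in (1e-1, 1e-2, 1e-3, 1e-4))


def verify_sif(subsystems, target_pfd):
    """Sum subsystem PFDs into the SIF PFDavg and compare with the LOPA target."""
    total = sum(subsystems.values())
    return {
        "pfd_avg": total,
        "rrf": 1 / total,
        "sil_band": sil_band(total),
        "meets_target": total <= target_pfd,
        "dominant_subsystem": max(subsystems, key=subsystems.get),
    }


# Constructed dangerous-undetected failure rates per hour (illustrative, not certificate data).
LAMBDA_DU = {"sensor": 1e-7, "logic_solver": 1e-8, "final_element": 1e-6}
TARGET_PFD = 2e-3  # assumed LOPA-derived requirement for this SIF (RRF 500, SIL 2 band)


def design_1oo1(ti=HOURS_PER_YEAR):
    """Every subsystem single-channel, proof tested at interval ti."""
    return {name: pfd_1oo1(rate, ti) for name, rate in LAMBDA_DU.items()}


def design_1oo2_valves(ti=HOURS_PER_YEAR, beta=0.1):
    """As design_1oo1, but with redundant final elements (1oo2, β = 10 %)."""
    design = design_1oo1(ti)
    design["final_element"] = pfd_1oo2(LAMBDA_DU["final_element"], ti, beta)
    return design


if __name__ == "__main__":
    for label, design in (("1oo1, annual proof test", design_1oo1()),
                          ("1oo1, six-monthly proof test", design_1oo1(HOURS_PER_YEAR / 2)),
                          ("1oo2 valves, annual proof test", design_1oo2_valves())):
        print(label, verify_sif(design, TARGET_PFD))
```

With these inputs the all-1oo1 design gives PFDavg ≈ 4.9 × 10⁻³: inside the SIL 2 band, yet short of the 2 × 10⁻³ target, with the valve contributing 90 % of it. Halving the proof-test interval halves the PFD (≈ 2.4 × 10⁻³) and still misses. Redundant valves bring the total to ≈ 9.4 × 10⁻⁴, and the valve subsystem's common-cause term (4.4 × 10⁻⁴) is then twenty times its independent term, which is the β-factor limit on redundancy the text describes.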

6. Architectural Constraints

Meeting the PFD target numerically is necessary but not sufficient. IEC 61508/61511 also impose architectural constraints — a minimum hardware fault tolerance (HFT) tied to the safe-failure-fraction (SFF) or to the device's route 2H proven-in-use/reliability data — and systematic-capability requirements on the design process. A device can be excluded from a given SIL by these constraints even if its computed PFD looks adequate.

7. References

  • IEC 61511 (Parts 1–3) — Functional safety: Safety instrumented systems for the process industry sector.
  • IEC 61508 (Parts 1–7) — Functional safety of E/E/PE safety-related systems (base standard; SIL tables, SFF/HFT).
  • ANSI/ISA-84.00.01 — US adoption of IEC 61511.
  • CCPS — Layer of Protection Analysis: Simplified Process Risk Assessment (2001); Guidelines for Initiating Events and Independent Protection Layers (2015).

Frequently Asked Questions

What is the relationship between PFDavg and the risk reduction factor (RRF)?

The risk reduction factor is the reciprocal of the average probability of failure on demand: RRF = 1/PFDavg. A SIF with a PFDavg of 1×10⁻³ provides an RRF of 1,000.

How are SIL bands defined for low-demand mode in IEC 61511?

For low-demand mode, IEC 61508/61511 define SIL 1 as PFDavg ≥ 10⁻² to < 10⁻¹ (RRF 10–100), SIL 2 as ≥ 10⁻³ to < 10⁻² (RRF 100–1,000), SIL 3 as ≥ 10⁻⁴ to < 10⁻³ (RRF 1,000–10,000), and SIL 4 as ≥ 10⁻⁵ to < 10⁻⁴ (RRF 10,000–100,000). A smaller PFD is a higher SIL.

How is the mitigated event frequency calculated in LOPA?

In LOPA the mitigated event frequency is the initiating-cause frequency multiplied by the probability of failure on demand of every independent protection layer that can stop the scenario: f_mitigated = f_initiating × ∏ PFD_IPL,i × (enabling/conditional modifiers).

What qualifies as an independent protection layer (IPL)?

CCPS requires every credited IPL to be independent of the initiating cause and the other layers, specific to the scenario, dependable (its claimed PFD is justified), and auditable. A BPCS loop and a SIF sharing a sensor or final element are not independent and cannot both be credited.

Why does the proof-test interval matter for SIF reliability?

For a 1oo1 subsystem dominated by undetected dangerous failures, PFDavg ≈ λDU · TI / 2. Because PFD scales with the proof-test interval TI, the interval is a safety-critical design assumption, not an operations convenience.