LOPA + FTA — closing the loop on SIS verification
Process-industry safety cases use two complementary techniques in series: LOPA (Layer of Protection Analysis) determines what Safety Integrity Level a Safety Instrumented Function must achieve, and FTA verifies that the as-designed function actually achieves it. Skipping either half leaves a gap. LOPA without FTA gives you a SIL target with no proof you've met it. FTA without LOPA gives you a number with no defended target to compare against. The SIS verification loop closes only when both are run, on the same hazard, with the same data sources, and the FTA's PFD comes out at or below LOPA's target. This guide walks the mechanics on a worked pressure-vessel SIF end-to-end.
Why LOPA and FTA are not the same calculation
It is a perennial source of confusion in process-safety teams that LOPA and FTA both produce probabilities and both involve protection layers. They are not duplicating each other. The two techniques live at different points in the IEC 61511 lifecycle and answer different questions:
- LOPA asks "how much risk reduction does this hazard need?" Inputs: the initiating-event frequency, the existing Independent Protection Layers (IPLs) and their PFDs, the tolerable consequence frequency. Output: a target PFD for any new SIF — equivalent to a SIL band — that closes the gap. LOPA sets the SIL.
- FTA asks "does this specific SIF design meet its PFD target?" Inputs: the SIF's sensor / logic solver / final element architecture, with per-component reliability data and proof-test intervals. Output: the SIF's actual PFD, derived bottom-up from component data. FTA verifies the SIL.
The structural relationship: LOPA produces a number the SIF must clear; FTA produces the number the SIF actually achieves. They share data sources (the same component reliability sheets, the same proof-test programme) but they don't share the equations. Treating them as the same analysis is the most common cause of safety cases that pass internal review and fail the operating company's own corporate-engineering audit, where someone spots that the LOPA target was 10⁻³ and the FTA-claimed PFD was 10⁻³ — a coincidence too clean to be the output of two independent calculations.
Step 1: LOPA mechanics — from initiating event to SIL target
LOPA is structurally a single-path event tree with simplifying assumptions. Take a hazard, follow the path from initiating event to consequence through every protection layer that's in place, multiply the per-layer PFDs, and compare the resulting consequence frequency to the corporate tolerable frequency. The gap (if any) is the work the new SIF has to do.
The arithmetic on a single hazard scenario:
f_consequence = f_IE × PFD_IPL,1 × PFD_IPL,2 × … × PFD_IPL,n × PFD_SIF
Solve for PFD_SIF by setting f_consequence to the corporate tolerable level (typically derived from a corporate risk matrix, with values like 10⁻⁴/year for a single fatality, 10⁻⁶/year for multiple, 10⁻⁵/year for environmental release):
PFD_SIF = f_tolerable / (f_IE × Π PFD_IPL,i)
The SIL band is then read from IEC 61511 Table 4 (low-demand mode):
| SIL | PFDavg band | Risk Reduction Factor (RRF) |
|---|---|---|
| SIL 4 | 10⁻⁵ ≤ PFD < 10⁻⁴ | 10,000–100,000 |
| SIL 3 | 10⁻⁴ ≤ PFD < 10⁻³ | 1,000–10,000 |
| SIL 2 | 10⁻³ ≤ PFD < 10⁻² | 100–1,000 |
| SIL 1 | 10⁻² ≤ PFD < 10⁻¹ | 10–100 |
The structural rule LOPA imposes on its inputs is the independence of every IPL. An IPL has to be (a) capable of preventing the consequence on its own, (b) auditable (testable, maintainable), and (c) independent of the initiating event and of the other IPLs. CCPS' "Layer of Protection Analysis" book §3.4 lists the criteria; the standard auditor question is "show me the diversity argument that makes IPL 2 independent of IPL 1". Failure to defend independence collapses the LOPA — the PFDs stop multiplying and start co-correlating, and the credit for the dependent IPL is lost.
Three practical patterns in LOPA spreadsheets:
- Cap PFDs at 0.1 (RRF 10) per IPL. Standards-driven convention; no LOPA spreadsheet should claim a single IPL providing more than one order of magnitude of reduction. Beyond that the IPL is essentially a SIF in disguise and should be classified as one.
- Operator-response credit is heavily constrained. Operator action as an IPL is allowed only if the response window is > 30 minutes after a clear alarm with a defined procedure — typical PFD claim 0.1 (no better) per CCPS guidance.
- BPCS (basic process control) and SIS cannot share components. If the BPCS that's claimed as an IPL shares any sensor, logic solver, or valve with the SIF the IPL credit is voided. IEC 61511 §11.2.3 forbids this; LOPAs that include a BPCS-loop credit and then design a SIF reusing the BPCS sensors are the most common operational pitfall.
Step 2: Worked LOPA — pressure-vessel high-pressure hazard
Process scenario, drawn from the FTA Studio process-pressure-vessel template: a continuously fed chemical reactor whose pressure can rise above design limit if the feed control valve fails open. Pressure-vessel rupture produces a fragment hazard plus toxic-vapour release in a unit with regular operator presence. Hazard classification per the operator's corporate risk matrix: multi-fatality, environmental release; tolerable consequence frequency 10⁻⁶ /year.
The protection layers in place before the SIF
| Layer | Description | PFD | Source |
|---|---|---|---|
| Initiating event | Feed control valve fails open (sticks fully open or output stuck high) | f_IE = 1.0 /year | OREDA 2015 valve failure database |
| IPL-1 — BPCS | Independent BPCS pressure-control loop: separate transmitter, separate analog output, isolation valve mounted upstream | 0.1 | IEC 61511 §11.2.4 BPCS credit cap |
| IPL-2 — PRV | Pressure relief valve sized per API 521, single-spring, lifted & tested annually | 0.01 | CCPS LOPA Table 6.1 row 6 |
| (Operator response) | Considered but not credited — no clear standard operating procedure for high-pressure transient, response window < 5 minutes from alarm to consequence | — | CCPS §6.6 minimum-response-window rule |
Combined residual frequency without the SIF, using f_consequence = f_IE × Π PFD_IPL:
f_residual = 1.0 × 0.1 × 0.01 = 1.0 × 10⁻³ /year
10⁻³/year vs the corporate tolerable of 10⁻⁶/year. The gap is three orders of magnitude — the SIF has to deliver an additional 10⁻³ reduction to close it.
The SIL gap — LOPA's output
PFD_SIF target = f_tolerable / f_residual
= 10⁻⁶ / 10⁻³
= 10⁻³ → SIL 3 (band 10⁻⁴ ≤ PFD < 10⁻³)
The SIF must achieve PFD ≤ 10⁻³ — at the upper boundary of SIL 3. The corresponding Risk Reduction Factor is 1000. This is what the LOPA spreadsheet hands to the SIS designer as the contractual Safety Requirements Specification entry: "SIF-101 shall achieve PFDavg ≤ 10⁻³ in low-demand mode, SIL 3 development per IEC 61511 / IEC 61508".
Three practical observations from the worked LOPA that are worth pulling out before moving to the FTA verification:
- The PRV alone gives most of the reduction. 10⁻² of the 10⁻³ residual reduction comes from the PRV. If the PRV is degraded or out for maintenance, the residual frequency jumps from 10⁻³ to 10⁻¹/year — and the SIF would need to be SIL 5 (which doesn't exist) to close the new gap. Out-of-service PRVs are why operating procedures restrict campaign runs during PRV maintenance.
- The BPCS credit is contingent on physical separation from the SIF. If the SIF designed in Step 3 reuses the BPCS pressure transmitter or shares the same DCS hardware, IEC 61511 §11.2.3 voids the BPCS IPL credit — and the gap re-opens. The LOPA implicitly constrains the SIF architecture: separate transmitter, separate logic solver, separate final element. The SIF Bill of Materials has to honour the LOPA's IPL-independence assumptions.
- Operator response was credited at zero. The "no clear SOP, <5-minute response window" justification means the operator is not a layer in this LOPA. Some plant teams routinely claim 0.1 PFD for operator response without checking the CCPS minimum-window rule. A late-stage audit catching this voids the IPL and re-opens the gap by 10×; the SIF is then under-designed by an order of magnitude.
Step 3 takes PFD_SIF target = 10⁻³ and shows what the FTA verification looks like for a candidate two-channel SIS architecture. The point of the FTA is to confirm — bottom-up from component data and proof-test programme — that the SIF actually clears the LOPA's target. Spoiler: the obvious 1oo1 architecture doesn't.
Step 3: SIF FTA — verifying the LOPA target with bottom-up data
Standard process-industry SIF architecture is sensor → logic solver → final element, three subsystems in series. Failure of any one subsystem fails the SIF on demand, so the top event decomposes as a three-input OR:
```
             SIF fails on demand
                      │
                     (OR)
          ┌───────────┼───────────┐
          │           │           │
         PT          PLC         XV
      pressure     safety       trip
     transmitter     PLC        valve
```
For each subsystem, IEC 61511 §11.9 / IEC 61508 partitions the failure rate into λ_DD (dangerous detected, by an internal diagnostic), λ_DU (dangerous undetected), and the safe-direction equivalents. Only λ_DU drives PFD, because λ_DD faults are caught and produce a safe-state trip before the demand. The standard low-demand-mode formula for a single (1oo1) element with proof-test interval T_proof:
PFDavg(1oo1) ≈ λ_DU · T_proof / 2
SIL-rated component data (typical from exida / Sintef OREDA / vendor SILcert reports) for SIL 3 development:
| Subsystem | Component | λ_DU /h | Source |
|---|---|---|---|
| Pressure transmitter (PT) | Rosemount 3051S SIL 2 certified | 1×10⁻⁷ | exida FMEDA report |
| Logic solver (PLC) | Triconex / HIMA SIL 3 certified (internally TMR) | 5×10⁻⁸ | Vendor IEC 61508 cert |
| Final element (XV) | Emerson / Fisher fail-close ESD valve, single body | 5×10⁻⁷ | OREDA 2015 + vendor PFD report |
First architecture — 1oo1 everywhere (the obvious starting point)
With T_proof = 1 year (8760 h, typical plant turnaround interval):
PFD_PT(1oo1) = 1×10⁻⁷ × 8760 / 2 = 4.38×10⁻⁴
PFD_PLC(1oo1) = 5×10⁻⁸ × 8760 / 2 = 2.19×10⁻⁴
PFD_XV(1oo1) = 5×10⁻⁷ × 8760 / 2 = 2.19×10⁻³
PFD_SIF(1oo1) = 4.38×10⁻⁴ + 2.19×10⁻⁴ + 2.19×10⁻³ = 2.85×10⁻³
2.85×10⁻³ vs the LOPA's 10⁻³ target. FAILS SIL 3 by a factor of 2.85. The valve dominates at 77% of the total — unsurprising for a single-body fail-close valve in a corrosive process service. Three credible architectural responses:
- Duplicate the dominant contributor. 1oo2 final elements (two valves in series, either suffices).
- Tighten the proof-test interval. PFD scales linearly with T_proof, so halving the interval halves the PFD. Six-monthly proof testing on the valve drops PFD_XV from 2.19×10⁻³ to 1.10×10⁻³ but adds plant-turnaround disruption.
- Use a higher-integrity valve. Twin-body redundant XV with internal cross-compare; vendor PFD reports half a decade or more lower.
Second architecture — 1oo2 final elements with β-factor
Take the duplicate-the-valve route. Two ESD valves in series, each closing on its own command. The 1oo2 PFD formula (IEC 61508-6 Annex B, with β-factor common cause):
PFDavg(1oo2) ≈ (1 − β) · (λ_DU · T_proof)² / 3 + β · λ_DU · T_proof / 2
With β = 0.05 (typical for separated valves on the same vendor's actuator package, defended via Article 5's β-factor analysis):
PFD_XV(1oo2) ≈ 0.95 × (5×10⁻⁷ × 8760)² / 3 + 0.05 × 5×10⁻⁷ × 8760 / 2
= 0.95 × (4.38×10⁻³)² / 3 + 0.05 × 2.19×10⁻³
= 6.07×10⁻⁶ + 1.09×10⁻⁴
= 1.15×10⁻⁴
The valve contribution drops from 2.19×10⁻³ to 1.15×10⁻⁴ — a 19× improvement. Critically, the β·λ·T/2 term (the common-cause contribution) is 1.09×10⁻⁴, dwarfing the (1−β)·(λT)²/3 independent-failures term at 6.07×10⁻⁶. β-factor dominates 1oo2 PFD whenever β is more than ~0.5%. Article 5's analysis of β is again the load-bearing artefact — defending β = 0.05 (rather than the textbook 0.10) is what makes the architecture work.
Combined SIF PFD with 1oo2 valves + 1oo1 PT + 1oo1 PLC:
PFD_SIF = 4.38×10⁻⁴ + 2.19×10⁻⁴ + 1.15×10⁻⁴ = 7.72×10⁻⁴
7.72×10⁻⁴ vs the 10⁻³ target. PASSES SIL 3 with 22% margin. The architecture is verified.
Side-by-side summary
| Architecture | PFD_SIF | vs LOPA target (10⁻³) | SIL achieved |
|---|---|---|---|
| 1oo1 PT + 1oo1 PLC + 1oo1 XV | 2.85×10⁻³ | 2.85× over — fail | SIL 2 |
| 1oo1 PT + 1oo1 PLC + 1oo2 XV (β = 0.05) | 7.72×10⁻⁴ | 0.77× — pass with 22% margin | SIL 3 |
| 1oo1 PT + 1oo1 PLC + 1oo2 XV (β = 0.10) | ~10⁻³ | 1.0× — at the boundary, fails margin | (SIL 2/3 boundary) |
| 1oo2 PT + 1oo1 PLC + 1oo2 XV (β = 0.05) | 3.56×10⁻⁴ | 0.36× — pass with 2.8× margin | SIL 3 |
Three things the table makes structural:
- The valve was the gating constraint. Once 1oo2 valves bring the dominant subsystem under control, the PT and PLC become the next-largest contributors. The order of optimisation matters; redundancy on the smallest contributor first wouldn't have closed the gap.
- β = 0.10 fails the SIL 3 margin even with 1oo2 architecture. The β·λ·T/2 term scales linearly with β; doubling β doubles the dominant contribution. SIL 3 SIFs that don't have a defended β-factor analysis are routinely audit-flagged for exactly this reason — assumed β = 0.10 is conservative but wipes out the margin.
- 1oo2 PT buys further headroom but isn't required to clear SIL 3. Whether to add it is a cost-vs-margin trade-off, not a compliance question. Plants that operate near the SIL boundary often accept the cost to keep margin against future degradation.
Operational nuances IEC 61511 reviewers focus on
The PFD formulas above are the textbook versions. Three operational subtleties move the answer in real safety cases and routinely surface in audit:
Proof-test coverage (PTC) is rarely 1.0 in the field
The standard formula PFD = λ_DU·T_proof/2 assumes the proof test catches every dangerous undetected fault — proof-test coverage PTC = 1.0. Vendor PFD reports usually publish under that assumption. In practice, field proof tests (run by plant operators on the installed system) often achieve PTC = 0.7–0.9; the residual 10–30% of faults persist beyond the proof test and accumulate over the design lifetime T_M. The IEC 61508-6 §B.3.2.5 formula with imperfect proof testing:
PFDavg ≈ PTC · λ_DU · T_proof / 2 + (1 − PTC) · λ_DU · T_M / 2
For our example with PTC = 0.9 and T_M = 25 years (typical plant design life):
PFD_XV(1oo1, PTC=0.9) ≈ 0.9 × 5×10⁻⁷ × 8760 / 2 + 0.1 × 5×10⁻⁷ × 219000 / 2
= 1.97×10⁻³ + 5.48×10⁻³ = 7.45×10⁻³
Compare to the textbook PFD_XV(1oo1) of 2.19×10⁻³ — imperfect proof testing inflates the answer by 3.4×, putting the SIF a long way over the 10⁻³ target even with 1oo2 architecture. Reviewers ask: "what is your actual proof-test procedure, and what fraction of failure modes does it cover?". The right answer cites a documented Proof Test Procedure with explicit failure-mode-by-failure-mode coverage, not a generic claim.
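As an added worked example (not code from the article, FTA Studio or any vendor tool), the following reproduces the Step 2 LOPA target, the Step 3 bottom-up PFDs for the three architectures and the imperfect-proof-test correction just shown, using only the Annex B forms quoted above; the λ_DU values and subsystem names (PT, PLC, XV) are the ones in the component table, and the SIL banding follows the Table 4 rows as tabulated, upper bound exclusive.

```python
"""SIF-101 worked numbers: LOPA target, bottom-up FTA PFD and imperfect-proof-test correction."""
H_PER_YEAR = 8760.0
LAM_DU = {"PT": 1e-7, "PLC": 5e-8, "XV": 5e-7}   # article's component table, lambda_DU per hour

def lopa_sif_target(f_ie, ipl_pfds, f_tolerable):
    """PFD the new SIF must clear: f_tolerable / (f_IE x product of the IPL PFDs)."""
    residual = f_ie
    for pfd in ipl_pfds:
        residual *= pfd
    return f_tolerable / residual

def sil_achieved(pfd):
    """IEC 61511 Table 4 low-demand bands as tabulated above (upper bound exclusive); 0 = below SIL 1."""
    for sil, lo in ((4, 1e-5), (3, 1e-4), (2, 1e-3), (1, 1e-2)):
        if lo <= pfd < 10 * lo:
            return sil
    return 0

def pfd_1oo1(lam_du, t_proof_h):
    """Single element, perfect proof test: lambda_DU * T_proof / 2."""
    return lam_du * t_proof_h / 2

def pfd_1oo2(lam_du, t_proof_h, beta):
    """Two identical elements, either suffices, beta-factor common cause (Annex B form)."""
    lt = lam_du * t_proof_h
    return (1 - beta) * lt ** 2 / 3 + beta * lt / 2

def pfd_1oo1_imperfect(lam_du, t_proof_h, ptc, t_mission_h):
    """Uncovered fraction (1 - PTC) of DU faults persists until the mission time T_M."""
    return ptc * lam_du * t_proof_h / 2 + (1 - ptc) * lam_du * t_mission_h / 2

def sif_pfd(arch, t_proof_h=H_PER_YEAR, beta=0.05):
    """Sensor, logic solver and final element in series (OR gate): subsystem PFDs add."""
    total = 0.0
    for sub, vote in arch.items():      # arch maps subsystem -> "1oo1" or "1oo2"
        if vote == "1oo1":
            total += pfd_1oo1(LAM_DU[sub], t_proof_h)
        elif vote == "1oo2":
            total += pfd_1oo2(LAM_DU[sub], t_proof_h, beta)
        else:
            raise ValueError(f"unsupported voting {vote!r} for {sub}")
    return total

if __name__ == "__main__":
    target = lopa_sif_target(1.0, [0.1, 0.01], 1e-6)   # 1e-3: the Step 2 SRS entry
    for name, arch in [("1oo1 PT/PLC/XV", dict(PT="1oo1", PLC="1oo1", XV="1oo1")),
                       ("1oo2 XV", dict(PT="1oo1", PLC="1oo1", XV="1oo2")),
                       ("1oo2 PT + 1oo2 XV", dict(PT="1oo2", PLC="1oo1", XV="1oo2"))]:
        pfd = sif_pfd(arch)
        print(f"{name:18s} PFD={pfd:.2e}  SIL {sil_achieved(pfd)}  "
              f"{'pass' if pfd <= target else 'FAIL'}  margin={1 - pfd / target:+.0%}")
    # Field proof test on the single valve: PTC 0.9, 25-year mission time.
    xv_field = pfd_1oo1_imperfect(LAM_DU["XV"], H_PER_YEAR, 0.9, 25 * H_PER_YEAR)
    print(f"XV 1oo1 at PTC 0.9: {xv_field:.2e} ({xv_field / pfd_1oo1(LAM_DU['XV'], H_PER_YEAR):.1f}x textbook)")
```

Changing `beta` to 0.10 or `t_proof_h` to six months in `sif_pfd` reproduces the sensitivity arguments made in the text without re-doing the arithmetic by hand.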
Demand mode matters for the formula choice
IEC 61511 distinguishes low-demand mode (demand frequency < 1/year and ≤ twice the proof-test frequency) from high-demand / continuous mode. SIFs in low-demand mode use the PFDavg formulas above. High-demand SIFs use a per-hour failure rate (PFH) target instead, and the PFD/PFH translation is not straightforward. A SIF designed against PFD that's actually operating in high-demand mode is over- or under-conservative by an unknown factor. The classification is a Step-1 LOPA input that has to be defended.
Architectural constraints (SFF + HFT) — separate from PFD
IEC 61508 §7.4.4 / 61511 §11.4 imposes architectural-constraint requirements in addition to the PFD target. Each subsystem must meet a Hardware Fault Tolerance (HFT) and Safe Failure Fraction (SFF) requirement based on its claimed SIL — a SIL 3 sensor needs HFT ≥ 1 and SFF ≥ 90% (or HFT ≥ 0 with SFF ≥ 99%, per Route 1H) regardless of how good its PFD looks. A SIF that passes PFD verification can still fail the architectural-constraint check. Article 7's PMHF / SPFM / LFM math is the automotive-side equivalent of the same idea: PFD/PMHF is necessary but not sufficient.
Five pitfalls a SIS auditor will catch
- BPCS-as-IPL credit while the SIF reuses BPCS components. The single most common operational pitfall. LOPA gives the BPCS a 0.1 PFD credit; the SIF designer reuses the BPCS pressure transmitter to save a wired sensor; the BPCS IPL credit is now void per IEC 61511 §11.2.3 and the LOPA gap re-opens. Caught by tracing the SIF Bill of Materials back to the LOPA's IPL list.
- Vendor PFD report swallowed without context check. Vendor SILcert reports state PFD assuming specific Tproof, PTC = 1.0, and ambient operating conditions. The plant operates at 80 °C with 70% relative humidity and proof-tests every 18 months. Field PFD is then 2–4× the vendor figure. Reviewers ask for the application-specific PFD adjustment.
- β-factor assumed conservatively at 0.10 instead of being scored. Conservatism eats the SIL 3 margin (cf. Step 3 table). Scoring β properly via IEC 61508-6 Annex D usually yields 0.02–0.05 with defended evidence — the difference between a SIF that passes and one that doesn't. Article 5's β-factor scoring sheet is the artefact.
- Architectural constraints (SFF/HFT) ignored. SIFs that pass PFD by virtue of redundancy (1oo2 final elements) sometimes have insufficient SFF on the individual valves to claim SIL 3 by Route 1H. The architectural-constraint check is a separate audit item. A SIF that passes PFD but fails SFF/HFT requires either Route 2H with proven-in-use evidence or a different valve choice.
- Demand-mode classification wrong. A SIF placed in low-demand mode for the LOPA but actually called several times per shift is operating in high-demand mode; PFDavg isn't the right metric. Caught by comparing the LOPA's f_IE against twice the proof-test frequency. SIFs at the boundary often need formal reclassification mid-lifecycle.
Where to go next
- Build the SIF FTA. Open FTA Studio — the process_pressure_vessel_rupture template ships as one of the eight industry trees. Adjust the basic events to your specific SIF architecture and proof-test programme.
- For β-factor scoring, Article 5 covers the IEC 61508-6 Annex D scoring sheet that IEC 61511 inherits. Scoring β properly is what makes the SIL 3 margin work.
- For the cross-domain comparison, Article 6 (automotive) and Article 9 (rail) cover the equivalent regulatory frameworks for top-tier integrity claims. The structural patterns repeat with vocabulary variations.
- For PFD calculation, our browser-only lambda-to-PFD calculator implements the IEC 61508-6 Annex B formulas (1oo1, 1oo2, 2oo3) with PTC and β as parameters.