Introduction
Safety Integrity Level (SIL) determination is the process of establishing how much risk reduction a Safety Instrumented Function (SIF) must deliver to bring residual risk to an acceptable level. Get it right, and the Safety Instrumented System (SIS) is sized appropriately — not over-engineered, not under-specified. Get it wrong in either direction and the consequences range from unnecessary cost to genuine safety failure.
Layer of Protection Analysis (LOPA) is the semi-quantitative method most widely used for SIL determination in the oil and gas industry. This article explains the methodology and highlights the practical issues process engineers most often run into when applying it for the first time.
Definitions
Safety Instrumented System (SIS): The combination of sensors, logic solvers, and final elements (typically valves) that implement the safety function. It is independent of the Basic Process Control System (BPCS).
Safety Instrumented Function (SIF): A specific safety function implemented by the SIS. An SIS may implement multiple SIFs. For example, high-pressure shutdown on a separator is one SIF; high-high level trip is another.
Safety Integrity Level (SIL): A discrete level (SIL 1, 2, 3, or 4) specifying the required probability of failure on demand (PFD) for a SIF. In oil and gas:
| SIL | Probability of Failure on Demand (PFD) |
|---|---|
| SIL 1 | 0.1 to 0.01 (1 in 10 to 1 in 100 demands) |
| SIL 2 | 0.01 to 0.001 (1 in 100 to 1 in 1,000) |
| SIL 3 | 0.001 to 0.0001 (1 in 1,000 to 1 in 10,000) |
SIL 4 is theoretically defined but rarely applied in the process industry.
The LOPA Methodology
LOPA works backwards from a tolerable consequence to determine how much risk reduction the SIS must provide. The steps are:
Step 1 — Define the Consequence
State the consequence scenario clearly: High pressure in separator V-101 leading to vessel rupture and hydrocarbon release, potential ignition, fatality. This must be a specific, credible worst-case outcome for the hazardous scenario.
Step 2 — Select a Tolerable Frequency
Most companies specify a maximum tolerable frequency for a fatality event — typically in the range of 1×10⁻⁴ to 1×10⁻⁵ per year (i.e., one in 10,000 to one in 100,000 years). This is the company risk tolerance criterion and should be established in the project risk matrix before LOPA begins.
Step 3 — Identify the Initiating Event and Its Frequency
The initiating event is the process deviation that, if not interrupted by a protection layer, leads to the consequence. Common initiating events and generic industry frequencies:
| Initiating Event | Typical Frequency (per year) |
|---|---|
| Control valve failure (stuck open/closed) | 0.1 – 1 |
| Regulator failure | 0.01 – 0.1 |
| Human error (operator action) | 0.1 – 1 per opportunity |
| External pipe rupture | 0.0001 – 0.001 |
| Loss of cooling utility | 0.1 |
| Pump seal failure | 0.01 – 0.1 |
Industry databases (OREDA, CCPS) provide guidance on initiating event frequencies. Using the correct frequency for the specific failure mode — not a generic "equipment failure" — is important for accuracy.
Step 4 — Identify Independent Protection Layers (IPLs)
An Independent Protection Layer is a safeguard that:
- Is independent of the initiating event and of other IPLs
- Is capable of preventing the consequence if it functions correctly
- Is auditable — its performance can be tested and verified
Common IPLs and their Probability of Failure on Demand:
| IPL | Typical PFD |
|---|---|
| BPCS control loop (preventing deviation) | 0.1 |
| BPCS high alarm + operator action (>10 min response time) | 0.1 |
| BPCS high alarm + operator action (<10 min response time) | 0.01 |
| Pressure Relief Valve (in correct service, maintained) | 0.01 – 0.1 |
| Rupture disc | 0.01 – 0.1 |
| Dike / bund (for liquid containment) | 0.01 |
Step 5 — Calculate the Mitigated Event Frequency
Multiply the initiating event frequency by the PFD of all independent protection layers:
Mitigated Frequency = IE Frequency × PFD(IPL1) × PFD(IPL2) × ... × PFD(IPLn)
Step 6 — Compare to Tolerable Frequency and Determine Required Risk Reduction
The required risk reduction from the SIS is:
Required PFD(SIS) = Tolerable Frequency / Mitigated Frequency (excluding SIS)
The SIL is then read from the PFD table above.
Worked Example
Scenario: High pressure in a gas compression suction drum, initiating event is compressor surge leading to reverse flow and overpressure of the suction drum.
- Initiating event frequency: 0.1/year (compressor surge)
- Tolerable frequency (fatality): 1×10⁻⁴/year
- Existing IPLs:
  - Surge control system (BPCS): PFD = 0.1
  - High-pressure alarm + operator response (>10 min): PFD = 0.1
  - Pressure relief valve on suction drum: PFD = 0.01
Mitigated frequency (without SIS):
= 0.1 × 0.1 × 0.1 × 0.01 = 1×10⁻⁵/year
Required PFD from SIS:
= 1×10⁻⁴ / 1×10⁻⁵ = 10 (a required PFD greater than 1 means the mitigated frequency is already below the tolerable frequency)
In this case, the existing IPLs are already sufficient — no SIS is required. The LOPA has confirmed that the design is adequately protected.
Now suppose the PRV has a PFD of 0.1 (degraded service due to fouling):
Revised mitigated frequency:
= 0.1 × 0.1 × 0.1 × 0.1 = 1×10⁻⁴/year
This equals the tolerable frequency. Adding a SIS with PFD = 0.1 (SIL 1) would give:
Mitigated frequency = 1×10⁻⁴ × 0.1 = 1×10⁻⁵/year
This is below the tolerable limit. SIL 1 is required.
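The six-step procedure and the suction drum example above, as an added Python example that is not part of the original article: it multiplies out the credited IPLs, derives the required SIS PFD, reads the SIL from the PFD table, and refuses credit to any layer that shares equipment with the initiating event. The IPL names, the `components` tags and the small tolerance in the SIL lookup are assumptions made for illustration.

```python
from dataclasses import dataclass

SIL_BANDS = ((1, 0.01), (2, 0.001), (3, 0.0001))  # (SIL, lower PFD bound) from the table above

@dataclass(frozen=True)
class IPL:
    name: str
    pfd: float
    components: frozenset = frozenset()  # sensors / logic / final elements it relies on

@dataclass
class Scenario:
    ie_frequency: float                     # initiating event frequency, per year
    tolerable_frequency: float              # company criterion, per year
    ipls: list                              # candidate IPLs, SIS excluded
    ie_components: frozenset = frozenset()  # equipment whose failure is the initiator

def credited_ipls(s):
    # Independence check: a layer sharing equipment with the initiator earns no credit
    return [ipl for ipl in s.ipls if not (ipl.components & s.ie_components)]

def mitigated_frequency(s):
    # Step 5: IE frequency x PFD of every credited IPL
    freq = s.ie_frequency
    for ipl in credited_ipls(s):
        freq *= ipl.pfd
    return freq

def required_sis_pfd(s):
    # Step 6: tolerable frequency / mitigated frequency (excluding SIS)
    return s.tolerable_frequency / mitigated_frequency(s)

def sil_for_pfd(required_pfd):
    # 0 = mitigated frequency already below tolerable, no SIS needed; 4 = beyond SIL 3
    if required_pfd > 1.0 + 1e-9:  # tolerance: exact equality still calls for a SIS
        return 0
    for sil, lower in SIL_BANDS:
        if required_pfd >= lower:
            return sil
    return 4

def worked_example(prv_pfd=0.01):
    # Suction drum overpressure from compressor surge; prv_pfd=0.1 is the fouled-PRV case
    s = Scenario(ie_frequency=0.1, tolerable_frequency=1e-4,
                 ipls=[IPL("surge control (BPCS)", 0.1),
                       IPL("HP alarm + operator (>10 min)", 0.1),
                       IPL("suction drum PRV", prv_pfd)])
    req = required_sis_pfd(s)
    return mitigated_frequency(s), req, sil_for_pfd(req)
```

With the page's numbers, `worked_example()` returns a required PFD of 10 (no SIS needed) and `worked_example(0.1)` returns a required PFD of 1 (SIL 1).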
Common Mistakes in LOPA
Crediting non-independent layers. If the BPCS control loop is the initiating cause of the high-pressure scenario (e.g., control valve fails open), it cannot also be credited as an IPL. Independence means the IPL does not share sensors, logic, or final elements with the initiating event.
Stacking too many IPLs. LOPA allows multiple IPLs to be credited, but each must genuinely be independent and auditable. Crediting five IPLs to avoid specifying a SIS is a red flag — it usually means weak IPLs are being credited to avoid the cost of a proper SIS.
Using single initiating events when multiple apply. Where multiple failure modes can independently lead to the same consequence, each must be assessed separately. The LOPA table should have one row per initiating event.
Ignoring proof test intervals. SIF PFD is directly related to proof test interval. A SIF specified as SIL 2 with a five-year proof test interval will have a higher actual PFD than one proof-tested annually. The SIS designer must account for this in the Safety Requirements Specification.
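To put numbers on the proof test point, an added example that is not from the article: it uses the simplified single-channel (1oo1) approximation PFDavg ≈ λDU × TI / 2, where λDU is the dangerous undetected failure rate and TI the proof test interval. The formula, the SIL 2 target of 0.01 and the sample λDU of 5×10⁻³ per year are assumptions, and the approximation ignores diagnostics, repair time and common-cause failure.

```python
def pfd_avg_1oo1(lambda_du_per_year, ti_years):
    # Simplified single-channel approximation (assumed): PFDavg ~= lambda_DU * TI / 2
    # No diagnostic coverage, repair time or common-cause term is included.
    return lambda_du_per_year * ti_years / 2

def max_proof_test_interval(lambda_du_per_year, target_pfd):
    # Longest TI (years) that keeps PFDavg at or below the SRS target PFD
    return 2 * target_pfd / lambda_du_per_year

def pfd_by_interval(lambda_du_per_year, intervals=(1, 2, 5)):
    # PFDavg for each candidate proof test interval, in years
    return {ti: pfd_avg_1oo1(lambda_du_per_year, ti) for ti in intervals}

# Constructed sample: a SIF specified as SIL 2 (target PFD 0.01) whose whole
# sensor-logic-valve loop has an assumed lambda_DU of 5e-3 per year.
LAMBDA_DU = 5e-3
SIL2_TARGET = 0.01

if __name__ == "__main__":
    for ti, pfd in pfd_by_interval(LAMBDA_DU).items():
        verdict = "meets" if pfd <= SIL2_TARGET else "misses"
        print(f"TI {ti} yr: PFDavg {pfd:.2e} -> {verdict} SIL 2 target")
    print(f"max TI for SIL 2 target: {max_proof_test_interval(LAMBDA_DU, SIL2_TARGET):.1f} yr")
```

For the sample rate, annual testing gives PFDavg 2.5×10⁻³ (inside the SIL 2 band) while a five-year interval gives 1.25×10⁻² (only SIL 1), and four years is the longest interval that still meets the SIL 2 target.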
From LOPA to SRS
The output of LOPA is a SIL requirement per SIF — e.g., SIF-001 (High-High pressure trip on separator V-101) requires SIL 1. This feeds into the Safety Requirements Specification (SRS), which defines:
- The required SIL and target PFD for each SIF
- The process demand rate
- The proof test interval
- The required response time (trip time)
- Environmental and operational constraints
The SRS is the document against which the SIS is designed and verified. Without it, SIS design cannot proceed in a systematic and auditable manner.
Conclusion
LOPA provides a structured, semi-quantitative basis for SIL determination — rigorous enough to be defensible in audit, practical enough to be used by engineers without specialised probabilistic analysis training. The methodology is straightforward when the underlying concepts are clear: one initiating event per row, genuine independence for each IPL, and a tolerable frequency that reflects the company's actual risk tolerance.
The goal is not to generate a SIL number. It is to determine whether the proposed protection layers — including any SIS — are adequate for the hazard. Sometimes LOPA confirms that no SIS is needed. Sometimes it confirms SIL 2 or SIL 3 is required for a consequence that engineering intuition underestimated. Both outcomes are valuable.