Can a final element, such as an air-to-open control valve, be shared between a BPCS control loop that is the cause of a scenario, and an SIF that is an IPL for the same scenario?

If you used LOPA to determine if you need a SIF and to identify what SIL is required (if any), then you cannot share or partially share a final element.  So, if the BPCS control loop is the cause (initiating event) and that loop uses the final element in question, then that same final element cannot be used in an IPL (regardless of if the IPL is configured in the BPCS or via an SIS).  There are good reasons for this rule.  First, what failure modes lead to common cause failure?  Let’s say the valve in question needs to “close” to be safe.  Then what if the valve is stuck open due to cold welding into the open position because it happens to be full open nearly all of the time? What if the valve is left in manual control at the local valve control station?  What if the valve if manually locked or gagged open (such as with a nut on a stem) for testing of the control loop up to the final element? What is something is jammed in the valve that prevents valve closure (such as scale, a fragment of a upstream component such as filter, etc.)?  Then any of these common errors will also take out the SIF using the same valve. This is the types of mistakes in design that LOPA and SIS standards are trying to avoid.

So, per the rules of LOPA, the boundary of a BPCS extends to include anything touched by the BPCS “loop” including impulse lines and taps for the sensor portion (including level bridles, for instance), transmitters, conduit, input module, logic solver, output module, conduit, final element (without or without a solenoid to completely open the air to the valve, if an air-to-open valve is the final element).  LOPA would not allow the sharing of the final element.  In FTA, you could account for the common cause failures and common human errors described earlier, but nearly all folks who think they understand FTA, will do this common cause analysis wrong, especially the human error portion. For instance, some think that “if we write a procedure to control such common cause human errors then the errors are eliminated”… this is far from the truth.

Now, with all of that stated, we know of some reputable chemical companies that allow sharing of the final element if the install a separate solenoid to vent the air and close the valve .  They justify this using a FTA (not LOPA) and presumably accounting for and controlling the CC errors and failures. Many of us doubt they can keep control of the CC human errors for the life of the process.

One step further: Our understanding on the definition of degrees of freedom means that IEC 61511 (and therefore ANSI/ISA 84) would prohibit sharing of the final element in a SIL 3 SIF, with the BPCS (using the same valve) being the initiating event (cause) of the scenario.  (But, as a side note, we

[PII] do not believe a SIL 3 is achievable in the field for a continuous process, due to the human errors during interventions to test, etc., not being controllable to such extremely low error rates; and 98% of our clients agree and do not allow SIL 3 claims in their LOPA, FTA, or PHA/HAZOPs; so systems requiring SIL 3 protection from a SIF must be redesigned instead.)
By |2016-12-07T01:33:36+00:00January 29th, 2014|Uncategorized|2 Comments

About the Author:

William G. (Bill) Bridges is President of the Process Improvement Institute (PII). He has over 30 years of experience, including more than 20 in senior management and senior PSM advisory roles. Bill is considered one of the leading authorities on process safety engineering, risk management, and human error prevention.


  1. Kamran August 1, 2014 at 5:14 pm - Reply

    Very interesting report posted by you.
    I have a question .

    There is a scenario that initiating cause(bpcs loop failure) and IPL are sharing same bridle for level measurement.

    In my opinion we can not get credit for that IPL but client is insisting and explains his administrative znd maintenance on those.

    Would you please let me know if there is specific report/ reference/ standard of document clearly says about this?

    Appreciate your response

    Kamran FS engineer TUV

    • Bill Bridges August 2, 2014 at 11:38 am - Reply


      The rules for LOPA are clear; each loop only gets counted once in a scenario and the loop in your case begins at the level bridle and ends at the final isolation element (Valve, for example). It is NOT allowed to share a level bridle with an IPL in the same scenario. The first LOPA book was not this precise, but we meant it to be. In the new book (at the printers now) on Guidelines for Initiating Events and Independent Protection Layers, CCPS/AIChE, the text clearly states this; see the excerpt below from the new book:

      Independence is a basic tenet of LOPA. Independence is achieved when the performance of one IPL is not affected by the IE or by the failure of another IPL to operate. For example, could the sensor, logic solver, or final element used to implement the safety interlock malfunction and cause the initiating event?

      This rule implies that there are no shared devices in the IE and IPLs and that a human (or group of humans) is only used once in a hazard scenario. This text provides guidance and data tables for some IPLs that do not meet the strict rules of independence, e.g., taking credit for multiple layers that rely on humans or instrumentation. In each case, the guidance in the text and the data table should be strongly considered prior to making the IPL claim. Generally, this guidance recommends additional analysis, monitoring, or verification be performed to ensure that the lack of strict independence does not invalidate the IPL.

      Typical rules for independence of an IPL from the IE and from other IPLs in the same LOPA scenario include:

      • The device or system implementing each IPL is independent of the failure of the equipment that causes the IE as well as of other IPLs.

      The boundary for IEs and IPLs includes all devices, process connections, human interfaces, and support systems which must operate when required to stop the event propagation. Consideration of process connections should assess any lack of independence in instrument taps, level bridles, or impulse lines and the potential impact of these common connections to the achievable performance. For the human interfaces, the design and management of the alarm interfaces, bypass facilities, isolation valves, and manual shutdown facilities should be assessed to understand how human factors, access security, and management of change are addressed. When multiple layers rely on instrumentation, the independence of the procedures, personnel, and schedule for the maintenance and testing of instrumentation must be considered. When the same personnel, procedures, and schedules are used to maintain multiple instruments, there is a greater potential for human error to disable multiple layers of protection.

      Finally, also read the papers:



      which address the same issue at some point in each paper.

Leave A Comment