SIL Determination Methods: Which is best for me?

With so many SIL Determination methods which is best for you? SIL Determination, Quantitative Assessment (ie FTA) or Layers of Protection Analysis (LOPA).

With so many SIL Determination methods which is best for you? Risk Graph / Risk Matrix, Quantitative Assessment (ie FTA) or Layers of Protection Analysis (LOPA).

Key to achieving Functional Safety is a robust process for identifying required levels of risk reduction, expressed in IEC 61508 / IEC 61511 as Safety Integrity Levels: SIL.

Once each hazardous event and the requirements for additional risk reduction (in the form of Safety Instrumented Functions – SIFs) have been identified, the next step is to determine the required SILs: ‘SIL Determination’.  There are several approaches to this, each with their own pros and cons.  None of which would be considered a “one size fits all” approach; the most suitable method will depend on several factors[1]:

  • The complexity of the scenario under consideration
  • The severity of the consequences – clearly more attention, in terms of analysis, should be paid to higher consequence events
  • The required risk reduction -the level of detail applied in the analysis should correspond to the size of the gap between the risk target and the estimated risk
  • the information available on the parameters relevant to the risk.

SIL Determination methods

So with the many SIL Determination methods out there – all tried and tested, which is best for you?

Risk Graph / Risk Matrix

Risk Graphs/ Risk Matrices are widely used as screening tools and methods for prioritising process risks. The Risk Matrix is a fully qualitative technique where the SIL requirement for a SIF is embedded in the matrix and is selected based on the Hazardous Likelihood, Severity (normally based on the company specific risk criteria) and the number of protection layers.

The Risk Graph is a, generally speaking, slightly more detailed approach, where the SIL requirement of a SIF can be based on the Consequence, Occupancy, Probability of Avoiding the Hazard and Demand Rate.

These techniques tend to produce inherently conservative results which is why they are commonly used as screening tools, especially where there are a large number of SIFs to assess.  A typical approach (as stated in IGEM/SR/15) would be to screen the SIFs, and those which have been identified as having a target of SIL 2 or greater would be subject to a more quantified approach such as Fault Tree Analysis (FTA) or LOPA.

These assessments rely heavily on the correct calibration of the matrix/graph, so it is essential that there is a record of all assumptions and information used in the decision-making process.

Quantitative Assessment (i.e. FTA)

A Fault Tree Analysis is a fully quantitative approach and tends to be the best method for complex scenarios or for higher integrity systems (i.e. SIL

3) where a linear approach such as a LOPA/Risk Graph may not be sufficient; think inter-twining scenarios where some Independent Protection Layers (IPLs) are only applicable to some initiating events. Perhaps you have conditional or common events; or maybe you have different SIFs mitigating against different initiating events for the same hazardous scenario.

A FTA, although more time consuming, provides the necessary level of detail for these more complex scenarios with a less conservative output compared to the Risk Graph technique.


Layers of Protection Analysis (LOPA) is probably the most popular and commonly-used method for SIL Determination in the Process Sector.

Why? It’s what we would say is a good all-rounder (in terms of conservativism and time efficiency) which makes it the ‘go to’ method suitable for the majority of scenarios.

The key to a successful LOPA is in the preparation; an agreed Terms of Reference which pre-defines the Initiating Event Frequencies, Conditional Modifiers and IPLs’ figures.

The systematic approach provides a methodical structure to assess the layers of protection (think famous onion diagram!), which prevent the initiating events from occurring and resulting in the unwanted consequence.

Another advantage of this method is that since numerical risk targets are assigned to specific consequence severity levels, the user can assess if the residual risk meets the corporate criteria. In the cases where it doesn’t, the SIF is required to meet the identified target failure measure (i.e. the risk gap), expressed in terms of SIL.

SIL Determination Methods at ESC

ESC’s Consultants have the experience and expertise to facilitate SIL Determination studies using the technique most suitable for your application.

Why not download our ProSET Software for a free 14-day trial to see how it can help you with compliance with IEC 61508/IEC 61511?

[1] IEC 61511-3: Functional safety – Safety instrumented systems for the process industry sector