Basis 

of SIL Determination
& Introduction to
Layers of Protection Analysis (LOPA)

Fayyaz Moazzam, CFSE

Principal Consultant
PetroRisk Middle East, Abu Dhabi, United Arab Emirates
Email: info@petrorisk.com
 What is LOPA?

• Evaluate risks in orders of magnitude

of selected accident scenarios
• Builds on the information developed in
qualitative hazard evaluation e.g.
HAZOP
 Main Questions

• LOPA helps to answer the following

questions:
– What’s the likelihood of undesired events /
scenarios ?
– What’s the risk associated with the
scenarios?
– Are there sufficient risk mitigation
measures?
 Basic Principle

Cause or IPLs Failure

Initiating Undesired
Event Consequence

Independent Protection Layer (IPL)

Safeguard capable of preventing a
scenario from proceeding to its undesired
consequence.
Protection Layers 
The Ideal & Reality
Concept of Layers of Protection
 What is scenario ?

Cause + Consequence = Scenario

LOPA is limited to evaluating a single cause-

consequence pair as a scenario
 LOPA Five Basic Steps
1. Scenarios identification.
2. Identify the initiating event of the scenario
and determine the initiating event frequency
(events per year).
3. Identify the IPLs and estimate the probability
of failure on demand of each IPL.
4. Estimate the risk of scenario.
5. Compare the calculated risk with the
company’s tolerable risk criteria
 Basic Principle

Initiating
IPL IPL IPL Scenario
Cause #1

Initiating
Cause #2
Accident

Initiating
Cause #3

Scenario
 Components in a Scenario
Initiating Event
(Cause)
• Control failure IPL #1 IPL #2 IPL #2 Consequence
• Human error
• Leakage

Enabling Events Accident

& Conditions

Typical IPLs:
Conditional • Process control system (PCS) control loop
Modifiers • Alarms with operator response
• Pressure relief valve
• Probability of ignition
• Vessel rupture disk
• Probability of fatal injury
• Fire detection with water deluge system
• Probability of personnel
• Gas monitors with automated deluge
in affected area
• Check valve
• Flame arrestor
• Vacuum breaker
• Restrictive orifice
• Safety instrumented function (SIF)
• Process Design
 Enabling Condition
LAH-100
To compressor K-101
LAHH-101

SIL RRF PFDavg

V-101 Level
LIC
DP=
130 SIL-1 10-100 0.1 – 0.01
25 barg
SDV-110
SIL-2 100-1,000 0.01 – 0.001
SIL-3 1,000-10,000 0.001 – 0.0001
SIL-4 10,000-100,000 0.0001 – 0.00001
LCV-130
Safety Function: LAHH-101 to close SDV-110 on high high level in V-101
Scenario: Level Control Loops Fails; LCV-130 fail closed; Level in V-101 rises;
Carry over from V-101; Compressor K-101 mechanical damage of $810,000
Company’s Tolerable Frequency : 1.0E-05 or 0.00001
Frequency of control loop failure : 0.1 /yr
Probability of LCV-130 going in close position if control loop fails: 0.8
IPL-1: High Level Alarm (LAH-100) : 0.1 (Probability of failure)
Mitigated frequency: 0.1 x 0.8 x 0.1 = 0.008
Risk Reduction Factor = Actual Frequency / Company’s Tolerable Frequency
= 0.008 / 0.00001 = 800
or PFDavg = 0.00125
 Enabling Condition
LAH-100
To compressor K-101
LAHH-101

SIL RRF PFDavg

V-101 Level
LIC
DP=
130 SIL-1 10-100 0.1 – 0.01
25 barg
SDV-110
SIL-2 100-1,000 0.01 – 0.001
GV-1 SIL-3 1,000-10,000 0.001 – 0.0001
SIL-4 10,000-100,000 0.0001 – 0.00001
LCV-130
Safety Function: LAHH-101 to close SDV-110 on high high level in V-101
Scenario: GV-1 closed; Level in V-101 rises; Carry over from V-101; Compressor
K-101 mechanical damage of $810,000
Company’s Tolerable Frequency : 1.0E-05 or 0.00001
Frequency of operator error: 0.01 /yr
Enabling condition: Not applicable
IPL-1: High Level Alarm (LAH-100) : 0.1 (Probability of failure)
Mitigated frequency: 0.01 x 0.1 = 0.001
Risk Reduction Factor = Actual Frequency / Company’s Tolerable Frequency
= 0.001 / 0.00001 = 100
or PFDavg = 0.01
 Initiating Events

Types of Initiating Events:

• External events
– Earthquakes, tornadoes, hurricanes, or floods
– Major accidents in adjacent facilities
– Mechanical impact by motor vehicles
• Equipment failures
– Component failures in control systems
– Corrosion
– Vibration
• Human failures
– Operational error
– Maintenance error
Inappropriate Initiating Event
Examples of inappropriate initiating
events:
– Inadequate operator training /
certification
– Inadequate test and inspection
– Unavailability of protective devices
such as safety valves or over-speed
trips
– Unclear or imprecise operating
procedures
Initiating Events Frequency Estimation
Failure Rate Data Sources:
– Industry Data (e.g. OREDA, IEEE, CCPS, 
AIChE)
– Company Experience
– Vendor Data
– Third Parties (EXIDA, TUV etc.)
Initiating Events Frequency / 
Failure Rate Data Estimation
Choosing failure rate data
• It is a Judgment Call
• Some considerations:
– Type of services (clean / dirty ?)
– Failure mode
– Environment
– Past history
– Process experience
– Sources of data

16
Initiating Event Frequency

• If initiating event frequency data is not

available then it can be estimated using
Fault Tree Analysis.
Initiating Events Frequency Estimation
Example
A plant has 157 relief valves which are tested annually.
Over a 5 year period 3 valves failed to pass the function
test. What is the failure rate for this plant’s relief valves?

Number of Events
Event Frequency =
Time in Operation

Failure Rate for Relief Valve = 3 function test failures

157 valves x 5 years

= 0.0038 failures per year per valve

Conditional Modifiers 
 Probability of ignition

 Probability of fatal injury

 Probability of personnel in affected area

19
Conditional Modifiers 
Probability of Ignition
– Chemical’s reactivity
– Volatility
– Auto-ignition temperature
– Potential sources of ignition that are
present
Conditional Modifiers 
Probability of Personnel in the Area

– Location of the process unit;

– The fraction of time plant personnel (e.g.
personnel from operation, engineering
and maintenance) spent in the vicinity
Conditional Modifiers 
Probability of Injury
– Personnel training on handling accident
scenario
– The ease of recognize a hazardous
situation exists in the exposure area
– Alarm sirens and lights
– Escape time
– Accident scenario training to personnel
Independent Protection Layers
• All IPLs are safeguards, but not all
safeguards are IPLs.
• An IPL has two main characteristics:
– How effective is the IPL in preventing the
scenario from resulting to the undesired
consequence?
– Is the IPL independent of the initiating
event and the other IPLs?

23
Independent Protection Layers
Typical layers of protection are:
• Process Design
• Basic Process Control System (BPCS)
• Critical Alarms and Human Intervention
• Safety Instrumented System (SIS)
• Use Factor
• Physical Protection
• Post‐release Protection 
• Plant Emergency Response 
• Community Emergency Response

24
Independent Protection Layers
Safeguards not usually considered IPLs
• Training and certification
• Procedures
• Normal testing and inspection
• Maintenance
• Communications
• Signs
• Fire Protection (Manual Fire Fighting etc.)
• Plant Emergency Response & Community 
Emergency Response
Characteristics of IPL
1. Specificity: An IPL is designed solely to prevent or to mitigate
the consequences of one potentially hazardous event (e.g., a
runaway reaction, release of toxic material, a loss of
containment, or a fire). Multiple causes may lead to the same
hazardous event, and therefore multiple event scenarios may
initiate action of one IPL.
2. Independence: An IPL is independent of the other protection
layers associated with the identified danger.
3. Dependability: It can be counted on to do what it was
designed to do. Both random and systematic failure modes
are addressed in the design.
4. Auditability: It is designed to facilitate regular validation of the
protective functions. Functional testing and maintenance of the
safety system is necessary.
Use of Failure Rate Data
Component Failure Data
• Data sources:
– Guidelines for Process Equipment Reliability Data,
CCPS (1986)
– Guide to the Collection and Presentation of
Electrical, Electronic, and Sensing Component
Reliability Data for Nuclear-Power Generating
Stations. IEEE (1984)
– OREDA (Offshore Reliability Data)
– Layer of Protection Analysis – Simplified Process
Risk Assessment, CCPS, 2001
Use of Failure Rate Data
Human Error Rates
• Data sources:
– Inherently Safer Chemical Processes: A life
Cycle Approach , CCPS (1996)
– Handbook of human Reliability Analysis
with Emphasis on Nuclear Power Plant
Applications, Swain, A.D., and H.E.
Guttman, (1983)
Safety Instrumented Function (SIF)
• Instrumented loops that address a specific risk
• It intends to achieve or maintain a safe state for 
the specific hazardous event.  
• A SIS may contain one or many SIFs and each is 
assigned a Safety Integrity Level (SIL).
• As well, a SIF may be accomplished by more 
than one SIS. 
Understanding Safety Integrity Level (SIL)
• What does SIL mean?
– Safety Integrity Level 
– A measure of probability to fail on demand (PFD)
of the SIS.
– It is statistical representation of the integrity of the 
SIS when a process demand occurs.
– A demand occurs whenever the process reaches 
the trip condition and causes the SIS to take 
action.
 SIL Classification
SIL Probability Category
1  1 in 10  to  1 in 100 
2  1 in 100  to  1 in 1,000 
3  1 in 1,000  to  1 in 10,000 
4  1 in 10,000  to  1 in 100,000 

1 in 10 means, the function will fail once in a total of 10 process demands

1 in 1000 means, the function will fail once in a total of 1000 process
demands
 SIL Classification
Safety Integrity Levels

SIL Probability of failure on demand

Level (Demand Mode of Operation) Risk Reduction Factor
-5 -4
SIL 4 >=10 to <10 >=0.00001 to <0.0001 100000 to 10000
-4 -3
SIL 3 >=10 to <10 >=0.0001 to <0.001 10000 to 1000
-3 -2
SIL 2 >=10 to <10 >=0.001 to <0.01 1000 to 100
-2 -1
SIL 1 >=10 to <10 >=0.01 to <0.1 100 to 10
Setting Tolerable Frequency
For example, if there are 10,000 plants in the country and the
operating company accepts the risk equivalent to one
catastrophic accident leading to multiple fatalities every 10
years, then the tolerable frequency of the operating company for
such an accident would be:

Tolerable Frequency = 1 occurrence per 10,000 plants every 10 years

= 1 / 10,000 / 10
= 1.0E-05 occurrence per year per plant

Or probability of catastrophic accident leading

to multiple fatalities per year per plant
It would be wrong to take inverse of 1.0E-05, which would be
100,000 years, and say that a plant will have catastrophic
failure every 100,000 years
Frequency Calculation
For example, if the statistical data indicates that 1 out of 300
smokers die every year, then the frequency can be calculated as
follows:

Frequency = 1 death per 300 smokers every year

= 1 death / 300 smokers / 1 year
= 3.3E-03 deaths per smoker per year
Or probability of a smoker
dying per year

It would be wrong to take inverse of 3.3E-03, which would be

300 years, and say that a smoker would die every 300 years
 Tolerable Frequencies
Tolerable People Environment Assets Reputation
Frequency

2E-05 /yr Multiple fatalities Massive Effect- Substantial or a total Extensive adverse
or permanent Persistent severe loss of operations coverage in
disabilities environmental (>$10,000,000) international media.
damage

2E-04 /yr Single fatality or Major effect- severe Partial operation loss National public
permanent environmental and/or prolonged concern. Extensive
disability damage shutdown adverse coverage in the
(<$10,000,000) national media.

2E-03 /yr Serious injuries Localized effect- Extended plant Regional public
(lost time cases) Limited loss of damage and/or partial concern. Extensive
discharge of known shutdown adverse coverage in
toxicity (<$500,000) local media.

2E-02 /yr Minor injuries Minor Effect Moderate plant Some local public
(medical treatment Contamination damage and/or brief concern. Some local
cases) operations disruption media coverage.
(<$100,000)

2E-01 /yr Slight injuries (first Slight release Local Minor plant damage Public awareness may
aid cases) Environment damage and no disruption to exist, but there is no
Operations (<$10,000) public concern.
 SIL Calculation
PAH-100

PSHH-101
PIC-80
150 barg

SIL RRF
Level
SIL-1 10-100
V-101
LIC
DP= SIL-2 100-1,000
130
25 barg SIL-3 1,000-10,000
PCV-501 SDV-110
SIL-4 10,000-100,000

1. Tolerable Frequency: 2E-04 (single fatality)

2. Initiating Events:
PCV-501 Fail Opened 4. Actual Frequency:
Initiating Event Frequency  0.1/yr 0.1/yr x 0.1 = 0.01/yr
3. Independent Protection Layers (IPLs): 5. Risk Reduction Factor:
High Pressure Alarm, PAH-100 =Actual Frequency / Tolerable Frequency
Prob. of Failure on Demand  0.1 =0.01/2E-04
=50 (SIL-1)
 SIL Calculation PAH-100

PSHH-101
PIC-80
SIL RRF
150 barg

Level
SIL-1 10-100

SIL-2 100-1,000
V-101
LIC-130 SIL-3 1,000-
DP= 10,000
25 barg
PCV-501 SDV-110 SIL-4 10,000-
100,000

1. Tolerable Frequency: 2E-05 (multiple fatalities)

2. Initiating Events:
PCV-501 Fail Opened 4. Actual Frequency:
Initiating Event Frequency  0.1/yr 0.1/yr x 0.1 = 0.01/yr
3. Independent Protection Layers (IPLs): 5. Risk Reduction Factor:
High Pressure Alarm, PAH-100 =Actual Frequency / Tolerable Frequency
Prob. of Failure on Demand  0.1 =0.01/2E-05
=500 (SIL-2)
SIL Calculation PSV-150
PAH-100

PSHH-101
PIC-80
150 barg

SIL Level RRF

V-101 SIL-1 10-100
DP= LIC-130
25 barg SIL-2 100-1,000
PCV-501 SDV-110
SIL-3 1,000-10,000

SIL-4 10,000-100,000

1. Tolerable Frequency: 2E-05

(multiple fatalities)
2. Initiating Events:
5. Risk Reduction Factor:
PCV-501 Fail Opened
=Actual Freq. / Tolerable Freq.
Initiating Event Frequency  0.1/yr
=0.001/2E-05
3. Independent Protection Layers (IPLs): =50 (SIL-1)
High Pressure Alarm, PAH-100; PFDavg  0.1
Pressure Safety Valve, PSV-150; PFDavg  0.01
4. Actual Frequency: 0.1/yr x 0.1 x 0.01 = 0.001/yr
(Alarm) (PSV)