
Journal of Loss Prevention in the Process Industries xxx (2015) 1–11

journal homepage: www.elsevier.com/locate/jlp

On the use of LOPA and risk graphs for SIL determination


Alejandro C. Torres-Echeverria 1
Risktec Solutions Inc., 1110 NASA Parkway, Suite 203, Houston, TX 77058, USA

Article info

Article history: Received 28 April 2015; Received in revised form 17 November 2015; Accepted 10 December 2015; Available online xxx

Keywords: Safety instrumented systems (SIS); Safety integrity level (SIL); Layers of protection analysis (LOPA); Risk graph; IEC 61508; IEC 61511

Abstract

Safety Integrity Level (SIL), as defined in IEC 61511, is a widely used safety performance measure for safety instrumented functions. The standard IEC 61511 suggests several methods for SIL determination, ranging from fully quantitative methods to fully qualitative methods. The large number of safety functions to evaluate during plant design, and the need to integrate multidisciplinary design and operation knowledge to achieve effective risk reduction, have made the use of multi-disciplinary-team workshop approaches necessary.
Two widely used methods in the Oil & Gas industry for SIL determination are Layer of Protection Analysis (LOPA) and Risk Graphs. Each of these methods has its own advantages and disadvantages. LOPA allows the required risk reduction to be incorporated into the SIL values with higher precision. This enables a more detailed consideration of the available protection layers and leaves an objective, traceable record of the decision-making process.
In contrast, the simplicity of Risk Graphs makes them convenient for screening a large number of safety functions. This can make Risk Graphs useful as a first screening pass prior to using LOPA. However, Risk Graphs are still widely used as a stand-alone method.
This paper seeks to explore the differences between LOPA and Risk Graphs and to investigate whether the Risk Graphs method can provide the same level of SIL determination rigor as LOPA. The paper aims to determine if the simplicity of Risk Graphs can make that method more efficient for cases when the number of safety functions to evaluate is considerable.
© 2016 Elsevier Ltd. All rights reserved.

1. Introduction

Two of the most widely used methods in the Oil & Gas Industry for determination of Safety Integrity Levels (SIL) of Safety Instrumented Functions are Layer of Protection Analysis (LOPA) and Risk Graphs. Each of these methods has its own advantages and disadvantages. Safety Integrity Levels are defined in the standards IEC 61508 (IEC, 2010a) and IEC 61511 (IEC, 2003a). LOPA allows a more detailed consideration of layers of protection and required risk reduction, while leaving a traceable record of the decision-making process. The Risk Graph method is less intensive, and its relative simplicity makes it convenient for screening a large number of SIFs. This paper reviews the differences between LOPA and Risk Graphs in order to determine whether the Risk Graphs method can provide the same level of SIL determination rigor as LOPA, and if the Risk Graph method can be more efficient for cases when the number of safety functions to evaluate is considerable.

2. International standards' requirements

The international standard IEC 61508 (IEC, 2010a) addresses the requirements for safety related systems based on electrical, electronic and programmable electronic technology. This is a generic document, non-specific to any industry and relevant to a wide range of different sectors. The international standard IEC 61511 “Functional safety: Safety instrumented systems for the process industry sector” (IEC, 2003a) was created as a derivation of IEC 61508 to cover specifically the process industry. The standard ANSI/ISA-84.00.01 edition 2004 (ISA, 2004) later adopted the standard IEC 61511 in its entirety with some minimal modifications. Therein, any reference to IEC 61511 is equivalent to a reference to ANSI/ISA-84.00.01 and vice versa.
A Safety Instrumented Function (SIF) is a safety protective function implemented by a Safety Instrumented System (SIS), and composed of any combination of sensors, logic solver and final elements (e.g. valves). A SIF must achieve a specific level of integrity,

E-mail address: alejandro.torres@risktec.com.
1 Present address: 15810 Park Ten Place, Suite 100, Houston, TX 77084, USA.

http://dx.doi.org/10.1016/j.jlp.2015.12.007
0950-4230/© 2016 Elsevier Ltd. All rights reserved.

Please cite this article in press as: Torres-Echeverria, A.C., On the use of LOPA and risk graphs for SIL determination, Journal of Loss Prevention in
the Process Industries (2015), http://dx.doi.org/10.1016/j.jlp.2015.12.007

Nomenclature

ANSI    American National Standards Institute
BPCS    Basic Process Control System
C       Consequence
CCF     Common Cause Failure
CCPS    Center for Chemical Process Safety
F       Occupancy
HAZID   Hazard Identification Study
HAZOP   Hazards and Operability Study
IEC     International Electrotechnical Commission
IPL     Independent Layer of Protection
ISA     International Society of Automation
LOPA    Layer of Protection Analysis
P       Probability of Avoiding a Hazard
PFDavg  Average Probability of Failure on Demand
QRA     Quantitative Risk Assessment
RRF     Risk Reduction Factor
SIF     Safety Instrumented Function
SIL     Safety Integrity Level
SIS     Safety Instrumented System
W       Demand Rate
W'      Initiating Event Frequency

represented by the Safety Integrity Level (SIL). Notice that the SIS, and thus the SIFs, is independent from the plant control functions performed by the Basic Process Control System (BPCS).
Per IEC 61511, the definition of any SIF must be based on a previous risk assessment. The risk assessment determines the current level of risk presented by the facility. This is compared against a tolerable risk level. The gap between the actual risk level and the tolerable risk is the required level of risk reduction (Fig. 1), also called the Risk Reduction Factor (RRF). The RRF is the ratio of the actual risk presented by the facility to the risk that must be achieved as a target based on the acceptance criteria:

RRF = Actual Risk / Tolerable Target Risk

An important consideration is that the tolerable risk level to be used as baseline for risk assessment must be set by each individual organization, specific to each process or facility, as their Corporate Risk Criteria (CCPS, 2001; De Salis, 2011).

3. Safety integrity level concept

SIL stands for “Safety Integrity Level”, which is a discrete performance measure that indicates the range of maximum acceptable probability of failure of a SIF to perform its intended function upon a demand to do so. The SIL levels are defined in terms of the average Probability of Failure on Demand (PFDavg) for systems working in demand mode of operation, as presented in Table 1.

Fig. 1. Risk reduction factor concept.

Table 1
Safety integrity levels for demand mode (IEC 61511 (2003a)).

SIL   PFDavg               Risk reduction factor
4     ≥10^-5 to <10^-4     >10,000 to ≤100,000
3     ≥10^-4 to <10^-3     >1000 to ≤10,000
2     ≥10^-3 to <10^-2     >100 to ≤1000
1     ≥10^-2 to <10^-1     >10 to ≤100

4. SIL determination methods

SIL Determination refers to the activity of selecting the required SIL for a SIF. SIL determination is usually done after the risk assessment has been performed and the SIFs required in the plant have been defined. There are several methods suggested in IEC 61511 and IEC 61508 for SIL determination. These methods range from quantitative, through semi-quantitative, to qualitative. The most rigorous and comprehensive methodology is based on a fully quantitative analysis (see IEC 61508 Part 5 Annex D (IEC, 2010b), and IEC 61511 Part 3 Annex B (IEC, 2003b)), such as a Quantitative Risk Assessment (QRA). However, this method is not frequently used because it is resource intensive. Three widely used approaches in the Oil & Gas industry are Layers of Protection Analysis (LOPA), Risk Graphs and Safety Layer Matrix. The latter is briefly explained next, while LOPA and Risk Graphs are fully described in Sections 5 and 6 respectively.
Risk Matrix. This is a qualitative method described in IEC 61508 Part 5 Annex G (IEC, 2010b) and ISA IEC 61511 Part 3 Annex D (IEC, 2003b). IEC 61511 calls it Safety Layer Matrix, while IEC 61508 names it Hazard Event Severity Matrix. This method is based on qualitative knowledge of the likelihood and consequences of hazardous events, as well as the number of layers of protection available. It is based on the assumption that each added protection layer provides a risk reduction of one order of magnitude. The matrix is presented in Fig. 2. The factors used in the matrix are:

- Severity rating
- Likelihood of the hazardous event
- Number of independent protection layers for the specific hazardous event.

5. Layer of protection analysis (LOPA)

Layer of Protection Analysis (LOPA) is a simplified semi-quantitative risk analysis methodology. This method is presented in both IEC 61508 Part 5 Annex F (IEC, 2010b) and IEC 61511 Part 3 Annex F (IEC, 2003b). LOPA is described comprehensively in CCPS (2001). The LOPA method consists of identifying (semi-


Fig. 2. Safety layer matrix (IEC, 2010b).

quantitatively) the estimated likelihood and (qualitatively) the severity level of an initiating event, and calculating the modified likelihood of the hazardous event reduced by the probability of failure of existing independent protection layers (IPL). The resultant event likelihood is then compared against corporate risk criteria to determine the required additional risk reduction that would be provided by the SIF.
Fig. 3 shows an example of a LOPA table. The functions of the columns of the table are described next.

- Accident event and the potential severity level (columns 1–2). These come from a previous hazard identification study; e.g. HAZOP, HAZID, etc.
- Initiating cause description and its likelihood (columns 3–4). The single cause of the hazardous event. The likelihood is usually expressed as a frequency per year.
- Independent Protection Layer, IPL (columns 5–8). These columns include the protection layers that prevent or mitigate the accident event. An IPL is a device, system or action that is capable of preventing a scenario from proceeding to its undesired consequence independently from the initiating event and any other layers of protection. An IPL must meet these conditions: 1) it must be effective in preventing the consequence; 2) independent from the initiating event (and other protection layers); and 3) auditable (its effectiveness must be capable of validation in some way).
- Conditional modifiers (columns 9–10). One of several probabilities included in scenario risk calculations that modify the frequency of the hazardous event having consequences.
- Intermediate Event Likelihood (column 11). The calculated frequency at which the hazardous event would occur with all the IPLs in place (excluding the SIF whose SIL is being determined).
- Tolerable risk likelihood (column 12). The likelihood corresponding to the specific event severity according to the corporate risk criteria.
- Risk Reduction Factor (column 13). This is the RRF to be achieved by the SIF (as discussed in Section 2). The RRF relationship to the system's Probability of Failure on Demand (PFD) (see Table 1) can be calculated as PFDavg = 1/RRF.

The analysis starts by recording the risk (severity and likelihood) of the initiating event of the hazardous scenario (columns 1–4). It then calculates the likelihood of this event by multiplying it by the probability of failure of the available IPLs (columns 5–8), and by the likelihood of enabling events and conditional modifiers (columns 9–10). Subsequently it compares the resultant risk likelihood (column 11) against the tolerable risk level (column 12) to

Fig. 3. Example of LOPA worksheet.


determine if additional risk reduction measures are needed. If so, it evaluates the required level of risk reduction (RRF, column 13).
LOPA is based on simplified assumptions regarding the numerical values of each of the components of the hazardous scenario. These simplifications are intended to be conservative (CCPS, 2001). The method allows identification of the layers of protection that are in place and subsequently determining if additional layers of protection are needed. The risk of the hazardous scenario is approximated using order-of-magnitude categories for each of the considered factors (IPLs, modifiers, etc.).

6. Risk graph method

The original Risk Graph is in principle a qualitative method. It was first published in the standard DIN V 19250 (DIN, 1994). The method was subsequently included in IEC 61508 Part 5 Annex E (IEC, 2010b) and IEC 61511 Part 3 Annexes D and E (IEC, 2003b). The Risk Graph method is described by some standards as qualitative (IEC, 2010b) and by others as semi-quantitative (IEC, 2003b). There is, however, no substantial modification between the two graphs. This method allows selection of the SIL level by a simplified analysis based on the knowledge of the risk factors associated with the process and its control system (IEC, 2003b). The method consists of a tree-like graph where each stage represents one risk factor and the branches the different values that each factor can take. A Risk Graph intends to make a graded assessment of a hazardous scenario based on a series of parameters that represent those risk factors, considering that there is no SIF in place. The SIL is worked out by selecting each parameter from a pre-determined set of values. Fig. 4 shows an example of a Risk Graph from IEC 61511 Part 3 (IEC, 2003b).
As defined by IEC 61511 (IEC, 2003b), the factors used in the graph are:

- Consequence factor C (severity). This parameter accounts for the potential number of fatalities and serious injuries when the area is occupied. It should consider the area affected by the hazard and the vulnerability of the personnel (i.e. C = No. People × Vulnerability).
- Occupancy factor F (frequency and exposure). Probability (based on fraction of time) that the exposed area is occupied at the time of the hazardous event. Typical values are: a) less than 10% of the time, and b) 10% of the time or more.
- Probability of avoiding the hazard P. This assumes that all protection systems fail to respond. The likelihood of personnel being able to avoid the hazard depends on available IPLs alerting the exposed people, the ability to shut down the process such that the hazard can be avoided or to enable personnel to escape to a safe area, and the availability of means of escape. The parameter's value is actually the probability of failing to avoid the hazard.
- Demand rate W. This is the likelihood of the hazardous condition occurring in the absence of a SIF, usually as a frequency per year. It is determined by including all failures that can lead to the hazardous event and estimating the overall rate of occurrence. The W factor should consider “external” risk reduction facilities.

The target SIL is determined by following the path as per the selected parameters. The value in the box under the W parameters (Fig. 4) indicates the target SIL. If the box shows an “a” there is no specific requirement for a SIL value. If the box shows a “b”, this indicates that a single SIF is not sufficient to provide the required risk reduction.
The parameters of the graph can include numeric factors or just be qualitative. In any case, the values of the parameters should be derived by calibrating the Risk Graph against the corporate risk criteria. Calibration refers to the process of assigning numerical values to each of the Risk Graph parameters. Thus, corporate risk criteria indicating risk tolerability levels are embedded into the calibrated graph parameters. Qualitative parameters' calibration is quite subjective and requires considerable judgment. When numerical values are assigned to the Risk Graph parameters, this becomes a semi-quantitative method (named a Calibrated Risk Graph in IEC, 2003b). De Salis (2011) considers that a Risk Graph can be considered semi-quantitative only when it is properly designed and calibrated. Table 2 presents the example of calibration provided by IEC 61511 (IEC, 2003b). This is a summary made by the author of this paper. Please refer to the original source for the full table.
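The LOPA worksheet arithmetic of Section 5 (columns 4 to 13) and the RRF-to-SIL mapping of Table 1, written out as an added example; this is not code from the paper or from IEC 61511. The dataclass and function names, the scenario values, and the reading of RRF ≤ 10 as "no SIL-rated SIF required" and RRF > 100,000 as "beyond a single SIF" (the counterpart of the risk graph's "a" and "b" outcomes) are this example's own assumptions.

```python
"""LOPA worksheet arithmetic (Section 5) with the SIL mapping of Table 1.

Added example for this page, not code from the paper or from IEC 61511.
Names, dataclasses and scenario values are constructed for illustration;
the sub-SIL-1 and beyond-SIL-4 outcomes are this example's own reading of Table 1.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Table 1, RRF column: SIL -> (lower bound exclusive, upper bound inclusive)
RRF_BANDS: Dict[int, Tuple[int, int]] = {
    1: (10, 100),
    2: (100, 1_000),
    3: (1_000, 10_000),
    4: (10_000, 100_000),
}


@dataclass
class Ipl:
    """One independent protection layer (columns 5-8): effective, independent
    of the initiating event and of other layers, and auditable."""
    name: str
    pfd: float  # probability of failure on demand of this layer


@dataclass
class LopaScenario:
    accident_event: str                 # column 1
    severity: str                       # column 2
    initiating_cause: str               # column 3
    initiating_frequency: float         # column 4, events per year (W')
    ipls: List[Ipl]                     # columns 5-8; the SIF under study is NOT listed
    conditional_modifiers: List[float]  # columns 9-10, probabilities in (0, 1]
    tolerable_frequency: float          # column 12, per year, from corporate risk criteria


def validate(s: LopaScenario) -> None:
    """Reject inputs that would make the order-of-magnitude arithmetic meaningless."""
    if s.initiating_frequency <= 0 or s.tolerable_frequency <= 0:
        raise ValueError("frequencies must be positive (per year)")
    for p in [ipl.pfd for ipl in s.ipls] + list(s.conditional_modifiers):
        if not 0 < p <= 1:
            raise ValueError(f"probability {p} outside (0, 1]")


def intermediate_event_likelihood(s: LopaScenario) -> float:
    """Column 11: initiating frequency x PFD of every IPL x every modifier.
    Layers are multiplied as if independent; LOPA does not model CCF between
    them, which the paper lists as a drawback of the method."""
    validate(s)
    f = s.initiating_frequency
    for ipl in s.ipls:
        f *= ipl.pfd
    for m in s.conditional_modifiers:
        f *= m
    return f


def sil_from_rrf(rrf: float) -> Optional[int]:
    """Map a required RRF onto the RRF column of Table 1.

    Returns 0 when RRF <= 10 (below the SIL 1 band; RRF <= 1 means the
    tolerable frequency is already met without the SIF) and None when RRF
    exceeds 100,000 (beyond SIL 4: a single SIF cannot provide the reduction,
    the counterpart of the risk graph's "b" outcome).
    """
    if rrf <= 10:
        return 0
    for sil, (lower, upper) in RRF_BANDS.items():
        if lower < rrf <= upper:
            return sil
    return None


def evaluate(s: LopaScenario) -> dict:
    """Fill the calculated columns of the worksheet for one scenario."""
    iel = intermediate_event_likelihood(s)
    rrf = iel / s.tolerable_frequency              # column 13
    return {
        "intermediate_event_likelihood": iel,     # column 11
        "tolerable_frequency": s.tolerable_frequency,  # column 12
        "rrf": rrf,
        "risk_reduction_needed": rrf > 1,
        "sil": sil_from_rrf(rrf),
        "pfd_target": 1 / rrf if rrf > 1 else None,  # PFDavg = 1/RRF (Section 5)
    }


def example_scenario() -> LopaScenario:
    """Constructed sample worksheet row; the values are illustrative only."""
    return LopaScenario(
        accident_event="Vessel overpressure and loss of containment",
        severity="Potential on-site fatality",
        initiating_cause="Feed control valve fails open",
        initiating_frequency=1.0,                 # once per year
        ipls=[Ipl("BPCS high-pressure control loop", 0.1)],
        conditional_modifiers=[0.5, 0.5],         # occupancy, probability of ignition
        tolerable_frequency=1e-4,                 # per year, corporate criterion
    )
```

For the constructed row the intermediate event likelihood is 0.025 per year against a tolerable 1e-4, an RRF of 250, which Table 1 places in SIL 2 with a PFDavg target of 0.004.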

Fig. 4. Risk Graph in IEC 61511 part 3 Annex D (IEC, 2003b).


Table 2
Example of risk graph calibration from IEC 61511 (2003b).

Risk parameter: (C) Consequence. Related to number of fatalities. C = No. People × Vulnerability
  Classification: Ca – Minor injury; Cb – Range 0.01 to 0.1; Cc – Range >0.1 to 1.0; Cd – Range >1.0
  Notes: The vulnerability is determined by the nature of the hazard being protected against. The following Vulnerability factors can be used: V = 0.01 Small release (flammable or toxic) material; V = 0.1 Large release (flammable or toxic); V = 0.5 As above but also a high probability of catching fire or highly toxic material; V = 1.0 Rupture or explosion.

Risk parameter: (F) Occupancy
  Classification: Fa – Rare to more frequent exposure in the hazardous zone. Occupancy <0.1; Fb – Frequent to permanent exposure in the hazardous zone
  Notes: (none)

Risk parameter: (P) Probability of avoiding the hazardous event
  Classification: Pa – Adopted if all conditions in column 3 are satisfied; Pb – Adopted if all the conditions are not satisfied
  Notes: Pa should only be selected if all the following are true: facilities are in place which alert the operator that the SIS has failed; independent facilities are provided to shut down, such that the hazard can be avoided or which enable all persons to escape to a safe area; the time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions.

Risk parameter: (W) Demand Rate
  Classification: W1 – Demand rate <0.1D per year; W2 – Demand rate ≥0.1D and <D per year; W3 – Demand rate ≥D and ≤10D per year
  Notes: For demand rates higher than 10D per year higher integrity shall be needed. D is a calibration factor. The value of D is to be determined such that the Risk Graph results in a tolerable level of residual risk, considering other risks to exposed persons and corporate criteria.

It is important to mention that this method does not take into account Common Cause Failure (CCF) (although neither does LOPA). The Risk Graph method is not suitable for demonstrating whether residual risk has been reduced to a specific tolerable value.
For a properly calibrated Risk Graph, the corporate risk criteria indicating risk tolerability levels are embedded (non-explicitly) into the graph parameters, in contrast to LOPA where the risk criteria are explicit. Qualitative parameter calibration is quite subjective and requires considerable judgment, which should be based on the corporate risk criteria, even if qualitative.

7. SIL methods and phased approaches

There is not a single approach that is appropriate for every SIL determination situation. Marszal et al. (1999) proposed a phased approach “that utilizes simpler techniques to screen lower risk operations and systematically progresses to more complex techniques to optimize the SIL selection process”. This approach uses three levels of screening, going from qualitative, through semi-qualitative, to fully quantitative. The latter is for high risks with high SIS costs. ACM Facility Safety (2006) remarks that the rigor of a method can be defined based on how quantitative it is and its completeness for safeguards evaluation.
A fully quantitative technique provides a method that is explicit, a documentation framework that allows good traceability of the activities and the decision-making process, and a better system for lifecycle management (Bhimavarapu and Stavrianidis, 2000). A fully quantitative technique is, however, resource intensive. Other less intensive techniques, like semi-quantitative and qualitative ones, require fewer resources and are simpler, but they may provide less rigorous and traceable processes.
Qualitative techniques, such as Risk Matrix and Risk Graphs, tend to provide more conservative results (i.e. higher SIL). They have, however, no clear connection to tolerable risk levels. These techniques may “make the analysis easier; nevertheless the increment of costs for each SIF can be significant, tens of thousands of dollars, when increasing the SIL just one level. Using a more comprehensive analysis upfront can provide important savings” (Gruhn, 2004).
It is under a phased approach that Risk Graphs are sometimes used for a first-pass screening that allows analyzing a large number of safety functions. A second pass for the SIL-rated safety functions can be done using a more rigorous method. Gruhn (2004), however, mentions that several main players in the Oil & Gas industry and chemical industry have a preference for LOPA. Also, ACM Facility Safety (2006) believes that preference for the Calibrated Risk Graph method has waned and LOPA is becoming more popular, and that one factor driving this change is the growing need of companies to have a more defensible numerical approach that satisfies stakeholders such as management and regulators. Dowell (1998) highlighted that inconsistency in determining SIL “often comes from a lack of clarity for the frequency of the initiating cause and the target mitigated event frequency for which the risk is viewed as tolerable”.

8. Discussion on LOPA

8.1. Advantages

LOPA is a more quantitative method than Risk Graph, which allows documenting all considered factors and the rationale of risk decisions, enabling traceability for proving due diligence. It is adequate for demonstrating that risk levels have been lowered to satisfy tolerable risk criteria.
LOPA facilitates the inclusion of all prevention and mitigation measures (Gulland, 2004), providing a clearer picture of safeguards and initiating events (ACM Facility Safety, 2006). In contrast, Risk Graph methods can incorporate mitigation measures, such as alarms and relief valves, only as additional adjustments (Gulland, 2004). LOPA includes its own calibration and facilitates the use of corporate criteria in a clear, explicit way. Since it is more quantitative than Risk Graphs, it is more precise, yet less resource demanding than fully quantitative methods. Other authors (ACM Facility Safety, 2006) agree that LOPA is more rigorous and provides more defensible conclusions.
De Salis (2011) believes that the Risk Graphs provided as examples in the IEC standards fail compared to LOPA. His argument is that LOPA enables one to 1) define the frequency of the hazardous event, 2) as well as the likelihood of each available layer of protection; and 3) it calculates the probability of the unwanted event with these layers of protection and then makes an explicit comparison against the corporate risk criteria.
Summers (1998) brings to attention how difficult it is for a team to perform assignment of potential incident likelihood. This requires the team to have a general understanding about the frequency


of past incidents in the facility and the industrial group. Summers believes that LOPA to some extent eliminates this burden.

8.2. Drawbacks

As described above, LOPA has important advantages. Nevertheless, some authors have highlighted that LOPA still has some drawbacks. Compared to methods such as Risk Graphs, the method can be slower to apply, time consuming, and demand more resources from the assessment team (Gulland, 2004). The overall effort involved can be higher (ACM Facility Safety, 2006). De Salis (2011) comments that LOPA needs a specialist to execute the method, and also that special skill is needed to source the likelihood numbers, discriminate which numbers to employ and format them. These figures are hard to find and require skills to be interpreted and converted. In addition, he believes that the numbers may be based on educated guesses and can give an illusion of accuracy, since the final answer only gives an order-of-magnitude assessment rather than an accurate calculation. He also states that one of the most significant drawbacks is that LOPA does not take into account CCF between risk reduction measures.

9. Discussion on risk graphs

9.1. Risk graphs published in IEC standards

Risk Graphs have become known to many people from IEC 61508 and IEC 61511. It is worth highlighting that the Risk Graphs shown in IEC standards are examples, not intended to be used as they appear in the standard without further design and calibration (De Salis, 2011). As stated by that author, these examples are not designed nor calibrated, nor even properly fully documented, as an assessment tool for specific cases. They bear no relation to any specific tolerable risk criteria or plant conditions. ACM Facility Safety (2006) agrees that, in general, step-by-step directions to perform all the (SIS lifecycle) steps are not explicitly contained in the IEC 61511 standard.
De Salis (2011) analyzed the IEC 61508 Risk Graph. He criticized that the Risk Graph does not include the availability of most of the risk reduction measures (prevention and mitigation), nor the probability of failure of the BPCS. Since their action reduces the potential demand rate, these would need to be included in the assessment of parameter W. Furthermore, the IEC 61508 Risk Graph has no separate parameter for the probability of presence in the danger zone. He believes that the simple range of the three columns W3, W2, W1 “is not enough to give sensible answers”.

9.2. Advantages

The simplifications inherent to the Risk Graph method actually constitute some of its advantages. The method is simpler to apply, and thus requires less time, making it more amenable to the analysis of a large number of SIFs (which is not uncommon in process plants). It is a graphic method that allows visualizing to some extent the mechanism of hazards unfolding into potential consequences.

9.3. Drawbacks

Baybutt (2006) considers that, overall, “conventional Risk Graphs are a simple but subjective way of determining SILs”. He finds that there are no well defined, consistent standards or guidelines for the Risk Graph method. He highlighted some disadvantages such as: factors such as enabling events and conditional modifiers are not considered; the parameters lump together several factors, which is difficult to visualize (such as the parameter F including frequency of presence in the hazard area and potential exposure time); some parameters being limited to only two values may give over-conservative or over-optimistic results; the definition of parameters can be misleading by not differentiating between frequency and probability units. In a subsequent paper (Baybutt, 2013) he added that the simplicity of risk matrices and Risk Graphs makes them appealing, but that, in contrast, they present some difficulties that discourage their use. These difficulties include their limited capacity for accommodating hazardous events, the challenge of calibration by allocating risk tolerance criteria, and limited consideration of overall facility risk. The author considers LOPA and other more quantitative methods more capable of handling these issues.
Risk Graph is a coarser method than LOPA. Its results can be more inconsistent since much of the process is difficult to record and depends to a great extent on the expertise of the team (Bhimavarapu and Stavrianidis, 2010). The assessment has to be adjusted in several ways to include consideration of existing protection and mitigation measures (Gulland, 2004). Risk Graphs are generally subjective when evaluating initiating event likelihood and frequency values. Furthermore, calibration and allocation of corporate risk criteria is challenging (Baybutt, 2013). Corporate risk criteria have to be embedded implicitly in a Risk Graph. In contrast, LOPA can use tolerable risk criteria in an explicit way.

9.4. Risk graph conservatism

Baybutt commented that Risk Graphs' emphasis on consequences can lead to the domination of too conservative solutions. He considers that the parameter definitions (as provided by DIN V 19250 (DIN, 1994)) “are highly subjective and can lead to inconsistent results and possibly conservatism that may result in SIL overestimation” (Baybutt, 2006). De Salis (2011) agreed that the IEC 61508 Risk Graph will usually provide SIL numbers that are higher than actually needed. Notice, however, that this conservatism is an assumption that needs to be verified by ensuring that the graph indeed gives conservative assessments. The inherent uncertainty in the range of residual risk (in Risk Graphs) can be managed to produce a conservative outcome (Gulland, 2004). Some measures include “calibrating the graph so that the mean residual risk is significantly below the target, and selecting the parameter values cautiously, i.e. by tending to select more onerous range whenever there is an uncertainty”. Do not forget, in contrast, that this conservatism can incur a financial penalty in terms of higher SIL requirements. Per Gulland, Risk Graphs “must be calibrated on a conservative basis to avoid the danger they underestimate the unprotected risk and the amount of risk reduction required. Higher SIL requirements (i.e. SIL 2 or higher) can incur significant capitals costs (for rigorous engineering requirements and redundancy) and operating costs” (Gulland, 2004). At the end of the day, De Salis (2011) says, high reliability functions are costly, and the reliability required commands a proportional cost.

9.5. Risk graph parameters

ACM Facility Safety (2006) considers that the inherent nature of Risk Graphs is qualitative, although some quantitative additions can be used to complement them. Rating of parameters is usually made subjectively, based on engineering judgment and experience. In addition, he states that the theoretical foundations of both methods have been questioned by some authors. Gulland (2004) considers that Risk Graphs are very useful but coarse tools for assessing SIL requirements.
Summers (1998) mentioned that in the Risk Graph method the likelihood (of the demand rate) and consequences can be

Please cite this article in press as: Torres-Echeverria, A.C., On the use of LOPA and risk graphs for SIL determination, Journal of Loss Prevention in
the Process Industries (2015), http://dx.doi.org/10.1016/j.jlp.2015.12.007
A.C. Torres-Echeverria / Journal of Loss Prevention in the Process Industries xxx (2015) 1e11 7

determined by considering the independent protection layers during the assessment. She mentions that the demand rate parameter W can accommodate prevention protection layers, since they reduce the frequency of the initiating event, and the consequence parameter C can accommodate mitigation layers, since they reduce the consequences of the hazardous event. Gulland (2004) agreed that the C and W parameters are those mostly available to accommodate the graph calibration, since F and P are typically two-range. A properly evaluated Risk Graph requires this extra effort of considering those protection layers implicitly to determine the C and W values. In contrast, LOPA makes consideration of these layers explicit and numeric, and thus clearer and less subjective. Additions to the Risk Graph method made to determine and record these factors add complexity and resource requirements, thus closing the gap with LOPA's resource demand.

Although layers of protection can be embedded mainly in the parameter W, note that estimating the demand rate W is actually one of the most notable difficulties of Risk Graphs (De Salis, 2011). De Salis emphasized that "the demand rate is a concept that is difficult for people to put numbers to when they are asked to say what its value is". The demand rate "is the frequency with which the safety function has to act as last resort, which is not the same thing as the initiating event. It is actually the number of times per year that all other safety layers fail and the safety system actuates as the last resort". In contrast, LOPA actually calculates the safety function's demand rate. "LOPA users are calculating the required probability of failure on demand without asking about the demand rate at all" (De Salis, 2011).

9.6. Risk graph calibration

A Risk Graph needs to be designed and calibrated in order to compete with LOPA. In contrast, LOPA does not require much more design and calibration, since it is already a well developed method as it stands in the CCPS book (CCPS, 2001).

Although there is much criticism of Risk Graphs, De Salis (2011) advocates that a well designed Risk Graph can provide a better assessment. He said that only a well designed and calibrated Risk Graph can deliver a proper semi-quantitative risk analysis; otherwise it only provides a very coarse risk assessment. He affirmed that a Risk Graph that is designed and calibrated with a sound method can actually compete with LOPA and deliver similar results. This may also eliminate the need for a phased approach (a first screening pass and then using a second method).

According to De Salis (2011), calibration of a Risk Graph entails designing a graph structure that includes all relevant parameters and allows their proper definition, with the possibility of assigning them real values. The designer of the graph must consider how to ask the team sensible questions, against which they can give meaningful answers. The definition assigned to each parameter must "lead to the mathematical values to be used for that parameter". Each of the parameters will provide pre-determined data values such that "the SIL requirement is determined as an order of magnitude final answer" (similar to LOPA, although LOPA explicitly provides the required RRF and PFDavg).

The process proposed by De Salis (2011) for designing a Risk Graph is:

1) Choose the right structure, with sufficient parameters to allow a full assessment.
2) Define each parameter with an adequate range to allow the risk to be properly assessed.
3) Calibrate the answers.

10. Alternative risk graphs

Some authors have developed enhanced alternative Risk Graphs. The approach and characteristics of these Risk Graphs are summarized below. The reader wishing to know further details is referred to the original sources of these works.

Baybutt (2006) proposed an alternative Risk Graph that intends to use the same theoretical foundation as LOPA and QRA. The author mentions that this method can be used as a first screening, and that those scenarios requiring a SIL rated risk reduction can be further analyzed using LOPA or QRA.

• This Risk Graph is focused on scenario risk rather than consequences. The graph starting point is the type of initiating cause rather than its consequences (similar to LOPA). These initiating cause categories are descriptive hazard scenarios provided for each value of the parameter based on frequency values. The frequency values are hidden ("not readily apparent to the analysts, but built into the table").
• The parameters used are Initiating causes (I), Enablers and conditional modifiers (E), Safeguards (S) and Consequences (C).
• Passive and active safeguards are treated by a different rank in the S parameter (different PFD/risk reduction can be claimed).
• The values of the parameters are also based on order-of-magnitude values.
• The S parameter allows taking credit for up to two safeguards, being "a deliberately conservative approach since not all safeguards fail independently of each other" (i.e. CCF).

The alternative Risk Graph proposed by De Salis (2011) is also based on the same principles as LOPA. It has the following features:

• It mixes the IEC Risk Graph and safety matrix features to include a more comprehensive set of parameters.
• It incorporates a parameter for including layers of protection into the assessment.
• It uses the potential SIS initiating event frequency instead of the safety system demand rate W. It is more feasible to assign values to the initiating frequency than to the final demand rate.
• It discards the visual linearity of the IEC 61508/61511 Risk Graph. The graph is a step sequence rather than visually linear. The author considers that a truly linear Risk Graph is not visually linear, since this linearity is mathematically false, which has created confusion resulting in publications offering flawed Risk Graphs.
• It is based on a calibration axis line that incorporates the tolerable risk value.
• It assigns values that are kept as a record. Although the values are hidden from the user of the graph, a calibration record is kept.

De Salis (2011) emphasizes that the Risk Graph has to be designed/calibrated according to corporate practices and criteria for specific facilities.

11. A note on common cause failure

As discussed above, one of the main pitfalls of LOPA is its failure to take CCF into consideration. Nevertheless, it is important to remark that CCF cannot be handled by the Risk Graph method either. De Salis (2011) remarks that for LOPA, either the numbers can be adjusted to account for CCF when this is not significant, or one of the CCF layers can be discounted in order to make a conservative assessment. In contrast, a Risk Graph makes the numbers used in the mathematics more rigid; unless the Risk Graph is specifically designed to allow application of CCF factors, there is no means of adjustment. In any case, the inability to include CCF is a drawback shared by both
methods. Other quantitative methods, like Fault Tree Analysis, are required to be used to enable quantification of CCF.

12. Illustrative example

This section presents a case study intended to demonstrate the differences between the LOPA and Risk Graph methods.

A hypothetical company AZ has a flammable gas compressor on site. A shutdown valve is located at the inlet of the compressor (Fig. 5), which is also the compressor recirculation circuit. A hazard identification study has identified that the valve might be closed by mistake when the compressor is running, causing damage to the compressor and its seals, and having as consequence loss of containment and a subsequent fire with potential fatalities.

The compressor house is located near a manned room. This room is not fire/blast resistant and it is usually manned by 3 operators.

The compressor package has a basic control system that provides antisurge protection. The controller is expected to trip the compressor upon loss of inlet flow. Also, this BPCS will provide a pre-alarm that would give the operator the opportunity to trip the compressor manually. There is also an automatic fire & gas detection system with a firewater deluge system that protects the compressor.

The company has risk criteria (consistent with HSE, 2001) that indicate two categories:

• High severity level: Severe injuries or 1 fatality; tolerable risk: 1 × 10⁻⁴ per year.
• Very high severity level: More than 1 fatality; tolerable risk: 1 × 10⁻⁵ per year.

It is assumed that the initiating event corresponds to human error during a non-routine task that is performed less than once per month, with a failure rate of 0.01/year. This value and the values of probability of failure of the protection layers have been taken from CCPS (2014). Notice that since the alarm is not independent from the compressor controller, it cannot be claimed as an additional IPL. The resulting LOPA table is shown in Fig. 6.

Since the risk reduction factor required is 10, the PFDavg is >0.1, which corresponds to a SIL 1 system (albeit the limits of SIL 1 are RRF>10; since the resultant RRF of this example is just at the 10 threshold, SIL 1 is assigned as a conservative approach that accounts for uncertainties in the process).

Let us now solve the same problem using the IEC 61511 risk graph. The parameters would be defined (as per Table 2) as follows:

• Consequence (C): Since it is assumed that a fire will take place as a consequence of loss of containment, then V = 0.5. Given that three operators are usually present in the area, C = 3 × 0.5 = 1.5, which corresponds to Cd.
• Occupancy (F): Due to the lack of more detailed information, it should be assumed that exposure to the hazard zone is >0.1. This corresponds to Fb.
• Probability of avoiding the hazardous event (P): There is no information to conclude that the three required conditions are true (e.g. no detail of facilities indicating a SIS has failed). Thus, this corresponds to Pb.
• Demand rate (W): A conservative approach could be to assume that D = 1. An alternative approach is to use D = 0.3 (UKOOA, 1999). With this, the W1 category would correspond to <0.03/year (since 0.1D = 0.1 × 0.3 = 0.03, see Table 2). As suggested by Summers (1998), prevention safeguards can be accommodated in the quantification of W. Multiplying the likelihood of the shutdown valve being erroneously closed by the compressor controller's PFD, it is obtained that W = 0.003/year; i.e. W1.

Feeding those parameters into the risk graph, it can be seen that this corresponds to a SIL 3 system (Fig. 7).

As discussed in Section 9.5, C and W are the main parameters of the risk graph that can accommodate its calibration, and thus the corporate risk criteria. The calibration can be done by selecting the C parameter for one fatality (i.e. Cc), which is equivalent to the individual risk, and selecting the most conservative values for the other parameters (i.e. Fb, Pb and W3 with D = 1). This constitutes the calibration axis line (De Salis, 2011). Observe that for one fatality (Cc) with those selected parameters the SIS requirement would be SIL 4; i.e. PFD = 1 × 10⁻⁵. Assuming that the worst hazard of the facility would have an initiating frequency of 1 per year (which is feasible by observing initiating event frequency values in CCPS, 2014), with no safeguards, the risk with a SIL 4 system would be reduced to 1 × 10⁻⁴ per year (since D = 1, W3 corresponds to up

Fig. 5. Compressor Example.
Fig. 6. LOPA table results.

Fig. 7. Risk Graph results.

to 10 demands per year), which corresponds to the acceptable risk criteria for one fatality used in this example. A hazard with a higher likelihood is used since the same risk graph with the same calibration needs to be used for every hazard of the facility evaluated.

It is possible to observe that the SIL value obtained with the risk graph is considerably higher than that obtained with LOPA: SIL 3 vs. SIL 1; i.e. two orders of magnitude higher. Even if we had more detailed information to conclude that one of the parameters has a lower value, e.g. the P parameter could be Pa, that would give a SIL 2 value, which is still one order of magnitude higher than needed. In addition, if we were to consider the mitigation action of the Fire & Gas system to reduce the likelihood of fatalities, the parameter C would become C = 3 × 0.5 × 0.1 = 0.15 (i.e. Cc). This, together with the assumption of P = Pa, could finally give a SIL 1 result.

As can be seen, to obtain results with risk graphs similar to those of LOPA, a series of adjustments (which would be part of the calibration process) need to be made to the method. The criteria for those adjustments (accommodating mitigation protection layers into the C parameter, accommodating preventive protection layers into W, etc.) would need to be formulated before applying the method. This would also require recording the justification of the extra decisions made, for traceability. Also, care needs to be taken not to include protection layers that are not truly independent from one another. Thus, the IPL rules of the LOPA method should be taken into account.

The discussion above can provide the basis for a risk graph design and calibration. Basically, new parameters would need to be added to accommodate the preventive and mitigation independent protection layers. In addition, consideration can be given to removing the linearity of the graph, as discussed in Section 10.

One alternative risk graph has been developed to solve the same problem, which is presented in Fig. 8. This is based on the example given by De Salis (2011). To construct this graph, the Consequence parameter has been redefined, and now it needs to be input as the number of people exposed to the hazard (3 in our example). In addition, the Demand Rate has been replaced by the frequency of the initiating event and rebranded W'. Three separate columns allow accounting for zero, one, or two or more IPLs respectively. Calibration of the graph is kept conservative. A risk graph like this needs to be further calibrated for every single row and column combination against the corporate risk criteria. The rest of the parameters follow the same definition as per Fig. 4 and Table 2. Observe that the result obtained with this risk graph is SIL 1.

It is verified once more that results similar to those of the LOPA method can be achieved by a risk graph only after doing several adjustments or modifications, which may include redesign and calibration of the
Fig. 8. Alternative Risk Graph results.

risk graph. In contrast, the LOPA method is already better established and documented and does not require all those extra adjustments.

13. Concluding remarks

Risk Graph methods are intended to be simple and conservative. Compared to Risk Graphs, LOPA is considered, in general, more rigorous, more precise and more resource intensive. However, since no single technique is adequate for every SIL determination situation, Risk Graphs are still considered a valid method.

Risk Graphs can be useful as a first screening tool in a phased approach, especially when a large number of safety functions need to be analyzed. This would screen out safety functions that do not require being SIL rated. The SIL rated functions can then be re-assessed using a more rigorous method.

Risk Graphs tend to be more conservative than LOPA. Conservative results can entail a considerable financial cost, since SIL rated equipment is costly and requires higher implementation, maintenance and inspection costs. In any case, the analyst must not just assume, but verify, that the Risk Graphs are calibrated to give results on the conservative side rather than not.

Risk Graphs presented by the IEC standards are examples not to be used un-calibrated. Risk Graphs must be designed and calibrated for the specific application in order to provide a proper risk assessment, which becomes even more important if they will be used as a standalone method (rather than in a phased approach).

Risk Graphs can be improved by appropriate design and calibration, and complemented with an adequate documentation framework. This framework must record the design process, calibration rationale and discussions for decision-making. This has the potential to enable Risk Graphs to become closer to LOPA in rigor and results, but also equivalent in level of effort and resource needs. This extra effort may eliminate its inherent benefits of simplicity and lower resource requirements. It may be necessary to evaluate whether the effort will be cost-effective, for instance in cases where LOPA may require considerably higher resources for data gathering, conversion and interpretation.

Even properly designed, Risk Graphs do not allow demonstrating explicitly that the residual risk has been reduced to a specific tolerable value in accordance with the corporate risk criteria.

Risk Graphs and LOPA methods share similar limitations regarding the inability to include Common Cause Failure (CCF) quantification.

Disclaimer

The views expressed in this article are those of the author and do not necessarily reflect the views or procedures of his company of affiliation.

Please notice that the two risk graphs presented in Section 12 are only illustrative examples, developed exclusively for demonstration of the subject matter discussed in this paper. Any real-life SIL determination case needs to be catered for with a calibrated risk graph designed specifically for the company and the facility to be analyzed.

References

ACM Facility Safety, 2006. SIL determination techniques report. ACM Autom. Inc. Retrieved from http://www.iceweb.com.au. Last date accessed April 22, 2015.
Baybutt, P., 2006. An improved risk graph approach for determination of safety integrity levels (SILs). Process Saf. Prog. 26 (1), 66–76.
Baybutt, P., 2013. The use of risk matrices and risk graphs for SIL determination. Process Saf. Prog. 33 (2), 179–182.
Bhimavarapu, K., Stavrianidis, P., 2000. Safety integrity level analysis for processes: issues and methodologies. Process Saf. Prog. 19 (1), 19–24.
CCPS, 2001. Layer of Protection Analysis. Simplified Process Risk Assessment. American Institute of Chemical Engineers, Center for Chemical Process Safety. Wiley-AIChE, New York.
CCPS, 2014. Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis. American Institute of Chemical Engineers, Center for Chemical Process Safety. Wiley-AIChE, New York.
De Salis, C., 2011. Using risk graphs for safety integrity level assessment. A user-guide for chemical engineers. The Institution of Chemical Engineers. IChemE, UK.
DIN, 1994. DIN V 19250 Control Technology: Fundamental Safety Aspects to Be Considered for Measurement and Control Equipment. German Institute for Standardization (DIN), Berlin, Germany.
Dowell III, A.M., 1998. Layer of protection analysis for determining safety integrity level. ISA Trans. 37 (3), 155–165.
Gruhn, P., 2004. Different SIL (safety integrity level) selection techniques can yield significantly different answers. Proc. ISA Autom. West.
Gulland, W.G., 2004. Methods of determining safety integrity level (SIL) requirements – pros and cons. In: Redmill, F., Anderson, T. (Eds.), Practical Elements of Safety. Proceedings of the 12th Safety-critical Systems Symposium. Springer-Verlag, London, pp. 105–122.
HSE, 2001. Reducing Risks, Protecting People. HSE's Decision-making Process. Health and Safety Executive. Her Majesty's Stationery Office, Norwich, UK.
IEC, 2003a. IEC 61511 Functional Safety – Safety Instrumented Systems for the Process Industry Sector – Part 1: Framework, Definitions, System, Hardware and Software Requirements. International Electrotechnical Commission, Geneva, Switzerland.
IEC, 2003b. IEC 61511 Functional Safety – Safety Instrumented Systems for the Process Industry Sector – Part 3: Guidance for the Determination of the Required Safety Integrity Levels. International Electrotechnical Commission, Geneva, Switzerland.
IEC, 2010a. IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems. Part 1: General Requirements, second ed. International Electrotechnical Commission, Geneva, Switzerland.
IEC, 2010b. IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems. Part 5: Examples of Methods for the Determination of Safety Integrity Levels, second ed. International Electrotechnical Commission, Geneva, Switzerland.
ISA, 2004. ANSI/ISA 84.00.01-2004 (IEC 61511 Mod) Functional Safety: Safety Instrumented Systems for the Process Industry Sector – Part 1: Framework, Definitions, System, Hardware and Software Requirements. The International Society of Automation, North Carolina, USA.
Marszal, E.M., et al., 1999. Comparison of safety integrity level selection methods and utilization of risk based approaches. Process Saf. Prog. 18 (4), 189–194.
Summers, A., 1998. Techniques for assigning a target safety integrity level. ISA Trans. 37 (2), 95–104.
UKOOA, 1999. Guidelines for Instrument-based Protective Systems. Issue No. 2. UK Offshore Operators Association, London, UK.
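Added worked example: the compressor case study of Section 12 computed both ways, with the LOPA arithmetic and with a walk through the IEC 61508-5 / IEC 61511-3 risk graph, so the SIL 1 versus SIL 3 comparison, the adjusted Cc/Pa case and the calibration axis check of Section 12 can be reproduced and varied in code. This is not code from the paper or from any of the cited standards. The graph structure (rows X1 to X6, columns W3/W2/W1) and the C, F and W class boundaries are written from the IEC Annex D example calibration that the paper's Table 2 follows; the figures the paper does not state, namely the BPCS PFD of 0.1, a single 0.1 fatality modifier chosen so that the required RRF comes out at the paper's value of 10 (the LOPA table of Fig. 6 is not reproduced here), and an exposure fraction of 0.5 for Fb, are assumptions marked in the code.

```python
"""Added example: SIL determination for the compressor case of Section 12,
by LOPA and by the IEC 61508-5 / 61511-3 risk graph. Not the paper's code;
unstated figures are assumptions (see comments)."""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class Layer:
    """A protection layer or conditional modifier credited in LOPA."""
    name: str
    pfd: float                        # probability of failure on demand
    depends_on: Optional[str] = None  # layer whose equipment this one shares


def lopa(initiating_freq, layers, tolerable_freq):
    """Unmitigated frequency, required RRF and SIL for one scenario.

    A layer that shares equipment with a layer already credited is not an
    independent IPL and is skipped: the paper's treatment of the BPCS
    pre-alarm, which relies on the same compressor controller. List the
    shared-equipment layer first so the dependent one is the one dropped."""
    credited = {}
    for layer in layers:
        if layer.depends_on in credited:
            continue
        credited[layer.name] = layer.pfd
    freq = initiating_freq
    for pfd in credited.values():
        freq *= pfd
    rrf = round(freq / tolerable_freq, 9)  # rounding absorbs float noise
    return {"frequency": freq, "rrf": rrf, "sil": sil_from_rrf(rrf),
            "credited": list(credited)}


def sil_from_rrf(rrf):
    """SIL band for a required RRF: SIL n covers 10^n <= RRF < 10^(n+1).
    RRF <= 1 needs no SIF; 1 < RRF < 10 is rounded up to SIL 1, the same
    conservative reading the paper gives its RRF of exactly 10."""
    if rrf <= 1:
        return 0
    return max(1, min(4, int(math.floor(math.log10(rrf)))))


# Parameter classing, assumed from the IEC 61511-3 Annex D calibration:
# C in equivalent fatalities (people x vulnerability), F as fraction of
# time exposed, W in demands/year scaled by the calibration factor D.
def c_class(people_exposed, vulnerability):
    c = people_exposed * vulnerability
    return "Ca" if c < 0.01 else "Cb" if c < 0.1 else "Cc" if c <= 1 else "Cd"


def f_class(fraction_of_time_exposed):
    return "Fb" if fraction_of_time_exposed > 0.1 else "Fa"


def w_class(demand_rate, d=1.0):
    if demand_rate > 10 * d:
        raise ValueError("above W3: the graph is not calibrated for this rate")
    return "W1" if demand_rate < 0.1 * d else "W2" if demand_rate < d else "W3"


# SIL grid of the IEC risk graph: rows X1..X6, columns W3, W2, W1.
# "a" = no special safety requirements, "-" = no requirement,
# "b" = a single E/E/PE safety function is not sufficient.
GRID = [["a", "-", "-"],
        [1, "a", "-"],
        [2, 1, "a"],
        [3, 2, 1],
        [4, 3, 2],
        ["b", 4, 3]]


def risk_graph(c, f, p, w):
    """Walk the graph: Ca goes straight to X1; otherwise each step in C, F
    or P moves one row further (the visual linearity De Salis criticises),
    then the W column selects the cell."""
    ci, fi, pi = "abcd".index(c[1]), "ab".index(f[1]), "ab".index(p[1])
    row = 1 if ci == 0 else 1 + ci + fi + pi
    return GRID[row - 1][["W3", "W2", "W1"].index(w)]


def compressor_example():
    """Section 12 figures: initiating event 0.01/yr, 3 operators, V = 0.5,
    tolerable 1e-5/yr for more than one fatality, W = 0.003/yr with D = 0.3."""
    layers = [
        Layer("BPCS antisurge / low-flow trip", 0.1),             # assumed PFD
        Layer("BPCS pre-alarm and manual trip", 0.1,
              depends_on="BPCS antisurge / low-flow trip"),       # not independent
        Layer("fatality modifier (ignition, F&G and deluge)", 0.1),  # assumed
    ]
    out = lopa(0.01, layers, 1e-5)                                 # SIL 1, RRF 10
    c, f, w = c_class(3, 0.5), f_class(0.5), w_class(0.003, d=0.3)  # Cd, Fb, W1
    out["risk_graph_sil"] = risk_graph(c, f, "Pb", w)             # SIL 3
    # Paper's adjusted case: F&G mitigation folded into C (0.15, Cc) and P = Pa.
    out["adjusted_sil"] = risk_graph(c_class(3, 0.5 * 0.1), f, "Pa", w)  # SIL 1
    # Calibration axis line: Cc, Fb, Pb, W3 with D = 1 gives SIL 4, and the
    # W3 ceiling of 10 demands/yr at a SIL 4 PFD of 1e-5 leaves 1e-4/yr.
    out["axis_sil"] = risk_graph("Cc", "Fb", "Pb", w_class(1.0, d=1.0))
    out["axis_residual"] = 10 * 1e-5
    return out


if __name__ == "__main__":
    for key, value in compressor_example().items():
        print(f"{key}: {value}")
```

The independence check in `lopa` is the point a reviewer of a LOPA sheet most often has to make by hand: two layers that share a controller, sensor or final element count once, and the shared-equipment layer listed first is the one that keeps its credit. The `w_class` guard also makes explicit that the graph has no cell above 10D, so a demand rate beyond that is a calibration problem rather than a SIL result.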