
SIL determination in Australia. IEC 61511, in language a plant manager can use.

What SIL means, where IEC 61511 fits over IEC 61508, what HAZOP and LOPA actually do, what most Australian SIL studies actually conclude, and what scope a working consultancy quote should cover.

01 / what-sil-is

What SIL is and is not.

When was the last time a vendor told you a piece of equipment "is SIL 2" without explaining what that meant for your plant?

SIL is a property of a safety function (a complete safety instrumented function, or SIF), not of a single component. A SIL-2-rated valve is a valve whose certification permits it to be used inside a SIL 2 loop. It does not, on its own, make a loop SIL 2. The loop is the sensor plus the logic solver plus the final element, sized to deliver a specific average probability of failure on demand (PFD) for low-demand systems, or probability of failure per hour (PFH) for high-demand systems.

The reason this distinction matters in procurement is that "SIL 2 valve" is a useful claim, but a SIL 2 loop is a separate engineering deliverable. Vendors are not lying when they say a component is SIL-rated. They are giving you a procurement filter, not a designed loop.
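The arithmetic behind that distinction, as an added example that is not code from the Pac Technologies article: each subsystem of a low-demand loop is given the simplified IEC 61508-6 1oo1 approximation PFDavg ≈ λDU × TI / 2, and the loop PFDavg is the sum of its sensor, logic solver and final element. The failure rates (λDU values) and the proof-test intervals are constructed sample values, not vendor data, and the calculation deliberately ignores common-cause failure, proof-test coverage and hardware fault tolerance, all of which a real study must also address.

```python
# Added example, not code from the Pac Technologies article. Shows why three
# components that each sit in the SIL 2 PFDavg band or better can still form
# a SIL 1 loop. Each subsystem uses the simplified IEC 61508-6 low-demand 1oo1
# approximation PFDavg ~= lambda_DU * TI / 2, and the loop PFDavg is the sum
# of its subsystems. Failure rates are constructed sample values, not vendor
# data; common-cause failure, proof-test coverage and hardware fault
# tolerance (architectural constraints) are deliberately ignored.

HOURS_PER_YEAR = 8760.0

# IEC 61511 low-demand PFDavg bands: (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_for_pfd(pfd):
    """Return the SIL whose PFDavg band contains pfd, or 0 if pfd >= 0.1 (no SIL)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def pfd_1oo1(lambda_du_per_hour, proof_test_years):
    """Simplified 1oo1 PFDavg = lambda_DU * TI / 2 (TI = proof-test interval)."""
    ti_hours = proof_test_years * HOURS_PER_YEAR
    return lambda_du_per_hour * ti_hours / 2.0


def loop_assessment(subsystems, proof_test_years):
    """Per-subsystem PFDavg and the resulting loop PFDavg and SIL.

    subsystems: dict of subsystem name -> dangerous undetected failure rate
    (lambda_DU, per hour). Returns each subsystem's PFDavg and SIL band,
    plus the loop total and the SIL the loop as a whole achieves.
    """
    parts = {name: pfd_1oo1(rate, proof_test_years) for name, rate in subsystems.items()}
    total = sum(parts.values())
    return {
        "subsystems": {n: {"pfd": p, "sil_band": sil_for_pfd(p)} for n, p in parts.items()},
        "loop_pfd": total,
        "loop_sil": sil_for_pfd(total),
    }


# Constructed sample loop (hypothetical lambda_DU values, per hour).
SAMPLE_LOOP = {
    "pressure transmitter": 1.5e-6,
    "logic solver": 2.0e-8,
    "shutdown valve assembly": 8.0e-7,   # the "SIL 2 valve" from procurement
}

if __name__ == "__main__":
    # Same hardware, two proof-test intervals: the interval alone moves the
    # loop between SIL 1 and SIL 2.
    for ti in (1.0, 0.5):
        r = loop_assessment(SAMPLE_LOOP, ti)
        print(f"proof test every {ti} yr:")
        for n, d in r["subsystems"].items():
            print(f"  {n:24s} PFDavg={d['pfd']:.2e}  band=SIL {d['sil_band']}")
        print(f"  loop PFDavg={r['loop_pfd']:.2e} -> SIL {r['loop_sil']}")
```

With a one-year proof test the valve (3.5e-3) and transmitter (6.6e-3) are each inside the SIL 2 band, yet the loop sums to just over 1e-2 and achieves only SIL 1; halving the proof-test interval brings the loop to about 5.1e-3, inside SIL 2. That is the sense in which the loop, not the component, is the deliverable, and why the proof-test plan belongs in the study.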

02 / 61508-vs-61511

IEC 61508 versus IEC 61511.

Two standards keep appearing in the same conversation. They do different things.

IEC 61508 — the generic parent.

The parent functional-safety standard. Generic across all electrical, electronic, and programmable electronic (E/E/PE) safety systems. This is the standard device manufacturers certify their products against. A SIL-2 certified logic solver, valve, or transmitter is rated under IEC 61508. The standard covers the full lifecycle of the device: design, validation, manufacture, deployment, modification, decommissioning.

IEC 61511 — the process-industry application.

The end-user standard. IEC 61511 governs how a plant designs, operates, and maintains a safety instrumented system (SIS) built from IEC 61508-certified components. It is what your SIL study follows. It is what auditors check the plant against. Industries adjacent to process — water and wastewater, food and beverage at certain hazard levels, pharmaceuticals — also work to IEC 61511 because the methodology fits the workflow even where the legal requirement is lighter.

The relationship in one sentence.

Device makers prove their components against IEC 61508. End users design and run their safety instrumented systems against IEC 61511, using IEC 61508-certified components to do it.

03 / hazop-lopa

HAZOP and LOPA — what each one does.

Two distinct methodologies turn up in every SIL study. They do different cognitive work and are not interchangeable.

HAZOP — hazard identification.

A Hazard and Operability study is the structured qualitative review where a multidisciplinary team walks each node of a process, considers credible deviations from the design intent (using guide words: more, less, none, reverse, other than), and records the hazardous scenarios that result. The output is a list of credible scenarios, each with an initiating cause, consequence, and the existing safeguards. HAZOP is qualitative. It tells you what can go wrong. It does not tell you how much.

LOPA — risk assessment.

Layers of Protection Analysis takes the scenarios HAZOP identified and quantifies the risk-reduction gap. The method: estimate the initiating event frequency, count the existing independent protection layers (each contributing a defined risk reduction factor), and compare the mitigated frequency against the plant's tolerable risk frequency. The gap that remains is the risk reduction the safety instrumented function must provide. Expressed as a fractional reduction, the gap maps directly to a SIL target.

Why both.

HAZOP without LOPA produces a list of hazards without a clear answer on what to do about them. LOPA without HAZOP requires the analyst to invent the scenarios, which is less defensible and less complete. The standard workflow is HAZOP first, then LOPA on the scenarios HAZOP produced. Plants that try to skip straight to LOPA usually find themselves running an unstructured HAZOP-by-another-name two months in.
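The LOPA arithmetic described above, as an added example that is not code from the Pac Technologies article: for each scenario the initiating-event frequency is multiplied by any enabling-condition probability and by the PFD of every credited independent protection layer, the result is compared with the plant's tolerable frequency, and the remaining gap is expressed as a required risk reduction factor (RRF) and mapped to an IEC 61511 low-demand SIL target. The three scenarios, their frequencies, tolerable-risk figures and IPL credits are all constructed sample values chosen to span the usual range of outcomes (no SIL-rated SIF, SIL 1, SIL 2); a real worksheet takes them from the HAZOP record and the corporate risk matrix.

```python
# Added example, not code from the Pac Technologies article: a minimal LOPA
# worksheet. For each scenario it multiplies the initiating-event frequency
# by any enabling-condition probability and by the PFD of each credited
# independent protection layer, compares the mitigated frequency with the
# plant's tolerable frequency, and turns the remaining gap into a required
# risk reduction factor (RRF) and an IEC 61511 SIL target. All scenario
# names, frequencies and IPL credits are constructed sample values.

from dataclasses import dataclass, field


@dataclass
class Scenario:
    name: str
    initiating_event_freq: float                # initiating events per year
    tolerable_freq: float                       # per year, from the corporate risk matrix
    ipls: dict = field(default_factory=dict)    # IPL name -> PFD (0.1 means RRF 10)
    enabling_prob: float = 1.0                  # enabling condition / occupancy, 1.0 if none


def mitigated_frequency(s):
    """Frequency of the consequence after the credited IPLs, per year."""
    f = s.initiating_event_freq * s.enabling_prob
    for pfd in s.ipls.values():
        f *= pfd
    return f


def required_rrf(s):
    """Risk reduction the SIF must supply; 1.0 means the existing layers already suffice."""
    return max(1.0, mitigated_frequency(s) / s.tolerable_freq)


def sil_target(rrf):
    """IEC 61511 low-demand SIL for a required RRF (target PFD = 1 / RRF).

    Returns 0 when RRF < 10: no SIL-rated SIF is needed, because any gap is
    below the SIL 1 band. An RRF of 100000 or more exceeds SIL 4 and is
    treated as a design problem rather than a SIF target.
    """
    if rrf < 10:
        return 0
    if rrf < 100:
        return 1
    if rrf < 1_000:
        return 2
    if rrf < 10_000:
        return 3
    if rrf < 100_000:
        return 4
    raise ValueError(f"required RRF {rrf:.0f} exceeds SIL 4: redesign the process, not the SIF")


def worksheet(scenarios):
    """One LOPA row per scenario: mitigated frequency, required RRF, target PFD, SIL target."""
    rows = []
    for s in scenarios:
        rrf = required_rrf(s)
        rows.append({
            "scenario": s.name,
            "mitigated_freq": mitigated_frequency(s),
            "required_rrf": rrf,
            "target_pfd": 1.0 / rrf,
            "sil_target": sil_target(rrf),
        })
    return rows


# Constructed scenarios spanning the usual range of outcomes.
SAMPLE_SCENARIOS = [
    Scenario("Tank overfill, spill contained in bund",
             initiating_event_freq=0.1, tolerable_freq=1e-4,
             ipls={"high-level alarm + operator response": 0.1,
                   "overflow line to bund": 0.01}),
    Scenario("Vessel overpressure from control-loop failure",
             initiating_event_freq=0.5, tolerable_freq=1e-5,
             ipls={"pressure relief valve": 0.01,
                   "high-pressure alarm + operator response": 0.1}),
    Scenario("Flammable release, multi-fatality potential",
             initiating_event_freq=0.1, tolerable_freq=1e-7,
             ipls={"operator response to gas alarm": 0.1,
                   "relief to flare": 0.01},
             enabling_prob=0.5),
]

if __name__ == "__main__":
    for row in worksheet(SAMPLE_SCENARIOS):
        print(f"{row['scenario']}: mitigated {row['mitigated_freq']:.1e}/yr, "
              f"RRF {row['required_rrf']:.0f}, target PFD {row['target_pfd']:.1e}, "
              f"SIL {row['sil_target']}")
```

The first scenario's two layers already bring the mitigated frequency down to the tolerable figure, so no SIL-rated function is required; the second needs an RRF of 50 (SIL 1); the third, with a much lower tolerable frequency because of the consequence, needs an RRF of 500 (SIL 2). Each IPL credit in the worksheet is a claim that must survive the independence test discussed under scoping, which is why the PFD values are inputs to be justified, not constants.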

04 / scoping

Scoping a SIL study.

A SIL study is not a fixed-size deliverable. The scope depends on the plant, the process, and what the study is intended to achieve.

The scoping questions that matter.

  • What is the boundary? One unit operation, one process cell, one plant, or one project? Most useful studies bound tightly: the scope of a single new project, or a single unit operation under a brownfield re-assessment.
  • What is the trigger? A new project, a regulatory audit, a modification under management of change, a near-miss, a corporate-parent requirement. Each leads to a slightly different scope and a different set of stakeholders in the room.
  • What is the tolerable risk frequency the study is calibrated against? The plant has to have a written corporate risk matrix, agreed by management, that the study can reference. A study built on an undocumented tolerable risk number produces conclusions nobody owns.
  • What protection layers will be claimed as independent? An independent protection layer (IPL) has to be independent of the initiating event, auditable, dependable, and capable of detecting and responding to the hazard. A relief valve is usually an IPL. A control loop sharing a sensor with the safety loop is usually not. The independence claim has to survive scrutiny.

The deliverables that consistently work.

A defensible SIL study produces a HAZOP record, a LOPA worksheet per scenario showing the calculation, a SIL target per safety instrumented function, an architecture description, a maintenance/proof-test plan, and a written validation procedure. The architecture and the proof-test plan tend to be the parts that get short-changed in cheap studies and bite during operation.

05 / what-studies-conclude

What Australian studies actually conclude.

Plants approaching their first SIL study often arrive with the expectation that a meaningful number of loops will need SIL 2 or SIL 3 protection. The data from finished studies suggests otherwise.

Most loops in most Australian plants come out at SIL 1 or non-SIL. The reason is straightforward: the existing protection layers (relief valves, mechanical interlocks, operator response with a written procedure and adequate response time, basic process control loops on a separate sensor) typically absorb one to three orders of magnitude of risk reduction between them. A risk-reduction requirement of one or two orders of magnitude is well within the reach of those layers, leaving the SIF either non-required or sized at SIL 1.

SIL 2 is achievable but requires deliberate architecture. The component cost is meaningfully higher, the proof-test discipline is more demanding, and the operational paperwork is heavier. Plants that end up at SIL 2 do so because the consequence is severe (catastrophic equipment damage, multi-fatality potential, or significant environmental release) and the existing layers are insufficient.

SIL 3 is uncommon in Australian food, beverage, water, or general manufacturing. It appears regularly in hydrocarbon processing, large chemical sites, and some infrastructure (rail, power). SIL 4 is rare; it is sometimes claimed and rarely justified once a competent reviewer audits the assumptions.

The plant manager preparing for a first study is right to assume the answer will be modest. The honest output of a competent study is usually less expensive than the budgets that fund it.

06 / regulator

Australian regulator stance.

SIL determination is not directly mandated by Safe Work Australia's model WHS regulations or by the Food Standards Code. Where SIL-rated safety instrumented systems become effectively compulsory is through industry guidance, insurance, and corporate parent requirements.

Major hazard facilities (MHFs) governed by state-based MHF regulations (Work Health and Safety Regulations under each state) require Safety Reports that name and justify each control measure for major hazard scenarios. SIL studies are the standard methodology used to justify safety instrumented controls within those Safety Reports. Plants below the MHF threshold rarely have a regulator at the door asking for a SIL study by name. They have insurers asking. They have corporate parents asking. They have customers in the supply chain asking.

The practical conclusion: Australian regulator stance on SIL is permissive rather than prescriptive. The pressure to run SIL studies comes from elsewhere, and the studies are typically commissioned at the project-engineering stage, not the audit stage.

Pac Technologies' consultancy practice handles SIL scoping and study management as part of project FEED work and brownfield re-assessment. We do not certify devices; we work alongside accredited functional-safety engineers and bring the controls-engineering perspective that makes the SIS work in the plant rather than on the page.

07 / faq

Common questions.

What is the difference between SIL and PL?

SIL (Safety Integrity Level) comes from the IEC 61508 / 61511 functional-safety family and applies to process-industry safety instrumented functions. PL (Performance Level) comes from ISO 13849 and applies to safety-related parts of machine-safety control systems. Both express how much risk reduction a safety function delivers, but they target different industries and different failure modes. A petrochemical plant has SIL-rated safety loops. A packaging line has PL-rated guarding. A plant with both has both.

What is the difference between IEC 61508 and IEC 61511?

IEC 61508 is the parent functional-safety standard, generic across all electrical, electronic, and programmable electronic safety systems. It is what device manufacturers certify their products against (a SIL-2 logic solver is rated against IEC 61508). IEC 61511 is the process-industry application standard. It is what the end user (the plant) follows when designing, operating, and maintaining a safety instrumented system built from IEC 61508-rated components.

What do HAZOP and LOPA do, and how are they different?

HAZOP (Hazard and Operability study) identifies what can go wrong. It is a structured qualitative review of a process by a team that walks each node, considers deviations from design intent, and records the credible hazardous scenarios. LOPA (Layers of Protection Analysis) takes the scenarios HAZOP identifies and quantifies how much risk reduction is needed: it counts the existing independent protection layers, estimates their reliability, and calculates the gap between the initiating event frequency and the tolerable risk frequency. The gap becomes the SIL target for the safety instrumented function.

What SIL do most Australian studies actually conclude?

Most loops in most Australian plants end up at SIL 1 or 'non-SIL' (meaning the existing protection layers are sufficient and no dedicated safety instrumented function is required). SIL 2 is achievable but requires deliberate architecture. SIL 3 is uncommon in food, beverage, or general manufacturing; it shows up in hydrocarbon processing, large chemical plants, and infrastructure. SIL 4 is rare.

- sources

Sources and further reading.

Standards and industry references for the SIL methodology claims above. Retrieved 18 May 2026.

  • IEC 61511. Functional safety — Safety instrumented systems for the process industry sector. International Electrotechnical Commission.
  • IEC 61508. Functional safety of electrical/electronic/programmable electronic safety-related systems. International Electrotechnical Commission.
  • eFunctionalSafety. A guide to SIL determination in IEC / ISA 61511. efunctionalsafety.com
  • ISA. HAZOP and LOPA to Calculate a Safety Instrumented System. isa.org
  • Safe Work Australia. Major Hazard Facilities. safeworkaustralia.gov.au

This article sits under Pac Technologies' consultancy service. For the machine-safety side (PL, AS 4024, ISO 13849), see the AS 4024 machine safety article. For the brownfield context in which most SIL re-assessments happen, see the Brownfield upgrade guide.