Safety Integrity Level, SIL
A safety integrity level (SIL) is a quantified bracket of how reliable a safety function must be. Under IEC 61511 (ISA 84 in the US), every safety instrumented function is allocated a SIL of 1, 2, 3, or 4 based on the consequence of failure and the risk reduction required. A higher SIL means more redundant hardware, shorter proof-test intervals, and stricter design rules.
SIL is the risk-reduction target for a specific safety instrumented function (SIF). A SIF is a single safety action, for example: close ESDV-201 when high-high pressure is detected. The SIL tells you how often that action may fail on demand without exceeding the tolerable risk for that hazard scenario. The allocation is driven by the gap between the unmitigated consequence frequency and the tolerable risk limit set by the owner-operator or regulator, and it is calculated during a layer of protection analysis (LOPA). SIL is not a property of a component. It is a property of the complete SIF loop, from the initiating sensor through the logic solver to the final element. A SIL 2 transmitter installed in a SIL 1 loop with a poorly maintained valve does not deliver SIL 2 protection. Both IEC 61511 (process industries) and IEC 61508 (generic functional safety) define SIL; IEC 61511 is the relevant standard for process-plant design.
SIL in practical numbers.
SIL 1: probability of failure on demand (PFD) between 0.1 and 0.01, giving one order of magnitude of risk reduction. SIL 2: PFD between 0.01 and 0.001, two orders of magnitude. SIL 3: PFD between 0.001 and 0.0001, three orders of magnitude. SIL 4: PFD below 0.0001, rarely used in process industries because achieving it requires hardware redundancy and a proof-test frequency that are impractical for most facilities. High-consequence services that would need SIL 4 protection are typically addressed with multiple independent SIL 3 layers instead. The allocation for each SIF is recorded in the safety requirement specification (SRS).
How SIL is determined. LOPA.
Layer of protection analysis is the most common method for assigning SIL. LOPA estimates the frequency of the initiating event, divides that frequency by the risk-reduction factor (RRF) of each independent protection layer (IPL) that already exists, and compares the result to the tolerable risk limit. If the remaining gap between mitigated risk and the tolerable limit requires one more order of magnitude of reduction, a SIL 1 SIF is specified; two orders of magnitude means SIL 2. LOPA is documented per scenario, and the LOPA worksheet is the audit trail for every SIL allocation in the safety requirement specification.
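The LOPA arithmetic described above, worked through as an added example (this is not Tagsight's code or a form from any standard). Scenario names, tag numbers such as PSV-201, frequencies and RRF credits are constructed and illustrative. The band convention used for the SIL mapping follows the IEC 61511 table, where SIL n covers an RRF greater than 10^n up to and including 10^(n+1), so a required RRF of exactly 100 lands in SIL 1 and 101 in SIL 2; the independence flag on each layer is the check that a BPCS alarm sharing the initiating cause is listed but not credited.

```python
"""LOPA worksheet for one hazard scenario (constructed example; frequencies
are events per year). Each IPL is credited with its risk-reduction factor
(RRF) only when it is independent of the initiating event; a layer that
shares the initiating cause is listed in the worksheet but not credited."""
import math


def mitigated_frequency(initiating_frequency, ipls):
    """Divide the initiating-event frequency by every creditable IPL's RRF."""
    freq = initiating_frequency
    for ipl in ipls:
        if ipl["independent"]:
            freq /= ipl["rrf"]
    return freq


def required_rrf(initiating_frequency, ipls, tolerable_frequency):
    """RRF the SIF must supply to close the gap; 1.0 means no SIF is needed."""
    gap = mitigated_frequency(initiating_frequency, ipls) / tolerable_frequency
    return gap if gap > 1.0 + 1e-9 else 1.0


def sil_for_rrf(rrf):
    """Map a required RRF onto the IEC 61511 bands: SIL n covers RRF greater
    than 10**n up to and including 10**(n+1), so RRF 100 is SIL 1 and RRF 101
    is SIL 2. Any gap at all gets at least SIL 1. Returns None when no SIF is
    needed and raises when the gap exceeds what a single SIL 4 SIF can close."""
    if rrf <= 1.0:
        return None
    sil = max(1, math.ceil(math.log10(rrf) - 1e-9) - 1)
    if sil > 4:
        raise ValueError(f"required RRF {rrf:.0f} exceeds SIL 4: add IPLs or redesign")
    return sil


def lopa_worksheet(scenario):
    """Build the audit-trail row for one scenario as the SRS would record it."""
    ipls = scenario["ipls"]
    mitigated = mitigated_frequency(scenario["initiating_frequency"], ipls)
    rrf = required_rrf(scenario["initiating_frequency"], ipls, scenario["tolerable_frequency"])
    return {
        "scenario": scenario["name"],
        "credited": [i["name"] for i in ipls if i["independent"]],
        "not_credited": [i["name"] for i in ipls if not i["independent"]],
        "mitigated_frequency": mitigated,
        "required_rrf": rrf,
        "sil": sil_for_rrf(rrf),
    }


# Constructed scenarios; the numbers are illustrative, not from any real plant.
SCENARIOS = [
    {
        "name": "BPCS pressure loop fails high, vessel overpressure",
        "initiating_frequency": 0.1,          # per year
        "tolerable_frequency": 1e-4,          # per year, set by the owner-operator
        "ipls": [
            {"name": "relief valve PSV-201", "rrf": 100, "independent": True},
            # The high-pressure alarm lives in the BPCS whose failure is the
            # initiating event, so it cannot be credited as an IPL here.
            {"name": "BPCS high-pressure alarm", "rrf": 10, "independent": False},
        ],
    },
    {
        "name": "Blocked outlet, pump deadhead",
        "initiating_frequency": 1.0,
        "tolerable_frequency": 2e-5,
        "ipls": [{"name": "independent alarm and operator response", "rrf": 10, "independent": True}],
    },
    {
        "name": "Low-consequence drain line release",
        "initiating_frequency": 0.01,
        "tolerable_frequency": 1e-3,
        "ipls": [{"name": "relief valve PSV-305", "rrf": 100, "independent": True}],
    },
]

if __name__ == "__main__":
    for scenario in SCENARIOS:
        row = lopa_worksheet(scenario)
        print(f"{row['scenario']}: mitigated {row['mitigated_frequency']:.1e}/yr, "
              f"required RRF {row['required_rrf']:.0f}, SIL {row['sil']}")
```

Running the script gives SIL 1 for the first scenario (the relief valve closes two of the three orders of magnitude and the SIF supplies the last one), SIL 3 for the second, and no SIF for the third, where the relief valve alone brings the frequency under the tolerable limit. The `not_credited` list is what an auditor looks at when checking that BPCS layers were not double-counted.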
Voting architectures.
Higher SIL typically requires voting redundancy in the initiating sensors. A 1-out-of-1 (1oo1) architecture trips when its single sensor triggers. A 1-out-of-2 (1oo2) architecture trips when either of two sensors triggers, which increases safety availability but reduces protection against spurious trips. A 2-out-of-3 (2oo3) architecture requires two of three sensors to agree before tripping, balancing spurious-trip protection against safety availability. 2oo3 is common for SIL 2 transmitter installations in gas detection and high-pressure trip services. The voting topology is annotated on the P&ID near the field instruments.
Proof-test interval and its effect on PFD.
A safety function that is never tested degrades over time as components age. The proof-test interval sets how often the full trip path is verified from sensor to final element. Shorter proof-test intervals drive down the average PFD over the proof-test cycle, allowing simpler hardware to meet a given SIL target. SIL 1 functions are commonly tested on a 1- to 5-year schedule depending on component failure rates. SIL 2 typically requires 1 to 2 years. SIL 3 commonly requires 6 to 12 months. The proof-test interval is one of the design variables that the functional safety engineer trades off against hardware cost and maintenance resources.
IEC 61511 vs IEC 61508.
IEC 61508 covers the generic safety lifecycle for electrical, electronic, and programmable electronic systems. It is the certification standard for components: a logic solver or transmitter is IEC 61508-certified at a given SIL. IEC 61511 applies the 61508 framework specifically to process industries. Process-plant safety instrumented system (SIS) design follows IEC 61511, and the components used in that design are certified to IEC 61508. When a vendor says a device is SIL 2 capable, they mean it is certified to IEC 61508 for use in systems designed per IEC 61511.
Frequently asked.
Who assigns SIL.
The owner-operator's process safety team, during a LOPA or HAZOP workshop. The assignment is recorded in the safety requirement specification. The integrator implements to the assigned SIL but does not change it unilaterally. SIL changes after the SRS is approved require a formal management of change (MOC) review.
Can SIL be assigned to a BPCS loop.
No. SIL applies only to safety instrumented functions implemented in the SIS. A basic process control system (BPCS) regulatory loop can be credited as an independent protection layer during LOPA, but it does not carry a SIL number. Crediting the BPCS as an IPL requires demonstrating its independence from the initiating event being analyzed.
How is SIL verified in practice.
Through a SIL verification calculation that combines each component's certified failure-rate data (from the safety manual the manufacturer provides per IEC 61508) with the voting topology, diagnostic coverage factor, common-cause beta factor, and proof-test interval. The result must fall within the target SIL's PFD band. The calculation is documented in the SIS design basis and reviewed during the pre-startup safety review.
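The verification calculation just described, together with the voting architectures and proof-test interval sections above, worked as one added example (not Tagsight's code and not a vendor tool). It uses the simplified IEC 61508-6 PFDavg equations for 1oo1, 1oo2 and 2oo3 with a common-cause beta term, ignoring repair time and proof-test coverage. The loop, its subsystems, the failure rates, diagnostic coverage and beta values are constructed and illustrative; real numbers come from each component's safety manual. The search for the longest proof-test interval that still meets a target band is the trade-off the functional safety engineer makes against maintenance resources.

```python
"""SIL verification for one SIF loop (constructed example). The loop PFD is
the sum of its series subsystems: voted sensors, logic solver and final
element. Subsystem PFDavg uses the simplified IEC 61508-6 equations for
1oo1, 1oo2 and 2oo3 with a common-cause beta term; repair time and
proof-test coverage are ignored. Failure rates are per hour."""

HOURS_PER_MONTH = 8760.0 / 12.0


def lambda_du(lambda_d, diagnostic_coverage):
    """Dangerous undetected rate: dangerous failures that diagnostics miss.
    Detected dangerous failures are assumed annunciated and handled, so
    only the undetected fraction accumulates between proof tests."""
    return lambda_d * (1.0 - diagnostic_coverage)


def pfd_avg(arch, lam_du, interval_h, beta=0.0):
    """Average PFD over one proof-test interval for a voted subsystem.
    beta is the fraction of dangerous failures that hit all channels at
    once; that fraction behaves like a single 1oo1 channel."""
    lt = lam_du * interval_h
    if arch == "1oo1":
        return lt / 2.0
    independent = (1.0 - beta) * lt
    common = beta * lt / 2.0
    if arch == "1oo2":
        return independent ** 2 / 3.0 + common
    if arch == "2oo3":
        return independent ** 2 + common
    raise ValueError(f"unsupported voting architecture {arch!r}")


def sil_band(pfd):
    """SIL whose PFD band contains pfd (0 when above the SIL 1 band)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def subsystem_pfd(sub, interval_h):
    """PFDavg of one subsystem from its dangerous rate, coverage and voting."""
    return pfd_avg(sub["arch"], lambda_du(sub["lambda_d"], sub["dc"]),
                   interval_h, sub.get("beta", 0.0))


def loop_pfd(subsystems, interval_h):
    """First-order loop PFD: every subsystem in series must work for the trip."""
    return sum(subsystem_pfd(s, interval_h) for s in subsystems)


def dominant_subsystem(subsystems, interval_h):
    """Name of the subsystem contributing most of the loop PFD."""
    return max(subsystems, key=lambda s: subsystem_pfd(s, interval_h))["name"]


def max_proof_test_months(subsystems, target_sil, max_months=120):
    """Longest whole-month proof-test interval at which the loop PFD still
    sits inside the target SIL band; None if even one month is not enough."""
    upper = 10.0 ** (-target_sil)
    for months in range(max_months, 0, -1):
        if loop_pfd(subsystems, months * HOURS_PER_MONTH) < upper:
            return months
    return None


# Constructed high-high pressure trip loop; rates are illustrative, not vendor data.
EXAMPLE_LOOP = [
    {"name": "pressure transmitters 2oo3", "arch": "2oo3", "lambda_d": 2.0e-6, "dc": 0.5, "beta": 0.05},
    {"name": "logic solver 1oo1", "arch": "1oo1", "lambda_d": 1.0e-7, "dc": 0.9},
    {"name": "ESDV-201 with solenoid 1oo1", "arch": "1oo1", "lambda_d": 2.0e-6, "dc": 0.0},
]

if __name__ == "__main__":
    one_year = 12 * HOURS_PER_MONTH
    for sub in EXAMPLE_LOOP:
        print(f"{sub['name']}: PFDavg {subsystem_pfd(sub, one_year):.2e} at 12 months")
    total = loop_pfd(EXAMPLE_LOOP, one_year)
    print(f"loop: PFDavg {total:.2e} -> SIL {sil_band(total)}; "
          f"dominated by {dominant_subsystem(EXAMPLE_LOOP, one_year)}")
    print(f"longest proof-test interval for SIL 2: {max_proof_test_months(EXAMPLE_LOOP, 2)} months")
```

Two things the numbers show. With the same transmitter and a 12-month proof test, a single 1oo1 sensor sits in the SIL 2 band while 2oo3 voting moves the sensor subsystem into SIL 3, and in the 2oo3 case the beta term, not the voted term, is most of what is left. At loop level the valve dominates the PFD, so the loop as a whole is SIL 2 and can be stretched to a 13-month proof test at most; this is the "SIL is a property of the loop" point made earlier, in arithmetic. Changing `dc` or `beta` in `EXAMPLE_LOOP` and re-running is a quick way to see which of the verification inputs actually moves the result.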
What happens if the I/O list does not capture SIL allocation.
The SIS vendor and integrator need the SIL allocation for each tag to specify the appropriate hardware, wiring separation, and cabinet design. An I/O list that flags SIS tags but omits their SIL level forces the integrator to go back to the safety case for every SIS row. Most projects add a SIL column or a system flag to the I/O list to carry this information forward from the safety requirement specification.
Is SIL 4 used in practice.
Rarely in process industries. Achieving SIL 4 PFD requires hardware redundancy and proof-test frequency that is very difficult to sustain operationally. Most high-consequence applications address the risk with multiple independent SIL 3 layers, each crediting a separate RRF in the LOPA, rather than attempting a single SIL 4 SIF.