SA Instrumentation & Control Buyers' Guide


Functional safety (SIL) basics for process control
May 2017, IS & Ex

There is a lot of information published on functional safety and safety integrity level (SIL) and it is difficult to know where to turn to or what to believe. I will try to provide a basic overview, cover some of the misconceptions, and consider some of the implications on a process control loop.

Gary Friend.

Functional safety is a culture, not a ‘certificate’

Safety Instrumented Systems (SIS), often referred to as Emergency Shutdown Systems (ESDs), are put in place in addition to the basic process control system (BPCS), e.g. a DCS or PLC, to independently monitor the process and bring the plant to a safe state as or when control is lost.

IEC/SANS 61508 and IEC/SANS 61511 provide a framework to assess risk and safety in process control environments. They are not prescriptive in how to implement safety, but compliance allows users and product designers to demonstrate best practice and to fulfil legal health and safety obligations. Importantly, the management of functional safety applies throughout the lifecycle of a process plant, from initial design through to decommissioning.

The SIL is an attribute of the complete safety instrumented function, not of a single device

In order to claim SIL capability, manufacturers of devices intended for use in functional safety applications should provide statistical data on the failure modes and failure rates of the equipment, from which the average probability of failure on demand (PFDavg) is calculated. In addition, manufacturers must state how the requirements for architectural constraints are achieved for the specified SIL level and demonstrate how systematic errors have been controlled in the design, development and manufacturing processes.

The primary concern is that failures of individual elements of the SIF could lead to the failure or impairment of the overall safety function. Manufacturers should supply a safety manual that explains how to use the failure data and how to install, maintain and proof test the equipment to achieve safe operation. This is important, because the desired failure mode will depend on the way in which a product is used. As an example, one plant might be safe at a high temperature, whilst another might be safe if the temperature is low. One process might be safe with the valve failing to the open position, whilst another requires the valve to close on failure. It is also important to look at the complete loop, from the sensor element (SE), e.g. a temperature or flow transmitter, through the ‘logic solver’ to the final element (FE), such as a shut-off valve.

The whole loop, known as the safety instrumented function (SIF), has to be assessed together, considering both failure rate data and failure mechanisms.

There is a perception that if you buy several SIL3 devices and use a SIL3 logic solver, then the SIF will meet the requirements for SIL3. This is not necessarily the case. The situation is made worse in cases where suppliers state ‘Up to SIL3’ on datasheets.

What is SIL?

SIL stands for safety integrity level. A SIL is a measure of safety system performance, in terms of the average probability of failure on demand (PFDavg) or probability of dangerous failures per hour. This numerical convention was chosen to provide an objective measure for comparison of alternate designs and solutions.

There are four discrete integrity levels associated with SIL: SIL 1, SIL 2, SIL 3, and SIL 4; but SIL 4, the highest level of integrity, is not normally used in the process industries. The SIL is essentially a measure of the probability of success of a SIF to take a process to a safe state upon demand. This can also be expressed as the order of magnitude level of risk reduction provided by a SIF, i.e. >10 to 100 for SIL 1 up to >10 000 to 100 000 for SIL 4.

SANS/IEC 61508-2 includes two tables stating the relationship between SIL and PFDavg or dangerous failure rate. In general terms, ‘low demand mode’ applies where the SIF is required to operate less than once per annum, and ‘high demand or continuous mode’ where it is required to operate more than once per annum.

From IEC 61508-1 Edition 2.0 2010: See Tables 2 and 3.

Table 2. Safety integrity levels – target failure measures for a safety function operating in low demand mode of operation.

Table 3. Safety integrity levels – target failure measures for a safety function operating in high demand mode of operation or continuous mode of operation.

The SIL applies to the whole SIF, rather than to an individual element. To achieve the required reliability of a SIF then, multiple parallel or redundant instrument loops are often needed, with voting in the ‘logic solver’ to resolve the status. Thus, the SIF, or sub-systems within the SIF, may be structured as 1oo1 (One out of One), 1oo2, 2oo3 to achieve the requisite low probability of failure. The use of such redundant architectures is described by the term ‘Hardware Fault Tolerance’ (HFT), where HFT > 0 implies a level of redundancy.

This also follows from the HFT requirements of SANS/IEC 61508 and SANS/IEC 61511. The HFT requirements in SANS/IEC 61511 are more onerous than those in SANS/IEC 61508: as can be seen from the table in SANS/IEC 61511, SIL3 requires HFT = 1. This means that redundant hardware is required so that a single dangerous failure does not compromise the integrity of the SIF. Redundancy also increases the availability of the SIF.

From IEC 61511-1 Edition 2.0 2016: See Table 6.

Table 6. Minimum HFT requirements according to SIL.
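The point made above, that the SIL of a SIF is bounded separately by its combined PFDavg (Table 2 bands), by the minimum HFT of its subsystems (Table 6) and by the systematic capability of its elements, can be worked through numerically. The following is an added example, not code from the article or from Extech Safety Systems: the vendor PFDavg figures are constructed, and the 1oo2 estimate is the simplified IEC 61508-6 formula (dangerous undetected failures and a common-cause factor beta only, no repair time or diagnostics), which the article does not itself give.

```python
from dataclasses import dataclass

# IEC 61508-1 Table 2 (low demand mode): SIL -> [lower, upper) band of PFDavg
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
# IEC 61511-1 Table 6: minimum hardware fault tolerance required for each SIL
MIN_HFT = {1: 0, 2: 1, 3: 1, 4: 2}

@dataclass
class Subsystem:
    name: str        # sensor element, logic solver or final element
    pfd_avg: float   # PFDavg of the subsystem in its chosen architecture
    hft: int         # 0 for 1oo1, 1 for 1oo2 or 2oo3
    sc: int          # systematic capability (SC) claimed in the safety manual

def pfd_1oo2(pfd_1oo1, beta):
    """Simplified IEC 61508-6 estimate for a 1oo2 pair of identical elements:
    only lambda_DU and a common-cause factor beta are modelled (no MRT, no DC)."""
    return (1 - beta) ** 2 * (4 / 3) * pfd_1oo1 ** 2 + beta * pfd_1oo1

def sil_from_pfd(pfd):
    """SIL band that a PFDavg value falls into (0 = no SIL claim possible)."""
    for sil, (lo, hi) in PFD_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0

def sil_from_hft(hft):
    """Highest SIL that Table 6 allows for a given hardware fault tolerance."""
    return max((s for s, h in MIN_HFT.items() if h <= hft), default=0)

def assess_sif(subsystems):
    """The SIF's SIL is the lowest of three limits: PFDavg, HFT and SC."""
    pfd = sum(s.pfd_avg for s in subsystems)
    limits = {"pfd": sil_from_pfd(pfd),
              "hft": min(sil_from_hft(s.hft) for s in subsystems),
              "sc": min(s.sc for s in subsystems)}
    return {"pfd_avg": pfd, "rrf": 1 / pfd, "limits": limits,
            "sil": min(limits.values())}

# Constructed vendor figures: three 'SIL3' devices, each installed 1oo1
SINGLE = [Subsystem("sensor", 4e-4, 0, 3), Subsystem("logic solver", 2e-5, 0, 3),
          Subsystem("final element", 5e-4, 0, 3)]
# Same field devices duplicated 1oo2 (beta = 10 %) plus a fault-tolerant logic
# solver whose PFDavg is likewise a constructed figure
REDUNDANT = [Subsystem("sensor 1oo2", pfd_1oo2(4e-4, 0.1), 1, 3),
             Subsystem("logic solver", 2e-5, 1, 3),
             Subsystem("final element 1oo2", pfd_1oo2(5e-4, 0.1), 1, 3)]
if __name__ == "__main__":
    for label, sif in (("1oo1", SINGLE), ("1oo2", REDUNDANT)):
        print(label, assess_sif(sif))
```

With the constructed figures the three 1oo1 ‘SIL3’ devices sum to a PFDavg inside the SIL3 band, yet the SIF can only claim SIL1 because HFT = 0; duplicating the field devices lifts the HFT limit to SIL3 and keeps the combined PFDavg inside the SIL3 band.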

Specification of SIL for a process plant

It is the responsibility of the plant operator to determine the number of SIFs, and their required SIL, for a process plant. This will typically follow from the process risks identified during the ‘HAZOP’ study. In a well-designed plant, there are likely to be very few SIL3 SIFs, because SIFs of this level imply the requirement to control potentially catastrophic event scenarios. However, in many cases there is a general over-specification to SIL3 without understanding the implications and costs. In the author’s opinion <5% of loops on a nuclear plant should be SIL3 – even less on a petrochemical plant.

The process should be reviewed and/or redesigned to eliminate the SIL3 requirement by other means. This could include design changes to reduce inventory, improve layout or use mechanical means of protection, such as pressure relief valves in an over-pressure scenario. In the author’s experience, SIL3 is often requested without realising that significant hardware has to be redundant (HFT > 0, i.e. 1oo2 or 2oo3 as previously discussed), meaning redundant field devices and intrinsically safe interfaces within the SIS.

Something to think about

A safety function aiming at SIL3 is designed to achieve a risk reduction factor of between 1000 and 10 000, i.e. without that safety function in place, the risk of a calamitous event is more than 1000 times greater than is acceptable according to the Tolerable Risk Definition for the plant. Do you trust a single device to give that level of protection? How are you going to maintain that single instrument loop and operate the plant while it is out of action? Which instrument manufacturer will offer a process transmitter that is rated at greater than SIL2 for a single device? For applications in the process industry, the SANS/IEC 61511 sector standard is followed, and it is more likely to require hardware redundancy of instrument loops to meet the Hardware Fault Tolerance requirements.

Summary – facts of life

• SANS/IEC 61508 is aimed at manufacturers and device suppliers, or OEMs. SANS/IEC 61511 is aimed at users and system integrators in the process industries.

• SANS/IEC 61508 is not mandatory, but considered best practice worldwide.

• Certification of elements intended for use in functional safety applications is not mandatory, but the availability of credible failure data is, since it is needed to determine the SIL achieved by a SIF.

• A safety manual is required for all elements intended for use in functional safety applications.

• Design of the safety function is the responsibility of the user, not the vendor.

• Only complete SIFs can have a SIL.

• The SIL of a safety function is limited by the systematic SIL capability of the components.

Useful to remember

• An item is highly reliable if it adequately performs its objective to a high degree, for the period of time specified, under the operating conditions specified. Therefore, there is a high probability that it will perform its intended function for a specified period of time, usually operating hours, without requiring corrective maintenance. For a safety function this is normally expressed as the average Probability of Failure on Demand (PFDavg).

• An item is highly available if it does not fail very often and, when it does, it can be quickly returned to service. Therefore, there is a high probability that the device will be operating successfully at a given moment in time. This is a measure of the uptime and is defined in units of percent.

• In functional safety terms, a system is considered to be safe if it is reliable in performing its safety function. The system may fail more frequently in modes that are not considered to be dangerous – in which case these spurious failures will occur as ‘nuisance trips’ of the Safety Instrumented System.

• Consequently, a safety system may have a lower availability in total, due to safe failures, than a non-safety system performing a similar function. However, nuisance trips could also potentially be dangerous.

• SIL is not a guarantee of quality or reliability, except in a defined safety context.


IEC 61511:2003 is equivalent to SANS 61511, of which some parts are dated 2015 and others 2016; the SANS document needs updating to IEC 61511:2016. IEC 61508:2010 is equivalent to SANS 61508:2013.

For more information contact Gary Friend, Extech Safety Systems, +27 (0)11 791 6000.

Supplied By: Extech Safety Systems
Tel: +27 11 791 6000
Fax: +27 11 792 8294