IS & Ex

The importance of understanding SIL ratings

September 2023 IS & Ex

Major industrial accidents around the world like the Bhopal chemical plant disaster have occurred due to insufficient and poorly designed safety systems. Safety Integrity Level (SIL) ratings were introduced as part of IEC 61508 in 1998, and seek to quantify the probability of dangerous system failure. Gary Bradshaw, director of alarm and safety system specialist Omniflex, explains how SIL ratings work, and the dangers of the misconceptions that exist around them.

Functional safety, as defined by IEC 61508, is the safety that control systems provide to an industrial process or plant. Its purpose is to prevent both direct and indirect risk to human life that could result from those industrial processes, including risk caused by damage to equipment, property or the environment. Functional safety is a focus across the industrial spectrum, from petrochemicals and tank farms to oil and gas, and nuclear safety.

The concept of functional safety was developed in response to the growing global need for improved confidence in safety systems. Major accidents in the late 20th century, like the Chernobyl reactor explosion and the Bhopal tragedy, and the advent of electrical and programmable electronic systems to carry out safety functions, have prompted a desire to engineer safety systems to ‘fail safely’ or control dangerous failures when they arise. One metric used to assess the risk of unsafe failure in industrial settings is SIL ratings, which correspond to the frequency and severity of hazards. They describe the probability of failure on demand (PFD) and the performance required for a safety instrumented function (SIF) to maintain safety.

The ratings go from SIL-1 up to SIL-4, and the higher the level, the higher the associated safety and the lower the probability that the system will fail to perform. However, the installation and maintenance costs, and the system complexity, typically increase along with the SIL rating. The levels are distinguished by their acceptable rate of failure, which increases each time by factors of ten: i.e., SIL-1 systems accept one failure in every ten demands; SIL-2 systems accept one failure in every 100 demands, and so on.

Bigger is better − right?

One misconception is that higher SIL ratings are always superior for every application. Although SIL-4 does indeed offer the most reliability, the complexity involved with redundant back-up systems, more regular performance testing, and hierarchical voting arrangements can be unwieldy and over-expensive if not necessary.

The correct SIL rating is application-dependent; for example, if you can rely on a human operator to take action on an abnormal condition, such as for an alarm going off, then a SIL-1 system will suffice. Indeed, a safety loop involving a human cannot be rated above SIL-1, as systems are required to operate independently of operators for SIL-2 and upwards.

While the most critical applications, such as aircraft flight systems or nuclear reactor protection, require SIL-4 protection, correct safety analysis during the design stage is vital to determine the minimum acceptable SIL rating. Adhering to this recommendation will provide an adequate level of functional safety while containing costs effectivity.

How are SIL ratings assigned?

SIL certification is a tool to measure the risk reduction provided by a SIF. To determine the safety integrity level of a SIF, the overall PFD must be calculated. This involves combining the failure rate data for each individual component within a SIF, such as sensors, programmable logic controllers and control elements, whether automated or human. The calculation must also account for the test frequency, redundancy and voting arrangements.

Companies such as TÜV Nord carry out independent assessments, although internal ratings can be done for systems up to SIL-1. Another common misunderstanding is that although individual modules can be SIL rated, it is only the overall systems that are assessed this way.

While regulatory processes would prevent installation of any insufficiently rated safety systems, it is not unheard of for industrial facilities to purchase higher rated systems than they need. The consequences here are mostly financial: not only will the components add unnecessary expense, but the installation process will be more complex, and therefore more disruptive to the facility’s daily production.

For these reasons, it is essential to engage a company with safety system expertise that understands the SIL hierarchy and different levels’ suitability for different applications.

Evaluating instrumentation

Independent validation of safety instruments is an important factor for customer confidence in every industrial sector. Evaluation International (EI), a member owned, not-for-profit organisation, offers consultation and evaluation services for electrical, control and instrumentation matters.

EI members operate across the industrial spectrum, from ExxonMobil USA in oil and gas exploration and refinement, and INEOS in energy production, to Intertek Polychemlab in chemical industry inspection and certification, and Suez Environment in environmental services and waste management.

In March 2007, EI evaluated Omniflex’s alarm annunciator unit, the Omni16C, and found that it passed the various functionality tests, and that the results were in accordance with Omniflex’s specifications. Reports like the one written about the Omni16C are useful for facility planners and functional safety managers, as they provide reliable information about validated and qualified instrumentation.

The difficulty of rating software

The normalisation of software-based or SMART components, as in those with embedded microprocessors, presented a new challenge in the early 21st century. While hardware assessments were straightforward, software verification in terms of safety function was less sure territory and led to reluctance in some industries to take advantage of technological developments.

The nuclear industry was no exception. Initially, each major UK nuclear operator launched separate verification programmes to show compliance with the Nuclear Installation Inspectorate’s safety certification. To help nuclear site inspectors, while eliminating redundancy and duplication of individual work, the EMPHASIS tool was developed.

EMPHASIS’ purpose is to achieve a common level of substantiation and assess SMART instruments for the nuclear industry against IEC 61508. Launched in 2005, it has been adopted by the Nuclear Industry SMART Instruments Working Group, made up of the significant entities in the UK’s nuclear industry.

Alarm annunciator systems are a vital layer of protection in plant safety strategy. They provide operators with early warnings of an abnormal condition, helping to facilitate action before hazards take effect and to enable human logic-driven intervention. The importance of these SMART safety tools meant that substantiation by EMPHASIS was essential for UK nuclear safety.

Sellafield, which manages the Sellafield nuclear site, approached Omniflex in 2008 to apply the EMPHASIS tool to its Omni16C range of alarm annunciators. After a thorough review of the design and production methods, the hardware and software were both evaluated to IEC 61508 SIL-1. This was the first, and remains the only, alarm annunciator product to be substantiated in this way.

SIL ratings have been an important metric for industrial functional safety for 25 years, but misinterpretations about their application linger on. To avoid incurring unnecessary cost and complexity, it is important for facility planners and managers to work with safety system suppliers who truly understand safety integrity levels.

For more information contact Ian Loudon, Omniflex Remote Monitoring Specialists, +27 31 207 7466,,


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Industrial signal conditioning
Omniflex Remote Monitoring Specialists Electrical Power & Protection
Automation for Industry 4.0, process control, data acquisition, and alarm processing all rely on the conversion of physical signals to a standardised, usable format, that engineered systems can reliably use to manage industrial processes.

Assessing the order of events
Omniflex Remote Monitoring Specialists Industrial Wireless
Being able to monitor plant alarms and events in real time, in chronological order, is critical when a plant experiences an avalanche of alarms caused by an abnormal event. Sequence of events modules can be used to cut unplanned plant downtime and reduce operational costs.

Leading the way in PDS technology
IS & Ex
Booyco Electronics, an original equipment manufacturer specialising in mine safety equipment, has witnessed a surge in demand for its proximity detection systems (PDS) and collision prevention systems (CPS) since the Mine Health and Safety regulation focusing on trackless mobile machinery was promulgated. These systems offer crucial vehicle-to-pedestrian and vehicle-to-vehicle detection capabilities.

Ensuring lone worker safety
IS & Ex
The Conextivity Group’s startup – Wearin’ – has developed a solution connecting the lone worker with the control centre. This was commissioned by concrete producer, Pro Beton to ensure the safety of its teams of machine operators and cleaners working on production sites during the day, night, and weekends.

Cathodic protection system for hazardous environments
Omniflex Remote Monitoring Specialists IS & Ex
When NSW Ports in Australia embarked on a two-year programme to rehabilitate the structures and combat corrosion levels at its Bulk Liquid Berth 1, it commissioned Melbourne-based consultancy Infracorr to deliver a bespoke cathodic protection) system. To deliver the system safely, Infraccor engaged cathodic protection specialist Omniflex to support the hazardous area and remote monitoring aspects of the CP system design.

Signal conditioning is the protective armour between plant and field
Omniflex Remote Monitoring Specialists Sensors & Transducers
Measurement and control of physical properties are the foundation of all critical industrial technologies. Ian Loudon, international sales and marketing manager at remote monitoring specialist, Omniflex explains the challenges of industrial signal conditioning and the importance of safety engineering.

Protecting Australia’s harbours from a silent threat
Omniflex Remote Monitoring Specialists Industrial Wireless
Omniflex has completed the addition of remote monitoring to the existing cathodic protection (CP) systems at five berths in Port Kembla, Australia. This will enhance their surveillance and provide accurate energy monitoring.

Safety breakthrough in live testing of large equipment
IS & Ex
While essential to effective maintenance, the live testing of mining vehicles and equipment can be hazardous and time consuming; but this has all changed with the SafeGauge range of digital testing systems. Developed in Australia, SafeGauge is now distributed in South Africa by Booyco Electronics, known for its leading role in promoting safety on mines through its proximity detection systems.

Explosion-protected control units
Pepperl+Fuchs IS & Ex
The new range of control units from Pepperl+Fuchs offers a clever solution for switching and controlling circuits in hazardous areas that are designated ATEX/IECEx Zones 1/21 and 2/22.

The argument for remote tank monitoring
Omniflex Remote Monitoring Specialists Industrial Wireless
When considering the potential consequences of inadequate tank farm monitoring, images of disasters like the Buncefield fire probably spring to mind first. However, with the development of safety regulations and equipment, these catastrophic events are becoming far less common over time.