
What is SIL?

The current Safety Integrity Level (SIL) international safety standard provides suppliers and
users with a common framework on which to design products and systems for safety related
applications. The standard also provides a more scientific, numerical approach to specifying
and designing safety systems, enabling the nature of risk to be quantified.
SIL means risk reduction to a tolerable level.
The two standards that relate to process plants are:

The required safety level of a process plant is classified in accordance with the
international IEC 61511 standard and depends on the risk constituted by a plant.

The IEC 61508 standard describes the requirements of electrical, electronic and
programmable electronic devices used in such plants. It relates to the functional safety
of products or systems whose failure to operate reliably could harm people.

There are 4 SIL categories (3 under ISA and 4 under IEC). The higher the SIL number,
the more reliable or effective the system is.

SIL probability of safe failure:

SIL 1   90%
SIL 2   99%
SIL 3   99.9%
SIL 4   99.9%

As SIL relates to automated packages only, components (valve mounting kits and actuators)
have to be analysed separately, as packages could contain valves or actuators from other
manufacturers.
Supplying Actuators & Valves for a SIL system is an immense responsibility and
commitment. The Habonim Compact Actuators & Ball valves in the ESI portfolio have
attained SIL 2 / SIL 3 safety integrity level. SIL 3 is the highest rating used in the process
industries.

As a major supplier of manual and actuated Atomac and Durco valves, we are asked
about the suitability of these valves for use in systems of a particular SIL level. The
following notes provide background information on SILs, where they come from, and
how they apply to CRP's range of valves.
Introduction
To trace where the term SIL comes from, it is necessary to delve into the standards
published by the IEC (the International Electrotechnical Commission), a body set up in
1906 to, amongst other things, produce standards for use in the then-fledgling
electrical industry. The standard in question is IEC 61508 (now BS EN 61508):
Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related
Systems. This standard is split into 7 sections, with a total of 580 pages. It is a generic
standard and is concerned mainly with electrical, electronic and programmable electronic
systems whose failure could have an impact on the safety of people and/or the
environment. However, due to the integrated nature of safety systems, its remit also
covers mechanical components, such as actuated valves, that make up parts of safety
systems.
Due to the large size of IEC 61508, several spin-off standards were developed for
particular industry sectors. Of relevance to valves is IEC 61511 (now BS EN 61511):
Functional Safety: Safety Instrumented Systems for the Process Industry Sector. This
standard deals with the requirements for the specification, design, installation, operation
and maintenance of a Safety Instrumented System (SIS), so that it can be confidently
relied on to take a system to, and keep it in, a safe state. Typically an SIS is made up of
many Safety Instrumented Functions (SIF); see below for details.
Hazards, Risks and Risk Assessments
Before looking at SIFs in any detail, it is necessary to discuss risk assessment on process
plants. On any piece of process plant, strenuous efforts will be made to identify all of the
possible hazards (potential sources of harm), how often these hazards are likely to occur,
and what the consequences of them occurring would be. Roughly speaking,
multiplying the severity of the hazard by the likelihood of it occurring gives a measure of risk, and so for
each hazard, a level of risk can be arrived at. For each hazard, a judgement then has to
be made about whether the level of risk is acceptable or unacceptable, either from a
damage to people, the environment, or to a company's bank balance perspective. For
risks that are deemed to be unacceptable, steps must be taken to reduce these to
acceptable levels. Clearly, risks can be reduced either by reducing the hazard, or by
reducing the likelihood of it occurring.

For example, suppose there is a hazard that, if it were to occur, would cause a single
fatality. Now if the likelihood of it occurring is once in 100 years, this may be deemed to
be an unacceptable risk. However, by reducing the likelihood of it occurring to once every
10000 years, the risk may then be deemed to be acceptable.
In terms of reducing the hazard, if the system is still at the design stage, it may be
possible to alter the process, or the design of the process plant to reduce the hazard
level, and hence the risks. Alternatively, it may be possible to reduce hazard level by the
use of passive safety features, e.g. to build a protective wall between a hazardous area
and an area where people work.
Safety Instrumented Functions (SIF) - Overview
On a process plant, it is often not practical to reduce a particular risk to an acceptable
level by reducing the hazard level, and so the focus has to be on reducing the likelihood
of the hazard occurring. In such circumstances it may be possible to do this by means of
passive safety features, but often it is necessary to employ active safety systems, called
Safety Instrumented Functions (SIF) in IEC 61511. Typically a SIF is a single control
loop which monitors a particular aspect of a process, say its temperature, and if this
goes outside pre-set limits, the control loop reacts to bring the process to a safe
condition, for instance by cutting the power supply to the heaters. It is important to note
that this SIF is not part of the control system of the process, it sits outside it and only
carries out a safety function. Now, if a SIF is to bring a risk down to an acceptable level,
it must reduce the risk by some predetermined amount, such as by a factor of 100.
Safety Integrity Levels (SIL)
Safety Integrity Levels (SIL) also refer to this reduction in risk. There are 4 SILs, 1 being
the lowest, 4, the highest. Each level refers to a different amount of risk reduction as
shown in the table below. Another way of expressing SILs is in terms of Probability of
Failure on Demand (PFD), i.e. what is the chance that the SIF will fail when I really,
really need it to work?
SIL Level   Risk Reduction           PFD
1           10 - 100 times           0.1 - 0.01
2           100 - 1,000 times        0.01 - 0.001
3           1,000 - 10,000 times     0.001 - 0.0001
4           10,000 - 100,000 times   0.0001 - 0.00001

Safety Instrumented Functions (SIF) Testing & Failure Rates


Typically a SIF will comprise several components, such as a sensor, a programmable
electronic controller, a power supply, an actuated valve etc. Clearly, there is a possibility
that such a system could fail, due to the failure of one, or more, of its individual
components. To ensure that a particular SIF will bring the risk down to an acceptable
level, the system designer needs to know what the PFD for that SIF is, to ensure that it
meets the required SIL.
The next concept that needs to be considered is that of testing a SIF, and the associated
test interval (TI), which is the time, in years, between tests. Now, if a SIF is tested
today, the likelihood of it not working (PFD) tomorrow is extremely small. However, as
time passes, the likelihood of it failing steadily increases, until it is decided that it should
be retested, at which point the probability of failure on demand (PFD) is reset to zero.
Hence with regular testing, the graph of PFD level versus time of a particular SIF would
look like a saw tooth. Consequently, the term used by system designers is average value
of PFD (PFDavg), and it is this that decides what SIL level a particular SIF has.
Conveniently, with this shape of graph, the PFDavg is half the peak level of the PFD.
At this stage another piece of terminology is required:

d = the failure rate for a particular component. It is defined as 1/expected time to
failure in years. Hence, if a component is expected to work without failure for 100 years,
its failure rate would be 1/100 = 0.01.
It is now possible to write a formula to determine the PFDavg for a particular SIF.
It is:

PFDavg = 0.5 * d * TI

Where:

d = the sum of the individual d values for each component of the SIF.
TI = test interval in years for the particular SIF.
This formula allows plant designers to calculate the PFDavg for a proposed SIF, thus its
SIL, and therefore decide its suitability for the proposed duty.
Notes
If it is necessary to reduce the value of PFDavg, to meet a higher SIL, one possible way
to achieve this is to reduce the test interval. If the test interval is reduced from 1 year to
0.5 years, this will halve the PFDavg value. However, there is an associated cost in terms
of the cost of testing, and possible plant downtime to carry out the tests. Another way to
reduce the PFDavg is to build in duplicate independent systems into a particular SIF, so
that if one fails, there is a second one to operate. Once again there is a cost penalty in
terms of the purchase price of more equipment, increased amounts of maintenance, and
an increased likelihood of false alarms.
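As an added example (not from the original document), the PFDavg formula and the SIL table above are applied in Python to a constructed four-component SIF, using the document's own risk example (once in 100 years reduced to once in 10,000 years, a factor of 100) as the target and showing the effect of halving the test interval described in the Notes. The component lifetimes and function names are assumptions.

```python
# Added example, not from the original document: the document's PFDavg
# formula (PFDavg = 0.5 * d * TI) and SIL table applied to a constructed
# four-component SIF. d is the sum of the component failure rates
# (1/years) and TI is the test interval in years.

# PFD bands from the document's table: SIL n covers 10^-(n+1) <= PFD < 10^-n.
SIL_BANDS = {1: (0.01, 0.1), 2: (0.001, 0.01),
             3: (0.0001, 0.001), 4: (0.00001, 0.0001)}

def failure_rate(expected_years_to_failure):
    """d for one component: 1 / expected time to failure in years."""
    return 1.0 / expected_years_to_failure

def pfd_avg(component_rates, test_interval_years):
    """PFDavg = 0.5 * d * TI, with d the sum of the component d values."""
    return 0.5 * sum(component_rates) * test_interval_years

def sil_for_pfd(pfd):
    """Map a PFDavg to its SIL band; None if it lies outside the table."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return None

def required_pfd(hazard_freq_per_year, tolerable_freq_per_year):
    """Target PFD for the SIF: the risk reduction it must deliver, expressed
    as a probability (tolerable frequency / unprotected frequency)."""
    return tolerable_freq_per_year / hazard_freq_per_year

def assess(component_years, test_interval_years, target_pfd):
    """Return (PFDavg, SIL, meets_target) for the proposed SIF."""
    rates = [failure_rate(y) for y in component_years]
    pfd = pfd_avg(rates, test_interval_years)
    return pfd, sil_for_pfd(pfd), pfd <= target_pfd

if __name__ == "__main__":
    # Constructed SIF: sensor, controller, power supply, actuated valve with
    # assumed expected years to failure of 100, 250, 200 and 200 (d = 0.024).
    sif = [100, 250, 200, 200]
    # The document's risk example: once in 100 years must become once in
    # 10,000 years, so the SIF must reduce risk by a factor of 100.
    target = required_pfd(1 / 100, 1 / 10000)  # 0.01
    for ti in (1.0, 0.5):
        pfd, sil, ok = assess(sif, ti, target)
        print(f"TI={ti} years: PFDavg={pfd:.4f} SIL={sil} meets target={ok}")
```

With a one-year test interval the constructed SIF only reaches SIL 1 and misses the target; halving the interval halves PFDavg and moves it into the SIL 2 band.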

It is impossible for CRP to provide the SIL for a valve, or even an actuated valve, since
by itself it does not make up a complete SIF, nor is the proposed test interval known.
However, the value of d can be provided in most circumstances (provided that the
component manufacturers can supply the information to CRP). Great care must
be taken with the published d values for valves, because they will likely have been
determined from laboratory tests in ideal conditions, and not those found on particular
process plants.
Glossary
IEC International Electrotechnical Commission
SIS Safety Instrumented System
SIF Safety Instrumented Function
SIL Safety Integrity Level
PFD Probability of Failure on Demand
PFDavg Average Probability of Failure on Demand
d Failure Rate (measured in the reciprocal of years)
TI Test Interval (measured in years)


Disclaimer
The views expressed in this document are CRP's best understanding of the subject, and
every effort has been taken to ensure its accuracy. However, CRP is not expert in these
areas, and therefore the reader must not rely upon the views expressed herein, nor can
CRP be held responsible for any errors, omissions or mistakes.
