Topic 21: Safety Integrity Level (SIL) of a system is important. What are the methods in place to assess the SIL of any system?

c.ejimuda

Safety Integrity Level is very vital in setting up performance standards for Safety Critical Elements (SCEs). Highlight proven methods in place for assessing any system's integrity.


Uko Bassey

A safety system is a system designed to protect people, equipment, the environment, and the investment/assets. There are three (3) basic components of a safety system: initiator, logic solver and final element. The safety devices are classified according to the reliability of their safety functions; these devices operate according to the safety-oriented principles that must be maintained in order to achieve the desired result and minimize the risk of failure. Safety systems are rated using the Safety Integrity Level (SIL), and it is classified into four (4) levels: SIL1, SIL2, SIL3 and SIL4. These classifications are based on a statistical approach called probability of failure on demand (PFD). The two basic standards that guide the operation of a safety system are: BS EN/ISO 61511 (Functional safety: safety instrumented systems for the process industry sector) and BS EN/ISO 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems). The system can employ emergency shutdown (ESD) or process shutdown, and in extreme cases a high integrity pressure protection system (HIPPS) for autonomous shutdown of the system.

Introduction to Subsea control and distribution (Lecture note by Dr Meir)

Jonah Bassey.


Oluwatosin A. Oyebade

For decades, industries have been required to reduce risks to a non-quantitative level that is considered As Low As Reasonably Practicable (ALARP). However, relatively recent developments due to the increased complexity of safety systems have led to the upsurge of SIL in categorising safety and risk levels.

Safety Integrity Level (SIL) is a system that describes the reliability of a system (using specific numeral digits; usually 1, 2, 3, 4), based on estimations of the probability of failure occurrence. It is very useful in evaluating the reliability of a proposed or extant system. SIL 1 is the lowest reliability and is relatively easy to attain, with SIL 2, 3, and 4 describing increasingly higher reliability levels that are harder to attain.

There exist 2 International safety authorities governing SILs, these are:

  • IEC (International Electrotechnical Commission) 61508: This governs the functional safety of electrical, electronic and programmable electronic safety systems, e.g. Production Inflow Control Devices (ICDs). It is applied across all industries.
  • IEC 61511: This governs the functional safety of safety instrumented systems. It is applied in the process industries.

Although SIL possesses multiple advantages in mitigating against risk occurrence, it is not legally binding nor obligatory, except in certain cases where companies are forced to abide by its terms.


Oyebade Oluwatosin A.

Msc Oil and Gas Engineering.

Mostafa Tantawi

Masters of Subsea Engineering, University of Aberdeen

This is just to add to what Uko said: the way to calculate the SIL level is to calculate the probability of failure on demand, which means to calculate the probability of this particular part/system failing when you need it to act, and then see if your system is of high demand or low demand. Low demand is based on how much you will need the system, so it's time independent. On the other hand, high demand is more based on time.

To illustrate that, low demand uses the PFD (probability of failure on demand) while high demand uses the probability of failure per hour:

Low demand: range of average PFD: 10^-5 < PFD < 10^-4

High demand: failures per hour (α): 10^-9 < α < 10^-8

Andrew Allan

One technique used to evaluate the required Safety Integrity Level (SIL) of a particular safety control system is called Layers of Protection Analysis (LOPA). This technique often starts with a HAZOP of the system and its design to identify any instances where there could potentially be a hazardous event. In identifying all possible hazardous events related to a system, it is then possible to identify whether there are sufficient layers of protection, of sufficient reliability, to minimise the likelihood of that event materialising.

Firstly, you must assess the ultimate consequences of the hazardous event; this is often done using a company's risk assessment matrix or process. For instance, if the HAZOP identified a scenario which may lead to loss of containment and fire, the ultimate consequence may be that 5 or more people may be killed. By equating this consequence to a target risk reduction frequency, it allows designers to determine whether the controls and mitigations in place are sufficient or whether additional controls, or higher integrity control components, are required for the given safety system.

Ultimately, a target reliability can be set for a given safety system and this reliability can be verified through manufacturer and industry data on the probability of failure of a given component.
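As an added worked example (not part of Andrew's post), the LOPA arithmetic in Python: a constructed HAZOP scenario, the layers credited against it and an assumed tolerable frequency give the risk reduction a new safety instrumented function must add, and that gap maps to a target SIL. Every number, the scenario name and the function names are assumptions made for this illustration.

```python
"""LOPA worked example for one HAZOP scenario (added illustration).

Constructed scenario: loss of containment from a pump seal failure leading to a
pool fire with a potential for five or more fatalities. Every number below
(initiating event frequency, IPL credits, conditional modifiers, tolerable
frequency) is an assumed value chosen for illustration, not company data.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field


@dataclass
class Scenario:
    name: str
    initiating_event_freq: float              # initiating events per year
    ipls: dict[str, float]                    # independent protection layer -> credited PFD
    tolerable_freq: float                     # corporate target for this consequence, per year
    modifiers: dict[str, float] = field(default_factory=dict)  # e.g. P(ignition), occupancy


def mitigated_frequency(s: Scenario) -> float:
    """Frequency of the consequence with all credited IPLs and modifiers applied."""
    f = s.initiating_event_freq
    for pfd in s.ipls.values():
        f *= pfd
    for p in s.modifiers.values():
        f *= p
    return f


def required_rrf(s: Scenario) -> float:
    """Risk reduction factor a new SIF must add to reach the tolerable frequency."""
    return mitigated_frequency(s) / s.tolerable_freq


def sil_for_rrf(rrf: float) -> int | None:
    """Map a required RRF to a low-demand SIL: 10..99 -> SIL 1, 100..999 -> SIL 2,
    and so on. 0 means no SIL-rated SIF is needed (RRF below 10); None means the
    gap exceeds what SIL 4 can provide, so the design itself should change."""
    if rrf < 10:
        return 0
    sil = math.floor(math.log10(rrf))
    return sil if sil <= 4 else None


def lopa_summary(s: Scenario) -> tuple[float, float, int | None]:
    """(mitigated frequency, required RRF, required SIL) for the scenario."""
    rrf = required_rrf(s)
    return mitigated_frequency(s), rrf, sil_for_rrf(rrf)


# Constructed scenario values (assumptions, not from any standard or the thread).
POOL_FIRE = Scenario(
    name="pump seal failure -> pool fire, 5+ fatalities",
    initiating_event_freq=1.0,                  # one seal failure per year (pessimistic)
    ipls={"BPCS high-level alarm with operator response": 0.1},
    modifiers={"probability of ignition": 0.1, "area occupied": 0.5},
    tolerable_freq=1e-5,                        # assumed corporate target for this consequence
)

if __name__ == "__main__":
    freq, rrf, sil = lopa_summary(POOL_FIRE)
    print(f"{POOL_FIRE.name}: mitigated {freq:.2e}/yr, RRF needed {rrf:.0f}, target SIL {sil}")
```

Removing a credited layer or raising the initiating frequency pushes the required RRF, and hence the target SIL, up one band at a time, which is the sensitivity a LOPA team checks before accepting a target.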

Andrew Allan

While LOPA analysis is a semi-quantitative tool for SIL targeting, the Risk Graph is a coarser qualitative tool often used to screen out safety systems requiring a low safety integrity level, which will easily be met by current industry equipment.

The risk graph technique considers the following categories in defining a target SIL level for a given system or component:

- The severity of the consequence given failure of the system

- The likelihood of personnel being adversely affected by a failure

- Alternative measures in place to avoid the event materializing

- How often the given safety system or component will be called upon to serve its purpose

The process must start with identification of hazardous events and their potential consequences; this is often taken directly from the outputs of HAZID/HAZOP reviews. The review team must then identify the safety systems or components which serve to mitigate this event. A pre-defined risk matrix is then used to select the severity, likelihood, presence of alternative mitigating measures and demand rate for a given event. This allows a target Safety Integrity Level to be assigned to a given system.

This can then be accepted as a suitable SIL level or further analysed using LOPA or a fully quantitative method to define the integrity requirements in greater detail. As with LOPA, the SIL target can be verified through calculation, using industry and vendor-specific data on the failure rate of their components.

Abdulazeez Bello

Functional safety, also known as SIL analysis, is using statistical tools to guarantee the safety or integrity of equipment. This method is subjective as it gives the vendor room to manipulate the process. The rating, though normally requested by the client, gives the vendor an opportunity to demonstrate the reliability of the equipment without necessarily showing the weakness inherent in it and what is done to assuage it. There is no way for the client to verify the value of the rating. The Design Engineer reads the SRS as stated in IEC 61508 and does FMECA on the equipment to ascertain the credibility of the software, electronics and hardware when working together. This gives a numerical value as would be stated in the SAR, and these are grouped into SIL. When these figures (SIL) do not tally with the benchmark, the Engineer can go back and adjust the SRS, then start all over again. The levels are 0-4, with 4 being the highest while 0 means it doesn't matter. The functional safety approach only helps to push the evil day forward and does no party good, though when done properly it can help minimize failure and reduce risk.


SRS: the Safety Requirement Specification
FMECA: Failure Mode and Effects Criticality Analysis
SAR: Safety Analysis Report
SIL: the Safety Integrity Level

Lecture notes from the Subsea Control class of Mr Gareth Davies, 2012.

c.ejimuda


As the production of crude oil involves a lot of risk associated with its operation, the need for the operating system to be safe becomes very important. As rig owners (duty holders) need to demonstrate that major accident hazards in their operation have been identified, evaluated and assessed, there is a need for operators to create redundancies in the systems in place.

These redundancies in the operating system are aimed at mitigating a major accident from occurring. These redundancies are called Safety Critical Systems (SCS) or Safety Critical Elements (SCEs).

Safety Critical Elements or Systems can be defined as a system put in place to reduce or prevent a major accident hazard from occurring. For instance, a Blowout Preventer is a safety critical system required around the wellhead area in order to prevent a blowout from occurring.

Each SCE has an assigned performance standard which its performance should be measured to ensure it fulfils the required criteria.

In developing the performance standard for an SCE, the criteria to consider are as follows (FARSI) [3]:

- Functionality: How does the SCE achieve its goal, what must it actually do?

- Availability: Will the SCE be available when required to work?

- Reliability: How reliable is the SCE, what is the failure rate of the SCE like?

- Survivability: How long can it survive or work before failing?

- Independency: Does the SCE require other systems to function effectively?

Safety Integrity level of a system is commonly used in the process industry to increase the reliability and redundancies in the system.

The concept of Safety Integrity levels (SILs) was developed during the development of EN 61508 (BSI 2002) as a measure of the quality or dependency of a system which has a safety function [1]. In the process industry, BS EN61508 is used to develop the SIL of the system.

Methods of Assessing the SIL

According to BS EN 61508, there are 3 proven methods for determining Safety Integrity Levels. They are as follows:

  • Quantitative method

  • Risk graph

  • Hazardous event severity matrix (also known as the Qualitative method)

Also, BS IEC 61511 uses the following methods:

  • Semi-quantitative method

  • Safety layer matrix method (also known as the semi-qualitative method)

  • Calibrated risk graph

  • Layer of protection analysis (LOPA)

In carrying out SIL assessment, the risk graph method and LOPA are commonly used, especially in the process industry.


1. Gulland, W.G. (2004) ‘Methods of Determining Safety Integrity Level (SIL) Requirements – Pros and Cons’, Safety-Critical Systems Symposium, London, 14th April 2012. United Kingdom [Online]. Available at: [Accessed 10 October 2012]

2. Magnetrol International Incorporated (2012) Understanding safety integrity level, 2012 [Online]. Available at: [Accessed 10 October 2012]

3. Germanischer Lloyd Industrial Services (2008) Performance Standards, 2008 [Online]. Available at: [Accessed 10 October 2012]

Chukwumaijem M Ejimuda

MSC Safety and Reliability Engineering.

Agba A. Imbuo

SILs can be defined as the relative level of risk reduction provided by a safety function. In other words, it could mean a target level of risk reduction. This concept of safety integrity levels (SILs) was introduced during the development of BS EN 61508 (BSI 2002) as a measure of the quality or dependability of a system which has a safety function. A safety function is a measure of the confidence with which the system can be expected to perform that function. It is also used in BS IEC 61511 (BSI 2003) (Functional Safety of Safety Instrumented Systems for the Process Industry Sector) and BS EN 61508 (Functional Safety of Electrical / Electronic / Programmable Safety Related Systems). SIL is determined based on a number of qualitative and quantitative factors such as safety life cycle management and development process. But in general, there are three methods of assessing the SIL level of a component:

1) Risk matrix

2) Risk graph

3) Layers of protection analysis (LOPA)

There are four levels of classification of SIL: SIL 1, 2, 3 and 4, with SIL 1 having the highest probability of failure on demand (PFD) and SIL 4 the lowest.

c.ejimuda

Good morning gents

Nice start Uko, Mostafa, Andrew, Abdulazeez and Agba.

For further discussion, can we consider the advantages and disadvantages/limitations of each assessment method. Comparison of different methods will also be welcome.


Chukwumaijem M Ejimuda

MSC Safety and Reliability Engineering.

talal slim

I thought of giving more details on the quantitative requirements that shall be met in order to fulfil a given safety integrity level (SIL) of a safety instrumented system (SIS). According to IEC 61508 (part 4, section 3.5.12), where the SIS operates in a low demand mode (frequency of demand is no more than once a year) the probability of failure on demand (PFD) is used as the quantitative measure.

IEC 61508 requires that reliability targets are assigned to each safety instrumented function (SIF) that is implemented in a SIS, and uses SIL as a measure of reliability. Each SIF shall fulfil a safety integrity requirement, where SIL 1 has the lowest level of safety integrity and SIL 4 is the most stringent. SIL 1 (PFD: 10^-2 to 10^-1), SIL 2 (PFD: 10^-3 to 10^-2), SIL 3 (PFD: 10^-4 to 10^-3), SIL 4 (PFD: 10^-5 to 10^-4).

So, it is clear that a major objective of the quantitative methods is to conduct the reliability calculations, i.e. calculate the PFD for the identified SIF. There are different methodologies to calculate PFD and I will touch on those in a different comment.

Reference: IEC 61508: Functional Safety of electrical/electronic/programmable electronic safety-related systems: International Electrotechnical Commission (edition 2, 2010/04)

talal slim


In response to your comment, I would like to give a brief comparison between two approaches to calculating the Probability of Failure on Demand, i.e. the methodology used by IEC 61508 versus the PDS methodology.

Document number OLF 070, produced by the Norwegian Oil Industry Association, is a good guide to the different methods that can be used to calculate PFD. One of the most widely used methods in the offshore industry is the PDS method, which is considered to be an established and suitable method for assessing the reliability of safety related systems.

The PDS method is in line with the main principles in the IEC 61508 standard, but offers an approach somewhat different from IEC 61508 for some challenging areas like failure classification, modelling of common cause failures (CCF) and how to treat systematic failures.

The following is an example of the differences between the two methods with regard to failure classification.

The PDS method develops the failure classification given in IEC 61508 further by introducing a more detailed classification. The following failure modes are considered by the PDS method:

1) Dangerous Detected Failures (DD)

2) Dangerous Undetected Failures (DU)

3) Spurious Trip Failures (ST)

4) Non-Critical Failures (NONC)

So according to the PDS method, the total failure rate λ = λ(DD) + λ(DU) + λ(ST) + λ(NONC)

On the contrary, IEC 61508 does not distinguish between critical and non-critical failures and uses safe failures as a collective term for both ST and NONC failures. In addition, IEC 61508 does not include random detection by personnel as part of DD failures.

OLF, The Norwegian Oil Industry Association, Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry, Revision 02, Document No. OLF 070, October 2004.

SINTEF, Reliability Prediction Method for Safety Instrumented Systems: The PDS Method Handbook, SINTEF, 2010
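As an added example (not taken from the OLF 070 guideline, the PDS handbook or any post in this thread), the verification side of the quantitative route in Python: failure rates are split into the four PDS classes above, the per-subsystem PFD_avg is obtained from the simplified IEC 61508-6 style equations for 1oo1 and 1oo2 voting with a beta-factor common-cause model, the three parts of the loop are summed, and the result is placed in the SIL bands quoted earlier in the thread. All failure rates, the proof-test interval, the repair time and the beta value are constructed assumptions.

```python
"""PFD_avg verification of a low-demand SIF using PDS-style failure classes.

Added illustration, not taken from the OLF 070 guideline or the PDS handbook.
It uses the simplified IEC 61508-6 style formulas for 1oo1 and 1oo2 voting with
a beta-factor common-cause model. All failure rates, the proof-test interval,
the repair time and the beta value are constructed values for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands as quoted in the thread: (SIL, PFD lower bound, PFD upper bound)
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]


@dataclass(frozen=True)
class FailureRates:
    """Failure rates in failures per hour, split the way the PDS method does."""
    dd: float    # dangerous detected (revealed by diagnostics)
    du: float    # dangerous undetected (revealed only by proof test or demand)
    st: float    # spurious trip
    nonc: float  # non-critical

    @property
    def total(self) -> float:
        # PDS: lambda = lambda_DD + lambda_DU + lambda_ST + lambda_NONC
        return self.dd + self.du + self.st + self.nonc

    @property
    def safe_iec(self) -> float:
        # IEC 61508 does not separate ST and NONC; both count as "safe" failures
        return self.st + self.nonc


def pfd_1oo1(r: FailureRates, proof_test_years: float, mttr_hours: float = 8.0) -> float:
    """Simplified PFD_avg of a single channel: a DU failure stays hidden for on
    average half the proof-test interval, a DD failure only for the repair time."""
    t = proof_test_years * HOURS_PER_YEAR
    return r.du * t / 2 + r.dd * mttr_hours


def pfd_1oo2(r: FailureRates, proof_test_years: float, beta: float = 0.1) -> float:
    """Simplified PFD_avg of two redundant channels voting 1oo2. The beta share of
    DU failures is common cause and behaves like a single channel; the rest must
    fail independently within the same interval. DD terms neglected (assumption)."""
    t = proof_test_years * HOURS_PER_YEAR
    independent = ((1 - beta) * r.du * t) ** 2 / 3
    common_cause = beta * r.du * t / 2
    return independent + common_cause


def sil_from_pfd(pfd: float) -> int:
    """Achieved SIL band for a low-demand SIF; 0 means the PFD is above SIL 1."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-5 else 0


# Constructed rates (per hour) for the three parts of one loop (assumed values).
SENSOR = FailureRates(dd=1e-6, du=5e-7, st=2e-6, nonc=1e-6)
LOGIC_SOLVER = FailureRates(dd=2e-7, du=1e-8, st=5e-7, nonc=1e-7)
VALVE = FailureRates(dd=0.0, du=2e-6, st=1e-6, nonc=5e-7)
PROOF_TEST_YEARS = 1.0


def loop_pfd(redundant_valve: bool) -> float:
    """Whole-loop PFD_avg: initiator + logic solver + final element, not the
    logic solver alone. Optionally the valve is duplicated and voted 1oo2."""
    if redundant_valve:
        final = pfd_1oo2(VALVE, PROOF_TEST_YEARS)
    else:
        final = pfd_1oo1(VALVE, PROOF_TEST_YEARS)
    return pfd_1oo1(SENSOR, PROOF_TEST_YEARS) + pfd_1oo1(LOGIC_SOLVER, PROOF_TEST_YEARS) + final


def verify(target_sil: int, redundant_valve: bool) -> tuple[float, int, bool]:
    """(loop PFD_avg, achieved SIL band, meets the target?) for the constructed loop."""
    pfd = loop_pfd(redundant_valve)
    sil = sil_from_pfd(pfd)
    return pfd, sil, sil >= target_sil


if __name__ == "__main__":
    for redundant in (False, True):
        pfd, sil, ok = verify(2, redundant)
        print(f"1oo2 valve={redundant}: PFD_avg={pfd:.2e}, SIL {sil}, meets SIL 2: {ok}")
```

With these constructed rates the single valve dominates the loop PFD and holds it in the SIL 1 band; duplicating only the final element moves the loop into SIL 2, which is the effect of redundancy on the valve that other posts in the thread describe.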

c.ejimuda


Thank you very much for the comparison between IEC 61508 and PDS.

Good job.

More contributions are needed.

Kind regards

Chukwumaijem M Ejimuda

MSC Safety and Reliability Engineering.

Ekaterina Pavlichenko

It would seem that we are all familiar with SIL concepts and how to identify the correct SIL category for equipment to be installed on site; but who has thought about where individual SISs or indeed SIFs are heading?

We defer to IEC 61508, which is a multi-industrial international standard covering functional safety for all automatic systems and to clarify, the term “functional safety” is not the same as electrical safety or hazardous area safety. This standard does not deal with shock hazards, burn hazards, or explosive atmospheres! As we all know, it covers the correct operation of a device (its reliability) and more importantly, about how a device fails. But at the moment we only consider random and systematic failures of the device!

Should we not also be investigating more thoroughly how these failure modes are analysed?

Ekaterina Pavlichenko

The IEC 61508 functional-safety standard offers far too much freedom in the assessment of functional safety; studying IEC 61508 you'll find that it does not require the certifier to hold any specific accreditation, as is required for example of those who would issue certification on electrical safety devices.

The IEC 61511 standard (the process industry-specific functional safety standard) even resorts to statements such as "meets the requirements of IEC 61508" rather than using the statement "certified to". Consequently it's possible to decide that anyone can perform a functional safety evaluation of a sensor device per IEC 61508...

Obviously the requirements for certification need to be reviewed, particularly as we head into a world in which all process system instrumentation will eventually be certified.

c.ejimuda


Thank you very much for your contributions and giving more insight into the difference between IEC 61508 and IEC 61511.


Discussion on limitations, advantages or comparing them will be helpful too.


More contributions on SIS and SIL relationship.


Chukwumaijem M Ejimuda

MSC Safety and Reliability Engineering.

Richard Sedafor


As already discussed above, SIL is a very important tool in measuring the quality or dependability of a system which has a safety function. There are generally 3 methods of determining SIL requirements. These are the Qualitative Method, the Risk Graph Method and the Hazardous Event Severity Matrix. These are methods that are widely used in the industry.

I would want to do a comparison between the Risk Graph Method and the Layer of Protection Analysis (LOPA) developed by the Institution of Chemical Engineers U.S.A. as a method of assessing the Safety Integrity Level of SIFs.

1. The Risk Graph method can be applied relatively rapidly to a large number of functions to eliminate those with little or no safety role, whilst the LOPA can be used both as a relatively coarse filtering tool and for more precise analysis.

2. The Risk Graph method can be performed as a team exercise involving a range of disciplines and expertise, whilst the LOPA can also be performed as a team exercise, at least for a semi-quantitative assessment.

Generally, the LOPA has more advantages than the Risk Graph method. Another advantage that is worth stating is that for the LOPA, "When used quantitatively, uncertainty about residual risk levels can be reduced, so that the assessment does not need to be so conservative" [1].



Keqin Chen

SIL (Safety Integrity Level) is an important criterion for weighing the safety function of a SIS (Safety Instrumented System), e.g. the ESD (Emergency Shutdown) system or HIPPS in offshore oil and gas platforms.

Generally, three main parts make up one whole control loop: initiator, logic solver and final element. And the SIL should be calculated on the performance of the three parts together instead of focusing on the logic solver itself only. Actually, the biggest risk of the loop generally happens on the final element, such as ESD valves, for various valve-related reasons.

At the same time, if you'd like to achieve a higher level of SIL such as SIL 3 or SIL 4, the whole investment will increase dramatically. For example, the first part, the initiator (sensor), and the third part, the valve, often should be equipped redundantly.

Generally, the process on an offshore platform is not as complex as a refinery or petrochemical plant, and SIL 2 is generally sufficient.

Keqin Chen

Msc of Oil and Gas Engineering


Azeezat


I would like to add this to the points my colleagues have written above.

Definition and Basis for SIL

Safety Integrity Level (SIL) is defined as a relative level of risk reduction provided by a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a measurement of the performance required for a Safety Instrumented Function (SIF). Ref {1}

SIL is a representation of the required safety unavailability (average Probability of Failure on Demand (PFD)) of a Safety Instrumented Function (SIF).

SIL is expressed as a level 1 through level 4, which my colleagues have expressed in the above comments.

The basis for undertaking SIL can be found in a number of standards and industry guideline documents including:

IEC-61511-3: Functional Safety; safety instrumented systems for the process industry sector, Part 3, guidance for the determination of the required safety integrity level, 1st Ed, 2003

Guide to the application of IEC 61511 to Safety Instrumented Systems, Publication 222, Edition 1, 2009

Guide, Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry, Rev. 2, 2004.


Methods for SIL Determination

In practice, there are 2 methods of establishing SIL for safety instrumented

These methods are based on the standards and guidelines indicated above and include:

1.      Risk graph

2.      Layer of Protection Analysis (LOPA)

There are several problems inherent in the use of Safety Integrity Levels. These can be summarized as follows:

- harmonization of definition across the different standards bodies which utilize

- metrics for derivation of SIL

- of SIL based on reliability estimates

- complexity, particularly in software systems, making SIL estimation difficult to impossible

While the above methods are widely used in the process industry, they have inherent advantages and disadvantages enumerated in the table below {Ref. 2}.

Advantages of LOPA.

1.      Can be used both as a relatively coarse filtering tool and for more precise analysis.

2.      Can be performed as a team exercise, at least for a semi-quantitative assessment.

3.      Facilitates the identification of all relevant risk mitigation measures, and taking credit for them in the

4.      When used quantitatively, uncertainty about residual risk levels can be reduced, so that the assessment does not need to be so conservative

5.      Can be used to assess the requirements of after-the-event functions

Disadvantages of LOPA.

1.      Relatively slow compared to risk graph methods, even when used semi-quantitatively.

2.      Not so easy to perform as a team exercise; makes heavier demands on team members' time, and not so visual.

Advantages of Risk Graph Methods.

1.      Can be applied relatively rapidly to a large number of functions to eliminate those with little or no safety role, and highlight those with larger safety roles.

2.      Can be performed as a team exercise involving a range of disciplines and expertise

Disadvantages of Risk Graph Methods.

1.      A coarse method, which is only appropriate to functions where the residual risk is very low compared to the target total risk.

2.      The assessment has to be adjusted in various ways to take account of other risk mitigation measures such as alarms and mechanical protection devices.

3.      Does not lend itself to the assessment of after-the-event functions

SIL essentially is a measure of the quality or dependability of a system which has a safety function. The concept of safety integrity levels (SILs) was introduced during the development of BS EN 61508 and it was also used in BS IEC 61511 (BSI 2003). Both safety standards define various and slightly distinct methods of assessing SIL. BS EN 61508 offers 3 methods of determining SIL requirements:

  • Quantitative method.

  • Risk graph, described in the standard as a qualitative method.

  • Hazardous event severity matrix, also described as a qualitative method.

BS IEC 61511 offers:

  • Semi-quantitative method.

  • Safety layer matrix method, described as a semi-qualitative method.

  • Calibrated risk graph, described in the standard as a semi-qualitative method, but by some practitioners as a semi-quantitative method.

  • Risk graph, described as a qualitative method.

  • Layer of protection analysis (LOPA). 

Of these, the Risk graphs and LOPA are the most popular methods for determining SIL requirements, particularly in the process industry sector. 

Henry Tan

Since the contents in your post are so close to the above post by Azeezat, you should at least mention something already discussed in this blog.

The value of this post could be improved by including discussions.

There are two fundamental evaluation steps.
1) Confirm that hazard and risk analysis has been undertaken by qualitative or quantitative methods to determine the required risk reduction level for each safety instrumentation function;
2) Confirm that existing safety instrumentation functions have been evaluated to ensure they meet the required risk reduction level.
Based on the above principle, the evaluation process for the safety integrity level (SIL) of an entire safety instrumentation system (SIS) includes the following steps.
1) Collect process flow data;
2) Analyze hazards to determine the safety instrumentation functions of the SIS;
3) Analyze risks to determine the targeted SIL of the SIS;
4) Determine the operation mode for the SIS;
5) Determine the structural constraints of the SIS;
6) Determine reliability data for the SIS;
7) Calculate the SIL (the methods for calculating SIL mainly include simplified equations, fault tree analysis, Markov analysis and reliability block diagrams);
8) Evaluate the SIL of the SIS.

Thomas James Smith

In the UK the most commonly used method for assessing the functional safety level of an assigned safety function is IEC 61508 and 61511.

Hazards are identified as part of a group review, and mitigation measures are put in place. Any mitigation that requires an instrument protective function will require that the safety function is reviewed as part of a SIL review to determine the required integrity level for the protective function. Once the SIL level is established it is important to then verify that the designed protective function meets the assigned functional safety level. Calculations should be completed to determine the probability of failure on demand of the protective function.

Manuel Maldonado


All the comments focus on how to assess the Safety Integrity Level, but I was not able to see a clear definition of the SIL and what it is used for, apart from the concepts given by Chen. The idea of knowing what SIL is and what it intends to do can give us a reason why it is important, why it needs to be assessed and how it can be assessed.

The SIL is a measure of the safety performance in terms of probability of failure on demand for a safety function or a safety instrumented system. A high SIL level is related to a high associated safety level and a lower probability that a system will fail to perform properly. The selection of a needed SIL level for a process plant depends on the levels of risk which can be considered acceptable to personnel and assets. It is always done based on the business strategies, budgets, insurance levels and also the company's wealth. The SIL system then becomes very important to ensure the process plants are protected and fail to safe conditions when a risk event or a safety or integrity threat is perceived by the safety systems.

The SIL requirements can be defined by the use of different methods such as: quantitative methods, risk graphs (qualitative method), hazardous event severity matrix and Layer of Protection Analysis (LOPA). The risk graph is a very conservative approach intended to avoid any effects or risks being underestimated by the tool. It is used when a number of functions protect the plant against different hazards. The method involves a team of members from different disciplines of the organization or disciplines required by the plant operations. The LOPA is used for more precise analysis. It facilitates the identification of all risk mitigation measures. Uncertainty of residual risk can be minimized when it is used quantitatively.

Mehran Vakil

SIL, the abbreviation of safety integrity level, is a concept described as a decrease in probability of risk and the functional tendency of instruments towards a reliable manner (Magnetrol, 2012).
There are three main methods for assessing SIL (Wikipedia, 2012):
1) risk matrices
2) risk graph
3) layer of protection analysis (LOPA)
*LOPA is a widespread method for SIL assignment. For definition, I would cite that during the industrial processes (e.g. installation, operation and decommissioning), the occurrence of risks is inescapable. However, setting up and organizing a number of supportive layers could be more helpful in tackling hazardous impacts and reducing the undesired consequences. Thus, by arranging a table and allocating each row and column to the probability and severity of an event, we can identify the likelihood of risks and then cope with them by quite a few protection layers. I wonder whether the origin of the ABS brake comes from the LOPA idea.
Remember, it is impossible to attain 100% reliability.

1) Gulland, W. G. (2004) Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons [Online]. Available: [Accessed 26/11 2012].
2) Magnetrol (2012) Understanding Safety Integrity Level [Online]. Available: [Accessed 26/11 2012].
3) Wikipedia (2012) Safety Integrity Level [Online]. Available: [Accessed 26/11 2012].
