From risk to SIL: how a protection is sized

SIL is not a label you pick, it is a level you calculate from the risk. Here is the chain of reasoning, from the hazard to the required integrity level — with the numbers.

The SIL is not chosen, it is calculated

A common mistake: “let’s go with SIL 3 to be on the safe side.” The SIL is not a comfort level you buy, it is the result of a calculation that starts from the actual risk. Aiming too high is expensive and does not make things safer if the rest does not keep up; aiming too low leaves an unacceptable risk.

The chain of reasoning

1. Identify the hazard. What serious event could occur? An overpressure, an overflow, a runaway reaction. We use structured methods such as the HAZOP (hazard and operability study).

2. Assess the risk. Risk combines two factors:

$$\text{Risk} = \text{Severity} \times \text{Frequency}$$

How severe are the consequences (injuries, fatalities, environmental damage)? How often can the scenario occur? You then compare with the tolerable risk, whose typical order of magnitude for individual risk is 10⁻⁴ to 10⁻⁵ per year.

3. Determine the necessary risk reduction. The gap between the risk without protection and the tolerable risk is the risk reduction factor (RRF) the safety function must provide. The common method is the LOPA (layer of protection analysis).

From the reduction factor to the SIL

Each reduction factor maps to a SIL, and each SIL maps to a band of average probability of failure on demand ($\mathrm{PFD}_{avg}$), linked by:

$$\mathrm{RRF} = \frac{1}{\mathrm{PFD}_{avg}}$$

| SIL | Risk reduction (RRF) | PFDavg (low demand) |
|---|---|---|
| SIL 1 | 10 – 100 | 10⁻¹ – 10⁻² |
| SIL 2 | 100 – 1,000 | 10⁻² – 10⁻³ |
| SIL 3 | 1,000 – 10,000 | 10⁻³ – 10⁻⁴ |
| SIL 4 | 10,000 – 100,000 | 10⁻⁴ – 10⁻⁵ |

These bands apply in low-demand mode (the function is called upon less than once a year), which is the usual situation in the process industries. In high-demand or continuous mode, you no longer reason in PFDavg but in PFH (probability of dangerous failure per hour). The risk reduction → SIL calculator and the PFD → SIL calculator perform these conversions directly.

PFD is built up, not decreed

Once the SIL is known, it becomes a target for the safety instrumented function (SIF), implemented by a safety instrumented system (SIS). The PFD of a SIF is the sum of its subsystems’ contributions:

$$\mathrm{PFD}_{avg} = \mathrm{PFD}_{sensor} + \mathrm{PFD}_{logic} + \mathrm{PFD}_{final}$$

Sensor PFD ≈ 1.2·10⁻³
Logic solver PFD ≈ 2·10⁻⁴
Final element PFD ≈ 4·10⁻³
PFDavg ≈ 5.4·10⁻³ → SIL 2
RRF = 1 / PFDavg ≈ 185

In this example the final element (the valve) dominates the PFD: it is almost always the weak link of a SIF, being the mechanical part and the least reliable one. Reaching a SIL is therefore not just a matter of hitting a number: the architecture (redundancy) and the tolerance to hardware faults have to follow. A 1oo2 architecture tolerates one failure (hardware fault tolerance HFT = 1); the SFF (safe failure fraction) must also reach a minimum threshold imposed by the standard. This point is developed in the article Functional safety and IEC 61508.
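The whole chain described above, from the scenario frequency to the required RRF and target SIL, then from the subsystem PFDs of the worked example to the achieved SIL, as an added Python example that is not code from this page or from IndustryHub. The function names, the `SifBudget` class and the frequencies used in the demo are assumptions constructed for illustration; the band boundaries follow the IEC 61508 PFDavg intervals for low-demand mode (high-demand mode, which reasons in PFH, is deliberately not modelled). It also shows the check a practitioner wants beyond the SIL band: two designs can sit in the same SIL band yet differ by almost a factor of ten in RRF, so the raw RRF is compared as well.

```python
"""Sizing chain for a low-demand safety instrumented function (SIF):
scenario frequency -> required RRF -> target SIL, then the subsystem
PFD budget -> PFDavg -> achieved SIL, checked against that target.

Low-demand mode only: bands are in PFDavg. High-demand / continuous mode
reasons in PFH and is not modelled here. All frequencies and PFD values
used in the demo are constructed for illustration.
"""
from dataclasses import dataclass, fields
from typing import Optional

# Low-demand SIL bands as RRF intervals (lo, hi], i.e. PFDavg in [1/hi, 1/lo).
# Boundary convention follows IEC 61508 (SIL 1: 1e-2 <= PFDavg < 1e-1, ...),
# so an RRF of exactly 100 is still SIL 1.
SIL_BANDS = ((1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000))


def required_rrf(unmitigated_freq_per_year: float, tolerable_freq_per_year: float) -> float:
    """Risk reduction the SIF must provide: the gap between the scenario
    frequency with no protection and the tolerable frequency (severity is
    assumed already folded into the choice of tolerable frequency)."""
    if unmitigated_freq_per_year <= 0 or tolerable_freq_per_year <= 0:
        raise ValueError("frequencies must be strictly positive")
    return unmitigated_freq_per_year / tolerable_freq_per_year


def sil_from_rrf(rrf: float) -> Optional[int]:
    """Map an RRF to a SIL. None: RRF <= 10, no SIL-rated function needed.
    ValueError: RRF above the SIL 4 band, a single SIF cannot carry it."""
    if rrf <= 10:
        return None
    for sil, lo, hi in SIL_BANDS:
        if lo < rrf <= hi:
            return sil
    raise ValueError(f"RRF {rrf:.0f} is beyond SIL 4: add independent layers or redesign")


def sil_from_pfd(pfd_avg: float) -> Optional[int]:
    """Achieved SIL from a PFDavg, via RRF = 1 / PFDavg."""
    if pfd_avg <= 0:
        raise ValueError("PFDavg must be strictly positive")
    return sil_from_rrf(1.0 / pfd_avg)


@dataclass
class SifBudget:
    """PFDavg contributions of the three subsystems of one SIF (assumed split)."""
    sensor: float
    logic: float
    final_element: float

    @property
    def pfd_avg(self) -> float:
        return self.sensor + self.logic + self.final_element

    @property
    def rrf(self) -> float:
        return 1.0 / self.pfd_avg

    def weakest_link(self) -> str:
        """Subsystem with the largest PFD share (typically the valve)."""
        return max(fields(self), key=lambda f: getattr(self, f.name)).name


def size_sif(unmitigated_freq_per_year: float, tolerable_freq_per_year: float,
             budget: SifBudget) -> dict:
    """Full chain. 'meets_target' requires both the SIL band and the raw RRF,
    because two designs in the same SIL band can differ by almost 10x."""
    need = required_rrf(unmitigated_freq_per_year, tolerable_freq_per_year)
    target = sil_from_rrf(need)
    achieved = sil_from_pfd(budget.pfd_avg)
    sil_ok = target is None or (achieved is not None and achieved >= target)
    return {
        "required_rrf": need,
        "target_sil": target,
        "pfd_avg": budget.pfd_avg,
        "achieved_rrf": budget.rrf,
        "achieved_sil": achieved,
        "meets_target": sil_ok and budget.rrf >= need,
        "weakest_link": budget.weakest_link(),
    }


if __name__ == "__main__":
    # Constructed budget using the article's worked figures.
    budget = SifBudget(sensor=1.2e-3, logic=2e-4, final_element=4e-3)
    # Constructed LOPA outcomes: two unmitigated frequencies against 1e-4 /yr tolerable.
    for unmitigated in (1.5e-2, 2e-2):
        r = size_sif(unmitigated, 1e-4, budget)
        print(f"need RRF {r['required_rrf']:.0f} (SIL {r['target_sil']}), "
              f"have RRF {r['achieved_rrf']:.0f} (SIL {r['achieved_sil']}), "
              f"meets target: {r['meets_target']}, weakest: {r['weakest_link']}")
```

With the page's figures the budget gives PFDavg 5.4·10⁻³, RRF ≈ 185, SIL 2. Against a constructed requirement of RRF 150 that is sufficient; against RRF 200 the SIL band is still 2 but the check fails, which is exactly the gap a band-only comparison hides.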

The mistake you must never make

Entrusting protection to the system that already handles control. The control loop that drives the process must not be the one that protects it: if it fails, you lose both at once. The safety system is independent of the control system — a fundamental principle, detailed in the article on the control loop and framed by the standards IEC 61508 and IEC 61511.