SIL Levels Apply to Safety Instrumented Functions

I caught up with Riyaz Ali who is in our organization managing Emerson’s Fisher brand of valves and regulators. You may recall Riyaz from some earlier posts on safety valve local control panels, partial-stroke test in safety applications, and testing safety solenoid valves.

Riyaz has been hearing more and more questions from process manufacturers, consultants, integrators, and other automation professionals about the adoption of the IEC 61508 and IEC 61511 international safety standards. These questions tend to get very specific about the safety integrity levels (SIL) for the components within the Safety Instrumented Function (safety loop.) Today all components of the safety instrumented function (SIF) including the logic solver, sensor, and final control element may have microprocessors that can perform self-diagnostics and communicate these diagnostics digitally to the logic solver.

Riyaz wanted to help clarify some questions on SIL ratings and field devices. If a process manufacturer hears that that field device is “SIL 3-rated” in accordance with IEC 61508, this is not the case. Field devices alone are not capable of a particular SIL rating.

These devices may be suitable for use in a SIL 3-rated safety instrumented function. In other words, this SIL rating applies to the entire loop and not the individual components within the loop.

The second key point Riyaz made with me is that a single microprocessor-based device (categorized as Type B in the IEC 61508 part 2, table 3) cannot have suitability for use in a SIL 3 safety instrumented function without additional hardware fault tolerance per these IEC standards.

Obviously, there is quite a bit to these safety standards and their application, and I hope some of these blog posts on the topic of safety help you in your adoption of these standards in your facilities.

Posted Friday, April 27th, 2007 under Safety.



  1. Jeff Payne says:

    I agree that there is significant confusion in the usage of the term “SIL” in this market, where it is used to define the rating of a device (actually SIL capability as you describe) the rating of a safety function (SIF), and as a general reference to IEC 61508 / 61511 (“SIL Certified”).
    Hopefully this is something that we can educate our customers about, rather than defaulting to the inaccurate market lingo that is gaining too much ground.
    One concern about the following statement:
    “a single microprocessor-based device (categorized as Type B in the IEC 61508 part 2, table 3) cannot have suitability for use in a SIL 3 safety instrumented function without additional hardware fault tolerance”
    Part 2, Table 3 indicates that a type B device (subsystem) with a SFF of >= 99% does not require additional hardware fault tolerance for SIL 3 capability.
    Can you clarify with Riyaz what he intended? Granted, it can be quite challenging to develop a type B device with a 99% SFF, but that is a different issue.

  2. Riyaz Ali says:

    Jeff, I agree theoretically someone may show SFF>99% to get SIL3 SIF suitability without hardware fault tolerance of field device. But as you pointed out rightly that it will be a great challenge to get type B device to have >99% SFF. Secondly for SIL3 SIF loop to have single valve is far from reality. Based on discussions with oil giants, refineries, chemical and petrochemical HAZOP team, it has been pointed out that for output device like “Final Control Element” of SIF loop, it will not be a challenge but a mammoth task to show SFF>99%. The reason being that final control element not only has to withstand process conditions but external environmental conditions (humidity, temperature, corrosion etc) and also operating media (typically most of the on – off shut down valves are pneumatically operated by air. Certainly there are electrical MOV are also possible). This is the point I wish to share with end user community that may be few manufacturers who show SFF of 100% for their kind of device is just like a “mirage” and not a reality.

  3. Christian Beltran says:

    We are about to acquire a DCS in a thermoelectric Plant but we need to know how to establish the security instrumented level for this process. Is there any methodology we can apply!?? What is the typical SIL for a process in a boiler!??

  4. Thank you for your comment Christian. I checked with Chuck Miller who offered this guidance:

    As an answer to your question on the process of evaluating a boiler, I would direct anyone to begin with a hazards analysis as defined in IEC 61511.

    I’ll post any additional feedback I receive in another comment.

  5. Christian, Bob Gale adds the following thoughts:

    Chuck is correct; one must first begin with the PHA and identify the hazards. For each hazard one must assign the Unmitigated Risk associated with that hazard. At that point we would conduct a Layer of Protection Analysis (LOPA) to determine what safeguards may be present already, which would transform the Unmitigated Risk into a Mitigated Risk. The Mitigated Risk is then compared to one’s Tolerable Risk and the difference leads to the necessary SIL for the SIF.

    A good Rule of Thumb is that a hazard that can cause a single fatality will likely require at least SIL 2 protection from a Safety Instrumented Function.

Leave a Reply