FUNCTIONAL SAFETY SERVICES

SIL ASSESSMENT AND DETERMINATION

Summary

Define the right level of risk reduction. Build safety instrumented functions that perform when it matters most.

Why SIL Matters in Industrial Safety

Not every safety function requires the same level of performance. Some hazardous events carry catastrophic consequences if a safeguard fails. Others carry manageable risk even without automatic protection. Safety Integrity Level, or SIL, is the discrete level (1 to 4) defined in IEC 61508 and IEC 61511 that expresses how reliable a Safety Instrumented Function needs to be relative to the risk it is controlling: the higher the SIL, the lower the probability that the function fails when a demand occurs.

Getting SIL right at the start of a project prevents two costly problems. Underspecifying SIL means a safety function may not provide adequate risk reduction, leaving the facility exposed to hazard scenarios that the design should have controlled. Overspecifying SIL drives unnecessary cost into hardware selection, redundancy requirements, testing frequency, and maintenance burden, without a proportionate safety benefit.

SIL assessment and determination is the discipline that connects risk analysis to engineering specification. It provides the technical and documented basis for every safety instrumented system design decision that follows, from architecture selection through SRS development, verification, and commissioning.

SIL Assessment and SIL Determination: What Is the Difference?
SIL Determination

SIL determination establishes what level of risk reduction a Safety Instrumented Function (SIF) must provide. It answers the question: given the hazardous event this SIF is designed to prevent, what probability of failure on demand (or, for high-demand and continuous-mode functions, what average frequency of dangerous failure per hour) is required to reduce risk to a tolerable level?

The determination process considers the severity and frequency of the hazardous event, the existing independent protection layers and their reliability, the risk tolerance criteria for the facility or organization, and the residual risk that the SIF must address after all other safeguards are accounted for.

Common methods for SIL determination include:

  • LOPA (Layer of Protection Analysis): a semi-quantitative method that multiplies the initiating event frequency by the probability of failure of each independent protection layer, compares the result with the tolerable frequency, and calculates the risk reduction factor the SIF must provide; that factor maps directly onto a SIL target
  • Risk Graph: a qualitative method using consequence severity, occupancy (frequency and exposure time), probability of avoiding the hazard, and demand rate to arrive at a SIL target
  • Calibrated Risk Graph: a risk-graph approach whose parameter bands are calibrated to the organization's quantitative risk criteria for greater consistency between teams and studies
  • Quantitative Risk Analysis (QRA): a full probabilistic method used where risk criteria are expressed in numerical terms and the simpler methods cannot resolve the scenario with enough confidence

SIL Assessment

SIL assessment evaluates whether a proposed or existing Safety Instrumented System (SIS) design actually achieves the SIL required by the determination study. It confirms that the combination of hardware, architecture, software, and operating and maintenance procedures will deliver the required average probability of failure on demand (PFDavg) for low-demand functions, or average frequency of dangerous failure per hour (PFH) for high-demand and continuous-mode functions, over the proof test interval.

A complete SIL assessment examines:

  • Hardware fault tolerance (HFT) of each subsystem relative to the minimum HFT requirements of IEC 61511 or the route 1H/2H requirements of IEC 61508-2
  • Safe failure fraction (SFF) of each subsystem (sensor, logic solver, and final element), since SFF is a subsystem property rather than a property of the complete SIF
  • Average probability of failure on demand (PFDavg) using failure rate data, redundancy configurations, and proof test intervals
  • Systematic capability of the hardware and software against the required SIL
  • Common cause failure (CCF) analysis and beta factor assessment
  • Software lifecycle documentation and software systematic integrity requirements
  • Operating and maintenance procedures that form part of the overall SIF design

Standards Alignment
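To make the PFDavg and CCF items above concrete, here is a worked SIL assessment in Python. It is an added example, not code from the original page or from any Arista Cyber tool, and every failure rate, beta factor, and proof test interval in it is a constructed illustration rather than vendor or OREDA data. It uses the simplified IEC 61508-6 form of the PFDavg equations for 1oo1, 1oo2 and 2oo3 voting, neglecting repair time and diagnostic coverage so that only dangerous undetected failures and the proof test interval count, and it treats the SIF PFDavg as the sum of its subsystem PFDavg values (the usual series approximation). The point it demonstrates is that landing inside a SIL band is not the same as meeting the RRF-derived target from determination, and that adding redundancy to the dominant subsystem is capped by the common cause term.

```python
"""Worked SIL assessment: PFDavg of a SIF from its subsystems, with beta-factor CCF.
Added example with constructed data; not the page's own tool or method."""

# IEC 61508 / IEC 61511 low-demand PFDavg bands: SIL -> [lower, upper)
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}
HOURS_PER_YEAR = 8760.0


def sil_for_pfd(pfd):
    """Return the SIL whose PFDavg band contains pfd, or None if outside SIL 1..4."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def pfd_avg(lambda_du, ti_hours, arch="1oo1", beta=0.1):
    """Simplified PFDavg of one subsystem (IEC 61508-6 Annex B form).
    Assumptions: repair time and diagnostics neglected, so only dangerous undetected
    failures (lambda_du, per hour) and the proof test interval (ti_hours) matter;
    beta is the common cause fraction shared by redundant channels."""
    t_ce = ti_hours / 2                  # mean channel down time between proof tests
    t_ge = ti_hours / 3                  # mean group down time for 1oo2 / 2oo3 voting
    lam_ind = (1.0 - beta) * lambda_du   # independent part of the failure rate
    if arch == "1oo1":
        return lambda_du * t_ce          # single channel: no CCF split
    if arch == "1oo2":
        return 2 * lam_ind**2 * t_ce * t_ge + beta * lambda_du * t_ce
    if arch == "2oo3":
        return 6 * lam_ind**2 * t_ce * t_ge + beta * lambda_du * t_ce
    raise ValueError(f"unsupported architecture {arch}")


def assess_sif(subsystems, ti_hours, required_pfd):
    """Sum subsystem PFDavg values (series: any subsystem failing fails the SIF) and
    compare the total against both the SIL band and the RRF-derived target."""
    parts = {name: pfd_avg(lam, ti_hours, arch, beta)
             for name, (lam, arch, beta) in subsystems.items()}
    total = sum(parts.values())
    return {
        "pfd_avg": total,
        "sil_achieved": sil_for_pfd(total),
        "meets_target": total <= required_pfd,
        "dominant": max(parts, key=parts.get),   # subsystem contributing most PFD
        "parts": parts,
    }


# Constructed inputs (illustrative only): a LOPA asked for RRF 500, i.e. PFDavg <= 2e-3,
# which sits in the SIL 2 band; proof test once a year.
REQUIRED_PFD = 2e-3
TI = HOURS_PER_YEAR

# name -> (lambda_DU per hour, voting architecture, beta); all values constructed
DESIGN_A = {
    "pressure transmitters": (5e-7, "1oo2", 0.05),
    "logic solver":          (1e-8, "1oo1", 0.0),
    "shutdown valve":        (2e-6, "1oo1", 0.0),
}
# Same SIF with a second shutdown valve in 1oo2, assuming beta = 0.1 for the valve pair
DESIGN_B = {**DESIGN_A, "shutdown valve": (2e-6, "1oo2", 0.1)}

RESULT_A = assess_sif(DESIGN_A, TI, REQUIRED_PFD)
RESULT_B = assess_sif(DESIGN_B, TI, REQUIRED_PFD)

if __name__ == "__main__":
    for label, res in (("Design A", RESULT_A), ("Design B", RESULT_B)):
        print(f"{label}: PFDavg={res['pfd_avg']:.2e} SIL band={res['sil_achieved']} "
              f"meets target={res['meets_target']} dominant={res['dominant']}")
        for name, pfd in res["parts"].items():
            print(f"    {name:24s} {pfd:.2e}")
```

Design A falls inside the SIL 2 band (PFDavg about 8.9e-3) yet fails the 2e-3 target, because the single valve contributes almost all of the PFD. Design B doubles the valve and lands at about 1.1e-3, but the 1oo2 valve PFD is dominated by the beta term (0.1 × λDU × TI/2 = 8.76e-4), so a lower beta through diversity, or a shorter proof test interval, would buy more than a third valve would.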

Our SIL assessment and determination work is structured to meet the requirements of:

  • IEC 61511: Functional safety of safety instrumented systems for the process industry sector. This is the primary standard governing SIS design in oil and gas, chemicals, and process manufacturing.
  • IEC 61508: Functional safety of electrical, electronic, and programmable electronic safety-related systems. This is the foundational standard and governs the SIS component and software development.
  • ISA 84 (ANSI/ISA-84.00.01): the US adoption of IEC 61511, with essentially identical requirements for process industry safety instrumented systems plus a grandfather clause for systems designed before its publication.
  • ISA/IEC 62443: where cybersecurity requirements interact with SIS design, particularly for networked or remotely accessible safety systems, we incorporate the relevant security-by-design principles. IEC 61511:2016 itself requires a security risk assessment of the SIS, so this is part of compliance rather than an optional extra.

All assessments are documented in a format that supports audit, regulatory review, and downstream use in SRS development and verification activities.

Understanding SIL Levels

IEC 61508 and IEC 61511 define four Safety Integrity Levels. For a SIF operating in low-demand mode, each level corresponds to a band of average probability of failure on demand (PFDavg), with the lower bound included and the upper bound excluded:

  • SIL 1: PFDavg from 0.01 up to (but not including) 0.1 (risk reduction factor of 10 to 100)
  • SIL 2: PFDavg from 0.001 up to 0.01 (risk reduction factor of 100 to 1,000)
  • SIL 3: PFDavg from 0.0001 up to 0.001 (risk reduction factor of 1,000 to 10,000)
  • SIL 4: PFDavg from 0.00001 up to 0.0001 (risk reduction factor of 10,000 to 100,000), rarely required in process industry applications, where a process redesign is normally preferred

The SIL target drives architecture requirements, component selection, proof test frequency, and the rigor required in design documentation. Matching the SIL target precisely to the risk scenario, rather than defaulting to a higher level for conservatism, is one of the key outcomes of a well-executed determination study.

How SIL Determination Connects to HAZOP

SIL determination does not stand alone. It draws directly from the output of HAZOP or HAZID studies, which identify the hazardous scenarios, their credible causes, existing safeguards, and the consequences of safeguard failure.

In a typical project sequence, HAZOP identifies a hazardous scenario and flags that a Safety Instrumented Function is required as a safeguard. LOPA then takes that scenario, assigns credit to all independent protection layers identified in the HAZOP, quantifies the remaining risk gap, and determines what risk reduction factor the SIF must provide. That risk reduction factor translates directly into a SIL target.
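The sequence just described, from HAZOP scenario through IPL credits to a required risk reduction factor and SIL target, is a short calculation once the inputs are agreed. The following Python is an added example, not code from the original page or an Arista Cyber deliverable, and the initiating event frequency, conditional modifier, IPL credits and tolerable frequency in it are constructed illustrations rather than values from any real study or the organization's risk criteria. It carries three variants of one scenario through LOPA so the three possible outcomes are visible: a SIL-rated SIF is needed, a SIF is needed but the gap is too small to be SIL-rated, and the existing layers already meet the target.

```python
"""Worked LOPA example: from a HAZOP scenario to the required RRF and a SIL target.
Added example with constructed numbers; not the page's own tool or method."""
from dataclasses import dataclass, field, replace

# IEC 61508 / IEC 61511 low-demand PFDavg bands: SIL -> [lower, upper)
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def sil_for_pfd(pfd: float):
    """Return the SIL whose PFDavg band contains pfd, or None if outside SIL 1..4."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


@dataclass
class Scenario:
    name: str
    initiating_event_freq: float                               # events per year
    conditional_modifiers: dict = field(default_factory=dict)  # name -> probability
    ipl_credits: dict = field(default_factory=dict)            # IPL name -> credited PFD
    target_freq: float = 1e-5                                  # tolerable frequency per year


def lopa(s: Scenario) -> dict:
    """Quantify the risk gap the SIF must close and translate it into a SIL target."""
    freq = s.initiating_event_freq
    for p in s.conditional_modifiers.values():   # e.g. probability of ignition, occupancy
        freq *= p
    for pfd in s.ipl_credits.values():           # each IPL scales the frequency by its PFD
        freq *= pfd
    required_rrf = freq / s.target_freq          # RRF the SIF must supply; <= 1 means none
    result = {"scenario": s.name, "mitigated_freq_without_sif": freq,
              "required_rrf": required_rrf, "sif_required": required_rrf > 1,
              "required_pfd": None, "sil_target": None, "note": ""}
    if required_rrf <= 1:
        result["note"] = "existing IPLs already meet the target; no SIF required"
        return result
    required_pfd = 1.0 / required_rrf
    result["required_pfd"] = required_pfd
    result["sil_target"] = sil_for_pfd(required_pfd)
    if required_rrf < 10:
        result["note"] = "RRF < 10: a SIF here would not be SIL-rated; add a non-SIS layer"
    elif result["sil_target"] is None:
        result["note"] = "RRF beyond SIL 4: redesign the process or add independent layers"
    return result


# Constructed sample scenario (illustrative numbers, not from any real HAZOP or LOPA)
HIGH_PRESSURE = Scenario(
    name="Reactor overpressure from BPCS pressure-control loop failure",
    initiating_event_freq=0.1,                             # assumed: once in 10 years
    conditional_modifiers={"probability of ignition": 0.5},
    ipl_credits={"independent high-pressure alarm + operator response": 0.1},
    target_freq=1e-5,
)
# Same scenario where the HAZOP also credits a relief valve as an IPL
WITH_PSV = replace(
    HIGH_PRESSURE,
    name="Reactor overpressure, PSV credited",
    ipl_credits={**HIGH_PRESSURE.ipl_credits, "pressure relief valve": 0.01},
)
# Same layers against a less stringent tolerable frequency
RELAXED = replace(WITH_PSV, name="Reactor overpressure, PSV credited, relaxed criterion",
                  target_freq=1e-4)

RESULTS = [lopa(s) for s in (HIGH_PRESSURE, WITH_PSV, RELAXED)]

if __name__ == "__main__":
    for r in RESULTS:
        print(f"{r['scenario']}: mitigated={r['mitigated_freq_without_sif']:.1e}/yr "
              f"RRF={r['required_rrf']:.1f} SIL target={r['sil_target']} {r['note']}")
```

The first variant needs an RRF of 500, so the SIF must achieve PFDavg of 0.002 or better, which is a SIL 2 target; crediting the PSV drops the required RRF to 5, which is a real gap but below what a SIL-rated SIF is defined for; relaxing the criterion closes the gap without a SIF. The same inputs feed the assessment step, where the RRF of 500 (not merely "SIL 2") becomes the number the architecture has to meet.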

When HAZOP and SIL determination are conducted by the same team with a consistent methodology, the traceability between hazard scenarios and SIL targets is clean and auditable. Disconnects between the two studies are a common source of compliance gaps, and our integrated approach is designed to prevent them.

When Should You Conduct SIL Assessment or Determination?

Common triggers include:

  • Following HAZOP completion, when safety instrumented functions have been identified as required safeguards
  • New SIS design projects where the required SIL must be established before architecture and hardware selection can proceed
  • Brownfield projects where existing SIS designs must be assessed against current IEC 61511 requirements
  • Major modifications to existing safety systems where SIL adequacy needs to be reconfirmed
  • Digital transformation and OT modernization projects involving the replacement of legacy logic solvers, sensors, or final elements
  • Pre-commissioning validation, where SIL achievement must be confirmed before startup
  • Periodic revalidation as part of functional safety management obligations

Our Approach

We treat SIL determination and assessment as integrated activities within the broader functional safety lifecycle, not standalone exercises. That means every output is structured to feed directly into what comes next.

01

Scope Alignment and Hazard Scenario Review

We review the HAZOP output, identify the safety instrumented functions requiring SIL determination, and confirm the risk criteria and independent protection layer definitions that will be used in the LOPA or risk graph analysis. Alignment on these inputs at the start prevents rework and keeps the study defensible.

02

SIL Determination via LOPA or Risk Graph

We conduct structured LOPA workshops or risk graph analysis for each SIF in scope. Each scenario is documented with cause, consequence, initiating event frequency, independent protection layer credits, and the resulting required risk reduction factor. SIL targets are assigned and recorded with full rationale.

03

SIL Assessment of the Proposed Architecture

For each SIF with a confirmed SIL target, we assess the proposed or existing architecture against the requirements of IEC 61511. This includes PFDavg calculation, hardware fault tolerance verification, SFF analysis, CCF assessment, and systematic capability review for both hardware and software components.

04

Documentation and Lifecycle Integration

We produce a complete SIL determination and assessment report structured to support SRS development, design verification, and functional safety assessments. Action items are documented clearly so that engineering and instrumentation teams can close gaps before the design advances.

What SIL Assessment and Determination Help You Achieve
  • A defensible, traceable SIL target for every Safety Instrumented Function, grounded in risk analysis rather than engineering conservatism or assumption.
  • Confidence that safety system design meets IEC 61511 and IEC 61508 requirements before hardware procurement and detailed engineering proceed
  • Clear input for Safety Requirement Specification development, with SIL targets and performance requirements already established
  • Avoidance of both underspecification and overspecification, reducing unnecessary cost in hardware, redundancy, and maintenance, without compromising risk reduction
  • Audit-ready documentation that supports regulatory submissions, internal assurance reviews, and third-party functional safety assessments
  • A solid foundation for downstream activities, including SRS, design verification, proof test procedure development, and FSA preparation

Typical Deliverables
Deliverables are tailored to your project scope and lifecycle stage and typically include:
  • SIL determination report with scenario register, LOPA worksheets or risk graph records, and SIL targets with rationale
  • LOPA documentation, including initiating event frequencies, IPL credits, required risk reduction factors, and SIL assignments
  • SIL assessment report covering PFDavg calculations, HFT and SFF analysis, CCF assessment, and systematic capability review
  • Action list with owner, priority, and closure guidance for gaps identified during assessment
  • Summary table of all SIFs with SIL targets, architecture configurations, and PFDavg results
  • Structured inputs for SRS development and functional safety assessment activities

Why Arista Cyber for SIL Assessment and Determination?

Safety Instrumented Systems in modern industrial environments are no longer purely mechanical and electrical. They run on programmable logic controllers, communicate over OT networks, and in many cases integrate with enterprise systems that introduce cybersecurity considerations directly relevant to SIL achievement.

What clients value about working with us:
  • Integrated functional safety and OT/ICS security perspective: we understand how networked control architectures affect systematic capability assessments and SIL achievement
  • Rigorous LOPA facilitation with consistent IPL definitions and traceable documentation that holds up under regulatory and third-party scrutiny
  • Practical outputs that align SIL targets with what is achievable in the field, not just what looks correct on paper
  • Seamless connection between SIL determination and SRS development, keeping the safety case coherent across lifecycle phases
  • Deep operational experience across high-consequence sectors, including oil and gas, energy, pharmaceuticals, and process manufacturing

We do more than assign SIL numbers. We help engineering teams understand what performance their safety systems must deliver, where current designs fall short, and which actions close the gap in a way that is practical, proportionate, and fully documented.

Ready to Define Your SIL Requirements?

Reach out to our functional safety team. We will confirm the scope, the SIL determination method most appropriate for your risk criteria, and the outputs your project needs to move forward with confidence.