SIL is a risk-reduction target, not a product rating
A safety instrumented function achieves a SIL when its design, installation and proof testing together meet the required probability of failure on demand. No single device is inherently a SIL.

A safety instrumented function achieves a SIL when its design, installation and proof testing together meet the required probability of failure on demand. No single device is inherently a SIL.
A SIL target comes out of the hazard analysis through LOPA or a risk graph. Specifying hardware before that target exists usually leads to rework and weak documentation.
Process plant follows IEC 61511, built on IEC 61508. Guarding and machinery interlocks follow ISO 13849 or IEC 62061. The metrics and the verification differ, so the boundary matters.
Functional safety is the part of plant safety that depends on a protection system responding correctly to its inputs. On Australian process plant the working standard is IEC 61511, the process-sector application of the base standard IEC 61508. Machinery and guarding follow a separate path under ISO 13849 or IEC 62061. The common thread is a disciplined sequence: identify the hazard, decide how much risk reduction is needed, design a safety function that delivers it, then prove it keeps delivering over the life of the plant.
A Safety Integrity Level (SIL) is a target for how much risk reduction a safety function must provide. It is determined by the hazard analysis, not chosen by the engineer or implied by the hardware that happens to be available. For delivery support, see functional safety and PLC, SCADA and HMI programming.
In Australia these are adopted through the AS IEC and AS/NZS series, and engineers generally work to the IEC numbering day to day (Standards Australia).
A SIL is a band, not a score on a device. For a safety function operating in low-demand mode, called on no more than once a year, integrity is expressed as the average probability of failure on demand, written PFDavg.
| SIL | PFDavg (low demand) | Risk reduction factor | Typical process application |
|---|---|---|---|
| SIL 1 | 0.1 to 0.01 | 10 to 100 | Pump trip on high pressure, agitator interlock, overfill protection |
| SIL 2 | 0.01 to 0.001 | 100 to 1,000 | High-integrity pressure protection, prevention of a toxic or flammable release |
| SIL 3 | 0.001 to 0.0001 | 1,000 to 10,000 | High-consequence release prevention, common in oil, gas and petrochemical |
| SIL 4 | 0.0001 to 0.00001 | 10,000 to 100,000 | Very rare; usually avoided by changing the process or adding independent layers |
For a function in high-demand or continuous mode, called frequently, integrity is expressed instead as a probability of dangerous failure per hour (PFH). Most process trips are low demand. Most machine guards are high demand. That distinction decides which metric, and often which standard, applies.
A SIL claim has two parts. The first is the random-failure target, the PFDavg or PFH calculated from device failure rates. The second is the architectural constraint, a minimum hardware fault tolerance for the claimed SIL, plus the systematic capability covering design and software faults. A loop can meet the PFDavg number and still fail the claim on architecture or systematic capability. Most Australian food, beverage and general manufacturing sites work in the SIL 1 to SIL 2 range; SIL 3 is uncommon outside resources and petrochemical.
A safety instrumented function (SIF) is a single protective loop with a defined purpose, for example "close the inlet valve on high tank level to prevent overfill". It comprises sensors that detect the hazardous condition, a logic solver that decides, and final elements such as a valve or contactor that bring the process to a safe state. The safety instrumented system (SIS) is the collection of all SIFs on a plant, and a function is only as good as its weakest credited element.
IEC 61511 organises the work as a safety lifecycle:
Underneath it all sits functional safety management: the plan, the competence of the people doing each activity, and the records. The operator owns the lifecycle and may delegate engineering to a competent integrator, but competence and management are part of the compliance record. The same lifecycle discipline carries through systems integration and control panel engineering on a safety scope.
The SRS deserves emphasis because a weak one is the most common cause of trouble later. For each SIF it should state the safe state and how it is reached, the trigger condition and trip set point, the required SIL and demand mode, the proof test interval, the response time, and the behaviour on loss of power or air. That level of detail lets the verifier calculate PFDavg against real device data and gives the operator a clear basis for validation. A vague SRS pushes those decisions into the build, where they cost more to correct.
Two methods dominate practice. A risk graph is qualitative: it walks consequence severity, frequency of exposure, possibility of avoidance and demand rate through a calibrated matrix and reads off a SIL. It is quick and suits screening many scenarios, but the calibration embeds the organisation's risk criteria, and results near a band boundary can be hard to defend.
Layer of Protection Analysis (LOPA) is semi-quantitative. It takes one cause-consequence pair, assigns a frequency to the initiating event, multiplies in the probability of failure on demand of each independent protection layer (IPL) that genuinely sits between cause and consequence, and compares the result with a tolerable frequency. Whatever gap remains is the job of the SIF, and that gap sets its required SIL (ISA technical reports document the conventions).
The choice is one of proportion: a risk graph for routine screening, LOPA when a scenario is significant, when several layers are credited, or when the answer needs to survive scrutiny near a boundary.
The figures below are illustrative only, not drawn from any Metromotion Controls project or named client.
Consider a jacketed mixing vessel in a food plant. The scenario is overpressure from a blocked outlet while the feed pump continues to run, with the consequence a vessel rupture that could seriously injure an operator nearby.
Multiplying through gives an intermediate frequency of 1 x 10^-3 per year against a target of 1 x 10^-5. The gap is a factor of 100, so the SIF must provide a risk reduction factor of 100, a PFDavg of 0.01. That sits at the boundary between SIL 1 and SIL 2, and good practice is to design for SIL 2 to keep margin against the band edge.
The SIF might be a pressure transmitter tripping the feed pump contactor through a certified safety logic solver. The verification engineer selects devices with published failure data, chooses an architecture (a single transmitter, or a 1oo2 pair if one device cannot meet SIL 2 at the chosen proof test interval) and calculates PFDavg for the whole loop. If the number misses 0.01 with margin, the fix is better architecture, better devices or a shorter test interval, not a relaxed target.
A SIL is a prediction about the future, and proof testing is what keeps the prediction true. Devices accumulate dangerous undetected failures that on-line diagnostics cannot see; a proof test exercises the function end to end so those hidden failures are found and corrected. The test interval is an input to the PFDavg calculation, so it is not arbitrary: lengthening it raises PFDavg, and the interval is chosen so the loop stays inside its band with margin. Many SIL 1 and SIL 2 process loops are tested annually, but the correct figure always comes from the verification calculation for that loop.
Two points are often missed. The test must detect the failure modes the calculation assumes it detects; a test that exercises the logic but never confirms the valve fully strokes does not validate the final element. And coverage is rarely 100 per cent, so the uncovered fraction should be carried in the calculation. Partial stroke testing is one way to extend intervals on large valves where a full stroke is operationally difficult.
Where the hazard is a machine rather than a process, the rulebook changes. ISO 13849 expresses integrity as a Performance Level, PL a to PL e, derived from architecture category, component reliability (MTTFd), diagnostic coverage and common-cause resistance. IEC 62061 covers the same domain using SIL in a high-demand context. The deciding factor is demand mode: a guard interlock operates many times a shift and belongs under the machinery standards; a process trip called once a year is low demand under IEC 61511. Both worlds coexist on a real plant, so the boundary should be drawn explicitly in the design. Our guide to machine safety risk assessment covers the machinery side.
The legal driver sits in the Work Health and Safety framework rather than a standard that names SIL. Safe Work Australia's model Code of Practice on managing the risks of plant places a duty on those who design, supply, install and use plant to eliminate or minimise risk so far as is reasonably practicable, including the control systems that keep plant within safe limits (Safe Work Australia, managing the risks of plant). Where instrumented protection discharges that duty, IEC 61511 is the accepted way to demonstrate it is adequate and maintained. Major hazard facilities also owe a safety case, with SIL assessment a normal part of the evidence, and state and territory WHS regulators administer the duties locally.
In parallel, AS/NZS 3000 governs the installation work and AS/NZS 61439 the low-voltage assemblies that house the safety system, which matters whenever a safety scope touches a control panel. The same backdrop shapes automation upgrades and any change to existing protection under management of change.
The order is fixed: hazard first, risk-reduction target second, design third, proof testing for the life of the plant. The cheapest place to get it right is the front end: a clear hazard study, a determination method matched to the scenario, a complete SRS and a verification calculation against real device data give a SIF that meets its target with margin and a record that stands up to scrutiny. Engaging functional safety competence early keeps the assessment driving the design rather than the design forcing the assessment.
Tommy Kim writes for Metromotion Controls, a Melbourne control systems integrator delivering PLC, SCADA, controls integration and commissioning for food, beverage, dairy and FMCG manufacturers across Australia.
Functional safety assessment, SIL determination, safety instrumented functions and machine safety to IEC 61508, IEC 61511 and ISO 13849.
Industrial control panels, MCC design, switchboard automation and EPLAN documentation.
Commissioning engineers, FAT, SAT, loop checks, startup support and control system audits.
Automation, traceability, CIP, SCADA and production data for Australian food and beverage plants.
Planning an upgrade without losing production on a live Australian manufacturing site.

Practitioner guide to scoping industrial automation for Melbourne manufacturers: control stack scope, greenfield versus brownfield, and choosing an integrator.
Key point
Scope from the operating constraint
Published 8 Apr 2026

Buyer guide to PLC programming in Melbourne: process-first design, modular code, language choice, diagnostics, FAT discipline and operator support.
Key point
Process understanding comes before code
Published 7 Apr 2026

How beverage automation reduces variability: recipe and batch control, versioned recipes you can trace back in time, work orders as a single live source of truth, and a historian that records exactly how every batch was made.
Key point
A single live source of truth
Published 3 June 2026
Map out scope, delivery approach and what to have ready before the first conversation. Answer a few questions and Metromotion Controls returns a tailored scoping brief on screen.