Functional Safety · MAY 2026 · Updated JUNE 2026 · 11 min read

Functional Safety and SIL Assessment for Australian Industrial Sites

Key points

  1. SIL is a risk-reduction target, not a product rating. A safety instrumented function achieves a SIL band when its design, installation, and proof testing together meet the required average probability of failure on demand. No single device is inherently a SIL.
  2. The assessment drives the design. A SIL target comes out of the hazard analysis and a method such as LOPA or a risk graph. Specifying hardware before that target exists usually leads to rework and weak documentation.
  3. Process safety and machine safety use different rulebooks. Process plant follows IEC 61511 (built on IEC 61508), while guarding and machinery interlocks follow ISO 13849 or IEC 62061. The metrics and the verification differ, so the boundary matters.

Functional safety is the part of overall plant safety that depends on a protection system operating correctly in response to its inputs. On Australian process plant it is governed by IEC 61511 for the process sector, which sits on top of the base standard IEC 61508. Machinery and guarding follow a separate path under ISO 13849 or IEC 62061. The common thread across all of them is a disciplined sequence: identify the hazard, decide how much risk reduction is needed, design a safety function that delivers it, and then prove it keeps delivering it over the life of the plant.

A Safety Integrity Level (SIL) is a target for how much risk reduction a safety function must provide. It is determined by the hazard analysis, not chosen by the engineer from preference or from the hardware that happens to be available. For delivery support, see functional safety and PLC, SCADA and HMI programming.

The standards that frame the work

Functional safety has a layered standards structure, and knowing which document applies to which scope avoids a great deal of confusion.

  • IEC 61508 is the base standard for electrical, electronic, and programmable electronic safety-related systems. It defines the SIL concept, the failure-rate metrics, and the systematic-capability requirements that device manufacturers certify against. Most practitioners never apply it directly, but every certified safety device traces its claims back to it (IEC 61508 overview).
  • IEC 61511 is the process-sector application of IEC 61508, written for the operators and integrators who design safety instrumented systems on chemical, oil and gas, water, and food and beverage plant. It is the working standard for most of the assessments described here (IEC 61511 overview).
  • ISO 13849 and IEC 62061 cover the safety-related parts of machine control systems. ISO 13849 expresses integrity as a Performance Level, while IEC 62061 uses SIL in a machinery context. These apply to guarding, interlocks, and emergency stop circuits rather than to process trips (Functional safety overview).

In Australia these are adopted through the AS IEC and AS/NZS series and referenced by the wider safety and electrical framework. Standards Australia publishes the local adoptions, and operators generally work to the IEC numbering in day-to-day engineering (Standards Australia).

What a SIL actually measures

A SIL is a band, not a score on a device. For a safety function operating in low-demand mode, where demands arrive no more often than about once a year, integrity is expressed as the average probability of failure on demand, written PFDavg. The bands run as follows. Each band is one decade, and a PFDavg that lands exactly on a boundary falls in the less stringent band: a loop that calculates to exactly 0.01 is SIL 1, not SIL 2.

  SIL      PFDavg (low demand)    Risk reduction factor    Typical process application
  SIL 1    0.1 to 0.01            10 to 100                Pump trip on high pressure, agitator interlock, overfill protection
  SIL 2    0.01 to 0.001          100 to 1,000             High-integrity pressure protection, prevention of a toxic or flammable release
  SIL 3    0.001 to 0.0001        1,000 to 10,000          High-consequence release prevention, common in oil, gas, and petrochemical
  SIL 4    0.0001 to 0.00001      10,000 to 100,000        Very rare; usually avoided by changing the process or adding independent layers

For a function in high-demand or continuous mode, where it is called frequently, integrity is expressed instead as a probability of dangerous failure per hour (PFH). Most process trips are low demand. Most machine guards are high demand. That distinction decides which metric and, often, which standard applies.

A SIL claim has two parts that must both be satisfied. The first is the random-failure target, the PFDavg or PFH calculated from device failure rates. The second is the architectural constraint: a minimum hardware fault tolerance, which IEC 61508 derives from the safe failure fraction of the devices and which IEC 61511 also tabulates directly against the SIL, plus the systematic capability that covers design and software faults. A loop can meet the PFDavg number and still fail the SIL claim if its architecture or systematic capability falls short. Most Australian food, beverage, and general manufacturing sites work in the SIL 1 and SIL 2 range. SIL 3 is uncommon outside the resources and petrochemical sectors.

The safety instrumented function and the safety lifecycle

A safety instrumented function (SIF) is a single protective loop with a defined purpose, for example "close the inlet valve on high tank level to prevent overfill". It is built from three element groups in series: one or more sensors that detect the hazardous condition, a logic solver that decides, and one or more final elements such as a valve or contactor that bring the process to a safe state. A safety instrumented system (SIS) is the collection of all the SIFs on a plant. The PFDavg of each element adds into the loop total, so the function can never be better than its worst credited element, and is usually dominated by it.

IEC 61511 organises the whole effort as a safety lifecycle, a cradle-to-grave sequence with verification at each stage:

  1. Hazard and risk assessment, typically a HAZOP, to identify hazardous scenarios.
  2. Allocation of risk reduction to protection layers, which is where SIL targets are set using a risk graph or LOPA.
  3. Safety requirements specification (SRS), the controlling document that captures what each SIF must do.
  4. Design and engineering of the SIS, including SIL verification calculations.
  5. Installation, commissioning, and validation, proving the as-built system meets the SRS.
  6. Operation, maintenance, and proof testing over the plant life.
  7. Modification under management of change, and eventual decommissioning.

Running underneath all of it is functional safety management: the plan, the competence of the people, the verification activities, and the records. Under IEC 61511 the operator owns the lifecycle and may delegate engineering to a competent integrator, but competence and management are themselves part of the compliance record, not an afterthought. This is the same lifecycle discipline that underpins systems integration and disciplined control panel engineering on a safety scope.

The safety requirements specification

The SRS is the hinge between the assessment and the design, and a weak SRS is one of the most common causes of trouble later. For each SIF it should capture, at minimum, the safe state and how it is reached, the process condition that triggers the function, the trip set point and any allowance for process dynamics, the required SIL, the demand mode, the proof test interval, the response time to reach the safe state, and the behaviour on loss of power or air. It should also state the environmental and process interfaces, the maximum tolerable spurious trip rate, and the bypass and reset philosophy.

A specification written at this level lets the verification engineer calculate PFDavg against real device data, lets the integrator select certified equipment with confidence, and gives the operator a clear basis to test against during validation. A vague SRS, by contrast, pushes those decisions into the build, where they are harder to defend and more expensive to correct.

SIL determination: risk graph and LOPA

Two methods dominate practice. A risk graph is a qualitative tool that walks through a small set of parameters, usually consequence severity, frequency of exposure, possibility of avoiding the hazard, and demand rate, and reads off a SIL from a calibrated matrix. It is quick, useful for screening many scenarios, and well suited to early studies where data is thin. Its weakness is that the calibration carries an organisation's risk criteria implicitly, and results near a band boundary can be hard to defend.

Layer of Protection Analysis (LOPA) is a semi-quantitative method that brings more rigour to scenarios that warrant it (LOPA overview). LOPA starts from one cause-consequence pair, assigns a frequency to the initiating event, and then multiplies in the probability of failure on demand of each independent protection layer (IPL) that genuinely sits between the cause and the consequence. The result is compared with a tolerable target frequency. Whatever gap remains becomes the job of the SIF, and that gap defines its required SIL. ISA technical reports on LOPA and on safety instrumented systems are a useful reference for the conventions (ISA, functional safety resources).

The choice between them is a matter of proportion. A risk graph is enough for routine screening. LOPA is the right tool when a scenario is important, when several protection layers are credited, or when a risk graph lands near a boundary and the answer needs to stand up to scrutiny.

A worked example, for illustration only

The figures below are illustrative engineering numbers chosen to show the method. They are not drawn from any real Metromotion Controls project or named client.

Consider a jacketed mixing vessel in a food plant. The hazardous scenario is overpressure of the vessel from a blocked outlet while the feed pump continues to run, with the consequence being a vessel rupture that could seriously injure an operator working nearby.

A typical LOPA for that scenario might look like this:

  • Initiating event: outlet blockage with the pump running, estimated at 0.1 per year (once in ten years).
  • Tolerable frequency for a serious injury: for this example, 1 x 10^-5 per year, set by the operator's risk criteria.
  • Conditional modifier, occupancy: an operator is in the area perhaps 10 per cent of the time, a factor of 0.1.
  • Independent protection layer, basic process control: a high-pressure alarm with operator response, credited at a PFD of 0.1 (one order of magnitude). That credit only holds if the alarm uses a different transmitter and logic from the SIF and the operator has enough time to act before the consequence.

Multiplying the initiating event by the modifier and the credited layer gives an intermediate frequency of 0.1 x 0.1 x 0.1 = 1 x 10^-3 per year. The tolerable target is 1 x 10^-5 per year. The gap between the two is a factor of 100, so the safety instrumented function must provide a risk reduction factor of 100, equivalent to a PFDavg of 0.01. That places the SIF at the boundary between SIL 1 and SIL 2, and good practice is to design for SIL 2 to keep margin against the band edge.
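The arithmetic above, written out as a small LOPA worksheet in Python. This is an added example, not code from the original article or from Metromotion Controls; the Scenario and Layer names and the second scenario are constructed for illustration. It also applies the independence rule, so a layer flagged as sharing the SIF's transmitter earns no credit and the required SIL rises accordingly.

```python
"""LOPA gap calculation for one cause-consequence pair.

Added illustration, not code from the original article or from any
Metromotion Controls tool. Frequencies are per year, probabilities are
dimensionless. The first scenario carries the article's illustrative
figures as constructed sample input; the second is a constructed variant.
"""
from dataclasses import dataclass, field
import math


@dataclass
class Layer:
    """A conditional modifier (occupancy, ignition) or an independent
    protection layer; both multiply the scenario frequency."""
    name: str
    pfd: float                 # probability the layer fails to stop the event
    independent: bool = True   # False: shares a sensor, logic solver or operator with the SIF


@dataclass
class Scenario:
    name: str
    initiating_event_freq: float   # demands per year
    tolerable_freq: float          # per year, from the operator's risk criteria
    layers: list = field(default_factory=list)

    def intermediate_freq(self):
        """Consequence frequency before any credit is taken for the SIF.

        Only independent layers are multiplied in. A layer that shares a
        sensor, logic solver or operator with the SIF stays on the worksheet
        for the record but earns no credit.
        """
        f = self.initiating_event_freq
        for layer in self.layers:
            if layer.independent:
                f *= layer.pfd
        return f

    def required_rrf(self):
        """Risk reduction the SIF must supply; 1.0 means no SIF is needed."""
        return max(1.0, self.intermediate_freq() / self.tolerable_freq)

    def required_pfd(self):
        """Ceiling on the loop PFDavg that verification must later prove."""
        return 1.0 / self.required_rrf()

    def required_sil(self):
        """Map the required RRF onto a low-demand SIL.

        Each SIL is one decade of RRF (SIL 1: 10 to 100, SIL 2: 100 to 1,000,
        and so on). A requirement that lands exactly on a decade boundary is
        assigned the tighter band, because building to the looser band would
        leave no margin (the article's advice to design for SIL 2 when the
        gap is exactly 100). Returns 0 when RRF < 10 (no SIL-rated function
        is needed) and 5 when the requirement exceeds SIL 4 (change the
        process instead).
        """
        rrf = self.required_rrf()
        if rrf < 10:
            return 0
        decades = round(math.log10(rrf), 9)   # rounding removes float noise at the edges
        return min(5, math.floor(decades))


# The article's vessel overpressure scenario, constructed figures.
VESSEL_OVERPRESSURE = Scenario(
    name="mixing vessel overpressure, blocked outlet with feed pump running",
    initiating_event_freq=0.1,
    tolerable_freq=1e-5,
    layers=[
        Layer("operator in area (occupancy modifier)", 0.1),
        Layer("high-pressure alarm with operator response", 0.1),
    ],
)

# Constructed variant: the alarm is driven by the same transmitter the SIF
# will use, so it cannot be credited as an independent layer.
SHARED_TRANSMITTER = Scenario(
    name="same scenario, alarm shares the SIF transmitter",
    initiating_event_freq=0.1,
    tolerable_freq=1e-5,
    layers=[
        Layer("operator in area (occupancy modifier)", 0.1),
        Layer("high-pressure alarm on the SIF transmitter", 0.1, independent=False),
    ],
)


def summarise(scenario):
    """The numbers a LOPA worksheet would carry for this scenario."""
    return {
        "intermediate_freq": scenario.intermediate_freq(),
        "required_rrf": scenario.required_rrf(),
        "required_pfd": scenario.required_pfd(),
        "required_sil": scenario.required_sil(),
    }


if __name__ == "__main__":
    for s in (VESSEL_OVERPRESSURE, SHARED_TRANSMITTER):
        r = summarise(s)
        print(f"{s.name}: intermediate {r['intermediate_freq']:.1e}/yr, "
              f"RRF {r['required_rrf']:.0f}, PFDavg <= {r['required_pfd']:.1e}, "
              f"SIL {r['required_sil']}")
```

Running it reproduces the article's gap of 100 and SIL 2 for the first scenario; the second scenario, with the alarm credit withdrawn, needs an RRF of 1,000 and therefore SIL 3, which is the practical cost of the dependent-layer mistake.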

The SIF that fills the gap might be a pressure transmitter that trips the feed pump contactor through a certified safety logic solver when pressure exceeds the set point. The verification engineer then selects devices with published failure data, chooses an architecture (for example a single transmitter, or a 1oo2 pair if a single device cannot meet SIL 2 with the chosen proof test interval), and calculates PFDavg for the whole loop. If the number does not meet 0.01 with adequate margin, the answer is to improve the architecture, use better devices, or shorten the proof test interval, not to relax the target.

Proof testing keeps the SIL honest

A SIL is a prediction about the future, and proof testing is what keeps that prediction true. Devices accumulate dangerous undetected failures that the on-line diagnostics cannot see. A proof test deliberately exercises the function end to end so those hidden failures are found and corrected, which resets the loop's reliability clock.

The proof test interval is an input to the PFDavg calculation, so it is not arbitrary. For a given architecture and device failure rate, lengthening the interval raises PFDavg, and the interval is therefore chosen so the loop stays inside its band with margin. Many low-demand SIL 1 and SIL 2 process loops are tested annually, but the correct figure always comes from the verification calculation for that specific loop.

Two points are often missed. First, the proof test must actually detect the failure modes the calculation assumes it detects; a test that energises the logic but never confirms the valve fully strokes does not validate the final element, and the real PFDavg is worse than the paper figure. Second, proof test coverage is rarely 100 per cent, and the residual uncovered fraction should be carried in the calculation, where it accumulates over the plant's mission time rather than resetting at each test. Partial stroke testing of large final-element valves is one technique for extending the full-stroke interval where a full stroke is operationally difficult, but it only earns credit for the failure modes a partial movement can reveal.
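A loop verification of the kind described for the vessel example, combined with the proof test interval and coverage points above, as an added example that is not code from the original article or from Metromotion Controls. Device failure rates, proof test coverage, common-cause beta and mission time are constructed figures; the formulas are the simplified IEC 61508-6 Annex B low-demand approximations with repair time neglected, and the uncovered fraction of dangerous undetected failures is carried for the mission time in the usual way.

```python
"""Simplified PFDavg verification for a low-demand SIF loop.

Added illustration, not code from the original article or from any
Metromotion Controls tool. Simplified IEC 61508-6 Annex B low-demand
formulas, repair time neglected: 1oo1 is lambda_DU*T/2, 1oo2 is
((1-beta)*lambda_DU*T)^2/3 + beta*lambda_DU*T/2. Imperfect proof testing
is handled by splitting lambda_DU: the covered fraction is exposed for one
proof test interval, the uncovered fraction for the whole mission time.
Failure rates below are constructed round numbers, not vendor data.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
FIT = 1e-9                            # failures per hour
MISSION_HOURS = 10 * HOURS_PER_YEAR   # constructed plant life for the uncovered fraction


@dataclass
class Element:
    name: str
    lambda_du: float                  # dangerous undetected failure rate, per hour
    architecture: str = "1oo1"
    proof_test_coverage: float = 1.0  # fraction of lambda_du the proof test reveals
    beta: float = 0.1                 # common-cause fraction, used for 1oo2 only

    def _group_pfd(self, rate, t):
        """PFDavg of the channel group for failure rate `rate` exposed for time t."""
        if self.architecture == "1oo1":
            return rate * t / 2
        if self.architecture == "1oo2":
            independent = (1 - self.beta) * rate
            return (independent * t) ** 2 / 3 + self.beta * rate * t / 2
        raise ValueError(f"unsupported architecture {self.architecture}")

    def pfd_avg(self, ti_hours, mission_hours=MISSION_HOURS):
        covered = self.lambda_du * self.proof_test_coverage
        uncovered = self.lambda_du * (1 - self.proof_test_coverage)
        # Faults the test finds live at most one interval; the rest live for the
        # whole mission, so that term does not shrink when the interval is cut.
        return self._group_pfd(covered, ti_hours) + self._group_pfd(uncovered, mission_hours)


@dataclass
class Loop:
    name: str
    elements: list
    required_pfd: float               # ceiling from LOPA

    def pfd_avg(self, ti_hours, mission_hours=MISSION_HOURS):
        # Sensor, logic solver and final element are in series, so PFDs add.
        return sum(e.pfd_avg(ti_hours, mission_hours) for e in self.elements)

    def contributions(self, ti_hours, mission_hours=MISSION_HOURS):
        """Share of loop PFDavg per element, to show which one dominates."""
        total = self.pfd_avg(ti_hours, mission_hours)
        return {e.name: e.pfd_avg(ti_hours, mission_hours) / total for e in self.elements}

    def longest_proof_test_interval_years(self, mission_hours=MISSION_HOURS,
                                          margin=0.5, max_years=10):
        """Largest whole-year interval with PFDavg <= margin * required_pfd.

        None means even annual testing misses the target with margin: the fix
        is a better architecture or device, not a looser target.
        """
        best = None
        for years in range(1, max_years + 1):
            if self.pfd_avg(years * HOURS_PER_YEAR, mission_hours) <= margin * self.required_pfd:
                best = years
            else:
                break
        return best


# Constructed loop for the article's vessel scenario, where LOPA asked for
# PFDavg <= 0.01 (RRF 100). FIT values are illustrative round numbers.
TRANSMITTER = Element("pressure transmitter", 100 * FIT)
LOGIC_SOLVER = Element("certified safety logic solver", 10 * FIT)
VALVE_1OO1 = Element("valve and actuator", 500 * FIT, proof_test_coverage=0.9)
VALVE_1OO2 = Element("valve and actuator (1oo2)", 500 * FIT, "1oo2", 0.9, beta=0.1)

LOOP_SINGLE_VALVE = Loop("single valve", [TRANSMITTER, LOGIC_SOLVER, VALVE_1OO1], required_pfd=0.01)
LOOP_DUAL_VALVE = Loop("1oo2 valves", [TRANSMITTER, LOGIC_SOLVER, VALVE_1OO2], required_pfd=0.01)


def verify(loop, ti_years):
    """The numbers a verification report carries for one candidate interval."""
    ti = ti_years * HOURS_PER_YEAR
    pfd = loop.pfd_avg(ti)
    dominant = max(loop.contributions(ti).items(), key=lambda kv: kv[1])[0]
    return {"pfd_avg": pfd, "rrf": 1 / pfd, "meets_target": pfd <= loop.required_pfd,
            "dominant": dominant}


if __name__ == "__main__":
    for loop in (LOOP_SINGLE_VALVE, LOOP_DUAL_VALVE):
        r = verify(loop, 1)
        print(f"{loop.name}: PFDavg {r['pfd_avg']:.2e} (RRF {r['rrf']:.0f}), "
              f"dominant element: {r['dominant']}, longest interval with 50% margin: "
              f"{loop.longest_proof_test_interval_years()} yr")
```

With these figures the single-valve loop meets 0.01 at a one-year interval but the valve carries about 90 per cent of the PFDavg, and stretching the interval to four years pushes the loop out of SIL 2. Doubling the valve to 1oo2 moves the largest contribution to the transmitter and lets the interval grow while keeping a 50 per cent margin, which is the order in which a verification engineer would look for improvement: final element first, then interval.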

Machine safety is a different discipline

Where the hazard is a machine rather than a process, the rulebook changes. ISO 13849 assesses the safety-related parts of a machine control system and expresses integrity as a Performance Level (PL), from PL a to PL e, derived from the architecture category, the component reliability (MTTFd), the diagnostic coverage, and the resistance to common-cause failure (ISO 13849 overview). IEC 62061 addresses the same machinery domain but expresses integrity as SIL in a high-demand context.

The practical reason this matters is demand mode. A guard interlock or a light curtain operates many times a shift, so it is a high-demand function and belongs under ISO 13849 or IEC 62061, assessed with PFH or PL. A process trip that may be called once a year is a low-demand function under IEC 61511, assessed with PFDavg. Mixing the methods, for instance applying a PFDavg target to a high-demand guard, gives the wrong answer. On a real plant both worlds usually coexist, with process SIFs protecting the vessels and pipework and machine-safety circuits protecting people from moving equipment, which is why the boundary between them should be drawn explicitly in the design.

Australian context: duties, regulators, and local practice

In Australia the legal driver for functional safety sits within the Work Health and Safety framework rather than in a standard that names SIL directly. Safe Work Australia's model Code of Practice on managing the risks of plant places a duty on those who design, manufacture, supply, install, and use plant to identify hazards and eliminate or minimise risk so far as is reasonably practicable, which includes the control systems that keep plant within safe limits (Safe Work Australia, managing the risks of plant). Where instrumented protection is relied on to discharge that duty, IEC 61511 is the accepted way to demonstrate the protection is adequate and maintained.

Major hazard facilities, those holding flammable, toxic, or explosive inventories above scheduled thresholds, carry additional obligations to prepare a safety case that demonstrates the adequacy of their protection layers, and SIL assessment is a normal part of that evidence. The state and territory WHS regulators administer these duties locally.

The electrical and assembly standards apply in parallel to the safety logic itself. AS/NZS 3000, the Wiring Rules, governs the installation work, and AS/NZS 61439 covers the low-voltage switchgear and controlgear assemblies where the safety system is housed, which matters whenever a safety scope touches a control panel. Confirming which standards apply, and to which part of the scope, belongs in the early study rather than on the day of the work. This regulatory backdrop is the same one that shapes automation upgrades and any change to existing protection under management of change.

Common mistakes that undermine a SIL claim

A few patterns account for most of the trouble in functional safety projects:

  • Choosing hardware before the assessment. A certified safety controller does not create a SIL on its own. Without a target from LOPA or a risk graph and a verified PFDavg for the whole loop, the SIL claim has no basis.
  • Counting dependent layers as independent. In LOPA, a protection layer only counts if it is genuinely independent of the initiating cause and of the other layers. Crediting the same sensor, the same logic solver, or the same operator twice inflates the credited risk reduction and understates the SIL the SIF must deliver.
  • Verifying the logic solver but ignoring the final element. PFDavg is the sum of the element contributions, and final elements such as valves are usually the largest term. A claim built only on the logic solver is optimistic.
  • Proof tests that do not match the calculation. If the procedure does not exercise the failure modes the calculation assumes it detects, or if proof test coverage is treated as 100 per cent when it is not, the real integrity is below the number on the certificate.
  • Mixing demand modes and standards. Applying a low-demand PFDavg target to a high-demand machine guard, or vice versa, produces a result that looks rigorous and is wrong.
  • Treating the SRS as paperwork. A vague safety requirements specification pushes safe-state, set-point, and response-time decisions into the build, where they are harder to defend and more expensive to correct.

How to approach a SIL assessment

Functional safety done properly is methodical and ordered: hazard first, risk-reduction target second, design third, and proof testing for the life of the plant. The cheapest place to get it right is the front end. A clear hazard study, an appropriately chosen determination method, a complete safety requirements specification, and a verification calculation against real device data give a SIF that meets its target with margin and a record that stands up to scrutiny. For Australian operators planning a new installation or modifying a plant with hazardous processes, engaging functional safety competence early is the lower-risk path, and it keeps the assessment driving the design rather than the design forcing the assessment.

About the author

Tommy Kim writes for Metromotion Controls, a Melbourne control systems integrator delivering PLC, SCADA, controls integration and commissioning for food, beverage, dairy and FMCG manufacturers across Australia.

Common questions
When is a SIL assessment required in Australia?

There is no single regulation that names SIL. The duty comes from the Work Health and Safety framework, where Safe Work Australia's model code on managing the risks of plant requires duty holders to identify hazards and control risk so far as is reasonably practicable. Where a process hazard can lead to serious injury, that duty usually leads an operator to a hazard study and, where instrumented protection is relied upon, to a SIL assessment under IEC 61511. Major hazard facilities carry additional safety case obligations. Many sites also adopt the lifecycle because insurers, corporate standards, or licence conditions expect a documented basis for any layer of protection that is credited with reducing risk.

What is the difference between SIL 1, SIL 2, and SIL 3?

The levels describe order-of-magnitude bands of risk reduction for a function operating in low-demand mode. SIL 1 corresponds to an average probability of failure on demand (PFDavg) between 0.1 and 0.01, which is a risk reduction factor of 10 to 100. SIL 2 is 0.01 to 0.001 (100 to 1,000), and SIL 3 is 0.001 to 0.0001 (1,000 to 10,000). Each step up by one SIL is a tenfold tightening, and it usually demands better device data, a higher hardware fault tolerance, more frequent proof testing, or redundant voting architectures to meet both the random-failure target and the architectural constraints.

Can a standard PLC be used for a safety instrumented function?

Not in practice. A safety instrumented function needs a logic solver certified to IEC 61508 with published failure-rate and diagnostic-coverage data, so that its contribution to PFDavg can be calculated and its systematic capability can be claimed. A standard PLC does not provide that evidence, does not meet the architectural and diagnostic requirements, and must be kept functionally separate from the safety function. IEC 61511 does leave a prior-use route for components with a documented operating history, but it carries its own evidence and assessment burden, and for a general-purpose PLC that evidence is rarely available. The same logic applies to the sensors and final elements: each element in the loop needs failure data and a defined proof test, not just the logic solver.

What is LOPA and when should it be used instead of a risk graph?

Layer of Protection Analysis is a semi-quantitative method that starts from a single cause-consequence scenario, applies an initiating event frequency, and then credits each independent protection layer with a probability of failure on demand to see whether the residual risk meets a tolerable target. The gap that remains defines the SIL for the safety instrumented function. A risk graph is faster and more qualitative, useful for screening many scenarios or where data is thin, but it is calibrated to an organisation's risk criteria and can be coarse. LOPA is preferred when a scenario is important enough to justify the rigour, when several protection layers are claimed, or when a risk graph gives an answer near a band boundary that needs defending.

How often does a safety instrumented function need proof testing?

The proof test interval is an input to the PFDavg calculation, not a fixed number. For a given architecture and device failure rate, a longer interval raises PFDavg, so the interval is chosen so the loop stays inside its SIL band with margin. Many low-demand SIL 1 and SIL 2 loops on process plant are tested annually, but the correct figure comes from the verification calculation for that specific loop. The proof test procedure must also be designed to detect the dangerous undetected failures the calculation assumes it finds, otherwise the real PFDavg is worse than the number on paper.

How does machine safety under ISO 13849 differ from process safety under IEC 61511?

They address different risks with different metrics. IEC 61511 governs safety instrumented systems on process plant and expresses integrity as SIL with a PFDavg for low-demand functions. ISO 13849 governs the safety-related parts of machine control systems and expresses integrity as a Performance Level (PL a to e) tied to categories and a probability of dangerous failure per hour, while IEC 62061 expresses machine integrity as SIL in a high-demand context. A guard interlock that operates many times a shift is a high-demand function and is usually assessed under ISO 13849 or IEC 62061, whereas a high-pressure trip that may be called once a year is a low-demand process function under IEC 61511. Getting the boundary right matters, because the methods, the data, and the verification are not interchangeable.
