Skip to content
Functional Safety and SIL Assessment for Australian Industrial Sites engineering guide from Metromotion Controls
Functional Safety · MAY 2026 · Updated JUNE 2026 · 10 min read

Functional Safety and SIL Assessment for Australian Industrial Sites

Key points

Key points
1

SIL is a risk-reduction target, not a product rating

A safety instrumented function achieves a SIL when its design, installation and proof testing together meet the required probability of failure on demand. No single device is inherently a SIL.

2

The assessment drives the design

A SIL target comes out of the hazard analysis through LOPA or a risk graph. Specifying hardware before that target exists usually leads to rework and weak documentation.

3

Process safety and machine safety use different rulebooks

Process plant follows IEC 61511, built on IEC 61508. Guarding and machinery interlocks follow ISO 13849 or IEC 62061. The metrics and the verification differ, so the boundary matters.

Functional safety is the part of plant safety that depends on a protection system responding correctly to its inputs. On Australian process plant the working standard is IEC 61511, the process-sector application of the base standard IEC 61508. Machinery and guarding follow a separate path under ISO 13849 or IEC 62061. The common thread is a disciplined sequence: identify the hazard, decide how much risk reduction is needed, design a safety function that delivers it, then prove it keeps delivering over the life of the plant.

A Safety Integrity Level (SIL) is a target for how much risk reduction a safety function must provide. It is determined by the hazard analysis, not chosen by the engineer or implied by the hardware that happens to be available. For delivery support, see functional safety and PLC, SCADA and HMI programming.

The standards that frame the work

  • IEC 61508 is the base standard for electrical, electronic and programmable electronic safety-related systems. It defines the SIL concept and the metrics device manufacturers certify against; every certified safety device traces its claims back to it.
  • IEC 61511 applies IEC 61508 to the process sector and is the working standard for operators and integrators designing safety instrumented systems on chemical, water, and food and beverage plant.
  • ISO 13849 and IEC 62061 cover the safety-related parts of machine control systems: guarding, interlocks and emergency stops rather than process trips. ISO 13849 uses Performance Levels; IEC 62061 uses SIL in a high-demand machinery context.

In Australia these are adopted through the AS IEC and AS/NZS series, and engineers generally work to the IEC numbering day to day (Standards Australia).

What a SIL actually measures

A SIL is a band, not a score on a device. For a safety function operating in low-demand mode, called on no more than once a year, integrity is expressed as the average probability of failure on demand, written PFDavg.

SILPFDavg (low demand)Risk reduction factorTypical process application
SIL 10.1 to 0.0110 to 100Pump trip on high pressure, agitator interlock, overfill protection
SIL 20.01 to 0.001100 to 1,000High-integrity pressure protection, prevention of a toxic or flammable release
SIL 30.001 to 0.00011,000 to 10,000High-consequence release prevention, common in oil, gas and petrochemical
SIL 40.0001 to 0.0000110,000 to 100,000Very rare; usually avoided by changing the process or adding independent layers

For a function in high-demand or continuous mode, called frequently, integrity is expressed instead as a probability of dangerous failure per hour (PFH). Most process trips are low demand. Most machine guards are high demand. That distinction decides which metric, and often which standard, applies.

A SIL claim has two parts. The first is the random-failure target, the PFDavg or PFH calculated from device failure rates. The second is the architectural constraint, a minimum hardware fault tolerance for the claimed SIL, plus the systematic capability covering design and software faults. A loop can meet the PFDavg number and still fail the claim on architecture or systematic capability. Most Australian food, beverage and general manufacturing sites work in the SIL 1 to SIL 2 range; SIL 3 is uncommon outside resources and petrochemical.

The safety function and the safety lifecycle

A safety instrumented function (SIF) is a single protective loop with a defined purpose, for example "close the inlet valve on high tank level to prevent overfill". It comprises sensors that detect the hazardous condition, a logic solver that decides, and final elements such as a valve or contactor that bring the process to a safe state. The safety instrumented system (SIS) is the collection of all SIFs on a plant, and a function is only as good as its weakest credited element.

IEC 61511 organises the work as a safety lifecycle:

  1. Hazard and risk assessment, typically a HAZOP, to identify hazardous scenarios.
  2. Allocation of risk reduction to protection layers, where SIL targets are set by risk graph or LOPA.
  3. Safety requirements specification (SRS), the controlling document for each SIF.
  4. Design and engineering, including SIL verification calculations.
  5. Installation, commissioning and validation against the SRS.
  6. Operation, maintenance and proof testing over the plant life.
  7. Modification under management of change, then decommissioning.

Underneath it all sits functional safety management: the plan, the competence of the people doing each activity, and the records. The operator owns the lifecycle and may delegate engineering to a competent integrator, but competence and management are part of the compliance record. The same lifecycle discipline carries through systems integration and control panel engineering on a safety scope.

The SRS deserves emphasis because a weak one is the most common cause of trouble later. For each SIF it should state the safe state and how it is reached, the trigger condition and trip set point, the required SIL and demand mode, the proof test interval, the response time, and the behaviour on loss of power or air. That level of detail lets the verifier calculate PFDavg against real device data and gives the operator a clear basis for validation. A vague SRS pushes those decisions into the build, where they cost more to correct.

SIL determination: risk graph and LOPA

Two methods dominate practice. A risk graph is qualitative: it walks consequence severity, frequency of exposure, possibility of avoidance and demand rate through a calibrated matrix and reads off a SIL. It is quick and suits screening many scenarios, but the calibration embeds the organisation's risk criteria, and results near a band boundary can be hard to defend.

Layer of Protection Analysis (LOPA) is semi-quantitative. It takes one cause-consequence pair, assigns a frequency to the initiating event, multiplies in the probability of failure on demand of each independent protection layer (IPL) that genuinely sits between cause and consequence, and compares the result with a tolerable frequency. Whatever gap remains is the job of the SIF, and that gap sets its required SIL (ISA technical reports document the conventions).

The choice is one of proportion: a risk graph for routine screening, LOPA when a scenario is significant, when several layers are credited, or when the answer needs to survive scrutiny near a boundary.

A worked example, for illustration only

The figures below are illustrative only, not drawn from any Metromotion Controls project or named client.

Consider a jacketed mixing vessel in a food plant. The scenario is overpressure from a blocked outlet while the feed pump continues to run, with the consequence a vessel rupture that could seriously injure an operator nearby.

  • Initiating event: outlet blockage with the pump running, estimated at 0.1 per year.
  • Tolerable frequency for a serious injury: 1 x 10^-5 per year, set by the operator's risk criteria.
  • Conditional modifier, occupancy: an operator is in the area about 10 per cent of the time, a factor of 0.1.
  • Independent protection layer, basic process control: a high-pressure alarm with operator response, credited at a PFD of 0.1.

Multiplying through gives an intermediate frequency of 1 x 10^-3 per year against a target of 1 x 10^-5. The gap is a factor of 100, so the SIF must provide a risk reduction factor of 100, a PFDavg of 0.01. That sits at the boundary between SIL 1 and SIL 2, and good practice is to design for SIL 2 to keep margin against the band edge.

The SIF might be a pressure transmitter tripping the feed pump contactor through a certified safety logic solver. The verification engineer selects devices with published failure data, chooses an architecture (a single transmitter, or a 1oo2 pair if one device cannot meet SIL 2 at the chosen proof test interval) and calculates PFDavg for the whole loop. If the number misses 0.01 with margin, the fix is better architecture, better devices or a shorter test interval, not a relaxed target.

Proof testing keeps the SIL honest

A SIL is a prediction about the future, and proof testing is what keeps the prediction true. Devices accumulate dangerous undetected failures that on-line diagnostics cannot see; a proof test exercises the function end to end so those hidden failures are found and corrected. The test interval is an input to the PFDavg calculation, so it is not arbitrary: lengthening it raises PFDavg, and the interval is chosen so the loop stays inside its band with margin. Many SIL 1 and SIL 2 process loops are tested annually, but the correct figure always comes from the verification calculation for that loop.

Two points are often missed. The test must detect the failure modes the calculation assumes it detects; a test that exercises the logic but never confirms the valve fully strokes does not validate the final element. And coverage is rarely 100 per cent, so the uncovered fraction should be carried in the calculation. Partial stroke testing is one way to extend intervals on large valves where a full stroke is operationally difficult.

Machine safety is a different discipline

Where the hazard is a machine rather than a process, the rulebook changes. ISO 13849 expresses integrity as a Performance Level, PL a to PL e, derived from architecture category, component reliability (MTTFd), diagnostic coverage and common-cause resistance. IEC 62061 covers the same domain using SIL in a high-demand context. The deciding factor is demand mode: a guard interlock operates many times a shift and belongs under the machinery standards; a process trip called once a year is low demand under IEC 61511. Both worlds coexist on a real plant, so the boundary should be drawn explicitly in the design. Our guide to machine safety risk assessment covers the machinery side.

Australian context: duties and regulators

The legal driver sits in the Work Health and Safety framework rather than a standard that names SIL. Safe Work Australia's model Code of Practice on managing the risks of plant places a duty on those who design, supply, install and use plant to eliminate or minimise risk so far as is reasonably practicable, including the control systems that keep plant within safe limits (Safe Work Australia, managing the risks of plant). Where instrumented protection discharges that duty, IEC 61511 is the accepted way to demonstrate it is adequate and maintained. Major hazard facilities also owe a safety case, with SIL assessment a normal part of the evidence, and state and territory WHS regulators administer the duties locally.

In parallel, AS/NZS 3000 governs the installation work and AS/NZS 61439 the low-voltage assemblies that house the safety system, which matters whenever a safety scope touches a control panel. The same backdrop shapes automation upgrades and any change to existing protection under management of change.

Common mistakes that undermine a SIL claim

  • Choosing hardware before the assessment. A certified safety controller does not create a SIL on its own. Without a target from the hazard analysis and a verified PFDavg for the whole loop, the claim has no basis.
  • Counting dependent layers as independent. A LOPA layer only counts if it is independent of the initiating cause and of the other layers. Crediting the same sensor, logic solver or operator twice understates the SIL the SIF must deliver.
  • Verifying the logic solver but ignoring the final element. Valves are often the largest contributor to PFDavg. A claim built on the logic solver alone is optimistic.
  • Proof tests that do not match the calculation. If the procedure does not exercise the assumed failure modes, or coverage is treated as 100 per cent when it is not, the real integrity sits below the documented figure.
  • Mixing demand modes. Applying a low-demand PFDavg target to a high-demand machine guard, or the reverse, produces a result that looks rigorous and is wrong.

How to approach a SIL assessment

The order is fixed: hazard first, risk-reduction target second, design third, proof testing for the life of the plant. The cheapest place to get it right is the front end: a clear hazard study, a determination method matched to the scenario, a complete SRS and a verification calculation against real device data give a SIF that meets its target with margin and a record that stands up to scrutiny. Engaging functional safety competence early keeps the assessment driving the design rather than the design forcing the assessment.

References

About the author

Tommy Kim writes for Metromotion Controls, a Melbourne control systems integrator delivering PLC, SCADA, controls integration and commissioning for food, beverage, dairy and FMCG manufacturers across Australia.

Share:LinkedInX
Next step

Planning work in Functional Safety?

Map out scope, delivery approach and what to have ready before the first conversation. Answer a few questions and Metromotion Controls returns a tailored scoping brief on screen.