Safety Integrity Level 3

Three safety integrity levels (SIL) were described in the ANSI/ISA-84.00.01-1996 standard. Revised standard ANSI/ISA 84.00.01-2004 (IEC 61511-1 mod) now includes the higher SIL 4. SILs are a measure of system performance: the higher the number, the better the safety performance, such as lower probability of failure on demand.





What the standard provides is a rational, uniform way to assess and mitigate risks. Properly used, the standard channels spending where it is necessary, allowing savings elsewhere. With this in mind, why use a higher performance safety system if it's not needed?

SIL-3 logic-solver ≠ SIL-3 system

Many end-users specify 'certified for use in SIL 3' redundant-logic solvers. There are numerous, redundant, programmable logic-solvers—often referred to as 'safety PLCs'—that are certified for use up to SIL 3. However, merely using one of these certified logic solvers does not create a SIL 3 system. A system includes sensors and final elements. Many have implemented redundant logic solvers using non-redundant field devices. The result is probably a SIL 1 system; after all, a chain is only as strong as its weakest link.

Only in very special cases can redundancy be avoided in true SIL-3 safety systems. The input sensors, the logic solver, and the final element (or actuator) will almost certainly all need to be redundant in a SIL-3 design. Specifying a SIL 3 logic solver does not yield a SIL 3 system; and if SIL 3 is not needed, why pay the extra cost?

Section 11.4 of the standard states:

'A hardware fault tolerance of '1' means that there are, for example, two devices and the architecture is such that the dangerous failure of one of the two components or subsystems does not prevent the safety action from occurring.'

Rules for how much fault tolerance must be applied to field instruments at any given SIL are clearly defined within the standard's Section 11.4.1 Note 2; see the table and the note below:

'The minimum hardware fault tolerance has been defined to alleviate potential shortcomings in SIF (safety instrumented function) design that may result due to the number of assumptions made in the design of the SIF, along with uncertainty in the failure rate of components or subsystems used in various process applications.'

In other words, mandating a minimum level of fault tolerance will prevent the use of unrealistically low failure rates and a short manual test in calculations used to verify the performance of a proposed conceptual design.

The standard describes cases where fault tolerance requirements—defined in the table—may be decreased by one. It also depicts cases where the numbers need to be increased by one.

Fault tolerance requirements can be relaxed where the field instrument is certified as having a particularly low level of dangerous failure modes or where there is detailed information about the hardware, such as failure rates, failure modes, and levels of internal diagnostics. The simplified table was included in IEC 61511 because it was felt most end-users would not have such detailed information and, in many cases, field instruments certified to have low levels of dangerous failure modes are simply not available.

Satisfying these requirements for final elements, typically valves, can be particularly problematic and expensive. An increased safety integrity level has a significant impact on the number of valves required and the installation's complexity to allow proper maintenance and proof testing. Much has been done to improve diagnostics by techniques such as partial stroke testing, but the valve remains a major contributor to failure probability for any 'loop', control or safety.

A true SIL-3 system typically requires triplicate transmitters, a triplicate (two-out-of-three) or 1oo2D (one-out-of-two with diagnostics) logic-solver, and either three valves in series, or dual valves in series incorporating partial stroke testing—or very frequent full stroke testing, which usually is not possible. Adding to SIL-3 systems' higher costs are extra transmitters, valves, and the like. There are also operational considerations such as insurance, availability, maintenance, and so on. Compare this to a typical SIL-2 system, with a less complex logic-solver and single- or dual-transmitters and valves—depending on the type chosen.
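The weakest-link argument and the architecture comparison above, worked through numerically as an added example that is not part of the original article. It assumes the widely used simplified average-PFD equations for MooN voting (no common-cause failures, no diagnostics) and the low-demand PFD bands of IEC 61508/61511; the failure rates, the one-year proof-test interval and the logic-solver PFD are constructed values, not vendor data.

```python
from math import comb

def pfd_moon(m, n, lam_du, ti):
    """Simplified average PFD for M-out-of-N voting of identical devices.
    lam_du: dangerous undetected failure rate (per year); ti: proof-test
    interval (years). Ignores common cause and diagnostics."""
    k = n - m + 1                      # dangerous failures needed to defeat the vote
    return comb(n, k) * (lam_du * ti) ** k / (k + 1)

def sil_band(pfd):
    """Low-demand band: SIL n covers 10^-(n+1) <= PFDavg < 10^-n (capped at 4)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0                           # worse than SIL 1

def assess(sif):
    """Return (total PFDavg, achieved SIL, weakest subsystem) for one SIF.
    A subsystem is either a (m, n, lam_du, ti) tuple or a ready-made PFD."""
    parts = {name: pfd_moon(*arch) if isinstance(arch, tuple) else arch
             for name, arch in sif.items()}
    total = sum(parts.values())        # subsystems in series: PFDs add
    return total, sil_band(total), max(parts, key=parts.get)

# Constructed sample data (illustrative only).
LOGIC_SOLVER_PFD = 2e-4                # falls in the SIL 3 band on its own
SINGLE = {"transmitter": (1, 1, 0.01, 1.0),
          "logic solver": LOGIC_SOLVER_PFD,
          "valve": (1, 1, 0.02, 1.0)}
REDUNDANT = {"transmitter": (2, 3, 0.01, 1.0),    # triplicate, 2oo3 voting
             "logic solver": LOGIC_SOLVER_PFD,
             "valve": (1, 3, 0.02, 1.0)}          # three valves in series

if __name__ == "__main__":
    for label, sif in (("single field devices", SINGLE),
                       ("redundant field devices", REDUNDANT)):
        total, sil, weakest = assess(sif)
        print(f"{label}: PFDavg={total:.2e} -> SIL {sil}, "
              f"largest contributor: {weakest}")
```

With these numbers the same logic solver yields a SIL 1 function behind single field devices, with the valve as the largest contributor, and a SIL 3 function only once the transmitters and valves are made redundant.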

Sensible solution

When SIL determination techniques are effectively utilized, SIL 3 requirements should be extremely rare. In many cases, it is more effective to redesign the process to be less risky than it is to require a SIL-3 safety system; SIL 2 will often be most applications' highest true requirement.

General-purpose PLCs are only suitable for use in SIL 1 applications. Triplicate—and 1oo2D—SIL-3 approved safety PLCs are over-designed and unnecessarily expensive for SIL 2, in our experience. So, is the sensible resolution a SIL 2 solution?

Specifying a SIL-3 logic box is not the magic key to a safer facility. Merely specifying a certified-for-use in SIL-3 logic-box does not provide a SIL 3 system, nor does it mean the overall design conforms to the requirements of industry standards. Proper determination of safety integrity levels will often result in no more than SIL 2 requirements for most process applications. In such cases, using a safety platform that is similar to, and integrated with, the control platform—yet certified for use in SIL 2—can ease implementation and lower lifecycle costs.

Field-device hardware fault-tolerance requirements


Minimum hardware fault tolerance








See IEC 61508


Author information
Paul Gruhn, co-author of this article, is also co-author of the ISA textbook, Safety Shut-down Systems: Design, Analysis and Justification, author of many articles, and the developer of a control and safety system modeling software package. He is a registered professional engineer, a Certified Functional Safety Expert (a TÜV certification), and an ISA Fellow.

SIL 2 safety net
MTL has recently introduced the Matrix SafetyNet, a comprehensive SIL-2 product for safety related applications, including PSD, ESD, and F&G applications. SafetyNet is built on the same platform as the Matrix Process Control System, enabling one platform to address process control and functional safety needs.
