SIL in the process industry

Functional safety plays a key role in all process plants and the chemical industry has especially high requirements for the protection of people and the environment. Designing a standard-compliant safety circuit is no trivial matter. The best way to achieve this is with prudent design principles and reliable SIL data that can be used for calculations. We will be happy to provide you with the necessary data for your risk assessment and will support you during the implementation with our tried-and-tested components and redundant systems.

Safety integrity level (SIL)

To ensure that a system does not become a danger to people and the environment in the event of an emergency, you must design it systematically for functional safety. The SIL specifications are therefore a key criterion for plant engineering and construction, especially in the chemical process industry.

SIL stands for safety integrity level. It is an international measure used to classify the functional safety of a system. There are four levels, SIL1 to SIL4; SIL4 applies to the highest risk and therefore requires the strictest measures. In practice this means that you use the failure probabilities of the components to perform an accurate risk assessment, take measures to minimize the residual risk, select suitable devices and finally verify correct compliance of the SIL functions in recurring tests.

SIL safety standards

The SIL classification is based on two international standards: IEC 61508 and IEC 61511.

IEC 61508 (“Functional Safety of Electrical/Electronic/Programmable Electronic Safety Systems”) is the basic standard. It describes how to assess risks and which measures are required to design suitable safety functions. It therefore also includes the requirements for the individual components of the safety circuit: sensors such as pressure sensors, temperature sensors and level gauges, the evaluation and output unit, and automated process valves.

IEC 61511 (“Functional Safety – Safety Instrumented Systems for the Process Industry Sector”) applies specifically to process automation. It focuses mainly on low-demand applications, which are standard practice in the process industry and have lower requirements. Among other things, IEC 61511 contains the selection criteria for sensors and actuators, for example in terms of operational reliability.

SIL procedure in four steps

As the installer or operator of a plant that could endanger employees, residents, or the environment, you must keep the risk as low as possible. The IEC standards 61508 and 61511 prescribe four key steps for this:

1. Risk definition and assessment: You start by determining the respective failure probabilities for all components, from the sensor to the controller to the actuator, for the entire service life of the plant.

2. Definition and implementation of measures: You define and implement suitable measures to minimize the residual risk.

3. Use of suitable devices: The prerequisite for a successful SIL circuit test of your plant is components and assemblies that are suitable for the respective level and, where necessary, certified.

4. Recurring test: The operator monitors correct compliance with the safety functions at defined intervals.

1. Risk definition and assessment

What potential hazard does my plant pose? Every engineer of a process plant in the chemical industry must ask this question. A risk graph that combines four defined parameters into a decision tree in accordance with IEC 61508 and 61511 helps to answer it:

1. Severity of damage (S): How serious are the foreseeable consequences?

2. Frequency and exposure time (F): How often and long are people in the danger zone?

3. Avoiding/mitigating the danger (P): Can I prevent or contain the event?

4. Likelihood of occurrence (W): How often do I have to expect an incident?

Practical experience shows that safety-relevant risks are usually in the details and often only come to light during operation. A systematic analysis can already identify such weaknesses during planning. At Festo, we support you with a guideline-compliant risk assessment and functional safety solutions tailored to your needs – whether through complete system solutions, carefully planned automation concepts or individual components. Please feel free to consult us during this phase.

2. Definition and implementation of measures

The systematic risk assessment of your plant also reveals which factors drive SIL requirements upwards. Some of these, for example the production location, are a given. Others are factors that can be adjusted.

The first thing to look at is the probability of failure. You can significantly increase availability and reliability first and foremost through fault-tolerant components and redundantly designed systems. Depending on the process, even solutions in which individual components can be tested and replaced during operation can be useful.

The structural safety measures, for example pressure relief systems, depend on the actual production in each case. In principle it is possible to consider how the processes can be made as low risk as possible. Structural measures and precautions also belong here, for example ventilation, overfill protection (e.g., in the case of acid tanks) or concrete casing (in the case of explosion hazard).

Choosing devices and components with proven performance that ensure a long and reliable service life of the plant is also recommended. This includes temperature-resistant, acid-resistant and corrosion-protected materials. In addition, we have developed standard-compliant solutions for almost all individual processes which have proven their worth in the chemical and electrochemical industries, from the valve terminal with integrated shutdown to the highly reliable 2oo3 actuator.

3. Suitable devices

When determining the safety integrity level, the design of the SIL circuit in all individual parts must also reach this level. This means that, as an engineer, you need devices and components with the necessary SIL suitability. Proof is required for this:

  • Manufacturer’s declaration: manufacturers rate their devices themselves up to SIL2. For SIL1 the technical assessment is performed by an independent person; for SIL2 it is performed by an independent department.
  • Certificate: from SIL3 upwards, each device used in a safety circuit must be certified in accordance with IEC 61508 by an independent institution.

You will find all SIL certificates and manufacturer’s declarations for our products by entering the product type or part number in the search bar and on the product detail page under “Downloads and media”.

4. Recurring test

The safety functions of your plant must undergo testing at regular intervals. This is required by the statutory provisions of the Ordinance on Industrial Health and Safety or by accident prevention regulations; under certain circumstances, local legal requirements also apply. The primary purpose of the SIL recurring test is to prevent personal injury, property damage and environmental damage, but it also ensures system reliability by preventing unplanned downtime, and it safeguards the legal position of the engineers: in the event of damage, these tests can prove that the malfunction was not caused by device or design defects.

The test intervals are set by the operator. They are derived from the risk assessment, which is based, among other factors, on the safety characteristics of the individual SIL components. On the design side, durable solutions that can be exchanged without interrupting operation when an emergency occurs can be very beneficial. We are happy to give you recommendations on test intervals for our products.

SIL FAQ: Questions and answers

What do the SIL codes mean?

Product data sheets, certificates and model calculations on functional safety use a series of key figures and terms. Here are the most important for the SIL calculation:

  • λ (failure rate), with the following suffixes: λS for the overall rate of safe failures, λSD for the rate of safe, detected failures, λSU for the rate of safe, undetected failures, λD for the overall rate of dangerous failures, λDD for the rate of dangerous, detected failures, and λDU for the rate of dangerous, undetected failures.
  • Device types: A is the code for a device for which the failure behavior of all components and the failure characteristics are adequately determined (e.g. through proven performance). Device type B, on the other hand, means that the failure behavior of at least one component and the behavior in the event of a failure are not adequately determined.
  • HFT (hardware fault tolerance): The ability to continue to execute the required function in the event of faults and deviations. With HFT0, a single fault can result in the loss of the safety function (e.g. in 1oo1 circuits). With HFT1, the safety function is only lost if at least two faults occur simultaneously (e.g. in 1oo2 circuits). With HFT2, at least three faults must occur simultaneously (e.g. in 1oo3 circuits).
  • High demand: Operating mode with a high frequency of demands on the safety system, or with continuous demand. The safety system operates continuously or is demanded more than once a year.
  • Low demand: Operating mode with a low frequency of demands on the safety system: it is demanded no more than once a year.
  • MTBF (mean time between failures): Mean time between two successive failures.
  • PFD (probability of failure on demand): Probability that a safety function will fail in low demand mode (demand rate/year < 10) = low demand.
  • PFH (probability of failure per hour): Probability that a safety function will fail during continuous use (demand rate/year > 10) = high demand.
  • SFF (safe failure fraction): Proportion of safe failures out of the total number of failures.
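The key figures above (λ classes, SFF, HFT, device type and PFD) combine into a claimable SIL for a single device. The following Python block is an added worked example, not Festo data or a quoted data sheet: the four failure rates are constructed values, the PFDavg formulas are the simplified IEC 61508-6 approximations (proof-test interval T, common-cause factor β, repair times neglected), the low-demand SIL bands are those of IEC 61508-1, and the architectural limits are the Route 1H tables of IEC 61508-2 for device types A and B. It goes beyond the text by showing that the claimable SIL is the smaller of the PFD-based SIL and the architectural limit, so a type B device with HFT0 can be held back even when its PFDavg looks good.

```python
"""SIL figures for a single device, worked from the failure-rate codes above.

Added example, not Festo data. Failure rates are per hour and constructed.
PFDavg: simplified IEC 61508-6 approximations with proof-test interval T (hours)
and common-cause factor beta, repair times neglected. SIL bands: IEC 61508-1,
low-demand mode. Architectural constraints: IEC 61508-2 Route 1H tables.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """lambda values per hour, split into the SD / SU / DD / DU classes."""
    sd: float  # safe, detected
    su: float  # safe, undetected
    dd: float  # dangerous, detected
    du: float  # dangerous, undetected

    @property
    def safe(self) -> float:
        return self.sd + self.su

    @property
    def dangerous(self) -> float:
        return self.dd + self.du

    @property
    def sff(self) -> float:
        # IEC 61508 counts dangerous-detected failures on the "safe" side:
        # SFF = (lambda_S + lambda_DD) / lambda_total
        return (self.safe + self.dd) / (self.safe + self.dangerous)


# Hardware fault tolerance implied by each voting architecture
HFT = {"1oo1": 0, "2oo2": 0, "1oo2": 1, "2oo3": 1, "1oo3": 2}


def pfd_avg(arch: str, lam_du: float, t_hours: float, beta: float = 0.0) -> float:
    """Average probability of failure on demand for one subsystem."""
    x = lam_du * t_hours  # expected dangerous undetected failures per proof-test interval
    if arch == "1oo1":
        return x / 2
    if arch == "2oo2":
        return x  # both channels must work, so roughly twice the 1oo1 value
    if arch == "1oo2":
        return x ** 2 / 3 + beta * x / 2
    if arch == "2oo3":
        return x ** 2 + beta * x / 2
    if arch == "1oo3":
        return x ** 3 / 4 + beta * x / 2
    raise ValueError(f"unknown architecture {arch}")


# Low-demand SIL bands: (sil, lower bound inclusive, upper bound exclusive)
SIL_PFD_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_from_pfd(pfd: float) -> int:
    """SIL that the PFDavg alone would justify; 0 means not even SIL1."""
    if pfd < 1e-5:
        return 4  # better than the SIL4 band, but SIL4 is the highest claim
    for sil, lo, hi in SIL_PFD_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


# Route 1H: maximum SIL by device type and HFT, indexed by SFF band
# (SFF < 60 %, 60-90 %, 90-99 %, >= 99 %); 0 = not allowed
MAX_SIL_TYPE_A = {0: (1, 2, 3, 3), 1: (2, 3, 4, 4), 2: (3, 4, 4, 4)}
MAX_SIL_TYPE_B = {0: (0, 1, 2, 3), 1: (1, 2, 3, 4), 2: (2, 3, 4, 4)}


def max_sil_architecture(dev_type: str, hft: int, sff: float) -> int:
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    table = MAX_SIL_TYPE_A if dev_type == "A" else MAX_SIL_TYPE_B
    return table[hft][band]


def achieved_sil(arch: str, rates: FailureRates, dev_type: str,
                 t_hours: float, beta: float = 0.0) -> int:
    """The claimable SIL is limited by both PFDavg and the architectural constraint."""
    by_pfd = sil_from_pfd(pfd_avg(arch, rates.du, t_hours, beta))
    by_arch = max_sil_architecture(dev_type, HFT[arch], rates.sff)
    return min(by_pfd, by_arch)


# Constructed sample: a solenoid valve with 1500 FIT safe and 500 FIT dangerous
# failures, none of them diagnosed, proof-tested once a year
EXAMPLE_RATES = FailureRates(sd=0.0, su=1.5e-6, dd=0.0, du=5.0e-7)
T_PROOF_HOURS = 8760.0

if __name__ == "__main__":
    print(f"SFF = {EXAMPLE_RATES.sff:.0%}")
    for arch in ("1oo1", "2oo2", "1oo2", "2oo3"):
        pfd = pfd_avg(arch, EXAMPLE_RATES.du, T_PROOF_HOURS, beta=0.1)
        print(f"{arch}: PFDavg={pfd:.2e}, SIL by PFD={sil_from_pfd(pfd)}, "
              f"type A={achieved_sil(arch, EXAMPLE_RATES, 'A', T_PROOF_HOURS, 0.1)}, "
              f"type B={achieved_sil(arch, EXAMPLE_RATES, 'B', T_PROOF_HOURS, 0.1)}")
```

With these constructed rates the single valve (1oo1) reaches SIL2 as a type A device but only SIL1 as a type B device, and the 1oo2 pair reaches SIL3 only as type A; the common-cause term β·λDU·T/2 dominates the redundant PFDavg, which is why β matters more than the square term in practice.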

What does a safety system consist of?

An SIL circuit generally consists of three segments:

  • Sensors (e.g. pressure sensors, temperature sensors and level gauges)
  • Evaluation and output unit (e.g. safety PLC)
  • Automated process valve comprising air solenoid valve, actuator and process valve.

What is the PFD/PFH distribution?

The distribution of the failure probabilities to the subsystems of a safety function is as follows for single-channel systems: the greatest weight is given to the SD failure rate of the actuators.

Figure: SIL safety integrated system

Where can the values be found?

All failure probabilities required for the SIL calculation can be found in the manufacturer’s declarations or certificates (highlighted in blue). They are used to calculate the total probability of failure (the values highlighted in gray) for the required SIL.

Figure: SIL calculation
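The distribution question and the calculation above can be worked through numerically. The following Python block is an added example, not Festo data: the three λDU values are constructed stand-ins for figures that would be read from each manufacturer's declaration or certificate. Every subsystem is treated as single-channel (1oo1), so its PFDavg is about λDU·T/2 (simplified IEC 61508-6, repair time neglected), and the loop PFDavg is the sum of the three because sensor, logic solver and final element act in series. It also turns the calculation around, as the recurring-test section implies: for a given SIL band it returns the longest proof-test interval the loop can tolerate.

```python
"""Distribution of PFDavg across the three subsystems of one safety function.

Added example, not Festo data. lambda_DU values are constructed, per hour.
Each subsystem is 1oo1: PFDavg ~ lambda_DU * T / 2 (simplified IEC 61508-6).
The loop PFDavg is the sum of the subsystem values (series arrangement).
"""

# Constructed dangerous undetected failure rates, per hour
SUBSYSTEMS = {
    "sensor": 2.0e-7,          # pressure transmitter
    "logic solver": 1.0e-8,    # safety PLC
    "final element": 8.0e-7,   # air solenoid valve + actuator + process valve
}


def pfd_1oo1(lam_du: float, t_hours: float) -> float:
    return lam_du * t_hours / 2


def loop_budget(subsystems: dict, t_hours: float):
    """Return (loop PFDavg, PFDavg per subsystem, share of the loop per subsystem)."""
    pfds = {name: pfd_1oo1(lam, t_hours) for name, lam in subsystems.items()}
    total = sum(pfds.values())
    shares = {name: p / total for name, p in pfds.items()}
    return total, pfds, shares


def dominant_subsystem(subsystems: dict, t_hours: float) -> str:
    """Name of the subsystem carrying the largest share of the loop PFDavg."""
    _, _, shares = loop_budget(subsystems, t_hours)
    return max(shares, key=shares.get)


def max_proof_interval(subsystems: dict, pfd_max: float) -> float:
    """Longest proof-test interval (hours) keeping the loop below pfd_max.

    sum(lambda_DU) * T / 2 < pfd_max  =>  T < 2 * pfd_max / sum(lambda_DU)
    """
    return 2 * pfd_max / sum(subsystems.values())


if __name__ == "__main__":
    total, pfds, shares = loop_budget(SUBSYSTEMS, 8760.0)
    for name in SUBSYSTEMS:
        print(f"{name:14s} PFDavg={pfds[name]:.2e} share={shares[name]:.0%}")
    print(f"loop PFDavg={total:.2e} (SIL2 band: < 1e-2, SIL3 band: < 1e-3)")
    days = max_proof_interval(SUBSYSTEMS, 1e-3) / 24
    print(f"proof test at most every {days:.0f} days to stay in the SIL3 band")
```

With a yearly proof test the loop lands in the SIL2 band and the final element accounts for roughly four fifths of the loop PFDavg, which is the weighting the text describes; shortening the proof-test interval to about 82 days is what it would take to bring the same hardware into the SIL3 band.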

When are certificates required?

The higher the required safety level of a plant, the higher the level of independence the standard requires of the body that assesses functional safety. According to IEC 61511, manufacturer's declarations are perfectly adequate up to SIL2. From SIL3 upwards, the certificate must be issued by an independent organization.

Safety integrity level and assessing body:

  • SIL1: independent person
  • SIL2: independent department
  • SIL3: independent organization
  • SIL4: independent organization

Where are the SIL certificates?

The SIL certificates and SIL manufacturer’s declaration for Festo products can be found on the respective product detail page under “Downloads and media”, category "certificates".

How can I control actuators redundantly?

Figure: SIL redundant systems

What SIL redundancy solutions are there?

Figure: SIL redundant valve block

Festo has the right redundant actuator for every safety requirement:

Redundant NAMUR block (1oo2, 2oo2): The NAMUR block permits the installation of two air solenoid valves with a NAMUR port pattern which are wired redundantly via the NAMUR interface. The blocks are available in fail-safe function (1oo2) or with increased availability (2oo2). You can mount the block directly on quarter turn actuators via the interface. Separate installation with suitable piping is also possible.

Redundant inline pneumatic valves (1oo2, 2oo2): With these compact systems, Festo is drawing on the tried-and-tested VOFD valve technology. The pneumatic valve’s redundant circuit ensures a redundant fail-safe function (1oo2) or provides increased availability (2oo2) for automated process valves. Thanks to the Ematal coating, these pneumatic valves meet the highest safety standards in process engineering and can withstand the toughest of ambient conditions.

Combined valve block (2oo3): The 2oo3 system combines both technologies, therefore providing the highest level of safety and availability. This valve block is an inline variant that is integrated into your plant. The installed standards-based valves are defined and mounted on the block via the NAMUR interface in accordance with VDI/VDE 3845. The block is therefore installed once; only the pneumatic valves are replaced via the interface according to a service life/safety lifecycle plan. In addition, with this system the functions of the four pneumatic valves can be bypassed so that maintenance can take place during operation. The pressure gauge mounted directly on the valve block always gives a reliable and swift indication of whether a pneumatic valve is pressurized.
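Why 1oo2 is the fail-safe arrangement, 2oo2 the high-availability one and 2oo3 both can be checked with a small voting model. The following Python block is an added example, not Festo code: it abstracts each pneumatic valve to "vents" (de-energised, lets the actuator move to the safe position) or "does not vent", injects one fault at a time (stuck pressurised, i.e. a dangerous failure; or a spurious vent, i.e. a safe but unwanted failure) and asks two questions per architecture: does a single dangerous fault still leave the safety function working, and does a single safe fault trip the plant without a demand? The fault names and the MooN encoding are this example's own.

```python
"""Single-fault behaviour of MooN pneumatic valve arrangements.

Added example, not Festo code. A valve either vents (safe direction) or
does not; MooN means at least M of the N valves must vent for the actuator
to reach its safe state. Fault names are this example's own.
"""

# architecture -> (M, N); 1oo1 included as the non-redundant reference
ARCHITECTURES = {"1oo1": (1, 1), "1oo2": (1, 2), "2oo2": (2, 2), "2oo3": (2, 3)}

STUCK = "stuck_pressurised"   # dangerous: the valve cannot vent on demand
SPURIOUS = "spurious_vent"    # safe but unwanted: the valve vents without a demand


def safe_state_reached(arch: str, demand: bool, faults: dict) -> bool:
    """True if enough valves vent for the actuator to reach the safe position.

    faults maps valve index -> fault name; valves not listed are healthy and
    vent exactly when the safety function is demanded.
    """
    m, n = ARCHITECTURES[arch]
    venting = 0
    for valve in range(n):
        fault = faults.get(valve)
        if fault == STUCK:
            vents = False
        elif fault == SPURIOUS:
            vents = True
        else:
            vents = demand
        venting += int(vents)
    return venting >= m


def single_fault_behaviour(arch: str) -> dict:
    """Fail-safe and availability properties under every single-valve fault."""
    n = ARCHITECTURES[arch][1]
    # every single dangerous fault must still let the demand be served
    tolerates_dangerous = all(
        safe_state_reached(arch, True, {v: STUCK}) for v in range(n))
    # no single safe fault may trip the plant when there is no demand
    avoids_spurious = not any(
        safe_state_reached(arch, False, {v: SPURIOUS}) for v in range(n))
    return {"tolerates_single_dangerous_fault": tolerates_dangerous,
            "avoids_single_spurious_trip": avoids_spurious}


def comparison_table() -> dict:
    return {arch: single_fault_behaviour(arch) for arch in ARCHITECTURES}


if __name__ == "__main__":
    for arch, props in comparison_table().items():
        print(f"{arch}: fail-safe under one dangerous fault="
              f"{props['tolerates_single_dangerous_fault']}, "
              f"no spurious trip under one safe fault={props['avoids_single_spurious_trip']}")
```

The table the block prints is the trade-off behind the product variants above: 1oo2 survives a stuck valve but trips on a spurious vent, 2oo2 is the other way round, and only 2oo3 has both properties, at the cost of a third valve and the bypass and lifecycle arrangements the text mentions.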

Who needs to know this?

Consult with your specialists about what Festo can offer you. Share this link for our recommended solutions and sample applications.