Understanding Safety Integrity Levels (SIL)

SIL Applications

How Risk Frameworks Influence Safety Design

Understanding the philosophy behind risk regulation is key when designing safety instrumented systems (SIS) for hazardous environments. Safety Integrity Levels (SIL), as defined in IEC 61508 and in application-specific standards such as IEC 61511, reflect the level of risk considered tolerable in a given situation, and it is the tolerability framework behind those standards that provides the basis for selecting an appropriate SIL. Connecting these abstract concepts to practical SIL implementation, however, can be a challenge.

For safety engineers, system integrators, designers and project teams, understanding how regulators approach risk tolerability can help clarify why certain SIL requirements exist and how regulatory authorities evaluate the adequacy of safety systems across different jurisdictions.

The Tolerability of Risk Framework

While ALARP (As Low As Reasonably Practicable) is a familiar term, the broader tolerability-of-risk framework provides the structured approach that determines when your SIL calculations translate into regulatory compliance. This framework, referenced in IEC 61508 Part 1 and elaborated in IEC 61511, describes how we decide whether a safety system is good enough or whether it still needs improvement. That judgement, and the engineering needed to act on it, is what the discipline of functional safety is built on.

The Three Zones of Risk in a SIL Context

International safety standards use a three-zone risk model, set out by the UK Health and Safety Executive (HSE) and carried into IEC 61508, to determine when risk reduction, and hence a SIL-rated safety function, is needed:


Figure 1: HSE Framework for the Tolerability of Risk

Unacceptable Risk: Risks that cannot be justified regardless of the benefits.

Typically, this boundary is placed at an individual risk of fatality of 1 in 1,000 per year for workers (the HSE's corresponding figure for members of the public is 1 in 10,000 per year); above it, the risk is too high to accept under any conditions. Unacceptable risk must be reduced to tolerable levels before any SIL assessment becomes relevant. The engineering implication is that your safety case must demonstrate risk reduction below this threshold before SIL analysis begins, which often requires inherently safer design or passive protection rather than an instrumented function.

Tolerable Risk: The operational space where most SIL implementations exist.

Individual risks generally fall between 1 in 1,000 and 1 in 1,000,000 per year (the exact figures vary by jurisdiction and application). Tolerable does not mean negligible: the risk is still present, but it can be justified, provided you demonstrate that it has been reduced ALARP, or So Far As Is Reasonably Practicable (SFAIRP, often abbreviated SFARP) in jurisdictions that use that wording. This is where your SIL calculations earn their keep: they are the evidence that the cost of any further risk reduction would be grossly disproportionate to the benefit gained.

Broadly Acceptable Risk: Generally no SIL-rated protection required

Risk in this category is below about 1 in 1,000,000 per year for an individual. It is so low that little or no additional protection is needed beyond good engineering practice; adding SIL-rated functions here is over-engineering that the risk does not justify and that is rarely cost-effective.

Bridging the Gap Between Standards and Reality

IEC 61511 operates within this tolerability framework but does not prescribe a single method: it encourages a risk-based approach to SIL selection and leaves the choice of technique (LOPA, risk graph, risk matrix or quantitative analysis) to the user, provided the chosen method is calibrated to the tolerability criteria in force.

LOPA Integration with Tolerability

Layer of Protection Analysis (LOPA) takes a single hazardous scenario and applies the tolerability principles to it numerically. Starting from the frequency of the initiating event, it credits each independent protection layer (IPL), such as alarms with operator response, relief devices or shutdown systems, with a probability of failure on demand, and multiplies them through to obtain the mitigated event frequency. That residual frequency is compared with the tolerability target; any remaining gap is the risk reduction the safety instrumented function must provide, which fixes its required PFD and hence its SIL. This creates a clear, auditable pathway from identifying the hazard to justifying the SIL, in a form that regulators can readily understand and validate.
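To make that pathway concrete, here is a small Python example added for this article (it is not code from the original page or from Ntron). The scenario, its initiating-event frequency, the enabling factor, the IPL credit and the tolerable-frequency target are all constructed sample values; the SIL bands are the IEC 61508 low-demand PFDavg ranges.

```python
"""LOPA worked example: from initiating-event frequency to a required SIL.

Added illustration for this article, not code from the original page.
All frequencies, probabilities and the tolerable-frequency target are
constructed sample values; use your own site data and criteria.
"""
from dataclasses import dataclass, field

# Low-demand SIL bands from IEC 61508-1 expressed as PFDavg ranges
# (lower bound inclusive, upper bound exclusive).
SIL_BANDS = (
    (1, 1e-2, 1e-1),
    (2, 1e-3, 1e-2),
    (3, 1e-4, 1e-3),
    (4, 1e-5, 1e-4),
)


@dataclass
class Scenario:
    """One LOPA scenario: one initiating event leading to one consequence."""
    name: str
    initiating_event_freq: float                          # initiating events per year
    enabling_factors: list = field(default_factory=list)  # conditional probabilities (occupancy, ignition, ...)
    ipl_pfds: list = field(default_factory=list)          # PFDavg of each independent protection layer credited
    tolerable_freq: float = 1e-5                          # target frequency per year for this consequence


def mitigated_frequency(s: Scenario) -> float:
    """Frequency of the consequence with all existing IPLs credited."""
    f = s.initiating_event_freq
    for p in list(s.enabling_factors) + list(s.ipl_pfds):
        if not 0.0 < p <= 1.0:
            raise ValueError(f"{s.name}: probability {p} outside (0, 1]")
        f *= p
    return f


def required_pfd(s: Scenario):
    """PFDavg a new SIF must achieve to close the gap to the target.

    Returns None when the existing layers already meet the target.
    """
    f = mitigated_frequency(s)
    if f <= s.tolerable_freq:
        return None
    return s.tolerable_freq / f


def sil_for_pfd(pfd):
    """Map a required PFDavg to a SIL.

    0    -> required PFD is 0.1 or worse: a non-SIL layer is enough
    1-4  -> SIL band from IEC 61508
    None -> required PFD is below 1e-5: beyond SIL 4, the design must change
    """
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def required_sil(s: Scenario):
    """SIL needed for scenario s, or 0 if no SIF is needed."""
    pfd = required_pfd(s)
    return 0 if pfd is None else sil_for_pfd(pfd)


# Constructed example: a BPCS control-loop failure leading to overpressure.
EXAMPLE = Scenario(
    name="Overpressure of reactor from BPCS loop failure",
    initiating_event_freq=0.1,   # one loop failure in 10 years
    enabling_factors=[0.5],      # hazardous inventory present half the time
    ipl_pfds=[0.1],              # high-pressure alarm with operator response
    tolerable_freq=1e-5,         # site criterion for this consequence class
)

if __name__ == "__main__":
    f = mitigated_frequency(EXAMPLE)
    pfd = required_pfd(EXAMPLE)
    print(EXAMPLE.name)
    print(f"  mitigated frequency with existing IPLs: {f:.2e} /yr")
    if pfd is None:
        print("  target met: no additional SIF required")
    else:
        sil = sil_for_pfd(pfd)
        print(f"  required SIF PFDavg: {pfd:.2e}  (RRF {1 / pfd:.0f})")
        print("  beyond SIL 4: redesign rather than add a SIF" if sil is None
              else f"  required SIL: {sil}")
```

For the constructed scenario the existing layers leave a mitigated frequency of 5e-3 per year against a 1e-5 target, so the SIF must deliver a PFDavg of 2e-3 (a risk reduction factor of 500), which falls in the SIL 2 band. Note the two edge cases the code handles: a required PFD of 0.1 or worse means a non-SIL layer is sufficient, and a required PFD below 1e-5 means no single SIF can close the gap and the process design itself must change.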

Risk Graphs: A Visual Method

Risk graphs are a quicker, more visual way to estimate the required SIL. They provide an intuitive connection between tolerability concepts and SIL selection by factoring in the severity of a potential outcome, how often the hazardous situation arises, whether people are exposed to it and whether they can avoid it. These factors map onto a required SIL through a lookup rather than an explicit frequency calculation. The caveat is that a risk graph is only as good as its calibration: the SIL assigned to each path through the graph encodes an assumed tolerable frequency, so the graph must be calibrated against the tolerability criteria that actually apply to the project, and that calibration should be documented.


Figure 2: Hazard Frequency and Consequence SIL Matrix

International Differences in Risk Tolerability

Countries and industries approach risk differently. This creates both challenges and opportunities for multinational projects, and variations mean that SIL decisions must consider both technical calculations and local regulators’ expectations.

  • Europe: The approach here emphasises rigorous demonstration of ALARP, specifically showing that the cost of further risk reduction would be grossly disproportionate to the benefit gained.
  • North America: There’s generally more flexibility here, with heavy reliance on industry consensus standards.
  • Asia-Pacific: Adoption of IEC 61508/61511 frameworks is growing in this region but often more conservative numerical criteria apply.
Practical SIL Design for Real Life

The tolerability framework fundamentally changes how we scope a project and how deeply risk is evaluated.

High Risk Systems (e.g. SIL 3): You will need to go beyond immediate process hazards to consider systemic and organisational factors, such as integration with other systems, operator interaction, and hazards that arise only during startup and shutdown.

Common External Risks: Fires, flooding, power failure and cyber-attacks must be evaluated regardless of how unlikely they seem; the focus has to be on how severe the consequences would be as well as how likely they are. Cyber-attacks deserve particular attention: IEC 61511-1 (2016 edition, clause 8.2.4) requires a security risk assessment of the SIS, and a SIS that an attacker can disable, or force into a spurious trip, no longer provides the PFD that the LOPA credited to it. Treat the security assessment as part of the same lifecycle as the hazard and risk assessment, not as a separate IT exercise.

More than Numbers: SIL systems must meet baseline good engineering practice (GEP) no matter what your risk calculation says. Meeting both basic safety standards and risk-based justifications creates a balance between protection and practicality.

Responsibilities Across the Value Chain

Each stakeholder in the supply chain has distinct responsibilities when it comes to assessing risk. For example, machinery suppliers or OEMs typically follow EN 62061, focusing on hazards directly related to the machine itself, particularly those that could affect operators or maintenance personnel working in proximity.

The picture becomes more complex for end-users, such as process plant operators. They need to consider not only the immediate machine-level risks but also the broader consequences of a malfunction, for instance the machine becoming the ignition source for a fire or explosion. The risk extends beyond the equipment to plant-wide safety and even public exposure. These risks are unlikely to be accounted for by the machinery supplier, who has no insight into how or where the machine will be used.

In short, one size does not fit all when it comes to SIL. Understanding who is responsible for which risk helps ensure safety is addressed holistically, not just locally:

  • Equipment manufacturers must ensure their products meet international safety expectations and can be used as part of a SIL system.
  • System integrators face the challenge of aligning project designs with risk frameworks whilst proving the chosen SIL is appropriate.
  • Plant operators are responsible for keeping systems working over time, using safety management systems, proof testing programs, and change management over asset lifecycles.
Managing Uncertainty in Tolerability Assessments

No safety assessment is flawless, and the standards assume that you will not always have all the data you need to make perfect predictions. That is why they build in guidance for managing uncertainty:

Data Limitations

  • Use conservative failure rates if exact data is unavailable, and record the source and justification for every rate you rely on
  • Apply safety margins in SIL verification calculations, so that a design is not accepted at the very edge of its SIL band
  • Account for systematic failures, not just random hardware failures.


Proof Testing Limitations

  • Understand what your proof testing can and cannot detect; dangerous failures that a test never reveals accumulate until the device is overhauled or replaced, whatever the test interval
  • Ensure testing intervals balance safety and practicality.
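The data and proof-testing points above can be shown numerically. The following Python example is added for this article (it is not the page's or Ntron's own code). It uses the simplified single-channel PFDavg approximation PFDavg ≈ PTC·λDU·TI/2 + (1 - PTC)·λDU·MT/2, where PTC is the proof-test coverage and MT the mission time before overhaul or replacement. The failure rate, candidate intervals and target PFD are constructed values, and the formula deliberately ignores repair time, diagnostics and common-cause factors, so treat it as an illustration of the trend rather than a verification calculation.

```python
"""Proof-test interval versus PFDavg for a single-channel (1oo1) SIF.

Added illustration for this article, not code from the original page.
Failure rate, intervals and target are constructed sample values.
"""
HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lambda_du, ti_hours, ptc=1.0, mission_hours=None):
    """Simplified average probability of failure on demand for one channel.

    lambda_du     : dangerous undetected failure rate, per hour
    ti_hours      : proof-test interval
    ptc           : proof-test coverage, the fraction of DU failures the test reveals
    mission_hours : time until overhaul/replacement; DU failures the proof test
                    cannot reveal accumulate over this period instead

    Uses the lambda*T/2 approximation; ignores repair time, diagnostics and
    common cause, so it is indicative only.
    """
    if not 0.0 <= ptc <= 1.0:
        raise ValueError("proof-test coverage must be between 0 and 1")
    if mission_hours is None:
        mission_hours = ti_hours
    tested = ptc * lambda_du * ti_hours / 2.0
    untested = (1.0 - ptc) * lambda_du * mission_hours / 2.0
    return tested + untested


def untested_floor(lambda_du, ptc, mission_hours):
    """PFDavg contribution that no amount of proof testing can remove."""
    return (1.0 - ptc) * lambda_du * mission_hours / 2.0


def largest_passing_interval(lambda_du, candidates_hours, target_pfd,
                             ptc=1.0, mission_hours=None):
    """Longest candidate proof-test interval whose PFDavg meets target_pfd, or None."""
    for ti in sorted(candidates_hours, reverse=True):
        if pfd_avg_1oo1(lambda_du, ti, ptc, mission_hours) <= target_pfd:
            return ti
    return None


# Constructed inputs. In practice lambda_du comes from certified FMEDA data
# or a conservative generic database, with the source recorded.
LAMBDA_DU = 2.5e-7                                    # per hour (about 2.2e-3 per year)
MISSION = 10 * HOURS_PER_YEAR                         # device replaced after 10 years
CANDIDATES = [y * HOURS_PER_YEAR for y in (0.25, 0.5, 1, 2, 3)]
TARGET_PFD = 2e-3                                     # e.g. the required PFD from a LOPA (SIL 2 band)

if __name__ == "__main__":
    for ptc in (1.0, 0.9):
        print(f"proof-test coverage {ptc:.0%}, untestable floor "
              f"{untested_floor(LAMBDA_DU, ptc, MISSION):.2e}")
        for ti in CANDIDATES:
            pfd = pfd_avg_1oo1(LAMBDA_DU, ti, ptc, MISSION)
            verdict = "meets" if pfd <= TARGET_PFD else "fails"
            print(f"  TI {ti / HOURS_PER_YEAR:4.2f} yr: PFDavg {pfd:.2e}  "
                  f"{verdict} target {TARGET_PFD:.0e}")
        best = largest_passing_interval(LAMBDA_DU, CANDIDATES, TARGET_PFD, ptc, MISSION)
        print("  longest acceptable interval:",
              "none" if best is None else f"{best / HOURS_PER_YEAR:.2f} yr")
    # With 90 % coverage the floor alone exceeds the SIL 3 band, so testing
    # more often cannot get this device into SIL 3.
    reachable = largest_passing_interval(LAMBDA_DU, CANDIDATES, 1e-3, 0.9, MISSION)
    print("SIL 3 target (1e-3) reachable at 90% coverage:", reachable is not None)
```

With perfect coverage the constructed device meets the 2e-3 target at a one-year interval; at 90 % coverage the untested fraction alone contributes about 1.1e-3 over the ten-year mission, the interval has to drop to six months, and a 1e-3 (SIL 3) target cannot be reached at any interval. That is the practical meaning of "understand what your proof testing cannot detect": beyond a point, the lever is the test procedure or the replacement interval, not the test frequency.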


Key Takeaways

  1. Risk tolerability frameworks give structure to SIL decisions, making sure that safety systems are both technically compliant and genuinely effective.
  2. Understanding the philosophy behind these standards helps safety professionals meet engineering and societal expectations.
  3. Using tolerability frameworks as the foundation for SIL decisions lets us build systems that adapt to evolving technologies and regulatory shifts, and ultimately keep users safer in the real-world environments in which they operate.

By David Beirne

Managing Director, Ntron Gas Measurement

To find out more about SIL and how you can implement a SIL-capable process, contact our experts.

Next in this series: "How to implement a SIL-capable analyzer in a Safety Instrumented System (SIS)"

Related Standards and Guidelines:

IEC 61508: Functional Safety of E/E/PE Safety-Related Systems

IEC 61511: Safety Instrumented Systems for the Process Industry Sector

ISO 12100: Safety of Machinery - General Principles for Design

ANSI/ISA-84.00.01: Application of Safety Instrumented Systems for the Process Industries

About the Author

David Beirne is the Managing Director of Ntron Gas Measurement. He has over 30 years of experience in oxygen measurement and safety systems and has led the development of advanced oxygen measurement and control technologies across pharmaceutical, chemical, and industrial safety applications. His focus is on delivering precise, reliable measurement systems that support process integrity, compliance, and operational excellence.

About Ntron

Ntron Gas Measurement, part of the DwyerOmega group, develops advanced oxygen analyzers and gas measurement systems for demanding industrial and process environments.

With expertise in applications ranging from chemical processing to inerting and glovebox monitoring, Ntron delivers solutions engineered for precision, reliability, and safety. Key innovations include the SILO2, a SIL 2-capable oxygen analyzer with a remote sensor architecture, designed to support functional safety requirements for hazardous areas.

Ntron's systems are trusted worldwide to support process integrity, reduce risk, and ensure compliance with international safety and performance standards.
