SIL or PL? How can you tell if your safety system will actually work when it really matters?

In many industrial plants, it is assumed that the safety system will simply work when a hazard occurs. In practice, however, the question is different: what is the probability that it will work exactly when it is needed? That is precisely what the concepts of SIL (Safety Integrity Level) and PL (Performance Level) answer. These are two different languages of functional safety that allow you to measure something very specific – whether a safety function will actually reduce risk at a critical moment.

Why must a safety system work exactly when it is needed?

A safety system exists for one purpose only: to act at the moment of process or machine failure. Not sooner, not later – precisely when a hazard arises.

Imagine a simple scenario from the process industry. Pressure in a tank is rising because a control valve has become stuck. At a certain point, the system should respond: cut off the medium supply, open a relief valve, or shut down the installation. If this safety function fails to act, the consequence may be a system leak, fire, or explosion.

The problem is that safety systems… also fail. A sensor may become stuck. A safety valve may not close fully. A controller may not recognize a signal.

That is precisely why in safety engineering the question is not: “Will the system work?” Instead, a far more technical question is asked: “What is the probability that the safety function will fail when it is needed?”

This question leads directly to two concepts that frequently appear in technical documentation, audits, and risk analyses: SIL and PL.

In many plants, the first signal that a safety system is not working as intended comes in the form of near-miss events: situations in which a serious incident was narrowly avoided. You can read more about them on our blog.

SIL – how does the process industry measure the reliability of a safety function?

SIL (Safety Integrity Level) is a measure of safety function reliability used in the process industry.

Simply put – SIL defines how much a given safety function reduces the risk of failure.

It does not apply to an entire installation or a device as such. Despite marketing shortcuts such as “SIL3 valve,” SIL is assigned to a specific safety function, known as a SIF – Safety Instrumented Function.

An example from a chemical installation:

SIF-01:
“If the pressure in the reactor exceeds 8 bar → close the feed valve and open the relief valve within <2 s.”

This is exactly a safety function. And it is for this function that the required SIL level is determined.

In the IEC 61508 and IEC 61511 standards, SIL levels describe the ability of a function to reduce risk. The higher the SIL level, the lower the acceptable probability of safety function failure.

Typical levels are:

  • SIL 1 – basic risk reduction,
  • SIL 2 – significant risk reduction,
  • SIL 3 – very high reliability of the safety function.

In industrial practice, SIL 3 means a system that must function correctly almost every time it is triggered.

But note – SIL does not stem from a designer’s ambition. It always results from a process risk analysis.

PFD and PFDavg – the numbers behind the SIL level

Behind every SIL level lies a specific number describing the probability of safety function failure.

This number is called PFD (Probability of Failure on Demand).

It means exactly one thing: what is the probability that the safety function will fail to act when it is called upon.

In practice, however, a single moment is not analyzed – rather the average value over time is assessed, especially between periodic system tests. That is why the parameter used is:

PFDavg – the average probability of failure to perform the function on demand.

It is precisely PFDavg that determines the SIL level.

Typical ranges look as follows:

  • SIL 1: approximately 10⁻² – 10⁻¹,
  • SIL 2: approximately 10⁻³ – 10⁻²,
  • SIL 3: approximately 10⁻⁴ – 10⁻³.

In other words – for SIL 3, the safety function may fail on average once per one thousand to ten thousand demands.

That is why risk analyses also frequently refer to the RRF – Risk Reduction Factor.

For example:

  • SIL 1 reduces risk approximately 10–100 times,
  • SIL 2 approximately 100–1,000 times,
  • SIL 3 even 1,000–10,000 times.

These numbers reveal something very important: SIL is not a label – it is a mathematical description of how much a safety function reduces the risk of failure.

PL in machine safety systems – what is Performance Level?

While SIL dominates in the process industry, the world of machinery uses a different approach to safety assessment.

It is called PL – Performance Level and is described in the ISO 13849-1 standard.

PL applies to the safety-related parts of control systems, i.e., SRP/CS (Safety Related Parts of Control Systems).

Typical examples of such functions include:

  • stopping a drive when a guard is opened,
  • response of a light curtain,
  • safety STOP button,
  • access lockout to a hazardous zone.

PL describes the probability of a dangerous failure per hour of operation, i.e., the parameter PFHd.

Performance Level categories are designated by letters:

  • PL a – lowest safety level,
  • PL b,
  • PL c,
  • PL d,
  • PL e – highest level of safety function reliability.

In practice, most stopping functions on high-risk machines reach PL d or PL e.

Notably, PL does not depend on a single device alone. The result is influenced by the entire control system architecture, including:

  • MTTFd – mean time to dangerous failure,
  • DC – diagnostic coverage,
  • CCF – common cause failure,
  • system structure (categories B–4).

That is why machine audits very often reveal that a component carries a PL e declaration… but the entire control system achieves only PL c or PL d.

And that is precisely why a SIL or PL analysis should never end with checking a single component.

SIL vs PL – key differences and when each standard applies

SIL and PL describe the same problem – safety function reliability – but were developed for entirely different technical environments.

Simply put:

  • SIL dominates in the process industry,
  • PL in the world of machinery and production automation.

In process installations, we deal with SIS (Safety Instrumented Systems) – sensors, safety logic, and an actuating element form the SIF, which responds to a process event.

Typical examples:

  • high pressure in reactor → close isolation valve,
  • high level in tank → stop pump,
  • gas leak → cut off medium supply.

Here, the language of safety is SIL.

In the world of machinery, however, safety most often concerns human interaction with mechanical motion.

An operator opens a guard. A robot works in a work zone. A conveyor can draw in a hand.

In such situations, safety functions are carried out by control elements:

  • light curtains,
  • guard limit switches,
  • safety STOP buttons,
  • safety PLCs.

And here, Performance Level (PL) is applied. In engineering practice, approximate PL ↔ SIL mappings exist, because both approaches are based on the probability of safety function failure.

However, caution is required. This is not a one-to-one conversion.

They differ in:

  • calculation methodology,
  • standard structure,
  • scope of application.

That is why in safety projects it is more important to consistently apply the correct standard rather than attempt to artificially “convert” between them.

How to assess whether a safety function meets the required SIL or PL?

Assessing a safety function always begins with one step: defining exactly what the system is supposed to do.

This may sound trivial, but in many installations safety functions are described very generally – e.g., “tank protection system.”

Yet a safety analysis requires specifics.

A safety function should be described unambiguously:

what it detects → what it does → within what time → under what conditions.

Example of a well-defined function:

SIF-02:
“If the level in the tank exceeds 95% → close the feed valve and stop the pump within <1 s.”

Only then can you proceed to the subsequent stages.

A typical process looks as follows:

  1. Risk analysis
    • in processes, often the LOPA or HAZOP method,
    • in machinery, the risk graph from ISO 13849-1.
  2. Determination of the required risk reduction
    • result: SIL 1 / SIL 2 / SIL 3 or PL a–e.
  3. Analysis of the safety system architecture, where concepts such as the following appear:
    • 1oo1 – one sensor, one channel,
    • 1oo2 – sensor redundancy,
    • 2oo3 – two-out-of-three channel voting.
  4. Probabilistic calculations, where depending on the standard the following are calculated:
    • PFDavg or PFH for SIL,
    • PFHd for PL.

If the result does not meet the requirements, the design must be revised.

Most commonly through:

  • sensor redundancy,
  • shortening test intervals,
  • increasing diagnostics,
  • using components with better reliability.

This is precisely where real installation safety is built – at the system architecture design stage.
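The following is an added worked example, not part of the original article or of ATEX Doradztwo's own tooling. It puts numbers to steps 3 and 4 above and to the question of test intervals answered in the FAQ below: it estimates PFDavg for 1oo1, 1oo2 and 2oo3 groups using the simplified low-demand approximations from IEC 61508-6 (dangerous undetected failure rate λ_DU, proof-test interval T_I, common-cause factor β; repair time and detected failures are neglected), maps the result to a SIL band and RRF, and maps a PFHd value to a PL band per ISO 13849-1. The failure rate, β and test intervals used in the demo are constructed values chosen to illustrate the mechanism, not data for any real component.

```python
"""Simplified PFDavg estimates for common SIF architectures and the resulting
SIL and RRF, plus PFHd -> PL band lookup.

Approximations (IEC 61508-6 style, low-demand mode):
  1oo1: PFDavg ~= lambda_DU * T_I / 2
  1oo2: PFDavg ~= ((1-beta) * lambda_DU * T_I)^2 / 3 + beta * lambda_DU * T_I / 2
  2oo3: PFDavg ~= ((1-beta) * lambda_DU * T_I)^2     + beta * lambda_DU * T_I / 2
Repair time (MTTR) and dangerous detected failures are neglected.
All numeric inputs in the demo are constructed for illustration.
"""

HOURS_PER_YEAR = 8760.0


def pfd_avg(arch, lambda_du, t_i_hours, beta=0.0):
    """Average probability of failure on demand for a 1oo1, 1oo2 or 2oo3 group.

    lambda_du : dangerous undetected failure rate per hour (constructed input)
    t_i_hours : proof-test interval in hours
    beta      : fraction of lambda_du attributed to common cause (ignored for 1oo1)
    """
    if arch == "1oo1":
        return lambda_du * t_i_hours / 2.0
    independent = (1.0 - beta) * lambda_du * t_i_hours   # per-channel "lambda*T"
    ccf = beta * lambda_du * t_i_hours / 2.0              # common-cause term, like a 1oo1 leg
    if arch == "1oo2":
        return independent ** 2 / 3.0 + ccf
    if arch == "2oo3":
        return independent ** 2 + ccf
    raise ValueError(f"unsupported architecture {arch!r}")


def sil_from_pfdavg(pfd):
    """SIL band for low-demand mode (IEC 61508-1 bands; SIL 4 exists in the
    standard even though the article lists only SIL 1-3). None if below SIL 1."""
    bands = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
    for sil, lo, hi in bands:
        if lo <= pfd < hi:
            return sil
    return None


def rrf(pfd):
    """Risk Reduction Factor is the reciprocal of PFDavg."""
    return 1.0 / pfd


def pl_from_pfhd(pfhd):
    """PL band from PFHd (dangerous failures per hour) per ISO 13849-1."""
    bands = [("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
             ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4)]
    for pl, lo, hi in bands:
        if lo <= pfhd < hi:
            return pl
    return None


def sil_for_test_intervals(arch, lambda_du, years, beta=0.0):
    """Show how the proof-test interval alone moves PFDavg and the SIL band.
    Returns {years: (pfdavg, sil)}."""
    out = {}
    for y in years:
        pfd = pfd_avg(arch, lambda_du, y * HOURS_PER_YEAR, beta)
        out[y] = (pfd, sil_from_pfdavg(pfd))
    return out


def demo():
    """Constructed SIF: lambda_DU = 5e-7 /h, beta = 5 %, proof test every 1 or 5 years."""
    lam, beta = 5e-7, 0.05
    result = {}
    for arch in ("1oo1", "1oo2", "2oo3"):
        b = 0.0 if arch == "1oo1" else beta
        result[arch] = sil_for_test_intervals(arch, lam, (1, 5), b)
    return result


if __name__ == "__main__":
    for arch, by_years in demo().items():
        for years, (pfd, sil) in by_years.items():
            print(f"{arch} T_I={years} y: PFDavg={pfd:.2e}  SIL {sil}  RRF={rrf(pfd):.0f}")
    print("PFHd 5e-8 /h ->", pl_from_pfhd(5e-8))
```

With the constructed values, a 1oo1 loop tested yearly lands in SIL 2, stretching the test interval to five years drops the same hardware to SIL 1, and adding a redundant 1oo2 channel (even with a 5 % common-cause share) brings it to SIL 3. Note that with β > 0 the common-cause term dominates the redundant architectures, which is why redundancy without diversity and diagnostics yields less than the squared term alone would suggest.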

In practice, determining the required SIL or PL level always results from a risk analysis of the installation and the identification of potential ignition sources that could lead to a hazardous event.

Expert support – when is it worth conducting a SIL or PL analysis?

In many plants, safety systems were built at various stages of installation development. Some safeguards were designed many years ago; others were added during modernization or expansion of the process line.

As a result, it often turns out that:

  • safety functions are not clearly defined,
  • there are no current PFDavg or PFHd calculations,
  • the system architecture does not match the current risk level.

In such situations, it is worth conducting an independent functional safety analysis. And this is exactly where we can help.

At ATEX Doradztwo, we support industrial plants in, among other things:

  • SIL and PL analyses,
  • identification of safety functions (SIF / SRP/CS),
  • PFDavg, PFH, and PFHd calculations,
  • HAZOP and LOPA analyses,
  • compliance audits with ATEX and Machinery Directive requirements.

The goal of such analyses is not to “raise the SIL level,” but to ensure that the safety function will actually work at the critical moment.

What is the difference between SIL and PL?

SIL is used primarily in the process industry, while PL is used in machine safety systems. Both approaches describe safety function reliability, but they use different standards and calculation methods.

Is SIL 3 always better than SIL 2?

No. The required SIL level results from a risk analysis. An excessively high level can lead to unnecessary system complexity and maintenance difficulties.

Does a component with a SIL certificate guarantee the SIL level of a function?

No. A component certificate only means that the element can be used in a system of a given SIL level. The final level depends on the entire system architecture.

What does PFDavg mean?

PFDavg is the average probability that a safety function will fail to act on demand. This value is what determines the SIL level.

Can PL be converted to SIL?

Approximate mappings between PL and SIL exist, but it is not an exact 1:1 conversion, as the standards use different calculation methods.

Do periodic tests affect the SIL level?

Yes – and significantly so. Extending the test interval can substantially increase PFDavg and, consequently, lower the SIL level of the safety function.

Article author

Andrzej Bobula

Safety expert in the field of ATEX and machine safety, specializing in explosion risk assessment and the analysis of machinery used in the production of explosives. Authorized to perform work involving access to explosive materials (Military Institute of Armament Technology). Has extensive experience in certifying machinery to ATEX standards and assessing machinery conformity with the Machinery Directive 2006/42/EC (CE).