Demystifying SIL, SIS & SIF in Control Systems Engineering

You keep seeing SIL, SIS, SIF, PFD, HFT, and SFF scattered across P&IDs, HAZOP notes, and vendor certs. If you’ve ever felt a bit unsure about where a SIF ends and the SIS begins, or how a HAZOP risk ranking logically forces you to choose a specific hardware redundancy, you are not alone. Rather than grinding through a glossary page to memorise the acronyms, it's better to look at how they form one continuous logical chain that turns hazard identification into engineered protection across the functional safety lifecycle (IEC 61511-1:2016 Clause 8 to 16).

To clear up the overlap, we are going to weave a series of common safety concepts into a narrative thread. We will start by drawing the hard boundary between your normal control system (BPCS) and your independent safety layer (SIS). From there, we will zoom in on the specific functions (SIFs) designed to catch individual hazards, see how risk assessments assign them a strict performance target (SIL), and finally, look at the mathematical proof (PFD/HFT) that ensures your physical hardware actually meets the brief. Here is the shortest map that connects them all, built step by step using one running example.

The Core Chain

1. BPCS and SIS – All about separation

Your everyday control platform (BPCS – Basic Process Control System, e.g. a DCS – Distributed Control System – or PLC – Programmable Logic Controller) maintains normal operation: level, flow, temperature loops, and the alarm system that notifies operators of deviations (IEC 62682:2014 Alarm Management).
The SIS (Safety Instrumented System) is a completely independent layer governed by IEC 61508 (general functional safety) and IEC 61511 (process-industry specific). Its only job is to drive the process to a safe state when the BPCS cannot.

Independence is a strict designed-for property. The standard mandates that the BPCS be separate and independent to the extent that the functional integrity of the SIS is not compromised. Physical separation (separate sensors, logic solver, power, I/O) is the cleanest path, but functional independence is the hard rule: a common-cause failure that knocks out the BPCS must not also disable the safety layer (IEC 61511-1:2016 Clause 11.2.4; Exida: Shared Components Constraints). Furthermore, because a "cyber event" is now a recognized common-cause threat, IEC 61511 explicitly requires a security risk assessment to protect the SIS from programmable control compromise (IEC 61511-1:2016 Clause 8.2.4; ISA/IEC 62443 Series).

Example setup: Consider pressure management on a high-pressure natural gas separator vessel. The BPCS controls normal level and pressure. If pressure rises abnormally, the BPCS might try to open a control valve; if that fails, the independent SIS must act. (Overpressure scenarios and protection layering are deeply codified in industry guidance like API Standard 521.)

2. SIFs – The actual safety functions

Inside the SIS live one or more SIFs (Safety Instrumented Functions).
Each SIF targets one specific hazard scenario: detect a dangerous condition and execute a specific action within a defined response time to achieve or maintain a safe state (IEC 61511-1:2016 Clause 10.3.2).
SCAI (Safety Controls, Alarms, and Interlocks) are related but broader; many SIFs serve as the highly reliable, instrumented core of SCAI.

Example building: One SIF is defined as: detect high-high pressure (tagged PAHH) and close the inlet ESD valve (Emergency Shutdown valve) to isolate the vessel. The “high-high” designation denotes a safety trip setpoint mathematically separated from the normal BPCS “high” alarm. The physical objects are a pressure transmitter on the vessel top, the safety logic solver, and the actuated ESD valve on the inlet line. The unwanted event is vessel rupture, and we address the risk be attempting to eliminate the hazard of an unregulated high-pressure vessle.

3. SIL – The performance target

Every SIF is assigned a Safety Integrity Level from 1 to 4. Quantitative boundaries make the categories concrete, directly linking the required Risk Reduction Factor (RRF) to a target PFD_avg (IEC 61508-1:2010 Table 2):

The SIL is not eyeballed. It comes from formal risk assessment: HAZOP identifies the scenario (IEC 61882:2016), then LOPA (Layer of Protection Analysis) semi-quantifies it to determine the necessary target mitigated event likelihood (CCPS: Layer of Protection Analysis).

Example detail added: HAZOP flags the overpressure scenario. LOPA calculates: initiating event frequency 0.1 per year × consequence severity requires overall risk reduction of 10^-3; existing layers (relief valve + operator response) give only 10^-1 → the SIF must deliver the remaining 10^-2 reduction → SIL 2 target.

4. The proof – PFD, PFH, SFF and HFT

You verify the SIF meets its SIL with calculations based on architectural constraints and random hardware failures (IEC 61508-2:2010 Route 1H/2H):

• PFD_avg (average Probability of Failure on Demand) for low-demand mode functions (most process SIFs operating ≤ 1 demand/year; “avg” means averaged over the proof-test interval).
• PFH (average frequency of dangerous failure per hour) for high-demand or continuous mode (> 1 demand/year).
• Hardware metrics: SFF (Safe Failure Fraction) and HFT (Hardware Fault Tolerance). These strictly cap the maximum SIL you can claim based on the required redundancy and whether the device is Type A (simple) or Type B (complex) (IEC 61508-2:2010 Clause 7.4.4).

Voting architectures decide how many devices must “vote” to act. 1oo1 (HFT=0) is simple but single-point failure prone; 1oo2 (HFT=1) adds redundancy.

Example filled in: For the separator PAHH SIF (SIL 2), PFD_avg must stay below 10^-2. You model the loop: pressure transmitter (1oo1), logic solver (1oo2), solenoid + ESD valve (1oo1). Plug in failure rates and test intervals to get PFD_avg. Then verify the architecture satisfies SFF and HFT constraints for the route used. Fail any metric and you must redesign or change hardware.

5. Implementation tools inside the chain

ESD valves, certified safety PLCs and SCAI elements are simply the hardware that realises the SIFs. They must be proven to support the SIL via the metrics above, generally by adhering to IEC 61508 systematic capability requirements or a rigorous "prior use" justification, with both documented in the Safety Requirement Specification (SRS) (IEC 61511-1:2016 Clause 10.3 and 11.5).

Example complete: The inlet ESD valve on the separator closes within the required response time defined in the SRS so the process transitions to the safe state before the vessel ruptures. It is part of the verified SIL 2 SIF, documented end-to-end per IEC 61511.

Three traps control engineers still fall into

• Treating the safety PLC like just another BPCS I/O rack, which breaks the functional independence and cybersecurity resilience rules (IEC 61511-1:2016 Clause 11.2 and 8.2.4).
• Assuming BPCS alarms can substitute for an independent SIF. IEC 61511 strictly limits BPCS risk reduction claims (typically max 10–100× RRF) and mandates that BPCS safeguards are completely independent from the initiating event (IEC 61511-1:2016 Clause 9.3.4).
• Skipping the HFT/SFF checks because “the vendor cert says SIL 3.” A SIL certificate only provides element-level failure data; IEC compliance requires the SIF to be verified as a complete, end-to-end loop including proof-test assumptions and architectural constraints (ISA-TR84.00.04-2020 Part 1).

Your next move on any project

If you'd feel confident asking these three questions and understand what you are asking, you likely have a good command of the concepts. If it still reads like a foreign tongue, it might be worth spending more time getting familiar with the terminology.

1. Which SIFs protect this hazard, and what SIL target came from HAZOP/LOPA? (IEC 61882:2016; CCPS LOPA Guidelines)
2. Is the SIS functionally independent of the BPCS to the extent that BPCS failures, work, or cyber threats won't compromise the SIF? (IEC 61511-1:2016 Clause 11.2.4)
3. Has PFD_avg (or PFH) been calculated for the loop as installed, and do SFF/HFT constraints support the SIL claim? (IEC 61508-2:2010 Clause 7.4.4)

That is the full 10 000-foot view: one chain, one real example built step by step.

Make sure you are subscribed to the Academy newsletter to catch future (aspirational) posts on:
- A copy-paste SIL-2 PFD verification spreadsheet (separator example included).
- Safety PLC selection pitfalls in 2026.