Functional Safety for the Process Industry: 10 Core Concepts Every Engineer Should Know

[Image: engineer in PPE observing an industrial process area with equipment and piping, representing the IEC 61511-1 functional safety framework in a real-world setting]

Functional Safety at the Most Basic Level

Functional safety is the engineering discipline that is about making sure that when something goes wrong, the systems intended to protect people and the environment work when they are needed.

A simple illustration helps.

Over roughly 20 years, I have had about six driver’s side window regulators fail. Annoying—but not dangerous. If the window is used about three times per week, that is roughly 3,120 operations. Six failures over that period corresponds to a probability of failure of about 1.92E-3 per demand. Is this acceptable? It has been annoying for me, but never once was it a safety issue. It also was not a cost risk for the manufacturer, since they all failed post-warranty. Now imagine the regulator is a life safety device: that failure rate would be too high. Functional safety is the program that takes that failure rate and lowers it by multiple orders of magnitude, to perhaps 1.92E-5. One cannot do that simply by building a “better” regulator. You can get there, but it would be via a layer of controls throughout the lifecycle of the regulator.

Driving failure probabilities down by orders of magnitude is the core driver of functional safety. It is not achieved by a single “better” device. It requires coordinated engineering: design choices, architecture, testing, diagnostics, maintenance, and governance across the life of the system.  In the process industry, this structured approach is most commonly defined and implemented through IEC 61511-1, which provides the framework for how functional safety is applied across the lifecycle of a facility.

Functional safety is implemented through active protection functions that span the full loop—sensor, logic solver, and final element. When a hazardous condition is detected, this chain must act correctly to move the process to a safe state, whether that means closing a valve, stopping a motor, or isolating energy.

Just as important, that performance has to hold over time. Functional safety is not about working once—it is about continuing to meet required performance over years of operation, testing, maintenance, and change.

Why Functional Safety is Applied in the Process Industry

Consider a reactor that begins to over‑pressurize.

If nothing intervenes, the vessel could rupture, leading to injury, environmental release, or significant damage. Operators may not respond in time. Standard control systems can help, but systems designed for normal control are typically not sufficient for safety-critical action when consequences are severe.

A system that fails 1% of the time may be acceptable for control. It is often unacceptable for protection.

Functional safety via IEC 61511-1 is applied to reduce the probability that the protection fails when it is needed, thus making the process move to a safe state under abnormal conditions.

What Is Functional Safety?

Functional safety is an engineering discipline that ensures safety‑significant functions perform correctly when required. It is not a single device, calculation, or tool. It is a structured approach to designing, implementing, and managing systems so that their performance is sufficiently reliable for the hazards they control.

The core concept to understand is risk.  A process will have hazards (such as a tank rupture) and that hazard has an associated level of risk.  Risk is always the combination of probability and severity.

Functional safety contributes to risk reduction by lowering the probability that a hazardous outcome occurs and, in some designs, by limiting its severity.

How Functional Safety Reduces Risk

Every facility has hazards. But before the hazards are evaluated, the facility needs to determine what risks are acceptable. This is an odd concept for people new to process safety, because one has to decide what is an acceptable amount of death or injury. This decision making is documented in a calibrated risk matrix. The next task is to understand those hazards, determine what risks they carry, decide whether those risks are tolerable, and reduce risk where they exceed the tolerable level.

Functional safety provides the method for reducing that risk.

The central metric is the average probability of failure on demand (PFDavg). If a safety function has a PFDavg of 0.01, it will fail about 1% of the time when demanded and succeed about 99% of the time. This corresponds to a risk reduction factor (RRF) of 100, since RRF = 1 / PFDavg.

In practical terms, this safety function reduces the probability of a hazardous outcome by a factor of 100. This quantified reduction is the mechanism by which functional safety works.

Standards Governing Functional Safety

Functional safety is applied across multiple industries, each with standards built on the same underlying principles. Examples include ISO 26262 for automotive systems, IEC 62061 for machinery, and EN 50126/50128/50129 for rail.

At the foundation is IEC 61508, which defines the general framework for functional safety of electrical, electronic, and programmable electronic systems.

IEC 61511-1 applies these principles to the process industry. It is not a separate concept; it is a sector-specific implementation of the IEC 61508 framework tailored to process facilities.

Note that in my experience as an engineer, almost all codes and standards apply to a certain area, such as a country or perhaps the European Union. But functional safety is truly one of the few global standards. In almost all countries, if they implement a process safety approach, it will be functional safety. This is one of the reasons SIL Safe exists.

Hazard and Risk Assessment (H&RA)

The functional safety lifecycle begins with understanding hazards in your process.  This is called the hazard and risk assessment (H&RA) which identifies scenarios that could lead to harm, estimates their risk (probability and severity), and determines whether risk is tolerable.  Under IEC 61511-1, the H&RA is the starting point of the safety lifecycle, and it directly drives the identification of Safety Instrumented Functions (SIFs) and their required performance.

Typical activities in an H&RA include identifying credible scenarios, estimating probability and severity, and deciding where additional protection is required.

Common methods in the process industry include HAZOP and risk matrices. The outcome of this work will establish whether SIFs are needed.

When this occurs in the design process is important. The H&RA cannot be done too early or too late. If done too early, many of the hazards would likely change, not yet exist, or be only a partial list. If done too late, you are asking for challenges, as changes may need to be made to existing equipment. Think cutting pipe to add a SIF. That is never fun.

See this full article for a deeper dive into an H&RA.

Independent Protection Layers (IPLs)

Facilities rely on multiple layers of protection rather than a single safeguard. This means safeguards should be put in place BEFORE a SIF is considered. If this is done, then perhaps a SIF would not be needed, or only a SIF at a lower SIL level.

These layers can include the basic process control system (BPCS), relief devices, operator response, and safety instrumented systems. For layers to count independently, they must not fail for the same reasons. This collection of independent items that can reduce the need for (or the demand on) a SIF is called the Independent Protection Layers (IPLs).

The key question is whether the existing layers reduce risk to tolerable levels. If they do not, additional protection is required.

This evaluation is often formalized through a Layer of Protection Analysis (LOPA), which builds directly on H&RA results. This is one of the most common methods used within IEC 61511-1 programs to determine the required SIL for each SIF. LOPA asks the following questions:

  • Is the risk associated with each hazard tolerable? This assesses the risk for each hazard against the calibrated risk matrix.
  • If not, are there IPLs present, or can they be added? These could be extra pressure relief valves or other instruments in the BPCS.
  • Does each hazard scenario need a SIF? This compares the risk, with the IPLs credited, against the tolerable risk. If the risk is still not tolerable, a SIF is added to mitigate the risk of that hazard.
  • How much risk must each SIF reduce? Generally, this is thought of in orders of magnitude via the calibrated risk matrix. Each box the hazard moves is considered one order of magnitude.
  • What is the SIL level of each SIF? This is how many orders of magnitude the risk must be reduced to be tolerable.
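The LOPA questions above can be carried through numerically. The following is an added worked example, not the article's own material or a SIL Safe tool: it takes a constructed reactor overpressure scenario (the initiating event frequency, IPL PFD values and tolerable frequency are all made-up sample numbers, not data from any facility), multiplies the initiating frequency by the PFD of each credited IPL, compares the result with the tolerable frequency, and converts the remaining risk reduction into a required SIL using the RRF bands of the SIL table given later in the article.

```python
"""
LOPA-style SIL determination for one hazard scenario (added example).

The scenario values below are constructed for illustration only.
"""

# RRF lower bounds for each SIL in low demand mode (SIL 1 = RRF 10 to 100,
# SIL 2 = 100 to 1,000, SIL 3 = 1,000 to 10,000, SIL 4 = 10,000 to 100,000).
SIL_LOWER_BOUNDS = [(1, 10.0), (2, 100.0), (3, 1_000.0), (4, 10_000.0)]
MAX_RRF_SIL4 = 100_000.0


def mitigated_frequency(initiating_freq, ipl_pfds):
    """Frequency (per year) of the hazardous outcome after the existing IPLs.

    Each independent protection layer fails on demand with probability PFD,
    so the frequency that gets through is the initiating event frequency
    multiplied by every IPL's PFD. Independence is what makes the product valid.
    """
    freq = initiating_freq
    for pfd in ipl_pfds:
        if not 0.0 < pfd < 1.0:
            raise ValueError(f"IPL PFD must be strictly between 0 and 1, got {pfd}")
        freq *= pfd
    return freq


def required_rrf(mitigated_freq, tolerable_freq):
    """Risk reduction still needed from a SIF (RRF = 1 / PFDavg).

    Returns 1.0 when the existing IPLs already meet the tolerable frequency,
    i.e. no SIF is required for this scenario.
    """
    if mitigated_freq <= tolerable_freq:
        return 1.0
    return mitigated_freq / tolerable_freq


def sil_for_rrf(rrf):
    """Map a required RRF onto a SIL band; 0 means no SIL-rated SIF is needed.

    A result of 0 with an RRF above 1 means a little more risk reduction is
    still needed, but it is below what a SIL 1 SIF provides, so another
    non-instrumented IPL (or a SIL 1 SIF by choice) would close the gap.
    """
    if rrf >= MAX_RRF_SIL4:
        raise ValueError("required RRF exceeds SIL 4; the process itself must be redesigned")
    sil = 0
    for level, lower_bound in SIL_LOWER_BOUNDS:
        if rrf >= lower_bound:
            sil = level
    return sil


def lopa_for_scenario(scenario):
    """Answer the LOPA questions for one scenario and return the decisions."""
    freq = mitigated_frequency(scenario["initiating_freq"], scenario["ipl_pfds"])
    rrf = required_rrf(freq, scenario["tolerable_freq"])
    return {
        "mitigated_freq": freq,
        "sif_required": rrf > 1.0,
        "required_rrf": rrf,
        "required_sil": sil_for_rrf(rrf),
    }


# Constructed sample scenarios (hypothetical values, not facility data).
SCENARIOS = {
    # BPCS control loop fails 0.1 times per year; operator response and a
    # relief valve are credited as IPLs; tolerable frequency 1E-5 per year.
    "reactor overpressure, tolerable 1E-5/yr": {
        "initiating_freq": 0.1,
        "ipl_pfds": [0.1, 0.01],
        "tolerable_freq": 1e-5,
    },
    # Same scenario with a stricter target: one more order of magnitude.
    "reactor overpressure, tolerable 1E-6/yr": {
        "initiating_freq": 0.1,
        "ipl_pfds": [0.1, 0.01],
        "tolerable_freq": 1e-6,
    },
    # A less frequent initiating event whose IPLs already meet the target.
    "tank overfill, tolerable 1E-4/yr": {
        "initiating_freq": 0.01,
        "ipl_pfds": [0.1, 0.01],
        "tolerable_freq": 1e-4,
    },
}

if __name__ == "__main__":
    for name, scenario in SCENARIOS.items():
        result = lopa_for_scenario(scenario)
        print(f"{name}: SIF required={result['sif_required']}, "
              f"required RRF={result['required_rrf']:.1f}, SIL {result['required_sil']}")
```

Note how the same scenario moves from SIL 1 to SIL 2 purely because the tolerable frequency was set one order of magnitude lower: the SIL comes from the calibrated risk target and the credited IPLs, not from any property of the instruments chosen later.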

Safety Instrumented Systems (SIS)

When existing protection is insufficient, a Safety Instrumented System (SIS) comes into play. The SIS is the core system addressed by IEC 61511-1, although the standard also has lifecycle requirements, meaning functional safety is not just the SIS.

A SIS is an independent system designed to detect hazardous conditions and move the process to a safe state. It operates separately from the basic process control system (BPCS), which manages normal operation. A typical SIS consists of sensors, a logic solver, and final elements such as shutdown valves or motor isolation devices.  

A Safety Instrumented Function (SIF) is a single protection loop within the SIS. A facility may have one SIF or many, depending on the number of scenarios requiring protection.  Again, it is the LOPA that dictates where the SIFs are and the SIL needed per SIF.

For example, a simple SIF could be a pressure switch sensing high pressure and turning off a pump with a contactor via the controls in a PLC.  Then another SIF can sense a high level and open a dump valve to prevent an overflow.  It goes to the same PLC as the first SIF.  This would have two SIFs, both using the same PLC and together they would be the SIS.

Safety Integrity Levels (SIL)

Each SIF must meet the required level of reliability, expressed as a Safety Integrity Level (SIL).

SIL is always determined after the H&RA and during the allocation of safety layers, typically determined during the LOPA (which itself is typically done directly after the H&RA, often in the same long meeting). In the process industry, most applications are SIL 1 or SIL 2, with occasional SIL 3. SIL 4 is rarely used.

SIL is often associated with equipment ratings, which is technically correct. But more importantly, it defines the required performance of the safety function across design, implementation, and maintenance. For example, higher SIL levels will need more redundancy and would have different levels of controls and different rules about software.  This can be complicated and best discussed elsewhere.

Below is the standard relationship between SIL, Risk Reduction Factor (RRF), and PFDavg for low demand mode:

SIL | RRF (Risk Reduction Factor) | PFDavg Range | Interpretation
----|-----------------------------|--------------|-----------------------------------------------
1   | 10 to 100                   | 1E-1 to 1E-2 | Reduces risk by 1–2 orders of magnitude
2   | 100 to 1,000                | 1E-2 to 1E-3 | Reduces risk by 2–3 orders of magnitude
3   | 1,000 to 10,000             | 1E-3 to 1E-4 | Reduces risk by 3–4 orders of magnitude
4   | 10,000 to 100,000           | 1E-4 to 1E-5 | Rare in process industry; extreme risk reduction

Other Design Considerations in Functional Safety

Designing a SIF involves more than selecting components.  There are many other concepts that need to be considered, understood, and decided during the design phase.

These parameters all interact. There is a push and pull between the terms, and even between departments in a facility. Decisions about testing, architecture, spare parts, and maintenance can materially change the achieved performance as measured by PFDavg. Each topic is substantial and better explored individually.

These concepts receive significant attention in functional safety engineering and certification exams.  These will also take significant effort to decide and work through during the detailed design phase of the SIS.

Verifying Safety Instrumented Function Performance (PFDavg)

Once a SIF is designed, IEC 61511-1 requires that it be verified against its SIL requirement, per SIF.  PFDavg calculations quantify whether the design meets the target. They account for failure rates of the SIF components, architecture, testing intervals, coverage, and repair assumptions.

The process of doing the calculations is complicated. There are simple equations and complex equations. Think of a specific PFDavg calculation as stemming from a series of decisions made by engineering. For example, whether the SIF is tested only when the unit is shut down or while it is bypassed online affects PFDavg in different ways. Generally, practitioners use software or Excel to facilitate the calculations.

There is a related approach called Markov Analysis which we will not get into here as it is a more advanced approach.

While central, PFDavg is only one step in a broader discipline. It verifies performance; it does not define the entire program.  Inexperienced users may think PFDavg is all functional safety is about.  But that is an over-simplification.

The simplest PFDavg equation is shown below.  This is for a 1oo1 architecture. 

[Equation image: PFDavg basic equation for a 1oo1 architecture]
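To show what such a verification looks like in practice, the following is an added example rather than the article's equation or any SIL Safe software. It assumes the standard simplified low demand formulas of IEC 61508-6, which neglect repair time and diagnostic coverage: for a 1oo1 subsystem PFDavg = λDU × TI / 2, and for a 1oo2 subsystem PFDavg = ((1 − β) λDU TI)² / 3 + β λDU TI / 2, where λDU is the dangerous undetected failure rate per hour, TI the proof-test interval in hours and β the common cause fraction. The loop PFDavg is the sum of the sensor, logic solver and final element subsystems. All failure rates and intervals are constructed sample values, not vendor data.

```python
"""
Simplified PFDavg verification for a SIF in low demand mode (added example).

Subsystem failure rates, beta and test intervals are constructed sample values.
"""

HOURS_PER_YEAR = 8760.0


def pfd_1oo1(lambda_du, ti_hours):
    """Simplified 1oo1 PFDavg = lambda_DU * TI / 2.

    A dangerous undetected failure stays hidden until the next proof test,
    so on average the element is failed for half the test interval.
    """
    return lambda_du * ti_hours / 2.0


def pfd_1oo2(lambda_du, ti_hours, beta):
    """Simplified 1oo2 PFDavg: independent double failure plus the common
    cause fraction beta, which behaves like a single 1oo1 channel."""
    independent = ((1.0 - beta) * lambda_du * ti_hours) ** 2 / 3.0
    common_cause = beta * lambda_du * ti_hours / 2.0
    return independent + common_cause


def sil_from_pfd(pfd):
    """Low demand SIL band achieved for a PFDavg (0 = worse than SIL 1)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def pfd_subsystem(subsystem, ti_hours):
    """PFDavg of one subsystem (sensor, logic solver or final element)."""
    arch = subsystem["arch"]
    if arch == "1oo1":
        return pfd_1oo1(subsystem["lambda_du"], ti_hours)
    if arch == "1oo2":
        return pfd_1oo2(subsystem["lambda_du"], ti_hours, subsystem["beta"])
    raise ValueError(f"architecture {arch} not covered by this example")


def verify_sif(subsystems, ti_hours, required_sil):
    """Sum the subsystem PFDavg values for the loop and check the SIL target."""
    pfd = sum(pfd_subsystem(s, ti_hours) for s in subsystems)
    achieved = sil_from_pfd(pfd)
    return {
        "pfd_avg": pfd,
        "rrf": 1.0 / pfd,
        "achieved_sil": achieved,
        "meets_target": achieved >= required_sil,
    }


# Constructed sample SIF: high pressure trip, all subsystems 1oo1.
SAMPLE_SIF = [
    {"name": "pressure transmitter", "arch": "1oo1", "lambda_du": 3e-7},
    {"name": "safety PLC", "arch": "1oo1", "lambda_du": 2e-8},
    {"name": "shutdown valve", "arch": "1oo1", "lambda_du": 5e-7},
]

# Same loop with a redundant (1oo2) valve pair and a 10% common cause fraction.
SAMPLE_SIF_REDUNDANT_VALVE = [
    {"name": "pressure transmitter", "arch": "1oo1", "lambda_du": 3e-7},
    {"name": "safety PLC", "arch": "1oo1", "lambda_du": 2e-8},
    {"name": "shutdown valves (1oo2)", "arch": "1oo2", "lambda_du": 5e-7, "beta": 0.1},
]

if __name__ == "__main__":
    for years in (1, 3):
        r = verify_sif(SAMPLE_SIF, years * HOURS_PER_YEAR, required_sil=2)
        print(f"1oo1 loop, {years}-year proof test: PFDavg={r['pfd_avg']:.2e}, "
              f"RRF={r['rrf']:.0f}, SIL {r['achieved_sil']}, meets SIL 2: {r['meets_target']}")
    r = verify_sif(SAMPLE_SIF_REDUNDANT_VALVE, 3 * HOURS_PER_YEAR, required_sil=2)
    print(f"1oo2 valve, 3-year proof test: PFDavg={r['pfd_avg']:.2e}, "
          f"RRF={r['rrf']:.0f}, SIL {r['achieved_sil']}, meets SIL 2: {r['meets_target']}")
```

Running it shows the push and pull described above: the sample loop meets SIL 2 with an annual proof test, falls to SIL 1 if operations can only test at a three-year turnaround, and gets back to SIL 2 at the three-year interval by making the valve 1oo2. The common cause term dominates the 1oo2 result, which is why β matters more than the second valve's own failure rate.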

The Functional Safety Life-Cycle

Functional safety is governed by a structured life-cycle, and this is one of the most important concepts to understand. The structure of this lifecycle is defined in IEC 61511-1, and following it is what distinguishes a complete functional safety program from isolated design efforts.  Many engineers initially approach functional safety as a design activity, but that is only one portion of the overall process.

The life-cycle defines how safety is managed from the earliest concept of a facility through to its eventual decommissioning. It ensures that safety functions are not only designed correctly, but also installed, operated, maintained, and periodically assessed in a consistent and auditable manner.

Typical phases include:

Each of these phases has specific deliverables and expectations. For example, the design phase may define the architecture of a SIF, but the operation and maintenance phase ensures that proof testing is performed and that failures are addressed correctly.

The key point is continuity. Functional safety is not a one-time effort. A system that is properly designed but poorly maintained will not achieve its required performance over time.

An all-too-common scenario is that a compliant SIS is installed in a facility.  The company is then bought by a firm in an adjacent industry that has never implemented, nor understands, IEC 61511-1.  Over time, budgets can be cut or key people can navigate to other departments, companies, or retire.  In this possible scenario various things could happen that could impact the SIS design.  For example, proof tests being done at the wrong intervals or not in accordance with the requirements.  Components could be replaced with non-SIL qualified versions, or the competency and training program could become weak.  All of this is why the functional safety lifecycle is so important.

[Figure: SIS Safety Lifecycle, the very important diagram from IEC 61511-1 figure 7, which overlays the entire functional safety process]

Regulatory Context

In the United States, OSHA’s Process Safety Management (PSM) standard and the EPA’s Risk Management Program (RMP) are the two core regulations. They are triggered when a certain weight of various materials (the threshold quantity) is on site. These regulations do not prescribe exact methods for managing risk. Instead, they require that facilities follow sound engineering practices. IEC 61511-1 is not listed specifically as applicable in the Code of Federal Regulations (CFR), but both OSHA and EPA have stated in writing that using that standard is a sufficient and preferred way to meet the regulations. In other words, it is considered RAGAGEP (recognized and generally accepted good engineering practice).

Therefore, IEC 61511 is often used to demonstrate that a facility is meeting those regulations. It provides a structured and well-understood approach that regulators, auditors, and engineers recognize.  Other countries have similar laws and regulations requiring the standard.

In practice, this means that even though IEC 61511 is not mandatory by law, it is frequently treated as if it were, because it defines what “good” looks like for functional safety in the process industry.

In addition to RMP and PSM, other things can trigger the use of IEC 61511-1, such as contracts between parties or insurance requirements. At times, projects will for various reasons not invoke IEC 61511 in full, but may require certain instruments or automated valves to carry a SIL certification. These SIL-only requirements have become more typical as SIL rated components become more common. SIL Safe welcomes this change in the industry.

Common Misconceptions About Functional Safety

Functional safety via IEC 61511-1 is often misunderstood, particularly by those who are new to the discipline or who have only been exposed to portions of it.

One common misconception is that functional safety is primarily about calculations, especially PFDavg. While calculations are important, they are only one part of the overall process. Without proper hazard assessment, design, testing, and maintenance, calculations alone do not ensure safety.

Another misconception is that functional safety is only relevant during design. In reality, long-term performance depends heavily on proof testing, maintenance practices, and how changes are managed over time.

A third misconception is that higher SIL automatically means a better system. In practice, SIL is determined by the risk of the hazard along with the IPLs that exist. A higher SIL requirement often indicates a more severe hazard rather than a superior design choice.

Understanding these misconceptions is important because they often lead to incomplete or ineffective implementations of functional safety programs.

Why Functional Safety Programs Matter — and When Expertise Is Needed

Functional safety programs provide a structured way to manage risk across a facility. At a high level, they help ensure that hazards are identified, risks are evaluated, and appropriate protections are implemented and maintained over time.

Effective programs reduce the probability and severity of major accidents, support regulatory compliance, and provide confidence that safety systems will perform when required.

In practice, many organizations require additional expertise at certain points, such as:

  • Implementing IEC 61511 for the first time
  • Performing SIL determination or verification
  • Preparing for and conducting functional safety assessments
  • Modifying or upgrading existing SIS implementations

These situations often involve complex decisions, tradeoffs, and documentation requirements that benefit from experienced practitioners.

Q&A Section

  1. What is functional safety in simple terms?

Functional safety is the part of overall facility safety that depends on safety functions operating correctly when required. It focuses on ensuring that protection systems perform reliably enough to reduce risk to tolerable levels.  It has the ability to take a typical failure rate of a safety system of perhaps 0.01 (1%) down multiple orders of magnitude.  It does this through a layer of requirements throughout the lifecycle of the system.

Functional Safety is applied to various industries.  SIL Safe focuses on its application to the process industry via IEC 61511-1.

  2. What is the difference between a SIF and a SIS?

A Safety Instrumented System (SIS) is the overall system that performs safety functions. A Safety Instrumented Function (SIF) is a single protection loop within that system, typically consisting of a sensor, logic solver (think a PLC), and final element (like a valve or contactor).

  3. If I have hazardous scenarios, why can’t I just add an extra instrument?

Adding an extra instrument and connecting that to your BPCS does not necessarily reduce risk enough. Risk reduction must be quantified, and the resulting protection must meet the required performance level. Without it, the hazard may still exceed tolerable risk.

For example, at times a SIF will have to have an architecture of 2oo3 (meaning three instruments at one point). One would not know that it was needed unless the process was followed and a PFDavg was calculated.

  4. I’ve worked on projects where SIL 2 instruments were specified, but the facility was not doing functional safety in its entirety. What is happening there?

Some projects contractually require certain instruments or “safety instruments” to be SIL rated (for example SIL 2 transmitters or valves). This does not mean that the facility is implementing the full functional safety lifecycle. In many cases, companies attempt a compromise where equipment meets SIL capability requirements even if the broader IEC 61511 functional safety program is not fully implemented.

  5. What standards govern functional safety?

The foundational standard is IEC 61508, which defines the general framework for functional safety of electrical, electronic, and programmable electronic systems. For the process industry specifically, IEC 61511-1 defines how those principles are applied to Safety Instrumented Systems.

  6. What about machinery safety?

Machinery safety is important, of course.  But it is distinct.  Functional safety for the process industry is focused on reducing the risk (probability and severity) of a major accident.  Machinery safety focuses on the user of the machine.

However, as SIL ratings become more common, machinery safety risk assessments now will often require a SIL rated instrument. SIL Safe fully supports this excellent use of SIL instruments. However, this should not be construed as functional safety.

Conclusion

Functional safety via IEC 61511-1 combines hazard analysis, engineered protection systems, and structured life-cycle management to reduce the probability and severity of hazardous events.

It is not a single calculation or device, but a coordinated engineering approach that spans the entire life of a facility.

For engineers working in the process industry, understanding these concepts is essential to designing and operating safe systems.

Call to Action

If your facility is implementing or improving a functional safety program, expert guidance can make the process significantly more effective.

Contact SIL Safe to discuss consulting services for IEC 61511 programs, SIS design, and functional safety assessments.
