From NewMarsWiki


Safety Integrity Level (SIL) is defined as a relative level of risk reduction provided by a safety function, or as a target level of risk reduction. In simple terms, SIL is a measure of the performance required of a Safety Instrumented Function (SIF). The table below [1] gives, for each SIL level, the PFD (probability of failure on demand) and the RRF (risk reduction factor).

SIL   PFD (probability of failure on demand)   RRF (risk reduction factor)
1     0.1 - 0.01                               10 - 100
2     0.01 - 0.001                             100 - 1,000
3     0.001 - 0.0001                           1,000 - 10,000
4     0.0001 - 0.00001                         10,000 - 100,000

Selection of SIL

There are many methods to select the Safety Integrity Level; these include the Risk Matrix, the Risk Graph and Layers of Protection Analysis (LOPA). With regard to LOC (loss of crew), NASA accepts considerably lower levels of safety than industry does, because the crew are not considered civilians and the gains of space exploration are judged to be worth the risk, at least in terms of LOC.

Below is a graph of what is considered acceptable and intolerable in terms of fatalities, from HSE Books 2001 [2]. Of course these graphs would vary depending on the size of the population and the significance of the endeavor.

[Figure: Fatality graph.JPG]

SIL Selection Matrices

A SIL matrix tells us how reliable a safety function must be given the likelihood and the severity of an event. Below, a 3D SIL selection matrix is shown [3]. If the desired safety level can be achieved independently of the other layers, then a 3D SIL selection matrix may not be necessary. However, there may be a maximum amount of reliability that can be obtained from a given safety function, and therefore we must consider how each layer of protection contributes to the reliability of the overall system. For instance, it was suggested in the Augustine Commission that an abort system only reduces the LOC (loss of crew) by about a factor of 10. If this does not give the required reliability in terms of loss of crew, then we must consider the reliability of the other layers of the system.
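The layer bookkeeping described above, as an added example that is not part of the original wiki page: it maps a required PFD onto the SIL bands of the table, and does a LOPA-style gap calculation in which an abort system credited with the factor-of-10 reduction quoted above is one existing layer. The initiating frequency and the LOC target are constructed values, not NASA figures.

```python
from math import prod
from typing import List, Optional

# SIL bands from the table above (low-demand mode):
# (SIL, lowest PFD in band inclusive, highest PFD in band exclusive); RRF = 1 / PFD.
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_for_pfd(pfd: float) -> Optional[int]:
    """Map a required average PFD to the SIL band that contains it.

    Returns 0 when PFD >= 0.1 (no SIL-rated function is needed) and None
    when the requirement is tighter than SIL 4, i.e. one safety function
    cannot deliver it and another protection layer must be added.
    """
    if pfd >= 0.1:
        return 0
    for sil, lowest, highest in SIL_BANDS:
        if lowest <= pfd < highest:
            return sil
    return None


def overall_rrf(layer_pfds: List[float]) -> float:
    """Risk reduction of independent layers in series: 1 / product of their PFDs."""
    return 1.0 / prod(layer_pfds)


def required_pfd(initiating_freq: float, target_freq: float, existing_layer_pfds: List[float]) -> float:
    """LOPA-style gap calculation.

    The event frequency left after the existing layers is
    initiating_freq * product(PFDs); the new safety function must bring it
    down to target_freq.  A result of 1.0 means the existing layers already
    meet the target and no further function is needed.
    """
    mitigated = initiating_freq * prod(existing_layer_pfds)
    return min(1.0, target_freq / mitigated)


# Constructed example: a launch-failure mode assumed to occur at 1e-2 per
# mission, an abort system credited with a factor-of-10 reduction (PFD 0.1),
# and an assumed LOC target of 3e-6 per mission.
if __name__ == "__main__":
    needed = required_pfd(1e-2, 3e-6, [0.1])
    print(f"required PFD {needed:.4f} -> SIL {sil_for_pfd(needed)}")
    print(f"overall RRF of abort system plus new SIF: {overall_rrf([0.1, needed]):.0f}")
```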


Generally a separate SIL selection matrix is produced for each type of consequence; these can include loss of mission, loss of crew, environmental impact and damage to the reputation of the organization. Each type of consequence is considered separately, and it is the consequence requiring the greatest level of safety that drives the design.

LOPA (Layers of Protection Analysis)

Risk Graphs

[Figure: Risk Graph.JPG]

Figure from: Different SIL (Safety Integrity Level) Selection Techniques Can Yield Significantly Different Answers, by Paul Gruhn, PE, CFSE, President, L&M Engineering, Houston, TX [3]

Nuclear Power and Space

In order to reduce the consequences of a failure, NASA uses hard ceramics to minimize the environmental impact of a launch failure. With regard to nuclear propulsion, it is generally considered a much greater environmental risk if the reactor is turned on before the rocket reaches a stable orbit than if it is turned on after it reaches a stable orbit. The reliability required for a consequence of this kind is a matter of debate, but no doubt the safeguards necessary to prevent such an incident will add significantly to the weight and reliability of the overall rocket.



[2] Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons, W G Gulland (4-sight Consulting)


[4] Techniques for Assigning A Target Safety Integrity Level, Angela E. Summers, Ph.D. Published in ISA Transactions 37 (1998) 95-104.