
In the energy and process industries, SIL analysis (Safety Integrity Level analysis) is one of the most critical activities for managing occupational and plant safety. Yet, too often it is misunderstood, rushed, or treated as a simple checkbox exercise. The result? Safety systems that do not perform as intended, production disruptions, and difficult questions from regulators and management.
Getting SIL analysis right means treating it as part of the safety lifecycle—from hazard identification to operation and maintenance—not just a single calculation. In this article, we explore why SIL analysis is frequently mishandled, what a robust approach looks like, and how energy operators can put it into practice.
A real-world example: when assumptions break
Imagine your plant has a Safety Instrumented System (SIS) designed to shut down a compressor when discharge temperature rises too high. During a maintenance stop, the team realizes that the proof-test interval in the field is longer than the one assumed in the SIL verification. This means the average probability of dangerous failure on demand (PFDavg) calculated in the study no longer reflects reality.
On restart, the system trips more often than expected; weeks later, it fails to act when needed. Production halts, and management asks: “Was the SIL right?”
Scenarios like this are not uncommon. They occur when SIL analysis is treated as a one-time report instead of a lifecycle activity linked to real plant conditions.
The core problem: why SIL analysis is easy to get wrong
A SIL is not a badge you assign and forget—it is a risk-reduction target for a specific Safety Instrumented Function (SIF). Standards such as IEC 61508 and IEC 61511 emphasize that risk reduction depends on multiple factors:
- Data quality (failure rates, proof test coverage)
- Operating discipline (bypass handling, demand rates)
- Maintenance practices (intervals, test effectiveness)
- Management of change (hardware, procedures, assumptions)
If any of these elements are weak, the claimed SIL may collapse under real-world conditions. Regulators, including the UK HSE for COMAH sites, expect companies to prove not just that a SIL was determined, but that it is realistic and maintained.
What a robust SIL analysis requires
1. Start from hazards, not numbers
Identify credible scenarios and the risk reduction required for each. Use accepted methods such as LOPA (Layer of Protection Analysis), supported by plant data. Jumping to a “preferred” SIL without evidence embeds assumptions that will later fail.
2. Define clear Safety Requirements Specifications (SRS)
A precise SRS should detail:
- Initiating events and trip points
- SIF architecture (e.g., 1oo2, 2oo3)
- Proof-test scope and coverage
- Bypass and reset rules
- Expected response of final elements (valves, drives)
Without this clarity, design and maintenance teams may work to different assumptions, making SIL verification meaningless.
3. Verify with realistic data
When calculating PFDavg or PFH, use credible failure data adjusted for your environment—process fluids, duty cycles, diagnostics, and common-cause factors. Verify that assumed proof-test intervals can actually be executed by maintenance.
4. Close the loop in operations
SIL is not static. Track spurious trips, bypass hours, demand events, overdue tests, and failures discovered during proof tests. Feed this evidence back into your SIL verification. In other words, keep the model aligned with reality.
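As an added worked example (not from the article), the following Python sketch recomputes PFDavg for a single SIF when the proof-test interval drifts from the quarterly value assumed in the study to the six months actually achieved, the situation in the opening scenario and in the LNG case below. It uses the simplified IEC 61508-6 equations for 1oo1 and 1oo2 architectures with a beta-factor common-cause model; the failure rate, beta, proof-test coverage and intervals are constructed sample values, not device data.

```python
"""Simplified PFDavg check for one low-demand SIF (added example, not from the article).
Assumes the simplified IEC 61508-6 Annex B equations for 1oo1 and 1oo2 with a beta-factor
common-cause model, no diagnostics (lambda_DD = 0) and zero repair time; all numbers below
are constructed sample values, not device data."""

HOURS_PER_YEAR = 8760.0
MISSION_HOURS = 20 * HOURS_PER_YEAR  # assumed SIF lifetime (exposure of failures the test misses)

# Upper PFDavg limit of each SIL band, low-demand mode (IEC 61508-1 Table 2).
SIL_UPPER_PFD = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


def pfd_avg_1oo1(lambda_du, ti_hours, ptc=1.0, mission_hours=MISSION_HOURS):
    """Single channel: dangerous undetected failures the proof test can reveal are
    exposed for TI/2 on average; the fraction it cannot reveal (1 - PTC) stays
    hidden for half the mission time."""
    return lambda_du * (ptc * ti_hours / 2 + (1 - ptc) * mission_hours / 2)


def pfd_avg_1oo2(lambda_du, ti_hours, beta):
    """Redundant pair: independent term ((1-beta)*lambda)^2 * TI^2 / 3 plus a
    common-cause term that behaves like a single channel with rate beta*lambda."""
    independent = ((1 - beta) * lambda_du) ** 2 * ti_hours ** 2 / 3
    return independent + pfd_avg_1oo1(beta * lambda_du, ti_hours)


def sil_from_pfd(pfd):
    """Highest SIL whose PFDavg band the value satisfies (0 = below SIL 1)."""
    achieved = 0
    for sil, upper in sorted(SIL_UPPER_PFD.items()):
        if pfd < upper:
            achieved = sil
    return achieved


def verify_against_field(claimed_sil, lambda_du, assumed_ti, actual_ti, beta=None):
    """PFDavg as studied, PFDavg at the interval actually achieved, and whether the claim holds."""
    calc = (lambda ti: pfd_avg_1oo1(lambda_du, ti)) if beta is None else (lambda ti: pfd_avg_1oo2(lambda_du, ti, beta))
    studied, field = calc(assumed_ti), calc(actual_ti)
    return studied, field, sil_from_pfd(field) >= claimed_sil


if __name__ == "__main__":
    quarterly, six_monthly = HOURS_PER_YEAR / 4, HOURS_PER_YEAR / 2
    # Constructed: lambda_DU = 8e-6 /h, 1oo2, beta = 0.1, SIL 3 claimed with quarterly proof tests.
    studied, field, ok = verify_against_field(3, 8e-6, quarterly, six_monthly, beta=0.1)
    print(f"study {studied:.2e} (SIL {sil_from_pfd(studied)}) -> field {field:.2e} (SIL {sil_from_pfd(field)}), claim holds: {ok}")
```

With these sample values the redundant SIF meets SIL 3 at quarterly tests but only SIL 2 once the interval slips to six months, and a proof-test coverage of 90 % on a single channel costs a full SIL level over a 20-year mission, which is why intervals and coverage belong in the SRS rather than in the analyst's head.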
A pragmatic path we use with clients
- Frame the scope with the safety lifecycle. We align hazards, business priorities, and legal context with IEC 61511 practices.
- Establish the required SIL with defendable methods. Through workshops, we validate initiating frequencies, IPL credits, and consequence categories with operations and maintenance.
- Write a sharp SRS. Clear SIF definitions ensure design, procurement, and maintenance aim at the same target.
- Perform SIL verification with real-world parameters. We model with the devices you plan to use and the proof tests you can realistically deliver.
- Integrate with operations and change management. Overdue tests trigger actions, bypasses are managed, and operational evidence continuously informs the SIL lifecycle.
Mini case study
An LNG operator faced repeated shutdowns and questions about SIL targets for compressor trains. The original SIL verification assumed quarterly proof tests and flawless partial-stroke diagnostics. In reality, proof tests slipped to six months and diagnostics were inconsistent.
Rebuilding the SIL verification with actual data showed the SIF no longer met the claimed SIL. Options were presented: improve diagnostics and restore testing discipline, or redesign the final elements. The operator chose to enforce testing windows, upgrade diagnostics, and update bypass governance. Within six months, spurious trips fell and the safety report reflected a defensible, regulator-ready story.
What “good” looks like in your documentation
A strong safety case or COMAH report tells a clear and consistent story:
- Hazard identified
- Risk reduction required
- SIF designed and specified
- Performance verified with data
- Evidence that performance is maintained
If the narrative breaks at any point, inspectors will notice.
Conclusion: making SIL analysis work for you
For energy and process operators, SIL analysis is not just about meeting a standard—it’s about ensuring that safety systems really deliver the risk reduction your business depends on. Done poorly, SIL analysis creates gaps between paper assumptions and field reality. Done well, it strengthens safety, avoids production losses, and provides confidence with regulators.
At ProjectZero, we help clients carry out SIL analyses and verifications that stand up to both operational scrutiny and regulatory review.
👉 Want to know if your safety systems are set to the right SIL—and proven to deliver it in operation? Request a focused SIL review.