When a flow measurement failure can result in loss of life, serious environmental damage, or massive financial loss, you cannot use standard industrial instruments. You need safety-rated equipment certified to a specific Safety Integrity Level (SIL).
SIL ratings quantify the reliability and failure tolerance of safety-critical measurement and control systems. This guide explains how SIL works, how to select the right level, and how to implement SIL-capable flow meters in your safety instrumented system (SIS).
What is SIL? The Safety Integrity Level Framework
Safety Integrity Level (SIL) is defined in IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems) and IEC 61511 (Functional Safety – Safety Instrumented Systems for the Process Industry). SIL quantifies how reliably a safety system prevents a hazardous event.
SIL is not a product certification like ATEX or MID. Rather, it is a design philosophy applied to an entire safety instrumented system—from sensor through logic solver to final element. Your SIL rating depends on:
- Individual component failure rates (sensors, transmitters, logic controllers)
- System architecture and redundancy (how components are combined)
- Proof test intervals (how often you verify the system works)
- Maintenance and diagnostics (detecting and repairing faults before they cascade)
A SIL-2-rated transmitter paired with a simple on-off relay doesn't automatically make your system SIL 2. Your entire SIS architecture determines overall SIL capability.
SIL Levels: 1, 2, 3, and 4
SIL 1
PFD range: 10⁻² ≤ PFDavg < 10⁻¹ (between 1 in 100 and 1 in 10 chance of failing when a demand occurs; PFD is a probability, not a rate per year).
Applicable to: Low-hazard applications where a single failure is detectable and correctable. Example: a low-pressure steam line with manual isolation available.
Architecture: Simple: 1oo1 (one sensor, one logic module). No redundancy required.
Proof test interval: Typically annual to biennial.
SIL 2
PFD range: 10⁻³ ≤ PFDavg < 10⁻² (between 1 in 1,000 and 1 in 100 chance of failing on demand).
Applicable to: Medium-hazard applications. Examples: pressure relief safety interlocks, blowdown protection on storage tanks, overfill prevention on tanker bays.
Architecture: 1oo2 (two sensors; either one calling for a trip initiates the safety action) or 2oo3 (three sensors; any two voting to trip initiate shutdown).
Proof test interval: Typically annual, with online diagnostics.
SIL 3
PFD range: 10⁻⁴ ≤ PFDavg < 10⁻³ (between 1 in 10,000 and 1 in 1,000 chance of failing on demand).
Applicable to: High-hazard applications where a single failure could cause catastrophic loss. Examples: nuclear reactor safety systems, deepwater blowout preventers, chemical process runaway prevention.
Architecture: 2oo3 or higher redundancy with comprehensive diagnostics and proof testing.
Proof test interval: Quarterly or semi-annual with continuous monitoring.
SIL 4
PFD range: 10⁻⁵ ≤ PFDavg < 10⁻⁴ (between 1 in 100,000 and 1 in 10,000 chance of failing on demand).
Applicable to: Extremely high-hazard applications (rare). Typically only specified for nuclear safety systems or aerospace applications.
Note: Most industrial flow meter applications max out at SIL 3. SIL 4 requires extreme redundancy and cost.
How SIL is Determined: PFD and MTBF
Probability of Failure on Demand (PFD)
PFD (strictly PFDavg, the average over the proof test interval) is the probability that a safety system will fail to perform its intended function when a demand occurs. For a low-demand function it is calculated from:
- Lambda (λ): the dangerous undetected failure rate of each component, i.e. the rate of failures that would stop the function working and that online diagnostics cannot catch (e.g., one such failure per 50,000 hours of operation gives λ = 1/50,000 = 2 × 10⁻⁵ failures/hour)
- Tau (τ): Proof test interval (e.g., annual = 8,760 hours)
- System architecture: How components are combined (1oo1, 1oo2, 2oo3, etc.)
Simple example (1oo1 architecture):
PFD = (λ × τ) / 2
If a sensor has λ = 0.00002 failures/hour and annual proof test (τ = 8,760 hours):
PFD = (0.00002 × 8,760) / 2 = 0.0876 ≈ 1 in 11 (SIL 1 range)
Mean Time Between Failures (MTBF)
For a constant failure rate, MTBF = 1/λ (strictly this is MTTF, but the distinction does not matter at these rates). Manufacturers specify MTBF; you convert it to lambda for SIL calculations. Bear in mind that a headline MTBF covers every failure mode, safe and dangerous, detected and undetected, whereas the PFD formula wants only the dangerous undetected share, which the manufacturer's FMEDA report breaks out. Using 1/MTBF in its place is conservative.
Example: A Coriolis meter with MTBF = 50,000 hours has λ = 1/50,000 = 0.00002 failures/hour.
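As an added example (not code from the article), here is the 1oo1 arithmetic above as a small Python module, with the IEC 61508 low-demand SIL bands used to classify the result and a function that inverts the formula to find the longest proof test interval a given sensor can tolerate for a target SIL. The 50,000 h MTBF and the annual test are the article's own figures; everything else is standard.

```python
"""Single-channel (1oo1) PFD arithmetic for a low-demand safety function.

Added example, not code from the original article. The formula is the
simplified IEC 61508-6 approximation used in the text (valid while
lambda * tau << 1); the sample numbers are the article's own illustration
(lambda = 2e-5 /h from a 50,000 h MTBF, annual proof test).
"""

HOURS_PER_YEAR = 8760

# IEC 61508 low-demand SIL bands: (lower bound inclusive, upper bound exclusive)
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def lambda_from_mtbf(mtbf_hours: float) -> float:
    """Constant failure rate (per hour) from a quoted MTBF/MTTF."""
    if mtbf_hours <= 0:
        raise ValueError("MTBF must be positive")
    return 1.0 / mtbf_hours


def pfd_1oo1(lam: float, tau_hours: float) -> float:
    """PFDavg of a single channel proof-tested every tau hours: lambda*tau/2.

    lam is the dangerous *undetected* failure rate. The linear approximation
    is only meaningful while lam*tau is well below 1, so refuse silly inputs.
    """
    if lam * tau_hours > 0.5:
        raise ValueError("lambda*tau too large for the linear approximation")
    return lam * tau_hours / 2.0


def sil_from_pfd(pfd: float) -> int:
    """Map a PFDavg to its SIL band; 0 means worse than SIL 1.

    A PFDavg below 1e-5 is off the bottom of the IEC 61508 table; it is
    reported as 4 here with that understanding.
    """
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 4


def max_proof_test_interval(lam: float, target_sil: int) -> float:
    """Longest tau (hours) keeping a 1oo1 channel inside target_sil.

    Solves lambda*tau/2 < upper band limit for tau.
    """
    upper = SIL_BANDS[target_sil][1]
    return 2.0 * upper / lam


if __name__ == "__main__":
    lam = lambda_from_mtbf(50_000)          # 2e-5 /h, the article's sensor
    pfd = pfd_1oo1(lam, HOURS_PER_YEAR)
    print(f"lambda = {lam:.1e}/h, annual proof test: PFD = {pfd:.4f} "
          f"(1 in {1 / pfd:.0f}) -> SIL {sil_from_pfd(pfd)}")
    for sil in (1, 2, 3):
        tau = max_proof_test_interval(lam, sil)
        print(f"SIL {sil} in 1oo1 needs a proof test every {tau:,.0f} h "
              f"(about {tau / 24:.0f} days)")
```

Running it reproduces the 0.0876 (SIL 1) figure and then shows that the same sensor would need a proof test roughly every 42 days to sit in the SIL 2 band in a 1oo1 arrangement, and about every 4 days for SIL 3. That is the practical reason the following sections reach for redundancy and online diagnostics rather than ever-shorter test intervals.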
Flow Meter Technologies and SIL Capability
Coriolis Meters
SIL capability: Typically SIL 2, some manufacturers certify SIL 3 with dual-line configurations.
Advantages: Excellent reliability, direct mass flow (no temperature/pressure compensation required), built-in diagnostics (drive gain, tube frequency, damping).
Typical MTBF: 50,000–100,000 hours.
Proof test requirement: Annual functional test of electronics and mechanical response. Flow reversal or valve bypass is typical.
Electromagnetic Meters
SIL capability: Typically SIL 2 with proper electronics redundancy.
Advantages: No moving parts, low pressure drop, excellent for water/conductive fluids.
Typical MTBF: 40,000–80,000 hours (electrode degradation is a failure mode).
Proof test requirement: Electrode impedance testing, signal quality verification.
Vortex Meters
SIL capability: Typically SIL 1–2 depending on manufacturer and electronics design.
Advantages: Robust to vibration and pressure transients, good for steam and gas.
Typical MTBF: 30,000–60,000 hours.
Proof test requirement: Signal quality and frequency stability checks.
Turbine Meters
SIL capability: SIL 1–2, limited by bearing wear and the resulting drift in bearing friction.
Disadvantages: Moving parts introduce mechanical wear. Less preferred for modern safety-critical applications.
Differential Pressure (Orifice Plates)
SIL capability: Depends entirely on the transmitter. The orifice plate itself is passive (no certification). A SIL-rated DP transmitter can achieve SIL 1–2.
Disadvantages: Requires separate temperature and pressure measurement for mass flow; adds complexity and failure points.
SIL Architecture: 1oo1, 1oo2, 2oo3
1oo1 (One-Out-Of-One): No Redundancy
A single sensor measures flow. If the sensor fails, the safety function fails. Suitable only for SIL 1.
Cost: Lowest.
Example: A single transmitter triggers an alarm if flow exceeds a low-hazard threshold.
1oo2 (One-Out-Of-Two): Voting Redundancy
Two identical sensors measure flow. Either sensor calling for a trip initiates the safety action, so the function survives one sensor failing to danger. Most implementations also compare the two readings and raise a discrepancy alarm (or trip) when they diverge beyond a tolerance, which turns a drifting sensor into a detected fault rather than one found only at the next proof test.
Advantage: One dangerous sensor failure is tolerated, and a discrepancy between channels is detected quickly. Achieves SIL 2–3 depending on proof test interval, component failure rates and the common-cause allowance. The trade-off is that a sensor failing towards the trip side causes a spurious trip.
Cost: Double sensor hardware. Logic solver required (simple relay or PLC).
Example: A blowdown protection system on a storage tank uses two pressure transmitters. If one drifts (indicating failure), the tank is vented.
2oo3 (Two-Out-Of-Three): Triple Redundancy
Three sensors measure flow. Any two calling for a trip initiate the safety action. A single sensor failing in either direction is outvoted, so it causes neither a missed trip nor a spurious trip, and the disagreement is flagged for repair.
Advantage: Tolerates one sensor failure without a spurious trip and without losing the function. Can achieve SIL 3, given low dangerous undetected failure rates and a small common-cause fraction.
Cost: Three sensors + logic solver. Highest cost.
Example: Nuclear reactor safety systems often use 2oo3 voting for safety-critical measurements.
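The following Python is an added example, not code from the article, comparing the sensor-subsystem architectures described above with the simplified IEC 61508-6 low-demand formulas (detected dangerous failures and repair time neglected). It adds a beta-factor common-cause term, which the article lists under manufacturer documentation but the simple formulas leave out. The 60,000 h MTBF, annual proof test and the beta values of 2% and 10% are constructed inputs, and λ is taken as entirely dangerous undetected, which is conservative.

```python
"""PFDavg of 1oo1, 2oo2, 1oo2 and 2oo3 sensor subsystems with a beta-factor
common-cause allowance.

Added example, not code from the original article. Formulas are the
simplified IEC 61508-6 low-demand expressions with repair time and detected
dangerous failures neglected: lam is the dangerous undetected rate per hour,
tau the proof test interval in hours, beta the fraction of failures assumed
to hit all channels at once. Sample figures are constructed.
"""

HOURS_PER_YEAR = 8760


def pfd_1oo1(lam, tau):
    """Single channel: lambda*tau/2."""
    return lam * tau / 2.0


def pfd_2oo2(lam, tau):
    """Both channels must work, so either failing defeats the function:
    roughly twice the single-channel PFD."""
    return lam * tau


def pfd_1oo2(lam, tau, beta=0.0):
    """Either channel trips. Independent part ((1-beta)*lam*tau)^2 / 3, plus a
    common-cause part that behaves like a single channel with rate beta*lam."""
    lam_ind = (1.0 - beta) * lam
    return (lam_ind * tau) ** 2 / 3.0 + beta * lam * tau / 2.0


def pfd_2oo3(lam, tau, beta=0.0):
    """Any two of three trip. Three channel pairs can each fail to danger, so
    the independent part is three times the 1oo2 term, plus common cause."""
    lam_ind = (1.0 - beta) * lam
    return (lam_ind * tau) ** 2 + beta * lam * tau / 2.0


def sil_from_pfd(pfd):
    """IEC 61508 low-demand band; 0 means worse than SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def compare(lam, tau, beta):
    """Return {architecture: (pfd, sil)} for one sensor/test/beta combination."""
    rows = {
        "1oo1": pfd_1oo1(lam, tau),
        "2oo2": pfd_2oo2(lam, tau),
        "1oo2": pfd_1oo2(lam, tau, beta),
        "2oo3": pfd_2oo3(lam, tau, beta),
    }
    return {arch: (pfd, sil_from_pfd(pfd)) for arch, pfd in rows.items()}


if __name__ == "__main__":
    lam = 1 / 60_000            # constructed: 60,000 h MTBF, all taken as dangerous undetected
    for beta in (0.0, 0.02, 0.10):
        print(f"beta = {beta:.0%}")
        for arch, (pfd, sil) in compare(lam, HOURS_PER_YEAR, beta).items():
            print(f"  {arch}: PFD = {pfd:.4f} (1 in {1 / pfd:,.0f}) -> SIL {sil}")
```

Two results are worth pausing on. First, 2oo2 (both channels must trip) is worse than a single channel, so doubling the single-channel PFD is never the 1oo2 answer. Second, at β = 0 the 2oo3 figure is three times the 1oo2 figure, because any of the three channel pairs failing to danger defeats the vote; what 2oo3 buys over 1oo2 is immunity to spurious trips, not a lower PFD, so a SIL 3 claim for 2oo3 rests on a low dangerous undetected rate and a small β rather than on the voting alone. A β of 10% on identical transmitters is enough to push this 1oo2 case out of the SIL 2 band, which is why diverse sensors and separate process connections matter.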
Proof Test Intervals
A proof test is a periodic full functional check of the safety system. It verifies that:
- The sensor still responds correctly to the measured variable
- The transmitter signal is in the correct range
- The logic solver logic is functioning
- The final element (solenoid, valve) actuates in response to a test signal
SIL 1: Annual or biennial proof test.
SIL 2: Annual proof test, often combined with online diagnostics that catch ~90% of failures between tests.
SIL 3: Quarterly to semi-annual proof test, with continuous online diagnostics (HART, digital protocols).
Proof test cost: GBP 500–2,000 per test per transmitter, depending on accessibility and complexity. For a SIL 3 system with three transmitters tested quarterly, expect GBP 6,000–24,000 annually in proof test labour.
Specifying a SIL-Capable Flow Meter
- Step 1: Determine the required SIL (SIL 1, 2, or 3) for each safety function from your SIL determination study (for example LOPA or a risk graph) following the Hazard and Operability (HAZOP) study
- Step 2: Identify whether you need 1oo1, 1oo2, or 2oo3 architecture
- Step 3: Request a SIL-certified transmitter from the manufacturer, with documented failure rate data (λ or MTBF)
- Step 4: Calculate your system's PFD using the manufacturer's data and your architecture
- Step 5: Have an independent functional safety engineer review and verify your design (the functional safety assessment)
- Step 6: Document your safety case (technical dossier) for your safety instrumented system
Manufacturer documentation to request:
- Failure rate data (λ broken down into safe/dangerous and detected/undetected, typically in FIT, i.e. failures per 10⁹ hours, or MTBF in hours)
- Failure modes and effects analysis (FMEA)
- Diagnostics capability (what faults can be detected online vs. only by proof test)
- Common-cause failure analysis (what causes multiple redundant sensors to fail together)
- Proof test procedures and expected duration
Common Pitfalls in SIL Implementation
Pitfall 1: Confusing SIL-Capable with SIL-Certified
A "SIL-capable" transmitter means the manufacturer, usually through a third-party assessor, has documented its failure rates, diagnostic coverage and proof test procedures and shown it suitable for use in a function up to a stated SIL. A "SIL-certified" system is your complete design (sensor + logic + final element) that has been reviewed and verified by an independent safety engineer and documented in a safety case.
You cannot buy SIL 3 off-the-shelf. You design it into your system.
Pitfall 2: Over-Specifying Redundancy
A 2oo3 SIL 3 system costs roughly three times a 1oo1 SIL 1 system in sensor hardware, plus a voting logic solver and three sets of proof tests. Many applications only require SIL 1–2. Conduct a rigorous risk assessment before committing to triple redundancy.
Pitfall 3: Neglecting Proof Test in the Budget
SIL systems require ongoing proof testing. Budget GBP 5,000–25,000 annually depending on the number of transmitters and test frequency. Many operators underestimate this recurring cost.
Pitfall 4: Mixing Components from Different Manufacturers
If you use a Coriolis transmitter from Emerson and a logic solver from Siemens, ensure compatibility and that common-cause failures are addressed in your functional safety assessment. No vendor certifies the combination for you: the SIL claim covers the whole loop, and the justification is yours.
Pitfall 5: Ignoring Online Diagnostics
Modern transmitters (Coriolis, EM, vortex) include online diagnostics, reported over HART or Profibus status bits or, on a plain 4–20 mA loop, by driving the output out of range (above 21 mA or below 3.6 mA per NAMUR NE43), that detect ~80–95% of dangerous failures without waiting for the proof test. Crediting these diagnostics in the PFD calculation lowers the dangerous undetected failure rate, which can allow a longer proof test interval at the same SIL, provided a detected fault is acted on (trip, or a defined degraded state) within a specified repair time.
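An added Python example, not from the article or from any vendor's FMEDA, showing how the documentation items requested earlier (FMEA, diagnostic capability) and the online diagnostics in pitfall 5 enter the numbers: a constructed failure-mode table for a hypothetical pressure transmitter is rolled up into λ_DD, λ_DU and diagnostic coverage, and the allowable 1oo1 proof test interval for a PFD target is computed with and without crediting the diagnostics. The failure modes and FIT values are invented for illustration; real entries come from the manufacturer's FMEDA report.

```python
"""Rolling an FMEDA-style failure-mode table into the rates a SIL calculation
needs, and seeing what diagnostic coverage buys in proof test interval.

Added example, not code from the original article or any vendor's FMEDA.
The failure-mode table is constructed for illustration. Rates are in FIT
(failures per 1e9 hours), the unit such reports normally use.
"""

from dataclasses import dataclass

HOURS_PER_YEAR = 8760
FIT = 1e-9  # 1 FIT = one failure per 1e9 hours


@dataclass(frozen=True)
class FailureMode:
    name: str
    rate_fit: float
    dangerous: bool   # would the failure stop the trip from happening?
    detected: bool    # caught by online diagnostics, not only by proof test?


# Constructed table for a hypothetical pressure transmitter (not real data).
MODES = [
    FailureMode("output drives high (>21 mA)", 60, dangerous=False, detected=True),
    FailureMode("output drives low (<3.6 mA)", 60, dangerous=False, detected=True),
    FailureMode("sensor diaphragm rupture, flagged", 30, dangerous=True, detected=True),
    FailureMode("ADC stuck, caught by self-test", 40, dangerous=True, detected=True),
    FailureMode("slow zero drift, within range", 15, dangerous=True, detected=False),
    FailureMode("impulse line plugged (frozen reading)", 25, dangerous=True, detected=False),
]


def roll_up(modes):
    """Return (lambda_DD, lambda_DU, diagnostic coverage), rates per hour."""
    lam_dd = sum(m.rate_fit for m in modes if m.dangerous and m.detected) * FIT
    lam_du = sum(m.rate_fit for m in modes if m.dangerous and not m.detected) * FIT
    lam_d = lam_dd + lam_du
    dc = lam_dd / lam_d if lam_d else 0.0   # DC = share of dangerous failures detected
    return lam_dd, lam_du, dc


def pfd_1oo1(lam_du, tau):
    """Single channel, proof-tested every tau hours: lambda_DU * tau / 2."""
    return lam_du * tau / 2.0


def tau_for_target(lam_du, target_pfd):
    """Proof test interval (hours) at which a 1oo1 channel just meets target_pfd."""
    return 2.0 * target_pfd / lam_du


def diagnostics_benefit(modes, target_pfd=1e-3):
    """Allowable proof test interval with and without crediting diagnostics.

    'Without' treats every dangerous failure as undetected, which is what you
    are stuck with when the transmitter's status is wired to nothing.
    """
    lam_dd, lam_du, dc = roll_up(modes)
    without_dc = tau_for_target(lam_dd + lam_du, target_pfd)
    with_dc = tau_for_target(lam_du, target_pfd)
    return dc, without_dc, with_dc


if __name__ == "__main__":
    lam_dd, lam_du, dc = roll_up(MODES)
    print(f"lambda_DD = {lam_dd / FIT:.0f} FIT, lambda_DU = {lam_du / FIT:.0f} FIT, "
          f"DC = {dc:.0%}")
    print(f"1oo1, annual proof test: PFD = {pfd_1oo1(lam_du, HOURS_PER_YEAR):.2e}")
    dc, t0, t1 = diagnostics_benefit(MODES)
    print(f"to stay under 1e-3 (SIL 2 upper limit): test every {t0 / HOURS_PER_YEAR:.1f} "
          f"years without crediting diagnostics, {t1 / HOURS_PER_YEAR:.1f} years with")
```

Only the dangerous undetected rows reach the PFD formula: the two out-of-range output failures are safe (they trip the loop), and the two dangerous-but-detected rows count for the proof test interval only if the detected fault actually leads to a trip or a managed repair. The plugged impulse line and slow drift are the modes that no amount of electronics self-test catches, which is why the proof test in this document includes exercising the sensor against the process.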
Real-World Example: SIL 2 Pressure Relief System
Scenario
A natural gas compression facility has a pressurised storage vessel. To prevent overpressure, a safety interlock measures tank pressure and triggers a blow-down valve if pressure exceeds 30 bar.
Hazard
If a pressure transmitter fails to danger, for example freezes or drifts low so that it reports a safe value while the tank is overpressurised, the blow-down valve will not open, and the tank may rupture. Catastrophic. (A transmitter that fails high opens the valve unnecessarily: a spurious trip, costly but safe.)
Required SIL
The HAZOP and the follow-on SIL determination (LOPA) conclude that SIL 2 is required (acceptable risk given mitigating factors like operator awareness and annual inspection).
Design: 1oo2 Architecture
- Two pressure transmitters (for example Emerson Rosemount 3051S or Yokogawa DPharp) measure tank pressure independently
- A safety PLC (Siemens S7-1200 F-CPU) receives both signals. Either transmitter reading above 30 bar opens the blow-down valve (1oo2). The PLC also compares the two readings and treats a discrepancy of more than 2 bar as a trip demand
- Each transmitter has MTBF = 60,000 hours (λ = 0.00001667 failures/hour)
- Annual proof test (τ = 8,760 hours)
PFD Calculation (1oo2 with annual proof test)
Using the simplified 1oo2 formula, with common-cause failures neglected for the moment:
PFD_system ≈ (λ × τ)² / 3
λ × τ = 0.00001667 × 8,760 ≈ 0.146, so PFD ≈ 0.146² / 3 ≈ 0.0071 ≈ 1 in 140, inside the SIL 2 band (10⁻³ to 10⁻²).
Two cautions. First, the single-channel PFD (λ × τ / 2 ≈ 0.073) is only SIL 1 on its own, and simply doubling it (λ × τ ≈ 0.146) is the 2oo2 result, where both channels must work, not the 1oo2 result. Second, a common-cause term β × λ × τ / 2 has to be added; with a typical conservative β of 10% that is another 0.0073, taking the total to about 0.014 and back out of the SIL 2 band. Either reduce β (diverse transmitters, separate impulse lines) or use the dangerous undetected failure rate from the FMEDA in place of 1/MTBF, which is normally far below the all-modes figure used here.
Cost & Timeline
- Two SIL-capable transmitters: GBP 2,500
- Safety PLC: GBP 3,000
- Solenoid blow-down valve: GBP 1,500
- Engineering & installation: GBP 5,000
- Annual proof test labour: GBP 1,500
- Total first-year cost: GBP 13,500
Next Steps
1. Conduct a risk assessment: Determine your required SIL level (SIL 1, 2, or 3) based on hazard severity and frequency.
2. Select your flow meter technology: Choose based on your fluid, accuracy needs, and SIL capability. Coriolis and EM meters are best for SIL 2–3.
3. Design your architecture: Decide between 1oo1, 1oo2, or 2oo3 based on your SIL requirement and cost tolerance.
4. Request SIL documentation: Get MTBF/λ data, FMEA, and proof test procedures from your chosen manufacturer.
5. Engage a functional safety engineer: Have your design reviewed and verified before implementation.