SIL in Plain English: How to Think About SIL2 for Gas & Flame Systems

Frequency | Severity of Consequence
          | 1     2     3     4     5
----------+-----------------------------
    5     | SIL3  SIL4  X     X     X
    4     | SIL2  SIL3  SIL4  X     X
    3     | SIL1  SIL2  SIL3  SIL4  X
    2     | -     SIL1  SIL2  SIL3  SIL4
    1     | -     -     SIL1  SIL2  SIL3

Hook (why this matters now):

Across CGD, CNG, and process facilities, “SIL2” gets thrown around in specs and audits—often as a device label. In reality, SIL is a system property of a Safety Instrumented Function (SIF)—not of a single detector. This newsletter strips the jargon down so you can design, justify, and maintain SIFs that actually achieve the integrity you promised.

The quick map

  • SIS (Safety Instrumented System): Sensors → Logic Solver → Final Elements.
  • SIF (Safety Instrumented Function): One protective action (e.g., “If CH₄ > X% LEL, trip ESD within 3 s”).
  • SIL: Target risk reduction level achieved by the whole SIF over its life.
  • Low-demand mode: Typical for gas/flame SIFs; we use PFDavg (average probability of failure on demand).
  • High/continuous demand: Uses PFH (probability of dangerous failure per hour).

What SIL2 actually means (low-demand)

For low-demand SIFs, target PFDavg ranges are:

  • SIL1: 1e-2 to <1e-1
  • SIL2: 1e-3 to <1e-2
  • SIL3: 1e-4 to <1e-3

To live inside the SIL2 band, you balance:

  • Architecture/voting: 1oo1 vs 1oo2 vs 2oo3. Voting can slash PFDavg but adds cost/complexity.
  • Diagnostics (DC): Built-in self-tests catch dangerous failures early.
  • Proof-test coverage (PTC) & interval (TI): Better coverage and more frequent tests reduce PFDavg.
  • Common cause (β): Redundancy only helps if common-cause failures are controlled.

Why a “SIL2 detector” isn’t enough

Devices can be SIL-capable (assessed via FMEDA), but only a complete, verified SIF can claim SIL2. You still need a suitable logic solver, final elements, power, bypass policy, proof testing, and documentation to hit the target PFDavg.

A simple mental model (low-demand)

For a 1oo1 SIF, a teaching-level approximation is:

PFDavg ≈ λᵈᵘ_eff × TI / 2,
where λᵈᵘ_eff = λᵈᵘ × (1 − DC) × (1 − PTC)

For 1oo2 (two sensors, one vote out of two), a common simplified form is:

PFDavg ≈ β·(λᵈᵘ_eff·TI/2) + (1−β)·(λᵈᵘ_eff·TI/2)²

These aren’t certification-grade, but they help you see the levers: diagnostics, test coverage, voting, and test intervals.
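The two approximations above, worked through as an added example (not part of the original newsletter): it computes PFDavg for 1oo1 and 1oo2, maps the result to the low-demand bands listed earlier, and solves for the test interval at which a SIF reaches a target PFDavg. The function names and the sample figures (λ_DU = 5e-6 per hour, DC = 0.6, PTC = 0.5, β = 0.1) are constructed for illustration, not vendor or FMEDA data.

```python
import math

# PFDavg bands for low-demand SIFs as listed in the article: [low, high)
SIL_BANDS = {"SIL3": (1e-4, 1e-3), "SIL2": (1e-3, 1e-2), "SIL1": (1e-2, 1e-1)}

def lambda_du_eff(lambda_du, dc, ptc):
    """Article's approximation: lambda_DU x (1 - DC) x (1 - PTC), per hour."""
    if lambda_du < 0 or not (0 <= dc <= 1 and 0 <= ptc <= 1):
        raise ValueError("need lambda_du >= 0 and DC, PTC within [0, 1]")
    return lambda_du * (1 - dc) * (1 - ptc)

def pfd_1oo1(lam_eff, ti_hours):
    return lam_eff * ti_hours / 2

def pfd_1oo2(lam_eff, ti_hours, beta):
    if not 0 <= beta <= 1:
        raise ValueError("beta must be within [0, 1]")
    x = pfd_1oo1(lam_eff, ti_hours)  # single-channel term
    return beta * x + (1 - beta) * x ** 2

def sil_band(pfd):
    for name, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return name
    return "below listed bands" if pfd < 1e-4 else "no SIL band"

def max_ti_hours(lam_eff, target_pfd, beta=None):
    """TI at which PFDavg reaches target_pfd; beta=None means 1oo1, else 1oo2."""
    if lam_eff == 0:
        return math.inf
    if beta is None or beta == 1:
        x = target_pfd
    else:
        # Positive root of (1 - beta) x^2 + beta x - target = 0
        x = (-beta + math.sqrt(beta**2 + 4 * (1 - beta) * target_pfd)) / (2 * (1 - beta))
    return 2 * x / lam_eff

if __name__ == "__main__":
    # Constructed sample data, not vendor or FMEDA figures
    lam = lambda_du_eff(lambda_du=5e-6, dc=0.6, ptc=0.5)
    for years in (1, 3):
        ti = years * 8760
        p1, p2 = pfd_1oo1(lam, ti), pfd_1oo2(lam, ti, beta=0.1)
        print(f"TI={years}y  1oo1 {p1:.2e} ({sil_band(p1)})  1oo2 {p2:.2e} ({sil_band(p2)})")
    print(f"1oo1 leaves the SIL2 band at TI = {max_ti_hours(lam, 1e-2):.0f} h")
    print(f"1oo2 (beta=0.1) leaves it at TI = {max_ti_hours(lam, 1e-2, beta=0.1):.0f} h")
```

With these sample figures, stretching the proof-test interval from one year to three drops the 1oo1 estimate out of the SIL2 band, while 1oo2 with β = 0.1 stays inside it.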

Practical path to SIL2 (field-proven checklist)

  1. Write an SRS for each SIF (trip points, response time, demand rate, proof-test method).
  2. Pick SIL-capable components (sensors, logic solver, final elements) with data for λᵈᵘ, DC, PTC.
  3. Choose architecture (1oo1 vs 1oo2) and estimate β; control common causes (separate power, routing, environment).
  4. Define proof tests (who/what/how often) and target TI based on your PFDavg goals.
  5. Plan bypass/override policy and logging; limit exposure time.
  6. Validate before commissioning; then maintain records (calibration, proof tests, failures, repairs).
  7. Recalculate PFDavg after significant changes (MoC).

Common Pitfalls (and fixes)

  • “We bought SIL2 detectors, so we’re SIL2.” → Tie devices into a verified SIF with a logic solver and final elements; document the achieved PFDavg.
  • Neglecting final elements. → Valves/ESD devices often dominate risk; include them in the proof test.
  • Over-optimistic test coverage. → If in doubt, assume lower PTC and add a targeted on-bench test step.
  • No response-time view. → Ensure trip + logic + valve times meet the SRS (e.g., <3 s for methane where required).
  • Poor MoC. → Even minor set-point tweaks can invalidate your SIL claim—log and re-verify.

Frequently asked questions

Sometimes—if TI is short, diagnostics are strong, and final elements are reliable; 1oo2 gives margin.

Only as SIL-capable. The SIF (system) achieves SIL.

Treat as low-demand; watch sensor placement and PTC for fine-leak scenarios.

Indirectly—better diagnostics and faster maintenance can lower effective PFDavg.