Safety Integrity Level is Derived – Not Assigned
05 Jun 2026
Using Risk, Context, and Justified Decisions to Define SIL
A recent article I saw attempted to simplify Safety Integrity Levels (SILs) by mapping them directly to industries and application types. While well-intentioned, it reinforced a common and potentially costly misconception: that SIL is something you select upfront based on what you are working on.
In reality, SIL is not a label applied to an industry, product, or hazard. It is the outcome of a structured risk assessment and risk reduction process.
This misunderstanding is more than academic. It regularly leads to over-engineered solutions, unnecessary cost, and safety efforts that focus on justifying a number rather than reducing real risk.
SIL is derived – not assigned.
What Is an SIL?
A Safety Integrity Level does not describe how dangerous something is. It defines how much risk reduction a safety function must provide to reduce a specific risk to a tolerable level.
That distinction matters. Without a defined risk, any SIL value is arbitrary. When SILs are selected first and justified later, engineering effort is misdirected and assurance activity loses its meaning.
SIL Is Not a Property of a Hazard or an Industry
A persistent misunderstanding in functional safety is that certain hazards or industries naturally “map” to specific SILs.
There is no such thing as a “SIL 3 hazard” or a “SIL 2 industry.” The same hazard can exist in very different contexts, with entirely different risk profiles.
Exposure frequency, duration, avoidance, existing safeguards, and those exposed all influence risk. Because these factors vary by application, SIL cannot be assigned based on precedent, sector norms, or simplified charts. It must be derived from the specific risk being addressed.
Risk Reduction Comes Before Safety Functions
Another common mistake is treating safety-related systems as the starting point for risk reduction. This reverses the intent of modern safety standards.
Functional safety is not the first step in risk reduction – it is one of the last.
Hazards should first be addressed through inherently safe design, physical safeguards, separation, and other non-instrumented measures. Only when these options have been exhausted should a safety-related function be introduced to address the remaining risk gap.
The required SIL depends entirely on how much risk remains after these measures are applied. Skipping this sequence inflates SIL targets and undermines the risk-based intent of functional safety standards.
Tolerable Risk Is a Decision, Not a Constant
Perhaps the most overlooked aspect of SIL determination is tolerable risk.
Tolerable risk is not universal. It depends on context, regulatory expectations, and organisational risk criteria. Two organisations can legitimately derive different SIL requirements for the same system, provided their assumptions are explicit and justified.
This does not weaken functional safety. It strengthens it by making risk acceptance a conscious, defensible decision rather than an implicit assumption.
Why Simplified SIL Charts Cause Real Harm
Simplified SIL pyramids and industry mapping charts are appealing because they are easy to understand. Unfortunately, they often do more harm than good. They encourage premature SIL targets, blur the distinction between systems and safety functions, and turn SIL into a marketing shorthand rather than an engineering outcome.
Most concerning, they normalise the idea that SIL can be selected without a rigorous risk assessment – directly contradicting the intent of functional safety standards.
A Better Way to Think About SIL
Rather than asking “What SIL does this hazard or industry require?”, a better question is:
“How much additional risk reduction is required to reduce this specific risk to a tolerable level, after all other measures have been applied?”
Only once that question is answered does SIL have meaning. In that sense, SIL is not a ladder to climb. It is the result of a disciplined engineering process.
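A worked illustration of that question, added here and not taken from the article or from any standard's text: the residual event frequency left after non-instrumented measures is compared with a tolerable frequency, and the gap is mapped onto the IEC 61508 low-demand PFDavg bands. The function name and every frequency and credit value are constructed assumptions.

```python
# Added illustration: derive a SIL from the remaining risk gap (low-demand mode).
# All frequencies and credits used here are constructed sample values.

# IEC 61508 low-demand bands: SIL n covers 10^-(n+1) <= PFDavg < 10^-n
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def derive_sil(initiating_freq, non_sif_pfds, tolerable_freq):
    """Return (residual_freq, required_pfd, sil) for one hazardous event.

    initiating_freq: hazardous events per year before any risk reduction
    non_sif_pfds:    probability of failure on demand of each
                     non-instrumented measure, credited first
    tolerable_freq:  the organisation's tolerable event frequency per year
    """
    residual = initiating_freq
    for pfd in non_sif_pfds:
        residual *= pfd  # each independent measure reduces the frequency
    if residual <= tolerable_freq:
        return residual, None, None  # no safety function is needed
    required_pfd = tolerable_freq / residual  # the gap the function must close
    if required_pfd >= 1e-1:
        return residual, required_pfd, None  # gap smaller than the SIL 1 band
    for sil, low, high in SIL_BANDS:
        if low <= required_pfd < high:
            return residual, required_pfd, sil
    raise ValueError("gap exceeds the SIL 4 band; revisit the design")


# Same hazard, different context and assumptions (constructed cases).
CASES = {
    "guarded, strict criterion":    (0.1, [0.1], 2e-5),
    "guarded, different criterion": (0.1, [0.1], 5e-4),
    "no guard credited":            (0.1, [], 2e-5),
    "higher exposure":              (0.5, [0.1], 2e-5),
    "two non-instrumented layers":  (0.1, [0.1, 0.01], 1e-3),
}


def run_cases():
    """Map each case name to its derived SIL (None = no SIL requirement)."""
    return {name: derive_sil(*args)[2] for name, args in CASES.items()}


if __name__ == "__main__":
    for name, sil in run_cases().items():
        print(f"{name:30s} -> {'no SIL requirement' if sil is None else f'SIL {sil}'}")
```

The same hazard comes out at SIL 1, 2 or 3, or with no SIL requirement, depending only on the credited measures and the tolerable-risk criterion.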
Conclusion
Functional safety rarely fails because standards are unclear. It fails when we oversimplify them.
SIL is not assigned. It is derived – from risk, context, and justified decisions.
When we treat it that way, we build safer systems, scope projects correctly, and restore SIL to what it was always intended to be: a measure of required risk reduction, not a label.
How Intertek Assurance Can Help
Understanding that SIL is derived – not assigned – is only the first step. Applying that principle correctly, consistently, and defensibly across real projects is where many organisations struggle.
Intertek Assurance supports manufacturers, integrators, and end users throughout the functional safety lifecycle – from early risk assessment and concept development through to design, verification, validation, and independent assessment. Our focus is not on assigning SIL targets in isolation, but on helping organisations justify them through robust risk assessment, appropriate risk reduction strategies, and clear, auditable evidence.
Whether you need support clarifying tolerable risk criteria, deriving SIL requirements, validating safety-related functions, or providing independent assurance aligned with IEC 61508 and related standards, Intertek’s Assurance team helps ensure that functional safety decisions are technically sound, proportionate, and defensible – not just compliant on paper.