3 Important Factors in Evaluating your SIL Certified Device
Today there is a growing trend among end users to require equipment manufacturers to have their safety devices certified to IEC 61508 (SIL). That is an excellent trend for a number of reasons. One reason is that in order to get a device SIL Certified, a company must first determine the device’s failure rates and failure modes. This is usually done by having a Failure Modes, Effects and Diagnostic Analysis (FMEDA) performed. Among other things, an FMEDA Report will detail the device’s Architectural Constraints and its λDU (Dangerous Undetected Failure Rate). Given values for the maintenance parameters (Test Interval, Test Coverage, and Repair Time), you can determine the device’s PFDavg (Average Probability of Failure on Demand). Both the Architectural Constraints and the PFDavg of a device, together with its IEC 61508 Certification, are critical in evaluating whether or not a given device may be suitable for use in a Safety Function with a given SIL requirement, and these are what concern a Safety Engineer in that evaluation.
A device’s Architectural Constraints determine immediately which level of Redundancy (HFT) is appropriate for use in a Safety Function with a given SIL requirement. The interpretation of a device’s PFDavg is more complex. It does not determine the product’s Safety Integrity Level (SIL); it determines the device’s contribution to the PFDavg of the Safety Function. As such, the device’s PFDavg must be considered together with the PFDavg values of the other devices with which it will be used, to determine the SIL of the Safety Function. This article will address these two characteristics separately, but first we will state a more basic concept regarding what is and what is not “SIL 3”. It has become very convenient to refer to a device as a SIL 1 device, a SIL 2 device, or a SIL 3 device. Unfortunately, that is a dangerous simplification. In fact there is no such thing as a SIL 1 device, a SIL 2 device, or a SIL 3 device. The only thing that can truly be classified as SIL 1, SIL 2 or SIL 3 is a Safety Function. That is why certified devices are classified on their certificates as SIL 1 Capable, SIL 2 Capable, or SIL 3 Capable. That is a distinction with a very real difference, and that difference will become clear as you read further.
Architectural Constraints
The architectural constraints of a device are a function of the device type (Type A or Type B) and its Safe Failure Fraction (SFF). A Type A device is a “non-complex” subsystem using discrete elements. A Type B device is a “complex” subsystem using microcontrollers or programmable logic. For further details see clause 7.4.3.1.3 of IEC 61508-2.

As stated above, the Architectural Constraints of a device are a function of its Safe Failure Fraction (SFF), which is defined in the device’s FMEDA, and the device’s Type (Type A or Type B), which is also specified in the FMEDA. We see from Table 1 that a Type A device with a Safe Failure Fraction between 60% and 90% can be used in a SIL 2 Safety Function as a single device. It is also suitable for use in a SIL 3 Safety Function when used in a redundant architecture such as 1oo2. But to refer to such a device, with an SFF between 60% and 90%, as a “SIL 3 Device” is misleading. If such a device were to be certified, its certificate would indicate: “SIL 2 Capable @ HFT = 0” and “SIL 3 Capable @ HFT = 1.”
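The following worked example is added here and is not part of the article: it computes the SFF from constructed FMEDA failure rates, looks up the SIL capability per HFT using the route 1H architectural-constraints tables of IEC 61508-2 (the article’s Table 1 is not reproduced on this page, so the table values are taken from the standard), and then shows the device’s PFDavg as a share of a Safety Function’s PFDavg budget rather than as a “device SIL”. The single-channel PFDavg formula λDU × TI / 2 is a simplification that assumes full proof-test coverage and negligible repair time; the FIT values are constructed.

```python
# Added worked example (not from the article): SFF, architectural constraints and
# a device's PFDavg contribution, using constructed FMEDA figures for a Type A device.

# Route 1H architectural constraints, IEC 61508-2 Tables 2 (Type A) and 3 (Type B):
# SFF band -> highest SIL allowed at HFT 0, 1 and 2. Bands: <60 %, 60-90 %, 90-99 %, >=99 %.
# None means the configuration is not permitted.
ARCH_CONSTRAINTS = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],
    "B": [(None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],
}
# Low-demand PFDavg bands, IEC 61508-1 Table 2: SIL n means 10^-(n+1) <= PFDavg < 10^-n.
PFD_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du):
    """SFF: share of all failures that are safe or dangerous-but-detected (any common rate unit)."""
    return (lam_sd + lam_su + lam_dd) / (lam_sd + lam_su + lam_dd + lam_du)


def sff_band(sff):
    """Index of the SFF band used by the architectural-constraints tables."""
    return 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3


def sil_capable(dev_type, sff, hft):
    """Highest SIL the device may be used for at a given HFT, or None if not permitted."""
    return ARCH_CONSTRAINTS[dev_type][sff_band(sff)][hft]


def pfd_avg_1oo1(lam_du_per_h, test_interval_h):
    """Simplified single-channel PFDavg = lambda_DU * TI / 2.
    Assumption: 100 % proof-test coverage and negligible repair time."""
    return lam_du_per_h * test_interval_h / 2


def sil_band_of_pfd(pfd):
    """SIL band that a PFDavg value falls in, or None if outside SIL 1..4."""
    return next((sil for sil, (lo, hi) in PFD_BANDS.items() if lo <= pfd < hi), None)


def budget_fraction(device_pfd, function_sil):
    """Share of a Safety Function's PFDavg limit (10^-SIL) consumed by this one device."""
    return device_pfd / PFD_BANDS[function_sil][1]


if __name__ == "__main__":
    # Constructed FMEDA figures in FIT (failures per 1e9 h); no diagnostics, so lambda_DD = 0.
    sff = safe_failure_fraction(lam_sd=0, lam_su=300, lam_dd=0, lam_du=150)  # 0.667
    print(f"SFF = {sff:.1%}: SIL {sil_capable('A', sff, 0)} Capable @ HFT=0, "
          f"SIL {sil_capable('A', sff, 1)} Capable @ HFT=1")
    pfd = pfd_avg_1oo1(150e-9, 8760)  # one-year proof-test interval
    print(f"PFDavg = {pfd:.2e} (SIL {sil_band_of_pfd(pfd)} band); "
          f"uses {budget_fraction(pfd, 2):.1%} of a SIL 2 function's PFDavg budget")
```

Note that the constructed device lands in the SIL 3 PFDavg band on its own, yet its architecture only permits SIL 2 at HFT = 0, which is exactly why the certificate wording “SIL 2 Capable @ HFT = 0” matters more than the PFDavg number alone.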

