
What does Proven In Use imply?

The functional safety standards IEC 61508 [1], IEC 61511 [2], and ANSI/ISA 84.01 [3] each specify the Safety Integrity Level (SIL) performance parameter for Safety Instrumented Functions. For a Safety Instrumented Function to meet a specific Safety Integrity Level, the sum of the average Probability of Failure on Demand (PFDavg) of all components that are part of that Safety Instrumented Function needs to fall within the PFDavg band associated with that Safety Integrity Level.

Besides the average Probability of Failure on Demand requirement for a specific Safety Integrity Level, the IEC 61508 and IEC 61511 standards define the concept of architectural constraints. This concept puts additional requirements on equipment items that are part of the Safety Instrumented Function. The architectural constraints are expressed as the required minimum level of Hardware Fault Tolerance. The achieved level of Hardware Fault Tolerance is a function of the equipment item’s Safe Failure Fraction (SFF), the type of equipment item, and the desired Safety Integrity Level. The IEC 61511 standard allows a reduction in the required level of Hardware Fault Tolerance for field equipment when the equipment item under consideration can be deemed Proven In Use. The standard lists specific Proven In Use requirements that need to be followed before an equipment item can be called Proven In Use; however, the interpretation of these requirements is arguable. This article provides an overview of the Proven In Use requirements as listed by the IEC 61508 and IEC 61511 standards. Furthermore, a practical interpretation of the Proven In Use requirements used by exida will be discussed.

For compliance with the IEC 61508 or IEC 61511 functional safety standards, the achieved Safety Integrity Level of a Safety Instrumented Function is determined by the lower of two calculated SILs, i.e. the SIL based on the average Probability of Failure on Demand and the SIL based on the Architectural Constraints. This is also illustrated in figure 1. The SIL based on the average Probability of Failure on Demand is often represented by SILpfd. The SIL based on the Architectural Constraints is often represented by SILac [4].

[Figure: Achieved SIL]
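The lower-of-two rule described above, worked through as an added example that is not part of the original article or exida's own tooling. The PFDavg bands and the architectural-constraint tables are the commonly published IEC 61508 low-demand values, entered here as assumptions to check against the standard; the series-subsystem model, the `Subsystem` type and the sample loop are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed low-demand PFDavg bands: SIL n covers 10^-(n+1) <= PFDavg < 10^-n.
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# Assumed architectural-constraint tables: highest SIL claimable, indexed
# [SFF band][HFT 0..2]. SFF bands: <60%, 60-<90%, 90-<99%, >=99%. 0 = not allowed.
ARCH_TABLE = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],  # Type A equipment
    "B": [(0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],  # Type B equipment
}

@dataclass
class Subsystem:  # hypothetical model of one element of the SIF
    name: str
    kind: str       # equipment type, "A" or "B"
    sff: float      # Safe Failure Fraction, 0..1
    hft: int        # Hardware Fault Tolerance
    pfd_avg: float  # average Probability of Failure on Demand

def sil_pfd(total_pfd: float) -> int:
    """SIL from the summed PFDavg; 0 means no SIL band is met."""
    if total_pfd < 1e-5:
        return 4  # better than the SIL 4 band is still capped at SIL 4
    for sil, low, high in PFD_BANDS:
        if low <= total_pfd < high:
            return sil
    return 0

def sil_ac(sub: Subsystem) -> int:
    """SIL permitted by the architectural constraints for one subsystem."""
    band = 0 if sub.sff < 0.60 else 1 if sub.sff < 0.90 else 2 if sub.sff < 0.99 else 3
    return ARCH_TABLE[sub.kind][band][min(sub.hft, 2)]

def achieved_sil(subsystems):
    """Return (achieved SIL, SILpfd, SILac) for subsystems acting in series."""
    pfd = sil_pfd(sum(s.pfd_avg for s in subsystems))
    ac = min(sil_ac(s) for s in subsystems)  # weakest subsystem limits the SIF
    return min(pfd, ac), pfd, ac

# Constructed sample loop: the single Type B sensor caps the function at SIL 1
# even though the summed PFDavg (5.6e-3) falls in the SIL 2 band.
SAMPLE_SIF = [
    Subsystem("sensor", "B", 0.85, 0, 1.5e-3),
    Subsystem("logic solver", "B", 0.995, 1, 1.0e-4),
    Subsystem("final element", "A", 0.70, 0, 4.0e-3),
]

if __name__ == "__main__":
    print(achieved_sil(SAMPLE_SIF))
```
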


Copyright 2000 - 2012 exida.com LLC