Imagine. Marketing has just approached the engineering department and says your new safety product must have SIL 3 Capable certification instead of SIL 2 to be successful. You are in the engineering group developing this new product. Now what?
Let’s assume that the “change request” makes sense and has been approved for the product. This is an important first step, as changes in requirements and scope creep can wreak havoc on a project. It’s also important to demonstrate that your modification process meets the 61508 requirements. Remember, you don’t want to operate outside the safety lifecycle!
Some of the main differences between SIL ratings involve:
• Hardware Fault Tolerance (HFT)
• Safe Failure Fraction (SFF)
• the techniques and measures applied to prevent systematic failures
SIL 3 requires a higher Safe Failure Fraction for the same level of HFT. If you’re already above 90% for the SFF with a single channel architecture, you’ll meet SIL 2. However, you may find it more difficult to get above the 99% SFF needed to meet SIL 3. You may have to consider redundancy, and with it common cause failure. Additional diagnostics may be necessary to reach the higher SFF, or the diagnostics you already have may need improving. The requirements for prevention of systematic failures mean more rigorous techniques and measures are needed.
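To make the SFF arithmetic and the two routes to SIL 3 (better diagnostics or added hardware fault tolerance) concrete, here is a worked example added to this post; it is not code from the original article or from any certification body. It computes SFF from the four IEC 61508-2 failure-rate categories, works out how much diagnostic coverage a single-channel element needs to cross the 99% line, and looks up the maximum SIL the Route 1H architectural constraints allow (IEC 61508-2:2010 Tables 2 and 3, Type A and Type B elements). All failure rates are constructed for the illustration, and the 1H tables are encoded from my reading of the standard, so check them against your own copy before relying on them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """Failure rates (per hour) split into the four IEC 61508-2 categories.
    Every numeric value in this example is constructed, not measured data."""
    safe_detected: float         # lambda_SD
    safe_undetected: float       # lambda_SU
    dangerous_detected: float    # lambda_DD
    dangerous_undetected: float  # lambda_DU

    @property
    def safe(self) -> float:
        return self.safe_detected + self.safe_undetected

    @property
    def dangerous(self) -> float:
        return self.dangerous_detected + self.dangerous_undetected


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (lambda_SD + lambda_SU + lambda_DD) / (lambda_SD + lambda_SU + lambda_DD + lambda_DU)."""
    return (r.safe + r.dangerous_detected) / (r.safe + r.dangerous)


def diagnostic_coverage(r: FailureRates) -> float:
    """DC = lambda_DD / (lambda_DD + lambda_DU): the share of dangerous failures the diagnostics reveal."""
    return r.dangerous_detected / r.dangerous


def with_diagnostic_coverage(r: FailureRates, dc: float) -> FailureRates:
    """The same element, but with diagnostics that reveal fraction dc of its dangerous failures."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("diagnostic coverage must lie in [0, 1]")
    return FailureRates(r.safe_detected, r.safe_undetected,
                        r.dangerous * dc, r.dangerous * (1.0 - dc))


def required_dc(r: FailureRates, target_sff: float) -> float:
    """Minimum diagnostic coverage that lifts this element to target_sff.
    A result above 1.0 means diagnostics alone cannot get there: redundancy (HFT) is needed."""
    return max(0.0, (target_sff * (r.safe + r.dangerous) - r.safe) / r.dangerous)


# Architectural constraints, IEC 61508-2:2010 Route 1H, Tables 2 (Type A) and 3 (Type B),
# encoded as (lower SFF bound of the band, (max SIL at HFT 0, HFT 1, HFT 2)); None = not allowed.
_TYPE_A = [(0.00, (1, 2, 3)), (0.60, (2, 3, 4)), (0.90, (3, 4, 4)), (0.99, (3, 4, 4))]
_TYPE_B = [(0.00, (None, 1, 2)), (0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4))]


def max_sil(sff: float, hft: int, element_type: str = "B"):
    """Highest SIL the architectural constraints allow for one subsystem."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    table = {"A": _TYPE_A, "B": _TYPE_B}[element_type]
    allowed = None
    for lower, sils in table:
        if sff >= lower - 1e-12:  # tolerate float noise right at a band boundary
            allowed = sils
    return allowed[hft]


# Constructed single-channel Type B element: DC = 90 %, SFF = 98 %, so it meets SIL 2 but not SIL 3.
BASELINE = FailureRates(6.0e-7, 2.0e-7, 1.8e-7, 2.0e-8)


def sil3_options(r: FailureRates = BASELINE) -> dict:
    """Compare the two routes the text mentions: improved diagnostics versus redundancy."""
    improved = with_diagnostic_coverage(r, 0.97)  # assumed achievable coverage after rework
    return {
        "baseline_sff": safe_failure_fraction(r),
        "baseline_sil_hft0": max_sil(safe_failure_fraction(r), 0),
        "dc_needed_for_99pct": required_dc(r, 0.99),
        "improved_sff": safe_failure_fraction(improved),
        "improved_sil_hft0": max_sil(safe_failure_fraction(improved), 0),
        "baseline_sil_hft1": max_sil(safe_failure_fraction(r), 1),
    }


if __name__ == "__main__":
    for key, value in sil3_options().items():
        print(f"{key}: {value}")
```

Running it shows the element sitting at 98% SFF (SIL 2 with HFT 0), that the diagnostics would have to catch 95% of dangerous failures to reach the 99% band, and that either raising coverage to 97% or adding a second channel (HFT 1, which then brings common cause failure into the analysis) gets the architecture to SIL 3.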
Some examples include:
• All programming statements and both sides of all branches must be tested for SIL 3, but only one branch needs to be tested for SIL 2.
• Semi-formal methods are highly recommended for SIL 3 software design and development, but only recommended for SIL 2.
• Defensive Programming techniques are highly recommended for SIL 3 development, but these techniques are only recommended for SIL 2.
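The first and third bullets can be shown side by side in code. The following example is added here and is not from the original post: a small defensive conversion routine (type, range and saturation checks on an untrusted ADC reading) instrumented with a hypothetical branch recorder, plus two test sets. The first set executes every statement in the function yet never exercises one side of the saturation decision; the second adds the vector that covers it. The ADC scale, clamp threshold and engineering range are constructed values.

```python
class BranchRecorder:
    """Records which outcome (True or False) each named decision point has taken."""

    def __init__(self):
        self.seen = {}

    def decide(self, name: str, condition: bool) -> bool:
        self.seen.setdefault(name, set()).add(bool(condition))
        return bool(condition)

    def uncovered(self, decisions):
        """Decisions for which at least one side has never been exercised."""
        return sorted(d for d in decisions if self.seen.get(d, set()) != {True, False})


DECISIONS = ("is_int", "in_range", "saturate")
FULL_SCALE_COUNTS = 4095   # 12-bit ADC (constructed)
SATURATION_COUNTS = 4000   # clamp threshold near the top of the span (constructed)
FULL_SCALE_BAR = 10.0      # engineering range (constructed)


def counts_to_bar(raw_counts, rec: BranchRecorder) -> float:
    """Convert an ADC reading to bar, with defensive checks on the untrusted input."""
    # Defensive programming: reject anything that is not a plain int (bool is an int subclass).
    if rec.decide("is_int", not isinstance(raw_counts, int) or isinstance(raw_counts, bool)):
        raise TypeError("raw_counts must be an int")
    # Defensive programming: reject values the converter can never produce.
    if rec.decide("in_range", raw_counts < 0 or raw_counts > FULL_SCALE_COUNTS):
        raise ValueError("raw_counts outside ADC range")
    # Saturate readings near full scale; this if has no else, so only the True side
    # runs a statement and statement coverage alone does not prove the False side was tried.
    if rec.decide("saturate", raw_counts > SATURATION_COUNTS):
        raw_counts = SATURATION_COUNTS
    return raw_counts * FULL_SCALE_BAR / FULL_SCALE_COUNTS


def run_tests(inputs) -> list:
    """Run the converter over a test set and report decisions with an untested side."""
    rec = BranchRecorder()
    for value in inputs:
        try:
            counts_to_bar(value, rec)
        except (TypeError, ValueError):
            pass  # expected for the invalid vectors
    return rec.uncovered(DECISIONS)


# Executes every statement: each raise fires once and the clamp fires once ...
STATEMENT_SET = ("abc", -1, 4095)
# ... but only this set also takes the non-saturating side of the clamp decision.
BRANCH_SET = STATEMENT_SET + (2048,)

if __name__ == "__main__":
    print("uncovered after statement set:", run_tests(STATEMENT_SET))
    print("uncovered after branch set:   ", run_tests(BRANCH_SET))
```

The point for the certification argument is that a test suite can look complete under a statement-coverage metric while the normal, unclamped path through the function has never been exercised; the "both sides of all branches" requirement closes that gap.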
There will be more to do for SIL 3 capability certification than for SIL 2. You’ll often need to choose techniques with higher effectiveness. But following the more rigorous path will ultimately make your product, and your customers, safer.