PFDavg (the average Probability of Failure on Demand) is the probability that a system will fail dangerously, and not be able to perform its safety function when required. PFDavg can be determined as an average probability or maximum probability over a time period. IEC 61508 and IEC 61511 use PFDavg as the system metric upon which the SIL is defined. Each SIL rating has an associated PFDavg which increases an order of magnitude for each increase in SIL rating.  

The PFDavg is based on the dangerous failure rate , system diagnostics, proof test coverage, test interval salong with other variables.   


  1. Failure rates of each product including failure modes and diagnostic coverage;
  2. Redundancy of devices including common cause failures (an attribute of SIF design);
  3. Proof Test Intervals (assignable by end user practices);
  4. Mean Time to Restore (an attribute of end user practices); 
  5. Proof Test Effectiveness; (an attribute of the proof test method);
  6. Mission Time (an attribute of end user practices); 
  7. Proof Testing with process online or shutdown (an attribute of end user practices); 
  8. Proof Test Duration (an attribute of end user practices); and
  9. Operational/Maintenance Capability (an attribute of end user practices).

The standard does allow however for a simplified equation, but it leaves out and makes assumptions for possible critical variables.

PFDavg calculation is an extremely important part of safety engineering in low demand applications as it is probably the most difficult of three barriers the to meet if realistic assumptions are made and if realistic failure rates are used (like failure rates from 

Fun facts:

  • Target levels for PFDavg are defined in IEC 61508 for each of 4 levels of SIL
  • PFDavg is defined for low demand mode (for high/continuous demand mode see PFH).
  • The PFDavg calculation can be simplified to only 2 variables, or inclusive of up to 9! 
  • It’s one of the 3 design barriers that must be met for certification.
  • Typically, a “smart”, Type B device, such as a logic solver, will have a low PFDavg, with an associated high SIL rating, where a final element assembly may have a PFDavg the only meets SIL 1. (However, there are things that can be done with the diagnostics and proof test that would improve the PFDavg to SIL 2. Possibly improving one or more than one of the variables in your PFDavg calculation can help.)

Related Items

Back to Basics 01 - Functional Safety

Back to Basics 02 - Safety Integrity Level (SIL)

Back to Basics 03 - Safety Instrumented Function (SIF)

Back to Basics 04 - Safety Instrumented System (SIS)

Back to Basics 05 - What is a Safety Function?

Back to Basics 06 – IEC 61508

Back to Basics 07– Safety Lifecycle – IEC 61508

Back to Basics 08 – IEC 61511

Back to Basics 09 – Safety Lifecycle – IEC 61511

Back to Basics 10 – How Does a Product Get a SIL?

Back to Basics 11 – How is SIL Used by an End User?

Back to Basics 12 – What is IEC 61508 Certification?

Back to Basics 13 - How Do I Start IEC 61508 Certification?

Back to Basics 14 - Systematic Capability

Back to Basics 15 - Architectural Constraints

Tagged as:     silsafe     SIL     PFDavg     Loren Stewart     IEC 61511     IEC 61508     Failure Rates     dangerous failure rate     back to basics  

Other Blog Posts By Loren Stewart