This is a question I’ve been asked many times, with some stating that as long as the PFDavg (or PFH) meets the target SIL then that’s fine. While this statement is partially true, it is not the full answer. IEC61511 defines the criteria for meeting the requirements of an Independent Protection Layer (IPL) as SIDA:
S – The IPL must be specifically designed to prevent the consequences of the hazardous event
I – The IPL must be completely independent from all other IPLs
D – The IPL must have sufficient defense against Random and Systematic failures
A – The IPL must be auditable in terms of being testable and maintainable
For a SIF to be considered an IPL and to meet its target SIL it has to meet 3 requirements:
- Prove it has sufficient defense against Random Failures, which is the PFDavg or PFH
- Prove it has sufficient defense against Systematic Failures, which is the Systematic Capability
- Prove it meets the required architectural constraints, which is the Hardware Fault Tolerance (HFT)
This is not a 1 out of 3 requirement but a 3 out of 3: all three have to be met. Merely meeting the PFDavg or PFH is not enough. Both IEC61511 and IEC61508 provide tables to define the HFT for a given SIL. For example, the table in IEC61511: 2016 allows for a HFT = 0 up to SIL 2 in low demand. For SIL 3 this will require HFT = 1 (e.g. 2 valves). The SIL achieved by the SIF design will be limited to the lowest SIL achieved out of all 3 requirements. For example, if the SIF PFDavg or PFH achieves SIL 1, the Architectural Constraints achieve SIL 2 and the Systematic Capability achieves SIL 3, then the SIF will be limited to SIL 1.
When it comes to the SIF design and the equipment used, IEC61511 allows two and only two methods for qualifying the equipment: use of IEC61508 certified devices or Prior Use justification. The other important point to note is that to achieve the SIL, the SIF has to include ALL the equipment for the SIF: the sensor(s), any interposing relays, splitters, barriers, power supplies, logic solvers, solenoids, actuators, positioners, valves and even motor controllers. In other words, tip to tail and everything in between. This often leads to problems when certified equipment is not used or not available for certain devices. The use of certified equipment identifies the systematic capability, which is established as part of the IEC61508 certification process (i.e. a detailed analysis of the design process, competency and manufacturing/testing). For non-certified equipment a Prior Use justification is required, examining field records to assess the contribution to dangerous failures from systematic causes and to ensure it is low enough for the SIL being claimed.
Many times, this is not fully understood, especially when sharing SIF equipment with the BPCS (e.g. a control valve), since these devices are not certified, which leads to the SIF not meeting its Systematic Capability requirement.
Therefore, in summary, for a SIF to achieve its SIL target designers must meet the 3 criteria: PFDavg/PFH (depending upon whether it’s low demand or high/continuous), Architectural Constraints and the Systematic Capability, which must include all the equipment used to perform the safety function. Just believing that meeting the target SIL for the PFDavg/PFH is sufficient will not fully address the requirements of IEC61511.
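The "lowest of the three" rule above, and the point that an unqualified shared device pulls the whole SIF down, can be checked mechanically. The following is an added worked example written for this post; it is not exida's code or a tool from the standards. It assumes the IEC 61508-1 PFDavg/PFH bands (SIL n when 10^-(n+1) <= PFDavg < 10^-n for low demand, 10^-(n+5) <= PFH < 10^-(n+4) for high/continuous demand), the IEC 61511:2016 Table 6 minimum HFT values, and the conservative rule that a SIF's systematic capability is limited by its weakest element. The `Element` class and its `basis` labels are hypothetical, as are the sample devices.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# IEC 61511:2016 Table 6 minimum hardware fault tolerance per SIL.
# "low" = low demand mode, "high" = high or continuous demand mode.
MIN_HFT = {
    "low": {1: 0, 2: 0, 3: 1, 4: 2},
    "high": {1: 0, 2: 1, 3: 1, 4: 2},
}


@dataclass
class Element:
    """One piece of SIF equipment, sensor to final element (hypothetical model)."""
    name: str
    # SC 1..4 taken from an IEC 61508 certificate or a Prior Use justification;
    # None when the device has neither (e.g. a control valve shared with the BPCS).
    systematic_capability: Optional[int]
    basis: str  # "certificate", "prior use" or "none" (labels are assumptions)


def sil_from_random_failure(value: float, mode: str) -> int:
    """SIL band for PFDavg (low demand) or PFH per hour (high/continuous).
    Values better than the SIL 4 band are capped at SIL 4; values worse than
    the SIL 1 band give 0 (no SIL)."""
    offset = 0 if mode == "low" else 4
    for sil in (4, 3, 2, 1):
        if value < 10.0 ** -(sil + offset):
            return sil
    return 0


def sil_from_architecture(hft: int, mode: str) -> int:
    """Highest SIL whose minimum HFT the design satisfies (architectural constraints)."""
    return max((sil for sil, need in MIN_HFT[mode].items() if hft >= need), default=0)


def sil_from_systematic(elements: List[Element]) -> int:
    """Conservative rule: the SIF's systematic capability is limited by its weakest
    element, and an element with no certificate or Prior Use justification counts as 0."""
    if not elements:
        return 0
    return min((e.systematic_capability or 0) for e in elements)


def achieved_sil(value: float, mode: str, hft: int, elements: List[Element]) -> Dict[str, int]:
    """Apply all three requirements; the SIF gets the lowest of the three."""
    parts = {
        "random": sil_from_random_failure(value, mode),
        "architecture": sil_from_architecture(hft, mode),
        "systematic": sil_from_systematic(elements),
    }
    parts["achieved"] = min(parts["random"], parts["architecture"], parts["systematic"])
    return parts


# Sample SIF (constructed values): one transmitter, one logic solver, one valve.
CERTIFIED_LOOP = [
    Element("pressure transmitter", 3, "certificate"),
    Element("logic solver", 3, "certificate"),
    Element("shutdown valve", 3, "prior use"),
]

# Same loop, but the final element is the BPCS control valve with no qualification.
SHARED_VALVE_LOOP = CERTIFIED_LOOP[:2] + [Element("BPCS control valve", None, "none")]

if __name__ == "__main__":
    # The post's example: PFDavg in the SIL 1 band, HFT = 0 in low demand (SIL 2),
    # all elements SC 3 -> limited to SIL 1.
    print(achieved_sil(0.05, "low", 0, CERTIFIED_LOOP))
    # Shared, unqualified control valve -> systematic requirement fails entirely.
    print(achieved_sil(0.05, "low", 0, SHARED_VALVE_LOOP))
```

Running the script prints the three sub-results alongside the achieved SIL, which makes it obvious which of the three requirements is the limiting one for a given design; for the shared control valve case the systematic column reads 0 regardless of how good the PFDavg is.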
If you’d like to understand this in more detail, then check out our webinar on this topic: "How Does a SIF Achieve its SIL Target (exida webinar)"