Have you ever heard people say, “I’ve met the PFDavg target, so I’ve met my SIL target”? It’s true that in low demand mode we need to meet the PFDavg requirement (or PFH in high demand/continuous mode) for the Safety Instrumented Function (SIF), but this is just one of three requirements to be met for compliance with IEC 61511.
Being a performance-based standard, IEC 61511 requires that you first determine the specific risk reduction target needed for a SIF (SIL Determination). Then you must verify that your design achieves the SIL target (SIL Verification).
If the SIL Verification process is not executed correctly, the results can affect your entire facility:
- Over-designed systems: leading to unnecessary and excessive capital expenses.
- Under-designed systems: resulting in much higher operational risk than you realize.
- Operational burdens: specifying overly frequent proof tests that drain resources, or nuisance (spurious) trips that disrupt production.
The Three Barriers of SIL Verification
A common pitfall in SIL Verification is focusing solely on the calculation of PFDavg / PFH. Instead, to meet the target SIL you must simultaneously satisfy the following three performance criteria:
- PFDavg / PFH (Probabilistic Performance): This is the defense against random failures. You must prove that the probability of failure on demand (or the probability of failure per hour) meets your target, using credible and realistic failure rate data as input.
- Minimum Architectural Constraints (Hardware Fault Tolerance): Verifying that the hardware redundancy complies with the IEC 61511 or IEC 61508 requirements.
- Systematic Capability: This is the defense against systematic failures. You must ensure the equipment is designed and manufactured with the quality required for the specific SIL, using SIL-certified devices.
The SIL achieved is only as strong as its weakest link. All three criteria must be met to achieve the SIL target. By taking the lowest of these three barriers (minimum selection), you are guaranteed a truly compliant and safe result (see infographic).

exSILentia’s SIL verification module provides the data and performs the necessary calculation to evaluate all three criteria simultaneously.
More about Hardware Fault Tolerance
IEC 61511 and IEC 61508 provide tables as guidance for the required Architectural Constraints (SILac), i.e. the Hardware Fault Tolerance (HFT), which can be read as redundancy requirements. IEC 61508 has three tables: two under Route 1H, which allocate the HFT required for a Type A or a Type B device based upon its Safe Failure Fraction (SFF), and one under Route 2H, which does not use the SFF (to be covered in more detail in the webinar). IEC 61511 has one table, which is equivalent to the Route 2H table for low demand mode in IEC 61508. According to IEC 61511, the user has the option of using the tables in either IEC 61511 or IEC 61508.
Basically, the IEC 61511 table states that an HFT = 0 is acceptable to meet SIL 1 or SIL 2. However, simply taking a SIL 2 sensor, a SIL 2 logic solver and a SIL 2 final element doesn’t necessarily mean you will achieve a SIL 2 SIF, since there are other considerations. Nor does it necessarily mean you will end up with an HFT = 0 for SIL 2; that depends strongly on the SIF configuration and the equipment used (e.g. if the final element consists of a solenoid, actuator and valve as separate devices).
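As an added illustration of the minimum selection across the three criteria, and of why three SIL 2 rated subsystems do not automatically give a SIL 2 SIF, here is a small calculation that is not part of the original post or of exSILentia. The PFDavg bands and the HFT-versus-SIL table are assumptions recalled from IEC 61511-1 for low demand mode (confirm them against your copy of the standard), and the SIF data is constructed.

```python
from dataclasses import dataclass

# Assumed low demand PFDavg bands (IEC 61511-1): SIL n is achieved when
# PFDavg lies in [10^-(n+1), 10^-n).
def sil_from_pfdavg(pfdavg: float) -> int:
    for sil in (4, 3, 2, 1):
        if 10 ** -(sil + 1) <= pfdavg < 10 ** -sil:
            return sil
    return 0  # PFDavg >= 0.1: no SIL credit

# Assumed minimum HFT per SIL, low demand (IEC 61511-1):
# SIL 1 -> HFT 0, SIL 2 -> HFT 0, SIL 3 -> HFT 1, SIL 4 -> HFT 2.
HFT_REQUIRED = {1: 0, 2: 0, 3: 1, 4: 2}

def sil_from_hft(hft: int) -> int:
    """Highest SIL whose architectural constraint this HFT satisfies."""
    return max((sil for sil, need in HFT_REQUIRED.items() if hft >= need),
               default=0)

@dataclass
class Subsystem:
    name: str
    pfdavg: float   # PFDavg already computed for the subsystem's voting
    hft: int        # hardware fault tolerance of the subsystem
    sc: int         # systematic capability of its weakest device

def sif_achieved_sil(subsystems):
    """Return (achieved SIL, SIL per criterion) using minimum selection."""
    # Subsystems are in series, so their PFDavg values add (first-order).
    pfd_sil = sil_from_pfdavg(sum(s.pfdavg for s in subsystems))
    # The SIF's HFT is limited by the subsystem with the least redundancy.
    ac_sil = min(sil_from_hft(s.hft) for s in subsystems)
    # Systematic capability of the SIF is that of its weakest device.
    sc_sil = min(s.sc for s in subsystems)
    per = {"PFDavg": pfd_sil, "architectural": ac_sil, "systematic": sc_sil}
    return min(per.values()), per

# Constructed SIF: every device is SIL 2 rated (SC 2) and 1oo1 (HFT 0), with
# the final element split into solenoid and actuator/valve as separate devices.
EXAMPLE_SIF = [
    Subsystem("transmitter", 2.0e-3, 0, 2),
    Subsystem("logic solver", 1.0e-4, 0, 2),
    Subsystem("solenoid", 1.5e-3, 0, 2),
    Subsystem("actuator + valve", 8.0e-3, 0, 2),
]

if __name__ == "__main__":
    print(sif_achieved_sil(EXAMPLE_SIF))
```

The architectural and systematic criteria both allow SIL 2, but the summed PFDavg of 1.16e-2 only reaches the SIL 1 band, so the SIF achieves SIL 1.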
If this blog has piqued your interest, then check out the upcoming webinar on this topic: