SIL Part 3: Systematic Capability
SIL achievement requires that the design of a safety function meets three specific criteria as outlined in the standard. This section will concentrate on number 3 – Systematic Capability.
What is functional safety?
Functional safety is the active detection of potentially dangerous conditions, resulting in a demand on a protective mechanism or function to prevent or reduce the impact of hazardous events that might otherwise occur.
Forming part of the overall safety of the equipment under control (EUC), functional safety focuses on electronics and related software.
IEC 61508 is an international standard for “Functional safety of electrical/electronic/programmable electronic safety-related systems”. As the umbrella standard for functional safety, it forms the foundation of many industry-specific derivatives, such as IEC 61511 for the process industry.
Following a safety lifecycle model, the standards formalize the management of functional safety and provide measures and techniques for the design of Safety Instrumented Systems (SIS) and associated Safety Instrumented Functions (SIF).
IEC 61511 Safety lifecycle
A key element of the safety lifecycle is the creation of the Safety Requirement Specification (SRS). Based on inputs from the hazard and risk assessment stages of the lifecycle, this document is the blueprint for the functionality, integrity and validation of the safety system design.
What is SIL?
The Safety Requirement Specification documents the level of residual risk reduction required of the safety system design and assigns a corresponding target SIL level.
SIL, or Safety Integrity Level, is a relative level of risk reduction provided by a safety function. Four SIL levels, 1 to 4, are defined, with SIL 4 offering the highest level of safety integrity and the largest risk reduction factor.
SIL | Risk Reduction Factor (RRF) |
4 | > 10,000 to ≤ 100,000 |
3 | > 1,000 to ≤ 10,000 |
2 | > 100 to ≤ 1,000 |
1 | > 10 to ≤ 100 |
How is a specific SIL achieved?
SIL achievement requires that the design of a safety function meets three specific criteria as outlined in the standard.
These strict criteria are: Random hardware integrity, Architectural constraints and Systematic capability.
This section will concentrate on number 3 – Systematic Capability. For information on Random Hardware Integrity and Architectural Constraints please click on the relevant links.
PR electronics offers a range of SIL certified devices to cover a wide selection of SIL applications.
What is systematic capability?
IEC 61508-2010 defines systematic capability as:
"A measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of an element meets the requirements of the specified Safety Integrity Level (SIL), in respect of the specified element safety function, when the element is applied in accordance with the instructions specified in the compliant item safety manual for the element."
Systematic faults are primarily the result of human error. Whether in the design, engineering, operation or maintenance of a safety function, systematic failures can be built in that will recur whenever a particular set of circumstances arises.
Systematic faults are often the result of inappropriate device or component specification, errors in operating or maintenance procedures, or bugs in software. Systematic failures will continue to manifest themselves until the offending root cause is redesigned.
Systematic integrity can therefore be defined as the level of defence against systematic failures.
Demonstrating systematic safety integrity
IEC 61511 allows two methods of demonstrating systematic capability:
- Use of IEC 61508 certified devices
- Prior-use justification
Use of IEC 61508 certified devices
Depending on the SIL level required, IEC 61508 places stringent demands on the design, fault avoidance and testing of equipment. This ensures that manufacturers follow a strict, repeatable process with full accountability and accompanying documentation.
A selection of tables is provided with relevant techniques and measures for manufacturers to follow, and in turn to demonstrate compliance with the relevant SIL level.
Technique/measure | See | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
Program sequence monitoring | A.9 | HR low | HR low | HR medium | HR high |
Failure detection by on-line monitoring | A.1.1 | R low | R low | R medium | R high |
Tests by redundant hardware | A.2.1 | R low | R low | R medium | R high |
Standard test access port and boundary-scan architecture | A.2.3 | R low | R low | R medium | R high |
Code protection | A.6.2 | R low | R low | R medium | R high |
Diverse hardware | B.1.4 | - low | - low | R medium | R high |
IEC 61508-2010 Table A.15 – Techniques and measures to control systematic failures caused by hardware design
The table above is one example of many, each of which focuses on a particular design aspect.
Depending on the SIL level required, each technique/measure is marked as Mandatory (M), Highly Recommended (HR), Recommended (R) or Not Recommended (NR). The table also indicates the required effectiveness (low, medium or high) of the measure against systematic failures.
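To make one of the listed measures concrete, the following is an added example (not code from the page, the standard or PR electronics) of the simplest form of program sequence monitoring: each step of a hypothetical safety-function cycle reports a checkpoint, and a monitor latches a fault if a step is skipped, repeated or executed out of order, which a watchdog service point can then act on. The checkpoint names and the four-step cycle are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical cycle of a safety function: read sensor -> validate ->
 * evaluate trip logic -> drive output. Each step reports its checkpoint. */
enum checkpoint { CP_READ = 1, CP_VALIDATE, CP_EVALUATE, CP_OUTPUT };

static const enum checkpoint EXPECTED[] = { CP_READ, CP_VALIDATE, CP_EVALUATE, CP_OUTPUT };
#define CP_COUNT (sizeof EXPECTED / sizeof EXPECTED[0])

struct seq_monitor {
    size_t next;   /* index into EXPECTED of the checkpoint due next */
    bool   fault;  /* latched once the sequence has been violated   */
};

void seq_reset(struct seq_monitor *m) { m->next = 0; m->fault = false; }

/* Called at every checkpoint. Anything other than the expected checkpoint
 * (skipped, repeated or out of order) latches a fault for this cycle. */
void seq_checkpoint(struct seq_monitor *m, enum checkpoint cp) {
    if (m->fault) return;
    if (m->next < CP_COUNT && cp == EXPECTED[m->next])
        m->next++;
    else
        m->fault = true;
}

/* Called once per cycle, e.g. where the watchdog is serviced. The cycle is
 * healthy only if every checkpoint was passed, in order, with no fault.
 * The monitor is reset for the next cycle; returns true if the cycle was good. */
bool seq_end_of_cycle(struct seq_monitor *m) {
    bool ok = !m->fault && m->next == CP_COUNT;
    seq_reset(m);
    return ok;
}

/* Helper: replay a constructed trace of checkpoints through one cycle. */
bool run_cycle(struct seq_monitor *m, const enum checkpoint *trace, size_t n) {
    for (size_t i = 0; i < n; i++)
        seq_checkpoint(m, trace[i]);
    return seq_end_of_cycle(m);
}
```

In a real device the "not ok" result would be routed to the safe-state logic (and the watchdog would independently catch a cycle that never reaches the end at all); here it is simply returned so the behaviour can be checked.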
IEC 61508 certified devices will have undergone an accredited third-party audit of all the compliance requirements, ensuring all the relevant design, test and documentation techniques and measures have been applied appropriate to the SIL level.
SIL certificates should indicate the relevant SC level.
Prior-use justification
It might be argued that a case for reliable use of a device is made if a particular user has extensive experience of that device and has seen sufficiently few failures.
However, to fully justify this the user must have a robust system in place to document ALL failures and failure modes, together with strict version control of hardware and software variants that could invalidate previous experience. To ensure consistency of the data, any newly proposed application must also have operating conditions similar to those of the historical data.
IEC 61511 clause 11.5.3 outlines the requirements for selecting devices based on a prior-use justification.
"Appropriate evidence shall be available that the devices are suitable for use in the Safety Instrumented System including:
- consideration of the manufacturer’s quality, management and configuration management systems
- adequate identification and specification of the devices
- demonstration of the performance of the devices in similar operating environments
- the volume of operating experience."
Higher SIL levels put additional demands on any prior-use justification, especially where software is included.
A prior-use justification can be very difficult for an end user to evidence fully, and so many end users are taking advantage of the growing number of IEC 61508 certified devices to demonstrate systematic capability.
Demonstrating Systematic Capability does not in itself prove target SIL achievement. Consideration must also be given to Random Hardware Integrity and Architectural Constraints.