Last edit: 07/08/2023
In low-demand mode, the reliability of a safety function is expressed by the parameter PFDavg (average probability of dangerous failure on demand).
IEC 61508 divides the requirements into four safety integrity levels, SIL 1, SIL 2, SIL 3 and SIL 4, with SIL 4 being the most reliable and SIL 1 being the least reliable.
However, it is not enough for a safety instrumented function to have a PFDavg value inside a given band (for example, the SIL 2 band) to conclude that the SIF is a SIL 2 Safety Instrumented Function.
Consider a SIF that operates in low-demand mode and assume that we have determined the PFDavg to be 5·10⁻³. Because this value is in the interval from 10⁻³ to 10⁻², the system may fulfil the requirements for SIL 2 only if it also fulfils the requirements for
- Systematic Safety Integrity
- Hardware Safety integrity.
Please refer to Figure 7
A SIF will therefore not automatically fulfil the SIL 3 requirements, for example, just because its PFDavg is within the interval for SIL 3. Let’s see an example of that.
Let’s consider an Input subsystem made of a Pressure Transmitter as detailed in Table 3. It is an ABB model 2600T, 268 Safety.
It is a Type B component with HFT = 0.
Its SIL capability is 2.
Let’s suppose the dangerous situation happens once every 10 years (low-demand mode), and we decide that a proof test has to be performed at least once every year.
The Reliability level of the subsystem is therefore:
The reliability level is SIL 3; however, the safety subsystem can be used in a system that reaches SIL 2 at most. There are 2 reasons for that:
- The first one is that the architectural constraints from Table 4 limit the maximum SIL to SIL 2 if the transmitter is used as a single channel (HFT = 0).
- The other reason is that the SIL capability limits the component to SIL 2, even if it is used with an HFT higher than zero.
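The following script is an added worked example, not code from the page or from ABB. It puts the three checks of the article side by side for a single-channel (1oo1) input subsystem: the PFDavg band, the architectural constraint for a Type B component at a given HFT, and the component's SIL capability; the achievable SIL is the lowest of the three. The dangerous undetected failure rate and the safe failure fraction are constructed values chosen so the result lands where the text says (reliability level SIL 3, usable up to SIL 2); the simplified PFDavg formula λDU·TI/2 and the Route 1H table are assumptions taken from IEC 61508 as commonly tabulated and should be checked against the standard before use.

```python
"""Added example: SIL band vs. architectural constraints vs. SIL capability (1oo1)."""

# Constructed inputs (NOT from the page): chosen so that PFDavg falls in the SIL 3 band
# while the Type B, HFT=0 architectural constraint caps the subsystem at SIL 2.
LAMBDA_DU_PER_HOUR = 1.0e-7    # assumed dangerous undetected failure rate (constructed)
PROOF_TEST_INTERVAL_H = 8760   # one proof test per year, as in the text
SFF = 0.95                     # assumed safe failure fraction (constructed)
SIL_CAPABILITY = 2             # from the text: systematic/SIL capability 2
COMPONENT_TYPE = "B"           # from the text: Type B component
HFT = 0                        # from the text: single channel


def pfdavg_1oo1(lambda_du, ti_hours):
    """Simplified PFDavg of one channel with proof-test interval TI:
    PFDavg ~= lambda_DU * TI / 2 (IEC 61508-6 style approximation; assumed here)."""
    return lambda_du * ti_hours / 2.0


def sil_from_pfdavg(pfd):
    """Low-demand SIL band for a PFDavg value (IEC 61508-1 target failure measures).
    Returns 0 when PFDavg is worse than the SIL 1 band (>= 1e-1)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4  # 1e-5 <= PFDavg < 1e-4 is the SIL 4 band; anything better still counts as 4


def max_sil_architectural(component_type, sff, hft):
    """Maximum SIL allowed by the hardware fault tolerance table (IEC 61508-2, Route 1H),
    encoded as commonly tabulated; 0 means 'not allowed' at that HFT. Assumed, verify."""
    if component_type == "A":
        base = 1 if sff < 0.60 else 2 if sff < 0.90 else 3
    elif component_type == "B":
        if sff < 0.60:
            base = 0           # Type B with SFF < 60 % is not allowed at HFT = 0
        else:
            base = 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    else:
        raise ValueError("component_type must be 'A' or 'B'")
    # each extra fault tolerance level raises the allowed SIL by one, up to SIL 4
    return min(4, base + hft)


def achievable_sil(pfd, component_type, sff, hft, sil_capability):
    """The SIL the subsystem can actually claim: the minimum of the PFDavg band,
    the architectural constraint and the declared SIL capability."""
    return min(sil_from_pfdavg(pfd),
               max_sil_architectural(component_type, sff, hft),
               sil_capability)


def transmitter_assessment():
    """Run the article's transmitter case with the constructed inputs above."""
    pfd = pfdavg_1oo1(LAMBDA_DU_PER_HOUR, PROOF_TEST_INTERVAL_H)
    return {
        "pfdavg": pfd,
        "pfd_band_sil": sil_from_pfdavg(pfd),
        "arch_sil_hft0": max_sil_architectural(COMPONENT_TYPE, SFF, HFT),
        "arch_sil_hft1": max_sil_architectural(COMPONENT_TYPE, SFF, 1),
        "achievable_hft0": achievable_sil(pfd, COMPONENT_TYPE, SFF, HFT, SIL_CAPABILITY),
        "achievable_hft1": achievable_sil(pfd, COMPONENT_TYPE, SFF, 1, SIL_CAPABILITY),
    }


if __name__ == "__main__":
    r = transmitter_assessment()
    print(f"PFDavg = {r['pfdavg']:.2e}  -> PFDavg band SIL {r['pfd_band_sil']}")
    print(f"architectural constraint (Type B, HFT=0): SIL {r['arch_sil_hft0']}")
    print(f"architectural constraint (Type B, HFT=1): SIL {r['arch_sil_hft1']}")
    print(f"achievable with HFT=0: SIL {r['achievable_hft0']}")
    print(f"achievable with HFT=1 (still capped by SIL capability): SIL {r['achievable_hft1']}")
    print(f"the article's 5e-3 example sits in the SIL {sil_from_pfdavg(5e-3)} band")
```

With HFT = 0 the result is SIL 2 because of the architectural constraint; adding a second channel (HFT = 1) lifts that constraint to SIL 3, but the SIL capability of 2 still caps the subsystem at SIL 2, which is exactly the second reason given in the text.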