1. Overview
SIL verification is the process of confirming that a safety instrumented function (SIF) achieves the safety integrity level (SIL) determined during the SIL determination phase (LOPA or risk graph). The verification must demonstrate three aspects: target PFD is met (random hardware), architectural constraints are satisfied, and systematic capability is adequate.
- Random Hardware (PFD Calculation): probability of failure on demand from component failure rates and test intervals.
- Architecture (Hardware Fault Tolerance): minimum redundancy based on SIL target and component SFF.
- Systematic Capability (SC Rating): software quality, design process, and management of systematic failures.
- Common Cause (Beta Factor): fraction of failures that affect all redundant channels simultaneously.
Three-legged stool: SIL verification requires ALL three requirements to be met: (1) PFD_avg within the SIL target range, (2) architectural constraints satisfied per IEC 61508 tables, and (3) all subsystem components have systematic capability rating equal to or greater than the SIL target. Failing any one requirement means the SIF does not meet the SIL target.
2. SIL Targets & PFD
SIL Levels for Low-Demand Mode
| SIL | PFDavg Range | Risk Reduction Factor | Availability |
|---|---|---|---|
| SIL 1 | 0.01 to < 0.1 | 10 to 100 | 90-99% |
| SIL 2 | 0.001 to < 0.01 | 100 to 1,000 | 99-99.9% |
| SIL 3 | 0.0001 to < 0.001 | 1,000 to 10,000 | 99.9-99.99% |
| SIL 4 | 0.00001 to < 0.0001 | 10,000 to 100,000 | 99.99-99.999% |
Low-Demand vs High-Demand Mode:
Low-demand mode (most oil & gas SIF):
- Demand rate < 1 per year (or < 2x proof test rate)
- Performance metric: PFD_avg (probability per demand)
- SIL defined by PFD range (table above)
High-demand / continuous mode:
- Demand rate > 1 per year
- Performance metric: PFH (per hour failure frequency)
- SIL 1: 10^-6 to 10^-5 per hour
- SIL 2: 10^-7 to 10^-6 per hour
- SIL 3: 10^-8 to 10^-7 per hour
Most process industry SIF operate in low-demand mode.
3. PFD Calculation Methods
Simplified PFD Formulas
1oo1 Architecture (Single Channel):
PFD_avg = (λ_DU × T_proof) / 2
Where:
λ_DU = Dangerous undetected failure rate (per hour)
T_proof = Proof test interval (hours)
Example:
Pressure transmitter: λ_DU = 2.5 × 10^-7 /hr
Logic solver: λ_DU = 0.5 × 10^-7 /hr
ESD valve: λ_DU = 5.0 × 10^-7 /hr
Test interval: 1 year = 8,760 hours
PFD_sensor = 2.5e-7 × 8760 / 2 = 0.00110
PFD_logic = 0.5e-7 × 8760 / 2 = 0.00022
PFD_valve = 5.0e-7 × 8760 / 2 = 0.00219
PFD_SIF = 0.00110 + 0.00022 + 0.00219 = 0.00351
This meets SIL 2 (0.001 to 0.01) ✓
1oo2 Architecture (Redundant):
PFD_avg = [(λ_DU × T_proof)² / 3] + β_DU × λ_DU × T_proof / 2
Where:
β_DU = Common cause failure fraction (typically 0.02-0.10)
The first term represents independent double failures (both channels failing before the next test). The second term represents common cause failures that defeat both channels simultaneously.
For small β and moderate failure rates:
- Common cause term often dominates
- Redundancy provides ~10x improvement (not 100x+)
2oo3 Architecture (Triple Modular Redundant):
PFD_avg = [(λ_DU × T_proof)²] + β_DU × λ_DU × T_proof / 2
2oo3 provides:
- Same dangerous failure PFD as 1oo2
- Better spurious trip rate than 1oo2
- Higher availability (fewer false trips)
- More expensive (3 channels)
Spurious trip rate for 2oo3 is much lower because two channels must fail safe simultaneously.
Diagnostic Coverage Effect
| Parameter | Definition | Effect on PFD |
|---|---|---|
| λ_D (dangerous) | Total dangerous failure rate | Determines base failure probability |
| DC (diagnostic coverage) | Fraction of dangerous failures detected | Splits λ_D into DD and DU |
| λ_DD (detected) | λ_D × DC | Detected quickly, repaired before demand |
| λ_DU (undetected) | λ_D × (1 - DC) | Only found by proof test, drives PFD |
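Worked calculation, added here as an example and not part of the original page: it implements the simplified 1oo1, 1oo2 and 2oo3 formulas and the diagnostic-coverage split above, reproduces the section 3 example, and classifies the result against the low-demand SIL bands of section 2. The β of 0.05 used for the redundant valve is an assumed value inside the page's 0.02-0.10 range.

```python
HOURS_PER_YEAR = 8760

# Low-demand SIL bands from section 2: lower bound inclusive, upper bound exclusive
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

def split_dangerous(lambda_d, dc):
    """Split the total dangerous rate into (λ_DD, λ_DU) by diagnostic coverage."""
    return lambda_d * dc, lambda_d * (1.0 - dc)

def pfd_1oo1(lambda_du, t_proof):
    """Single channel: undetected failures accumulate until the proof test."""
    return lambda_du * t_proof / 2.0

def pfd_1oo2(lambda_du, t_proof, beta):
    """Independent double-failure term plus the common cause (β) term."""
    x = lambda_du * t_proof
    return x ** 2 / 3.0 + beta * x / 2.0

def pfd_2oo3(lambda_du, t_proof, beta):
    """Three channel pairs, so the independent term is three times that of 1oo2."""
    x = lambda_du * t_proof
    return x ** 2 + beta * x / 2.0

def sil_from_pfd(pfd):
    """SIL achieved by a PFDavg in low-demand mode, or 0 if outside SIL 1 to 4."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0

def sif_pfd_1oo1(lambda_dus, t_proof):
    """Total PFDavg of a SIF whose subsystems are each a single 1oo1 channel."""
    return sum(pfd_1oo1(l, t_proof) for l in lambda_dus)

def common_cause_dominates(lambda_du, t_proof, beta):
    """True when the β term of the 1oo2 formula exceeds the independent term."""
    x = lambda_du * t_proof
    return beta * x / 2.0 > x ** 2 / 3.0

# Constructed input: the section 3 example (transmitter, logic solver, ESD valve, annual test)
EXAMPLE_LAMBDA_DU = [2.5e-7, 0.5e-7, 5.0e-7]

if __name__ == "__main__":
    total = sif_pfd_1oo1(EXAMPLE_LAMBDA_DU, HOURS_PER_YEAR)
    print(f"SIF PFDavg = {total:.5f} -> SIL {sil_from_pfd(total)}")
    # Assumed β = 0.05 for a redundant valve: the gain is roughly 19x, not 100x
    single = pfd_1oo1(5.0e-7, HOURS_PER_YEAR)
    dual = pfd_1oo2(5.0e-7, HOURS_PER_YEAR, 0.05)
    print(f"valve 1oo1 {single:.2e}  1oo2 {dual:.2e}  gain {single / dual:.1f}x")
```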
4. SIF Architecture Selection
Architectural Constraints (IEC 61508 Route 1H)
| SIL Target | SFF < 60% | SFF 60-90% | SFF 90-99% |
|---|---|---|---|
| SIL 1 | HFT = 1 | HFT = 0 | HFT = 0 |
| SIL 2 | HFT = 2 | HFT = 1 | HFT = 0 |
| SIL 3 | HFT = 3 | HFT = 2 | HFT = 1 |
| SIL 4 | Not allowed | HFT = 3 | HFT = 2 |
This table is the IEC 61508-2 table for Type B elements (complex devices such as programmable logic solvers and smart transmitters). Type A elements (simple, fully characterised hardware) are permitted one less HFT in each SFF band, and an SFF of 99% or more relaxes the requirement further.
Key Definitions:
- SFF = Safe Failure Fraction = (λ_S + λ_DD) / (λ_S + λ_D) = (Safe failures + Detected dangerous) / Total
- HFT = Hardware Fault Tolerance = Number of faults that can be tolerated
  - 1oo1: HFT = 0 (no fault tolerance)
  - 1oo2: HFT = 1 (tolerates one fault)
  - 2oo3: HFT = 1 (tolerates one fault)
  - 1oo3: HFT = 2 (tolerates two faults)
IEC 61511 Route 2H (Simplified):
- SIL 1: HFT = 0 (no redundancy required)
- SIL 2: HFT = 1 (redundancy in one subsystem)
- SIL 3: HFT = 1 (all subsystems) or HFT = 2
Route 2H does not require SFF data and is widely used in the process industry per IEC 61511.
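The Route 1H check as code, added here as an example and not taken from the page or any standard text: it computes SFF from the definition above, maps it to the table's SFF band, and tests whether a voting architecture supplies the required HFT. The transmitter failure rates are constructed, and an SFF at or above 99% is folded into the 90-99% column because the table above has no separate column for it.

```python
# Route 1H minimum HFT, transcribed from the table above (SFF bands as columns; None = not allowed)
ROUTE_1H_MIN_HFT = {
    1: {"<60": 1, "60-90": 0, "90-99": 0},
    2: {"<60": 2, "60-90": 1, "90-99": 0},
    3: {"<60": 3, "60-90": 2, "90-99": 1},
    4: {"<60": None, "60-90": 3, "90-99": 2},
}
# HFT provided by the voting architectures listed above
ARCH_HFT = {"1oo1": 0, "1oo2": 1, "2oo3": 1, "1oo3": 2}

def safe_failure_fraction(lambda_s, lambda_d, dc):
    """SFF = (λ_S + λ_DD) / (λ_S + λ_D), with λ_DD = λ_D × DC."""
    lambda_dd = lambda_d * dc
    return (lambda_s + lambda_dd) / (lambda_s + lambda_d)

def sff_band(sff):
    """Map an SFF to a table column; SFF >= 99% is treated as the 90-99% column (conservative)."""
    if sff < 0.60:
        return "<60"
    if sff < 0.90:
        return "60-90"
    return "90-99"

def min_hft_route_1h(sil_target, sff):
    """Minimum HFT for the target SIL, or None when the SFF band cannot support it."""
    return ROUTE_1H_MIN_HFT[sil_target][sff_band(sff)]

def architecture_meets_route_1h(sil_target, arch, sff):
    """True when the chosen voting architecture provides at least the required HFT."""
    required = min_hft_route_1h(sil_target, sff)
    return required is not None and ARCH_HFT[arch] >= required

if __name__ == "__main__":
    # Constructed transmitter data: λ_S = 6e-7/hr, λ_D = 4e-7/hr, DC = 60% -> SFF = 0.84
    sff = safe_failure_fraction(6e-7, 4e-7, 0.6)
    for arch in ("1oo1", "1oo2"):
        ok = architecture_meets_route_1h(2, arch, sff)
        need = min_hft_route_1h(2, sff)
        print(f"SFF {sff:.2f}: {arch} for SIL 2 -> {'OK' if ok else f'needs HFT {need}'}")
```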
5. Proof Test Optimization
Proof Test Interval vs PFD:
PFD_avg = λ_DU × T / 2 (for 1oo1)
This is linear: doubling T doubles PFD.
To achieve a target PFD:
T_max = 2 × PFD_target / λ_DU
Example (SIL 2, PFD < 0.01):
λ_DU = 5 × 10^-7 /hr
T_max = 2 × 0.01 / 5e-7 = 40,000 hours = 4.6 years
With partial stroke test (PST) credit, λ_DU splits into:
- λ_DU_PST (detectable by PST): 60-70%
- λ_DU_FT (requires full test): 30-40%
PFD = λ_DU_PST × T_PST / 2 + λ_DU_FT × T_FT / 2
Monthly PST can extend the full test interval to 3-5 years while maintaining the same PFD.
Proof Test Coverage
| Test Type | Coverage | What It Tests |
|---|---|---|
| Partial valve stroke | 60-70% | Valve movement, actuator, solenoid |
| Full valve stroke | 90-95% | Full closure, seat integrity |
| Transmitter simulation | 70-80% | Electronics, output signal |
| Transmitter process test | 90-95% | Sensing element, process connection |
| Logic solver validation | 95-99% | Input/output, logic execution |
Less-than-perfect testing: If proof test coverage is less than 100%, a residual undetected failure probability accumulates over the life of the SIF. This must be included in the PFD calculation as: PFD_residual = λ_DU × (1 - coverage) × T_life / 2, where T_life is the expected SIF lifetime (typically 15-25 years).
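Proof test optimization worked through in code, added here as an example and not part of the original page: the T_max formula, the PST-credited PFD, a search for the longest full-test interval that keeps PFD within an annual-test budget, and the residual term for imperfect coverage. The 70% PST fraction, monthly (730 h) PST and 20-year life are assumed values inside the ranges the section gives.

```python
HOURS_PER_YEAR = 8760

def max_proof_interval(pfd_target, lambda_du):
    """Longest 1oo1 proof-test interval (hours) meeting the PFD target: T_max = 2 × PFD / λ_DU."""
    return 2.0 * pfd_target / lambda_du

def pfd_with_pst(lambda_du, pst_fraction, t_pst, t_full):
    """PFDavg when a fraction of λ_DU is revealed by a partial stroke test every t_pst hours
    and the remainder only by the full proof test every t_full hours."""
    lambda_pst = lambda_du * pst_fraction
    lambda_ft = lambda_du * (1.0 - pst_fraction)
    return lambda_pst * t_pst / 2.0 + lambda_ft * t_full / 2.0

def longest_full_test_with_pst(lambda_du, pst_fraction, t_pst, pfd_budget, step=HOURS_PER_YEAR):
    """Largest full-test interval, in whole steps, whose PST-credited PFD stays within budget (0 if none)."""
    if lambda_du <= 0:
        raise ValueError("lambda_du must be positive")  # otherwise PFD never grows and the loop never ends
    t, best = step, 0
    while pfd_with_pst(lambda_du, pst_fraction, t_pst, t) <= pfd_budget:
        best, t = t, t + step
    return best

def pfd_residual(lambda_du, coverage, t_life):
    """Residual PFD from failures an imperfect proof test never reveals over the SIF lifetime."""
    return lambda_du * (1.0 - coverage) * t_life / 2.0

if __name__ == "__main__":
    lam = 5e-7  # valve λ_DU from the section 3 example
    print(f"T_max for PFD 0.01: {max_proof_interval(0.01, lam):.0f} h")
    # Budget = annual full test without PST; assumed 70% PST coverage and monthly PST (730 h)
    budget = lam * HOURS_PER_YEAR / 2.0
    t_full = longest_full_test_with_pst(lam, 0.70, 730, budget)
    print(f"full test can be stretched to {t_full / HOURS_PER_YEAR:.0f} years at the same PFD")
    # 90% proof test coverage over an assumed 20-year life: the residual exceeds the annual-test PFD
    print(f"residual PFD: {pfd_residual(lam, 0.90, 20 * HOURS_PER_YEAR):.2e} vs budget {budget:.2e}")
```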
6. Systematic Capability
Systematic capability (SC) addresses failures caused by design errors, specification mistakes, software bugs, and manufacturing defects. Unlike random hardware failures, systematic failures cannot be quantified probabilistically. Instead, IEC 61508 requires that the development process meets defined quality requirements.
Systematic Capability Assessment:
Each SIF subsystem component must have an SC rating ≥ the SIL target. Sources of SC rating:
1. IEC 61508 certification (TÜV, exida, FM):
   - Component certified to SC 1, SC 2, or SC 3
   - This is the most reliable evidence
2. Prior use (IEC 61511 Clause 11.5):
   - Documented operating history in similar service
   - Minimum 10 device-years of experience
   - No dangerous systematic failures observed
   - Configuration management maintained
3. Proven-in-use (conservative approach):
   - Extensive field history with positive results
   - Supported by manufacturer data
Requirement:
- All components in the SIF must have SC ≥ SIL target
- The weakest link determines the maximum achievable SIL
7. Practical Application
SIL Verification Workflow
Step-by-Step Verification Process:
1. Define SIF: sensors, logic solver, final elements
2. Obtain failure rate data (λ_D, λ_S, DC, β)
   - Sources: exida SERH, OREDA, manufacturer data
3. Select architecture (1oo1, 1oo2, 2oo3)
4. Set proof test interval and coverage
5. Calculate PFD_avg for each subsystem
6. Sum subsystem PFDs for total SIF PFD
7. Check against SIL target PFD range
8. Verify architectural constraints (HFT)
9. Verify systematic capability of all components
10. Document in SIL verification report
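Steps 6 to 9 of the workflow as one three-legged check, added here as an example and not part of the original page: it takes subsystem PFDs already calculated in step 5, sums them against the SIL band, applies the Route 2H minimum HFT from section 4 to each subsystem, and applies the weakest-link SC rule from section 6. The input reuses the section 3 example; its SC ratings are assumed, and applying the Route 2H HFT per subsystem is the conservative reading of that section.

```python
# Route 2H minimum HFT per subsystem, transcribed from section 4 (SIL 3 taken as HFT 1 in every subsystem)
ROUTE_2H_MIN_HFT = {1: 0, 2: 1, 3: 1}
ARCH_HFT = {"1oo1": 0, "1oo2": 1, "2oo3": 1, "1oo3": 2}
# Upper (exclusive) PFDavg bound for each SIL in low-demand mode, from section 2
SIL_PFD_UPPER = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

def verify_sif(sil_target, subsystems):
    """Three-legged check for one SIF.

    subsystems: list of dicts with keys name, pfd (PFDavg already calculated),
    arch (voting architecture) and sc (systematic capability rating).
    Returns (meets_target, findings); findings is empty only when all three legs pass.
    """
    findings = []
    # Leg 1: random hardware, the sum of subsystem PFDs must be below the SIL limit
    total_pfd = sum(s["pfd"] for s in subsystems)
    if total_pfd >= SIL_PFD_UPPER[sil_target]:
        findings.append(f"PFDavg {total_pfd:.2e} is not below the SIL {sil_target} limit")
    for s in subsystems:
        # Leg 2: architectural constraint (Route 2H, no SFF data needed)
        hft = ARCH_HFT[s["arch"]]
        if hft < ROUTE_2H_MIN_HFT[sil_target]:
            findings.append(f"{s['name']}: HFT {hft} below Route 2H minimum for SIL {sil_target}")
        # Leg 3: systematic capability, the weakest component caps the SIL
        if s["sc"] < sil_target:
            findings.append(f"{s['name']}: SC {s['sc']} below SIL {sil_target}")
    return (not findings), findings

def max_sil_from_sc(subsystems):
    """Weakest-link rule: the highest SIL that systematic capability alone would allow."""
    return min(s["sc"] for s in subsystems)

# Constructed input: the section 3 example (1oo1 PFDs with an annual test) plus assumed SC ratings.
# It meets SIL 2 on PFD alone but every subsystem is 1oo1, so Route 2H HFT fails for SIL 2.
PAGE_EXAMPLE = [
    {"name": "pressure transmitter", "pfd": 0.00110, "arch": "1oo1", "sc": 2},
    {"name": "logic solver", "pfd": 0.00022, "arch": "1oo1", "sc": 3},
    {"name": "ESD valve", "pfd": 0.00219, "arch": "1oo1", "sc": 2},
]

if __name__ == "__main__":
    ok, findings = verify_sif(2, PAGE_EXAMPLE)
    print("meets SIL 2:", ok, "| SC-limited SIL:", max_sil_from_sc(PAGE_EXAMPLE))
    for f in findings:
        print(" -", f)
```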
Common Pitfalls
| Pitfall | Impact | Prevention |
|---|---|---|
| Ignoring common cause | Overestimates redundancy benefit | Always include β factor (0.02-0.10) |
| Assuming 100% test coverage | Underestimates residual PFD | Use realistic coverage (70-95%) |
| Missing systematic capability | SIL not truly achieved | Verify SC for all components |
| Ignoring process demand rate | May need high-demand analysis | Verify demand rate < 1/yr for low-demand |
| Not accounting for MTTR | DD failures add to PFD if repair is slow | Include mean time to repair in PFD model |
Failure Rate Data Sources
| Source | Coverage | Use |
|---|---|---|
| exida SERH | Sensors, logic, valves, solenoids | Primary source for SIL calculations |
| OREDA Handbook | Offshore equipment focus | Supplementary, subsea equipment |
| IEC 61508 SN 29500 | Electronic components | Logic solver component-level data |
| Manufacturer FMEDA | Specific product data | Most accurate for selected hardware |
SIL is not just a number: Achieving a SIL target requires more than passing the PFD calculation. The complete SIS lifecycle from hazard analysis through design, installation, commissioning, operation, maintenance, and decommissioning must follow the systematic requirements of IEC 61511. A properly verified SIF with inadequate maintenance procedures will not maintain its SIL rating over time.