Page

4

of

10

The use of SFF for programmable logic solvers (for example safety PLC’s) is shown in BS EN 61511

Table 5, shown below.

SIL

Minimum Hardware Fault Tolerance

SFF < 60% SFF 60% to 90% SFF > 90%

1

1

0

0

2

2

1

0

3

3

2

1

4

Special requirements apply (see BS EN 61508)

Figure 3 - BS EN 61511 Ed 1 Table 5

However, for sensors, the use of the SFF methodology is accommodated within BS EN 61511 in

clause 11.4.5, stating that alternative fault tolerance requirements may be used providing an

assessment is made in accordance to the requirements of IEC 61508-2, Tables 2 and 3.

Hardware Fault Tolerance Requirements BS EN 61508-2 Ed 2 Tables 2 & 3

BS EN 61508 recognises two types of component used for SIFs. These are designated Type A

(simple) components and Type B (complex) components. For a sub-system to be designated Type A,

the components of the sub-system required to achieve the safety function must meet all of the

following:

a) The failure modes of all constituent components are well defined

b) The behaviour of the subsystem under fault conditions can be completely determined

c) There is sufficient dependable failure data from field experience to show that the claimed

rates of failure for detected and undetected dangerous failures are met.

Sub-systems that do not meet all three requirements are classed as Type B; for example,

programmable transmitters containing a ‘chip’ would not meet requirement (b) and would therefore

be classed as Type B.

For Type A components the maximum SIL that can be claimed for a subsystem is given in BS EN

61508-2 Table 2 shown below:

Subsystem with Type A Components

Safe failure fraction

Hardware fault tolerance (see note 1)

0

1

2

< 60 %

SIL1

SIL2

SIL3

60 % - < 90 %

SIL2

SIL3

SIL4

90 % - < 99 %

SIL3

SIL4

SIL4

≥ 99 %

SIL3

SIL4

SIL4

Figure 4 – BS EN 61508-2 Table 2

For Type B (complex) components the maximum SIL that can be claimed for a subsystem is given in

BS EN 61508-2 Table 3 shown below:-