Page 4 of 10
The use of SFF for programmable logic solvers (for example safety PLCs) is given in BS EN 61511
Table 5, reproduced below.
SIL   Minimum Hardware Fault Tolerance
      SFF < 60%    SFF 60% to 90%    SFF > 90%
1     1            0                 0
2     2            1                 0
3     3            2                 1
4     Special requirements apply (see BS EN 61508)
Figure 3 - BS EN 61511 Ed 1 Table 5
However, for sensors, the use of the SFF methodology is accommodated within BS EN 61511 in
clause 11.4.5, which states that alternative fault tolerance requirements may be used provided that an
assessment is made in accordance with the requirements of IEC 61508-2, Tables 2 and 3.
Hardware Fault Tolerance Requirements BS EN 61508-2 Ed 2 Tables 2 & 3
BS EN 61508 recognises two types of component used for SIFs. These are designated Type A
(simple) components and Type B (complex) components. For a sub-system to be designated Type A,
the components of the sub-system required to achieve the safety function must meet all of the
following:
a) The failure modes of all constituent components are well defined
b) The behaviour of the subsystem under fault conditions can be completely determined
c) There is sufficient dependable failure data from field experience to show that the claimed
rates of failure for detected and undetected dangerous failures are met.
Sub-systems that do not meet all three requirements are classed as Type B; for example,
programmable transmitters containing a ‘chip’ would not meet requirement (b) and would therefore
be classed as Type B.
For Type A components the maximum SIL that can be claimed for a subsystem is given in BS EN
61508-2 Table 2 shown below:
Subsystem with Type A Components
Safe failure fraction   Hardware fault tolerance (see note 1)
                        0       1       2
< 60 %                  SIL1    SIL2    SIL3
60 % - < 90 %           SIL2    SIL3    SIL4
90 % - < 99 %           SIL3    SIL4    SIL4
≥ 99 %                  SIL3    SIL4    SIL4
Figure 4 – BS EN 61508-2 Table 2
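As an added worked example (not part of the original document), the two tables above can be applied to a subsystem's failure-rate data. It assumes the IEC 61508-2 definition of SFF (safe plus dangerous-detected failure rate over total failure rate) and the lambda_SD / SU / DD / DU notation, neither of which this page restates; the failure rates are constructed for illustration.

```python
"""Added worked example (not from the original document): derive a subsystem's
safe failure fraction from its failure-rate split, then read off the maximum
Type A SIL (BS EN 61508-2 Table 2) and the logic-solver HFT (BS EN 61511 Table 5)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class FailureRates:
    """Rates in FIT (failures per 1e9 h), split by the IEC 61508 modes
    lambda_SD / SU / DD / DU (notation assumed; integers keep sums exact)."""
    sd: int  # safe, detected
    su: int  # safe, undetected
    dd: int  # dangerous, detected
    du: int  # dangerous, undetected

    def sff(self) -> float:
        """SFF = (safe + dangerous detected) / total (IEC 61508-2 definition,
        assumed here since this page does not restate it)."""
        total = self.sd + self.su + self.dd + self.du
        if total <= 0:
            raise ValueError("total failure rate must be positive")
        return (self.sd + self.su + self.dd) / total

# Table 2, Type A: (SFF band lower bound, max SIL for HFT 0, 1, 2); a boundary
# value such as 60 % belongs to the upper band ('60 % - < 90 %').
TYPE_A_TABLE_2 = [(0.99, (3, 4, 4)), (0.90, (3, 4, 4)),
                  (0.60, (2, 3, 4)), (0.00, (1, 2, 3))]

def max_sil_type_a(sff: float, hft: int) -> int:
    """Maximum SIL claimable for a Type A subsystem at the given SFF and HFT."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    if hft not in (0, 1, 2):
        raise ValueError("Table 2 only covers hardware fault tolerance 0, 1 or 2")
    return next(sils[hft] for lower, sils in TYPE_A_TABLE_2 if sff >= lower)

# Table 5: minimum HFT for a programmable logic solver, indexed by target SIL,
# columns SFF < 60 %, 60 % to 90 %, > 90 %. SIL 4 is referred to BS EN 61508.
LOGIC_SOLVER_TABLE_5 = {1: (1, 0, 0), 2: (2, 1, 0), 3: (3, 2, 1)}

def min_hft_logic_solver(target_sil: int, sff: float) -> int:
    """Minimum hardware fault tolerance a logic solver needs for target_sil."""
    if target_sil == 4:
        raise ValueError("SIL 4: special requirements apply (see BS EN 61508)")
    if target_sil not in LOGIC_SOLVER_TABLE_5:
        raise ValueError("target SIL must be 1, 2 or 3")
    column = 0 if sff < 0.60 else (1 if sff <= 0.90 else 2)
    return LOGIC_SOLVER_TABLE_5[target_sil][column]

if __name__ == "__main__":
    valve = FailureRates(sd=300, su=200, dd=1400, du=100)  # constructed, SFF 95 %
    print("max SIL at HFT 0:", max_sil_type_a(valve.sff(), 0))  # SIL 3
```

Note that the SFF band boundaries differ between the two tables (Table 5 places exactly 90 % in its middle column, Table 2 places exactly 90 % in the higher band), so the classifier keeps them separate rather than sharing one lookup.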
For Type B (complex) components the maximum SIL that can be claimed for a subsystem is given in
BS EN 61508-2 Table 3 shown below: