SIL Verification Cheat Sheet – Zohaib Jahan
SIL Verification for Safety Instrumented Systems - IEC 61511

IEC 61508 / IEC 61511 · Voting Architectures · PFDavg · Proof Test · Field-Ready Reference
SIL Level Quick Reference (low-demand mode)

SIL | PFDavg range (demand mode) | RRF = 1/PFDavg | Risk reduction | Typical O&G application
SIL 1 | ≥ 10⁻² to < 10⁻¹ | 10 – 100 | 1 order of magnitude | General process shutdown, low-risk utility trips
SIL 2 | ≥ 10⁻³ to < 10⁻² | 100 – 1,000 | 2 orders of magnitude | ESD, BMS, compressor protection, HIPPS (lower tier)
SIL 3 | ≥ 10⁻⁴ to < 10⁻³ | 1,000 – 10,000 | 3 orders of magnitude | HIPPS, wellhead control, fire & gas critical SIFs
SIL 4 | ≥ 10⁻⁵ to < 10⁻⁴ | 10,000 – 100,000 | 4 orders of magnitude | Nuclear; rarely justified in Oil & Gas
Core Reliability Parameters

PFDavg — Avg Prob. of Failure on Demand
PFDavg ≈ λDU × TI / 2
λDU = dangerous undetected failure rate (per hr), TI = proof test interval (hr). Simplified form for a single 1oo1 channel with λDU × TI ≪ 1; dangerous detected failures add only a λDD × MTTR term.

RRF — Risk Reduction Factor
RRF = 1 / PFDavg
Directly tells you how much safer the SIF makes the process. SIL 2 needs RRF ≥ 100 (the SIL 2 band runs from 100 to 1,000).

Dangerous Failure Rates (λD, λDD, λDU)
λD = λDD + λDU · λDU = λ_total × (1 − SFF), where λ_total = λS + λD
Only λDU is removed by the proof test, so it drives PFDavg. Always use certified/validated failure rate data: exida SERH, SINTEF PDS, or the vendor's SIL certificate / FMEDA report.

Safe Failure Fraction (SFF)
SFF = (λS + λDD) / (λS + λD)
Sets the hardware fault tolerance (HFT) required for a given SIL under IEC 61508-2 Tables 2 (Type A) and 3 (Type B), Route 1H. For a Type B element with HFT = 0, SFF ≥ 90 % is needed to claim SIL 2 and SFF ≥ 99 % for SIL 3.
💡
PFDavg is an Average — Not a Point Value

PFDavg represents the average probability over the entire proof test interval. It is NOT the instantaneous probability at any single moment. Just before the proof test is due, actual PFD is at its highest.

⚠️
SIL is for the Entire SIF Loop — Not Just One Device

SIL verification must cover the full loop: sensor(s) + logic solver + final element(s). A SIL-certified transmitter alone does NOT give you a SIL-rated SIF. Every element contributes to the overall PFDavg.


VOTING ARCHITECTURES — BLOCK DIAGRAMS & FORMULAS

1oo1 · 1oo2 · 2oo2 · 2oo3 · 2oo4 | Sensor, Logic Solver, Final Element focus
1oo1 · SIL 1–2 (HFT 0)
Block diagram: PT (S1) → LS → XV → safe state
PFDavg ≈ λDU × TI / 2
Single channel. Simple, no redundancy. Any dangerous undetected failure means the SIF fails on demand. Low cost, lower integrity.
Typical use: low-risk utility shutdowns · SIL 1 SIFs
1oo2 · SIL 2–3 (HFT 1)
Block diagram: PT (S1), PT (S2) → 1/2 vote → LS → XV → safe state
PFDavg ≈ (λDU × TI)² / 3 + β × λDU × TI / 2
Either sensor trips the SIF. Lowest PFDavg of the two-channel options, but the spurious trip rate is roughly double that of 1oo1 (a safe failure of either channel trips the process). Watch common cause: the β term dominates as soon as β is more than a few percent.
Typical use: ESD sensors · fire detectors · wellhead PT
2oo2 · SIL 1–2 (HFT 0 for dangerous failures)
Block diagram: PT (S1), PT (S2) → & (2/2 vote) → LS → XV → safe state
PFDavg ≈ λDU × TI (twice 1oo1)
Both sensors must trip. Reduces nuisance trips, but a dangerous failure of either channel defeats the SIF, so PFDavg is double that of 1oo1. Use only where spurious trips are expensive and the SIL target still verifies.
Typical use: compressor protection · burner management · critical valves
2oo3 · SIL 2–3 (HFT 1)
Block diagram: PT (S1), PT (S2), PT (S3) → 2/3 vote → LS → XV → safe state
PFDavg ≈ (λDU × TI)² + β × λDU × TI / 2
Industry standard for high-integrity sensing. Best balance of safety integrity and availability: tolerates one dangerous failure without a missed trip and one safe failure without a spurious trip. The independent term is three times that of 1oo2, so the β term (CCF) decides whether SIL 3 is reachable.
Typical use: HIPPS · main ESD · LNG / refinery critical SIFs
2oo4 · SIL 3 (HFT 2)
Block diagram: PT (S1), PT (S2), PT (S3), PT (S4) → 2/4 vote → LS → XV → safe state
PFDavg ≈ (λDU × TI)³ + β × λDU × TI / 2 (simplified; three of the four channels must fail dangerously)
Very high redundancy, limited in practice by the CCF term. Seen in quad-redundant (QMR) logic solver subsystems; note that TMR controllers vote 2oo3, not 2oo4. Rarely seen at sensor level in O&G. High cost, complex proof testing.
Typical use: QMR logic solvers · high-integrity HIPPS · nuclear-adjacent
Architecture Comparison at a Glance

Architecture | Channels | HFT | Fails to danger | Spurious trip | PFDavg (independent term, λDU·TI ≪ 1) | Typical max SIL
1oo1 | 1 | 0 | High | Low | λDU·TI/2 | SIL 2
1oo2 | 2 | 1 | Low | Medium (≈ 2× 1oo1) | (λDU·TI)²/3 | SIL 3
2oo2 | 2 | 0 | High (2× 1oo1) | Low | λDU·TI | SIL 2
2oo3 | 3 | 1 | Low | Low | (λDU·TI)² | SIL 3
2oo4 | 4 | 2 | Very low | Low | (λDU·TI)³ | SIL 3+

Add the CCF term β·λDU·TI/2 to every redundant row (1oo2, 2oo3, 2oo4). With β = 5 % it is usually larger than the independent term. "Max SIL" is the architectural constraint for typical field devices; confirm against the element type and SFF.

PROOF TESTING · DIAGNOSTICS · COMMON CAUSE FAILURE

What kills your SIL — and what protects it
Proof Test Interval (TI) Effect on PFDavg
✅ Short TI — Better PFD
Halving the test interval roughly halves PFDavg for a 1oo1 loop, because λDU × TI/2 is linear in TI: TI = 1 year gives double the PFDavg of TI = 6 months. For redundant architectures the independent term falls with TI², but the CCF term is still linear, so the gain in practice is similar. TI is one of the most powerful levers in SIL design.
⚠️ PTC < 100% — Residual Risk Remains
Proof Test Coverage (PTC) means the fraction of dangerous failures your test actually detects. A 90% PTC leaves 10% of dangerous failures undetected — they accumulate until device replacement or a real demand.
❌ Skipped Tests — SIL Degradation
Skipping or deferring proof tests invalidates your SIL claim. The verification assumes TI is met. Every overdue test is an unverified SIF. Operations must NOT skip proof tests without an MOPC process.
Proof Test Formulas

PFDavg with Proof Test Coverage
PFDavg ≈ PTC × λDU × TI/2 + (1 − PTC) × λDU × T_mission/2
The fraction PTC of dangerous undetected failures is found at every proof test; the residual (1 − PTC) fraction is only removed at overhaul or replacement after T_mission (typically 10–20 years), so it accumulates for far longer than TI. Target PTC > 90 % and state T_mission in the SIL calculation.

Diagnostic Coverage (DC) Effect
PFDavg ≈ DC × λD × MTTR + (1 − DC) × λD × TI/2   (1oo1)
λDD = DC × λD is dangerous detected (repaired within MTTR, hours), λDU = (1 − DC) × λD is dangerous undetected (found only at the proof test). Online diagnostics (HART status, comparison of redundant channels, partial stroke tests) move failures from the TI term to the much smaller MTTR term.

β-Factor — Common Cause Failure
PFDavg_CCF = β × λDU × TI / 2
β is typically 1–10 % for redundant field devices (scored with the IEC 61508-6 Annex D method). The CCF term is linear in TI while the independent term is second order, so it dominates in any well-designed redundant system. Physical separation, diversity, and different manufacturers reduce β.

2oo3 with CCF (Full Form)
PFDavg ≈ (λDU × TI)² + β × λDU × TI/2
The second term almost always dominates: with λDU = 5×10⁻⁷/hr and TI = 1 year, the independent term is ≈ 2×10⁻⁵ while the CCF term at β = 5 % is ≈ 1.1×10⁻⁴. Reducing β through design diversity is what achieves SIL 3 in 2oo3.
Diagnostic Coverage — Field Devices

Device / feature | Diagnostic type | Typical coverage | Level | PFDavg impact
Simple 4–20 mA transmitter (no HART) | None (manual proof test only) | DC < 60 % | Low | Full TI contribution to PFDavg
HART transmitter with EDDL diagnostics | Online: sensor health, loop check | DC 60–90 % | Medium | Detected failures move to the MTTR term
Smart transmitter + online proof test | Full end-to-end functional test | DC > 90 % | High | Major PFDavg reduction; supports longer TI
Partial Stroke Test (PST) — ESD valve | Automated partial valve movement at the PST interval | 60–80 % of valve λDU | Medium | Significant reduction in final element PFDavg
Full Stroke Test (FST) — ESD valve | Full travel proof test at TI | PTC ≈ 99 % | High | Near-complete dangerous failure detection at each proof test
Logic solver (SIL-certified, TMR) | Internal self-diagnostics, watchdog | DC > 99 % | Very high | Logic solver PFDavg typically very small vs. field devices

Note: PST and FST are tests run at an interval, not continuous diagnostics. In the calculation they set the test interval for the fraction of λDU they cover, exactly as PTC does in the proof test formula above.
⚠️
CCF Kills Redundancy

Two identical transmitters from the same vendor on the same impulse line share the same failure modes. A plugged impulse line takes both out simultaneously: for that failure mode β is effectively 100 %. Score β with the IEC 61508-6 Annex D method instead of assuming a default.

How to Reduce CCF (β Factor)

Physical separation · Different impulse tapping points · Diversity in technology (DP + radar for level) · Independent cable routing · Independent power supplies · Different vendor devices where justified by risk.

BYPASS / OVERRIDE · WORKED EXAMPLE · COMMON MISTAKES

What degrades SIL in real operations — and how to manage it
Effect of Bypass / Override on SIL Integrity
🔶 SIF in Bypass

    ⚠ While in bypass the SIF is unavailable: PFD = 1.0 for the whole bypass duration
    ⚠ Any process demand during bypass period is unprotected
    ⚠ If bypass duration is significant vs. TI, your SIL number is degraded
    ⚠ Multiple concurrent bypasses = compounding integrity loss
    ✗ Bypass without MOC/MOPC = non-compliance with the IEC 61511 bypass requirements (design: Cl. 11.9; operation and maintenance procedures: Cl. 16)

✅ Best Practice for Bypass Management

    ✓ Require written MOPC (Management of Process Change / Override) for every bypass
    ✓ Define maximum allowed bypass time in the SRS (Safety Requirements Specification)
    ✓ Compensating measures required: increased operator rounds, independent monitoring
    ✓ DCS/SIS should log bypass start/end time with operator ID for audit trail
    ✓ IEC 61511 requires bypass management procedure in your SMS (Safety Management System)

📐
Corrected PFDavg with Bypass Time

PFDavg_total = PFDavg_normal × (TI − t_bypass)/TI + 1.0 × t_bypass/TI
Where t_bypass = total bypass hours per proof test interval. The second term is absolute, not a percentage of the baseline: 24 hrs of bypass per year on a 1-year TI adds 24/8760 ≈ 2.7×10⁻³ to PFDavg, which is comparable to the whole SIL 2 budget. A SIF verified at 3×10⁻³ becomes ≈ 5.7×10⁻³, and a loop verified near 8×10⁻³ drops out of the SIL 2 band.
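
An added example (editor's code, not from the cheat sheet) of auditing a SIS bypass journal against the SRS with the correction above: it pairs BYPASS_ON/OFF events per SIF, sums bypass hours over the proof test interval, flags bypasses without an MOPC reference, single or annual limits exceeded, and a bypass still active at period end, then reports the corrected PFDavg. The log format, SIF tags, operator IDs, MOPC numbers and SRS limits are all constructed for illustration; a real DCS/SIS export needs its own parser.

```python
"""Bypass-log audit against the SRS (editor's example, not from the page)."""
from datetime import datetime

HOURS_PER_YEAR = 8760.0

# Constructed sample of a SIS bypass journal (ISO-8601 UTC, one event per line).
SAMPLE_LOG = """\
2024-03-02T08:15:00Z SIF-101 BYPASS_ON  op=jdoe   mopc=MOPC-2024-017
2024-03-02T14:45:00Z SIF-101 BYPASS_OFF op=jdoe
2024-07-19T22:00:00Z SIF-101 BYPASS_ON  op=asmith mopc=-
2024-07-20T06:00:00Z SIF-101 BYPASS_OFF op=asmith
2024-11-05T09:00:00Z SIF-205 BYPASS_ON  op=kchan  mopc=MOPC-2024-088
2024-11-05T10:30:00Z SIF-205 BYPASS_OFF op=kchan
2024-12-30T20:00:00Z SIF-310 BYPASS_ON  op=jdoe   mopc=MOPC-2024-101
"""

# Hypothetical SRS limits and verified (design) PFDavg per SIF.
SRS = {
    "SIF-101": {"pfd_normal": 1.9e-3, "max_single_h": 8.0, "max_total_h": 24.0},
    "SIF-205": {"pfd_normal": 4.0e-3, "max_single_h": 4.0, "max_total_h": 12.0},
    "SIF-310": {"pfd_normal": 8.0e-4, "max_single_h": 8.0, "max_total_h": 24.0},
}


def _ts(text):
    # fromisoformat accepts "+00:00" on every Python 3 version that has it.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_bypass_log(text, period_end):
    """Pair ON/OFF events per SIF into intervals.  A bypass still active at
    period_end is closed at period_end and marked open=True (edge case)."""
    active, intervals = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, sif, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if event == "BYPASS_ON":
            active[sif] = (_ts(stamp), kv.get("op", "?"), kv.get("mopc", "-"))
        elif event == "BYPASS_OFF" and sif in active:
            start, op, mopc = active.pop(sif)
            intervals.append({"sif": sif, "start": start, "end": _ts(stamp),
                              "op": op, "mopc": mopc, "open": False})
    for sif, (start, op, mopc) in active.items():
        intervals.append({"sif": sif, "start": start, "end": period_end,
                          "op": op, "mopc": mopc, "open": True})
    return intervals


def corrected_pfd(pfd_normal, bypass_hours, ti_hours=HOURS_PER_YEAR):
    """Page formula: the SIF is unavailable (PFD = 1) for the bypass time."""
    return pfd_normal * (ti_hours - bypass_hours) / ti_hours + bypass_hours / ti_hours


def audit(text, srs, period_end="2025-01-01T00:00:00Z", ti_hours=HOURS_PER_YEAR):
    """Per-SIF bypass hours, corrected PFDavg and SRS findings for one interval."""
    report = {}
    for iv in parse_bypass_log(text, _ts(period_end)):
        hours = (iv["end"] - iv["start"]).total_seconds() / 3600.0
        limits = srs[iv["sif"]]
        entry = report.setdefault(iv["sif"], {"hours": 0.0, "findings": []})
        entry["hours"] += hours
        if iv["mopc"] == "-":
            entry["findings"].append(f"bypass by {iv['op']} on {iv['start']:%Y-%m-%d} without MOPC")
        if hours > limits["max_single_h"]:
            entry["findings"].append(f"single bypass {hours:.1f} h exceeds SRS limit {limits['max_single_h']} h")
        if iv["open"]:
            entry["findings"].append("still in bypass at period end")
    for sif, entry in report.items():
        limits = srs[sif]
        if entry["hours"] > limits["max_total_h"]:
            entry["findings"].append(f"total {entry['hours']:.1f} h exceeds SRS annual limit")
        entry["pfd_normal"] = limits["pfd_normal"]
        entry["pfd_corrected"] = corrected_pfd(limits["pfd_normal"], entry["hours"], ti_hours)
    return report


if __name__ == "__main__":
    for sif, entry in sorted(audit(SAMPLE_LOG, SRS).items()):
        print(f"{sif}: {entry['hours']:.1f} h bypass, PFDavg {entry['pfd_normal']:.1e} -> "
              f"{entry['pfd_corrected']:.1e}; findings: {entry['findings'] or 'none'}")
```

On the sample data SIF-101 accumulates 14.5 h (one of them without an MOPC reference), which nearly doubles its PFDavg from 1.9×10⁻³ to 3.6×10⁻³; SIF-310, left in bypass over the year end, collects 28 h and moves from the SIL 3 band (8×10⁻⁴) to 4.0×10⁻³, i.e. SIL 2, before anyone has touched the hardware.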

Worked Example — ESD Pressure Trip (1oo2 Architecture)
High Pressure ESD — Separator Overhead · 2× PT + SIS + XV
STEP-BY-STEP
Scenario: Separator overhead ESD. Two pressure transmitters (1oo2 voting at sensor level). SIL-certified SIS logic solver. One ESD valve (XV). Proof test interval TI = 1 year = 8,760 h. Sensor λDU = 5×10⁻⁷/hr, β = 5 %, PTC = 90 % (the residual (1 − PTC) term is left out of this short calculation; a full calculation adds it with the device mission time using the proof test formula above). Logic solver PFDavg = 1×10⁻⁴ from its SIL certificate. ESD valve assembly λDU = 8×10⁻⁷/hr; PST covers 70 % of the valve λDU and is assumed quarterly (2,190 h), FST annually at TI.
01
Sensor PFDavg (1oo2)
1.2×10⁻⁴
(λDU×TI)²/3 + β×λDU×TI/2
λDU×TI = 5×10⁻⁷ × 8,760 = 4.38×10⁻³
= (4.38×10⁻³)²/3 + 0.05 × 4.38×10⁻³/2
= 6.4×10⁻⁶ + 1.1×10⁻⁴ = 1.16×10⁻⁴ (the CCF term is ~95 % of it)
02
Logic Solver PFDavg
1.0×10⁻⁴
From SIL certificate. TMR internal diagnostics. Typically very small contribution.
03
Final Element PFDavg (1oo1, split by test interval)
1.7×10⁻³
PST-covered fraction: 0.7 × 8×10⁻⁷ × 2,190/2 = 6.1×10⁻⁴
FST-only fraction: 0.3 × 8×10⁻⁷ × 8,760/2 = 1.05×10⁻³
Sum = 1.66×10⁻³. Without PST credit it would be 8×10⁻⁷ × 8,760/2 = 3.5×10⁻³. ESD valves are usually the dominant PFDavg contributor in the loop!
04
SIF Total PFDavg
≈ 1.9×10⁻³
Sum = 1.16×10⁻⁴ + 1.0×10⁻⁴ + 1.66×10⁻³ = 1.88×10⁻³
→ SIL 2 ✓ (≥ 10⁻³ to < 10⁻²)
RRF ≈ 530
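
The loop arithmetic above, as an added example (editor's code, not from the cheat sheet or any vendor SIL tool). It implements the simplified PFDavg expressions used on this page for 1oo1 / 1oo2 / 2oo2 / 2oo3 / 2oo4 with the β-factor CCF term, lets each share of λDU be tested at its own interval (which covers PTC with a mission time as well as PST versus FST on a valve), classifies the result into a SIL band and reproduces the worked example. The quarterly PST interval, the per-population treatment of the CCF term and the 10 % validity guard on λDU × interval are assumptions of this example.

```python
"""Simplified low-demand PFDavg model for a SIF loop (editor's example).

Implements the simplified IEC 61508-6 Annex B style expressions quoted on
the page.  Assumption: lambda_du * interval << 1 for every test population,
the usual validity limit of these approximations (guarded at 0.1 below).
"""

HOURS_PER_YEAR = 8760.0

# Independent-failure PFDavg for MooN identical channels, x = lambda_du * interval.
_INDEPENDENT = {
    "1oo1": lambda x: x / 2,
    "1oo2": lambda x: x ** 2 / 3,
    "2oo2": lambda x: x,            # either channel failing defeats the SIF
    "2oo3": lambda x: x ** 2,
    "2oo4": lambda x: x ** 3,       # three of four channels must fail
}
_HAS_CCF_TERM = {"1oo2", "2oo3", "2oo4"}   # 1oo1 / 2oo2 are single-point already


def sil_band(pfd_avg):
    """Low-demand SIL band (IEC 61511-1 Table 4); 0 = below SIL 1."""
    if pfd_avg >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd_avg >= lower:
            return sil
    return 4  # below the SIL 4 floor; no higher band exists


def subsystem_pfd(arch, lam_du, schedule, beta=0.0):
    """PFDavg of one voted subsystem.

    schedule: list of (fraction, interval_hours) splitting lam_du into test
    populations, e.g. [(0.9, TI), (0.1, T_mission)] for PTC = 90 %, or
    [(0.7, PST_interval), (0.3, FST_interval)] for a valve with PST.
    Each population gets the architecture term and the CCF term for its own
    interval (simplification: CCF applied per population).
    """
    if abs(sum(f for f, _ in schedule) - 1.0) > 1e-9:
        raise ValueError("schedule fractions must sum to 1")
    pfd = 0.0
    for fraction, interval in schedule:
        x = fraction * lam_du * interval
        if x > 0.1:
            raise ValueError(f"lambda*interval = {x:.3f}: too large for the simplified formula")
        pfd += _INDEPENDENT[arch](x)
        if arch in _HAS_CCF_TERM:
            pfd += beta * x / 2
    return pfd


def proof_test_schedule(ti, ptc=1.0, mission=None):
    """Split by proof test coverage; the residual is only removed at replacement."""
    if ptc >= 1.0:
        return [(1.0, ti)]
    if mission is None:
        raise ValueError("mission time is needed when PTC < 100 %")
    return [(ptc, ti), (1.0 - ptc, mission)]


def loop_pfd(subsystems):
    """Sum subsystem PFDavg values; report band, RRF and the dominant contributor."""
    total = sum(subsystems.values())
    shares = {name: value / total for name, value in subsystems.items()}
    return {"total": total, "sil": sil_band(total), "rrf": 1.0 / total,
            "shares": shares, "dominant": max(shares, key=shares.get)}


def worked_example(pst_interval=HOURS_PER_YEAR / 4, sensor_arch="1oo2"):
    """The page's separator-overhead ESD with its stated inputs; quarterly PST
    is an assumption, and the (1 - PTC) residual is not carried, as on the page."""
    ti = HOURS_PER_YEAR
    subsystems = {
        "sensors": subsystem_pfd(sensor_arch, 5e-7, [(1.0, ti)], beta=0.05),
        "logic_solver": 1.0e-4,                                   # SIL certificate value
        "valve": subsystem_pfd("1oo1", 8e-7, [(0.7, pst_interval), (0.3, ti)]),
    }
    result = loop_pfd(subsystems)
    result["subsystems"] = subsystems
    return result


if __name__ == "__main__":
    base = worked_example()
    print(f"total {base['total']:.2e}  SIL {base['sil']}  RRF {base['rrf']:.0f}  "
          f"valve share {base['shares']['valve']:.0%}")
    # What actually helps: monthly PST on the valve versus a third sensor (2oo3).
    print(f"monthly PST : {worked_example(pst_interval=730)['total']:.2e}")
    print(f"2oo3 sensors: {worked_example(sensor_arch='2oo3')['total']:.2e}")
```

Run as a script it reproduces the worked example (1.88×10⁻³, SIL 2, RRF ≈ 530, valve ≈ 88 %) and then shows the two what-ifs: monthly PST on the valve brings the loop to ≈ 1.5×10⁻³, while switching the sensors to 2oo3 leaves the total marginally worse, because the independent term triples and the CCF term does not move.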
💡
Key Lesson from This Example

The ESD valve (final element) contributes ~88% of the total PFDavg even with quarterly PST credit. This is common. More frequent PST on the valve (monthly PST takes the loop to ≈ 1.5×10⁻³) is far more effective than adding a third sensor: going to 2oo3 triples the sensors' independent term while the CCF term is unchanged, so it does not lower the loop PFDavg at all here. Do NOT over-engineer the sensor side and ignore the valve.

Top 6 SIL Verification Mistakes in O&G Projects
01
SIL-certified ≠ SIL-capable loop
A certified transmitter does not make your SIF SIL-compliant. The entire loop must be verified. Device SIL cert is just one input.
02
Ignoring Final Element in PFD calc
ESD valve PFDavg is typically the largest contributor. Many engineers focus only on sensors and skip the valve — this is a serious error.
03
Wrong β value for CCF
Using a default β = 1% when no physical separation exists between redundant sensors is unconservative. Score β properly with the IEC 61508-6 Annex D method.
04
Proof test coverage claimed but not demonstrated
Claiming PTC = 90% without a written proof test procedure that actually achieves it. PTC must be demonstrated in the proof test plan, not assumed.
05
Architecture mismatch to SIL target
Specifying 2oo2 for a SIL 2 SIF — this often fails verification because 2oo2 has PFDavg worse than 1oo1. The SIL target drives architecture, not the other way.
06
Outdated failure rate data
Using MIL-HDBK-217 or old OREDA data for SIL verification. Use the current edition of the SINTEF PDS Data Handbook or exida SERH, or the device's FMEDA. Failure rates can differ by orders of magnitude.

FIELD ENGINEERING NOTES — FAT · SAT · MAINTENANCE

Practical lessons for design reviews, FAT, SAT, and ongoing SIS integrity management
Field Notes by Phase
🔬
Factory Acceptance Test (FAT)
Design Review → FAT Stage

    ‣ Proof test simulation in FAT must replicate the actual field proof test procedure — NOT just inject a signal at the marshalling cabinet
    ‣ Test each voting logic permutation. For 2oo3: test 1-trip, 2-trip, 3-trip and verify correct response at each
    ‣ Verify bypass function: engage bypass, confirm SIS does NOT trip on live signal, confirm bypass alarm activates in DCS
    ‣ Record all logic solver diagnostic alarms and verify correct annunciation in HMI
    ‣ Document proof test coverage achieved per device — this becomes your field baseline
    ‣ Test the SIF response time: confirm the trip completes well within the process safety time (the "PST" of the SRS, not to be confused with the partial stroke test)

🏭
Site Acceptance Test (SAT)
Commissioning → Pre-Startup

    ‣ SAT is NOT a repeat of FAT. SAT verifies the installed loop in real field conditions — actual process connections, real cables, real earthing
    ‣ Loop test must be end-to-end: apply stimulus at the sensor, confirm trip at the final element
    ‣ Verify impulse lines: no plugging, correct slope, no dead legs, correct manifold configuration (5-valve vs. 3-valve)
    ‣ Confirm ESD valve stroking: record open/close time, check actuator spring return, verify fail-safe position
    ‣ Check all SIS panel earthing, cable shields, and cable segregation from HV/power cables
    ‣ Pre-startup SIS punch list must be cleared before mechanical completion sign-off

🔧
Maintenance & Proof Testing
Operations Phase · Ongoing

    ‣ Never miss a proof test deadline. Overdue tests invalidate the SIL claim — escalate to FSM if test cannot be performed on time
    ‣ Use the approved Proof Test Procedure (PTP) every time. Do not improvise or shortcut — PTC claim depends on it
    ‣ Document every proof test: start time, end time, as-found condition, as-left condition, technician ID, any deviations
    ‣ As-found failures must be reported to the Functional Safety Manager (FSM) and trigger a revalidation review
    ‣ PST frequency on ESD valves must match what was assumed in the SIL calculation — verify during management review
    ‣ Trend your as-found failure rates. If actual λD exceeds assumed λD, your SIL claim is degraded — revalidate
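
An added example (editor's code, not from the cheat sheet) for the last point: trending as-found dangerous failures from proof test records against the λDU assumed in the SIL calculation. The populations, service years and failure counts are constructed. The page only asks that the trend be checked; the one-sided Poisson test used here to decide whether a handful of as-found failures is actually evidence that the real rate exceeds the assumed one is the editor's choice of method.

```python
"""As-found failure trending against the assumed lambda_DU (editor's example)."""
import math

HOURS_PER_YEAR = 8760.0

# Constructed proof-test summaries for one site: population, years in service,
# as-found dangerous failures, and the lambda_DU assumed in the SIL verification.
SAMPLE_RECORDS = {
    "PT (1oo2 ESD transmitters)": {"devices": 40, "years": 5, "failures": 4, "assumed": 5e-7},
    "XV (ESD valve assemblies)":  {"devices": 12, "years": 5, "failures": 0, "assumed": 8e-7},
    "PT (utility trips)":         {"devices": 40, "years": 5, "failures": 1, "assumed": 5e-7},
}


def poisson_tail(n, mu):
    """P(N >= n) for N ~ Poisson(mu).  n = 0 gives 1.0."""
    cdf = sum(math.exp(-mu) * mu ** k / math.factorial(k) for k in range(n))
    return max(0.0, 1.0 - cdf)


def assess(devices, years, failures, assumed, alpha=0.05):
    """Point estimate of the field lambda_DU and a one-sided test against the
    assumed value: small p means this many as-found failures would be unlikely
    if the assumed rate were true, so the SIL claim needs revalidation."""
    hours = devices * years * HOURS_PER_YEAR
    observed = failures / hours
    expected = assumed * hours                  # failures expected at the assumed rate
    p = poisson_tail(failures, expected)
    return {"device_hours": hours, "observed_rate": observed, "ratio": observed / assumed,
            "expected_failures": expected, "p_value": p, "revalidate": p < alpha}


def trend_report(records, alpha=0.05):
    return {name: assess(**rec, alpha=alpha) for name, rec in records.items()}


if __name__ == "__main__":
    for name, res in trend_report(SAMPLE_RECORDS).items():
        flag = "REVALIDATE" if res["revalidate"] else "ok"
        print(f"{name}: observed {res['observed_rate']:.2e}/h "
              f"({res['ratio']:.1f}x assumed), p = {res['p_value']:.3f} -> {flag}")
```

With 40 ESD transmitters over 5 years the assumed 5×10⁻⁷/hr predicts fewer than one as-found dangerous failure; four observed gives p ≈ 0.012, so the sensor PFDavg should be recomputed with the field rate (≈ 2.3×10⁻⁶/hr). A single as-found failure in the same population (p ≈ 0.58) is not evidence on its own, and zero failures never contradict the assumption, which is why the test is one-sided.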

Design Review — Common Gaps
FEED / Detailed Design · SIL Verification Stage

    ‣ SRS (Safety Requirements Specification) missing or incomplete — IEC 61511 Cl.10 mandates it before design starts
    ‣ SIL allocation from LOPA not reviewed against hardware architecture — mismatch causes late redesign
    ‣ No defined proof test procedure at design stage — PTC assumptions in SIL calc cannot be verified later
    ‣ ESD valve SIL certificate does not cover the actual trim, body, and actuator combination in the datasheet
    ‣ Logic solver SIL certificate scope does not match installed configuration (e.g. different I/O modules than certified)
    ‣ Functional Safety Assessment (FSA) not scheduled — IEC 61511 Cl.5.2 requires FSA before startup

Key Standards Reference

Standard | Scope | Key clauses for SIL verification | Who applies it
IEC 61511-1 (Ed.2) | SIS for the process industry | Cl.10 SRS · Cl.11 SIS design and engineering · Cl.13 FAT · Cl.15 validation · Cl.16 operation and maintenance (incl. proof test and bypass procedures) | Process plant engineers, FSM, EPC contractor
IEC 61508 (Ed.2) | Functional safety of E/E/PE systems | Part 2: hardware · Part 3: software · Part 6 Annex B (PFD formulas) and Annex D (β factor) | SIS vendors, system integrators, device manufacturers
IEC 61511-3 | Guidance for SIL determination | LOPA methodology · risk graph · SIL allocation | Process safety engineers, HAZOP/LOPA team
ANSI/ISA-84.00.01 | US adoption of IEC 61511 | Aligns with IEC 61511 with additional US-specific guidance | US-based projects (refining, chemicals)
Architecture Selection Quick Guide
🎯 SIL 1 Target
1oo1 is usually sufficient. Simple, cheap, maintainable. If spurious trips are a concern, consider 2oo2 with a second sensor, but remember its PFDavg is double that of 1oo1 and verify it still meets SIL 1. Check the final element carefully; it dominates.
🎯 SIL 2 Target
1oo2 at sensor side is the most common solution. Provides redundancy without the availability penalty of 2oo2. For final elements, a single SIL-certified ESD valve with PST often suffices. Verify the whole loop — don't just count channels.
🎯 SIL 3 Target
2oo3 at the sensor side is standard. Requires careful CCF analysis; β-factor management is critical. Final element: two independent valves, or one high-integrity valve with PST + FST and a SIL 3 certificate covering the actual valve/actuator/solenoid combination. Logic solver typically TMR or QMR with a SIL 3 certificate. The SIL calculation should be independently verified, not only checked by the designer.
📌
Remember — SIL is a Lifecycle Concept, Not a Design-Phase Checkbox

SIL integrity must be maintained from HAZOP through decommissioning. A properly designed SIF that is poorly maintained, bypassed without control, or never proof-tested to plan is NOT a SIL-rated SIF — regardless of what the design report says. The Functional Safety Manager (FSM) owns this lifecycle.

👷
Zohaib Jahan
TÜV Certified Functional Safety Engineer (FSE)
ICSS Engineer with 11+ years of Experience in Oil & Gas and Mining including Greenfield & Brownfield Projects. Let's discuss if I can be of any assistance!