What is in a SIL Safety Certification

20121011-085412.jpgexida’s Dr. William Goble and Emerson’s Afton Coleman presented, What’s is in a SIL Safety Certification?, at the 2012 Emerson Exchange conference. Their abstract:

How is a product “certified” for use in a safety instrumented system? What does this mean, and how do I use this information? Is the FMEDA data the same as in the SIL certificate? Bill Goble, principal partner of exida, will discuss the methods used during product certification to IEC 61508, using the analysis of the FIELDVUE SIS instruments as an example.

Bill has worked in the field of functional safety for 25 years. Afton is the product manager for the FieldVue DVC [digital valve controller] safety products.

IEC 61508 is an international standard for functional safety. It is the world standard for product functional safety certification. It requires a detailed review and analysis of the design process. The objective is to design in high quality from the start. It uses failure probability limits to assure safety.

A functional safety certificate comes from a certification body. Experience understanding the complex IEC 61508 standard is what exida provides to safety product providers. Design process analysis includes the design, review, documentation, and testing procedures are audited against IEC 61508 requirements. The design process includes minimum levels of automatic diagnostics for the SIL level. The process includes internal execution testing. Failure mode and failure probability analysis must include safety integrity.

exida developed the FMEDA technique for hardware probabilistic failure analysis. The technique is based on component data compiled from hundreds of field failure studies with over 20 billion unit operational hours of field experience. The FMEDA technique goes far beyond individual failure analysis by studying each part within the product and how its function is impacted by the known failure modes of the part (microprocessors, capacitors, resistors, etc.) The supplier must supply their field failure information for their components.

Bill described the process from accumulating the field failure data and its root cause analysis. These are compared against the component failure database to help spot differences that may be caused by design issues. This data is used in the FMEDA analysis. Cycle testing is useful for mechanical components to determine wear-out mechanisms to help predict failure rates in applications where constant movement is done. These results do not represent typical low demand process industry applications as failure rates and failure modes are quite different. Cycle testing is good for products used in dynamic (constantly moving applications) but not for mostly static applications such as safety shutdown valves.

Afton discussed the Fisher DVC6200 SIS safety digital valve controller. Failure rates are provided and published as part of the FMEDA analysis. This testing is in addition to the ISO testing requirements of all Fisher brand products. The DVC6200 SIS achieved the functional safety certificate for applications up to SIL 3. Many safety and diagnostic features were included to help achieve this level. The FMEDA analysis including both electronic and mechanical failure mode and failure rate data.

The Fisher technology team worked with exida on the procedures to follow a high quality design with extensive FMEDA testing to achieve certification.


  1. Rakesh Parasher says:

    how we can get approval of SIL 2, ??
    is it self certification ? if product as per certain standard.

  2. Rakesh Parasher says:

    how we can get approval of SIL 2, ??
    is it self certification ? if product as per certain standard

    • Hi Rakesh, Thanks for your question. Suppliers of equipment for safety instrumented systems–logic solvers, sensors, and final control elements follows the IEC 61508 standard in the design and implementation of the product. This process is checked by a body such as exida, TUV, etc. who perform the failure analysis. It is not a self certification process. Hope that helps!

  3. IEC 61508-1 Table 5 tells that the assessment can be done by an Independent department upto SIL2. Can we self declare FSM based on this assessment? Or Do we require to go with third party certification from agencies?

    • Surya, thanks for your questions. I checked with some friends who manage our
      Fisher brand of valves & instruments.

      They shared back, “Table 5 of IEC61508-1 (2010) provides guidelines for the
      minimum levels of independence of those carrying out a functional safety
      assessment (applying to overall safety lifecycle phases 9 and 10, including all
      phases of E/E/PE system and software safety lifecycles). Please closely
      evaluate 8.2.16 and Notes 1, 2, and 3, as well as 8.2.15, 8.2.18 of IEC61508-1
      to help determine whether your organization is capable of conducting an
      independent assessment. If you still have questions, please consult a third
      party safety consultant who will be able to advise based on the details of your
      specific organization and application.”

  4. Dr. Mohammad says:

    Kindly advise on the recommended background or discipline proffered to take take the SIL certification. Is it limited to only instrument/electrical engineers/technician?

  5. Jim Cahill says:

    Dr. Mohammad, Thank you for stopping by the blog and for your question. I know that the ISA offers training for SIL selection and verification. See https://www.isa.org/Training/CertificatePrograms/ . I’m not sure what is required as far as prerequisites. Another place to look to become a safety certified professional is http://www.bcsp.org/SH-E-Practice/7-Steps-to-Safety-Certification .

    I hope these help!

Leave a Reply