SIL Verification: Understanding PFDavg and Redundancy (1oo1 vs. 1oo2)

Functional Safety (per IEC 61508 and IEC 61511) is not about buying certificates; it is about managing the probability of failure. The goal of any Safety Instrumented Function (SIF) is simple: when the process goes haywire, the safety loop must act. It must close the valve, stop the pump, or kill the power.

However, no device is perfect. Every sensor, PLC, and solenoid valve has a chance of failing. If that failure happens to be a "Dangerous Undetected" failure (e.g., the pressure transmitter is stuck at 10 bar, but the pressure is actually 50 bar), the safety system is blind. This is where PFDavg comes in.

The "Weakest Link" Principle

A Safety Instrumented Function (SIF) is a chain. It consists of:

1. Sensor Subsystem: Pressure/Temp/Level transmitters.
2. Logic Solver: The Safety PLC.
3. Final Element: The shutdown valve, actuator, and solenoid.

Here is the trap: You can buy a "SIL 3 Capable" pressure transmitter and a "SIL 3 Certified" PLC. But if you connect them to a standard industrial ball valve that gets stuck if not operated for six months, your entire loop is likely SIL 0.

The Final Element usually accounts for 50% to 70% of the total PFD of the loop. Focusing on the sensor while ignoring the valve is a classic rookie mistake.

Calculate Your Loop SIL

Voting Logic: 1oo1 vs. 1oo2

When a single sensor isn't reliable enough to meet the target SIL level, we use redundancy. This changes the architecture of the loop.

1oo1 (One out of One)

This is a single transmitter. If it works, you are safe. If it fails dangerously, you are unsafe.
Pros: Cheap. Simple.
Cons: High PFD. Hard to achieve SIL 2 without frequent testing. High nuisance trip rate (if the sensor fails "safe," the plant trips unnecessarily).

1oo2 (One out of Two)

You install two transmitters. The logic is: "If Transmitter A OR Transmitter B says trip, then trip."
Pros: Extremely safe. If one sensor fails dangerously (blind), the other one still protects the plant. This architecture drastically lowers PFDavg, making SIL 2 or SIL 3 easier to achieve.
Cons: High Spurious Trip Rate (STR). If either transmitter fails "safe" (e.g., a loose wire), the plant trips. You have doubled your chance of a false alarm.

2oo3 (Two out of Three)

The gold standard. You use three transmitters. The logic is: "Trip only if two sensors agree."
Pros: High safety (SIL 3 capable) AND high availability. One sensor can fail safe without tripping the plant.
Cons: Expensive. Requires three process penetrations and complex logic.

The Hidden Variable: Proof Test Interval (T)

PFD is not a static number. It gets worse every day the device is in service. As time passes, the probability of a "stuck" component increases.

The only way to reset this probability is a Proof Test. This is a full functional test where you inject a pressure signal, watch the PLC logic react, and visually verify the valve closes fully and within the required time.

If you calculate your SIL level assuming a proof test every 12 months (T = 1 year), but operations only allows you to test every 3 years (T = 3 years), your PFD triples. You might drop from SIL 2 to SIL 1 just by delaying maintenance.

Check Effect of Test Interval

Conclusion: Architecture Wins Over Certification

Do not be lulled into a false sense of security by "SIL Certified" stickers on instruments. A SIL certificate is just a piece of paper stating the device's failure rates (λ_DU, λ_DD).

Real safety comes from the design. It comes from choosing a 1oo2 voting architecture for critical hazards. It comes from selecting high-quality valves that don't stick. And most importantly, it comes from the discipline of rigorous, periodic Proof Testing.