SIL Verification Study 2

Failure categories as they appear in an FMEDA report (the IEC 61508 symbols are λSD, λSU, λDD and λDU; the FDD/FDU spelling is common in vendor reports):

  • Fail Safe Detected (SD): the failure drives the element to its safe state and the diagnostics report it.
  • Fail Safe Undetected (SU): a safe failure that the diagnostics do not report.
  • Fail Dangerous Undetected (FDU, λDU): a dangerous failure the diagnostics miss; it is revealed only by a proof test or by a real demand, which is why it dominates PFDavg.
  • Fail Dangerous Detected (FDD, λDD): a dangerous failure the diagnostics report, so it can be acted on within the MTTR.
  • Fail High (FH): the output drives to the high end of the range (above the 4-20 mA span on a current-loop transmitter). Whether this is safe or dangerous depends on which way the loop trips.
  • Fail Low (FL): the output drives to the low end of the range; safe or dangerous on the same application-dependent basis as FH.
  • No Effect (NE): a component failure that does not affect the safety function; it is excluded from the SFF calculation.
  • Annunciation Undetected (AU): a failure in a diagnostic or alarm path that is not itself detected; it does not affect the safety function and is not counted in SFF either.

Route 1H is built on hardware fault tolerance (HFT) and safe failure fraction (SFF). SFF is the share of all failures that are not dangerous-undetected, so it depends on how much the diagnostics catch; in practice Route 1H is therefore the route for items that have diagnostics and an FMEDA behind them.

  • 1H is the most common route for new, modern components. Using SFF for them is unproblematic because the manufacturer's FMEDA supplies the detected/undetected split.
  • 2H is typically for mechanical items with no or minimal diagnostics. Imagine a rack-and-pinion actuator: even if it has some diagnostics, they will not cover all its failure modes, so it goes down the 2H path. Route 2H rests on field reliability data (IEC 61508-2 asks for at least 90% confidence in the failure rates) together with a minimum HFT per SIL instead of an SFF requirement.
  • 2H is often used on legacy equipment without a SIL certificate, for example equipment that predates IEC 61508.
  • 2H can also be used for industry-specific equipment with published field data.
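The following is an added worked example, not code from the original post or from any vendor. It ties the failure categories above to the Route 1H discussion: it folds FMEDA categories into SD/SU/DD/DU, lets the loop's trip direction decide whether Fail High / Fail Low count as safe or dangerous, computes SFF, diagnostic coverage and a simplified 1oo1 PFDavg, and then applies the Route 1H architectural-constraint tables. The failure rates are constructed for illustration, and the 1oo1 PFDavg formula is the simplified IEC 61508-6 form without common-cause or proof-test-coverage terms.

```python
"""Worked SIL verification: FMEDA categories -> SFF/DC/PFDavg -> Route 1H ceiling.

Failure rates below are constructed for illustration and are not taken from
any real safety manual or certificate.
"""

FIT = 1e-9  # one FIT = 1 failure per 1e9 hours

# Route 1H (IEC 61508-2:2010, Tables 2 and 3): maximum SIL claimable for a
# given SFF band and HFT.  Rows are SFF bands, columns are HFT 0, 1, 2.
SFF_BANDS = ((0.00, 0.60), (0.60, 0.90), (0.90, 0.99), (0.99, 1.01))
ROUTE_1H_MAX_SIL = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),  # Type A: simple elements
    "B": ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),  # Type B: complex; 0 = not allowed
}

# Constructed FMEDA-style failure rates in FIT for a hypothetical transmitter.
EXAMPLE_FMEDA_FIT = {"SD": 50, "SU": 120, "DD": 300, "DU": 40,
                     "FH": 20, "FL": 60, "NE": 200, "AU": 10}


def fold_categories(fmeda_fit, trip_on_low, fh_detected=True, fl_detected=False):
    """Map FMEDA categories onto the four rates SFF is defined over.

    Fail High / Fail Low are safe or dangerous depending on which way the loop
    trips, so the application, not the certificate, decides their bucket.
    No Effect and Annunciation Undetected failures do not affect the safety
    function and are left out of the calculation (assumption made here).
    """
    rates = {k: fmeda_fit.get(k, 0) for k in ("SD", "SU", "DD", "DU")}
    # For a low trip, drifting low moves the output toward the trip (safe) and
    # drifting high away from it (dangerous); a high trip is the reverse.
    for rate, detected, is_safe in ((fmeda_fit.get("FL", 0), fl_detected, trip_on_low),
                                    (fmeda_fit.get("FH", 0), fh_detected, not trip_on_low)):
        bucket = ("S" if is_safe else "D") + ("D" if detected else "U")
        rates[bucket] += rate
    return rates


def sff(rates):
    """Safe failure fraction: everything except dangerous-undetected over the total."""
    total = rates["SD"] + rates["SU"] + rates["DD"] + rates["DU"]
    return 1.0 - rates["DU"] / total


def diagnostic_coverage(rates):
    """Fraction of dangerous failures caught by diagnostics."""
    return rates["DD"] / (rates["DD"] + rates["DU"])


def pfd_avg_1oo1(rates, proof_test_h, mttr_h):
    """Simplified IEC 61508-6 1oo1 low-demand form: lambda_DU*T1/2 + lambda_DD*MTTR."""
    return rates["DU"] * FIT * proof_test_h / 2 + rates["DD"] * FIT * mttr_h


def sil_from_pfd(pfd):
    """Low-demand PFDavg band -> SIL (IEC 61508-1 Table 2); 0 if no SIL is claimable."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def max_sil_route_1h(sff_value, hft, element_type):
    """Architectural-constraint ceiling from the Route 1H tables."""
    for band, (lo, hi) in enumerate(SFF_BANDS):
        if lo <= sff_value < hi:
            return ROUTE_1H_MAX_SIL[element_type][band][hft]
    raise ValueError(f"SFF {sff_value} outside 0..1")


def verify_1oo1(fmeda_fit, trip_on_low, element_type="B", proof_test_h=8760, mttr_h=8):
    """SIL a single element can support: the lower of the PFDavg band and the
    Route 1H ceiling (HFT 0, because 1oo1 has no redundancy)."""
    rates = fold_categories(fmeda_fit, trip_on_low)
    pfd = pfd_avg_1oo1(rates, proof_test_h, mttr_h)
    ceiling = max_sil_route_1h(sff(rates), hft=0, element_type=element_type)
    return {"rates": rates, "sff": sff(rates), "dc": diagnostic_coverage(rates),
            "pfd": pfd, "sil_pfd": sil_from_pfd(pfd), "sil_1h": ceiling,
            "sil": min(sil_from_pfd(pfd), ceiling)}


if __name__ == "__main__":
    for trip_on_low in (True, False):
        r = verify_1oo1(EXAMPLE_FMEDA_FIT, trip_on_low)
        print(f"trip_on_low={trip_on_low}: SFF={r['sff']:.1%} DC={r['dc']:.1%} "
              f"PFDavg={r['pfd']:.2e} (SIL {r['sil_pfd']}), "
              f"Route 1H ceiling SIL {r['sil_1h']} -> claim SIL {r['sil']}")
```

With the constructed numbers the same transmitter supports SIL 2 in a low-trip loop but only SIL 1 in a high-trip loop: its undetected Fail Low mode lands in λSU in one case and in λDU in the other, dropping SFF from the 90% band to the 60% band, and the Type B / HFT 0 ceiling falls with it even though the PFDavg band alone would allow SIL 3. That is the practical reason the FH/FL classification has to be done per application rather than read off the certificate.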

The "S" paths are generally for the manufacturer and the Certification Body (CB) doing the analysis, but at times (and confusingly) the work can be done by the facility.

  • A 61508-certified instrument with a SIL certificate and a safety manual giving all the parameters needed is definitely 1S: its systematic capability comes from the manufacturer's compliance with the development lifecycle requirements.
  • 1S is the route used by the manufacturer in partnership with a CB.
  • The 2S path needs data. That can be gathered by a CB (and then comes with a SIL certificate) or by the facility itself with a lot of leg work (and no SIL certificate).
  • 2S is the proven-in-use route: the systematic capability claim rests on documented operating history rather than on a 61508 development process, so whenever "proven in use" is claimed, Route 2S is the one being used.

Key Points:

  • 1H/2H: "H" is for hardware. These are the hardware-integrity routes for architectural constraints (HFT), and the choice between them is typically made by the facility.
  • 1S/2S/3S: "S" is for systematic capability. These routes establish systematic capability through certified compliance (1S), proven-in-use evidence (2S), or, for pre-existing software elements only, the IEC 61508-3 criteria (3S). For a component certified to IEC 61508, 1S is the default; if the SIL certificate does not state the route, 1S is implied.
