SIL Requirements

A risk assessment determines whether a safety function requires SIL 2 or SIL 3.
ATTENTION:
The safety signature is required for the controller to operate at a SIL 2 or SIL 3 rating. Controller operation without a safety signature is only suitable during development.
IMPORTANT:
High-demand SIL 2 applications that follow the IEC 61511 standard require a Hardware Fault Tolerance of 1 and must use the guidance for SIL 3 requirements throughout this documentation.
High-demand SIL 2 applications that follow the IEC 62061 standard require a Hardware Fault Tolerance of 0 and must use at least the guidance for SIL 2 requirements throughout this documentation.

SIL 2 Requirements

The following applies to SIL 2 safety functions:
  • Controller redundancy is not required, but recommended for high availability.
  • There is no mean repair time (MRT) requirement. Timely system repair is not required, but is recommended for high availability.
IMPORTANT: If operating above 55 °C (131 °F) in a SIL 2 application, modules greater than 6.2 W must not be installed in slots that are next to a safety controller.

SIL 3 Requirements

The following applies to SIL 3 safety functions:
  • Controller redundancy is required, and you must monitor the system for a loss of redundancy.
  • There is a mean repair time (MRT) requirement. If a loss of redundancy occurs, timely system repair is required within your specified MRT.
  • If the system is not repaired within the MRT, you must take a specified action to maintain or achieve a safe state.
  • Upon power-up, SIL 3 safety functions are not permitted to be reset until controller redundancy is achieved.
IMPORTANT: The safety task can contain a number of safety functions. For a particular function to be SIL 3, the entire chain of devices and programming from the sensor to the actuator must be SIL 3. Be careful that you do not use a SIL 2 input signal for a safety function that requires SIL 3.
We recommend that you monitor the Redundancy Status bit (S:R) for a loss of redundancy and start a timer if the S:R bit goes to 0:
  • When the timer reaches your specified MRT, execute logic to achieve or maintain a safe state.
  • If system requalification causes the S:R bit to go to 1 before the timer expires, stop the timer and resume normal execution.
For more information about the S:R bit, see Redundancy Status.
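The loss-of-redundancy handling described above (start a timer when S:R goes to 0, demand a safe state if the MRT expires, stop the timer if requalification brings S:R back to 1 before then) is shown here as a small executable model. This is an added example, not code from the original page or from Rockwell Automation; it is a Python model of the safety-program logic, not Studio 5000 ladder or structured text. The class name `RedundancyMonitor`, the per-scan call `scan(s_r, dt_ms)`, the latched safe-state demand and the `reset()` rule are all assumptions made for illustration. The latch and the reset rule also encode the power-up requirement that a SIL 3 function may not be reset until redundancy is achieved; the scan traces are constructed, not captured from a controller.

```python
from dataclasses import dataclass


@dataclass
class RedundancyMonitor:
    """Model of MRT supervision driven by the Redundancy Status bit (S:R).

    Assumed model, not Studio 5000 code: the safety program calls scan()
    once per safety task scan with the current S:R value and the time
    elapsed since the previous scan.
    """
    mrt_ms: int                 # user-specified mean repair time
    elapsed_ms: int = 0         # timer accumulator while S:R == 0
    timing: bool = False        # timer running (loss of redundancy active)
    safe_state: bool = False    # latched demand for the safe-state action
    redundant: bool = False     # last S:R value seen (0 at power-up)

    def scan(self, s_r: int, dt_ms: int) -> bool:
        """One safety-task scan. Returns True while a safe state is demanded."""
        self.redundant = (s_r == 1)
        if self.redundant:
            # Requalification before expiry: stop the timer and resume
            # normal execution. A demand already latched stays latched.
            self.timing = False
            self.elapsed_ms = 0
        else:
            if not self.timing:
                # S:R just went to 0: start the MRT timer
                self.timing = True
                self.elapsed_ms = 0
            self.elapsed_ms += dt_ms
            if self.elapsed_ms >= self.mrt_ms:
                # Not repaired within the MRT: execute the specified
                # action to achieve or maintain the safe state (latched).
                self.safe_state = True
        return self.safe_state

    def reset(self) -> bool:
        """Operator reset of the safety function. Returns True if honoured.

        Assumed rule: a reset is refused while redundancy is absent, which
        also covers power-up, where S:R is 0 until redundancy is achieved.
        """
        if not self.redundant:
            return False
        self.safe_state = False
        return True


def simulate(mrt_ms: int, trace: list[tuple[int, int]]) -> list[bool]:
    """Run a constructed (S:R, dt_ms) trace and return the per-scan demand."""
    mon = RedundancyMonitor(mrt_ms=mrt_ms)
    return [mon.scan(s_r, dt) for s_r, dt in trace]


if __name__ == "__main__":
    # Constructed trace: redundancy lost for 300 ms, then requalified
    # before a 500 ms MRT. No safe-state action is demanded.
    repaired = [(1, 100), (1, 100), (0, 100), (0, 100), (0, 100), (1, 100)]
    print("repaired in time:", simulate(500, repaired))

    # Constructed trace: redundancy lost and never repaired. The demand
    # latches on the scan where the timer reaches the MRT.
    unrepaired = [(1, 100)] + [(0, 100)] * 6
    print("MRT exceeded:   ", simulate(500, unrepaired))
```

The timer is reset only on the transition to S:R = 0, so a flapping S:R does not accumulate across separate loss events; if your risk assessment wants cumulative time without redundancy to count, keep `elapsed_ms` across events instead. The latched demand is deliberately not cleared by S:R returning to 1 on its own, so that the specified action persists until a permitted reset.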