Safety Instrumented Systems (SIS), Safety Integrity Levels (SIL), IEC 61508, and Honeywell Field Instruments


Honeywell Field Instruments are ready for the new safety standards for the process industries

Background

In 1996, the Instrument Society of America published standard ANSI/ISA S84.01-1996, “Application of safety instrumented systems for the process industries.” This standard was accepted by the American National Standards Institute (ANSI) in March of 1997, and thus became enforceable under OSHA’s process safety management (PSM) and the EPA’s risk management program (RMP).

During 1998 through 2000, the International Electrotechnical Commission (IEC) published the IEC 61508 and IEC 61511 standards.

The IEC 61508 standard, “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems,” is for suppliers of microprocessor-based instrumentation to the process, medical, and avionics industries.

The IEC 61511 standard, “Functional Safety: Safety Instrumented Systems for the Process Industry Sector,” is for end users and engineering firms, detailing the requirements for design and implementation of safety instrumented systems (SIS) for the process industries.

IEC and ISA are working together to standardize on IEC 61511 as the global SIS standard, which would make IEC 61508 the global standard for manufacturers.

Safety Instrumented Systems

End users (e.g., petrochemical plants) are increasingly using safety instrumented systems (SIS) to complement their process control systems. A SIS is utilized when the risk of an accident needs to be reduced. SIS is defined by ISA S84.01 and IEC 61508 as:

SIS loop: “An SIS is a distinct, reliable system used to safeguard a process to prevent a catastrophic release of toxic, flammable, or explosive chemicals.”

SIS loop scope: “System composed of sensors, logic solvers, and final control elements for the purpose of taking a process to a safe state, when predetermined conditions are violated.”

Every element in the loop is part of the SIS, and needs to be considered when doing an analysis of the SIS. This could include pressure and temperature transmitters, a control system or stand-alone controller, control valves or other final control devices, electrical wiring, process piping, power supplies, software, etc.

The function of the SIS is to monitor the process for potentially dangerous conditions (process demands), and to take action when needed to protect the process.

Safety Integrity Level

The Safety Integrity Level (SIL) is a statistical representation of the integrity of the SIS when a process demand occurs. The purpose of the SIS is to reduce risk, so SIL levels can be defined in terms of the risk reduction factor (RRF). The inverse of the RRF is the probability of failure on demand (PFD), so RRF = 1/PFD. IEC 61508 defines SIL levels 1 through 4, with SIL level 1 representing the lowest acceptable risk level, and SIL level 4 representing the highest acceptable risk level.

Safety Integrity   Availability      Probability to      1/PFD
Level              Required          Fail on Demand      (RRF)
4                  >99.99%           E-005 to E-004      100,000 to 10,000
3                  99.90 - 99.99%    E-004 to E-003      10,000 to 1,000
2                  99.00 - 99.90%    E-003 to E-002      1,000 to 100
1                  90.00 - 99.00%    E-002 to E-001      100 to 10

For example, the end user can define a process as a SIL 1 SIS, accepting the risk that the SIS will be available 90% of the time (for a 10% chance of failure). For instance, a low water level on a storage tank will normally (90% of the time) be expected to trip a sensor, which in turn will control a valve to refill the tank. 10% of the time, the SIS is expected to fail, and the tank will not be refilled.

IEC 61508 and Honeywell

One of the steps required to achieve functional safety certification per IEC 61508 is a Failure Modes, Effects, and Diagnostic Analysis (FMEDA). Companies like TUV and Exida offer their services to perform the FMEDA. The result is a certificate, which contains the information that the end user needs to complete a statistical analysis of the SIS.

Honeywell used Exida to perform the FMEDA for the ST 3000® pressure transmitters and the model STT25H HART* temperature transmitter. Attached to this note is a copy of the certificate for the pressure transmitters. The certificates are also available online at http://field-measurement.com/.

The following definitions will be useful when reading the FMEDA:

Diagnostic Coverage: The fraction of the failure rate detected by the operation of internal diagnostic tests. This fraction is expressed as the ratio of the failure rates that are associated with the detected failures to the total failure rate in any mode. For this device, it is assumed that options are set so that detected failures cause the unit to go to under-range.

Fail Dangerous Detected: Failure that is potentially dangerous but that is detected by internal diagnostics and converted to the selected fail-safe state.

Fail Dangerous Undetected: Failure that is dangerous and that is not being diagnosed by internal diagnostics.

Fail Dangerous: Failure that deviates the measured input state or the actual output by more than 2% of span and that leaves the output within active scale.

Fail High: Failure that will result in an output current that is higher than 20 mA.

Fail Low: Failure that will result in an output current that is lower than 4 mA.

Fail Safe Detected: Failure that leads to a safe state and that is detected by internal diagnostics.

Fail Safe Undetected: Failure that leads to a safe state and that is not detected by internal diagnostics.

Fail Safe: Failure that results in the presentation of the selected fail-safe input or output condition independent of the actual input state.

Safe Failure Fraction: The fraction of the overall failure rate of a device that results in either a safe fault or a diagnosed unsafe fault.
ST 3000 Pressure Transmitter FMEDA Certificate

Date: ______________________________
Honeywell Model: ______________________________
Serial Number: ______________________________
Tag Number: ______________________________
Customer PO Number: ______________________________
A Failure Modes, Effects and Diagnostics Analysis is one of the steps taken to achieve functional safety certification
per IEC61508 of a device. From the FMEDA, failure rates and safe failure fraction are determined for the analog
operating modes with either the HART or DE Protocol. The failure rates for the ST Integral Meter were also
evaluated. This FMEDA includes all hardware, electronic and mechanical. For full certification purposes all
requirements of IEC61508 must be considered including the software of the transmitter.

The ST 3000 transmitter is an isolated two-wire 4 to 20mA smart device classified as Type B according to IEC61508.
It contains self-diagnostics and is programmed to send its output to a specified failure state, either high or low, upon
internal detection of a failure.

The failure rates, safe failure fraction and PFDavg calculation for the ST 3000 pressure transmitter with HART Protocol operating in a clean service are as follows*:

λH = 47.88 × 10^-9 failures per hour
λL = 296.70 × 10^-9 failures per hour
λDU = 145.84 × 10^-9 failures per hour
SFF = 70.26%
PFDavg = 6.41E-4 for a one year time interval

The failure rates, safe failure fraction and PFDavg calculation for the ST 3000 pressure transmitter with DE Protocol operating in a clean service are as follows*:

λH = 47.88 × 10^-9 failures per hour
λL = 292.60 × 10^-9 failures per hour
λDU = 139.74 × 10^-9 failures per hour
SFF = 70.90%
PFDavg = 6.14E-4 for a one year time interval.

Based on a 35% PFDavg budget for the sensor subsystem, both transmitters would meet the PFDavg requirements
of SIL2 in a single configuration. Both transmitters would meet the architectural constraint requirements in IEC61508
at a level of SIL1 for a single configuration.
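As an added worked example (not part of the Honeywell note or the Exida certificate), the script below recomputes the certificate's safe failure fractions from the quoted failure rates and derives the two SIL statements above: the PFDavg band from the SIL table, scaled by the 35% sensor-subsystem budget, and the architectural constraint for a Type B device. The simplified one-channel estimate PFDavg ≈ λDU·T/2 and the IEC 61508-2 Type B constraint table are my assumptions about the method; the certificate does not state how its figures were produced.

```python
# Added example (not from the Honeywell note or the Exida certificate).
# Failure rates in failures per hour as quoted on the ST 3000 certificate.
# lam_h / lam_l: fail-high / fail-low (the transmitter drives its output to a
# specified failure state on detection, so both count on the "safe" side of
# the SFF); lam_du: dangerous undetected; pfd_avg: the certificate's figure.
ST3000 = {
    "HART": {"lam_h": 47.88e-9, "lam_l": 296.70e-9, "lam_du": 145.84e-9, "pfd_avg": 6.41e-4},
    "DE":   {"lam_h": 47.88e-9, "lam_l": 292.60e-9, "lam_du": 139.74e-9, "pfd_avg": 6.14e-4},
}
# PFDavg bands from the SIL table in the note (lower inclusive, upper exclusive).
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

def safe_failure_fraction(lam_h, lam_l, lam_du):
    """SFF = (safe + dangerous detected) / total failure rate."""
    return (lam_h + lam_l) / (lam_h + lam_l + lam_du)

def pfd_avg_1oo1(lam_du, proof_test_hours=8760.0):
    """Simplified IEC 61508-6 estimate for one channel: PFDavg ~= lam_du * T / 2.
    Assumed method; the certificate's detailed figure differs slightly."""
    return lam_du * proof_test_hours / 2.0

def sil_from_pfd(pfd, budget=1.0):
    """Highest SIL whose PFDavg band the device fits once the band's upper limit
    is scaled by the share of total PFD allocated to this subsystem (e.g. 0.35)."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_PFD_BANDS[sil][1] * budget:
            return sil
    return 0  # worse than SIL 1

def sil_from_architecture_type_b(sff, hft=0):
    """IEC 61508-2 architectural constraint for a Type B device (assumed table):
    rows are SFF bands <60%, 60-90%, 90-99%, >=99%; columns HFT 0, 1, 2;
    0 means not allowed at that hardware fault tolerance."""
    rows = [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (2.0, (3, 4, 4))]
    for upper, sils in rows:
        if sff < upper:
            return sils[min(hft, 2)]

def assess(dev, budget=0.35):
    """Reproduce the certificate's SFF and the two SIL statements for one device."""
    sff = safe_failure_fraction(dev["lam_h"], dev["lam_l"], dev["lam_du"])
    return {
        "sff_pct": round(100 * sff, 2),
        "rrf": round(1.0 / dev["pfd_avg"]),  # RRF = 1/PFD
        "sil_pfd_budgeted": sil_from_pfd(dev["pfd_avg"], budget),
        "sil_architecture": sil_from_architecture_type_b(sff),
    }
```

Running assess() on both entries gives SFF 70.26% and 70.90%, SIL 2 against the budgeted PFDavg band and SIL 1 from the Type B architectural constraint, matching the certificate; without the 35% budget the same PFDavg values fall in the SIL 3 band, which is why the budget matters.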
Summary

As the process industry moves toward adopting the newer safety standards, Honeywell Field Instruments are poised to meet the challenge. The FMEDA certificates, available for the ST 3000 pressure transmitters and the HART temperature transmitter (STT25H), are only a part of what Honeywell has to offer. Honeywell’s TPS system is the industry leader in building plant safety, with the Fail Safe Control (FSC®) safety system. In addition, FSC SafeCalc is a software tool that was specially developed by Honeywell Safety Management System to perform SIL validation calculations in accordance with the international IEC 61508 standard. It helps users carry out a quantitative analysis of the reliability (safety integrity) of the designed safety-instrumented functions. It can carry out complicated reliability calculations fast and accurately.

Further information about the TPS system can be found at http://www.acs.honeywell.com/ichome/

ST 3000® and FSC® are registered trademarks of Honeywell International Inc.


*HART is a trademark of the HART Communications Foundation.

U.S.A.: Honeywell Industrial Measurement and Control, 16404 North Black Canyon Hwy., Phoenix, AZ 85053 Canada: The Honeywell Centre, 155 Gordon
Baker Rd., North York, Ontario M2H 3N7 Latin America: Honeywell Inc., 480 Sawgrass Corporate Parkway, Suite 200, Sunrise, Florida 33325 Japan:
Honeywell K.K. 14-6 Shibaura 1-chome, Minato-ku, Tokyo, Japan 105-0023 Asia: Honeywell Pte. Ltd., Honeywell Building, 17 Changi Business Park Central
1, Singapore 486073 Pacific Division: Honeywell Pty Ltd., 5 Thomas Holt Drive, North Ryde NSW Australia 2113 Europe and Africa: Honeywell S.A.,
Avenue du Bourget 3, 1140 Brussels, Belgium Eastern Europe: Honeywell Praha,s.r.o. Budejovicka 1, 140 21 Prague 4, Czech Republic Middle East:
Honeywell Middle East Ltd., Technology Park, Cert Complex, Block Q, Murror Rd., Abu Dhabi, U.A.E.

Industrial Measurement and Control


http://www.honeywell.com/imc
w.pdf 5006 7/2002 © Honeywell International Inc.