Proper Understanding of Valve SIL Certification and PFDavg

In the field of Functional Safety, SIL (Safety Integrity Level) has become an important reference for customers in the petrochemical, chemical processing, energy, and process industries when selecting equipment. However, in practical applications, there are often misunderstandings regarding the meaning of a valve SIL certificate and its relationship with PFDavg (Average Probability of Failure on Demand).

SIL Assesses a Safety Function, Not a Single Device

According to the international standards IEC 61508 and IEC 61511, SIL is assigned to a complete Safety Instrumented Function (SIF), not to an individual product or device.

A complete SIF typically consists of:

• Sensor
• Logic Solver
• Final Element

For example, in an emergency shutdown system, a pressure transmitter detects an abnormal pressure condition, the safety control system issues a trip command, and an Emergency Shutdown Valve (ESD Valve) or Shutdown Valve (SDV) executes the required shutdown action. Only when the entire safety function chain operates correctly upon demand can the intended risk reduction be achieved.

Therefore, the SIL level defined by IEC standards evaluates the reliability of the overall safety function rather than the performance of any single component within the system.

The Applicability of PFDavg and PFH Depends on Demand Mode

IEC standards specify that:

• In Low Demand Mode, SIL is evaluated using PFDavg (Average Probability of Failure on Demand).
• In High Demand Mode or Continuous Mode, SIL is evaluated using PFH (Probability of Dangerous Failure per Hour).

Therefore, whether PFDavg or PFH is used is not determined by the type of equipment but by the actual demand frequency of the safety function being performed.

For valves used in SIS applications, such as ESD valves, SDVs, MOVs, or XVs, if the valve is only required to operate during abnormal process conditions, it is generally considered a low-demand application. If the safety function is required to operate frequently, it may fall into high-demand or continuous mode, and a different evaluation methodology will apply.

Why a Valve SIL Rating Cannot Be Directly Used to Determine Its PFDavg

It is common to encounter statements such as:

“This valve has SIL 3 certification, therefore its PFDavg must fall within the SIL 3 range.”

However, this interpretation is incomplete.

In reality, an individual valve does not possess a single fixed PFDavg value.

PFDavg is typically a function of:

PFDavg = f (λDU, TI, PST, DC, Architecture)

Where:

• λDU = Dangerous Undetected Failure Rate
• TI = Proof Test Interval
• PST = Partial Stroke Test Interval
• DC = Diagnostic Coverage
• Architecture = System Architecture (e.g., 1oo1, 1oo2, 2oo3)

As a result, the same valve can produce different PFDavg values under different system designs and maintenance strategies.

In other words, PFDavg is not an inherent fixed property of the device itself. It must be calculated and verified based on the overall application conditions.

For example:

• Performing a proof test annually
• Performing a proof test every three years
• Implementing or not implementing Partial Stroke Testing (PST)
• Using a 1oo1 architecture versus a 1oo2 architecture

will all affect the final PFDavg result.

Therefore, a valve does not have one fixed and universally applicable PFDavg value.

What Does a Valve SIL Certificate Actually Represent?

Valve SIL certificates issued by third-party certification bodies such as TÜV or Exida often contain statements such as:

• Suitable for use in SIL 3 applications
• Capable for use in SIL 3 Safety Instrumented Functions

The true meaning of such certifications is that the device has been evaluated against the requirements of IEC 61508, including:

• Systematic Capability (SC)
• Safe Failure Fraction (SFF)
• Hardware Fault Tolerance (HFT)
• Relevant reliability assessment requirements

and has been determined to be suitable for use as part of a safety function designed to achieve a specified SIL level.

In other words, the certification demonstrates that the device is suitable for incorporation into a SIL 3 safety function design.

Conclusion

Selecting a SIL-certified valve is an important foundation for establishing a functional safety system. However, the SIL 2 or SIL 3 designation shown on a valve certificate does not directly mean that the valve itself independently achieves the PFDavg requirements associated with that SIL level, nor does it imply that the valve alone can provide a specific level of risk reduction.

According to the functional safety principles defined in IEC 61508 and IEC 61511, SIL compliance must be evaluated at the level of the complete Safety Instrumented Function (SIF), rather than at the level of an individual device.

Therefore, a certified valve should be considered one component within the overall SIF architecture and must be evaluated together with the sensors, logic solver, and final elements of the system. The determination of PFDavg and SIL verification must be based on actual application conditions, equipment reliability data, proof test strategies, maintenance practices, and operating environments.

Only through a comprehensive functional safety assessment and verification that accurately reflects real operating conditions can it be confirmed that the overall SIF achieves the target SIL level and that the safety function will perform its protective role reliably when required. This ultimately ensures that the required risk reduction objectives and functional safety requirements of the process facility are achieved.