I’ve lost count of how many times I’ve heard “this transmitter is SIL 3” thrown around like it’s a checkbox on a datasheet. Every time, I ask one question back: SIL 3 at what HFT? Most of the time I get a blank stare.
That gap — between reading a SIL number and actually reading a Functional Safety certificate — is where a lot of engineers quietly lose credibility, and where a lot of SIS audits find their biggest findings. Knowing how to read the “Scope and Result” section properly isn’t academic. It’s the difference between specifying a SIF that holds up in a HAZOP/LOPA review and one that gets flagged two years later during an audit.
I recently went through a smart transmitter’s Functional Safety certificate line by line. Here’s what it actually said, and why every line matters more than the SIL label on the front page.
SIL Belongs to the SIF, Not the Transmitter
The certificate didn’t say “SIL 3.” It said:
- HFT = 0 → up to SIL 2
- HFT = 1 → up to SIL 3
That’s not a weak claim or a hedge — that’s exactly how IEC 61508 is structured. SIL is a property of the complete Safety Instrumented Function: sensor, logic solver, and final element together, not any single device in isolation.
A single transmitter used alone (1oo1, HFT = 0) gives you SIL 2 capability. To claim SIL 3, you need a redundant sensor architecture — typically 1oo2 — which raises the HFT to 1.
| HFT | Typical Architecture | Max SIL Claim (single sensor subsystem) |
|---|---|---|
| 0 | 1oo1 (single transmitter) | SIL 2 |
| 1 | 1oo2 (dual transmitter) | SIL 3 |
Based on the certificate’s stated HFT-to-SIL mapping — architecture-dependent, not a blanket device rating.
This is the most misunderstood part of functional safety in the field. I’ve seen “SIL 3 transmitter” written into requisitions, datasheets, even P&IDs, when what’s actually being installed is a single Type B device with SFF in the 90–99% band. The device isn’t lying — whoever quoted the label just skipped the architecture part.
Note: this is exactly why IEC 61508 makes you state HFT and SFF together. Neither number means anything on its own.
λDU — the Parameter That Actually Drives the Numbers
Once you get past the SIL label, the number that actually matters is λDU — the dangerous undetected failure rate. Everything downstream depends on it:
- PFDavg (Probability of Failure on Demand, average)
- Risk reduction achieved
- Proof test interval you can justify
- Whether you need 1oo1, 1oo2, or 2oo3 voting
For a 1oo1 architecture, the relationship is straightforward:
PFDavg = λDU × TI / 2
Where TI is the proof test interval. A low λDU is one of the strongest indicators of good diagnostic effectiveness in a smart transmitter — it means the device’s internal self-checks are catching failures before they become dangerous, undetected ones.
This is also why two transmitters carrying the same “SIL 3 capable” marketing line can behave very differently in service. The one with the lower λDU gives you more margin on proof test interval, or better PFDavg headroom, for the exact same architecture.
Why Voting Architecture Isn’t Just an HFT Formality
Moving from 1oo1 to 1oo2 doesn’t only buy you HFT = 1 on paper. It usually improves PFDavg too, because now two independent channels have to fail dangerously-undetected before the SIF is compromised, instead of just one.
I’m deliberately not writing out the 1oo2 PFDavg formula here — the moment you add redundancy, common cause failure (the β-factor) and your testing regime (staggered vs. simultaneous proof testing) start driving the number just as much as λDU does.
That’s a calculation worth running properly against your specific FMEDA data, not approximating from a generic formula. (Verify against your SIL verification tool or a competent functional safety engineer before using any redundant-architecture PFDavg figure in a real SIF.)
When PFDavg Looks Better Than the Architecture Allows
Here’s where it gets counterintuitive. The certificate’s reported PFDavg for this transmitter, in single-channel use, numerically fell inside the SIL 3 band (10⁻⁴ to 10⁻³). But the device is still capped at SIL 2.
Illustrative example — not the actual certificate’s figures:
Say λDU = 150 FIT (150 × 10⁻⁹ per hour) and TI = 1 year (8,760 hours):
PFDavg = (150 × 10⁻⁹) × 8,760 / 2 = 6.57 × 10⁻⁴
That number sits inside the SIL 3 range (10⁻⁴ – 10⁻³). If you only looked at PFDavg, you’d want to claim SIL 3. But this device is Type B, HFT = 0, SFF in the 90–99% band — and IEC 61508’s architectural constraints table caps that exact combination at SIL 2, regardless of how good the PFDavg number looks.
This is the part most people miss: quantitative reliability (PFDavg) and qualitative capability (architectural constraints) are two separate gates. You have to pass both. A great PFDavg doesn’t buy you out of an architecture limitation.
💡 Sanity check: halve the proof test interval to 6 months and PFDavg drops to roughly 3.3 × 10⁻⁴ — still SIL 3 territory numerically, still SIL 2 architecturally. The architecture gate doesn’t move just because you test more often.
SFF = 92.7% — Why a Single Number Has Teeth
The certificate listed SFF = 92.7%. On its own that looks like a good number — and it is. But what it actually unlocks depends entirely on device Type and HFT.
For a Type B device — any device with embedded software or complex electronics, which is basically every smart transmitter on the market — IEC 61508-2’s architectural constraints table (commonly referenced as the Route 1H table) reads roughly like this:
| SFF | HFT = 0 | HFT = 1 | HFT = 2 |
|---|---|---|---|
| < 60% | Not allowed | SIL 1 | SIL 2 |
| 60% – <90% | SIL 1 | SIL 2 | SIL 3 |
| 90% – <99% | SIL 2 | SIL 3 | SIL 4 |
| ≥ 99% | SIL 3 | SIL 4 | SIL 4 |
🔴 Verify the exact table against your edition of IEC 61508-2 before using it in a real SIL verification — this is Table 3 (Route 1H) as commonly cited, reproduced here for illustration.
At SFF = 92.7% and HFT = 0, you land exactly on SIL 2. Push HFT to 1 — typically by adding a second transmitter in 1oo2 — and the same SFF band unlocks SIL 3.
Compare this with a Type A device (simple, well-understood failure modes — think a basic mechanical pressure switch). At the same SFF band, Type A reaches SIL 3 at HFT = 0. That’s the whole reason a mechanical device can sometimes carry a higher single-channel SIL claim than an electronic one with a similar SFF — Type A and Type B don’t share the same table.
Note: don’t skip checking whether your device is genuinely Type A or Type B. Any device with a microprocessor or firmware — which covers most modern transmitters — is Type B by definition, even if the failure modes look simple on paper.
The 21.6 mA Line That Breaks Real SIS Audits
This is the line in the Safety Manual that I think gets the least attention, and causes the most trouble in operating plants:
“Output currents >21.6 mA shall be treated as a fault condition.”
This single sentence is doing a lot of work. The transmitter uses an out-of-range analog signal — driving upscale during internal diagnostics — as its way of telling the outside world “something’s wrong, don’t trust this reading.
” That’s a legitimate, well-established diagnostic technique, in the spirit of NAMUR NE43 practice for analog fault signalling. But it only works if the receiving end is actually listening for it.
Case 1 — AI card configured correctly: The safety PLC’s analog input is set up with extended range and fault-flag detection enabled. It sees >21.6 mA, correctly flags a diagnostic fault, and the SIS logic solver treats the channel as failed-safe. Diagnostic coverage matches what the FMEDA assumed. λDU stays valid.
Case 2 — AI card scaling clamps at 20 mA: Someone configured the analog input scaling to saturate at 20 mA and ignore anything above it — often “for cleaner trending,” or simply because nobody cross-checked the safety manual. The overrange fault signal gets silently absorbed. The PLC sees a flat 20 mA and has no idea the transmitter is trying to report a fault.
In Case 2, your diagnostic coverage on paper is not your diagnostic coverage in the field. The λDU value used in your PFDavg calculation assumed that fault would be detected.
If it isn’t, some of what you budgeted as “dangerous detected” quietly becomes “dangerous undetected” — and your achieved SIL no longer matches what was verified on paper.
I’ve seen this exact mismatch surface in SIS audits more than once — not because anyone did something obviously wrong, but because the person configuring the AI card and the person who ran the SIL verification calculation never cross-checked the safety manual’s fault current threshold against the actual PLC configuration.
Note: this is a genuinely easy thing to check during FAT or loop check — confirm your safety PLC’s AI card range and fault-detection settings actually match the number printed in the safety manual, not just “20 mA is 20 mA.”
What Real SIS Integrity Actually Requires
None of this — HFT, SFF, λDU, the mA threshold — is trivia. It’s the actual mechanics behind whether a “SIL 3” claim on a datasheet still means something once the loop is in service.
Real SIS integrity comes from getting all of these right, together:
- Correct architecture — HFT and voting that match what the SIL target actually requires, not what the datasheet label implies
- Proper diagnostic handling — safety PLC configuration that matches the safety manual’s fault-reporting scheme, not generic AI card defaults
- Effective proof testing — TI chosen to keep PFDavg inside the target SIL band, and actually executed on schedule
- Lifecycle management — per IEC 61511, changes to any of the above go through management of change, not ad-hoc field tweaks
- Operational discipline — bypass management, alarm response, and maintenance overrides that don’t quietly erode the SIF you verified on paper
Miss any one of these, and the SIL number on the datasheet stops being a promise and starts being a liability waiting for an audit to find it.
The Actual Advantage of Getting This Right
Here’s the part that doesn’t show up in the standard itself, but shows up everywhere in real projects.
A specification that quotes “SIL 3 transmitter” without stating HFT usually survives the requisition stage — nobody catches it at PO time. It gets caught later: at SIL verification, at FAT, or worst case, during an operating-plant SIS audit, when someone finally lines up the certificate against the loop drawing and the PLC configuration.
At that point it’s not a five-minute fix. It’s a rework of the SIL verification calculation, possibly a change to the field architecture, and a documented finding that someone has to explain.
Compare that to catching the same gap at the spec stage — where fixing it is just adding a second transmitter to the BOM, or correctly stating SIL 2 capability instead of an unverifiable SIL 3 claim. Same engineering, radically different cost and schedule impact, depending purely on when it’s caught.
That’s the practical advantage of actually reading the certificate: you catch the HFT/SFF/λDU mismatch at spec review, not at audit.
It’s also, not coincidentally, the kind of detail that senior engineers and hiring panels notice when they’re deciding who gets trusted with the harder functional safety work — the difference between someone who can quote a SIL number and someone who can defend it.
EndNote
If you’ve ever had a SIL claim challenged in a HAZOP, or an audit finding trace back to a mismatch like the 21.6 mA case above, I’d genuinely like to hear about it in the comments.
Real mismatches like this teach more than any textbook example — they’re usually where the standard stops being theory and starts being the thing standing between a “SIL 3” label and an actual SIL 3 loop.
you like this article, and if you want to know about thermowell design engineering. Procurement cycle for an instrumentation package Check out my previous article.
And you can also follow our LinkedIn group which is specially made for sharing information related to Industrial Automation and Instrumentation.
