IEC 61511 Does NOT Require SIL-Certified Device

Many engineers believe that IEC 61511 requires the use of SIL-certified devices.

It sounds logical.
It is often written in specifications.
It is repeated in projects.

But it is not correct.

Neither IEC 61511 nor IEC 61508 requires “SIL-certified devices”.

In fact, the standards do not define certification as a requirement.

So where does this idea come from?

Where “SIL-Certified Devices” Actually Comes From

The requirement for certified devices does not come from the standards.

It comes from industry practice.

End users, EPC contractors, and engineering companies often require certified devices in their specifications.

And this makes sense.

End users, EPC contractors, and engineering companies:

• do not have the time
• do not have the detailed IEC 61508 and functional safety expertise
• do not have the resources

to assess every device in detail for compliance.

So instead, they rely on third-party certification as a form of assurance.

Certification becomes a practical shortcut.

But it is important to understand:

This is a business decision — not a requirement from IEC 61511 or IEC 61508.

What IEC 61511 Actually Requires

IEC 61511 requires that devices used in Safety Instrumented Functions are:

• appropriate for the application
• reliable enough for the required SIL
• supported by evidence

The standard does not prescribe certification.

It requires evidence.

The Three Routes to Compliance

To demonstrate that hardware is suitable for use in a safety function, IEC 61511 allows three distinct routes.

Understanding these routes is essential, because this is where many misunderstandings occur in practice.

1. Devices Developed According to IEC 61508 (Route 1H / 1S)

The most common approach is to use devices developed in accordance with IEC 61508.

These devices follow:

• Route 1H / 1S
• Based on hardware integrity and systematic integrity

These are typically the devices that are independently certified.

Certification provides confidence that:

• the development process followed IEC 61508
• failure behaviour is understood
• limitations and assumptions are documented

This is why many end users and EPCs prefer this route. This is also the route for new product developments.

2. Devices Proven in Use According to IEC 61508 (Route 2H / 2S)

IEC 61508 also allows devices to be justified based on proven reliability data.

These follow:

• Route 2H / 2S
• Based on field failure data and operational experience

In this case, the device manufacturer (supplier) collects and provides the data.

This route requires:

• sufficient and relevant failure data
• known operating conditions
• statistical confidence in reliability

The responsibility for demonstrating compliance lies primarily with the supplier.

3. Devices Based on Prior Use (IEC 61511)

IEC 61511 introduces a third option:

Prior use.

This is fundamentally similar to Route 2 — but with one key difference:

The data is collected and justified by the end user, not the supplier.

In this case, the user must demonstrate that the device is suitable based on their own operational experience.

This requires:

• documented usage history
• known application conditions
• recorded failures and performance
• evidence that the device behaves as expected

It is not sufficient to say:

“We have used this device before.”

The end user must be able to demonstrate and justify its reliability. Not really an option for “small” end users.

Key Insight

Route 2 and Prior Use are based on the same principle:

evidence from real operation.

The difference is:

• Route 2 → evidence provided by the manufacturer
• Prior Use → evidence provided by the end user

Devices Can Be SIL Compliant — But Not “Have a SIL”

The term SIL-certified device is widely used in industry.

While certification is valuable, it is important to understand what it represents.

A device does not “have a SIL” on its own.

SIL applies to the complete safety function, not to the individual devices.

Devices can be:

• developed in accordance with IEC 61508
• assessed for use up to a certain SIL capability
• supported by certification and failure data

In that sense:

Devices can be SIL compliant — but they do not “have a SIL” by themselves.

The SIL is achieved at the level of the complete safety function.

What Really Matters

The real question in functional safety is not:

“Is this device SIL-certified?”

The real question is:

Do we have sufficient evidence that this device is SIL compliant and will it perform its role in the safety function?

That evidence can come from:

• IEC 61508 compliance
• proven in use data
• prior use by the end user

Functional Safety Is About Evidence, Not Labels

Functional safety is not about selecting devices based on labels or certificates.

It is about demonstrating that the safety function:

• works when required
• achieves the required risk reduction
• performs reliably over time

Certification can support this.

But it does not replace engineering responsibility.

---