IEC 61511 Does NOT Require SIL-Certified Devices
Many engineers believe that IEC 61511 requires the use of SIL-certified devices. It sounds logical. It is often written in specifications. It is repeated in projects. But it is not correct — and understanding why matters for every functional safety project.
Neither IEC 61511 nor IEC 61508 requires "SIL-certified devices". The standards do not define certification as a requirement. So where does this idea come from?
Where "SIL-Certified Devices" Actually Comes From
The requirement for certified devices does not come from the standards. It comes from industry practice.
End users, EPC contractors, and engineering companies often require certified devices in their specifications — and this makes sense. They typically do not have the time, the detailed IEC 61508 expertise, or the resources to assess every device in detail for compliance.
So instead, they rely on third-party certification as a form of assurance. Certification becomes a practical shortcut.
Important: Requiring certified devices is a business decision — not a requirement from IEC 61511 or IEC 61508.
What IEC 61511 Actually Requires
IEC 61511 requires that devices used in Safety Instrumented Functions are:
- appropriate for the application
- reliable enough for the required SIL
- supported by evidence
The standard does not prescribe certification. It requires evidence. This is a critical distinction that affects how you specify, select, and justify devices on every SIS project.
The Three Routes to Compliance
To demonstrate that hardware is suitable for use in a safety function, IEC 61511 allows three distinct routes. Understanding these routes is essential — this is where most misunderstandings occur in practice.
Route 1 — Devices developed according to IEC 61508
The most common approach. Devices are developed in accordance with IEC 61508 (Route 1H / 1S), based on hardware integrity and systematic integrity requirements.
These are typically the devices that are independently certified. Certification provides confidence that the development process followed IEC 61508, that failure behaviour is understood, and that limitations and assumptions are clearly documented.
This is why many end users and EPCs prefer this route. It is also the required route for new product developments.
Route 2 — Devices proven in use according to IEC 61508
IEC 61508 allows devices to be justified based on proven reliability data (Route 2H / 2S). The device manufacturer collects and provides field failure data and operational experience.
This route requires sufficient and relevant failure data, known operating conditions, and statistical confidence in reliability. The responsibility for demonstrating compliance lies primarily with the supplier.
Route 3 — Prior use (IEC 61511)
IEC 61511 introduces a third option: prior use. This is fundamentally similar to Route 2 — but with one key difference:
The user must demonstrate that the device is suitable based on their own operational experience. This requires documented usage history, known application conditions, recorded failures and performance data, and evidence that the device behaves as expected.
It is not sufficient to say "we have used this device before." The end user must be able to demonstrate and justify its reliability. In practice, this is not a realistic option for smaller end users who lack the data infrastructure to support such a justification.
Key Insight — Route 2 and Prior Use Follow the Same Principle
Both Route 2 and Prior Use are based on evidence from real operation. The difference is who collects and owns that evidence: Route 2 — the manufacturer. Prior Use — the end user.
Devices Can Be SIL Compliant — But They Do Not "Have a SIL"
The term SIL-certified device is widely used in industry. While certification is valuable, it is important to understand what it actually represents.
A device does not "have a SIL" on its own. SIL applies to the complete safety function — not to individual devices. Devices can be developed in accordance with IEC 61508, assessed for use up to a certain SIL capability, and supported by certification and failure data.
Devices can be SIL compliant — but they do not "have a SIL" by themselves. The SIL is achieved at the level of the complete safety function.
The Right Question to Ask
The real question in functional safety is not: "Is this device SIL-certified?"
The right question is: Do we have sufficient evidence that this device is SIL compliant and will perform its role in the safety function reliably?
That evidence can come from IEC 61508 compliance, proven in use data, or prior use by the end user. The route matters less than the quality of the evidence.
Functional Safety Is About Evidence, Not Labels
Functional safety is not about selecting devices based on labels or certificates. It is about demonstrating that the safety function works when required, achieves the required risk reduction, and performs reliably over the required lifetime.
Certification can support this — and in many cases it is the most practical way to obtain the necessary evidence. But it does not replace engineering responsibility, and it is never a requirement in itself.
Go deeper — IEC 61511 Certification Course
This article covers one of the most misunderstood topics in IEC 61511. Our certification course covers device selection, the three compliance routes, SIS lifecycle implementation, and audit preparation — for engineers who want precision, not shortcuts.
Explore the course → Ask us a question