Routes (1H, 2H, 1S, 2S, 3S)

Definition:
Routes define the methods for demonstrating hardware and systematic capability compliance for functional safety equipment. They apply to the manufacturer and are defined in the IEC 61508 series. Different routes trigger different tables and rules within the program. Routes are applied at the element level. The SIF / SIS is an aggregation of those elements. This is a notoriously confusing part of Functional Safety and IEC 61508/61511.

Broadly speaking,

  • the “H” routes are the hardware approach. The “S” routes are systematic capability.
  • Route 1 uses prescriptive architectural constraints (SFF and HFT tables) while Route 2 uses reliability data and operational evidence to justify performance.

Routes are more relevant to the equipment manufacturer and certification bodies and less to the FuSa engineer at the facility (see prior use for a similar discussion). Note that the route may or may not trigger the facility FuSa Engineer to perform an SFF calculation per SIF.

The “H” paths ensure that the equipment meets fault tolerance, ensuring a foundation for hardware integrity. 1H has requirements for HFT and SFF (similar to 1S). 2H focuses on the hardware structural resilience and prior use data.

  • 1H is by far the most common for new modern components. This uses the IEC 61508-2 Table 2 and Table 3 HFT vs SFF tables along with FMEDA data.
  • 2H is typically for mechanical items with no or minimal diagnostics. Imagine a rack and pinion actuator. Even if it does have some diagnostics, they won’t be sufficient to capture all failure modes. So this would be a 2H path.
  • 2H is often used on legacy equipment without a SIL Certificate. For example, something that predates IEC 61508.

The “S” paths focus on minimizing systematic failures by managing the equipment and the functional safety process. 1S has requirements for HFT and SFF (similar to 1H).

  • 1S must follow the IEC 61508-2 Table 2 and Table 3 HFT vs SFF tables. It focuses on the design process / systematic capability. It is often used for a well-established technology. Compared to 1H, it is less data-heavy and more design-justification-heavy.
  • 2S needs data. This can be gathered by the manufacturer and provided to a Certification Body (CB). The CB would evaluate the data and issue the SIL Certificate.
  • 2S uses the proven in use (PIU) process.
  • 3S is proven in use for software.

Key Points:

  • Routes are applied at the component level.
  • 1H/2H: “H” stands for hardware
  • 1S/2S/3S: “S” stands for “systematic capability”
  • For a component that is certified to IEC 61508, 1S is the default setting. If the SIL Certificate doesn’t state that, it is implied.

Example:
A manufacturer of a legacy spring-return pneumatic actuator — purely mechanical, no diagnostics — wants a SIL 2 certification. Because the device has no meaningful diagnostic coverage, Route 1H is not viable; the SFF would fail the architectural constraint tables. They pursue Route 2H instead. Working with a CB, the manufacturer submits field operational history, failure rate data, and evidence of fail-safe behavior on loss of air supply. The CB evaluates the hardware integrity argument and issues a SIL Certificate under Route 2H — no SFF or FMEDA required.
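The Route 1H check that the actuator in this example fails can be worked through in code. The block below is an added illustration, not part of the original entry or of any certification tool: it computes SFF from FMEDA failure rates and looks up the maximum SIL in the IEC 61508-2 Table 2 (Type A) and Table 3 (Type B) architectural-constraint tables. The failure rates are constructed, and treating the actuator as a Type A element with HFT 0 is an assumption.

```python
# Added illustration: Route 1H architectural-constraint check for one element.
# Maximum SIL per IEC 61508-2 Table 2 (Type A) and Table 3 (Type B); 0 = not allowed.
# Rows: SFF band (<60 %, 60 to <90 %, 90 to <99 %, >=99 %). Columns: HFT 0, 1, 2.
MAX_SIL = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],
    "B": [(0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],
}

def sff(l_s, l_dd, l_du):
    """Safe failure fraction from FMEDA rates (safe, dangerous detected, dangerous undetected)."""
    if min(l_s, l_dd, l_du) < 0:
        raise ValueError("failure rates cannot be negative")
    total = l_s + l_dd + l_du
    if total == 0:
        raise ValueError("at least one failure rate must be non-zero")
    return (l_s + l_dd) / total

def sff_band(value):
    """Row index into MAX_SIL for a given SFF (0.0 to 1.0)."""
    for row, upper in enumerate((0.60, 0.90, 0.99)):
        if value < upper:
            return row
    return 3

def max_sil_route_1h(element_type, hft, l_s, l_dd, l_du):
    """Highest SIL the architectural constraints allow for this element."""
    if element_type not in MAX_SIL:
        raise ValueError("element type must be 'A' or 'B'")
    if hft not in (0, 1, 2):
        raise ValueError("the tables cover HFT 0, 1 and 2 only")
    return MAX_SIL[element_type][sff_band(sff(l_s, l_dd, l_du))][hft]

def route_1h_viable(target_sil, element_type, hft, l_s, l_dd, l_du):
    """True if the target SIL is within the architectural constraints."""
    return max_sil_route_1h(element_type, hft, l_s, l_dd, l_du) >= target_sil

# Constructed FMEDA rates in FIT for a mechanical actuator with no diagnostics
# (hypothetical numbers, not from any datasheet): lambda_DD is zero.
ACTUATOR = dict(element_type="A", hft=0, l_s=300.0, l_dd=0.0, l_du=400.0)

if __name__ == "__main__":
    print(f"SFF = {sff(300.0, 0.0, 400.0):.1%}")
    print("max SIL under Route 1H:", max_sil_route_1h(**ACTUATOR))
    print("SIL 2 via Route 1H viable:", route_1h_viable(2, **ACTUATOR))
```

With no detected dangerous failures the SFF stays below 60 %, so the tables cap a single-channel Type A element at SIL 1, which is why the SIL 2 target is pursued through Route 2H instead.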

See Also: SIL certificate, type, HFT, SFF, systematic capability, PIU

Cited Source:

Part Of: system or component category