The difference between Route 1H and Route 2H

Last edit: 02/08/2023

THE DOUBT: What is the difference between Route 1H and Route 2H?

Let’s first place the subject in the bigger picture. When you hear about Route 1H and 2H you are probably in the domain of low demand mode Safety Instrumented Systems, where the main standard is IEC 61511. However, the two routes themselves are defined in IEC 61508-2.

You know that reliability data are needed to use a component in a Safety Instrumented System, but that is not enough! The component also needs a certain Safe Failure Fraction (SFF), which tells you how good it is intrinsically. This has been the approach since the first edition of the IEC 61508 series, guiding both the component manufacturer and the process designer in defining safety components and safety systems: the method was named Route 1H. But let’s get into the details.


ROUTE 1H

Historically, this was the only way to determine the maximum SIL that can be claimed for a Safety Function. Here are the steps to be followed (please refer to IEC 61508-2, § 7.4.4.2):

  1. Divide the safety-related system into subsystems.
  2. For each subsystem, calculate the Safe Failure Fraction for all elements in the subsystem separately. In case of redundant element configurations, the SFF may be calculated by taking into consideration the additional diagnostics that may be available (e.g. by comparison of redundant elements).
  3. For each element, use the achieved Safe Failure Fraction and a Hardware Fault Tolerance of 0 to determine the maximum safety integrity level that can be claimed from column 2 of Table 1 (same as Table 2 of IEC 61508-2) for Type A elements; for Type B elements, Table 2 should be used (same as Table 3 of IEC 61508-2).
  4. The maximum safety integrity level that can be claimed for an E/E/PE safety-related system shall be determined by the subsystem that has achieved the lowest safety integrity level.

For Route 1H, each safety component must have all of its failure rates available from an FMEDA analysis.

| Safe Failure Fraction of an element | Hardware fault tolerance 0 | Hardware fault tolerance 1 | Hardware fault tolerance 2 |
|---|---|---|---|
| SFF < 60 % | SIL 1 | SIL 2 | SIL 3 |
| 60 % ≤ SFF < 90 % | SIL 2 | SIL 3 | SIL 4 |
| 90 % ≤ SFF < 99 % | SIL 3 | SIL 4 | SIL 4 |
| SFF ≥ 99 % | SIL 3 | SIL 4 | SIL 4 |

Table 1: Maximum allowable safety integrity level for a safety function carried out by a Type A safety-related element or subsystem

| Safe Failure Fraction of an element | Hardware fault tolerance 0 | Hardware fault tolerance 1 | Hardware fault tolerance 2 |
|---|---|---|---|
| SFF < 60 % | Not Allowed | SIL 1 | SIL 2 |
| 60 % ≤ SFF < 90 % | SIL 1 | SIL 2 | SIL 3 |
| 90 % ≤ SFF < 99 % | SIL 2 | SIL 3 | SIL 4 |
| SFF ≥ 99 % | SIL 3 | SIL 4 | SIL 4 |

Table 2: Maximum allowable safety integrity level for a safety function carried out by a Type B safety-related element or subsystem

ROUTE 2H

The concept of Route 2H was introduced for the first time in the 2010 edition of IEC 61508. Its use is linked to the concept of Proven in Use (IEC 61508) or Prior Use (IEC 61511-1).

In short, it is possible to claim a reliability level (a SIL) without any information on the SFF of the component, provided that field failure rate data are both available and reliable. Therefore, the reliability data used when quantifying the effect of random hardware failures shall be:

  1. based on field feedback for elements in use in a similar application and environment; and
  2. based on data collected in accordance with international standards; and
  3. evaluated according to:
     1. the amount of field feedback; and
     2. the exercise of expert judgement; and, where needed,
     3. the undertaking of specific tests.

With Route 2H, the maximum SIL achievable based upon the HFT of a subsystem is indicated by the following rules:

[IEC 61508-2: 2010] 7.4.4.3 Route 2H

7.4.4.3.1 The minimum hardware fault tolerance for each subsystem of an E/E/PE safety related system implementing a safety function of a specified safety integrity level shall be as follows:

NOTE In the following clauses, unless otherwise specified, the safety function may be operating in either a low demand mode of operation or a high demand or continuous mode of operation.

  1. a hardware fault tolerance of 2 for a specified safety function of SIL 4 unless the conditions in 7.4.4.3.2 apply.
  2. a hardware fault tolerance of 1 for a specified safety function of SIL 3 unless the conditions in 7.4.4.3.2 apply.
  3. a hardware fault tolerance of 1 for a specified safety function of SIL 2, operating in a high demand or continuous mode of operation, unless the conditions in 7.4.4.3.2 apply.
  4. a hardware fault tolerance of 0 for a specified safety function of SIL 2 operating in a low demand mode of operation.
  5. a hardware fault tolerance of 0 for a specified safety function of SIL 1.
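To make the two routes concrete, here is an added example in Python (it is not code from the article or from IEC 61508). It computes the SFF from the four FMEDA failure rates, looks up Tables 1 and 2 for Route 1H, applies step 4 of the Route 1H procedure (the lowest subsystem claim wins), and inverts the 7.4.4.3.1 minimum-HFT rules quoted above into a Route 2H maximum SIL. The loop data and the names `FailureRates`, `max_sil_route_1h`, `max_sil_route_2h`, `system_sil_route_1h` and `compare_routes` are all constructed for this example; the relaxations of 7.4.4.3.2 are deliberately not modelled.

```python
"""Route 1H vs Route 2H: maximum SIL claimable for a subsystem.

Added example, not taken from the article or from IEC 61508. The loop
data at the bottom are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SIL = Optional[int]  # None means "not allowed"

# Route 1H lookup, Table 1 (Type A) and Table 2 (Type B): for each SFF band,
# the maximum SIL at HFT 0, 1 and 2. Band upper bounds are exclusive; the
# last band (upper bound None) is SFF >= 99 %.
_ROUTE_1H = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (None, (3, 4, 4))],
    "B": [(0.60, (None, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (None, (3, 4, 4))],
}


@dataclass(frozen=True)
class FailureRates:
    """FMEDA failure rates of one element, all in FIT (failures per 1e9 h)."""
    sd: float        # lambda_SD: safe detected
    su: float        # lambda_SU: safe undetected
    dd: float        # lambda_DD: dangerous detected
    du: float        # lambda_DU: dangerous undetected
    ne: float = 0.0  # lambda_NE: no effect; not part of the SFF in IEC 61508-2:2010

    def sff(self) -> float:
        """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
        numerator = self.sd + self.su + self.dd
        total = numerator + self.du
        if total <= 0:
            raise ValueError("failure rates must sum to a positive value")
        return numerator / total


def max_sil_route_1h(sff: float, hft: int, element_type: str) -> SIL:
    """Look up Table 1 (Type A) or Table 2 (Type B) for the given SFF and HFT."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    if hft < 0:
        raise ValueError("HFT cannot be negative")
    column = min(hft, 2)  # the tables stop at HFT 2
    for upper_bound, sils in _ROUTE_1H[element_type.upper()]:
        if upper_bound is None or sff < upper_bound:
            return sils[column]
    raise AssertionError("unreachable: the last band has no upper bound")


def max_sil_route_2h(hft: int, low_demand: bool = True) -> int:
    """Invert IEC 61508-2:2010 7.4.4.3.1 (minimum HFT per SIL) into a maximum SIL.

    Assumption: the relaxations of 7.4.4.3.2 are not applied. No SFF is
    needed, which is the whole point of Route 2H.
    """
    if hft < 0:
        raise ValueError("HFT cannot be negative")
    if hft >= 2:
        return 4
    if hft == 1:
        return 3
    return 2 if low_demand else 1  # HFT 0: SIL 2 only in low demand mode


Subsystem = Tuple[str, FailureRates, int, str]  # (name, rates, hft, element type)


def system_sil_route_1h(subsystems: List[Subsystem]) -> SIL:
    """Step 4 of Route 1H: the system claim is the lowest subsystem claim."""
    claims = [max_sil_route_1h(r.sff(), hft, t) for _, r, hft, t in subsystems]
    if any(c is None for c in claims):
        return None  # one subsystem is not allowed at all
    return min(claims)


# Constructed example loop (made-up values, not real product data).
EXAMPLE_LOOP: List[Subsystem] = [
    ("transmitter", FailureRates(sd=100, su=200, dd=500, du=100), 0, "A"),
    ("logic solver", FailureRates(sd=1000, su=200, dd=2000, du=20), 1, "B"),
    ("final element", FailureRates(sd=0, su=300, dd=0, du=700), 0, "A"),
]


def compare_routes(subsystems: List[Subsystem], low_demand: bool = True):
    """Per subsystem: (name, SFF rounded, Route 1H max SIL, Route 2H max SIL)."""
    rows = []
    for name, rates, hft, element_type in subsystems:
        rows.append((name, round(rates.sff(), 4),
                     max_sil_route_1h(rates.sff(), hft, element_type),
                     max_sil_route_2h(hft, low_demand)))
    return rows


if __name__ == "__main__":
    for name, sff, sil_1h, sil_2h in compare_routes(EXAMPLE_LOOP):
        print(f"{name:14s} SFF={sff:.2%}  Route 1H max SIL {sil_1h}  Route 2H max SIL {sil_2h}")
    print("system claim via Route 1H:", system_sil_route_1h(EXAMPLE_LOOP))
```

With the constructed data the final element has an SFF of only 30 %, so Route 1H caps it at SIL 1 (and the whole loop with it), while Route 2H gives the same HFT 0 subsystem SIL 2 in low demand mode without ever looking at the SFF. That gap is exactly why the field data behind a Route 2H claim have to satisfy the three conditions listed above: the SFF check is gone, and the evidence has to replace it.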

Route 2H is not allowed in high demand mode; this restriction appears in both IEC 62061 and EN ISO 13849-1, i.e. in the two reference standards on Functional Safety in high demand mode.

[EN ISO 13849-1] 6.1.2 Correlation between performance level and safety integrity level (SIL)

When a safety function is designed using one or more subsystem, each subsystem shall be designed either using PLs according to this document, or using SILs according to IEC 62061 or IEC 61508. Subsystems designed according to IEC 61508 or IEC 62061 may be used but shall be restricted to those designed for high demand or continuous mode that use Route 1H (see IEC 61508-2:2010, 7.4.4.2). Subsystems are to be combined according to 6.2. See Table 4 for correlations between PLs and SILs. 

IEC 62061 specifies that this requirement applies to complex components.

[IEC 62061] 7.2 Subsystem architecture design

[…] Subsystem(s) incorporating complex components shall comply with appropriate product standards or IEC 61508-2 and IEC 61508-3 as appropriate for the required SIL and the design shall use Route 1H (see IEC 61508-2:2010, 7.4.4.2) for high demand and/or continuous mode.


CONCLUSION

Route 1H and Route 2H are two ways to decide the reliability level of a component and how it can be used in a Safety Instrumented Subsystem. Route 1H is the recommended one, especially if we want to use the component in a mixed high/low demand safety system. Route 1H requires that the component come with the failure rates defined by the IEC 61508 series:

  • λSD: Safe detected failure rate
  • λSU: Safe undetected failure rate
  • λDD: Dangerous detected failure rate
  • λDU: Dangerous undetected failure rate
  • λNE: No effect failure rate

Those are normally estimated with the help of external organisations like EXIDA or TÜV.
