Exploring the IEC 61508 Proven-In-Use Concept

22 Jan 2026

How Operational History Can Justify Safety Integrity Level Capability

Route 2H – Proven-in-Use (PIU) remains one of the most misapplied concepts in IEC 61508. Despite existing in the standard for more than two decades, many manufacturers either underestimate what qualifies as valid PIU evidence or incorrectly assume it offers a simpler path to safety integrity level (SIL) certification than Route 1H – FMEDA. In practice, PIU is one of the most demanding evidence routes in the standard, requiring maturity, stability, and statistically significant operational history.

This blog clarifies what PIU means in the context of IEC 61508, the exact evidence required, and how engineers should decide between Route 1H and Route 2H.

What “Proven-in-Use” Really Means in IEC 61508

PIU as defined in IEC 61508-2 clause 7.4.10 allows manufacturers to justify random hardware failure rates based on historical operational experience rather than predictive reliability models. PIU is intended for mature, stable components with well-understood failure behaviour, such as actuators, relays, valves, and electromechanical assemblies. PIU is only valid when strong evidence demonstrates that the hardware has been used in representative environments and under controlled configuration conditions.

IEC 61508 allows PIU only when the following conditions are satisfied:

• A documented and stable operating history exists (cl. 7.4.10.2)
• The operating environment matches the intended application (cl. 7.4.10.3(a))
• No significant design changes occurred during the observed period (cl. 7.4.10.3(b))
• Field failures are recorded, classified, and investigated (cl. 7.4.10.3(c))

PIU is not an alternative to systematic capability requirements, which must still be demonstrated via Route 1S/2S in accordance with IEC 61508-1 clause 6 and Annex B.

At its core, Route 2H answers:

“Has the equipment demonstrated, in real service, a dangerous failure rate low enough to meet the SIL target?”

With the concept of Proven-in-Use defined, the next step is understanding what evidence IEC 61508 actually expects before a PIU justification can be accepted.

Minimum Evidence Requirements: What Data You Actually Need

IEC 61508-2, clauses 7.4.10.1 – 7.4.10.4, outline the minimum evidence requirements for PIU justification. These ensure that operational history is representative, traceable, and statistically robust. A valid PIU justification must provide the following:

• A sufficient installed base (commonly ≥100 units for meaningful statistics)
• Enough operating hours to align with SIL targets (10⁶ - 10⁸+ hours)
• Environmental comparability between historical use and intended deployment
• Complete change control ensuring no untracked design or firmware revisions
• Failure logs covering safe, dangerous, detected, and undetected modes

Once the required evidence is available, the challenge becomes turning that operational history into a defendable failure rate. This is where statistical confidence, and specifically the chi-square method, becomes essential.

Statistical Confidence: Why Chi-Square Matters in Proven-In-Use

PIU relies on statistical justification. IEC 61508 requires the use of chi-square-based confidence intervals (IEC 61508-6 Annex D) to ensure that observed failure rates reflect a statistically valid upper bound. This prevents optimistic interpretations of low or zero failure counts, which often indicate insufficient exposure rather than exceptional reliability.

Using chi-square distribution ensures that the dangerous undetected failure rate (λDU) is derived with a defined confidence level (typically 70-90%), forming the basis for PFH/PFDavg calculations used in SIL determination.

Strengths and Weaknesses of Proven-in-Use

With the statistical foundations established, it becomes clearer where PIU performs strongly – and where it introduces limitations of which organizations must be aware.

Strengths

• Reflects real-world equipment performance and ageing
• Ideal for final elements such as valves, actuators, and relays
• Reduces reliance on generic reliability databases
• Preferred in IEC 61511 (process sector) when historical data is strong

Weaknesses

• Requires very large operational datasets
• Invalidated by design or firmware changes
• Not suitable for new or complex digital products
• Does not replace systematic capability requirements

How Proven-in-Use Influences the Wider IEC 61508 Compliance Landscape

While Proven-in-Use (Route 2H) provides an alternative method for justifying hardware random failure rates, it does not reduce or bypass the broader requirements of IEC 61508. A common misconception is that strong operational history can offset weaknesses elsewhere in the lifecycle; in practice, the opposite is true. Choosing Route 2H places additional emphasis on functional safety management, systematic capability, configuration control, and software compliance.

Key Impacts

• FSM must demonstrate strict change control
• Systematic capability (SC1/SC2/SC3) is still required
• Software lifecycle requirements remain unchanged
• Architectural constraints (SFF/HFT) still limit achievable SIL
• Lifecycle documentation and verification activities remain mandatory

So, the true picture is, Route 2H affects only one part of the SIL argument – hardware random failure rate justification. Every other IEC 61508 requirement remains unchanged.

Understanding how PIU interacts with the broader lifecycle makes it easier to compare Route 2H with the more traditional FMEDA-based approach defined under Route 1H.

Route 1H vs Route 2H: Choosing the Right Compliance Path

Route 1H (IEC 61508-2:7.4.4.2) utilizes FMEDA, architectural constraints, diagnostic coverage and predictive reliability models. It is ideal for new designs, digital electronics, smart sensors, and systems requiring detailed failure mode analysis.

Route 2H (IEC 61508-2:7.4.4.3 and 7.4.10) is a field-performance pathway suited to mature designs with extensive operational history and controlled configuration.

In many applications, particularly within IEC 61511 process industries, a combination of FMEDA and PIU evidence provides the most defensible justification.

Closing Thoughts

Proven-in-Use offers a rigorous, evidence-based route to SIL justification. When supported by comprehensive field data, disciplined configuration control, and robust failure recording practices, it provides a highly credible reflection of real-world reliability. Organizations should select Route 1H or 2H based on the maturity and evidence base of the product, not based on perceived ease. The strongest SIL justifications are those where the evidence aligns naturally with the product's design history, operational profile, and intended application.