SIL Level calculation

Reading time: 5 minutes - Difficulty: advanced
SIL verification through calculation can be carried out through several methods, where the aim is always to define the achievable SIL level of the equipment (i.e. SIL n capable level).

SIL calculation methods

SIL verification through calculation can follow:

  • Markov approach. Markov’s analysis covers most aspects of quantitative safety assessment and provides great flexibility. The approach is based on calculating the probability that the system is in a specific state at a specific time.
  • Petri Net. The Montecarlo simulation consists in animating behavioral models using random numbers to evaluate how many times the system remains in states governed by random or unavoidable delays.
  • RBD (Reliability block diagram). A diagram that provides the relationship between component states and the success or failure of a given system function. This is the most widely used method. 

Each subsystem of a safety chain must be chosen carefully, to not represent the “slow locomotive of the train”.

Here is shown an example of how a subsystem can significantly impact the SIL achieved of the safety function.

The function is divided into subsystems, and for each subsystem, the average probability of failure on demand (hp: low demand mode) is calculated, and the architectural constraints (hp. Route 1H) and systematic capacity are included as well.


Device PFDavg SIL Systematic Capability SIL Architectural Constraints
Sensors 8,39E-06 3 2
Logic Solver 5,09E-07 3 3
Solenoid 1,74E-05 3 3
Actuator 9,76E-07 3 2


SIL PFDavg SIL PFDavg SIL Systematic Capability SIL Architectural Constraints
Total 2,00E-04 3 3 2


The SIL obtained is the lowest of the SIL achieved for PFDavg, its systematic capability, and architectural constraints. This is a SIL 2.

The PFDavg and architectural constraints, having fixed the components, can be improved by changing the architecture. Systematic capability is a characteristic parameter of the component that does not vary with the architecture.

Systematic capability, therefore, defines the maximum SIL the component can achieve.

Note: In common language, when a component is defined SIL n capable, this means that it can be used in “up to n” application and not that it can be used as a stand-alone device in SIL n applications.


Logic Solver overview

A logic solver makes decisions about what to do, based on sensor input. Decision rules are often implemented by software or digital/electronic components.

A logic solver can manage both safety and non-safety functions: it is clear that the two parts must be segregated, and the non-safety function must not interfere with the safety function.

A logic solve can be:

  • Hardwired, control and decision-making are carried out using relays and contactors
  • Solid state, control and decision-making are carried out by a fixed set of arranged and programmed electronic components (no mechanical components)
  • Programmable, control and decision-making are carried out by software


Recommended in-depth study:


Final element overview

A final element is a device that receives the command from the logic solver and converts it into a physical movement. The final element interacts with the protected system.

Some examples of final elements:

  • Block valves
  • Automatic switch
  • Break
  • Fire fighting protection

The standard suggests using a safety philosophy for the drive of the final element.

Fail-safe causes a machine to return to a safe condition in the event of failure or malfunction.

Fail-safe is not always applicable. In the case of a fire-fighting system, the extinguishing system must be activated by means of the “energized to trip” control, in order to avoid possible safety consequences for spurious trips.


Recommended in-depth study:


SIS validation overview

SIS (Safety Instrumented System) safety validation consists of validating, thorough inspection and testing, that the installed and commissioned SIS and associated SIFs meet the requirements, as set out in the safety requirements specification.

The procedures and techniques used for validation should be calibration procedures, hardware testing, software testing, etc.

All individuals involved in the validation procedures must be defined, including their level of independence.


Some of the validation activities are:

  • Verifying the SIS under specific conditions, such as normal operation, emergency, start-up, shutdown, diagnostic function, etc.
  • Verifying the SIS interface and the absence of BPCS interference in terms of safety
  • Verifying communication between the SIS and the other system
  • Checking the device involved in the safety function
  • Verifying the system with the relevant documentation
  • Software validation
  • Validating different types of operating modes
  • Verifying test frequencies

Validation activities are repeated after each (interfering!) change to the SIS.


Recommended in-depth study:


Do you want to learn more about Functional Safety?

What does HARA mean for ISO 26262?

The HARA method The HARA method aims at identifying and categorizing hazardous events of items, and also at specifying safety goals according to ISO 26262 and ASILs (Automotive Safety Integrity Levels) related to the prevention or mitigation of the associated hazards in order to avoid unreasonable risk. This means that the combination of a hazard […]

Read more

A brief introduction to ISO 26262

ISO 26262 Standard Application It covers the implementation of functional safety through electrical and/or electronic (E/E) systems, and presents a specific lifecycle for items used in the automotive sector. Thus, it provides a reference for the automotive safety life cycle and supports the adaptation of activities to be performed during the lifecycle phases, i.e. development, […]

Read more
Byhon Logo bianco

Subscribe to our newsletter to stay up to date on Functional Safety and Industrial Cyber Security news and events

Send this to a friend