Standards
SIL — four levels of safety integrity. What each one means.
Safety Integrity Levels — SIL 1 through SIL 4 — are how the functional-safety world quantifies "how safe is safe enough" for a given safety function.
They come from IEC 61508. The machinery-specific derivative IEC 62061 uses the same framework. For each SIL there's a target probability of dangerous failure per hour, and an associated set of architectural and process requirements.
This post walks through all four levels without jargon, and lands on why the higher SILs effectively require architectural independence — not just better code.
SIL 1 · the entry level
Target probability of dangerous failure per hour: 10⁻⁶ to 10⁻⁵.
What this looks like in practice. SIL 1 is appropriate where the worst-case consequence of a failure is an injury or a minor environmental incident, and where the safety function runs frequently enough that statistical performance is meaningful.
Architecture. Single-channel implementations are often acceptable. Requirements on systematic capability, diagnostics, and proof-test intervals exist but are relatively light.
Typical examples. Interlocks on low-risk machinery. Basic emergency-stop circuits on equipment where the residual risk after stopping is low.
SIL 2 · redundancy often required
Target probability of dangerous failure per hour: 10⁻⁷ to 10⁻⁶.
What this looks like in practice. SIL 2 covers safety functions where a failure could cause serious injury or a single death. In practice, most SIL 2 designs end up as dual-channel architectures — two independent channels that both have to agree before the safety function releases.
The alternative to dual-channel is very high safe-failure fractions, which are hard to demonstrate, so dual-channel becomes the commercial default.
Architecture. Dual-channel is standard. Each channel has its own inputs, its own logic, and its own outputs. Diagnostic coverage requirements rise. Safe-failure-fraction targets rise.
Typical examples. Food processing machinery. Industrial robotics in operator-adjacent configurations. Safety functions in the general machinery regulations that don't specifically require higher integrity.
SIL 3 · hardware independence becomes the architecture
Target probability of dangerous failure per hour: 10⁻⁸ to 10⁻⁷.
What this looks like in practice. SIL 3 applies where a failure could cause multiple fatalities. This is the level at which architectural independence stops being a design choice and becomes the thing being measured.
A SIL 3 implementation requires that the safety channel be provably independent of the non-safety channel. That independence has to be demonstrable at the hardware level, not just argued at the software level. Common-cause analysis becomes a central part of the safety case.
Architecture. Two-channel or 1oo2D (one-out-of-two with diagnostics). Hardware-level diversity between channels. Independent power paths where feasible. Independent timing sources. The systematic-capability requirements on the components themselves (SC 3) effectively exclude commercial general-purpose CPUs from the safety path, or require extensive evidence for them.
Typical examples. Chemical plant interlocks on catastrophic-release scenarios. Safety functions in higher-risk machinery covered by IEC 62061 and ISO 13849-1 PL e.
SIL 4 · the highest level
Target probability of dangerous failure per hour: 10⁻⁹ to 10⁻⁸.
What this looks like in practice. SIL 4 applies to situations where failure could cause catastrophic consequences — high fatality counts, severe environmental damage, or both. At the 10⁻⁹ end of the band, the probability target is about one dangerous failure per 100,000 years of operation.
Architecture. Diverse redundancy. Two or more channels implemented with different technology or different algorithms, so that a failure mode in one is unlikely to be replicated in another at the same moment. Independent verification and validation teams. Full lifecycle evidence. Rigorous common-cause analysis.
Typical examples. Nuclear reactor trip systems. Rail signalling at the highest criticality levels. Flight control systems in some civil aircraft.
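The PFH bands above, the SIL 2 rule that both channels must agree before the function releases, and the SIL 3 1oo2D voting, as an added Python illustration that is not from IEC 61508 or any vendor's safety relay; the three-cycle discrepancy window and the reset-only-in-safe-state rule are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# IEC 61508 high-demand / continuous-mode PFH bands (dangerous failures per hour),
# each [lower, upper): SIL n is met when 10^-(n+5) <= PFH < 10^-(n+4).
SIL_BANDS = ((4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5))

def sil_for_pfh(pfh: float) -> Optional[int]:
    """SIL band containing pfh; None if worse than SIL 1; below 1e-9 reported as SIL 4."""
    if pfh < 1e-9:
        return 4
    for level, lower, upper in SIL_BANDS:
        if lower <= pfh < upper:
            return level
    return None

@dataclass(frozen=True)
class Channel:
    permit: bool   # channel's own verdict this cycle: True = safe to release
    diag_ok: bool  # channel's self-test result this cycle

class Voter1oo2D:
    """Constructed 1oo2D release logic (not any vendor's): release only while both
    channels permit and both diagnostics pass; either channel alone forces the safe
    state. Disagreement is tolerated for a short discrepancy window (input skew),
    then the fault latches until a manual reset in the safe state."""
    def __init__(self, max_discrepancy_cycles: int = 3) -> None:
        self.max_discrepancy_cycles = max_discrepancy_cycles
        self.discrepancy_cycles = 0
        self.latched_fault = False

    def step(self, a: Channel, b: Channel) -> bool:
        if self.latched_fault or not (a.diag_ok and b.diag_ok):
            self.latched_fault = True      # a diagnostic fault latches immediately
            return False
        if a.permit != b.permit:
            self.discrepancy_cycles += 1
            if self.discrepancy_cycles > self.max_discrepancy_cycles:
                self.latched_fault = True  # persistent split vote: suspected channel fault
            return False                   # never release on a split vote
        self.discrepancy_cycles = 0
        return a.permit and b.permit

    def reset(self, a: Channel, b: Channel) -> bool:
        """Accept a manual reset only with both channels healthy and not permitting."""
        if a.diag_ok and b.diag_ok and not (a.permit or b.permit):
            self.latched_fault = False
            self.discrepancy_cycles = 0
        return not self.latched_fault
```

Note that a single-channel implementation would have released on the stuck channel's vote alone; the voter's only outputs on any disagreement or diagnostic fault are the safe state.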
What this means for Physical AI
Most general-purpose robotics today lands architecturally somewhere in the SIL 1 to low-SIL 2 region, even when the marketing claims higher. You can check this by asking the vendor whether the safety function is implemented as an independent channel on independent hardware, or as a subroutine running alongside the main perception and planning stack.
Under the EU Machinery Regulation 2023/1230, the requirement is not a specific SIL. It's a coherent safety case demonstrating that the machine is safe under the conditions it will encounter. In practice, for AI-enabled safety functions on high-risk machinery, that safety case is going to have to address the same architectural points SIL 2 and SIL 3 address — because those are the arguments the assessors know how to evaluate.
The practical consequence is that the architectural choices a SIL 2 or SIL 3 designer would make — dual-channel, hardware-independent, diagnostically monitored — are going to become table stakes for Physical AI machines placed on the EU market.
This is not speculation. It's what reading the standards and the regulation back-to-back gives you.
The short version
| Level | Target PFH | Typical architecture | Typical domain |
|---|---|---|---|
| SIL 1 | 10⁻⁶ to 10⁻⁵ | Single channel | Low-risk machinery interlocks |
| SIL 2 | 10⁻⁷ to 10⁻⁶ | Dual-channel | Industrial robotics, food processing |
| SIL 3 | 10⁻⁸ to 10⁻⁷ | 1oo2D, hardware-independent | Chemical interlocks, higher-risk machinery |
| SIL 4 | 10⁻⁹ to 10⁻⁸ | Diverse redundancy | Nuclear, rail signalling, flight control |
Worth printing out. Worth keeping on the desk on Tuesdays.