
What is SIL? Safety Integrity Level, in plain language

Mati Melchior

If you've been reading this series you've seen SIL referenced several times. This is the short-form primer I wish existed as a single-page reference — what the acronym means, where it comes from, and what the four levels actually commit the designer to.

The definition

SIL stands for Safety Integrity Level. It is a classification system defined in IEC 61508, the generic international functional-safety standard for electrical, electronic and programmable electronic safety-related systems, first published in parts between 1998 and 2000 and reissued as a substantially revised second edition in 2010. Sector standards derive from it; for machinery the relevant one is IEC 62061, which uses SIL 1 to SIL 3 for safety-related control systems.

A SIL rating is a number from 1 to 4 assigned to a specific safety function, not to a product, not to a company, not to a brand. A single machine may have several safety functions, each with its own SIL rating. A claim like "this product is SIL 3" is, strictly speaking, meaningless without naming which safety function, in which operating mode, is being described. The standard's own vocabulary for a component is different: a sensor or controller can be assessed as having systematic capability SC 3, meaning it was developed with the rigour required for use in a SIL 3 function, but that says nothing about the failure probability of any function it is later wired into.

What each number actually means

The headline framing most people see is this:

  • SIL 1 — probability of dangerous failure per hour: 10⁻⁶ to 10⁻⁵
  • SIL 2 — probability of dangerous failure per hour: 10⁻⁷ to 10⁻⁶
  • SIL 3 — probability of dangerous failure per hour: 10⁻⁸ to 10⁻⁷
  • SIL 4 — probability of dangerous failure per hour: 10⁻⁹ to 10⁻⁸

Each band includes its lower bound and excludes its upper bound (SIL 3 is ≥10⁻⁸ and <10⁻⁷). This table is the one for high-demand and continuous mode, where the measure is the average frequency of dangerous failure per hour (PFH). Low-demand safety functions (those called on no more than once a year, such as an emergency shutdown) are rated instead on average probability of dangerous failure on demand (PFDavg), with bands from 10⁻² to 10⁻¹ for SIL 1 down to 10⁻⁵ to 10⁻⁴ for SIL 4. This is why the operating mode has to be named alongside the SIL.

Each step up is a factor-of-10 reduction in allowed failure rate. At the 10⁻⁹ per hour end of the SIL 4 band that is roughly one dangerous failure in about 114,000 years of continuous operation (8,760 hours a year); at the 10⁻⁸ end it is about 11,400 years.

These numbers are real but they are also the part of SIL that gets misunderstood the most. The probability target is not achieved by writing better software; IEC 61508 does not attach a failure probability to software at all, but rates it on systematic capability, the rigour of the development process laid out in Part 3. The target is achieved by designing an architecture in which a dangerous failure requires multiple independent things to fail at once, and then demonstrating that independence to an assessor who will not take your word for it.

The practical translation

The easier-to-remember version of what SIL means in practice looks like this:

  • SIL 1 — usually a single-channel implementation is acceptable.
  • SIL 2 — dual-channel is the commercial default.
  • SIL 3 — hardware-level independence between channels is required.
  • SIL 4 — diverse redundancy, independent teams, full lifecycle evidence.

A designer aiming at SIL 2 is going to design a two-channel safety system. A designer aiming at SIL 3 is going to design two channels on different hardware with analysed common-cause failure modes. A designer aiming at SIL 4 is going to do SIL 3 plus use deliberately different implementation technologies on each channel.

This is why SIL is fundamentally a claim about architecture, not about code quality. Two pieces of software with identical bug-counts-per-KLOC can target different SIL levels depending on the hardware they run on and the independence they enforce.
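To make the band table and the architecture point concrete, here is an added Python example. It is mine, not the author's and not anything published with IEC 61508. It classifies a failure measure into its band for either operating mode, converts a PFH into mean years between dangerous failures, and runs the simplified IEC 61508-6 Annex B low-demand formulas for a single channel against two identical channels under two different common-cause (beta-factor) assumptions. The failure rate, proof-test interval and beta values are constructed for illustration.

```python
"""Added worked example (not the article's or IEC's own code): classify a
failure measure into its SIL band and show why channel independence, not
per-channel quality, decides the reachable level.

Bands follow IEC 61508-1 (2010) Tables 2 and 3: each band includes its lower
bound and excludes its upper bound. The PFD formulas are the simplified
IEC 61508-6 Annex B forms for 1oo1 and 1oo2 architectures with only
dangerous undetected failures and repair time neglected. All numerical
parameters below (failure rate, proof-test interval, beta values) are
constructed for illustration, not taken from the article.
"""

HOURS_PER_YEAR = 8760

# High-demand / continuous mode: PFH, average frequency of dangerous failure per hour.
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}
# Low-demand mode: PFDavg, average probability of dangerous failure on demand.
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_for(value, bands):
    """Return the SIL (1-4) whose [lo, hi) band contains value.

    Returns 0 if value is worse than the SIL 1 band, and 4 if it is better
    than the SIL 4 band (IEC 61508 defines no target beyond SIL 4).
    """
    for sil, (lo, hi) in bands.items():
        if lo <= value < hi:
            return sil
    return 4 if value < bands[4][0] else 0


def pfh_mean_years(pfh):
    """Mean years of continuous operation per dangerous failure at a given PFH."""
    return 1.0 / (pfh * HOURS_PER_YEAR)


def pfd_1oo1(lam_du, t1):
    """Single channel: PFDavg ~ lambda_DU * T1 / 2 (T1 = proof-test interval, hours)."""
    return lam_du * t1 / 2


def pfd_1oo2(lam_du, t1, beta):
    """Two identical channels, either one can trip the function.

    beta is the common-cause fraction of lambda_DU (IEC 61508-6 beta-factor
    model). The independent term shrinks quadratically, but the common-cause
    term beta*lambda_DU*T1/2 is a floor that no amount of redundancy removes.
    """
    independent = ((1 - beta) * lam_du) ** 2 * t1 ** 2 / 3
    common_cause = beta * lam_du * t1 / 2
    return independent + common_cause


def compare_architectures(lam_du=5e-6, t1=HOURS_PER_YEAR):
    """Same channel, three architectures; return {name: (PFDavg, SIL)}.

    Constructed inputs: lambda_DU = 5e-6 per hour per channel, yearly proof test.
    """
    cases = {
        "1oo1": pfd_1oo1(lam_du, t1),
        "1oo2 beta=0.10": pfd_1oo2(lam_du, t1, 0.10),  # same hardware, shared cabinet
        "1oo2 beta=0.01": pfd_1oo2(lam_du, t1, 0.01),  # analysed, separated channels
    }
    return {name: (pfd, sil_for(pfd, PFD_BANDS)) for name, pfd in cases.items()}


if __name__ == "__main__":
    for sil, (lo, _) in sorted(PFH_BANDS.items()):
        print(f"SIL {sil} best case: one dangerous failure per {pfh_mean_years(lo):,.0f} years")
    for name, (pfd, sil) in compare_architectures().items():
        print(f"{name:16s} PFDavg = {pfd:.2e}  -> SIL {sil}")
```

With these constructed inputs the single channel lands in the SIL 1 band, the same two channels reach only SIL 2 when 10% of their dangerous failures are assumed common to both, and SIL 3 once the common-cause fraction is brought down to 1% by the kind of separation analysis SIL 3 demands. Nothing about the channel's own failure rate changes between the last two runs; only the demonstrated independence does, which is the point of the paragraph above. The `beta` values are the output of that analysis, not an input you get to pick, and an assessor will want to see the checklist behind them.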

Where SIL comes up in Physical AI

Under the EU Machinery Regulation 2023/1230, applying in full from 20 January 2027, safety functions on AI-enabled machinery are expected to have a coherent safety case. That safety case does not have to specify a specific SIL number — but in practice the arguments it contains are the same arguments a SIL assessor would evaluate.

What this means is that Physical AI companies targeting the EU market are going to be asked, sooner rather than later, for the SIL-equivalent analysis of their safety functions. Anyone who has read the older standards and the newer regulation back-to-back can see this coming.

For the deeper dive on what SIL 1 through SIL 4 actually look like in an implementation, see the earlier post in this series titled "SIL — four levels of safety integrity." This one is the reference card you can point someone at when they ask the question for the first time.
