
Risk classification levels

What does it actually mean when we say a system is “safe”?

When we talk about safety in technical systems, most people think of sensors, light curtains, or safety valves. But functional safety isn’t about making sure a system never fails — that’s impossible. It’s about ensuring that when a failure does happen, its consequences don’t lead to an accident. That’s exactly what concepts like SIL, ASIL, and Performance Level (PL) are for.

Failures are allowed to happen — but are their consequences under control?

Why all these safety levels?

Not every system needs to be equally reliable. A navigation error is an inconvenience; a brake control error can be fatal. That’s why in functional safety there isn’t a single definition of “safe” — there are levels of safety that define how much confidence we can have in a system’s behavior.

A safety level is simply a measure of acceptable risk. The higher the level (SIL4 or ASIL D), the lower the probability that a failure will lead to an accident — and the more rigorous the design process must be.

SIL – Safety Integrity Level

SIL comes from the IEC 61508 standard — the “mother” of all functional safety standards. SIL has four levels (SIL1–SIL4), and each sets a limit on how often a safety function is allowed to fail dangerously.

For example:

  • SIL1 allows a dangerous failure approximately once per 1,000 operations,
  • SIL3 — only about once per million operations.

SIL applies mainly in process industries, power generation, chemical plants, and gas systems — places where failures can have large-scale consequences. The higher the SIL, the greater the demands on:

  • hardware (redundancy, diagnostics, separation),
  • software (design methods, testing, strict change management),
  • verification processes (independent reviews, validation, documentation).

ASIL – Automotive Safety Integrity Level

In the automotive industry, the corresponding concept is ASIL, defined in ISO 26262. Levels are labeled from A to D, where D represents the highest level of safety.

ASIL is determined based on three criteria:

  • Severity (S) – how serious the consequences of a failure could be,
  • Exposure (E) – how often that situation may occur,
  • Controllability (C) – how easily the driver can react to or control the situation.

For example:

  • a failure of reverse lights corresponds to ASIL A,
  • a fault in the braking system corresponds to ASIL D.

As the ASIL level increases, so do the requirements for system architecture, redundancy, coding methods, and testing rigor.
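As an added illustration (not code from the original article), here is the S/E/C-to-ASIL decision in Python. It goes beyond the page's two examples to the full decision table as I recall it from ISO 26262-3; the hazard ratings in it are constructed assumptions chosen to reproduce the article's reverse-lights and braking examples.

```python
"""ASIL from S/E/C. Added example, not the article's code: the decision table
is ISO 26262-3 Table 4 as recalled by this example's author, and the hazard
ratings below are constructed for illustration, not a real HARA."""
from dataclasses import dataclass

# ASIL_TABLE[S][E] lists the levels for C1, C2, C3 in that order. Ratings of 0
# (S0 no injuries, E0 incredible, C0 controllable in general) are not in the
# table: they need no safety goal and map to QM.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]

def determine_asil(s: int, e: int, c: int) -> str:
    """Return 'QM' or 'A'..'D' for S in 0-3, E in 0-4, C in 0-3."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"S/E/C rating out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"
    return ASIL_TABLE[s][e][c - 1]

@dataclass(frozen=True)
class Hazard:
    name: str
    s: int
    e: int
    c: int

    @property
    def asil(self) -> str:
        return determine_asil(self.s, self.e, self.c)

# Constructed HARA rows; the S/E/C values are assumptions chosen to reproduce
# the article's two examples (reverse lights -> A, braking -> D).
HARA = [
    Hazard("reverse lights fail while reversing", s=1, e=3, c=3),
    Hazard("unintended loss of braking at speed", s=3, e=4, c=3),
    Hazard("infotainment reboot while driving", s=0, e=4, c=1),
]

def classify(hazards):
    """Map each hazard name to its ASIL."""
    return {h.name: h.asil for h in hazards}

def highest_asil(hazards):
    """The most demanding ASIL in the set; it drives the item's safety goal."""
    return max((h.asil for h in hazards), key=ASIL_ORDER.index)
```

Note that any single rating of 0 short-circuits to QM before the table is consulted, which is the rule that keeps harmless or incredible hazards out of the safety scope.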

PL – Performance Level

PL comes from ISO 13849, which applies mainly to machinery control systems. Levels are labeled from a to e, where e is the highest. PL is derived from component reliability, system architecture, and frequency of use, and it is typically found in factory automation — for example, emergency stop circuits, light barriers, and industrial robots.

It’s not just numbers – it’s a design philosophy

SIL and ASIL aren’t just “labels” stuck on a project at the end. They represent an entire mindset about safety — from requirements through design to testing and maintenance. The key idea is that safety should be built into the system from the very beginning, not added as an afterthought.

The V-model – the backbone of functional safety

If SIL and ASIL define how safe a system must be, the V-model shows how to build it so that it really is safe.

The V-model illustrates the development process: on the left side, we define requirements and design; on the right side, we test and verify. Each stage on the left has a corresponding “mirror” stage on the right:

  • safety requirements → validation tests,
  • system design → integration tests,
  • module design → unit tests.

This model enforces consistency and traceability. It ensures that what has been tested truly corresponds to what was designed. Without this, compliance with SIL or ASIL would be impossible.
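An added example, not from the original article, of the traceability check the V-model implies: every left-side artifact must be mirrored by a test at the matching right-side level, and the checker reports what is uncovered, tested at the wrong level, or orphaned. The artifact and test records are constructed.

```python
"""V-model traceability check. Added example, not code from the original
article; the artifact and test records below are constructed for
illustration."""
from collections import defaultdict

# Mirror stages from the V-model: left-side artifact level -> right-side test level.
MIRROR = {
    "safety_requirement": "validation",
    "system_design": "integration",
    "module_design": "unit",
}

# Constructed left-side artifacts: id -> V-model level.
ARTIFACTS = {
    "SR-1": "safety_requirement",
    "SR-2": "safety_requirement",
    "SD-1": "system_design",
    "MD-1": "module_design",
    "MD-2": "module_design",
}

# Constructed right-side tests: id -> (test level, artifact ids it traces to).
TESTS = {
    "VT-1": ("validation", ["SR-1"]),
    "IT-1": ("integration", ["SD-1"]),
    "UT-1": ("unit", ["MD-1"]),
    "UT-2": ("unit", ["SR-2"]),   # wrong level: a unit test cannot validate a safety requirement
    "UT-3": ("unit", ["MD-9"]),   # orphan: traces to an artifact that does not exist
}

def check_traceability(artifacts, tests):
    """Return uncovered artifacts, level mismatches and orphan test links.

    An artifact counts as covered only by a test at its mirror level, so a
    unit test linked to a safety requirement is reported, not credited.
    """
    covered = defaultdict(list)
    mismatched, orphans = [], []
    for test_id, (level, links) in tests.items():
        for art_id in links:
            art_level = artifacts.get(art_id)
            if art_level is None:
                orphans.append((test_id, art_id))
            elif MIRROR[art_level] != level:
                mismatched.append((test_id, art_id, art_level, level))
            else:
                covered[art_id].append(test_id)
    uncovered = sorted(a for a in artifacts if a not in covered)
    return {"uncovered": uncovered, "mismatched": mismatched, "orphans": orphans}
```

On the constructed data the check flags SR-2 and MD-2 as uncovered, UT-2 as a level mismatch, and UT-3 as an orphan; an empty report is the state a SIL or ASIL assessor expects to see.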

Why not just aim for the “highest” level?

Sometimes someone says, “Let’s just go for SIL4 — that’ll be safest.” Unfortunately, that’s not how it works. Each higher level means:

  • more testing and documentation,
  • higher costs,
  • longer certification times.

Designing a system with a higher safety level than necessary is like buying a tank to go grocery shopping — expensive and completely impractical.

On the other hand, underestimating the required level can lead to disaster — literally.

Why it matters

Safety levels aren’t a bureaucratic invention. They’re the language of risk engineering — a way to turn the abstract “it could happen” into concrete requirements that can be designed, tested, and proven.

Mistakes happen. But a well-designed system ensures that a failure becomes an incident — not a catastrophe.
