ABSTRACT

Technical systems are becoming increasingly complex. A growing number of them contain electronics and software, so functional safety is gaining importance. The safety integrity level (SIL) is a discrete number that defines a set of measures against random and systematic failures, depending on the required risk reduction. The concept of SILs has been developed within several families of standards. When the safety architecture of a system is discussed, a central question arises: how can components or subsystems of a lower SIL be combined into a system with a higher SIL? An answer would allow existing, already certified components to be used to build a system of a required SIL, possibly a higher SIL than that of the components themselves. We analyze and compare the rules for combining subsystems with SILs given in functional safety standards such as EN 50126/8/9, ISO 26262, IEC 61508, DEF-STAN-00-56, SIRF, and the Yellow Book. In general, combining subsystems in series yields a system whose SIL is the minimum of the SILs of the subsystems. A general rule for SIL apportionment of the kind given in DEF-STAN-00-56, the Yellow Book, or SIRF cannot be provided for all countries and all situations: target failure rates and/or inspection intervals have to be taken into account. General rules can be given only for subsystems connected in parallel and for some SIL combinations (see, e.g., the Yellow Book and SIRF). In any case, common cause failures must be duly taken into account. A rule of thumb is that connecting two subsystems in parallel achieves an SIL one step higher. Other system architectures have to be studied in detail. A good indication that the chosen architecture meets an SIL requirement is that the failure rate of the system, computed from the rates of its subsystems, does not exceed the target failure rate of the required SIL.
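As an added illustration of the failure-rate check proposed above (this example is not part of the original paper), the following Python script computes the system rate for the series and parallel arrangements the abstract discusses and maps it back to an SIL. The SIL bands are the IEC 61508-1 PFH targets for high-demand/continuous mode (per hour); the 1oo2 parallel model is the beta-factor form used in IEC 61508-6 (undetected failures found only at proof test, repair time and detected failures ignored). The subsystem rate of 4e-7 /h, the proof test intervals, the beta values, the function names, and the use of the larger channel rate in the common cause term for dissimilar channels are all assumptions made for this example.

```python
"""Failure-rate check for SIL apportionment of series and parallel subsystems.

Rates are per hour (PFH, high-demand / continuous mode).  SIL bands follow
IEC 61508-1; the 1oo2 model follows the form of the IEC 61508-6 approximation.
Example values (lam = 4e-7 /h, test intervals, beta) are constructed here.
"""
from typing import Dict, Iterable

# IEC 61508-1 PFH bands for high-demand/continuous mode.  A system of SIL n
# must have a rate below the upper bound of band n (and at or above band n+1).
SIL_PFH_UPPER: Dict[int, float] = {4: 1e-8, 3: 1e-7, 2: 1e-6, 1: 1e-5}


def sil_from_rate(rate: float) -> int:
    """Highest SIL whose PFH band contains `rate`; 0 if above the SIL 1 band."""
    for sil in (4, 3, 2, 1):
        if rate < SIL_PFH_UPPER[sil]:
            return sil
    return 0


def meets_target(rate: float, target_sil: int) -> bool:
    """The check from the abstract: the computed system rate must stay inside the target band."""
    return rate < SIL_PFH_UPPER[target_sil]


def series_rate(rates: Iterable[float]) -> float:
    """Series combination: any subsystem failure fails the system.

    With constant, independent failure rates the system rate is the sum, so
    the system SIL is at most the minimum subsystem SIL, and it can drop below
    that minimum when several subsystems sit near the top of their band.
    """
    return sum(rates)


def parallel_rate(lam_a: float, lam_b: float,
                  proof_test_interval_h: float, beta: float) -> float:
    """1oo2 parallel combination with undetected failures and beta-factor CCF.

    A failed channel stays undetected until the next proof test, so it is
    present for T/2 on average.  The system fails when the other channel
    fails inside that window: lam_a*lam_b*T/2 + lam_b*lam_a*T/2 = lam_a*lam_b*T.
    The independent part of each rate is (1-beta)*lam; the fraction beta
    fails both channels at once and is added directly.  For identical
    channels this is the IEC 61508-6 1oo2 form 2*((1-beta)*lam)^2*(T/2) + beta*lam.
    Using the larger rate in the common cause term for dissimilar channels is
    a conservative assumption made in this example.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    independent = (1.0 - beta) ** 2 * lam_a * lam_b * proof_test_interval_h
    common_cause = beta * max(lam_a, lam_b)
    return independent + common_cause


def apportionment_study(lam: float = 4e-7) -> Dict[str, int]:
    """Constructed example: two SIL 2 subsystems (lam = 4e-7 /h) in several arrangements."""
    return {
        "single subsystem": sil_from_rate(lam),
        "series": sil_from_rate(series_rate([lam, lam])),
        "parallel, yearly test, no CCF": sil_from_rate(parallel_rate(lam, lam, 8760, 0.0)),
        "parallel, 10-year test, no CCF": sil_from_rate(parallel_rate(lam, lam, 87600, 0.0)),
        "parallel, yearly test, beta=0.1": sil_from_rate(parallel_rate(lam, lam, 8760, 0.1)),
        "parallel, yearly test, beta=0.5": sil_from_rate(parallel_rate(lam, lam, 8760, 0.5)),
    }


if __name__ == "__main__":
    for arrangement, sil in apportionment_study().items():
        print(f"{arrangement:35s} -> SIL {sil}")
```

Run stand-alone, the script shows the behaviour the abstract describes: the series arrangement stays at SIL 2 (the minimum), while the parallel arrangement reaches SIL 3 with a yearly proof test and a 10 % common cause fraction, but gains nothing (stays at SIL 2) when beta is 0.5, and with no common cause contribution the result depends on the proof test interval (SIL 4 for yearly testing, SIL 3 for ten-yearly testing). The common cause term beta*lam dominates the independent term for realistic intervals, which is why the abstract insists that common cause failures must be taken into account before crediting a parallel arrangement with a higher SIL.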