Railway Safety Integrity Level (SIL)


Safety Integrity Level is defined in CENELEC standards EN 50126, EN 50128 and EN 50129. This article explains what these terms mean in the railway sector. To do this, we first introduce the concept of Safety Integrity (without "Level").

What is Safety Integrity?

Safety Integrity combines two basic concepts: integrity against systematic failures and integrity against random failures. Systematic failures are failures in specification, traceability, design, manufacturing and maintenance caused by a human error or an incorrect process. Random failures, in contrast, occur randomly due to failures of mechanical or electronic equipment, aging or wear.

Taking these two types of failure into account, Safety Integrity can be defined as the capacity (probability) of a system to perform the safety functions associated with its target, under specific conditions, in a predefined operating environment and for a certain period of time. In short, it is the system's ability to operate correctly (fulfilling its safety functions) without any of these failures occurring. Safety Integrity is measured in hours and is a value associated with a probability of occurrence.

Safety Integrity, and therefore the SIL of a railway system, is not associated with a product or system as a whole, but with closed and limited safety functions of a product or a system.

What is the SIL (Safety Integrity Level) of a rail system?

Safety Integrity Level is just a tabulation of Safety Integrity, which is divided into four discrete values (1 to 4):

This discretization into four levels is very convenient for defining Safety Integrity objectives, which is how Safety Integrity became Safety Integrity Level.

In the rail sector, this probability of occurrence, Pf (Probe failure), is often called THR (Tolerable Hazard Rate). THR is the probability considered acceptable for the occurrence of a potential hazard caused by one of the failures already mentioned.

This potential hazard "is protected by" a safety function, with an assigned SIL level. For instance:

  • potential hazard: the track circuit does not detect the occupation of a canton by a train.
  • safety function: the track circuit will correctly detect the shunt produced by a train wheel between the two rails.

As we might expect, the THR assigned to a potential hazard is determined by the party ultimately in charge of the installation, usually a railway infrastructure administration.
