
In railway operations, failure is not an option. That is why SIL certification in railway systems — Safety Integrity Level — sits at the foundation of every serious train control platform in the world.
A train running past a stop signal. A collision in a single-track corridor. A speed exceedance in a work zone. These are not theoretical risks — they are incidents that happen when safety systems fail or, worse, when no certified safety system exists at all.
Consequently, SIL certification is not a marketing badge or a compliance checkbox. Instead, it is a rigorous, independently verified guarantee that a system behaves safely under defined conditions — including when things go wrong.
This article explains what SIL certification in railway systems means, how each level is defined, what the certification process demands, and why it should be a hard requirement when evaluating any train protection or control system.
Safety Integrity Level is a measurement framework that IEC 61508 defines — and that its railway-specific counterpart, IEC 62279 / EN 50128, extends for rail environments. Specifically, it quantifies the reliability of a safety function: the probability that a system will perform its intended safety function on demand or within a given period of continuous operation.
In simpler terms, SIL expresses how unlikely a system is to fail at the moment it is called on to act.
There are four SIL levels, from SIL 1 (lowest) to SIL 4 (highest). Each step up represents a tenfold reduction in the acceptable probability of dangerous failure.
SIL 1: Probability of Failure on Demand (PFD) ≥ 10⁻² to < 10⁻¹ (1 in 10 to 1 in 100)
SIL 1 applies to safety functions where a failure would have limited consequences or where other independent safeguards exist. In a railway context, this level typically covers auxiliary monitoring systems or non-critical alarms that support — but do not substitute for — primary safety mechanisms.
SIL 2: PFD ≥ 10⁻³ to < 10⁻² (1 in 100 to 1 in 1,000)
SIL 2 is the minimum level appropriate for functions that directly prevent hazardous events in railway operations. Train protection kernels, interlocking logic, and movement authority systems typically operate at SIL 2. Moreover, a system that achieves this level has demonstrated through rigorous analysis that it will fail dangerously no more than once in every 1,000 demands — under worst-case conditions.
Active Rail Technology’s VISK (Virtual Interlocking Safety Kernel) holds SIL 2 certification as a generic product, and operators have proven it in live freight operations across multiple continents.
SIL 3: PFD ≥ 10⁻⁴ to < 10⁻³ (1 in 1,000 to 1 in 10,000)
SIL 3 applies to environments where a single failure could directly cause multiple fatalities or catastrophic infrastructure damage. As a result, heavy rail mainline signaling and certain interlocking systems in dense passenger networks often target this level.
SIL 4: PFD ≥ 10⁻⁵ to < 10⁻⁴ (1 in 10,000 to 1 in 100,000)
SIL 4 represents the highest integrity level in the framework. Engineers reserve it for safety functions where failure would be catastrophic and irreversible. Nuclear plant shutdown systems and certain aerospace-grade avionics also operate at this level. In railways, specifically, SIL 4 covers onboard protection systems where failure means uncontrolled train movement with no secondary backstop.
ART’s Active Train Protection onboard system delivers a SIL 4-ready configuration, allowing progressive certification without requiring a full rip-and-replace of existing infrastructure.
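As an added worked example (not code from this article or from Active Rail Technology), the Python below encodes the four low-demand PFD bands listed above, computes the average PFD of a single proof-tested channel from an assumed dangerous undetected failure rate, and shows that the proof-test interval has to shrink tenfold for each SIL step. The failure-rate figure and the 1oo1 channel model (the standard λ·T/2 approximation and its exact form) are assumptions, not figures from the page.

```python
import math

# Low-demand SIL bands as the page lists them (IEC 61508):
# SIL n holds when 10^-(n+1) <= PFD < 10^-n.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def sil_for_pfd(pfd: float) -> int:
    """Map an average PFD to the SIL band that contains it.

    Returns 0 when PFD >= 1e-1 (no SIL claim is possible). Values below
    1e-5 are capped at SIL 4: the framework defines no higher level.
    """
    if not 0.0 < pfd <= 1.0:
        raise ValueError("PFD must be a probability in (0, 1]")
    for level, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:  # lower bound inclusive, upper bound exclusive
            return level
    return 4 if pfd < 1e-5 else 0


def pfd_avg_1oo1(lambda_du: float, proof_test_hours: float) -> float:
    """Average PFD of a single channel (1oo1) with a constant dangerous
    undetected failure rate lambda_du (per hour) that is restored to
    as-new at every proof test. Exact form for a constant hazard rate;
    for small lambda*T it reduces to the familiar lambda*T/2."""
    x = lambda_du * proof_test_hours
    if x <= 0:
        raise ValueError("failure rate and interval must be positive")
    return 1.0 - (1.0 - math.exp(-x)) / x


def max_proof_test_interval(lambda_du: float, target_sil: int) -> float:
    """Longest proof-test interval (hours) at which a 1oo1 channel with
    rate lambda_du still sits inside the target SIL band, using the
    lambda*T/2 approximation (it overestimates PFD, so the result is
    on the safe side)."""
    upper = SIL_BANDS[target_sil][1]
    return 2.0 * upper / lambda_du


if __name__ == "__main__":
    # Constructed figures for illustration: one dangerous undetected
    # failure per million hours, proof-tested once a year.
    lam, interval = 1e-6, 8760.0
    pfd = pfd_avg_1oo1(lam, interval)
    print(f"PFD_avg = {pfd:.2e} -> SIL {sil_for_pfd(pfd)}")
    for sil in (2, 3, 4):
        hours = max_proof_test_interval(lam, sil)
        print(f"SIL {sil} needs a proof test at least every {hours:,.0f} h")
```

With the assumed rate, annual testing lands the channel at roughly 4.4e-3, inside SIL 2, while SIL 3 would need a test every 2,000 h and SIL 4 every 200 h: the same hardware cannot be pushed up a level by testing alone, which is why architecture (redundancy, diagnostics) carries the higher levels.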
General industrial safety standards (IEC 61508) provide the framework. However, railways operate under more specific standards: IEC 62279 (EN 50128) for software and EN 50129 for system-level safety. CENELEC (the European Committee for Electrotechnical Standardization) developed these standards specifically to address the complexity and risk profile of railway systems. You can consult the full IEC 62279 standard documentation published by the International Electrotechnical Commission for the complete technical specification.
The key difference is that railway standards explicitly account for:
Therefore, SIL certification in railway systems is not just about how rarely a system fails — it is about how engineers designed it, how they tested it, and what happens when a fault appears.
Achieving SIL certification is not a test you pass at the end of development. Instead, it is a discipline that teams embed throughout the entire system lifecycle. The process covers:
Before engineers write any software, a formal analysis identifies every way the system could fail, the consequences of each failure, and the risk reduction the project requires. This step determines what SIL level each safety function must achieve.
Teams document safety requirements with the precision necessary to verify them. Ambiguity is not acceptable in SIL-certified systems — consequently, every requirement must be testable and traceable.
The architecture must enforce separation between safety-critical and non-safety functions. Furthermore, engineers build in redundancy, diversity, and fault detection mechanisms from the start — not as afterthoughts.
An independent body — separate from the development team — reviews the design, the code, the test results, and the documentation. This is not internal QA. Rather, it is an adversarial review whose purpose is to find failure modes the developers missed.
The completed safety case presents a structured argument, backed by documented evidence, that the system achieves its required SIL level across all identified hazards. As a result, a regulator, operator, or independent assessor can review this document and verify the claim directly.
Certification does not end at deployment. In fact, any change to a SIL-certified system requires re-evaluation. This is why configuration management and change control are not administrative overhead — they are safety requirements.
For a railway operator, a SIL-certified control system delivers something that no uncertified system can replicate: a verifiable, independently validated safety claim.
This matters in several concrete ways:
Collision prevention with documented integrity. A SIL 2-certified movement authority system does not simply try to prevent collisions. Instead, it bounds the failure probability mathematically, enforces it architecturally, and verifies it independently. The difference between “we believe this is safe” and “we can demonstrate this is safe” is precisely the difference between SIL-certified and uncertified systems.
Regulatory compliance and liability. In most mature railway markets, SIL certification — or an equivalent national standard — is a prerequisite for network access or operating approval. Furthermore, even where regulators do not legally mandate it, the absence of a safety case creates significant liability exposure for operators, infrastructure managers, and technology providers alike.
Hybrid and mixed-fleet environments. SIL-certified systems maintain their safety properties even when operating alongside non-equipped assets. This is critical for freight networks in transition, where fully equipped and legacy consists share the same corridor. Specifically, ART’s Active Train Control System handles this through hybrid architecture — maintaining protection across equipped and non-equipped locomotives simultaneously.
Auditability and incident investigation. SIL-certified systems generate documented audit trails — event logs, authority records, and alarm histories — that satisfy both operational management requirements and post-incident investigation needs.
Some railway operators — particularly in developing markets or private industrial networks — continue to operate without certified train protection systems, relying instead on procedural controls, radio communications, and manual authority management.
The risk profile of this approach is well-documented. Specifically, it creates exposure to:
These are not edge cases. On the contrary, they are the documented causes of the majority of serious rail incidents in networks without certified protection systems.
As a result, the financial, reputational, and human cost of a single avoidable collision dwarfs the investment required to implement SIL-certified protection.
Modern train protection systems — including PTC (Positive Train Control) in North America and ETCS (European Train Control System) across Europe — build on SIL-certified foundations. They deliver their safety outcomes not because they are large, complex, or expensive, but because their teams designed, verified, and certified their safety functions to a defined integrity level.
Similarly, ART’s Active Train Control System delivers safety outcomes comparable to PTC and ETCS Level 2 architectures, without the complexity and rigidity of legacy OEM platforms. Engineers built it from the ground up for freight-focused, brownfield, and mixed-fleet environments — where progressive deployment, hybrid operation, and real-world communication constraints are the norm, not the exception.
Moreover, the system’s modular architecture — combining the SIL 2-certified VISK safety kernel with SIL 4-ready onboard protection — allows operators to implement certified safety progressively, protecting each phase of investment while building toward a fully communications-based architecture.
Active Rail Technology’s Active Train Control System is a proven operational foundation — deployed across multiple continents in mission-critical freight operations. It is built on a SIL 2-certified safety kernel with a clear upgrade path to SIL 4-ready onboard protection.
Active Rail Technology engineers mission-critical control and digital intelligence systems for safe, efficient, and profitable rail operations. Its systems are deployed in real rail networks across four continents.