IEC 61508 · IEC 61511 · Low demand · SIL 1–3

Your SIS projects. Documented, traceable. Ready for the next modification.

Enter your device data. SILVerify performs complete IEC 61508 / 61511 three-barrier SIL verification and generates a professional, FSA-ready report automatically. One session. No spreadsheets. No manual formatting.

Calculation engine validated against the IEC 61508-6:2010 B.3.2.4 reference example.
Real SIL 2 project · no personal data
✓ Free to try — explore the full tool on a sample SIL 2 project
✓ Built by an Exida CFSE and TÜV-certified Functional Safety Engineer
✓ Real SIL verification report included

3 · Barriers assessed
4 · Voting architectures
Frozen · Revision history
61508 + 61511 · Both standards

The spreadsheet isn’t the calculation problem. It’s everything that happens after the calculation.

The calculation finishes. Then comes the documentation.
Copy the results into Word. Rebuild the tables. Cross-reference every number. Reformat the template because a SIF changed. At £900–£1,200 per day, half a day on documentation is a workflow problem, not a billing problem.
A modification arrives. The process starts again.
A valve gets replaced. A proof test interval changes. You open the spreadsheet from eighteen months ago and spend two hours reconstructing what the inputs were, which version produced that number, and whether the report still reflects the current configuration.
Someone else has to pick it up.
The calculation made sense when you built it. Whether it still makes sense to an assessor, an auditor, or a colleague six months later is a different question. There’s no frozen snapshot. No revision log. Just a spreadsheet.

The problem isn’t your calculations. The problem is the workflow. Spreadsheets were never designed to produce auditable, client-ready verification documentation. SILVerify was.

Used on live nuclear defence projects
My default has always been a spreadsheet. It works, but the gap between a finished calculation and a finished report is where the time goes — and where the risk lives if someone else has to pick it up later. I used SILVerify on a live project and the report it produced was better structured than what I’d have written myself. Everything is traceable from input to conclusion. For anyone doing this work independently, it’s hard to justify the spreadsheet route once you’ve seen the alternative.
James Hewitt
Exida CFSP · Nuclear Defence

Three required barriers, plus explicit data uncertainty assessment. Achieved SIL is the minimum of the three barrier results. The limiting barrier is flagged automatically.

SILVerify assesses all three barriers required under IEC 61508 and IEC 61511, and documents data uncertainty per IEC 61511-1 §11.9.4.

Barrier 01 PFDavg

Random hardware reliability

PFDavg calculated from failure rates, diagnostic coverage, proof test coverage, proof test interval, and mission life. Uses the full IEC 61508-6 equation — including the residual failure term that most spreadsheet tools omit, and which dominates on long mission times with incomplete proof test coverage.

PFD_ch = λDU/2 × [PTC×T_I + (1−PTC)×L_T]
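The per-channel equation above, split into its proof-tested and residual parts. This is an added example, not SILVerify's own code; the function names and the sample inputs (λDU = 1e-6 per hour, PTC = 90%, yearly proof test, 20-year mission life) are constructed for illustration.

```python
HOURS_PER_YEAR = 8760


def pfd_channel(lambda_du, ptc, t_i, l_t):
    """Return (tested, residual, total) PFDavg terms for one channel.

    lambda_du: dangerous undetected failure rate [1/h]
    ptc:       proof test coverage, 0..1
    t_i:       proof test interval [h]
    l_t:       mission life [h]
    """
    if not 0.0 <= ptc <= 1.0:
        raise ValueError("proof test coverage must be between 0 and 1")
    if lambda_du < 0 or t_i <= 0 or l_t < t_i:
        raise ValueError("need lambda_du >= 0 and 0 < t_i <= l_t")
    tested = lambda_du / 2 * ptc * t_i          # failures the proof test reveals
    residual = lambda_du / 2 * (1 - ptc) * l_t  # failures never revealed before end of life
    return tested, residual, tested + residual


def residual_share(ptc, t_i, l_t):
    """Fraction of channel PFDavg owed to the residual term (lambda_du cancels out)."""
    tested, residual, total = pfd_channel(1.0, ptc, t_i, l_t)
    return residual / total


def crossover_mission_life(ptc, t_i):
    """Mission life [h] at which the residual term equals the proof-tested term."""
    if ptc >= 1.0:
        return float("inf")  # perfect proof test: no residual term at all
    return ptc * t_i / (1 - ptc)


if __name__ == "__main__":
    # Constructed inputs, not taken from a real device datasheet.
    lam, ptc, t_i, l_t = 1e-6, 0.90, 1 * HOURS_PER_YEAR, 20 * HOURS_PER_YEAR
    tested, residual, total = pfd_channel(lam, ptc, t_i, l_t)
    print(f"tested term   : {tested:.3e}")
    print(f"residual term : {residual:.3e}")
    print(f"channel PFDavg: {total:.3e}")
    print(f"residual share: {residual_share(ptc, t_i, l_t):.0%}")
    print(f"omitting it understates PFDavg by a factor of {total / tested:.2f}")
    print(f"crossover at {crossover_mission_life(ptc, t_i) / HOURS_PER_YEAR:.1f} years")
```

With these inputs the residual term overtakes the proof-tested term after 9 years and accounts for about 69% of the channel PFDavg at 20 years.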
Barrier 02 Route 1H

Architectural constraint

Safe Failure Fraction and Hardware Fault Tolerance assessed against the IEC 61508-2 Route 1H tables for Type A and Type B components. HFT is derived directly from the declared voting architecture — including the 2oo2 case where HFT = 0 and SIL 2 via Route 1H is not achievable.

Route 1H — Tables 2 & 3
HFT derived from voting architecture
Barrier 03 SC assessment

Systematic capability

Systematic Capability declared from IEC 61508 certification or prior use evidence. SC synthesis per IEC 61508 Clause 7.4.7 applied where channels have sufficient independence — raising effective SC of a redundant subsystem by one level, to a maximum of SC3.

SC synthesis: effective SC = channel SC + 1 (max SC3)
Additional — IEC 61511-1 §11.9.4 Data uncertainty

Data uncertainty assessment

Reliability data uncertainties assessed and documented automatically. The best estimate PFDavg is presented alongside an uncertainty band — lower and upper bounds calculated using a configurable uncertainty factor (default ×3, per IEC 61511-1 §11.9.4 guidance). A verdict is returned for each case: PASS with margin, PASS — marginal (warning only), or FAIL. The warning does not change the PASS/FAIL determination — it documents the engineering judgement that the design margin may be insufficient to absorb expected data variation.

→ The only SIL verification tool that documents data uncertainty per IEC 61511-1 §11.9.4 — automatically. No other tool currently implements this.
Three reasons the spreadsheet workflow doesn’t survive a real SIS project
Speed
Calculation and report in one session. No second pass, no copy-paste into Word, no rebuilding tables because a SIF changed. No hidden formulas — every intermediate value is shown and copied into the report automatically.
Compounding value
Your device library and failure rate register grow with every project. The second project takes a fraction of the time of the first. By the fifth project, most of the setup work is already done. That value lives in SILVerify — not a folder of spreadsheets on your desktop.
Modification management
Something changes on site. Update the input, generate a new revision. The previous report is frozen — a locked snapshot of the exact inputs that produced that result. Full audit trail created automatically. When a client asks which version of the calculation the report reflects, the answer is unambiguous.
No expensive annual licence
Traditional SIL software means a procurement process, a purchase order, and a four-figure annual commitment regardless of how many projects you actually run. SILVerify is £59/month flat — unlimited verifications, cancel anytime.

Every intermediate value shown. Full traceability from input data to final SIL determination.

Per-channel PFDavg, subsystem totals, relative contribution, three-barrier summary, uncertainty assessment, and achieved SIL — with the limiting subsystem flagged automatically.

SIF-004 · High-Reactor-Pressure Trip · Target SIL 2 · Rev 03 · SIL 2 PASS

| Subsystem | Architecture | PFDavg (channel) | Subsystem PFDavg | Contribution |
|---|---|---|---|---|
| Sensors (PT-001A/B) | 1oo2 | 3.68 × 10⁻⁴ | 1.77 × 10⁻⁴ | 3% |
| Logic Solver (LS-001) | 1oo1 | 6.17 × 10⁻⁴ | 6.17 × 10⁻⁴ | 12% |
| Final Elements (XV-001) | 1oo1 | 4.38 × 10⁻³ | 4.38 × 10⁻³ | 85% ⚠ |
| Total SIF PFDavg | | | 5.17 × 10⁻³ | SIL 2 ✓ |

⚠ Final elements contribute 85% of total PFDavg — limiting subsystem. Design changes should target final element architecture before any other subsystem.

Uncertainty assessment — IEC 61511-1 §11.9.4 · Uncertainty factor: ×3 (configurable) · PASS — MARGINAL
SIL 2 acceptance range: 1.00 × 10⁻³ — 1.00 × 10⁻²
Lower bound (÷3): 1.72 × 10⁻³
Best estimate PFDavg: 5.17 × 10⁻³
Upper bound (×3): 1.55 × 10⁻² ⚠ exceeds SIL 2 range
Verdict: PASS — marginal (warning only). Recommend targeting PFDavg ≤ 3.33 × 10⁻³ for full margin.
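The SIF-004 roll-up and uncertainty verdict above, reproduced as an added example (not SILVerify's own code). The subsystem values are the ones shown in the table; the function names and the exact verdict rule (marginal when the upper bound leaves the target band while the best estimate stays inside it) are assumptions inferred from this page.

```python
# Low demand PFDavg bands per SIL: (lower limit, upper limit).
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3)}


def roll_up(subsystems):
    """Sum subsystem PFDavg values; return total, per-subsystem share, limiting subsystem."""
    total = sum(subsystems.values())
    shares = {name: pfd / total for name, pfd in subsystems.items()}
    limiting = max(shares, key=shares.get)
    return total, shares, limiting


def sil_from_pfd(pfd):
    """Highest SIL (capped at 3) whose upper PFDavg limit is not reached; 0 if none."""
    for sil in (3, 2, 1):
        if pfd < SIL_BANDS[sil][1]:
            return sil
    return 0


def uncertainty_verdict(pfd, target_sil, factor=3.0):
    """Band the best estimate by /factor and *factor and judge it against the target SIL."""
    upper_limit = SIL_BANDS[target_sil][1]
    lower, upper = pfd / factor, pfd * factor
    if pfd >= upper_limit:
        verdict = "FAIL"
    elif upper >= upper_limit:
        verdict = "PASS (marginal)"  # warning only, PASS/FAIL is unchanged
    else:
        verdict = "PASS with margin"
    return {"lower": lower, "upper": upper, "verdict": verdict,
            "full_margin_pfd": upper_limit / factor}


# Subsystem PFDavg values from the SIF-004 table on this page.
SIF_004 = {
    "Sensors (PT-001A/B)": 1.77e-4,
    "Logic Solver (LS-001)": 6.17e-4,
    "Final Elements (XV-001)": 4.38e-3,
}

if __name__ == "__main__":
    total, shares, limiting = roll_up(SIF_004)
    for name, share in shares.items():
        print(f"{name:26s} {SIF_004[name]:.2e}  {share:4.0%}")
    print(f"Total {total:.2e} -> SIL {sil_from_pfd(total)}, limiting: {limiting}")
    result = uncertainty_verdict(total, target_sil=2)
    print(f"band {result['lower']:.2e} .. {result['upper']:.2e}: {result['verdict']}")
    print(f"full margin needs PFDavg <= {result['full_margin_pfd']:.2e}")
```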

All four voting architectures. Including 2oo2 — where the implications for Route 1H are handled correctly and documented in every report.

HFT is derived automatically from the declared architecture. The 2oo2 case — where HFT = 0 regardless of channel count — is assessed correctly and the architectural constraint consequence is stated explicitly in the report.

1oo1
HFT = 0

Single channel

Baseline single-channel architecture. One failure causes safety function loss. Standard for logic solvers and single-channel final elements where the reliability target is met without redundancy.

1oo2
HFT = 1

Most common sensor architecture

Two channels, either activates the function. One failure tolerated — HFT = 1. Improves both PFDavg and the architectural constraint position. Common cause failure (beta factor) required.

2oo2
HFT = 0

Availability improvement — not safety improvement

Both channels must function. HFT = 0 — identical to 1oo1. Reduces spurious trip rate but does not improve the safety architectural position. Selecting 2oo2 to improve a SIL claim via Route 1H is a common and costly design error.

⚠ Common source of error in manual calculations — documented in every SILVerify report
2oo3
HFT = 1

High availability and safety

Three channels, 2-of-3 voting. One failure tolerated — HFT = 1. Higher PFDavg than 1oo2 for identical channel failure rates. Beta factor required.
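How the HFT values above feed the architectural constraint and the three-barrier minimum, as an added example (not SILVerify's own code). The lookup follows IEC 61508-2 Route 1H Tables 2 and 3; the function names, the sample SFF of 85%, and treating "redundant" as HFT ≥ 1 for SC synthesis are assumptions made for this sketch.

```python
import re

# Route 1H: maximum SIL by SFF band (upper bound of band) and HFT 0/1/2. 0 = not allowed.
ROUTE_1H = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))],
    "B": [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))],
}


def hft_from_voting(voting):
    """HFT of an MooN architecture is N - M: the failures tolerated without losing the function."""
    match = re.fullmatch(r"(\d+)oo(\d+)", voting)
    if not match:
        raise ValueError(f"not an MooN architecture: {voting!r}")
    needed, channels = int(match[1]), int(match[2])
    if not 1 <= needed <= channels:
        raise ValueError(f"invalid voting: {voting!r}")
    return channels - needed


def route_1h_sil(component_type, sff, hft):
    """Maximum SIL claimable under Route 1H for a Type A or Type B subsystem."""
    for band_upper, row in ROUTE_1H[component_type]:
        if sff < band_upper:
            return row[min(hft, 2)]
    raise ValueError("SFF must be between 0 and 1")


def effective_sc(channel_sc, hft, independent):
    """SC synthesis: +1 level (max SC3) for a redundant subsystem with independent channels."""
    if hft >= 1 and independent:
        return min(channel_sc + 1, 3)
    return channel_sc


def achieved_sil(pfd_sil, arch_sil, sc):
    """Achieved SIL is the minimum of the three barriers; also name the limiting one."""
    barriers = {"PFDavg": pfd_sil, "Route 1H": arch_sil, "Systematic capability": sc}
    limiting = min(barriers, key=barriers.get)
    return barriers[limiting], limiting


if __name__ == "__main__":
    # Constructed case: Type B sensors, SFF 85%, SC2 channels, PFDavg in the SIL 2 band.
    for voting in ("1oo1", "1oo2", "2oo2", "2oo3"):
        hft = hft_from_voting(voting)
        arch = route_1h_sil("B", 0.85, hft)
        sc = effective_sc(2, hft, independent=True)
        print(voting, "HFT", hft, "Route 1H SIL", arch, "SC", sc, achieved_sil(2, arch, sc))
```

In this constructed case 2oo2 lands on the same Route 1H result as 1oo1 (SIL 1), so the architectural constraint becomes the limiting barrier even when PFDavg and SC both support SIL 2.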

A complete deliverable. Not a calculation printout — an FSA-ready verification document.

The report reads from a frozen input snapshot — it never re-queries live data. The document always represents the exact calculation run it was generated from. All previous reports are stored permanently and never overwritten.

SIF-004_SIL-Verification-Report_Rev03.docx
  • 01 Cover — project, engineer, revision, date. Your name on the document.
  • 02 Executive summary — every SIF, target vs achieved SIL at a glance.
  • 03 SIF descriptions — tag, hazard, demand rate, target SIL.
  • 04 Architecture — subsystem layout and channel count.
  • 05 Failure data — every channel input with source traceability.
  • 05b Reliability data justification — data source and site-specific justification per device (IEC 61511-1 §11.9.3)
  • 06 UPM / CCF — structured beta derivation and justification.
  • 07 Calculations — full workings with every intermediate value shown. No formula bar. No hidden cells.
  • 07b Uncertainty assessment — bounds, verdict, and engineering recommendation (IEC 61511-1 §11.9.4)
  • 08 Results — three-barrier summary. Limiting subsystem flagged automatically.
  • 09 Assumptions — documented assumptions and limitations.
  • 10 Scope statement — what was verified and what was not.
  • 11 Architectural constraint — Route 1H assessment per subsystem.
  • 12 Systematic capability — SC declaration and synthesis basis.
  • 13 Conclusion — three-barrier summary, unambiguous PASS / FAIL.
Calculation snapshot — frozen at Rev 03
Barrier 1 — PFDavg: 5.17 × 10⁻³ · SIL 2
Barrier 2 — Arch constraint: SIL 2 via Route 1H
Barrier 3 — Systematic cap: SC2 (all subsystems)
Uncertainty verdict: PASS — marginal ⚠
Achieved SIL: SIL 2 · PASS
Generated: 2026-04-08 · 09:41 UTC
Engineer: R. Kelly CFSE
Snapshot: Frozen at Rev 03
The report reads from a frozen input snapshot created at calculation time. It never re-queries live data — the document always represents the exact calculation run it was generated from, even if inputs have since been revised. Every revision is stored with its sequence number, date, and full parameter set.
Download example report (DOCX) → Real report · Reactor high-pressure trip · SIL 2 · PASS

Designed to do one thing correctly. Random hardware reliability for low demand SIS. Documented in every report.

SILVerify accelerates the work of a qualified functional safety engineer. It does not replace engineering judgement. Scope boundaries are explicit in every report it generates.

This is what SILVerify claims to do
IEC 61508 and IEC 61511 — both standards supported
Low demand mode — standard assumption for SIS
SIL 1, 2, and 3 — all three levels fully supported
Random hardware reliability — full PFDavg including residual term
Architectural constraint — Route 1H for Type A and Type B
Systematic capability — SC declaration and Clause 7.4.7 synthesis
Common cause failure — UPM assessment and manual beta entry
Data uncertainty assessment — IEC 61511-1 §11.9.4
Reliability data justification per device — §11.9.3
1oo1, 1oo2, 2oo2, 2oo3 voting architectures
Unlimited SIFs and projects per account
FSA-ready DOCX report with frozen snapshots and revision history
This is what you must cover elsewhere
SIL 4 — outside scope of this tool
High demand and continuous mode — not supported
Systematic failure avoidance — separate assessment required
Software safety integrity — IEC 61508 Part 3 not covered
Functional safety management — FSM process is separate
Process hazard analysis — HAZOP / LOPA outside scope
Proof test procedure adequacy — engineer confirmation required
Low demand assumption verification — engineer responsibility

Built for engineers doing the work. By an engineer who does too.

01 · Independent consultant

FS consultants

Delivering SIL verification on client projects across multiple sites and standards. SILVerify turns 2–4 days of calculation and writeup into a single session. The report goes to the client — complete, documented, signed by you.

02 · In-house engineer

Plant FS engineers

Managing a SIS on an operating facility. SILVerify provides a documented history of every calculation — essential when a modification is proposed, when regulatory inspection is imminent, or when a previous calculation needs to be defended.

03 · Consultancy practice

Engineering teams

Multiple engineers across multiple projects requiring consistent methodology and report format. Team licensing provides a shared tool and shared output format — ending the problem of reconciling three different engineers’ spreadsheet approaches on the same project.

A practising engineer. Who needed this tool and built it when it didn’t exist.

“I built SILVerify because I was sick of the workflow. The calculation was the easy part. Then came checking it again. Then the Word document. Then reformatting every table because a SIF changed. On a project with ten SIFs that process consumed days. SILVerify exists because that time belongs on the engineering, not the paperwork. The defensibility is the point — but getting your time back is a very close second.”

Richard Kelly — Functional Safety Consultant
Currently working on live nuclear projects
Exida CFSE and TÜV-certified Functional Safety Engineer
MEng Control and Instrumentation for Nuclear Engineering
20 years delivering functional safety on nuclear projects
Founder, Functional Safety Playbook

One price. Unlimited verifications. Stop paying for a licence you use three times a year.

SILVerify Individual
£59/mo
Or £590/year — less than £1.65 per day against a £900+ billing rate.
  • Unlimited SIL verification reports
  • Unlimited projects and SIFs
  • Full device library
  • Frozen revision history
  • Cancel anytime — start today
vs
Traditional SIL licence
£250+/mo
From £3,000/year — whether you use it or not.
  • Annual commitment regardless of usage
  • Procurement process + purchase order
  • Fixed cost in quiet months
  • Often a separate report workflow
  • Weeks to procurement approval
3–5 users · unlimited reports
£599/month · single invoice
Or £5,990/year — two months free
  • Everything in Individual
  • 3–5 named users on one account
  • Unlimited report generation included
  • Shared project library across the team
  • Consistent report format across all engineers
  • Admin user management
  • Single monthly or annual invoice
  • Priority support
Get team access — email Richard directly
Calculation accuracy guarantee
If SILVerify produces a result that does not match your manual calculation within normal rounding tolerance, contact us with your inputs. We will investigate, explain the discrepancy, and refund that month’s subscription if the error is on our side. A verification tool you cannot trust is a liability.
SILVerify is in early access. Engineers who subscribe now lock in the current rate permanently.

Common questions.

Does SILVerify replace the need for a qualified functional safety engineer?
No. SILVerify handles the calculation and the documentation. The engineering judgement — what the inputs should be, whether the scope is correct, what the result means for your installation — remains yours. The engineer of record is you.
How do I know the calculations are correct?
SILVerify applies the full IEC 61508-6 equations, including the residual failure term that many simplified tools omit. The engine has been validated against the IEC 61508-6:2010 Section B.3.2.4 reference example, with all three subsystem results matching to within rounding. Every intermediate value is shown in the results screen and carried through to the report.
Does SILVerify document data uncertainty and reliability data justification?
Yes. Per IEC 61511-1 §11.9.3, each device entry includes a data source and site-specific justification field — documented in a dedicated report section. Per §11.9.4, the uncertainty band is calculated automatically and a PASS / marginal / FAIL verdict returned. Both sections appear explicitly in every report.
What happens to my device library and project history between projects?
They stay exactly where you left them. Your failure rate register, device library, and project archive are always there when the next project lands. The second verification takes a fraction of the time of the first.
Can I reanalyse a SIF when something changes on site?
Yes. Update the input and generate a new revision. The previous report is frozen — a locked snapshot of the exact inputs that produced that result. Full audit trail created automatically. When a client asks which version of the calculation the report reflects, the answer is unambiguous.
Can I submit the report directly to clients or regulators?
Yes — it is designed as a professional deliverable structured for independent functional safety assessment. It includes a cover page, scope statement, assumptions register, full calculation workings, uncertainty assessment, and a clear PASS/FAIL conclusion. Your name is on it.
What happens to my verification history if I cancel?
Your history is stored and remains on the platform. On cancellation it becomes locked — resubscribing restores full access immediately. A 30-day export window is available after cancellation. Nothing is deleted.
Does it handle both IEC 61508 and IEC 61511?
Yes. You select the applicable standard when creating a project. IEC 61511 adds specific requirements around systematic capability per Clause 11.9 and data uncertainty per §11.9.4 — both flagged and documented explicitly in the report.
Can I try the tool before subscribing?
Yes. A sample project is included so you can explore the full calculation engine — all four architectures, all three barriers, uncertainty assessment, the full results breakdown. No time limit. To run a verification on your own project data and generate a report, choose a plan.
I have a question about a specific calculation or edge case.
Email richard@silverify.co.uk directly. He is the engineer who built the tool and currently uses it on live nuclear projects. Same day response during working hours.

Stop rebuilding your SIL verification from scratch every time.

Your device library keeps building value. Your project history is preserved. Your next modification takes minutes, not days.

See exactly what your clients would receive on a real SIL 2 example.