Glossary of functional safety standards

---

These functional safety standards deliver benefits to developers, system integrators and users. By following a standard, a development organization builds safer products. A system integrator can state its expectations to a supplier by requiring compliance with a standard. And users have fewer injuries and deaths. This section provides a list of functional safety standards.

IEC 61508 is the foundational source for good software methods, techniques and tools to support functional safety.

ISO 9001:2015 includes requirements for leadership, planning, support, operation, performance evaluation and continual improvement.

IEC/EN 62061 defines requirements for system-level design of safety-related electrical control systems in machinery and design of non-complex subsystems and devices.

Part 6 covers software and provides lists of recommended and highly recommended techniques for each automotive safety integrity level (ASIL). Only events deemed to be ASIL A, B, C or D need to comply with ISO 26262 .

IEC 62304 includes requirements for the software development process, software maintenance process, software configuration management process and software problem resolution process.

These two European standards (EN 5012x) define safety-related software process standards, hardware and approval processes for railway applications. EN 50128 provides process standards for software for railway control and protection systems. EN 50129 covers safety-related electronic systems for signaling.

This safety standard for agriculture and forestry equipment covers general principles for design and development, concept phase, series development for hardware and software, and processes for production, operation, modification and support.

IEC 61513 defines general requirements for systems important to safety in the nuclear power industry.

BlackBerry QNX is participating in the development of this automotive cybersecurity standard, which is expected to be released in 2020. ISO/SAE 21434 is bringing the auto industry together with the goal of developing reasonably secure vehicles and systems.

• Safety Integrity Level (SIL) 1, 2, 3, 4
  IEC 61508 bases SIL on the probability of failure per hour of operation.
• Automobile Safety Integrity Level (ASIL) A, B, C, D
  ISO 26262 calculates ASIL based on the severity of the injuries that could result from an event, the likelihood the event will occur in normal operation, and how many drivers could control the situation to avoid the injury.
• Medical Device Class A, B, C
  Under IEC 62304, medical devices are classified based on the amount of injury that could be caused to a patient, an operator or an onlooker.

• Dependability: The ability of the system to respond correctly to events in a timely manner, for as long as required. Dependability is a combination of system availability and reliability.
• Availability: How often the system responds to requests in a timely manner.
• Reliability: How often the system responses are correct.

A fault can lead to an error, which can lead to a system failure.

• Fault: A mistake in the code.
• Error: Undesired behavior caused by a fault in the code.
• Failure: The inability of the system to perform a required function due to an uncontained error.

Error recovery can prevent an error from becoming a failure:

• Backward error recovery: The system returns to a previous state.
• Forward error recovery: The system moves to a predefined state.

As illustrated in the following figure, an error at one level in a system may cause a fault at another. A fault in training could cause a software developer to make an error and insert a bug into the code, which ultimately results in a failure of the system.

Glossary of functional safety standards Safety integrity levels: ASIL, SIL and Class

Given ASIL is a relatively recent development, discussions of ASIL often compare its levels to levels defined in other well-established safety or quality management systems. In particular, the ASIL are compared to the SIL risk reduction levels defined in IEC 61508 and the Design Assurance Levels used in the context of DO-178C and DO-254. While there are some similarities, it is important to also understand the differences.

Approximate cross-domain mapping of ASIL

        Domain.                                                                    Domain-Specific Safety Levels

Automotive (ISO 26262)                                 QM          ASIL-A        ASIL-B/C.      ASIL-D.         X

General (IEC-61508) .                                          X            SIL-1.         SIL-2.              SIL-3.         SIL-4

Aviation (ED-12/DO-178/DO-254) .            DAL-E.    DAL-D.       DAL-C.            DAL-B.       DAL-A

Railway (CENELEC 50126/128/129) .           X           SIL-1.           SIL-2.             SIL-3.         SIL-4

The probability metric used in step 3 above depends on whether the functional component will be exposed to high or low demand:

• high demand is defined as more than once per year and low demand is defined as less than or equal to once per year (IEC-61508-4).
• For functions that operate continuously (continuous mode) or functions that operate frequently (high demand mode), SIL specifies an allowable frequency of dangerous failure.
• For functions that operate intermittently (low demand mode), SIL specifies an allowable probability that the function will fail to respond on demand.

Note the difference between function and system. The system implementing the function might be in operation frequently (like an ECU for deploying an air-bag), but the function (like air-bag deployment) might be in demand intermittently.

 SIL                            Low demand mode:                                         High demand or continuous mode:
             average probability of failure on demand       probability of dangerous failure per hour
  1                       ≥ 10−2 to < 10−1                                                                                 ≥ 10−6 to < 10−5

   2                       ≥ 10−3 to < 10−2                                                                                 ≥ 10−7 to < 10−6

   3                       ≥ 10−4 to < 10−3                               ≥ 10−8 to < 10−7 (1 dangerous failure in 1140 years)

   4                      ≥ 10−5 to < 10−4                                                                                  ≥ 10−9 to < 10−8

WIND RIVER VXWORKS 653 3.0 MULTI-CORE EDITION

ARINC 653/DO 178