I took my present job as the Functional Safety person for Analog Devices industrial products over six years ago. However before that I spent nine years in our automotive group where I learned a great deal about automotive EMC and started my functional safety career working on air bag sensors.
Up until 2011 automotive functional safety developments used IEC 61508 but in 2011 revision 1 of IS026262 was published followed by revision 2 at the end of 2018. I believe work has already begun on revision 3. ISO 26262 is the automotive interpretation of ISO 26262. If you don’t believe me see ISO 26262-1:2011, first line of the introduction. ISO 26262-10:2012 sub clause 4.1 is entitled “Functional Safety for automotive systems (relationship to IEC 61508)” and running to two pages.
Below are some of the claimed differences.
- IEC 61508 is designed for low volume systems
- The applications for IEC 61508 allow validation in the field
- IEC 61508 doesn’t specify any measures for distributed developments
- IEC 61508 doesn’t mandate a specific method to do a hazard analysis but ISO 26262 specifies a risk graph
- IEC 61508 is based on probability
- IEC 61508 doesn’t support continuous mode safety functions
Some of the comparisons listed I agree with but I don’t agree with others. The rest of this blog will discuss the differences that are most significant to me.
The first fact of note is the size of ISO 26262. Version 1 had 10 parts but version 2 was extended to include new parts dedicated to semiconductors and motor cycles. The 7 parts of IEC 61508 total around 650 pages but the first 11 parts of ISO 26262 alone total 760 pages. Most other domain specific interpretations of IEC 61508 are in just 1 part with IEC 61511 something of an outlier at 3 parts.
One of the more obvious differences is that automotive uses ASIL instead of SIL as a measure of the confidence in the safety to be achieved. ASIL simply stands for automotive safety integrity level. The next most obvious change is that while the automotive guys kept the four levels they call them A, B, C and D instead of SIL 1 through 4. I am told this was to avoid a false sense of quantification. ASIL D is approximately equal to SIL 3 on the basis that the maximum number of casualties in a car accident is probably less than six. There is no need for an equivalent of SIL 4 which typically is used in the rail, process control and nuclear industries where 10s, 100s or 1000s of people could die.
Additionally automotive has the rating of QM to reflect a part developed to the normal quality management systems, which is in effect the equivalent of SIL 0 (which does not exist but you know what I mean). However even with QM you still get all the rigor required for APQP (advanced product quality planning) including the need to do a DFMEA. For an automotive development the QM system is probably based on ISO/TS 16949 which is based on ISO 9001(used as base for most industrial quality management systems). Personally I like ASIL C in the sense that 99% diagnostic coverage is very hard to achieve in a single channel system but 97% is achievable with effort.
The next difference I want to discuss is SIL assignment. ISO 26262 specifies the use of a risk graph where exposure to the hazard, severity of injuries and controllability are combined in a table to yield the ASIL level.
In industrial, risk graphs are sometimes used, see for instance IEC 62061, but quantified methods are also used with engineering estimates of the exposed hours per year etc. IEC 61508 has to allow more methods because of its role as a basic safety standard suitable to be customized for different domains.
A key concept in IEC 61508 is that of a safety function. A safety function in industrial consists typically of a sensor, logic and actuator designed to achieve or maintain a safe state. Its closest equivalent in ISO 26262 is I believe the safety mechanism. Above the safety mechanism ISO 26262 talks about safety goals (high level safety objective) which leads to a functional safety concept which leads to a functional safety requirement which leads to a safety measure. Safety measures include safety mechanisms. In both cases the safety function or safety goal is to address a specific hazardous event.
The definitions of safe and dangerous failures are different between the two standards. The definition of a safe failure in ISO 26262 is closer to what was in IEC 61508 revision 1 before no effect failures were introduced. In effect under ISO 26262 if a failure isn’t dangerous it is safe. ISO 26262 also has the idea of a latent fault metric which is effectively diagnostics on your diagnostics. Within IEC 61508 the situation isn’t so clear with many arguing the definition of a dangerous failure requires the inclusion of diagnostics on your diagnostics and others arguing that since a failure of the diagnostics does not lead to an immediate failure of the safety function that this is not necessary. Further while industrial allows credit to be claimed for diagnostics running at 100x the demand rate there is no such allowance under ISO 26262. Following ISO 26262 to claim credit for a diagnostic the system needs to be able to achieve the safe state within the process safety time.
As regards redundancy and hardware fault tolerance, ISO 26262 has no idea of MooN architectures which seems like an omission for systems which need to fail safe and in some cases continue to operate in the presence of failures. The expectation seems to be that systems will be single channel while industrial and machine safety in particular is still heavily influence by EN 954 and a requirement for two channel safety. Where two channel safety is implemented IEC 61508 does allow a reduction in the diagnostic test rate which is useful but there is no obvious allowance available under ISO 26262. I also find the requirements in ISO 26262 related to ASIL decomposition much more complicated than what is in IEC 61508 but ISO26262 is more flexible in terms allowing things like ASIL A (D) + ASIL C (D) to make an ASIL D system whereas as synthesis of elements in IEC 61508 would restrict you to SIL 2 + SIL 2 = SIL 3 and not allow SIL 1 + SIL2 = SIL 3.
There are differences also to do with the environment. For instance a 20 year lifetime would not be an unusual requirement in industrial, with the equipment running 24 hours per day, every day. However lifetimes in automotive might only be effectively 6 months of operation over a 15 year lifetime. In fact for automotive a typical usage scenario is that the system powers on for an hour and then turns off for several hours. Effectively the duty cycle of operation is very low. This needs to be factored into any reliability predictions. Also every time the car is switched on is a great time to run diagnostics. A couple of tens of milliseconds probably won’t be noticed. This is especially useful to run diagnostics to help meet the latent fault metric. Down sides of automotive are that cars are mobile and therefore can get themselves into trouble. This is part of the reason that automotive has very strenuous EMC requirements. Another issue in automotive is that while in most industrial applications the users are highly trained supervised operators and engineers; in automotive you are dealing with Joe public. Therefore you could argue there is a much higher duty of care.
Some other differences that I don’t cover in detail include
- No idea of proof testing in automotive. Mostly of interest to process control in industrial.
- No low demand in automotive with everything effectively high or continuous demand (despite the fact that an airbag no fire hazard would be low demand according to IEC 61508)
- IEC 61508 has lots of support standards including IEC 61784-3 for networking but ISO 26262 has to handle everything
The above represents a rough summary in keeping with what can be achieved in a blog. What might appear like a deficiency in one of the standards may very well be mitigated by some other step in the application of the standard. Therefore it is wrong to view almost any of the techniques and measures without looking at the whole. All in all both standards have the same objective of keeping people safe and have probably a 90% overlap with work; however outstanding if you want to take a product developed for one domain and use it in the other. ISO 26262 does have some nice concepts such as SEooC (Safety Element out of Context) to represent a design where you don’t know how exactly it will be used in a final system, DIA (Development Interface Agreements), safety culture and others which I think would be a valuable additions to IEC 61508.
I can’t finish without complaining over the acronym FuSa. What was wrong with FS as an acronym for functional safety? I brought this up at an IEC 61508 working group meeting and everybody there denied ever even hearing of FuSa. I guess when you work in a semiconductor company you can’t avoid automotive functional safety.
In a future blog I will look at ISO 26262-11:2018 which has 185 pages of material dedicated to semiconductors. This compares to around 37 pages of semiconductor related content in IEC 61508:2010.
There are actually two videos to go with this blog. You need to watch them in the right order to get the maximum benefit. First the Lexus video – see https://www.youtube.com/watch?v=RsLNNkfSoYI and then the Audi response – see https://www.youtube.com/watch?v=XoQ71g5Mi8M
Note – this is the longest blog of almost 30 so far. Hopefully it was still worth reading to the end.