Every part of ISO 26262 has an introduction which beings with “ISO 26262 is the adaption of IEC 61508 to comply with needs specific to the application sector of electrical and/or electronic (E/E) systems within road vehicles.” This makes sense as IEC 61508 is designed as a basic safety standard and it is intended to be adapted for sector specific uses. It means ISO 26262 can focus on the needs of automotive without having to worry about machinery, trains, escalators, nuclear, avionics or process control.
Figure 1 - Front page of IEC 61508-1 highlighting its status as a basic safety standard
In the scope of IEC 61508 it clarifies what a basic safety standard is as shown below.
Figure 2 - description of a basic safety standard from IEC 61508 part 1
This means that IEC 61508 can form the basis for sector specific standards and where no such sector specific standards exist it can be used directly (see IEC 61508-0 4.7 and 4.8 for more). However, basic safety standards are not the topic of today’s blog. Rather it is the criticisms of IEC 61508 contained in ISO 26262-10:2011 and ISO 26262-10:2018 clause 4.1.
Based on 9 years working in our automotive group and the last 8 or 9 in our industrial group I believe some of those differences are outdated and wrong and in this blog I will discuss them. Some criticisms however are not without merit.
Figure 3 - Relevant section of ISO 26262 part 10
Let’s take the ISO 26262 objections one by one starting with the assertion that “IEC 61508 is based upon the model of “equipment under control””. I was all ready to refute this one, but this isn’t a great start as I detect 522 references to “EUC” across the English/French versions of IEC 61508.
Figure 4 - Equipment under control definition from IEC 61508-4:2010
When I go just to part 2 there “EUC” is mentioned 27 times in the English version. At this point I’m willing to concede that equipment under control is a big topic even for part 2. However the scope of part 2 is clearer in that sub-clause 1.1 b) and c) state “applies to any safety-related system, as defined by IEC 61508-1, that contains at least one electrical, electronic or programmable electronic element; applies to all elements within an E/E/PE safety-related system (including sensors, actuators and the operator interface);”. Perhaps I have got used to just ignoring all the references to EUC, but I will admit it looks bad, luckily it is clarified by the scope.
Figure 5 - a picture to illustrate the concept of EUC, EUC control system and E/E/PE safety-related system from the IEC 61508 FAQ
Another picture in the FAQ shows a picture where the ECU control system is safety related but the EUC is still shown as separate.
The next point just says that while IEC 61508 is flexible on which hazard analysis method you choose ISO 26262 insists on the risk graph matrix from ISO 26262-3. This is also true and perhaps the IEC 61508 FAQ says it best with “allows both quantitative and qualitative approaches (see annexes B, D, E, F and G of IEC 61508-5).”.
The next objection is to state the difference between the safety functions of IEC 61508 and the safety goals of ISO 26262. This I guess is somewhat true. ISO 26262 starts with a safety goal which leads to a functional safety concept which gives a functional safety requirement and eventually a safety mechanism to implement the goal. This safety mechanism is equivalent to the safety function from IEC 61508. I’m not sure these differences are real as in IEC 61508 you do a hazard analysis to identify the safety functions that are needed and other than ISO 26262 goes through more steps to get to the safety mechanism, I’m not sure it is that different in practice.
ISO 26262 also makes the point that in IEC 61508 the control system can be separate from the safety system or part of it but that in automotive the safety system is the control system. This is similar to the EUC discussion earlier. I find it hard to imagine that this separation always exists in ISO 26262, but it’s been 9 years so perhaps I am wrong. Interesting relevant guidance is found in the IEC FAQ available here.
Figure 6 - excerpt from the IEC 61508 FAQ
The next paragraph in ISO 26262 part 10 has two complaints. The first complaint is that EC 61508 is targeted at singular or low volume systems and two that it contains no requirements for production. As an IC manufacturer who develops ICs and sub-systems to IEC 61508, I certainly hope the low volume bit this isn’t true. As regards the production requirements at least for semiconductors there are manufacturing requirements in IEC 61508-2:2010 Annex F table F.1. However, while IEC 61508 claims to be a full life-cycle model from development to disposal the table of contents of IEC 61508-1 does show its strong relationship with the process sector which often has bespoke safety functions defined and implemented as one off solutions. The production requirements from ISO 26262-7 clause 7 definitely gives you a better feeling that ISO 26262 has considered high volume elements. However having said that the ISO 26262 guidance only runs to two pages.
Figure 7 - excerpt from IEC 61508-1 table of contents
Next ISO 26262 claims that IEC 61508 gives no guidance for distributed developments. With automotive it is clear that the safety goals are developed by the car manufacturers who then ask their suppliers to deliver various elements and sub-systems to meet the technical requirements needed to achieve the safety goals. The 8 parts (including part 0) of IEC 61508 contain 40 references to suppliers with IEC 61508-1:2010 sub-clause 6.2.17 stating “Suppliers providing products or services to an organization having overall responsibility for one or more phases of the overall, E/E/PE system or software safety life-cycles (see 6.2.1), shall deliver products or services as specified by that organization and shall have an appropriate quality management system.” Other requirements for suppliers include the necessity to supply a safety manual so therefore I am going to mark this one as not proven.
Next we get back to the hazard analysis where it states, “IEC 61508 does not contain normative requirements for hazard classification”. This is true BUT IEC 61508 doesn’t restrict a developer from using one provided it can be justified and IEC 61508 offers several examples in part 5. I am therefore going to rate this criticism as technically true but only because it says IEC 61508 doesn’t contain “normative” requirements.
Next it says ISO 26262 part 5 and 6 are adapted to “state of the art in the automotive industry”. I don’t believe that the set of techniques taken as a whole would deliver a system any more or less safe that following IEC 61508. In my view the differences are small.
Figure 8 - final criticism of IEC 61508
If I interpret this correctly then it is saying that the main requirement from IEC 61508 is to have a PFH or PFD below the limits given in IEC 61508-1:2010 tables 2 and 3 and that ISO 26262 cares more about systematic failure modes.
Figure 9 - table 3 of IEC 61508-2:2010
That you must meet a maximum PFH / PFD if following IEC 61508 is true but that is not the only requirement, additionally you must meet the requirements for systematic safety integrity. However, before I get to systematic errors there are very similar numbers to the above given in ISO 26262-5:2018.
Figure 10 - table 6 of ISO 26262-5:2010
I’m a bit out of my depth here but it appears that this table gives values, but alternative limits based on an existing system already in the field is allowed!
Anyway, getting back the criticism that IEC 61508 doesn’t care as much about systematic failures I note the below from IEC 61508-1:2010 and mark the ISO 26262 claim as not proven.
Figure 11 one excerpt from IEC 61508 related to systematic capability
I will concede one difference is that following IEC 61508 a quantitative hazard analysis and risk assessment will determine a maximum allowed PFH. Depending on which range from table 3 that allowed PFH falls in, we get the SIL which determines the set of measures which must be taken to prevent the introduction of systematic failures. In that way the measures to prevent systematic failures are linked to the PFH but generally systematic failures do not contribute to the PFH. However, in cases where the quantification of systematic failures is possible it would seem wrong to ignore them especially if that quantification indicated that the allowed PFH would be exceeded.
Note in a previous blog I covered the differences between IEC 61508 and ISO 26262.