Amf Aut T2713

ISO26262 AND IEC61508

FUNCTIONAL SAFETY
OVERVIEW
KAVYA PRABHA DIVAKARLA
SYSTEM ENGINEER
AUTOMOTIVE MICROCONTROLLER AND PROCESSORS
AMF-AUT-T2713 | JUNE 2017

NXP and the NXP logo are trademarks of NXP B.V. All other product or service names are the property
of their respective owners. © 2017 NXP B.V.
PUBLIC
AGENDA
1. Functional Safety Introduction
2. IEC 61508, ISO 26262 Introduction
3. Safety Integrity Levels
4. Hardware
5. Software
6. Tools
7. Customer Documents
8. What’s next

01.
Functional Safety
An Introduction to Functional Safety

What is functional Safety?
• ISO 26262 Definition:
− Absence of unacceptable risk due to hazards caused by malfunctioning behavior of
electrical and/or electronic systems and the interactions of these systems

• IEC 61508 Definition:
− Safety is the freedom from unacceptable risk of physical injury or of damage to the health
of people, either directly, or indirectly as a result of damage to property or to the
environment.
− Functional Safety is part of the overall safety that depends on a system or equipment
operating correctly in response to its inputs.

What is relevant to NXP is that, for the first time, these standards call out requirements for electronic components.

Functional Safety Basic Concepts
• All systems will have some inherent, quantifiable failure rate. It is not possible to
develop a system with zero failure rate.

• For each application, there is some tolerable failure rate which does not lead to
unacceptable risk.

• Acceptable failure rates vary per application, based on the potential for direct or
indirect physical injury in the event of system malfunction.

• The hazards and risks of applications can be analyzed and assigned categories
based on the level of acceptable risk. These categories are known as Safety
Integrity Levels, or SILs.

Terms & Definitions
• Fault
− Operational issue in a system which may lead to a failure
• Failure
− Result of a fault which leads to an inability to execute safety critical functionality
• Fault Tolerance
− Ability to continue safe operation after a fault
• Fail Safe System:
− System where a fault which may lead to failures is detected and the system is put into a safe state such that faults may not
propagate to other systems
• Fail Functional/Operational System
− System where a fault which may lead to failures is detected and the system can continue operation without loss of safety
function
• Reliability
− Ability to execute operations in system without failure (generally independent of consideration for a safety function)
• Availability
− Amount of time in which a safety function is available divided by total system operation time. Systems with high reliability
and fail functional systems tend to have higher availability than fail safe systems
• Security
− Ability to detect, resist, or prevent tampering with product functionality
• Dependability
− Availability + Reliability + Safety + Security + Maintainability

Safety Failures and their causes
Failures in a functional safety system can be broadly classified into two categories:
Systematic and Random failures.

• Systematic Failures
− Result from a failure in design or manufacturing
− Often a result of failure to follow best practices
− Occurrence of systematic failures can be reduced through continual and rigorous process
improvement and robust analysis of any new technology

• Random Failures
− Result from random defects or soft errors inherent to process or usage condition
− Rate of random faults cannot generally be reduced; focus must be on the detection and handling
of random faults to prevent application failure

Note: Software failures are considered to be systematic

Implementing Functional Safety is about
How products are developed:
• Addresses the aspect of Systematic Failures
− Result from a failure in design or manufacturing
− Relevant to Hardware and Software
− Occurrence of failures can be reduced through continual and rigorous process
improvement
Products that detect and handle faults:
• Addresses the aspect of Random Failures
− Inclusion of mechanisms to detect and handle random defects inherent to process or
usage condition
− Relevant to Hardware only
− Supported by FMEDA*, Dependency and Fault Tree Analysis and communicated as FIT*

* FMEDA – Failure Mode Effects and Diagnostic Analysis
* FIT – Failure in Time

Functional Safety is not
• Security
• Reliability
• Quality

Functional Safety Standards
Standard    Targeted End Equipment Applications
IEC 61508   Electrical, Electronic, Programmable Electronic Systems
ISO 26262   Road Vehicles (except Mopeds) up to 3500 kg*
EN 50129    Railway Signaling
ISO 22201   Elevator / Escalator
IEC 61511   Process Industry (Chemical, Oil Refining etc.)
IEC 61800   Adjustable speed AC motor drive
IEC 62061   Industry Machinery (electronics)
ISO 13849   Industry Machinery
IEC 60730   Automatic Controls for Household use

* Weight restriction will be removed in 2nd edition

02.
IEC 61508, ISO 26262 Introduction
Introduction to the standards and key concepts

IEC 61508 – Functional Safety of Electrical, Electronic, and
Programmable Electronic (E/E/PE) Systems
• Basic Safety Publication
• 1st edition in 1998, updated to 2nd edition in 2010.
• Performance based targets for both systematic and random failure management
• Covers safety management, system/HW design, SW design, production, and operation of safety critical E/E/PE systems

Scope of IEC 61508
• IEC 61508 has specific requirements for E/E/PE systems and SW
− In 1st edition, there is no recognition of HW beyond system level.
− In 2nd edition, HW component requirements are introduced for “ASICs”

• IEC 61508 definition of ASIC is not 100% clear. It can be interpreted to cover a number of
products:
− Custom ICs designed for a specific safety system
− Semi-custom ICs designed for a type of safety system
− FPGA, PLD, and CPLD devices

• A HW component compliant to IEC 61508 is called a “compliant item”

• For easy application to the largest market, new HW components should be developed as
IEC 61508 compliant items.

IEC 61508 Reading recommendation
• part 0, Technical Report: Functional Safety and IEC 61508
• part 1, General Requirements
• part 2, Requirements for E/E/PE Systems
• part 3, Software Requirements
• part 4, Definitions and Abbreviations
• part 5, Examples of Methods for the determination of Safety Integrity Levels
• part 6, Guidelines on the Application of IEC 61508-2 and IEC 61508-3
• part 7, Overview of Techniques and Measures

 = recommended;  = optional

ISO 26262 – Functional Safety of Road Vehicles
• Vertical standard, performance based.
• First edition published in 2011.
• Follows similar structure to IEC 61508, but totally replaces instead of augmenting.
• Separates system design from hardware component design. As a result, most components used require compliance.
• 2nd edition available in draft

ISO 26262 Reading recommendation
• part 1, Vocabulary
• part 2, Management of functional
safety
• part 3, Concept phase
• part 4, Product development: system
level
• part 5, Product development: HW level
• part 6, Product development: SW level
• part 7, Production and operation
• part 8, Supporting processes
• part 9, Safety analyses
• part 10, Guideline
• Part 11, Semiconductor Guideline*
• Part 12, Adaptation for Motor cycles*

* New to 2nd edition

 = recommended;  = optional
Scope of ISO 26262
• ISO 26262 addresses
− Safety-related systems including one or more E/E systems installed in series production
road vehicles (except Mopeds) with a maximum gross weight up to 3500 kg*.
• ISO 26262 does not address
− unique E/E systems in special purpose vehicles such as vehicles designed for drivers
with disabilities

For Vehicles (and their components) released for production prior to the publication date of
ISO 26262:
• Proven in use concept allows continued use of existing systems, sub-systems and
components only if no changes are made to the implementation

* Weight restriction will be removed in 2nd edition


Safety Lifecycle
(Figure: safety lifecycle diagrams of IEC 61508 and ISO 26262, shown side by side)

ISO 26262 Key Differences from IEC 61508
• ISO 26262 aligns with auto industry use cases and definition of acceptable risk

• IEC 61508 concept of safety function is replaced with ISO 26262 safety goals.
− Safety function concept was based on the idea of defining a system under control and then
“bolting-on” risk reduction measures
− Safety goal concept requires that risk reduction be part of the initial control system design

• Typical IEC 61508 systems are installed and then validated in place. ISO 26262 systems
must be validated before release to market.

• ISO 26262 standard clearly defines work products for each requirement. This makes
determination of compliance easier but limits flexibility of development system definition.

• ISO 26262 has hazard and risk analysis, failure rates and metrics adapted for Automotive
use cases.

03.
Safety Integrity Levels
Classification of functional safety products

Determining ISO 26262 ASIL Level
• To determine the ASIL level of a system a Risk Assessment must be performed for
all Hazards identified.
• Risk is comprised of three components: Severity, Exposure & Controllability

Hazard Risk = S x (E * C)

S = Severity
Class  Description
S0     No injuries
S1     Light and moderate injuries
S2     Severe and life-threatening injuries (survival probable)
S3     Life-threatening injuries (survival uncertain), fatal injuries

E = Exposure
Class  Description
E0     Incredible
E1     Very low probability
E2     Low probability
E3     Medium probability
E4     High probability

C = Controllability
Class  Description
C0     Controllable in general
C1     Simply controllable
C2     Normally controllable
C3     Difficult to control or uncontrollable

(Figure: causal factors 1..n of a hazard lead to an accident; each causal factor is addressed by a safety goal 1..n)

ASIL Determination Table
Risk = Severity x (Exposure * Controllability)

Severity                              Exposure      C1 Simply  C2 Normal  C3 Difficult
S1 Light and moderate injuries        E1 Very Low   QM         QM         QM
                                      E2 Low        QM         QM         QM
                                      E3 Medium     QM         QM         ASIL A
                                      E4 High       QM         ASIL A     ASIL B
S2 Severe and life-threatening        E1 Very Low   QM         QM         QM
   injuries (survival probable)       E2 Low        QM         QM         ASIL A
                                      E3 Medium     QM         ASIL A     ASIL B
                                      E4 High       ASIL A     ASIL B     ASIL C
S3 Life-threatening injuries          E1 Very Low   QM         QM         ASIL A
   (survival uncertain), fatal        E2 Low        QM         ASIL A     ASIL B
   injuries                           E3 Medium     ASIL A     ASIL B     ASIL C
                                      E4 High       ASIL B     ASIL C     ASIL D

Automotive Application Safety levels (e.g.)
Subsystem                            ASIL Safety Level
ADAS – Vision/Radar                  B-D
Airbags                              D
Alternator                           C-D
Body Control Module                  A-B
Brake System (ABS, ESC, Boost)       A-D+
Collision Warning                    A-B
Cruise Control                       A-D
Drowsiness Monitor                   A-B
E-Call / Telematics                  A-B
Fuel Pump                            B
Engine Oil Pump                      B
Electric Mirrors                     A-B
Electrochromatic Mirrors             A-B
Engine Control                       B-D
Lighting                             A-B
Night Vision                         A-B
Power Door, Liftgate, Roof, Trunk    A-B
Rain Sense Wipers                    A-B
Steering (EPS)                       D-D+
Throttle Control                     A-D
Tire Pressure Warning                A-B
Transmission                         B-D
Transmission Oil Pump                B-C
Window Lift                          A-B

• Many applications that don’t have strict safety requirements today may have them in the future.
• For example, SAE is providing guidelines for determining ASILs. Applying these guidelines will mean that auto apps that haven’t been “safety” to-date could be held subject to ISO 26262.
• Carmakers who require conformance will open a market window for safety-capable suppliers like NXP.

Safety – ISO 26262 Decomposition
Achieve an ASIL level with QM products
(Decomposition is more relevant at the system level vs. component level)
• It is possible to achieve an ASIL level by developing a subsystem of multiple
components which achieves the ASIL level as a whole.
• Decomposition redundantly assigns the same safety requirement to two
independent and diverse elements.

ASIL B = ASIL A + ASIL A
ASIL B = ASIL B + QM

• Enables the use of lower rated ASIL or QM products (from a systematic integrity
point of view).
• Key Point: Decomposition makes it possible to use components that achieve lower
ASIL independently.
Way to achieve Fault Metrics
• IO must be handled / checked by ASIL product
• Decision must be made / checked by ASIL product
• QM product must be TS-16949
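As an added worked example (not code from the NXP deck), the Python below encodes the ASIL determination table from the earlier slide, cross-checks it against the compact S+E+C sum rule the table follows, and lists the decomposition pairs of which the slide above shows the two ASIL B cases. Treating S0/E0/C0 as QM and the pairs for ASIL A, C and D are taken from ISO 26262-3 and ISO 26262-9 respectively, not from the slides; the hazard list at the bottom is constructed.

```python
from itertools import product

# Rows transcribed from the ASIL determination table on the slide:
# ASIL_TABLE[S][E] -> (result for C1, C2, C3)
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"),
        3: ("QM", "QM", "A"),  4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"),
        3: ("QM", "A", "B"),   4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"),  2: ("QM", "A", "B"),
        3: ("A", "B", "C"),    4: ("B", "C", "D")},
}

# Decomposition pairs per ASIL (ISO 26262-9 clause 5; the slide shows only
# the two ASIL B cases). Assumption from the standard, not from the deck.
DECOMPOSITION = {
    "D": [("C", "A"), ("B", "B"), ("D", "QM")],
    "C": [("B", "A"), ("C", "QM")],
    "B": [("A", "A"), ("B", "QM")],
    "A": [("A", "QM")],
}


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Return 'QM' or 'A'..'D' for one hazard classified as S/E/C.

    S0, E0 and C0 are not rows of the slide's table; ISO 26262-3 assigns
    no ASIL to them, so they are mapped to QM here (assumption).
    """
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("S must be 0..3, E 0..4 and C 0..3")
    if 0 in (severity, exposure, controllability):
        return "QM"
    return ASIL_TABLE[severity][exposure][controllability - 1]


def asil_by_sum(severity: int, exposure: int, controllability: int) -> str:
    """Compact form of the same table: QM for S+E+C <= 6, then A..D for 7..10."""
    if 0 in (severity, exposure, controllability):
        return "QM"
    total = severity + exposure + controllability
    return "QM" if total <= 6 else "ABCD"[total - 7]


def table_matches_sum_rule() -> bool:
    """Cross-check: every cell of the transcribed table obeys the sum rule."""
    return all(
        determine_asil(s, e, c) == asil_by_sum(s, e, c)
        for s, e, c in product(range(1, 4), range(1, 5), range(1, 4))
    )


def decomposition_options(asil: str) -> list:
    """Pairs of element ASILs that may jointly implement a requirement at `asil`."""
    return list(DECOMPOSITION.get(asil, []))


def classify_hazards(hazards: dict) -> dict:
    """Map hazard name -> ASIL for a dict of name -> (S, E, C)."""
    return {name: determine_asil(*sec) for name, sec in hazards.items()}


# Constructed illustration (invented hazard list, not from the deck).
EXAMPLE_HAZARDS = {
    "unintended full braking at speed": (3, 4, 3),
    "wiper stops in light rain": (1, 3, 1),
    "door lock fails while parked": (0, 4, 3),
}

if __name__ == "__main__":
    for name, asil in classify_hazards(EXAMPLE_HAZARDS).items():
        print(f"{name}: {asil}")
    print("table consistent with S+E+C rule:", table_matches_sum_rule())
    print("ASIL B decompositions:", decomposition_options("B"))
```

The sum rule is only a convenience for review: the transcribed table remains the reference, and `table_matches_sum_rule()` is there to catch a transcription error in either one.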
IEC 61508 Terminology for Safety Systems
• Low demand mode safety functions are required to operate at low frequencies,
typically once or so per year.

• High demand mode safety functions are required to operate at high frequencies,
typically many times per hour

• Continuous demand mode safety functions operate continuously.

• Hardware Fault Tolerance (HFT) is the number of faults that can occur without
failure of the safety function. HFT>0 requires redundancy.

• Safe Failure Fraction (SFF) is the ratio of safe and dangerous (but detected)
failures in a system safety function to the total failure rate

Determining IEC 61508 SIL

Likelihood    Definition                          Range (failures/year)
Frequent      Many times in system lifetime       > 10^-3
Probable      Several times in system lifetime    10^-3 to 10^-4
Occasional    Once in system lifetime             10^-4 to 10^-5
Remote        Unlikely in system lifetime         10^-5 to 10^-6
Improbable    Very unlikely to occur              10^-6 to 10^-7
Incredible    Cannot believe that it could occur  < 10^-7

Category      Definition
Catastrophic  Multiple loss of life
Critical      Loss of a single life
Marginal      Major injuries to one or more persons
Negligible    Minor injuries at worst

Risk class by likelihood (rows) and consequence (columns):
              Catastrophic  Critical  Marginal  Negligible
Frequent      I             I         I         II
Probable      I             I         II        III
Occasional    I             II        III       III
Remote        II            III       III       IV
Improbable    III           III       IV        IV
Incredible    IV            IV        IV        IV

• Class I: Unacceptable in any circumstance
• Class II: Undesirable, tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained
• Class III: Tolerable if the cost of risk reduction would exceed the improvement
• Class IV: Acceptable as it stands, though it may need to be monitored

SIL Requirements
• Low demand functions have less stringent requirements on PFDavg to achieve a specific SIL.
• High demand and continuous demand functions have more stringent requirements on PFH to achieve a specific SIL.
• Process and machinery applications mix low and high demand functions.
• Transportation applications are typically high demand.

Determination of SIL based on HFT and SFF
• Type A products are simple products in which all failure modes are known
• Type B products are complex products in which all failure modes are not known (e.g. semiconductor).
• Hardware Fault Tolerance (HFT) is the number of faults that can occur without failure of the safety function. HFT>0 requires redundancy.
• Safe Failure Fraction (SFF) is defined as the ratio of safe and dangerous (but detected) failures in a system safety function to the total failure rate
• SFF is calculated at element (component) or system level for a safety function. It should not be applied for sub-elements.

ISO 26262 vs IEC 61508 Safety Integrity Levels
• ISO 26262 was developed to meet automotive industry specific needs as replacement for IEC 61508.
• IEC 61508 defines 4 safety integrity levels (SIL1,2,3,4)
• ISO 26262 defines a Quality Managed level in addition to 4 safety integrity levels (ASIL A,B,C,D)
• There is no direct correlation between IEC 61508 SIL and ISO 26262 ASIL levels

(Figure: the two scales drawn side by side, for comparison only)
IEC 61508 SIL Levels    ISO 26262 ASIL Levels
                        QM (Quality Managed)
1                       A
2                       B
3                       C
4                       D

04.
Hardware
Expectations established on hardware development and products

ISO 26262 Failure Rates
Hardware Failure Modes

(Figure: the failure rate λ is split into non-safety-related faults, which are all safe faults, and safety-related faults, which are further split into safe faults, detected multiple point faults, perceived multiple point faults, latent multiple point faults, and residual / single point faults)

λSPF – Single Point Faults
λRF – Residual Faults
λMPFDP – Detected/Perceived Multi Point Faults
λMPFL – Latent Multi Point Faults
λMPF = λMPFDP + λMPFL – Multi Point Faults*
λS – Safe Faults
λ = λSPF + λRF + λMPF + λS

* multiple-point fault is an individual fault that, in combination with other independent faults, leads to a multiple-point failure

ISO 26262 Fault Metrics
Minimize single point and residual faults.
− Detected and handled by system within system safety response time.

Metric                      ASIL B   ASIL C   ASIL D
Single point fault metric

Minimize latent multi point faults.
− Detected and handled within hours through test algorithms.

Metric                      ASIL B   ASIL C   ASIL D
Latent fault metric

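As an added example (not code from the NXP deck), the Python below carries the failure-rate partition λ = λSPF + λRF + λMPF + λS from the previous slide into the two metrics this slide names. The SPFM and LFM formulas and the per-ASIL target values, which the slide's table leaves blank, are taken from ISO 26262-5 (Annex C and Tables 4 and 5) and are assumptions here; the FIT budgets of the two elements are constructed, not NXP data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ElementRates:
    """Failure-rate partition of one safety-related hardware element, in FIT
    (1 FIT = 1 failure per 1e9 device hours), using the slide's λ categories."""
    spf: float     # λSPF   single point faults
    rf: float      # λRF    residual faults
    mpf_dp: float  # λMPFDP detected/perceived multiple point faults
    mpf_l: float   # λMPFL  latent multiple point faults
    safe: float    # λS     safe faults

    @property
    def mpf(self) -> float:
        """λMPF = λMPFDP + λMPFL"""
        return self.mpf_dp + self.mpf_l

    @property
    def total(self) -> float:
        """λ = λSPF + λRF + λMPF + λS"""
        return self.spf + self.rf + self.mpf + self.safe


def single_point_fault_metric(elements) -> float:
    """SPFM = 1 - Σ(λSPF + λRF) / Σλ over the safety-related elements.
    Formula from ISO 26262-5 Annex C (assumption; the slide only names the metric)."""
    total = sum(e.total for e in elements)
    return 1.0 - sum(e.spf + e.rf for e in elements) / total


def latent_fault_metric(elements) -> float:
    """LFM = 1 - ΣλMPFL / Σ(λ - λSPF - λRF), again per ISO 26262-5 Annex C."""
    remaining = sum(e.total - e.spf - e.rf for e in elements)
    return 1.0 - sum(e.mpf_l for e in elements) / remaining


# Targets the slide's table leaves blank: ISO 26262-5 Tables 4 and 5
# (assumption from the standard, not from the deck).
SPFM_TARGET = {"B": 0.90, "C": 0.97, "D": 0.99}
LFM_TARGET = {"B": 0.60, "C": 0.80, "D": 0.90}


def highest_asil_supported(elements) -> str:
    """Highest ASIL whose SPFM and LFM targets both hold. Returns 'A' when
    none of the B/C/D targets is met, since ISO 26262-5 sets no metric
    target for ASIL A."""
    spfm = single_point_fault_metric(elements)
    lfm = latent_fault_metric(elements)
    for asil in ("D", "C", "B"):
        if spfm >= SPFM_TARGET[asil] and lfm >= LFM_TARGET[asil]:
            return asil
    return "A"


# Constructed FIT budgets for two hypothetical elements (not NXP data).
WELL_DIAGNOSED = ElementRates(spf=2, rf=3, mpf_dp=40, mpf_l=5, safe=950)
WEAKLY_DIAGNOSED = ElementRates(spf=50, rf=30, mpf_dp=100, mpf_l=120, safe=700)

if __name__ == "__main__":
    for name, elem in (("well diagnosed", WELL_DIAGNOSED),
                       ("weakly diagnosed", WEAKLY_DIAGNOSED)):
        print(f"{name}: λ={elem.total} FIT  "
              f"SPFM={single_point_fault_metric([elem]):.4f}  "
              f"LFM={latent_fault_metric([elem]):.4f}  "
              f"-> ASIL {highest_asil_supported([elem])}")
```

Both metrics are evaluated over the whole set of safety-related elements of a safety goal, which is why the functions take a list: a single weakly diagnosed element drags the combined SPFM of the pair below the ASIL C target even though the other element would reach ASIL D on its own.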
IEC 61508 Failure Rates

Failure Rate λ
• λS – Safe failure rate
− No impact on safety function
− λSD – Safe detected failure rate
− λSU – Safe undetected failure rate
• λD – Dangerous failure rate
− Impact on safety function
− λDD – Dangerous detected failure rate
− λDU – Dangerous undetected failure rate

λ = λS + λD = (λSD + λSU) + (λDD + λDU)

FIT = Failures In Time = 1 failure in 10^9 device hours

IEC 61508 Safe Failure Fraction & SIL Determination

Safe Failure Fraction (SFF) = 1 – λDU / λ

High Demand System
Hardware Fault Tolerance = 0 (single channel): 1 fault may lead to loss of safety function. Ex: 1oo1, 1oo1D, 2oo2…
Hardware Fault Tolerance = 1 (redundant): 2 or more faults needed for loss of safety function. Ex: 2oo3, 4oo5…

Safe Failure Fraction (High Demand System) vs. Hardware Fault Tolerance
SFF            HFT = 0   HFT = 1
0 … < 60%      -         SIL1
60% … < 90%    SIL1      SIL2
90% … < 99%    SIL2      SIL3
≥ 99%          SIL3      SIL4

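As an added example (not code from the NXP deck), the Python below implements the IEC 61508 partition λ = (λSD + λSU) + (λDD + λDU) from the previous slide, the SFF formula and the SFF/HFT table above, and the FIT conversion. The diagnostic-coverage function uses the IEC 61508-4 definition DC = λDD/λD, which is not on the slide, and the FIT budget of the channel is constructed.

```python
from dataclasses import dataclass

FIT_DEVICE_HOURS = 1e9  # 1 FIT = 1 failure in 1e9 device hours (previous slide)


@dataclass(frozen=True)
class ChannelRates:
    """IEC 61508 partition λ = (λSD + λSU) + (λDD + λDU), all in FIT."""
    sd: float  # λSD safe detected
    su: float  # λSU safe undetected
    dd: float  # λDD dangerous detected
    du: float  # λDU dangerous undetected

    @property
    def safe(self) -> float:
        return self.sd + self.su

    @property
    def dangerous(self) -> float:
        return self.dd + self.du

    @property
    def total(self) -> float:
        return self.safe + self.dangerous


def fit_to_failures_per_hour(fit: float) -> float:
    """Convert a FIT value to a per-hour failure rate."""
    return fit / FIT_DEVICE_HOURS


def safe_failure_fraction(r: ChannelRates) -> float:
    """SFF = 1 - λDU/λ, i.e. (λS + λDD)/λ as the slide's definition states."""
    return 1.0 - r.du / r.total


def diagnostic_coverage(r: ChannelRates) -> float:
    """DC = λDD/λD (IEC 61508-4 definition; assumption, not on the slide)."""
    return r.dd / r.dangerous


def sil_from_sff(sff: float, hft: int) -> int:
    """Maximum SIL claimable from the slide's SFF x HFT table for a high
    demand system. Returns 0 where the table shows '-' (no SIL claimable)."""
    if hft not in (0, 1):
        raise ValueError("the slide's table covers HFT 0 and 1 only")
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF is a fraction between 0 and 1")
    if sff < 0.60:
        band = 0
    elif sff < 0.90:
        band = 1
    elif sff < 0.99:
        band = 2
    else:
        band = 3
    # Each extra channel of hardware fault tolerance moves one row down the table.
    return band + hft


# Constructed FIT budget for a hypothetical single channel (not NXP data).
EXAMPLE_CHANNEL = ChannelRates(sd=200, su=100, dd=650, du=50)

if __name__ == "__main__":
    sff = safe_failure_fraction(EXAMPLE_CHANNEL)
    print(f"λ = {EXAMPLE_CHANNEL.total} FIT = "
          f"{fit_to_failures_per_hour(EXAMPLE_CHANNEL.total):.2e} failures/hour")
    print(f"SFF = {sff:.3f}, DC = {diagnostic_coverage(EXAMPLE_CHANNEL):.3f}")
    for hft in (0, 1):
        print(f"HFT = {hft}: SIL{sil_from_sff(sff, hft)}")
```

With the constructed budget the channel reaches an SFF of 95%, which the table places at SIL2 as a single channel (HFT = 0) and at SIL3 once a redundant channel (HFT = 1) is added; moving λDU into λDD through better diagnostics is the other lever, since only λDU lowers the SFF.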
05.
Software
Expectations established on software development and products

Software component development
Software failures are considered
to be systematic

IEC 61508

ISO 26262

Coding guidelines and design principles

IEC 61508

ISO 26262

Software error detection and handling

IEC 61508

ISO 26262

06.
Tools
Expectations established on software development tools

Tool Confidence Level ISO 26262

• Part 8: 11. Confidence in the use of software tools
• 11.4.5: Evaluation of a software tool by analysis
− Determine Tool Impact (TI): if a software tool can introduce or fail to detect errors in a safety-related
  · TI1: No impact
  · TI2: Impact
− Determine Tool Detection (TD) in usage of tool
  · TD1: HIGH probability of detecting/preventing potential tool errors
  · TD2: MEDIUM probability of detecting/preventing potential tool errors
  · TD3: All other cases (LOW/unknown)
− Determine the Tool Confidence Level (TCL)
• 11.4.6: Qualification of a software tool
− TCL1: no qualification needed
− TCL2, TCL3: qualification according to tables

Requirements for Software Tools and Programming Languages

IEC 61508

07.
Customer documents
Supporting documentation NXP provides to our customers to help in functional safety compliant development

NXP SafeAssure Products
To support the customer to build a safety system, the following deliverables
are provided as standard for all ISO 26262 developed products.

• Public Information available via NXP Website


− Quality Certificates
− Safety Manual* (HW and SW)
− Reference Manual
− Data Sheet

• Confidential Information available under NDA


− Safety Plan
− ISO 26262 Safety Case (HW and SW)
− Permanent Failure Rate data (Die & Package) - IEC/TR 62380 or SN29500
− Transient Failure Rate data (Die) - JEDEC Standard JESD89
− Safety Analysis (FMEDA*, DFA) & Report
− SW FMEA and Test Reports
− PPAP
− Confirmation Measures Report (summary of all applicable confirmation measures)

* includes IEC 61508 relevant data


08.
What’s next
ISO 26262 is going through a revision that will be incorporated into the next revision ISO 26262:2018

ISO 26262:2018
• Overall the 2018 ISO 26262 is an incremental improvement
− Very little new content towards fail operational / autonomous vehicles, indicating not yet mature enough in industry to standardize
− Part 11 guideline for Semiconductors
− Minor references to address interaction of Safety & Security

• New content in current draft (ISO 26262:2016)
− Scope now for series production road vehicles, except mopeds.
− Specific content added for Trucks, Buses, Trailers, Semitrailers and motorcycles (although very minimal)
− Part 11 guideline added for Semiconductors
− Part 12 added for motorcycles (mapping of MSIL to ASIL)
− Interaction between safety and security organizations mentioned (no specifics)
− Method for dependent failure analysis provided in multiple examples
− Guidance for fault tolerance

• Biggest impacts for NXP
− Part 2 changes for confirmation measures
− Part 8.13 changes for evaluation of hardware elements

• When do we implement 2018 content changes
− 25% already implemented
− 50% during BCaM7 (deploying in 2017)
− 25% in 2018