4.2: IEC 61508 Integration
Introduction
IEC 61508 "Functional safety of electrical/electronic/programmable electronic safety-related systems" is the foundational functional safety standard for industrial systems. ISO 26262 is derived from IEC 61508. This section shows how ASPICE integrates with IEC 61508 for industrial embedded systems.
IEC 61508 Overview
Standard Structure
| Part | Title | ASPICE Relevance |
|---|---|---|
| Part 1 | General requirements | Overall framework, definitions |
| Part 2 | Requirements for E/E/PE safety-related systems | SYS.2-5 (System level) |
| Part 3 | Software requirements | SWE.1-6 (PRIMARY FOCUS) |
| Part 4 | Definitions and abbreviations | Glossary (SIL, PFD, etc.) |
| Part 5 | Examples of methods for determination of safety integrity levels | Risk analysis methods |
| Part 6 | Guidelines on application of IEC 61508-2 and IEC 61508-3 | Implementation guidance |
| Part 7 | Overview of techniques and measures | Catalog of safety techniques |
SIL (Safety Integrity Level)
SIL vs ASIL Comparison
| Level | IEC 61508 (SIL) | ISO 26262 (ASIL) | PFH Target (per hour, continuous mode) |
|---|---|---|---|
| SIL 4 | Highest | (No direct equivalent — ASIL-D is the automotive ceiling) | ≥ 10^-9 to < 10^-8 |
| SIL 3 | High | ≈ ASIL-D | ≥ 10^-8 to < 10^-7 |
| SIL 2 | Medium | ≈ ASIL-C | ≥ 10^-7 to < 10^-6 |
| SIL 1 | Low | ≈ ASIL-A/B | ≥ 10^-6 to < 10^-5 |
| None | No safety function | QM (Quality Management) | No target |
Note: SIL-to-ASIL mappings are approximate. ISO 26262 explicitly states it is not a sector-specific standard derived from IEC 61508 alone, and the two risk models (ASIL from Severity × Exposure × Controllability vs. SIL from quantified failure rates) are not directly interchangeable. SIL 4 has no equivalent in ISO 26262 because ASIL-D is defined as the highest automotive integrity level.
Key Difference:
- ISO 26262 (ASIL): Risk-based qualitative classification (Severity × Exposure × Controllability)
- IEC 61508 (SIL): Quantitative failure rate targets (Probability of Failure on Demand / Probability of Dangerous Failure per Hour)
IEC 61508-3 Software Requirements
Software Safety Lifecycle
The following diagram maps the IEC 61508 Part 3 software safety lifecycle phases to their corresponding ASPICE processes, highlighting where the two frameworks align and where additional IEC 61508 activities are required.
| IEC 61508-3 Clause | ASPICE Process | Key Activities |
|---|---|---|
| 7.1 SW Safety Requirements | SWE.1 | Derive from system safety, specify requirements, traceability |
| 7.2 SW Architecture | SWE.2 | Design architecture, allocate to modules, define interfaces |
| 7.4 Module Design/Coding | SWE.3 | Detailed design, defensive programming, coding standards |
| 7.5 Module Testing | SWE.4 | Unit test with coverage, code review, static analysis |
| 7.6 SW Integration | SWE.5 | Incremental integration, interface testing |
| 7.7 HW/SW Integration | SWE.6 | Integrate with hardware, system functional testing |
| 7.8 SW Validation | SYS.5 | Validate safety requirements, independent assessment |
Perfect Alignment: IEC 61508-3 clauses map almost 1:1 to ASPICE SWE processes.
Key Differences: IEC 61508 vs ISO 26262
| Aspect | IEC 61508 (Industrial) | ISO 26262 (Automotive) |
|---|---|---|
| Domain | General (machines, process control, railways) | Automotive only |
| Risk Model | Failure rate (PFD, PFH) | Severity × Exposure × Controllability |
| Integrity Levels | SIL 1-4 (4 highest) | ASIL A-D (D highest) |
| Software Techniques | Broader range (Tables A.1-A.19) | Automotive-specific (e.g., AUTOSAR patterns) |
| Independence | SIL 3/4: Independent verification required | ASIL-C/D: Independent assessment required |
| Tool Qualification | Similar (T1-T3 confidence levels) | TCL 1-3 based on tool impact |
IEC 61508-3 Clause 7.4: Design and Coding Techniques
Recommended Techniques by SIL
Table A.4: Design and Coding Techniques
| Technique | SIL 1 | SIL 2 | SIL 3 | SIL 4 | ASPICE Integration |
|---|---|---|---|---|---|
| Structured programming | R | HR | HR | HR | SWE.3 BP1: Use structured design patterns |
| Modular approach | R | HR | HR | HR | SWE.2 BP1: Component-based architecture |
| Design and coding standards | R | HR | HR | HR | SWE.3 BP5: MISRA C, company coding standard |
| Defensive programming | -- | R | HR | HR | SWE.3 BP6: Input validation, assertion checks |
| Limited use of recursion | -- | -- | R | HR | SWE.3 BP5: MISRA rule (no recursion) |
| Limited use of pointers | -- | -- | R | HR | SWE.3 BP5: MISRA rules on pointer usage |
| Formal methods | NR | NR | R | HR | SWE.3 BP1: VDM, Z notation for SIL 4 |
Legend: HR = Highly Recommended, R = Recommended, NR = Not Recommended, -- = No recommendation
ASPICE Implementation:
- SIL 1/2: Standard ASPICE CL2 practices sufficient
- SIL 3: ASPICE CL3 + enhanced verification
- SIL 4: ASPICE CL3 + formal methods + independent verification
IEC 61508-3 Clause 7.5: Software Module Testing
Testing and Coverage Requirements
Table A.5: Software Module Testing and Verification
| Technique | SIL 1 | SIL 2 | SIL 3 | SIL 4 | ASPICE Integration |
|---|---|---|---|---|---|
| Boundary value analysis | HR | HR | HR | HR | SWE.4 BP2: Test edge cases |
| Equivalence classes | HR | HR | HR | HR | SWE.4 BP2: Partition input domain |
| Error guessing | HR | HR | HR | HR | SWE.4 BP2: Experience-based testing |
| Cause-effect graphing | R | R | R | R | SWE.4 BP2: Decision table testing |
| Performance testing | R | HR | HR | HR | SWE.4 BP3: Load/stress testing |
Table A.6: Software Module Coverage
| Coverage Metric | SIL 1 | SIL 2 | SIL 3 | SIL 4 | ASPICE Mapping |
|---|---|---|---|---|---|
| Statement coverage | HR | HR | R | -- | SWE.4 BP4: Minimum for SIL 1/2 |
| Branch coverage | R | HR | HR | R | SWE.4 BP4: Recommended for SIL 2/3 |
| MC/DC coverage | -- | R | HR | HR | SWE.4 BP4: Highly recommended SIL 3/4 |
| Path coverage | NR | NR | R | R | SWE.4 BP4: Consider for SIL 4 |
Coverage Requirements Summary (IEC 61508-3 Annex A — Highly Recommended targets):
- SIL 1: Statement coverage (HR); no specific percentage mandated — project must justify adequacy
- SIL 2: Branch/decision coverage (HR); statement coverage also HR
- SIL 3: MC/DC coverage (HR); branch coverage (HR)
- SIL 4: MC/DC coverage (HR) + additional measures (path coverage, formal verification)
Note: IEC 61508-3 Annex A defines techniques as HR (Highly Recommended), R (Recommended), or NR (Not Recommended). Specific coverage percentage targets are not mandated by the standard; they must be agreed in the software safety plan and justified based on the system's safety requirements.
Software Architecture Design (IEC 61508-3:7.4.2)
Architectural Patterns for Safety
Table A.3: Software Architecture and Design
| Technique | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Example |
|---|---|---|---|---|---|
| Diverse programming (dual-channel) | NR | R | HR | HR | Two independent implementations, compare outputs |
| Temporal redundancy | R | R | HR | HR | Repeat calculation, compare results |
| Defensive programming | -- | R | HR | HR | Input validation, range checks |
| Error detecting code | R | HR | HR | HR | CRC, checksum on data |
| Failure assertion programming | R | R | HR | HR | Runtime assertions with safe state transition |
ASPICE Integration (SWE.2):
- SIL 1/2: Single-channel architecture acceptable
- SIL 3/4: Dual-channel or 1oo2D (1 out of 2 with diagnostics) architecture
Example: SIL 3 Dual-Channel Architecture
/**
* @brief SIL 3 Dual-Channel Emergency Stop Logic
* Two independent channels calculate the same result; discrepancy triggers safe state
*/
// Channel A: Primary calculation
bool emergencyStopRequired_ChannelA(SensorData sensors) {
// Independent implementation #1
return (sensors.pressure > THRESHOLD_HIGH) || (sensors.temperature > THRESHOLD_TEMP);
}
// Channel B: Diverse implementation (different algorithm for same result)
bool emergencyStopRequired_ChannelB(SensorData sensors) {
// Independent implementation #2 (different logical structure)
bool pressureHigh = (sensors.pressure > THRESHOLD_HIGH);
bool temperatureHigh = (sensors.temperature > THRESHOLD_TEMP);
return pressureHigh || temperatureHigh;
}
// Comparator: Detect discrepancy between channels
void processEmergencyStop(SensorData sensors) {
bool channelA_result = emergencyStopRequired_ChannelA(sensors);
bool channelB_result = emergencyStopRequired_ChannelB(sensors);
if (channelA_result != channelB_result) {
// Discrepancy detected - transition to safe state
activateSafeState();
logDiscrepancyEvent();
} else if (channelA_result == true) {
// Both channels agree: Emergency stop required
activateEmergencyStop();
}
// else: Both channels agree emergency stop NOT required (continue normal operation)
}
Static Analysis (IEC 61508-3:7.4.4)
Static Analysis Requirements by SIL
Table A.4 (continued): Static Analysis
| Technique | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Tool Example |
|---|---|---|---|---|---|
| Control flow analysis | R | HR | HR | HR | Cppcheck, Coverity |
| Data flow analysis | R | HR | HR | HR | Coverity, Polyspace |
| Range checking | -- | R | HR | HR | Polyspace, Astrée |
| Worst-case execution time (WCET) | -- | R | HR | HR | aiT, RapiTime |
| Formal proof of correctness | NR | NR | R | HR | Frama-C, SPARK |
ASPICE Integration (SWE.3 BP7):
- All SIL levels: Coding standard checks (MISRA C)
- SIL 2+: Control flow + data flow analysis
- SIL 3/4: WCET analysis for real-time safety functions
- SIL 4: Consider formal verification
Example: Static Analysis Report (SIL 2)
# Static Analysis Report - SIL 2 Industrial Controller
## Tools Used
- Cppcheck v2.12 (control flow, MISRA C)
- Coverity 2024.3.0 (data flow, defect detection)
## Results Summary
| Category | Findings | Critical | High | Medium | Low |
|----------|----------|----------|------|--------|-----|
| Control Flow | 0 | 0 | 0 | 0 | 0 |
| Data Flow | 2 | 0 | 0 | 2 | 0 |
| MISRA C Violations | 5 | 0 | 0 | 3 | 2 |
| Buffer Overflows | 0 | 0 | 0 | 0 | 0 |
| Null Pointer Dereference | 0 | 0 | 0 | 0 | 0 |
## Critical Findings: None [PASS]
## Medium Severity Findings
### FINDING-001: Uninitialized Variable
**File**: `sensor_handler.c:142`
**Description**: Variable `sensorTimeout` used before initialization in edge case.
**Impact**: May lead to incorrect timeout calculation.
**Mitigation**: Initialize to default value at declaration.
**Status**: Fixed in commit abc123
### FINDING-002: MISRA C Rule 8.3 Violation
**Description**: Function declaration/definition parameter names differ.
**Impact**: Code readability (no functional impact).
**Mitigation**: Align parameter names in header and source.
**Status**: Fixed in commit def456
## Conclusion
All critical and high findings resolved. Medium findings are cosmetic or have minimal impact.
**SIL 2 Compliance**: [PASS] PASS
Independent Assessment (IEC 61508-1:8.3 and IEC 61508-3:7.16)
Independence Requirements by SIL
IEC 61508-1 Clause 8.3 requires a Functional Safety Assessment for all SIL levels. The required level of independence of the assessor scales with SIL:
| SIL | Independence Requirement (IEC 61508-1 Table 5) |
|---|---|
| SIL 1 | Independence from the direct design responsibilities (same company acceptable) |
| SIL 2 | Independence from direct design responsibilities; persons from different department or team |
| SIL 3 | Department or organizational unit independent from design/implementation |
| SIL 4 | Organization independent from the developer's company (external assessor) |
Note: "Independence" in IEC 61508 refers to freedom from involvement in the specific design activities being assessed, not necessarily organizational separation. SIL 1 internal review is acceptable provided the reviewer was not responsible for the specific work product being reviewed.
ASPICE Integration (SUP.1):
- SIL 1/2: Internal quality assurance with reviewer independence (SUP.1 BP4: Perform QA reviews)
- SIL 3: Independent QA department (separate reporting structure, different manager)
- SIL 4: External safety assessor (TÜV, UL, Bureau Veritas, etc.)
Independent Assessment Report Template (SIL 3):
# Independent Safety Assessment Report
## SIL 3 Emergency Shutdown System - v1.5
**Assessment Team**: Industrial Safety Dept (independent from development)
**Assessment Date**: 2025-12-15
**Assessor**: Dr. Safety Engineer (Certified IEC 61508 Expert)
### 1. Assessment Scope
**Work Products Reviewed**:
- Software Safety Requirements Specification (SSRS)
- Software Architecture Document (SAD)
- Source Code (15,000 lines C code)
- Unit Test Reports (MC/DC coverage)
- Integration Test Reports
- Static Analysis Reports
### 2. Findings Summary
| Category | Compliant | Non-Compliant | Observations |
|----------|-----------|---------------|--------------|
| Requirements (7.1) | [PASS] | - | All requirements traceable to hazards |
| Architecture (7.2) | [WARN] | 1 | Diversity not fully documented |
| Module Design (7.4) | [PASS] | - | Defensive programming applied |
| Module Testing (7.5) | [PASS] | - | 100% MC/DC coverage achieved |
| Integration (7.6) | [PASS] | - | Incremental integration strategy |
| Validation (7.8) | [WARN] | 1 | Missing environmental stress tests |
### 3. Non-Conformances
#### NC-001: Diversity Justification Missing [MAJOR]
**Clause**: IEC 61508-3:7.4.2.10 (Software diversity)
**Finding**: Dual-channel architecture claimed, but no documented evidence of diverse implementation between Channel A and Channel B.
**Impact**: Cannot claim credit for diversity in safety case.
**Recommendation**: Provide design rationale document showing different algorithms/implementations.
**Response Deadline**: 2025-12-22
#### NC-002: Environmental Stress Testing Not Performed [MINOR]
**Clause**: IEC 61508-3:7.7.2 (Integration testing)
**Finding**: Temperature cycling tests not conducted.
**Impact**: Low (software-only system, hardware tests cover this).
**Recommendation**: Add environmental stress tests OR justify exclusion in test plan.
**Response Deadline**: 2026-01-10
### 4. Recommendation
**Overall Assessment**: [WARN] **CONDITIONALLY COMPLIANT**
The software development process is generally compliant with IEC 61508-3 requirements for SIL 3. However, two non-conformances must be addressed before final approval.
**Next Steps**:
1. Development team resolves NC-001 and NC-002
2. Submit evidence to assessment team
3. Verification review (no full re-assessment needed)
**Approval**: Pending resolution of non-conformances
**Assessor Signature**: _______________ **Date**: 2025-12-15
Tool Qualification (IEC 61508-3:7.4.4.8)
Tool Confidence Levels
IEC 61508-3:2010, Clause 7.4.4.8 requires that software tools used to support the development and testing of the safety-related software be validated. The standard defines tool categories based on whether the tool can introduce errors into the safety-related software and whether those errors can be detected. While IEC 61508 does not use the precise TI/TD/TCL terminology of ISO 26262, the underlying risk logic is equivalent.
| Category | Definition | Qualification Required? |
|---|---|---|
| Category 1: No impact on executable code | Tool output does not contribute to executable code; errors manually verifiable | No formal qualification; document tool and version |
| Category 2: Moderate impact; errors detectable | Tool contributes to executable code but errors are detectable through other safety activities (e.g., testing, code review) | Validation required: demonstrate errors are detectable |
| Category 3: Direct impact; errors may be undetected | Tool contributes to executable code and errors may not be detected by other safety activities | Full qualification required: validation suite, known errors documented |
Example Classifications:
| Tool | Function | Category | Qualification? | Rationale |
|---|---|---|---|---|
| GCC Compiler (with SIL 2 test coverage) | Code generation | 2 | Yes (validation) | Demonstrate testing catches compiler errors |
| Polyspace | Static analysis | 2 | Yes (validation) | False negatives possible; supplement with code review |
| VectorCAST | MC/DC coverage | 3 | Yes (full) | Coverage data trusted as primary evidence |
| Git | Version control | 1 | No | Not in critical path; errors manually verifiable |
Note: Compared to ISO 26262, IEC 61508's tool qualification requirements are structurally equivalent: the key question is whether a tool error can propagate undetected to the safety-related output. SIL 3/4 projects should consider applying the ISO 26262 TCL framework as a structured implementation of IEC 61508-3 Clause 7.4.4.8 requirements, as it provides clearer classification criteria.
Summary
IEC 61508 Integration with ASPICE:
- Near-Perfect Alignment: IEC 61508-3 clauses map directly to ASPICE SWE.1-6
- SIL-Driven Rigor: SIL level determines verification intensity (coverage, reviews, independence)
- Technique Tables: IEC 61508-3 Part 7 Annex A provides catalog of methods (HR/R/NR)
- Dual-Channel Architecture: SIL 3/4 often require redundancy (1oo2D pattern)
- Static Analysis: Control/data flow analysis mandatory for SIL 2+
- Independent Assessment: SIL 3 requires independent department, SIL 4 requires external assessor
- Tool Qualification: T1-T3 confidence levels similar to ISO 26262 TCL 1-3
Key Difference from ISO 26262: Broader application (not automotive-specific), more flexible technique selection.