SPRADF6A December 2023 – May 2024 AM2432, AM2434, AM6421, AM6422, AM6441, AM6442


  Abstract
  1 Functional Safety Goals and Safety Concepts
  2 HARA and Safety Concept Assessment Stage
  3 SIL and ASIL Classification
  4 Random and Systematic Faults
  5 AM243x and AM64x: Safety Diagnostics and Examples
  6 AM243x and AM64x: Safety MCU With FFI Support
  7 Safety Element Out of Context
  8 Functional Safety Resources and Examples

SIL and ASIL Classification

For many industrial applications, SIL levels are used to classify hazards and to define the acceptable failure rates of the components that implement the safety concept. The criteria for assigning SIL levels are defined in the International Electrotechnical Commission (IEC) 61508 functional safety standard. IEC 61508 is used in many industries and covers safety-related systems that incorporate electrical, electronic, or programmable electronic (E/E/PE) devices, or any combination of the three.

In IEC 61508, each hazard is classified in terms of Consequence, Frequency and exposure time, Possibility of failing to avoid, and Probability of unwanted occurrence.

Figure 3-1 shows the risk graph used to rate each hazard from SIL 1 to SIL 4, where SIL 1 corresponds to the lowest risk of harm (and the smallest required risk reduction) and SIL 4 to the highest.

Figure 3-1 IEC 61508 Risk Graph, Hazard Classification Matrix

For automotive applications, ASIL levels are used to classify hazards and to define the acceptable failure rates of the components that implement the safety concept. The criteria for assigning ASIL levels are defined in the International Organization for Standardization (ISO) 26262 standard. IEC 61508 and ISO 26262 are similar in their objectives, but use different methodologies and different safety metrics.

ISO 26262 classifies each hazard using the Severity of harm, the probability of Exposure, and the Controllability, which is the degree to which the driver or other persons can avoid the harm. Using the matrix shown in Figure 3-2, each hazard is classified as quality managed (QM) or as one of four levels from ASIL A to ASIL D. A QM rating indicates that the identified hazard does not require a dedicated safety goal to reduce the risk, while an ASIL D rating indicates the highest potential risk of harm.

Note: For integrated circuits (ICs), the standard semiconductor quality-managed design and manufacturing processes are sufficient to support a QM rating.

Figure 3-2 ISO 26262 Hazard Classification Matrix

The FIT rate is a key compliance metric for defining acceptable risk levels in both IEC 61508 and ISO 26262. One FIT is defined as one Failure In Time per 10^9 hours of operation (that is, one failure per billion device-hours, or a failure rate of 10^-9 per hour).

Not all faults are equal in terms of potential harm, and faults are therefore classified into categories such as non-safety-related faults, detected safe faults, undetected safe faults, dangerous detected faults, and dangerous undetected faults. The critical category is the dangerous undetected fault. The other categories either have no effect on the safety function or are caught by diagnostics and mitigated before they can cause harm. The target FIT rate at the component level therefore bounds the rate of dangerous undetected faults that the component may exhibit over its operating life.

IEC 61508 SIL and ISO 26262 ASIL metrics are listed in Table 3-1 and Table 3-2.

Table 3-1 IEC 61508 SIL Metrics (Type B Systems)

SIL Level   HFT = 0                     HFT = 1
            PFH           SFF           PFH           SFF
SIL 1       ≤ 1000 FIT    ≥ 60%         ≤ 1000 FIT    < 60%
SIL 2       ≤ 100 FIT     ≥ 90%         ≤ 100 FIT     ≥ 60%
SIL 3       ≤ 10 FIT      ≥ 99%         ≤ 10 FIT      ≥ 90%
SIL 4       Not achievable              ≤ 1 FIT       ≥ 99%

Table 3-2 ISO 26262 ASIL Metrics

ASIL Level   PMHF          SPFM            LFM
ASIL A       ≤ 1000 FIT    Not specified   Not specified
ASIL B       ≤ 100 FIT     ≥ 90%           ≥ 60%
ASIL C       ≤ 100 FIT     ≥ 97%           ≥ 80%
ASIL D       ≤ 10 FIT      ≥ 99%           ≥ 90%

The IEC 61508 standard uses the Probability of dangerous Failure per Hour (PFH) to represent the average frequency of dangerous failures; for a single-channel element this is dominated by the dangerous undetected failure rate. The Safe Failure Fraction (SFF) is the share of the element's total failure rate that is not dangerous undetected, that is, (λS + λDD) / (λS + λDD + λDU), where λS, λDD and λDU are the safe, dangerous detected and dangerous undetected failure rates. Hardware Fault Tolerance (HFT) is the number of faults the architecture can tolerate without losing the safety function, and Table 3-1 shows that adding redundancy (HFT = 1) relaxes the SFF required for a given SIL.

Similar to the PFH metric, ISO 26262 uses the Probabilistic Metric for random Hardware Failures (PMHF) to represent the rate of failures that violate a safety goal, which is driven by the dangerous undetected (single-point and residual) failures. The Single-Point Fault Metric (SPFM) is analogous to SFF: it is the fraction of the total failure rate that is not a single-point or residual fault.

ISO 26262 adds a further metric that has no counterpart in IEC 61508: the Latent Fault Metric (LFM), which covers the diagnostic hardware itself. A fault in a diagnostic is considered latent because it is not detected during normal operation and only reveals itself when a failure that should have been detected is missed; by then a second fault can turn the latent fault into a dangerous one. To keep the latent failure rate low (and the LFM high), the diagnostic hardware must itself be designed with a high percentage of test coverage, for example by a self-test of the diagnostic at start-up, and be extensively tested prior to field deployment.
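As an added worked example (not code from the application note or from TI), the following Python computes the metrics discussed above from a failure-rate breakdown and checks the result against the limits of Table 3-1 and Table 3-2. The failure rates in main() are constructed for illustration. The PFH and PMHF used here are the simplified single-point estimates (the dangerous undetected rate alone); the full IEC 61508-6 and ISO 26262-10 formulas add terms for detected faults, repair and test intervals, and dual-point faults that are omitted here, and meeting the hardware metrics is only one of the conditions for a SIL or ASIL claim (systematic capability, process and verification requirements are separate).

```python
"""Hardware safety metrics (IEC 61508 / ISO 26262) from a failure-rate breakdown.

Added worked example; not code from the application note or from TI.
SFF and a simplified PFH follow IEC 61508-2; SPFM, LFM and a simplified PMHF
follow ISO 26262-5.  The SIL/ASIL limits are the values of Table 3-1 (Type B)
and Table 3-2.  All failure rates are in FIT (failures per 1e9 hours).
"""
from dataclasses import dataclass
from typing import Optional

FIT = 1e-9  # one Failure In Time expressed as a per-hour failure rate


@dataclass(frozen=True)
class FailureRates:
    """Element failure rates in FIT, split by the fault classes used in the text."""
    safe: float                  # lambda_S: no effect on the safety function
    dangerous_detected: float    # lambda_DD: dangerous, but a diagnostic catches it
    dangerous_undetected: float  # lambda_DU (ISO: single-point + residual faults)
    latent: float = 0.0          # ISO lambda_MPF,L: faults in diagnostics that stay hidden

    def __post_init__(self) -> None:
        if min(self.safe, self.dangerous_detected,
               self.dangerous_undetected, self.latent) < 0:
            raise ValueError("failure rates must be non-negative")
        if self.total == 0:
            raise ValueError("total failure rate must be positive")

    @property
    def total(self) -> float:
        return (self.safe + self.dangerous_detected
                + self.dangerous_undetected + self.latent)


# ---- IEC 61508 -----------------------------------------------------------
def sff(r: FailureRates) -> float:
    """Safe Failure Fraction: share of the total rate that is NOT dangerous undetected."""
    return (r.total - r.dangerous_undetected) / r.total


def pfh_fit(r: FailureRates) -> float:
    """Simplified PFH in FIT for one channel: lambda_DU only (assumption: high-demand
    mode, repair/detected-fault terms of the full formula dropped)."""
    return r.dangerous_undetected


# Table 3-1 (Type B): HFT -> {SIL: (max PFH in FIT, min SFF as a fraction)}.
# HFT = 1, SIL 1 accepts any SFF (the table's "< 60%"), hence a 0.0 minimum.
SIL_LIMITS = {
    0: {1: (1000, 0.60), 2: (100, 0.90), 3: (10, 0.99)},
    1: {1: (1000, 0.00), 2: (100, 0.60), 3: (10, 0.90), 4: (1, 0.99)},
}


def sil_level(r: FailureRates, hft: int = 0) -> int:
    """Highest SIL whose Table 3-1 row is met for the given HFT; 0 if none."""
    achieved = 0
    for sil, (max_pfh, min_sff) in sorted(SIL_LIMITS[hft].items()):
        if pfh_fit(r) <= max_pfh and sff(r) >= min_sff:
            achieved = sil  # rows are monotone, so the last match is the highest
    return achieved


# ---- ISO 26262 -----------------------------------------------------------
def spfm(r: FailureRates) -> float:
    """Single-Point Fault Metric: 1 - (single-point + residual) / total."""
    return 1.0 - r.dangerous_undetected / r.total


def lfm(r: FailureRates) -> float:
    """Latent Fault Metric: 1 - latent / (total - single-point - residual)."""
    return 1.0 - r.latent / (r.total - r.dangerous_undetected)


def pmhf_fit(r: FailureRates) -> float:
    """Simplified PMHF in FIT: single-point + residual rate (dual-point term dropped)."""
    return r.dangerous_undetected


# Table 3-2: (ASIL, max PMHF in FIT, min SPFM, min LFM); None = not specified.
ASIL_LIMITS = [("A", 1000, None, None), ("B", 100, 0.90, 0.60),
               ("C", 100, 0.97, 0.80), ("D", 10, 0.99, 0.90)]


def asil_level(r: FailureRates) -> Optional[str]:
    """Highest ASIL whose Table 3-2 row is met; None if not even ASIL A."""
    achieved = None
    for asil, max_pmhf, min_spfm, min_lfm in ASIL_LIMITS:
        if (pmhf_fit(r) <= max_pmhf
                and (min_spfm is None or spfm(r) >= min_spfm)
                and (min_lfm is None or lfm(r) >= min_lfm)):
            achieved = asil
    return achieved


def report(r: FailureRates) -> dict:
    return {"SFF": round(sff(r), 4), "PFH_FIT": pfh_fit(r),
            "SIL_HFT0": sil_level(r, 0), "SIL_HFT1": sil_level(r, 1),
            "SPFM": round(spfm(r), 4), "LFM": round(lfm(r), 4),
            "PMHF_FIT": pmhf_fit(r), "ASIL": asil_level(r)}


if __name__ == "__main__":
    # Constructed numbers: an element with 8 FIT of dangerous undetected failures.
    baseline = FailureRates(safe=300, dangerous_detected=150, dangerous_undetected=8, latent=5)
    # The same element after a diagnostic converts 5 FIT of DU into DD.
    improved = FailureRates(safe=300, dangerous_detected=155, dangerous_undetected=3, latent=5)
    for name, rates in (("baseline", baseline), ("improved", improved)):
        print(name, report(rates))
```

The two constructed cases show the point the text makes about diagnostics: moving 5 FIT from dangerous undetected to dangerous detected leaves the total failure rate unchanged but lifts SFF and SPFM past 99%, which takes the element from SIL 2 / ASIL C to SIL 3 (at HFT = 0) / ASIL D. A case with a low SFF also shows the HFT = 1 column of Table 3-1 accepting a SIL 1 claim that HFT = 0 rejects.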