ISO 26262 vs IEC 61508: Detailed Comparison (ASIL vs SIL, Metrics & Lifecycle)

Hello, functional safety engineers working across automotive and industrial domains! If you have experience with ISO 26262 and are exploring IEC 61508, or if you come from an industrial background and are transitioning into automotive, understanding the relationship and differences between these two standards is essential. ISO 26262 is formally described as “an adaptation of IEC 61508 for the automotive sector” – but the adaptation introduced so many automotive-specific changes that the two standards are quite different in practice.

[Diagram: ISO 26262 vs IEC 61508 comparison – ASIL vs SIL levels, hardware metrics (SPFM, LFM, PMHF vs SFF, PFH) and safety lifecycle differences]

In this detailed comparison at PiEmbSysTech, we will systematically examine every major dimension where these standards differ – from scope and terminology, through risk classification and hardware metrics, to safety lifecycle structure, decomposition rules, and tool qualification. Let us begin.

    1. The Parent-Child Relationship

    IEC 61508 is the generic international standard for functional safety of electrical, electronic, and programmable electronic (E/E/PE) safety-related systems. Published by the IEC (International Electrotechnical Commission), it is intended to be a foundational standard from which domain-specific standards are derived. ISO 26262 is explicitly described as “the adaptation of IEC 61508 to comply with needs specific to the application sector of E/E systems within road vehicles.”

    However, ISO 26262 does not claim compliance with IEC 61508 and does not list IEC 61508 as a normative reference. Unlike most other domain-specific adaptations (such as IEC 61511 for process industry or EN 50129 for railways), ISO 26262 took the IEC 61508 foundation and substantially reworked it for the automotive context – introducing new terminology, new metrics, new risk classification methods, and automotive-specific requirements that go well beyond a simple “adaptation.”

    2. Scope – Automotive vs Generic Industrial

    IEC 61508: Applies to all industries – process, machinery, energy, rail, medical, and any other domain where E/E/PE systems perform safety functions. It is intentionally broad and generic, providing a framework that can be tailored for specific domains.

    ISO 26262: Applies exclusively to road vehicles (excluding mopeds). The second edition (2018) extended the scope from passenger cars under 3,500 kg to all road vehicles including trucks, buses, trailers, and motorcycles. ISO 26262 addresses only safety-related E/E systems installed in series production vehicles – it does not cover one-off prototype vehicles or non-road vehicles.

    3. Standard Structure – 12 Parts vs 7 Parts

    IEC 61508 consists of 7 parts totaling approximately 650 pages. ISO 26262 consists of 12 parts totaling approximately 800+ pages – significantly more detailed, reflecting the automotive industry’s need for prescriptive guidance rather than the generic framework approach of IEC 61508. The additional parts in ISO 26262 cover areas not separately addressed in IEC 61508, including a dedicated part for semiconductors (Part 11), a dedicated part for motorcycles (Part 12), and a more extensive guidelines and interpretation part (Part 10).

    4. Terminology Differences – Key Vocabulary Mapping

    ISO 26262 Term | IEC 61508 Equivalent | Notes
    ASIL (A, B, C, D) | SIL (1, 2, 3, 4) | ASIL is qualitative; SIL is quantitative (target failure rates)
    QM (Quality Management) | No direct equivalent | IEC 61508 does not define a “below SIL 1” classification
    Safety goal | Safety function (at the highest level) | ISO 26262 safety goals are more abstract; IEC 61508 safety functions include implementation
    Safety mechanism | Safety function / diagnostic function | ISO 26262 safety mechanism is internal to the item; IEC 61508 safety function is often a separate system
    Item | Equipment Under Control (EUC) + safety system | ISO 26262 “item” encompasses both the function and its safety measures
    HARA | Hazard and risk analysis (general term) | ISO 26262 HARA uses S, E, C parameters; IEC 61508 allows various risk assessment methods
    SPFM / LFM | SFF (Safe Failure Fraction) | Different metrics – see Section 8
    PMHF | PFH (Probability of dangerous Failure per Hour) | Conceptually similar; different calculation details
    ASIL decomposition | SIL claiming / architectural constraints | Different rules – ISO 26262 is more flexible
    SEooC | No direct equivalent | IEC 61508 has “proven-in-use” but not the same SEooC concept
    Controllability (C) | No direct equivalent | Unique to automotive – reflects the driver’s ability to intervene

    5. Risk Classification – ASIL vs SIL

    ASIL (Automotive Safety Integrity Level): A qualitative risk classification determined through HARA using three parameters – Severity (S0–S3), Exposure (E0–E4), and Controllability (C0–C3). The ASIL represents the degree of rigor required in development to avoid unreasonable residual risk. There are four levels: ASIL A (lowest) through ASIL D (highest), plus QM for non-safety-relevant functions.

    SIL (Safety Integrity Level): A quantitative risk classification that specifies a target failure rate for the safety function. SIL is determined through a quantitative risk analysis that estimates the required risk reduction. There are four levels: SIL 1 (lowest) through SIL 4 (highest). SIL 4 demands a target PFH of less than 10⁻⁸ per hour – a level of rigor that has no direct equivalent in ISO 26262 (ASIL D demands <10⁻⁸ PMHF, which is comparable to SIL 3, not SIL 4).

    The fundamental difference: ASIL is a qualitative statement about required development rigor based on assessed risk factors. SIL is a quantitative target for the probability of dangerous failure per hour, from which the required development rigor is determined.

    6. ASIL-to-SIL Approximate Mapping

    ISO 26262 does not provide an official mapping between ASIL and SIL. However, the following approximate comparison is commonly referenced in industry literature:

    ISO 26262 | IEC 61508 | Approximate PFH Target
    QM | Below SIL 1 | No target
    ASIL A | ~SIL 1 | <10⁻⁵ /h
    ASIL B | ~SIL 2 | <10⁻⁶ /h
    ASIL C | ~SIL 2/3 | <10⁻⁷ /h
    ASIL D | ~SIL 3 | <10⁻⁸ /h
    No equivalent | SIL 4 | <10⁻⁹ /h

    Key insight: ASIL D corresponds approximately to SIL 3, not SIL 4. The rationale is that the maximum number of casualties in a typical automotive accident is limited (typically fewer than 6 people), whereas industrial accidents (chemical plant explosions, nuclear events) can affect hundreds or thousands of people – justifying the SIL 4 level that has no automotive equivalent. ISO 26262 does not have a level equivalent to SIL 4.

    7. Hazard Assessment – HARA vs Risk Graph

    ISO 26262: Uses a prescriptive HARA process with three specific parameters (Severity, Exposure, Controllability) combined in a fixed lookup table to determine the ASIL. The Controllability parameter – the probability that the driver can prevent the harm – is unique to automotive and has no equivalent in IEC 61508.

    IEC 61508: Allows multiple risk assessment methods – risk graphs, quantitative risk analysis, hazard and operability studies (HAZOP), and other methods appropriate to the specific industry. IEC 61508 is more flexible because it must accommodate diverse industries, but this flexibility means less prescriptive guidance for any specific domain.

    8. Hardware Metrics – SPFM/LFM/PMHF vs SFF/PFH

    This is one of the most significant technical differences between the two standards.

    ISO 26262 uses three metrics: SPFM (Single Point Fault Metric) measuring the proportion of single-point failures covered by safety mechanisms, LFM (Latent Fault Metric) measuring the proportion of latent faults detected by diagnostics, and PMHF (Probabilistic Metric for random Hardware Failures) measuring the overall probability of safety goal violation per hour due to random hardware failures.

    IEC 61508 uses two primary metrics: SFF (Safe Failure Fraction) – the fraction of the overall failure rate that is either safe or detected, and PFH (Probability of dangerous Failure per Hour) for high-demand/continuous-mode systems.

    The key difference is that ISO 26262 explicitly separates single-point faults (SPFM) from latent faults (LFM), providing more granular insight into the hardware architecture’s safety characteristics. IEC 61508’s SFF combines all failure categories into a single metric, which can mask architectural weaknesses – a system with a high SFF may still have significant latent fault exposure. The introduction of SPFM and LFM in ISO 26262 was a deliberate improvement over the SFF approach.

    Additionally, IEC 61508 uses SFF in combination with Hardware Fault Tolerance (HFT) to determine architectural constraints – a concept absent from ISO 26262. In IEC 61508, a SIL 3 system with HFT=0 requires SFF ≥99%, while HFT=1 requires only SFF ≥90%. ISO 26262 does not use the HFT concept.

    9. Architecture – No MooN in ISO 26262

    IEC 61508 defines MooN (M-out-of-N) architectures – such as 1oo1 (single channel), 1oo2 (two redundant channels, one must succeed), 2oo3 (three channels, two must agree). These architectural patterns are fundamental to industrial safety system design and directly influence the SIL achievable with a given SFF. ISO 26262 does not use the MooN architecture concept. Instead, it uses a more abstract approach through safety mechanisms, ASIL decomposition, and freedom from interference. The automotive industry’s expectation has traditionally been single-channel systems with internal diagnostics, though dual-channel architectures are increasingly common for ASIL D applications such as EPS (electric power steering) and autonomous driving functions.

    10. Decomposition – ASIL Decomposition vs SIL Stacking

    ASIL decomposition in ISO 26262 is more flexible than the corresponding concept in IEC 61508. ISO 26262 allows asymmetric decompositions such as ASIL A(D) + ASIL C(D) = ASIL D, which permits two elements of different ASILs to combine. IEC 61508 is more restrictive – it typically allows only symmetric stacking (e.g., SIL 2 + SIL 2 = SIL 3) and does not permit SIL 1 + SIL 2 = SIL 3. This greater flexibility in ISO 26262 enables more creative and cost-effective architectural solutions but requires more sophisticated dependent failure analysis to justify the independence of asymmetric elements.

    11. Software Development Requirements

    Both standards require ASIL/SIL-dependent software development methods. The specific tables of recommended methods (coding standards, testing methods, structural coverage) are broadly similar in structure, but ISO 26262 Part 6 provides significantly more detailed automotive-specific guidance – including explicit reference to MISRA C/C++ coding standards, model-based development and back-to-back testing guidance, and detailed structural coverage requirements (statement, branch, MC/DC). IEC 61508 Part 3 provides more generic software development guidance that must be interpreted for the specific application domain.

    12. Hardware Development Requirements

    ISO 26262 Part 5 provides detailed guidance on hardware safety evaluation with its three-metric approach (SPFM, LFM, PMHF), failure classification into six categories (safe, SPF, residual, detected MPF, perceived MPF, latent MPF), and FMEDA as the primary analysis method. IEC 61508 uses a simpler two-category classification (safe vs dangerous failures, with sub-categories for detected vs undetected), SFF as the primary architectural metric, and PFH as the probabilistic target. The ISO 26262 approach is more granular and provides better architectural insight, while the IEC 61508 approach is simpler but less discriminating.
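    As an added example (not from the article and not the text of either standard), the following Python runs a constructed two-element FMEDA through the ISO 26262-5 SPFM and LFM formulas that Sections 8 and 12 describe, and computes an IEC 61508 SFF from the same rows to show why a high SFF can hide latent fault exposure. The element names, failure rates, coverage values, and the mapping of ISO 26262 categories onto IEC 61508's safe / dangerous-undetected split are assumptions; the Route 1H SFF/HFT table for type B (complex) elements is included as the author of this example knows it from IEC 61508-2, and PMHF is not computed.

```python
from dataclasses import dataclass

# Constructed FMEDA rows for a hypothetical single-channel ECU whose main function
# is monitored by a watchdog (the safety mechanism). Failure rates are in FIT (1e-9/h).
@dataclass(frozen=True)
class Element:
    name: str
    fit: float        # total failure rate of the element
    safe_frac: float  # share of failures with no safety-goal impact
    mechanism: bool   # True: a safety mechanism, whose faults alone cannot violate the goal
    dc: float         # coverage of the mechanism over this element's single-point faults
    latent_dc: float  # coverage of latent-fault tests over the remaining multiple-point faults

def classify(e: Element) -> tuple:
    """Return (lambda, lambda_SPF + lambda_RF, lambda_MPF_L) for one element, following the
    ISO 26262-5 categories; detected and perceived multiple-point faults are the remainder."""
    sr = e.fit * (1.0 - e.safe_frac)        # failures able to contribute to a goal violation
    if e.mechanism:
        spf_rf, mp = 0.0, sr                # a mechanism fault needs a second fault to do harm
    else:
        spf_rf = sr * (1.0 - e.dc)          # dc == 0 -> single-point fault; dc > 0 -> residual fault
        mp = sr * e.dc                      # covered faults become dual-point faults
    return e.fit, spf_rf, mp * (1.0 - e.latent_dc)

def iso26262_metrics(elements):
    """SPFM = 1 - sum(SPF+RF)/sum(lambda); LFM = 1 - sum(MPF_L)/sum(lambda - SPF - RF)."""
    rows = [classify(e) for e in elements]
    total = sum(r[0] for r in rows)
    spf_rf = sum(r[1] for r in rows)
    mpf_l = sum(r[2] for r in rows)
    return 1.0 - spf_rf / total, 1.0 - mpf_l / (total - spf_rf)

def iec61508_sff(elements):
    """SFF = (lambda_S + lambda_DD) / lambda_total. Assumed mapping: only SPF/RF are dangerous
    undetected; a latent fault of the mechanism is not by itself a dangerous failure of the
    safety function, so it lands in the numerator and SFF never sees it."""
    rows = [classify(e) for e in elements]
    return 1.0 - sum(r[1] for r in rows) / sum(r[0] for r in rows)

# IEC 61508-2 Route 1H architectural constraint for type B (complex) elements, which ISO 26262
# does not have: maximum SIL by HFT and SFF band (<60%, 60-<90%, 90-<99%, >=99%); 0 = not allowed.
_ROUTE_1H_TYPE_B = {0: (0, 1, 2, 3), 1: (1, 2, 3, 4), 2: (2, 3, 4, 4)}

def max_sil_type_b(sff: float, hft: int) -> int:
    band = sum(sff >= edge for edge in (0.60, 0.90, 0.99))
    return _ROUTE_1H_TYPE_B[hft][band]

def ecu(latent_dc: float):
    """Same main MCU and watchdog; only the latent-fault test coverage differs."""
    return [Element("main MCU", 500.0, 0.50, False, 0.99, latent_dc),
            Element("watchdog", 50.0, 0.20, True, 0.0, latent_dc)]

if __name__ == "__main__":
    for ldc in (0.95, 0.0):                 # with and without a periodic watchdog self-test
        spfm, lfm = iso26262_metrics(ecu(ldc))
        print(f"latent DC={ldc:.2f}: SPFM={spfm:.4f} LFM={lfm:.4f} SFF={iec61508_sff(ecu(ldc)):.4f}")
    print("SIL 3 via route 1H needs SFF>=99% at HFT 0 and >=90% at HFT 1:",
          max_sil_type_b(0.99, 0), max_sil_type_b(0.90, 1))
```

    Both designs score the same SPFM and the same SFF (about 99.5%), yet removing the latent-fault test drops LFM from about 97% to about 47%, which only the ISO 26262 two-metric view reveals.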

    13. Tool Qualification Differences

    Both standards require confidence in the software tools used in development. ISO 26262 Part 8 Clause 11 defines TI (Tool Impact), TD (Tool Error Detection), TCL (Tool Confidence Level), and four qualification methods (1a–1d). IEC 61508 defines tool classes (T1, T2, T3) with similar but not identical criteria. ISO 26262 does not distinguish between development tools (that can introduce errors) and verification tools (that can fail to detect errors) – both are evaluated using the same TI/TD framework. IEC 61508 makes this distinction more explicitly. Qualification evidence is not directly transferable between the standards without additional analysis, though IEC 61508 tool certification can support ISO 26262 qualification method 1b (evaluation of development process).

    14. Safety Lifecycle Differences

    Both standards define a safety lifecycle spanning concept through decommissioning, but the ISO 26262 lifecycle is more prescriptive and automotive-specific. ISO 26262 explicitly defines the concept phase (item definition, HARA, FSC), product development at three levels (system, hardware, software), and production/operation/service/decommissioning phases. The V-model development approach is more explicitly structured in ISO 26262 than in IEC 61508. IEC 61508 defines an overall safety lifecycle but provides more flexibility in how each phase is implemented – appropriate for its broader multi-industry scope.

    15. Confirmation and Assessment Differences

    Both standards require independent assessment of the safety work products. ISO 26262 defines four levels of independence (I0–I3) with ASIL-dependent requirements – from no specific independence requirement at ASIL A to external third-party assessment recommended at ASIL D. IEC 61508 defines similar independence requirements through its Functional Safety Assessment concept. In practice, TÜV (or similar notified body) assessment is common for both standards, but the specific assessment criteria and evidence requirements differ.

    16. Semiconductor Guidance – Part 11 vs No Equivalent

    ISO 26262 Part 11 provides dedicated (informative) guidance for semiconductor development – addressing IC decomposition, soft errors, on-chip safety mechanisms, semiconductor safety manuals, and IP provider-integrator collaboration. IEC 61508 has no equivalent part dedicated to semiconductors. This gap was one of the motivations for developing Part 11 in the 2018 edition. For semiconductor companies that supply to both automotive and industrial customers, Part 11 provides valuable guidance that can inform IEC 61508 semiconductor development practices as well.

    17. The Master Comparison Table

    Dimension | ISO 26262 | IEC 61508
    Scope | Road vehicles (excluding mopeds) | All industries (generic)
    Parts | 12 parts (~800+ pages) | 7 parts (~650 pages)
    Safety integrity levels | ASIL A–D + QM (qualitative) | SIL 1–4 (quantitative)
    Highest level | ASIL D (~SIL 3) | SIL 4
    Risk assessment | HARA (S × E × C → ASIL table) | Multiple methods (risk graph, quantitative)
    Controllability parameter | Yes (C0–C3, driver capability) | No equivalent
    HW architectural metric | SPFM + LFM (two separate metrics) | SFF (single metric)
    Probabilistic metric | PMHF | PFH (continuous/high demand)
    HW Fault Tolerance (HFT) | Not used | Central concept (HFT 0, 1, 2)
    MooN architectures | Not defined | 1oo1, 1oo2, 2oo3, etc.
    Decomposition | ASIL decomposition (asymmetric allowed: A+C=D) | SIL stacking (symmetric only: 2+2=3)
    Failure classification | 6 categories (safe, SPF, RF, MPF_D, MPF_P, MPF_L) | 4 categories (safe detected, safe undetected, dangerous detected, dangerous undetected)
    SW coding standard | MISRA C/C++ (explicitly referenced) | Coding standards (generic reference)
    Tool qualification | TI/TD/TCL framework; methods 1a–1d | T1/T2/T3 tool classes
    SEooC concept | Yes (Part 10 Clause 9) | No equivalent (has proven-in-use)
    Semiconductor guidance | Yes (Part 11) | No dedicated part
    Motorcycle adaptation | Yes (Part 12, MSIL) | N/A
    Normative reference to parent | No (does not claim IEC 61508 compliance) | N/A (is the parent standard)

    18. When to Use Which Standard

    Use ISO 26262 for E/E systems installed in series production road vehicles – passenger cars, trucks, buses, trailers, motorcycles. ISO 26262 is the recognized standard for automotive functional safety and is expected by OEMs and regulatory authorities.

    Use IEC 61508 for E/E systems in all other industries – process control, industrial automation, machinery, energy, medical (with IEC 62304), railways (with EN 50129), or for any application not covered by a domain-specific standard.

    Use both when developing components (such as safety MCUs or sensors) that are intended for both automotive and industrial applications. The component may need to demonstrate compliance with both standards, or provide evidence packages that support qualification under either standard.

    19. Cross-Domain Component Reuse

    As noted in the research literature, transitioning components from ISO 26262 to IEC 61508 is generally easier than the reverse – because ISO 26262 adopts the basic principles of IEC 61508 and adds automotive-specific requirements. A component developed to ISO 26262 ASIL D typically meets most of the requirements for IEC 61508 SIL 3 usage, though a formal mapping analysis is required to confirm this. The upcoming IEC TR 61508-6-1 technical report is expected to provide formal guidance on the treatment of hardware and software developed to ISO 26262 for reuse under IEC 61508.

    For semiconductor companies developing SEooC products, providing dual-standard evidence packages (FMEDA data in both ISO 26262 format and IEC 61508 format) is increasingly common, enabling customers in both automotive and industrial markets to use the same silicon with appropriate domain-specific qualification.

    20. Frequently Asked Questions

    Q1: Does ISO 26262 compliance imply IEC 61508 compliance?

    No. ISO 26262 does not claim compliance with IEC 61508 and does not list it as a normative reference. While many concepts are similar, there are specific IEC 61508 requirements (such as HFT, SFF, MooN architectures, and SIL 4) that are not addressed by ISO 26262. A formal gap analysis is needed for cross-standard compliance claims.

    Q2: Can a SIL 3 component be used directly in an ASIL D system?

    Not automatically. While SIL 3 and ASIL D have approximately similar rigor, the specific requirements differ. A mapping analysis must verify that the SIL 3 development evidence satisfies the ISO 26262 requirements for the specific use case. The component may need additional ISO 26262-specific analysis (such as FMEDA in ISO 26262 format) to be accepted.

    Q3: Why did ISO 26262 replace SFF with SPFM and LFM?

    SFF combines all failure categories into a single metric, which can mask architectural weaknesses. A system could have a high SFF (most failures are safe) but still have significant latent fault exposure. SPFM specifically addresses single-point and residual faults (direct safety goal violations), while LFM specifically addresses latent faults (hidden failures that could combine with future faults). The two-metric approach provides better architectural insight.

    Q4: Why is there no ASIL equivalent to SIL 4?

    ASIL D corresponds approximately to SIL 3. SIL 4 addresses scenarios where a single event could cause mass casualties (chemical plant explosions, nuclear incidents). In automotive, the maximum number of casualties from a single vehicle malfunction is limited (typically fewer than 6–10 people), so the extreme risk reduction of SIL 4 is not considered necessary. If autonomous vehicles operate in dense urban environments, this reasoning may need to be revisited.

    Q5: Which standard is harder to comply with?

    ISO 26262 is generally considered more prescriptive and detailed (800+ pages vs 650 pages) but less flexible. IEC 61508 is more flexible (allowing multiple methods for each requirement) but this flexibility places a greater burden on the user to justify their choices. For engineers accustomed to prescriptive standards, ISO 26262 may feel more structured. For engineers accustomed to performance-based standards, IEC 61508 may feel more natural.

    21. Conclusion

    ISO 26262 and IEC 61508 share a common DNA – both are risk-based functional safety standards that require systematic development processes, quantitative hardware evaluation, and independent assessment. However, ISO 26262’s automotive-specific adaptations – the ASIL classification system, the SPFM/LFM hardware metrics, the Controllability parameter, the ASIL decomposition flexibility, the SEooC concept, and the dedicated semiconductor guidance – make it a substantially different standard in practice. Engineers working across both domains must understand these differences to correctly interpret requirements, map evidence between standards, and enable cross-domain component reuse.

    This article is part of our comprehensive ISO 26262 series at PiEmbSysTech.

    Stay safe. Stay cross-domain aware. Keep engineering the future.

    — The PiEmbSysTech Team

