Category Archives: Safety Assessment

A functional safety manager can’t assure that this product is safe. Instead, he/she knows that it is not safe.

There is a saying about interviews: an interviewer cannot get an interviewee hired, but can cause him/her to fail to be hired. I believe that this is true, and that a similar correspondence is possible in a functional safety project.

I review functional safety documents frequently, and the scope of functional safety is too vast for one person to know everything fully, so I sometimes conduct an incomplete review. An incomplete review means that even though I approve it, it cannot be ensured that it is fully achieved.

Because I understand my weakness, I tried to find nonconformances in the documents. At least I’m the first auditor in this project, and if I don’t agree, it cannot proceed. In the near future, I will have to respond to the customer auditor’s questions. There should be several layers of reviewers like me. They act as ‘safety nets’ in the project, and they protect against systematic faults in the project.

The final reviewers shall be the customer-side auditors (or assessors). In some ways, the customer has to have not only deep knowledge of the product but also deep technical knowledge of functional safety. If one person does not have both, a team has to be arranged. Someone who does not have deep knowledge of the project but has functional safety knowledge has to have enough review experience to judge whether the product under review is well documented or not. He also has to help the customer-side product champion determine whether the supplier’s safety concepts or approaches are good enough to satisfy their safety requirements.

But… even though they conduct such an audit or assessment, they cannot ensure that safety is fully achieved.


FIT budgeting

FIT budgeting occurs when an item consists of more than one system. It is very similar to the apportionment of the target level of safety (TLS) in the avionics domain. FIT budgeting concerns the division of the random hardware failure rate among several systems. If more than one supplier has to develop them, it will not be easy.

Regarding ASIL decomposition, a decomposed QM means that the decomposed requirement does not have to be developed according to ISO 26262, but FIT budgeting is still valid. The total FIT number does not change even though you decompose safety requirements.

In this case, the system that is allocated QM(original ASIL) has been determined to carry no risk in the systematic aspect.

If this policy applies similarly in the avionics domain, it might be okay to develop as QM a subsystem that is included in a high-SIL system but has no safety requirements allocated to it. Of course, FIT budgeting (I mean, apportionment of TLS) needs to be considered. I’m not sure; it is my guess.


ASIL decomposition

I read an interesting discussion about ASIL decomposition. Its author asked why, when ASIL C is decomposed, ASIL B(C) + ASIL B(C) is missing.

ASIL decomposition – what about the "missing" ones?
[Picture 1. ASIL decomposition. Reference 1]

To explain this, let me refer to a paper, “Understanding the Use, Misuse and Abuse of Safety Integrity Levels”.

There is a move from the belief that a system can be either safe or unsafe, i.e. that safety is a binary attribute, to the acceptance that there is a continuum between absolute safety and certain catastrophe and that this continuum is a scale of risk.

In this sense, SIL is a result of artificial separations between absolute safety and certain catastrophe.

[Picture. ALARP. Reference 3]

Many standards adopt the SIL concept, and their SIL decomposition concepts are similar. So I’d like to explain using IEC 61508, which is the mother standard of functional safety, because it defines SILs as ranges of safety levels, a concept that is needed for the explanation.

Table 1. Safety Integrity Levels specifying what has to be observed to achieve the safety certification of a system according to IEC 61508 or ISO 26262.
[Picture 2. Target level of safety for SILs. reference 2]

For a product that has SIL 3, the probability of failure mode shall be between 1.0e-4 and 1.0e-3 in continuous mode (low demand rate).

If we assume that the product has two sub-systems with no common cause or dependent failure between them, we can decompose the target level of safety into two pieces.



5.0E-4 = 5.0E-1 * 1.0E-3

SIL(5.0E-4) = SIL(5.0E-1) + SIL(1.0E-3)



In this sense, generalization rules are defined in the standards.


Then why doesn’t ISO 26262 have a safety target concept? In fact it does, but not at the system level. Similar rules are defined in the proven-in-use part, the HW component qualification part, and the HW development process part, but not in the system and software parts, because there is no reliable reliability model for software, and a system consists of software.

Why is ASIL B(C) + ASIL B(C) missing from the decomposition of ASIL C? Because the composition of the decomposed safety levels is not equal to the original one.
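The closing argument above, as an added Python sketch that is not from the original post or from the text of ISO 26262: it assumes an integer scale QM=0, A=1, B=2, C=3, D=4 (an illustrative model; all function names are hypothetical) and lists the splits whose parts add up to the original level. Under that assumption B + B composes to D rather than C, which is why B(C) + B(C) is not among the ASIL C schemes.

```python
# Assumption of this sketch: ASILs are placed on an integer scale so that
# decomposition becomes addition. Independence of the two parts is taken as given.
ASIL_VALUE = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}
ASIL_NAME = {value: name for name, value in ASIL_VALUE.items()}


def decompositions(original):
    """Return every pair (higher, lower) whose values add up to the original ASIL."""
    target = ASIL_VALUE[original]
    pairs = []
    for high in range(target, -1, -1):
        low = target - high
        if low > high:  # the mirrored pair was already emitted
            break
        pairs.append((ASIL_NAME[high], ASIL_NAME[low]))
    return pairs


def compose(part1, part2):
    """Level that two independent parts add up to (capped at D, an assumption)."""
    total = ASIL_VALUE[part1] + ASIL_VALUE[part2]
    return ASIL_NAME[min(total, ASIL_VALUE["D"])]


def is_valid(original, part1, part2):
    """True only when the parts compose to exactly the original level."""
    return ASIL_VALUE[part1] + ASIL_VALUE[part2] == ASIL_VALUE[original]


def notation(original, pair):
    """Format a pair in the X(Y) notation used in the discussion."""
    return " + ".join(f"{part}({original})" for part in pair)


if __name__ == "__main__":
    for level in ("D", "C", "B", "A"):
        for pair in decompositions(level):
            print(f"ASIL {level}: {notation(level, pair)}")
    # The "missing" scheme from the discussion: B + B composes to D, not C.
    print("B + B composes to ASIL", compose("B", "B"))
    print("B(C) + B(C) valid for ASIL C?", is_valid("C", "B", "B"))
```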

Reference 1. Linked-in community (ISO 26262 Functional Safety)
Reference 2.
Reference 3.