IEC 61508 — Functional Safety of E/E/PE Systems
How IEC 61508 functional safety concepts and SIL requirements relate to the NexoGraph metamodel.
IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems) is the foundational international standard for functional safety. It covers E/E/PE systems across all application sectors and serves as the parent standard from which domain-specific derivatives such as ISO 26262 (automotive) and IEC 62061 (machinery) are drawn.
Where ISO 26262 applies to road vehicles specifically, IEC 61508 applies to industrial plant, medical devices, rail systems, and any other sector requiring safety argumentation for programmable safety-related systems.
Safety Integrity Levels
IEC 61508 defines four Safety Integrity Levels (SIL), analogous to the ASIL A–D levels in ISO 26262:
| SIL | PFD (on-demand mode) | PFH (continuous mode) | Analogous ASIL |
|---|---|---|---|
| SIL 1 | 10⁻² to 10⁻¹ | 10⁻⁶ to 10⁻⁵ | ASIL A |
| SIL 2 | 10⁻³ to 10⁻² | 10⁻⁷ to 10⁻⁶ | ASIL B/C |
| SIL 3 | 10⁻⁴ to 10⁻³ | 10⁻⁸ to 10⁻⁷ | ASIL D |
| SIL 4 | 10⁻⁵ to 10⁻⁴ | 10⁻⁹ to 10⁻⁸ | — (no automotive equivalent) |
PFD = Probability of Failure on Demand (low-demand mode). PFH = Probability of dangerous Failure per Hour (high-demand or continuous mode). Each band includes its lower bound and excludes its upper bound, so a SIL 3 target in on-demand mode is ≥ 10⁻⁴ and < 10⁻³.
Safety Lifecycle
IEC 61508 Part 1 defines a 16-phase overall safety lifecycle. The phases that produce artefacts tracked in NexoGraph are:
| Phase | Output artefact | NexoGraph entity |
|---|---|---|
| Hazard and Risk Analysis (3) | Hazard log + SIL targets | StakeholderNeed — safety goals derived from hazard analysis |
| Overall Safety Requirements (4) | Safety Requirements Specification (SRS) | Requirement (reqCat: SAFETY) |
| Safety Requirements Allocation (5) | Allocated SRS per system element | Requirement allocated to Package (subsystem) |
| Design and Development (7–9) | Design specification | Architectural layer (planned) |
| Overall Safety Validation (12) | Validation report | Verification entity (planned) |
Standard Structure
IEC 61508 is divided into seven parts:
| Part | Scope |
|---|---|
| Part 1 | General requirements — management of functional safety, overall safety lifecycle |
| Part 2 | Hardware requirements — hardware safety lifecycle, probabilistic hardware metrics |
| Part 3 | Software requirements — software safety lifecycle, software integrity |
| Part 4 | Definitions and abbreviations |
| Part 5 | Examples of methods for determining SIL |
| Part 6 | Guidelines on the application of Parts 2 and 3 |
| Part 7 | Overview of techniques and measures |
NexoGraph is most directly relevant to Parts 1, 2, and 3 — the requirements and design artefacts produced by those parts.
NexoGraph Alignment
| IEC 61508 concept | NexoGraph implementation |
|---|---|
| Equipment under control (EUC) | Top-level Package representing the system under development |
| Safety function | Requirement (reqCat: SAFETY) with reqType: SYSTEM |
| Safety goal | StakeholderNeed or Requirement derived from hazard analysis |
| SRS — system level | Requirement entities under STAKEHOLDER_REQUIREMENTS root |
| SRS — subsystem allocation | Requirement allocated to subsystem Package |
| Safety lifecycle states | lifecycleStateId — lifecycle service governs draft → review → approved progression |
| Bidirectional traceability | Reference relations: Need → Requirement (REFINES_INTO) and Requirement → SystemCapability (SATISFIED_BY) |
| Functional safety management plan | BusinessCase + lifecycle governance |
Gap Analysis
| Gap | IEC 61508 clause | Status |
|---|---|---|
| SIL attribute on Requirement | Part 1, §10.3 | Planned — Requirement needs a sil field (SIL 1–4) |
| Safety function allocation to hardware/software | Part 2/3 | Planned — architectural allocation layer |
| Probabilistic failure rate on hardware elements | Part 2, §11 | Not in scope for current MVP |
| FMEA / FMEDA failure mode analysis | Part 2, Annex A | Not in scope — dedicated safety analysis tools integrate via API |
| Software safety lifecycle artefacts | Part 3, §7 | Partial — requirement coverage exists; design/test artefacts planned |
| Safety case / safety case argument | Part 1, §6.2.6 | Not yet modelled |
| Verification and validation plan | Part 1, §7.14 | Verification link planned (see ISO 29148 gaps) |
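The SIL band table, the REFINES_INTO / SATISFIED_BY traceability row and the planned sil field above combine into one consistency check, shown here as an added example that is not NexoGraph's own code: the Entity shape, the pfh_target attribute and the tuple relation form are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional
def sil_for_target(value: float, mode: str) -> Optional[int]:
    """SIL band per the table above: SIL n covers [10^-(n+1), 10^-n) for PFD ("demand")
    and [10^-(n+5), 10^-(n+4)) for PFH ("continuous"); lower inclusive, upper exclusive."""
    offset = 0 if mode == "demand" else 4
    for sil in (4, 3, 2, 1):
        if float(f"1e-{sil + 1 + offset}") <= value < float(f"1e-{sil + offset}"):
            return sil
    return None  # outside every band: no SIL can be claimed from this target
@dataclass
class Entity:  # hypothetical NexoGraph-like entity shape, not the real API
    id: str
    kind: str                          # StakeholderNeed | Requirement | SystemCapability
    reqCat: Optional[str] = None       # SAFETY for safety requirements
    reqType: Optional[str] = None      # SYSTEM for safety functions
    sil: Optional[int] = None          # the planned sil field (1..4) from the gap table
    pfh_target: Optional[float] = None # hypothetical attribute: target PFH (per hour)

def audit_safety_requirements(entities, relations) -> dict:
    """{requirement id: [issues]} for SAFETY requirements lacking bidirectional traceability
    or a sil consistent with their PFH target; relations are (src, kind, dst) id tuples."""
    by_id = {e.id: e for e in entities}
    findings = {}
    for e in entities:
        if e.kind != "Requirement" or e.reqCat != "SAFETY":
            continue
        issues = []
        if not any(k == "REFINES_INTO" and d == e.id and by_id[s].kind == "StakeholderNeed"
                   for s, k, d in relations):
            issues.append("no upstream StakeholderNeed via REFINES_INTO")
        if not any(k == "SATISFIED_BY" and s == e.id and by_id[d].kind == "SystemCapability"
                   for s, k, d in relations):
            issues.append("no downstream SystemCapability via SATISFIED_BY")
        if e.sil not in (1, 2, 3, 4):
            issues.append("missing or invalid sil")
        elif e.pfh_target is not None and sil_for_target(e.pfh_target, "continuous") != e.sil:
            issues.append(f"sil {e.sil} inconsistent with PFH target {e.pfh_target}")
        if issues:
            findings[e.id] = issues
    return findings
ENTITIES = [  # constructed sample graph, not real project data
    Entity("N1", "StakeholderNeed"),
    Entity("R1", "Requirement", "SAFETY", "SYSTEM", sil=3, pfh_target=5e-8),  # consistent
    Entity("R2", "Requirement", "SAFETY", "SYSTEM", sil=2, pfh_target=5e-8),  # 5e-8/h is SIL 3
    Entity("R3", "Requirement", "SAFETY", "SYSTEM"),                          # untraced, no sil
    Entity("C1", "SystemCapability"),
]
RELATIONS = [("N1", "REFINES_INTO", "R1"), ("R1", "SATISFIED_BY", "C1"),
             ("N1", "REFINES_INTO", "R2"), ("R2", "SATISFIED_BY", "C1")]
```

Running audit_safety_requirements(ENTITIES, RELATIONS) flags R2 (sil too low for its PFH target) and R3 (no trace in either direction, no sil) while R1 passes.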
Relationship to ISO 26262
For automotive projects, IEC 61508 is the parent standard and ISO 26262 is the domain-specific interpretation. Key differences:
| Aspect | IEC 61508 | ISO 26262 |
|---|---|---|
| Scope | Any E/E/PE system | Road vehicle E/E systems |
| Integrity level | SIL 1–4 | ASIL A–D + QM |
| Sector guidance | Generic (Parts 5–7) | Automotive-specific (all parts) |
| Hardware metric | PFD / PFH + HFT | PMHF + SPFM/LFM |
| Use in NexoGraph | Cross-sector safety requirements | Automotive HARA → FSR → TSR chain |
Projects subject to both (e.g., automotive industrial equipment) should apply ISO 26262 and reference IEC 61508 for any elements not covered by the automotive scope.