Levels of safety integrity: ASIL, DAL and SIL
The aviation, automotive, space, nuclear and rail industries largely share the same philosophy regarding the classification of safety categories, and therefore synergies in product and system development can be found between these sectors. Companies adapted to one of these sectors, which currently meet its rigorous standards, can easily adapt to the other sectors. This would be much easier if a unification, of which Leedeo detects a certain trend, were explicitly described.
Great similarities are found in the categorization of safety in the different industrial domains, since all are based on the final effects of the failures that can occur in the systems that implement the safety functions. Risks are usually measured by their occurrence and severity.
- The railway and industrial automation industries focus more on occurrence.
- The space industry focuses on severity.
- The automotive industry focuses on a clear combination of the two.
Regarding the acceptability criterion, the considerations are not easily comparable, since there are differences in the severity criteria.
The notion of risk exposure also takes on different aspects. In the automotive industry, two risks classified as equal in severity can be categorized differently according to their exposure, whereas this is not the case in the aeronautics or space industries. In the same way, controllability by the driver affects the automotive industry. In the aeronautical industry, a certain concept of controllability by the crew can be derived, but with a clear focus on occurrence.
This article compares the standards of the following industries:
- nuclear and
to find the similarities and differences in relation to safety standards, mainly in terms of:
- categorization of safety and
- the principles of assignment to the different functions performed by the intelligent systems used by these industries, as well as their assignment downstream to the hardware and software components.
We also review part of the processes, approaches, methods and tools.
The 5 safety levels (A - E), or DAL (Development Assurance Levels or Design Assurance Levels), or IDAL (Item Development Assurance Levels, used for software), derive from the potential failures of the aircraft functions and their failure conditions, and are defined in the ARP 4754 / ED 79 standard, such as:
The methodology for assigning DAL levels is top-down. It begins by assigning DAL levels to the main functions of the aircraft systems (known as FDAL) based on the failure conditions identified in the FHA (Failure Hazard Analysis). Once the FDAL assignment is complete, levels are assigned to sub-functions until components or software items are reached (called IDAL).
A certain dependency on the architecture is allowed in terms of safety levels. Redundancy and error propagation control mechanisms are accepted in aeronautics to reduce DAL levels. In certain circumstances, a DAL A system can be achieved with redundant DAL B parts or components with appropriate justification. This justification must include, among other things, the demonstration that only multiple and independent failures can lead to the catastrophic failure condition.
Common-mode failures are mitigated by establishing independence between safety functions, and seeking such independence should always be the trend and philosophy when designing systems and equipment. From here the two categories of independence attributes considered in the sector are derived:
- functional independence
- item development independence
Following the ISO 26262 standard, we must first identify hazards at the vehicle level. These are hazards that can cause harm to people in the vehicle itself, occupants of other vehicles or pedestrians (for example, loss of headlights due to a failure of their control system).
Once hazards have been identified at the vehicle level, the hazard events must be identified. A hazard event is a combination of a vehicle failure and a vehicle operating situation that could lead to an accident if the hazard is not treated or mitigated in time. Following the previous example, this would be the failure of the vehicle's headlights while driving at night.
The assignment of safety levels, called Automotive Safety Integrity Level (ASIL) in the automotive industry, is based on determining three parameters:
- E, exposure. This is the likelihood that the vehicle will be exposed to an operational situation in which a hazard occurs in the presence of a system failure. For the headlight failure example, this exposure would be the proportion of driving in darkness compared to the car's total operating time.
- C, controllability. Controllability is the extent to which the driver can react in good time if a risk appears and mitigate that risk.
- S, severity. This is the estimate of the harm that the occurrence of the risk can cause to people (for example, a frontal collision).
The combination of E and C gives the probability of occurrence of the risk.
Exposure, controllability and severity are each rated on discrete scales. The ASIL assignment is derived from the combination of the three parameters.
In addition to the ASIL, a safety goal is set for each hazard event. This safety goal is a safety requirement assigned to the entire system that performs the corresponding functions. For example: "the system will only turn off the headlights if the driver so requests". These requirements inherit the ASIL assigned to the associated hazard event. When a safety goal is associated with more than one hazard event, it inherits the highest ASIL.
Component assignment follows these guidelines within the automotive industry:
- As requirements are refined and decomposed into lower-level requirements, they inherit the ASIL of their "parent" requirement.
- Any component of the system architecture must be developed to the ASIL assigned to its requirement.
- When a system architecture component implements several requirements with different assigned ASILs, it must be developed in compliance with the highest ASIL, unless sufficient freedom from interference between subcomponents can be demonstrated.
By freedom from interference we mean that there are no cascading failures from elements with less demanding ASILs that could affect elements with higher ASILs.
A certain redundancy is allowed, in the absence of common causes of failure among other conditions, to reduce ASIL levels, as can be seen in the table below:
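The ASIL flow described in this section (S/E/C rating of each hazard event, safety goals inheriting the highest ASIL of their events, and redundancy reducing the ASIL of individual elements), as an added example that is not part of the original article. The rating table is the ISO 26262-3 ASIL determination table and the allowed redundancy pairs are the ISO 26262-9 decomposition schemes; the headlight hazard events and their ratings are constructed.

```python
# Added example (not from the original article): a minimal model of the
# ISO 26262 ASIL flow. Table values are from ISO 26262-3 (ASIL determination)
# and ISO 26262-9 (ASIL decomposition); the hazard events are constructed.

ASIL_ORDER = ["QM", "A", "B", "C", "D"]

# ISO 26262-3 ASIL determination table, indexed [S1..S3][E1..E4], then C1..C3.
_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}

def determine_asil(s, e, c):
    """Map severity S (0-3), exposure E (0-4), controllability C (0-3) to an ASIL."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError("S/E/C rating out of range")
    if 0 in (s, e, c):          # S0, E0 or C0: no ASIL required
        return "QM"
    return _TABLE[s][e].split()[c - 1]

def safety_goal_asil(events):
    """A safety goal covering several hazard events inherits the highest ASIL."""
    return max((determine_asil(*ev) for ev in events), key=ASIL_ORDER.index)

# ISO 26262-9 decomposition schemes: target ASIL -> allowed (element 1, element 2).
_DECOMP = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}

def valid_decomposition(target, part1, part2):
    """True if two redundant elements at these ASILs may jointly achieve `target`.
    Independence (freedom from interference, no common-cause failure) must still
    be demonstrated separately; this only checks the allowed level pairs."""
    allowed = _DECOMP.get(target, set())
    return (part1, part2) in allowed or (part2, part1) in allowed

# Constructed example: the headlight safety goal from the text covering two
# hazard events, night driving (high exposure) and a tunnel (lower exposure).
HEADLIGHT_EVENTS = [(3, 4, 2), (3, 2, 2)]   # (S, E, C) -> ASIL C and ASIL A
```

Running `safety_goal_asil(HEADLIGHT_EVENTS)` gives ASIL C, and `valid_decomposition("C", "A", "B")` confirms that two independent elements at ASIL A and ASIL B are an allowed way to meet it.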
In the railway sector, the estimated risk for each hazard is determined by the severity-frequency pair.
All undesirable and intolerable levels of risk must be mitigated with actions. Furthermore, for each hazardous event that may lead to an accident, the function or functions associated with that event must be identified.
Derived directly from IEC 61508, EN 50129 defines the Safety Integrity Level (SIL), directly linked to a probability objective, the Tolerable Hazard Risk or THR. There are four SIL levels depending on the harm that systems can cause within the sector: 1, injuries to people; 2, serious injuries; 3, death of a person; 4, deaths of a group of people. When we talk about the SIL associated with software we mean SSIL. In this case there are 5 SIL levels: the 4 already mentioned and SIL 0, for software that has no effect on the safety of people.
The THR refers to the rate of failures per hour of operation. The following table shows the THR ranges allowed for each SIL level:
There are no explicit indications of which SIL levels can be reduced by taking into account the dependency on the architectural solutions of the systems involved. As there is no explicit standard, SIL levels achieved through architectural solutions using equipment and components with lower SIL levels always require a demonstration.
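The THR-to-SIL relationship described above, as an added example that is not part of the original article: a classifier using the EN 50129 / IEC 61508 continuous-mode THR bands (failures per hour), plus a check of a constructed apportionment of a function's THR across its sub-functions. The sub-function names and rates are made up; treating a THR below the SIL 4 band as SIL 4 is an assumption of this example.

```python
# Added example (not from the original article). SIL bands are the EN 50129 /
# IEC 61508 THR ranges in failures per hour; the apportionment data is constructed.
SIL_BANDS = [  # (sil, lower bound inclusive, upper bound exclusive), per hour
    (4, 1e-9, 1e-8),
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
]

def sil_for_thr(thr):
    """Return the SIL whose THR band contains `thr`; 0 means no SIL is required."""
    if thr <= 0:
        raise ValueError("THR must be a positive rate per hour")
    if thr >= 1e-5:
        return 0                # less demanding than SIL 1: no safety integrity level
    if thr < 1e-9:
        return 4                # assumption: more demanding than SIL 4 is treated as SIL 4
    for sil, lo, hi in SIL_BANDS:
        if lo <= thr < hi:
            return sil
    raise AssertionError("unreachable: bands are contiguous")

def apportion(system_thr, subfunction_rates):
    """Check a series apportionment of a THR: a failure of any sub-function leads to
    the hazard, so their rates add and must not exceed the function's THR. Each
    sub-function then receives its own SIL from its apportioned rate."""
    total = sum(subfunction_rates.values())
    return {
        "meets_target": total <= system_thr,
        "total_rate": total,
        "sub_sil": {name: sil_for_thr(r) for name, r in subfunction_rates.items()},
    }

# Constructed example: a SIL 3 function with THR 5e-8/h split over three parts.
EXAMPLE_RATES = {"sensor": 2e-8, "logic": 5e-9, "actuator": 1e-8}
```

With these constructed rates the total is 3.5e-8/h, within the 5e-8/h target, and the logic sub-function ends up in the SIL 4 band while the other two sit in SIL 3.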
The most relevant standards in the European aerospace sector are the ECSS (European Cooperation for Space Standardization) series. In particular, for our safety approach, the ECSS-Q-ST-40 (Safety), in its most current version ECSS-Q-ST-40C Rev.1 (February 2017), as well as the ECSS-Q-ST-30 (Dependability) are the standards dealt with in this section.
The allocation of safety categories begins, as in other sectors, at the level of system functions. Similarly, this methodology should be applied to operations.
Once the functions and operations of the systems have been categorized, we can go down to the component level. As in other cases, if a component must perform several safety functions, it is always assigned the highest safety category of the functions it performs.
In the same way as in the railway sector, a dependency on the system architecture is not made explicit; therefore, in order to reduce safety levels, it must be demonstrated on a case-by-case basis that the redundancy applied at the architecture level is adequate and that the independence and error propagation control mechanisms are appropriate.