Over the years, safety requirements in the aviation industry have served as a model for other industries to follow. Criticality levels or DALs (Developement Assurance Levels) have their equivalents in other industry standards, such as the automotive, rail, aerospace and many other industries.
In this article we review the safety standards applied in these other sectors to see the extent to which they are comparable or follow the same principles, enabling any company already adapted to one of these standards to have an opportunity to open up new markets.
The aviation sector and DALs
To provide a common frame of reference, let’s start by looking at DALsin the aviation sector. We’ve already referred to this topic in our blog, so if you want to delve deeper into the subject you might want to take a look at this article, where we talk about the levels of criticality in terms of DALs.
The DO-178/ED-12 standard defines five levels of criticality or DALsranging from level E to A. These levels are established on the basis of the consequences the failures would have on the aircraft, crew and passengers. The higher the DAL level, the greater the rigour required to demonstrate that the system is reliable.
Thus, any software that controls, commands or monitors safety-critical functions must have the highest DAL level, i.e. DAL A. From this point on, a top-down path is followed to assign DAL levels to sub-functions, continuing as far as the software components (known as IDALs).
Mitigation of failures is achieved by establishing independence in security functions and software component development. Mechanisms for controlling error propagation and redundancy are also accepted as means of reducing the DAL levels required in some cases..
The automotive sector and ASILs
In the automotive sector, ISO 26262 defines the various ASILs (Automotive Safety Integrity Levels) ranging from A to D, the latter being the most demanding level. In a parallel way to DALs, ASIL levels are established by means of a risk analysis, taking three factors into account: severity, exposure and controllability.
Exposure (E) is the probability that the presence of a hazard coincides with a system failure. Controllability (C) is the driver’s ability to react in advance to mitigate the hazard. Severity (S) is the estimate of the damage that may be caused by the hazard. The combination of these three parameters is what creates the ASIL assignment scale.
In a parallel way to DALs, as the level goes down and one gets into the detail for component assignment, they inherit the ASIL from the higher level. All components must be developed with the ASIL assigned in their requirements, taking the highest value in the event of having different requirements with different ASILs.
Some redundancy is also allowed to reduce ASIL levels depending on the case.
Comparing the ASIL levels with the aforementioned DALs, the following generalisation can be put forward, always bearing in mind that there are different nuances in each standard:
- ASIL D is comparable to DAL B
- ASIL C or B is comparable to DAL C
- ASIL A is comparable to DAL D
This leaves a more demanding DAL A level that does not have an automotive equivalent.
The rail sector and SILs
The rail sector is increasingly incorporating more complex software into its operations, something that ensures an ever-greater presence for safety critical systems in this sector, amid the risk of an accident causing significant damage to crew and passengers.
The rail standard is divided into three parts: CENELEC EN 50126, CENELEC EN 50129 and CENELEC EN 50128. The latter is dedicated to the development of software for the railway sector. This standard is based on SILs (Safety Integrity Levels) which become SSILs (Software SILs), with levels ranging from 0 to 4 (critical level).
The estimated risk is defined by the severity-frequency pairing, following a pattern similar to the previous standards. This gives rise to various levels of risk: negligible, tolerable, undesirable and intolerable. All “undesirable” and “intolerable” levels must be mitigated.
This standard does not indicate whether SIL levels can be reduced, as in previous cases. Because of this, achieving a given SIL level using parts and components with a lower SIL will always require a demonstration to prove their effectiveness.
Approximating the SIL levels to the DALs that have been used as a benchmark in this article, we obtain the following:
- SIL 4 is equivalent to DAL A
- SIL 3 is equivalent to DAL B
- SIL 2 is equivalent to DAL C
- SIL 1 is equivalent to DAL D
The space sector and its Categories
The benchmark standard in this sector is the ECSS-Q-ST-80C, whose distinctive feature is the special attention it pays to relationships with suppliers.
As in previous cases, the assignment of safety categories is conducted at the system function level, then down to the component level. Continuing with the similarities, when a component has to perform several safety functions it should always take the highest category of all. The range of categories in the space sector goes from Category E to Category A.
As in the rail sector, in order to reduce safety levels, it must be demonstrated on a case-by-case basis that redundancy, independence and propagation mechanisms are appropriate, as this is not otherwise explicit in the standard.
The approximate equivalence level between DALs and the categories in the space sector are as follows:
- Category A is equivalent to DAL A
- Category B is equivalent to DAL B
- Category C is equivalent to DAL C
- Category D is equivalent to DAL D
- Category E is equivalent to DAL E
In conclusion
We have seen that the concept of the level of integrity is very similar in the various industry standards. Organizations already working under one of these standards have the opportunity to adapt to other sectors. The main need is to identify the level of criticality in order to understand how to meet the requirements during the software development phase and then obtain the approval of the corresponding entity.
All these sectors rely in one way or another on the final effects of failures to carry out their safety categorization. As for risks, there is also a clear parallel inasmuch as they are usually measured on the basis of their frequency and severity, each with its own nuances.
Although we have compared the levels of various standards, it should always be borne in mind that there are details in each sector that prevent us from speaking of a direct equivalence, even if the levels are similar.
If you are interested in learning more about our Critical Systems Engineering please do not hesitate to contact us.
