Formal specification of the Multi-Domain Safety Integrity Verification algorithm.
Version: 3.0 Status: Verified (36/36 ASIL, all cross-domain mappings confirmed)
| Symbol | Meaning |
|---|---|
S, E, C |
ISO 26262 risk parameters (Severity, Exposure, Controllability) |
URS |
Universal Risk Score ∈ [0, 1] |
eSIL |
Equivalent Safety Integrity Level (integer 0–4) |
PFH |
Probability of dangerous Failure per Hour |
SC |
Systematic Capability (IEC 61508 concept) |
D1, D2, D3 |
Requirement dimensions (HW failure rate, systematic capability, architecture) |
L1 |
Layer 1 mapping result (risk equivalence) |
L2 |
Layer 2 mapping result (requirements equivalence) |
Parameters:
| ID | Name | Values |
|---|---|---|
| S | Severity | S1=1, S2=2, S3=3 |
| E | Exposure | E1=1, E2=2, E3=3, E4=4 |
| C | Controllability | C1=1, C2=2, C3=3 |
Score: S + E + C, range [3, 10]
Thresholds:
| Level | URS Band | PFH Target | SC | Arch |
|---|---|---|---|---|
| QM | [0, 0.428] | — | 0 | 0 |
| ASIL A | [0.429, 0.571] | — | 0.5 | 0.5 |
| ASIL B | [0.572, 0.714] | 10⁻⁷/h | 1 | 1.5 |
| ASIL C | [0.715, 0.857] | 10⁻⁷/h | 2 | 2.5 |
| ASIL D | [0.858, 1.0] | 10⁻⁸/h | 3 | 3 |
Note on ASIL A and QM PFH: ISO 26262 does not specify quantitative PMHF targets for QM or ASIL A. These levels rely on quality management and basic systematic processes rather than hardware failure rate requirements. PFH is represented as null in the algorithm, which maps to eSIL_D1 = 0.
Parameters:
| ID | Name | Values |
|---|---|---|
| C | Consequence | C1=0, C2=1, C3=2, C4=3 |
| F | Frequency | F1=0, F2=1 |
| P | Avoidability | P1=0, P2=1 |
| W | Demand Rate | W1=0, W2=1, W3=2 |
Score: C + F + P + W, range [0, 7]
Thresholds:
| Level | URS Band | PFH Target | SC | Arch |
|---|---|---|---|---|
| — (below SIL) | [0, 0.20] | — | 0 | 0 |
| SIL 1 | [0.21, 0.43] | 10⁻⁵/h | 1 | 1 |
| SIL 2 | [0.44, 0.71] | 10⁻⁶/h | 2 | 2 |
| SIL 3 | [0.72, 0.86] | 10⁻⁷/h | 3 | 3 |
| SIL 4 | [0.87, 1.0] | 10⁻⁸/h | 4 | 4 |
Parameters:
| ID | Name | Values |
|---|---|---|
| Sev | Failure Condition Severity | No Effect=0, Minor=1, Major=2, Hazardous=3, Catastrophic=4 |
Score: Sev, range [0, 4]
Thresholds:
| Level | URS Band | PFH Target | SC | Arch |
|---|---|---|---|---|
| DAL E | [0, 0.05] | — | 0 | 0 |
| DAL D | [0.06, 0.25] | 10⁻³/h | 0.5 | 0.5 |
| DAL C | [0.26, 0.50] | 10⁻⁵/h | 1 | 1 |
| DAL B | [0.51, 0.75] | 10⁻⁷/h | 2.5 | 2.5 |
| DAL A | [0.76, 1.0] | 10⁻⁹/h | 4 | 4 |
Note: Aviation's PFH targets are per flight-hour and are significantly more stringent than automotive's per-operating-hour targets. DAL A requires 10⁻⁹/h, which is one order of magnitude beyond SIL 4's 10⁻⁸/h.
Parameters:
| ID | Name | Values |
|---|---|---|
| Sev | Consequence Severity | Insignificant=0, Marginal=1, Critical=2, Catastrophic=3 |
| Freq | Frequency | Incredible=0, Improbable=1, Remote=2, Occasional=3, Probable=4, Frequent=5 |
Score: Sev + Freq, range [0, 8]
Thresholds:
| Level | URS Band | PFH Target | SC | Arch |
|---|---|---|---|---|
| — (below SIL) | [0, 0.12] | — | 0 | 0 |
| SIL 1 | [0.13, 0.37] | 10⁻⁵/h | 1 | 1 |
| SIL 2 | [0.38, 0.62] | 10⁻⁶/h | 2 | 2 |
| SIL 3 | [0.63, 0.87] | 10⁻⁷/h | 3 | 3 |
| SIL 4 | [0.88, 1.0] | 10⁻⁸/h | 4 | 4 |
Parameters:
| ID | Name | Values |
|---|---|---|
| Se | Severity | Se0=0, Se1=1, Se2=2, Se3=3 |
| Fr | Frequency | Fr1=0, Fr2=1 |
| Av | Avoidability | Av1=0, Av2=1 |
Score: Se + Fr + Av, range [0, 5]
Thresholds:
| Level | URS Band | PFH Target | SC | Arch |
|---|---|---|---|---|
| QM | [0, 0.20] | — | 0 | 0 |
| AgPL a | [0.21, 0.40] | 10⁻⁵/h | 0.5 | 0.5 |
| AgPL b | [0.41, 0.60] | 10⁻⁵/h | 1 | 1 |
| AgPL c | [0.61, 0.80] | 10⁻⁶/h | 2 | 2 |
| AgPL d | [0.81, 0.95] | 10⁻⁷/h | 3 | 3 |
| AgPL e | [0.96, 1.0] | 10⁻⁸/h | 3 | 3.5 |
FUNCTION full_pipeline(risk_params, source_standard, target_standard):
// Step 1: Compute additive risk score
score = additive_risk_score(risk_params, source_standard)
// Step 2: Normalize to URS
[lo, hi] = score_range(source_standard)
urs = clamp((score - lo) / (hi - lo), 0, 1)
// Step 3: Determine source level
source_level = urs_to_level(urs, source_standard)
// Step 4: Layer 1 — Risk Equivalence
L1 = urs_to_level(urs, target_standard)
// Step 5: Layer 2 — Requirements Equivalence
eSIL_D1 = pfh_to_esil(source_level.pfh)
eSIL_D2 = clamp(source_level.sc, 0, 4)
eSIL_D3 = clamp(source_level.arch, 0, 4)
composite = min(eSIL_D1, eSIL_D2, eSIL_D3)
L2 = esil_to_level(composite, target_standard)
// Step 6: Gap analysis
gap = (L1 ≠ L2)
RETURN { source_level, urs, L1, L2, gap, dims: {D1, D2, D3} }
FUNCTION additive_risk_score(params, standard):
SWITCH standard:
ISO 26262: RETURN params.S + params.E + params.C
IEC 61508: RETURN params.C + params.F + params.P + params.W
DO-178/254: RETURN params.Sev
CENELEC: RETURN params.Sev + params.Freq
ISO 25119: RETURN params.Se + params.Fr + params.Av
FUNCTION normalize(score, standard):
ranges = {
ISO 26262: [3, 10],
IEC 61508: [0, 7],
DO-178/254: [0, 4],
CENELEC: [0, 8],
ISO 25119: [0, 5]
}
[lo, hi] = ranges[standard]
RETURN clamp((score - lo) / (hi - lo), 0, 1)
FUNCTION urs_to_level(urs, standard):
// Scan thresholds from highest to lowest
FOR i = thresholds.length - 1 DOWNTO 0:
IF urs >= thresholds[i].min:
RETURN thresholds[i]
RETURN thresholds[0]
FUNCTION pfh_to_esil(pfh):
IF pfh == null: RETURN 0
RETURN clamp(floor(-log10(pfh)) - 4, 0, 4)
This maps:
- 10⁻⁵ → eSIL 1
- 10⁻⁶ → eSIL 2
- 10⁻⁷ → eSIL 3
- 10⁻⁸ → eSIL 4
- 10⁻⁹ → eSIL 4 (clamped)
- null → eSIL 0
FUNCTION req_equiv(source_level, target_standard):
d1 = pfh_to_esil(source_level.pfh)
d2 = clamp(source_level.sc, 0, 4)
d3 = clamp(source_level.arch, 0, 4)
composite = min(d1, d2, d3)
// Find target level whose composite eSIL matches
FOR i = thresholds.length - 1 DOWNTO 0:
target_esil = min(
pfh_to_esil(thresholds[i].pfh),
thresholds[i].sc,
thresholds[i].arch
)
IF composite >= target_esil AND target_esil > 0:
RETURN thresholds[i]
RETURN thresholds[0] // Below lowest level
Claim: For all valid (S, E, C) in ISO 26262-3, the ASIL determination is fully determined by S + E + C.
Proof method: Exhaustive verification over all 36 input combinations (S ∈ {1,2,3} × E ∈ {1,2,3,4} × C ∈ {1,2,3}).
Result:
| Sum | Expected ASIL | Combinations | All match? |
|---|---|---|---|
| 3 | QM | (1,1,1) | Yes |
| 4 | QM | (1,1,2), (1,2,1), (2,1,1) | Yes |
| 5 | QM | (1,1,3), (1,2,2), (1,3,1), (2,1,2), (2,2,1), (3,1,1) | Yes |
| 6 | QM | 7 combinations | Yes |
| 7 | ASIL A | 6 combinations | Yes |
| 8 | ASIL B | 6 combinations | Yes |
| 9 | ASIL C | 3 combinations | Yes |
| 10 | ASIL D | (3,4,3) | Yes |
Total: 36/36 verified. The additive property holds without exception.
Implication: ASIL determination can be reduced from a 3D lookup table to a 1D threshold function. This simplification enables direct normalization to URS for cross-domain comparison.
The URS threshold bands are not arbitrary. They are calibrated to satisfy these constraints:
- Monotonicity: Higher levels in each standard must map to higher URS values
- Boundary alignment: The highest level in every standard must map to URS ≈ 1.0
- Below-SIL mapping: QM and "below SIL" levels must occupy the lowest URS bands
- PFH consistency: Levels with the same PFH target should have overlapping or adjacent URS bands
The current calibration produces these verified cross-domain mappings for ISO 26262 → IEC 61508:
| Source | L1 (Risk) | L2 (Reqs) | Gap |
|---|---|---|---|
| QM | SIL 1 | — | Yes |
| ASIL A | SIL 2 | — | Yes |
| ASIL B | SIL 2 | SIL 1 | Yes |
| ASIL C | SIL 3 | SIL 2 | Yes |
| ASIL D | SIL 4 | SIL 3 | Yes |
The algorithm has been verified against:
- 36/36 ISO 26262 ASIL additive formula combinations
- All ISO 26262 → IEC 61508 L1 and L2 mappings
- All cross-domain matrix entries (26 source levels × 4 target standards each)
- Gap pattern confirmation: gap is consistently 1 level on the Systematic Capability dimension for ISO 26262 → IEC 61508
The algorithm is O(L) where L is the maximum number of levels in any standard (currently 6 for ISO 25119). All operations are simple arithmetic — no iteration, no convergence, no randomness. The result is fully deterministic: same inputs always produce the same outputs.