
Functional Safety: IEC 61508 in Plain English

IEC 61508 governs how safety-critical systems are built. Here is what an embedded engineer actually needs to know to ship into a SIL-rated environment.

Apr 23, 2026

Functional safety standards look intimidating. The actual engineering practice is more straightforward than the document.

If you build embedded systems for industrial, medical, automotive, or rail use, you will eventually encounter IEC 61508 and its sector-specific descendants (ISO 26262 for automotive, IEC 62304 for medical, EN 50128 for rail). The standards intimidate; the practice they encode is more sensible than the documents suggest.

What "functional safety" means

Functional safety is the discipline of building systems whose failure does not cause unacceptable harm. The standard works backwards from "what is the worst that can happen?" to "how reliable must this component be?" That answer is expressed as a Safety Integrity Level (SIL) from 1 (least demanding) to 4 (most demanding).

The SIL ladder

  • SIL 1: residual risk acceptable. Most non-critical industrial controls.
  • SIL 2: serious injury possible. Many automotive systems live here.
  • SIL 3: fatality possible. Rail signaling, some medical devices.
  • SIL 4: catastrophic. Nuclear plant safety systems, some rail interlocking.

What changes per SIL

Each level demands more rigorous development practices. Independent verification. Formal hazard analysis. Coverage targets for unit tests. Redundancy in hardware. Reviewed design rationale. Audit trails. SIL 1 demands "we tested it." SIL 4 demands "we proved it cannot fail in any way the hazard analysis identified."

The development process

The V-model is mandatory. Requirements drive design drives implementation. Each layer has a corresponding verification activity. Trace every requirement to its test. Trace every test to its requirement. Tools like DOORS, Polarion, or Jama keep the trace matrix manageable.

Coding standards

MISRA C or CERT-C for embedded C. Restricted subsets of the language. No dynamic memory allocation in safety code. No recursion. No floating point unless the hardware supports it deterministically. Static analysis tools (Coverity, Polyspace) gate every commit.
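What those restrictions look like in practice, as an added example that is not code from this post or from any standard: a fixed-capacity queue with no heap allocation, no recursion, no floating point, bounded index arithmetic, and every failure reported as a return code rather than a silent overwrite (the `sq_` names and capacity are our own choices).

```c
/* Added example, not code from the post: a fixed-capacity queue written under
 * the restrictions the post lists. Storage is static, there is no malloc, no
 * recursion, no floating point, and every failure surfaces as a return code. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#define SQ_CAPACITY 8U
_Static_assert(SQ_CAPACITY > 0U, "queue capacity must be positive");

typedef enum { SQ_OK = 0, SQ_FULL, SQ_EMPTY, SQ_NULL } sq_status_t;

typedef struct {
    uint32_t slots[SQ_CAPACITY]; /* storage lives inside the object */
    uint32_t head;               /* index of the oldest element */
    uint32_t count;              /* valid elements, 0..SQ_CAPACITY */
} sq_t;

#define SQ_INITIALIZER { {0U}, 0U, 0U } /* caller owns the storage, no heap */

/* Refuses when full instead of silently overwriting the oldest element. */
sq_status_t sq_push(sq_t *q, uint32_t v) {
    sq_status_t st = SQ_NULL;
    if (q != NULL) {
        st = (q->count < SQ_CAPACITY) ? SQ_OK : SQ_FULL;
    }
    if (st == SQ_OK) {
        q->slots[(q->head + q->count) % SQ_CAPACITY] = v;
        q->count++;
    }
    return st; /* single exit point */
}

sq_status_t sq_pop(sq_t *q, uint32_t *out) {
    sq_status_t st = SQ_NULL;
    if ((q != NULL) && (out != NULL)) {
        st = (q->count > 0U) ? SQ_OK : SQ_EMPTY;
    }
    if (st == SQ_OK) {
        *out = q->slots[q->head];
        q->head = (q->head + 1U) % SQ_CAPACITY;
        q->count--;
    }
    return st;
}

/* Invariant a periodic self-test can check; false means a detected fault. */
bool sq_invariant_holds(const sq_t *q) {
    return (q != NULL) && (q->head < SQ_CAPACITY) && (q->count <= SQ_CAPACITY);
}
```

A static analyser of the kind the post mentions can verify that every index into `slots` is bounded by the modulo and that no path allocates, which is the point of writing it this way.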

Tool qualification

The tools you use are themselves part of the safety case. A C compiler that produces buggy output invalidates everything you built with it. SIL 3+ projects use qualified compilers (Green Hills MULTI, IAR Embedded Workbench Safety) or do their own qualification.

The realistic budget

SIL 2 projects take 2x as long as comparable non-safety projects. SIL 3 takes 3-4x. SIL 4 is its own world. Budget for the rigor. The penalty for getting it wrong is regulatory, not just technical.

What we ship

For client safety-rated projects, we partner with specialist consultancies for the safety case while owning the engineering execution. Most of our embedded work targets SIL 2 / ASIL B — the level where the rigor is meaningful and the budget is finite.