ASIL ↔ DAL ↔ SIL crosswalk
Every regulated industry has its own integrity-level scheme. Functional-safety engineers crossing domains (e.g. automotive supplier moving into aerospace, rail engineer joining a process-control project) need to know roughly how the schemes line up. This page is the one-page reference: severity, probability target, and the rough equivalence — with the important caveats spelled out.
Cross-domain crosswalk
| Severity | ISO 26262 ASIL (auto) | ARP 4761 DAL (aero) | IEC 61508/61511 SIL (process) | EN 50126 SIL (rail) | MIL-STD-882 RAC (defence) | Probability target |
|---|---|---|---|---|---|---|
| Catastrophic | ASIL D | DAL A | SIL 4 | SIL 4 | RAC 1–4 | < 10⁻⁹ /h (continuous), < 10⁻⁵ /demand |
| Hazardous | ASIL C | DAL B | SIL 3 | SIL 3 | RAC 5–8 | < 10⁻⁸ /h (continuous), < 10⁻⁴ /demand |
| Hazardous | ASIL B | DAL C | SIL 2 | SIL 2 | RAC 5–8 | < 10⁻⁷ /h (continuous), < 10⁻³ /demand |
| Major | ASIL A | DAL D | SIL 1 | SIL 1 | RAC 9–13 | < 10⁻⁶ /h (continuous), < 10⁻² /demand |
| Minor / No effect | QM | DAL E | (none) | SIL 0 / "basic" | RAC 14–20 | — |
This table is a rough guide, not an equivalence
Different schemes use different severity classifications, exposure assumptions and target probabilities. ISO 26262 ASIL is derived from severity × exposure × controllability for road-vehicle scenarios; DAL is derived from severity for flight scenarios; SIL is derived from required risk reduction in process plant. Use this table to orient across domains, not to claim that ASIL D implementation evidence automatically meets DAL A.
How each scheme is derived
- ASIL (ISO 26262) — looks at Severity (S0–S3), Exposure / probability of operational situation (E0–E4), and Controllability by driver (C0–C3). The (S,E,C) triple maps to QM / A / B / C / D via Table 4 in ISO 26262-3.
- DAL (ARP 4761) — derived from the worst credible failure-condition severity per ARP 4761 §2.4 (No-Effect, Minor, Major, Hazardous/Severe-Major, Catastrophic). Maps directly to a Quantitative Probability Requirement (QPR) per FAR/CS-25 §1309.
- SIL (IEC 61508 / 61511) — derived from a Risk Reduction Factor (RRF) target, which itself comes from LOPA or risk-graph methods comparing tolerable risk to "as found" risk. SIL 4 ≈ RRF > 10,000.
- SIL (EN 50126) — Tolerable Hazard Rate (THR) for continuous-mode rail safety functions. Uses the same SIL labels as IEC 61508 with rail-specific lifecycle adaptation in EN 50128 / 50129.
- RAC (MIL-STD-882E) — looks at severity (Catastrophic/Critical/Marginal/Negligible) × probability (Frequent/Probable/Occasional/Remote/Improbable). Yields a Risk Assessment Code 1 (highest) to 20 (lowest).
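Two of the derivations in the list above worked as code, as an added example (not from the page, nor from any standard's own tooling): the ASIL from the (S, E, C) triple, which relies on the additive structure of ISO 26262-3 Table 4, and the IEC 61508 low-demand SIL from a LOPA-style required risk reduction factor. Function names and the sample frequencies and PFDs are constructed for illustration.

```python
# Added example, not from the page or any standard's tooling. Band limits
# are the standards' published ones; sample inputs in the tests are constructed.

# ISO 26262-3 Table 4 has an additive structure: for S1..S3, E1..E4, C1..C3
# the ASIL is fixed by S+E+C (10 -> D, 9 -> C, 8 -> B, 7 -> A, below 7 -> QM).
# A class of 0 (S0, E0 or C0) means no ASIL is assigned, i.e. QM.
_ASIL_BY_SUM = {10: "D", 9: "C", 8: "B", 7: "A"}

def asil(s: int, e: int, c: int) -> str:
    """Return 'QM', 'A', 'B', 'C' or 'D' for one hazardous event."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError("classes must be S0-S3, E0-E4, C0-C3")
    if 0 in (s, e, c):
        return "QM"
    return _ASIL_BY_SUM.get(s + e + c, "QM")

# IEC 61508 low-demand bands as lower bounds on RRF = 1 / PFDavg:
# SIL 1 from 10, SIL 2 from 100, SIL 3 from 1,000, SIL 4 from 10,000,
# with 100,000 as the ceiling beyond which one SIF is not credited.
_SIL_LOWER_BOUNDS = [(10, 1), (100, 2), (1_000, 3), (10_000, 4)]

def required_rrf(initiating_freq_per_yr: float, ipl_pfds: list,
                 tolerable_freq_per_yr: float) -> float:
    """LOPA-style: the frequency left after the independent protection
    layers already credited, divided by the tolerable frequency, is the
    risk reduction the safety instrumented function must provide."""
    if initiating_freq_per_yr <= 0 or tolerable_freq_per_yr <= 0:
        raise ValueError("frequencies must be positive")
    mitigated = initiating_freq_per_yr
    for pfd in ipl_pfds:
        if not 0 < pfd <= 1:
            raise ValueError("an IPL PFD must lie in (0, 1]")
        mitigated *= pfd
    return mitigated / tolerable_freq_per_yr

def sil_for_rrf(rrf: float):
    """Map a required RRF to a low-demand SIL; None when below 10 (no SIL
    needed). Above the SIL 4 ceiling the design, not the SIL, must change."""
    if rrf >= 100_000:
        raise ValueError("RRF exceeds SIL 4; add protection layers instead")
    sil = None
    for lower, level in _SIL_LOWER_BOUNDS:
        if rrf >= lower:
            sil = level
    return sil
```

Note that the two functions take unrelated inputs (driver controllability versus plant demand rate), which is exactly why an ASIL and a SIL derived for "the same" hazard need not land on the same row of the crosswalk.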
Implementation-rigor differences
The probability target is only half the picture — each scheme also prescribes specific lifecycle activities (analyses, reviews, qualification testing, documentation) and the integrity-level value drives which activities are mandatory. A few examples that surprise people moving between domains:
- ARP 4761 DAL-A requires Common Cause Analysis (particular-risk + zonal + common-mode) as a separate workstream from FTA. ISO 26262 doesn't carve it out the same way.
- IEC 61508 SIL 3 prescribes specific architectural constraints (Safe Failure Fraction ≥ 90% for Type B, hardware fault tolerance ≥ 1, etc.). ISO 26262 expresses architectural sufficiency through SPFM/LFM metrics rather than HFT minima.
- EN 50128 software safety integrity levels share the SIL label with IEC 61508 but the recommended methods table is rail-specific.