Electronics Procurement Guide

Functional Safety Component Procurement:
ISO 26262, IEC 61508, and SIL/ASIL

Functional safety systems require components that are designed, characterised, and documented to a fundamentally different standard than general-purpose electronics. This guide covers the key standards, safety integrity levels, development process, compliant component selection, and the procurement practices that functional safety demands.


This guide covers what functional safety is and why it requires a different approach to component procurement (POINT 01), the key standards and safety integrity levels compared (POINT 02), the functional safety development process (POINT 03), the compliant components available by category (POINT 04), and the procurement practices specific to functional safety (POINT 05).

POINT 01

What Functional Safety Is — and What It Demands from Components

Functional safety is a design and development discipline for electronic systems where a failure can cause harm to people, property, or the environment. It differs from reliability engineering in its fundamental premise: the goal is not to prevent all failures — it is to ensure that when failures occur, the system transitions to a safe state rather than an unsafe one.

This "safe on failure" requirement drives every aspect of component selection. A standard MCU selected for performance and cost is designed without failure mode characterisation documentation — its internal failure modes, failure rates, and diagnostic coverage are not published by the manufacturer. A functional safety MCU is designed specifically with those properties documented, tested, and certified by a third-party assessor. Without this characterisation, the system safety analysis required by every functional safety standard cannot be completed.

Foundation standard: IEC 61508, Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems, the base standard from which all sector-specific functional safety standards are derived.

Derived sector standards (standard: sector, integrity scale):
  • ISO 26262: Automotive, ASIL A–D
  • IEC 61511: Process / Oil & Gas, SIL 1–3
  • IEC 62061: Industrial Machinery, SIL 1–3
  • ISO 13849: Machine Safety Control, PL a–e
  • ISO 14971: Medical Devices, Risk Management
  • DO-254 / DO-178: Aviation HW/SW, DAL A–E

IEC 61508 as the mandatory foundation: Even when working under a sector-specific standard (ISO 26262, IEC 62061, etc.), IEC 61508 provides the underlying methodology. Component manufacturers reference IEC 61508 in their Safety Manuals and FMEDA documentation even for automotive or industrial applications. A working understanding of IEC 61508 SIL levels and the concepts of Safe Failure Fraction (SFF) and Diagnostic Coverage (DC) is necessary to interpret the documentation provided by functional safety component manufacturers.
POINT 02

Safety Integrity Levels — SIL, ASIL, and PL Compared

Each functional safety standard uses its own safety integrity level scale. The scales are not identical in their requirements, but they express the same fundamental concept: a quantified probability of dangerous failure per hour, with higher integrity levels requiring lower failure rates and more rigorous design and verification processes.

Property                          | SIL 1 (IEC 61508)       | SIL 2 (IEC 61508)              | SIL 3 (IEC 61508)          | ASIL A/B (ISO 26262)   | ASIL C/D (ISO 26262)       | PL c/d/e (ISO 13849)
Dangerous failure rate (per hour) | 10⁻⁵–10⁻⁶               | 10⁻⁶–10⁻⁷                      | 10⁻⁷–10⁻⁸                  | ASIL A: lowest         | ASIL D: <10⁻⁸              | PL e: <10⁻⁷
Typical application               | Low hazard risk systems | Medium risk, non-life critical | High risk, reversible harm | Low–medium risk ADAS   | Steering, braking, airbag  | Industrial safety stops
Lockstep / redundancy requirement | No (single channel)     | Optional                       | Typically required         | ASIL B: often optional | ASIL D: lockstep mandatory | PL e: dual channel
FMEDA documentation required      | Yes                     | Yes                            | Yes                        | Yes                    | Yes                        | Yes (PFHD)

ASIL decomposition: ISO 26262 allows ASIL decomposition — splitting an ASIL D requirement into two independent ASIL B channels, for example. This is a legitimate design technique that can allow the use of lower-rated components in a redundant architecture. However, decomposition requires true independence between the channels: separate power supplies, separate signal paths, and separate software. Pseudo-independence — two functions on the same MCU — does not qualify for decomposition.
POINT 03

Functional Safety Development Process

Component procurement does not happen independently of the development process — the safety level required for each component is determined in the first stages, and the evidence required for certification is built throughout. Procurement teams who understand the process can anticipate documentation requirements and avoid late-stage surprises.

01
Hazard Analysis and Risk Assessment (HARA)
Systematically identify hazards the system can cause, assess severity, exposure, and controllability for each hazard, and assign the required safety integrity level (ASIL, SIL, or PL) to each safety function. The HARA output is the ASIL/SIL allocation that drives all component decisions downstream. Without a completed HARA, you cannot know what safety level your components must meet.
02
Safety Requirements Specification
Define the safety functions the system must perform and the safety goals that must not be violated. Separate functional safety requirements (what the system must do) from technical safety requirements (how it achieves it). These requirements are the reference against which verification and certification evidence is measured.
03
Design and Implementation
Implement the safety requirements using appropriate hardware architectures (redundancy, lockstep, fail-safe state machines, watchdog supervision) and software techniques (runtime monitoring, memory protection, stack overflow detection). Component selection happens here — and must be driven by the ASIL/SIL requirements, not by cost alone.
04
Verification and Validation (V&V)
Verify that the design implements the safety requirements correctly (design reviews, fault injection testing, FMEDA analysis at system level). Validate that the system as a whole achieves the intended safety goals under representative conditions. The FMEDA data from component manufacturers is used at this stage to calculate system-level safety metrics (DC, SFF, PFH).
05
Certification by an Accredited Third Party
The safety case — documentation of all analysis, test evidence, and design decisions — is assessed by an accredited certification body: TÜV SÜD, TÜV Rheinland, SGS-TÜV SAAR, UL, Bureau Veritas, BSI, or equivalent. Using pre-certified components significantly reduces the evidence burden and can shorten the certification timeline by months. The certification body's role is to independently assess the safety case, not produce it.
06
Operation, Monitoring, and Field Feedback
After market release, collect field incident data, monitor for systematic failures, and feed findings back into the design and procurement process. ISO 26262 and IEC 61508 both require a post-release feedback mechanism. Component PCN (Process Change Notification) management is part of this stage — a change to a safety-critical component's silicon revision may require re-verification.
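The system-level metrics named in step 04 (DC, SFF, PFH) worked through on a constructed FMEDA, as an added example that is not part of the original guide. The rows, FIT rates, dangerous fractions and coverage figures are invented for a hypothetical single-channel type B element; the band limits are those of IEC 61508 (PFH bands and the Route 1H architectural-constraint table), and the example goes one step further than the text by showing how the SFF constraint, not the PFH, can be what caps the SIL claim.

```python
# Constructed FMEDA rows for a hypothetical single-channel safety MCU element.
# Columns: failure mode, lambda in FIT (failures per 1e9 h), fraction of that
# rate that is dangerous, diagnostic coverage of the on-chip measure named.
FMEDA_ROWS = [
    ("CPU core logic",      200.0, 0.50, 0.99),  # lockstep compare
    ("Flash bit error",     150.0, 0.50, 0.99),  # ECC + CRC check
    ("SRAM bit error",      250.0, 0.50, 0.99),  # ECC
    ("Clock stop / drift",   50.0, 1.00, 0.95),  # clock monitor
    ("Core supply OV / UV",  40.0, 1.00, 0.90),  # voltage supervisor
    ("ADC gain / offset",    60.0, 0.80, 0.60),  # ADC self-test
]

def fmeda_metrics(rows):
    """Sum the rows into lambda_S, lambda_DD, lambda_DU and derive DC, SFF and PFH."""
    lam_s = lam_dd = lam_du = 0.0
    for _mode, fit, dangerous_fraction, dc in rows:
        lam_d = fit * dangerous_fraction
        lam_s += fit - lam_d          # safe failures (detected or not)
        lam_dd += lam_d * dc          # dangerous, detected by a diagnostic
        lam_du += lam_d * (1.0 - dc)  # dangerous, undetected: the residual risk
    total = lam_s + lam_dd + lam_du
    return {
        "lambda_S_FIT": lam_s, "lambda_DD_FIT": lam_dd, "lambda_DU_FIT": lam_du,
        "DC": lam_dd / (lam_dd + lam_du),  # diagnostic coverage
        "SFF": (lam_s + lam_dd) / total,   # safe failure fraction
        "PFH": lam_du * 1e-9,              # single channel, continuous mode: PFH ~ lambda_DU per hour
    }

def sil_from_pfh(pfh):
    """IEC 61508 continuous / high-demand PFH bands; 0 means no SIL is achieved."""
    if pfh < 1e-8:
        return 4
    if pfh < 1e-7:
        return 3
    if pfh < 1e-6:
        return 2
    if pfh < 1e-5:
        return 1
    return 0

def sil_from_sff(sff, hft):
    """IEC 61508-2 Route 1H architectural constraint for a type B element with
    hardware fault tolerance hft = 0, 1 or 2; 0 means the architecture is not allowed."""
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    table = {0: (0, 1, 2, 3), 1: (1, 2, 3, 4), 2: (2, 3, 4, 4)}
    return table[hft][band]

def achievable_sil(rows, hft=0):
    """The claim is capped by both the PFH band and the architectural constraint.
    For hft > 0 the single-channel PFH is kept as a conservative bound."""
    m = fmeda_metrics(rows)
    return min(sil_from_pfh(m["PFH"]), sil_from_sff(m["SFF"], hft))
```

With these constructed rows the PFH lands in the SIL 3 band but the SFF (about 96%) limits a single-channel type B element to SIL 2; only a second channel (hft=1) lifts the claim to SIL 3, which is the reason the table above lists lockstep or redundancy as typically required at that level.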
POINT 04

Functional Safety Compliant Components by Type

MCU / SoC
Safety Microcontrollers — the central challenge in functional safety hardware
Safety MCUs provide hardware mechanisms to detect internal failures that standard MCUs cannot detect. Key features required for high ASIL/SIL applications:

Dual-core lockstep: Two identical processor cores run the same code simultaneously in lock-step. The outputs are compared every cycle — any discrepancy triggers a fault response. This detects transient and permanent faults in the processor core itself. Required for ASIL D and SIL 3 applications.

ECC on all memories: Error Correcting Code on flash and RAM detects and corrects single-bit errors, and detects (but cannot correct) multi-bit errors. Without ECC, a single alpha-particle strike can corrupt a safety-critical variable without detection.

Built-in diagnostics: Clock monitors, voltage supervisors, ADC self-test, CRC units, CPU self-test (BIST), and windowed watchdog timers. These diagnostics must be exercised during operation to maintain diagnostic coverage claims.

Safety Manual and FMEDA: The manufacturer provides structured documentation of the device's failure modes, failure rates (FIT), and diagnostic coverage — required for system-level safety analysis.
Representative safety MCU families: NXP S32K / MPC5xxx; Infineon AURIX TC3xx; Renesas RH850; STM SPC5 / Stellar; TI TMS570 / Hercules; Microchip PIC32C.
Power Management IC
Safety power management — supervising the system's power integrity
Power management ICs for functional safety applications provide the monitoring functions that ensure the system can detect power supply failures before they cause dangerous behaviour. Key features:

Multi-rail voltage supervision: Individual threshold monitors for each power rail, with configurable window comparators to detect both over-voltage and under-voltage conditions.

Error flag output: A dedicated signal pin that asserts when any monitored supply is out of range — connected to the safety MCU's fault input to trigger safe-state transition.

Power sequencing: Controlled bring-up and bring-down sequencing to prevent undefined states during power transients.

Major suppliers with ASIL-rated power management ICs include Texas Instruments (TPS6594x, TDA safety PMIC), Infineon (TLF35584), NXP (FS4500, FS6500), STMicroelectronics, and ON Semiconductor.
Sensors
Safety sensors — measurement paths in the safety loop
Sensors in the safety path (speed sensors in ABS, pressure sensors in hydraulics, position sensors in steering) must provide diagnostic information to confirm their own correct operation. Key characteristics:

Self-diagnostic output: A status flag or error signal that the MCU can use to detect sensor failure or out-of-range conditions.

Redundant sensing elements: Some ASIL D sensor applications use sensors with two independent measurement channels, allowing the system to compare outputs and detect single-point failures.

AEC-Q100/Q101 as a minimum: ASIL-rated sensors build on the AEC-Q automotive qualification baseline. Confirm both AEC qualification and functional safety compliance documentation when sourcing.

Relevant suppliers include Infineon (TLE50xx, TLE5014), NXP, TE Connectivity, Bosch Sensortec (industrial), Honeywell, and Sensata.
Communication ICs
Safety communication — secured data paths between safety nodes
When safety-critical data is communicated between nodes (ECU to ECU, controller to actuator), the communication path itself becomes part of the safety analysis. Key considerations:

CAN FD with SAE J2962: Error frames and CRC in CAN FD provide inherent fault detection. Higher-layer safety protocols (SAE J2962 / CiA 601) add message authentication and sequence number checking to detect message delay, insertion, and corruption.

10BASE-T1S / 100BASE-T1: Automotive Ethernet with diagnostic capabilities. Used in ADAS and zonal architectures where bandwidth requirements exceed CAN capacity.

The functional safety treatment of communication is typically handled at the application layer in software rather than in the physical layer hardware — the communication IC must provide reliable physical layer operation within its stated failure rate specifications.
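The application-layer checks described above (CRC, sequence counter, freshness timeout) on the receiving side, as an added example that is not part of the original guide and not an implementation of any named protocol; the data id, counter width, 20 ms timeout and traffic sequence are constructed, and CRC-32 stands in for a profile-specific polynomial.

```python
import zlib  # CRC-32 from the standard library; real E2E profiles define their own polynomial

COUNTER_MOD = 16  # 4-bit alive counter, wraps 15 -> 0 (constructed choice)
MAX_AGE_MS = 20   # a fresh valid frame is expected at least every 20 ms (constructed)

def _crc(data_id, body):
    # The data id is mixed into the CRC but never transmitted, so a frame routed
    # from a different signal fails the check even if its bytes arrive intact.
    return zlib.crc32(data_id.to_bytes(2, "big") + body) & 0xFFFFFFFF

def protect(data_id, counter, payload):
    """Sender: frame = counter byte || payload || CRC32(data_id || counter || payload)."""
    body = bytes([counter % COUNTER_MOD]) + payload
    return body + _crc(data_id, body).to_bytes(4, "big")

class E2EReceiver:
    def __init__(self, data_id):
        self.data_id = data_id
        self.last_counter = None   # counter of the last frame with a valid CRC
        self.last_fresh_ms = None  # arrival time of the last non-repeated valid frame

    def check(self, frame, now_ms):
        """Classify one frame; anything other than 'OK' must drive the safe-state path."""
        if len(frame) < 5:
            return "ERROR_LENGTH"
        body, crc_rx = frame[:-4], int.from_bytes(frame[-4:], "big")
        if crc_rx != _crc(self.data_id, body):
            return "ERROR_CRC"         # corruption, or a frame belonging to another data id
        counter = body[0]
        status = "OK"
        if self.last_counter is not None:
            delta = (counter - self.last_counter) % COUNTER_MOD
            if delta == 0:
                status = "REPEATED"    # same counter twice: stale or replayed frame
            elif delta > 1:
                status = "LOST"        # gap in the sequence: frames dropped or inserted
            elif now_ms - self.last_fresh_ms > MAX_AGE_MS:
                status = "DELAYED"     # in sequence, but too old to act on safely
        self.last_counter = counter
        if status != "REPEATED":
            self.last_fresh_ms = now_ms  # a repeated frame does not refresh the data
        return status

def run_demo():
    """Constructed traffic on data id 0x1A2B: good frames, a bit flip, a replay, a gap, a late frame."""
    did = 0x1A2B
    rx = E2EReceiver(did)
    frames = [protect(did, c, bytes([0x10 + c, 0x00])) for c in range(8)]
    corrupted = bytearray(frames[2])
    corrupted[1] ^= 0x01  # flip one payload bit; the CRC no longer matches
    traffic = [(frames[0], 0), (frames[1], 10), (frames[2], 20), (bytes(corrupted), 25),
               (frames[2], 30), (frames[4], 40), (frames[5], 100), (frames[6], 110)]
    return [rx.check(frame, t) for frame, t in traffic]
```

A CRC detects random corruption only; where deliberate tampering is in the threat model, the same frame layout needs a keyed MAC in place of the CRC, because a CRC gives no protection against a correctly recomputed checksum.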
POINT 05

Procurement Practices Specific to Functional Safety

PRACTICE 01
Obtain Safety Manual and FMEDA before design release — not after
The Safety Manual defines how the component must be used to achieve its claimed safety characteristics — the required diagnostic measures, the operating conditions, the prohibited use cases, and the assumptions the manufacturer has made about the system. If your design does not comply with the Safety Manual's requirements, the ASIL/SIL claim does not apply. The FMEDA provides the quantitative data (FIT rates by failure mode, diagnostic coverage) required for the system-level safety calculation. Both documents must be reviewed and integrated into your system design before the design is released — not during the certification phase, when changes are expensive.
PRACTICE 02
Verify certification status — claimed vs documented
Many component datasheets include phrases like "designed for ASIL D applications" or "suitable for ISO 26262." These statements mean the device has design features relevant to functional safety — they do not mean it has been certified. Certification means a third-party assessor (TÜV SÜD, TÜV Rheinland, SGS-TÜV SAAR, etc.) has reviewed the device documentation and issued a certificate confirming compliance with a specific standard at a specific integrity level. Request the actual certificate number from the manufacturer and verify it with the issuing body. This is the same principle applied to PCB manufacturer certifications — the certificate number is the evidence, not the marketing claim.
PRACTICE 03
Manage silicon revision and firmware version with strict configuration control
Functional safety qualification is specific to a component version. A change in silicon revision — even a minor one described as a bug fix — may change the device's failure modes, diagnostic coverage, or FIT rates. Any such change potentially invalidates the existing FMEDA and may require re-assessment. Implement a formal version control system for all functional safety components: record the silicon revision and date code of every part used in production; monitor PCN notifications from the manufacturer; assess the impact of any change before allowing production to continue with the new revision. The standard automotive PCN review period for safety-critical component changes is typically 12–18 months of advance notice.
PRACTICE 04
Plan for 10–25 year product lifecycle at component selection
Functional safety systems in automotive, industrial, medical, and railway applications have product lifespans that standard consumer electronics do not. An ASIL D MCU selected for a vehicle platform in 2025 must be available — and re-qualifiable — for vehicles still in service in 2045. When selecting functional safety components, confirm: the manufacturer's formal longevity program (NXP, Infineon, Renesas, and TI all offer product longevity assurance for safety-related components, typically 15+ years); the PCN notice period for all changes (functional safety applications typically require 18–24 months, compared to 6 months for commercial parts); and the last-time-buy policy and minimum last-time-buy quantity. A safety MCU re-qualification after an unplanned EOL can take 12–18 months and cost USD 100,000+ in engineering and certification work.
PRACTICE 05
Structure your supplier audit to cover safety-specific requirements
For suppliers of functional safety-critical components, the standard quality audit scope is insufficient. Add to your audit scope: the supplier's process change notification process for safety-critical items and the advance notice period; their traceability system from manufacturing lot to safety document version; the currency and maintenance schedule of their FMEDA and Safety Manual documentation; their customer notification process when safety-relevant errata are discovered; and whether their manufacturing process carries IATF 16949 or equivalent certification for the safety component lines. Suppliers who cannot clearly answer these questions on their safety component practices should not be your primary source for ASIL D or SIL 3 components.
⚠ Component cost vs total certification cost: Functional safety compliant components cost more than standard equivalents — sometimes 50–200% more for safety MCUs. However, the total certification cost of a system is dominated by engineering hours, not component cost. Using a pre-certified ASIL D MCU with a comprehensive Safety Manual can reduce system certification effort by 6–12 months and USD 200,000–500,000 in assessment fees compared to building the same safety case around a standard device. Evaluate functional safety components on total project cost, not unit price.

Summary

Functional safety component procurement is fundamentally different from standard electronics procurement: the components must not only function correctly but must be characterised and certified to demonstrate they will fail safely. Determine your required ASIL/SIL level from a completed HARA before selecting any component. Obtain Safety Manual and FMEDA documentation before releasing your design. Verify certification claims against actual certificates — not marketing statements. Implement strict version control for all safety-critical components. And plan for product lifecycles of 10–25 years at the component selection stage. A safety case built on the right components with complete documentation is a manageable engineering problem. A safety case built on the wrong components or incomplete documentation requires the system to be redesigned.
