IEC 61508 is an international standard for functional safety in E/E/PE systems and is the “umbrella” for domain-specific standards such as ISO 26262. The standard is based on the concepts of a safety life cycle (the engineering processes needed for functional safety) and safety integrity level, or SIL (the level of risk reduction). The SILs range from SIL1 (lowest requirement for risk reduction) to SIL4 (highest). The SILs are defined in terms of probability of failure on demand; e.g. for SIL4 the probability of a dangerous failure per hour of continuous operation is between 10⁻⁹ and 10⁻⁸.
Software-related requirements are defined in Part 3 of IEC 61508, with the identification of techniques and measures for software development/verification; the specific requirements are based on the SIL. The standard specifies three tool qualification categories:
- T1: the tool is not used to either verify the code or to produce output that is part of the executable (e.g., a text editor),
- T2: the tool may fail to detect an error but does not generate code that is part of the executable (e.g., a verification tool such as a coding standard checker), and
- T3: the tool can produce output that is part of the executable (e.g., a compiler).
Tools classified at T2 or T3 must have the appropriate documentation, with T3 requiring additional justification (based on user experience or test cases) that the tool complies with its documentation.
AdaCore's GNAT Pro compiler and CCG received T3 qualification under IEC 61508. The SPARK Pro verification tool received T2 qualification. All three products have been certified by TÜV SÜD, an independent, globally recognized organization which confirms that products meet national and international standards. The TÜV SÜD certification mark is widely acknowledged and respected as a trusted symbol of quality, safety, and sustainability.