Regulatory Convergence: How Aerospace, Automotive, and Medical Certification Frameworks Are Borrowing From Each Other
Standards bodies don’t work in isolation anymore. That’s not a platitude — it’s observable in the text. ISO 26262 explicitly acknowledges IEC 61508 as its parent standard. DO-178C and IEC 62304 share a structural logic that any engineer who has worked both can recognize in under an hour. ISO 21448 (SOTIF) introduced a risk taxonomy built around behavioral insufficiency and operational design domains that FDA guidance writers have since referenced directly in their AI/ML-based Software as a Medical Device (SaMD) framework.
The convergence is real, and it’s accelerating. For systems engineers who work across aerospace, automotive, and medical, this is simultaneously a career opportunity and a toolchain crisis. The opportunity: deep pattern recognition across standards makes you genuinely rare. The crisis: most of the tools engineers use were designed for one regulatory world, and they’re groaning under the weight of the others.
This article maps the convergence happening at the framework level, names the practical implications for engineers doing cross-domain work, and examines what it demands from tooling.
The Common Spine: Where the Frameworks Actually Agree
Start with the architecture that underlies all four major safety standards — IEC 61508, ISO 26262, DO-178C, and IEC 62304 — and you find the same skeleton:
Hazard analysis drives requirements. Every framework begins with a systematic identification of what can go wrong, assigns a severity and probability-based risk classification (SIL, ASIL, DAL, SaMD criticality class), and derives safety requirements from that classification. The vocabulary differs. The logic is identical.
Traceability is non-negotiable. All four frameworks require bidirectional traceability from hazard to requirement to design to implementation to verification. The specific artifacts differ — a DO-178C Trace Data file is not the same document as an ISO 26262 safety case — but the underlying demand is the same: prove the chain of custody from identified risk to verified mitigation.
V-model structure organizes development. Whether it’s called a development lifecycle (IEC 62304), a safety lifecycle (IEC 61508), or a hardware/software development process (DO-178C), the V-model or a close variant is how every framework organizes the relationship between specification and verification.
Independence at high criticality. DAL A, ASIL D, SIL 4, Class III — at the top of every severity scale, every framework demands some form of independence between the team that designs a function and the team that verifies it. The specific requirements differ, but the principle is structurally identical.
This common spine is why engineers move between industries more successfully than the certification mythology suggests. The regulatory surface is unfamiliar. The engineering logic underneath it is not.
ISO 26262 and IEC 61508: Explicit Lineage
ISO 26262 is the least ambiguous case of framework borrowing. The standard’s own scope clause states it was derived from IEC 61508. The inheritance is structural: ASIL A–D maps directly onto SIL 1–4 in risk classification logic, though the route to the classification — through the Automotive HAZOP variant called HARA (Hazard Analysis and Risk Assessment) — is domain-specific.
What ISO 26262 added was automotive specificity: the concept of freedom from interference in multi-core and multi-partition systems, the dependent failure analysis requirements (DFA), and the Part 6 software requirements that address C/C++ coding guidelines and tool qualification in ways IEC 61508 left more open.
For engineers already certified in one, the other is learnable. The risk is mistaking familiarity for equivalence — particularly around item definition boundaries and the treatment of legacy components, where the two standards diverge meaningfully.
DO-178C and IEC 62304: Structural Twins
DO-178C (aviation software) and IEC 62304 (medical device software) were not co-developed, but their structural similarity is striking enough that engineers who move between aerospace and medical frequently comment on it.
Both frameworks:
- Stratify software by criticality into discrete levels (DO-178C: Levels A–E; IEC 62304: Classes A–C)
- Define lifecycle processes (planning, development, configuration management, problem resolution) that must be documented and followed
- Require that software verification activities scale with criticality level
- Address configuration management with enough rigor that tool qualification becomes a real concern
The key divergences are in the handling of SOUP (Software of Unknown Provenance — IEC 62304’s term for third-party or legacy software) and in how DO-178C handles structural coverage analysis (MC/DC for Level A) versus IEC 62304’s less prescriptive approach to testing rigor. An engineer moving from avionics to medical will find IEC 62304’s treatment of SOUP more developed and explicit; one moving the other direction will find DO-178C’s structural coverage requirements more demanding than anything in 62304.
But the shared vocabulary — software safety classification, lifecycle documentation, verification independence — means the orientation time is measured in weeks, not years.
SOTIF’s Reach Into Medical AI: The New Frontier
The most consequential convergence currently happening is between ISO 21448 (SOTIF) and FDA’s evolving framework for AI/ML-based SaMD.
SOTIF was developed to address a problem ISO 26262 wasn’t built for: systems that function correctly but behave dangerously because their operational design domain assumptions are violated. The canonical automotive example is a lane-keeping system that works perfectly in clear weather but fails at dusk with worn lane markings — no fault, no defect, just a behavioral insufficiency exposed by an out-of-domain condition.
FDA’s 2021 AI/ML-based SaMD Action Plan and its subsequent guidance drafts describe almost exactly this problem in medical terms: AI diagnostic systems that perform within their validated performance envelope but fail when deployed on patient populations outside the training distribution. The language is different. The technical structure is not.
FDA guidance writers have explicitly referenced operational context as a risk factor in a way that mirrors SOTIF’s ODD framing. The concept of predetermined change control plans (PCCPs) — FDA’s mechanism for allowing AI systems to update post-market — mirrors the SOTIF lifecycle concept of monitoring and feedback loops to catch behavioral insufficiency in deployment.
The practical implication for medical device systems engineers: if you understand SOTIF’s four-quadrant risk space (known/unknown scenarios × safe/unsafe behavior), you have a conceptual head start on the AI safety requirements emerging from FDA. The vocabulary translation is real work, but the engineering intuition transfers.
What This Means for Engineers Doing Cross-Domain Work
Three practical consequences follow from this convergence.
Pattern recognition compounds. An engineer who has run a HARA under ISO 26262 will run a HAZOP derivative for IEC 61508 or a Preliminary System Safety Assessment (PSSA) for ARP 4754A faster the second time — not because the standards are identical, but because the underlying risk decomposition logic is the same. This compounds: every additional standard learned reduces the time to learn the next one.
The delta is still dangerous. Familiarity with the common spine can create false confidence about the specific requirements. DO-178C’s structural coverage analysis for Level A software is a concrete, measurable requirement — 100% MC/DC coverage. IEC 62304 has nothing equivalent. An engineer who assumes they can translate a DO-178C verification plan directly into an IEC 62304 compliance argument will miss the gap. The frameworks converge in structure; they diverge in specific obligations.
Certification arguments need to be rebuilt, not ported. The temptation when working across standards is to reuse existing safety cases. Regulatory bodies — FAA, UNECE, FDA — are sophisticated enough to identify arguments that were structured for a different framework. The artifacts may be reusable. The argument structure needs to be rebuilt for each standard’s specific evidentiary requirements.
What This Demands from Tooling
Here’s where the framework convergence becomes a toolchain problem.
Most requirements and safety management tools were architected for one regulatory world. IBM DOORS was built when aerospace requirements management was the primary use case. Jama Connect has strong support for systems engineering workflows but was not designed around multi-standard traceability as a first principle. Polarion and Codebeamer are mature platforms with significant customer bases in automotive and medical, but their cross-domain traceability is configured through customization layers rather than native multi-standard support.
The specific failure mode, across most of these tools, is the same: they represent requirements and traceability in document or table structures that make multi-standard compliance an exercise in parallel document maintenance. When an engineer needs to demonstrate that a requirement satisfies both ISO 26262 Part 6 obligations and IEC 61508 functional safety requirements — a real scenario in Tier 1 automotive suppliers who also sell to industrial safety markets — document-based tools require manual synchronization. That synchronization is where compliance gaps live.
Graph-based requirements management handles this differently. When requirements, hazards, design artifacts, and verification evidence are nodes in a connected graph, linking a requirement to multiple standard clauses is a structural operation, not a document management problem. The traceability isn’t maintained across separate documents that must stay in sync — it exists as relationships in the model.
Flow Engineering, which was built specifically for hardware and systems engineering teams, takes this approach. Its graph-based model means that a requirement can carry traceability links to multiple standard clauses simultaneously, and that impact analysis — what changes if this requirement is modified — propagates across the full connected model rather than requiring manual review of parallel document sets. For teams that operate across aerospace and medical, or automotive and industrial safety, that architecture is not a luxury. It’s how multi-standard compliance becomes tractable at scale.
The intentional focus of a tool like Flow Engineering is worth naming: it’s designed for requirements and systems engineering traceability, not for managing the full document compliance artifact set that some certification bodies require. Teams that need to generate DO-178C Plan for Software Aspects of Certification (PSAC) documents or 62304-compliant software development plans as formatted compliance outputs will still need document generation tooling alongside it. That’s not a limitation in the pejorative sense — it’s a design choice that keeps the core model clean.
The Vendor Opportunity Nobody Is Fully Capturing Yet
The framework convergence creates an explicit market signal for tool vendors, and most are responding too slowly.
The opportunity is not to build a single tool that “supports all standards.” That framing produces bloated feature lists and shallow compliance mappings. The opportunity is to build a model-centric traceability layer that treats standards as external taxonomies applied to a connected artifact graph — so that the same requirement node can be evaluated against DO-178C, IEC 62304, and ISO 26262 without being replicated across three siloed projects.
Vendors that get there first will own multi-domain systems engineering teams. These teams are not niche: any Tier 1 automotive supplier with aerospace heritage, any medical device company building autonomous systems, any defense contractor whose products span airborne and ground vehicle applications is already working across multiple frameworks simultaneously.
The gap between what these teams need and what the current market offers is visible in how they actually work: spreadsheet-based RTMs maintained in parallel with tool-generated outputs, manual cross-walks between standard clauses, and safety managers whose primary job is keeping documentation in sync rather than analyzing safety.
Honest Assessment
Regulatory convergence is real, but it’s convergence in logic and structure, not in specific requirements. Engineers who treat structural familiarity as full compliance knowledge will get burned. The frameworks share a spine; the compliance obligations in the extremities are domain-specific, and regulators know their domain well.
The opportunity is equally real. Engineers who invest in understanding the common structure across three or four major safety standards — not just the one their current employer requires — are building a genuinely scarce skill. As products blur domain boundaries (automotive ADAS sharing processor architectures with medical imaging systems, aerospace software processes influencing UAM certification), engineers who can navigate multiple frameworks without starting from zero each time are going to find themselves in demand that the current workforce supply cannot meet.
For tool vendors, the signal is clear: toolchains that handle one framework well are table stakes. The teams that are growing, and the compliance problems that are getting harder, all run across multiple frameworks simultaneously. Graph-based, multi-standard traceability is where the puck is going. The teams still maintaining parallel RTM spreadsheets know this. They’re waiting for the tools to catch up.