More on ASIL classifications
ASILs are classified into four levels:
- ASIL A
- ASIL B
- ASIL C
- ASIL D
ASIL D is the most stringent and ASIL A the least.
Figure 9 shows how the ASIL level is derived by combining the classifications described in the previous sections.
Some ASIL level examples are demonstrated below:
What the ASIL level means to us:
- Depending on the ASIL level, ISO 26262 defines the safety requirements that must be fulfilled by the designer and system engineer so that, even in conditions of failure, the system provides a sufficient margin of safety for its users (driver, passengers, road traffic participants, etc.).
- An ASIL level is not attached to a particular module; rather, it is attached to a particular functionality.
- An ASIL level can be lowered using decomposition, i.e., two independent elements performing the same function, which increases the probability of detecting a failure and taking countermeasures.
- Proper evidence needs to be maintained at each level of the design cycle to demonstrate traceability of the safety-critical features right down to the way they are implemented.
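As an added worked example (not code from the article), the ASIL determination that Figure 9 summarises and the decomposition rule in the list above can be written as a small Python module. The S/E/C lookup table follows ISO 26262-3 (ASIL determination from severity, exposure and controllability) and the permitted decomposition pairs follow ISO 26262-9 (ASIL decomposition); the hazard log entries at the end are constructed for illustration.

```python
"""ASIL determination and ASIL decomposition helpers (added example).

Not code from the original article. Table contents are taken from
ISO 26262-3 (S/E/C to ASIL) and ISO 26262-9 (ASIL decomposition).
"""

# Severity, exposure and controllability classes as defined in ISO 26262-3.
SEVERITY = ("S1", "S2", "S3")
EXPOSURE = ("E1", "E2", "E3", "E4")
CONTROLLABILITY = ("C1", "C2", "C3")

# Ordered from least to most stringent. QM (quality management) means no
# ISO 26262 safety requirement applies to the function.
LEVELS = ("QM", "A", "B", "C", "D")

# ISO 26262-3 ASIL determination table. Indexed by severity row, then
# exposure row; the tuple holds the ASIL for C1, C2, C3 in that order.
_ASIL_TABLE = {
    "S1": {"E1": ("QM", "QM", "QM"), "E2": ("QM", "QM", "QM"),
           "E3": ("QM", "QM", "A"),  "E4": ("QM", "A", "B")},
    "S2": {"E1": ("QM", "QM", "QM"), "E2": ("QM", "QM", "A"),
           "E3": ("QM", "A", "B"),   "E4": ("A", "B", "C")},
    "S3": {"E1": ("QM", "QM", "A"),  "E2": ("QM", "A", "B"),
           "E3": ("A", "B", "C"),    "E4": ("B", "C", "D")},
}

# ISO 26262-9 permitted decompositions: a requirement at the key ASIL may be
# allocated to two sufficiently independent elements with the listed pair of
# ASILs. Each element keeps the original ASIL in brackets, e.g. B(D).
_DECOMPOSITIONS = {
    "D": [("D", "QM"), ("C", "A"), ("B", "B")],
    "C": [("C", "QM"), ("B", "A")],
    "B": [("B", "QM"), ("A", "A")],
    "A": [("A", "QM")],
}


def determine_asil(severity, exposure, controllability):
    """Return the ASIL ('QM', 'A', 'B', 'C' or 'D') for one S/E/C classification."""
    if (severity not in SEVERITY or exposure not in EXPOSURE
            or controllability not in CONTROLLABILITY):
        raise ValueError(f"invalid classification {severity}/{exposure}/{controllability}")
    return _ASIL_TABLE[severity][exposure][CONTROLLABILITY.index(controllability)]


def highest(asils):
    """Most stringent ASIL in a collection (a function inherits the highest of its hazards)."""
    return max(asils, key=LEVELS.index)


def decompositions(asil):
    """Permitted decompositions of a requirement at `asil`, in ISO 26262 notation."""
    return [f"{a}({asil}) + {b}({asil})" for a, b in _DECOMPOSITIONS.get(asil, [])]


def is_valid_decomposition(asil, first, second):
    """True if a requirement at `asil` may be split over elements at `first` and `second`.

    Independence of the two elements must still be shown separately
    (dependent failure analysis); this check covers only the ASIL arithmetic.
    """
    pair = tuple(sorted((first, second), key=LEVELS.index, reverse=True))
    return pair in _DECOMPOSITIONS.get(asil, [])


def classify(hazard_log):
    """Attach an ASIL to each hazard of a hazard analysis and risk assessment (HARA).

    `hazard_log` is a list of (hazard_id, S, E, C) tuples; returns id -> ASIL.
    """
    return {hid: determine_asil(s, e, c) for hid, s, e, c in hazard_log}


# Constructed sample hazard log (illustrative values, not from the article).
SAMPLE_HAZARDS = [
    ("H1", "S3", "E4", "C3"),  # life-threatening, very frequent, hard to control
    ("H2", "S1", "E2", "C2"),  # light injuries, rare, normally controllable
    ("H3", "S2", "E3", "C3"),  # severe injuries, medium exposure, hard to control
]

if __name__ == "__main__":
    for hazard, asil in classify(SAMPLE_HAZARDS).items():
        print(f"{hazard}: ASIL {asil}")
    print("Function ASIL:", highest(classify(SAMPLE_HAZARDS).values()))
    print("Decompositions of D:", decompositions("D"))
```

Running the module classifies the three constructed hazards, reports the highest ASIL the function inherits, and lists the three ways an ASIL D requirement may be decomposed; `is_valid_decomposition` can be used in a design review to reject a proposed split (for example two ASIL A elements for an ASIL D goal) before any independence argument is written.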
The objective of safety analysis is to examine the consequences of faults and failures on items, considering their functions, behavior and design. It also provides information on the conditions and causes that could lead to the violation of a safety goal or requirement. Last, it can reveal new hazards not found during the hazard analysis and risk assessment.
Quantitative analysis methods (FMEA, FTA, ETA, Markov models, Reliability Block Diagrams) are used to predict the frequency of failures, while qualitative analysis methods (FMEA, FTA, ETA) identify failures; both are based on knowledge of fault types and fault modes.
Another possible classification of applicable methods is based on the way they are conducted:
- Inductive safety analysis methods – starting from known causes to find unknown effects;
- Deductive safety analysis methods – starting from known effects to infer unknown causes.
If the analysis concludes that a safety goal or requirement is not being met, the results should be used to derive prevention or mitigation measures for the causes of the violation.
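The deductive and quantitative methods above can be illustrated with a small fault tree analysis (FTA). The following is an added example, not code from the article: the tree, its event names and its failure probabilities are constructed for illustration, basic events are assumed independent, and the target rate passed to `meets_target` is a placeholder rather than a value taken from the standard.

```python
"""Fault tree analysis on a constructed example (added example, not from the article).

Deductive step: derive the minimal cut sets (combinations of basic faults)
that cause the top event. Quantitative step: estimate the top-event
probability from independent basic-event probabilities.
"""
import math
from itertools import product


class Basic:
    """A basic event (component fault) with a per-hour failure probability."""
    def __init__(self, name, p):
        self.name, self.p = name, p


class Gate:
    """An AND or OR gate over child nodes."""
    def __init__(self, kind, *children):
        if kind not in ("AND", "OR"):
            raise ValueError(kind)
        self.kind, self.children = kind, children


def probability(node):
    """Top-event probability assuming independent basic events.

    AND gates multiply probabilities; OR gates use 1 - prod(1 - p).
    """
    if isinstance(node, Basic):
        return node.p
    ps = [probability(c) for c in node.children]
    if node.kind == "AND":
        return math.prod(ps)
    return 1 - math.prod(1 - p for p in ps)


def minimize(sets):
    """Keep only minimal cut sets (drop any set that contains another)."""
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node):
    """Deductive analysis: every minimal combination of basic events causing the top event."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [cut_sets(c) for c in node.children]
    if node.kind == "OR":
        sets = set().union(*child_sets)
    else:
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    return minimize(sets)


def single_points_of_failure(node):
    """Cut sets of size one: a single fault alone violates the safety goal."""
    return sorted(next(iter(s)) for s in cut_sets(node) if len(s) == 1)


def effects_of(node, cause):
    """Inductive view: the minimal cut sets in which one basic event participates."""
    return sorted(sorted(s) for s in cut_sets(node) if cause in s)


def meets_target(node, target_per_hour):
    """Quantitative check of the top event against a failure-rate target."""
    return probability(node) < target_per_hour


# Constructed fault tree for a hypothetical safety goal. Redundant sensors
# and a watchdog-supervised controller need two faults to fail; the power
# supply is a single path. Probabilities are illustrative per-hour values.
TOP = Gate(
    "OR",
    Gate("AND", Basic("SENS_A", 1e-4), Basic("SENS_B", 1e-4)),
    Basic("PSU", 1e-6),
    Gate("AND", Basic("CPU", 1e-5), Basic("WDT", 1e-3)),
)

if __name__ == "__main__":
    for cs in sorted(cut_sets(TOP), key=sorted):
        print("cut set:", sorted(cs))
    print("single points of failure:", single_points_of_failure(TOP))
    print("top-event probability per hour: %.3e" % probability(TOP))
    print("meets placeholder target 1e-7/h:", meets_target(TOP, 1e-7))
```

The cut sets show that the constructed `PSU` event is a single point of failure and dominates the top-event probability; that is exactly the kind of result the paragraph above says should feed back into prevention or mitigation measures (here, adding redundancy or monitoring on the supply path) before the safety goal can be claimed as met.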
Confirmation Measures for Compliance
Confirmation measures are used to ensure the proper execution of the system safety process, and they provide an evaluation of the system safety activities and work products as a whole.
By contrast, verification activities are intended to ensure that a given product development activity fulfills the technical requirements.
Three types of confirmation measures are defined:
- Functional safety audit
- Functional safety assessment
- Confirmation reviews
Each of the confirmation measures calls for the participation of experienced individuals, and these evaluations must be conducted in an objective manner.
It is now clear that without having a safety process in place and adhering to the ISO 26262 guidelines, no safety-critical parts can be cleared for use in automotive products. Understanding these guidelines forms the basis of the subsequent design cycle of the SoC, and these guidelines and rules are not just applied at SoC level but percolate right down to the individual module design. Part II of this paper deals with the safety design concepts that SoC and module designers need to follow in order to be safety compliant.
We would like to give our special thanks to Mathieu Blazy Winning, who heads the ISO 26262 drive across automotive chips at Freescale, for reviewing the paper.
ISO 26262 Specs (http://www.iso.org)
Ashish Goel is a verification lead, Prashant Bhargava is a senior systems engineer, and Sachin Jain is a design manager with the Automotive and Industrial Solutions Group of Freescale Semiconductor Inc.