Safety is one of the key issues and requirements of today's and tomorrow's automobile development. New functionalities, not only in the area of driver assistance but also in vehicle dynamics control and in active and passive safety systems, increasingly fall within the domain of safety engineering. Future development and integration of these functionalities will further strengthen the need for safe system development processes and for evidence that all reasonable safety objectives are satisfied.
With the trend towards increasing complexity, software content and mechatronic implementation, the risks of systematic failures and random hardware failures are also increasing. ISO 26262 provides guidance to reduce these risks to a tolerable level by specifying feasible requirements and processes.
In a series of two papers we detail the functional safety standard for the automotive sector, ISO 26262, and its implications for the design community. This first paper covers the requirements of the standard, the steps involved in the overall safety assessment flow and what they mean for the design community; the second paper discusses in detail the steps that need to be taken in design for failure prevention.
Evolution of ISO 26262 Standard
ISO 26262, titled "Road vehicles -- Functional safety", is a functional safety standard written specifically for the automotive sector. It is an adaptation of the generic functional safety standard IEC 61508 to automotive electric/electronic (E/E) systems.
Figure 1: Evolution of ISO 26262
ISO 26262 provides:
- An automotive safety lifecycle (management, development, production, operation, service, decommissioning), with support for tailoring the necessary activities during these lifecycle phases.
- Functional safety aspects of the entire development process (including activities such as requirements specification, design, implementation, integration, verification, validation and configuration).
- An automotive-specific, risk-based approach for determining risk classes (Automotive Safety Integrity Levels, ASILs).
- The use of ASILs to specify the safety requirements an item needs in order to achieve an acceptable residual risk.
- Requirements for validation and confirmation measures to ensure that a sufficient and acceptable level of safety is achieved.
The main scope and goal of ISO 26262 standard can be described as shown in figure 2:
Figure 2: The standard's main scope and goals
Steps involved for ISO 26262 compliance
Figure 3 shows the various steps that are involved in safety classification and assessment leading to ISO 26262 compliance:
Figure 3: An outline of the six steps involved in safety classification and assessment
ASIL classification
The Automotive Safety Integrity Level (ASIL) expresses the criticality of a hazardous event associated with an automotive system. It is a function of three parameters rated for each hazard: the severity of the harm, the probability of exposure to the operational situation, and the controllability of the hazardous event by the driver and other persons involved.
Figure 4: ASIL classification
Classification of exposure
Exposure is defined as the state of being in an operational situation that can be hazardous if it coincides with the failure mode under analysis. The table below classifies exposure:
Figure 5: Classification of exposure
Classification of severity
Severity can be defined as an estimate of the extent of harm to one or more individuals that can occur in a potentially hazardous situation. The table below classifies severity:
Figure 6: Classification of severity
Classification of controllability
Controllability can be defined as the ability to avoid a specified harm or damage through the timely reactions of the persons involved. The table below classifies controllability:
More on ASIL classifications
ASILs are classified into four categories:
- ASIL A
- ASIL B
- ASIL C
- ASIL D
ASIL D is the most stringent and ASIL A the least. A hazard whose combination of severity, exposure and controllability does not reach ASIL A is rated QM (quality management) and is handled by the normal quality process rather than by the safety requirements of ISO 26262.
Figure 9 shows how the ASIL is derived from the combination of the three classifications described in the previous sections.
Some ASIL level examples are demonstrated below:
What the ASIL means to us:
- Depending on the ASIL, ISO 26262 defines the safety requirements that designers and system engineers must fulfil so that, even in the presence of faults, the system keeps a sufficient margin of safety for its users (driver, passengers, other road traffic participants, etc.).
- The ASIL is attached to a safety goal and the functionality it protects, not to a particular module; a module inherits the highest ASIL of the safety requirements allocated to it.
- The ASIL of a requirement can be lowered by ASIL decomposition: the requirement is allocated redundantly to two sufficiently independent elements, each of which may then be developed to a lower ASIL (for example two ASIL B(D) elements implementing an ASIL D requirement). The safety goal itself keeps its original ASIL, and the independence of the two elements has to be demonstrated through a dependent failure analysis.
- Proper evidence needs to be maintained at each level of the design cycle to demonstrate traceability of the safety-critical features through to their implementation.
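As an added example (not part of the original article), the following Python code implements the ASIL determination table of ISO 26262-3 (Table 4) and the allowed decomposition pairs of ISO 26262-9, so that a hazard list can be classified and a proposed decomposition checked mechanically. The hazard records and their S/E/C ratings are constructed for illustration and do not come from any real hazard analysis.

```python
"""Added example (not from the article): ASIL determination and ASIL
decomposition checks as defined in ISO 26262-3 Table 4 and ISO 26262-9.
The hazard records at the bottom are constructed for illustration only."""
from dataclasses import dataclass

# Risk classes in increasing order; QM (quality management) is below ASIL A.
LEVELS = ["QM", "A", "B", "C", "D"]


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Map S1..S3, E1..E4, C1..C3 to QM, A, B, C or D.

    Table 4 of ISO 26262-3 is additive in the class indices: a sum S+E+C
    of 7, 8, 9 or 10 yields ASIL A, B, C or D, and anything below 7 is QM.
    Spot checks against the table: S3/E4/C3 -> D, S1/E4/C3 -> B,
    S3/E1/C3 -> A, S2/E2/C2 -> QM.
    """
    if not (1 <= severity <= 3 and 1 <= exposure <= 4 and 1 <= controllability <= 3):
        raise ValueError("S must be 1..3, E 1..4 and C 1..3")
    score = severity + exposure + controllability
    return LEVELS[max(0, score - 6)]


# Allowed decomposition pairs (ISO 26262-9, clause 5), higher ASIL first.
# The two elements must be sufficiently independent; the safety goal keeps
# its original ASIL.
DECOMPOSITIONS = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}


def is_valid_decomposition(original: str, asil1: str, asil2: str) -> bool:
    """True if `original` may be split into asil1 and asil2 (order-independent)."""
    pair = tuple(sorted((asil1, asil2), key=LEVELS.index, reverse=True))
    return pair in DECOMPOSITIONS.get(original, set())


def decompose(original: str, asil1: str, asil2: str) -> list:
    """Return the decomposed requirement labels, e.g. ['B(D)', 'B(D)'].

    The letter in parentheses records the ASIL of the undecomposed
    requirement, which still governs the independence argument.
    """
    if not is_valid_decomposition(original, asil1, asil2):
        raise ValueError(f"ASIL {original} cannot be decomposed into {asil1} + {asil2}")
    return [f"{asil1}({original})", f"{asil2}({original})"]


@dataclass(frozen=True)
class Hazard:
    name: str
    severity: int
    exposure: int
    controllability: int


def classify_hazards(hazards) -> dict:
    """Return {hazard name: ASIL} for a list of hazard records."""
    return {h.name: determine_asil(h.severity, h.exposure, h.controllability)
            for h in hazards}


# Constructed hazard records for illustration (ratings are assumptions,
# not the result of a real hazard analysis and risk assessment).
SAMPLE_HAZARDS = [
    Hazard("unintended full braking at highway speed", 3, 4, 3),
    Hazard("loss of lane-keeping assist", 2, 3, 1),
    Hazard("interior light fails to switch off", 1, 4, 1),
]

if __name__ == "__main__":
    for name, asil in classify_hazards(SAMPLE_HAZARDS).items():
        print(f"{asil:>2}  {name}")
    print(decompose("D", "B", "B"))
```

The additive rule is only a compact encoding of the table; `determine_asil` documents the spot checks so that anyone reviewing the code can verify it row by row against the standard.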
The objective of safety analysis is to examine the consequences of faults and failures on items, considering their functions, behaviour and design. It also provides information on the conditions and causes that could lead to the violation of a safety goal or safety requirement. Finally, it can reveal new hazards that were not found during the hazard analysis and risk assessment.
Qualitative methods (FMEA, FTA, ETA) identify failures and their effects; quantitative methods (FMEA, FTA, ETA, Markov models, reliability block diagrams) additionally predict the frequency of failures. Both rely on knowledge of the fault types and failure modes of the elements involved.
Another possible classification of the applicable methods is based on the way they are conducted:
- Inductive safety analysis methods start from known causes (for example a component failure mode) and work forward to find their unknown effects;
- Deductive safety analysis methods start from a known effect (for example a violated safety goal) and work backward to find its unknown causes.
If the analysis shows that a safety goal or safety requirement is not met, the results are used to derive prevention or mitigation measures for the causes of the violation.
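As an added example (not from the article), the following Python code shows what a deductive, quantitative analysis produces on a small fault tree: the minimal cut sets (the smallest combinations of basic events that violate the top-level safety goal), the single-point faults among them, and the probability of the top event. The fault tree, the event names and the per-hour failure probabilities are constructed for illustration and are not taken from any real design.

```python
"""Added example (not from the article): a small fault-tree evaluator that
shows what a deductive, quantitative analysis produces. The fault tree and
the basic-event probabilities are constructed for illustration only."""
from itertools import combinations, product

# A node is either a basic-event name (str) or a tuple (gate, [children])
# with gate "AND" or "OR". Constructed tree: the safety function is lost
# if the sensor fails together with its plausibility check, or if both
# redundant processing channels fail; the shared supply feeds both
# channels and is therefore a common cause that defeats the redundancy.
TOP_EVENT = ("OR", [
    ("AND", ["sensor_fault", "plausibility_check_fault"]),
    ("AND", [
        ("OR", ["channel_a_fault", "supply_fault"]),
        ("OR", ["channel_b_fault", "supply_fault"]),
    ]),
])

# Constructed per-hour failure probabilities (assumed independent).
PROB = {
    "sensor_fault": 1e-3,
    "plausibility_check_fault": 1e-2,
    "channel_a_fault": 1e-3,
    "channel_b_fault": 1e-3,
    "supply_fault": 1e-4,
}


def basic_events(node) -> set:
    """Collect the basic-event names below a node."""
    if isinstance(node, str):
        return {node}
    _, children = node
    return set().union(*(basic_events(c) for c in children))


def evaluate(node, failed: set) -> bool:
    """True if the node's event occurs given the set of failed basic events."""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    results = (evaluate(c, failed) for c in children)
    return all(results) if gate == "AND" else any(results)


def minimal_cut_sets(tree) -> list:
    """Deductive step: smallest sets of basic events that cause the top event.

    Candidates are enumerated by increasing size, so a candidate that
    contains an already found cut set is not minimal and is skipped.
    """
    events = sorted(basic_events(tree))
    cuts = []
    for size in range(1, len(events) + 1):
        for combo in combinations(events, size):
            candidate = set(combo)
            if any(cut <= candidate for cut in cuts):
                continue
            if evaluate(tree, candidate):
                cuts.append(candidate)
    return sorted(sorted(cut) for cut in cuts)


def single_point_faults(cuts) -> list:
    """Basic events that alone violate the safety goal (cut sets of size 1)."""
    return [cut[0] for cut in cuts if len(cut) == 1]


def top_event_probability(tree, prob) -> float:
    """Exact probability of the top event by enumerating all basic-event
    states; correct even when an event appears under several gates."""
    events = sorted(basic_events(tree))
    total = 0.0
    for states in product((False, True), repeat=len(events)):
        failed = {e for e, f in zip(events, states) if f}
        if evaluate(tree, failed):
            p = 1.0
            for e, f in zip(events, states):
                p *= prob[e] if f else 1.0 - prob[e]
            total += p
    return total


def rare_event_approximation(cuts, prob) -> float:
    """Sum of the cut-set probabilities; an upper bound on the exact value."""
    total = 0.0
    for cut in cuts:
        p = 1.0
        for e in cut:
            p *= prob[e]
        total += p
    return total


if __name__ == "__main__":
    cuts = minimal_cut_sets(TOP_EVENT)
    print("minimal cut sets:", cuts)
    print("single-point faults:", single_point_faults(cuts))
    print("exact top-event probability:", top_event_probability(TOP_EVENT, PROB))
    print("rare-event approximation:", rare_event_approximation(cuts, PROB))
```

On this tree the deductive analysis exposes the shared supply as a single-point fault, which the redundancy of the two channels does nothing to mitigate; that is exactly the kind of finding that feeds back into prevention measures and, in ISO 26262 terms, into the dependent failure analysis required when a requirement has been decomposed onto supposedly independent elements. The exhaustive state enumeration is exact but exponential in the number of basic events, so it is only meant for small trees such as this one.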
Confirmation Measures for Compliance
Confirmation measures are used to ensure the proper execution of the system safety process and to provide an evaluation of the system safety activities and work products as a whole.
By contrast, verification activities are intended to ensure that a given product development activity fulfils its technical requirements.
Three types of confirmation measures are defined:
- Functional safety audit
- Functional safety assessment
- Confirmation reviews
Each of the confirmation measures calls for the participation of experienced individuals, and the standard requires that these evaluations are conducted with an appropriate degree of independence from the development team so that they are objective.
It is now clear that without a safety process in place and adherence to the ISO 26262 guidelines, no safety-critical part can be cleared for use in automotive products. An understanding of these guidelines forms the basis of the subsequent SoC design cycle; the guidelines are not applied only at SoC level but percolate down to the design of individual modules. Part II of this paper deals with the safety design concepts that SoC and module designers need to follow in order to be safety compliant.
We would like to give our special thanks to Mathieu Blazy Winning, who heads the ISO 26262 drive across automotive chips at Freescale, for reviewing the paper.
Reference: ISO 26262 specifications (http://www.iso.org)
Ashish Goel is a verification lead, Prashant Bhargava is a senior systems engineer, and Sachin Jain is a design manager with the Automotive and Industrial Solutions Group of Freescale Semiconductor Inc.