Overview of Functional Safety and of ISO 26262
Introduction
Safety is one of the main topics of the future automotive market. A new regulation approved by the European Parliament establishes requirements for the type-approval of motor vehicles with regard to their safety, introducing new technologies not only in the area of driver assistance but also in vehicle dynamics control. Integrating these new systems into the vehicle will require safe system development processes and the ability to provide evidence that all reasonable safety objectives are satisfied.
These new technologies, which distribute functionality across several control units typically developed by different suppliers, increase the complexity, the software content and the mechatronic content of the implementation and, consequently, the risk from systematic faults and random hardware faults.
Scope of ISO 26262
The International Standard ISO 26262 provides requirements, processes and methods to mitigate the effects of systematic faults and random hardware faults. The standard addresses the concepts of Functional Safety as applied in the automotive field, that is, the absence of unacceptable risk due to hazards caused by malfunctioning behaviour of systems.
This International Standard is an adaptation of IEC 61508, specialising its application to the sector of E/E systems within road vehicles. IEC 61508 is a generic standard for the functional safety of E/E/PE systems; it was adopted in a European version by CENELEC in 2002 as EN 61508 and is today used as a reference by all major industrial sectors.
This adaptation applies to all activities during the safety lifecycle of electrical/electronic safety-related systems in the automotive field.
Application field
This International Standard is applicable to E/E safety-related systems installed in passenger road vehicles, but not to vehicles for drivers with disabilities. Additional requirements for vehicles transporting hazardous goods are not covered by this International Standard.
Approach followed by the standard
The ISO 26262:
- shall be applied during the entire automotive design flow:
  - development process (including activities such as requirements specification, design, implementation, integration, verification, validation and configuration)
  - production process
  - operation process
  - service process
  - decommissioning process
  - management process
- provides a safety lifecycle, closely tied to a V-Model, in support of the automotive design flow
- is based on a specific approach to evaluating risk in the automotive field
- defines guidelines for the risk assessment, applied in order to identify hazardous situations and evaluate them in terms of risk classes (Automotive Safety Integrity Levels, ASILs)
- uses ASILs, Safety Goals and Safe States to define the safety requirements that achieve an acceptable residual risk
- provides requirements for the verification, validation and confirmation measures that guarantee the robustness of the safety barriers applied during the safety lifecycle
- is intertwined with the common quality process.
What is the ASIL
ISO 26262 redefines the first three SIL levels (Safety Integrity Levels) of IEC 61508 as four levels, named ASIL (Automotive Safety Integrity Level), which specify the risk and the requirements for its reduction. ASILs range from D, the most critical, down to A, and are determined by the Risk Assessment. The QM value denotes a function that is not safety critical. The ASIL associated with each specific hazard is determined by applying the Risk Assessment procedure.
Risk assessment
Risk levels, and consequently the ASILs, are determined on the basis of Exposure time, Controllability and Severity:
- Exposure Time: the temporal window, characterised by a specific operational situation (traffic, vehicle speed, μ split...), in which a malfunction leads to a hazardous situation
- Controllability: the avoidance of a specified harm or damage through timely reactions of the persons involved
- Severity: the measure of injury to the persons involved in the hazard
Implementation of ASIL
- Definition of the safety goals: these are the safety requirements of the function, defined for each hazard as a result of the risk assessment, that describe the safety objectives to be reached.
- Implementation of the safe state: this is the operating mode of the function, to be entered in order to reach an acceptable level of risk, that ensures the safety goal is not violated.
- Application of specific measures to mitigate risks from random hardware failures to an acceptable level
- A set of requirements to prevent systematic failures
- ASIL decomposition, which allows the ASIL associated with a “function” to be distributed among several elements that contribute to performing the function and address the same safety goal.
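As an added example (not part of the original article), the following Python helper implements the two mechanical parts of the risk assessment and implementation sections above: ASIL determination from the Severity/Exposure/Controllability ratings and a check of permitted ASIL decompositions. The table values are taken from ISO 26262-3 Table 4 and the ISO 26262-9 decomposition schemes rather than from this page, and the hazard ratings in the sample are constructed for illustration.

```python
# Added example, not from the article. Table values follow ISO 26262-3
# Table 4 (S/E/C -> ASIL) and the decomposition schemes of ISO 26262-9.
ASIL_ORDER = ["QM", "A", "B", "C", "D"]  # lowest to highest integrity

def asil(severity: int, exposure: int, controllability: int) -> str:
    """Map ratings S0-S3, E0-E4, C0-C3 to QM, A, B, C or D.

    S0, E0 or C0 yields QM (no safety requirement). For the other cells the
    standard's table is equivalent to S+E+C: <=6 -> QM, 7 A, 8 B, 9 C, 10 D.
    """
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("ratings must satisfy S in 0..3, E in 0..4, C in 0..3")
    if 0 in (severity, exposure, controllability):
        return "QM"
    total = severity + exposure + controllability
    return "QM" if total <= 6 else ASIL_ORDER[total - 6]

# Permitted decompositions of an initial ASIL into two independent elements.
# Each element keeps the initial ASIL in brackets, e.g. B(D) + B(D).
DECOMPOSITIONS = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}

def valid_decomposition(initial: str, part1: str, part2: str) -> bool:
    """True if (part1, part2) is an allowed decomposition of initial.
    Independence of the two elements must still be shown by a separate
    dependent-failure analysis; this only checks the scheme arithmetic."""
    pair = tuple(sorted((part1, part2), key=ASIL_ORDER.index, reverse=True))
    return pair in DECOMPOSITIONS.get(initial, set())

def assess(hazards: dict[str, tuple[int, int, int]]) -> dict[str, str]:
    """Return the ASIL for each hazard given as name -> (S, E, C)."""
    return {name: asil(*sec) for name, sec in hazards.items()}

# Constructed sample ratings for illustration only; real ratings come from the
# hazard analysis of the specific item.
SAMPLE_HAZARDS = {
    "unintended full braking at highway speed": (3, 4, 3),
    "loss of brake light at night": (2, 3, 2),
    "infotainment display freezes": (1, 4, 1),
}

if __name__ == "__main__":
    for name, level in assess(SAMPLE_HAZARDS).items():
        print(f"{level:>2}  {name}")
    print("D -> B(D)+B(D) allowed:", valid_decomposition("D", "B", "B"))
```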