ISO 26262
– Functional Safety –
Introduction to ISO 26262
In recent years, cars have become more and more intelligent. There are cars that can park themselves or sense traffic ahead and adjust their rate of speed accordingly, and even experimental vehicles that can operate without driver input. There are also many other features on today’s automobiles that are electronically controlled. The control of the transmission is now electronic. There are multiple LCD screens displaying a variety of information, one of them being a touch screen that controls the audio system and the interaction with cell phones. While there are many advantages to the recent improvements, there is also additional risk. It is more important than ever to recognize any potential risks of hardware or software related failures. The results of such failures could result in severe injury or possible loss of life. The International Organization for Standardization (ISO) recognized this need and published the ISO 26262-1 standard to help ensure functional safety of electrical and electronic systems in road vehicles.
What is ISO 26262
The relatively new ISO-26262-1 standard is titled “Road vehicles – Functional safety” and was initially published in 2011, later revised to add section 10 in 2012, and now has section 11 under development. The ISO 26262 standard is based on the “IEC 61508 Functional safety of electrical / electronic / programmable electronic safety-related systems” standard. The ISO 26262-1 standard advocates the use of a Hazard Analysis and Risk Assessment (HARA) method to identify possible hazardous events within the system and define “safety goals” to mitigate those hazards. In addition, it includes guidelines and regulations for assigning a risk level to an electronic system, software or component, evaluate the risk and document the testing to ensure safety of road vehicle electronic systems. It is important that we cover what the standard is and is not applicable to.
- The ISO 26262-1 Standard is applicable to:
- All safety-related systems with one or more E/E systems installed in series production passenger vehicles with a maximum weight 3,500 kilograms
- Possible hazards caused by a malfunction of E/E safety-related systems, including ones due to interaction of the systems
- The ISO 26262-1 Standard is NOT applicable to:
- Particular E/E systems for special purpose vehicles designed for drivers with disabilities
- Systems and components in production, already under development prior to the publication date of ISO 26262
- The nominal performance of E/E systems, even if specific dedicated functional performance standards exist for the systems (e.g. active and passive safety systems, brake systems, Adaptive Cruise Control)
- Risk related to possible electric shock, fire, exposure to smoke, heat, radiation, toxicity, etc., unless directly caused by malfunction of E/E safety-related systems
The ISO standard includes requirements for each phase of the product life cycle from the concept phase through development, validation, product launch and decommission. In addition, the standard includes an automotive-specific method for determining risk classes or Automotive Safety Integrity Levels (ASIL). The standard also defines methods for using ASILs to specify needed safety requirements to achieve an acceptable level of residual risk. ISO 26262 also includes requirements for proper validation and verification methods to make sure that a satisfactory level of safety has been achieved.
Why Implement ISO 26262
Today’s new vehicles are becoming more and more dependent upon electronic systems and software. These new systems introduce a new risk of possible failure modes. Some of the possible system failures could result in injury or possible fatalities. Safety in manufacturing is serious business. Failure of these new E/E systems could have an extreme impact on the future of an organization. They could result in recalls and possible litigation. Companies need to make every effort to assure safe operation or use of their product. They need to be diligent in identification and evaluation of risk in their designs and follow through with effective measures to reduce or eliminate that risk. The ISO 26262 standard was published to help companies ensure functional safety of their electrical and electronic systems. Organizations looking to implement ISO 26262 should understand the goal is to identify and analyze risk early in the product development process. In addition, they must establish safety goals and achieve these goals through a comprehensive validation plan.
How to Implement ISO 26262
In many cases, a new standard is introduced during a new product introduction or pilot project. Adopting and implementing a new standard is often met with many challenges, but studies have shown that the ISO 26262 standard integrates well with existing safety concepts in the automotive industry. Many companies are already realizing the benefits of identifying and evaluating risk related to electronic systems and applying appropriate testing throughout the product life cycle. The fundamental deliverables for ISO 26262 include development of a Safety Plan, creating Safety Goals, building and documenting your Safety Case, identifying the Safety Lifecycle and validation and verification of hardware and software systems, components and units. The ISO 26262 standard consists of 11 sections and hundreds of pages. It would be impossible to cover all the information in a brief review. Therefore, this page will focus on some key terms and definitions, along with the risk identification and analysis methods contained within the standard. The Eleven Parts of ISO 26262-1:
- Part 1: Vocabulary
- Part 2: Management of functional safety
- Part 3: Concept phase
- Part 4: Product development at the system level
- Part 5: Product development at the hardware level
- Part 6: Product development at the software level
- Part 7: Production and operation
- Part 8: Supporting processes
- Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses
- Part 10: Guidelines on ISO 26262
- Part 11: Guideline on application of ISO 26262 to semiconductors
Application of the standard is focused on establishing safety goals and evaluating systems against those goals. The systems are evaluated at a vehicle level or “item” as per the standards terminology. Many people focus on the ASIL score, the method of ranking the possible hazards. Nevertheless, what we must remember is that the ISO 26262 standard is a goal-based standard. It is based on establishing safety goals, identifying risk and developing a plan to meet those goals.
Safety Goals
If we step back and look at ISO 26262 as a whole, we note that the standard is about preventing harm to the operator or other individuals. Safety goals are the top-level safety requirements of an item or element. They precede development of the functional safety requirements for elimination or avoidance of unreasonable risk for a potential hazardous event. Safety goals should be expressed as functional objectives and not technical solutions. Next, we must determine our system’s dependability requirements based on the ASIL ratings for exposure, severity and controllability. However, ASILs are only one piece of the process in determining and verifying the required dependability of an item, element or component based on the risks and possible consequences resulting from a failure.
Key Terms
Before we go any further we need to look at some key terms used within the standard. In order to understand the standard, you must first learn the key terms and definitions used in application of the standard. Some of the key terms and definitions used include, but are not limited to, the following list:
- Item: Refers to a specific system or collection of systems that perform a particular function of the vehicle to which the ISO safety life cycle applies. The Item is the highest level identified in a process or system and is usually the initial point for development and analysis of the systems.
- Element: System of part of a hardware system, component or software code used within an E/E system.
- Component: One or more software units or hardware parts.
- Automotive Safety Integrity (ASIL): This helps identify the ISO requirements and safety measures to apply for avoiding unreasonable risk within the design and function of an item or element.
- Hazardous Event: The result of a vehicle-level hazard and operational situation of the vehicle that could potentially result in an accident and / or harm if not controlled by appropriate and timely driver action.
- Software Unit: The lowest level of the software that may be used for standalone testing.
- Hazard Analysis and Risk Assessment (HARA): Methodology used to identify and categorize possible hazardous events relating to items, develop safety goals and ASILs for development of prevention or mitigation of the potential hazards to avoid unreasonable risk.
ASIL Rankings of Safety Goals
The ASIL plays a vital role in achieving ISO 26262 compliance. It should be determined at the beginning of the development process. The planned system functions should be analyzed with respect to possible hazards. The team should ask the question, “If a failure occurs, what will be the effect of the failure or happen to the driver and any accompanying road users?” You then can determine your system’s dependability requirements based on the ASIL ratings of:
- Probability of exposure to harm due to system failure (how likely is it to occur)
- Controllability of the incident by the driver, should the system fail (can the driver control the situation)
- Severity of the failure defined by the possible level of harm to the driver or others if not controlled
The standard contains information for ranking each of the factors. The Exposure factor consists of five different classifications, Severity has four and Controllability has four. The standard also contains a fourth table that indicates how the variables should be combined to determine the ASIL rating for an electronic system, subsystem, or component within the road vehicle.
The definitions provided by the ISO 26262 standard are informative, but not very strict or tightly defined. The definitions allow much discretion on the part of the evaluator, designer, builder, and supplier of each component, element or item and the automaker as well. Due to the quantity of assumptions that must be made to determine the ASIL rating, The Society for Automotive Safety Engineers (SAE) has developed “J2980 – Considerations for ISO26262 ASIL Hazard Classification”. The purpose of this document is to provide guidelines for classifying the three factors used to develop an ASIL. This document should help reduce the number of assumptions made regarding the severity, probability of exposure, and controllability factors. However, the new guidelines may not eliminate the necessity to make some assumptions when determining ASILs. For items with high ASILs, the ISO 26262 standard requires strict measures be taken to minimize or eliminate the unacceptable risk. Under certain circumstances, the ASIL rating may be lowered through the technique of ASIL Decomposition.
ASIL Decomposition
The ISO 26262 standard contains a clause that contains the rules and guidelines for the decomposition of safety related elements. The ASIL is part of the safety goal and is innate to each successive safety requirement. The functional and technical safety requirements are assigned to all the design elements, beginning with the preliminary design concepts all the way down to the software and hardware elements. Through decomposition during the development phase, the ASIL rating can be customized to the next level of the system design. To further clarify; an element that addresses a particular safety goal, assigned a specific ASIL rating, can be broken down into two independent elements, each with a possible lower ASIL rating. The benefit is that the cost of development to a lower ASIL is generally lower. The stipulation is that each of the decomposed elements must address the same safety goal and take on the same safe state. In addition, to demonstrate fulfillment of the original requirements there must be traceability to and from the decomposed element’s requirements. Another thing to remember is that decomposition of the software element requires thorough investigation of the software and hardware independence. However, the hardware metrics are not impacted by the decomposition of the software.
Validation Testing and Qualification
Within the ISO 26262 section 4, the standard covers software, hardware and even testing tool qualifications. The section contains several requirements and tables that indicate analysis and testing requirements based on the ASIL rating. There is also a clause to qualify components based on a “Proven in Use Argument”. This clause is applicable to components or systems having previously been in use in other applications without incident. Proven reliable systems that remain unchanged from previous vehicles are certifiable under the ISO 26262 standard. Therefore, by combining certifiable components from similar applications and from applications used extensively throughout the industry, prior to the standard, the system complexity can be minimized and the certification requirements reduced.
Software Qualification
The qualification process for software and its component or units requires the following actions:
- Defining the software functional requirements
- Determination of resource usage
- Predicting software behavior during various fault situations
Software errors are analyzed and resolved throughout the design process. Software testing is performed under normal operating conditions and during the insertion of various types of faults to determine how it reacts to abnormal inputs. Software development and testing requirements are addressed in part 6 of the standard. The standard covers requirements for:
- Initiating Software Development
- Software Architectural Design
- Software Unit Design
- Software Implementation
The analysis and testing process can be reduced through utilization of existing qualified software during the development process. Examples of proven and qualified software components that could be utilized include but are not limited to driver software, libraries, databases and operating systems.
Hardware Qualification
The qualification process for hardware components generally consists of two purposes:
- Specify how the component fits into the overall system design
- Assess all probable failure modes
Hardware components are validated through comprehensive testing under various operational and environmental conditions. Basic hardware components may be qualified through standard qualification processes. However, more complex hardware components require ASIL evaluation, decomposition and validation testing. The test procedures and results of the testing must be evaluated and documented in a “qualification report”.
The Safety Case
A Safety Case must be developed to validate that our item or element will achieve our dependability goals, using all the applicable methods and evidence consisting of quality management, formal design verification, software code analysis, system testing, or proven-in-use data. The Safety Case should validate that our system meets the safety goals we determined previously and confirm dependability is acceptable for the assigned ASIL. In addition, the Safety Case must validate that our ASIL ranking is appropriate for the system.
Learn More About ISO 26262
Quality-One offers Quality and Reliability Support for Product and Process Development through Consulting, Training and Project Support. Quality-One provides Knowledge, Guidance and Direction in Quality and Reliability activities, tailored to your unique wants, needs and desires. Let us help you Discover the Value of ISO 26262 Consulting, ISO 26262 Training or ISO 26262 Project Support.